DependencyTrack / fortify-ssc-plugin

Plugin for Fortify Software Security Center (SSC) that can import Dependency-Track results
https://dependencytrack.org/
Apache License 2.0

Proper project configuration in DT for SSC #9

Closed Champion0081 closed 3 years ago

Champion0081 commented 4 years ago

I followed this https://docs.dependencytrack.org/integrations/fortify-ssc/ when configuring both Dependency-Track and SSC in order to push findings from DT to Fortify SSC. One thing is unclear. I have two projects in DT called abc_test and def_test. In Fortify SSC I have created two applications test_abc and test_def.

How exactly should properties be configured in those two DT projects? In the documentation there is:

Group Name - I have set it to integrations - is it ok?

Property Name fortify.ssc.applicationId - what exactly is applicationId? Should that be fortify.ssc.test_abc for example?

Property Value - The application version ID in SSC - is it the version name from SSC or something else?

Property Type - that is clear

stevespringett commented 4 years ago

Every application/version in Fortify SSC has a dedicated ID. This ID is used when integrating SSC with external systems (including Audit Workbench - you just don't see it as it's transparent).

To obtain it, execute:

fortifyclient listApplicationVersions -url https://fortify.example.com/ssc -user myusername

Change https://fortify.example.com/ssc to the URL of your server and specify a valid username. This will display a list of all applications including their name, version, and ID. Use this ID when integrating SSC with DT.

Champion0081 commented 4 years ago

This will display a list of all applications including their name, version, and ID. Use this ID when integrating SSC with DT.

Assume we need to obtain the ID without using fortifyclient. Where, after login, is the mentioned application ID in the SSC web interface? In the Application section one can see the Application, Version, State, Description and Created columns.

stevespringett commented 4 years ago

You should see something like /ssc/version/x in the URL where x is the application version id.

sachindast commented 3 years ago

Hello @stevespringett ,

We are also kind of stuck in the integration part of Fortify SSC with Dependency Tracker (DT).

We know the Fortify application and we know the application ID too, but when it comes to the configuration part in DT we are not able to get it working.

Below are my sample application details:

Fortify application name: ABC
Fortify application ID: 123

Can you please help me to fill in the below data?

Attribute      | Value
Group Name     | ?
Property Name  | ?
Property Value | ?
Property Type  | ?

I feel the documentation, especially when it comes to the per-project configuration, is not clear. https://docs.dependencytrack.org/integrations/fortify-ssc/

And I would also like to know, once we have added the Fortify SSC details in the integration section in DT, how do we validate it, like a "Test connection"? I don't see an option like that.

Can you help me with the above queries?

Best Regards, Sachin

stevespringett commented 3 years ago

Per the documentation, the values would be:

Group name: integrations
Property name: fortify.ssc.applicationId
Property value: 123
Property type: STRING
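As an added example (not code from the plugin or the thread), the script below turns the values in this answer into the per-project property DT expects, takes the numeric application version id from the /ssc/version/x URL form mentioned earlier in the thread, and rejects a version name where an id is required. The DT REST endpoint (PUT /api/v1/project/{uuid}/property), the X-Api-Key header and the JSON field names are assumptions about the DT API, not taken from this page.

```python
import json
import re
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Per-project property values as given in the answer above.
GROUP_NAME = "integrations"
PROPERTY_NAME = "fortify.ssc.applicationId"
PROPERTY_TYPE = "STRING"


def application_version_id_from_url(ssc_url: str) -> int:
    """Extract x from an SSC URL of the form https://host/ssc/version/x."""
    match = re.search(r"/ssc/version/(\d+)(?:/|$)", urlparse(ssc_url).path)
    if match is None:
        raise ValueError(f"no /ssc/version/<id> segment in {ssc_url!r}")
    return int(match.group(1))


def build_project_property(application_version_id) -> dict:
    """Build the property body for DT. The value must be the numeric SSC
    application version id, not the SSC version name (the confusion above)."""
    value = str(application_version_id).strip()
    if not value.isdigit():
        raise ValueError(f"SSC application version id must be numeric, got {value!r}")
    return {
        "groupName": GROUP_NAME,          # assumed DT field name
        "propertyName": PROPERTY_NAME,
        "propertyValue": value,
        "propertyType": PROPERTY_TYPE,
        "description": "Fortify SSC application version id",
    }


def create_project_property(dt_base_url: str, api_key: str, project_uuid: str,
                            prop: dict, opener=urlopen) -> int:
    """PUT the property onto a DT project; endpoint and header are assumptions.
    `opener` is injectable so the call can be exercised without a live server."""
    url = f"{dt_base_url.rstrip('/')}/api/v1/project/{project_uuid}/property"
    req = Request(url, data=json.dumps(prop).encode("utf-8"), method="PUT",
                  headers={"X-Api-Key": api_key, "Content-Type": "application/json"})
    with opener(req) as resp:
        return resp.status  # 201 on creation (assumed, per typical DT responses)
```

Repeat the PUT once per DT project (abc_test, def_test), each with the id of its own SSC application version, and then restart DT as the later replies note.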

sachindast commented 3 years ago

Thanks @stevespringett for confirming the values.

I can say that my Dependency-Track project properties have the correct values.

I watched the video which is posted at https://www.youtube.com/watch?v=RffZFteIhLA

but still, I'm not seeing my DT report getting uploaded to Fortify SSC.

I have generated a CI token in Fortify SSC and the same has been passed in the DT Fortify integration section, but the connection does not seem to be happening.

Any suggestion on that? How can I verify the connectivity of Fortify SSC and DT? Do I need to restart my Fortify SSC once the Dependency-Track parser plugin is installed to get this working?

stevespringett commented 3 years ago

Did you happen to restart DT after configuring Fortify SSC in the admin interface? This is a requirement and the UI should display a message stating that a restart is required for changes to take effect.

sachindast commented 3 years ago

Oh @stevespringett, I haven't restarted DT. What is the best way to restart DT?

(Sorry, I couldn't find any doc on how to restart DT.)

My DT is a container-based setup.

stevespringett commented 3 years ago

what is the best way to restart the DT?

Assuming you're using Docker Compose, you would need to execute the following commands in the same directory where the Dependency-Track docker-compose.yml file resides:

docker-compose down
docker-compose up -d

If you're using Docker Swarm, K8s, or something else, you'll need to refer to those platforms' specific docs on how to restart containers.

sachindast commented 3 years ago

Finally, some good news! @stevespringett 🙂

I just restarted my DT docker container as:

#docker container restart 11111111

Now I'm able to see my DT reports (in .json format) properly getting populated in the Fortify SSC application.

Once again thanks a lot @stevespringett for your timely response on this. Much appreciated!

stevespringett commented 3 years ago

Glad it's working. Closing.