fortify / FortifyVulnerabilityExporter

Export Fortify vulnerability data to GitHub, GitLab, SonarQube and more

SSCToSonarQube - using ssc.vulnerability.queryParam, with 2 or more attributes #77

Open gnowynot opened 2 weeks ago

gnowynot commented 2 weeks ago

Question

Hi, I would like to ask whether it's possible to include 2 or more attributes in the command line for the json export,

Currently using this parameter --ssc.vulnerability.queryParam=analysis:Exploitable, but I would like to know the command if including both the analysis:Exploitable and analysis:Bad practice

Thanks a lot.

rsenden commented 2 weeks ago

@gnowynot, the value of the --ssc.vulnerability.queryParam option is passed as the q request parameter to the SSC issues endpoint. The 'Issue Group, Filter & Search' section in the SSC REST Documentation states the following (but note that not all AWB syntax is supported by SSC, like regex-based searches):

image

Same syntax is used for the issue search box in SSC:

image

The only thing I'm not sure about is whether you should pass the URL-encoded or decoded syntax to the --ssc.vulnerability.queryParam option, so you'll need to experiment with this; for example, either "--ssc.vulnerability.queryParam=analysis:exploitable analysis:bad practice", --ssc.vulnerability.queryParam=analysis:exploitable+analysis:bad%20practice or similar variants may work.

Please confirm whether you've been able to make this work, and what syntax you used exactly.

gnowynot commented 1 week ago

> @gnowynot, the value of the --ssc.vulnerability.queryParam option is passed as the q request parameter to the SSC issues endpoint. The 'Issue Group, Filter & Search' section in the SSC REST Documentation states the following (but note that not all AWB syntax is supported by SSC, like regex-based searches):
>
> image
>
> Same syntax is used for the issue search box in SSC:
>
> image
>
> The only thing I'm not sure about is whether you should pass the URL-encoded or decoded syntax to the --ssc.vulnerability.queryParam option, so you'll need to experiment with this; for example, either "--ssc.vulnerability.queryParam=analysis:exploitable analysis:bad practice", --ssc.vulnerability.queryParam=analysis:exploitable+analysis:bad%20practice or similar variants may work.
>
> Please confirm whether you've been able to make this work, and what syntax you used exactly.

Thanks for your reply. Unfortunately it doesn't work, though I tried all the combinations. It only reads the first part of the param and returns the results.

e.g. with ssc.vulnerability.queryParam=analysis:exploitable analysis:bad practice, only the results of analysis:exploitable are shown.

The only problem I'm having now is how to pass both the filters to the q query parameter, I tried with a "+", but still a no.

rsenden commented 1 week ago

@gnowynot I'd need to check in more detail then, but not sure when I'll have time for that. You may want to consider using fcli instead; see the fcli ssc action help sonarqube-sast-report command. We migrated most FortifyVulnerabilityExporter functionality to fcli and plan on deprecating FortifyVulnerabilityExporter by the end of this year.

The fcli action doesn't provide any explicit filtering options, but you can easily customize the built-in action to add those request parameters or even do customized client-side filtering for more advanced use cases.

You can also consider implementing a custom filter set (in a custom issue template) on SSC, which allows for more flexible server-side filtering compared to the ad-hoc q request parameter. For example, this will allow you to create a SonarQube Export filter set next to the default Security Auditor View and Quick View filter sets: https://www.microfocus.com/documentation/fortify-software-security-center/2420/SSC_Help_24.2.0/index.htm#SSC_UG/A_Issue_Templ.htm. Added advantage is that you can already check in SSC what vulnerabilities will be exported to SonarQube.
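The two mechanisms discussed in this thread, passing several filter terms through the q request parameter and doing client-side filtering of the returned issues, can be tried out offline with the following added example. It is not code from FortifyVulnerabilityExporter, fcli or either commenter. The endpoint path under SSC_BASE, the issue field names (primaryTag), the OR-within-one-attribute / AND-across-attributes semantics, and the rule for parsing a space inside a value such as "bad practice" are all assumptions; the sample issue records are constructed for the example.

```python
"""Added example, not code from FortifyVulnerabilityExporter, fcli or the thread.
Builds an SSC issues request whose q parameter carries two filter terms, encoded
exactly once, and applies an equivalent two-term filter client-side to constructed
sample records. Endpoint path, field names and term semantics are assumptions."""
from urllib.parse import parse_qs, urlencode, urlsplit

SSC_BASE = "https://ssc.example.com/ssc"  # placeholder SSC URL (assumption)


def build_issues_url(project_version_id, terms, start=0, limit=200):
    """Join the filter terms with one space and let urlencode percent-encode q once.
    Pre-encoding the value yourself (e.g. 'bad%20practice') and then passing it
    through urlencode would double-encode it ('%2520'), so the server would see a
    literal '%20' rather than a space."""
    query = urlencode({"q": " ".join(terms), "start": start, "limit": limit})
    # Path mirrors the SSC REST issues endpoint for a project version (assumption).
    return f"{SSC_BASE}/api/v1/projectVersions/{project_version_id}/issues?{query}"


def decoded_q(url):
    """Return the q value as the server sees it after one round of URL decoding."""
    return parse_qs(urlsplit(url).query)["q"][0]


def parse_terms(q):
    """Split 'analysis:exploitable analysis:bad practice' into {'analysis': {...}}.
    Assumed rule: a whitespace-separated token containing ':' starts a new
    attribute:value term; a token without ':' continues the previous value, so the
    space inside 'bad practice' does not start a new term."""
    pairs = []  # [attribute, value] lists so trailing tokens can extend the value
    for token in q.split():
        if ":" in token:
            attribute, value = token.split(":", 1)
            pairs.append([attribute.lower(), value.lower()])
        elif pairs:
            pairs[-1][1] += " " + token.lower()
        else:
            raise ValueError(f"value {token!r} is not preceded by an attribute")
    terms = {}
    for attribute, value in pairs:
        terms.setdefault(attribute, set()).add(value)
    return terms


# Assumed mapping from query attribute name to a field on the issue record.
FIELD_MAP = {"analysis": "primaryTag"}

# Constructed sample issue records (field names are an assumption).
SAMPLE_ISSUES = [
    {"id": 1, "primaryTag": "Exploitable", "issueName": "SQL Injection"},
    {"id": 2, "primaryTag": "Bad Practice", "issueName": "Password in Comment"},
    {"id": 3, "primaryTag": "Not an Issue", "issueName": "Dead Code"},
    {"id": 4, "primaryTag": None, "issueName": "Unreviewed Finding"},
]


def filter_issues(issues, q):
    """Client-side filter: keep issues matching every attribute in q; within one
    attribute any listed value matches, so 'analysis:exploitable analysis:bad
    practice' keeps issues tagged either way. Issues with no value for a requested
    attribute are dropped."""
    wanted = parse_terms(q)
    kept = []
    for issue in issues:
        matches = all(
            issue.get(FIELD_MAP.get(attribute, attribute)) is not None
            and issue[FIELD_MAP.get(attribute, attribute)].lower() in values
            for attribute, values in wanted.items()
        )
        if matches:
            kept.append(issue)
    return kept


if __name__ == "__main__":
    terms = ["analysis:exploitable", "analysis:bad practice"]
    url = build_issues_url(42, terms)
    print(url)
    print("server sees q =", repr(decoded_q(url)))
    for issue in filter_issues(SAMPLE_ISSUES, " ".join(terms)):
        print(issue["id"], issue["primaryTag"], issue["issueName"])
```

The decoded_q helper is the check worth keeping when experimenting with the encoded versus decoded variants mentioned earlier in the thread: whatever form the option accepts, the value the server actually parses should come back as plain `analysis:exploitable analysis:bad practice` after a single decode. The client-side filter is the fallback rsenden describes for fcli when server-side filtering via q does not do what you need.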