snyk-partners / fortify-snyk-parser


SNYK integrated with SSC #7

Open JibinWang opened 1 year ago

JibinWang commented 1 year ago

SNYK has integrated with SSC, but the Scan.zip file cannot be uploaded to SSC normally. When uploading the SNYK scan result scan.zip file to Fortify Software Security Center, the Plugin Framework now validates that the engineType of the submitted vulnerabilities is coherent with the engineType provided in the plugin metadata. Incorrectly implemented parser plugins will fail to submit vulnerabilities. It is recommended to fix such plugins at your earliest convenience.

rsenden commented 1 year ago

To be precise, the following line https://github.com/snyk-partners/fortify-snyk-parser/blob/dd715e61e044e0bd071f238ae1ca3e039640f7ab/src/main/java/io/snyk/integrations/fortify/parser/SnykParserPlugin.java#L99 will need to be updated to set SNYK as the engine type instead:

vulnerabilityBuilder.setEngineType("SNYK");

As per the SSC 22.1 documentation at https://www.microfocus.com/documentation/fortify-software-security-center/2210/FortifySW_RN_22.1.0/FortifySW_RN_22.1.0.htm:

When a third-party scan is uploaded to Fortify Software Security Center, the Plugin Framework now validates that the engineType of the submitted vulnerabilities is coherent with engineType provided in the plugin metadata. Incorrectly implemented parser plugins will fail to submit vulnerabilities. Fortify recommends fixing such plugins at your earliest convenience. In the meantime, the validation can be suppressed by setting a system environment variable FORTIFY_PLUGINS_PARSER_VULN_ENGINETYPECHECK or JVM system property fortify.plugins.parser.vuln.engineTypeCheck to false. Starting from 23.1 release, it will no longer be possible to suppress this validation.
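A static pre-deployment check for the mismatch described in this thread, added here as an example; it is not code from this repository, from the thread participants, or from Fortify. It assumes the plugin declares its engine type in an `<engine-type>` element of `plugin.xml` (the element name is an assumption) and that the parser sets the per-vulnerability engine type with a string literal passed to `setEngineType(...)`. Both inputs below are constructed samples; the "wrong" value is a placeholder, not the value the issue's linked line actually contained.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample plugin metadata. The <engine-type> element name is an
# assumption about where a Fortify parser plugin declares its engine type.
PLUGIN_XML = """<?xml version="1.0" encoding="UTF-8"?>
<plugin xmlns="xmlns://www.fortify.com/schema/pluginmanifest-1.0.xsd"
        id="io.snyk.integrations.fortify.parser" version="1.0.0">
  <plugin-info>
    <name>Snyk parser</name>
    <engine-type>SNYK</engine-type>
  </plugin-info>
</plugin>
"""

# Constructed parser excerpts. WRONG_ENGINE_TYPE is a placeholder for whatever
# the parser emitted before the fix; the corrected form is the one from the thread.
JAVA_BEFORE = 'vulnerabilityBuilder.setEngineType("WRONG_ENGINE_TYPE");\n'
JAVA_AFTER = 'vulnerabilityBuilder.setEngineType("SNYK");\n'
JAVA_DYNAMIC = 'vulnerabilityBuilder.setEngineType(engineTypeFromConfig);\n'

SET_ENGINE_TYPE = re.compile(r'setEngineType\(\s*([^)]*?)\s*\)')
STRING_LITERAL = re.compile(r'^"([^"]*)"$')


def declared_engine_type(plugin_xml: str) -> str:
    """Return the engine type declared in the plugin metadata (namespace-agnostic)."""
    root = ET.fromstring(plugin_xml)
    for elem in root.iter():
        if elem.tag.split('}')[-1] == 'engine-type' and elem.text:
            return elem.text.strip()
    raise ValueError("plugin.xml declares no <engine-type>")


def emitted_engine_types(java_source: str) -> tuple[set[str], list[str]]:
    """Return (string literals passed to setEngineType, non-literal arguments).

    Non-literal arguments cannot be checked statically and are reported
    separately so the reviewer can verify them by hand.
    """
    literals: set[str] = set()
    dynamic: list[str] = []
    for match in SET_ENGINE_TYPE.finditer(java_source):
        arg = match.group(1)
        lit = STRING_LITERAL.match(arg)
        if lit:
            literals.add(lit.group(1))
        else:
            dynamic.append(arg)
    return literals, dynamic


def check_engine_type(plugin_xml: str, java_source: str) -> list[str]:
    """Mirror the SSC Plugin Framework check: every engine type the parser
    assigns to a vulnerability must equal the one declared in plugin metadata.
    Returns a list of findings; an empty list means the plugin is consistent."""
    declared = declared_engine_type(plugin_xml)
    literals, dynamic = emitted_engine_types(java_source)
    findings = []
    if not literals and not dynamic:
        findings.append("parser never calls setEngineType; SSC will reject its vulnerabilities")
    for value in sorted(literals):
        if value != declared:
            findings.append(
                f'setEngineType("{value}") does not match plugin metadata engine type "{declared}"')
    for arg in dynamic:
        findings.append(f"setEngineType({arg}) is not a string literal; verify it equals \"{declared}\" at runtime")
    return findings


if __name__ == "__main__":
    for label, src in (("before fix", JAVA_BEFORE), ("after fix", JAVA_AFTER), ("dynamic", JAVA_DYNAMIC)):
        problems = check_engine_type(PLUGIN_XML, src)
        print(f"{label}: {'OK' if not problems else problems}")
```

Run this against the real `plugin.xml` and parser source before building the plugin jar; a non-empty result means the upload will be rejected once the suppression switch quoted above is removed in 23.1, so it is cheaper to catch the mismatch here than in SSC's upload log.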