Unable to generate correct fpr report after auditing CVC issues in SSC Portal using fortify-ssc-parser-owasp-dependency-check plugin.

[sailohitha]

Question

Hi Team,

1. I have uploaded dependency-check-report. Json in my SSC portal and audited CVC issues in SSC portal. After auditing I have downloaded audit report from SSC portal in the form of "dependency-check-report.json.fpr". After downloading audit report, unable to view audited data and other open issues in the downloaded audit report(dependency-check-report.json.fpr).

2. I have identified there were no CVC related rule packs and valid certification for the fortify/fortify-ssc-parser-owasp-dependency-check in SSC portal.

**Kindly, provide me the solutions for the above issues. **

[rsenden]

Hi @sailohitha, can you please provide more details on the steps performed and current/expected outcome, for example by adding some screenshots?

For example, how are you downloading the report from SSC (are you downloading the Application File or an individual artifact from the SSC Artifacts page, or is this some report generated from the Reports page), and how are you attempting to view the audited data and issues after downloading the report (Audit Workbench, ...)? Also, what do you mean exactly by 'there are no CVC related rule packs and valid certification'?

For reference, the ability to import and view third-party issues through parser plugins is an SSC-only feature; you won't be able to view third-party issues in Audit Workbench. If you'd like to be able to see third-party issues in Audit Workbench, you'll need to open an enhancement request for Audit Workbench through the regular OpenText support channels.

Also, parser plugins just import issue data generated by third-party tools, there are no rule packs involved in this process.

[sailohitha]

Hi rsenden,

Is there any plugin, which can export issue data from SSC portal.

[rsenden]

@sailohitha, SSC parser plugins can only import third-party data. To export data from SSC, you can use the standard SSC CSV Export functionality, (custom) SSC reports, or the SSC REST API. The latter is for example used by fcli to generate issue reports in various third-party formats like SARIF, GitHub, or GitLab security reports; see the various *-report actions like sarif-sast-report here: https://fortify.github.io/fcli/latest/ssc-actions.html