Skip to Content

How to replicate CVA Results from ATC into Fortify SSC

Although cyber attacks have become increasingly dangerous for companies of all sizes, a lot of businesses are not properly protected against security threats. As far as the security of applications is concerned, the aim should be to eliminate vulnerabilities before software is deployed. To achieve this security assurance needs to become an essential part of the software application lifecycle.

Code Vulnerability Analyzer (CVA) carries out static analysis of ABAP source code and reports possible security risks. CVA is integrated in the ABAP Test Cockpit (ATC), the central infrastructure for functional, performance and security code checks. Fortify SSC is a third party tool offering, which complements CVA by scanning non-ABAP coding.

Most of customers’ solutions comprise both ABAP and non-ABAP applications and displaying the results in two different environments can be a challenge. Therefore, they would ideally like to display findings in a single environment. With the integration between CVA and Fortify customers can analyze all the findings in Fortify Software Security Center. It pinpoints the root cause of vulnerabilities with line of code details and remediation guidance and it allows you to prioritize all application vulnerabilities by severity and importance, all in the same framework.

The integration between ATC and Fortify is partly implemented in Java and partly in ABAP. The Java part is represented by a plug-in containing a parser for the ATC results data. The ATC back end contains some software written in ABAP to extract and send ATC results to the Fortify server.

Pre-requisites:

  • SAP’s ATC parser plugin. The plugin is installed in Fortify SSC (minimum Fortify SSC release: 17.20). The CVA Fortify SSC plug-in is available for download in SAP’s Software Center: https://launchpad.support.sap.com/#/softwarecenter
  • An external HTTP destination entry for Fortify SSC application in SM59 (type G)
  • The destination to the Fortify SSC system (as configured in SM59) should be registered as a “Replication Target” in the ATC system

 

Figure 1: Selecting Results for Upload

Figure 2: Viewing details of CVA findings in Fortify SSC

 

More on this

Documentation: Replicating CVA Results from ATC into Fortify SSC

Video: https://youtu.be/ttkUsDJeKbs

Contact: Peter Barker

1 Comment
You must be Logged on to comment or reply to a post.
  • Thank you for explaining the steps to connect with Fortify however when we login to ATC we are not able to see the option ” Replication Targets ” in the ATC administration Node.

    Do we need upgrade to higher version to see this option or does need to be activated some where in SPRO or is it a security issue.  We are currently are on

    SAP_BASIS 750 0008 SAPK-75008INSAPBASIS
    SAP_ABA    750 0008  SAPK-75008INSAPABA

    Screen Shots that highlights the missing options in our system.

    SAP suggested screen 

     

    ATC screen in our system

     

    Please suggest what we could be missing in our system that doesn’t give the option to maintain the replication targets.