Ana Maria Butiseaca

How to replicate CVA Results from ATC into Fortify SSC

Although cyber attacks have become increasingly dangerous for companies of all sizes, many businesses are not properly protected against security threats. As far as the security of applications is concerned, the aim should be to eliminate vulnerabilities before software is deployed. To achieve this, security assurance needs to become an essential part of the software application lifecycle.

Code Vulnerability Analyzer (CVA) carries out static analysis of ABAP source code and reports possible security risks. CVA is integrated in the ABAP Test Cockpit (ATC), the central infrastructure for functional, performance and security code checks. Fortify SSC is a third-party tool that complements CVA by scanning non-ABAP code.

Most customer solutions comprise both ABAP and non-ABAP applications, and displaying the results in two different environments can be a challenge. Customers would therefore ideally like to display findings in a single environment. With the integration between CVA and Fortify, customers can analyze all the findings in Fortify Software Security Center. It pinpoints the root cause of vulnerabilities with line-of-code details and remediation guidance, and it allows you to prioritize all application vulnerabilities by severity and importance, all in the same framework.

The integration between ATC and Fortify is partly implemented in Java and partly in ABAP. The Java part is represented by a plug-in containing a parser for the ATC results data. The ATC back end contains some software written in ABAP to extract and send ATC results to the Fortify server.

Pre-requisites:

  • SAP’s ATC parser plugin. The plugin is installed in Fortify SSC (minimum Fortify SSC release: 17.20). The CVA Fortify SSC plug-in is available for download in SAP’s Software Center: https://launchpad.support.sap.com/#/softwarecenter
  • An external HTTP destination entry for the Fortify SSC application in SM59 (type G)
  • The destination to the Fortify SSC system (as configured in SM59) should be registered as a “Replication Target” in the ATC system

Figure 1: Selecting Results for Upload

Figure 2: Viewing details of CVA findings in Fortify SSC

More on this

Documentation: Replicating CVA Results from ATC into Fortify SSC

Video: https://youtu.be/ttkUsDJeKbs

Contact: Peter Barker

      2 Comments
      jyotheswar p

      Thank you for explaining the steps to connect with Fortify. However, when we log in to ATC we are not able to see the option "Replication Targets" in the ATC administration node.

      Do we need to upgrade to a higher version to see this option, or does it need to be activated somewhere in SPRO, or is it a security issue? We are currently on

      SAP_BASIS 750 0008 SAPK-75008INSAPBASIS
      SAP_ABA    750 0008  SAPK-75008INSAPABA

      Screenshots that highlight the missing options in our system.

      SAP suggested screen

      ATC screen in our system

      Please suggest what we could be missing in our system that doesn't give the option to maintain the replication targets.

      Peter Barker

      We now have an updated version of this blog here:

      https://blogs.sap.com/2019/04/02/integration-between-sap-code-vulnerability-analyzer-and-sap-fortify-by-micro-focus/