fortify / FortifyVulnerabilityExporter

Export Fortify vulnerability data to GitHub, GitLab, SonarQube and more

How to export vulnerabilities to GitHub Security from a local file system (i.e. not using SSC) #65

Open clark-shaw opened 1 year ago

clark-shaw commented 1 year ago

I have a local installation of the Fortify SCA software installed in a GitHub Action container and am able to run a scan and get a resulting *.fpr file that is stored within that container. I need to upload the vulnerabilities found in that fpr file to GitHub Security but I do not have access to an SSC server. How would I go about accomplishing this task?

rsenden commented 1 year ago

We currently don't have an out-of-the-box solution for exporting vulnerability data from FPR files. Possibly we could add support for reading FPR files in FortifyVulnerabilityExporter, but given the limited demand for such a feature, the best chance to get this implemented is by engaging Fortify Professional Services to implement this for you. Note that the FPR file format is not documented, so such an integration could potentially break if the FPR file format is changed in a future Fortify version.

Alternatively, you or Fortify Professional Services can build a custom script/utility to extract vulnerability data from the FPR file (either directly, or from an XML report generated by the Fortify ReportGenerator utility) and convert this data to the JSON format expected by GitHub.
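As an added illustration of the custom-script route described in the comment above (this is example code written for this page, not code from FortifyVulnerabilityExporter, Fortify, or the commenter), the following Python converts a findings report in XML into a SARIF 2.1.0 file that GitHub code scanning accepts. The `<Report>`/`<Issue>` element layout, the `SEVERITY_MAP` buckets, the `fortify/...` rule-id scheme and the `SAMPLE_XML` input are all assumed for illustration; a real Fortify ReportGenerator XML report has a different structure, so the element lookups in `parse_issues` must be adapted to it. The SARIF side is the part worth copying: stable `ruleId` values, a `security-severity` rule property (GitHub uses it to display severity), `%SRCROOT%`-relative file URIs, and a `partialFingerprints` entry so the same finding is tracked across uploads.

```python
"""Convert an XML findings report into SARIF 2.1.0 for GitHub code scanning.

Added example for this issue page; not part of FortifyVulnerabilityExporter.
The <Issue> layout below is ASSUMED for illustration and must be adapted to
the XML that your ReportGenerator template actually emits.
"""
import hashlib
import json
import re
import xml.etree.ElementTree as ET

# Assumed severity buckets -> (SARIF level, GitHub "security-severity" score on a 0-10 scale).
SEVERITY_MAP = {
    "Critical": ("error", "9.5"),
    "High": ("error", "8.0"),
    "Medium": ("warning", "5.5"),
    "Low": ("note", "2.0"),
}

# Constructed sample input (not real scan output); backslash path is deliberate.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Report>
  <Issue>
    <Category>SQL Injection</Category>
    <Severity>Critical</Severity>
    <Path>src\\db\\UserDao.java</Path>
    <Line>42</Line>
    <InstanceID>A1B2C3D4E5F60718</InstanceID>
    <Abstract>Untrusted input flows into a SQL query.</Abstract>
  </Issue>
  <Issue>
    <Category>Cross-Site Scripting: Reflected</Category>
    <Severity>High</Severity>
    <Path>src/web/Search.java</Path>
    <Line>17</Line>
    <InstanceID>0F1E2D3C4B5A6978</InstanceID>
    <Abstract>Request parameter is written to the response unescaped.</Abstract>
  </Issue>
  <Issue>
    <Category>Poor Logging Practice</Category>
    <Severity>Low</Severity>
    <Path>src/util/Log.java</Path>
    <Line>0</Line>
    <InstanceID></InstanceID>
    <Abstract></Abstract>
  </Issue>
</Report>
"""


def rule_id(category: str) -> str:
    """Turn 'Cross-Site Scripting: Reflected' into the stable token 'fortify/cross_site_scripting_reflected'."""
    return "fortify/" + re.sub(r"[^a-z0-9]+", "_", category.lower()).strip("_")


def parse_issues(xml_text: str):
    """Yield one dict per <Issue>; element names are the assumed layout, adapt as needed."""
    root = ET.fromstring(xml_text)
    for issue in root.iter("Issue"):
        text = lambda tag: (issue.findtext(tag) or "").strip()
        yield {
            "category": text("Category"),
            "severity": text("Severity"),
            "path": text("Path"),
            "line": int(text("Line") or 0),
            "instance_id": text("InstanceID"),
            "abstract": text("Abstract"),
        }


def to_sarif(issues) -> dict:
    """Build a SARIF 2.1.0 log with one rule per category and one result per issue."""
    rules, results = {}, []
    for i in issues:
        rid = rule_id(i["category"])
        level, score = SEVERITY_MAP.get(i["severity"], ("warning", "5.0"))
        rules.setdefault(rid, {
            "id": rid,
            "name": i["category"],
            "shortDescription": {"text": i["category"]},
            "defaultConfiguration": {"level": level},
            # GitHub reads this property to show Critical/High/Medium/Low in the UI.
            "properties": {"security-severity": score, "tags": ["security"]},
        })
        result = {
            "ruleId": rid,
            "level": level,
            "message": {"text": i["abstract"] or i["category"]},
            "locations": [{
                "physicalLocation": {
                    # %SRCROOT% tells GitHub the URI is relative to the repository root.
                    "artifactLocation": {"uri": i["path"].replace("\\", "/"), "uriBaseId": "%SRCROOT%"},
                    # SARIF lines are 1-based; a missing/zero line becomes 1.
                    "region": {"startLine": max(i["line"], 1)},
                }
            }],
        }
        if i["instance_id"]:
            # A hash of the scanner's stable instance id lets GitHub match the same
            # finding across uploads even when the line number shifts.
            digest = hashlib.sha256(i["instance_id"].encode("utf-8")).hexdigest()
            result["partialFingerprints"] = {"fortifyInstanceId/v1": digest}
        results.append(result)
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": "Fortify SCA", "rules": list(rules.values())}},
            "results": results,
        }],
    }


def convert(xml_text: str) -> dict:
    return to_sarif(parse_issues(xml_text))


if __name__ == "__main__":
    # Writes a SARIF file that can be uploaded with the github/codeql-action/upload-sarif action.
    with open("fortify.sarif", "w", encoding="utf-8") as fh:
        json.dump(convert(SAMPLE_XML), fh, indent=2)
```

The resulting file can be uploaded from the same workflow with the `github/codeql-action/upload-sarif` action (`sarif_file: fortify.sarif`); the workflow needs the `security-events: write` permission for that step. Keep the rule ids and the fingerprint scheme stable between runs, otherwise GitHub will close and reopen alerts on every upload.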

clark-shaw commented 1 year ago

Thank you for your response. I have gone down the path of translating and creating a SARIF file which, I understand, is the format GitHub Security prefers. However, there appear to be some GitHub custom fields that are not getting mapped to the resulting SARIF file. With a couple of Fortify Actions available on GitHub, I had hoped that the custom mapping was done in the FortifyVulnerabilityExporter. It sounds like the tool I'm using (the MS sarif-sdk multi-tool converter) may not be updated with the required GitHub fields. I'll look into using the XML report. Thanks again.