An enterprise-grade custom parser plugin for Fortify Software Security Center (OpenText Application Security). Enables seamless ingestion, parsing, and visualization of PortSwigger Burp Suite XML scan results directly within the Fortify SSC dashboard.
Fortify SSC relies on external plugins to support third-party security tools. This plugin implements the modern Fortify Plugin SPI (v1.2.2320.0), bridging the gap between Burp Suite's dynamic analysis exports and Fortify's centralized vulnerability management.
- Deterministic ID Generation: Uses MD5 hashing of Issue Name, Host, Path, and Location to ensure vulnerability IDs remain stable across subsequent scans, preventing duplicates.
- Rich Attribute Mapping: Custom attributes ensure that Burp-specific data (e.g., Confidence, Issue Background, Remediation Detail) is fully visible in SSC.
- Custom View Template: Includes a tailored UI template (`viewtemplate/ViewTemplate.json`) that organizes issue details cleanly within the SSC interface.
- Flexible Reports Support: Parses both standard Saved Items XML and the newer Burp Reports (`<issues>`) XML structures, with full support for CDATA and complex tags.
- Isolated Dependencies: Utilizes Gradle Shadow to relocate internal libraries (e.g., Jackson), ensuring zero classloader conflicts within the Fortify environment.
- Enterprise CI/CD: Fully integrated GitHub Actions workflow for automated testing, CodeQL security scanning, linting (Checkstyle), and build packaging.
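The stable-ID and duplicate-prevention behaviour from the feature list, shown as an added Python illustration rather than the plugin's own Java code; the exact key layout hashed with MD5 and the sample `<issues>` export are assumptions, and only the Burp Reports format is handled here.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample of a Burp "Reports" export (<issues> root) with CDATA. The
# second issue repeats the first with a new serialNumber, as on a re-exported scan.
SAMPLE_BURP_XML = """<issues burpVersion="2024.1">
  <issue>
    <serialNumber>1</serialNumber>
    <name>Cross-site scripting (reflected)</name>
    <host ip="192.0.2.10">https://app.example</host>
    <path>/search</path>
    <location>/search [q parameter]</location>
    <confidence>Certain</confidence>
    <issueBackground><![CDATA[<p>Input is reflected</p>]]></issueBackground>
  </issue>
  <issue>
    <serialNumber>2</serialNumber>
    <name>Cross-site scripting (reflected)</name>
    <host ip="192.0.2.10">https://app.example</host>
    <path>/search</path>
    <location>/search [q parameter]</location>
    <confidence>Firm</confidence>
  </issue>
</issues>"""

IDENTITY_FIELDS = ("name", "host", "path", "location")

def stable_issue_id(name, host, path, location):
    # Hypothetical key layout (the plugin's exact one is not shown): fields joined
    # with a separator so "a"+"bc" != "ab"+"c". MD5 is a fingerprint, not a security control.
    key = "\x1f".join((name, host, path, location))
    return hashlib.md5(key.encode("utf-8")).hexdigest()

def _text(issue, tag):
    el = issue.find(tag)
    return (el.text or "").strip() if el is not None else ""

def parse_burp_issues(xml_text):
    """Return issues keyed by stable id; a repeated finding keeps its first copy."""
    root = ET.fromstring(xml_text)
    findings = {}
    for issue in root.iter("issue"):
        fields = tuple(_text(issue, t) for t in IDENTITY_FIELDS)
        iid = stable_issue_id(*fields)
        if iid in findings:
            continue  # same finding seen again: do not create a second SSC issue
        findings[iid] = dict(zip(IDENTITY_FIELDS, fields), id=iid,
                             confidence=_text(issue, "confidence"),
                             issueBackground=_text(issue, "issueBackground"))
    return list(findings.values())
```

Because the id ignores `serialNumber`, re-uploading a later export of the same target maps each finding back onto the SSC issue created by the first upload.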
- Java: JDK 17
- Build Tool: Gradle 9.4.1
- Fortify SSC: Version 19.x or later (fully tested and compatible with modern releases)
- Burp Suite: Export capabilities to XML
The project uses the Gradle Shadow plugin to create a "Fat JAR" required by Fortify.
```bash
# Clone the repository
git clone https://github.com/ptkvaibhav/burp-fortify-ssc-parser-plugin.git
cd burp-fortify-ssc-parser-plugin

# Build the Fat JAR
./gradlew clean build shadowJar
```

The resulting deployment artifact will be located at:

`build/libs/burp-fortify-ssc-parser-plugin-2.0.0.jar`
- Log in to your Fortify SSC instance with Administrator privileges.
- Navigate to Administration > Plugins > Parsers.
- Click Add and upload the `burp-fortify-ssc-parser-plugin-2.0.0.jar` file.
- Important: After uploading, locate the "Burp Suite Parser Plugin" in the list and click Enable.
Fortify SSC requires uploaded artifacts to specify their engine type.
- Export your Burp Suite scan results in XML format (e.g., `burp-results.xml`).
- Create a plain text file named `scan.info` in the same directory as your XML file.
- Add the following exact line to `scan.info`: `engineType=BURP`
- Create a ZIP archive (e.g., `results.zip`) containing both `burp-results.xml` and `scan.info`.
- Upload `results.zip` to your chosen Application Version in Fortify SSC.
- `BurpParserPlugin.java`: The main entry point implementing `ParserPlugin<T>`. Handles generic scan mapping, robust truncation, duplicate prevention, and iteration.
- `BurpItems.java` / `BurpItem.java`: Jackson XML data models representing the Burp export structure.
- `BurpVulnerabilityAttribute.java`: Enum defining custom fields presented in the SSC UI.
The project enforces strict code quality standards:
- Linting: Run `./gradlew checkstyleMain` to ensure code meets format requirements.
- Testing: Run `./gradlew test` to execute comprehensive JUnit 5 and Mockito test suites verifying edge cases, duplicate handling, and CDATA parsing.
We welcome contributions! Please see our Contributing Guidelines for details on how to submit pull requests, report issues, and suggest features.
Please also adhere to our Code of Conduct.
Security is a priority. For information on supported versions, how to report vulnerabilities, and our internal checks (CodeQL, Dependabot), please refer to our Security Policy.
This project is licensed under the MIT License - see the LICENSE file for details.
If you need help or have questions, please check out our Support Guide.