Fortify Vulnerability Integration
- Updated Aug 1, 2024
- Xanadu
- Application Vulnerability Response
The Fortify Vulnerability Integration uses data imported from the Fortify product to help you determine the impact and priority of flaws in your code.
The Fortify product collects scanner data and makes that data available to the Now Platform®. It easily integrates with the ServiceNow® Application Vulnerability Response feature of Vulnerability Response to map third-party vulnerabilities, enriching the data in your instance.
There is a configured run-as user for each integration record. The default value for this user is VR.System. Do not change this value.
Every day, scheduled jobs invoke the integrations automatically. Once all the integrations are activated, they are chained to run in sequence. You can also execute individual scheduled jobs manually. Scheduled jobs simplify the vulnerability remediation life cycle by keeping the instance synchronized with other vulnerability management systems.
Available versions
Release version | Release Notes |
---|---|
Vulnerability Response integration with Fortify v2.4, Fortify v2.3, Fortify v2.2, Fortify v2.1 | Application Vulnerability Response release notes. For compatibility information, see KB0856498 Vulnerability Response Compatibility Matrix and Release Schema Changes |
Fortify Vulnerability Integration
To view the Fortify Vulnerability Integration, navigate to .
The following integrations are included in the base system. These integrations are not all active by default.
After the initial run, every day, scheduled jobs are chained to run the integrations automatically in order. You can also execute individual scheduled jobs manually. Scheduled jobs simplify the vulnerability remediation life cycle by keeping the instance synchronized with other vulnerability management systems.
Integration | Description |
---|---|
Fortify on Demand Application List Integration | Retrieves Fortify application scanner data (vulnerabilities, metadata) and enriches your third-party application data. This integration is set to run daily at 00:00:00. It is active by default. |
Fortify on Demand Scan Summary Integration | Retrieves scan records from Fortify. This integration is chained to run following the Fortify on Demand Application List Integration when activated. It is inactive by default. |
Fortify on Demand Application Vulnerable Item Integration | Retrieves scan results from Fortify, inserts AVITs, and enriches your third-party vulnerability data. If the scanner record is in the Closed state, AVITs are not created. Existing AVITs are still updated. Starting with v2.3, view details such as total processing times, average times for pre- and post-integration run processes, and reports on the integration run records for the Application Vulnerable Item integration. This integration is chained to run following the Fortify on Demand Scan Summary Integration when activated. It is inactive by default. |
For integration run statuses, see View the Fortify Vulnerability Integration import run status.
To view data in third-party vulnerabilities, see View vulnerability libraries.