I am trying to obtain instructions on how to create an archive of HP Fortify Software Security Center's database. My parameters are to keep the current year and past two years. Anything earlier than that should be dropped into an archive. Does anyone have any instructions or can provide me steps on how this would be done? Thank you!
This depends on whether you just need to save the vulnerability data, or whether you need to download and archive the originally uploaded FPR files.
I. If you need the FPR files
I recommend you contact Fortify Professional Services. You need to do webservice programming to obtain these older FPRs, but the webservice calls are not all documented and do not always work as documented. So make it HP's problem.
If you review the fortifyclient program, you will see the following commands available:
fortifyclient downloadFPR - download latest FPR for a project.
fortifyclient purgeProjectVersion - purge all artifacts in a project version scanned before a given date.
So you can see this will get you 80% of the way there. If you downloadFPR then you will receive the "project file" which contains all the latest scan information but also supposedly all the historical information -- but that of course is not the same as your archive requirement.
There are possibly undocumented parameters to fortifyclient but this is unlikely. Fortifyclient is just a thin wrapper to a webservice client implementation. More likely, there are more specific webservices calls to select a particular "artifact" from the database.
When you download the "project file" from Fortify SSC, parts of the file are retrieved from blobs and other parts are built for you on the fly from dimensional information saved in the database.
When you would download an "artifact", that is, the unmodified previously uploaded file, I think the whole thing is stored in there somewhere as a blob. But it takes one or more stored procedure calls to produce a bytestream you can save.
I think at the high level, you or Fortify Professional Services would want to:
1. Use a database query against the ARTIFACT table to determine which artifact ids you need to download.
2. Run the custom webservice calls to download the specified artifacts.
3. Run the purge command to delete the data you have downloaded.
II. If you just need the scan and vulnerability data
This is much easier, and is done entirely in the database.
1. Inspect the SCAN table to see the various dates that scans happened. For some SSC date values, you have to convert from the Java Epoch (number of milliseconds since midnight 1970-01-01).
2. Join the SCAN rows that you want, via the many:many SCAN_ISSUE table, to the ISSUE table to get the full Fortify reported vulnerability details from each scan. Note, many vulnerabilities are re-discovered on every scan.
3. If you also need the human auditors' records of their notes and decisions, you need to look further to join in the AUDITANALYSIS table to get the "Not an Issue" flags etc. If you need this information, I recommend you go to Fortify Professional Services because it will be very complicated if the historical information is even there.
4. Once joined, select off the above rows.
5. Delete the rows from the SCAN table, cascading any rows bound in other tables by foreign keys. Make sure not to delete anything from the ISSUE table; that would delete your current vulnerability information as well.
My effort estimate for either I or II is 10-15 days.
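One way to carry out option II against the tables the answer names, as an added example that is not part of the original answer and not Fortify's own tooling. It assumes a MySQL-hosted SSC database and column names that the answer does not give (SCAN.ID, SCAN.SCAN_DATE holding Java epoch milliseconds, SCAN_ISSUE.SCAN_ID, SCAN_ISSUE.ISSUE_ID, ISSUE.ID, and a cascading foreign key from SCAN_ISSUE to SCAN); check each against your actual schema before running it.

```sql
-- Added example, not from the original post. Assumed schema (verify first):
--   SCAN(ID, SCAN_DATE as Java epoch ms), SCAN_ISSUE(SCAN_ID, ISSUE_ID), ISSUE(ID, ...)
--   and a foreign key SCAN_ISSUE.SCAN_ID -> SCAN.ID with ON DELETE CASCADE.

-- 1. Retention cutoff: keep the current year plus the two previous years, so
--    archive everything scanned before 1 January of (current year - 2).
--    Expressed in epoch milliseconds to match the stored SCAN_DATE value.
SET @cutoff_ms = UNIX_TIMESTAMP(MAKEDATE(YEAR(CURDATE()) - 2, 1)) * 1000;

-- 2. Inspect which scans fall below the cutoff. FROM_UNIXTIME converts the
--    millisecond epoch back to a readable timestamp.
SELECT s.ID, FROM_UNIXTIME(s.SCAN_DATE / 1000) AS scanned_at
FROM SCAN s
WHERE s.SCAN_DATE < @cutoff_ms
ORDER BY s.SCAN_DATE;

-- 3. Archive the joined scan/issue rows into a separate table. An issue that
--    was rediscovered by several old scans appears once per scan, which is
--    the per-scan history the archive is meant to preserve.
CREATE TABLE ARCHIVE_SCAN_ISSUE AS
SELECT s.ID AS SCAN_ID,
       FROM_UNIXTIME(s.SCAN_DATE / 1000) AS SCANNED_AT,
       i.*
FROM SCAN s
JOIN SCAN_ISSUE si ON si.SCAN_ID = s.ID
JOIN ISSUE i       ON i.ID = si.ISSUE_ID
WHERE s.SCAN_DATE < @cutoff_ms;

-- 4. Sanity check before deleting anything: the two counts must agree.
SELECT (SELECT COUNT(*) FROM ARCHIVE_SCAN_ISSUE) AS archived_rows,
       (SELECT COUNT(*)
          FROM SCAN s JOIN SCAN_ISSUE si ON si.SCAN_ID = s.ID
         WHERE s.SCAN_DATE < @cutoff_ms) AS live_rows;

-- 5. Delete the old SCAN rows only; SCAN_ISSUE rows go via the cascade.
--    ISSUE is never touched, since it holds the current vulnerability state.
START TRANSACTION;
DELETE FROM SCAN WHERE SCAN_DATE < @cutoff_ms;
-- COMMIT only after ARCHIVE_SCAN_ISSUE has been exported and verified;
-- ROLLBACK otherwise.
```

Step 3 covers the SCAN/SCAN_ISSUE/ISSUE join only; the AUDITANALYSIS join for auditor decisions is a separate query once its key columns are confirmed.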