Using the API - HP Fortify SCA, Cucumber, and OWASP ZAP
IriusRisk supports importing test and scan results from Cucumber, OWASP ZAP and HP Fortify SCA. The output of these tools can be uploaded to IriusRisk through the IriusRisk API.
OWASP ZAP
OWASP ZAP results can be uploaded directly without any further configuration, because the mapping between the test and the model in IriusRisk is done through the CWE ID.
Cucumber
Each Cucumber test should have a tag associated with it with the prefix: "@iriusrisk-" followed by the unique ID of the Weakness or Control to which it applies.
For example, if a given Control has the unique ID: CWE-345-AUTH, then the Cucumber test associated with this control should have the tag: @iriusrisk-CWE-345-AUTH.
There are two distinct methods, each with its own API call, that can be used to import the results:
- Import tests based on the Product Scope.
- Import tests based on a Component Scope.
- With this method, the tests will only be mapped to a specific component in the IriusRisk model. For example, if the model consists of a Database, a Web Service and a Java Client component, then you could upload OWASP ZAP results specifically to the Web Service component in order to avoid CWEs being erroneously mapped to the other two components.
Product Scope Upload
Example:
# Cucumber results are a JSON report, e.g. cucumber_results_file=report.json
curl -X 'POST' \
  'https://demo.iriusrisk.com/api/v1/products/test/tests/cucumber/upload' \
  -H 'accept: application/json' \
  -H 'Content-Type: multipart/form-data' \
  -H "api-token: $api_token" \
  -F "fileName=@$cucumber_results_file"
Component Scope Upload
Example:
# OWASP ZAP results are an XML report, e.g. zap_results_file=zap-report.xml
curl -X 'POST' \
  'https://demo.iriusrisk.com/api/v1/products/test/components/test/tests/zap/upload' \
  -H 'accept: application/json' \
  -H 'Content-Type: multipart/form-data' \
  -H "api-token: $api_token" \
  -F "fileName=@$zap_results_file"
Updating Specific Tests
IriusRisk also offers the option of updating specific test results on an individual basis. This could be used to automatically update the results from other tools that are not currently supported with the upload feature.
Example:
# Update a single test (here: cwe1234) in component "test" of product "test"
curl -X 'PUT' \
  'https://demo.iriusrisk.com/api/v1/products/test/components/test/tests/cwe1234' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -H "api-token: $api_token" \
  -d '{
    "state": "not-tested",
    "output": "string"
  }'
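The tag convention above (@iriusrisk-&lt;ID&gt;) and the per-test PUT call can be combined into a small client-side step: read a Cucumber JSON report, group scenario outcomes by their IriusRisk test ID, and build the update request for each ID. The following is an added example, not code from IriusRisk; the sample report is constructed, the state strings other than "not-tested" and the test-ID path segment are assumptions to check against the API documentation.

```python
"""Map Cucumber JSON scenario results to IriusRisk per-test updates via @iriusrisk- tags."""
import json
from collections import defaultdict

TAG_PREFIX = "@iriusrisk-"
# Assumed state strings; only "not-tested" is shown on the page, verify the rest in the API docs
STATE_BY_OUTCOME = {"passed": "passed", "failed": "failed"}

# Constructed sample Cucumber JSON report: one feature, scenarios tagged with IriusRisk IDs
SAMPLE_REPORT = json.dumps([{
    "name": "Authentication",
    "elements": [
        {"name": "Token verified", "tags": [{"name": "@iriusrisk-CWE-345-AUTH"}],
         "steps": [{"result": {"status": "passed"}}, {"result": {"status": "passed"}}]},
        {"name": "Replay rejected", "tags": [{"name": "@iriusrisk-CWE-345-AUTH"}, {"name": "@smoke"}],
         "steps": [{"result": {"status": "passed"}}, {"result": {"status": "failed"}}]},
        {"name": "Query parameterised", "tags": [{"name": "@iriusrisk-CWE-89-SQLI"}],
         "steps": [{"result": {"status": "passed"}}]},
        {"name": "Untagged scenario", "tags": [], "steps": [{"result": {"status": "passed"}}]},
    ],
}])


def scenario_outcome(scenario):
    """A scenario passes only if every step passed; skipped/undefined/empty count as failed."""
    statuses = [s.get("result", {}).get("status") for s in scenario.get("steps", [])]
    return "passed" if statuses and all(s == "passed" for s in statuses) else "failed"


def results_by_test_id(report_json):
    """Return {IriusRisk test ID: state}; an ID with several scenarios fails if any scenario fails."""
    outcomes = defaultdict(list)
    for feature in json.loads(report_json):
        for scenario in feature.get("elements", []):
            for tag in scenario.get("tags", []):
                if tag["name"].startswith(TAG_PREFIX):          # ignore unrelated tags such as @smoke
                    outcomes[tag["name"][len(TAG_PREFIX):]].append(scenario_outcome(scenario))
    return {tid: STATE_BY_OUTCOME["passed" if all(o == "passed" for o in outs) else "failed"]
            for tid, outs in outcomes.items()}


def build_update(base_url, product, component, test_id, state, output=""):
    """URL and JSON body for the component-scope PUT shown on the page (test_id path form assumed)."""
    url = f"{base_url}/api/v1/products/{product}/components/{component}/tests/{test_id}"
    return url, json.dumps({"state": state, "output": output})


if __name__ == "__main__":
    for test_id, state in results_by_test_id(SAMPLE_REPORT).items():
        print(*build_update("https://demo.iriusrisk.com", "test", "test", test_id, state))
```

Send each returned URL and body with the api-token header exactly as in the curl example above.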