Skip to content
Node.js app and Docker image to convert Fortify SCA CSV output to SonarQube Generic Issue JSON
TypeScript JavaScript Dockerfile Shell
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

Fortify to SonarQube

Node.js app as Docker image to convert Fortify SCA CSV output to SonarQube Generic Issue JSON.

Distributable Docker Image

Available as the Docker image coveros/fortify-to-sonarqube:

$ docker pull coveros/fortify-to-sonarqube

Transform Fortify CSV to SonarQube JSON

Mount the host directory containing the input file and the output file destination. By default, the application expects the input file to be /app/date/input.csv, and will output to /app/data/output.json.

To use these default settings, place the input file at /host/path/to/files/input.csv on your machine, and run the following command:

$ docker run --rm -v /host/path/to/files:/app/data coveros/fortify-to-sonarqube

The JSON output will be availabe at /host/path/to/files/output.json

To specify the names of the input and output files, execute the transform command, defining one or both as input arguments. For example, if you have an input file /host/path/to/files/custom-input-name.csv and you would like to generate /host/path/to/files/custom-output-name.json, run the following command:

$ docker run --rm -v /host/path/to/files:/app/data coveros/fortify-to-sonarqube transform -i /app/data/custom-input-name.csv -o /app/data/custom-output-name.json

Use in Jenkins Pipeline

Before converting the Fortify CSV input into the output required for the SonarQube Generic Webhook, you first need to perform the Fortify SCA scan and convert the output to csv using FPRUtility.

docker.image(<IMAGE WITH FORTIFY SCA>).inside() {
  ...perform Fortify scan, generating .fpr file...
  sh "FPRUtility -information -listIssues -project path/to/fpr/output.fpr -outputFormat CSV -f path/to/fprcsv.csv"

By using docker.image().inside(), Jenkins will mount the workspace directory to the fortify-to-sonarqube container, and execute the commands from that location. Therefore, the file locations will be relative to the workspace. Set the input file to the csv created in the prior step.

docker.image('coveros/fortify-to-sonarqube:latest').inside() {
  sh 'transform -i path/to/fprcsv.csv -o path/to/output.json'

Upload the transformed output as a SonarQube External Issues Report:

For example, when using Maven

mvn sonar:sonar -Dsonar.externalIssuesReportPaths=path/to/output.json

Example Transformation

Fortify CSV
IID, category, path, analyzer
1, Dead Code: Unused Field, src/main/java/com/api/helloWorld/, structural
SonarQube Generic Issue JSON
  "issues": [
      "engineId": "fortify",
      "ruleId": "1",
      "primaryLocation": {
        "message": "Dead Code: Unused Field",
        "filePath": "src/main/java/com/api/helloWorld/",
        "textRange": {
          "startLine": 41
      "type": "VULNERABILITY",
      "severity": "INFO",
      "effortMinutes": 0

From Source


To compile the Typescript source into distributable Javascript

$ npm run tsc

Compiled Javascript located in the dist directory


Application uses Jest for unit testing

$ npm run test


Application uses TSLint for code quality analysis

$ npm run lint 


Run the application, specifying the input file and output file location

$ npm run start -- -i /path/to/input.csv -o /path/to/output.json


$ node dist/index.js -i /path/to/input.csv -o /path/to/output.json

For example

$ npm run start -- -i ./test/testinput.csv -o ./test/testoutput.json

Build Docker Image

To build the docker image coveros/fortify-to-sonarqube:latest

$ docker build -t coveros/fortify-to-sonarqube:latest .
You can’t perform that action at this time.