Fortify · Schema
Fortify Vulnerability
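Represents a vulnerability finding discovered by Fortify security testing tools. Vulnerabilities are identified through static analysis (SAST), dynamic analysis (DAST), mobile testing, or software composition analysis (SCA) and are classified by severity, category, and kingdom. The schema below marks no property as required and sets additionalProperties to true, so a document can validate with fields missing or with unexpected extra fields; consumers should check for the fields they depend on.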
Application Security, DAST, DevSecOps, SAST, SCA, Security Testing, Vulnerability Scanning
Properties
| Name | Type | Description |
|---|---|---|
| vulnId | integer | Unique identifier of the vulnerability |
| issueInstanceId | string | Stable instance identifier for tracking the vulnerability across scans |
| releaseId | integer | Identifier of the release where the vulnerability was found |
| applicationId | integer | Identifier of the parent application |
| category | string | Vulnerability category name (e.g., SQL Injection, Cross-Site Scripting, Buffer Overflow) |
| kingdom | string | Fortify vulnerability kingdom classification; one of Input Validation and Representation, API Abuse, Security Features, Time and State, Errors, Code Quality, Encapsulation, Environment |
| severity | integer | Numeric severity level (1=Low, 2=Medium, 3=High, 4=Critical) |
| severityString | string | Human-readable severity label (Critical, High, Medium, or Low) |
| scanType | string | Type of scan that detected the vulnerability (Static, Dynamic, Mobile, or OpenSource) |
| status | string | Current audit status of the vulnerability |
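| isSuppressed | boolean | Whether the vulnerability has been suppressed (excluded from active counts); defaults to false. Suppression is recorded separately from isFixed, so a suppressed finding is not necessarily remediated |
| isFixed | boolean | Whether the vulnerability has been fixed; defaults to false |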
| hasComments | boolean | Whether the vulnerability has reviewer comments |
| assignedUser | string | Username of the person assigned to remediate the vulnerability |
| primaryLocation | string | Primary source file or URL location of the vulnerability |
| lineNumber | integer | Line number in the source file where the vulnerability was found |
| fullFileName | string | Full file path of the source file containing the vulnerability |
| introducedDate | string | Date and time when the vulnerability was first detected (date-time format) |
| removedDate | string | Date and time when the vulnerability was resolved (date-time format) |
| closedDate | string | Date and time when the vulnerability was closed (date-time format) |
| analyzer | string | The analysis engine that detected the vulnerability |
| confidence | number | Confidence score for the finding accuracy (0 to 5) |
| impact | number | Impact score for the vulnerability (0 to 5) |
| likelihood | number | Likelihood score of exploitation (0 to 5) |
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://github.com/api-search/fortify/json-schema/fortify-vulnerability-schema.json",
"title": "Fortify Vulnerability",
"description": "Represents a vulnerability finding discovered by Fortify security testing tools. Vulnerabilities are identified through static analysis (SAST), dynamic analysis (DAST), mobile testing, or software composition analysis (SCA) and are classified by severity, category, and kingdom.",
"type": "object",
"properties": {
"vulnId": {
"type": "integer",
"format": "int32",
"description": "Unique identifier of the vulnerability"
},
"issueInstanceId": {
"type": "string",
"description": "Stable instance identifier for tracking the vulnerability across scans"
},
"releaseId": {
"type": "integer",
"format": "int32",
"description": "Identifier of the release where the vulnerability was found"
},
"applicationId": {
"type": "integer",
"format": "int32",
"description": "Identifier of the parent application"
},
"category": {
"type": "string",
"description": "Vulnerability category name (e.g., SQL Injection, Cross-Site Scripting, Buffer Overflow)"
},
"kingdom": {
"type": "string",
"description": "Fortify vulnerability kingdom classification (e.g., Input Validation and Representation, Security Features, API Abuse)",
"enum": [
"Input Validation and Representation",
"API Abuse",
"Security Features",
"Time and State",
"Errors",
"Code Quality",
"Encapsulation",
"Environment"
]
},
"severity": {
"type": "integer",
"format": "int32",
"description": "Numeric severity level (1=Low, 2=Medium, 3=High, 4=Critical)",
"minimum": 1,
"maximum": 4
},
"severityString": {
"type": "string",
"description": "Human-readable severity label",
"enum": [
"Critical",
"High",
"Medium",
"Low"
]
},
"scanType": {
"type": "string",
"description": "Type of scan that detected the vulnerability",
"enum": [
"Static",
"Dynamic",
"Mobile",
"OpenSource"
]
},
"status": {
"type": "string",
"description": "Current audit status of the vulnerability"
},
"isSuppressed": {
"type": "boolean",
"description": "Whether the vulnerability has been suppressed (excluded from active counts)",
"default": false
},
"isFixed": {
"type": "boolean",
"description": "Whether the vulnerability has been fixed",
"default": false
},
"hasComments": {
"type": "boolean",
"description": "Whether the vulnerability has reviewer comments"
},
"assignedUser": {
"type": "string",
"description": "Username of the person assigned to remediate the vulnerability"
},
"primaryLocation": {
"type": "string",
"description": "Primary source file or URL location of the vulnerability"
},
"lineNumber": {
"type": "integer",
"format": "int32",
"description": "Line number in the source file where the vulnerability was found"
},
"fullFileName": {
"type": "string",
"description": "Full file path of the source file containing the vulnerability"
},
"introducedDate": {
"type": "string",
"format": "date-time",
"description": "Date when the vulnerability was first detected"
},
"removedDate": {
"type": "string",
"format": "date-time",
"description": "Date when the vulnerability was resolved"
},
"closedDate": {
"type": "string",
"format": "date-time",
"description": "Date when the vulnerability was closed"
},
"analyzer": {
"type": "string",
"description": "The analysis engine that detected the vulnerability"
},
"confidence": {
"type": "number",
"format": "float",
"description": "Confidence score for the finding accuracy",
"minimum": 0,
"maximum": 5
},
"impact": {
"type": "number",
"format": "float",
"description": "Impact score for the vulnerability",
"minimum": 0,
"maximum": 5
},
"likelihood": {
"type": "number",
"format": "float",
"description": "Likelihood score of exploitation",
"minimum": 0,
"maximum": 5
}
},
"additionalProperties": true
}