Fortify BugTracker Utility


Micro Focus Micro Focus Community

App Support Tiers


Support via Micro Focus Software Support, with a ticket filed against the associated product.


Micro Focus offers a content partnership program for select partners. Support for Partner Content offerings is provided by the partner and not by Micro Focus of the Micro Focus community.


Micro Focus Community Content is provided by Micro Focus for the benefit of customers, support for it is not available via Micro Focus Software Support but through specific community content forums.


Community Contributed Content is provided by Micro Focus customers and supported by them.

Micro Focus | Micro Focus Community

FortifyBugTrackerUtility allows for submitting vulnerabilities from either Fortify on Demand (FoD) or Software Security Center (SSC) to various bug trackers and other external systems including ALM Octane, JIRA, Archer, and MS TFS.
See previous releases


FortifyBugTrackerUtility allows for automated submission of vulnerability information from both Fortify on Demand (FoD) and Fortify Software Security Center (SSC) to bug tracking systems like Atlassian JIRA, ALM Octane and Microsoft Azure DevOps (formerly TFS/VSTS), and other external systems like RSA Archer or CSV file.The utility is fully configurable through an XML configuration file, specifying details like:

  • Vulnerability selection criteria, for example submitting only vulnerabilities audited as 'Exploitable'
  • Vulnerability grouping criteria, for example submitting a single ticket for all XSS vulnerabilities in a single JSP file
  • Fields to be submitted to the bug tracker
  • State management, specifying how to close or re-open bug tracker issues based on SSC/FoD vulnerability state

Some advantages compared to the native bug tracker functionality included with FoD/SSC:

  • Fully automated workflow; the utility can be run on a scheduled basis or as part of build jobs
  • Fully configurable; many scenarios can be supported without requiring any code changes
  • Open source, allowing for easily adding support for other systems
  • May support external systems that are not (yet) supported by FoD/SSC
  • Supports submitting a single vulnerability to multiple external systems
  • For FoD: Allows for submitting issues to on-premise bug trackers without requiring a direct connection between FoD and the on-premise bug tracker

For detailed usage and configuration instructions, please refer to the documentation included with the distribution zip file.This utility was developed by Fortify Professional Services in collaboration with the customer community. The plugin is provided as-is and is not supported through the regular Fortify support channels. If you require assistance with deployment, bug fixes or enhancements, we encourage you to reach out to your Fortify Professional Services representative, or send an email to


Fortify BugTracker Utility 3.9
Jan 8, 2020
More info Less info
Product compatibility
Version 20.10
Version 19.20 · 19.10
Version 18.20 · 18.10
Release notes

SSC: Added configuration options for including hidden/suppressed/removed vulnerabilities

Fortify BugTracker Utility 3.7
Apr 5, 2019
More info Less info
Product compatibility
Version 0.0
Release notes

Changes in this version:

  • SSC: Fixed NotSerializableException if addNativeBugLink is set to true
  • SSC: Fixed potential double slash in SSC deep links
  • TFS: Fixed failing TFS requests due to empty 'fields' request parameter
  • TFS: Fixed configuration file not using the same description fields in fields/appendedFields
  • General: Updated dependencies & dependency versions to avoid using potentially vulnerable dependencies
Fortify BugTracker Utility 3.5
Aug 13, 2018
More info Less info
Product compatibility
Version 20.10
Version 19.20 · 19.10
Version 18.20 · 18.10
Version 17.1 · 17.20
Release notes

Major update with lot's of internal refactoring, bug fixes and new and changed functionality. The sections below provide more details about the major changes from an end user perspective.Documentation & command usage:

  • A lot of documentation has been added and updated.
  • The '-help' function has been improved, providing a lot more detail about available command line options.
  • Command line options can now be specified in arbitrary order, and prefixed with either a single or double dash.
  • Most command line options can either be provided on the command line or in the configuration file.
  • The utility no longer prompts for required command line option values like URL's and credentials; you will need to explicitly provide these as command line options (on the command line or through the configuration file). If you have a need for having the utility prompt for option values, please file a feature request.


  • Configuration file format has changed significantly. If you were previously using a customized configuration file, you will need to re-do these customizations based on the new configuration files included in the distribution.
  • SSC application version/FoD application release processing has been improved and offers additional functionality.
  • The utility now allows for arbitrary data to be loaded from FoD/SSC by configuring additional REST API endpoints to be invoked, allowing users to use this data for filtering and target issue data.
  • Additional target issue data is now available for use in the configuration files, thereby increasing the possibilities for bidirectional sync.
  • Various other new or improved configuration settings.

Functionality & bug fixes:

  • The 'Add Existing Bugs' native SSC bug tracker plugin now also supports SSC 17.20+.
  • Previously the utility blindly updated target issue fields during every state management operation. This new version checks whether any target issue fields need to be updated, and only updates these fields if there have been any changes.
  • Improved error management and additional checks, for example to avoid processing vulnerabilities that have been previously submitted to a target system on a different host.
  • Bug fix for improved performance when loading vulnerability data from SSC.
Fortify BugTracker Utility 3.4
40.2 MB
Jun 6, 2018
More info Less info
Product compatibility
Version 18.20 · 18.10
Release notes

Internal refactoring to use generic Fortify Client API library

  • Bug fixes and various changes
  • Build process updated to use Maven release plugin
FortifyBugTrackerUtility 3.1
Aug 29, 2017
More info Less info
Product compatibility
Version 0.0
Version 17.1 · 17.20
Release notes
  • Added updated documentation to distribution zip
  • Fixed bug that prevented users from specifying user name and password for native SSC bug tracker integrations
  • Added SSC 'Add Existing Bugs' native bug tracker integration

Unsubscribe from notifications

You are receiving release updates for this item because you have subscribed to the following products:
If you unsubscribe, you will no longer receive any notifications for these products.
Tip: to update your subscription preferences, go to Manage Subscriptions from your Dashboard, uncheck the products you no longer want to receive notifications for, and click 'Save'.

Marketplace Terms of Service

In order to continue, you must accept the Marketplace Terms of Service and Micro Focus Terms of Service
Since you are downloading an app from the Micro Focus unified Marketplace using an Access Manager account, you need to also accept the Micro Focus Marketplace Terms of Service before you can continue. Use the link to review the Marketplace Terms of Service. Once complete check the, "I accept the Marketplace Terms of Service and the Micro Focus Terms of Service" box below and click accept to continue your download.

Your download has begun...

Your download has begun

Related content and resources

Your browser is not supported!

Please upgrade to one of the following broswers: Internet Explorer 11 (or greater) or the latest version of Chrome or Firefox

release-rel-2020-8-1-3011 | Thu Aug 6 03:14:12 PDT 2020