SSC-DTrack Bridge

A modern bridge application that seamlessly integrates Dependency-Track with Fortify Software Security Center (SSC) to enable automated vulnerability management and SBOM synchronization between the two platforms.

🚀 Features

• Automated SBOM Synchronization: Automatically uploads CycloneDX SBOMs from Dependency-Track to Fortify SSC
• Real-time Webhook Integration: Processes Dependency-Track webhooks for instant synchronization
• Vulnerability State Management: Syncs vulnerability analysis states between platforms
• Application Lifecycle Management: Creates and manages Fortify SSC applications automatically
• Health Monitoring: Built-in health checks and comprehensive logging
• SSL/TLS Support: Secure communication with nginx reverse proxy
• Docker Ready: Complete containerized deployment with Docker Compose

📋 Prerequisites

• Docker and Docker Compose
• Fortify Software Security Center (SSC) instance
• Dependency-Track instance
• SSL certificates (for production deployment)

🏗️ Architecture

┌──────────────────┐    Webhook    ┌───────────────────┐    API Calls    ┌───────────────────────┐
│ Dependency-Track │ ────────────► │ SSC-DTrack Bridge │ ──────────────► │ Fortify SSC           │
│                  │               │                   │                 │                       │
│ • SBOM Events    │               │ • Flask App       │                 │ • Applications        │
│ • Audit Changes  │               │ • Webhook Handler │                 │ • OSS Vulnerabilities │
└──────────────────┘               └───────────────────┘                 └───────────────────────┘

🚀 Quick Start

1. Clone the Repository

git clone <repository-url>
cd ssc-dtrack-bridge

2. Configure Environment Variables

Create a .env file in the root directory:

# Fortify SSC Configuration
SSC_URL=https://your-ssc-instance.com
SSC_TOKEN=your_ssc_api_token

# Dependency-Track Configuration
DTRACK_URL=https://your-dtrack-instance.com
DTRACK_TOKEN=your_dtrack_api_key

3. Set Up SSL Certificates

Place your SSL certificates in the certs/ directory:

mkdir -p certs
# Copy your SSL certificates
cp your-certificate.crt certs/server.crt
cp your-private-key.key certs/server.key

4. Deploy with Docker Compose

docker-compose up -d

The bridge will be available at:

• HTTPS: https://your-domain.com (via nginx)
• HTTP: http://localhost:8080 (direct access)

⚙️ Configuration

Environment Variables

Variable	Description	Required	Default
SSC_URL	Fortify SSC instance URL	Yes	-
SSC_TOKEN	Fortify SSC API token	Yes	-
DTRACK_URL	Dependency-Track instance URL	Yes	-
DTRACK_TOKEN	Dependency-Track API key	Yes	-

Webhook Configuration

Configure Dependency-Track webhooks to point to your bridge:

URL: https://your-domain.com/dtrack
Events: BOM_PROCESSED, PROJECT_AUDIT_CHANGE

🔧 API Endpoints

Health Check

GET /healthz

Returns the health status of the bridge application.

Dependency-Track Webhook

POST /dtrack

Processes webhook events from Dependency-Track.

Supported Events:

• BOM_PROCESSED: Uploads SBOM to Fortify SSC
• PROJECT_AUDIT_CHANGE: Syncs vulnerability analysis states

📊 Monitoring

Health Checks

The application includes built-in health monitoring:

• Container Health Check: Runs every 30 seconds
• Application Health Endpoint: /healthz
• Comprehensive Logging: Structured JSON logging

Logs

View application logs:

docker-compose logs -f dtrack-ssc-bridge

Resource Limits

• CPU: 2 cores maximum
• Memory: 4GB maximum
• Log Rotation: 100KB files, max 3 files

🔒 Security

• SSL/TLS Encryption: All external communications are encrypted
• API Token Authentication: Secure authentication with both platforms
• Container Security: Non-root user execution
• Network Isolation: Docker network isolation

🛠️ Development

Local Development Setup

1. Install Dependencies

cd docker
pip install flask gunicorn requests

2. Run Locally

python app.py

3. Environment Setup

export SSC_URL=https://your-ssc-instance.com
export SSC_TOKEN=your_ssc_api_token
export DTRACK_URL=https://your-dtrack-instance.com
export DTRACK_TOKEN=your_dtrack_api_key

Building Custom Image

docker build -t your-registry/ssc-dtrack-bridge:latest ./docker

📝 Troubleshooting

Common Issues

1. Webhook Not Receiving Events

   • Verify webhook URL is accessible
   • Check SSL certificate validity
   • Ensure proper network connectivity

2. Authentication Failures

   • Verify API tokens are correct
   • Check token permissions
   • Ensure URLs are accessible

3. SBOM Upload Failures

   • Verify Fortify SSC permissions
   • Check CycloneDX format compatibility
   • Review application creation permissions

Debug Mode

Enable debug logging by modifying the logging level in app.py:

logging.basicConfig(level=logging.DEBUG, ...)

🤝 Contributing

1. Fork the repository
2. Create a feature branch (git checkout -b feature/amazing-feature)
3. Commit your changes (git commit -m 'Add amazing feature')
4. Push to the branch (git push origin feature/amazing-feature)
5. Open a Pull Request

📄 License

This project is licensed under the MIT License - see the LICENSE file for details.

🆘 Support

For support and questions:

• Create an issue in the repository
• Check the troubleshooting section
• Review the logs for error details

🔄 Version History

• v0.1: Initial release with basic SBOM synchronization
• Future versions will include enhanced features and improvements

---

Note: This bridge is designed for production use but should be thoroughly tested in your environment before deployment.