Export custom tags from HP Fortify SSC

Question

I'm using HP Fortify SSC to audit security issues in a project.

In order to estimate the time needed to fix the issues, I've added a custom tag "estimate" which we fill in for each issue.

Now I would like to export a list of issues, with their "estimate" value, so that I can do some maths with the values.

How can I do this? I've tried a handful of report types, but they all seem to munge the data too much.

Answer 1

SSC reports are BIRT reports that can be created/edited using the BIRT editor in Eclipse (http://www.eclipse.org/birt/). If there is a shipped report that you like and just want to add the extra tag to, you can download the report template from the Reports->Report Definitions area in SSC.

EDIT 1: Once you have the Report Definition you want to modify, open Eclipse and create a new project. Import the report and open it. Under Data Sources, open the data source and click Manage Drivers. Add the JTDS driver that you added to the SSC WAR when configuring it. Select the JTDS driver as the Driver Class and then specify the same Database URL, User Name and Password that you did in the WAR. Then click Test Connection... to ensure that you can connect to the server.

It appears that SSC 4.10 uses BIRT version 2.6.2.r262_v20110120. I don't know if newer report versions will work, but you can always try.

EDIT 2: If you look at the About BIRT Reports in Software Security Center section in the HP Fortify SSC User Guide, it gives a lot of information about setting up BIRT and creating/modifying the shipped reports.