Trouble with FortifyVulnerabilityExporter in Sonarqube version 8.9

Hi @Colin,

I am using FortifyVulnerabilityExporter in Sonarqube version 8.9.
There are specific features that are not working as fortifysonarqubeplugin works with Sonarqube version 7.9 which are as follows:
a) Can’t have any “tag” specific to Fortify issue in the tool. If not how shall we create a new tag?
b) Even rules are also not specified? How we can mark any fortify reported issue as a “False Positive”?
c)JSON is uploaded we can’t see the rule description so that we can get the correct visual for it.

Can you help me with those clarifications?
Thanks in advance.


1 Like

Hi Team,
Can anyone update me on this?


Hi Akanchha,

First, I’d like to direct you to the FAQ, and specifically:

You’re asking for help with a 3rd-party plugin. Really, you’re best served by directing your questions to the provider of the plugin.


Hi Team,

I am using Sonarqube 8.9 version, for handling security vulnerabilities using fortifyVulnerabilityExporter.
In the issue column, all the issues reported by fortifying can’t be filtered through tags. Can you help me how to create a tag for the third-party plugin?

We are not able to mark any of the fortify reported issues as False Positive. How we can achieve this?
How we can create a new rule?
When we open any of the issues and click why is this rule. to see the description. We can’t get the description details

Looking forward to your response!

Hi again Akanchha,

I’m consolidating your posts here in this thread I created for you when I moved your post on an only-tangentially related thread to a new thread.

You pose the question slightly differently this second time. Although the answer is largely the same: look to the plugin vendor.

That said, from your questions, it looks like Fortify chose to implement a plugin to import its issues as “external” issues, rather than as native issues.

  • External issues must be marked False Positive / Won’t Fix in the source tool.
  • External issues have no rule descriptions
  • I believe you should have equal ability to tag any kind of issue, even external ones.

IMO you should lobby Fortify to provide a plugin that provides rule descriptions and imports its issues as ones that can be managed in SonarQube.