Importing Test Results from External Tools

This page has been moved to Zendesk. Please, refer to this link for the latest version.


IriusRisk can import vulnerability results from ThreadFix, through the ThreadFix API.  IriusRisk uses CWE as the ID for weaknesses in the threat model, and ThreadFix also uses CWE to do the vulnerability consolidation from different tools.  In the threat model, weaknesses are associated with tests, and vulnerabilities are interpreted as test failures linked to weaknesses.  In other words, when importing vulnerabilities from ThreadFix, IriusRisk finds or creates weaknesses in the model and then sets the Test status of the weakness to the result indicated by ThreadFix.

The default ThreadFix settings for all IriusRisk products can be set in the Global Default Configuration

Those settings will be used as the default settings for all newly created products.  Since each product in IriusRisk would typically map to a different application in ThreadFix, leave the "Unique application ID" field blank so that it can be set on each product.

Once a new product is created ThreadFix can be configured for the product from its Action menu -> Settings

Once ThreadFix is configured, tests will be imported automatically using the interval specified in the Testing section → Import Interval.  This is set to 5 minutes by default.

Alternatively, the results can be imported immediately from the Threats tab → Action → Import automated test results

Vulnerability Import Process

Each vulnerability from ThreadFix is imported using the following process:

  1. The CWE ID from ThreadFix is used to search through all Weaknesses in all Components in the Product modelled in IriusRisk.
    1. if a match is found, then the Test status is set to Failed if a vulnerability is present, or Passed if it is marked as a false positive (i.e. the test is known to have been performed and it's known that it is not a vulnerability).  The additional vulnerability information is imported into the Test Results panel.
  2. If no Weakness is found with the CWE ID, then a new Component is created with the name "Undefined" and all Risk Pattern Libraries within IriusRisk are searched for a weakness that matches the CWE ID.
    1. if a match is found, then the entire risk pattern is imported, including the UseCase, Threat, Weaknesses and Controls.  And the Test status of the Weakness as well as additional vulnerability data is updated for the Test.  Note that since the entire risk pattern is imported, this may include additional risks and countermeasures that are known to be associated with the given weakness.
  3. If no Weakness is found in any of the risk pattern libraries then an "Undefined" use case is created and an "Undefined" Threat.  And a new Weakness is created with the data from the ThreadFix vulnerability.

In the cases of 2 and 3 above, the threats should then be moved into the correct component by dragging and dropping them in the Threats table, or by using the Action → Copy or Move operations.

Using the Artifacts Upload feature - HP Fortify SCA

IriusRisk is able to parse, interpret and import the vulnerability detection results file (.fpr) from HP Fortify scans. 

To import these results, select the product and go to the Architecture tab. From the Artifacts panel you can choose the .fpr file to upload or drag and drop it on the named area.  Note that the vulnerabilities will be imported based on the Product Scope method where IriusRisk will attempt to match the vulnerabilities across all components in the model.  If the Fortify results do not apply to all components in the model, then we recommend using the API to upload the results using Component Scope.

During the import process the detected vulnerabilities will be mapped into IriusRisk as explained in the "Vulnerability Import Process" on this page. The result source for the test will be set to HP Fortify.

Additional vulnerability details provided by Fortify will be imported into the Weakness Test Result.

Using the API - HP Fortify SCA, BDD-Security, Cucumber, JUnit and OWASP ZAP

IriuskRisk supports importing test and scan results from BDD-Security, CucumberOWASP ZAP and HP Fortify.  The output of these tools can be uploaded to IriusRisk through the API, documented here The current API path is and the specific calls that allow test updates are described below.

Both BDD-Security and OWASP ZAP results can be uploaded directly without any further configuration, because the mapping between the test and the model in IriusRisk is done through the CWE ID - and sometimes a unique more specific ID used by BDD-Security.  But in the case of Cucumber, each cucumber test should have a tag associated with it with the prefix: "@iriusrisk-" followed by the unique ID of the Weakness or Control to which it applies.  For example, if a given Control has the unique ID: "CWE-345-AUTH", then the cucumber test associated with this control should have the tag: "@iriusrisk-CWE-345-AUTH".  Examples of these can be found in the BDD-Security story files.

There are two distinct methods and API calls that can be used to import the results:

  1. Import tests based on the Product scope.  Using this method, the tests will be mapped and updated using the strategy explained in the Threadfix section
  2. Import tests based on a Component scope.  With this method, the tests will only be mapped to a specific component in the IriusRisk model.  For example, if the model consists of a Database, Web Service and Java Client components, then you could upload OWASP ZAP results specifically to the Web Service component, to avoid CWE's being erroneously being mapped to the other two components. 

Product Scope Upload


curl -X POST --header 'Content-Type: multipart/form-data' --header 'Accept: application/json' --header "api-token: $api_token" \
-F fileName=@"$zap_results_file.xml"  '$product-ref/tests/$[zap|cucumber|junit|hp-fortify]/upload'

Component Scope Upload


curl -X POST --header 'Content-Type: multipart/form-data' --header 'Accept: application/json' --header "api-token: $api_token" \
-F fileName=@"$cucumber_results_file.json"  'https://yourcurrent-iriusrisk-$product-ref/components/$component-ref/tests/$[zap|cucumber|junit|hp-fortify]/upload'

Updating Specific Tests

IriusRisk also offers the option of updating specific test results on an individual basis.  This could be used to automatically update the results from other tools that are not currently supported with the upload feature.


curl -X PUT --header 'Content-Type: application/json' --header 'Accept: application/json' --header "api-token: $api_token" \
 -d '{"state": "failed", "output": "The test has failed"}' '$product-ref/components/$component-ref/tests/$CWE-ID'

On this page: