Fortify Software  
What’s New in Fortify Software 23.1.0  
May 2023  
This release of Fortify Software includes the following new functions and features.  
Fortify Software Security Center  
The following features have been added to Fortify Software Security Center.  
FIPS-Inside Technology Preview  
With this release, you can run Fortify Software Security Center functions in RHEL 8.5 and 9.0  
FIPS-only-enabled environments. However, Kerberos SSO authentication is not supported. The  
support is subject to limitations of Red Hat OpenJDK 11 on the RHEL OS in FIPS mode. Since  
this has been released as a Technology Preview, please report any omissions, issues, or gaps in  
functionality so that we can address them prior to the next release.  
Priority Override Signifiers in Reports  
Changes to Fortify priority values (using the priority override feature) are now reflected in issue  
reports. For details, see "Viewing Priority Overrides Information in Issue Reports" in the Fortify  
Software Security Center User Guide, 23.1.0.  
Fortify Insight  
If you have purchased Fortify Insight, you can link your Fortify Software Security Center to your  
Fortify Insight dashboard by adding a Fortify Insight link to your SSC Dashboard.  
Micro Focus Fortify Software (23.1.0)  
Page 1 of 29  
Extended Search Capability for X.509 SSO Implementation  
Previously, for an X.509 SSO implementation, Fortify Software Security Center searched the  
Subject field of the client certificate to retrieve the username for certificate authentication. The  
search now extends to include the Subject Alternative Name field.  
Replacing SOAP fortifyclient with REST fortifyclient  
In an effort to further secure your Fortify Software Security Center deployment, Fortify is  
phasing out SOAP fortifyclient and replacing it with REST fortifyclient. In this release,  
SOAP fortifyclient remains the default, but REST fortifyclient is available to you.  
The file names for both utilities are the same, but the files are in different directories. The SOAP  
fortifyclient files are in <ssc_install_dir>/Tools/fortifyclient/bin and the  
REST fortifyclient files are in <ssc_install_dir>/Tools/fortifyclient-new-  
rest/bin.  
To improve security and prepare for the eventual deprecation of SOAP-based fortifyclient,  
Fortify strongly recommends disabling SOAP and testing the REST version of fortifyclient  
in your testing environment. Report any lack of parity or functionality as soon as possible.  
For more information, see the Fortify Software Release Notes 23.1.0.  
Job Queue Redesign  
A new job execution strategy named "Flexible (technical preview)" is introduced in this release.  
Based on the conservative strategy, the flexible strategy makes more efficient use of job queue  
sensors. Users can switch between the new strategy and previous strategies, as needed.  
Improved Event Log Filtering  
Two new options enable you to refine the data displayed on the Event Logs page. You can now  
specify a username and / or an event type to filter the events that you view and export. To  
remove specified filters, click CLEAR.  
Cloud Database Support  
Fortify Software Security Center now supports SQL Server in both Azure and AWS cloud  
database services.  
Windows Server 2022 Support  
Fortify Software Security Center now supports running on the Windows Server 2022 operating  
system.  
Kubernetes Support  
l
Support added for Kubernetes versions 1.25 and 1.26  
l
Support added for Kubernetes Persistent Volumes with optional support for Pod Security  
Context fsGroup option (fsGroup support is required for using a non-default container user  
ID)  
l
Support added for kubectl command-line tool version 1.24, 1.25, and 1.26. Fortify  
recommends the use of the same version of kubectl command-line tool as the Kubernetes  
Micro Focus Fortify Software (23.1.0)  
Page 2 of 29  
cluster version  
l
Support added for version 3.10 and 3.11 of the Helm command-line tool  
Fortify ScanCentral SAST  
The following features have been added to Fortify ScanCentral SAST.  
Specifying Fortify Static Code Analyzer Options and Properties as -targs and -sargs  
Arguments  
ScanCentral now supports the options specified in -targs and -sargs that Fortify Static Code  
Analyzer allows, and ignores or blocks those that are not allowed.  
Clients now accept rules, filters, and project templates - not only through the designated  
ScanCentral options, but also from the scan arguments parameter (-sargs). Previously, if  
specified, these options were ignored. For more information, see Appendix A: Fortify  
ScanCentral SAST Command-Line Options in the Fortify ScanCentral SAST Installation,  
Configuration, and Usage Guide.  
New Status Command Option: --block-until  
Previously, a ScanCentral client had no way to let you know if an FPR that you uploaded to  
Fortify Software Security Center was processed completely. Now, you can use the --block-  
until option to block additional actions from being performed until processing is complete, so  
that the merged results you later download include all of the audits, comments, suppressed  
issues, and history from the previous scans.  
The new --block-until option for the STATUS command polls Fortify Software Security  
Center for the scan merge status, and then returns the following information:  
l
Job status  
l
SSC upload status  
l
SSC application version ID  
l
SSC application name  
l
SSC application version name  
l
SSC artifact ID  
l
SSC artifact status  
Build Tools  
l
Added support for Maven version 3.9.x  
Auto Detection of Build Tool for Remote Translation  
Previously, to perform a remote translation, you had to supply the -bt (--build-tool) option  
with a value that specified the build tool. Now, Fortify ScanCentral SAST detects the build tool  
automatically based on the project files being scanned. For example, if Fortify ScanCentral SAST  
detects a pom.xml file, it automatically sets -bt to mvn. If it detects a build.gradle file, it  
Micro Focus Fortify Software (23.1.0)  
Page 3 of 29  
sets -bt to gradle. If Fortify ScanCentral SAST detects a *.sln file, it sets -bt to msbuild  
and sets -bf to the xxx.sln file.  
If ScanCentral detects multiple file types (for example, pom.xml and build.gradle), it  
prioritizes the build tool selection as follows: Maven > Gradle > MSBuild and prints a message to  
indicate which build tool type was selected based on the multiple file types found.  
Note: If you specify the build tool manually, auto-detection is overridden.  
Configurable Location for the worker-persist.properties File  
For containerized deployments it is useful to determine where certain files are generated so that  
you can customize persistence. For example, the worker-persist.properties file and the  
job files are stored in the same folder (sensor working directory). Now, you can use two new  
properties to specify where the worker-persist.properties file is generated and where the  
job files are generated. This enables you to persist the worker-persist.properties file,  
which is needed to maintain sensor pool assignments, without having to keep all of the old Job  
files.  
Fortify ScanCentral Controller and Sensor Docker Images and Helm Chart  
ScanCentral Controller and Sensor Docker images are now available on Docker Hub. You must  
be a member of the fortifydocker organization to download the images. A Helm Chart is  
available at https://github.com/fortify/helm3-charts.  
Windows Server 2022 Support  
Fortify ScanCentral SAST now runs on the Windows Server 2022 operating system.  
Micro Focus Fortify Software (23.1.0)  
Page 4 of 29  
Fortify Static Code Analyzer  
The following features have been added to Fortify Static Code Analyzer.  
Features  
l
The Fortify Static Code Analyzer installation program no longer includes the Fortify Static  
Code Analyzer applications and tools. A separate installer is provided to install the Fortify  
Static Code Analyzer applications and tools.  
l
Scan Policy  
You can set a scan policy to identify the most serious vulnerabilities. There are three policies  
to choose from: classic, security, or devops. The classic scan policy is the default; it does not  
prioritize analysis results. The security scan policy is used to exclude issues related to code  
quality from the results. Use this policy to focus on remediation. The devops scan policy  
excludes issues that are also excluded by the security policy and reduces the number of low-  
priority issues. Use this policy when speed is a priority and developers want to review results  
directly (without intermediate auditing).  
l
Filter Files  
You can now set an exclusion threshold value to a filter file by adding one of the following  
exclusion types: priority, impact, likelihood, confidence, probability, and accuracy.  
l
.NET analysis on Linux. You can now translate .NET code on Linux installations of Fortify  
Static Code Analyzer.  
Platforms  
l
Red Hat Enterprise Linux 9.x  
l
macOS 13 on Intel and Apple Silicon (compatibility mode)  
Compilers  
l
Clang 14.0.3  
l
gcc 11  
l
g++ 11  
l
swiftc 5.8  
Build tools  
l
Ant 1.10.13  
l
Gradle 8.0.2  
l
Maven 3.9.1  
l
MSBuild 17.5 (Windows)  
l
Xcodebuild 14.2 and 14.3  
Micro Focus Fortify Software (23.1.0)  
Page 5 of 29  
Languages  
l
.NET 7  
l
Apex 56 and 57  
l
ASP.NET Core 7  
l
C# 11  
l
Dart 2.12 - 2.18 / Flutter 2.0 - 3.3  
Rules for Dart/Flutter will be released in Q2 2023.  
l
ECMAScript 2022  
l
Go 1.18 and 1.19  
l
Kotlin 1.7  
l
PHP 8.2  
l
Python 3.10, 3.11  
l
TypeScript 4.6 - 4.9  
Micro Focus Fortify Software (23.1.0)  
Page 6 of 29  
Fortify Static Code Analyzer Tools  
The following features have been added to Fortify Static Code Analyzer tools.  
The Fortify Static Code Analyzer installer no longer includes the Fortify Static Code  
Analyzer applications and tools. A separate installer is included for installing the Fortify  
Static Code Analyzer applications and tools.  
Platforms and Architectures  
l
Windows 11  
l
macOS 13. All tools run in compatibility mode on Apple M1 and M2 processors  
Secure Code Plugins  
Added support for updated versions of the following IDEs:  
l
Eclipse 2023-03  
l
IntelliJ IDEA 2023.1  
l
Android Studio 2022.1  
l
Visual Studio 2022, version 17.5  
Fortify Extension for Visual Studio  
The remediation phase now supports custom tags that require comments and the priority  
override tag.  
New Report Template Versions  
l
PCI DSS 4.0  
l
PCI SSF 1.2  
l
DISA STIG 5.2  
Micro Focus Fortify Software (23.1.0)  
Page 7 of 29  
Fortify ScanCentral DAST  
The following features have been added to ScanCentral DAST  
Client-side Library Analysis  
The hacker-level insights check has been enhanced to include information from the National  
Vulnerability Database (NVD) and Debricked health metrics when configured with a Debricked  
access token.  
Key Stores  
ScanCentral DAST now provides key stores as a way to create variables that you can use in scan  
settings, base settings, and macro parameters. When a scan is run, these variables are replaced  
with the latest values from the key store.  
Artifacts Repositories  
ScanCentral DAST now supports using artifacts repositories where scan artifacts reside. When a  
scan is run that references an artifact in a repository, either a tagged version or the latest copy  
of the artifact is pulled and used to configure and run the scan.  
Private Data Settings  
You can now configure private data settings that remove personally identifiable information  
from the scan and log data upon scan completion.  
Scan Visualization Enhancements for API Scans  
The site tree in scan visualization now includes icons for operations and parameters in API  
scans.  
Postman Scan Enhancements  
You can now import global variables files to use in Postman scans. There are also changes to  
validation and the ability to edit the sessions contained in collection files after validation.  
Micro Focus Fortify Software (23.1.0)  
Page 8 of 29  
Fortify WebInspect  
The following features have been added to Fortify WebInspect.  
Client-side Library Analysis  
The hacker-level insights check has been enhanced to include information from the National  
Vulnerability Database (NVD) and Debricked health metrics when configured with a Debricked  
access token.  
Two-factor Authentication  
WebInspect has added the ability to automate Two-factor Authentication scans of sites using  
Authenticator Apps. This is in addition to our SMS- and email-based two-factor scanning. Once  
configured, there is no need for user interaction.  
SQLite SecureBase  
WebInspect now uses a SQLite database for SecureBase. The file extension is now  
SecureBase.db.  
Support for Postman Global Variables  
You can now import global variables files to use in Postman scans.  
WebInspect REST API v2  
The WebInspect REST API now includes a version 2, which includes asynchronous versions of  
endpoints that take a long time to complete. These endpoints generate a job token that you can  
use with the v2 Job endpoints to get the status and results from the job.  
Enhanced Support of Localized SecureBase Content  
A new Application Setting for SmartUpdate allows you to select a language to localize the  
security and report content in SecureBase.  
Enhancements to False Positives  
False Positives and ignored items have been renamed as Suppressed Findings in the UI. You can  
now export and import suppressed findings as JSON files.  
Enhanced Support for Client Certificates  
WebInspect now supports client certificates with strong private key (password) protection in  
Guided Scans, Basic Scans, and Interactive Scans.  
Improved Scan Coverage and Performance  
Fortify continues to enhance its engines to improve scan coverage and performance.  
WebInspect 23.1.0 provides a faster crawl and audit, and better application support with the  
Event-based Web Macro Recorder (formerly called Web Macro Recorder with Macro Engine  
23.1.0).  
Micro Focus Fortify Software (23.1.0)  
Page 9 of 29  
WebInspect Software Requirements  
Added support for Windows Server 2022, SQL Server 2022, and SQL Server Express 2022.  
Contact Micro Focus Fortify Customer Support  
If you have questions or comments about using this product, contact Micro Focus Fortify  
Customer Support using one of the following options.  
To Manage Your Support Cases, Acquire Licenses, and Manage Your Account  
https://www.microfocus.com/support  
For More Information  
For more information about Fortify software products:  
https://www.microfocus.com/solutions/application-security  
Micro Focus Fortify Software (23.1.0)  
Page 10 of 29  
What’s New in Micro Focus Fortify  
Software 22.2.0  
November 2022  
This release of Micro Focus Fortify Software includes the following new functions and features.  
Micro Focus Fortify Software Security Center  
The following features have been added to Fortify Software Security Center.  
Priority Override Capability  
Administrators can now enable users to change, or override the priority values assigned to  
issues. With the introduction of priority override capability, the Engine Priority option was  
added to the Group by menu. This grouping selection returns issues based on the original  
priority value assigned by the engine that identified the issue.  
Prioritizing ScanCentral SAST Jobs  
In this release, you can move a pending scan request to the first position in the jobs queue from  
the SCANCENTRAL SAST tab. For details, see "Prioritizing a ScanCentral SAST Scan Request" in  
the user guide.  
Support for Tomcat Access log Pattern for Kubernetes Deployments  
Fortify Software Security Center now supports changing the Tomcat access log pattern for a  
Kubernetes deployment. For details, see "Configuring the Apache Tomcat Access Logs for  
Additional Fields on the Docker Image" in the user guide.  
ScanCentral SAST Tab Enhancements  
The following changes were made to the SAST tab in the SCANCENTRAL view:  
l
The Status column is now the State column, which now displays symbols to indicate the  
current scan state.  
l
The Scan Requests table now includes the Priority column, which shows the order in which  
pending scan requests jobs are to be run. You can sort the listed jobs by selecting the  
Priority heading. The details for an expanded scan request now include the PRIORITIZE  
SCAN button, which you can select to move the scan request to the top of the job queue for  
the pool. You can also click the arrow icon in the Scan Requests table to move the request to  
the top of the queue. For details, see "Prioritizing a ScanCentral SAST Scan Request" in the  
user guide.  
Micro Focus Fortify Software (23.1.0)  
Page 11 of 29  
Viewing and Auditing Debricked Vulnerability Results  
You can now view and audit Debricked scan results for applications in Fortify Software Security  
Center so that, in addition to seeing vulnerabilities in the source code, you can also view the  
open-source vulnerabilities from third-party libraries. For details, see "Viewing Open Source  
Data" in the user guide.  
Creating Clickable Links in Bug Tracking Templates  
As of release 22.1.1, you can use the new HtmlUtil class in the velocity templates for bug  
trackers to create a link to a specific issue in Fortify Software Security Center. For information  
about how to use this class, select the Editing tips link in the EDIT TEMPLATE dialog box (see  
"Customizing Velocity Templates for Bug Tracker Plugins" in the user guide).  
Changes to the About Fortify Software Security Center Box  
The Configuration section of the ADMINISTRATION view now includes the About page, from  
which you configure the SUPPORT link in the About box. For information about how to change  
the SUPPORT link, see "Customizing the Fortify Software Security Center About Box" in the user  
guide.  
Changes to SAML SSO Configuration  
The procedure used to configure Fortify Software Security Center to work with SAML SSO has  
changed (see "Configuring Fortify Software Security Center to Work with SAML 2.0-Compliant  
Single Sign-On Solutions" in the user guide)  
Preventing LDAP Refresh on Startup / Enabling Persisted Cached LDAP Data  
Previously, the LDAP data resided in in-memory cache and was lost at server shutdown. Now,  
you can enable the cached data to persist after shutdown, so that restarting Fortify Software  
Security Center is much faster, especially for large LDAP environments. For more information,  
see "Enabling Persistence of the LDAP Cache" in the user guide.  
Updated Kubernetes Support  
l
Support for Kubernetes 1.23 and 1.24  
l
Support for Helm 3.9  
Micro Focus Fortify ScanCentral SAST  
The following features have been added to Fortify ScanCentral SAST.  
Support for Packaging Java 8 Projects  
If you have a Java 8 project that fails to build because ScanCentral SAST requires Java 11 to  
run, you can set the new SCANCENTRAL_JAVA_HOME environment variable to point Java 11.  
After you do, ScanCentral SAST runs correctly, and the build runs successfully with JAVA_HOME  
set to Java 8 for the project build.  
Upgrade of the Internal H2 Database Engine  
Micro Focus Fortify Software (23.1.0)  
Page 12 of 29  
The internal H2 database for Fortify ScanCentral SAST was upgraded. As a result, you must run  
an associated migration script. For details, see "Upgrading the ScanCentral SAST Controller" in  
the Micro Focus Fortify ScanCentral SAST Installation, Configuration, and Usage Guide.  
Improved Method for Excluding Files From Scans When Using ScanCentral SAST to  
Package Projects  
Previously, Gradle, Maven, and MSBuild integration relied on internal build procedure logic to  
collect files. The only way to exclude files was either to exclude them from the build file, or use  
an additional translation argument (-targs"-exclude...,"), which required that you knew  
where the file was to be saved in the ScanCentral SAST working directory.  
You can now use the -exclude option directly from the ScanCentral SAST command line to  
exclude some files from scans for the Maven, Gradle, MSBuild build tools, and for -bt none. For  
details see "Package Command" in the Micro Focus Fortify ScanCentral SAST Installation,  
Configuration, and Usage Guide.  
Configuring the Name of FPR Files Uploaded to Fortify Software Security Center  
The FPR files uploaded to Fortify Software Security Center are named scan.fpr. You can now use  
the -fprssc option specify the name to use for generated FPR files uploaded to Fortify Software  
Security Center. For details, see "Submitting Scan Requests and Uploading Results to Fortify  
Software Security Center" in the Micro Focus Fortify ScanCentral SAST Installation,  
Configuration, and Usage Guide.  
Micro Focus Fortify Software (23.1.0)  
Page 13 of 29  
Packaging Projects with File Paths that Contain an Umlaut  
Previously, packaging failed if a file name or file path for a project included an umlaut character.  
Now, you can prevent such failures by adding a new property to the fortify-sca.properties file.  
For details, see the cautionary note in "Package Command" in the Micro Focus Fortify  
ScanCentral SAST Installation, Configuration, and Usage Guide.  
Configuring a Proxy for ScanCentral SAST Clients  
If your outbound traffic must go through a proxy, you can now add a proxy configuration for  
that purpose. For details, see "Configuring Proxies for Fortify ScanCentral SAST Clients " in the  
Micro Focus Fortify ScanCentral SAST Installation, Configuration, and Usage Guide.  
(Fortify on Demand only) New Option for Packaging Files for Debricked  
The new -oss packaging option enables you to package additional files that Debricked requires  
for its scans. See "Package Command" in the Micro Focus Fortify ScanCentral SAST Installation,  
Configuration, and Usage Guide.  
Micro Focus Fortify Static Code Analyzer  
The following features have been added to Fortify Static Code Analyzer.  
Operating System Updates  
Fortify added support for the following operating systems and versions:  
l
macOS 12 Apple silicon  
l
Ubuntu 22.04.1 LTS  
Compiler Updates  
Fortify added support for the following compiler versions:  
l
Clang 14.0.0  
l
Swiftc 5.7  
Build Tool Updates  
Fortify added support for the following build tool versions:  
l
Xcodebuild 14 and 14.0.1  
Micro Focus Fortify Software (23.1.0)  
Page 14 of 29  
Language and Framework Updates  
l
COBOL  
IBM Enterprise COBOL for zOS 6.2 and 6.3  
Micro Focus Visual COBOL 7.0 and 8.0  
l
Apex 55  
l
Kotlin 1.6  
l
PHP 8.1  
l
TypeScript / JavaScript  
React 17.0  
React Native .68  
Vue 2  
Note: Rules for Vue 2 will be part of the Fortify Software Security Content 2022 R4 release.  
Micro Focus Fortify Static Code Analyzer Tools  
The following features have been added to Fortify Static Code Analyzer tools.  
Fortify Analysis Plugin for IntelliJ and Android Studio  
The Fortify Analysis Plugin for IntelliJ IDEA and Android Studio now supports:  
l
IntelliJ 2022.2  
l
Android Studio 2021.3  
Eclipse Support  
The Fortify Eclipse Complete Plugin now supports Eclipse 2022-06 and 2022-09.  
Updated CWE Top 2022 Report  
Updated to incorporate content from the Fortify Software Security Content 2022 Update 3.  
Updated Custom Rules Editor  
Includes the following generic and category-specific templates for generating custom  
Configuration, Regex, and Infrastructure as Code (IaC) rules:  
l
Configuration Rule for PropertyMatch  
l
Configuration Rule for XPathMatch  
l
Docker Bad Practices: Untrusted Base Image in Use  
l
Credential Management: Hardcoded API Credential  
l
Regex Rule for ContentRegex  
l
Regex Rule for FileNameRegex  
Micro Focus Fortify Software (23.1.0)  
Page 15 of 29  
l
l
l
l
l
l
Regex Rule for FileNameRegex and ContentRegex  
Structural Rule for Cloud Configuration in Nested Objects  
Structural Rule for Cloud Configuration in Single Object  
Structural Rule for Terraform Configuration in Nested Blocks  
Structural Rule for Terraform Configuration in Single Block  
Terraform Bad Practices: Untrusted Module in Use  
Additional language support:  
l
Apex  
l
Go  
l
HCL  
l
JavaScript/TypeScript  
l
JSON  
l
Kotlin  
l
PHP  
l
Python  
l
YAML  
Additional configuration file type support:  
l
configuration  
l
docker  
l
xml  
Micro Focus Fortify ScanCentral DAST  
The following features have been added to Fortify ScanCentral DAST  
GraphQL Native Support  
ScanCentral DAST now supports scanning GraphQL natively. A Postman collection or workflow  
is no longer required to get a comprehensive GraphQL scan.  
gRPC Scanning  
ScanCentral DAST has added support for gRPC scanning. This popular server-to-server  
framework can now be scanned for security vulnerabilities.  
SOAP Service Scanning  
ScanCentral DAST now supports scanning SOAP services.  
Engine 7.1 Updates  
Micro Focus Fortify Software (23.1.0)  
Page 16 of 29  
Fortify continues to enhance its engines to improve scan coverage and performance.  
ScanCentral DAST 22.2.0 provides a faster crawl and audit and better application support from  
the Web Macro Recorder with Macro Engine 7.1.  
Linux Version  
The ScanCentral DAST core components and sensor are now available on a lightweight Linux  
container. This new Linux option provides enhanced support for automation and sensor auto  
scaling.  
Sensor Auto Scaling  
ScanCentral DAST provides optional sensor auto scaling in Kubernetes that automatically starts  
the sensor container, runs the scan, and shuts down the container upon completion.  
Micro Focus Fortify WebInspect  
The following features have been added to Fortify WebInspect.  
GraphQL Native Support  
WebInspect now supports scanning GraphQL natively. A Postman collection or workflow is no  
longer required to get a comprehensive GraphQL scan.  
gRPC Scanning  
WebInspect has added support for gRPC scanning. This popular server-to-server framework can  
now be scanned for security vulnerabilities.  
Engine 7.1 Updates  
Fortify continues to enhance its engines to improve scan coverage and performance.  
WebInspect 22.2.0 provides a faster crawl and audit, and better application support from the  
Web Macro Recorder with Macro Engine 7.1.  
Linux Version  
WebInspect is now available on a lightweight Linux container. This containerized version of  
WebInspect is a great option for automation scenarios when WebInspect is used through its API.  
Updated SOAP Scanning  
WebInspect will be deprecating its older SOAP scanning option through the Web Service Test  
Designer tool. In preparation, a new mechanism to scan SOAP applications is available through  
the API scanning option.  
Micro Focus Fortify Software (23.1.0)  
Page 17 of 29  
What’s New in Micro Focus Fortify  
Software 22.1.0  
June 2022  
This release of Micro Focus Fortify Software includes the following new functions and features.  
Micro Focus Fortify Software Security Center  
The following features have been added to Fortify Software Security Center.  
Issue Correlation Details  
If you have correlated issues in an application version, you can use the heading for the  
correlated issues icon ( ) to sort listed issues based on whether or not they are correlated  
with other issues (see "Viewing Correlated Issues on the AUDIT Page" in the Fortify Software  
Security Center User Guide). You can also selectively list the issues with which a given issue is  
correlated (see "Auditing Correlated Issues" in the Fortify Software Security Center User Guide).  
Targeted Rulepack Downloads  
Previously, Fortify Software Security Center ignored the clientType parameter in Rulepack  
update requests. As a result, Rulepack clients received all Rulepacks available (both Fortify  
Static Code Analyzer and Fortify Security Assistant Rulepacks). Now, Fortify Software Security  
Center takes the clientType parameter into account for Rulepack update requests. For details,  
see "Updating Rulepacks from the Micro Focus Fortify Update Server" in the Fortify Software  
Security Center User Guide.  
Micro Focus Fortify Software (23.1.0)  
Page 18 of 29  
Updated Processing Rule: Ignore SCA Scans Performed in Quick Scan Mode  
The processing rule for ignoring Fortify Static Code Analyzer scans performed in quick scan  
mode now also prevents the upload of Fortify Static Code Analyzer speed dial results performed  
with a setting of less than four. For details, see "Setting Analysis Results Processing Rules for  
Application Versions" in the Fortify Software Security Center User Guide.  
Report Maintenance: New "Days to Preserve" Option  
On the Scheduler page, the Days to preserve option was added in a new Reports maintenance  
section. This option enables you to specify the number of days Fortify Software Security Center  
retains generated reports. For more information, see "Configuring Job Scheduler Settings in the  
Fortify Software Security Center User Guide.  
Pausing Job Execution  
You can now control job execution by pausing (and then resuming) it using the Pause job  
execution option located on the Maintenance page (ADMINISTRATION > Maintenance). After  
you pause job execution, jobs (artifact processing, report generation, data export requests, and  
so on) that are currently running continue to completion. Any new jobs submitted are queued  
for processing once the Pause job execution check box is cleared and normal processing  
resumes. For more detail, see "Pausing and Resuming Job Execution" in the Fortify Software  
Security Center User Guide.  
Requiring Comments for Specific Custom Tag Values  
Administrators can now require comments for custom tags. When the "Require Comments"  
setting is checked, any changes to the custom tag will cause an additional comment box to  
appear for the custom tag and the Save button will be disabled until a comment is entered. For  
details, see "Adding Custom Tags to the System" in the Fortify Software Security Center User  
Guide.  
Expanded Issue Counts  
Previously, you could display 20, 50, or 100 issues at a time on the AUDIT page. Now, you can  
display up to 150 or 200 issues per page.  
Kubernetes Updates  
l
Added support for Kubernetes 1.22  
l
Added support for Helm 3.8  
Micro Focus Fortify Software (23.1.0)  
Page 19 of 29  
Micro Focus Fortify ScanCentral SAST  
The following features have been added to Fortify ScanCentral SAST.  
Kotlin for Android Support  
You can now use the ScanCentral Client to package Kotlin for Android projects for remote  
translation using Gradle integration (-bt gradle).  
New Command to Update ScanCentral Client  
Using the new update command, you can update ScanCentral Client to the latest version on  
the ScanCentral Controller.  
Get SSC Artifact Processing State Using Job Token  
Using the status command, ScanCentral Client can retrieve the processing state of a job that  
uploaded the FPR to SSC.  
Build Tool Updates  
• Gradle 7.3  
• MSBuild 14.0, 17.0, 17.1, and 17.2  
Support for Multiple Client Versions on the Controller for Auto-Update  
The Auto-Update feature now supports multiple versions of clients. Sensors and embedded  
clients will be updated by the versions available in the Controller, rather than the version of the  
Controller.  
Micro Focus Fortify Static Code Analyzer  
The following features have been added to Fortify Static Code Analyzer.  
Operating System Updates  
Fortify added support for the following operating systems and versions:  
l
macOS 12  
l
Windows 11  
Compiler Updates  
Fortify added support for the following compiler versions:  
l
Clang 13.1.6  
l
OpenJDK javac 17  
l
Swiftc 5.6  
l
cl (MSVC) 2015 and 2022  
Micro Focus Fortify Software (23.1.0)  
Page 20 of 29  
Build Tool Updates  
Fortify added support for the following build tool versions:  
l
Gradle 7.4.x  
l
MSBuild 14.0, 17.0, 17.1 and 17.2  
l
Xcodebuild 13.3 and 13.3.1  
Language and Framework Updates  
l
C# 10  
l
.NET 6.0  
l
C/C++ 20  
l
HCL 2.0  
l
Java 17  
l
TypeScript 4.4 and 4.5  
Note: Rules for Terraform and Google Cloud Platform will be part of the Fortify Software  
Security Content 2022 R2 release.  
Micro Focus Fortify Static Code Analyzer Tools  
The following features have been added to Fortify Static Code Analyzer tools.  
Visual Studio 2022 Support  
The Fortify Extension for Visual Studio now supports Visual Studio 2022.  
IntelliJ 2021.x Support  
The Fortify Analysis Plugin for IntelliJ now supports IntelliJ 2021.x to 2021.3.  
Import Standard Fortify Rulepacks from Filesystem  
Use the Options menu in Fortify Audit Workbench, Fortify Eclipse Complete Plugin, and Fortify  
Extension for Visual Studio to import Fortify Rulepacks downloaded from the Customer Portal.  
Compare LOC of Scanned Files Between Two FPRs  
View LOC counts of analyzed files in an FPR (-loc) or compare LOC counts between two FPRs  
using FPRUtility (-loc, -compareTo).  
Configurable Timeout for fortifyupdate  
Configure the socket timeout for fortifyupdate using the  
rulepackupdate.SocketReadTimeoutSeconds property in the server.properties file.  
The default value is 180.  
Micro Focus Fortify Software (23.1.0)  
Page 21 of 29  
New Search Modifier: shortfilename  
In Fortify Audit Workbench and the Fortify Plugins for Eclipse, you can use shortfilename as  
a search modifier in Issue Templates to filter or hide issues that match the file name. For full  
path matches, continue to use the file search modifier.  
New OWASP Top 10 2021 Report  
Generate new OWASP Top 10 Report (2021) from the following tools:  
• Fortify Audit Workbench  
• Fortify Extension for Visual Studio  
• Fortify Remediation Plugin for Eclipse  
• BIRTReportGenerator  
Micro Focus Fortify ScanCentral DAST  
The following features have been added to Fortify ScanCentral DAST  
User Configuration Restrictions  
l
New permissions allow you to bar scanning of specific domains or IP addresses.  
l
New Modify User permission required to allow user to modify a scan. A user who does not  
have this permission can only configure a scan URL, login macro, workflow macros, and  
network credentials. With this limited role, users can start scans, create scans from base  
settings, and view settings but not change them.  
PostgresSQL Support  
l
Support for use of a PostgresSQL database.  
Scan Import  
l
Import Scans into ScanCentral PostgresSQL database from Fortify WebInspect or Fortify  
WebInspect Enterprise.  
Automated Deployment (Infrastructure as Code)  
l
Support for the fully automated deployment of ScanCentral DAST.  
Rescan Button  
l
The Rescan button allows you to rescan and existing scan.  
Micro Focus Fortify Software (23.1.0)  
Page 22 of 29  
Micro Focus Fortify WebInspect  
The following features have been added to Fortify WebInspect.  
Support for HAR Files  
Scanning with workflow macros ensures that important content is covered in a scan. WebInspect  
can now use HAR files for workflow scanning.  
Out-of-Band Testing  
WebInspect can now test for a new class of vulnerabilities called Out-of-Band or OAST  
vulnerabilities. Using the public Fortify OAST server, WebInspect can detect OAST  
vulnerabilities such as Log4Shell.  
Engine 7.0 Updates  
Fortify continues to enhance its engines to improve scan coverage and performance.  
WebInspect 22.1.0 provides a faster crawl and audit, and better application support from the  
Web Macro Recorder with Macro Engine 7.0.  
MS SQL AD Authentication Support  
WebInspect 22.1.0 can now use a MS SQL Database using AD Authentication.  
Windows 11 Support  
WebInspect 22.1.0 is now supported on the Windows 11 operating system.  
Azure SQL Database Support  
WebInspect 22.1.0 can now use an Azure SQL Database for storing scan data.  
Sensor Support for Fortify WebInspect Enterprise 21.2.0  
WebInspect 22.1.0 can be configured as a sensor for Fortify WebInspect 21.2.0.  
Micro Focus Fortify Software (23.1.0)  
Page 23 of 29  
What’s New in Micro Focus Fortify  
Software 21.2.0  
November 2021  
This release of Micro Focus Fortify Software includes the following new functions and features.  
Micro Focus Fortify Software Security Center  
The following features have been added to Fortify Software Security Center.  
Static/Dynamic Issue Correlation Indicator  
l
In this release we introduce the static/dynamic issue correlation indicator. After static and  
dynamic scans are run on an application version and the results have been uploaded to  
Fortify Software Security Center, issues that were uncovered by both static and dynamic  
scans are tagged with the correlation ( ) indicator on the AUDIT page.  
ScanCentral SAST Controller Updates  
l
You can now place the ScanCentral SAST Controller into maintenance mode which prevents  
scans that are running on the sensor from losing data.  
l
You can shut down ScanCentral SAST Controller sensors individually or in a batch.  
ScanCentral DAST Scans Support  
l
The Scans feature now includes both static and dynamic scan results  
New Premium Quarterly Reports  
l
PCI SSF (Software Security Framework) 1.2 report  
l
CWE Top 25 report  
LDAP Update  
l
You can now configure Fortify Software Security Center to invalidate tokens created by users  
who have been disabled in LDAP  
Java 11 Deployment  
l
Software Security Center can be deployed in a Java 11 (or higher) environment  
Kubernetes Updates  
l
Added support for Kubernetes 1.21  
l
Added support for Helm 3.6 and 3.7  
Micro Focus Fortify Software (23.1.0)  
Page 24 of 29  
Micro Focus Fortify ScanCentral SAST  
The following features have been added to Fortify ScanCentral SAST.  
Support for the Fortify License and Infrastructure Manager  
l
You can now centrally manage your Fortify ScanCentral SAST licenses through the Fortify  
License and Infrastructure Manager.  
MSBuild Integration Update  
l
With the 21.1.0 release of Fortify Static Code Analyzer, MSBuild integration was updated with  
support for .NET 5 and other new features. Fortify ScanCentral SAST now supports this new  
MSBuild integration functionality.  
Go Language Support  
l
Added support for Go version 1.17.  
Graceful Shutdown and Timer Support  
l
When shutting down Fortify ScanCentral SAST, the controller allows currently running scans  
to complete while keeping other scans from starting. Once the controller is running again, it  
will run the scans in the queue. In addition, a timeout can be set for long running scans that  
will cancel the scan if breached and free the sensor to pick up a new scan request.  
Sensor Pool Assignment Improvement  
l
When starting up a sensor, you can assign it to a specific sensor pool without having to use  
the Fortify Software Security Center UI.  
Micro Focus Fortify Static Code Analyzer  
The following features have been added to Fortify Static Code Analyzer.  
Fortify License and Infrastructure Manager  
l
For customers that use Fortify under the Concurrent Scanning license model, Fortify Static  
Code Analyzer can now use the Fortify License and Infrastructure Manager to obtain a license  
key rather than the traditional fortify.license file. This enables the correct sharing of the  
Fortify Scan Machine license metric between Fortify Static Code Analyzer and WebInspect  
instances. The option to use the traditional fortify.license file is still available.  
Regular Expression (regex) Analysis  
l
The Fortify Static Code Analyzer Configuration analyzer can now detect vulnerabilities in file  
names and content using RegEx-based rules.  
Operating System Updates  
Fortify added support for the following operating systems and versions:  
Micro Focus Fortify Software (23.1.0)  
Page 25 of 29  
l
l
l
l
IBM AIX 7.1  
Oracle Solaris SPARC 11.3  
Oracle Solaris x64 11.4  
Windows Server 2022  
Compiler Updates  
Fortify added support for the following compiler versions:  
l
gcc 10.2.1  
l
g++ 10.2.1  
l
Swiftc 5.4.2  
Build Tool Updates  
Fortify added support for the following build tool versions:  
l
Gradle 7.2  
l
Maven 3.8.2  
l
MSBuild 16.11  
l
Xcodebuild 12.5.1  
C++ Updates  
l
Added support for gcc on Macintosh  
l
Added support for gcc version 10.2.1  
l
Added support for C++ 14 and 17  
JavaScript Improvements  
l
Added support for ECMAScript 2021  
l
Added support for TypeScript 4.2 - 4.3  
l
Made Type inference improvements  
l
Added support for SAPUI5/OpenUI5  
l
Minified JS excluded from scan by default  
Go Language Update  
l
Added support for Go 1.17  
YAML Support  
l
Added support for translating YAML code  
Kotlin Update  
l
Added support for Kotlin 1.5  
PHP  
l
Completed support for PHP 8  
Scala  
Micro Focus Fortify Software (23.1.0)  
Page 26 of 29  
l
Eliminated the need for a separate license from Lightbend for Scala translations. A license  
key is still required to run the plugin. The key is now included in the Fortify distribution.  
Configuration Scanning  
l
JSON scanning enabled by default  
l
Added YAML scanning  
Micro Focus Fortify Static Code Analyzer Tools  
The following features have been added to Fortify Static Code Analyzer Tools.  
ScanCentral SAST Support  
l
Added Remote Translation capability to Fortify Scan Wizard, and the Fortify Eclipse Plugins  
l
Added ability to configure Fortify ScanCentral SAST and launch local and remote translations  
and scans from the Fortify Eclipse Complete Plugin running an advanced analysis.  
New PCI SSF Report  
Generate new PCI SSF Report (version 1.2) from the following tools:  
l
Fortify Audit Workbench  
l
Fortify Visual Studio Extension  
l
Fortify Eclipse Plugins (Complete and Remediation)  
l
BIRTReportGenerator  
Micro Focus Fortify ScanCentral DAST  
The following features have been added to Fortify ScanCentral DAST.  
Correlated Issues  
l
ScanCentral DAST can now uncover correlations between DAST and SAST results and  
forward the information to Fortify Software Security Center. Correlated results are displayed  
in the Fortify Software Security Center AUDIT View.  
Scan Visualization Update  
l
Selected scan visualizations can be opened in a new browser tab rather than using Site  
Explorer.  
Client-Side Certificate Support  
l
Upload a certificate and password for use when running a scan. If a scan requires the  
certificate, ScanCentral DAST will download and install it.  
l
Enable Redundant Page Detection and use it when running a scan.  
Scan Priority Level  
Micro Focus Fortify Software (23.1.0)  
Page 27 of 29  
l
l
All scans can be assigned a priority level.  
When a scan is queued because there isn't a free sensor and a scan with a lower priority is  
running, the lower-priority scan will be shut down so the scan with the higher priority can run.  
The scan with the lower priority will restart when a sensor becomes available.  
Azure SQL Support  
l
The ScanCentral DAST Configuration Tool now supports Azure SQL and Azure Managed  
SQL.  
l
The ScanCentral DAST container now supports Azure SQL and Azure Managed SQL.  
Micro Focus Fortify WebInspect  
The following features have been added to Fortify WebInspect.  
API Discovery  
With the new API Discovery, any Swagger or OpenAPI schema detected during a scan will have  
its endpoints added to the existing scan and authentication will be applied to the endpoints with  
our automatic state detection. In addition, probes will be sent to default locations of popular API  
frameworks to discover schemas.  
Two-factor Authentication  
Two-factor Authentication is a common requirement in enterprises and can be a burden to the  
security tester to get a bypass or to manually scan. WebInspect now offers the ability to  
automate Two-factor Authentication scans. This is accomplished by installing a lightweight  
Android app onto a phone or emulator that can capture SMS and Email tokens and pass them  
back to the scanner for authentication. Once configured, there is no need for user interaction.  
Automatic State Detection  
WebInspect now automatically detects and configures state for Oauth, JWT, and Bearer Tokens  
during a scan.  
Engine 6.1 Updates  
Fortify continues to enhance its engines to improve scan coverage and performance.  
WebInspect 21.2.0 provides a faster crawl and audit, and better application support from the  
Web Macro Recorder with Macro Engine 6.1.  
Improved DOM XSS Detection  
WebInspect 21.2.0 has new DOM XSS detection capabilities for analyzing client-side code for  
XSS. This will allow for improved XSS attack performance and the ability to detect client-side  
only attacks, such as XSS in DOM fragments.  
Web Fuzzer Tool  
The Web Fuzzer Tool lets you run Fuzzing tests that submit random or sequential data to  
various areas of an application to uncover security vulnerabilities. For example, when searching  
Micro Focus Fortify Software (23.1.0)  
Page 28 of 29  
for buffer overflows, a tester can generate data of various sizes and send it to one of the  
application entry points to observe how the application handles it.  
Micro Focus Fortify WebInspect Enterprise  
The following features have been added to the Fortify WebInspect sensor used in WebInspect  
Enterprise.  
Note: WebInspect Enterprise 21.2.0 is scheduled for release in the latter half of December 2021.  
API Discovery  
With the new API Discovery function in WebInspect, any Swagger or OpenAPI schema detected  
during a scan will have its endpoints added to the existing scan and authentication will be  
applied to the endpoints with our automatic state detection. In addition, probes will be sent to  
default locations of popular API frameworks to discover schemas.  
Automatic State Detection  
WebInspect now automatically detects and configures state for Oauth, JWT, and Bearer Tokens  
during a scan.  
Engine 6.1 Updates  
Fortify continues to enhance its engines to improve scan coverage and performance.  
WebInspect 21.2.0 provides a faster crawl and audit, and better application support from the  
Web Macro Recorder with Macro Engine 6.1.  
Improved DOM XSS Detection  
WebInspect 21.2.0 has new DOM XSS detection capabilities for analyzing client-side code for  
XSS. This will allow for improved XSS attack performance and the ability to detect client-side  
only attacks, such as XSS in DOM fragments.  
Micro Focus Fortify Software (23.1.0)  
Page 29 of 29