Micro Focus Fortify Security Assistant Plugin for Eclipse  
Software Version: 22.2.0  
User Guide  
Document Release Date: November 2022  
Software Release Date: November 2022  
Legal Notices  
Micro Focus  
The Lawn  
22-30 Old Bath Road  
Newbury, Berkshire RG14 1QN  
UK  
Warranty  
The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the  
express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an  
additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The  
information contained herein is subject to change without notice.  
Restricted Rights Legend  
Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for  
possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software  
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard  
commercial license.  
Copyright Notice  
© Copyright 2015 - 2022 Micro Focus or one of its affiliates  
Trademark Notices  
All trademarks, service marks, product names, and logos included in this document are the property of their respective owners.  
Documentation Updates  
The title page of this document contains the following identifying information:  
• Software Version number  
• Document Release Date, which changes each time the document is updated  
• Software Release Date, which indicates the release date of this version of the software  
This document was produced on November 09, 2022. To check for recent updates or to verify that you are using the most  
recent edition of a document, go to:  
Preface  
Contacting Micro Focus Fortify Customer Support  
Visit the Support website to:  
• Manage licenses and entitlements  
• Create and manage technical assistance requests  
• Browse documentation and knowledge articles  
• Download software  
• Explore the Community  
For More Information  
For more information about Fortify software products:  
About the Documentation Set  
The Fortify Software documentation set contains installation, user, and deployment guides for all  
Fortify Software products and components. In addition, you will find technical notes and release notes  
that describe new features, known issues, and last-minute updates. You can access the latest versions  
of these documents from the following Micro Focus Product Documentation website:  
To be notified of documentation updates between releases, subscribe to Fortify Product  
Announcements on the Micro Focus Community:  
Fortify Product Feature Videos  
You can find videos that highlight Fortify products and features on the Fortify Unplugged YouTube  
channel:  
Change Log  
The following table lists changes made to this document. Revisions to this document are published  
between software releases only if the changes made affect product functionality.  
Software Release / Document Version: Changes  
22.2.0  
Added:  
Updated:  
• Support added for the latest versions of the Eclipse IDE (see  
22.1.0  
Updated:  
• Support added for the latest versions of the Eclipse IDE (see  
• New option to initially import security content from the local  
21.2.0  
Updated:  
• New option to obtain security content from a Micro Focus Fortify Software Security Center server (see "Configuring  
21.1.0  
Updated:  
Getting Started  
This guide provides information about how to install and use the Fortify Security Assistant Plugin for  
Eclipse.  
This section contains the following topics:  
Fortify Security Assistant for Eclipse  
Micro Focus Fortify Security Assistant for Eclipse is a plugin that integrates with the Eclipse Java  
development environment. It works with a portion of the Fortify security content to alert you to  
potential security issues as you write your Java code, and it provides detailed information about each  
security risk together with recommendations for how to address the potential issue.  
Fortify Security Assistant includes the semantic and intra-class data flow analyzers to detect:  
• Potentially dangerous uses of functions and APIs  
• Issues caused by tainted data reaching vulnerable functions and APIs at the intra-class level  
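The two kinds of finding listed above, as an added example that is not part of the Fortify documentation: a dangerous API choice that is visible at the call site, and untrusted data that reaches a file-read sink through a helper in the same class, each next to a corrected form. The class, method, and file names are hypothetical, the input is constructed, and whether Security Assistant flags a particular line depends on the security content loaded and the categories enabled.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.SecureRandom;
import java.util.Random;

// Hypothetical class for illustration; not taken from the Fortify documentation.
public class ReportStore {
    private final Path baseDir;

    ReportStore(Path baseDir) {
        this.baseDir = baseDir.toAbsolutePath().normalize();
    }

    // Dangerous API use: recognisable from the call alone, no data flow needed.
    // java.util.Random is predictable and unsuitable for security tokens.
    static String weakToken() {
        return Long.toHexString(new Random().nextLong());
    }

    // Corrected form: a 128-bit token drawn from a cryptographic generator.
    static String strongToken() {
        return new BigInteger(128, new SecureRandom()).toString(16);
    }

    // Intra-class data flow: 'name' stands in for untrusted input (for example
    // a request parameter). It reaches the file-read sink in read() unchecked.
    String readUnchecked(String name) throws IOException {
        return read(baseDir.resolve(name));
    }

    // Corrected form: normalise the resolved path and refuse anything that
    // leaves the base directory before the data reaches the sink.
    String readChecked(String name) throws IOException {
        Path target = baseDir.resolve(name).normalize();
        if (!target.startsWith(baseDir)) {
            throw new IllegalArgumentException("path escapes base directory: " + name);
        }
        return read(target);
    }

    // Sink: reads whatever path it is handed.
    private String read(Path p) throws IOException {
        return new String(Files.readAllBytes(p), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout: reports/q1.txt is meant to be readable,
        // secret.txt sits outside the base directory.
        Path root = Files.createTempDirectory("sa-demo");
        Path reports = Files.createDirectory(root.resolve("reports"));
        Files.write(reports.resolve("q1.txt"), "quarterly report".getBytes(StandardCharsets.UTF_8));
        Files.write(root.resolve("secret.txt"), "not a report".getBytes(StandardCharsets.UTF_8));

        ReportStore store = new ReportStore(reports);
        String tainted = "../secret.txt"; // constructed untrusted input

        System.out.println("unchecked: " + store.readUnchecked(tainted));
        try {
            store.readChecked(tainted);
        } catch (IllegalArgumentException e) {
            System.out.println("checked:   rejected (" + e.getMessage() + ")");
        }
        System.out.println("checked:   " + store.readChecked("q1.txt"));
        System.out.println("tokens:    " + weakToken() + " vs " + strongToken());
    }
}
```

`normalize()` does not resolve symbolic links; where links can exist inside the base directory, compare `toRealPath()` results instead.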
Software Requirements  
Fortify Security Assistant for Eclipse requires:  
• A valid Fortify license  
You are prompted to provide a license file the first time you make edits to source code, request to  
analyze a project, or load Fortify Software Security Content. For information about how to obtain a  
Fortify license file, contact Micro Focus Fortify Customer Support.  
• Up-to-date Micro Focus Fortify Software Security Content  
Fortify Security Assistant uses a knowledge base of rules to enforce secure coding standards  
applicable to the codebase for static analysis. Micro Focus Fortify Software Security Content  
consists of Fortify Secure Coding Rulepacks, which describe general secure coding idioms for  
popular languages and public APIs.  
You can obtain the Fortify security content directly from the Fortify Rulepack update server or  
from a Fortify Software Security Center server. You can also load Fortify security content from a  
copy on your local system. For instructions, see "Configuring Where to Obtain Security Content."  
Fortify Security Assistant supports Eclipse versions 2020-x, 2021-x, 2022-03, 2022-06, and 2022-09.  
Installing Fortify Security Assistant for Eclipse  
You can install the Fortify Security Assistant Plugin for Eclipse on Windows, Linux, and macOS  
operating systems. To update from an earlier version of Fortify Security Assistant Plugin for Eclipse,  
you must first remove the existing version. For information about how to uninstall the plugin, see  
Note: These instructions describe a third-party product and might not match the specific,  
supported version you are using. See your product documentation for the instructions for your  
version.  
To install Fortify Security Assistant for Eclipse:  
1. Start Eclipse.  
2. Select Help > Install New Software.  
The Install wizard starts and displays the Available Software step.  
3. Click Add.  
4. Click Archive, and then locate and select Fortify_SecurityAssistant_Eclipse_Plugin_<version>.zip.  
5. Click Add.  
6. Select the Fortify Security Assistant Plugin check box.  
Note: Any required third-party dependencies are automatically installed if they do not  
already exist on your system.  
7. Click Next.  
The Install Details step lists Fortify Security Assistant Plugin For Eclipse.  
To view version and copyright information about the plugin in the Details area, click the plugin  
name.  
8. Click Next.  
9. On the Review Licenses step, review and accept the license agreement.  
10. Click Finish.  
11. To complete the installation and restart Eclipse, click Restart Now when prompted.  
The menu bar now includes the Fortify menu.  
12. In the Locate Fortify License File dialog box, click Browse.  
13. Navigate to the fortify.license file, and then click OK.  
Fortify Security Assistant for Eclipse verifies the license file and then attempts to download the  
Fortify Software Security Content from the Fortify Customer Portal. To import Fortify Software  
Security Content from a Fortify Software Security Center server or the local system, see  
Uninstalling Fortify Security Assistant for Eclipse  
Note: These instructions describe a third-party product and might not match the specific,  
supported version you are using. See your product documentation for the instructions for your  
version.  
To uninstall Fortify Security Assistant Plugin for Eclipse:  
1. Start Eclipse.  
2. Select Help > About Eclipse IDE, and then click Installation Details.  
3. On the Installed Software tab, select Fortify Security Assistant Plugin for Eclipse.  
4. Click Uninstall.  
5. In the Uninstall window, click Finish.  
6. To implement the change and restart Eclipse, click Yes when prompted.  
Configuring Fortify Security Assistant for Eclipse  
Fortify Security Assistant for Eclipse requires Fortify Software Security Content to detect issues. You  
can configure how Fortify Security Assistant for Eclipse obtains security content and which  
vulnerability categories you want detected.  
Configuring Where to Obtain Security Content  
By default, Fortify Security Assistant for Eclipse attempts to download the Fortify Software Security  
Content from the Fortify Rulepack update server. There are three ways to obtain Fortify security  
content:  
• From the Fortify Rulepack update server  
• From a Micro Focus Fortify Software Security Center server  
• From your local system if you do not have an internet connection or a Fortify Software Security  
To configure where to download Fortify security content:  
1. Select Fortify > Configure Security Assistant.  
The following Fortify Security Assistant dialog box shows that no security content is loaded yet.  
2. To download the security content from a Fortify Software Security Center server, do the  
following:  
a. Select Security Content Server in the left pane.  
b. Select Update from Software Security Center, and then type the URL for your Micro Focus  
Fortify Software Security Center server in the Server URL box.  
Important! To download security content from a Fortify Software Security Center URL  
that uses HTTPS, you must import a self- or locally-signed certificate into the Java  
Runtime Environment (JRE) certificate store.  
3. To download and load the security content from the Fortify Rulepack update server, do  
the following:  
a. Select Security Content Server in the left pane.  
b. Select Update from Fortify Update Server.  
4. Click Apply and Close to save these settings.  
5. Select Fortify > Update Security Content to load the security content.  
Loading Fortify Security Content from a Local System  
To import and load security content from your local system:  
1. Select Fortify > Configure Security Assistant.  
2. Click import local security content.  
3. In the Import Security Content dialog box, select the file type for the Fortify security content.  
You can import ZIP, XML, or BIN files.  
4. Navigate to and select your Fortify security content.  
5. Click Open.  
6. Click Apply and Close.  
Specifying Categories of Issues to Detect  
To specify the categories of issues to detect for the workspace or for a project:  
1. Do one of the following to select where you want the changes applied:  
• To configure settings for the workspace, select Fortify > Configure Security Assistant.  
• To configure settings for a project:  
i. Right-click a project, and then select Properties.  
ii. In the left pane, select Fortify Security Assistant.  
iii. Select Enable project specific settings.  
Note: You can also specify the category of issues from a Fortify Security Assistant for  
Eclipse tooltip in the Code editor. Click Configure Security Assistant, and then click  
Configure Workspace or Configure Project.  
2. Select the categories of issues you want to detect.  
You can right-click in the list of categories, and then select Select All or select Clear All (but  
one).  
3. To import custom rules:  
a. Click Import Security Content.  
b. Navigate to where your custom file is located, select the XML, and then click Open.  
Note: To remove any previously imported custom rules, click Clear All Imported Security  
Content. You cannot undo this action.  
4. Click Apply and Close.  
Fortify Security Assistant for Eclipse re-inspects the project to refresh any issues reported so that it  
matches your configuration settings.  
Updating Security Content  
To optimize Fortify Security Assistant for Eclipse functionality, you must have complete and  
up-to-date Fortify Software Security Content.  
To obtain the latest security content from the configured server:  
1. Select Fortify > Update Security Content.  
2. If prompted to accept a key, click Yes.  
Note: This is only required when you load security content from a Fortify Software Security  
Center server. After you accept the key the first time, it is saved for the current plugin  
installation.  
To import security content from the local system:  
1. Select Fortify > Configure Security Assistant.  
2. Click Import Security Content.  
You can import ZIP, XML, or BIN files.  
3. Navigate to and select your Fortify security content.  
4. Click Open.  
Finding Security Issues as you Write Java Code  
Fortify Security Assistant for Eclipse notifies you of any detected issues as you write your code. You  
can also have Fortify Security Assistant for Eclipse examine an entire project and then review  
detected security issues (see "Scanning Projects for Issues").  
To review the security issues:  
• Fortify Security Assistant for Eclipse highlights detected security issues in the code. It also tags the  
issue with an icon in the left border of the editor area. Pause your cursor over the highlighted code  
to open a tooltip that briefly describes the issue as shown in the following example:  
Fortify Security Assistant for Eclipse sorts issues based on Fortify Priority Order (Critical, High,  
Medium, and Low).  
• Click the issue to see a detailed description of it in the Security Help view.  
Note: You can page through the visited descriptions in the Security Help view with the  
Go Back and Go Forward buttons.  
• Select Fortify > Open Security Issue List to open the Security Assistant Issues view, which  
displays all the issues detected in the file.  
Working with Issues in the Code Editor  
Pause your cursor over the highlighted code to open a tooltip that displays one or more issues. Move  
your cursor into the Fortify Security Assistant for Eclipse tooltip or press F2 to access additional  
options.  
The Fortify Security Assistant for Eclipse tooltip displays the icons described in the following table.  
Icon: Description  
• Specify the categories of issues to show. You can configure settings for the current  
project or the workspace.  
Note: Settings configured for a project override the settings for the workspace.  
• Configure Fortify Security Assistant for Eclipse annotation preferences.  
• Suppress this issue for the function. This indicates that the issue is not a problem. The  
issue is not reported again for this function unless you unsuppress it.  
• For dataflow issues, go to the origin of the tainted data that reached this function.  
Scanning Projects for Issues  
You can use Fortify Security Assistant for Eclipse to examine a project and identify any security  
issues.  
To scan a project for issues:  
• Right-click the project name, and then select Inspect the Project.  
Fortify Security Assistant for Eclipse displays any detected issues in the Security Assistant Issues  
view. For information on how to use this view, see "Working with the Security Assistant Issues View"  
Working with the Security Assistant Issues View  
The Security Assistant Issues view shows all detected security issues for code that has been  
inspected with Fortify Security Assistant for Eclipse.  
Note: These instructions describe a third-party product and might not match the specific,  
supported version you are using. See your product documentation for the instructions for your  
version.  
Note: If the Security Assistant Issues view is not open, select Fortify > Open Security Issue  
List.  
• To see a detailed description of an issue, right-click the issue, and then select Description.  
The Security Help view opens and provides an explanation of the issue, recommendations for  
fixing the issue, and references related to the issue.  
• To go to the location of the issue in the file editor, double-click the issue in the Security Assistant  
Issues view.  
• To go to the source location of the tainted data for dataflow issues, right-click the dataflow issue,  
and then select Go to Source.  
• To change which issues are shown, click View Menu, select Show, and then select one or more of  
the options listed in the following table.  

| Option | Description |
| --- | --- |
| All Critical Security Issues in Workspace | Shows all critical, non-suppressed issues for Fortify Security Assistant for Eclipse-inspected code in your workspace |
| All Security Issues in Workspace | Shows all non-suppressed issues for Fortify Security Assistant for Eclipse-inspected code in your workspace |
| Security Issues on Selection | Shows all non-suppressed issues based on the current selection |
| All Suppressed Security Issues | Shows all suppressed issues in your workspace |
| Show All | Shows all issues (including suppressed) for Fortify Security Assistant for Eclipse-inspected code (selecting this option clears the other options in the Show menu). Note: If you clear all the other show options, the Show All option is automatically selected. |

• To change how the issues are grouped, click View Menu, select Group By, and then select  
Fortify Priority Order (the default view), Category, or None.  
The following example shows issues grouped by Category.  
• By default, the maximum number of issues shown in one group is 100. To change the maximum  
number of issues shown, click View Menu, select Filters, and type a different value in the Items  
per group box.  
To display all issues, select View Menu > Filters, and then clear the Use Limits check box.  
• To change the columns that are displayed, click View Menu, and then select Configure Columns.  
Showing Suppressed Issues  
Issues that you have suppressed are not highlighted in the source code (even after you restart  
Eclipse). By default, Fortify Security Assistant for Eclipse does not display suppressed issues in the  
Security Assistant Issues view.  
To show the suppressed issues:  
• In the Security Assistant Issues view, select View Menu > Show > All Suppressed Security  
Issues.  
Suppressed issues are indicated in the Type column as a Suppressed Security Issue.  
Unsuppressing Issues  
To unsuppress an issue:  
1. If the Security Assistant Issues view is not open, select Fortify > Open Security Issue List.  
2. To show the suppressed issues in the Security Assistant Issues view, do one of the following:  
• Select View Menu > Show > All Suppressed Security Issues.  
• Select View Menu > Show > Show All.  
3. Right-click the suppressed issue, and then select Delete.  
4. Right-click the project, and then select Inspect the Project to have the issue display in the  
Security Assistant Issues view.  
Hiding Security Issues  
You can hide security issues in specified files for the current Eclipse session. Fortify Security Assistant  
for Eclipse ignores the files during any re-inspection until you either restore (reveal) the security  
issues for the files or restart Eclipse.  
To hide the security issues, do one of the following:  
• For a folder, right-click the folder in the Project Explorer or Package Explorer, and then select Clear  
Security Issues.  
• For a file, right-click in the file editor, and then select Clear Security Issues.  
Revealing Previously Hidden Security Issues  
You can reveal security issues that you previously hid (cleared) for the current Eclipse session.  
To show previously hidden security issues, do one of the following:  
• For a folder, right-click the folder, and then select Restore Cleared Security Issues.  
• For a file, right-click in the file editor, and then select Restore Cleared Security Issues.  
Troubleshooting  
Fortify Security Assistant for Eclipse writes any warnings or errors to the Eclipse Error Log. Include  
this log file if you contact Micro Focus Fortify Customer Support about an issue with Fortify Security  
Assistant for Eclipse.  
Send Documentation Feedback  
If you have comments about this document, you can contact the documentation team by email.  
Note: If you are experiencing a technical issue with our product, do not email the documentation  
team. Instead, contact Micro Focus Fortify Customer Support at  
https://www.microfocus.com/support so they can assist you.  
If an email client is configured on this computer, click the link above to contact the documentation  
team and an email window opens with the following information in the subject line:  
Feedback on User Guide (Fortify Security Assistant Plugin for Eclipse 22.2.0)  
Just add your feedback to the email and click send.  
If no email client is available, copy the information above to a new message in a web mail client, and  
send your feedback to fortifydocteam@microfocus.com.  
We appreciate your feedback!  