Micro Focus  
Fortify Security Assistant Plugin for  
IntelliJ and Android Studio  
Software Version: 22.2  
User Guide  
Document Release Date: September 2022  
Software Release Date: September 2022  
Legal Notices  
Micro Focus  
The Lawn  
22-30 Old Bath Road  
Newbury, Berkshire RG14 1QN  
UK  
Warranty  
The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the  
express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an  
additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The  
information contained herein is subject to change without notice.  
Restricted Rights Legend  
Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for  
possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software  
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard  
commercial license.  
Copyright Notice  
© Copyright 2022 Micro Focus or one of its affiliates  
Trademark Notices  
All trademarks, service marks, product names, and logos included in this document are the property of their respective owners.  
Documentation Updates  
The title page of this document contains the following identifying information:  
- Software Version number
- Document Release Date, which changes each time the document is updated
- Software Release Date, which indicates the release date of this version of the software
This document was produced on September 02, 2022. To check for recent updates or to verify that you are using the most  
recent edition of a document, go to:  
Micro Focus Fortify Security Assistant Plugin for IntelliJ and Android Studio (22.2)  
Page 2 of 17  
Preface
Contacting Micro Focus Fortify Customer Support  
Visit the Support website to:
- Manage licenses and entitlements
- Create and manage technical assistance requests
- Browse documentation and knowledge articles
- Download software
- Explore the Community
For More Information  
For more information about Fortify software products:  
About the Documentation Set  
The Fortify Software documentation set contains installation, user, and deployment guides for all  
Fortify Software products and components. In addition, you will find technical notes and release notes  
that describe new features, known issues, and last-minute updates. You can access the latest versions  
of these documents from the following Micro Focus Product Documentation website:  
To be notified of documentation updates between releases, subscribe to Fortify Product  
Announcements on the Micro Focus Community:  
Fortify Product Feature Videos  
You can find videos that highlight Fortify products and features on the Fortify Unplugged YouTube  
channel:  
Change Log
The following table lists changes made to this document. Revisions to this document are published  
between software releases only if the changes made affect product functionality.  
Software Release / Document Version    Changes
22.2                                   Updated:
                                       - Added a requirement for downloading security content from
                                         Micro Focus Fortify Software Security Center ("Fortify Security
22.1 / Revision 1: June 1, 2022        Updated:
                                       - Support added for Android Studio ("Fortify Security Assistant
Getting Started
The Fortify Security Assistant Plugin for IntelliJ and Android Studio (Fortify Security Assistant) works  
with a portion of the Fortify security content to provide alerts to potential security issues as you write  
your Java code. Fortify Security Assistant provides detailed information about security risks and  
recommendations for how to secure the potential issue.  
Fortify Security Assistant includes both structural and configuration analyzers to detect:
- Potentially dangerous uses of functions and APIs
- Insecure application configurations in property and XML files
Fortify Security Assistant notifies you of any detected issues as you write your code. You can also use  
Fortify Security Assistant to examine an entire project and then you can review the detected security  
issues.  
Note: The instructions in this guide describe a third-party product and might not match the  
specific, supported version you are using. See your product documentation for the instructions  
for your version.  
Fortify Security Assistant Requirements  
Fortify Security Assistant requires:
- A valid Fortify license file
  For information about how to obtain a Fortify license, contact Micro Focus Fortify Customer
  Support.
- Up-to-date Micro Focus Fortify Software Security Content
  Fortify Security Assistant uses a knowledge base of rules to enforce secure coding standards
  applicable to the codebase for static analysis. Fortify security content consists of Fortify Secure
  Coding Rulepacks, which describe general secure coding idioms for popular languages and public
  APIs.
From Fortify Security Assistant, you can:
- Download the Fortify security content directly from the Fortify Rulepack update server or from a
  Fortify Software Security Center server.
  Important! To download security content from a Fortify Software Security Center server
  that is configured to use HTTPS, you must first import a self- or locally-signed certificate
  into the Java Runtime Environment (JRE) certificate store. See the IntelliJ IDEA or Android
  Studio documentation for more information. The following are examples of the certificate
  storage location:
  IntelliJ IDEA: <IDE_install_dir>/jbr/lib/security/cacerts
  Android Studio: <IDE_install_dir>/jre/lib/security/cacerts
- Import Fortify security content from your local system.
  You might choose this option if you do not have a network connection to a server.
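The certificate note above names the keystore for each IDE but not the import itself. The following is an added example, not part of the Fortify guide or Micro Focus' own tooling: a POSIX shell script that locates the bundled JRE truststore for whichever of the two layouts quoted above is present, imports a locally-signed CA certificate with the standard JDK keytool utility, and then verifies that the alias is actually listed in that store. The install directory, the PEM file name, the alias name, and the JDK default truststore password "changeit" are assumptions; replace them with your own values.

```shell
#!/bin/sh
# Added example (not from the Fortify guide): import a locally-signed CA
# certificate into the IDE's bundled JRE truststore so the plugin can reach
# an HTTPS-only Fortify Software Security Center server.

# Locate the bundled truststore. IntelliJ IDEA ships its runtime under jbr/,
# Android Studio under jre/ (both paths are quoted in the guide).
# Prints the keystore path and returns 0, or returns 1 if neither layout exists.
find_ide_cacerts() {
    ide_dir="$1"
    for rel in jbr/lib/security/cacerts jre/lib/security/cacerts; do
        if [ -f "$ide_dir/$rel" ]; then
            printf '%s\n' "$ide_dir/$rel"
            return 0
        fi
    done
    return 1
}

# Import the PEM certificate under the given alias, then confirm the alias is
# listed. Assumes the JDK default truststore password "changeit" unless a
# fourth argument is given. Importing into the IDE's own truststore keeps the
# trust decision scoped to the IDE rather than the whole operating system.
# Returns 0 on success, 1 if keytool is not installed, 2 if the import or the
# verification fails.
import_ide_cert() {
    store="$1"; cert="$2"; name="$3"; pass="${4:-changeit}"
    command -v keytool >/dev/null 2>&1 || return 1
    keytool -importcert -trustcacerts -noprompt \
        -keystore "$store" -storepass "$pass" \
        -alias "$name" -file "$cert" >/dev/null 2>&1 || return 2
    # keytool -list -alias exits non-zero when the alias is absent
    keytool -list -keystore "$store" -storepass "$pass" \
        -alias "$name" >/dev/null 2>&1 || return 2
    return 0
}

# Usage (paths and names are placeholders):
#   store=$(find_ide_cacerts /opt/idea) && import_ide_cert "$store" ssc-ca.pem ssc-ca
```

Run the script with the IDE closed and re-check the alias after an IDE upgrade: the bundled runtime directory is replaced on upgrade, so the imported certificate can silently disappear and the security content download will fail again with a TLS error.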
Installing Fortify Security Assistant  
You can install Fortify Security Assistant on Windows, Linux, and macOS. The Fortify Security  
Assistant plugin is available for download from the JetBrains Marketplace.  
To install Fortify Security Assistant:  
1. Start IntelliJ IDEA or Android Studio.  
2. Open the Settings dialog box as follows:
   - On Windows or Linux, select File > Settings.
   - On macOS, select <IDE_name> > Preferences.
3. On the left pane, select Plugins.
4. Select the Marketplace tab, and then in the search box type Fortify Security Assistant.
5. Click Install.
6. Click OK.
If this is the first time you have installed Fortify Security Assistant, you must next specify the Fortify  
license file and load Fortify security content (see "Configuring Fortify Security Assistant" on the next  
page).  
Uninstalling Fortify Security Assistant  
To uninstall Fortify Security Assistant:  
1. Start IntelliJ IDEA or Android Studio.  
2. Open the Settings dialog box as follows:
   - On Windows or Linux, select File > Settings.
   - On macOS, select <IDE_name> > Preferences.
3. On the left, select Plugins.  
4. From the installed Plugins list, select Fortify Security Assistant.  
5. Select Uninstall.  
Configuring Fortify Security Assistant  
In order for Fortify Security Assistant to detect vulnerabilities in your code, you must have a valid  
Fortify license file and up-to-date Micro Focus Fortify Software Security Content. You can download  
Fortify security content from the Fortify Rulepack update server (https://update.fortify.com), or from  
a Micro Focus Fortify Software Security Center server.  
If you do not have a network connection to the Fortify Rulepack update server or a Fortify Software  
Security Center server, Fortify Security Assistant can load Fortify security content from a local folder.  
To configure Fortify Security Assistant:  
1. Open the Settings dialog box as follows:
   - On Windows or Linux, select File > Settings.
   - On macOS, select <IDE_name> > Preferences.
2. In the search box, type fortify.
3. Select Fortify Security Assistant in the left pane.
4. To specify the license file, click Browse to the right of the License file box and navigate to the  
license file (fortify.license) on your system.  
5. To load or update Fortify security content stored locally:  
a. Select Use local Rulepack.  
b. Click Browse next to the Folder box and navigate to a folder on your system that contains  
the Rulepacks.  
The selected folder must contain Rulepacks as ZIP, XML, or BIN files.  
c. Click Load Security Content.  
6. To download Fortify security content from a Rulepack update server or from Fortify Software  
Security Center:  
a. Select Use security content server.  
b. To download security content from the Fortify Rulepack update server, in the URL box, type  
a Rulepack server URL.  
The default is the Fortify Rulepack update server URL (https://update.fortify.com).  
Note: Click Default to set the URL to the default Fortify Rulepack update server.  
c. To download security content from Fortify Software Security Center:  
i. In the URL box, type a Fortify Software Security Center URL.  
ii. Select the Software Security Center check box.  
   d. To use a proxy for connection to the security content server, select Use proxy, and then
      provide the following:
      - The proxy server host name (for example, my.proxy.com)
      - The proxy port number
      - (Optional) Authentication credentials for the proxy server
e. Click Check for Updates.  
Note: If you get an error that indicates the downloaded security content is unverified,  
you might have an invalid license file. Contact Micro Focus Fortify Customer Support for  
assistance.  
7. Click OK.  
Finding Security Issues as you Write Code  
As you write your code, Fortify Security Assistant provides notifications of potential security issues in  
the Fortify Security Assistant window and in the IDE Problems window. Critical issues are shown in  
red in the code editor.  
To see more details about the detected issue from the code editor, place the cursor over the line of  
code that is marked as an issue, and select View Vulnerability Details. The Fortify Security Assistant  
Vulnerability Details window opens and provides a detailed description of the issue, examples, and  
recommendations of how to fix the issue.  
Issues detected are also shown in the Problems window prefixed with [Fortify - <priority>] as  
shown in the following example:  
Viewing Vulnerability Details  
To see a detailed description of an issue, from the code editor or the Fortify Security Assistant  
window, right-click the issue, and then select View Vulnerability Details.  
The Vulnerability Details window provides a detailed description of the issue, examples, and  
recommendations of how to fix the issue.  
Suppressing Issues  
You might want to suppress warnings for specific issues that might not be high priority or of  
immediate concern.  
To suppress issues, use the native IntelliJ IDEA or Android Studio suppress inspections feature in the  
code editor. You can suppress issues from the code editor and the Problems window. To access the  
suppression options in the code editor, right-click the issue, and then click to open the View  
Vulnerability Details submenu.  
The following is an example that shows how to access the inspection suppression options from the  
code editor:  
For more information about re-enabling suppressed inspections, see the documentation for your IDE.  
The visibility of suppressed issues in the Fortify Security Assistant window depends on the setting
for the Suppressed column. For instructions on how to change the visibility of suppressed issues, see
Scanning a Project for Security Issues  
You can use Fortify Security Assistant to analyze the whole project (or a specific set of files) and  
identify security issues. You cannot make any code changes during the analysis.  
To scan a project for issues, perform a code inspection as follows:
- In IntelliJ IDEA, select Code > Inspect Code.
- In Android Studio, select Analyze > Inspect Code.
If you see the following message in the Event Log:  
Please wait for the security content (Rulepack) to be loaded. Security  
content is required to detect vulnerabilities.  
Then wait until the Fortify security content is loaded. Run the code inspection again after you see the  
following message:  
Fortify Security Assistant is ready to work  
Fortify Security Assistant displays any detected issues in the IntelliJ IDEA or Android Studio  
Problems window. The issues are grouped by analyzer as shown in the following example.  
The detected security issues are also displayed in the Fortify Security Assistant window. For  
information about reviewing the security issues in the Fortify Security Assistant window, see  
Disabling Vulnerability Categories  
As you review Fortify detected issues, you might want to completely disable a category of reported  
issues. It is useful to disable vulnerability categories if you are sure that the vulnerability category is  
not, and will never be, an issue of concern.  
Issues in a disabled vulnerability category are not reported again unless you re-enable the category.
To disable a vulnerability category, use the native IntelliJ IDEA or Android Studio disable inspection
feature (File > Settings > Editor > Inspections). There are three groupings of Fortify Security
Assistant vulnerability categories:
- Security Assistant - Properties
- Security Assistant - Structural
- Security Assistant - XML
Note: You can also disable a Fortify vulnerability category for a scanned project from the  
Problems window.  
After you clear a check box for a vulnerability category, issues that fall into that vulnerability category  
are no longer highlighted in the code as a Fortify Security Assistant detected issue.  
Enabling Vulnerability Categories  
To re-enable a Fortify vulnerability category that you have disabled, use the native IntelliJ IDEA or  
Android Studio re-enable inspection feature (File > Settings > Editor > Inspections). Locate the  
Fortify Security Assistant vulnerability category you want to re-enable and select the check box.  
Note: You can also re-enable a vulnerability category for a scanned project from the Problems  
window. To refresh the issues displayed in the Fortify Security Assistant window after re-enabling  
a vulnerability category, rescan the project (see "Scanning a Project for Security Issues" on  
page 12).  
Working with the Fortify Security Assistant Window
Fortify Security Assistant displays all the security issues detected as you write code and for open files  
in the Fortify Security Assistant window.  
The following table describes the Fortify information provided for each issue.

Column            Description
Fortify Priority  Colored icon indicates the Fortify Priority Order used to categorize the severity of
                  a vulnerability: Critical, High, Medium, or Low
Rule ID           Unique identifier of the rule that triggered the vulnerability detection
Description       Brief description of the issue
Category          Fortify vulnerability category
Suppressed        Indicates whether the issue has been suppressed
                  Note: By default, suppressed issues are not visible in this window. To see
                  suppressed issues in this list, select View Options ( ), and then select Show
                  Suppressed.
File              Name of the file where the issue occurs. To change whether to show the file path
                  or only the file name, select View Options ( ), and then select Show Short File
                  Name.
Line              Line number where the issue occurs in the file.
As you review the detected issues, you can do the following:
- Read more information about the vulnerability by right-clicking an issue, and then selecting View
  Vulnerability Details.
  Note: If the Vulnerability Details window is already open, click an issue to see the
  corresponding details in this window.
- Open the file and locate the line of code where the issue was found by clicking the issue.
- Group the issues by file name, Fortify Priority, Fortify Rule ID, or Fortify category by clicking View
  Options ( ) and then selecting the grouping you want.
- Change whether suppressed issues are visible by selecting View Options ( ), and then selecting
  Show Suppressed.
- Show issues for the current file only by selecting View Options ( ), and then selecting Show only
  Current File.
Troubleshooting  
For help diagnosing a problem, you can open the Fortify Security Assistant log file from the IDE. To  
open the log file, select Help > Show Fortify Security Assistant Log. If you contact Micro Focus  
Fortify Customer Support, provide them with this log file.  
Send Documentation Feedback  
If you have comments about this document, you can contact the documentation team by email.  
Note: If you are experiencing a technical issue with our product, do not email the documentation  
team. Instead, contact Micro Focus Fortify Customer Support at  
https://www.microfocus.com/support so they can assist you.  
If an email client is configured on this computer, click the link above to contact the documentation  
team and an email window opens with the following information in the subject line:  
Feedback on User Guide (Fortify Security Assistant Plugin for IntelliJ and Android Studio 22.2)  
Just add your feedback to the email and click send.  
If no email client is available, copy the information above to a new message in a web mail client, and  
send your feedback to fortifydocteam@microfocus.com.  
We appreciate your feedback!  