"Configuring Java Message Service Settings" on page 100

Java Message Service

(JMS)

LDAP servers

"Configuring LDAP Servers" on page 104

Single-sign on (SSO)

providers:

l

Central Authentication

Server (CAS)

"Configuring Fortify Software Security Center to Work with a

Central Authorization Server" on page 141

l

SPNEGO/Kerberos

"Setting up Kerberos Authentication with Fortify Software

Security Center" on page 148

l

SAML

"Configuring Fortify Software Security Center to Work with

SAML 2.0-Compliant Single Sign-On" on page 141

l

HTTP

"Configuring Fortify Software Security Center to Work with

Single Sign-On and Single Logout Solutions that use HTTP

Headers" on page 146

l

x509

"Configuring Fortify Software Security Center to Use X.509

Certification-based SSO" on page 150

Fortify ScanCentral SAST

"Configuring ScanCentral SAST Monitoring in Fortify Software

Security Center" on page 127

Fortify ScanCentral DAST "Enabling the Running and Management of ScanCentral DAST

Scans from Fortify Software Security Center" on page 128

Fortify Static Code Analyzer Tools:

l

Fortify Audit

Workbench

Fortify Audit Workbench User Guide

https://www.microfocus.com/documentation/fortify-static-

code-analyzer-and-tools

l

Fortify Jenkins plugin

Fortify Jenkins Plugin User Guide

Fortify Software Security Center (23.1.0)

Page 42 of 428

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

Components

Integration Instructions

https://www.microfocus.com/documentation/fortify-jenkins-

plugin

l

Fortify Eclipse plugin

Fortify Plugin for Eclipse User Guide

https://www.microfocus.com/documentation/fortify-static-

code-analyzer-and-tools

l

Fortify Extension for

Fortify Extension for Visual Studio User Guide

Visual Studio

https://www.microfocus.com/documentation/fortify-visual-

studio-code

l

Fortify Extension for

Fortify Visual Studio Code Documentation

Visual Studio Code

https://www.microfocus.com/documentation/fortify-visual-

studio-code

l

Fortify Plugin for

Fortify Plugin for Bamboo User Guide

Bamboo

https://www.microfocus.com/documentation/fortify-plugin-for-

bamboo

l

Fortify Analysis Plugin

for IntelliJ IDEA and

Android Studio

Fortify Analysis Plugin for IntelliJ IDEA and Android Studio User

Guide

https://www.microfocus.com/documentation/fortify-static-

code-analyzer-and-tools

l

Fortify Remediation

Fortify Remediation Plugin for Eclipse User Guide

Plugin for Eclipse

l

Fortify Remediation

Plugin for IntelliJ IDEA

and Android Studio

Fortify Remediation Plugin for IntelliJ IDEA and Android Studio

User Guide

l

Fortify

SourceAndLibScanner

Download Fortify SourceAndLibScanner from the Fortify

Marketplace at

https://marketplace.microfocus.com/cyberres/category/fortify.

The software package comes with documentation.

Fortify Azure DevOps

Extension

https://www.microfocus.com/documentation/fortify-azure-

devops-extension

Fortify Software Security Center (23.1.0)

Page 43 of 428

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

Components

Integration Instructions

Security training vendors

"Configuring Application Security Training" on page 81

Important! When you integrate Fortify Software Security Center with other Fortify

products (for example, ScanCentral DAST, Audit Workbench, and so on) make sure that you

minimize clock skew between communicating machines. Fortify recommends that you

synchronize computer clock times using, for example, Network Time Protocol (NTP). If that

is not possible, Fortify suggests that you maintain a clock skew of less than five minutes,

compared on a UTC basis. Otherwise, requests to Fortify Software Security Center can fail.

Fortify Software Security Center (23.1.0)

Page 44 of 428

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

The Fortify Software Security Center Installation Environment

The following figure illustrates the relationship of Fortify Software Security Center to the

required and optional components listed in "Deployment Overview" on page 40.

The following table provides descriptions of the required and optional Fortify Software Security

Center installation components in the illustration.

Component

Description

Fortify

SSC Server

Fortify Software Security Center is delivered as a Web Archive (WAR) file

run by Tomcat Server or as a Helm chart for Kubernetes deployment.

SSC database

Third-party database that Fortify Software Security Center requires to

store user and artifact data. Before you put Fortify Software Security

Center into production, you must install a supported third-party

database.

Third-party

LDAP

(Optional) You can configure Fortify Software Security Center to use

LDAP authentication.

authentication

server

Defect-tracking

(Optional) You can configure Fortify Software Security Center to enable

Fortify Software Security Center (23.1.0)

Page 45 of 428

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

Component

Description

server

bug submission directly to Bugzilla, Jira, ALM, Azure DevOps Server, or a

customized bug-tracking system. For information about how to create a

customized bug-tracking system, see "Authoring Bug Tracker Plugins"

on page 406.

Third-party email (Optional) You can configure Fortify Software Security Center to use an

server

external SMTP email server to send alerts to application collaborators.

Fortify Static

Code Analyzer

analysis agent

(Optional) Fortify Static Code Analyzer scans source code and identifies

issues.

Audit Workbench Audit Workbench and Fortify IDE plugins can be used as alternative

and IDE plugins

source-code auditing tools.

Jenkins

Azure DevOps

Bamboo

Use these plugins to scan source code (using Fortify Static Code

Analyzer) and upload scan results.

Fortify

ScanCentral

SAST

(Optional) Fortify Static Code Analyzer users can use ScanCentral SAST

to offload processor-intensive code analysis tasks from their build

machines to a group of machines (sensors) provided for this purpose.

Fortify

ScanCentral

DAST

(Optional) A dynamic application security testing tool that you can use

to configure and run dynamic scans of your web applications from

Fortify Software Security Center.

Fortify

WebInspect

(Optional) Analysis agent that connects with Fortify WebInspect agents

to retrieve potential dynamic issues.

Fortify Security

Content update

server

Used to acquire and update Security Content.

Important! Fortify does not support load balancing across multiple Fortify Software

Security Center servers.

Fortify Software Security Center (23.1.0)

Page 46 of 428

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

Downloading Fortify Software Security Center Files

Fortify software is only available for download from the Software Licenses and Downloads

(SLD) portal (https://sld.microfocus.com). For descriptions of the Fortify software installation

packages available there, see the Fortify Software System Requirements document.

Download the installation files and the fortify.license file following the instructions in the

Fortify Software System Requirements document. A helpful how-to video at

https://www.youtube.com/playlist?list=PL8yfmcqTN8GE9XCGVgxMQDFFZy9_-R-e3 also

provides instructions on how to download Fortify software.

See Next

"Unpacking and Deploying Fortify Software Security Center Software" below

Unpacking and Deploying Fortify Software Security Center

Software

To unpack and deploy the Fortify Software Security Center installation files:

1. Extract the contents of the installation file into a temporary directory in a secure location.

(The installation file is the file you downloaded using the instructions in "Downloading

Fortify Software Security Center Files" above.)

2.

Locate the distribution file (Fortify_<version>_Server_WAR_Tomcat.zip) and extract

all of the contents into a directory in a secure location. This creates the Fortify-Server-

WAR directory, which contains the resources and tools you need for tasks such as

configuring Fortify Software Security Center and migrating applications from previous

versions.

Note: The directory into which you extract the distribution file content is referred to in

all topics as the <ssc_install_dir> directory.

3.

Copy the seed bundle files from the srg_content folder in the temporary directory to the

<ssc_install_dir> directory. Do not unzip the seed bundle files.

Note: Although you are not required to copy the resource files to the <ssc_install_

dir> directory, the procedures in this document are based on the assumption that you

saved the files to that location.

The seed bundles are described in the following table.

File Name

Description

Process template seed bundle used to seed database tables. It

Fortify_

Process_Seed_ provides a default admin user account and issue template data.

Bundle-2023_

Fortify Software Security Center (23.1.0)

Page 47 of 428

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

File Name

Description

Q1_

<build>.zip

Report seed bundle used to seed database tables. It provides the

default set of Fortify Software Security Center reports.

Fortify_

Report_Seed_

Bundle-2023_

Q1_

<build>.zip

(Optional) The PCI Basic seed bundle adds a Payment Card Industry

(PCI) Data Security Standard (DSS) process template and its

associated report to the default set of issue templates and reports.

PCI DSS will remain open for assessment of previously-started, and

newly-started assessments initiated before June 2021, until October

2022. After October 2022, the new PCI Software Security

Fortify_PCI_

Basic_Seed_

Bundle-2023_

Q1_

<build>.zip

Framework (SSF) will be the set of standards for evaluation. Please

use the PCI SSF Basic seed bundle (Fortify_PCI_SSF_Basic_

Seed_Bundle-2023_Q1_<build>.zip) to begin to understand

how software security issues can affect evaluation under these new

PCI SSF standards.

(Optional) The PCI SSF Basic seed bundle adds a Payment Card

Industry (PCI) Software Security Framework (SSF) process template

and its associated report to the default set of issue templates and

reports. PCI SSF was introduced in June 2019 as a set of new

standards used to evaluate systems developed by payment

software vendors. The existing PCI DSS will remain open for

assessment of previously-started, and newly-started assessments

initiated before June 2021, until October 2022. After October 2022,

the new PCI Software Security Framework (SSF) will be the set of

standards for evaluation. Please use the PCI Basic seed bundle

Fortify_PCI_

SSF_Basic_

Seed_Bundle-

2023_Q1_

<build>.zip

(Fortify_PCI_Basic_Seed_Bundle-2023_Q1_<build>.zip)

for evaluation under PCI DSS.

The process templates seed bundle and the reports seed bundle are required for Fortify

Software Security Center deployment. The PCI Basic seed bundles are optional.

4.

Copy the fortify.license file to the <ssc_install_dir> directory. (For information

about how to obtain the fortify.license file, see the Fortify Software System

Requirements document.)

Fortify Software Security Center (23.1.0)

Page 48 of 428

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

Deploying Fortify Software Security Center to a Kubernetes

Cluster

The following steps describe how to prepare for and perform a Fortify Software Security Center

Kubernetes deployment. For information about supported versions of the required software, see

the Micro Focus Fortify Software System Requirements document for this release.

The following are required in the Kubernetes and helm space :

l

Persistent volume: For configuration file and log files. Kubernetes persistent volume must

support the PodSecurityContext fsGroup field.

l

Secrets file - Responsible for storing everything regarding licenses or connections to the

database, for example, username / password, and such information, and this is important

when it comes to SSL or HTTPS, because SSC in Kubernetes only runs on https so you must

have a TLS or SSL connection. So, all of this information (trust, keystore, license file) is stored

in the secrets file. Must have your license available and your keystore.

l

ssc-values.yaml file - Used to store or set all parameters for your helm chart. The Helm

chart needs data to set up SSC.

You want to store results in SSC, and for that you use the SSC database. And, the version of

database in your Kubernetes space must be the same as the version used for the ssc db.

You also need to grant users access to ssc. For that you need some kind of service (load

balancer, cluster IP, or node port) that are components of Kubernetes

To prepare for your Fortify Software Security Center Kubernetes deployment, do the following:

1. Install and set up kubectl. For instructions, see

https://kubernetes.io/docs/tasks/tools/install-kubectl.

2. Install Helm. (To download the software, see https://github.com/helm/helm/releases. For

installation instructions, see https://helm.sh/docs/intro/install . For upgrade instructions,

see https://helm.sh/docs/hel m/helm_upgrade/#helm .)

3. (Air-gapped installation only) Install Docker. For installation instructions, see

https://docs.docker.com/get-docker.

4. Copy the contents of the helm directory from the Fortify Software Security Center

distribution ZIP file to the <ssc_helm_dir> directory. Navigate to the <ssc_helm_dir>

directory and copy the ssc-values-example.yaml file to ssc-values.yaml.

Fortify Software Security Center Kubernetes Deployment

You can deploy Fortify Software Security Center in an environment with Internet access, or in an

air-gapped environment. If you plan to deploy the application in an environment with Internet

access, you can pull the Fortify Software Security Center Docker image (fortifydocker/ssc-

webapp) from the Docker Hub registry. If you must deploy the application in an air-gapped

environment, you must use a private registry for the deployment and transfer the Fortify

Software Security Center container image to it.

Fortify Software Security Center (23.1.0)

Page 49 of 428

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

Deploying Fortify SSC to a Kubernetes Cluster

The procedure used to deploy Fortify Software Security Center in an environment that has

Internet access is almost identical to the procedure used to deploy the product in an air-gapped

environment. The only difference is that, for an air-gapped deployment, you must push the

Fortify Software Security Center container image to a private registry that is accessible from

your Kubernetes cluster.

To deploy Fortify Software Security Center to a Kubernetes cluster:

1. Create a Docker Hub account, and then supply your account name to Fortify Customer

Support (https://www.microfocus.com/support).

Note: Fortify Customer Support can give you access to the Fortify repository on the

Docker Hub (fortifydocker organization).

2. To request access to the Fortify Software Security Center Docker image published in the

Docker Hub registry, send an email with the following information to

fortifydocker@microfocus.com:

l

First Name

l

Last Name

l

Company Name

l

Docker ID

l

Customer ID

3. (For an air-gapped installation, or if you want to use a private registry. A running Docker

server and Docker client are assumed to be in place.) Transfer the Fortify Software Security

Center container image to your private registry, as follows:

a.

b.

Log in to the Docker Hub using docker login.

Log in to your private registry using docker login <priv_reg_host_and_port>,

where <priv_reg_host_and_port> represents the host and port of your private

registry.

c. Transfer the Fortify Software Security Center container image, as follows:

i.

docker pull"fortifydocker/ssc-webapp:<tag>"

ii.

docker tag"fortifydocker/ssc-webapp:<tag>""<priv_reg_host_and_

port>/<priv_reg_path>/ssc-webapp:<tag>"

iii.

docker push "<priv_reg_host_and_port>/<priv_reg_path>/ssc-

webapp:<tag>"

Note: To determine the value to use for <tag>, go to the <ssc_helm_dir>

directory and open the ssc-<chart_version>+<ssc_version>.tgz file.

Use the <ssc_version> value (tag for the latest published image build) from

the TGZ file name.

Fortify Software Security Center (23.1.0)

Page 50 of 428

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

There are also tags for exact image builds in the format <ssc_

version>.<imageBuildNumber>

You can list available image tags in the docker hub. If you use

<imageBuildNumber>, you must specify it in the image.buildNumber Helm

chart value.

Important! The image name (ssc-webapp) and the tag (<tag>) value must

stay the same.

d.

Enter the <priv_reg_host_and_port>/<priv_reg_path>/ as the value for

image.repositoryPrefix parameter in the <ssc_helm_dir>/ssc-values.yaml

file. (The value you specify for the image.repositoryPrefix parameter must include

a trailing forward slash (/).)

4.

If you want to use the exact image build tag, enter the <imageBuildNumber> value as the

value for the image.buildNumber. Otherwise, leave it empty.

5. Provision a Kubernetes secret for pulling images from the registry (Docker Hub or private

registry). For instructions, see https://kubernetes.io/docs/tasks/configure-pod-

container/pull-image-private-registry and enter the secret name as the value for

the imagePullSecrets parameter in the <ssc_helm_dir>/ssc-values.yaml file. If the

secret is regcred, then the format is:

imagePullSecrets:

- name: regcred

Note: The imagePullSecrets value is required for access to the Docker Hub registry.

If you have a private registry that can be accessed without credentials, then there is no

need to specify imagePullSecrets.

6. Provision another Kubernetes secret that contains the data required for the deployment.

Inspect the secretRef.keys file for the list of data accepted. The minimum required set

includes httpCertificateKeystoreFileEntry,

httpCertificateKeystorePasswordEntry, and

httpCertificateKeyPasswordEntry.

The following example shows how to create the secret manually:

a.

b.

Create a <ssc_secrets_dir> directory.

Create a file for each of the secretRef.keys required entries. You must have at least

three files in the directory: a Java keystore file that contains the HTTPS certificate and

its private key, a file with the password for the keystore, and a file that contains the

password for the secret key of the HTTPS certificate.

c.

Create the secret using the kubectl command:

kubectl create secret generic "<ssc_secret_name>" --from-file

"<ssc_secrets_dir>"

d.

Enter the <ssc_secret_name> as the value for the secretRef.name parameter in

the <ssc_helm_dir>/ssc-values.yaml file.

Fortify Software Security Center (23.1.0)

Page 51 of 428

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

e.

For each file provided in <ssc_secrets_dir>, enter the file name as the value for the

related the secretRef.keys.*Entry parameter in the <ssc_helm_dir>/ssc-

values.yaml file.

Note: Changes in the secret are not applied automatically by the deployment. To use a

changed secret with an existing deployment, you must manually remove the Fortify

Software Security Center Pod to trigger automatic re-creation.

7.

Enter any other required parameters to the <ssc_helm_dir>/ssc-values.yaml file.

l

The urlHost must contain the fully-qualified DNS name intended for accessing Fortify

Software Security Center. The address for accessing the Fortify Software Security

Center installation is

<https://<urlHost>:<service.httpsPort>/<sscPathPrefix>. For example,

https://ssc.example.com:443/ssc. If the port is 443, you can omit it from the URL

(https://ssc.example.com/).

l

For ease of use, Fortify recommends that you set the service.type parameter to

LoadBalancer.

l

To apply changes to the Fortify Software Security Center secret referenced by

secretRef.name, you must manually remove the ssc-webapp Pod (it is later

automatically re-created).

Note: If necessary, you can change most values you specify for parameters in the

<ssc_helm_dir>/ssc-values.yaml file later, and then redeploy Fortify Software

Security Center to implement the changes. Depending on the Kubernetes cluster, the

exception might be parameters for a persistentVolumeClaim.

Deployment

To deploy Fortify Software Security Center for the first time, run the following:

helm install "<unique_deployment_name>" "<ssc_helm_dir>/ssc-<chart_

version>+<ssc_version>.tgz" -f "<ssc_helm_dir>/ssc-values.yaml"

For subsequent deployments, run the following:

helm upgrade "<unique_deployment_name>" "<ssc_helm_dir>/ssc-<chart_

version>+<ssc_version>.tgz" -f "<ssc_helm_dir>/ssc-values.yaml"

Next, use the default administrator account to log in to Fortify Software Security Center and

perform post-installation configuration, just as you would after a standard installation. For

details, see "Configuring Fortify Software Security Center for the First Time" on page 68.

Fortify Software Security Center (23.1.0)

Page 52 of 428

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

Customizing the Apache Tomcat Access Logs

To change the default format for Tomcat access logs on the ssc-webapp container image, set

the HTTP_SERVER_ACCESS_LOG_PATTERN environment variable to the Tomcat Access Log

Valve pattern. For information about the patterns supported, see the Apache Tomcat 9

Configuration Reference website (https://tomcat.apache.org/tomcat-9.0-

doc/config/valve.html#Access_Log_Valve).

You can use the environment Helm chart value, as shown in the following example:

environment:

-

name: HTTP_SERVER_ACCESS_LOG_PATTERN

value: '%h %l %u %t "%r" %s %b'

Troubleshooting a Fortify Software Security Center Deployment to a

Kubernetes Cluster

This section provides information about the error messages that can be encountered during an

attempted deployment.

If you crash during the installation phase, run:

kubectl describe pod <pod_name>

To display logs after installation, run:

kubectl logs <pod_name> -f

To view the status of Pods running on your cluster (Pending, Running, Succeeded, Failed, or

Unknown), run:

kubectl get pods

If no Pods are running, the interactive environment is still reloading its previous state. Wait for

several seconds, and then run kubectl get pods again. Once you see the Pod running,

continue.

To see a list of all services, the assigned IPs (cluster and external) and ports, run:

kubectl get services

To list those names, run:

Fortify Software Security Center (23.1.0)

Page 53 of 428

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

helm list

To get values/configuration for a specific deployment installed by helm, run:

helm get values <installation name>

To see information about the volume being mounted or to see whether the image was pulled

successfully or not (if, for example, the wrong credentials were provided), run:

kubectl describe --help

If everything looks fine, but Fortify Software Security Center does not run as expected, and logs

alone do not provide enough information, run the following to inspect the container file system,

check the state of the environment, and perform advanced debugging tasks:

kubectl exec -it <pod_name> bash

This enables you to interactively browse the container, print other internal logs (Tomcat or the

Fortify Software Security Center itself, and run other commands.

Other Troubleshooting Resources

For a visual guide to troubleshooting your deployment, see "A visual guide on troubleshooting

Kubernetes deployments" (https://learnk8s.io/troubleshooting-deployments). For guidance on

debugging common containerized application issues, see "Troubleshooting Applications"

(https://kubernetes.io/docs/tasks/debug/debug-application).

Fortify Software Security Center (23.1.0)

Page 54 of 428

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

About the <fortify.home> Directory

The <fortify.home> directory is where the configuration file and other Fortify Software

Security Center resources reside.

Default Directory Locations

After Fortify Software Security Center deployment, you can find <fortify.home> in the

following locations:

l

%USERPROFILE%\.fortify on a Windows system (applies to both a standard user and a

Windows service user)

Note: %USERPROFILE% represents the user running the Tomcat service, which is not

necessarily the user who installed Tomcat.

Named Account = C:\Users\<username>

LocalSystem [Default] = %WinDir%\System32\config\systemprofile

LocalService = %WinDir%\ServiceProfiles\LocalService

NetworkService = %WinDir%\ServiceProfiles\NetworkService

l

$HOME/.fortify on a Linux system

Changing the Default Locations

You can override the default <fortify.home> directory location by setting the fortify.home

system property on the JVM used to start the Tomcat Server. For example, you can specify this

system property using the CATALINA_OPTS environment variable. Alternatively, you can add

the fortify.home property to the Java Options field in the Tomcat service definition on a

Windows system. For detailed information on setting Java system properties, see the Tomcat

documentation.

Example: -Dfortify.home=/home/fortify

Note: If you want to change the <fortify.home> directory location after Fortify Software

Security Center has already been configured (see "Configuring Fortify Software Security

Center for the First Time" on page 68), make sure that you copy or move the contents of

the existing <fortify.home> directory to the new location before you restart the server

with the updated fortify.home system property value.

Fortify Software Security Center (23.1.0)

Page 55 of 428

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

Directory Contents

The <fortify.home> directory is structured as follows:

<fortify.home>/

<app_context>/

conf/

app.properties

datasource.properties

log4j2.xml

version.properties

secret.key

logs/

ssc.log

...

init.token

...

plugin-framework/

/logs

fortify.license

where

represents the application server context in which Fortify

<app_context>

Software Security Center is deployed. For details, see

"Automating Fortify Software Security Center Configuration"

on page 417 .

is the default log configuration. Although you can change this

configuration manually, Fortify strongly recommends that

you use the log4j2 configuration override feature instead

(see "Customizing Fortify Software Security Center Logging "

on page 157 ).

log4j2.xml

represents a new security token that is generated each time

the Setup wizard is loaded (start of server in configuration

mode). The user who configures Fortify Software Security

Center uses this token to access the Setup wizard at the

init.token

<host>:<port>/init URL.

is a file that contains the application properties that the

customer can configure.

app.properties

Fortify Software Security Center (23.1.0)

Page 56 of 428

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

is a file that contains the database connection properties.

datasource.properties

version.properties

is a file that stores information about current and previous

versions of Fortify Software Security Center for application

upgrade purposes.

is an encryption key file used to encrypt and decrypt

sensitive configuration information in Fortify Software

Security Center. (Fortify Software Security Center never

overwrites this file. However, the file is generated if it is

secret.key

missing from the <fortify.home>/<app_context>/conf

directory.)

The datasource.properties file and some database

fields contain encrypted entries that rely on the

secret.key file. If you move your Fortify Software

Security Center instance from one computer to another,

you must also move the secret.key file (not just your

database files).

is the plugin framework configuration and temporary storage

(internal).

plugin-framework

Note: If you encounter a problem with a plugin, you can

usually find more detailed information about it in

plugin-framework/logs than you can in main Fortify

Software Security Center logs.

is the license file for Fortify Software Security Center.

fortify.license

Important! The <fortify.home>/<app_context>/conf directory must always contain

the following files:

- app.properties

- datasource.properties

- secret.key

- version.properties

If any one of these files is missing, Fortify Software Security Center either runs auto-

configuration, or starts the Setup wizard to re-create any missing files.

Fortify Software Security Center (23.1.0)

Page 57 of 428

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

About the Fortify Software Security Center Database

If you are deploying a new instance of Fortify Software Security Center, you must first install

and configure the third-party database server software.

Important! Fortify Software Security Center requires that all database schema

collations be case-sensitive.

Important! If you are installing a SQL Server or MySQL database, your installation

requires special attention. For more information, see "Using a Microsoft SQL Server

Database" on page 60 or "Configuring a MySQL Data base" on page 61 .

Later, after you go on to Fortify Software Security Center for the first time, you will use the

Fortify Software Security Center Setup wizard to configure connectivity to the database and

then seed the database. (See "Configuring Fortify Software Security Center for the First Time"

on page 68.)

Topics covered in this section:

About Fortify Software Security Center Database Character Set Support

Installing and Configuring the Database Server Software

Monitoring Disk I/O

Database User Account Privileges

Database-Specific Configuration Requirements

About the Fortify Software Security Center Database Tables and Schema

About Seeding the Fortify Software Security Center Database

Permanently Deleting a Fortify Software Security Center Database

About JDBC Drivers

The JDBC drivers for SQL Server, MySQL server, and Oracle are bundled with Fortify Software

Security Center software.

The MariaDB JDBC driver is used to connect to the MySQL database server. JDBC URL

parameters must use MariaDB driver syntax. Note that the MariaDB is not supported as the

back end database for Fortify Software Security Center.

About Fortify Software Security Center Database Character Set Support

For a list of the supported character sets for each third-party database type that Fortify

Software Security Center supports, see the Micro Focus Fortify Software System Requirements

document.

Fortify Software Security Center (23.1.0)

Page 58 of 428

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

Installing and Configuring the Database Server Software

Install and configure the database server software following the instructions in the

documentation for your database software.

For information about supported databases, see the Micro Focus Fortify Software System

Requirements document.

Monitoring Disk I/O

Disk I/O encompasses the input/output operations on a physical disk. If you are reading data

from a file on a disk, the processor must wait for the file to be read (the same applies to writing

data to a file). Fortify Software Security Center performs I/O-intensive database operations,

which affects performance. Make sure that your disk subsystem provides low read/write latency.

Fortify recommends that you monitor disk I/O as the database grows.

Database User Account Privileges

Fortify strongly recommends that you create accounts for users who perform the following

tasks on the Fortify Software Security Center database:

l

Perform runtime tasks

A user who performs runtime tasks requires privileges to do the following:

l

Perform Data Manipulation Language (DML) operations to SELECT, UPDATE, INSERT,

and DELETE data in all the database tables and views

l

Execute stored procedures.

l

Execute migration scripts

Important! Fortify strongly recommends that you create a separate user account to be

used for executing migration scripts.

A user who executes migration scripts requires privileges to do the following:

l

Perform Data Manipulation Language (DML) operations to SELECT, UPDATE, INSERT,

and DELETE data in all the database tables and views

l

Execute stored procedures

l

Perform Data Definition Language (DDL) operations to CREATE, ALTER, and DROP

database tables, views, and indexes.

l

For Oracle databases, permission to enable sequences.

l

Create and manage the database

Important! Fortify strongly recommends that you create a separate user account to be

used to create and manage the database.

Fortify Software Security Center (23.1.0)

Page 59 of 428

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

A user who creates and manages the database requires privileges to do the following:

l

Perform all the tasks for which the user who executes migration scripts has privileges.

l

Create a Fortify Software Security Center database in a dedicated instance.

l

Back up and then update the existing Fortify Software Security Center dedicated database

instance.

l

Bind a Fortify Software Security Center user account to the dedicated database instance.

l

Assign a Fortify Software Security Center user account the read-write privileges required

to create, initialize, and manage the Fortify Software Security Center database. At a

minimum, this user must have a database account that enables the web application to

connect to the database.

l

Create and generate reports

To add an extra measure of security to reporting, create a database user account with read-

only access to the Fortify Software Security Center database, and then use the account

credentials to configure enhanced security for your BIRT reports (see "Configuring

Security for BIRT Reporting" on page 90).

Database-Specific Configuration Requirements

The following topics describe the configuration requirements for the Fortify Software Security

Center-supported third-party databases and how to configure the databases to work with

Fortify Software Security Center.

Using a Microsoft SQL Server Database

If you are using a SQL Server database as the Fortify Software Security Center database,

perform the following checks:

l

Enable the Auto Update Stats Asynchronously (AUTO_UPDATE_STATISTICS_ASYNC) option

for the database. For instructions, see the Microsoft SQL documentation website

(https://docs.microsoft.com/en-us/sql/?view=sql-server-ver15).

l

Make sure that your SQL Server database schema collation is case-sensitive. The default

installation of SQL Server is case-insensitive.

Caution! Fortify Software Security Center requires that all database schema collations be

case-sensitive. If your database schema collation is case-insensitive, Fortify Software

Security Center does not work correctly.

Important! Before you run the Fortify-provided SQL scripts, verify that there are no

open connections to the database.

l

Make sure that snapshot isolation is enabled (ALLOW_SNAPSHOT_ISOLATION and READ_

COMMITTED_SNAPSHOT are set to ON) on the database schema used for the installation.

Fortify Software Security Center (23.1.0)

Page 60 of 428

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

l

During SQL script executions, check the client tool to make sure that its ANSI null default

option is set to ON. To do this, you can either use a SET command (set ANSI_NULL_DFLT_ON

to ON) or the Query Editor.

Windows Domain Authentication

For Windows domain authentication, you must perform the following additional steps before

you deploy Fortify Software Security Center:

1.

2.

Make sure that you add integratedSecurity=true to the JDBC URL.

Obtain the mssql-jdbc_auth-<version>-<arch>.dll file. For more information, see

https://docs.microsoft.com/en-us/sql/connect/jdbc/building-the-connection-

url?view=sqlserver-ver15#Connectingintegrated.

3.

4.

Place the mssql-jdbc_auth-<version>-<arch>.dll file in the directory specified for

the -Djava.library.path parameter of the JDK_JAVA_OPTIONS environment variable.

Place the mssql-jdbc_auth-<version>-<arch>.dll: file in a directory that is included

in the PATH environment variable (for example, C:\Windows\System32).

5. Next, do one of the following:

l

Use the ssc.autoconfig file to configure Fortify Software Security Center.

l

Configure Fortify Software Security Center with SQL authentication, and then remove

the db.username and db.password parameters from the datasource.properties

file.

6. Check to make sure that Tomcat is running with the domain account you want to use to

connect to the database.

Configuring a MySQL Database

If you are using MySQL as the Fortify Software Security Center database, you must configure

the MySQL options file.

Caution! Fortify Software Security Center requires that all database schema collations be

case-sensitive. If your installation is case-insensitive, Fortify Software Security Center

cannot work correctly.

Note: For information about the supported versions of MySQL, see the Fortify Software

System Requirements document.

Tip: If you use SSL to connect Fortify Software Security Center to MySQL, Fortify

recommends that you increase the allowed number of concurrent client connections by

increasing the value of the max_connections system variable (in the my.cnf file). This

can prevent the Too many connections error from occurring.

Fortify Software Security Center (23.1.0)

Page 61 of 428

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

To configure the MySQL 8.0 options file:

1. Stop MySQL server.

2. Navigate to the MySQL server installation directory.

3. Open the MySQL options file in a text editor.

Tip: To locate the options files and the order in which they are read, run the following

command from a terminal: mysql --help.

l

On Windows systems, the default options file is my.ini.

Note: The default location for MySQL 8.0 is

c:\ProgramData\MySQL\MySQLServer 8.0.

l

On Linux systems, the default options file is my.cnf.

4.

5.

In both the [mysqld] and [mysqldump] sections, set max_allowed_packet to 1G.

If the [mysqldump] section is not there, create it.

In the [mysqld] section, configure the settings in the following table. If a listed setting is

not included in the file, add it.

Setting

Value

INNODB

default_

storage_

engine

innodb_

buffer_

pool_size

512M (Fortify recommends 10GB or more)

The best performance is achieved when all data and indexes fit.

Together with per-connection memory, the innodb_lock_wait_

timeout value must not exceed the total available memory on the server.

You can roughly estimate the maximum memory usage as follows:

max_connections * max_allowed_packet + innodb_buffer_

pool_size

An innodb_buffer_pool_size value of between 60 and 80 percent of

available memory is appropriate.

The larger the innodb_buffer_pool_size value, the less disk I/O is

needed to access data in tables. On a dedicated database server, you may

set this to up to 80% of the machine physical memory size. However, be

prepared to scale back this value if you see any of the following:

l

Competition for physical memory causes paging in the operating

system.

Fortify Software Security Center (23.1.0)

Page 62 of 428

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

Setting

Value

l

InnoDB reserves additional memory for buffers and control structures,

so that the total allocated space is approximately 10% greater than the

specified size.

l

The address space must be contiguous, which can cause problems on

Windows systems with DLLs that load at specific addresses.

The time to initialize the buffer pool is roughly proportional to its size.

On large installations, this initialization time may be extensive. For

example, on a modern Linux x86_64 server, initialization of a 10 GB

buffer pool takes approximately 6 seconds. See the MySQL 8.0

Reference Manual (https://dev.mysql.com/doc/refman/8.0/en).

innodb_

lock_

300 (recommended) Expressed in seconds

wait_

timeout

512M

1G

innodb_

log_file_

size

max_

allowed_

packet

sql-mode

"TRADITIONAL"

6. Save the file, and then restart MySQL server.

Configuring an Oracle Database

This section provides information about how to configure an Oracle database to prevent

database-related errors.

Preventing the “No more data to read from socket” Error

If you use Oracle as the Fortify Software Security Center database, you might see an exception

of the type “No more data to read from socket.”

One possible solution to this exception is to do the following:

1.

2.

Navigate to the $ORACLE_HOME/network/admin/ directory.

Open the tnsnames.ora file in a text editor.

Fortify Software Security Center (23.1.0)

Page 63 of 428

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

3.

Set the value of SERVER to DEDICATE.

4. To apply the change, restart the active listener associated with the database.

Partitioning an Oracle Database for Improved Performance

The high input and output associated with large volumes of data in an Oracle database can

prevent the database server from effectively operating on data. Database partitioning enhances

database server performance, improving data manageability and availability. (The

partitioning.sql script partitions ISSUE, SCAN_ISSUE, and ISSUECACHE tables using Oracle

hash partitions.)

Preparing to Partition an Oracle Database

Before you run the partitioning.sql script, do the following:

1. Back up your database.

2. Create auxiliary tablespace. (To determine the auxiliary tablespace size required, you can

run the partitioning.sql script.

3. Determine how many partitions best fit your data.

Partitioning is based on application version ID. You want your records distributed evenly

across hash partitions. Ideally, you would specify as many partitions as you have application

versions. The number of partitions must also allow for the number of application versions to

grow.

Try to achieve record distribution that does not exceed a couple hundred thousand records

per partition. Fortify recommends a record distribution of less than one million records per

partition.

4. Schedule enough application downtime to partition data. In doing so, consider the time

required to:

l

Partition the database

Important! The maximum possible number of partitions supported is 700. If you

request more than this, the Oracle partitioning script fails.

l

Move your data to the auxiliary tablespace

l

Move your data back to the original tablespace

Partitioning the Database

To use the partitioning script:

l

Use Oracle SQL*Plus client to run the Oracle partitioning script (partitioning.sql), which

is located in the <ssc_distribution>/sql/oracle/extra directory.

Note: Script execution time depends on the size of your database.

Fortify Software Security Center (23.1.0)

Page 64 of 428

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

During script execution:

l

Required parameters are obtained from standard input.

l

Partitioned tables are created in auxiliary tablespace (with *_PART name).

l

Data is moved from the original tablespace to the auxiliary tablespace and partitioned tables

l

New partitioned indexes are created on partitioned tables (with *_PART name).

l

The original tables and indexes are renamed (with *_NPART name).

l

The original names of the partitioned tables and indexes are restored (*_PART name is

removed).

l

The original tables (*_NPART) are dropped.

l

The partitioned tables are moved back to the original tablespace.

Increasing the Number of Job Execution Threads

After you partition your database, make sure that you increase the number of job execution

threads, as follows:

1.

2.

Navigate to <fortify_home>/<context>/conf, and open the app.properties file in a

text editor.

Increase the value of the jobs.threadCount property.

Note: In testing, increasing the value of jobs.threadCount to 18 noticeably

improved performance.

3.

Save and close the app.properties file.

About the Fortify Software Security Center Database Tables and Schema

The Fortify Software Security Center installation directory contains an initialization script for

each supported third-party database type. During initial configuration (see "Configuring Fortify

Software Security Center for the First Time" on page 68), run this script for your database type

to create the database tables and initialize the database schema for Fortify Software Security

Center.

Before you configure Fortify Software Security Center for the first time, make sure that you

review the information contained in the following sections:

l

"Database User Account Privileges" on page 59

l

"Database-Specific Configuration Requirements" on page 60

About Seeding the Fortify Software Security Center Database

When you log in to Fortify Software Security Center for the first time, Fortify Software Security

Center requires a minimum set of data to process your initial login credentials and to provide

basic functionality. Seeding creates the minimum data set for a new database.

Fortify Software Security Center (23.1.0)

Page 65 of 428

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

Seeding the Fortify Software Security Center database is necessary to maintain a consistent

post-installation configuration. This includes the creation of the default administrator user

account, as well as required entities such as issue templates, report definitions, and other

default data required to make Fortify Software Security Center operational.

Fortify Software Security Center requires two of the downloaded seed bundles (see "Unpacking

and Deploying Fortify Software Security Center Software" on page 47):

l

The issue template seed bundle (Fortify_Process_Seed_Bundle-2023_Q1_<build>.zip)

provides a default admin user account and issue template data.

l

The report seed bundle (Fortify_Report_Seed_Bundle-2023_Q1_<build>.zip) provides the

default set of Fortify Software Security Center reports.

You can also install the optional PCI Basic bundles Fortify_PCI_Basic_Seed_Bundle-2023_

Q1_<build>.zip and Fortify_PCI_SSF_Basic_Seed_Bundle-2023_Q1_<build>.zip),

which add Payment Card Industry process templates and associated reports to the default set

of Fortify Software Security Center templates and reports.

The seed bundle files are included in the Fortify Software Security Center installation package.

After your initial Fortify Software Security Center deployment, you can download off-cycle seed

bundles from the Fortify Support Portal (https://support.fortify.com) under the PREMIUM

CONTENT > FORTIFY EXCHANGE. (Quarterly security content releases can also include

updated seed bundles.)

Caution! Only load the bundles shipped with a Fortify Software Security Center release into

a Fortify Software Security Center instance of that same version (either a fresh install or an

older instance upgraded to the current version).

After you finish seeding the database, you can modify any user-configurable data entities that

were created in the seeding process from the Fortify Software Security Center user interface.

For more information, see "Additional Fortify Software Security Center Configuration" on

page 76.

Releases" on page 192

Permanently Deleting a Fortify Software Security Center Database

If, at some point, you plan to remove Fortify Software Security Center altogether, you can

remove the Fortify Software Security Center database. To permanently delete a Fortify

Software Security Center database schema along with all the data in the database, you run the

drop-tables.sql script.

Caution! Running the drop-tables.sql script permanently removes the Fortify Software

Security Center database schema and all the data in the database. Make sure you have

backed up any data you want to save before running this script.

Fortify Software Security Center (23.1.0)

Page 66 of 428

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

To delete the Fortify Software Security Center database schema and all the data in the

database:

1.

2.

Navigate to the <ssc_install_dir>/sql directory, and open the subdirectory for the

third-party database you plan to use with Fortify Software Security Center:

l

mysql

l

Oracle

l

sqlserver

Copy the drop-tables.sql script from the subdirectory that matches your Fortify

Software Security Center database type to the database server or other location where you

will run the script.

3. In the database client program, log into the database account you created for use with

Fortify Software Security Center.

4. Review the warning in the introduction to this topic.

5. Remove the Fortify Software Security Center database schema and all the data in the

database by running the following script:

drop-tables.sql

Fortify Software Security Center (23.1.0)

Page 67 of 428

Chapter 4: Configuring Fortify Software Security

Center for the First Time

After you deploy Fortify Software Security Center for the first time and then enter the Fortify

Software Security Center URL in a browser window, the Fortify Software Security Center Setup

wizard (Setup wizard) opens. Here, you can complete the steps for the initial server

configuration. The Setup wizard is available to administrators only after you first deploy Fortify

Software Security Center, after you upgrade it, or after you place Fortify Software Security

Center in maintenance mode (see "Placing Fortify Software Security Center in Maintenance

Mode" on page 175).

To configure Fortify Software Security Center for the first time:

1. After you deploy a new version of the Fortify Software Security Center WAR file in Tomcat

Server, open a browser window and type your Fortify Software Security Center server URL

(https://<host_IP>:<port>/<app_context>/).

Note: For a normal deployment, the default Fortify Software Security Center URL is

<protocol>://<ssc_host>:<port>/ssc. For a deployment to a Kubernetes cluster,

the default URL is <protocol>://<ssc_host>:<port>/ (without ssc at the end).

If you deploy Fortify Software Security Center using a distributed WAR file without

renaming the ssc.war file, app_context will be ssc unless it is overwritten by the

Tomcat server configuration.

2. In the upper right corner of the web page, click ADMINISTRATORS.

OpenText Fortify Software Security Center (23.1.0)

Page 68 of 428

User Guide

Chapter 4: Configuring Fortify Software Security Center for the First Time

3.

Go to the <fortify.home><app_context> directory (see "About the <fortify.home>

Directory" on page 55), and open the init.token file in a text editor. (If Tomcat is running

as Windows service, then you can find the init.token file in

%SystemRoot%\System32\config\systemprofile\.fortify\ssc\init.token).

4.

5.

Copy the contents of the init.token file to the clipboard.

On the web page, paste the string you copied from the init.token file into the text box,

and then click SIGN IN.

6. Read the information on the START page of the Fortify Software Security Center Setup

wizard, and then click NEXT.

7. On the CONFIGURATION step, under UPLOAD FORTIFY LICENSE, do the following:

a. Click UPLOAD.

b.

Browse to and select your fortify.license file, and then click UPLOAD.

If the license you entered is invalid or expired, Fortify Software Security Center displays a

message to that effect.

The right pane displays the default path of the configuration directory in which your

configuration files (app.properties, datasource.properties and

version.properties) are to reside.

8. Read the warning note about sensitive information in the configuration file directory. For

information on how to change the location of this directory, see "About the <fortify.home>

Directory" on page 55.

9. Select the I have read and understood this warning check box, and then click NEXT.

10. On the CORE CONFIGURATION SETTINGS step, do the following:

a. In the FORTIFY SOFTWARE SECURITY CENTER URL box, type the URL for your

Fortify Software Security Center server.

b. In the center pane, select the Enable HTTP host header validation check box to

ensure that the HTTP Host header value matches the value configured in the Fortify

Fortify Software Security Center (23.1.0)

Page 69 of 428

User Guide

Chapter 4: Configuring Fortify Software Security Center for the First Time

Software Security Center URL (host.url property). Both the host and port must

match. This affects both browsers and direct REST APIs access. If validation is turned

off, any HTTP Host header can access Fortify Software Security Center.

c. To enable global searches in Fortify Software Security Center, in the GLOBAL SEARCH

pane, select the Enable global search check box.

d. The text box below the check box displays the default location for the search index

files. If you prefer a different location, type a different directory path for your search

index files. (Passwords are not indexed.)

Note: The optimum disk size for the requisite indexing for global searches varies

based on the characteristics of the data, but the Lucene indexes are much smaller

than the data in the database. For example, the index size required for a database

issue volume of 18 GB (with db indexes) is approximately 2 GB.

Note: Because indexed data can include sensitive information (user names, email

addresses, vulnerability categories, issue file names, and so on), make sure that you

select a secure location to which only Tomcat Server user has read and write

access.

e. Read the warning in the GLOBAL SEARCH pane, and then select the I have read and

understood this warning check box.

11. Click NEXT.

12. On the DATABASE SETUP step, do the following:

a. In the DATABASE TYPE box, select the database type you are using with Fortify

Software Security Center.

b. In the DATABASE USERNAME box, type the username for your Fortify Software

Security Center database. For more information, see "Database User Account

Privileges" on page 59.

c. In the DATABASE PASSWORD box, type the password for your Fortify Software

Security Center database account.

Note: Make sure that the database user credentials specified in the DATABASE

USERNAME and DATABASE PASSWORD boxes are for a user account that has

the privileges required to execute migration scripts. These privileges are described

in "Database User Account Privileges" on page 59.

d. In the JDBC URL box, type the URL for the Fortify Software Security Center.

Caution! (MySQL database type only) If MySQL server is configured to use the

sha256_password or the caching_sha2_password authentication plugin, you

must provide the server RSA public key to the JDBC driver with the

serverRsaPublicKeyFile option. Alternatively, you can use the less secure

allowPublicKeyRetrieval option. For more detail, see the MariaDB Connector/J and

MySQL server documentation (https://mariadb.com/kb/en/mariadb-

connector-j and https://dev.mysql.com/doc).

Fortify Software Security Center (23.1.0)

Page 70 of 428

User Guide

Chapter 4: Configuring Fortify Software Security Center for the First Time

Important! If you are using a MySQL Server database, you must add the following

to the end of the URL:

- rewriteBatchedStatements=true

- sessionVariables=collation_connection=COLLATION

where COLLATION represents the collation type of your database

Examples:

jdbc:mysql://localhost:3306/ssc?sessionVariables=collation_

connection=utf8_bin&rewriteBatchedStatements=true

jdbc:mysql://localhost:3306/ssc?sessionVariables=collation_

connection=latin1_general_cs&rewriteBatchedStatements=true

MariaDB JDBC driver is used to connect to the MySQL database server. Any

additional JDBC URL parameters must use MariaDB driver syntax.

Important! If you are using a MSSQL Server database, you must add the following

property setting to the end of the URL:

sendStringParametersAsUnicode=false

jdbc:sqlserver://<host>:1433;database=<database_

name>;sendStringParametersAsUnicode=false

Caution! Fortify Software Security Center 23.1.0 ships with JDBC Driver version

11.2.1. The MSSQL JDBC driver distributed with Fortify Software Security Center

requires an encrypted connection by default and a trusted server certificate. If

there is no need for an encrypted connection, then you must add encrypt=false

to the end of the JDBC connection string, as shown in the following example:

jdbc:sqlserver://111.1.1.1:1111;database=ssc;

sendStringParametersAsUnicode=false;encrypt=false

e. In the MAXIMUM IDLE CONNECTIONS box, type the maximum number of idle

connections that can remain in the pool. The default value is 50.

f. In the MAXIMUM ACTIVE CONNECTIONS box, type the maximum number of active

connections that can remain in the pool. The default value is 100.

g. In the MAXIMUM WAIT TIME (MS) box, type the maximum number of milliseconds for

the pool to wait for a connection (when no connections are available) before the system

throws an exception. The default value is 60000. To extend the wait indefinitely, set

the value to zero (0).

h. To test your settings, click TEST CONNECTION. Fortify Software Security

Center displays a message to indicate whether the test was successful.

Note: If the connection test fails, check the ssc.log file (<fortify.home>/<app_

context>/logs directory) to determine the cause.

13.

Before you continue on to the DATABASE SEEDING step, run the create-tables.sql

script. For instructions, see "About the Fortify Software Security Center Database Tables

and Schema" on page 65.

Fortify Software Security Center (23.1.0)

Page 71 of 428

User Guide

Chapter 4: Configuring Fortify Software Security Center for the First Time

Note: If you automate Fortify Software Security Center configuration and you have

enabled database migration in the <app_context>.autoconfig file, you do not need

to run the create-tables.sql script. For information about how to automate Fortify

Software Security Center configuration, see "Automating Fortify Software Security

Center Configuration" on page 417.

14. After you initialize the database, click NEXT.

15. (Linux only) If you are using OpenJDK, make sure that you install DejaVu sans fonts and

DejaVu serif fonts on the server. You can download these fonts from

https://github.com/dejavu-fonts/dejavu-fonts. Without these fonts, Fortify Software

Security Center cannot successfully generate reports.

16. On the DATABASE SEEDING step, do the following:

a.

b.

c.

In the left pane, use BROWSE to locate and select your Fortify_Process_Seed_

Bundle-2023_Q1_<build>.zip file, and then click SEED DATABASE.

Use BROWSE to locate and select your Fortify_Report_Seed_Bundle-2023_Q1_

<build>.zip file, and then click SEED DATABASE.

(Optional) Use BROWSE to locate and select your Fortify_PCI_SSF_Basic_Seed_

Bundle-2023_Q1_<build>.zip file, and then click SEED DATABASE.

Note: Use the PCI SSF Basic seed bundle to begin to understand how software

security issues can affect evaluation under these new PCI SSF standards. For more

information, see "Unpacking and Deploying Fortify Software Security Center

Software" on page 47 .

d.

(Optional) Use BROWSE to locate and select your Fortify_PCI_Basic_Seed_

Bundle-2023_Q1_<build>.zip file, and then click SEED DATABASE.

For descriptions of the available seed bundles, see "Unpacking and Deploying Fortify

Software Security Center Software" on page 47.

17. Click NEXT.

18. Click FINISH.

19. Restart Tomcat Server.

After you finish the initial Fortify Software Security Center configuration, complete the

configuration of the core parameters and configure additional settings in the ADMINISTRATION

view. (For information about the ADMINISTRATION view, see "Additional Fortify Software

Security Center Configuration" on page 76.)

Note: If you later find that you need to change any of the configuration settings, you can

place Fortify Software Security Center in maintenance mode, and then make any necessary

changes. For instructions on how to place Fortify Software Security Center in maintenance

mode, see "Placing Fortify Software Security Center in Maintenance Mode" on page 175.

Fortify Software Security Center (23.1.0)

Page 72 of 428

Chapter 5: Logging in to Fortify Software Security

Center

After you create and initialize your Fortify Software Security Center database, configure Tomcat

Server, and deploy Fortify Software Security Center in Tomcat, you can log in to Fortify

Software Security Center.

Important! After you log in, create at least one non-default administrator account, and then

delete the default administrator account. For more information about how to manage

Fortify Software Security Center user accounts and roles, see "About Fortify Software

Security Center User Administration" on page 169.

To log in to Fortify Software Security Center:

1. In a web browser, type the URL for your Fortify Software Security Center instance.

Note: For a normal deployment, the default Fortify Software Security Center URL is

https://<ssc_host>:<port>/ssc. For a deployment to a Kubernetes cluster, the

default URL is https://<ssc_host>:<port>/ (without ssc at the end).

2. Type your username and password.

If you are logging on to Fortify Software Security Center for the first time, type admin in

both the Username and Password fields. These are the default credentials for a

new installation.

3. Click LOGIN.

If you are logging on to Fortify Software Security Center for the first time, you are

prompted to change your password.

4. If Fortify Software Security Center prompts you to change your password, enter a new one.

Make sure that you specify a password that does not include your username or common

phrases (names, movie or song titles, dates, or number or letter sequences). A combination

of three or four unrelated words such as "myredhorsedance" can work well. After your

password is evaluated as strong, you can save it, and then log in.

See Next

"About Session Logout" on the next page

"Additional Fortify Software Security Center Configuration" on page 76

"Setting the Required Password Strength for Fortify Software Security Center Login" on

page 158

OpenText Fortify Software Security Center (23.1.0)

Page 73 of 428

User Guide

Chapter 5: Logging in to Fortify Software Security Center

About Session Logout

If you logged in to Fortify Software Security Center using local login (through the login dialog

box with username and password to LDAP or local account), and you then log out, Fortify

Software Security Center takes you to the logout screen shown here.

If you logged in using an SSO account for which single logout is supported, at logout, you will

see a session logout screen that lets you logout from either your local account, or your

SSO account.

Note: Fortify Software Security Center supports single logout for Central Authorization

Server and for SAML.

If you click LOCAL ACCOUNT LOGOUT, Fortify Software Security Center logs you out of your

current session only and takes you to the logout screen.

If you click SSO LOGOUT, in addition to logging out of Fortify Software Security Center, single

logout is performed, and you are logged out from your SSO provider.

Note: To log out of Fortify Software Security Center completely, close all of your browser

windows.

Fortify Software Security Center (23.1.0)

Page 74 of 428

User Guide

Chapter 5: Logging in to Fortify Software Security Center

Inactive Session Timeout

If you have been inactive and your Fortify Software Security Center session is about to time out,

Fortify Software Security Center displays one of two dialog boxes:

l

If you logged in using local login (through the login dialog box with username and password

to LDAP or local account), and your session is about to time out, you see a dialog box that

lets you either log out or stay logged in.

If you click LOG OUT or your session times out due to further inactivity, Fortify Software

Security Center logs you out of the session and takes you to the logout screen.

l

If you are logged on to Fortify Software Security Center through an SSO provider for which

single logout is supported, you see a dialog box that lets you log out of your local user

account, perform an SSO logout, or stay logged in.

If you click LOCAL ACCOUNT LOGOUT or your session times out due to further inactivity,

Fortify Software Security Center logs you out of the SSC session only and then takes you to

the logout screen.

If you click SSO LOGOUT, Fortify Software Security Center logs you out of the SSC session,

and then logs you out of your SSO provider.

For information about how to configure session timeout, see "Configuring Core Settings" on

page 92.

Note: To log out completely from Fortify Software Security Center, close your browser (all

tabs).

Logout Screen

If you logged in to Fortify Software Security Center using local login, the Click here to log in

again link takes you to the login screen, where you can log in again.

If you logged in to Fortify Software Security Center through an SSO provider, the Click here to

log in again link initiates SSO login.

Fortify Software Security Center (23.1.0)

Page 75 of 428

Chapter 6: Additional Fortify Software Security

Center Configuration

After you finish the preliminary Fortify Software Security Center configuration and deploy the

ssc.war file, you complete the configuration from the Fortify Software Security Center

ADMINISTRATION view.

You can configure and update other settings in the ADMINISTRATION view later, as necessary.

Accessing the Configuration Settings in the

ADMINISTRATION View

You complete the Fortify Software Security Center configuration from the Configuration

category in the ADMINISTRATION view.

To access the Configuration category:

1. Log in to Fortify Software Security Center as an administrator user. For log-in instructions,

see "Logging in to Fortify Software Security Center" on page 73.

2. Do one of the following:

l

If you are accessing Fortify Software Security Center for the first time, a banner similar

to the following is displayed at the top of the page. Click Go to open the Configuration

category in the ADMINISTRATION view.

Otherwise,

a. On the Fortify header, click ADMINISTRATION.

In the ADMINISTRATION view, the navigation pane on the left displays links to the

categories that are available in the ADMINISTRATION view. The Event Logs page is

displayed by default.

b. In the left pane, select Configuration.

The pane displays the configuration category options. For information about these options, see

"Configuration Options Available in the ADMINISTRATION View" on page 79.

OpenText Fortify Software Security Center (23.1.0)

Page 76 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Configuring Issue Stats Thresholds

The Issue Stats dashboard page shows summary information about issues for the application

versions on Fortify Software Security Center, including the number of days that it is taking to

review and fix them. To provide a visual cue as to how quickly issues are being handled, the

Issue Stats page displays colored bars next to the values for the Average Days to Review and

Average Days to Remediate. A green bar indicates that issues are being managed quickly, a

red bar indicates that issue management is too slow, and an orange bar indicates that issue

management is somewhere between these two extremes.

How Average Days to Review and Average Days to Remediate are Calculated

Before it calculates the Average Days to Review and Average Days to Remediate values,

Fortify Software Security Center applies the following rules:

l

Fortify Software Security Center excludes the following issues from its calculations:

l

All issues that were audited or removed 365 days ago or earlier

l

All suppressed issues

l

Issues that have not been either audited or removed

l

To calculate issue aging for audited issues, Fortify Software Security Center uses the date

and time on which the issue was first audited.

l

For issues that were not audited but were removed, Fortify Software Security Center uses the

removal date as the audit date.

l

To calculate issue dates, Fortify Software Security Center performs the following to clean up

dates and times:

l

Adjusts issue found dates and times to 12:00 AM of the date the issues were found.

l

Adjusts issue audited dates and issue removed dates to 12:00 am of next day.

These adjustments are required to calculate average dates correctly. For example, without

these adjustments, the calculated averages would be zero for issues that were found and

audited on the same date, which is not correct. For an issue found on March 2 and audited at

March 5, the days to review is 5 – 2 + 1, or 4 days.

After it applies all of these rules and makes time and date adjustments, Fortify Software

Security Center calculates the average of two values—(auditTime - foundDate) and

(removedDate - foundDate)—to get average number of days to audit and remediate issues

Setting the Issue Stats Thresholds

You set the thresholds that determine what users see when they review summary information

about the application versions to which they have access. By default, the Issue Stats page

displays values of fewer than 100 days (minimum) in a green bar, any values greater that 365

days (maximum) in red, and values in between as yellow.

Fortify Software Security Center (23.1.0)

Page 77 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

To set the color thresholds for Average Days to Review and Average Days to Remediate:

1. On the Fortify header, select ADMINISTRATION.

2. In the left pane, under Metrics & Tracking, select Issue Age.

The Issue Age page opens. The minimum and maximum values for Average Days to

Review and Average Days to Remediate are set to 100 and 365, respectively.

3. To reset the thresholds for the average number of days to review Issues, under for

Average Days to Review, do one of the following:

l

Adjust the slider control.

l

Change the values shown in the Min. and Max. combo boxes.

4. To reset the thresholds for the average number of days to remediate Issues, under for

Average Days to Remediate, do one of the following:

l

Adjust the slider control.

l

Change the values shown in the Min. and Max. combo boxes.

5. Click SAVE.

The color coded values on the Issue Stats dashboard page reflect your changes.

Fortify Software Security Center (23.1.0)

Page 78 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Configuration Options Available in the ADMINISTRATION

View

The following table lists the configuration options available in the ADMINISTRATION view. (On

the Fortify header, select ADMINISTRATION. Then, in the left pane, select Configuration.)

Note: Changes to some configuration options do not take effect until the system is

restarted.

Option

Description

Instructions

AppSec Training

Use to enable and configure

application security training. This

makes the GET TRAINING button

available on the issue details section

of the AUDIT page.

"Configuring Application

Security Training" on page 81

Audit Assistant

Use to enable and configure Audit

Assistant, which uses Fortify Scan

Analytics to automatically audit

Fortify Static Code Analyzer scans.

"Configuring Audit Assistant"

on page 84

BIRT Reports

Core

Use to apply enhanced security to

reporting in Fortify Software Security BIRT Reporting" on page 90

Center.

"Configuring Security for

Use to configure core Fortify Software "Configuring Core Settings" on

Security Center settings such as the

timeout and lockout settings and the

proxy for secure coding Rulepacks

updates.

page 92

Email

Use to configure the server settings

used to send email alerts to users.

"Configuring Email Alert

Notification Settings" on

page 96

Issue Audit

JMS

Use to select the setting that

determines how issue audit conflicts

are resolved.

"Setting the Strategy for

Resolving Issue Audit Conflicts"

on page 99

Use to configure Fortify Software

Security Center to publish system

"Configuring Java Message

Service Settings" on page 100

Fortify Software Security Center (23.1.0)

Page 79 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Option

Description

Instructions

events to the Java Message Service

(JMS).

LDAP Servers

Maintenance

Use to configure LDAP authentication "Configuring LDAP Servers" on

and LDAP server options for one or

more LDAP servers.

page 104

If, at any time, you need to change

"Placing Fortify Software

any server configuration settings, you Security Center in Maintenance

can place Fortify Software Security

Center in maintenance mode, and

then make the necessary changes.

From here, you can also pause job

execution in preparation for server

shutdown.

Mode" on page 175

Proxy

Use to configure a single proxy for

Rulepack updates, the connection to

Audit Assistant, and for bug tracker

plugins.

"Configuring a Proxy for Fortify

Software Security

Center Integrations" on

page 125

ScanCentral

DAST

Use to configure Fortify Software

Security Center to manage and run

dynamic scans from the

SCANCENTRAL view in Fortify

Software Security Center.

"Enabling the Running and

Management of ScanCentral

DAST Scans from Fortify

Software Security Center" on

page 128

SCIM

SSO

Use to enable SCIM for provisioning of "Enabling SCIM for Provisioning

externally-managed users and

groups.

of Externally Managed Users

and Groups" on page 125

Use to configure Fortify Software

Security Center to work with one of

the following SSO solutions:

"Configuring Fortify Software

Security Center to Work with

Single Sign-On" on page 139

l

CAS SSO

l

SPNEGO/KERBEROS SSO

l

SAML SSO

l

HTTP SSO

Fortify Software Security Center (23.1.0)

Page 80 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Option

Description

Instructions

l

X.509 SSO

ScanCentral SAST Use to configure Fortify Software

Security Center to monitor

"Configuring ScanCentral SAST

Monitoring in Fortify Software

Security Center" on page 127

ScanCentral SAST and to display

ScanCentral SAST results in the

SCANCENTRAL view in Fortify

Software Security Center.

Scheduler

Security

Use to configure the Fortify Software "Configuring Job Scheduler

Security Center job scheduler

settings.

Settings" on page 128

Use to configure the Fortify Software "Configuring Browser Access

Security Center security features.

Security for Fortify Software

Security Center" on page 138

Seed Bundles

Use to seed the database with seed

bundles distributed in a quarterly

security content release.

"Seeding the Database with

Report Seed Bundles Delivered

with Quarterly Security Content

Releases" on page 192

Web Services

Webhooks

Use to configure Fortify Software

Security Center web services.

"Configuring Web Services to

Require Token Authentication"

on page 152

Use to create and manage webhooks "Creating Webhooks" on

that keep your systems updated on

events that occur in Fortify Software

Security Center.

page 276

Configuring Application Security Training

If your organization has access to an application security training platform, you can integrate

that training with Fortify Software Security Center. After you do, your users can access context-

appropriate guidance on the issues they assess and how best to mitigate them as they audit.

To enable application security training on Fortify Software Security Center:

1. On the Fortify header, select ADMINISTRATION.

2. In the left pane, select Configuration, and then select AppSec Training.

Fortify Software Security Center (23.1.0)

Page 81 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

3. On the AppSec Training page, leave the Enable Training check box selected.

4. To determine whether your online training vendor has integrated with Fortify Software

Security Center and to obtain the corresponding training URL, contact Fortify Customer

Support (https://www.microfocus.com/support).

5. In the Training URL box, type your application security training URL.

6. Click SAVE.

Users can now see the GET TRAINING button in the details section for issues on the AUDIT

page. Users can click GET TRAINING to go to the application security training website you have

specified.

See Also

"Enabling Auto-Apply and Auto-Predict for an Application Version" on page 238

About Audit Assistant

Audit Assistant is an optional tool that you can use with Fortify Scan Analytics to help

determine whether or not the issues returned from Fortify Static Code Analyzer scan results

represent true vulnerabilities. To make its determinations, Audit Assistant needs data to

establish a baseline for its audits. This data consists of the decisions users have made during

scan audits about how to characterize various issues.

You can use Fortify shared data (pooled, anonymized data from Fortify users and Fortify's

security team), or use audit data that your security team has completed. Audit Assistant’s

assessments of the actual threats that issues represent become more accurate as it receives

more training data.

You can submit training data (metadata derived from historical human-audited scan results)

without having submitted anything for prediction.

Audit Assistant can also learn through corrections that are included in the training or prediction

data set. A correction is registered after a user reviews the prediction Audit Assistant assigned

to an issue, disagrees with it, adjusts the value, and then includes the issue in the data set for

additional training.

The following sections describe how to obtain an authentication token from Fortify Scan

Analytics, and then use that token to configure a connection to Fortify Scan Analytics. Later

sections describe how to prepare Scan Analytics for metadata submission, submit data, review

Audit Assistant results, and then submit corrected audit data.

"Using Audit Assistant" on page 343

"About Prediction Policies" on page 344

"Defining Prediction Policies" on page 345

Fortify Software Security Center (23.1.0)

Page 82 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

"Enabling Metadata Sharing" on page 346

"Submitting Training Data to Audit Assistant" on page 346

"Reviewing Audit Assistant Results" on page 347

Fortify Software Security Center (23.1.0)

Page 83 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Getting a Fortify Scan Analytics Authentication Token

To integrate with Audit Assistant, you must first obtain a Fortify Scan Analytics authentication

token.

To obtain a Fortify Scan Analytics authentication token:

1. Log on to Fortify Scan Analytics (https://analytics.fortify.com).

2. On the Fortify header, select ADMINISTRATION, and then select TOKENS.

3. On the Tokens page, click +ADD.

4. In the Name box, type a name for the token to generate.

5. Click SAVE.

The Tokens page lists the new token.

6.

To the right of the token name, click the view icon ( ).

The Token window opens.

7. Select and copy the token text, and then click CLOSE.

Use the copied token to configure the integration with Audit Assistant. (See "Configuring Audit

Assistant" below.)

Configuring Audit Assistant

Audit Assistant works with Fortify Scan Analytics to help determine whether or not the issues

returned from Fortify Static Code Analyzer scan results represent true vulnerabilities.

To configure Fortify Software Security Center to use Audit Assistant with your applications:

1. Log in to Fortify Software Security Center as an administrator, and then, on the Fortify

header, select ADMINISTRATION.

2. In the left pane, select Configuration, and then select Audit Assistant.

3. Configure the settings on the Audit Assistant page as described in the following table.

Field* Required Description

Enable Audit

Assistant

Select this check box to enable the remaining fields.

* Authentication Paste the authentication token you obtained from Fortify Scan

token

Analytics here. For instructions on how to get a token, select How do

I get a token? or, see "Getting a Fortify Scan Analytics

Authentication Token" above .

* Fortify Scan

Specify the URL for the Fortify Scan Analytics server.

Analytics server

Fortify Software Security Center (23.1.0)

Page 84 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Field* Required Description

URL

Use SSC proxy

for Audit

Assistant

If you have configured a proxy for

all Fortify Software Security Center integrations (see "Configuring a

Proxy for Fortify Software Security Center Integrations" on

page 125 , you can select this check box to use that proxy for Audit

Assistant.

4. To test the connection to the Application Security Analytics server, click TEST

CONNECTION.

After the connection is successfully tested, you can go ahead and configure the settings in

the Audit settings section.

5. Click REFRESH POLICIES to populate the Default prediction policy list with the current

server policies on the Fortify Scan Analytics server.

Note: Audit Assistant prediction policies set for individual application versions can

become invalid if available policies are changed on the Fortify Scan Analytics server.

Fortify Software Security Center verifies new policies it receives from Fortify Scan

Analytics every time a user clicks REFRESH POLICIES.) If Fortify Software Security

Center detects one or more invalid policies, it displays a table that shows the mapping

from the original policy to the changed policy. You can then identify each obsolete

policy and map its valid replacement. Fortify Software Security Center updates the

policies based on the changes you submit in the mapping table.

6. From the Default prediction policy list, select the name of the prediction policy to apply to

all application versions. (Policies are defined in Fortify Scan Analytics.)

7. If you plan to specify prediction policies at the application version level and override the

default global prediction policy, select Enable specific application version policies.

Otherwise, Audit Assistant uses the default global prediction policy you specified in the

previous step.

Note: You can specify the policy for an application version from the APPLICATION

PROFILE dialog box. For instructions, see "Configuring Audit Assistant Options for an

Application Version" on page 258.

8. To enable Audit Assistant to automatically send issues not yet assessed to Fortify Scan

Analytics for assessment, select the Enable auto-predict check box. (For information

about the auto-predict feature, see "About Audit Assistant Auto-Prediction" on the next

page.)

Note: If you enable auto-predict here, open the APPLICATION PROFILE dialog box for

each application version for which you want to use auto-prediction, and enable it there

as well.

Fortify Software Security Center (23.1.0)

Page 85 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

9. To enable the application of the analysis values that Audit Assistant assesses for issues to

your Analysis custom tag values system-wide, select the Enable auto-apply check box.

After you do, you must enable this functionality on a per-application version project basis

from the APPLICATION PROFILE window.

Note: If you enable auto-apply here, open the APPLICATION PROFILE dialog box for

each application version for which you want to use auto-apply, and enable it there as

well.

Important! Before you can use the auto-apply feature, you must first map Audit

Assistant analysis tag values to Fortify Software Security Center Analysis tag values.

10. If you selected the Enable auto-apply check box, and you want to map Audit Assistant

analysis tag values to Fortify Software Security Center Analysis tag values now, click the

here link to go to the Custom Tags page, and then follow the instructions provided in

"Mapping Audit Assistant Analysis Tag Values to Fortify Software Security Center Custom

Tag Values" on the next page .

11. Click SAVE.

About Audit Assistant Auto-Prediction

You can configure Fortify Software Security Center to send issues for Audit Assistant prediction

automatically after FPRs are successfully uploaded and processed. (If you prefer to submit FPRs

for prediction manually, then there is no need to configure auto-prediction.)

If both auto-predict and auto-apply are enabled for an application version, then Audit Assistant

automatically applies predicted values to custom tags on new issues after prediction is

completed. (Audit Assistant prediction results are always applied to an application version, but

if auto-apply is not enabled, the information is stored only in Audit Assistant-specific tags. If

auto-apply is enabled, Audit Assistant-specific values are also mapped to other tags, based on

the configuration.)

Only unpredicted issues (uncovered by a supported analyzer) found at the end of FPR

processing are automatically submitted to Audit Assistant for assessment. Once Audit Assistant

has assessed an issue, it does not revisit that issue.

Enabling Auto-prediction

Auto-prediction enablement for an application version is a two-step process. First, an

administrator enables it system-wide during Audit Assistant configuration. "Configuring Audit

Assistant" on page 84.) After this, users can enable auto-prediction on a per-application-version

basis from the PROFILE window. (See "Enabling Auto-Apply and Auto-Predict for an Application

Version" on page 238.)

Fortify Software Security Center (23.1.0)

Page 86 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Mapping Audit Assistant Analysis Tag Values to Fortify Software Security Center Custom

Tag Values

If, when you configured Audit Assistant ("Configuring Audit Assistant" on page 84), you enabled

Audit Assistant auto-apply, you must next map Audit Assistant analysis tag values to Fortify

Software Security Center custom tag values for one or more list-type custom tags. After you do,

you can start using the automated auditing feature.

Note: For Audit Assistant auto-apply to work, you must designate the mapped custom tag

as the primary custom tag from the APPLICATION PROFILE dialog box for the application

version.

To map Audit Assistant analysis tag values to Fortify Software Security Center list-type custom

tag values:

1. After you configure Audit Assistant (and enable Audit Assistant auto-apply), do one of the

following:

l

In the left pane of the ADMINISTRATION view, select Templates, and then select

Custom Tags.

Or

l

If you enabled auto-apply, click the here link at the bottom of the Audit Assistant page.

2. On the Custom Tags page, expand the row for a list-type custom tag (such as Analysis) for

which you want to map values.

3. At the bottom right of the expanded section, click EDIT.

Fortify Software Security Center (23.1.0)

Page 87 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

The custom tag values listed in the table become editable, and the Audit Assistant

Training section is visible.

4. In the table of tag values, select the Edit value icon ( ) for a listed value.

Fortify Software Security Center (23.1.0)

Page 88 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

5. In the EDIT VALUE dialog box, under AA Custom Tags, select the check box for the

AA custom tag value to map to this custom tag value.

6. Click APPLY.

The list of custom tag values now shows the value you just mapped for Audit Assistant.

7. Complete steps 4 through 6 for all of the values that you want to map for automated

auditing.

8. Click SAVE.

Fortify Software Security Center (23.1.0)

Page 89 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Note that after you save your mapping, Fortify Software Security Center displays a gavel

icon to the right of the custom tag name.

Note: The Audit Assistance Training section is used for data training purposes. For

information about how to configure this section, see "Adding Custom Tags to the System"

on page 259.

Configuring Security for BIRT Reporting

You can add an extra measure of security to BIRT reporting by doing one or both of the

following:

l

Enable the Java security manager

l

Limit access to tables and views in the database

Enabling Java Security Manager

To enable Java Security manager:

1. Log in to Fortify Software Security Center as an administrator.

2. On the Fortify header, click ADMINISTRATION.

3. In the left pane, select Configuration, and then click BIRT Reports.

4. On the BIRT Reports page, under Enhanced security, select the Turn on security

manager check box.

Note: If you try to generate a custom report that depends on functionality that the

BIRT security manager regards as unsafe, the report generation might fail.

5. Click SAVE.

(Linux with OpenJDK only) Installing Required Fonts

If your Fortify Software Security Center is installed on a Linux system, and you are running

OpenJDK, you must install fontconfig, DejaVu Sans fonts, and DejaVu serif fonts on the server to

enable users to successfully generate reports. Otherwise, report generation will fail. You can

download these fonts from https://github.com/dejavu-fonts/dejavu-fonts.

Creating a Database Account for Reporting

To limit write access to tables and views in the database:

1. Create a database user account to use exclusively for BIRT reporting and provide minimum

permission required to generate reports.

2. For the new user account, enable read (only) access to the following tables and views:

Fortify Software Security Center (23.1.0)

Page 90 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Tables

activity

issuecache

reportexecparam

requirement

requirementtemplate

ruledescription

savedreport

scan

attr

measurement

measurementhistory

metadef

auditattachment

auditcomment

catpackexternalcategory

catpackexternallist

catpacklookup

datablob

metadef_t

metaoption

metaoption_t

metavalue

scan_rulepack

seedhistory

sourcefile

documentinfo

eventlogentry

f360global

metavalueselection

project

snapshot

projecttemplate

projectversion

projectversiondependency

reportexecblob

Views

userpreference

variable

filterset

folder

variablehistory

foldercountcache

attrlookupview

auditvalueview

baseissueview

defaultissueview

metadefview

metaoptionview

ruleview

view_standards

3. Log in to Fortify Software Security Center as an administrator.

4. On the Fortify header, click ADMINISTRATION.

5. In the left pane, select Configuration, and then click BIRT Reports.

Fortify Software Security Center displays the BIRT Reports page.

6. In the DB Username and DB Password boxes, type the credentials for the database

account that has read-only database access.

7. To test the database user account access to the database, click VALIDATE CONNECTION.

Fortify Software Security Center (23.1.0)

Page 91 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

8. Click SAVE.

"Setting Report Generation Timeout" below

Allocating Memory for Report Generation

To allocate memory for security for Fortify Software Security Center reports:

1. On the Fortify header, select ADMINISTRATION.

2. In the left pane, select Configuration, and then click BIRT Reports.

3. In the Set up BIRT execution section, select the default value in the Maximum heap size

(MB) box, and then type a new value. (For minimum and recommended values for java heap

size, see the Micro Focus Fortify Software System Requirements document.)

4. Click SAVE.

Setting Report Generation Timeout

To set a report generation timeout value (after which report generation is stopped and set as

"failed"):

1. Log in to Fortify Software Security Center as an administrator.

2. On the Fortify header, select ADMINISTRATION.

3. In the left pane, select Configuration, and then click BIRT Reports.

4. Under Set up BIRT execution, select the default value in the Execution timeout

(minutes) box, and then type a new value.

5. Click SAVE.

Configuring Core Settings

In addition to the initial configuration you performed on the Setup wizard, you must also

configure several core attributes in the Configuration section of the ADMINISTRATION view.

These attributes include user account timeout and lockout settings, the display of user

information, maximum events per Fortify WebInspect Agent issue, the base URL for the runtime

event description server, and the user administrator's email address. You also configure the

proxy used for Rulepack updates on this page. For information about the Rulepacks updates

proxy, see "About Configuring a Proxy for Rulepack Updates" on page 95.

To configure Fortify Software Security Center core settings in the ADMINISTRATION view:

1. Log in to Fortify Software Security Center as an administrator, and then, on the Fortify

header, click ADMINISTRATION.

Fortify Software Security Center (23.1.0)

Page 92 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

2. In the left pane of the ADMINISTRATION view, select Configuration, and then select Core.

3. On the Core page, configure the settings described in the following table.

Field

Description

Absolute session Number of minutes a user can be continuously active before Fortify

timeout

(minutes)

Software Security Center automatically logs a user off.

The default value is 240.

Days before

password reset

Number of days the Fortify Software Security Center password is

valid before the user must change it.

The default value is 30.

Login attempts

Number of times a local user can try to log in to Fortify Software

allowed before a Security Center using invalid credentials before Fortify Software

user is locked out Security Center locks the user's account.

If Fortify Software Security Center locks a user out, that user is

prevented from attempting a new login for the number of minutes

specified in the Lockout time (minutes) box. (For information

about how to unlock a user account, see "Unlocking Local User

Accounts" on page 216. The default value is 3.

Note: This setting does not apply to LDAP users. If the account

lockout threshold was configured using the Group Policy editor,

the LDAP user account could be locked out in Active Directory if

consecutive login attempts have failed.

Lockout time

(minutes)

If a user attempts and fails to log in to Fortify Software Security

Center the number of times specified for Login Attempts before

Lockout, Fortify Software Security Center locks the user account for

the number of minutes specified in the Lockout time (minutes)

box.

The default value is 30.

User lookup

strategy

If LDAP is enabled, select one of the following user lookup strategies

from this list:

l

Local users first, fallback to LDAP users (compatibility)

Search local users first, then search LDAP users. To avoid

potential authorization errors and user confusion, make sure that

Fortify Software Security Center (23.1.0)

Page 93 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Field

Description

usernames are not duplicated on the LDAP server and local

storage.

l

LDAP users first, fallback to local users

Search LDAP users first, then local users. To avoid potential

authorization errors and user confusion, make sure that user

names are not duplicated on the LDAP server and local storage.

l

LDAP users exclusive, fallback to local administrator

(Recommended strategy for SSO) Search LDAP users only, and

allow local administrator access.

Display user

first/last names

and emails in

Select this check box to display the following user information, when

applicable: login name, first and last names, and email address.

user fields, along

with login names

Maximum events Determines the maximum number of events to log within a single

per WebInspect

Agent Issue

Fortify WebInspect Agent issue. After that threshold is reached, new

events related to the same issue are ignored.

The default value is 5.

Inactive session

timeout

Type the number of minutes a user can be inactive before Fortify

Software Security Center automatically logs the user off.

(minutes)

The default value is 30.

Locale for

Rulepacks

Type one of the following:

l

ja (Japanese)

l

zh_CN (simplified Chinese)

l

zh_TW (traditional Chinese)

l

es (Spanish)

l

pt_BR (Portuguese Brazilian)

Note: There is no need to specify a value for English.

Fortify Software Security Center (23.1.0)

Page 94 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Field

Description

Rulepack update URL for the Fortify Rulepack update site.

URL

Important! Do not change the default value of the Rulepack

Update URL field unless your Fortify Customer Support

representative directs you to do so.

The default value is https://update.fortify.com

Use SSC proxy

for Rulepack

update

Select this check box to enable the use of the Fortify Software

Security Center proxy, if the Rulepack server is behind it.

Note: The Fortify Software Security Center proxy must be

enabled and correctly configured. For information on how to

configure a proxy, see "Configuring a Proxy for Fortify Software

Security Center Integrations" on page 125 .

User

Type the email address of the user who is to receive system email

alerts and notifications when email notifications are enabled.

Administrator's

email address

(for user account

requests)

Requests for new user accounts are sent to this address when the

Can't access or need an account? link is available on the Fortify

Software Security Center login page.

Enable export to Select this check box to enable users to export Fortify Software

CSV from the

Dashboard and

AUDIT views

Security Center data to comma-separated values files.

Note: If you are changing only this property on the Core page, a

server restart is not required to implement the change.

4. Click SAVE.

5. Restart the server.

About Configuring a Proxy for Rulepack Updates

By default, Fortify Software Security Center downloads the current versions of Fortify Secure

Coding Rulepacks you subscribe to from the Fortify Customer Portal at

https://update.fortify.com.

If your organization uses a proxy to access external resources, Fortify recommends that you

configure a proxy for secure coding Rulepacks updates (as well as for bug tracking and, if you

Fortify Software Security Center (23.1.0)

Page 95 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

use it, Audit Assistant). For instructions on how to configure a single proxy for use with all

HTTP(s) protocol-based Fortify Software Security Center integrations, see "Configuring a Proxy

for Fortify Software Security Center Integrations" on page 125.

After you configure a single proxy for use with all HTTP(s) protocol-based integrations, you can

enable of that proxy for Rulepack update. For instructions, see "Configuring Core Settings" on

page 92.

Configuring Email Alert Notification Settings

If you plan to use Fortify Software Security Center to send email alert notifications to your

teams, do the following:

1. Create an SMTP email account for Fortify Software Security Center to use.

2. Configure the email settings as described in this topic.

Note: For information about how to enable or disable the receipt of email alerts, see

"Enabling and Disabling Receipt of Email Alerts" on page 98.

To configure the settings used for sending email alert notifications, do the following.

Important! If you want to enable team members who do not have an account to request

access to Fortify Software Security Center, you must enable and configure the email service

settings.

1. Log in to Fortify Software Security Center as an administrator, and then, on the Fortify

header, select ADMINISTRATION.

2. In the left pane, select Configuration, and then select Email.

3. On the Email page, configure the email service attribute settings described in the following

table.

Field

Description

Enable email

Select this check box to enable Fortify Software Security Center

to send email messages of all types and to add the "Can't access

or need an account?" link to the login dialog box.

This check box is cleared by default.

From email address

Default encoding of

Type the email address that Fortify Software Security Center

uses to identify emails sent from Fortify Software Security

Center.

For example, fortifyserver@example.com.

Type the encoding method to be used for the email content.

Fortify Software Security Center (23.1.0)

Page 96 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Field

Description

the email content

SMTP server

The default value is UTF-8.

Type the fully-qualified domain name for the SMTP server.

For example, mail.example.com.

SMTP server port

Type the port number for the SMTP server.

The default value is 25.

SMTP username

SMTP password

If authentication is required on the SMTP server, type the SMTP

username.

If authentication is required on the SMTP server, type the SMTP

password.

Secure email server

connection

Select this check box if you want to configure security for your

email server connection.

Enable SSL/TLS

encryption

If you selected the Secure email server connection check box,

then, from this list, select one of the following:

l

(Optional) If the SMTP server supports it, select STARTTLS

to upgrade to a TLS/SSL-encrypted SMTP connection.

l

Select SSL/TLS Encryption to enable SSL/TLS encryption

when connecting to the SMTP server.

l

Select Force STARTTLS to require an upgrade to TLS/SSL-

encrypted SMTP connection. If the SMTP server does not

support it, the connection will fail.

Trust the certificate

provided by the

SMTP server

Select this check box to trust the certificate that the

SMTP server provides by skipping certificate validation.

Caution! For security reasons, Fortify recommends that you

leave this check box cleared.

4. Click SAVE.

Fortify Software Security Center (23.1.0)

Page 97 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Enabling and Disabling Receipt of Email Alerts

To enable or disable the receipt of email alerts:

1. Log in to Fortify Software Security Center as an administrator.

2. At the right end of the Fortify header, click the user profile icon, and then select

Preferences.

3. In the PREFERENCES dialog box, do one of the following:

l

To disable the receipt of email alerts, clear the Receive email alerts from Software

Security Center check box.

l

To enable the receipt of email alerts, select the Receive email alerts from Software

Fortify Software Security Center (23.1.0)

Page 98 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Security Center check box.

4. Click SAVE.

"Alert Definitions" on page 289

"Creating Alerts" on page 290

"Deleting Alerts" on page 293

Setting the Strategy for Resolving Issue Audit Conflicts

If multiple auditors are working on the same issue using different products (Fortify Software

Security Center, Audit Workbench, or an IDE plugin), they might assign different values to a

given custom tag. Previously, if Fortify Software Security Center detected an audit conflict such

as this, it ignored all client-side changes and resolved the conflict in favor of the existing custom

tag value on Fortify Software Security Center.

Note: Conflict resolution is not necessary if these auditors work within the same Fortify

Software Security Center instance.

Example of the default strategy for resolving audit conflicts:

Audit Workbench users A and B are both auditing the most recent scan results for the same

application version.

User A sets custom tag values for the issues uncovered and uploads the results to Fortify

Software Security Center.

Fortify Software Security Center accepts the upload and changes the custom tag values for

the issues based on the values that user A set for them. Now, the tag values user A set are

the current custom tag values for these issues on Fortify Software Security Center.

On a different Audit Workbench instance, user B sets custom tag values for the same issues

that user A audited and uploads the results to Fortify Software Security Center. Fortify

Software Security Center detects that one or more of the custom tag values that B

submitted conflict with the values that user A submitted for the same issues.

Result: Fortify Software Security Center ignores the audit results from user B and retains

the values set by user A.

Fortify Software Security Center applies this strategy across all application versions.

You can change this strategy so that Fortify Software Security Center resolves audit conflicts in

favor of the most recent changes.

Note: To perform this task, you must have the "Manage issue audit settings" permission.

Fortify Software Security Center (23.1.0)

Page 99 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

To set the strategy Fortify Software Security Center uses to resolve audit conflicts:

1. Log in to Fortify Software Security Center as an administrator.

2. On the Fortify header, select ADMINISTRATION.

3. In the left pane, select Configuration, and then select Issue Audit.

The ISSUE AUDIT page opens.

4. From the Issue audit conflict resolving strategy list, select one of the following:

l

Conflicts are resolved in favor of the SSC changes (the default)

l

Conflicts are resolved in favor of the most recent changes

5. Click SAVE.

After you change the setting, the new strategy is applied only to new uploads. All previous

conflict resolution results remain unchanged.

Configuring Java Message Service Settings

If you want to publish system events to the Java Message Service (JMS), configure the

JMS settings in the Configuration category in the Fortify Software Security Center

ADMINISTRATION view.

To configure JMS settings:

1. On the Fortify header, select ADMINISTRATION.

2. In the left pane of the ADMINISTRATION view, select Configuration, and then select JMS.

3. On the JMS page, configure the settings as described in the following table.

Field

Description

Publish system events Select this check box to publish system events to JMS.

to JMS

JMS server URL

Type the URL for the JMS server.

For example, tcp://123.0.1.2:12345.

Include username in

JMS body

Select this check box to include the user name in the body of

the JMS message.

This check box is selected by default.

JMS topic

Type the JMS message topic.

The default value is Fortify.Advisory.EventNotification.

Fortify Software Security Center (23.1.0)

Page 100 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

4. Click SAVE.

5. To implement your changes, restart Tomcat Server.

About Fortify Software Security Center User Authentication

By default, when a user logs on to Fortify Software Security Center or uses a Fortify client to

upload Fortify project results files (FPRs), Fortify Software Security Center uses its database to

authenticate the user, and then binds the authenticated user to the user's assigned user role

(Administrator, Security Lead, Developer, and so on).

Database-only authentication imposes a separate administrative process for creating and

managing Fortify Software Security Center user accounts and roles. You can augment the

Fortify Software Security Center default database-only authentication using LDAP or an SCIM

2.0 API client. For Information about LDAP user authentication, see "LDAP User Authentication"

below. For Information about SCIM 2.0 user provisioning, see "Imple mentation of SCIM 2.0

Protoc ol" on page 120.

LDAP User Authentication

The topics in this section provide information about user authentication in Fortify Software

Security Center and configuring LDAP authentication and LDAP server options.

Important! Fortify recommends that, before you configure LDAP servers, you create at

least one local administrator account in case you encounter problems with your

LDAP server at some point.

Important! Although Fortify supports the use of multiple LDAP servers, it does not support

the use of multiple LDAP servers behind a load balancer, unless those servers are identical.

Note: For information about how to manage LDAP entities and user roles in Fortify

Software Security Center, see "Registering LDAP Entities" on page 115 and "About

Managing LDAP User Roles" o n page 172 .

Preparing to Configure LDAP Authentication

Before you configure Fortify Software Security Center to use LDAP authentication, complete the

following tasks:

1. Download an LDAP management application.

If you are not familiar with the LDAP schema that your LDAP server uses, you can use a

third-party LDAP management application such as JXplorer to view and modify LDAP

authentication directories. (You can download JXplorer for free under a standard OSI-style

open source license from http://www.jxplorer.org.)

Fortify Software Security Center (23.1.0)

Page 101 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

2. Create an LDAP account for Fortify Software Security Center to use.

Note: For information about how to configure the primary source for looking up users,

see "Configuring Core Settings" on page 92.

Important! Never use a user account name to provide Fortify Software Security Center

access to an LDAP server.

3. Check for conflicts between account names.

If the LDAP directory contains the default Fortify Software Security Center account admin,

a conflict occurs that can disable both accounts. If an existing Fortify Software Security

Center account has the same name as an account defined for the LDAP server, Fortify

Software Security Center account settings and attributes take precedence over those

stored on the LDAP server.

Note: Fortify recommends that no user names in the Fortify Software Security Center

be duplicated on an LDAP server.

4. Gather and record required Information.

5. Fortify recommends that you disable the referrals feature. See "About the LDAP Server

Referrals Feature" on the next page and "Disabling LDAP Refe rrals Support" on page 10 4.

Requirements for Multiple LDAP Servers

If you plan to use more than one LDAP server, the following requirements apply:

l

Usernames must be unique across all of the LDAP servers:

Fortify strongly recommends that usernames be unique across all LDAP configurations.

Fortify Software Security Center searches for users based on the usernameAttribute specified

for a given LDAP server configuration. Because the searches are performed across all the

servers, it is important that the searches return just a single result. Be sure to use username

attributes that result in unique search hits across all your configured LDAP servers. For

example, if you use multiple Active Directories, it may make sense to use

userPrincipalName as the username attribute in your configurations instead of the default

sAMAccountName, which may not be unique across AD servers.

If this requirement is not satisfied…

In some circumstances, it may be difficult for administrators to avoid duplicate usernames. If

Fortify Software Security Center finds a given username in more than one LDAP server

during login, it tries to resolve this by using the password with all instances of the username,

and then uses the instance that the password authenticates first. In most cases, a user with a

non-unique username can successfully log in to Fortify Software Security Center and access

most of the user interface functionality. However, some functionality, including report

generation, token-based authentication, and DAST integration, is not supported for such

users.

l

Separate LDAP server configurations must manage completely independent

namespaces (trees)

Fortify Software Security Center (23.1.0)

Page 102 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

This requirement ensures unique lookup of LDAP DNs by Fortify Software Security Center.

The simplest (and recommended) way to achieve this is to ensure that none of the configured

baseDNs is a suffix of any of the others.

In more complex cases, it may be possible to delegate a subtree to be managed by a second

LDAP server configuration. In that case, however, all transitive DN references (for example,

group member DNs) must also be managed by the second LDAP server. For example, if you

have one LDAP server configuration with the base DN DC=acme,DC=com, but the

OU=org,DC=acme,DC=com subtree is managed by another LDAP server, you can set up a

second LDAP configuration to manage just the OU=org,DC=acme,DC=com LDAP subtree.

But you must ensure that none of the LDAP objects registered in Fortify Software Security

Center from the first LDAP server reference (directly or transitively) the

OU=org,DC=acme,DC=com subtree, and vice versa.

If this requirement is not satisfied…

If an LDAP object DN matches the base DN of more than one LDAP server, Fortify Software

Security Center performs a lookup against the LDAP server whose base DN best matches

match the given LDAP object DN. This may lead to Fortify Software Security Center using the

data of unintended LDAP object in processing and result in unexpected behavior.

About the LDAP Server Referrals Feature

Some LDAP servers use a special feature called referrals. A referral is an entity that contains the

names and locations of other objects. A referral is used to redirect a client request to another

server. It is sent by the server to indicate that the information that the client has requested can

be found at another location (or locations), possibly at another server or several servers.

If Fortify Software Security Center requests an LDAP object and this object is a referral, Fortify

Software Security Center must request additional information about the LDAP object from

another server, the address of which is returned in the REF object attribute. These additional

requests can decrease LDAP communication speed. Even if the LDAP server does not use the

referrals feature, additional operations that support referrals are performed.

If referrals are not used on your LDAP server, Fortify recommends that you disable referrals

support in the LDAP library. Disabling this option on the Fortify Software Security Center server

side makes Fortify Software Security Center-to-LDAP communication much faster. For

instructions, see "Disabling LDAP Referrals Support" on the next page.

Note: For a complete description of referrals, go to

http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/overview.html.

Fortify Software Security Center (23.1.0)

Page 103 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Disabling LDAP Referrals Support

To disable referrals support:

1. On the Fortify header, click ADMINISTRATION.

2. In the left pane, select Configuration, and then select LDAP Servers.

3. On the LDAP servers page, click the LDAP server connection for which you want to disable

referrals support.

The row expands to reveal details about the LDAP server.

4. Click EDIT.

5. Scroll down to the ADVANCED INTEGRATION PROPERTIES section.

6. From the LDAP referrals processing strategy list, select ignore.

7. Click SAVE.

Configuring LDAP Servers

The following procedure describes how to configure an LDAP authentication server for use with

Fortify Software Security Center.

Important! Before you configure the properties on the LDAP page, you must prepare for

LDAP authentication as described in "LDAP User Authentication" on page 101. That section

includes requirements and recommendations for configuring multiple LDAP servers.

Important! Fortify recommends that you maintain a couple of local administrator accounts

in case you encounter problems with your LDAP server at some point.

To configure an LDAP server connection for Fortify Software Security Center:

1. On the Fortify header, click ADMINISTRATION.

2. In the navigation pane on the left, select Configuration, and then select LDAP Servers.

3. On the Integration with LDAP servers page, click NEW.

4. In the CREATE NEW LDAP CONFIGURATION dialog box, configure the attributes

described in the following table.

Field

Description

BASIC SERVER PROPERTIES

Enable this LDAP configuration

Select this check box to make this LDAP server

available for Fortify Software Security Center

to use.

Server name

Type a unique name for this server.

Fortify Software Security Center (23.1.0)

Page 104 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Field

Important! If you configure

Description

multiple LDAP servers, make

sure that you specify a unique

server name for each.

Server URL (ldap://<host>:<port>)

Type the LDAP authentication server URL.

If you use unsecured LDAP, enter the URL in

the following format:

ldap://<hostname>:<port>

If you specify an ldap:// protocol, and either

the SSL trust check or the Hostname

validation check box is selected, StartTLS is

used to connect to the LDAP server.

Otherwise, an unencrypted connection is used.

If you use secured LDAPS, enter the URL in

the following format:

ldaps://<hostname>:<port>

LDAPS ensures that only encrypted user

credentials are transmitted.

Base DN

Type the Base Distinguished Name (DN) for

LDAP directory structure searches.

Important! If you

For example, the Base DN for

configure more than one

LDAP server for Fortify

Software Security Center,

then you must set a

unique Base DN for each

of them.

companyName.com is

dc=companyName,dc=com.

All DN values are case-sensitive, must not

contain extra spaces, and must exactly match

LDAP server entries.

If you specify no value, Fortify Software

Security Center searches from the root of

LDAP objects tree. With multiple LDAP

servers, the Base DN must be unique for each.

If the Base DN for one server is empty, it

cannot be empty for another LDAP server.

Fortify Software Security Center (23.1.0)

Page 105 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Field

Description

Bind user DN

Type the full distinguished name (DN) of the

account Fortify Software Security Center uses

to connect to the authentication server.

The general format for an account specifier is:

cn=<accountName>,

ou=users,dc=<domainName>,dc=com

where <accountName> represents the

minimum privilege, read-only authentication

server account you created for exclusive use

by Fortify Software Security Center.

Caution! For security reasons, never

use a real user account name in a

production environment.

If you use Active Directory, specify the domain

name and username in the following format:

<domain_name>\<username>

Bind user password

Type the password for the Bind User DN

account.

Show password

Select this check box to show entered

passwords.

Relative search DNs (1 per line)

(Optional) Type the Relative Distinguished

Name (RDN). An RDN defines the starting

point from the Base DN for LDAP directory

searches. Fortify recommends that you search

from the base DN. However, if your LDAP

directory is so large that searching for Fortify

Software Security Center users takes too long,

use an RDN to limit the number of LDAP

entries searched. You can also use an RDN to

hide some part of the LDAP tree from Fortify

Software Security Center for security reasons.

Fortify Software Security Center (23.1.0)

Page 106 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Field

Description

Example: To search within the base DN

companyName.com and all entries under that

base DN, specify the following to recursively

search all entries under that path:

cn=users

or

cn=users,ou=divisionName

Ignore partial result exception

To avoid search failures when search results

include more records than the LDAP server

can return, leave this check box selected.

You can also enable this flag to hide LDAP

server misconfiguration. For example, if the

LDAP server limits the number of query results

to 500, but there are 600 actual results, with

this flag enabled, Fortify Software Security

Center silently returns only 500 records.

LDAP server type

From this list, select the type of LDAP server

you are connecting with Fortify Software

Security Center (either ACTIVE_DIRECTORY

or OTHER).

SECURITY

SSL trust check

If the domain controller is enabled for SSL,

leave this check box selected to verify that the

certificate presented by the LDAP server was

issued by a trusted authority. If the domain

controller is not configured for SSL, clear this

check box.

Hostname validation

If the domain controller is enabled for SSL,

leave this check box selected to ensure that

the LDAP server hostname matches the

hostname for which the certificate was issued.

If the domain controller is not configured for

Fortify Software Security Center (23.1.0)

Page 107 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Field

Description

SSL, clear this check box.

Enable user status mapping

(Microsoft Active Directory only) Select this

check box to enable Fortify Software Security

Center to retrieve status information for users

on this LDAP server. The information is used

for enhanced authentication checks during

token-based and SSO-based authentication

schemes.

BASE SCHEMA

Object class attribute

Type the class of the object. For example, if

this is set to objectClass, Fortify Software

Security Center looks at the objectClass

attribute to determine the entity type to

search. The default value is objectClass.

Organizational unit class

User class

Type the object class that defines an LDAP

object as an organizational unit. The default

value is container.

Type the object class that identifies an LDAP

object type as a user. The default value is

organizationalPerson.

Organizational unit name attribute

Group class

Type the group attribute that specifies the

organizational unit name. The default value is

cn.

Type the object class that identifies an LDAP

object type as a group. The default value is

group.

Distinguished name (DN) attribute

Type the value that determines the attribute

Fortify Software Security Center looks at to

find the distinguished name of the entity. The

default value is distinguishedName.

Fortify Software Security Center (23.1.0)

Page 108 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Field

Description

USER LOOKUP SCHEMA

User firstname attribute

Type the user object attribute that specifies a

user’s first name.

The default value is givenName.

User lastname attribute

Group name attribute

Type the user object attribute that specifies a

user’s last name.

The default value is sn.

Type the group attribute that specifies the

group name.

The default value is cn.

User username attribute

User password attribute

Group member attribute

Type the user object attribute that specifies a

username. The default value is

sAMAccountName.

Type the user object attribute that specifies a

user’s password. The default value is

userPassword.

Type the group attribute that defines the

members of the group. The default value is

member.

User email attribute

Type the user object attribute that specifies a

user’s email address. The default value is mail.

User memberOf attribute

Type the name of an LDAP attribute that

includes the LDAP group names for LDAP

users.

USER PHOTO

User photo enabled

Select this check box to enable the retrieval of

user photos from the LDAP server.

User thumbnail photo attribute

The thumbnailPhoto attribute for Active

Fortify Software Security Center (23.1.0)

Page 109 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Field

Description

"Importing an LDAP Server Configuration" on the next page

"Registering LDAP Entities" on page 115

"Deleting an LDAP Server Configuration" on the next page

Editing an LDAP Server Configuration

To edit an LDAP server connection:

1. On the Fortify header, click ADMINISTRATION.

2. In the left pane, select Configuration, and then select LDAP Servers.

3. On the Integration with LDAP servers page, click the LDAP server connection that you

want to edit.

The row expands to reveal the LDAP server details.

Fortify Software Security Center (23.1.0)

Page 113 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

4. Click EDIT.

5. Make all necessary changes to the attributes described in "Configuring LDAP Servers" on

page 104.

6. To check the validity of the configuration, click VALIDATE CONNECTION.

7. To save the configuration after successful validation, click SAVE.

Deleting an LDAP Server Configuration

If multiple LDAP servers are configured for your Fortify Software Security Center instance, you

can delete any of these, except for the default server, which you can only disable.

To delete an LDAP server connection:

1. On the Fortify header, click ADMINISTRATION.

2. In the left pane, select Configuration, and then select LDAP Servers.

3. Do one of the following:

l

On the Integration with LDAP Servers page, select the check box for the LDAP server

that you want to delete, and then, on the LDAP Servers toolbar, click DELETE.

Alternatively,

l

On the Integration with LDAP Servers page, click the LDAP server connection that you

want to delete, and then, at the lower right of the expanded server details section, click

DELETE.

The DELETE LDAP CONFIGURATION dialog box prompts you to confirm that you want to

proceed with the deletion.

4. Click OK.

5. To force all LDAP users to re-authenticate, restart the Fortify Software Security

Center server.

See Also

"Registering LDAP Entities" on the next page

"Registering LDAP Entities" below

Importing an LDAP Server Configuration

As part of upgrading a Fortify Software Security Center instance, you must import your existing

LDAP configuration.

Fortify Software Security Center (23.1.0)

Page 114 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

To import your legacy LDAP server configuration:

1. On the Fortify header, click ADMINISTRATION.

2. In the left pane, select Configuration, and then scroll down and select LDAP Servers.

3. On the LDAP Servers header, click IMPORT.

4. In the IMPORT LEGACY LDAP CONFIGURATION dialog box, manually copy the content of

your legacy ldap.properties file for the LDAP configuration to import, and paste it into

the text box.

If Fortify Software Security Center detects problems with the copied content, it displays an

error message and a link to click for more information.

Note: The encoded Bind User DN (ldap.user.dn) and Bind User Password

(ldap.user.password) values are not imported. You must enter these manually (see

"Configuring LDAP Servers" on page 104).

5. Correct any problems, and then click NEXT.

6. Configure the attributes described in the table in step 4 in "Configuring LDAP Servers" on

page 104.

7. To check the validity of the configuration, click VALIDATE CONNECTION.

8. To check the validity of and save the configuration, click SAVE.

See Also

Registering LDAP Entities

Users who have Administrator-level accounts can add LDAP groups, organizational units, and

users to the list of Fortify Software Security Center users. Fortify Software Security Center

automatically updates access control as users join and leave groups.

To register an LDAP organizational unit, group, or user with Fortify Software Security Center:

1. Log in to Fortify Software Security Center as an Administrator, and then, on the Fortify

header, click ADMINISTRATION.

2. In the left pane, click Users, and then select LDAP Entities.

3. On the LDAP toolbar, click +ADD.

Fortify Software Security Center (23.1.0)

Page 115 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

4. In the ADD NEW LDAP ENTITY window, from the LDAP Entity list, select the type of LDAP

entity you want to register (Group, User, or Organizational Unit).

5. In the list of returned entities, select the user, group, or organizational unit that you want to

register.

6. In the Roles section, select the check boxes that correspond to the roles you want to assign

to the selected entity.

7. To provide the LDAP entity access to versions of an application, in the Access section, do

the following.

Note: You can add versions for multiple applications, but you must add them one at a

time using the following steps.

Fortify Software Security Center (23.1.0)

Page 116 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

a. Click + ADD.

b. From the Application list in the SELECT APPLICATION VERSION dialog box , select

the name of an application that you want the LDAP entity to access.

Fortify Software Security Center lists all active versions of the application.

c. To display inactive versions of the application, select the Show inactive versions

check box.

d. Select the check boxes for all of the versions that you want the entity to access.

e. Click DONE.

The Access section lists the application versions you selected.

8. Do one of the following:

l

To save your changes and close the Add New LDAP Entity dialog box, click SAVE.

l

To save your changes and register another LDAP entity, click SAVE AND ADD

ANOTHER.

Fortify Software Security Center adds the entities to its list of users.

Fortify Software Security Center periodically refreshes the LDAP server cache

automatically.

For information about how to configure LDAP servers, see "Configuring LDAP Servers" on

page 104.

See Also

Refreshing LDAP Entities Manually

Fortify Software Security Center periodically refreshes the LDAP server cache automatically. If

you make changes to an LDAP entity, you can initiate the LDAP refresh process manually so

that your changes are evident sooner than they would be otherwise.

To initiate the LDAP refresh process manually:

1. Log in to Fortify Software Security Center as an Administrator, and then, on the Fortify

header, click ADMINISTRATION.

2. In the left pane, select Users, and then select LDAP Entities.

3. In the list of LDAP entities, select the check box for the LDAP entity to refresh.

4. On the LDAP toolbar, click REFRESH.

For information about how to configure LDAP servers, see "Configuring LDAP Servers" on

page 104.

See Also

"Registering LDAP Entities" on page 115

Fortify Software Security Center (23.1.0)

Page 117 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

"Configuring LDAP Servers" on page 104

Handling LDAP Entries Marked "Invalid"

If a registered LDAP entity is no longer present in the LDAP server and you no longer need it in

Fortify Software Security Center, remove it from the entities list. Alternatively, if the

distinguished name of the LDAP entity was changed, you can update the DN value in Fortify

Software Security Center to reflect that.

Note: The following steps apply to LDAP groups and organizational units, as well as to

individual users.

To update the DN value for an LDAP entity:

1. On the Fortify header, select ADMINISTRATION.

2. In the left pane, select Users, and then select LDAP Entities.

3. Select the row for the entity you need to modify, and then click EDIT.

4. Click UPDATE DISTINGUISHED NAME. (This button is visible only if the current DN is

invalid.)

5. In the UPDATE DISTINGUISHED NAME dialog box, select the now invalid value in the

Distinguished name field, and replace it with the updated distinguished name.

6. Click SAVE.

See Also

Enabling Persistence of the LDAP Cache

By default, an LDAP cache is only in memory and is lost during server shutdown. If your

organization has a large volume of LDAP users, the loss of the LDAP cache can significantly

slow the next server startup.

Note: If your organization has a large volume of LDAP users, the next server startup may

take a significant amount of time because the cache must be rebuilt.

To enable the LDAP cache to persist after server shutdown:

1. Shut down Fortify Software Security Center.

2.

Navigate to the <fortify.home>/<app_context>/conf directory and open the

app.properties file in a text editor.

3.

4.

Set the ldap.cache.persistence.enabled property to true.

Save and close your app.properties file.

5. Restart Fortify Software Security Center.

Fortify Software Security Center (23.1.0)

Page 118 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Changing the Default Cache Refresh Interval

The default cache refresh interval is one hour. If large LDAP groups are registered with Fortify

Software Security Center, a frequent cache refresh can place an extra load on Fortify Software

Security Center and the LDAP server and thereby affect performance. To reduce the impact,

you can increase the interval, as follows:

1. Shut down Fortify Software Security Center.

2.

Navigate to the <fortify.home>/<app_context>/conf directory and open the

app.properties file in a text editor.

3. Add the following line:

ldap.cache.refresh.interval.hours=<whole number value between 1 and 12>

4. Restart Fortify Software Security Center.

Fortify Software Security Center (23.1.0)

Page 119 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Implementation of SCIM 2.0 Protocol

When you enable System for Cross-domain Identity Management (SCIM) in Fortify Software

Security Center, a SCIM 2.0 API client pushes users and groups to Fortify Software Security

Center via the SCIM 2.0 protocol for provisioning and managing identity data. So, you do not

have to go through the Fortify Software Security Center ADMINISTRATION view to add users.

Instead, you configure users and groups from the SCIM 2.0 API client.

Note: You can integrate with any SCIM 2.0 API client. However, if you do, you must test its

interoperability with Fortify Software Security Center independently. For now, only Azure

AD integration is officially supported.

Because users provisioned using the SCIM API are externally managed and single sign-on users

only, the following apply:

l

You can only assign roles and application versions to externally managed users from Fortify

Software Security Center.

l

Users can only log in using SSO.

l

If a username created locally (ADMINISTRATION > Users > Local Users) already exists in

Fortify Software Security Center, a user with the same username cannot be provisioned using

SCIM. Users created from the ADMINISTRATION view are read-only for SCIM provisioning.

Supported SCIM Resources

Fortify Software Security Center supports the following SCIM resources:

l

User (urn:ietf:params:scim:schemas:core:2.0:User schema)

Fortify Software Security Center accepts all standard attributes of the User Schema, but

stores only a subset of these (see "User Attribute Mappings" below). Also accepts Enterprise

User extension attributes

(urn:ietf:params:scim:schemas:extension:enterprise:2.0:User schema) but

does not store them.

l

Group (urn:ietf:params:scim:schemas:core:2.0:Group schema)

Fortify Software Security Center accepts all standard attributes from the Group Schema, but

stores only a subset of these (see "Group Attribute Mappings" on the next page).

Optional features supported:

l

Resource filtering (RFC 7644 - 3.4.2.2 Filtering)

l

PATCH operations (RFC 7644 - 3.5.2 - Modifying with PATCH)

User Attribute Mappings

The following table shows how SCIM user attributes map to Fortify Software Security Center

user attributes.

Fortify Software Security Center (23.1.0)

Page 120 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

SCIM User Attribute

meta.created

meta.lastModified

id

SSC User Attribute

created

Comment

Read-only

lastModified

N/A

Read-only

Read-only, Unique, Opaque

Unique, Required

userName

active

suspended (not)

The Suspended option in

Fortify Software Security

Center is set accordingly.

name.givenName

firstName

lastName

email

name.familyName

emails[type="work"].value

Group Attribute Mappings

The following table shows how SCIM group attributes map to Fortify Software Security Center

group attributes.

SCIM Group Attribute

meta.created

meta.lastModified

id

SSC Group Attribute

Comment

created

lastModified

N/A

Read-only

Read-only, Unique, Opaque

Required

displayName

members

name

N/A

Must reference existing

users and / or groups

the next page

"Configuring Fortify Software Security Center to Work with SAML 2.0-Compliant Single Sign-On"

on page 141

Fortify Software Security Center (23.1.0)

Page 121 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Using SCIM 2.0 and SAML 2.0 to Configure a Connection to Azure AD for User Provisioning

You can use the System for Cross-domain Identity Management (SCIM) protocol to provision

Fortify Software Security Center with user accounts from Azure Active Directory (Azure AD).

The following table lists the tasks required to use this feature, in the order in which they must

be performed.

Task

For Details

Enable SCIM from Fortify Software Security

Center.

"Enabling SCIM for Provisioning of

Externally Managed Users and Groups"

on page 125

In Microsoft Azure, go to Azure Active Directory

and create an enterprise application.

Microsoft Azure documentation

Note: When Azure AD prompts you

to indicate what you want to do

with the new application, select the

Integrate any other application you

don't find in the gallery (Non-

gallery) option.

From Azure, assign users and groups to the new

application.

Microsoft Azure documentation

From Azure, provision the application.

Note the following:

Microsoft Azure documentation

SCIM for Provisioning of Externally Managed

l

Set Provisioning Mode to Automatic.

l

Use the SSC URL for the Tenant URL value, and

append to it the following string:

/api/scim/v2?aadOptscim062020

Note: /api/scim/v2 is the URL for the

SSC SCIM endpoint. The

aadOptscim062020 query parameter

improves Azure AD compliance with SCIM

v2.0.

Fortify Software Security Center (23.1.0)

Page 122 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Task

For Details

l

For the Secret Token value, use the token you

created in SSC (SCIM Token - see "Enabling

Users and Groups" on page 125 .)

From Azure AD, change the attribute mappings for Microsoft Azure documentation

data flow between Azure AD and Fortify Software (https://docs.microsoft.com/en-

Security Center.

Delete all but the following attributes for your

users (for groups, you change no attribute

mappings):

l

userName

l

active

l

emails[type eg "work"].value

l

name.givenName

l

name.familyName

l

externalID

Make sure that you move the Provisioning Status

toggle to On.

l

Azure AD SAML metadata is signed. For Fortify

Software Security Center to successfully verify the

signature, you must download the SAML signing

certificate from Azure and import it into the

keystore to be used in the SSO SAML

Microsoft Azure Active Directory

documentation

"Configuring Fortify Software

l

configuration (SAML keystore location).

Security Center to Work with SAML

2.0-Compliant Single Sign-On" on

page 141

In Azure, navigate to the created enterprise

application. On the SAML-based Sign-on page,

download the signing certificate, and then import

it into the keystore.

Set up SAML single sign-on from Fortify Software "Configuring Fortify Software Security

Fortify Software Security Center (23.1.0)

Page 123 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Task

For Details

Security Center.

Center to Work with SAML 2.0-

Compliant Single Sign-On" on page 141

Acquire the metadata XML file from Fortify

Software Security Center and save it locally. This

file can be accessed only if SAML SSO is enabled in

Fortify Software Security Center and successfully

initialized.

<ssc_

hostname

>:<

port>/<context>/saml/metadata

In Azure, upload the saved metadata file, and then Microsoft Azure documentation

complete the SAML single sign-on setup using

data from the uploaded metadata file.

"Implementation of SCIM 2.0 Protocol" on page 120

From Fortify Software Security Center, assign roles "Viewing Externally Managed Users and

and application versions to externally managed

users and groups.

Groups" on page 216

Fortify Software Security Center (23.1.0)

Page 124 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Enabling SCIM for Provisioning of Externally Managed Users and Groups

To enable SCIM for provisioning of externally-managed users and groups:

1. Log in to Fortify Software Security Center as an administrator, and then, on the Fortify

header, click ADMINISTRATION.

2. In the left pane of the ADMINISTRATION view, select Configuration, and then scroll to and

select SCIM.

3. Select the Enable SCIM check box.

4. In the SCIM Token box, enter the SCIM token you want to use as a bearer token to

authenticate with the Fortify Software Security Center SCIM API. (Use that token as a

Secret Token in Azure AD when you configure the connection between Fortify Software

Security Center and Azure AD.)

Important! The token can include upper and lower case letters, numbers, hyphens and

underscores. The token must contain at least 32 characters, and no more than 512

characters. Because the token allows access to user management in Fortify Software

Security Center, it must be protected. Fortify recommends that you use a secure

random string generator to generate the token.

5. Click SAVE.

on page 141

"Viewing Externally Managed Users and Groups" on page 216

Configuring a Proxy for Fortify Software Security Center Integrations

You can configure a single proxy for use with all HTTP(s) protocol-based integrations with

Fortify Software Security Center. Once you configure the proxy, you can then enable its use

(select the Use SSC proxy for... check box) for components such as Audit Assistant

("Configuring Audit Assistant" on page 84), the Rulepack update URL ("Configuring Core

Settings" on page 92 ), and bug tracker plugins ("Assigning a Bug Trac king System to an

Application Version" on page 246).

To configure a single proxy for use with all HTTP(s) protocol-based Fortify Software Security

Center integrations:

1. On the Fortify header, select ADMINISTRATION.

2. In the left pane, select Configuration, and then select Proxy.

On the Proxy page, provide values for the settings described in the following table.

Fortify Software Security Center (23.1.0)

Page 125 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Setting

Description

Enable SSC proxy Select this check box to enable proxy use.

HTTP proxy

HTTP proxy host Type the name of an HTTP proxy host (without a protocol part and

port number) For example, some.proxy.com.

HTTP proxy port Type the HTTP proxy port number.

HTTP proxy user If HTTP authentication is required, type a user name.

HTTP proxy

password

If HTTP authentication is required, type a password.

HTTPS proxy

Set up a different Select this check box to enable the use of a different secure proxy

HTTPS proxy

for HTTPS requests.

HTTPS proxy

host

Type the name of an HTTPS proxy host (without a protocol part

and port number). For example, some.secureproxy.com.

HTTPS proxy

port

Type the HTTPS proxy port number.

HTTPS proxy

user

If HTTPS authentication is required, type a user name.

If HTTPS authentication is required, type a password.

HTTPS proxy

password

3. Click SAVE.

Fortify Software Security Center displays a message at the upper right to indicate that the

proxy configuration was successful.

"Configuring Core Settings" on page 92

"Assigning a Bug Tracking System to an Application Version" on page 246

Fortify Software Security Center (23.1.0)

Page 126 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Configuring ScanCentral SAST Monitoring in Fortify Software Security Center

With Fortify ScanCentral SAST, Fortify Static Code Analyzer users can maximize their resource

use by offloading the processor-intensive scanning phase to a dedicated Fortify Static Code

Analyzer scan farm. You can monitor ScanCentral SAST and display its results in Fortify

Software Security Center. You can also create and manage ScanCentral SAST sensor pools. To

enable this functionality, you must configure the integration in Fortify Software Security Center.

Note: For information about how to install, configure, and use Fortify ScanCentral SAST to

streamline the static code analysis process, see the Fortify ScanCentral SAST Installation,

Configuration, and Usage Guide.

To configure the integration between Fortify Software Security Center and ScanCentral SAST:

1. Log in to Fortify Software Security Center as an administrator, and then, on the Fortify

header, click ADMINISTRATION.

2. In the left pane of the ADMINISTRATION view, select Configuration, and then select

ScanCentral SAST.

3. On the ScanCentral SAST page, select the Enable ScanCentral SAST check box.

4. In the ScanCentral Controller URL box, type the URL for your ScanCentral

SAST Controller.

Important! The Controller must be the same or later version as Fortify Software

Security Center.

5. In the ScanCentral poll period (seconds) box, type the number of seconds to elapse

between sessions of data polling from ScanCentral SAST.

6. In the SSC and ScanCentral controller shared secret box, type the shared secret key

(unencrypted) for Fortify Software Security Center to use to request data from the

Controller. (If you use clear text, this string must match the value stored in the Controller

config.properties file for the ssc_scancentral_ctrl_secret key.)

The Controller verifies the shared secret key when requested for administration console

data.

7. Click SAVE.

8. Restart the Fortify Software Security Center server.

"Viewing ScanCentral Controller Information" on page 370

"About ScanCentral SAST Sensor Pools" on page 373

"Creating ScanCentral SAST Sensor Pools" on page 374

Fortify Software Security Center (23.1.0)

Page 127 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Enabling the Running and Management of ScanCentral DAST Scans from

Fortify Software Security Center

Fortify ScanCentral DAST is a dynamic application security testing tool that consists of the

Fortify WebInspect sensor service and other supporting technologies that you can use in

conjunction with Fortify Software Security Center.

To enable the running and management of ScanCentral DAST dynamic scans:

1. Log in to Fortify Software Security Center as an administrator, and then, on the Fortify

header, click ADMINISTRATION.

2. In the left pane of the ADMINISTRATION view, select Configuration, and then select

ScanCentral DAST.

3. On the ScanCentral DAST page, select the Enable ScanCentral DAST check box.

4. In the ScanCentral DAST server URL box, enter the URL for your ScanCentral DAST

server.

The ScanCentral DAST server URL should resemble one of the following:

http://<DAST_API_Hostname>:<Port>/api/

http://<DAST_API_IP_Address>:<Port>/api/

You can use the https protocol instead.

Important! Make sure that you include the trailing /api/ in the URL.

5. Click SAVE.

For information about how to perform the following tasks, see the ScanCentral DAST

Configuration and Usage Guide:

l

Manage ScanCentral DAST pools and sensors

l

Create, run, change, and delete ScanCentral DAST scans, schedules, and settings

Configuring Job Scheduler Settings

You configure the Fortify Software Security Center job scheduler from the Configuration

section of the ADMINISTRATION view.

To configure job scheduler settings:

1. On the Fortify header, select ADMINISTRATION.

2. In the left pane, select Configuration > Scheduler.

3. On the Scheduler page, configure the settings as described in the following table.

Field

Description

Number of days

The number of days after which finished jobs are removed from

Fortify Software Security Center.

Fortify Software Security Center (23.1.0)

Page 128 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Field

Description

after which

The default value is 1 (day).

executed jobs are

removed

Canceled jobs are removed daily.

Job execution

strategy

Select the job execution strategy to use. Options are as follows:

l

Conservative: Default strategy balancing job concurrency,

throughput and job stability. This job execution strategy works

as follows:

o

Some jobs, such as delete jobs, are considered low

concurrency, or exclusive jobs. Only one such exclusive job

can run at a time. (Running an exclusive job reduces running

jobs to 60 percent of configured capacity.)

o

At most, ${job.numberOfConcurrentReports} report jobs

can run concurrently.

o

At most, ${numberOfConcurrentExclusiveJobs}

exclusive jobs can run concurrently. (The default is 1.)

o

At most, ${jobs.threadCount} jobs can run at the same

time. Of that number,

${job.numberOfDedicatedDataExports} threads are

reserved for comma-separated values (CSV) file export jobs.

Other jobs cannot use those threads.

l

Flexible (technical preview): This strategy provides the same

options as the conservative strategy, but improves job queue

worker use.

l

Aggressive: Enables high concurrency. With this option, the job

scheduler does not enforce any limitations on how jobs are

executed. All jobs are equal and executed on all available

workers.

l

Exclusive jobs: Enables jobs to run in sequence, one at a time.

The default value is Conservative.

Note: Two worker threads are dedicated to exporting to

comma-separated values (CSV) jobs for both conservative and

Fortify Software Security Center (23.1.0)

Page 129 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Field

Description

aggressive strategies. (See "Exporting Data to Comma-

Separated Values Files" on page 204 .)

Pause job

execution

This check box (not selectable from the Scheduler page) shows

whether job execution has been paused (from the Maintenance

page) in preparation for server shutdown / system maintenance.

To proceed to the Maintenance page to select or clear this check

box, click the here link. A change to this setting takes effect

immediately after you save the change from the Maintenance page.

No server restart is required.

After you pause job execution, jobs (artifact processing, report

generation, data export requests, and so on) that are currently

running continue to completion. Any new jobs submitted are

queued for processing once the Pause job execution check box is

clear and normal processing resumes.

Important! Fortify strongly recommends that you pause job

execution immediately before server shutdown, and keep it

paused for as short a period of time as possible. This will

prevent a high volume of jobs from queuing up for processing

later.

Caution! Job execution does not automatically resume after the

server comes back up after maintenance. To resume job

execution, you must return to the Maintenance page and clear

the Pause job execution check box.

Token management

Token expiration Number of days before token expiration that users are notified of

alerts

the upcoming expiration. Valid values range from 3 to 30 days,

inclusive.

The default value is 7 (days).

Note: The start of the day is 12 AM in the Fortify Software

Security Center server locale.

Fortify Software Security Center (23.1.0)

Page 130 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Field

Description

Snapshot refresh - Use the fields in this section to schedule the snapshot job.

A snapshot is application version information captured at a given moment in time. This

information includes variables and performance indicator values, which are used to

calculate application versions trends at the scheduled times.

Days of week

Type a CRON expression to specify the days of the week on which

the historical snapshot job is to be run. You can enter the value as a

three-letter abbreviation for the day of the week (for example, type

THU for Thursday) or as a single digit, by entering a 1 for Sunday, a

2 for Monday, and so on. To run the scheduler on multiple days,

separate the entries with a comma. For example, type SUN, WED,

FRI or 1, 4, 6.

Note: The three-letter abbreviations must be entered as upper-

case letters. Spaces between the entries are optional.

To enter consecutive days, separate the entries with a dash. For

example, type MON-FRI to run the scheduler on week days only.

Type * if the scheduler is to run every day (the default).

Hours

Type the hour, using 24-hour time notation, at which the recurring

scheduler job is to start running. For example, type 1 to start the job

at 1 A.M.

Type * if the scheduler is to run every hour.

Note: The values you enter in the Days of Week, Hours, and

Minutes fields are concatenated to create the CRON expression

used by the scheduler.

The default value is 0 (midnight).

Minutes

Type the minute at which the recurring scheduler job is to start

running. For example, type 24 to start the job at 24 minutes past

the hour that you entered in the Hours box.

The default value is 0 (indicating the job starts running in the first

minute).

Index maintenance Use the fields in this section to schedule your Fortify Software

Fortify Software Security Center (23.1.0)

Page 131 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Field

Description

Security Center full text search index maintenance. Fortify recommends that you run this

job daily.

Days of week

Type a CRON expression to specify the days of the week on which

the index maintenance job is to be run. You can enter the value as a

three-letter abbreviation for the day of the week (for example, type

THU for Thursday) or as a single digit, by entering a 1 for Sunday, a

2 for Monday, and so on.

To run the scheduler on multiple days, separate the entries with a

comma. For example, type SUN, WED, FRI or 1, 4, 6.

Note: The three-letter abbreviations must be entered as upper-

case letters. Spaces between the entries are optional.

To enter consecutive days, separate the entries with a dash. For

example, type MON-FRI to run the scheduler on week days only.

Type * if the scheduler is to run every day.

The default value is *.

Hours

Type the hour, using 24-hour time notation, at which the recurring

index maintenance job is to start running. For example, type 1 to

start the job at 1 A.M.

Type * if the scheduler is to run every hour.

Note: The values you enter in the Days of Week, Hours, and

Minutes fields are concatenated to create the CRON expression

used by the scheduler.

The default value is 0 (midnight).

Minutes

Type the minute at which the recurring index maintenance job is to

start running. For example, type 24 to start the job at 24 minutes

past the hour that you entered in the Hours box.

The default value is 0 (indicating the job starts running in the first

minute).

Events maintenance

Fortify Software Security Center (23.1.0)

Page 132 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Field

Description

Days to preserve Type the number of days after which OpenText removes past

events. To specify no event removal, type 0 (zero).

Fortify Software Security Center uses the new value during the next

run of the dedicated cleaning job. A new job is created daily at

11:30 p.m. and if it is not blocked, it starts its work immediately.

The default value is 0. (No cleanup occurs.)

Reports maintenance

Days to preserve Type the number of days Fortify Software Security Center is to

retain generated reports. The default value is 0. (No cleanup

occurs.)

To ensure that the cleanup job is not too time- or resource-

intensive, each nightly run clears a maximum of 2000 old reports

(and associated entities). Fortify SSC then gradually cleans up the

remaining reports over the following days.

Data export maintenance

Days to preserve Type the number of days Fortify Software Security Center is to

retain exported audit reports.

The default value is 2.

Note: This job is run every day at 11:45 PM (23:45)

4. Click SAVE.

5. To implement your settings, restart the server.

See Also

"Setting Job Execution Priority" below

"Canceling Scheduled Jobs" on page 135

"Recurring Cleanup Jobs" on page 135

Setting Job Execution Priority

All new jobs in Fortify Software Security Center are scheduled with priority set to "very low."

Multiple jobs that have the same priority are processed in the order in which they are added to

the jobs queue. That is, the first job added to the queue is the first job processed. Jobs with

higher priority values set are processed before those assigned lower priority.

Fortify Software Security Center (23.1.0)

Page 133 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

If you are a Fortify Software Security Center administrator or a security lead, you can change the

priority of scheduled jobs that are in the PREPARED state. (Job state can be PREPARED,

RUNNING, FINISHED, FAILED, or CANCELED.)

To set the priority for a scheduled job:

1. On the Fortify header, select ADMINISTRATION.

2. In the left pane of the ADMINISTRATION view, select Metrics & Tracking, and then select

Jobs.

3. On the right end of the Jobs toolbar, from the Filter by list, select Prepared.

4. Scroll through the listed jobs and expand (click) the row for the job you want to re-

prioritize.

5. From the SET PRIORITY list, select one of the following priority values:

l

Very Low

l

Low

l

Medium

l

High

l

Very High

Changing job priority may affect other jobs in the queue. If the priority you set for a job

potentially affects other jobs, Fortify Software Security Center displays a message to advise

you of the potential effect, and prompts you to confirm that you want to continue with the

change.

6. To continue, click OK.

The jobs table now reflects the changed priority setting.

"Configuring Job Scheduler Settings" on page 128

Fortify Software Security Center (23.1.0)

Page 134 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Canceling Scheduled Jobs

If you are a Fortify Software Security Center administrator or a security lead, you can cancel

scheduled jobs that are still in the prepared state. (The job state can be prepared, running,

finished, failed, or cancelled.)

To cancel a job:

1. Log in to Fortify Software Security Center as an administrator or security lead, and then, on

the Fortify header, select ADMINISTRATION.

2. In the left pane of the ADMINISTRATION view, under Metrics & Tracking, select Jobs.

3. On the far right of the Jobs toolbar, from the Filter by list for job state, select Prepared.

4. Scroll through the listed jobs and click the row for the job you want to cancel.

5. Click the row for the job to expand it and view the details.

6. Click CANCEL.

Fortify Software Security Center prompts you to confirm that you want to cancel the job.

7. Confirm that you want to cancel the job.

Recurring Cleanup Jobs

Fortify Software Security Center performs several cleanup jobs on a recurring basis. These are

described in the following table.

Job Name and

Description

Affected Tables

Default Schedule

Data Export Cleanup

dataexport, documentinfo,

and datablob

Daily at 23:45 h

Removes exported data (such

as CSV files) that were more

than the specified number of

days old. (See "Configuring Job

Scheduler Settings" on

For instructions on how to

schedule this job from the

Fortify Software Security

Center user interface, see

page 128 .)

Event Log Cleanup

eventlogentry

Daily at 23:30 h

Removes event records older

than the number of days

specified on the Scheduler

page.

For instructions on how to

schedule this job from the

Fortify Software Security

Fortify Software Security Center (23.1.0)

Page 135 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Job Name and

Description

Affected Tables

Default Schedule

Center user interface, see

Expired Tokens Cleanup

agentcredential

id_table

Daily, every six hours,

starting at 00:00 h

Removes expired tokens with

elapsed expiration dates.

ID Table Cleanup

Daily at 23:00 h

Removes IDs, used for filtering pv_id_table

while working with user

permissions and generating

reports.

For instructions on how to

schedule this job from the

Fortify Software Security

Center user interface, see

Job Cleanup

jobqueue

Daily at 23:00 h

Removes finished jobs. (Failed

jobs are removed after the set

number of days, beginning

with their start time. Canceled

jobs are cleaned up without

regard to start time.)

Orphaned Data Cleanup

documentinfo

Every Sunday at 23:30 h

Daily at 00:00 h

Removes metadata associated

with attachments that are no

longer needed.

Orphaned Source Files Cleanup sourcefile

Removes source files that are

no longer referenced by any

existing issue.

Set using

job.sourceFileCleanup.cron

Report Cleanup

savedreport

No cleanup scheduled

Fortify Software Security Center (23.1.0)

Page 136 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Job Name and

Description

Affected Tables

Default Schedule

Removes generated reports

that are older than the number

of days specified for Days to

preserve on the Scheduler

page.

documentinfo

datablob

For instructions on how to

schedule this job from the

Fortify Software Security

Center user interface, see

Webhook History Cleanup

webhookhistory

N/A

Daily at 03:30 h

Removes old webhook event

entries.

Index Maintenance

Daily at 00:00 h

Resolves inconsistencies

between global search

(fulltext) indexes and existing

database entries (for example,

resulting from unclean server

shutdown or indexing job

failures).

For instructions on how to

schedule this job from the

Fortify Software Security

Center user interface, see

LDAP Refresh

N/A

Hourly

Updates caches associated

with LDAP entities.

Historical Snapshot

Daily at 00:00 h

Re-creates out-of-date

snapshots.

For instructions on how to

schedule this job from the

Fortify Software Security

Center user interface, see

page 128 ."Configuring Job

Settings" on

Scheduler Settings" on

page 128

Fortify Software Security Center (23.1.0)

Page 137 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Job Name and

Description

Affected Tables

Default Schedule

Alert Reminder

N/A

Daily at 03:00 h

Sends reminder alerts.

Token Expiry Alerts

N/A

Daily at 03:00 h

Notifies users of any tokens to

expire soon.

Configuring Browser Access Security for Fortify Software Security Center

To configure security for browsers that access the Fortify Software Security Center domain:

1. On the Fortify header, select ADMINISTRATION.

2. In the left pane, select Configuration, and then select Security.

3. On the Security page, configure the settings as described in the following table.

Field

Description

Content-Security-Policy

Specify what (if any) level of CSP to use. Using the HTTP

Content-Security-Policy header controls the resources

browsers can load and what actions they can perform on

pages loaded from Fortify Software Security Center. This

helps guard against cross-site scripting attacks.

Select one of the following options:

l

To restrict access to only the base URL configured using

the host.url property (set using the Fortify Software

Security Center configuration wizard), select Strict.

l

To enable a less restrictive policy than strict CSP, select

Relaxed. This is the default setting. It allows access to

the Fortify Software Security Center domain from any

host:port.

l

To disable the Content-Security-Policy header, select

Disabled. Although Fortify recommends that you not

disable the Content-Security-Policy header, this option is

available if CSP causes unexpected problems.

Fortify Software Security Center (23.1.0)

Page 138 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Field

Description

Set value for Strict-

Transport-Security

header

Type the value for the Strict-Transport-Security header.

This header signals to browsers to use HTTPS instead of

HTTP to communicate with Fortify Software Security

Center.

Important! Please use caution when you set this value.

It can have a severe impact on users. For more detail,

see the HTTP Strict Transport Security Cheat Sheet

(https://www.owasp.org/index.php/HTTP_Strict_

Transport_Security_Cheat_Sheet ).

The Strict-Transport-Security header is sent only through a

secure channel determined by Tomcat Server.

Set value for Public-Key- Type the value for the Public-Key-Pins header. This

Pins header

decreases the risk of man-in-the-middle (MitM) attacks.

Important! Please use caution when you set this value.

It can have a severe impact on users. For more detail,

see the HTTP Strict Transport Security Cheat Sheet

(https://www.owasp.org/index.php/HTTP_Strict_

Transport_Security_Cheat_Sheet ).

The Public-Key-Pins header is sent only through a secure

channel determined by Tomcat Server.

4. Click SAVE.

Configuring Fortify Software Security Center to Work with Single Sign-On

The following table lists the single sign-on solutions that Fortify Software Security

Center supports, and provides links to the instructions on how to configure Fortify

Software Security Center to work with these SSO types.

SSO Solution

Instructions

CAS

"Configuring Fortify Software Security Center to Work with a

Central Authorization Server" on page 141

(Central Authorization

Server)

Fortify Software Security Center (23.1.0)

Page 139 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

SSO Solution

Instructions

SPNEGO/ KERBEROS

"Setting up Kerberos Authentication with Fortify Software

Security Center" on page 148

SAML 2.0-compliant single "Configuring Fortify Software Security Center to Work with

sign-on

SAML 2.0-Compliant Single Sign-On" on the next page

HTTP headers

"Configuring Fortify Software Security Center to Work with

Single Sign-On and Single Logout Solutions that use HTTP

Headers" on page 146

X.509 certification

"Configuring Fortify Software Security Center to Use X.509

Certification-based SSO" on page 150

Restrictions on Configuration

Restrictions on configuring Fortify Software Security Center to work with SSO solutions are as

follows:

l

You can only use the SSO solutions that Fortify Software Security Center supports to give

users access to the Fortify Software Security Center user interface.

l

At any given time, you can configure only one SSO solution for use with Fortify Software

Security Center.

l

A user who wants to access Audit Workbench, fortifyclient, or any of the IDE plugins, must

use an LDAP or local Fortify Software Security Center user account and password to log in.

For information about how to enable debug logging for SSO, see "Enabling Debug Logging for

Single Sign-On Authentication" on page 152.

Restricted Local Login (SPNEGO/Kerberos and x.509 solutions only)

Important! This restriction does not apply to the Central Authorization Server

(CAS), SAML, or HTTP Headers SSO solutions. Local login is supported for these

SSO solutions.

To improve application security, if SSO authentication is enabled, Fortify Software Security

Center prevents both LDAP and local users from using usernames and passwords to log in

locally. Users can only use the configured SSO method or an API token to access Fortify

Software Security Center. To enable local login with either the SPNEGO/Kerberos or x.509

SSO solution configured, an administrator must use the sso.localAuthenticationEnabled

property, which is located in the app.properties file. For information, see "Enabling Username

and Password Login if Fortify Software Security Center is Configured to Use the X.509 or

Kerberos SSO Solution" on page 151 .

Fortify Software Security Center (23.1.0)

Page 140 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

See Also

"About Session Logout" on page 74

Configuring Fortify Software Security Center to Work with a Central Authorization Server

Note: CAS single logout is supported in Fortify Software Security Center.

To configure Fortify Software Security Center to work with a Central Authorization Server

(CAS):

1. Log in to Fortify Software Security Center as an administrator, and then, on the Fortify

header, click ADMINISTRATION.

2. In the left pane of the ADMINISTRATION view, select Configuration, and then select SSO.

Note: Only one single sign-on solution can be configured for Fortify Software Security

Center at a time.

3. From the list of available single sign-on solutions on the SINGLE SIGN ON page, select CAS.

4. In the Central Authentication Server URL box, type the URL for the CAS server. The

default is http://localhost:8080/cas.

5.

Verify that the host.url property in <fortify.home>/<app_

context>/conf/app.properties designates a URL that the CAS server can access. The

URL is used as a base URL for the Fortify Software Security Center service parameter,

which is set to <host.url>/login/cas.

6. Click SAVE.

7. To implement the configuration, restart the server.

Note: For information about how to obtain extra logging information related to SSO

authentication for Fortify Software Security Center, see "Enabling Debug Logging for Single

Sign-On Authentication" on page 152.

Configuring Fortify Software Security Center to Work with SAML 2.0-Compliant Single Sign-

On

Note: SAML single logout is supported in Fortify Software Security Center. Logout

responses and logout requests sent by IdP must be signed.

Caution! For successful SAML integration, it is critical that the clocks on the client and

server machines (IdP and SP) be synchronized.

Fortify Software Security Center (23.1.0)

Page 141 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

To configure Fortify Software Security Center to work with SSO that uses SAML 2.0:

1. If you are using an LDAP directory for users in Fortify Software Security Center and IdP,

configure Fortify Software Security Center to use LDAP authentication. Otherwise, IdP

users must match local users. (For information, see "LDAP User Authentication" on

page 101.)

2. If your IdP runs with SSL (https), configure Fortify Software Security Center to run with

SSL. Otherwise, protocol switching while authenticating against IdP could interfere with

authentication.

3. Prepare a public/private key pair to be used to digitally sign SAML messages and encrypt

SAML Assertions. If your IdP does not require keys signed by a specific certification

authority, you can generate your own self-signed key using, for example, OpenSSL or Java's

keytool. The following example command generates a keystore that stores a self-signed

key under a given alias:

keytool -genkeypair -alias <key_alias> -keyalg <RSA_or_EC

algorithm> -keystore <keystore_filename> -storepass <password_to_

protect_keystore> -keypass <password_to_protect_key> -validity

<number_of_days_the_key_is_valid>

Make a note of the values for the alias and both passwords. You must provide them later in

the Fortify Software Security Center Administration section (ADMINISTRATION >

Configuration > SSO > SAML).

4. Get SAML metadata from the IdP server and store it on the Fortify Software Security

Center file system.

5. Open the metadata file and make a note of the entityID for your IdP EntityDescriptor

(<EntityDescriptor entityID="THE_VALUE_YOU_ARE_LOOKING_FOR">). Also check to see

whether the metadata is signed (the <Signature> section is present). If the metadata is

signed, the signature is verified with the PKIX validation algorithm and uses all public keys

present in the keystore as trust anchors. Make sure that you include the root CA certificate

and intermediary CA certificates of the signature in your keystore.

6. Log in to Fortify Software Security Center and, on the Fortify header, select

ADMINISTRATION.

7. In the left pane of the ADMINISTRATION view, select Configuration, and then select SSO.

Note: You can configure only one single sign-on solution at a time for Fortify Software

Security Center.

Fortify Software Security Center (23.1.0)

Page 142 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

If a single sign-on solution other than SAML is currently configured, its name is displayed in

the list on the SINGLE SIGN ON page.

8. From the list of available single sign-on solutions, select SAML.

9. Provide the information described in the following table.

Field

Description

IdP metadata location

Location of your identity provider metadata (the metadata

obtained in step 3).

Examples

file:///location/of/idp-metadata.xml

https://idp-metadata.example.com

Note: If you are integrating with Azure AD, enter the

value shown in the App Federation Metadata Url

field In Azure. (In the left pane in Azure, under

Manage, select Single sign-on, and then select SAML.

You can see the App Federation Metadata Url field

under SAML Signing Certificate.)

Note: If your IdP is behind a proxy server, you must

download IdP metadata to your local file system and

reference it locally. Current SAML implementation

does not support getting metadata over http proxy.

Default IdP

entityID of your IdP EntityDescriptor (from IdP metadata)

Note: If you are using the SCIM protocol to provision

Fortify Software Security Center with user data from

Azure AD, use the value shown in the Azure

AD Identifier field in Azure. (You can see this field on

the SAML-based Sign-on page under Set up

<application_name>.)

SP entity ID

SP alias

Service provider entity ID value must be a URL that does

not exceed 1024 characters, and is globally unique across

federations. Fortify recommends that you use the URL of a

running Fortify Software Security Center instance.

Service provider alias must include only alphanumeric

Fortify Software Security Center (23.1.0)

Page 143 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Field

Description

characters, colons, dashes, and underscores. It cannot

contain slashes, hash marks, semicolons, or question marks.

Because this field value plays no significant role, you can

specify any general value. For example, you can use

fortify_ssc.

Keystore location

Location of your keystore that stores the key pair to be

used for signing SAML messages and encrypting SAML

Assertions

Note: If IdP metadata is signed, the signature is

verified with the PKIX validation algorithm and uses all

public keys present in the keystore as trust anchors.

Make sure that you include the root CA certificate and

intermediary CA certificates of the signature in your

keystore.

Keystore password

Keystore file password

Signing & encryption key

Signing/encryption key alias in the keystore file

Signing/encryption key password

Signing & encryption key

password

SAML name identifier

Name of the element in the SAML Assertion sent by IdP

that holds the authenticated user's username, which

matches the Fortify Software Security Center user's

username. Use the NameID value if the username is

released within the <NameID> element. If the username is

released within one of the <Attribute> elements, provide

the name value of the attribute. This information should be

available or configurable in your IdP server.

10. Click SAVE.

11.

Verify that the host.url property in <fortify.home>/<app-

context>/conf/app.properties designates a URL that the IdP server can access. The

URL is used as a base URL for constructing <AssertionConsumerService> and

<SingleLogoutService> locations in Fortify Software Security Center SAML metadata.

Fortify Software Security Center (23.1.0)

Page 144 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

12. Fortify Software Security Center supports HTTP REDIRECT and HTTP POST bindings for

inbound and outbound SAML messages. You can configure both REDIRECT and POST

bindings for single logout. The default binding is set to HTTP POST. To switch to different

binding for inbound single logout messages, add the

sso.saml.logout.binding.consume property to the <fortify.home>/<app_

context>/conf/app.properties file. Set the sso.saml.logout.binding.consume

property value to REDIRECT, POST, or specify both values.

Important! If you are integrating with Azure AD, you must specify REDIRECT single

logout binding.

13. If the SAML assertion sent from IdP is encrypted, make sure that the authentication

response message is signed.

Important! If you are integrating with Active Directory Federation Services (AD FS),

set the IdP parameter SamlResponseSignature to MessageAndAssertion

(recommended) or MessageOnly value.

14.

Recent Chrome or Chromium-based browsers default to a SameSite=Lax cookie policy,

which means that cookies are not sent with sub-requests to third-party sites. As a result,

single logout that is not initiated from Fortify Software Security Center does not work

correctly.

Note: Single logout initiated from Software Security Center works correctly, regardless

of the cookie policy settings.

To make single logout work in Chrome or Chromium-based browsers, you must change the

SameSite policy for session cookies to None. Be advised that this denotes a less secure

policy than the default, so you must determine whether making the change is the best

approach for your organization. To change the policy for container deployments, use the

HTTP_SERVER_SAME_SITE_COOKIES environment variable. For non-container

deployments, add <CookieProcessor sameSiteCookies="none"/> to the context

section of your Tomcat configuration. For details, see https://tomcat.apache.org/tomcat-

9.0-doc/config/context.html#Nested_Components.

15. Restart Fortify Software Security Center.

16. Generate the Fortify Software Security Center (SP) metadata at

<hostname>:<port>/<context>/saml/metadata/<SP_alias>.

17.

Open the metadata generated in previous step and verify that the location URLs in

<AssertionConsumerService> and <SingleLogoutService> are accessible from the

IdP server.

18. Upload the Fortify Software Security Center metadata to the IDP server.

19.

Try to access <hostname>:<port>/<app_context>.

You are redirected to the IdP server, where you can enter your credentials. After successful

authentication, the IdP server redirects you back to Fortify Software Security Center.

Fortify Software Security Center (23.1.0)

Page 145 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Note: For information about how to obtain extra logging information related to SSO

authentication for Fortify Software Security Center, see "Enabling Debug Logging for Single

Sign-On Authentication" on page 152.

Troubleshooting SAML SSO Integration

Issue: After accessing the <hostname>:<port>/<app-context>/login.jsp page, a user is

not redirected to IdP.

l

The login page is excluded from SSO so that a local administrator can access the application

and correct the SAML SSO configuration.

Issue: Users are authenticated with IdP, but Fortify Software Security Center does not authorize

them.

l

The username received in the SAML assertion from IdP does not match any LDAP or local

Fortify Software Security Center user (based on user lookup strategy). Verify the following:

l

The "SAML name identifier" in your Fortify Software Security Center SAML configuration is

set to an attribute in the SAML assertion that contains the username.

l

The user exists in Fortify Software Security Center and has an assigned role.

l

The user lookup strategy is correctly configured (see "Configuring Core Settings" on

page 92).

Issue: You want to set the IdP metadata location as HTTP URL to IdP instead of referencing the

IdP metadata locally.

l

The configuration accepts the HTTP location but the IdP cannot be behind a proxy server. If

the IdP is behind a proxy server, Fortify Software Security Center cannot access the

metadata, so the data must be referenced locally.

Solutions that use HTTP Headers" below

Configuring Fortify Software Security Center to Work with Single Sign-On and Single Logout

Solutions that use HTTP Headers

To configure Fortify Software Security Center to work with SSO that uses headers:

1. On the Fortify header, select ADMINISTRATION.

2. In the left pane, select Configuration, and then select SSO.

Note: Only one single sign-on solution can be configured for Fortify Software Security

Center at a time.

Fortify Software Security Center (23.1.0)

Page 146 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

3. From the list of available single sign-on solutions on the SINGLE SIGN ON page, select

HTTP.

4. Under HTTP SSO Integration Attributes, configure the following settings.

Field

Description

HTTP header

for username

Type the HTTP header to use for SSO logons.

The default value is username.

IdP login page

Type the URL for the identity provider login page.

SSO Logout

page

Type the logout page address to which users are to be redirected after

logging out of Fortify Software Security Center.

SSO Logout

Response

Header

Type the dynamic directive header.

SSO Logout

Response Code

Type the dynamic directive code in this box.

Type the dynamic directive message in this box.

SSO Logout

Response Text

5. Click SAVE.

6. Configure Fortify Software Security Center to use LDAP authentication. For details, see

"LDAP User Authentication" on page 101.

7. Restart the server.

Note: For information about how to obtain extra logging information related to SSO

authentication for Fortify Software Security Center, see "Enabling Debug Logging for Single

Sign-On Authentication" on page 152.

Fortify Software Security Center (23.1.0)

Page 147 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Setting up Kerberos Authentication with Fortify Software Security Center

To set up Kerberos authentication with Fortify Software Security Center.

Caution! SPNEGO/Kerberos SSO may require the transmission of large amounts of data to

Fortify Software Security Center via HTTP headers. An insufficient header size limit results

in a "Bad Request" error. To increase the header size limit, configure the

maxHttpHeaderSize property on the Tomcat Server Connector.

1. Create an Active Directory account and register the Service Principal Name (SPN) for the

account as follows:

setspn -U -S HTTP/SSCServer.mydomain.lan SSCKerberos

2. Create a keytab file.

Example:

ktpass -out c:\SSCSERVER.keytab -princ HTTP/

SSCServer.mydomain.lan@mydomain -mapUser mydomain\SSCKerberos -

mapOp set -pType KRB5_NT_PRINCIPAL /crypto all /kvno 0 -pass

3o(t&gSp&3hZ4#t9

3.

(Linux only) Make sure that, at a minimum, your krb5.conf file contains the following:

[libdefaults]

default_realm = EXAMPLE.COM

[realms]

EXAMPLE.COM = {

kdc = kerberos.example.com

admin_server = kerberos.example.com

}

4. Log in to Fortify Software Security Center as an administrator, and then, on the Fortify

header, select ADMINISTRATION.

5. In the left pane of the ADMINISTRATION view, select Configuration, and then select SSO.

Note: Only one single sign-on solution can be configured for Fortify Software Security

Center at a time.

6. From the Enabled SSO list on the SINGLE SIGN ON page, select SPNEGO/KERBEROS.

7. Under SPNEGO/Kerberos Integration Attributes, provide the information described in

the following table.

Fortify Software Security Center (23.1.0)

Page 148 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Field

Description

Service principal

name

Service principal name (SPN) of Fortify Software Security

Center in the Kerberos realm. The value you specify can include

the realm name configured in the Kerberos initialization file.

Keytab location

Location of the keytab file (created in step 2), which contains

Fortify Software Security Center principal keys. The location must

specify the absolute path to the file using the file URI scheme.

Windows example:

file:///C:/Users/fortify/secrets/krb.keytab

Linux example:

file:///home/fortify/secrets/krb.keytab

Krb5.conf location

Location of optional krb5.conf file. This sets the

java.security.krb5.conf property. The location must specify

the absolute path to the file using file the URI scheme. See Keytab

location for examples.

Enable debug

mode

Select this check box to enable debug mode.

8. Click SAVE.

9. Check to make sure that the User username attribute setting for your LDAP server is

correct. (See "Configuring LDAP Servers" on page 104.)

10. Restart the server.

11. Verify that the LDAP user names resolve correctly. Format the LDAP user name values as

follows:

username@domain

12. Check your browser setup, as follows:

l

For Firefox, add the service URL to network.negotiate-auth.trusted-uris

(about:config). For example, service-machine.my.domain.lan.

l

For Chrome, add the service URL to your intranet and trusted sites, configure automatic

logon only for the local intranet zone settings, and enable integrated Windows

authentication.

Important! Check to make sure that the Fortify Software Security Center LDAP

configuration username mapping matches the LDAP User entry attribute, where the

attribute holds a username sent in the Kerberos ticket. In configurations that use Microsoft

Active Directory, the User Principal Name (UPN) attribute should hold the username sent in

Fortify Software Security Center (23.1.0)

Page 149 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

the Kerberos ticket. However, verify this before you change configuration settings.

Caution! If Fortify Software Security Center is configured to use the SPNEGO/Kerberos

SSO solution, and you want users (local and LDAP) to be able to log in using their user

names and passwords, you must directly enable it. For instructions, see "Enabling Username

and Password Login if Fortify Software Security Center is Configured to Use the X.509 or

Kerberos SSO Solution" on the next page .

Configuring Fortify Software Security Center to Use X.509 Certification-based SSO

To configure Fortify Software Security Center to use X.509 certification-based SSO:

1. Configure x.509 client certification in Tomcat. See certificateVerification and related

options at https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_

Certificate for details.

2. Log in to Fortify Software Security Center as an administrator, and then click the

ADMINISTRATION tab.

3. In the left pane of the ADMINISTRATION view, select Configuration, and then click SSO.

Note: You can configure only a single sign-on solution for Fortify Software Security

Center at a time.

4.

5. From the Enabled SSO list on the SINGLE SIGN ON page, select X.509.

6. In the X.509 certificate username pattern box, type a regular expression for Fortify

Software Security Center to specify how to retrieve the username from the client certificate,

do one of the following:

l

To retrieve the username from the X.509 certificate Subject field, use a regular

expression with capturing groups. The regular expression is then used to match the

username from the Subject field value.

Fortify Software Security Center (23.1.0)

Page 150 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Example: To match the CN attribute of the certificate Subject field, specify the CN=

(.*?) pattern.

l

To retrieve the username from the X.509 certificate Subject Alternative Name (SAN)

extension Other Name, use $0!OID$regex pattern, where:

o

OID represents the identifier of the Other Name from which to retrieve the username.

Only Other Names that contain string values are supported.

o

regex represents the regular expression with capturing group to use to retrieve the

username from the Other Name value.

Example: One of the widely used SAN Other Names is User Principal Name (UPN), with

OID1.3.6.1.4.1.311.20.2.3. Its value takes the form username@domain.

To match the whole username@domain under UPN, specify the following pattern:

$0!1.3.6.1.4.1.311.20.2.3$(\S+@\S+)

To match only the user name before the @ sign, without the domain, under UPN, specify

the following pattern:

$0!1.3.6.1.4.1.311.20.2.3$(.+?(?=@))

7. Click SAVE.

8. To implement the configuration, restart the Fortify Software Security Center server.

Caution! If you configure Fortify Software Security Center to use X.509 certification-based

SSO, and you want users (local and LDAP) to be able to log in using their user names and

passwords, you must directly enable it. For instructions, see "Enabling Username and

Password Login if Fortify Software Security Center is Configured to Use the X.509 or

Kerberos SSO Solution" below .

Enabling Username and Password Login if Fortify Software Security Center is Configured to

Use the X.509 or Kerberos SSO Solution

If Fortify Software Security Center is configured to use the X.509 or Kerberos SSO solution, local

login is disabled by default. If you want users (local and LDAP) to be able to log in using their

usernames and passwords, you must directly enable local authentication, as follows:

1.

Navigate to <fortify.home>/<app_context>/conf, and open the app.properties

file in a text editor.

2.

3.

Set the sso.localAuthenticationEnabled property to true.

Save and close the app.properties file.

4. Restart the server.

Fortify Software Security Center (23.1.0)

Page 151 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Enabling Debug Logging for Single Sign-On Authentication

If you want to get extra logging information related to single sign-on (SSO) authentication for

Fortify Software Security Center, you can do so by updating the logging configuration.

To obtain extra logging information related to SSO authentication for Fortify Software Security

Center:

1.

Go to the <fortify.home>/<app_context>/conf directory, and then open the

log4j2.xml file in a text editor.

2. For single sign-on solutions that use HTTP headers, add the following logger definition to

the log4j2.xml file:

<Logger

name="com.fortify.manager.web.security.auth.FmHttpSsoAuthenticationFil

ter" level="debug"/>

3.

4.

For SAML 2.0-compliant single sign-on solutions, locate the section marked <!-- SSO

SAML -->, and then change the level of each logger in that section to the appropriate

debug value.

For the CAS single sign-on solution, locate the section marked , and

then change the level of each logger in that section to the appropriate debug value.

Configuring Web Services to Require Token Authentication

You enable or disable token authentication for web services in the Configuration section of the

Fortify Software Security Center ADMINISTRATION view.

Fortify Software Security Center supports two types of authentication when the SOAP web

services API is used:

l

A username and password are provided in every request.

l

A temporary security token is generated and passed for authentication.

Token authentication is enabled by default. If you do not want to use token authentication, you

must disable it on the WEB SERVICE ATTRIBUTES page.

For additional information about authentication tokens, see "fortifyclient Authentication

Tokens" on page 395.

To enable or disable token authentication:

1. Log in to Fortify Software Security Center as an administrator, and then, on the Fortify

header, select ADMINISTRATION.

2. In the left pane, select Configuration, and then select Web Services.

3. On the WEB SERVICE ATTRIBUTES page, do one of the following:

Fortify Software Security Center (23.1.0)

Page 152 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

l

To enable token authentication, select the Allow token authentication check box.

l

To disable token authentication, clear the Allow token authentication check box.

4. Click SAVE.

5. Restart the server.

Changing Log Levels for Fortify Software Security Center

To change the log level setting for Fortify Software Security Center:

1.

Navigate to <fortify.home>/<app_context>/conf, and then open the log4j2.xml file

in a text editor.

2.

On line 98, change <Root level="warn"> to <Root level="debug">.

3. Save and close the file.

The modified configuration takes in approximately 10 seconds (as defined by the value of the

monitorInterval attribute in the configuration).

Note: You cannot add a new logger and set a level for it. Only changes to existing loggers

are picked up dynamically.

Configuring Federal Information Processing Standards (for

integrating Fortify Software Security Center with Fortify

WebInspect Enterprise only)

If you plan to integrate Fortify Software Security Center with Fortify WebInspect Enterprise, you

need to enable Federal Information Processing Standards (FIPS) compliance.

To request that OpenSSL be in FIPS mode, at a minimum, you must set the FIPSMode attribute

to on. To force OpenSSL to enter FIPS mode, set the attribute to enter (an error occurs if

OpenSSL is already in FIPS mode). To require that OpenSSL already be in FIPS mode (an error

occur if OpenSSL is not already in FIPS mode), set the attribute to require.

Important! FIPS mode requires that you have a FIPS-capable OpenSSL library, which you

must build yourself. If you set the FIPSMode attribute to any of the above values, you must

also enable the SSLEngine.

For instructions on how to configure FIPS-compliant cryptography, see the documentation for

your operating system.

Customizing the Fortify Banner for Your Organization

You can customize the Fortify banner to display information about your organization's Fortify

Software Security Center website either when customers log on, or when they switch between

Fortify Software Security Center (23.1.0)

Page 153 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

views (DASHBOARD, APPLICATIONS, REPORTS, and so on).

Caution! Each time you upgrade your Fortify Software Security Center instance, you must

recreate the banner.

To create a custom Fortify Software Security Center logon experience for your users:

1.

2.

Navigate to the <ssc.war>/WEB-INF/lib directory.

Extract the contents of the ssc-htmlui-<version>.jar file into a new directory

(referred to as <new_directory> in the remaining steps).

3.

4.

5.

Navigate to the <new_directory>/META-INF/resources/html/login directory.

Open the login.html file in a text editor.

Uncomment the text <!--<center><font color="red">Add your custom banner

here</font></center>-->, and then specify the HTML elements to set the look, feel,

and content of the message displayed where indicated.

The following example adds a banner with red text to the top center of the web page. The

banner is displayed whenever the user logs on to Fortify Software Security Center.

<center><font color=red size=10>Message_text</font></center>

Caution! Space limitations restrict the message text to a single line. Additional lines

interfere with user interface display.

6.

7.

Change the name of the ssc-htmlui-<version>.jar file to ssc-htmlui-

<version>.jar.orig.

Create a new archive named ssc-htmlui-<version>.jar that contains all of the files

under <new_directory>.

Note: Do not include <new_directory> itself in the new archive.

8. Restart the Fortify Software Security Center server.

To create a message banner to display each time a user switches views in Fortify Software

Security Center (DASHBOARD, APPLICATIONS, REPORTS, and so on):

1.

2.

Navigate to the <ssc.war>/WEB-INF/lib directory.

Extract the contents of the ssc-htmlui-<version>.jar file into a new directory

(referred to as <new_directory> in the remaining steps).

3.

4.

5.

Navigate to the <new_directory>/META-INF/resources/html/ssc directory.

Open the index.html file in a text editor, and then go to line 41.

Uncomment the text <div style="text-align: center;"><span style="color:

red; ">Add your custom banner here</span></div>, and then specify the HTML

elements to set the look, feel, and content of the message displayed where indicated.

The following example adds a banner with red text to the top center of the web page. The

banner is displayed whenever the user logs on to Fortify Software Security Center.

Fortify Software Security Center (23.1.0)

Page 154 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

<div style="text-align: center;"><span style="color: red; "> Message

text x</span></div>

Caution! Space limitations restrict the message text to a single line. Additional lines

interfere with user interface display.

6.

7.

Change the name of the ssc-htmlui-<version>.jar file to ssc-htmlui-

<version>.jar.orig.

Create a new archive named ssc-htmlui-<version>.jar that contains all of the files

and directories under <new_directory>.

8. Restart the Fortify Software Security Center server.

Adding a Fortify Insight Link to the Dashboard

If you have purchased Fortify Insight, you can link your Fortify Software Security Center to your

Fortify Insight dashboard by adding a Fortify Insight link to your Fortify Software Security

Center Dashboard.

To add the Fortify Insight link to your Fortify Software Security Center Dashboard:

1. Log in to Fortify Software Security Center as an administrator user.

2. On the Fortify header, click ADMINISTRATION.

3. In the left pane, expand Configuration, and then select Customization.

Fortify Software Security Center (23.1.0)

Page 155 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

4. Under Fortify Insight URL, select the Enable display of the Fortify Insight URL on

your Dashboard check box.

5. In the Fortify Insight URL box, enter the URL for your Fortify Insight page.

6. Click SAVE.

"Changing the Support Contact Link in the About Fortify Software Security Center Box" below

Changing the Support Contact Link in the About Fortify

Software Security Center Box

By default, the About Fortify Software Security Center <version> box displays a link to the

Support portal. You can replace that link with a link to the support portal for your organization.

To display your support portal in the About Fortify Software Security Center box:

1. Log in to Fortify Software Security Center as an administrator user.

2. On the Fortify header, click ADMINISTRATION.

Fortify Software Security Center (23.1.0)

Page 156 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

3. In the left pane, expand Configuration, and then select Customization.

4. Select the Enable using the support URL for your organization in the About box check

box.

5. In the Support URL for your organization box, enter the URL for the support portal for

your organization.

6. In the Text displayed for your support URL box, type the text to display in the new link

to support.

7. Click SAVE.

"Adding a Fortify Insight Link to the Dashboard" on page 155

Customizing Fortify Software Security Center Logging

To customize logging for a Fortify Software Security Center instance, you can provision a

custom log4j2 configuration file to override or add to the standard log4j2 configuration file in

<fortify.home>/<app_context>/conf.

To provision the custom Log4j2 configuration override file, set the COM_FORTIFY_SSC_

LOG4j2_OVERRIDE system environment variable or the

Fortify Software Security Center (23.1.0)

Page 157 of 428

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

com.fortify.ssc.log4j2.override JVM system property to an absolute path for the

custom Log4j2 XML configuration file.

Fortify strongly recommends that you use one of these methods rather than modifying the

<fortify.home>/<app_context>/conf/log4j2.xml file directly because it provides you

with better control.

Setting the Required Password Strength for Fortify Software

Security Center Login

You can use the password.strength.min.score property (located in

<fortify.home>/<app_context>/conf/app.properties) to adjust the required password

strength. The following table lists the valid values and the strength each represents.

Value

Password Strength

Poor

0

1

2

3

4

Weak

Medium

Strong

Very strong

Password strength is not determined based on requirements such as one upper-case character,

one special character, and so on. Instead, it is calculated based on a dedicated password

strength library that uses methods such as estimating the time to crack the password,

determining whether the password contains predictable character sequences or a username,

and checking against common password dictionaries.

See Next

"About Session Logout" on page 74

"Additional Fortify Software Security Center Configuration" on page 76

Fortify Software Security Center (23.1.0)

Page 158 of 428

Chapter 7: Additional Installation-Related Tasks

This section addresses additional tasks related to a new Fortify Software Security Center

installation.

Blocking Data Export to CSV Files

By default, users can export Fortify Software Security Center data displayed in the Dashboard

and AUDIT views to comma-separated values (CSV) files. You can block this functionality.

To prevent users from exporting Fortify Software Security Center data to CSV files:

1. Log in to Fortify Software Security Center as an administrator, and then, on the Fortify

header, click ADMINISTRATION.

2. In the left pane of the ADMINISTRATION view, select Configuration, and then select Core.

3. Scroll to the bottom of the Core page, and then clear the Enable Export to CSV check box.

4. Click SAVE.

See Also

"Configuring Core Settings" on page 92

"Exporting Data to Comma-Separated Values Files" on page 204

About Bug Tracker Integration

Fortify Software Security Center enables your team to submit bugs to your bug tracking system

from Fortify Software Security Center during issue auditing. Fortify Software Security Center

supports integration with the following bug tracking systems:

l

Bugzilla

Note: Integration with the Bugzilla bug tracker plugin requires that you enable XML-RPC

in Bugzilla. For instructions, see

https://www.bugzilla.org/docs/4.4/en/html/api/Bugzilla/WebService/Server/XMLRPC.ht

ml

l

Jira

l

Jira Cloud

Note: If you use Jira Cloud, you must use your Jira authentication token in the Password

field at login.

OpenText Fortify Software Security Center (23.1.0)

Page 159 of 428

User Guide

Chapter 7: Additional Installation-Related Tasks

l

ALM

l

Azure DevOps Server

Important! The Repro Steps field in Azure DevOps, which displays Fortify bug

descriptions, is hidden by default for issue work items. If you use Azure DevOps 2019.1

or later version, and you use the Basic process, you must customize Issue work items to

see the Repro Steps field.

Important! If you use Azure DevOps, you must use a personal access token generated

from Azure DevOps in the Password field at login. For information about Azure DevOps

personal access tokens, see https://learn.microsoft.com/en-

us/azure/devops/organizations/accounts/use-personal-access-tokens-to-

authenticate?view=azure-devops&tabs=Windows .

Fortify Software Security Center (23.1.0)

Page 160 of 428

User Guide

Chapter 7: Additional Installation-Related Tasks

Note: If your organization uses a bug tracking system other than those that Fortify

supplies, you can author a new plugin for that system. For instructions, see "Authoring Bug

Tracker Plugins" on page 406.

For information about how to set up and use bug tracking systems to manage the

security vulnerabilities for your application versions, see "Using Bug Tracking Systems to Help

Manage Security Vulnerabilities" on page 242.

Managing Bug Tracker Plugins

The following sections describe how to add and remove bug tracker plugins to and from the

system.

Important! Successful integration with the Bugzilla bug tracker plugin requires that you

enable XML-RPC in Bugzilla. For instructions, see

https://www.bugzilla.org/docs/4.4/en/html/api/Bugzilla/WebService/Server/XMLRPC.html.

Adding Bug Tracker Plugins

If you are a Fortify Software Security Center administrator, you can connect Fortify Software

Security Center to third-party bug tracker plugins.

Fortify Software Security Center (23.1.0)

Page 161 of 428

User Guide

Chapter 7: Additional Installation-Related Tasks

Important! Using a proxy with authentication and an https bug-tracker domain does not

work. For a successful connection, use one of the following:

- Proxy with authentication plus http://bugtracker.domain.com

- Proxy without authentication plus https://bugtracker.domain.com

- Proxy without authentication plus http://bugtracker.domain.com

To add a bug tracker plugin to the system:

1. Log in to Fortify Software Security Center as an administrator, and then, on the Fortify

header, select ADMINISTRATION.

2. In the left pane of the ADMINISTRATION view, select Plugins, and then select Bug

Tracking Plugins.

3. On the Bug Tracking page header, click NEW.

Fortify Software Security Center displays the UPLOAD PLUGIN WARNING dialog box.

4. Read the warning and, if you accept the potential risk involved in uploading the plugin, click

OK.

5. In the UPLOAD PLUGIN BUNDLE dialog box, click BROWSE, and then locate and select the

JAR file for your plugin. You can use either a Fortify Software Security Center-provided

JAR file, or the JAR file for a bug tracker plugin that you have authored (see "Authoring

Bug Tracker Plugins" on page 406).

You can find the JAR files for the bug trackers that Fortify Software Security Center

provides in the following locations.

Bug Tracker

Plugin

Directory/File

Bug Tracker

Plugin for ALM

<ssc_install_dir>/ plugins/BugTrackerPluginAlm/

com.fortify.BugTrackerPluginAlm-<version>.jar

Bug Tracker

<ssc_install_dir>/plugins/BugTrackerPluginBugzilla/

Plugin for Bugzilla com.fortify.BugTrackerPluginBugzilla-<version>.jar

Bug Tracker

Plugin for Jira

<ssc_install_dir>/plugins/BugTrackerPluginJIRA7/

com.fortify.BugTrackerPluginJira7-<version>.jar

Bug Tracker

Plugin for Azure

DevOps

<ssc_install_dir>/plugins/BugTrackerPluginTFS/

com.fortify.BugTrackerPluginTFS-<version>.jar

6. Click START UPLOAD.

After the upload is completed, the Bug Tracking table lists the new plugin.

7. To enable the bug tracker plugin, click ENABLE.

The Plugin State field for the plugin now displays the value ENABLED.

Fortify Software Security Center (23.1.0)

Page 162 of 428

User Guide

Chapter 7: Additional Installation-Related Tasks

Removing Bug Tracker Plugins

If you are a Fortify Software Security Center administrator, you can remove third-party bug

tracker plugins from the system.

To remove a bug tracker plugin from the system:

1. Log in to Fortify Software Security Center as an administrator, and then, on the Fortify

header, select ADMINISTRATION.

2. In the left pane of the ADMINISTRATION view, select Plugins, and then select Bug

Tracking Plugins.

3. On the Bug Tracking page, expand the row for the plugin you want to remove.

4. Click Disable, and then, after the plugin is disabled, click REMOVE.

"Adding and Managing Parser Plugins" on the next page

"Authoring Bug Tracker Plugins" on page 406

Securing Logon Credentials for Bug Tracking Systems

When you file a bug from Fortify Software Security Center, you provide a username and

password for the bug tracking system. The username and password pair is saved in the HTTP

session and mapped to the bug tracker for each application.

Each bug tracker has a different set of bug parameters and requires different user input. These

parameters are dynamic and could be fetched from the bug-tracking system itself. Default

values may be provided for some parameters.

After you complete and save the bug settings, a bug is created on the bug tracking system and

Fortify Software Security Center saves the bug ID for the issue.

Important! If Fortify Software Security Center is configured to communicate over SSL,

you must also import the required bug tracker certificates to the java virtual machine

where Fortify Software Security Center is deployed.

Bug Tracker Parameters

A bug submitted with a bug tracker requires that a standard summary and bug description be

entered in the Submit Bug dialog box. You can also add values for priority level, a due date for

the fix, and the assignee. Fortify Software Security Center fetches values for the Issue Type and

Fortify Software Security Center (23.1.0)

Page 163 of 428

User Guide

Chapter 7: Additional Installation-Related Tasks

Affects version fields dynamically from the bug tracking system based on the selected

application.

If your application requires additional fields, you might need to modify the plugin before you use

it. For instructions, see "Authoring Bug Tracker Plugins" on page 406 or contact Fortify Support

(https://www.microfoc us.com/support ).

ALM Parameters

In the Submit Bug dialog box for the ALM defect tracker, you select the parameters that reflect

your ALM installation:

l

Bug Summary

l

Bug Description

l

ALM Domain

l

ALM Project

l

Severity

If your ALM project integrates with ALI (details below) you can see that the defect description

includes candidate changesets that could have introduced the issue.

There are several key points of ALM integration to remember. For changeset discovery to be

functional, the following conditions must be met:

l

Each Fortify Static Code Analyzer scan must be tagged with a build-label, which Fortify

Software Security Center uses to map the scan with a source-control revision number. To do

this, include the -build-label <SVN_Revision_Number> command option when you run

the source analyzer tool to translate source code into the analysis model.

l

You must enable the ALI extension for the individual project in ALM and configure

appropriate source control repositories. If the ALI extension is successfully enabled for the

individual project, you can view the Code Changes tab after you log in to ALM.

l

ALM bugs are logged, regardless of whether the changeset discovery requirements are met.

If the prerequisites are not met, then the changeset discovery message is skipped.

l

Currently, Subversion is the only source control repository supported for changeset

discovery.

Note: To view an ALM bug, you must have the ALM browser plugin installed and use an

ALM-compatible browser.

For more information about ALI and ALM, see the documentation for those products.

Adding and Managing Parser Plugins

If you are a Fortify Software Security Center administrator, you can connect Fortify Software

Security Center to third-party parser plugins.

Fortify Software Security Center (23.1.0)

Page 164 of 428

User Guide

Chapter 7: Additional Installation-Related Tasks

Tip: You can write your own parser plugin for Fortify Software Security Center. For

instructions, see the "Sample parser plugin" page on GitHub

(https://github.com/fortify/sample-parser).

To add a parser plugin to the system:

1. Log in to Fortify Software Security Center as an administrator, and then, on the Fortify

header, select ADMINISTRATION.

2. In the left pane, select Plugins, and then select Parser Plugins.

3. On the Parsers page header, click NEW.

Fortify Software Security Center displays the Upload Plugin Warning to advise you of the

risk of uploading third-party plugins.

4. To acknowledge the warning and continue, click OK.

5. In the Upload Plugin Bundle dialog box, click BROWSE, and then locate and select the

bundle file (JAR file) for your plugin.

6. Click START UPLOAD.

The Parsers page lists the plugin you uploaded.

7. To expand the row that displayed the parser name, click it.

8. To enable the parser plugin, click ENABLE.

Fortify Software Security Center displays the Enable Plugin Warning to advise you of the

risk of enabling untested plugins.

9. Click OK.

Preparing Fortify Software Security Center to Display Sonatype Results

You can view open source security data from Sonatype's Nexus Lifecycle solution scan results

for an application version from the AUDIT page or from the OPEN SOURCE page in Fortify

Software Security Center. To do so, you must first download and install the required Sonatype

Parser Plugin. After you do, Sonatype scan results uploaded to Fortify Software Security Center

(using Fortify SourceAndLibScanner) are visible.

To obtain Fortify SourceAndLibScanner, go to

https://marketplace.microfocus.com/cyberres/content/fortify-sourceandlibscanner. For

information about how to use SourceAndLibScanner to upload open Sonatype scan results to

Fortify Software Security Center, see the Micro Focus Fortify SourceAndLibScanner User Guide,

which is packaged with the Fortify SourceAndLibScanner utility.

To prepare Fortify Software Security Center to display uploaded Sonatype data:

1. Open a browser window and navigate to the Fortify Marketplace

(https://marketplace.microfocus.com/cyberres/content/sonatype-nexus-lifecycle-

integration-with-ssc ).

Fortify Software Security Center (23.1.0)

Page 165 of 428

User Guide

Chapter 7: Additional Installation-Related Tasks

2. On the Sonatype Nexus Lifecycle integration with SSC page, click DOWNLOAD.

3.

Unzip the SonatypeFortifyBundle.zip file contents to a local directory.

4. Log on to Fortify Software Security Center as an administrator.

5. On the Fortify header, select ADMINISTRATION.

6. In the left pane, expand the Plugins section, and then select Parser Plugins.

7. On the Parsers page, click NEW.

8. To dismiss the UPLOAD PLUGIN WARNING, click OK.

9. In the UPLOAD PLUGIN BUNDLE dialog box, click BROWSE, and then navigate to and

select the sonatype-plugin-<version>.jar file.

Fortify Software Security Center (23.1.0)

Page 166 of 428

User Guide

Chapter 7: Additional Installation-Related Tasks

10. In the UPLOAD PLUGIN BUNDLE dialog box, click START UPLOAD.

Fortify Software Security Center displays a message to let you know the upload was

successful. The Parsers page now lists the Sonatype Vulnerability Parser.

11. Expand the row for the Sonatype Vulnerability Parser, and then click ENABLE.

12. Read the ENABLE PLUGIN WARNING, and then click OK.

See Also

"About Susceptibility Analysis of Web Applications" on page 352

Preparing Fortify Software Security Center to Display Debricked Results

You can view open source security data from Debricked and view the scan results from the

AUDIT page or from the OPEN SOURCE page in Fortify Software Security Center. To do so, you

must first download and install the required parser plugin. After you do, the open source scan

results uploaded to Fortify Software Security Center are visible.

To prepare Fortify Software Security Center to display Debricked data:

1.

Open a browser window and navigate to https://github.com/fortify/fortify-ssc-

parser-debricked-cyclonedx/releases.

2. Click (expand) Assets and select one of the following:

l

To download a parser that enables the display of Debricked data on both the AUDIT and

OPENSOURCE pages in Fortify Software Security Center, select fortify-ssc-22.2+-

parser-debricked-cyclonedx-1.0.0.zip.

l

To download a parser that enables the display of Debricked data on only the AUDIT

page in Fortify Software Security Center, select fortify-ssc-parser-debricked-

cyclonedx-1.0.0.zip.

3. Go to your Downloads folder and extract the contents of the downloaded ZIP file to a local

directory.

4. Log on to Fortify Software Security Center as an administrator.

5. On the Fortify header, select ADMINISTRATION.

6. In the left pane, expand the Plugins section, and then select Parser Plugins.

Fortify Software Security Center (23.1.0)

Page 167 of 428

User Guide

Chapter 7: Additional Installation-Related Tasks

7. On the Parsers page, click NEW.

8. To dismiss the UPLOAD PLUGIN WARNING, click OK.

9. In the UPLOAD PLUGIN BUNDLE dialog box, click BROWSE, and then navigate to and

select the extracted JAR file.

10. In the UPLOAD PLUGIN BUNDLE dialog box, click START UPLOAD.

Fortify Software Security Center displays a message to let you know the upload was

successful. The Parsers page now lists the Debricked parser plugin for SSC.

11. Expand the row for the Debricked parser plugin, and then click ENABLE.

12. Read the ENABLE PLUGIN WARNING, and then click OK.

See Also

"Viewing Open Source Data" on page 350

Fortify Software Security Center (23.1.0)

Page 168 of 428

User Guide

Chapter 7: Additional Installation-Related Tasks

Administrator Accounts

Users who have Administrator accounts have complete access to all Fortify Software Security

Center user and application version data and can manage the entire Fortify Software Security

Center system. Only users who have Administrator accounts can create, edit, or delete other

user accounts. To change a local user account, you must be a local administrator.

Fortify recommends that you create only the Administrator-level accounts necessary to create

and edit local or LDAP Fortify Software Security Center user accounts. The Security Lead and

lesser accounts can perform all other application-related activity.

Fortify Software Security Center permits the explicit addition of Administrator-level accounts to

application versions. This enables Administrator users to be assigned issues from the AUDIT

page.

About Fortify Software Security Center User Administration

This section provides information about the different types of Fortify Software Security Center

user accounts and how to create these accounts for your users.

Topics covered in this section:

Fortify Software Security Center User Accounts

About Creating User Accounts

169

170

Preventing Destructive Library and Template Uploads to Fortify Software Security Center 171

Viewing Permission Information for Fortify Software Security Center Roles

About Managing LDAP User Roles

171

172

Fortify Software Security Center User Accounts

In addition to the administrator-level account used to administer user accounts, Fortify Software

Security Center supports the following user account types, in descending order of level of

authority:

l

Administrator: An Administrator has access to all application versions and can perform all

actions in the system.

l

Security Lead: A Security Lead has access to all administrative operations except user

account creation and editing. The Security Lead can create application versions and edit all

aspects of the versions that they created or to which they are assigned.

l

Manager: A Manager has read-only access to most administrative data. Managers can create

and edit all data for the application versions to which they are assigned.

Fortify Software Security Center (23.1.0)

Page 169 of 428

User Guide

Chapter 7: Additional Installation-Related Tasks

l

Developer: A Developer has read-only access to some administrative data. Developers can

create and edit a subset of data for the application versions to which they are assigned.

l

View-Only: A View-Only user can view general information and issues for application

versions to which he has access. A View-Only user cannot upload analysis results or audit

issues.

l

Application Security Tester: An Application Security Tester can perform operations that

pertain to execution of dynamic scan requests. An Application Security Tester can view

application versions, view and generate reports, process dynamic scans, upload results and

audit issues.

l

WebInspect Enterprise System: Users assigned the Fortify WebInspect Enterprise System

role can register and de-register a Fortify WebInspect Enterprise instance from Software

Security Center and can retrieve issue audit information. This role is intended for Fortify

WebInspect Enterprise use only.

For more information about user accounts, see "User Accounts and Access" on page 196.

"Unlocking Local User Accounts" on page 216

Fortify Software Security Center (23.1.0)

Page 170 of 428

User Guide

Chapter 7: Additional Installation-Related Tasks

Preventing Destructive Library and Template Uploads to Fortify Software

Security Center

Caution! A malicious user might modify a report library or template so that it contains

arbitrary and potentially destructive SQL queries and commands. Upload only libraries and

templates that are written by trusted users and that have been reviewed for malicious

queries and commands.

Only users who have permission to manage report definitions and libraries can upload custom

report libraries and templates to Fortify Software Security Center. To prevent templates that

execute arbitrary and potentially destructive commends from being uploaded to Fortify

Software Security Center, make sure that you:

l

Assign access permissions to trusted users only.

l

Check all custom templates for arbitrary SQL queries and commands before you upload them

to Fortify Software Security Center.

Viewing Permission Information for Fortify Software Security Center Roles

To view detailed information about the actions that users assigned the various Fortify Software

Security Center roles can perform:

1. On the Fortify header, select ADMINISTRATION.

2. In the left pane, select Users, and then select Roles.

The Roles page lists the names and descriptions of all of the roles in the system.

3. Select the row for the role you are interested in.

The row expands to reveal details for the role, including a table that lists all of the permissions

granted to users assigned that role.

Fortify Software Security Center (23.1.0)

Page 171 of 428

User Guide

Chapter 7: Additional Installation-Related Tasks

For more information about user accounts, see "Managing User Accounts" on page 208.

Handling Failed LDAP User Logins

If you have configured nested LDAP groups for your Fortify Software Security Center server,

and LDAP authentication fails during an attempted login because of incorrect credentials, then

the log includes a message about bad credentials. However, if the log contains the text "user is

not authorized," check the following:

l

Is the user registered in Fortify Software Security Center and assigned a role? Check with the

LDAP administrator to determine whether the user is actually a member of the group to

which it is assumed to belong.

Fortify Software Security Center (23.1.0)

Page 172 of 428

User Guide

Chapter 7: Additional Installation-Related Tasks

l

If user does belong to the LDAP group, check to see whether that the group is registered with

Fortify Software Security Center and assigned a role.

l

Special case: If the user belongs to the LDAP group that is registered to Fortify Software

Security Center, but was added to the group only within the last few hours, refresh the LDAP

cache manually or wait a few hours for it to automatically refresh.

To manually request an LDAP cache refresh:

1. On the Fortify header, select ADMINISTRATION.

2. In the left pane of the ADMINISTRATION view, select Users, and then select LDAP

Entities.

3. Select the check box for the LDAP server.

4. On the LDAP page header, click REFRESH.

5. To determine whether the LDAP cache refresh has completed, from the ADMINISTRATION

view, check either the Event Logs page or the Jobs page.

Note: An LDAP cache refresh can take a long time to complete.

About Mapping Fortify Software Security Center Roles to LDAP Groups

In most environments, the LDAP directory contains some users who do not need access to

Fortify Software Security Center. Also, certain groups of users may require different access

privileges.

Before you configure LDAP user authorization, you must decide which LDAP groups to

associate with the Fortify Software Security Center roles (Administrator, Manager, Developer,

and Auditor). Fortify recommends that you create new LDAP groups that map directly to the

different Fortify Software Security Center roles. For example, you might create a FORTIFY_

ADMINS group and a FORTIFY_DEVELOPERS group.

Global Search Functionality in Fortify Software Security

Center

Fortify Software Security Center provides global, category-based search functionality that

applies search terms across application versions, issues, reports, comments, and users. Newly

added documents (artifacts, application versions, users) are indexed automatically and

immediately.

You can enable global searches during configuration at first login or after an upgrade. (See

"Configuring Fortify Software Security Center for the First Time" on page 68.)

Fortify Software Security Center (23.1.0)

Page 173 of 428

User Guide

Chapter 7: Additional Installation-Related Tasks

Note: Indexing of uploaded FPR files is not immediate because it is performed as a separate

Index New Issues job, which is scheduled to occur at the end of an artifact upload job.

To enable global searching on your Fortify Software Security Center server, you must provide

Tomcat Server with read and write access to the search index directory.

Recommended disk size

The optimum disk size for the requisite indexing for global searches varies based on the

characteristics of the data, but the Lucene indexes are much smaller than the data in the

database. For example, the index size required for a database issue volume of 18 GB (with db

indexes) is approximately 2 GB.

See Also

Troubleshooting Search Index Issues

About Global Search Functionality

Fortify Software Security Center provides global, category-based search functionality that

applies search terms across application versions, issues, reports, comments, and users. You can

enable global searches during configuration at first login or after an upgrade. (See "Configuring

Fortify Software Security Center for the First Time" on page 68 or "Configuring For tify Software

Security Center After an Upgrade" on page 187 .)

Recommended disk size

The optimum disk size for the requisite indexing for global searches varies based on the

characteristics of the data, but the Lucene indexes are much smaller than the data in the

database. For example, the index size required for a database issue volume of 18 GB (with db

indexes) is approximately 2 GB.

"Troubleshooting Search Index Issues" below

Troubleshooting Search Index Issues

As an indicator of search index health, the search index directory (specified in the configuration

wizard) includes the marker file healthy.index. If this file is not present in the search index

directory, Fortify Software Security Center attempts to recreate the index on each startup.

If Fortify Software Security Center repeatedly fails to create the initial index, remove the entire

index directory, and then restart Fortify Software Security Center.

If you are working with a very large database (hundreds of GB), the Full Reindex job may fail

because of limited system memory. If this occurs, increase the Java heap size for Fortify

Software Security Center and then restart Fortify Software Security Center. (For minimum and

Fortify Software Security Center (23.1.0)

Page 174 of 428

User Guide

Chapter 7: Additional Installation-Related Tasks

recommended values for java heap size, see the OpenText Fortify Software System

Requirements document.)

Search Index Maintenance

The index maintenance job, which is performed once a day, keeps the index healthy. You can

change its run time from the ADMINISTRATION view. Fortify recommends that this job be

scheduled to run once a day. For instructions on how to re-schedule executed jobs, see

"Configuring Job Scheduler Settings" on page 128.

Placing Fortify Software Security Center in Maintenance Mode

If, at any time, you need to change any server configuration settings, you can place Fortify

Software Security Center in maintenance mode, and then make the necessary changes.

To place Fortify Software Security Center in maintenance mode:

1. Log in to Fortify Software Security Center as an administrator, and then, on the Fortify

header, select ADMINISTRATION.

2. In the left pane, select Configuration, and then select Maintenance .

3. On the Maintenance page, select the Set to maintenance mode check box, and then click

SAVE.

4. Restart the server.

5.

6.

Go to the <fortify.home>/<app_context> directory, and open the init.token file.

Copy the contents of the init.token file to the clipboard.

7. Open a web browser window and type the URL for your Fortify Software Security Center

instance.

8. In the upper right corner of the Fortify Software Security Center Setup screen, click

ADMINISTRATORS.

Fortify Software Security Center (23.1.0)

Page 175 of 428

User Guide

Chapter 7: Additional Installation-Related Tasks

9.

Paste the string you copied from the init.token file in the text box, and then click SIGN

IN.

The Fortify Software Security Center Setup wizard displays all of the current configuration

settings. For information about server configuration, see "Configuring Fortify Software

Security Center for the First Time" on page 68.

10. After you successfully complete the server configuration, restart Tomcat.

Note: Alternatively, you can set the following Java option to re-initialize the setup

wizard after you complete the setup: -Dcom.fortify.ssc.forceInit

Note: If your Fortify Software Security Center instance appears to be stuck in maintenance

mode, try one of the possible solutions described in "If Fortify Software Security Center is

Stuck in Maintenance Mode" below.

To facilitate server maintenance, you can pause job execution, which allows running jobs to

finish but prevents new jobs from executing. For details, see "Pausing and Resuming Job

Execution" on the next page.

If Fortify Software Security Center is Stuck in Maintenance Mode

Fortify Software Security Center goes into maintenance mode when it is placed there from the

ADMINISTRATION view (see "Placing Fortify Software Security Center in Maintenance Mode" on

the previous page), or it cannot locate the version.properties in the

fortify.home\ssc\conf directory.

Fortify Software Security Center (23.1.0)

Page 176 of 428

User Guide

Chapter 7: Additional Installation-Related Tasks

If your Fortify Software Security Center instance is stuck in maintenance mode, try one of the

following:

l

Reconfigure Fortify Software Security Center. For instructions, see "Configuring Fortify

Software Security Center for the First Time" on page 68.

l

Navigate to the fortify.home\ssc\conf directory and, in the version.properties file,

set maintenance.mode to false.

l

Restore the missing files from the fortify.home\ssc\conf directory.

Note: The datasource.properties file and some database fields contain encrypted

entries that rely on the secret.key file. So, if you are moving your Fortify Software

Security Center instance from one computer to another, you must also move the

secret.key file (not just your database files).

Pausing and Resuming Job Execution

If, for any reason, you need to shut down the server, you can temporarily pause user activity and

disable the running of new jobs for all users in the system, while allowing Fortify Software

Security Center to just finish jobs in progress. This helps to ensure that no data are corrupted or

lost when the server is shut down.

To pause job execution on the server:

1. Log in to Fortify Software Security Center as an administrator, and then, on the Fortify

header, select ADMINISTRATION.

2. In the left pane, select Configuration, and then select Maintenance.

Fortify Software Security Center (23.1.0)

Page 177 of 428

User Guide

Chapter 7: Additional Installation-Related Tasks

3. On the Maintenance page, select the Pause job execution check box, and then click SAVE.

Immediately after you save the setting:

Important! To prevent the queuing up of a large number of jobs, Fortify recommends

that you avoid leaving this setting enabled for long periods of time. After you pause job

execution, make sure that you allow time for queued jobs to process completely before

you shut down the server.

l

All jobs in progress are allowed to complete.

l

All new jobs that users subsequently submit are queued for running later, after the

Pause jobs execution check box is cleared.

l

Fortify Software Security Center displays a banner to notify users that job execution has

been paused.

4. After you next start the server, return to the Maintenance page, clear the Pause job

execution check box, and then click SAVE.

About Fortify Software Security Content

Fortify products use a knowledge base of rules to enforce secure coding standards applicable to

the codebase for analysis. Fortify software security content consists of Fortify Secure Coding

Rulepacks (Rulepacks) and external metadata:

l

Rulepacks describe general secure coding idioms for popular languages and public APIs.

You can write custom rules that add to the functionality of Fortify analyzers and Rulepacks.

For example, you might need to enforce proprietary security guidelines or analyze an

application that uses third-party libraries or other pre-compiled binaries that are not already

covered by the Secure Coding Rulepacks. For instructions on how to write custom rules, see

the Fortify Static Code Analyzer Custom Rules Guide (available only with the Fortify Static

Code Analyzer product download).

For information on how to manage Rulepacks, see:

l

"Updating Rulepacks from the Fortify Update Server" on the next page

l

"Importing Security Content" on page 180

l

"Deleting Rulepacks" on page 181

l

"Exporting Rulepacks" on page 180

Fortify Software Security Center (23.1.0)

Page 178 of 428

User Guide

Chapter 7: Additional Installation-Related Tasks

l

"Seeding the Database with Report Seed Bundles Delivered with Quarterly Security

Content Releases" on page 192

l

External metadata provides mappings from the Fortify vulnerability categories to alternative

categories (such as CWE, OWASP Top 10, and PCI).

Fortify recommends that you not modify the external metadata.xml file. If you do, your

changes are overwritten whenever your Rulepacks are updated quarterly. (See "Seeding the

Database with Report Seed Bundles Delivered with Quarterly Security Content Releases" on

page 192 .) You can, however, create a customexternalmetadata.xml file in which you can

create new, and extend existing, mappings. You can map Fortify issues to different

taxonomies, such as internal application security standards or additional compliance

obligations. This custom file is left undisturbed when you update your security content. For

instructions on how to create your own custom rules or custom external metadata, see the

Fortify Static Code Analyzer Custom Rules Guide.

The schema for external metadata mappings is located in

fortify.home\Core\config\schemas\externalmetadata.xsd.

For information on how to manage your external metadata, see:

l

"Extending a Current Mapping" on page 182

l

"Creating a New Mapping" on page 183

Note: It is important that you work with the newest Rulepacks available. Fortify

recommends that you periodically update your security content.

Updating Rulepacks from the Fortify Update Server

It is important that you work with the newest Rulepacks available. If you want to make sure that

you have the latest Rulepack, you can import it from the Fortify server.

Note: You can use the Fortify Software Security Center proxy to update Rulepacks, if the

Fortify update server is behind it. For information about how to set up a consolidated proxy

for Fortify Software Security Center, see "Configuring a Proxy for Fortify Software Security

Center Integrations" on page 125.

To import the latest Rulepacks:

1. Log in to Fortify Software Security Center as an administrator or security lead, and then, on

the Fortify header, select ADMINISTRATION.

2. In the left pane of the ADMINISTRATION view, under Metrics & Tracking, select

Rulepacks.

3. On the Rulepacks page, click UPDATE FROM SERVER.

Fortify Software Security Center displays information about what the Rulepack update

involves, and prompts you to indicate whether you want to continue.

4. To continue with the download, click OK.

Fortify Software Security Center (23.1.0)

Page 179 of 428

User Guide

Chapter 7: Additional Installation-Related Tasks

After the update is complete, Fortify Software Security Center displays a list of any

imported rules.

5. Click CLOSE.

See Also

"Deleting Rulepacks" on the next page

"Seeding the Database with Report Seed Bundles Delivered with Quarterly Security Content

Releases" on page 192

"Exporting Rulepacks" below

"Importing Security Content" below

Exporting Rulepacks

You can, if necessary, move Rulepacks between one Fortify Software Security Center instance

and another instance, or between Fortify Software Security Center and Fortify Audit

Workbench.

Export Rulepacks with the same file names used to import them, including the file extension

(.bin or .xml).

To export a Rulepack:

1. Log in to Fortify Software Security Center as an administrator or security lead.

On the Fortify header, click ADMINISTRATION.

2. In the left pane, under Metrics & Tracking, select Rulepacks.

3. On the Rulepacks page, select the check boxes for the Rulepacks you want to export, and

then click EXPORT.

Note: If a Rulepack that you select has multiple versions, only the latest version is

exported.

See Also

"Importing Security Content" below

"Deleting Rulepacks" on the next page

Importing Security Content

You can import security content, including custom Rulepacks created using the Fortify Custom

Rules Editor, extended mapping files, and custom mapping files so that they are available to

Fortify Static Code Analyzer and Fortify Audit Workbench.

Fortify Software Security Center (23.1.0)

Page 180 of 428

User Guide

Chapter 7: Additional Installation-Related Tasks

To import security content:

1. Log in to Fortify Software Security Center as an administrator or security lead.

On the Fortify header, click ADMINISTRATION.

2. In the left pane, under Metrics & Tracking, select Rulepacks.

3. On the Rulepacks page, select IMPORT.

4. In the IMPORT RULEPACK dialog box, click + ADD FILES.

5. In the File Upload dialog box, navigate to and select the file(s) to upload.

Note: If you upload an FPR file to that contains an extended mapping, and that mapping is

not present on the server, Fortify Software Security Center displays a processing warning.

"Deleting Rulepacks" below

Deleting Rulepacks

You can remove old Rulepacks from Fortify Software Security Center.

To delete Rulepacks:

1. Log in to Fortify Software Security Center as an administrator or security lead.

On the Fortify header, click ADMINISTRATION.

2. In the left pane, under Metrics & Tracking, select Rulepacks.

3. On the Rulepacks page, select the check boxes for the Rulepacks to delete, and then click

DELETE.

Fortify Software Security Center prompts you to verify that you want to delete the selected

Rulepack(s) and, if the system contains multiple versions of the Rulepack, all of the versions

it includes are deleted.

4. Click OK.

Fortify Software Security Center displays a message to indicate whether the deletion was

successful.

5. If the deletion fails, click more to open the DETAILS window and find out what caused the

failure.

"Importing Security Content" on the previous page

"Updating Rulepacks from the Fortify Update Server" on page 179

Fortify Software Security Center (23.1.0)

Page 181 of 428

User Guide

Chapter 7: Additional Installation-Related Tasks

Extending a Current Mapping

You can extend the mappings that Fortify Software Security Center delivers with the external

metadata, or create new mappings. If you do, keep the following in mind:

l

You can only add new mappings.

l

You cannot overwrite existing mappings.

To extend the current mapping, use the following format:

Important! After you extend your mapping file, you must upload it to Fortify Software

Security Center. For instructions, see "Importing Security Content" on page 180.

If you upload an FPR file that contains an extended mapping, and that mapping is not

present on the server, Fortify Software Security Center displays a processing warning.

"About Fortify Software Security Content" on page 178

Fortify Software Security Center (23.1.0)

Page 182 of 428

User Guide

Chapter 7: Additional Installation-Related Tasks

Creating a New Mapping

You can use <ExternalList> to create a custom_metadata.xml file, as follows:

Important! After you create your custom mapping file, you must upload it to Fortify

Software Security Center. For instructions, see "Importing Security Content" on page 180.

If you upload an FPR file that contains a custom mapping, and that mapping is not present

on the server, Fortify Software Security Center displays a processing warning.

"About Fortify Software Security Content" on page 178

Fortify Software Security Center (23.1.0)

Page 183 of 428

Chapter 8: Upgrading Fortify Software Security

Center

To perform a direct upgrade to the latest Fortify Software Security Center version, you must

have one of the last three versions installed. For example, to upgrade to version 22.2.0, you

must have version 21.1.x, 21.2.x or 22.1.x installed. If you have version 20.2.x or earlier installed,

you must first upgrade to a version 21.1.x, 21.2.x or 22.1.x before you can migrate to version

22.2.0.

The following table shows the upgrade path required to upgrade to Fortify Software Security

Center 23.1.0.

Upgrade Paths for Current Fortify Software Security Center Versions

20.2.x > > 21.1.x >22.2.0

21.1.x > 22.2.0 (direct)

21.2.x > 22.2.0 (direct)

22.1.x > 22.2.0 (direct)

If you cannot directly upgrade your current Fortify Software Security Center version to the

latest version, see the version-specific Fortify Software Security Center documentation for

instructions on how to upgrade to the previous release (or the release immediately before that).

Important! Full ScanCentral SAST-related functionality in Fortify Software Security Center

requires updated ScanCentral Controller and sensors. If you do not need sensor metrics, you

can use existing sensors. You can use existing ScanCentral clients without limiting

functionality.

You must upgrade the ScanCentral Controller before you upgrade the ScanCentral sensors

and clients, and before you upgrade the Fortify Software Security Center server. For

information about how to upgrade ScanCentral Components, see the Micro Focus Fortify

ScanCentral Installation, Configuration, and Usage Guide.

OpenText Fortify Software Security Center (23.1.0)

Page 184 of 428

User Guide

Chapter 8: Upgrading Fortify Software Security Center

Fortify Software Security Center Database Upgrade Tasks

Upgrade the Fortify Software Security Center database by performing the tasks described in the

following table in the order listed.

Task

Description

1

2

Stop Tomcat Server.

Delete the SSC folder and the SSC WAR file from the <tomcat>/webapps

directory.

4

5

6

Copy the new WAR file to the <tomcat>/webapps directory.

Start Tomcat Server.

Open a browser and enter your Fortify Software Security Center URL to start

Fortify Software Security Center in initialization mode. (See "Configuring

Fortify Software Security Center After an Upgrade" on page 187 .)

7

8

Use the Setup wizard to generate the migration SQL script. (See "Configuring

Fortify Software Security Center After an Upgrade" on page 187.)

Run the migration script on your database. (See "Preparing to Run the

Database Upgrade Script" on the next page.)

Note: Databases that contain over 1 TB of data might take five or more

hours to migrate.

Important! (Microsoft SQL databases only) After you migrate Fortify

Software Security Center to a new SQL database version and back up

and restore the database, make sure that you change the compatibility

level (from SQL Server Management Studio) to reflect the SQL engine

that currently hosts the Fortify Software Security Center database.

9

Use the Setup wizard to reseed the database.

Restart Tomcat Server.

10

11

Bug tracker plugins are not included in the ssc.war file. After you upgrade

and start Fortify Software Security Center, be sure to disable and remove old

bug tracker plugins, and then install new plugins from the current

distribution file. For more information, see "About Bug Tracker Integration"

on page 159.

Fortify Software Security Center (23.1.0)

Page 185 of 428

User Guide

Chapter 8: Upgrading Fortify Software Security Center

Preparing to Upgrade the Fortify Software Security Center

Database

The Fortify Software Security Center database migration process creates larger transactions

than those created during regular use. For Fortify Software Security Center databases that have

been successfully run in production environments, database migration does not typically require

changes to your database configuration or resources. For large databases, Fortify recommends

that you review and, if necessary, increase the database resources and settings required to

accommodate the migration process.

If you are upgrading a MySQL database, see "Setting the Innodb Buffer Pool Size when

Upgrading a MySQL Server Database" below .

Setting the Innodb Buffer Pool Size when Upgrading a MySQL Server Database

If you are upgrading a MySQL database, Fortify recommends that you set the innodb_buffer_

pool_size variable to at least 2.5 GB. After the upgrade, revert to your previous setting.

For information about how to configure MySQL for use with Fortify Software Security Center,

see "Configuring a MySQL Database" on page 61.

Preparing to Run the Database Upgrade Script

The Fortify Software Security Center database upgrade scripts require the same database

privileges that the database creation scripts require.

Before you run the database upgrade script, perform the following tasks:

l

Back up your existing Fortify Software Security Center database using your database client

tool.

l

Acquire the database account information that was used to create the existing Fortify

Software Security Center database. See "Database User Account Privileges" on page 59.

Note: Databases that contain over 1 TB of data might take five or more hours to migrate.

Updating and Deploying the WAR File

To update the SSC WAR file:

1. Undeploy the currently deployed SSC WAR file. For instructions, see the documentation for

Tomcat Server.

2. Deploy the new SSC WAR file.

After you deploy the new WAR file, complete the configuration tasks on the Setup wizard steps

and in the ADMINISTRATION view. For information and instructions, see "Configuring Fortify

Fortify Software Security Center (23.1.0)

Page 186 of 428

User Guide

Chapter 8: Upgrading Fortify Software Security Center

Software Security Center After an Upgrade" on the next page and "Additional Fortify Software

Security Center Configuration" on page 76 .

Configuring Fortify Software Security Center After an

Upgrade

After you upgrade Fortify Software Security Center and go to your Fortify Software Security

Center URL in a browser window, the Setup wizard opens.

Note: The Setup wizard is available to administrators only, and only after the first

deployment of Fortify Software Security Center, after an upgrade, or after the server is

placed in maintenance mode (see "Placing Fortify Software Security Center in Maintenance

Mode" on page 175).

1. After you deploy a new version of the Fortify Software Security Center WAR file in Tomcat

Server, open a browser window and type your Fortify Software Security Center server URL.

2.

3.

Go to the <fortify.home>/<app_context> directory, and open the init.token file.

Copy the contents of the init.token file to the clipboard.

4. In the upper right corner of the Fortify Software Security Center screen, click

ADMINISTRATORS.

Fortify Software Security Center (23.1.0)

Page 187 of 428

User Guide

Chapter 8: Upgrading Fortify Software Security Center

5.

Paste the string you copied from the init.token file into the text box, and then click SIGN

IN.

6. If you need to change any configuration settings on the CONFIGURATION or CORE

SETTINGS steps of the Fortify Software Security Center Setup wizard, you can do so using

the instructions provided in "Configuring Fortify Software Security Center for the First

Time" on page 68.

7. Click NEXT until you reach the DATABASE SETUP step.

8. On the DATABASE SETUP step, do the following:

a. In the DATABASE TYPE box, select the type that matches the Fortify Software

Security Center database type.

b. In the DATABASE USERNAME box, type the username for your Fortify Software

Security Center database. For more information, see "Database User Account

Privileges" on page 59.

c. In the DATABASE PASSWORD box, type the password for your Fortify Software

Security Center database.

d. In the JDBC URL box, type the URL for the Fortify Software Security Center database.

Caution! The database name (including letter case) in the JDBC URL must exactly

match your Fortify Software Security Center database name.

Note: The MariaDB JDBC driver is used to connect to the MySQL database server.

Any JDBC URL parameters must use MariaDB driver syntax.

Example of the correct collation parameter syntax:

jdbc:mysql://<host>:3306/<database_

name>?sessionVariables=collation_connection=<collation_name>

(Replace the parameter connectionCollation=<collation_name> with

sessionVariables=collation_connection=<collation_name>.)

Fortify Software Security Center (23.1.0)

Page 188 of 428

User Guide

Chapter 8: Upgrading Fortify Software Security Center

e. To test the connection to your database, click TEST CONNECTION.

If the connection test fails, check the ssc.log file

(<fortify.home>/<appcontext>/logs directory) to determine the cause.

f. After the Setup wizard indicates that the connection was successful, in the right pane,

read the warning and Instructions, and then click DOWNLOAD SCRIPT.

g.

Save and run the ssc-migration.sql script. (For instructions, see "About the Fortify

Software Security Center Database Tables and Schema" on page 65.)

Note: Depending on the size of the source database, data migration may take

several hours to complete.

9.

After you run the ssc-migration.sql script, click NEXT.

10. On the DATABASE SEEDING step, do the following:

a. In the left pane, use BROWSE to locate and select your process seed bundle zip file, and

then click SEED DATABASE.

b. Use BROWSE to locate and select your report seed bundle zip file, and then click SEED

DATABASE.

c. (Optional) Use BROWSE to locate and select your PCI basic seed bundle zip file, and

then click SEED DATABASE.

11. Click NEXT.

12. Click FINISH.

13. Restart Tomcat Server.

Tip: If you later find that you need to change any of the configuration settings, you can

place Fortify Software Security Center in maintenance mode, and then make any necessary

changes. For instructions on how to place Fortify Software Security Center in maintenance

mode, see "Placing Fortify Software Security Center in Maintenance Mode" on page 175.

Upgrading Fortify Static Code Analyzer from Fortify Audit

Workbench

A Fortify Audit Workbench user can check on the availability of new Fortify Static Code

Analyzer and Fortify Apps and Tools versions from the Fortify Audit Workbench user interface.

If a version newer than the one installed is available, the user can download it and upgrade the

local instance. A Fortify Audit Workbench user can also configure Fortify Audit Workbench to

check for, download, and install new versions automatically at startup.

To enable this functionality for Fortify Audit Workbench users, a Fortify Software Security

Center administrator must first set up the auto upgrade capability on the Fortify Software

Security Center host machine.

Fortify Software Security Center (23.1.0)

Page 189 of 428

User Guide

Chapter 8: Upgrading Fortify Software Security Center

For information about how to upgrade Fortify Static Code Analyzer and its associated tools

from Fortify Audit Workbench, see the Micro Focus Fortify Audit Workbench User Guide.

Workbench" below

Enabling Fortify Static Code Analyzer and Fortify Apps and Tools Upgrades

from Audit Workbench

To make new Fortify Static Code Analyzer and Fortify Apps and Tools installers available to

Audit Workbench users for upgrades:

1.

On the Fortify Software Security Center host, navigate to <ssc_install_dir> /WEB-

INF/internal, and then open the securityContext.xml file in a text editor.

2. Locate and uncomment the following line:

<!-- <security:intercept-url pattern="/update-site/**"

access="PERM_ANONYMOUS"/> -->

3.

4.

Save and close the securityContext.xml file.

Copy the Fortify_SCA or Fortify_Apps_and_Tools installer files to the <ssc_install_

dir>/webapps/ssc/update-site/installers directory.

5.

In the <ssc_install_dir>/webapps/ssc/update-site/installers directory, create

an update.xml file for the product that you want to update, as follows:

a. To enable Fortify Static Code Analyzer updates, use the following XML code:

<filename>Fortify_SCA_<version>_windows_x64.exe</filename>

<platform>windows-x64</platform>

</platformFile>

<filename>Fortify_SCA_<version>_linux_x64.run</filename>

<platform>linux-x64</platform>

</platformFile>

<filename>Fortify_SCA_<version>_osx_x64.app.zip</filename>

</platformFile>

</platformFileList>

<url>http://localhost:8080/update-site/installers/</url>

</downloadLocation>

Fortify Software Security Center (23.1.0)

Page 190 of 428

User Guide

Chapter 8: Upgrading Fortify Software Security Center

</downloadLocationList>

</installerInformation>

b.

To enable Fortify Applications and Tools updates, create the update.xml file using the

following XML code:

<filename>Fortify_SCA_<version>_windows_x64.exe</filename>

<platform>windows-x64</platform>

</platformFile>

<filename>Fortify_SCA_<version>_linux_x64.run</filename>

<platform>linux-x64</platform>

</platformFile>

<filename>Fortify_SCA_<version>_osx_x64.app.zip</filename>

</platformFile>

</platformFileList>

<url>http://localhost:8080/update-site/installers/</url>

</downloadLocation>

</downloadLocationList>

</installerInformation>

6. Restart Tomcat Server.

Audit Workbench users can now check for and install new Fortify Static Code Analyzer and

Fortify Apps and Tools versions.

Note: The BitRock InstallBuilder tool used for the auto upgrade functionality supports only

one Windows tag. If you have different versions of Windows, you must have corresponding

configuration files for those versions. For information about how to create the additional

configuration files, see the readme.txt file located in the <ssc_install_dir>/update-

site/installers directory.

Updating Expired Licenses

For information about how to obtain a Fortify license file, see the Micro Focus Fortify Software

System Requirements document.

To update an annual license that has expired:

1. Stop Tomcat Server.

2.

Place your downloaded fortify.license file in the <fortify.home> directory.

Fortify Software Security Center (23.1.0)

Page 191 of 428

User Guide

Chapter 8: Upgrading Fortify Software Security Center

3. Restart Tomcat Server.

Quarterly Security Content Releases

Micro Focus Fortify notifies you when new security content is available for download. These

updates include Rulepacks and external metadata, and can also contain updated seed bundles.

Important! Updated external metadata files can include changes to mapping that reporting

depend on. If updated security content includes a new report seed bundle, make sure that

you update your rules and mapping before you run reports.

"About Fortify Software Security Content" on page 178

"Updating Rulepacks from the Fortify Update Server" on page 179

Seeding the Database with Report Seed Bundles Delivered with Quarterly

Security Content Releases

Micro Focus Fortify notifies you when new security content is available for download. To

determine whether this updated content includes a new seed bundle, check under the heading

Micro Focus Security Fortify Premium Content in your notification document. That section

will have information about the existence of a new seed bundle. If a new seed bundle is included,

you can use it to re-seed your database. For more information about seed bundles and seeding

the database, see "About Seeding the Fortify Software Security Center Database" on page 65.

Note: Seeding the database blocks the creation of new application versions, and the

execution of report jobs and FPR processing jobs.

To seed the database with the report seed bundle from a quarterly security content release:

1. Download the updated security content, as follows:

a. Log on to the Fortify Support Portal (https://www.microfocus.com/support).

b. In the left column, select PREMIUM CONTENT.

c. On the right, select FORTIFY EXCHANGE.

d. Select and download the latest report seed bundle.

2. Extract the contents of the seed bundle ZIP file.

3. In the left pane, select Configuration, and then select Seed Bundles.

4. On the Seed Bundles page, click BROWSE, and then navigate to and select the

ReportBundle.zip file.

5. Click SEED BUNDLES.

Fortify Software Security Center (23.1.0)

Page 192 of 428

User Guide

Chapter 8: Upgrading Fortify Software Security Center

Fortify Software Security Center displays a message to let you know the bundle upload was

successful.

Part I: Using Fortify Software Security

Center

The following chapters provide information about how to use Fortify Software Security Center.

Fortify Software Security Center (23.1.0)

Page 193 of 428

Chapter 9: Using Fortify Software Security Center

Fortify Software Security Center is a browser-based product that provides a set of capabilities

across the software development life cycle to automate detection of security vulnerabilities in

applications. It helps your security and development teams work together to resolve security

flaws quickly and accurately by making correlated data from Fortify Static Code Analyzer,

Fortify ScanCentral DAST, Fortify ScanCentral SAST, Fortify WebInspect, and third-party tools

available through its collaborative online environment.

Topics covered in this section:

About the Central Role of Fortify Software Security Center

Security Management Workflow

User Accounts and Access

Active Directory/LDAP Integration

Logging in to Fortify Software Security Center for the First Time

Requesting Access to Fortify Software Security Center

Changing Your Password

Setting Preferences: System-Wide and Across Application Versions

About the Fortify Software Security Center Dashboard

Issue Stats Page

Exporting Data to Comma-Separated Values Files

Accessing the Fortify Software Security Center API Documentation

Viewing Fortify Software Security Center Keyboard Hotkeys

About the Central Role of Fortify Software Security Center

Fortify Software Security Center provides a location for collecting, correlating, auditing, and

exporting security analysis results. The Fortify Software Security Center server resides in a

central location and receives results from different security activities, such as static, dynamic,

and real-time analysis.

Fortify Software Security Center is designed to help you:

l

Identify and prioritize a baseline of existing vulnerabilities

l

Prevent new vulnerabilities from being introduced

l

Remediate existing vulnerabilities and lower the baseline

l

Ensure that your code is in compliance with internal and external security mandates

OpenText Fortify Software Security Center (23.1.0)

Page 194 of 428

User Guide

Chapter 9: Using Fortify Software Security Center

Fortify Software Security Center works within your organization to answer the following

questions:

l

How do we drive the adoption of good application security practices?

l

How do we get actionable results to development teams?

l

Do we measure application teams on a team-by-team basis or as a unit?

l

How do we track results over time?

Security Management Workflow

The following figure illustrates the flow of security management processes within Fortify

Software Security Center.

As development teams perform scans, they submit periodic scan results from a continuous

integration server into Fortify Software Security Center.

Security teams submit periodic results of a dynamic assessment into Fortify Software Security

Center.

Fortify Software Security Center correlates and tracks the scan results and assessment results

over time, and makes the information available to developers through Audit Workbench, or

through IDE plugins such as the Fortify Plugin for Eclipse, the Fortify Extension for Visual

Studio, and others.

Fortify Software Security Center (23.1.0)

Page 195 of 428

User Guide

Chapter 9: Using Fortify Software Security Center

Users can also push issues into defect tracking systems, including ALM, Jira, Azure DevOps

Server, and Bugzilla.

User Accounts and Access

Fortify Software Security Center supports two methods of authentication:

l

Local user accounts created within the interface

l

Active Directory/LDAP accounts associated with standard corporate authentication (Active

Directory/LDAP integration supports user assignment by group or organizational unit)

Topics covered in this section:

Active Directory/LDAP Integration

196

Logging in to Fortify Software Security Center for the First Time

Requesting Access to Fortify Software Security Center

Changing Your Password

Setting Preferences: System-Wide and Across Application Versions

Active Directory/LDAP Integration

Active Directory/LDAP integration enables Fortify Software Security Center to authorize users

based on their existing corporate credentials. In addition, assignment by group or organizational

unit enables Fortify Software Security Center to take advantage of the existing joiners/leavers

processes. A new person who joins a group automatically has access to Fortify Software Security

Center. A person who leaves a group automatically loses access.

The user who deploys Fortify Software Security Center must configure the integration with the

Active Directory/LDAP during installation. For detailed information, see "Configuring LDAP

Servers" on page 104.

See Also

"Registering LDAP Entities" on page 115

"Fortify Software Security Center User Account Management" on page 208

Logging in to Fortify Software Security Center for the First Time

To log in to Fortify Software Security Center, your Fortify Software Security Center

administrator must provide you with the URL for your instance, a username, and a password.

To log in to Fortify Software Security Center for the first time:

1. To make sure that you access the newest version of the Fortify Software Security Center

user interface, clear your web browser’s cache.

Fortify Software Security Center (23.1.0)

Page 196 of 428

User Guide

Chapter 9: Using Fortify Software Security Center

2. In a web browser, type the URL for your Fortify Software Security Center instance, as

follows:

l

If Fortify Software Security Center is configured to use secure HTTP protocol, type the

following URL:

https://<host_ip>:<port>/ssc/

where <port> represents the port number that Tomcat Server uses.

l

If Fortify Software Security Center is configured to use insecure HTTP protocol (not

recommended), type the following URL:

http://<host_ip>:<port>/ssc/

where <port> represents the port number that Tomcat Server uses.

3. In the Username and Password boxes, type the credentials that your administrator has

given you.

4. Click LOGIN.

5. If Fortify Software Security Center prompts you to change your password, do so. For

instructions, see "Changing Your Password" on the next page.

Requesting Access to Fortify Software Security Center

If you do not yet have a Fortify Software Security Center user account, or if you have forgotten

your user name or password, you can request assistance from the login page.

To request access to Fortify Software Security Center:

1. In a web browser, type the URL for your Fortify Software Security Center instance.

Fortify Software Security Center (23.1.0)

Page 197 of 428

User Guide

Chapter 9: Using Fortify Software Security Center

2. At the bottom of the Fortify Software Security Center screen, click the Can’t access or

need an account? link.

Note: This link is available only if your Fortify Software Security Center administrator

has enabled email notification. (See "Configuring Email Alert Notification Settings" on

page 96.)

3. Provide the required information, and then click SEND.

Fortify Software Security Center sends your request to the Fortify Software Security Center

administrator.

Changing Your Password

The following procedure describes how to change your password. Note that you can only

change your password if you are logged on using a local account.

Fortify Software Security Center (23.1.0)

Page 198 of 428

User Guide

Chapter 9: Using Fortify Software Security Center

To change your password:

1. Log in to Fortify Software Security Center.

2. At the right end of the Fortify header, click the user profile icon, and then select Change

Password.

The SAVE button in the Change Password dialog box is enabled only after you type a

strong new password that does not include your username or common phrases (names,

movie or song titles, dates, or number or letter sequences). A combination of three or four

unrelated words like "myredhorsedance" can work well. After your password is evaluated as

strong, you can save it, and then log in.

3. Provide your old password, type a new one, and then confirm the new one.

4. If the password strength is acceptable, click SAVE.

Fortify Software Security Center (23.1.0)

Page 199 of 428

User Guide

Chapter 9: Using Fortify Software Security Center

Setting Preferences: System-Wide and Across Application Versions

You can configure preferences for behavior system-wide, and across application versions.

To set system-wide preferences:

1.

On the right side of the Fortify header, click the user profile icon , and then select

Preferences.

2. To set preferences to apply to the entire system, in the PREFERENCES dialog box, under

System-wide Preferences, do the following:

Fortify Software Security Center (23.1.0)

Page 200 of 428

User Guide

Chapter 9: Using Fortify Software Security Center

a. Select the check boxes for the features you want to enable or disable.

b. To apply the YYYY/MMDD date format instead of the default MM/DD/YYYY format,

select it from the Date format list.

c. To apply the 24 Hour time format instead of the default 12 hour AM/PM format, select

it from the Time format list.

3. To set preferences for all application versions, do the following:

Note: To override these settings for a specific application version, go to the

APPLICATION PROFILE dialog box for that application version.

a. To include suppressed issues in the issues list on the AUDIT page, select the Show

suppressed issues check box.

b. To include removed issues on the AUDIT page, select the Show removed issues check

box.

c. To include hidden issues on the AUDIT page, select the Show hidden issues check

box.

d. To display short file names in the issues list on the AUDIT page, select the Use short

file names check box.

4. Click SAVE.

About the Fortify Software Security Center Dashboard

After you log in to Fortify Software Security Center, the dashboard displays data for the

application versions to which you have access and that pose the highest potential business risk

to your organization.

Topics covered in this section:

Exporting Data to Comma-Separated Values Files

Accessing the Fortify Software Security Center API Documentation

Viewing Fortify Software Security Center Keyboard Hotkeys

Issue Stats Page

When you first log in to Fortify Software Security Center, the first thing you see is the ISSUE

STATS page of the Dashboard. This page shows summary information about issues for the

application versions that you can access, including the number of days that it is taking to review

and fix them. To provide a visual cue as to how quickly issues are being handled, the ISSUE

STATS page displays colored bars next to the values for the Average Days to Review and

Average Days to Remediate. A green bar indicates that issues are being managed quickly, a

red bar indicates that issue management is too slow, and an orange bar indicates that issue

management is somewhere between these two extremes.

Fortify Software Security Center (23.1.0)

Page 201 of 428

User Guide

Chapter 9: Using Fortify Software Security Center

Note: If you are an administrator or security lead, you can set the thresholds that determine

what users see when they review information on the Issue Stats page. For details, see

"Configuring Issue Stats Thresholds" on page 77.

If you click an application version listed in the table, Fortify Software Security Center takes you

directly to the AUDIT page for that application version. No filters are applied to the data.

The Dashboard provides three settings that you can use alone or in combination to refine the

summary data displayed.

Selecting a grouping attribute

To group your data based on a single application version attribute, select the attribute from the

Group by list. (The default grouping attribute is the application version.)

In addition to the grouping attribute you selected, the resulting data reflects any attributes you

have selected from the Aggregate by and Filter by lists.

Note: You can achieve finer control over the data displayed if your Group by list includes

custom attributes (of the single-select type). For instructions on how to create custom

attributes, see "Creating Custom Attributes" on page 224.

Fortify Software Security Center (23.1.0)

Page 202 of 428

User Guide

Chapter 9: Using Fortify Software Security Center

Selecting an aggregating attribute

To aggregate the data shown on the Dashboard based on a single application attribute, select

the attribute from the Aggregate by list. The Dashboard displays your data based on the

aggregating attribute, and any attributes you have selected from the Group by and Filter by

lists.

Note: You can achieve finer control over the data displayed if your Aggregate by list

includes custom attributes (of the single-select type). For instructions on how to create

custom attributes, see "Creating Custom Attributes" on page 224.

Selecting one or more filtering attributes

To selectively display data based on an application attributes, select an attribute from the Filter

by list. You can select multiple attributes, but you must select them one at a time.

Fortify Software Security Center (23.1.0)

Page 203 of 428

User Guide

Chapter 9: Using Fortify Software Security Center

The Dashboard displays your data based on the selected filter attributes, and any other

attributes you have selected from the Group by and Aggregate by lists.

Clearing selections from the custom attributes lists

To clear your attribute selection from a list, click the Clear all icon

.

You can export Fortify Software Security Center data displayed on the ISSUE STATS and AUDIT

pages to comma-separated values (CSV) files. For details, see "Exporting Data to Comma-

Separated Values Files" below.

Exporting Data to Comma-Separated Values Files

You can export selected data for an application version or data for all Fortify Software Security

Center application versions to comma-separated values (CSV) files.

Exporting the Dashboard Summary Table

To export the summary table displayed on the Dashboard:

1. On the Fortify header, click DASHBOARD.

2. On the toolbar, click EXPORT.

Note: A missing EXPORT button indicates that your administrator has disabled this

functionality.

3. In the EXPORT CSV dialog box, in the File Name box, type the name for the file.

4. (Optional) In the Notes box, type information about the data you are exporting.

5. Click SAVE.

6. To view the exported result:

a. On the Fortify header, click REPORTS.

b. On the Reports page, click DATA EXPORTS.

c. Specify whether to save or open the file.

d. In the resulting table, move your cursor to the row for the exported file, and then click

the Download icon

.

To determine how long the system retains your CSV files before they are deleted, see the

instructions provided in "Configuring Job Scheduler Settings" on page 128.

Fortify Software Security Center (23.1.0)

Page 204 of 428

User Guide

Chapter 9: Using Fortify Software Security Center

Exporting Selected Data for an Application Version to a CSV File

To export data from the ISSUE STATS or AUDIT page to a CSV file:

1. (Optional) If you are exporting data from the Issue Stats page, you can select attributes to

aggregate or filter by. On the AUDIT page, you can select attributes to filter by.

Note: The EXPORT button is removed if you specify an attribute in the Group by on

either the ISSUE STATS page or the AUDIT page.

2. On the toolbar, click EXPORT.

Note: A missing EXPORT button indicates that your administrator has disabled this

functionality.

3. In the EXPORT CSV dialog box, in the File Name box, type the name for the file.

4. (Optional) In the Notes box, type information about the data you are exporting.

5. Click SAVE.

6. To view the exported result:

a. On the Fortify header, click REPORTS.

b. On the Reports page, click DATA EXPORTS.

c. In the resulting table, move your cursor to the row for the exported file, and then click

the Download icon

.

The CSV file is saved to your Downloads folder.

d. In the status bar, select the arrow next to the CSV file name, and then specify whether

to open the file or view it in the Downloads folder.

Fortify Software Security Center (23.1.0)

Page 205 of 428

User Guide

Chapter 9: Using Fortify Software Security Center

To determine how long the system retains your CSV files before they are deleted, see the

instructions provided in "Configuring Job Scheduler Settings" on page 128.

Accessing the Fortify Software Security Center API Documentation

To access the Fortify Software Security Center API Documentation:

1. On the Fortify header, click the help icon

.

2. In the About Fortify Software Security Center <version> box, click the API Documentation

link.

The FORTIFY SOFTWARE SECURITY CENTER API DOCUMENTATION VERSION <version>

web page opens.

Tip: It is also very useful to leverage a proxy such as the Chrome DevTools to intercept

Fortify Software Security Center traffic and determine the appropriate endpoint call(s) to

make to perform user interface actions.

Fortify Software Security Center (23.1.0)

Page 206 of 428

User Guide

Chapter 9: Using Fortify Software Security Center

Viewing Fortify Software Security Center Keyboard Hotkeys

To view the keyboard hotkeys used to navigate the Fortify Software Security Center user

interface:

1. Log in to Fortify Software Security Center.

2. Do one of the following:

l

At the right end of the Fortify header, click the user profile icon, and then select

Hotkeys.

l

Press the question mark key (?) on your keyboard.

Fortify Software Security Center (23.1.0)

Page 207 of 428

Chapter 10: Managing User Accounts

The topics in this chapter provide information about Fortify Software Security Center user

accounts and how to work with them.

Fortify Software Security Center User Account Management

As described in the secure deployment guidelines, the primary system administrator of a new

Fortify Software Security Center installation creates a non-default Administrator-level account,

and then deletes the default admin account. Use the non-default Fortify Software Security

Center administrator account to create additional Fortify Software Security Center user

accounts.

Fortify Software Security Center supports several default user roles. The following sections

provide information about each of these roles.

This section contains information about Fortify Software Security Center roles, user account

administration, how to register LDAP entities with Fortify Software Security Center, and how to

configure an integration with Microsoft Azure AD.

About Tracking Teams

As an administrator or security lead, you need access to information that enables you to track

and monitor your team’s progress and ensure that good application security practices are in

place and followed. Fortify Software Security Center provides a central point for guiding the

adoption of good security practices. By understanding how information is tracked and reported,

you can accurately measure development team progress based on application security

standards.

About Roles

Roles determine the actions a user can perform in Fortify Software Security Center.

For more fine-grained control over user access to Fortify Software Security Center functionality,

you can create custom roles and assign them permissions from the Fortify Software Security

Center interface. For instructions on how to create a role, see "Creating Custom Roles" on the

next page.

Pre-configured Roles

The following table lists the pre-configured roles you can assign to users in Software Security

Center. For information about how to view the permissions associated with each pre-configured

role, see "Viewing Permission Information for Fortify Software Security Center Roles" on

page 171 .

OpenText Fortify Software Security Center (23.1.0)

Page 208 of 428

User Guide

Chapter 10: Managing User Accounts

Role

Description

Administrator

Has full access to the system and all results

Performs tasks required to execute dynamic scan requests, including:

Application

Security Tester

l

View application versions

l

View and generate reports

l

Process dynamic scans

l

Upload scan results

l

Audit issues

Developer

Manager

Developer responsible for producing security results and taking action to

triage or remediate security issues

Responsible for guiding developers to work on results

Managers cannot create applications but can grant or revoke access to

their team members

Security Lead

View Only

Security team member who can create application versions and users

Can view results, but cannot interfere with the issue triage or the

remediation process.

Example users: system automation account or temporary auditor

WebInspect

Enterprise

System

Can connect a WebInspect Enterprise instance to Fortify Software

Security Center and retrieve issue audit information.

This role is intended for use only by a WebInspect Enterprise instance.

See Also

"About Roles" on the previous page

"Creating Custom Roles" below

Creating Custom Roles

You can define roles of your own and assign them permissions.

To define and configure permissions for a new role:

1. Log in to Fortify Software Security Center as an Administrator, and then, on the Fortify

header, click ADMINISTRATION.

Fortify Software Security Center (23.1.0)

Page 209 of 428

User Guide

Chapter 10: Managing User Accounts

2. In the left pane of the ADMINISTRATION page, select Users, and then select Roles.

3. On the Roles toolbar, click NEW.

4. In the CREATE NEW ROLE dialog box, provide the information described in the following

table.

Important! Except for a new line in the Description field, Name and Description field

values must not start with the characters =, -, +, or @, and must not include control

characters. For a complete list of Unicode characters included in the restricted ranges,

see https://www.aivosto.com/articles/control-characters.html.

Field

Description

Name

Role name

Description

(Optional, but recommended) Role description

Universal

access

To assign the new role access to all application versions, select this

check box.

Note: Fortify strongly recommends that you select universal access

only for administrator-level users.

5. To add permissions (specify the functional areas available to users in this role), click +ADD

PERMISSIONS.

6. In the ADD PERMISSIONS dialog box, scroll through the table and select the check boxes

that correspond to the permissions that you want to grant to the new role.

7. Click DONE.

If any of the permissions you selected requires additional permissions, these are listed next

to a warning sign

.

8. To add the listed dependencies to the new role, click ADD MISSING PERMISSIONS.

The CREATE NEW ROLE dialog box now lists the additional permissions (dependencies).

9. Click SAVE.

Tip: You can also use the ADD MISSING PERMISSIONS to add dependencies when you

edit a custom role.

Fortify Software Security Center checks permissions to guard against states that are known to

be incompatible. If the role and permissions you selected do not conflict, then you are returned

to the Roles page, which displays detailed information about the new role.

Deleting Custom Roles

If a custom role listed on the Roles page is assigned to no user accounts, you can delete that

role.

Fortify Software Security Center (23.1.0)

Page 210 of 428

User Guide

Chapter 10: Managing User Accounts

To delete a role:

1. Log in to Fortify Software Security Center as an Administrator or Security Lead, and then

click ADMINISTRATION.

2. In the left pane of the ADMINISTRATION view, select Users, and then select Roles.

3. In the table, select the check box for the custom roles you want to delete.

4. In the Roles toolbar, click DELETE.

Fortify Software Security Center prompts you to confirm that you want to delete the role.

5. Click OK.

See Also

"Creating Custom Roles" on page 209

Fortify Software Security Center Account Administration

Only users who have Administrator accounts can create new user accounts and edit information

for existing accounts. Use Administrator accounts to manage the Fortify Software Security

Center system. Fortify recommends that you create only the Administrator-level accounts

necessary to create and edit local or LDAP Fortify Software Security Center user accounts. The

Security Lead and lesser accounts can perform all other application-related activities.

Fortify Software Security Center permits the explicit addition of Administrator-level accounts to

application versions. This enables Administrator users to be assigned issues from the AUDIT

page.

Topics covered in this section:

Creating Local User Accounts

211

214

216

Editing Local User Accounts

Unlocking Local User Accounts

Viewing Externally Managed Users and Groups

Creating Local User Accounts

Fortify Software Security Center Administrator-level users can add new local user accounts to

the list of Fortify Software Security Center users.

Important! You cannot create externally managed users from Fortify Software Security

Center. These can only be provisioned using the SCIM API.

To create a Fortify Software Security Center user account:

1. Log in to Fortify Software Security Center as an Administrator, and then, in the Fortify

header, click ADMINISTRATION.

2. In the left pane of the ADMINISTRATION view, select Users, and then select Local Users.

Fortify Software Security Center (23.1.0)

Page 211 of 428

User Guide

Chapter 10: Managing User Accounts

The Local Users page lists local users.

3. In the Local Users toolbar, click +ADD.

4. In the CREATE NEW USER dialog box, provide the information listed in the following table.

Important! Values for fields in the following table marked with an asterisk (*) must not

start with the characters =, -, +, or @, and must not include control characters.

Field or

Check Box

*Username

*First Name

*Last Name

*Email

Description

Username for Fortify Software Security Center logon.

(Optional, but strongly recommended) First name of user.

(Optional, but strongly recommended) Last name of user.

(Optional) Email address of user.

Caution! Although an email address is not required, the user cannot

receive email alerts and notifications unless you provide one.

Password

Password for the new user.

The Password Strength indicator displays the relative strength of the

password you entered. You can save the user account information only if

the password is evaluated as strong or very strong.

Confirm

Password for the new user.

Password

User must

change

Leave this check box selected to require the user to change the

password at the next login to Fortify Software Security Center.

password at

next login

Password

Select this check box to allow the user to use the originally assigned

never expires password until he or she wants to change it.

To require the user to change his or her password every thirty days,

leave this check box cleared.

Suspended

Select this check box to suspend user access to Fortify Software Security

Center.

Fortify Software Security Center (23.1.0)

Page 212 of 428

User Guide

Chapter 10: Managing User Accounts

Field or

Check Box

Description

Roles

(Optional, but strongly recommended) Select the check boxes for all

roles to assign to the user.

Caution! Although this is optional, keep in mind that a user who has

no assigned role cannot access Fortify Software Security Center

unless that user belongs to a local group that does have an assigned

role.

Access

To specify the applications that the new user can access:

Note: If you have assigned the user the role of Administrator or

WebInspect Enterprise System, that user has universal access to all

Fortify Software Security Center applications.

a. To open the SELECT APPLICATION VERSION dialog, click ADD.

b. From the APPLICATION list, select an application to which you want

the user to have access.

The VERSIONS list in the center pane displays all active versions of

the selected application.

c. Select the check boxes for all versions that you want the user to be

able to access. To select all versions, select the Select all check box.

On the right, the SELECTED VERSIONS pane lists the versions you

selected.

d. To add another application version or versions, repeat steps a

through c.

e. Click DONE.

5. Do one of the following:

l

To save your settings and exit the CREATE NEW USER dialog box, click SAVE.

l

To save your settings and create another new user, click SAVE AND ADD ANOTHER.

Fortify Software Security Center adds the user account to the list of local users.

"Unlocking Local User Accounts" on page 216

Fortify Software Security Center (23.1.0)

Page 213 of 428

User Guide

Chapter 10: Managing User Accounts

Editing Local User Accounts

The following procedure describes how to edit the account for local user accounts created from

Fortify Software Security Center, as well as user accounts provisioned using the SCIM API.

To edit a local user account:

1. On the Fortify header, select ADMINISTRATION.

2. In the left pane of the ADMINISTRATION view, select Users, and then click Local Users.

3. To selectively view externally managed users (provisioned using the SCIM API), from the

User type menu, select SSO.

4. Locate the user account you want to edit, and then click the row to expand it and view

account details.

5. Click EDIT.

Fortify Software Security Center (23.1.0)

Page 214 of 428

User Guide

Chapter 10: Managing User Accounts

6. Make any required changes to values in the First Name, Last Name, and Email boxes.

Important! Values for the First Name, Last Name, and Email fields must not start

with the characters =, -, +, or @, and must not include control characters. For a

complete list of Unicode characters included in these restricted ranges, see

https://www.aivosto.com/articles/control-characters.html.

Important! From Fortify Software Security Center, the only changes you can make to

externally-managed user and group accounts are role and application version

assignments. All other configuration (and deletion) must be performed from Azure AD.

7. To change the email address password expiration policy, select or clear the check boxes

below the Email box, as needed.

8. To change the roles assigned to the user, in the Roles section, select or clear the check

boxes for available roles.

9. To remove the user from application versions, in the Access section, select the check boxes

for the application versions, and then click DELETE. To assign the user to different

application versions, click ADD, and then use the SELECT APPLICATION VERSION dialog

box to specify the application versions the user is to work on. (For details, see "Creating

Local User Accounts" on page 211.)

10. To change the password for the user, click CHANGE PASSWORD, and then use the

CHANGE PASSWORD dialog box to specify a new password. (If this is an externally

managed user, the CHANGE PASSWORD button is not available.)

11. Click SAVE.

"Creating Local User Accounts" on page 211

Fortify Software Security Center (23.1.0)

Page 215 of 428

User Guide

Chapter 10: Managing User Accounts

Unlocking Local User Accounts

After a local user tries unsuccessfully to log in to Fortify Software Security Center three times in

a row, Fortify Software Security Center prevents the user from attempting more logins. If email

notifications are enabled, the user receives an email to advise the user that he or she is locked

out and should notify the Fortify Software Security Center administrator. As an administrator,

you can unlock the account for the user.

Note: The locking and unlocking of user accounts does not apply to users provisioned

through the SCIM API.

After a user notifies you that they are locked out of their account, unlock the account as follows:

1. On the Fortify header, select ADMINISTRATION.

2. In the left pane of the ADMINISTRATION view, select Users, and then click Local Users.

3. Bring up the locked user account, expand the row to display account details, and then click

UNLOCK USER.

4. Fortify Software Security Center prompts you to confirm that you want to unlock the

account.

5. Click OK.

"Editing Local User Accounts" on page 214

Viewing Externally Managed Users and Groups

To view externally managed users provisioned using SCIM protocol:

1. Log in to Fortify Software Security Center as a local administrator.

2. On the Fortify header, click ADMINISTRATION.

3. In the left pane, select Users, and then select Local Users.

4. At the top of the Local Users page, from the User type list, select SSO.

Fortify Software Security Center lists the users provisioned using SCIM protocol. The

Externally managed user icon ( ) is displayed next to each username listed in the Local

Users table.

To see the groups pushed to Fortify Software Security Center from Azure AD:

1. Log in to Fortify Software Security Center as a local administrator.

2. In the Fortify header, select ADMINISTRATION, select Users, and then select Local

Groups.

Fortify Software Security Center (23.1.0)

Page 216 of 428

User Guide

Chapter 10: Managing User Accounts

Assigning Roles to Externally Managed Users and Groups

A user or member of a local group provisioned from an identity management service such as

Azure AD cannot access Fortify Software Security Center unless the group has been assigned

one or more roles, or the user is assigned a role individually from the Local Users page.

Note: From Fortify Software Security Center, the only changes you can make to externally-

managed user and group accounts are role and application version assignments. All other

configuration (and deletion) must be performed from Azure AD.

Assign roles to externally managed users and groups just as you would to local users created

through the ADMINISTRATION view.

"Enabling SCIM for Provisioning of Externally Managed Users and Groups" on page 125

"Using SCIM 2.0 and SAML 2.0 to Configure a Connection to Azure AD for User Provisioning" on

page 122

"Configuring Fortify Software Security Center to Work with SAML 2.0-Compliant Single Sign-On"

on page 141

Fortify Software Security Center (23.1.0)

Page 217 of 428

Chapter 11: Applications and Application Versions

To obtain consistent measurement results in Fortify Software Security Center, you define an

application for a single code base. Fortify Software Security Center organizes the iterative

development and remediation of code bases into applications and application versions.

l

An application is a code base that serves as a container for one or more application versions.

If you are working with a new code base, you create a new Fortify Software Security Center

application. Fortify Software Security Center automatically creates the first version of that

application.

l

An application version is an instance of the application or code base that is to eventually be

deployed. It contains the data, auditing, and attributes for a particular version of the

application code base. If you are working with an existing code base, you create new

application versions rather than new applications.

An application version is the base unit for team tracking. It provides a destination for security

results that is useful for getting information in front of developers and producing reports and

performance indicators. Code analysis results for an application version are tracked as shown in

the following table.

Existing Analysis Results

+ New Scan Results

= Trending Results

Results of any previous security

analysis from Fortify Static Code

Analyzer, Fortify WebInspect, or

other analyzer

Merge with the existing

results (from the same

analyzer used to perform

this scan)

Identify security issues

that have been fixed,

and issues that remain.

Mark resolved issues

Identify new issues

Keep unchanged issues

Fortify Software Security Center analysis processing rules verify that the new scan is

comparable to the older scan.

This content provides information about applications and application versions. It contains

instructions for viewing and creating applications, configuring application attributes, assigning

issue templates, and more.

Topics covered in this section:

About Tracking Development Teams

About the Application Creation Process

220

OpenText Fortify Software Security Center (23.1.0)

Page 218 of 428

User Guide

Chapter 11: Applications and Application Versions

Strategies for Creating Application Versions

About Annotating Application Versions for Reporting

Viewing a List of Fortify Software Security Center Applications

About Creating Application Versions

Application Version Attributes

About Issue Templates

Creating the First Version of a New Application

Adding a New Version to an Application

Enabling Auto-Apply and Auto-Predict for an Application Version

Searching Applications and Application Versions from the Applications View

Updating the Application Overview Page

Editing Application Version Details

Using Bug Tracking Systems to Help Manage Security Vulnerabilities

Bug Tracker Configuration

Velocity Templates for Bug Filing

Assigning a Bug Tracking System to an Application Version

Submitting a Bug for a Single Issue

Submitting a Bug for Multiple Issues

Bug State Management

Changing the Template Associated with an Application Version

Setting Analysis Results Processing Rules for Application Versions

About Processing Rules that Affect Instance ID Migration

Configuring Audit Assistant Options for an Application Version

Custom Tags

Adding Custom Tags to the System

Modifying Custom Tag Attributes

Globally Hiding Custom Tags

Deleting Custom Tags

Adding Custom Tag Values

Editing Custom Tags

Deleting Custom Tag Values

Associating Custom Tags with Issue Templates

Fortify Software Security Center (23.1.0)

Page 219 of 428

User Guide

Chapter 11: Applications and Application Versions

Removing Custom Tags from Issue Templates

Assigning Custom Tags to Application Versions

Disassociating a Custom Tag from an Application Version

Managing Custom Tags Through Issue Templates

Managing Custom Tags Through an Issue Template in an FPR File

About Deleting Application Versions

Deactivating Application Versions

Reactivating Application Versions

Deleting an Application Version

About Tracking Development Teams

As an administrator or security lead, you need access to information that enables you to track

and monitor your team’s progress and ensure that good application security practices are in

place and followed. Fortify Software Security Center provides a central point for guiding the

adoption of good security practices. By understanding how information is tracked and reported

through applications and applications versions, you can accurately assess development team

progress based on application security standards.

Topics covered in this section:

About the Application Creation Process

220

Strategies for Creating Application Versions

221

222

About Annotating Application Versions for Reporting

Viewing a List of Fortify Software Security Center Applications

About the Application Creation Process

After you log in to Fortify Software Security Center and start to add a new application, the

CREATE NEW APPLICATION VERSION wizard displays a sequence of steps, each of which

presents the team members responsible for creating the application version with one or more

strategic choices. After the team agrees upon and makes their selections, the security lead can

click FINISH to complete the creation process.

Typically, the security team evaluates and decides on all the options before they actually start

to create the application version. The following sections describe the options displayed on the

wizard screens.

See Also

"Template Selection" on page 231

Fortify Software Security Center (23.1.0)

Page 220 of 428

User Guide

Chapter 11: Applications and Application Versions

"Creating the First Version of a New Application" on page 232

"Adding a New Version to an Application" on page 235

Strategies for Creating Application Versions

As a Security Lead, you might choose to create an application version that allows you to track

vulnerabilities within deployed applications. Security vulnerabilities often occur in areas of code

where different components come together. Although teams may work on different

components, it is a good practice to track the entire software component as one piece. As an

example, suppose that a text manipulation library is safe on its own, and a file access library is

safe on its own. The combination of the text manipulation library and file access library is not

necessarily safe, because one may not know the origin of the text being processed.

Strategies for Packaged Software

For software that ships or is deployed as a concrete version, you might use the following

strategies:

l

If you are creating a brand new application, start a new application version.

l

Create a single application version for each release. For example, the Security Lead or

Development Manager may deactivate past versions in Software Security Center to archive

results and remove them from view. For information about how to deactivate an application

version, see "Deactivating Application Versions" on page 272.

Note: Although a deactivated application version is hidden from view, it still exists in the

database. Deleting all versions of an application deletes the application from the

database altogether.

l

If you are working on an existing application with an evolving code base, create an

application version based on an existing version. For example, Application A has several

versions. Each new version is initiated based on the results of the previous version. Each

successive version is just evolved code (versus a complete rewrite).

Strategies for Continuous Deployment

For applications that use continual deployment, running scans with the -build-label xxxx

flag enables you to identify which source control checkout was scanned (where xxxx represents

the ID from your version control system). Relating scans to source control checkout improves

your ability to determine when individual issues were introduced and remediated.

About Annotating Application Versions for Reporting

Fortify Software Security Center provides a set of application attributes that you can apply to

individual application versions. You can use these attributes to group application versions for

reporting, or to associate application versions with external systems.

Fortify Software Security Center (23.1.0)

Page 221 of 428

User Guide

Chapter 11: Applications and Application Versions

Administrators can customize the base set of application attributes that Fortify Software

Security Center provides. Sample customizations can help organizations track onboarding

progress by application ID, line of business, business unit, or regulatory compliance obligations.

Viewing a List of Fortify Software Security Center Applications

To view a list of all Fortify Software Security Center applications:

l

On the Fortify header, click APPLICATIONS.

About Creating Application Versions

You can create a new Fortify Software Security Center application version for an entirely new

application or create one for existing application version. The following topics provide

instructions for each method:

"About the Application Creation Process" on page 220

"Creating the First Version of a New Application" on page 232

"Adding a New Version to an Application" on page 235

Application Version Attributes

Application versions have business attributes, technical attributes, and organization attributes.

These attributes are metadata that Fortify Software Security Center uses to perform

cross-application comparisons and reporting.

When you create a new application version, the CREATE NEW VERSION wizard guides you

through the selection of required and optional business, technical, and organization application

attributes. The application version cannot be finished until you select values for all required

attributes. For example, to create an application version, you must specify values for the

following attributes:

l

Development phase

l

Development strategy

l

Accessibility

In addition to the default attributes that Fortify Software Security Center provides,

Administrators and Security Leads can create custom attributes to assign to application

versions. Custom attributes are extremely useful when you need to focus on a highly specific

subset of data. For instructions on how to create custom attributes, see "Creating Custom

Attributes" on page 224.

Fortify Software Security Center (23.1.0)

Page 222 of 428

User Guide

Chapter 11: Applications and Application Versions

The following tables list the default set of attributes for Fortify Software Security Center

applications. Note that this list does not include custom attributes that a Fortify Software

Security Center administrator may have added to the system. Attributes marked with an

asterisk are required.

Technical Attribute

Description

*Development Phase

Current phase of development the application

version is in.

*Development Strategy

Staffing strategy used for application

development

*Accessibility

Level of access required to use the application

Application Type

Nature of the code base (library, application, or

application component)

Target Deployment Platform

Interfaces

Deployment platform for the application

Interfaces used to access the application

Languages used to develop the application

Development Languages

Authentication System

System used to authenticate users who try to

access to the application

Organization Attributes

Business Unit

Business unit for which the application is to be

developed or business unit to develop the

application

Industry

Region

Industry for which the application is to be

developed

Geographical location of the development team

Business Risk Attributes

Business Risk

Relative risk (high, medium, or low) the

application poses to the business goals of the

organization

Fortify Software Security Center (23.1.0)

Page 223 of 428

User Guide

Chapter 11: Applications and Application Versions

Business Risk Attributes

Known Compliance Obligations

All known compliance obligations that the

application must meet

Data Classification

Types data to be stored by this application

Direct consumers of the application

Application Classification

Creating Custom Attributes

Fortify Software Security Center comes with technical, organization, and business attributes

that enable administrators and security leads to categorize applications and application

versions. As an administrator or a security lead, you can create your own custom attributes that

can be set for application versions.

Note: You can create custom attributes only if you have either an Administrator or Security

Lead user account.

To create an attribute:

1. Log in to Fortify Software Security Center as an administrator or a security lead.

2. On the Fortify header, click ADMINISTRATION.

3. In the left pane, under Templates, click Attributes.

The Attributes page lists the attributes on the right.

4. Click NEW.

Fortify Software Security Center (23.1.0)

Page 224 of 428

User Guide

Chapter 11: Applications and Application Versions

5. In the CREATE NEW ATTRIBUTE dialog box, provide the information described in the

following table.

Field

Description

Name

Type a descriptive name for the attribute.

Important! If you delete an attribute that Fortify Software Security

Center uses out-of-the-box, and you then create a new attribute

with the same name, database migration may fail.

Description

Type a brief description.

The description is displayed under the attribute field in the CREATE

NEW APPLICATION VERSION wizard.

Required

Hidden

Select this check box to require users to set the attribute that you are

defining here when they create an application template.

Select this check box to prevent the new attribute from being displayed

in the CREATE NEW APPLICATION VERSION wizard.

Caution! If you select Hidden to prevent the attribute from showing

in the CREATE NEW APPLICATION VERSION wizard, you must also

Fortify Software Security Center (23.1.0)

Page 225 of 428

User Guide

Chapter 11: Applications and Application Versions

Field

Description

clear the Required check box.

Category

Select an attribute type. Depending on the category you select, the

attribute is displayed on the Business Attributes step, the Technical

Attributes step, or the Organization Attributes step of the CREATE

NEW APPLICATION VERSION wizard.

Type

Select one of the following control types:

l

To create a text field into which a user can type a single line of text,

select Text - Single Line.

l

To create a list from which a user can select only a single value for the

attribute, select List of Values - Single Selection.

Note: If you create a single-select type attribute, users can select

it from the Group by and Aggregate by lists on the Dashboard

to customize the data they view.

l

To create a list from which a user can select multiple values for the

attribute, select List of Values - Multiple Selection.

l

To create a text field into which a user can type multiple lines of text,

select Text - Multiple Lines.

Note: If you select one of the List of Values types, additional

fields are displayed in which you add the values and their

descriptions, and specify whether or not they are hidden.

l

To create a check box for the attribute, select Boolean.

l

To create a field that accepts an integer value, select Integer.

l

To create a calendar selection control for the attribute, select Date.

Note: This type is not available for a Dynamic Scan Request

attribute.

l

To create a file upload field, select File.

l

To create a file upload control in the Dynamic Scan Request dialog

box, select File.

6. Click SAVE.

Fortify Software Security Center (23.1.0)

Page 226 of 428

User Guide

Chapter 11: Applications and Application Versions

The new attribute is available the next time a user uses the CREATE NEW APPLICATION

VERSION wizard.

For instructions on how to specify custom attributes in existing application versions, see

"Specifying New Custom Attributes for Application Versions" on page 229.

Note: By default, an attribute you create through the Fortify Software Security Center user

interface is deletable. You can use the Fortify Software Security Center API to define a non-

deletable attribute. For information about how to access the API see "Accessing the Fortify

Software Security Center API Documentation" on page 206.

"Application Version Attributes" on page 222

Deleting Attributes and Attribute Values

If an attribute or attribute value is no longer of use, you can often delete it from the Fortify

Software Security Center database, event if it is currently associated with one or more

application versions. Doing so removes all traces of the attribute or attribute value from the

system.

Deleting Attributes

To delete an attribute from the Fortify Software Security Center database:

1. On the Fortify header, select ADMINISTRATION.

2. In the left pane, expand the Templates section, and then select Attributes.

If an attribute can be deleted, the check box to the left of its name is blue. If it cannot be

deleted, the check box to the left of its name is gray, and you cannot select it for deletion.

Fortify Software Security Center (23.1.0)

Page 227 of 428

User Guide

Chapter 11: Applications and Application Versions

To see an explanation of why you cannot delete an attribute, move your cursor over the

check box. (The attribute is either system-defined and non-deletable, or it is user-defined

and has been modified so that it cannot be deleted.)

3. Select the check boxes for the attributes you want to delete, and then click DELETE.

Fortify Software Security Center alerts you to the fact that the selected attributes will be

permanently removed from the system and prompts you to confirm that you want to

continue with the deletion.

4. Click OK.

Note: By default, an attribute you create through the Fortify Software Security Center user

interface is deletable. You can use the Fortify Software Security Center API to define a non-

deletable attribute. For information about how to access the API see "Accessing the Fortify

Software Security Center API Documentation" on page 206 .

Deleting Attribute Values

To delete an attribute value:

1. On the Fortify header, select ADMINISTRATION.

2. In the left pane, expand the Templates section, and then select Attributes.

3. Expand the row for the attribute that has one or more values that you want to delete.

Fortify Software Security Center (23.1.0)

Page 228 of 428

User Guide

Chapter 11: Applications and Application Versions

The In Use column shows which of the values are currently used with one or more

application versions.

4. Click EDIT.

Fortify Software Security Center displays a warning to remind you that any changes you

make can affect application versions with values based on the attribute, and prompts you

to confirm that you want to edit the attribute.

5. Click OK.

6.

Click the trash icon ( ) to the right of the value you want to delete.

Note: You can delete some attribute values, even if they are currently in use by one or

more application versions. However, you cannot delete:

- Values for system-defined list-type attributes that are in use

- Values for system-defined attributes other than list type

- Values that are both in use and that belong to a dynamic scan type attribute

- Values for user-defined attributes designated as non-deletable that are in use

Fortify Software Security Center removes the value without prompting you for

confirmation. If you decide that you prefer not to delete the value, just click CANCEL to

restore it.

Specifying New Custom Attributes for Application Versions

To apply a new custom attribute to an application version:

Fortify Software Security Center (23.1.0)

Page 229 of 428

User Guide

Chapter 11: Applications and Application Versions

1. On the Fortify header, select APPLICATIONS.

2. In the Applications view, expand the row for the application and then select the version for

which you want to specify a new attribute.

Fortify Software Security Center displays the AUDIT page for that version.

3. On the application version toolbar, click PROFILE.

The APPLICATION PROFILE - <application_name> <application_version> window opens to

the ADVANCED OPTIONS section.

4. Click APPLICATION SETTINGS.

5. In the Version Settings section, click the edit icon.

6. On Step 1. GENERAL of the EDIT VERSION wizard, click NEXT.

7. On Step 2. DEFINE ATTRIBUTES AND RISK, select the attribute category (Technical

Attributes, Organization Attributes, or Business Risk Attributes), and then select the

value or values for the custom attribute.

8. Navigate to Step 4 of the wizard, and then click FINISH.

"Editing Application Version Details" on page 241

About Issue Templates

Applications are defined by issue templates, which determine how Fortify Software Security

Center configures and prioritizes the issues uncovered in your application source code.

An issue template contains the following settings:

l

Folder filters—Controls how issues are sorted into the folders

l

Visibility filters—Controls which issues are shown and hidden

l

Folder properties—Name, color, and which filter set it is active in

l

Custom tags—Specifies which audit fields are displayed and the values for each

Fortify Software Security Center comes with pre-designed issue templates that you can either

use as they are, or modify (from Fortify Audit Workbench) to suit your application needs.

To see descriptions of these out-of-the-box issue templates:

1. On the Fortify header, select ADMINISTRATION.

2. In the left pane, select Templates, and then select Issue.

The Issue page lists the issue templates and their descriptions.

You can import a Fortify Software Security Center issue template into Fortify Audit Workbench,

modify it, save it with a new name, and then import it into Fortify Software Security Center. You

can also create a new issue template from scratch in Fortify Audit Workbench. For instructions

Fortify Software Security Center (23.1.0)

Page 230 of 428

User Guide

Chapter 11: Applications and Application Versions

on how to modify or create an issue template in Fortify Audit Workbench, see the Fortify Audit

Workbench User Guide.

Adding Issue Templates to the System

To add an issue template that you created or modified in Fortify Audit Workbench to Fortify

Software Security Center:

1. Log in to Fortify Software Security Center as an administrator.

2. On the Fortify header, click ADMINISTRATION.

3. In the pane on the left, select Templates, and then select Issue.

Fortify Software Security Center lists the system issue templates in a table to the right.

4. Click NEW.

5. In the Name box in the CREATE NEW ISSUE TEMPLATE dialog box, type the template

name.

6. (Optional) in the Description box, type a description that lets users know how to use the

template.

7. Click BROWSE, and then locate and select the new or modified template.

8. Click SAVE.

Creating or Modifying Issue Templates

If you use Fortify Audit Workbench to create a new issue template or modify an existing

template, you must make sure that the template includes the following filter:

For information about how to create or modify issue templates and upload them to Fortify

Software Security Center, see the Fortify Audit Workbench User Guide.

Template Selection

Fortify Software Security Center issue templates provide Fortify client and server products an

optimal means of categorizing, summarizing, and reporting application data. Issue templates

also enable the use of customized application settings at the enterprise level and not just at the

application level.

Although you can change the issue template for an application after you finish creating the

application, your security team must carefully consider its choice of template before completing

the application creation process.

Fortify Software Security Center (23.1.0)

Page 231 of 428

User Guide

Chapter 11: Applications and Application Versions

Creating the First Version of a New Application

A Fortify Software Security Center application version consists of the data and attributes for a

given variant of the application code base. The following procedure describes how to create the

first version of a new application.

To create a new application:

1. Log in to Fortify Software Security Center as either an Administrator or a Security Lead.

2. On the toolbar, click + NEW APPLICATION VERSION.

3. On the GENERAL tab of the CREATE NEW APPLICATION VERSION wizard provide the

information described in the following table.

Important! Values for fields in the following table marked with an asterisk (*) must not

start with the characters =, -, +, or @, and must not include control characters. For a

complete list of Unicode characters included in these restricted ranges, see

https://www.aivosto.com/articles/control-characters.html.

Field

Description

Application Setup

*Application

name

(Required) Type the application name.

Application

description

(Optional)Type a description of the new application.

Version Setup

*Version name

(Required) Type a name for the version.

Version

description

(Optional) Type information about this first version of the

application.

Add to existing

application

a. To use the settings of an existing application version, select this

check box. Otherwise, proceed to step 4.

b. To open the SELECT APPLICATION VERSION dialog box, click

BROWSE.

c. Under APPLICATION, type a string into the search box, and then

click FIND to refine the list of applications, and then select the

application that has the settings you want to use for the new

application.

Fortify Software Security Center (23.1.0)

Page 232 of 428

User Guide

Chapter 11: Applications and Application Versions

Field

Description

The VERSIONS pane on the right lists the active versions of the

selected application.

d. To include inactive versions of the application, select the Show

inactive check box.

e. Select the check box for the version you want, and then click

DONE.

By default, Fortify Software Security Center includes all settings

of the selected application version.

f. To exclude one or more settings, clear the corresponding check

boxes for the settings.

g. To copy over all of the issues associated with the selected

application version, select the Application state check box.

4. Click NEXT to advance to the ATTRIBUTES settings.

5. On the TECHNICAL ATTRIBUTES tab, provide the information described in the following

table.

Field

Description

Development Phase

Development Strategy

Leave New selected.

Select the strategy used to develop the application

version.

Accessibility

Select the value that specifies how the application is to

be accessed.

Application Type

Select the application type.

Target Deployment Platform Select the target deployment platform.

Interfaces

Select the check boxes for the interfaces available to

access the application.

Development Languages

Authentication System

Select the check boxes for the languages used to

develop the application version.

Select the check boxes for the authentication systems

used to access the application.

Fortify Software Security Center (23.1.0)

Page 233 of 428

User Guide

Chapter 11: Applications and Application Versions

6. (Optional) Click the ORGANIZATION ATTRIBUTES tab, and then make the following

selections:

l

From the Business Unit list, select the business unit with which to associate the new

application.

l

From the Industry list, select the industry for which this application is being developed.

l

From the Region list, select the region to associate with the application.

7. (Optional) Click the BUSINESS RISK ATTRIBUTES tab, and then do the following:

a. From the Business Risk list, select the value that best represents the relative risk that

this new application poses to the business goals of your organization.

b. In the Known Compliance Obligations section, select the check boxes for all known

compliance obligations that apply to the new application.

c. In the Data Classification section, select the check boxes for all data classifications

that this application stores.

d. In the Application Classification section, select the check boxes for all consumer types

for which this application is being developed.

8. To advance to the TEMPLATE settings, click NEXT.

9. Under Issue Template, select the check box for a template to set the minimum thresholds

for issue detection. To see a description of a template in the pane to the right, select its

check box.

10. To advance to the ACCESS tab, click NEXT.

11. a. To assign a user from the Fortify Software Security Center database, leave LOCAL

selected.

b. Select the check box for the team member or members you want to assign.

Note: To find a specific user, type a user name into the Search by user name box, and

then click FIND.

Alternatively,

a. To assign a user from the LDAP directory (if LDAP authentication is configured for

your Fortify Software Security Center server), click LDAP, and then, from the View by

list, select the attribute to use to display LDAP entities.

b. Select the check box for the team member or members to assign.

Note: To find a specific user, type a username into the Search by user name box, and

then click FIND.

12. Click SAVE.

Fortify Software Security Center indicates that the application was successfully created.

The new application version is now displayed in the APPLICATIONS view. Once data are

uploaded for the application version, it is also displayed in the DASHBOARD view.

13. Click CLOSE.

Fortify Software Security Center (23.1.0)

Page 234 of 428

User Guide

Chapter 11: Applications and Application Versions

Note: A new application is not listed on the Dashboard until you upload analysis results

(artifacts) for it. However, it is listed in the Applications view. For information about how to

upload artifacts for an application version, see "Uploading Scan Artifacts" on page 295.

Adding a New Version to an Application

A version consists of the data and attributes for a given variant of the application code base.

The following procedure describes how to create a new version of an existing application.

To create a new version of an existing application:

1. Log in to Fortify Software Security Center as either an Administrator or Security Lead.

2. From the Dashboard, click + NEW APPLICATION VERSION.

3. On the GENERAL tab of the CREATE NEW APPLICATION VERSION wizard, under

Application Setup, do the following:

a. Select the Add to existing application check box.

b. Click BROWSE, and then, in the SELECT APPLICATION dialog box, locate and select

the application for which you want to create a new version.

c. Click DONE.

The Application name and Application description fields are populated with the name

and description of the selected application.

4. In the Version Setup section, provide the information described in the following table.

Field

Description

Version name Type a name for the version or select a version name from the list.

Important! Values for fields in the following table marked with an

asterisk (*) must not start with the characters =, -, +, or @, and must

not include control characters. For a complete list of Unicode

characters included in these restricted ranges, see

https://www.aivosto.com/articles/control-characters.html.

Version

description

(Optional) Type descriptive information about this version of the

application.

Use existing

application

version

a. To use the settings of an existing application version, select this

check box. Otherwise, click NEXT to proceed to the ATTRIBUTES

tab.

Fortify Software Security Center (23.1.0)

Page 235 of 428

User Guide

Chapter 11: Applications and Application Versions

Field

Description

b. To open the SELECT APPLICATION VERSION dialog box, click

BROWSE.

c. Locate and select the application that has the settings you want to

use for the new version.

The VERSIONS pane on the right lists the active versions of the

selected application. (To display inactive versions, select the Show

inactive check box.)

d. From the VERSIONS list, select the check box for the version you

want, and then click DONE.

By default, Fortify Software Security Center includes all settings of

the selected application version.

e. To exclude some of the settings, clear one or more of the following

check boxes:

o

Version attributes

o

Custom tags

o

Analysis processing rules

o

User access settings

o

Bug tracker integration settings

f. To copy over all of the issues associated with the selected

application version, select the Application state check box.

5. To proceed to the ATTRIBUTES settings, click NEXT.

6. On the TECHNICAL ATTRIBUTES tab, provide the information described in the following

table.

Field

Description

Development Phase

From this list, select the current development phase of the new

version.

Development Strategy Select the strategy used to develop the new application

version.

Accessibility

Select the value that specifies how the application is to be

accessed.

Fortify Software Security Center (23.1.0)

Page 236 of 428

User Guide

Chapter 11: Applications and Application Versions

Field

Description

Application Type

Select the application type.

Select the target deployment platform.

Target Deployment

Platform

Interfaces

Select the check boxes for the interfaces available to access

the application.

Development

Languages

Select the check boxes for the languages used to develop the

application version.

Authentication System Select the check boxes for the authentication systems used to

access the application.

7. (Optional) Select the ORGANIZATION ATTRIBUTES tab, and then provide the

information described in the following table.

Field

Description

Business Unit

Select the business unit for which the application version is

being developed.

Industry

Region

Select the industry sector to which the application version

applies.

Select the region for which the application version is being

developed.

8. (Optional) Select the BUSINESS RISK ATTRIBUTES tab.

9. From the Business Risk list, select the value that best represents the risk this application

version poses to your organization.

10. Provide the information described in the following table.

Field

Description

Known Compliance

Obligations

Select the check boxes for all of the known compliance

obligations that the application version must meet.

Data Classification

Select the check boxes for all of the data classifications

that apply to the application version.

Fortify Software Security Center (23.1.0)

Page 237 of 428

User Guide

Chapter 11: Applications and Application Versions

Field

Description

Application Classification

Select the check boxes for all of the application

classifications that apply to this application version.

11. To advance to the template setting, click NEXT.

12. Under Issue Template, select the check box for a template to set the minimum thresholds

for issue detection. To see a description of a template displayed in the pane to the right,

select its check box.

Note: The default template is Prioritized High Risk Issue Template.

13. To advance to the ACCESS tab, click NEXT.

14. Under TEAM, do one of the following:

Note: A user in the administrator role already has full access to all applications. You

cannot assign the user to a team unless the user has also been assigned another role.

This is true whether the Administrator is a local user or an LDAP user.

l

To assign a user from the Fortify Software Security Center database, select LOCAL, and

then select the check boxes for the team member or members you want to assign.

Note: To find a specific user, type a user name into the Search by user name box, and

then click FIND.

l

Or, if LDAP authentication is configured for your Fortify Software Security Center server:

a. Click LDAP, and then, from the View By list, select the attribute to use to display

LDAP entities.

b. Select the check box for the team member or members you want to assign.

Note: To find a specific user, type a username into the Search by user name box, and

then click FIND.

15. Click SAVE.

Fortify Software Security Center indicates that the version was successfully created and

adds the new application version to the application versions list.

16. Click CLOSE.

Enabling Auto-Apply and Auto-Predict for an Application Version

If your administrator has configured Audit Assistant, enabled auto-apply system-wide, and

mapped the appropriate primary tag fields in the Custom Tags section of the

ADMINISTRATION view, you can enable auto-apply for a specific application version.

Fortify Software Security Center (23.1.0)

Page 238 of 428

User Guide

Chapter 11: Applications and Application Versions

If you enable auto-apply for an application version, then whenever you use Audit Assistant to

request a prediction on your static analysis issues, Fortify Software Security Center applies

those predictions to your custom tag values.

When Audit Assistant automatically applies custom tag values to issues, the metadata saved for

the issue shows that it was audited by Audit Assistant. A gray gavel displayed next to the

custom tag name enables users to see that Audit Assistant predicted the issue.

To enable auto-apply for an application version:

1. From the Fortify dashboard, select the link for the application version for which you want to

enable auto-apply.

The AUDIT page lists the issues associated with the application version.

2. On the page header, click PROFILE.

3. Select AUDIT ASSISTANT OPTIONS.

Fortify Software Security Center (23.1.0)

Page 239 of 428

User Guide

Chapter 11: Applications and Application Versions

4. To have Audit Assistant automatically send unaudited issues to Fortify Scan Analytics for

assessment, select the Enable auto-predict check box. (For information on auto-

prediction, see "About Audit Assistant Auto-Prediction" on page 86.)

5. Select the Enable auto-apply check box.

If your primary tag values are not mapped to Audit Assistant, Fortify Software Security

Center displays a warning to that effect and advises you to contact your administrator.

6. Click APPLY.

7. Fortify Software Security Center prompts you to confirm that you want to save your

settings.

8. Click OK.

9. Click CLOSE.

Fortify Software Security Center (23.1.0)

Page 240 of 428

User Guide

Chapter 11: Applications and Application Versions

Searching Applications and Application Versions from the

Applications View

To search for a specific application or application version from the Applications view:

1. In the Search Apps and Versions box above the Applications table, type at least part of

the application name or version name for the application or version you want to find.

2. Click Find.

The Applications table lists all application versions that match your search string.

3. To return to the complete Applications table, clear the text in the search box.

Updating the Application Overview Page

If an application version has pending audit information, its Overview page heading displays the

"more information" icon

.

To recalculate the metrics for the application:

l

Click the icon, and then, in the Refresh application metrics dialog, click Refresh now.

The metrics refresh may take some time, depending on current system activity. After the refresh

is complete, the Overview page displays the latest data for the application.

Note: Metrics are also refreshed automatically according to the system schedule.

Editing Application Version Details

To edit the details of an application version:

1. On the Fortify header, click APPLICATIONS.

2. In the Applications table, select the application version to edit.

3.

To the right of the application name on the AUDIT page, click the edit icon .

4. In the EDIT VERSION: <version> window, click a tab to edit values in any of the fields

described in "Adding a New Version to an Application" on page 235.

5. After you make your changes, click SAVE.

Fortify Software Security Center (23.1.0)

Page 241 of 428

User Guide

Chapter 11: Applications and Application Versions

Using Bug Tracking Systems to Help Manage

Security Vulnerabilities

Developers fixing software defects often use a bug tracking system to help manage their

workload. Security vulnerabilities are a type of bug, and getting vulnerability information into

the bug tracking system helps developers take appropriate remediation measures, in line with

other development activities. The result is more security awareness and faster remediation of

security issues.

From Software Security Center, you can map to any of several bug tracking systems, so that

your development team can file bugs into the bug tracking system you already use.

When a developer files a bug, Software Security Center populates bug tickets with the following

basic vulnerability information:

l

Details that describe the type of issue uncovered

l

Remediation guidance, with instructions on the action to take

l

A link back to Software Security Center for complete issue details

Topics covered in this section:

Bug Tracker Configuration

Velocity Templates for Bug Filing

Assigning a Bug Tracking System to an Application Version

Submitting a Bug for a Single Issue

Submitting a Bug for Multiple Issues

Bug State Management

Bug Tracker Configuration

To enable a team to access and use a bug tracking system from Fortify Software Security

Center, a security lead or development manager must configure Fortify Software Security

Center to connect to a bug tracker instance. Either the developer or security lead can then

submit bugs to address important security issues.

If you are a security lead or development manager, you can enable team access to your bug

tracking system as follows:

1. Edit the application version details.

2. Configure the bug tracker.

See Also

Fortify Software Security Center (23.1.0)

Page 242 of 428

User Guide

Chapter 11: Applications and Application Versions

"Velocity Templates for Bug Filing" below

"Managing Bug Tracker Plugins" on page 161

"Authoring Bug Tracker Plugins" on page 406

Velocity Templates for Bug Filing

Text-based fields for filing bugs in Fortify Software Security Center can be associated with

Apache Velocity templates that reference issue data. When you submit a bug for one or more

issues, the content for the mapped fields is generated using the corresponding template and

data from the issues.

Fortify Software Security Center provides pre-defined templates for the summary and

description fields of the supported bug tracker plugins that ship with Fortify Software Security

Center. You can edit these pre-defined templates or add templates that map other text-based

fields that the plugin provides.

This section contains the following topics:

"Adding Velocity Templates to Bug Tracker Plugins" below

"Customizing Velocity Templates for Bug Tracker Plugins" on the next page

"Deleting Velocity Templates" on page 246

Adding Velocity Templates to Bug Tracker Plugins

Fortify Software Security Center provides pre-defined templates for the summary and

description fields of the supported bug tracker plugins that ship with Fortify Software Security

Center. You can edit these templates or add templates that map other text-based fields that the

plugin provides.

Important! Before you add a new template or edit an existing one, make sure that you

review the pre-defined templates carefully to understand how to correctly reference

variables within the template.

As you create (or edit) a template, keep the following in mind:

l

To avoid runtime errors, Fortify strongly recommends that you validate variables in your

template before you render them. (See the pre-defined templates for examples of how to use

a macro.)

l

Use conditionals if you want to render content differently for a single-issue bug (as opposed

to a bug that includes multiple issues).

To add a Velocity template to a bug tracker plugin:

1. On the Fortify header, select ADMINISTRATION.

2. In the left pane, select Templates, and then select Bug Filing.

The Bug Filing page lists the template groups for supported bug trackers.

Fortify Software Security Center (23.1.0)

Page 243 of 428

User Guide

Chapter 11: Applications and Application Versions

3. In the table, click the row that shows the template group for your bug tracker plugin.

The row expands to display details for the pre-defined templates mapped to the

description and summary fields for the plugin.

4. Click EDIT.

5. Click + ADD FIELD.

6. In the Mapped field box in the ADD TEMPLATE dialog box, type the name of the field to

map, as it appears in the bug tracker plugin dialog box. (Note that you can map only text-

based fields.)

7. In the Template box, type your Velocity Template Language (VTL) statement for the

mapping.

For information about format the VTL statement, click the Editing tips link. To access full

instructions on how to write the statement, click the Velocity User Guide link. This takes

you to the Apache Velocity Project website. To see a list of all available variables, click

SHOW VARIABLES .)

Note: Not all variables are available for all issues. In particular, verbose content

such as “ATTRIBUTE_COMMENTS,” “ISSUE_DETAIL,” and “ISSUE_

RECOMMENDATION” is available only if you are filing a bug for a single issue.

8. Click APPLY.

9. To add another template, repeat steps 5 through 8.

10. Click SAVE.

On the Bug Filing page, the details for the bug tracking plugin now include your new template.

"Customizing Velocity Templates for Bug Tracker Plugins" below

"Bug Tracker Configuration" on page 242

"Deleting Velocity Templates" on page 246

Customizing Velocity Templates for Bug Tracker Plugins

To customize the Velocity template for a bug tracker plugin:

1. On the Fortify header, select ADMINISTRATION.

2. In the left pane of the ADMINISTRATION page, select Templates, and then select Bug

Filing Templates.

3. In the table on the right, click the template group for the bug tracker plugin you use.

The row expands to display details for the pre-configured Velocity templates that are

mapped to the description and summary fields that the plugin provides.

4. Click EDIT.

Fortify Software Security Center (23.1.0)

Page 244 of 428

User Guide

Chapter 11: Applications and Application Versions

5. To the right of the mapped field you want to modify, click the Edit field icon.

6. To see useful tips on how to edit the template, click Editing tips. To access detailed

instructions on how to modify the template, click the Velocity User Guide link. This takes

you to the Apache Velocity Project website. To see a list of all available variables, click

SHOW VARIABLES .

7. Make any necessary changes to the content in the Mapped field and Template boxes.

8. Click APPLY.

9. Click SAVE.

The details displayed for the bug tracker plugin now include your changes.

"Velocity Templates for Bug Filing" on page 243

"Adding Velocity Templates to Bug Tracker Plugins" on page 243

Fortify Software Security Center (23.1.0)

Page 245 of 428

User Guide

Chapter 11: Applications and Application Versions

Deleting Velocity Templates

If a bug tracker plugin is not associated with any application versions, you can delete its

associated template group.

To delete the templates group associated with a bug tracker plugin:

1. On the Fortify header, select ADMINISTRATION.

2. In the left pane of the Bug Filing page, select Templates, and then select Bug Filing.

3. In the list of template groups , click the name of your bug tracker plugin.

The row expands to display details for the pre-configured templates mapped to the

description and summary fields that the plugin provides.

4. Click DELETE.

Fortify Software Security Center prompts you to confirm that you want to delete the

template group.

Caution! Fortify strongly recommends that you not delete the pre-defined template

groups.

5. To continue with the deletion click OK.

The Bug Filing page no longer lists the velocity templates for the bug tracker plugin.

"Adding Velocity Templates to Bug Tracker Plugins" on page 243

"Customizing Velocity Templates for Bug Tracker Plugins" on page 244

Assigning a Bug Tracking System to an Application Version

Use the following procedure to assign a bug tracking system to an application version. Before

you can do this, the bug tracker plugin must already be in the system. For information about

how to add a bug tracker to Fortify Software Security Center, see "Managing Bug Tracker

Plugins" on page 161.

To integrate with a bug tracking system:

1. On the Fortify header, click APPLICATIONS.

2. In the Applications table, click the application version to which you want to assign a bug

tracker.

The AUDIT page for the selected application version lists the issues with the version.

3. At the upper right, click PROFILE.

4. In the APPLICATION PROFILE - <Application_Name><Application_Version> dialog box,

click the BUG TRACKER tab.

Fortify Software Security Center (23.1.0)

Page 246 of 428

User Guide

Chapter 11: Applications and Application Versions

5. From the Bug Tracker Integration list, select the application to use for tracking bugs for

this application version.

6. Complete the required fields, and then click VALIDATE CONNECTION.

7. In the TEST BUG TRACKER PLUGIN CONFIGURATION dialog box, type your bug tracker

authentication credentials, and then click TEST.

After Fortify Software Security Center verifies your connection to your bug tracker, it

displays a message to indicate that the test was successful.

8. Click OK.

You can enable bug state management for the application version. With bug state

management enabled, Fortify Software Security Center can update bugs as the states of

the issues within those bugs change.

9. (Optional) To enable bug state management, select the Bug state management check

box.

10. In the Username and Password boxes, provide the credentials for your bug tracker, and

then click APPLY.

The SUCCESS dialog box advises you that bug configuration was successful.

11. Click OK.

12. Click CLOSE.

See Also

Fortify Software Security Center (23.1.0)

Page 247 of 428

User Guide

Chapter 11: Applications and Application Versions

"About Bug Tracker Integration" on page 159

"Managing Bug Tracker Plugins" on page 161

"Submitting a Bug for Multiple Issues" on the next page

"Authoring Bug Tracker Plugins" on page 406

Submitting a Bug for a Single Issue

If a bug tracking plugin is specified for an application version (see "Assigning a Bug Tracking

System to an Application Version" on page 246), you can use that bug tracker to submit bugs

that cover one or multiple issues.

To submit a bug for a single issue:

1. From the AUDIT page for an application version, expand the row for an issue for which you

want to submit a bug.

2. Click FILE BUG.

Note: If the FILE BUG button is not available, a bug tracker may not have been

assigned to the application version. (To address this, see "Managing Bug Tracker

Plugins" on page 161 and "Assigning a Bug Tracking Sys tem to an Application Ve rsion"

on page 246 .)

Note too, that if a bug is already submitted for the issue, you cannot submit a new bug

against it.

3. In the FILE ISSUES (1) dialog box, under Login, provide the username and password for the

bug tracker associated with this application version, and then click LOGIN.

Fortify Software Security Center retains your credentials for the duration of your work

session so you do not have to provide them to file additional bugs during that session.

The Login section displays the fields for the bug tracker specified for the application

version.

4. Provide input for all fields required for the bug tracker, and then click SUBMIT.

Fortify Software Security Center (23.1.0)

Page 248 of 428

User Guide

Chapter 11: Applications and Application Versions

After a successful submission, a bug icon is displayed for the issue in the Bug submitted

column of the issues table.

"Viewing Bugs Submitted for Issues" on page 341

Submitting a Bug for Multiple Issues

If a bug tracking plugin has been specified for an application version (see "Assigning a Bug

Tracking System to an Application Version" on page 246), you can submit bugs that cover one

or multiple issues. (For information about how to file a bug for just one issue, see "Submitting a

Bug for a Single Issue" on the previous page.)

To submit a single bug that covers multiple issues:

1. From the AUDIT page for an application version, select the check boxes for all issues that

you want to include in a bug, and then, above the issues table, click the File Bug icon

.

Note: If, after you select check boxes, the File Bug icon is not visible, you first need to

set up a bug tracker for the application version. (See "Assigning a Bug Tracking System

to an Application Version" on page 246.)

Note: If a bug was previously submitted for a selected issue, you cannot submit a new

bug against that issue. The FILE ISSUES dialog box displays the message, "Some

selected issues have already been filed and will be ignored," and displays a bug icon

for the issue in the Previously Filed column.

2. In the FILE ISSUES dialog box , under Login, provide the username and password for the

bug tracker associated with this application version, and then click LOGIN.

Fortify Software Security Center (23.1.0)

Page 249 of 428

User Guide

Chapter 11: Applications and Application Versions

Fortify Software Security Center retains your credentials for the duration of your work

session so you do not have to provide them to file additional bugs during that session.

The Login section displays the fields for the bug tracker specified for the application

version.

3. Provide input for all required fields, and then click SUBMIT.

After a successful submission, a bug icon is displayed for the selected issues in the Bug

submitted column of the issues table.

"Viewing Bugs Submitted for Issues" on page 341

Bug State Management

Bug state management enables Fortify Software Security Center to make specific updates to

bugs as the states of the issues within those bugs change. Fortify Software Security Center

checks new security scans to determine whether filed bugs are to remain open, or can be closed.

If scan results indicate that one of more security issues associated with a previously submitted

bug persist (and match the selection criteria), Fortify Software Security Center checks the bug

tracking system to ensure that the bug is in a valid open state and, if necessary, reopens the

bug.

If all issues associated with a bug are removed (either because the issues were remediated or no

longer match the selection criteria), Fortify Software Security Center updates the bug to

indicate that stakeholders may resolve or close this ticket. To enable auditing and traceability,

Fortify Software Security Center does not automatically resolve or close bugs.

For instructions on how to enable bug state management for an application version, see

"Assigning a Bug Tracking System to an Application Version" on page 246.

Changing the Template Associated with an Application

Version

You can modify many settings for an existing application version, including its issue template.

However, keep in mind that assigning a different issue template to an application version or

updating an issue template on the server results in loss of synchronization between the

database cache and existing audit sessions.

Caution! Fortify recommends that you change the template associated with an application

version only if no results have yet been processed for that application version. If you change

the issue template for an application version for which results have already been processed,

Fortify Software Security Center does not recalculate the issue metrics and metrics

generated based on the previously assigned template are unavailable and cannot be

deleted.

Fortify Software Security Center (23.1.0)

Page 250 of 428

User Guide

Chapter 11: Applications and Application Versions

To change the template associated with an application version:

1. Log in to Fortify Software Security Center as either an Administrator or Security Lead.

2. From the Dashboard ISSUE STATS page, click the name of the application version you want

to modify.

3. On the application version toolbar of the AUDIT page, click PROFILE.

4. In the APPLICATION PROFILE <application_version> dialog box, click APPLICATION

SETTINGS.

5.

Under Version Settings, click the edit icon .

Caution! Changing the template can alter the metrics calculated for the application

version. Existing metrics will not be recalculated.

6. In the EDIT VERSION dialog box, click the TEMPLATE tab.

In the list of templates, the currently assigned template is marked as selected.

Fortify Software Security Center (23.1.0)

Page 251 of 428

User Guide

Chapter 11: Applications and Application Versions

7. Select the check box for the template you prefer to use for the application version.

8. Click SAVE.

After you change the template, Fortify Software Security Center invalidates any auditing

session of the affected application version (for example, by a different user) and displays an

error message to advise you that the application version audit session must be restarted.

Note: A Fortify Audit Workbench user auditing the affected application version does

not see this information.

Setting Analysis Results Processing Rules for Application

Versions

Analysis results processing rules enable management approval and oversight of code scans.

You can specify the rules to be followed when analysis results for an application version are

processed during scan artifact uploads.

To configure the analysis results processing rules for an application version:

1. Log in to Fortify Software Security Center as an administrator, and then, on the Dashboard,

click the link for the application version for which you want to configure the processing

rules for analysis results.

2. On the application version toolbar of the AUDIT page, click PROFILE.

3. In the APPLICATION PROFILE - <Application_Version> dialog box, select the PROCESSING

RULES tab, and then review the listed processing rules.

4. Select or clear the check boxes for the processing rules you want to apply to the application

version. These rules are described in the following table.

Rule

Description

Require approval if the Build Project is

different between scans

Fortify Software Security Center compares

the Build Project for the scan and the scan

that preceded it. If the Build Projects differ,

management approval is required before

the scan can be uploaded.

Check external metadata file versions in

scan against versions on server

If a user attempts to upload an FPR file,

Fortify Software Security Center compares

the external metadata version for the file

with the external metadata version on the

Fortify Software Security Center server. If

the external metadata version for the FPR

Fortify Software Security Center (23.1.0)

Page 252 of 428

User Guide

Chapter 11: Applications and Application Versions

Rule

Description

file is later (higher) than the external

metadata file version on the server, Fortify

Software Security Center requires approval

for the file upload. If the external metadata

version for the FPR file is earlier (lower)

than, or the same as, the external metadata

file version on the server, then Fortify

Software Security Center allows the FPR

file upload.

Require approval if file count differs by

more than 10%

Fortify Software Security Center compares

the file count for the scan and the scan that

preceded it. If the count differs by more

than ten percent, management approval is

required before the scan can be uploaded.

Perform Force Instance ID migration on

upload

A newer version of Fortify Static Code

Analyzer or of a Rulepack can change an

instance ID from one created in a previous

scan by an older version of Fortify Static

Code Analyzer (or a Rulepack). Both

instance IDs identify the same issue. When

enabled, this rule migrates old instance IDs

to the corresponding new instance IDs,

even if the Fortify Static Code Analyzer

version (or Rulepack) versions are the

same. For detailed information about how

this rule works, see "About Processing

Rules that Affect Instance ID Migration" on

page 257 .

Require approval if result has Fortify Java Fortify Software Security Center checks the

Annotations

results to determine whether they include

Fortify Java annotations. If Fortify Software

Security Center finds any of the

annotations, management approval is

required before the scan can be uploaded.

Fortify Software Security Center (23.1.0)

Page 253 of 428

User Guide

Chapter 11: Applications and Application Versions

Rule

Description

Require approval if line count differs by

more than 10%

Fortify Software Security Center compares

the line count for the scan and the scan

that preceded it. If the count differs by

more than ten percent, management

approval is required before the scan can be

uploaded.

Automatically perform Instance ID

migration on upload

A newer version of Fortify Static Code

Analyzer or of a Rulepack can change an

instance ID from one that was created in a

previous scan by an older version of Fortify

Static Code Analyzer or a Rulepack. Both

instance IDs identify the same issue. When

enabled, this rule automatically migrates

old instance IDs to the corresponding new

instance IDs to preserve the history of the

issues. (It is sometimes useful to disable

this rule as a troubleshooting measure for

customer support.)

For detailed information about how this

rule works, see "About Processing Rules

that Affect Instance ID Migration" on

page 257 .

Require approval if the engine version of a Fortify Software Security Center checks to

scan is newer than the engine version of

the previous scan

determine whether any scan engine

(Fortify Static Code Analyzer, Fortify

WebInspect, Fortify WebInspect Agent)

version is newer than the one already used

in the application. If it detects newer

versions, it flags the upload for

management approval.

Ignore SCA quick scan results and SCA

Blocks the processing of Fortify Static Code

speed dial results performed with a setting Analyzer scans done in quick can mode,

of less than four.

which searches for high-confidence,

high-severity issues. This rule also prevents

Fortify Software Security Center (23.1.0)

Page 254 of 428

User Guide

Chapter 11: Applications and Application Versions

Rule

Description

the upload of speed dial analysis results

performed at a level of less than four.

To enable the uploading speed dial analysis

results, clear this check box.

Caution! After you choose between

uploading a full scan or uploading

speed dial analysis results, Fortify

recommends that future scan results

uploaded for the application version be

of the same type.

Require approval if the Rulepacks used in Fortify Software Security Center checks to

the scan do not match the Rulepacks used determine whether you have added or

in the previous scan

removed a Rulepack, and whether a

Rulepack version has changed. If it detects

that a Rulepack has been added, removed,

or updated, it flags the upload for

management approval.

Require approval if Fortify SCA or Fortify

WebInspect Agent scan does not have

valid certification

Fortify Software Security Center checks to

see that a Fortify Static Code Analyzer or

WebInspect Agent scan has valid

certification. If the certification is not valid,

then someone may have tampered with the

results in the upload. If the certification is

missing, it is not possible to detect

tampering. If certification is missing or is

not valid, the rule requires management

approval.

Require approval if result has analysis

warnings

Fortify Software Security Center checks to

see whether a Fortify Static Code Analyzer

or Fortify WebInspect Agent scan contains

analysis warnings. If it detects analysis

warnings, the rule requires management

approval.

Fortify Software Security Center (23.1.0)

Page 255 of 428

User Guide

Chapter 11: Applications and Application Versions

Rule

Description

Note: This rule applies only to the first

upload of a given results file, and does

not apply to subsequent uploads of the

file. For example, if audit Information is

added to a previously-uploaded FPR

file that contains analysis warnings,

Fortify Software Security Center does

not require management approval

when the changed file is again

uploaded.

Warn if audit information includes

unknown custom tag

If audit information includes an unknown

custom tag, the rule requires management

approval.

Require the issue audit permission to

upload audited analysis files

If a user attempts to upload audited

analysis files, but does not have the

permissions required to audit issues (edit

custom tag values for issues, add

comments to issues, and suppress and

unsuppress issues), this rule blocks the

upload.

Disallow upload of analysis results if there If an analysis result still requires approval,

is one pending approval

this rule blocks its upload.

Disallow approval for processing if an

earlier artifact requires approval

If an earlier scan artifact requires approval,

and was not approved, this rule blocks the

user from approving the current scan

artifact.

If this processing rule is not selected, then

when a user approves the current FPR, all

previous FPRs are automatically approved.

Fortify Software Security Center prompts you to confirm that you want to save the settings

for analysis result processing rules.

5. Click APPLY.

Fortify Software Security Center (23.1.0)

Page 256 of 428

User Guide

Chapter 11: Applications and Application Versions

About Processing Rules that Affect Instance ID Migration

Two processing rules affect instance ID migration; Perform Force Instance ID migration on

upload, and Automatically perform Instance ID mi gration on upload . It is useful to understand

how these are used.

An issue instance ID can mutate for any one of the following reasons:

l

The IID-generation algorithm changes with a new Fortify Static Code Analyzer version

l

Use of a new Rulepack versions

l

Changes to scan settings (For example, using extra rules are specified for a scan.)

l

Vulnerable code is duplicated (For example, the same vulnerable code is copied and pasted

multiple times in an application version. In this case, Fortify Static Code Analyzer generates a

unique instance ID for the first duplicate fragment, and then increments this generated

instance ID for all remaining duplicated fragments. So, two separate scans can produce

different instance IDs for the same code fragments, depending on the order in which the two

scans uncover them.)

The Automatically perform Instance ID migration on upload rule addresses issue instance ID

mutation that results either from an IID-generation algorithm change with a new Fortify Static

Code Analyzer version, or from a change in Rulepack version. For example, Fortify Software

Security Center detects that the Fortify Static Code Analyzer version used in the latest scan is

newer than the version used for previous scans. With "Automatically perform Instance ID

migration on upload" selected, Fortify Software Security Center runs the migration. If Fortify

Software Security Center detects no changes in the Fortify Static Code Analyzer version used, it

does not run the migration (even if "Automatically perform Instance ID migration on upload" is

selected).

The Perform Force Instance ID migration on upload rule addresses instance ID mutation that

results from changes in scan settings or from vulnerable code duplication. Fortify Software

Security Center can easily determine whether the Fortify Static Code Analyzer version or

Rulepack version has changed. If Fortify Software Security Center detects such a change, it

performs the migration automatically. However, in other cases (duplicate code, scan settings),

Fortify Software Security Center cannot make this determination. You can use this processing

rule to force Fortify Software Security Center to perform the migration in such cases.

If you suspect that the issue instance ID changed as a result of either changes in scan settings

or vulnerable code duplication, Fortify recommends that you select the Perform Force Instance

ID migration on upload processing rule.

Note: Instance ID migration takes a noticeable amount of time, which is why these two rules

exist. Because you may not really want to run IID migration every time, these rules let you

determine whether or not to run instance ID migration after each scan upload.

See Also

"Approving Analysis Results for an Application Version" on page 300

Fortify Software Security Center (23.1.0)

Page 257 of 428

User Guide

Chapter 11: Applications and Application Versions

Configuring Audit Assistant Options for an Application

Version

To configure Audit Assistant options for an application version:

1. Check to make sure that Fortify Software Security Center has been configured to use Audit

Assistant with your applications. (See "Configuring Audit Assistant" on page 84.)

2. From the Dashboard, select the application version for which you want to configure Audit

Assistant options.

3. On the AUDIT page, click PROFILE.

The APPLICATION PROFILE - <application_name> <application_version> window opens to

the ADVANCED OPTIONS section.

4. Click AUDIT ASSISTANT OPTIONS.

5. From the Application version prediction policy list, select the prediction policy that you

want Audit Assistant to apply to this application version.

Note: You can specify an application version prediction policy only if the Enable

specific application version policies option is enabled system-wide. (See "Configuring

Audit Assistant" on page 84.) Otherwise, Audit Assistant uses the default prediction

policy.

If you choose not to specify a prediction policy for the application version, Audit

Assistant uses the default prediction policy.

6. To have Audit Assistant automatically send unaudited issues for this application version to

the Fortify Scan Analytics server for assessment, select the Enable auto-prediction check

box.

Note: The Enable auto-prediction and Enable auto-apply check boxes are available

only if those audit settings are enabled system-wide. (See "Configuring Audit Assistant"

on page 84.)

7. To have Audit Assistant automatically assign predicted values from the Scan Analytics

server to the mapped custom tag values, select the Enable auto-apply check box.

8. Click APPLY.

Custom Tags

To audit code in Fortify Software Security Center, the security team examines analysis results

and assigns values to “tags” that are associated with application issues. The development team

can then use these tag values to determine which issues to address and in what order.

Fortify Software Security Center (23.1.0)

Page 258 of 428

User Guide

Chapter 11: Applications and Application Versions

Fortify Software Security Center provides a single default tag named “Analysis” to enable

application auditing out of the box. Valid values for the Analysis tag are Exploitable, Not an

Issue, Suspicious, Reliability Issue, and Bad Practice. You can modify the Analysis tag attributes,

revise the tag values, or add new tag values based on your auditing needs.

To refine your auditing process, you can define your own custom tags. Like the Analysis tag,

your custom tag definitions are stored in an issue template that you can associate with an

application version. For example, you could create a custom tag used track the sign-off process

for an issue. After a developer audits the issues to which he or she is assigned, a security expert

can review those issues and mark each as “approved” or “not approved.”

Note: Fortify Audit Workbench users can add custom tags to their projects as they audit

them. However, if these custom tags are not defined in Fortify Software Security Center for

the issue template associated with the corresponding application version, then the new

custom tags are lost after the Audit Workbench user uploads an FPR file to Fortify Software

Security Center.

Topics covered in this section:

Adding Custom Tags to the System

Modifying Custom Tag Attributes

Globally Hiding Custom Tags

Deleting Custom Tags

Adding Custom Tag Values

Editing Custom Tags

Deleting Custom Tag Values

Associating Custom Tags with Issue Templates

Removing Custom Tags from Issue Templates

Assigning Custom Tags to Application Versions

Disassociating a Custom Tag from an Application Version

Managing Custom Tags Through Issue Templates

Managing Custom Tags Through an Issue Template in an FPR File

Adding Custom Tags to the System

If you are a Fortify Software Security Center administrator, you can add custom tags to the

system. The following topics describe how to add each of the supported custom tag types to

Fortify Software Security Center.

Note: You can filter issues based on the values for custom tags you create and assign to an

application version. For information, see "Filtering Issues for Display on the OVERVIEW and

AUDIT Pages" on page 315.

Fortify Software Security Center (23.1.0)

Page 259 of 428

User Guide

Chapter 11: Applications and Application Versions

To add a custom tag:

1. On the Fortify header, click ADMINISTRATION.

2. In the left pane of the ADMINISTRATION view, select Templates, and then select Custom

Tags.

3. On the Custom Tags page header, click NEW.

4. In the CREATE NEW CUSTOM TAG dialog box, type a name for the new tag in the Name

box.

Important! Make sure that the name you specify for a custom tag is not a database

reserved word.

5. (Optional) In the Description box, type content that describes how to use the custom tag.

6. From the Type list, select one of the tag types listed in the following table.

Type

Values Accepted

Date

Calendar date in the format specified in the PREFERENCES dialog box (see

"Setting Preferences: System-Wide and Across Application Versions" on

page 200 ).

Decimal

Number with a precision of up to 18 (up to 9 decimal places)

Fortify Software Security Center (23.1.0)

Page 260 of 428

User Guide

Chapter 11: Applications and Application Versions

Type

List

Values Accepted

Selection from the list of values that you specify for the tag

Text

String with up to 500 characters (HTML/XML tags and newlines are not

allowed)

7. (Optional) Select any or all of the following optional tag features:

l

To allow only users with specific permission (managers, security leads, administrators)

to modify the tag, select the Restricted check box.

l

(List-type only) A list-type custom tag can be extensible, which means that auditors can

add values to it as they audit issues. To enable users to add new values to the list tag

during audits, select the Extensible check box.

l

To prevent the display of the tag in the ASSIGN dialog box or in Audit Workbench, select

the Hidden check box.

l

To require users to leave a comment whenever the value of this custom tag changes,

select the Requires comment check box. If a custom tag that requires a comment is

changed, the system automatically adds a comment to indicate the changes made to the

tag.

Note: If the new custom tag that requires a comment is a date-type tag, the date

users select for the tag while auditing is always in the format specified in the

PREFERENCES dialog box.

8. If your new custom tag is a date-, decimal-, or text-type tag, click SAVE. If your new custom

tag is a list-type tag, continue to the next step.

Fortify Software Security Center (23.1.0)

Page 261 of 428

User Guide

Chapter 11: Applications and Application Versions

9. (Required) To specify a value for the new tag:

a. Click + ADD.

b. In the ADD VALUE dialog box, type a value in the Name box.

A value can be a discrete attribute for the issue that this tag addresses. For example,

you might specify that this custom tag addresses a due date or server quality issue.

c. (Optional) In the Description box, type a description of what the value represents.

d. To prevent the tag from being displayed in the Assign dialog box and in Audit

Workbench, select the Hidden check box.

e. Click APPLY.

f. Repeat these steps (a through f) until you have defined all of the values you need for

the new custom tag.

10. (Optional) From the Default Value list, select the default value for this tag. (If the custom

tag has a default value, then issues with no value set for the tag acquire that default value.

If no default value is defined, then the tag value is empty.)

Note: You can designate a list-type tag as the primary tag for auditing an application

version after you assign it to an application version. For instructions on how to assign a

tag to an application version, see "Assigning Custom Tags to Application Versions" on

page 269.

11. If Fortify Software Security Center is integrated with Audit Assistant, it is important that

you provide Audit Assistant with information that it can use to distinguish list tag values

that signify true issues from those that signify non issues (true positives versus false

positives). You do this in the Audit Assistant Training section of the CREATE NEW

CUSTOM TAG dialog box, where the Non-Issue list initially contains all values you added

for the new tag.

Fortify Software Security Center (23.1.0)

Page 262 of 428

User Guide

Chapter 11: Applications and Application Versions

12. (For a Fortify Software Security Center instance integrated with Audit Assistant only) From

the Non-Issue list, select at least one tag value which, if selected, indicates a true

vulnerability (use the Ctrl and Shift keys to select multiple values) and use the right-

pointing arrow to move the selection to the True Issue list.

Important! The Non-Issue list and the True Issue list must each contain at least one

value.

13. Click SAVE.

Note: To use a new custom tag to audit application version issues, you must first assign the

tag to the application version. For instructions, see "Assigning Custom Tags to Application

Fortify Software Security Center (23.1.0)

Page 263 of 428

User Guide

Chapter 11: Applications and Application Versions

Versions" on page 269.

Values" on page 87

"Globally Hiding Custom Tags" below

"Deleting Custom Tags" on the next page

"Custom Tags" on page 258

"Editing Custom Tags" on page 267

"Associating Custom Tags with Issue Templates" on page 268

"Managing Custom Tags Through Issue Templates" on page 271

"Managing Custom Tags Through an Issue Template in an FPR File" on page 271

Modifying Custom Tag Attributes

To modify the attributes of a custom tag:

1. From the left pane of the ADMINISTRATION page, click Templates, and then click Custom

Tags.

2. On the Custom Tags page, click the row that displays the tag you want to modify.

The row expands to reveal the details.

3. Click EDIT.

4. Modify the tag attributes, and then save your changes.

Caution! Make sure that the name you specify for a custom tag is not a database

reserved word.

Custom Tags from Issue Templates" on page 268.

Globally Hiding Custom Tags

To globally hide a custom tag:

1. From the left pane in the ADMINISTRATION view, click Templates, and then select Custom

Tags.

The Custom Tags page lists all existing custom tags.

2. Click the row for the tag you want to hide.

Fortify Software Security Center (23.1.0)

Page 264 of 428

User Guide

Chapter 11: Applications and Application Versions

The row expands to display the details for the tag.

3. Click EDIT.

4. Select the Hidden check box.

5. Click SAVE.

The custom tag no longer appears on the AUDIT page or in Fortify Audit Workbench.

Deleting Custom Tags

If you are an Administrator or a Security Lead, you can delete custom tags.

Note: You cannot delete a custom tag if:

l

It is set as the primary tag.

l

It has been used in auditing issues.

l

It is currently associated with an application version or issue template. For information on

how to remove a custom tag from an application version, see "" on page 270. For

information on how to remove a custom tag from an issue template, see "Rem oving

You can never delete the Analysis tag.

To delete custom tags:

1. From the left pane in the ADMINISTRATION page, select Templates, and then select

Custom Tags.

The Custom Tags page opens. Existing custom tags are listed on the right.

2. Select the check boxes for the custom tags you want to delete.

3. In the Custom Tags toolbar, click DELETE.

4. When prompted to confirm that you want to delete the tag (or tags), click OK.

See Also

"Custom Tags" on page 258

Adding Custom Tag Values

If you are a Fortify Software Security Center administrator, you can add values to the list-type

custom tags in the system.

Note: If a custom tag is assigned the extensible attribute, then you can add values to it as

you audit issues.

To add a value to a list-type custom tag:

1. On the Fortify header, click ADMINISTRATION.

2. In the left pane, click Templates, and then click Custom Tags.

Fortify Software Security Center (23.1.0)

Page 265 of 428

User Guide

Chapter 11: Applications and Application Versions

The Custom Tags page lists the custom tags in the system.

3. Click the row for the tag to which you want to add a value.

The row expands to display the details for the tag.

4. Below the table of values, click EDIT.

5. Above the table of values, click + ADD.

6. In the ADD VALUE dialog box, type a name and, optionally, a description for the new value.

If Fortify Software Security Center is configured to use Audit Assistant and if auto-apply is

enabled, you must map an Audit Assistant tag to the new tag value.

7. To map an Audit Assistant tag to the new tag value, under AA Custom Tags, select the

check box for the Audit Assistant tag that corresponds to your new tag value. (If necessary,

you can change the mapping later.)

8. To prevent the tag from being displayed in the Assign dialog box or in Audit Workbench,

select the Hidden check box.

9. Click APPLY.

10. On the Custom Tags page, under Audit Assistant Training, the new value is listed in the

Non-Issue list. If it is not a real issue, leave it as is. If the value does, in fact, apply to real

issues, then select it and move it to the True Issue list.

Note: Both the Non-Issue list and the True Issue list must each contain at least one

value.

11. Click SAVE.

See Also

"Editing Custom Tags" on the next page

"Deleting Custom Tag Values" on the next page

"Assigning Custom Tags to Application Versions" on page 269

Fortify Software Security Center (23.1.0)

Page 266 of 428

User Guide

Chapter 11: Applications and Application Versions

Editing Custom Tags

If you are an Administrator-level user, you can modify custom tags in the system.

To edit a custom tag:

1. From the left pane in the ADMINISTRATION view, click Templates, and then select Custom

Tags.

The Custom Tags page lists all custom tags in the system.

2. Click the row for the tag you want to edit to expand it and display the details.

3. Below the table of values, click EDIT.

4. Edit the values for any of the displayed fields, and then click SAVE.

For information about the displayed fields, see "Adding Custom Tags to the System" on

page 259.

See Also

"Deleting Custom Tag Values" below

"Assigning Custom Tags to Application Versions" on page 269

Deleting Custom Tag Values

If you are an administrator or a security lead, you can delete custom tag values.

To delete a value for a custom tag:

Note: You cannot delete a custom tag value that is currently associated with an application

version, issue template, or if an issue is audited using the value.

1. From the left pane in the ADMINISTRATION view, select Templates, and then select

Custom Tags.

The Custom Tags page lists all custom tags in the system.

2. Click the row for the tag from which you want to delete a value.

The row expands to display the details for the tag.

3. Below the table of values, click EDIT.

4. In the table of values, click the Remove value icon

in the row for the value you want to

delete.

5. Click SAVE.

See Also

"Editing Custom Tags" above

"Adding Custom Tag Values" on page 265

Fortify Software Security Center (23.1.0)

Page 267 of 428

User Guide

Chapter 11: Applications and Application Versions

Associating Custom Tags with Issue Templates

After you first create an issue template and upload an issue template file, the custom tags

defined in that issue template file are the custom tags that are initially associated with the issue

template. Updates to existing custom tags are ignored because tags are designed to be updated

using the procedures described in previous sections, but newly-defined custom tags in that

issue template file are added to the system and associated with the issue template.

Note: The custom tags associated with an issue template are the default tag set assigned

to an application version when it is first created using that issue template.

To associate a custom tag with an issue template:

1. On the Fortify header, click ADMINISTRATION.

2. In the left pane, select Templates, and then select Issue.

3. Click the row that displays the issue template that you want to associate with the custom

tag.

The row expands to reveal the template details.

4. Click EDIT.

5. In the CUSTOM TAGS section, click + ADD CUSTOM TAG.

6. In the ADD CUSTOM TAG dialog box, select the check box for the custom tag to associate

with the issue template, and then click +ADD.

The CUSTOM TAGS table now lists the tag you added.

7. Click SAVE.

Removing Custom Tags from Issue Templates

To remove a custom tag from an issue template:

1. From the left pane in the ADMINISTRATION page, select Templates, and then select Issue.

The table on the right lists all of the issue templates in the system.

2. Click the row that displays the issue template associated with the custom tag you want to

remove.

The row expands to reveal the issue template details. The CUSTOM TAGS section lists the

custom tags currently associated with the template.

Fortify Software Security Center (23.1.0)

Page 268 of 428

User Guide

Chapter 11: Applications and Application Versions

3. At the bottom of the expanded row, click EDIT.

4. In the last column, click the remove icon for the custom tag that you want to remove

from the template.

Note: You cannot remove the designated primary tag from an issue template.

5. Click SAVE.

See Also

"Custom Tags" on page 258

Assigning Custom Tags to Application Versions

To use a new custom tag to audit application version issues, you must first assign the tag to the

application version.

To assign a custom tag to an application version:

1. From the Applications view, expand the row for the application, and then select the name of

the version you plan to audit.

2. On the application version toolbar of the AUDIT page, click PROFILE.

3. In the APPLICATION PROFILE dialog box, select the CUSTOM TAGS tab.

4. Click ASSIGN/ REMOVE.

Fortify Software Security Center (23.1.0)

Page 269 of 428

User Guide

Chapter 11: Applications and Application Versions

The CUSTOM TAGS tab lists all of the tags available for auditing issues.

5. Select the check box for the custom tag you want to assign to the application version (you

can select multiple tags), and then click DONE.

The selected tag is now listed as an assigned tag.

To successfully complete the audit of an issue in Fortify Software Security Center, you must

specify a value for the custom tag that is designated as the primary tag. By default, the

Analysis tag is the primary tag.

During an audit, the primary tag is listed first. If list-type custom tags other than Analysis

exist in your Fortify Software Security Center instance and are assigned to the application

version, you can select one of these (instead of Analysis) as the primary tag.

6. (Optional) To assign a tag other than the current primary tag as primary:

Note: You can only assign list-type custom tags as primary tags.

a. Click SELECT PRIMARY.

b. From the Select Primary Tag list in the SELECT PRIMARY TAG dialog box, select the

tag to set as the primary custom tag.

Note: If you use Audit Assistant, and you have not provided Audit Assistant

guidance information, make sure that you edit the tag to include that information.

For information about how to provide Audit Assistant guidance, see "Adding

Custom Tags to the System" on page 259. For information about how to edit a

custom tag, see "Editing Custom Tags" on page 267.

c. Click DONE.

7. Click CLOSE.

The assigned custom tag will be available the next time a team member audits issues for the

application version.

Disassociating a Custom Tag from an Application Version

You can disassociate a custom tag from an application version if it has not been used in auditing

that application version.

To disassociate a custom tag from an application version:

1. On the Fortify header, click APPLICATIONS.

2. Click the application version name to which the custom tag is assigned.

3. On the application version toolbar of the AUDIT page, click PROFILE.

4. In the APPLICATION PROFILE window, select the CUSTOM TAGS tab.

5. Click ASSIGN/REMOVE.

Fortify Software Security Center (23.1.0)

Page 270 of 428

User Guide

Chapter 11: Applications and Application Versions

The CUSTOM TAGS tab lists all custom tags in the system. The check boxes for tags

associated with the application version are selected.

6. Clear the check box for the custom tag that you want to remove, and then click DONE.

7. Click CLOSE.

The AUDIT tab in the issue details on the AUDIT page for this application version no longer lists

the custom tag.

After you remove the custom tag from all application versions and issue templates to which it

has been assigned, you can delete the tag.

"Assigning Custom Tags to Application Versions" on page 269

Managing Custom Tags Through Issue Templates

Custom tags defined in an issue template file are assigned to that specific issue template. You

cannot update existing custom tags through direct issue template upload. If Fortify Software

Security Center detects an updated custom tag, it displays a warning and prompts you to

confirm that you want to continue.

You must update existing custom tags through the custom tag administration section of Fortify

Software Security Center, as follows:

1. On the Fortify header, select ADMINISTRATION.

2. In the left pane of the ADMINISTRATION page, select Templates, and then select Custom

Tags.

3. Complete the update.

You can add a new custom tag through an issue template upload. This could, for example, allow

a member of a security team who is not part of a software audit to define the issue template and

the custom tags in the issue template.

Managing Custom Tags Through an Issue Template in an FPR File

FPR files typically contain an issue template. If an FPR file uploaded to Fortify Software Security

Center contains an issue template with a custom tag that has been set as editable, you can add

a value to the tag.

About Deleting Application Versions

You cannot directly delete an application in Fortify Software Security Center. Fortify Software

Security Center removes an application automatically after all of its versions are deleted.

Fortify Software Security Center (23.1.0)

Page 271 of 428

User Guide

Chapter 11: Applications and Application Versions

If you are assigned the Administrator role in Fortify Software Security Center, you can delete

any application version. If you are in the Security Lead or Manager role, then you can delete any

application version to which you are assigned.

If you would rather not delete a version, but prefer instead to remove it from display on the

DASHBOARD and Applications pages, you can deactivate it. For instructions on how to

deactivate an application version, see "Deactivating Application Versions" below.

Deactivating Application Versions

Deactivating an application version hides that version in the Applications view. Note that

deleting all versions of an application deletes the application altogether.

To deactivate an application version:

1. From the Applications view, expand the row for the application and then select the version

you want to deactivate.

2. On the AUDIT page for the selected version, click PROFILE.

3. In the APPLICATION PROFILE dialog box, click APPLICATION SETTINGS.

4. In the Version Settings pane, click DEACTIVATE.

Fortify Software Security Center prompts you to confirm that you want to deactivate the

version.

5. Click OK.

The DEACTIVATE button is now the ACTIVATE button. If you need to, you can re-activate

the version later.

6. Close the APPLICATION PROFILE dialog box.

"Deleting an Application Version " on the next page

Reactivating Application Versions

If a specific application version has been deactivated and is not listed on the DASHBOARD or in

the Applications view, you can reactivate it to make it visible again.

If the deactivated application version was the only version of the application that exists, you can

do the following to access and reactivate it:

l

Create a new version of the deactivated application, and then follow the procedure described

below.

Fortify Software Security Center (23.1.0)

Page 272 of 428

User Guide

Chapter 11: Applications and Application Versions

To reactivate an application version when another version of the application exists:

1. On the Fortify header, click APPLICATIONS.

2. In the Applications view, select the Show inactive versions check box.

3. In the table, click the deactivated application version number.

4. On the application version toolbar of the AUDIT page, click PROFILE.

5. In the APPLICATION PROFILE - <application_version> dialog box, select the

APPLICATION SETTINGS tab.

6. Click ACTIVATE.

Fortify Software Security Center prompts you to confirm the activation.

7. Click OK.

8. Click CLOSE.

The application version is again displayed on the Fortify Software Security Center Dashboard

and in the Applications view.

Deleting an Application Version

If you would rather not delete an application version, but prefer instead to remove it from

display on the Fortify Software Security Center Dashboard and in the Applications view, see

Fortify Software Security Center (23.1.0)

Page 273 of 428

User Guide

Chapter 11: Applications and Application Versions

"Deactivating Application Versions" on page 272

Important! If you delete all versions of an application, Fortify Software Security

Center automatically deletes the application.

To delete a Fortify Software Security Center application version:

1. From the Applications view, select the name of the application version you want to delete.

Fortify Software Security Center opens the OVERVIEW page for the selected version.

2. On the application version toolbar, click PROFILE.

3. In the APPLICATION PROFILE dialog box, click APPLICATION SETTINGS.

4. In the Version Settings pane, click DELETE.

Fortify Software Security Center prompts you to confirm that you want to delete the

version.

5. Click OK.

Fortify Software Security Center removes the version from the database.

Fortify Software Security Center (23.1.0)

Page 274 of 428

Chapter 12: About Webhooks

You can create webhooks to update external systems about events that occur in Fortify

Software Security Center.

Topics covered in this section:

Viewing Webhook Payloads

Redelivering Webhook Payloads

Deleting Webhooks

Webhooks Permissions

The following table shows which Fortify Software Security Center roles have permission to

perform which webhook-related tasks.

Roles

Permissions

Administrator

Security Lead

User can create, view, and manage webhooks to monitor any kind of event.

l

User can view webhooks. Application versions that webhooks monitor

will be filtered to include only those for which the user has explicit view

permission.

l

User can create and manage webhooks monitoring events only on

entities for which the user has explicit view permission.

A Security Lead cannot create or manage the following:

l

Webhooks with the Send me everything! option selected

l

Webhooks with the Monitor All Application Versions option selected

l

Webhooks set to monitor any events that require universal access

To see all of the actions each Fortify Software Security Center role can perform:

1. On the Fortify header, select ADMINISTRATION.

2. In the left pane, select Users, and then select Roles.

OpenText Fortify Software Security Center (23.1.0)

Page 275 of 428

User Guide

Chapter 12: About Webhooks

The Roles table lists all of the roles to which you can assign users.

3. To see all of the actions a user in a given role can perform, click the row for the role.

Creating Webhooks

If you are an Administrator, you can create webhooks to monitor any kind of event, whether

global or application version-specific. If you are a Security Lead, you can create webhooks that

monitor events on the entities that you have permission to view.

Note: For information on which roles have which permissions to work with webhooks, see

"Webhooks Permissions" on the previous page.

To create a new webhook:

1. Log in to Fortify Software Security Center as an Administrator or Security Lead, and then,

on the Fortify header, click ADMINISTRATION.

2. In the left pane of the ADMINISTRATION page, select Configuration, and then select

Webhooks.

The Webhooks page lists any webhooks already configured.

3. On the Webhooks page, click NEW.

Fortify Software Security Center (23.1.0)

Page 276 of 428

User Guide

Chapter 12: About Webhooks

4. In the CREATE NEW WEBHOOK dialog box, provide the information described in the

following table.

Field

Description

Payload URL

In this box, specify the URL to which you want the

requested payload sent.

Description

(Optional) Provide a description of the webhook and its

payload.

SSL Verification

Specify whether SSL certificate verification is required to

invoke the webhook based on the specified URL.

Fortify Software Security Center (23.1.0)

Page 277 of 428

User Guide

Chapter 12: About Webhooks

Field

Description

Use SSC proxy

(Optional) If you have set up a proxy for Fortify Software

Security Center integrations, you can select this check box

to use it for webhooks. For information about how to

configure a proxy for Fortify Software Security Center

integrations, see "Configuring a Proxy for Fortify Software

Security Center Integrations" on page 125 .

Content Type

Secret

Displays the format used for the payload to be delivered.

Note: For this release, JSON is the only content type

supported.

(Optional) Enter a webhook secret to be used to verify the

data integrity and authenticity of POST requests. The

secret is used to calculate a hash-based message

authentication code (HMAC), which is communicated to the

payload destination via the "X-SSC-Signature" header. The

code is calculated using the HMAC-SHA256 algorithm. The

secret is used as a key and the payload body (with HTTP

"Date" header value appended) is used as a message. The

HMAC value is then encoded as a hexadecimal number with

the prefix sha256=.

Which events would you

like to trigger this

webhook?

Do one of the following:

l

To have the following events included in the payload,

select Send me everything! (This applies to all current

and future events.)

l

To include a focused subset of events in the payload,

select Let me select individual events, and then, in the

Global Events and Application version events lists,

(described below) select the check boxes for the events

to include in the payload.

Global events (system-wide)

USER_CREATED: A new local user, local group, or LDAP entity was added to Fortify

Software Security Center.

Fortify Software Security Center (23.1.0)

Page 278 of 428

User Guide

Chapter 12: About Webhooks

Field

Description

USER_DELETED: A local user, local group, or LDAP entity was deleted from Fortify

Software Security Center.

USER_UPDATED: A local user, local group, or LDAP entity was updated.

LOCAL_USER_ACCOUNT_LOCKED: A local user was locked out of Fortify Software

Security Center as a result of too many login attempts with invalid credentials.

APP_VERSION_CREATED: A new application version was created in SSC.

APP_VERSION_DELETED: An application version was deleted from Fortify Software

Security Center.

REPORT_GENERATION_COMPLETE: A new requested report is available for viewing

and download.

REPORT_GENERATION_REQUESTED: A new report was requested.

Application Version Events (application version-specific)

ANALYSIS_RESULT_UPLOAD_COMPLETE_SUCCESS: An uploaded artifact was

successfully processed to Fortify Software Security Center, and its data are available.

ANALYSIS_RESULT_UPLOAD_FAILURE: An uploaded artifact was not successfully

processed.

ANALYSIS_RESULT_UPLOAD_REQUIRES_APPROVAL: An uploaded scan artifact

requires approval before it can be processed.

ANALYSIS_RESULT_INDEXING_COMPLETED: Indexing of data for global searches

after Fortify Software Security Center finished processing an uploaded FPR was

completed.

ANALYSIS_RESULT_UPLOAD_APPROVE: An artifact was approved for uploading.

APP_VERSION_UPDATED: An application version was updated from the APPLICATION

PROFILE dialog box.

Application version events

ANALYSIS_RESULT_UPLOAD_COMPLETE_SUCCESS: Analysis results were

successfully uploaded.

ANALYSIS_RESULT_UPLOAD_FAILURE: An analysis results upload failed.

ANALYSIS_RESULT_UPLOAD_REQUIRES_APPROVAL: An analysis upload requires

approval.

ANALYSIS_RESULT_INDEXING_COMPLETED: Indexing of an analysis result was

Fortify Software Security Center (23.1.0)

Page 279 of 428

User Guide

Chapter 12: About Webhooks

Field

Description

completed.

ANALYSIS_RESULT_UPLOAD_APPROVED: Analysis upload results were approved.

APP_VERSION_UPDATED: An application version was updated.

Which application versions Do one of the following:

would you like to monitor?

l

To monitor all application versions (existing application

versions and application versions to be created in the

future), select the Monitor All Application Versions

option.

l

To monitor just a subset of application versions:

i. Select the Select Individual Application Versions

option.

ii. Click ADD.

iii. In the SELECT APPLICATION VERSION dialog box,

from the APPLICATION list, select an application

to monitor.

iv. To select all versions, select the Select All check

box. Otherwise select the check boxes for the

versions.

v. Click DONE.

vi. To add another application version or versions,

repeat these steps.

Active

Select this check box to make the webhook active. To leave

the webhook inactive for now, leave the check box cleared.

5. After you finish configuring the webhook, click SAVE.

"Deleting Webhooks" on page 285

Fortify Software Security Center (23.1.0)

Page 280 of 428

User Guide

Chapter 12: About Webhooks

Editing Webhooks

To edit a webhook:

1. Log in to Fortify Software Security Center as an Administrator or Security Lead, and then,

on the Fortify header, click ADMINISTRATION.

Note: If you are a Security Lead, you can only edit webhooks that monitor the entities

for which you have explicit view permission.

2. In the left pane of the ADMINISTRATION page, select Configuration, and then select

Webhooks.

The Webhooks page lists any webhooks already configured.

3. Select the row to see the details for the webhook you want to edit.

4. Change any values for the fields described in "Creating Webhooks" on page 276.

5. (Optional) To request redelivery of a payload after you finish making changes, under

Recent deliveries, select the row for the payload you want redelivered, and then click

REDELIVER.

6. Click SAVE.

See Also

"Viewing Webhook Payloads" below

"Deleting Webhooks" on the next page

Viewing Webhook Payloads

If you are an Administrator, you can view all webhook payloads. If you are a Security Lead, you

can view only webhook payloads for application versions that you have explicit permission to

view.

To view webhook payloads:

1. Log in to Fortify Software Security Center as an Administrator or Security Lead, and then,

on the Fortify header, click ADMINISTRATION.

2. In the left pane of the ADMINISTRATION page, select Configuration, and then select

Webhooks.

The Webhooks table lists all existing webhooks and displays the status of each, as follows:

A green check mark indicates that the last payload request was successful.

A red x indicates that the webhook is active but could not deliver the last payload

requested.

Note: If the Status field for a listed webhook displays no icon, in the Webhooks table,

expand its row and check to make sure that the Active check box, located above the

Recent deliveries table, is selected.

Fortify Software Security Center (23.1.0)

Page 281 of 428

User Guide

Chapter 12: About Webhooks

3. In the Webhooks table, select a webhook to expand its details and examine its recently-

delivered payloads (up to ten), if any.

The Recent deliveries section lists the payloads (up to ten) most recently delivered.

Fortify Software Security Center (23.1.0)

Page 282 of 428

User Guide

Chapter 12: About Webhooks

4. Click the row for the payload you want to examine.

5. To see body or header details for the response, select the RESPONSE tab.

Fortify Software Security Center (23.1.0)

Page 283 of 428

User Guide

Chapter 12: About Webhooks

For details about the content of delivered payloads, see "Webhook Payloads" on page 420.

See Also

"Editing Webhooks" on page 281

Redelivering Webhook Payloads

If changes are made that affect the payload delivered to the payload URL for a webhook. you

can request that the payload be redelivered.

To request redelivery of a webhook payload:

1. Log in to Fortify Software Security Center as an Administrator or Security Lead, and then,

on the Fortify header, click ADMINISTRATION.

Note: If you are a Security Lead, you can only edit webhooks that monitor the entities

for which you have explicit view permission.

2. In the left pane of the ADMINISTRATION page, select Configuration, and then select

Webhooks.

The Webhooks page lists any webhooks configured.

3. Select the row for the webhook for which you want a payload redelivered.

Fortify Software Security Center (23.1.0)

Page 284 of 428

User Guide

Chapter 12: About Webhooks

4. Under Recent deliveries, select the row for the payload you want redelivered, and then

click REDELIVER.

See Also

"Editing Webhooks" on page 281

"Viewing Webhook Payloads" on page 281

Deleting Webhooks

To delete a webhook:

1. Log in to Fortify Software Security Center as an Administrator or Security Lead, and then,

on the Fortify header, click ADMINISTRATION.

2. In the left pane, select Configuration, and then select Webhooks.

The Webhooks page lists all existing webhooks and their current status.

3. In the table, select the check box for the webhook you want to delete, and then click

DELETE.

See Also

"Editing Webhooks" on page 281

Fortify Software Security Center (23.1.0)

Page 285 of 428

Chapter 13: Variables, Performance Indicators,

and Alerts

Fortify Software Security Center lets you store measured values and event conditions for

application versions as variables. A Fortify Software Security Center variable is a definition of a

metric that is to be evaluated periodically for each application version. Variables count issues,

conditions, and other categories of numeric data.

Performance indicators combine variables into metrics that are normalized across application

version boundaries, and that can represent complex higher-level abstractions such as monetary

costs. Fortify Software Security Center variables and performance indicators provide the

building blocks that you can use to create customized metrics, which you can then incorporate

into customized alert definitions.

You can use the values of variables to trigger alerts, which Fortify Software Security Center then

displays on the dashboards of users specified as recipients in alert definitions. Fortify Software

Security Center can also email alert notifications to members of an application version team.

Topics covered in this section:

Working with Variables

Performance Indicators

Creating Performance Indicators

Viewing and Marking Alerts

Working with Variables

If you are a Security Lead or an Administrator, you can define variables for your applications.

The following topics provide information about Fortify Software Security Center variable syntax

and search strings, and include instructions on how to create variables.

OpenText Fortify Software Security Center (23.1.0)

Page 286 of 428

User Guide

Chapter 13: Variables, Performance Indicators, and Alerts

Creating Variables

To create a Fortify Software Security Center variable:

1. Log in as a Security Lead or an Administrator, and then click ADMINISTRATION.

Note: Users who have Developer accounts cannot create Fortify Software Security

Center variables.

2. In the pane on the left, under Metrics & Tracking, select Variables.

3. In the Variables toolbar, click NEW.

4. In the CREATE NEW VARIABLE dialog box, provide the information described in the

following table.

Field

Description

Name

Type a variable name that begins with a letter (a-z, A-Z), and that

contains only letters, numerals (0-9), and the underscore character (_).

Description

(Optional) Type a description so that other users can understand how to

use the variable.

Search String Type a valid Fortify Software Security Center variable search string. (For

information about how to construct search strings, select the Syntax

Guide link below the Search String box, or see "Variable Syntax" below.)

Folder

From this list, select a folder from the default filter set to associate with

the variable.

The Folder list displays the unique folder names associated with all

available issue templates. The variable value is calculated if the folder

name is associated with the issue template for the application version.

5. After Fortify Software Security Center validates the variable, click SAVE.

The Variables table now lists your new variable.

Variable Syntax

The Fortify Software Security Center variable format is modifier:searchstring.

Example: [Fortify Priority Order]:critical audited:false

To search for an exact match of the string, enclose the string in quotation marks (""). To search

for a string without qualifications, type the string without quotation marks.

Fortify Software Security Center (23.1.0)

Page 287 of 428

User Guide

Chapter 13: Variables, Performance Indicators, and Alerts

The following table lists the Fortify Software Security Center relational operators.

Relational

Operator

Description

Example

Number

range

A comma-separated pair of numbers used to

specify the beginning and end of a range of

numbers.

(2,4]

Indicates a range of

greater than two, and less

than or equal to four

Use a left or right bracket (“[ ]”) to specify that

the range includes the adjoining number.

Use a begin or end parenthesis (“( )”) to specify

that the range excludes (is greater than or less

than) the adjoining number.

Negate a modifier with an exclamation character

! (not equal)

file:!Main.java

(!).

Returns all issues that are

not in Main.java.

Performance Indicators

Fortify Software Security Center performance indicators enable you to combine variables into

metrics that are normalized across application version boundaries, and that can represent

complex, high-level abstractions such as monetary costs. This section provides information

about performance indicator syntax and instructions on how to create performance indicators.

The general format for a Fortify Software Security Center performance indicator formula is as

follows:

Variable[operator]Variable

where operator is a standard mathematical operator (+, -, *, /).

For instructions on how to create performance indicators, see "Creating Performance Indicators"

below.

Creating Performance Indicators

To create a Fortify Software Security Center performance indicator:

1. Log in to Fortify Software Security Center as a Security Lead, and then click the

ADMINISTRATION tab.

Note: Users who are assigned the Manager or Developer role cannot create Fortify

Software Security Center performance indicators.

Fortify Software Security Center (23.1.0)

Page 288 of 428

User Guide

Chapter 13: Variables, Performance Indicators, and Alerts

2. In the pane on the left, under Metrics & Tracking, select Performance Indicators.

The table to the right lists existing performance indicators.

3. Click NEW.

4. In the CREATE NEW PERFORMANCE INDICATOR dialog box, provide the information

described in the following table.

Field

Description

Name

Type a performance indicator name.

(Optional) Type a description of this performance indicator.

Description

Equation

Type a valid Fortify Software Security Center performance indicator

equation.

The format for a performance indicator formula is as follows:

Variable[operator]Variable

where operator is a standard mathematical operator (+, -, *, /).

Return Type From this list, select the value type to return.

5. After you configure and successfully validate the new performance indicator, click SAVE.

The Performance Indicators table lists your new indicator.

Alert Definitions

Alert definitions can include variables or performance indicators to determine when Fortify

Software Security Center is to generate an alert notification in the Todo List pane of the

Dashboard.

Note: This functionality is available only if a Fortify Software Security Center administrator

has enabled email notifications.

You can configure alert notifications to send email messages about one or more alert

notifications to users assigned to a given application version.

"Enabling and Disabling Receipt of Email Alerts" on page 98

"Deleting Alerts" on page 293

Fortify Software Security Center (23.1.0)

Page 289 of 428

User Guide

Chapter 13: Variables, Performance Indicators, and Alerts

Creating Alerts

You can define alerts for any application versions to which you have been granted access.

To create a Fortify Software Security Center alert:

1. On the Fortify header, click ADMINISTRATION.

2. In the pane on the left, click Templates, and then select Alerts.

The Alerts page displays any alerts defined to date.

3. In the Alerts toolbar, click NEW.

4. In the CREATE NEW ALERT dialog box, in the Name box, type a name for the alert.

5. (Optional) In the Description box, type text that describes what the alert is for.

6. To create the alert without enabling it, clear the Enable Alert check box. To enable this

alert, leave the check box selected.

7. Next to Type, select the type of alert you want to create.

Note: Only administrators can create scheduled alerts.

8. Next to Recipients, do one of the following:

l

To have the alert sent only to you, leave the Me only option selected.

l

To have the alert sent to users assigned to application version assignees, select the

Version assignees option.

l

(For scheduled alerts only) To have the alert sent to all Fortify Software Security Center

users, select All system users.

Note: Regardless of the option you select, you will receive the notification.

9. Provide the information for the alert type you selected, as shown in one of the following

tables.

Performance indicator

a. From the Alert when list, select a performance indicator.

b. From the list of operators, select an operator.

c. Type a numeric value. The type of performance indicator selected determines

whether the value represents an integer or a percentage.

By default, performance indicator alerts are triggered just once, when the

performance indicator value meets the criterion set for Alert when. For example, an

alert with the trigger criterion set to Critical Exposure Issues < 50 is triggered only

once, even if many new critical issues are uncovered in subsequent scans.

d. To have Fortify Software Security Center reset your alert after each new artifact

Fortify Software Security Center (23.1.0)

Page 290 of 428

User Guide

Chapter 13: Variables, Performance Indicators, and Alerts

upload, select the Reset after triggering check box.

Variable

a. From the Alert when list, select a variable.

b. From the list of operators, select the appropriate operator.

c. Type a numeric value. The type of variable you selected determines whether the

value represents an integer or a percentage.

By default, variable alerts are triggered just once, when the variable value meets the

criterion set for Alert when. For example, an alert with the trigger criterion set to

NEWIssues = 0 is triggered only once, even if new issues are uncovered in

subsequent scans.

d. To have Fortify Software Security Center reset your alert after each new artifact

upload, select the Reset after triggering check box.

System event

l

From the Alert when list, select the Fortify Software Security Center system event to

trigger the alert.

Scheduled alert (Administrators only)

Under Alert when, do the following:

a. Use the calendar control to specify the date on which Fortify Software Security

Center is to send the alert.

b. In the two boxes to the right, type the hour and minute (hh:mm) at which to send the

alert.

c. Toggle between AM and PM to determine whether the alert is sent in the morning or

afternoon.

d. From the list of countries and regions, select the country or region to which your

time and date settings apply.

e. From the time zone list, select the time zone to which your time and date settings

apply.

10. If you are creating a performance indicator alert or variable alert, do the following to specify

the application versions for which you want to use the alert:

a. Click ADD.

b. In the SELECT APPLICATION VERSION dialog box, from the APPLICATION list, select

an application for which you want to use the alert.

Fortify Software Security Center (23.1.0)

Page 291 of 428

User Guide

Chapter 13: Variables, Performance Indicators, and Alerts

The VERSIONS pane (center) lists the active versions of the selected application.

c. To include inactive versions of the application in the VERSIONS list, select the Show

inactive check box.

d. To use the alert for all application versions, select the Select all check box. Otherwise,

in the VERSIONS list, select the check boxes for the versions for which you want to use

the alert.

The pane on the right lists the application versions you selected to receive the new

alert.

e. To select versions of another application, repeat steps b through d.

f. Click DONE.

11. In the Message box, type a message to tell recipients why they have received the alert.

Note: If you are creating a scheduled alert, message text is required.

12. Click SAVE.

If you selected Version assignees as recipients, Fortify Software Security Center displays

the following alert:

"Are you sure you want to notify all application versions users? This could potentially notify

a large amount of users every time the alert triggers."

13. To proceed, click OK. Otherwise, click CANCEL, and then select Me Only as the recipient.

Fortify Software Security Center displays the details for your new alert.

See Also

"Deleting Alerts" on the next page

"Configuring Email Alert Notification Settings" on page 96

"Enabling and Disabling Receipt of Email Alerts" on page 98

"Alert Definitions" on page 289

Editing Alerts

To edit a Fortify Software Security Center alert:

1. Log in to Fortify Software Security Center as an Administrator, and then, on the Fortify

header, click ADMINISTRATION.

2. In the pane on the left, click Templates, and then select Alerts.

The Alerts page displays all alerts you have defined.

3. In the Alerts table, locate and select the row for the alert you want to edit.

The row expands to reveal the alert settings.

4. At the bottom right of the alert settings, click EDIT.

5. Make the necessary changes and then click SAVE.

Fortify Software Security Center (23.1.0)

Page 292 of 428

User Guide

Chapter 13: Variables, Performance Indicators, and Alerts

Deleting Alerts

To delete a Fortify Software Security Center alert:

1. Log in to Fortify Software Security Center as an Administrator, and then click the

ADMINISTRATION tab.

2. In the pane on the left, select Templates, and then select Alerts.

The Alerts page displays all alerts you have defined.

3. In the Alerts table, select the check box to the left of the alerts you want to delete.

4. In the Alerts toolbar, click DELETE.

Fortify Software Security Center prompts you to confirm that you want to proceed with the

deletion.

5. Click OK.

"Alert Definitions" on page 289

"Creating Alerts" on page 290

Viewing and Marking Alerts

Fortify Software Security Center flags any unread alerts that either you or another user has set

up for you to receive. These flags are visible in the collapsible pane on the right of

the Dashboard, and on the right end of the Fortify header in every view.

To view your unread alerts, do one of the following:

l

At the right end of the Fortify header, click the red circle that shows the number of unread

alerts.

l

On the Dashboard, in the Todo List section of the collapsible pane, click the red circle that

shows the number of unread alerts.

The ALERTS window opens and lists any unread alerts.

To mark an alert as having been read:

l

In the ALERTS window, select the check box to the left of the alert name, and then click

MARK AS READ.

To mark an alert as unread:

l

In the ALERTS window, select the check box to the left of the alert name, and then click

MARK AS UNREAD.

Fortify Software Security Center (23.1.0)

Page 293 of 428

User Guide

Chapter 13: Variables, Performance Indicators, and Alerts

To view alerts that you have already read:

l

From the View list, select Read.

To view unread alerts:

l

From the View list, select Unread.

To view all of your alerts (read and unread):

l

From the View list, select All.

If you have marked all of your alerts as read, the read alert flag is no longer displayed. To see

these alerts, go to the Dashboard and, in the Todo List section of the collapsible pane, click

Show all alert notifications.

Fortify Software Security Center (23.1.0)

Page 294 of 428

Chapter 14: About Working with Scan Artifacts

The following sections describe all of the various aspects of working with scan artifacts.

Uploading Scan Artifacts

The following procedure describes how to upload your scan artifacts to the Fortify Software

Security Center database. For information about how to submit training metadata to Fortify

Audit Assistant, see "Submitting Training Data to Audit Assistant" on page 346.

Note: As it inserts data into the database, Fortify Software Security Center truncates HTTP

responses that contain more than 100,000 characters. Such responses are either cut off at

the end, or contain \n\n...\n\n elsewhere in the response. This does not affect

downloaded scans. It affects only the data displayed on the Fortify Software Security Center

AUDIT page.

Important! The files you upload to Fortify Software Security Center must not exceed 2 GB.

Important! To upload third-party artifacts, you must have the correct parser configured.

For information, see "Adding and Managing Parser Plugins" on page 164.

Also note that any raw scan file that contains third-party data must be packed into a ZIP file

along with a scan.info metadata file. The scan.info property file must provide a value

for the engineType property to identify the scanning engine that produced the results.

That engine type must match the engine type registered by the parser plugin configured.

The scan.info file can also provide a scanDate property value in ISO-8601 format. You

can obtain the scan.info contents from https://github.com/fortify/sample-parser.

To upload a scan artifact to the Fortify Software Security Center database:

1. On the Dashboard or, for new applications, the Applications view, move your cursor to the

application version for which you want to upload an artifact, and then select Artifacts from

the shortcut menu.

2. The ARTIFACT HISTORY table lists any and all scan artifacts uploaded for the application

version.

OpenText Fortify Software Security Center (23.1.0)

Page 295 of 428

User Guide

Chapter 14: About Working with Scan Artifacts

3. Click ARTIFACT.

4. In the UPLOAD ARTIFACT dialog box, click + ADD FILES.

5. Navigate to and select one or more (up to five) artifact files to upload.

Formats supported for artifact upload are FPR, XML, GZ, and, for third-party artifacts, ZIP.

The UPLOAD ARTIFACT dialog box lists the selected files.

6. To remove a file from the list, click the trash icon for that file. To remove all of the listed

files, click CLEAR.

7. Click START UPLOAD.

The dialog box displays a progress bar as each file is uploaded.

8. After your files are successfully uploaded, click CLOSE.

Note: If a scan artifact requires approval based on analysis result processing rules, it

must be approved before Fortify Software Security Center can process it. For

information, see "Approving Analysis Results for an Application Version" on page 300.

Fortify Software Security Center (23.1.0)

Page 296 of 428

User Guide

Chapter 14: About Working with Scan Artifacts

Viewing File Processing Errors

If there was an error in processing an uploaded artifact, the Status column of the ARTIFACT

HISTORY table displays Error Processing, along with a circled number that indicates the

number of processing rules violated.

To view information about the processing rules violated:

l

Click the circled number.

The Artifact Processing Messages box opens to display details about problems encountered

during the upload.

"Setting Analysis Results Processing Rules for Application Versions" on page 252

"Using an Application Identifier to Upload FPR Files" on page 400

"Using an Application Name and Version to Upload FPR Files" on page 401

Viewing Scan Artifact Details

The following procedure describes the details available for uploaded scan artifacts. (For

information about how to upload scan artifacts, see "Uploading Scan Artifacts" on page 295.)

To upload a scan artifact to the Fortify Software Security Center database:

1. On the Dashboard or Applications view, move your cursor to the application version for

which you want to view artifact details, and then select Artifacts from the shortcut menu.

The ARTIFACT HISTORY table lists all scan artifacts uploaded for the application version.

2. To view details for one of the listed artifacts, click the corresponding row.

Fortify Software Security Center (23.1.0)

Page 297 of 428

User Guide

Chapter 14: About Working with Scan Artifacts

The details shown include the analysis engine version, number of files and lines of code

scanned, the analysis date, and more.

If an error occurred in processing the uploaded artifact, the Status column of the

ARTIFACT HISTORY table displays Error Processing. A number on the right indicates the

number of processing rules violated.

3. To view the line(s) of code associated with any processing errors for the scan, click the

circled number ( ).

The SCAN WARNING box displays the line of code where processing rules were violated,

along with a description of the violation.

The field displays the Rulepack versions used in generating the scan.

4. To view a list of the coding rules applied during the scan, grouped by Rulepack version,

click the Rulepacks link.

Note: If a scan artifact requires approval based on analysis result processing rules, it must

be approved before Fortify Software Security Center can process it. For information, see

"Approving Analysis Results for an Application Version" on page 300.

"Purging Scan Artifacts" on page 306

"Setting Analysis Results Processing Rules for Application Versions" on page 252

"Using an Application Identifier to Upload FPR Files" on page 400

"Using an Application Name and Version to Upload FPR Files" on page 401

Fortify Software Security Center (23.1.0)

Page 298 of 428

User Guide

Chapter 14: About Working with Scan Artifacts

Downloading Scan Artifacts

From the ARTIFACT HISTORY page, you can download the latest merged FPR file for an

application version, or you can download FPR files that result from individual scans.

Downloading the Merged FPR File for an Application Version

To download the latest merged scan results for an application version in FPR format:

1. On the Fortify header, click APPLICATIONS.

2. In the Applications view, expand the row for the application and then select the version you

are interested in.

3. On the application version toolbar, click ARTIFACTS.

The ARTIFACT HISTORY table lists all scan artifacts uploaded for the application version.

4. Do one of the following:

l

To download the latest merged scan results for an application version, at the top of the

ARTIFACT HISTORY table, click APPLICATION FILE.

l

To download the current merged application scan results in FPR format with sources, at

the top of the ARTIFACT HISTORY table, click APPLICATION & SOURCES.

5. To open the scan results in Fortify Audit Workbench, in your Downloads folder, double-

click the downloaded FPR file.

Downloading Individual Scan Results

To download results for a given processed scan:

1. On the Fortify header, click APPLICATIONS.

2. In the Applications view, expand the row for the application and then select the version you

are interested in.

3. On the application version toolbar, click ARTIFACTS.

The ARTIFACT HISTORY table lists all scan artifacts uploaded for the application version.

4. Click the row for the artifact you want to download to expand it and see the artifact details.

5. To download the artifact, click DOWNLOAD.

See Also

"Deleting Artifacts" on page 307

Fortify Software Security Center (23.1.0)

Page 299 of 428

User Guide

Chapter 14: About Working with Scan Artifacts

Approving Analysis Results for an Application Version

Depending on the processing rules configured for an application version, and whether the

Rulepack used in processing a scan was outdated (older than the server Rulepacks), analysis

results may require approval. (See "Setting Analysis Results Processing Rules for Application

Versions" on page 252.) If analysis results require approval, this is indicated by an alert icon ( )

next to the version name in the Applications view and by the Requires Approvalvalue in the

Status column of the ARTIFACT HISTORY table.

Note: If an artifact was uploaded by mistake or, for some other reason, you do not want

Fortify Software Security Center to process the artifact, follow the steps described in

"Denying Processing Approval" on the next page.

To approve analysis results for an application version so that Fortify Software Security Center

can process the artifact:

1. In the Applications view, expand the application row, move your cursor to the version

number, and then select Artifacts from the shortcut menu.

The ARTIFACT HISTORY table lists all scan artifacts uploaded for the selected application

version.

2. Expand a row with the value Requires Approval in the Status column.

3. At the bottom of the expanded section, click APPROVE.

The APPROVE UPLOAD OF ANALYSIS RESULTS dialog box opens. The Processing

Messages section shows an explanation of what, specifically, triggered the approval

requirement.

4. In the Approval Comment box, type a comment to indicate why you are approving these

results.

5. Click APPROVE.

Fortify Software Security Center proceeds to process the artifact.

Fortify Software Security Center (23.1.0)

Page 300 of 428

User Guide

Chapter 14: About Working with Scan Artifacts

Denying Processing Approval

If an artifact was uploaded by mistake or, for some other reason, you do not want Fortify

Software Security Center to process the artifact, you can either delete it, or, if you want to retain

a record of the artifact upload, you can deny approval.

To deny approval of an artifact:

1. In the Applications view, expand the application row, move your cursor to the version

number, and then select Artifacts from the shortcut menu.

The ARTIFACT HISTORY table lists all scan artifacts uploaded for the selected application

version.

2. Expand the row for the artifact that requires approval, and which you do not want Fortify

Software Security Center to process.

3. At the bottom of the expanded details section, click DENY.

The DENY UPLOAD OF ANALYSIS RESULTS dialog box opens. The Processing Messages

section lists explanations of what, specifically, triggered the approval requirement.

4. In the Comment box, type a comment to indicate why you want to deny approval of these

results.

5. Click DENY.

The Status value for the artifact changes to Approval Denied.

Viewing High-Level Summary Results

Fortify Software Security Center offers several ways to view high-level summary results for

application versions from the Fortify Software Security Center Dashboard or from the Overview

page.

Viewing Summary Metrics on the Issue Stats Page

To view summary metrics for application versions (individually and collectively) from the Issue

Stats page:

l

On the Fortify header, select DASHBOARD.

The following three portlets on the Issue Stats page (the default Dashboard view in Fortify

Software Security Center) displays consolidated metrics for all of the applications to which you

have access:

Fortify Software Security Center (23.1.0)

Page 301 of 428

User Guide

Chapter 14: About Working with Scan Artifacts

l

The Issues Remediated portlet shows the total number of issues remediated to date, the

average number of days it took to review them, and the average number of days required to

remediate them.

l

The Issues Pending Review portlet shows the total number of open issues, and the number

of these that have been reviewed.

l

The Application Versions portlet shows the total number of application versions to which

you have access the number of files scanned and the number of lines of code scanned for

those application versions.

The table on the Issue Stats page displays summary metrics for each of the application versions

to which you have access. If you click an application version listed in the table, Fortify Software

Security Center takes you directly to the AUDIT page for that application version.

Together, the portlets and table enable you to see how quickly issues are being reviewed and

remediated.

Viewing Summary Metrics on the CHART Page

You can view a graphical representation of summary metrics for individual application versions

from the CHART page.

To view summary metrics for application versions from the Chart page:

1. On the Dashboard toolbar, click CHART.

Fortify Software Security Center opens to the REVIEWED tab.

2. In the list of application versions, move your cursor to a colored bar for an application

version.

Fortify Software Security Center shows the summary findings for the version. In the example

shown here, the pie chart of the left shows the security ratings for the 97% of findings (779 of

805) that have been audited to date for this application version. The chart on the right shows

Fortify Software Security Center (23.1.0)

Page 302 of 428

User Guide

Chapter 14: About Working with Scan Artifacts

the percentage of findings audited (97) and the percentage of the total that has yet to be

audited (3).

Note: To go from here to the AUDIT page for the application version, click AUDIT.

Viewing Summary Metrics on the Overview Page

To view high-level summary results for an application version from the Overview page:

1. On the Fortify Dashboard, hover your cursor over the link for the version you are interested

in, and then select Overview from the shortcut menu.

2. On the Overview page, if the pane on the right is collapsed, expand it.

The Version Progress section displays summary information with trending arrows.

3. To display a metric other than Fortify Security Rating, click the edit icon , and then select

Fortify Software Security Center (23.1.0)

Page 303 of 428

User Guide

Chapter 14: About Working with Scan Artifacts

a different metric to display from the list.

See Also

"Deleting Artifacts" below

Viewing Issue Metadata

To view metadata for an issue:

1. Navigate to the AUDIT page for the application version of interest.

2. In the issues table, if you have selected a grouping, expand a group to view issues it

contains.

3. Click the row that displays the issue name.

The Code tab displays an overview of the issue, the Analysis value (if set), the stack trace,

and the section of code in which the issue was uncovered.

4. At the bottom left of the issue details section, click METADATA.

Fortify Software Security Center (23.1.0)

Page 304 of 428

User Guide

Chapter 14: About Working with Scan Artifacts

The METADATA box displays the unique issue identifier (Instance ID), the unique identifier

for the rule that generated the issue (Primary Rule ID), priority metadata values, and legacy

priority metadata values.

Note: The instance ID displayed is unique to the specific application version and is not

associated with any other Fortify Software Security Center application versions.

5. To go to the website that provides detailed information about software security errors,

select the Fortify Taxonomy: Software Security errors link.

Mapping Scan Results to External Lists

Fortify distributes an external metadata document with Rulepacks. This document includes

mappings from the Fortify categories to alternative categories (such as OWASP 2010, PCI, or

CWE). Security leads can create their own files to map issues to different taxonomies, such as

internal application security standards or additional compliance obligations.

Note: For detailed information about how to create custom mappings, see the Micro Focus

Fortify Static Code Analyzer Custom Rules Guide.

To apply the modified or new external metadata document across all applications, you must first

import it into Fortify Software Security Center.

Fortify Software Security Center (23.1.0)

Page 305 of 428

User Guide

Chapter 14: About Working with Scan Artifacts

To import a new or modified external metadata document into Fortify Software Security Center:

1. Log in as Administrator, and then, on the Fortify header, click the ADMINISTRATION tab.

2. In the left pane, under Metrics &Tracking, select Rulepacks.

3. In the upper right corner of the Rulepacks page, click IMPORT.

4. In the IMPORT RULEPACK dialog box, click + ADD FILES.

5. Navigate to and select your document, and then click START UPLOAD.

If you are conducting a collaborative audit between Fortify Software Security Center and Audit

Workbench, you can import the changed mapping document to Fortify Software Security

Center, and then open the FPR file in Audit Workbench to see how the mapping works with the

scan results.

Purging Scan Artifacts

Purging an artifact recovers space from the Fortify Software Security Center database by

removing the uploaded artifact, the temporary results of artifact processing, and the cross-

reference information for source files.

Before you purge artifacts for an application version, consider the following:

l

After the purge, you cannot delete the purged artifacts, or the earliest artifact not purged.

l

Purging does not affect any issue-base metrics in the system.

l

If you have custom reports, consult Fortify Customer Support

(https://www.microfocus.com/support) first to determine whether an artifact purge will affect

them.

l

Purging removes all artifacts that have the same or earlier analysis date.

You can purge an artifact if it meets all of the following conditions:

l

It has not already been purged.

l

It does not contain just one scan generated from a given analysis engine type. For example, if

only one Fortify Static Code Analyzer-generated artifact exists for an application version, you

cannot purge it. If two artifacts from the same analysis engine were uploaded for the

application version, you can purge only the older of the two artifacts.

l

Its status is one of the following:

l

PROCESS_COMPLETE

l

ERROR_PURGING

l

ERROR_DELETING

You cannot purge an artifact if:

l

It is being processed

l

An error occurred during processing

Fortify Software Security Center (23.1.0)

Page 306 of 428

User Guide

Chapter 14: About Working with Scan Artifacts

l

It contains the latest scan for the analysis engine type.

You cannot delete an artifact if it is being processed or if it has already been purged.

To purge a scan artifact from the Fortify Software Security Center database:

1. From the DASHBOARD, move your cursor to the application version with artifacts that you

want to purge, and then select Artifacts from the shortcut menu.

The ARTIFACT HISTORY table lists all scan artifacts uploaded for the application version.

2. Click the row that displays the artifact you want to purge from the database.

The table expands to show the details for the selected artifact.

3. Below the artifact details, click PURGE.

Fortify Software Security Center prompts you to confirm that you intend to purge the

artifact.

4. Click OK.

See Also

Deleting Artifacts

Deleting an artifact removes all traces of the artifact. Use this option if you upload an artifact by

mistake.

Fortify Software Security Center (23.1.0)

Page 307 of 428

User Guide

Chapter 14: About Working with Scan Artifacts

Note: You cannot delete an artifact that is being processed or one that has already been

purged.

To delete a scan artifact from the Fortify Software Security Center database:

1. From the DASHBOARD, move your cursor to the application version with artifacts that you

want to delete, and then select Artifacts from the shortcut menu.

The ARTIFACT HISTORY table lists all scan artifacts uploaded for the application version.

2. Click the row that displays the scan artifact you want to delete.

The table expands to show the details for the selected artifact.

3. Below the artifact details, click DELETE.

Fortify Software Security Center prompts you to confirm that you want to delete the

artifact.

4. Click OK.

See Also

"Purging Scan Artifacts" on page 306

Fortify Software Security Center (23.1.0)

Page 308 of 428

Chapter 15: Collaborative Auditing

When an analysis engine (analyzer such as Fortify Static Code Analyzer) scans source code, all

of its discoveries are presented as potential vulnerabilities, not actual vulnerabilities. Because

every application is unique and all functionality runs within a particular context understood best

by the development team, no technology can fully determine if a suspect behavior should be

considered a vulnerability without direct developer confirmation.

Issue audits, whether performed in Fortify Software Security Center or Audit Workbench, or by

Audit Assistant, accomplish the following:

l

Condense and focus application information

l

Enable the security team to collaboratively decide which issues represent real vulnerabilities

l

Enable the security team to collaboratively prioritize issues based on vulnerability

Fortify Software Security Center uses issue templates to categorize and display issues.

Fortify Software Security Center provides a web-based collaborative environment for auditing

issues associated with Fortify Software Security Center applications. The following sections

provide an overview of the auditing process and instructions on how to display and use the

auditing interface.

The information in these topics is presented based on the assumption that you know how to

create and configure Fortify Software Security Center application versions. (For information

about Fortify Software Security Center applications and application versions, see "Applications

and Application Versions" on page 218.)

Topics covered in this section:

About Current Issues State

Viewing Information About Issues to Audit

Viewing Issues Based on Folders

Viewing Issues Assigned to You

Filtering Issues for Display on the OVERVIEW and AUDIT Pages

Searching Issues

Search Modifiers

Search Query Examples

Auditing Scan Results

Auditing Correlated Issues

About Suppressed, Removed, and Hidden Issues

Changing Displayed Issues Using Filter Sets

OpenText Fortify Software Security Center (23.1.0)

Page 309 of 428

User Guide

Chapter 15: Collaborative Auditing

Overriding Assigned Issue Priority

Viewing Bugs Submitted for Issues

Auditing a Batch of Issues

Using Audit Assistant

Audit Assistant Workflow

About Prediction Policies

Defining Prediction Policies

Enabling Metadata Sharing

Submitting Training Data to Audit Assistant

Reviewing Audit Assistant Results

Searching Globally in Fortify Software Security Center

Viewing Open Source Data

Viewing Open Source Data from the AUDIT Page

Viewing Open Source Data from the OPEN SOURCE Page

About Susceptibility Analysis of Web Applications

Susceptibility Analysis Requirements

Typical Workflow to Optimize Results for an Application

Exporting Open Source Data

Integrating Fortify Software Security Center with Fortify WebInspect Enterprise

Viewing Fortify WebInspect Scan Results in Fortify Software Security Center

WebInspect Audit Data

False Positives

Submitting Dynamic Scan Requests to Fortify WebInspect Enterprise

Processing Dynamic Scan Requests from Fortify WebInspect Enterprise

Editing and Cancelling Dynamic Scan Requests

About Current Issues State

Fortify Software Security Center keeps track of which analysis engine (analyzer) uncovers each

issue in an application version and merges any new information into the existing body of results

for the application version. After new audit information is uploaded to the server or entered on

the AUDIT page, Fortify Software Security Center merges that information into any existing

audit information for a given issue. Fortify Software Security Center also marks an issue as

removed after the analysis engine no longer finds the issue.

Fortify Software Security Center (23.1.0)

Page 310 of 428

User Guide

Chapter 15: Collaborative Auditing

Whenever new scan results are uploaded, Fortify Software Security Center checks every issue to

determine whether it was uncovered in a previous scan.

Viewing Information About Issues to Audit

To display the issues you want to audit:

1. Upload scan results for the application version you want to audit (see "Uploading Scan

Artifacts" on page 295).

2. Open the AUDIT page for the application version.

3. To selectively display the issues you want to audit, apply filters to the issues list. (See

"Filtering Issues for Display on the OVERVIEW and AUDIT Pages" on page 315 and

"Viewing Issues Based on Folders" on page 313 .)

4. In the issues table, if you have selected a grouping, expand a group to view the issues it

contains.

Fortify Software Security Center (23.1.0)

Page 311 of 428

User Guide

Chapter 15: Collaborative Auditing

The following table lists the columns in the issues table and a description of each. To sort listed

issues, click a column heading.

Note: You cannot sort the Contains attachment ( ), Contains comments ( ), or Bug

submitted ( ) columns.

Column

Description

Category

Displays the category of issue uncovered (Sort is alpha-

numeric.)

Primary Location

Shows the file scanned and line of code on which the issue

was detected (Sort is alpha-numeric.)

Analysis Type

Priority

Displays the analysis engine used in the scan

Shows the relative threat the issue represents (Sort is from

high to low or low to high priority.)

Tagged

Displays the custom tag value applied to the issue, if any

Indicates whether any attachments are associated with the

issue

Attachments

Indicates whether any comments were added to the issue

Contains comments

Indicates whether any defects were submitted against the

issue

Bug submitted

Indicates that static and dynamic results for the issue are

correlated. If they are, the issue is listed twice in the table,

once for each analysis type.

Has correlated issues

If either a subsequent static scan or dynamic scan shows

an issue was fixed, the correlation icon is removed.

(Sort displays correlated issues first or last.)

See Also

"Searching Issues" on the next page

Fortify Software Security Center (23.1.0)

Page 312 of 428

User Guide

Chapter 15: Collaborative Auditing

Viewing Issues Based on Folders

The OVERVIEW and AUDIT pages include Critical, High, Medium, Low, and All links, which you

can use to view issues based on their assignment to a Fortify folder. By default, the folders

correspond to Fortify priority values (and the potential risk they pose to the enterprise),

However, the folders displayed can include any custom folders created in and added to a filter

set (and then an issue template) from Fortify Audit Workbench (see the Fortify Audit

Workbench User Guide).

To view issues from the OVERVIEW page based on Fortify folder assignment:

1. On the Dashboard, hover your cursor over the version number of the application of interest,

and then select Overview.

The OVERVIEW page for the application version opens. To the left of the Group by and

Filter by lists, the you can see the total number of issues in their respective folders. By

default, all issues are shown. (If you select attributes to filter by, the numbers displayed for

the folders changes accordingly.)

2. To see the number of issues in a folder that have been reviewed, move your cursor to the

folder.

The number of reviewed issues is on the left, and the total number of issues is on the right.

In the example shown here, you can see that 79 of 84 total high priority issues were

reviewed.

3. To view issue charts on the OVERVIEW page based on an assigned folder, select the folder

or the folder label.

To view issues from the AUDIT page based on Fortify folder assignment:

1. On the Dashboard, hover your cursor over the version number of the application of interest,

and then select Audit.

Fortify Software Security Center (23.1.0)

Page 313 of 428

User Guide

Chapter 15: Collaborative Auditing

The OVERVIEW page for the application version opens. Below the search field, you can see

the number of issues in their respectiveassigned folders. By default, all issues are shown. (If

you select attributes to filter by, the numbers displayed for the folders changes

accordingly.)

2. To see the number of issues assigned to a given folder that have been reviewed, move your

cursor to the folder.

The number of reviewed issues is on the left, and the total number of issues is on the right.

In the example shown here, 79 of 84 total high priority issues were reviewed.

3. To list issues on the AUDIT page based on folder assignment, select the folder.

Viewing Issues Assigned to You

To view all issues assigned to you:

1. On the Fortify header, click APPLICATIONS.

2. In the Applications view, select the My assigned issues check box.

The Applications view lists the application versions and shows the number of issues for

each that are assigned to you. If Fortify Software Security Center finds no issues assigned

to you, it displays a message to let you know.

Fortify Software Security Center (23.1.0)

Page 314 of 428

User Guide

Chapter 15: Collaborative Auditing

Filtering Issues for Display on the OVERVIEW and AUDIT

Pages

Use the following steps to filter issues for display for an application version from either the

OVERVIEW page or from the AUDIT page.

Note: You can also select a filter set to change the issues displayed on the OVERVIEW and

AUDIT pages. For information and instructions, see "Changing Displayed Issues Using Filter

Sets" on page 335.

To filter issues for display on the OVERVIEW or AUDIT page:

1. From the Group by list, select the attribute to use to group the issues in the issues table.

(To remove the selected attribute, click the Clear all icon.)

2. From the Filter by list, select the attributes to use to filter the issues for display in the

issues table. You can select multiple attributes from this list. (You must select attributes

one at a time.)

(To remove a selected attribute, click the x icon next to its name. To remove all selected

attributes, click the Clear all icon.)

3. To filter issues based on values for a custom tag other than Analysis, or based on risks

related to OWASP, WASC, or other security threat classifications:

a. Click the Advanced link which is located under the Filter by list.

Fortify Software Security Center (23.1.0)

Page 315 of 428

User Guide

Chapter 15: Collaborative Auditing

b. In the ADVANCED ISSUE FILTERS window, from the Select filter category list, select a

category. To refine the categories listed, type a text string in the Filter categories box,

and then click FIND.

The Select filters list is populated with the filters available for the selected category.

c. To refine the Select filters list further, type a text string in the Filter options box, and

then click FIND.

The Select filters list displays the filters that contain the matching text.

To see the complete list of filters again, click the x in the Filter categories box.

d. In the Select filters list, click each of the filters you want to add to the Selected filters

list to the right.

e. To add filters for another filter category, repeat these steps.

f. Click APPLY.

Fortify Software Security Center (23.1.0)

Page 316 of 428

User Guide

Chapter 15: Collaborative Auditing

The Filter by box now displays all of the filters you have selected.

4. To remove one of the filters, click the close symbol to its left.

5. To clear all Group by, Filter by, and advanced filter selections, click CLEAR ALL.

6. For information about viewing correlated issues, see "Auditing Correlated Issues" on

page 331.

See Also

"Viewing Issues Based on Folders" on page 313

"Searching Globally in Fortify Software Security Center" on page 348

Fortify Software Security Center (23.1.0)

Page 317 of 428

User Guide

Chapter 15: Collaborative Auditing

Searching Issues

You can create search queries to refine the list of issues displayed for an application version.

To create a query to search issues:

1. In the application version summary table on the Dashboard, move your cursor to the

application version of interest, and then select Audit.

2. In the Search Issues box, type a search query using the following syntax. To indicate the

type of comparison to perform, wrap search terms with delimiters.

Comparison

contains

equals

Description

Searches for a term without any special qualifying delimiters

Searches for an exact match if the term is enclosed in quotation marks

( )

""

number range

not equal

Uses standard mathematical syntax, such as “(” and “)” for exclusive

range and “[” and “]” for inclusive range where (2,4] means greater

than two less than or equal to four

Excludes issues specified by the string by preceding the string with an

exclamation character (!) Example: file:!Main.java returns all

issues that are not in Main.java

Note: To see example search strings, click the Syntax Guide link.

You can further qualify your search terms with modifiers using the syntax

modifier:<search_term>. (See "Search Modifiers" on the next page.)

Note: If an application version is assigned a date-type custom tag, and you want to

search for issues based on that tag, use one of the following formats:

Fortify Software Security Center (23.1.0)

Page 318 of 428

User Guide

Chapter 15: Collaborative Auditing

l

To search for date tags that have no value set:

l

To search for date tags that have a (any) date set:

To search for date tags with a specific date:

<DateCustomTag>: yyyy-mm-dd

A search string can contain multiple modifiers and search terms. If you specify more than

one modifier, Fortify Software Security Center returns only issues that match all of the

modified search terms. For example, file:ApplicationContext.java category:SQL

Injection returns only SQL injection issues found in ApplicationContext.java.

If you use the same modifier more than once in a search string, then the search terms

qualified by those modifiers are treated as an OR comparison. For example,

file:ApplicationContext.java category:SQL Injection category:Cross-

Site Scripting returns SQL injection issues and cross-site scripting issues found in

ApplicationContext.java.

For complex searches, you can also insert the AND or the OR keyword between your search

queries. Note that AND and OR operations have the same priority in searches.

3. Click Find.

Fortify Software Security Center lists all issues that match your search string.

4. To return to the complete issues list, clear the text in the search box.

"Search Query Examples" on page 322

"Searching Globally in Fortify Software Security Center" on page 348

Search Modifiers

You can use a search modifier to specify which attribute of an issue the search term should

apply to. To use a modifier that contains a space in the name, such as the name of the custom

tag, you must delimit the modifier with brackets. For example, to search for issues that are new,

enter [issue age]:new.

A search that you do not qualify using a modifier matches the search string based on the

following attributes: kingdom, primary rule id, analyzer, filename, severity, class name, function

name, instance id, package, confidence, type, subtype, taint flags, category, sink, and source.

To apply the search to all modifiers, enter a string such as control flow. This searches all

modifiers and returns any result that contains the specified string.

To apply the search to a specific modifier, type the modifier name and the string as follows:

analyzer:control flow. This returns all results whose analyzer is control flow.

Fortify Software Security Center (23.1.0)

Page 319 of 428

User Guide

Chapter 15: Collaborative Auditing

The following table lists the search modifiers. A few of these have a shortened names, which are

indicated in parentheses. You can use either modifier string.

Modifier

Description

[issue age]

Searches for the issue age, which is new, updated,

reintroduced, or removed.

Searches the specified custom tag. Note that tag names

that contain spaces must be delimited by square

brackets.

<custom_tagname>

Example: [my tag]:value

Searches for issues that have the specified audit analysis

analysis

value (such as exploitable, not an issue, and so on).

Searches the issues for the specified analyzer

analyzer

audience

Searches for issues by intended audience. Valid values

are targeted, medium, and broad.

Note: This metadata is legacy information that is no

longer used and will be removed in a future release.

Fortify recommends that you not use this search

modifier.

audited

Searches the issues to find true if the primary custom

tag is set and false if the primary custom tag is not set.

The default primary tag is the Analysis tag.

Searches for the given category or category substring.

category (cat)

Searches for issues that contain the search term in the

comments that have been submitted on the issue.

comments

(comment, com)

Searches for issues with comments from the specified

user.

commentuser

Searches for issues that have the specified confidence

value. Fortify Static Code Analyzer calculates the

confidence value based on the number of assumptions

made in code analysis. The more assumptions made, the

confidence (con)

Fortify Software Security Center (23.1.0)

Page 320 of 428

User Guide

Chapter 15: Collaborative Auditing

Modifier

Description

lower the confidence value.

[engine priority]

Searches for issues based on the original priority value

determined by the engine that identified the issue.

Searches for issues where the primary location or sink

node function call occurs in the specified file.

file

Searches for issues that have a priority level that

matches the specified priority. Valid values are

[fortify priority order]

critical, high, medium, and low.

Searches for issues that have audit data modified by the

specified user.

historyuser

Searches for all issues in the specified kingdom.

kingdom

maxconf

Searches for all issues that have a confidence value equal

to or less than the number specified as the search term.

Searches the specified metadata external list. Metadata

external lists include [OWASP Top 10 2013], [SANS Top

25 2011], and [PCI <version>], and others. Square braces

delimit field names that include spaces.

<metadata_listname>

Searches for all issues that have a confidence value equal

to or greater than the number specified as the search

term.

minconf

Searches for issues where the primary location occurs in

the specified package or namespace. For dataflow issues,

the primary location is the sink function.

package

Searches for issues where the primary location or sink

node function call occurs in the specified code context.

Also see sink and [source context].

[primary context]

Searches for all issues related to the specified sink rule.

primaryrule (rule)

sink

Searches for issues that have the specified sink function

name. Also see [primary context].

Fortify Software Security Center (23.1.0)

Page 321 of 428

User Guide

Chapter 15: Collaborative Auditing

Modifier

Description

Searches for dataflow issues that have the specified

source function name. Also see [source context].

source

Searches for dataflow issues that have the source

function call contained in the specified code context

[source context]

sourcefile

status

Also see source and [primary context].

Searches for dataflow issues with the source function call

that the specified file contains.

Also see file.

Searches issues that have the status reviewed, not

reviewed, or under review.

Searches for suppressed issues.

suppressed

taint

Searches for issues that have the specified taint flag.

For examples of search queries that use modifiers, see "Search Query Examples" below.

See Also

"Searching Issues" on page 318

Search Query Examples

The following are search query examples that use search modifiers.

l

To search for all privacy violations in file names that contain jsp with getSSN() as a source,

type:

category:"privacy violation" source:getssn file:jsp

l

To search for all file names that contain com/fortify/ssc, type:

file:com/fortify/ssc

l

To search for all issues that contain cleanse as part of any modifier, type:

cleanse

l

To search for all audited issues that have the [my tag] assigned and set to P1, type:

[my tag]:P1

l

To search for all suppressed vulnerabilities with asdf in the comments, type:

suppressed:true comments:asdf

Fortify Software Security Center (23.1.0)

Page 322 of 428

User Guide

Chapter 15: Collaborative Auditing

l

To search for all categories except for SQL Injection, type:

category:!SQL Injection

l

To search for all issues in file names that contain either java or jsp, type:

filename:java OR filename:jsp

l

To search for all issues in file names that contain java and that occur on line number 12,

type:

filename:java AND line:12

See Also

"Searching Issues" on page 318

"Search Modifiers" on page 319

Auditing Scan Results

Note: The following procedure describes how to audit scan results from the AUDIT page. If

you are working with open source results, you can audit these from either the AUDIT page

or from the OPENSOURCE page.

To display the issues you want to audit:

1. Upload scan results for the application version you want to audit. For instructions, see

"Uploading Scan Artifacts" on page 295.

2. Open the AUDIT view for the application version.

The table in the AUDIT view lists issues based on their assigned folders (by default, critical

to low).

3. To selectively display the issues you want to audit, apply filters to the issues list. (See

"Filtering Issues for Display on the OVERVIEW and AUDIT Pages" on page 315 and

"Viewing Issues Based on Folders" on page 313 .)

4. In the issues table, if you have selected an attribute to group by, expand a group to view

Fortify Software Security Center (23.1.0)

Page 323 of 428

User Guide

Chapter 15: Collaborative Auditing

the issues it contains.

To audit an issue:

1. To expand an issue and view its details, click its row in the table.

The following screen capture shows the details for an issue uncovered during a Fortify

Static Code Analyzer scan. For information about viewing Fortify WebInspect results, see

"Viewing Fortify WebInspect Scan Results in Fortify Software Security Center" on page 355.

Fortify Software Security Center (23.1.0)

Page 324 of 428

User Guide

Chapter 15: Collaborative Auditing

Tip: To view the details for the issue in a new browser window, click the Open in a new

tab button ( ). To copy the issue link so that you can easily access it later, click the

Copy issue link to clipboard button ( ).

The CODE tab displays the path the tainted data have taken in the source code associated

with the issue.

2. To view summary details about a step along the course that tainted data has taken, under

Analysis Trace, move your cursor to that step.

3. To view code associated with a step, click the step under Analysis Trace.

The corresponding line of code is highlighted on the CODE tab.

Fortify Software Security Center (23.1.0)

Page 325 of 428

User Guide

Chapter 15: Collaborative Auditing

4. To search for a specific string in the code associated with the issue:

a. Click the search icon .

b.

In the text box displayed, type a character string. Use the next

icons to move through the search results.

and previous

5. To view any audit history available for the issue, in the right pane, select the HISTORY tab.

Fortify Software Security Center (23.1.0)

Page 326 of 428

User Guide

Chapter 15: Collaborative Auditing

6. To see an issue overview, details about the finding, recommendations for remediation, issue

metadata, references to additional resources, and implications for your application version,

in the right pane, select the INFO tab.

7. To expand a row and view a class of information, select the corresponding arrow ( ).

Fortify Software Security Center (23.1.0)

Page 327 of 428

User Guide

Chapter 15: Collaborative Auditing

8. When you have enough information to start your audit, in the right pane, select the AUDIT

tab.

9. (Optional) To exclude an issue from display because you know it is fixed or it is not of

immediate concern, click SUPPRESS.

10. (Optional) If your administrator has configured application security training in Fortify

Software Security Center (see "Configuring Application Security Training" on page 81) you

can click GET TRAINING to get contextually-appropriate guidance on how to mediate the

selected issue. A message advises you that you are about to leave Fortify Software Security

Center. Click OK.

Fortify Software Security Center opens the application security training website in a new

browser tab that displays training content based on the category, subcategory, and

language of the selected issue.

Note: After a file is attached to an issue, you can modify only its description.

11. To attach a file to the issue:

Fortify Software Security Center (23.1.0)

Page 328 of 428

User Guide

Chapter 15: Collaborative Auditing

a. In the left pane, click ATTACHMENTS.

b. Click CLICK HERE TO ADD.

c. In the UPLOAD ATTACHMENT dialog box, click BROWSE, and then navigate to and

select the file to upload.

Supported file formats are TXT, LOG, DOC, DOCX, PDF, PPT, PPTX, JPG, JPEG, BMP,

PNG, TIFF, GIF, ZIP, GZIP, TAR, and 7ZIP. (Documents in XML format are not

supported.)

Note: The file size must not exceed 3 MB.

d. (Optional) In the Description box, type a description of the file.

e. Click SAVE.

If you attached an image file, Fortify Software Security Center displays a preview of the

image on the right, under Image Preview.

12. Click CODE, and then, in the right pane, select the AUDIT tab.

Fortify Software Security Center (23.1.0)

Page 329 of 428

User Guide

Chapter 15: Collaborative Auditing

13. To assign a user to the issue:

a. Under USER, click the Edit assigned user icon

.

b. To locate a user to assign to the issue from the SELECT USER dialog box, in the Find

user box, type part or all of a user's name, and then click FIND.

c. In the list of returned names, click the name of the user to assign to the issue.

d. Click DONE.

The AUDIT tab now displays the selected user name and avatar (if available).

14. From the <Primary_Tag_Name> list, select a value that reflects your assessment of this

issue. Fortify Software Security Center treats the issue as unaudited.

15. If additional custom tags are associated with the application version, specify the values for

those tags.

Note: If an administrator specified that a comment is required for a custom tag you

assign, then you must type a comment in the box outlined in red, which appears under

the custom tag value list.

Fortify Software Security Center (23.1.0)

Page 330 of 428

User Guide

Chapter 15: Collaborative Auditing

Note: If Audit Assistant assessed the issues, the right pane displays additional fields

AA_Prediction, AA_Confidence, and AA_Training). For information about how to use

these fields, see "Reviewing Audit Assistant Results" on page 347.

16. In the COMMENTS box, type a comment about this issue audit. (After you save your audit

settings, the COMMENTS section lists your comment, as well as any other comments

previously saved.)

17. At the bottom of the AUDIT tab, click SAVE.

Auditing Correlated Issues

If the artifacts uploaded for the application version include results from both static (Fortify

Static Code Analyzer) and dynamic (WebInspect) analyses, some issues may be correlated with

one another.

If an issue is correlated with one or more other issues uncovered using a different analysis

engine, the Has correlated issues icon is displayed, along with the number of correlated issues

that either target or originate from the selected issue.

To list issues that are correlated with other issues at the top of the table, click the Has

correlated issues icon twice.

The number shown in the blue circle indicates how many issues are correlated with an issue.

To list the correlated issue or issues:

Fortify Software Security Center (23.1.0)

Page 331 of 428

User Guide

Chapter 15: Collaborative Auditing

l

Click the circle or the Has correlated issues icon,

You can audit the listed issues as described in "Auditing Scan Results" on page 323.

Note: If, following an audit, a developer fixes the root problem uncovered in one issue, the

remaining correlated issues may also be fixed.

To return to the complete issues table, to the right of the Filter by list, click CLEAR ALL.

"About Audit Assistant" on page 82

About Suppressed, Removed, and Hidden Issues

You can control whether the issues pane lists suppressed, removed, and hidden issues.

Suppressed issues

As you assess successive scans of an application version, you might want to completely

suppress some exposed issues. It is useful to mark an issue as suppressed if you are sure that

the specific vulnerability is not, and will never be, an issue of concern. You might also want to

suppress warnings for specific types of issues that might not be high priority or of immediate

concern. For example, you can suppress issues that are fixed, or issues that you plan not to fix.

Suppressed issues are not included in the Total Issues value shown in the Version Progress

section of the expandable pane of the OVERVIEW page. Suppressed issues are also not included

in the calculation of application version metrics. For information about how to suppress an issue,

see "Auditing Scan Results" on page 323. For information on how to see suppressed issues, see

"Set ting Issue Viewing Preferences" on th e next page.

Fortify Software Security Center (23.1.0)

Page 332 of 428

User Guide

Chapter 15: Collaborative Auditing

Removed issues

As multiple scans are run on an application over time, issues are often remediated or become

obsolete. As Fortify Software Security Center merges scan results, it marks issues that were

uncovered in a previous scan, but are no longer evident in the most recent analysis results as

Removed.

Removed issues are not included in the Total Issues value shown in the Version Progress

section of the expandable pane on the OVERVIEW page. For information on how to see

removed issues, see "Setting Issue Viewing Preferences" below.

Hidden issues

In Fortify Audit Workbench, users typically hide a group of issues temporarily so that they can

focus on other issues. For example, you might hide all issues except those assigned to you.

For information on how to see hidden Issues, see "Setting Issue Viewing Preferences" below.

Setting Issue Viewing Preferences

You can set certain viewing preferences for individual application versions from the Application

Profile dialog box.

Viewing Suppressed Issues

To view the suppressed issues associated with an application version:

1. From the Dashboard or Applications view, select the version for the application version you

are interested in.

Fortify Software Security Center opens the AUDIT page for the selected version.

2. On the application version toolbar, click PROFILE.

The APPLICATION PROFILE dialog opens to the ADVANCED OPTIONS tab.

Below the check boxes, the Issue counts by state, based on current selections shows the

number of hidden, suppressed, and removed issues in the database associated with the

selected application version.

Fortify Software Security Center (23.1.0)

Page 333 of 428

User Guide

Chapter 15: Collaborative Auditing

Note: The filter set you select does not affect the number of suppressed issues shown.

For example, if a suppressed issue is hidden in the selected filter set, it is still included

in the count of suppressed issues.

3. Select the Show suppressed issues check box.

4. Click APPLY, and then click CLOSE.

Now, the AUDIT page displays all suppressed issues. Each suppressed issue is tagged with an

"S" icon in the Primary Location column.

Viewing Removed Issues

When Fortify Software Security Center merges uploaded scan results, it removes issues that

were uncovered in the previous analysis but are no longer evident in the most recent results.

To view the issues that were removed for an application version:

1. From the Dashboard or Applications view, select the version name for the application

version you are interested in.

Fortify Software Security Center opens the AUDIT page for the selected version.

2. On the application version toolbar, click PROFILE.

The APPLICATION PROFILE dialog opens to the ADVANCED OPTIONS tab.

Below the check boxes, the Issue counts by state, based on current selections shows the

number of hidden, suppressed, and removed issues in the database associated with the

selected application version.

Note: The filter set you have selected does not affect the number of removed issues

shown. For example, if a suppressed issue is hidden in the selected filter set, it is still

included in the count of removed issues.

3. Select the Show removed issues check box.

4. Click APPLY, and then click CLOSE.

Now, the AUDIT page displays all removed issues. Each removed issue is tagged with an "R" icon

in the Primary Location column.

Fortify Software Security Center (23.1.0)

Page 334 of 428

User Guide

Chapter 15: Collaborative Auditing

Viewing Hidden Issues

In Fortify Software Security Center, hidden issues are the issues that are not shown because of

the filter set rules currently in effect.

To reveal any hidden issues associated with an application version:

1. From the Dashboard or Applications view, select the version for the application version you

are interested in.

Fortify Software Security Center opens the AUDIT page for the selected version.

2. On the application version toolbar, click PROFILE.

The APPLICATION PROFILE dialog opens to the ADVANCED OPTIONS tab.

Below the check boxes, the Issue counts by state, based on current selections shows the

number of hidden, suppressed, and removed issues in the database associated with the

selected application version.

3. Select the Show hidden issues check box.

4. Click APPLY, and then click CLOSE.

Now, the AUDIT page displays all hidden issues. Each hidden issue is tagged with an "H" icon in

the Primary Location column.

Changing Displayed Issues Using Filter Sets

Note: The filter sets listed depend on the issue template assigned to the application

version. The three filter sets shown here are included in the issue templates that Fortify

provides. However, you can use other issue templates that have different filter set names

and filter conditions.

Fortify Software Security Center provides the following filter sets for changing the display of

application version issues on the OVERVIEW, AUDIT, and OPEN SOURCE pages:

l

Quick View

The Quick View filter set provides a view of issues in the Critical folder (these have a

potentially high impact and a high likelihood of occurring) and the High folder (these have a

Fortify Software Security Center (23.1.0)

Page 335 of 428

User Guide

Chapter 15: Collaborative Auditing

potentially high impact and a low likelihood of occurring). This filter set provides a useful first

look at results that enables you to quickly address the most pressing issues.

l

Security Auditor View

This view reveals a broad set of security issues to be audited. The Security Auditor View filter

contains no visibility filters, so all issues are shown.

l

PCI Auditor View

This view is defined for individuals responsible for auditing an application with respect to its

compliance with Payment Card Industry Security Standards.

Overriding Assigned Issue Priority

When scan results are parsed and loaded into Fortify Software Security Center, the scan parser

for each supported engine type assigns a priority value to each issue. However, this priority

value does not reflect the full context of the affected code or application. Other factors that

concern the use of the affected code may justify assigning a different priority. For example, a

vulnerability assigned the "critical" priority value may be better classified as "medium" or "low"

priority if the section of code in question is never invoked in the application, or if the application

is intended for use exclusively by a small department and has no connections to other

applications and systems, so the identified vulnerability would have a low likelihood of being

exploited. To enable such a use case, Fortify Software Security Center provides the capability

for trusted users to change the priority originally assigned to an issue. Such priority changes are

reflected in generated reports.

Caution! Enabling or disabling this feature must be considered as a long-term change in

that it affects generated reports, computed metrics, and so on, depending on the data in the

system. Make sure that, before you enable or disable it, you discuss the planned change

with your security lead.

Fortify Software Security Center (23.1.0)

Page 336 of 428

User Guide

Chapter 15: Collaborative Auditing

Enabling and Disabling Priority Override Capability on Fortify Software Security Center

You can enable priority overrides on your system either during a new deployment of Fortify

Software Security Center, or on an existing Fortify Software Security Center instance.

Enabling the Priority Override Capability

To enable the priority override capability:

1. In the left pane of the ADMINISTRATION view, select Configuration, and then select Issue

Audit.

2. Select the Enable priority override check box.

3. Click SAVE.

4. Restart the server.

After server restart, the feature is enabled and is applied to all application versions. On the

AUDIT page, the issue details (AUDIT tab) now includes the PRIORITY OVERRIDE list tag.

Enabling Trusted Users to Override Issue Priority

To enable your users to make use of this functionality, create a new user role for them that

includes the "Edit restricted custom tag values" permission. Grant these roles only to trusted

users who have the knowledge and diligence to accurately assess issue priority. For information

about how to create a user role, see "Creating Custom Roles" on page 209.

Note: Any user roles with permission to edit restricted custom tag values can override issue

priority. (The system-defined Security Lead role already has the ability to edit restricted

custom tags.)

Disabling the Priority Override Capability

To disable the priority override capability:

1. In the left pane of the ADMINISTRATION view, select Configuration, and then select Issue

Audit.

2. Clear the Enable priority override check box.

3. Click SAVE.

4. Restart the server.

After server restart, the feature is disabled system-wide, and the PRIORITY OVERRIDE list tag

is no longer visible in the issue details.

Fortify Software Security Center (23.1.0)

Page 337 of 428

User Guide

Chapter 15: Collaborative Auditing

Overriding Priority Values During an Audit

To override the priority value for an issue during an audit:

1. On the AUDIT page, expand the row that contains the issue.

2. On the AUDIT tab in the right pane, from the PRIORITY OVERRIDE list, select the

preferred priority value.

3. (Required) In the box outlined in red below the list, type a comment to explain why you

changed the value.

Note: If you want to undo the override before you save the audit, click UNDO at the

bottom of the pane.

4. To save the new priority value and associated comments, click SAVE.

Viewing Issues That Have Changed Priority Values

To view issues that have priority values that you and others have manually assigned,

from the Group by list, selectPriority Override.

The issues table lists issues with overridden priorities, grouped by PRIORITY OVERRIDE tag

value. Issues with unchanged priority values are grouped under Not Set.

To see how the Priority value was changed, hover your cursor over the information icon.

Fortify Software Security Center (23.1.0)

Page 338 of 428

User Guide

Chapter 15: Collaborative Auditing

Viewing Priority Override Information in Issue Reports

If the priority override tag was used in auditing an application version, you can include the

information in the issue reports you generate.

To include priority override information in a new issue report, as you specify the parameters for

the report, leave the Detailed Report and Categories by Fortify Priority check boxes

selected.

If an issue report includes issues that have overridden priority values (and have Detailed

Report and Categories by Fortify Priority options selected), a note to that effect is displayed

on the cover page, as shown here:

If the priority override feature is used, and the Detailed Report and Categories by Priority

parameters are selected (either manually or by default), the Issues by Priority cube in the

Executive Summary displays a double asterisk where issues have changed priority values.

Fortify Software Security Center (23.1.0)

Page 339 of 428

User Guide

Chapter 15: Collaborative Auditing

The Issue Details sections of these reports show the current priority values, along with the

original priority values.

Reverting to Original Priority Values

If you overrode the originally-assigned priority value for an issue, and then saved it, but you

now want to revert the priority value to its original value:

1. On the AUDIT page, expand the row that contains the issue.

2. To the right of the PRIORITY OVERRIDE list tag, click the revert icon ( ).

3. (Required) In the box outlined in red below the list, type a comment to explain why you

changed the value.

4. To save the new priority value and associated comments, click SAVE.

Reports reflect the current effective priority value, whether that is the original priority set by the

engine (if unmodified) or the overridden value. If a user changed the priority value, those

reports show the changed value. If not, the reports show the original priority.

Fortify Software Security Center (23.1.0)

Page 340 of 428

User Guide

Chapter 15: Collaborative Auditing

Viewing Bugs Submitted for Issues

The issues table on the AUDIT page includes a Bug submitted column

a bug has been submitted against a listed issue.

that shows whether

To view the bug, click the VIEW BUG icon , and log in to the assigned bug tracking

application.

Tip: To view a bug, you must use a browser supported by the bug tracker application.

Auditing a Batch of Issues

To audit multiple issues at a time for an application version:

1. Open the AUDIT view for the application version.

2. In the issues list, select all of the check boxes for the issues you want to include in the batch

audit.

3. Click AUDIT.

Fortify Software Security Center (23.1.0)

Page 341 of 428

User Guide

Chapter 15: Collaborative Auditing

The AUDIT/ASSIGN dialog box opens.

4. To assign a user to the selected issues:

a. To open the SELECT USER dialog box, select the Edit assigned user icon

.

b. To locate a user to assign to these issues, in the Find user box, type part or all of a

user's name, and then click FIND.

c. In the list of returned names, click the name of the user to assign.

d. Click DONE.

The USER section now displays the selected user name and avatar (if available).

5. From the ANALYSIS list, select a value that reflects your assessment of this batch of

issues.

6. (Optional) In the COMMENTS box at the bottom, type a comment about this issue audit.

7. Click APPLY.

See Also

"About Prediction Policies" below

Fortify Software Security Center (23.1.0)

Page 342 of 428

User Guide

Chapter 15: Collaborative Auditing

Using Audit Assistant

The following sections provide information about Audit Assistant workflow, prediction policies

and how to use them, how to enable metadata sharing, how to submit data to Audit Assistant,

and how to review Audit Assistant results.

Audit Assistant Workflow

The workflow for using Audit Assistant is as follows:

1. Obtain a Fortify Scan Analytics account, as follows:

a. Go to https://analytics.fortify.com.

b. Click Need an Account?

c. Complete the fields on the Request a Fortify Scan Analytics Tenant form, and then click

Request Now.

Fortify sends an email with information about how to connect to Fortify Scan Analytics.

2. From Fortify Scan Analytics, create one or more policies.

3. (Optional) Choose to share anonymous metadata.

4. Obtain a Fortify Scan Analytics token.

5. From Fortify Software Security Center:

l

Configure and test the connection to Fortify Scan Analytics and then, on the Audit

Assistant Configuration page, click REFRESH POLICIES to populate the Default

prediction policy list (see "Configuring Audit Assistant" on page 84).

l

Specify a default prediction policy.

l

(Optional) Enable Audit Assistant to automatically send unaudited issues to Fortify Scan

Analytics for prediction.

l

(Optional) Enable Audit Assistant to automatically apply predicted values to custom

tags.

Fortify Software Security Center (23.1.0)

Page 343 of 428

User Guide

Chapter 15: Collaborative Auditing

6. From Fortify Software Security Center, open an application version, and submit the latest

completely audited scan to Audit Assistant. This step is referred to as training.

7. From Fortify Software Security Center, open an application version and submit its Fortify

Static Code Analyzer scan results to Audit Assistant.

8. After Audit Assistant completes its assessment, view those results and, if necessary, adjust

them.

9. Submit corrected results to Audit Assistant.

The following sections describe how to obtain an authentication token from Fortify Scan

Analytics, and then use that token to configure a connection to Fortify Scan Analytics. Later

sections describe how to prepare Scan Analytics for metadata submission, submit data, review

Audit Assistant results, and then submit corrected audit data.

See Also

"Defining Prediction Policies" on the next page

"Enabling Auto-Apply and Auto-Predict for an Application Version" on page 238

"Enabling Metadata Sharing" on page 346

"Submitting Training Data to Audit Assistant" on page 346

"Reviewing Audit Assistant Results" on page 347

About Prediction Policies

To use Audit Assistant to process your scan results, you must first define at least one prediction

policy in Fortify Scan Analytics. Prediction policies determine the confidence thresholds that

Audit Assistant (and Fortify Scan Analytics) uses to determine which issues to treat as

indeterminate - that is, neither a true issue nor a non-issue.

Note: During Audit Assistant configuration, the administrator selects a default global

prediction policy, which Scan Analytics uses for the application version if no prediction

policy is specified for that application version. If a prediction policy is specified for an

application version, then Scan Analytics uses that policy to assess issues.

"Configuring Audit Assistant Options for an Application Version" on page 258 "Configuring Audit

Assistant" on page 84

"About Audit Assistant Auto-Prediction" on page 86

Fortify Software Security Center (23.1.0)

Page 344 of 428

User Guide

Chapter 15: Collaborative Auditing

Defining Prediction Policies

To use Audit Assistant, you must define at least one prediction policy that Audit Assistant can

use to determine which issues to treat as indeterminate (neither a true issue nor a non-issue).

For more information, see "About Prediction Policies" on the previous page.

To define a prediction policy:

1. Log in to Fortify Scan Analytics (https://analytics.fortify.com).

2. On the Fortify header, select PREDICTION POLICIES.

3. On the Prediction Policies page, click +ADD.

4. In the Policy Name box on the Prediction Policies > Add page, type a name for the policy.

The Prediction Policies | Add page contains two confidence threshold settings. You use

these to configure which issues Audit Assistant is to treat as indeterminate - that is, neither

a true issue nor a non-issue.

Audit Assistant results include the following:

l

The AA_Prediction value groups issues based on Audit Assistant’s assessment of their

exploitability. Possible values are Exploitable, Below Threshold – Exploitable, Not an

issue, Below Threshold – Not an issue and Not Predicted.

Note: Audit Assistant only predicts on dataflow and control flow static analysis

issues.

l

The AA_Confidence value (percentage value that ranges from 0.00 to 1.00) shows

Audit Assistant's level of confidence in the AA_Prediction value.

If the AA_Confidence value falls below either of the confidence thresholds you set here for

the prediction policy, then Audit Assistant treats the issue as indeterminate, and assigns it

the AA_Prediction value Not Predicted.

5. Set the Confidence Threshold - Not an Issue and the Confidence Threshold -

Exploitable sliders to acceptable levels for the applications on Fortify Software Security

Center.

Note: The higher you set the threshold values, the less likely it is that the Audit

Assistant results contain false negatives. (Tests using the default 80% threshold values

result in false negative occurrence of less than one percent.)

6. (Optional) In the Description box, type a policy description.

7. Click SAVE.

"Configuring Audit Assistant Options for an Application Version" on page 258

Fortify Software Security Center (23.1.0)

Page 345 of 428

User Guide

Chapter 15: Collaborative Auditing

Enabling Metadata Sharing

You can contribute your audit metadata to the Fortify Community Intelligence data set (pool of

anonymous auditing metadata from Fortify users). If you do, you can take advantage of the

Fortify Community Intelligence data pool to assess your own data. Otherwise, Audit Assistant

restricts the metadata it uses to assess your issues to just the training metadata you submit.

Note: If you submit no training data and you do not enable metadata sharing, then Fortify

Scan Analytics Fortify Scan Analytics assesses no issues.

To enable data sharing:

1. Log in to Fortify Scan Analytics (https://analytics.fortify.com).

2. In the left pane, select Settings.

3. Select the Share anonymous issue metrics check box.

4. Click Save.

"About Prediction Policies" on page 344

Submitting Training Data to Audit Assistant

The following procedure describes how to submit training data to Audit Assistant for

assessment. Keep in mind that all data transferred from the Fortify Software Security Center

environment is anonymized and contains no sensitive information. Also, be aware that only the

primary custom tag for an application version is included in the data sent to Audit Assistant for

training.

To submit training data to Audit Assistant:

1. From the Dashboard, open the OVERVIEW, ARTIFACTS, AUDIT or TREND page for the

application version of interest.

2. On the application version toolbar, click PROFILE.

3. In the APPLICATION PROFILE dialog box, click the AUDIT ASSISTANT TRAINING tab.

Note: The AUDIT ASSISTANT TRAINING tab is visible only if an administrator has

configured Audit Assistant integration with Fortify Software Security Center. For

information about Audit Assistant configuration, see "Configuring Audit Assistant" on

page 84.

The Data last sent for training field shows the date and time training data for the

application version was last submitted.

4. To submit new training data, click SEND FOR TRAINING.

The Data last sent for training field displays the Sending status.

Fortify Software Security Center (23.1.0)

Page 346 of 428

User Guide

Chapter 15: Collaborative Auditing

5. After the Data last sent for training field is refreshed with the updated date and time,

close the APPLICATION PROFILE dialog box.

6. On the application version toolbar, click ARTIFACTS, and then check to see whether the

Status field for your upload is Processing Complete.

After processing is completed, you can view the results from the AUDIT page. For instructions,

see "Reviewing Audit Assistant Results" below.

See Also

"About Audit Assistant" on page 82

"Enabling Auto-Apply and Auto-Predict for an Application Version" on page 238

Reviewing Audit Assistant Results

After you submit scan results to Audit Assistant and Audit Assistant finishes its assessment of

the issues, you can examine the results.

To view Audit Assistant results:

1. Navigate to the AUDIT page for the application version.

2. Use the Fortify Priority risk links, the Group by list, and Filter by lists to display the issues

you want to audit. (See "Viewing Issues Based on Folders" on page 313 and "Filtering Issues

for Display on the OVE RVIEW and AUDIT Pages" on page 315 .)

3. In the issues table, if you have selected a grouping, expand a group to view the issues it

contains.

4. To expand an issue and view its details, click its row in the table.

5. In addition to the Analysis tag and any other custom tags associated with the application

version, the right pane displays:

Fortify Software Security Center (23.1.0)

Page 347 of 428

User Guide

Chapter 15: Collaborative Auditing

l

AA_PREDICTION - Exploitability level that Audit Assistant assigned to the issue.

l

AA_CONFIDENCE - Audit Assistant's level of confidence in the accuracy of its AA_

PREDICTION value. This is a percentage, expressed in values that range from 0.000 to

1.000. For example, the value 0.982 Indicates a confidence level of 98.2 percent.

6. If your exploitability assessment agrees with the AA_Prediction value displayed, you can

select the value that corresponds to the AA assessment from the list of custom tag values.

Otherwise, select a different custom tag value.

7. Click SAVE.

See Also

"About Audit Assistant" on page 82