Fortify Software  
Document Release Date: May 2024  
What’s New in Fortify Software 24.2.0  
May 2024  
This release of Fortify Software includes the following new functions and features.  
Fortify Software Security Center  
The following features have been added to Fortify Software Security Center.  
Data Retention  
Administrators can define a time period for retaining application version artifacts.
Customizable UI Theme  
You can now set the UI theme to dark, light, or automatic.  
Customized BIRT Reports  
• Generate and download customized BIRT reports in XLSX format.
• Supports BIRT Report Designer 4.14.0
Synchronize Audit History Changes in Fortify ScanCentral DAST using Kafka
You can set up Kafka to synchronize audit history changes for suppressed issues, priority  
override, and analysis tag with Fortify ScanCentral DAST.  
fortifyclient Timeouts
Set up timeouts for connect, read, and write for fortifyclient.  
OpenText™ Fortify Software (24.2.0)  
Page 1 of 32  
Kubernetes support  
1.29  
Helm support  
3.13 and 3.14  
Fortify ScanCentral SAST  
The following features have been added to Fortify ScanCentral SAST.  
Sensor Version Support  
Scan requests initiated from older clients can be assigned and processed by newer sensor  
versions.  
Encoded Tokens  
Added support for encoded tokens (decoded tokens are deprecated).  
ScanCentral SAST Client  
• Ability to use the Debricked CLI for open source software composition analysis (for use with Fortify on Demand only).
• Simplified commands by automatically detecting requirements.txt for Python projects and the PHP version for PHP projects, and by setting a default value for the package name.
ScanCentral Controller  
You can configure the Controller to disallow queuing multiple scan requests that are uploaded  
to the same application version. If enabled, newer scan requests will replace the one that is in  
the queue while keeping its priority. It can be overridden with an option for individual scan  
requests.  
Updated Build Tool Support  
• Support for Gradle 8.6
• Support for dotnet 8.0
• Support for MSBuild 17.9
Fortify Static Code Analyzer  
The following features have been added to Fortify Static Code Analyzer.  
Platforms  
• macOS 14 support
Languages  
• Angular 16.1 and 16.2
• Apex 59 and 60
• C23
• Dart 3.1
• Django 5.0
• Flutter 3.13
• Go 1.21 and 1.22
• Java 21
• Kotlin 1.9
• PHP 8.3
• Scala 3, versions 3.3-3.4
• Swift 5.10
• TypeScript 5.1 and 5.2
• Visual Basic (VB.NET) 16.9
Compilers  
• gcc 13
• g++ 13
• Swiftc 5.9.2, 5.10
Build tools  
• Bazel 6.4.0
• CMake 3.23.3 and later
• MSBuild 17.9
• xcodebuild 15.3
Features/Updates  
• ARM JSON Templates (IaC)
• AWS CloudFormation (IaC)
• Scanning .NET requires .NET SDK 8.0.
• The default Python version is now 3.
• The default scan policy has changed from classic to security. The security scan policy excludes issues related to code quality from the analysis results.
• Ability to specify the location of a custom supported JDK or JRE version that is not included in the Fortify Static Code Analyzer installation
• Fortify Static Code Analyzer automatically detects the content of files with a .cls extension to determine if they are Apex or Visual Basic code. This removes the need to include the -apex option, which is now deprecated.
• Updated LOC (lines of code) calculation: The LOC calculation returns the total number of new lines, including blank lines and comments. The LOC value is closely aligned with what you might see in your code editor. Because of changes to how LOC is calculated, these values should not be compared to values achieved with previous releases of OpenText Fortify Static Code Analyzer.
Fortify Static Code Analyzer Tools  
The following features have been added to Fortify Static Code Analyzer tools.  
Fortify Applications and Tools Installer  
Now includes the standalone Fortify ScanCentral SAST client.  
Fortify Audit Workbench  
Now includes a timeout setting for downloading analysis results from Fortify Software Security  
Center.  
Secure Coding Plugins  
• Support for Red Hat Enterprise Linux (RHEL) 9
• Support for macOS 14
• Fortify Visual Studio Extension supports suppressing issues and auditing multiple issues in batch when remediating analysis results on Fortify Software Security Center.
• Fortify Plugin for Eclipse, Fortify Analysis Plugin for IntelliJ IDEA and Android Studio, and the Fortify Extension for Visual Studio support analysis with a standalone ScanCentral SAST client.
• Support for Eclipse 2023-12 and 2024-03
• Support for IntelliJ IDEA 2023.3 and 2024.1
• Support for Android Studio 2023.1 and 2023.2
• The Fortify Analysis Plugin for IntelliJ IDEA and Android Studio, Fortify Plugin for Eclipse, and Fortify Extension for Visual Studio will be available in the relevant marketplaces.
New Issue Reports  
• DISA STIG 5.3
• OWASP Mobile Top 10 2024
Fortify ScanCentral DAST  
The following features have been added to ScanCentral DAST.  
Syncing of Suppressed Issues in Fortify Software Security Center  
You can now configure Kafka settings in ScanCentral DAST to provide support for the syncing  
of audit history changes in Fortify Software Security Center, including support for suppressed  
issues. Additionally, you can show or hide suppressed issues in the ScanCentral DAST Scans  
view and scan visualization.  
Regex Editor Tool  
ScanCentral DAST now includes a Regex Editor tool that enables you to construct and test  
regular expressions.  
Perform Actions on Multiple Scans  
You can select multiple scans and then pause, start, stop, delete, or publish them.  
Use an Access Token for Sensor Auto Scaling  
When configuring Sensor Auto Scaling in a Kubernetes environment, you can now configure  
ScanCentral DAST to read an access token from the default path in Kubernetes, to retrieve the  
token from a specific path in the container, or to use a long-lived access token.  
DAST Health Monitoring  
Readiness and liveness probe commands have been added to ScanCentral DAST services to  
enable Kubernetes to detect failures and restart containers.  
OAuth 2.0 Support  
You can now configure Client Credentials Grant and Password Credentials Grant OAuth 2.0  
authentication flows for scans requiring network authentication.  
Mac Version of Event-based Web Macro Recorder Tool  
The Event-based Web Macro Recorder tool is available for Mac, which enables you to create  
login and workflow macros on macOS.  
Fortify WebInspect  
The following features have been added to WebInspect.  
Docker Images Available in Iron Bank  
The Fortify WebInspect (DAST) scanner Docker image is available on the Iron Bank hardened  
container image repository, along with the 2FA, FAST, OAST, and WISE images.  
Enhanced CycloneDX Export Data  
CycloneDX export data now includes vulnerability details, including CVE ID number, description,  
ratings, affected library versions, and the source provider’s URL (PURL).  
OAuth 2.0 Support  
You can now configure Client Credentials Grant and Password Credentials Grant OAuth 2.0  
authentication flows for scans requiring network authentication.  
Mac Version of Event-based Web Macro Recorder Tool  
The Event-based Web Macro Recorder tool is available for Mac, which enables you to create  
login and workflow macros on macOS.  
Contacting Customer Support  
Visit the Support website to:  
• Manage licenses and entitlements
• Create and manage technical assistance requests
• Browse documentation and knowledge articles
• Download software
• Explore the Community
We Welcome Your Feedback  
If you have comments or suggestions about the documentation, you can send these to the  
documentation team at fortifydocteam@opentext.com. Please use the subject line “Feedback on  
<Document_Title> <Product_Version>.” We appreciate your feedback!  
Copyright 2024 Open Text.  
What’s New in Fortify Software 23.2.0  
December 2023  
This release of Fortify Software includes the following new functions and features.  
Fortify Software Security Center  
The following features have been added to Fortify Software Security Center.  
Fortify Audit Assistant Gen 2  
Audit Assistant is an optional tool that you can use to help determine whether or not the issues  
returned from your scans represent true vulnerabilities. Generation 2, or Gen 2, of Audit
Assistant is now available. Using advanced AI and machine learning, Gen 2 provides improved
accuracy, training based on the decisions your auditors have made, and greater speed.
When upgrading Fortify Software to version 23.2.0, you must also upgrade Audit Assistant to  
use the new Gen 2 version of Audit Assistant.  
BIGINT Data Type Replaces INT in scan_issue(ID) and issue(ID) Fields  
This change affects the scan_issue table in both MSSQL and MySQL databases. During  
database migration, the data type for scan_issue(ID) and issue(ID) will be changed to BIGINT if  
it has not already been done. For information on how this impacts your database migration, see  
"Preparing to Upgrade the Fortify Software Security Center Database" in the OpenText™ Fortify  
Software Security Center User Guide.  
Debricked SBOM Support  
You can now download Debricked Software Bill Of Materials and view information on the third-party components in your application.
Base URL Attribute  
You can now assign a base URL attribute via the SCANCENTRAL DAST ATTRIBUTES page.  
New Automation Token  
Fortify Software Security Center now has a new SSC API Token type: the AutomationToken.  
This token type is a duplicate of the UnifiedLoginToken type. It provides access to most of the  
REST API and is intended for use in long-running automations and can be configured to last up  
to a year.  
Preserve Issue Detected on Date Across Versions  
Now, when creating a new application version based on a previous version, the Detected on  
date will be carried over to the new version. Previously, the Detected on date was set to the  
current date when basing a new application version on a previous one.  
Change User Assigned to an Issue  
You can now change the user assigned to an issue.  
Custom Banner  
An administrator can create an informational banner that persists until removed or changed.  
New Reports  
The premium report bundle now includes two new issue reports:  
• OWASP API Top 10 (2023)
• CWE Top 25 (2023)
The following report versions are no longer available in this release:  
• SANS 2009/2010
• STIG 4.10, 4.9 and below
• OWASP < 2013
• CWE Top 25 2019/2020
• WASC 24 + 2
REST Fortify Client  
The REST fortifyclient replaces the SOAP fortifyclient and is now the default.  
Additions to the System Requirements  
Fortify Software Security Center Database  
• SQL Server 2022
Service Integrations  
• Jira 9.10
Software Requirements  
• Red Hat Enterprise Linux 9 (RHEL 9) support
• Kubernetes 1.27 and 1.28 support
• Helm 3.12 support
BIRT Reporting  
• BIRT Report Designer 4.13.0
Fortify ScanCentral SAST  
The following features have been added to Fortify ScanCentral SAST.  
• Support for ScanCentral SAST .NET scanning and packaging on Linux systems
• Support for remote translation and scan of COBOL projects
• ScanCentral SAST will now retry any failed uploads to Fortify Software Security Center. Use the new upload command to resend an FPR file to Fortify Software Security Center after a previous upload attempt failed.
• REST API documentation for the Fortify ScanCentral SAST Controller is available with Swagger UI
• You can now package the debug logs from clients, sensors, and Fortify Static Code Analyzer into a ZIP archive using the start command option -diagnosis.
• Offload translation and scan support with Gradle versions 7.4-8.3 and MSBuild versions 17.4 - 17.8
Fortify Static Code Analyzer  
The following features have been added to Fortify Static Code Analyzer:  
Build tools  
• Ant 1.10.14
• Gradle 8.1 and 8.3
• Maven 3.9.4
• MSBuild 17.6 - 17.8
• xcodebuild 15 and 15.0.1
Languages  
• Angular 15.1, 15.2, 16.0
• Apex 58
• Bicep v0.12.x - current
  • 0.12.1 - 0.14.85 (supporting .NET 6)
  • 0.15.31 - current (supporting .NET 7)
• C# 12
• C17
• Dart 3.0
• ECMAScript 2023
• Go 1.20
• Kotlin 1.8
• .NET 8.0
• Python 3.12
• Django up to 4.2
• React 18.0
• Solidity 0.4.12-0.8.21
• Swift 5.9
• TypeScript 5.0
Compilers  
• Clang 15.0.0
• Swiftc 5.9
Fortify Static Code Analyzer Tools  
The following features have been added to Fortify Static Code Analyzer tools.  
The Fortify Static Code Analyzer installer no longer includes the Fortify Static Code  
Analyzer applications and tools. A separate installer is included for installing the Fortify  
Static Code Analyzer applications and tools.  
Fortify Audit Workbench  
• Syntax source code highlighting for Terraform, Dart, Bicep, and Solidity.
• Installation automatically detects the Fortify Static Code Analyzer versions installed in a default location.
• By default, Fortify Audit Workbench does not display binary source code.
Secure Coding Plugins  
• Fortify Plugin for Eclipse adds support for 2023-06 and 2023.06  
• Fortify Analysis Plugin for IntelliJ IDEA and Android Studio adds support for IntelliJ IDEA  
2023.2 and Android Studio 2022.2 and 2022.3  
New Report Versions
• OWASP MASVS 2.0
• CWE Top 25 2023
• OWASP API Top 10 2023
Fortify ScanCentral DAST  
The following features have been added to ScanCentral DAST  
Fortify Connect  
The new Fortify Connect feature enables you to perform scans of private applications from the  
cloud without exposing the application through your firewall.  
Event-based Logout Conditions  
The Event-based Web Macro Recorder now supports the use of JavaScript during execution to  
detect and notify the Fortify WebInspect sensor of logout.
Event Handlers  
The Event-based Web Macro Recorder now supports event handlers that react to unpredictable  
events, such as dialogs opening and popup DOM elements that steal focus.  
Web Storage Keys  
The Event-based Web Macro Recorder now supports the use of web storage keys that enable  
the application to determine and maintain state.  
Support for IMAP in Two-factor Authentication Scans  
Two-factor authentication scanning now supports IMAP email servers.  
Fortify WebInspect  
The following features have been added to Fortify WebInspect.  
Fortify License and Infrastructure Manager  
Linux Version  
A Linux version of the Fortify License and Infrastructure Manager (LIM) is now available for  
download from the Fortify Docker repository.  
Event-based Logout Conditions  
The Event-based Web Macro Recorder now supports the use of JavaScript during execution to  
detect and notify the Fortify WebInspect sensor of logout.
Event Handlers  
The Event-based Web Macro Recorder now supports event handlers that react to unpredictable  
events, such as dialogs opening and popup DOM elements that steal focus.  
Web Storage Keys  
The Event-based Web Macro Recorder now supports the use of web storage keys that enable  
the application to determine and maintain state.  
Web Socket Events  
WebInspect now includes a Capture Web Socket Events setting in the JavaScript dialog under  
Scan Settings.  
Support for IMAP in Two-factor Authentication Scans  
Two-factor authentication scanning now supports IMAP email servers.  
What’s New in Fortify Software 23.1.0  
May 2023  
This release of Fortify Software includes the following new functions and features.  
Fortify Software Security Center  
The following features have been added to Fortify Software Security Center.  
FIPS-Inside Technology Preview  
With this release, you can run Fortify Software Security Center functions in RHEL 8.5 and 9.0  
FIPS-only-enabled environments. However, Kerberos SSO authentication is not supported. The  
support is subject to limitations of Red Hat OpenJDK 11 on the RHEL OS in FIPS mode. Since  
this has been released as a Technology Preview, please report any omissions, issues, or gaps in  
functionality so that we can address them prior to the next release.  
Priority Override Signifiers in Reports  
Changes to Fortify priority values (using the priority override feature) are now reflected in issue  
reports. For details, see "Viewing Priority Overrides Information in Issue Reports" in the Fortify  
Software Security Center User Guide, 23.1.0.  
Fortify Insight  
If you have purchased Fortify Insight, you can link your Fortify Software Security Center to your  
Fortify Insight dashboard by adding a Fortify Insight link to your SSC Dashboard.  
Extended Search Capability for X.509 SSO Implementation  
Previously, for an X.509 SSO implementation, Fortify Software Security Center searched the  
Subject field of the client certificate to retrieve the username for certificate authentication. The  
search now extends to include the Subject Alternative Name field.  
Replacing SOAP fortifyclient with REST fortifyclient  
In an effort to further secure your Fortify Software Security Center deployment, Fortify is  
phasing out SOAP fortifyclient and replacing it with REST fortifyclient. In this release, SOAP fortifyclient remains the default, but REST fortifyclient is available to you.
The file names for both utilities are the same, but the files are in different directories. The SOAP fortifyclient files are in <ssc_install_dir>/Tools/fortifyclient/bin and the REST fortifyclient files are in <ssc_install_dir>/Tools/fortifyclient-new-rest/bin.
To improve security and prepare for the eventual deprecation of SOAP-based fortifyclient,  
Fortify strongly recommends disabling SOAP and testing the REST version of fortifyclient  
in your testing environment. Report any lack of parity or functionality as soon as possible.  
For more information, see the Fortify Software Release Notes 23.1.0.  
Job Queue Redesign  
A new job execution strategy named "Flexible (technical preview)" is introduced in this release.  
Based on the conservative strategy, the flexible strategy makes more efficient use of job queue  
sensors. Users can switch between the new strategy and previous strategies, as needed.  
Improved Event Log Filtering  
Two new options enable you to refine the data displayed on the Event Logs page. You can now specify a username and/or an event type to filter the events that you view and export. To remove specified filters, click CLEAR.
Cloud Database Support  
Fortify Software Security Center now supports SQL Server in both Azure and AWS cloud  
database services.  
Windows Server 2022 Support  
Fortify Software Security Center now supports running on the Windows Server 2022 operating  
system.  
Kubernetes Support  
• Support added for Kubernetes versions 1.25 and 1.26
• Support added for Kubernetes Persistent Volumes with optional support for Pod Security Context fsGroup option (fsGroup support is required for using a non-default container user ID)
• Support added for kubectl command-line tool version 1.24, 1.25, and 1.26. Fortify recommends the use of the same version of kubectl command-line tool as the Kubernetes cluster version
• Support added for version 3.10 and 3.11 of the Helm command-line tool
Fortify ScanCentral SAST  
The following features have been added to Fortify ScanCentral SAST.  
Specifying Fortify Static Code Analyzer Options and Properties as -targs and -sargs Arguments
ScanCentral now supports the options specified in -targs and -sargs that Fortify Static Code Analyzer allows, and ignores or blocks those that are not allowed.
Clients now accept rules, filters, and project templates - not only through the designated  
ScanCentral options, but also from the scan arguments parameter (-sargs). Previously, if  
specified, these options were ignored. For more information, see Appendix A: Fortify  
ScanCentral SAST Command-Line Options in the Fortify ScanCentral SAST Installation,  
Configuration, and Usage Guide.  
New Status Command Option: --block-until
Previously, a ScanCentral client had no way to let you know if an FPR that you uploaded to Fortify Software Security Center was processed completely. Now, you can use the --block-until option to block additional actions from being performed until processing is complete, so that the merged results you later download include all of the audits, comments, suppressed issues, and history from the previous scans.
The new --block-until option for the STATUS command polls Fortify Software Security Center for the scan merge status, and then returns the following information:
• Job status
• SSC upload status
• SSC application version ID
• SSC application name
• SSC application version name
• SSC artifact ID
• SSC artifact status
Build Tools  
• Added support for Maven version 3.9.x
Auto Detection of Build Tool for Remote Translation  
Previously, to perform a remote translation, you had to supply the -bt (--build-tool) option with a value that specified the build tool. Now, Fortify ScanCentral SAST detects the build tool automatically based on the project files being scanned. For example, if Fortify ScanCentral SAST detects a pom.xml file, it automatically sets -bt to mvn. If it detects a build.gradle file, it sets -bt to gradle. If Fortify ScanCentral SAST detects a *.sln file, it sets -bt to msbuild and sets -bf to the xxx.sln file.
If ScanCentral detects multiple file types (for example, pom.xml and build.gradle), it prioritizes the build tool selection as follows: Maven > Gradle > MSBuild and prints a message to indicate which build tool type was selected based on the multiple file types found.
Note: If you specify the build tool manually, auto-detection is overridden.  
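The following Python is an added illustration of the detection rules described above; it is not ScanCentral SAST's own code. It encodes only what the text documents (pom.xml selects mvn, build.gradle selects gradle, a *.sln file selects msbuild and sets -bf to that file, Maven > Gradle > MSBuild when several are present, and a manually supplied -bt overrides detection). The function name, the input shape (a list of file paths), and the behaviour when no build file is found (returning no tool) are assumptions made for the example, and the sample listings are constructed.

```python
"""Model of the build-tool auto-detection described for ScanCentral SAST 23.1.0.

Added illustration, not ScanCentral's own code. Only the documented rules are
encoded; the no-build-file case (bt=None) is an assumption for this example.
"""
from pathlib import PurePosixPath
from typing import Dict, Iterable, Optional

# Documented priority order when several project file types are found.
PRIORITY = ("mvn", "gradle", "msbuild")


def classify(file_name: str) -> Optional[str]:
    """Map a single project file name to the -bt value it implies, or None."""
    if file_name == "pom.xml":
        return "mvn"
    if file_name == "build.gradle":
        return "gradle"
    if file_name.endswith(".sln"):
        return "msbuild"
    return None


def detect_build_tool(files: Iterable[str],
                      manual_bt: Optional[str] = None) -> Dict[str, Optional[str]]:
    """Return the selected -bt, the -bf to pass (msbuild only), and a message.

    files: paths of files in the project being packaged; only the file name part
           is inspected (hypothetical input shape chosen for this example).
    manual_bt: value given explicitly with -bt; when present, detection is skipped.
    """
    if manual_bt:
        return {"bt": manual_bt, "bf": None,
                "message": f"-bt {manual_bt} specified manually; auto-detection overridden"}

    # Remember the first matching file per tool; the winner is decided by PRIORITY.
    found: Dict[str, str] = {}
    for path in files:
        name = PurePosixPath(path).name
        tool = classify(name)
        if tool is not None and tool not in found:
            found[tool] = name

    if not found:
        return {"bt": None, "bf": None,
                "message": "no pom.xml, build.gradle or *.sln found; supply -bt explicitly"}

    chosen = next(tool for tool in PRIORITY if tool in found)
    message = f"selected -bt {chosen}"
    if len(found) > 1:
        message += (f" (multiple build files found: {', '.join(sorted(found.values()))};"
                    " priority is Maven > Gradle > MSBuild)")
    # -bf is only set for MSBuild, where it names the solution file.
    return {"bt": chosen,
            "bf": found[chosen] if chosen == "msbuild" else None,
            "message": message}


if __name__ == "__main__":
    # Constructed sample listings, one per documented rule.
    for listing in (["pom.xml", "src/Main.java"],
                    ["build.gradle", "settings.gradle"],
                    ["Store.sln", "Store/Store.csproj"],
                    ["pom.xml", "build.gradle"]):
        print(listing, "->", detect_build_tool(listing))
    print(detect_build_tool(["pom.xml"], manual_bt="gradle"))
```

The mixed-file case is the one worth checking in a pipeline: when both pom.xml and build.gradle are present the Maven build wins silently apart from the printed message, so a Gradle-only project that carries a stale pom.xml should pass -bt explicitly.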
Configurable Location for the worker-persist.properties File
For containerized deployments it is useful to determine where certain files are generated so that you can customize persistence. For example, the worker-persist.properties file and the job files are stored in the same folder (sensor working directory). Now, you can use two new properties to specify where the worker-persist.properties file is generated and where the job files are generated. This enables you to persist the worker-persist.properties file, which is needed to maintain sensor pool assignments, without having to keep all of the old job files.
Fortify ScanCentral Controller and Sensor Docker Images and Helm Chart  
ScanCentral Controller and Sensor Docker images are now available on Docker Hub. You must  
be a member of the fortifydocker organization to download the images. A Helm Chart is  
Windows Server 2022 Support  
Fortify ScanCentral SAST now runs on the Windows Server 2022 operating system.  
Fortify Static Code Analyzer  
The following features have been added to Fortify Static Code Analyzer.  
Features  
• The Fortify Static Code Analyzer installation program no longer includes the Fortify Static Code Analyzer applications and tools. A separate installer is provided to install the Fortify Static Code Analyzer applications and tools.
• Scan Policy
  You can set a scan policy to identify the most serious vulnerabilities. There are three policies to choose from: classic, security, or devops. The classic scan policy is the default; it does not prioritize analysis results. The security scan policy is used to exclude issues related to code quality from the results. Use this policy to focus on remediation. The devops scan policy excludes issues that are also excluded by the security policy and reduces the number of low-priority issues. Use this policy when speed is a priority and developers want to review results directly (without intermediate auditing).
• Filter Files
  You can now set an exclusion threshold value to a filter file by adding one of the following exclusion types: priority, impact, likelihood, confidence, probability, and accuracy.
• .NET analysis on Linux. You can now translate .NET code on Linux installations of Fortify Static Code Analyzer.
Platforms  
• Red Hat Enterprise Linux 9.x
• macOS 13 on Intel and Apple Silicon (compatibility mode)
Compilers  
• Clang 14.0.3
• gcc 11
• g++ 11
• swiftc 5.8
Build tools  
• Ant 1.10.13
• Gradle 8.0.2
• Maven 3.9.1
• MSBuild 17.5 (Windows)
• Xcodebuild 14.2 and 14.3
Languages  
• .NET 7
• Apex 56 and 57
• ASP.NET Core 7
• C# 11
• Dart 2.12 - 2.18 / Flutter 2.0 - 3.3
  Rules for Dart/Flutter will be released in Q2 2023.
• ECMAScript 2022
• Go 1.18 and 1.19
• Kotlin 1.7
• PHP 8.2
• Python 3.10, 3.11
• TypeScript 4.6 - 4.9
Fortify Static Code Analyzer Tools  
The following features have been added to Fortify Static Code Analyzer tools.  
The Fortify Static Code Analyzer installer no longer includes the Fortify Static Code  
Analyzer applications and tools. A separate installer is included for installing the Fortify  
Static Code Analyzer applications and tools.  
Platforms and Architectures  
• Windows 11
• macOS 13. All tools run in compatibility mode on Apple M1 and M2 processors
Secure Code Plugins  
Added support for updated versions of the following IDEs:  
• Eclipse 2023-03
• IntelliJ IDEA 2023.1
• Android Studio 2022.1
• Visual Studio 2022, version 17.5
Fortify Extension for Visual Studio  
The remediation phase now supports custom tags that require comments and the priority  
override tag.  
New Report Template Versions  
• PCI DSS 4.0
• PCI SSF 1.2
• DISA STIG 5.2
Fortify ScanCentral DAST  
The following features have been added to ScanCentral DAST  
Client-side Library Analysis  
The hacker-level insights check has been enhanced to include information from the National  
Vulnerability Database (NVD) and Debricked health metrics when configured with a Debricked  
access token.  
Key Stores  
ScanCentral DAST now provides key stores as a way to create variables that you can use in scan  
settings, base settings, and macro parameters. When a scan is run, these variables are replaced  
with the latest values from the key store.  
Artifacts Repositories  
ScanCentral DAST now supports using artifacts repositories where scan artifacts reside. When a  
scan is run that references an artifact in a repository, either a tagged version or the latest copy  
of the artifact is pulled and used to configure and run the scan.  
Private Data Settings  
You can now configure private data settings that remove personally identifiable information  
from the scan and log data upon scan completion.  
Scan Visualization Enhancements for API Scans  
The site tree in scan visualization now includes icons for operations and parameters in API  
scans.  
Postman Scan Enhancements  
You can now import global variables files to use in Postman scans. There are also changes to  
validation and the ability to edit the sessions contained in collection files after validation.  
Fortify WebInspect  
The following features have been added to Fortify WebInspect.  
Client-side Library Analysis  
The hacker-level insights check has been enhanced to include information from the National  
Vulnerability Database (NVD) and Debricked health metrics when configured with a Debricked  
access token.  
Two-factor Authentication  
WebInspect has added the ability to automate Two-factor Authentication scans of sites using  
Authenticator Apps. This is in addition to our SMS- and email-based two-factor scanning. Once  
configured, there is no need for user interaction.  
SQLite SecureBase  
WebInspect now uses a SQLite database for SecureBase. The file extension is now  
SecureBase.db.  
Support for Postman Global Variables  
You can now import global variables files to use in Postman scans.  
WebInspect REST API v2  
The WebInspect REST API now includes a version 2, which includes asynchronous versions of  
endpoints that take a long time to complete. These endpoints generate a job token that you can  
use with the v2 Job endpoints to get the status and results from the job.  
Enhanced Support of Localized SecureBase Content  
A new Application Setting for SmartUpdate allows you to select a language to localize the  
security and report content in SecureBase.  
Enhancements to False Positives  
False Positives and ignored items have been renamed as Suppressed Findings in the UI. You can  
now export and import suppressed findings as JSON files.  
Enhanced Support for Client Certificates  
WebInspect now supports client certificates with strong private key (password) protection in  
Guided Scans, Basic Scans, and Interactive Scans.  
Improved Scan Coverage and Performance  
Fortify continues to enhance its engines to improve scan coverage and performance.  
WebInspect 23.1.0 provides a faster crawl and audit, and better application support with the  
Event-based Web Macro Recorder (formerly called Web Macro Recorder with Macro Engine  
23.1.0).  
WebInspect Software Requirements  
Added support for Windows Server 2022, SQL Server 2022, and SQL Server Express 2022.  
What’s New in Micro Focus Fortify Software 22.2.0
November 2022  
This release of Micro Focus Fortify Software includes the following new functions and features.  
Micro Focus Fortify Software Security Center  
The following features have been added to Fortify Software Security Center.  
Priority Override Capability  
Administrators can now enable users to change, or override the priority values assigned to  
issues. With the introduction of priority override capability, the Engine Priority option was  
added to the Group by menu. This grouping selection returns issues based on the original  
priority value assigned by the engine that identified the issue.  
Prioritizing ScanCentral SAST Jobs  
In this release, you can move a pending scan request to the first position in the jobs queue from  
the SCANCENTRAL SAST tab. For details, see "Prioritizing a ScanCentral SAST Scan Request" in  
the user guide.  
Support for Tomcat Access log Pattern for Kubernetes Deployments  
Fortify Software Security Center now supports changing the Tomcat access log pattern for a  
Kubernetes deployment. For details, see "Configuring the Apache Tomcat Access Logs for  
Additional Fields on the Docker Image" in the user guide.  
ScanCentral SAST Tab Enhancements  
The following changes were made to the SAST tab in the SCANCENTRAL view:  
• The Status column is now the State column, which now displays symbols to indicate the current scan state.
• The Scan Requests table now includes the Priority column, which shows the order in which pending scan request jobs are to be run. You can sort the listed jobs by selecting the Priority heading. The details for an expanded scan request now include the PRIORITIZE SCAN button, which you can select to move the scan request to the top of the job queue for the pool. You can also click the arrow icon in the Scan Requests table to move the request to the top of the queue. For details, see "Prioritizing a ScanCentral SAST Scan Request" in the user guide.
Viewing and Auditing Debricked Vulnerability Results  
You can now view and audit Debricked scan results for applications in Fortify Software Security  
Center so that, in addition to seeing vulnerabilities in the source code, you can also view the  
open-source vulnerabilities from third-party libraries. For details, see "Viewing Open Source  
Data" in the user guide.  
Creating Clickable Links in Bug Tracking Templates  
As of release 22.1.1, you can use the new HtmlUtil class in the velocity templates for bug  
trackers to create a link to a specific issue in Fortify Software Security Center. For information  
about how to use this class, select the Editing tips link in the EDIT TEMPLATE dialog box (see  
"Customizing Velocity Templates for Bug Tracker Plugins" in the user guide).  
Changes to the About Fortify Software Security Center Box  
The Configuration section of the ADMINISTRATION view now includes the About page, from  
which you configure the SUPPORT link in the About box. For information about how to change  
the SUPPORT link, see "Customizing the Fortify Software Security Center About Box" in the user  
guide.  
Changes to SAML SSO Configuration  
The procedure used to configure Fortify Software Security Center to work with SAML SSO has
changed (see "Configuring Fortify Software Security Center to Work with SAML 2.0-Compliant
Single Sign-On Solutions" in the user guide).
Preventing LDAP Refresh on Startup / Enabling Persisted Cached LDAP Data  
Previously, the LDAP data resided in an in-memory cache and was lost at server shutdown. Now,
you can enable the cached data to persist across shutdowns, so that restarting Fortify Software
Security Center is much faster, especially for large LDAP environments. For more information,
see "Enabling Persistence of the LDAP Cache" in the user guide.
Updated Kubernetes Support  
• Support for Kubernetes 1.23 and 1.24
• Support for Helm 3.9
Micro Focus Fortify ScanCentral SAST  
The following features have been added to Fortify ScanCentral SAST.  
Support for Packaging Java 8 Projects  
If you have a Java 8 project that fails to build because ScanCentral SAST requires Java 11 to
run, you can set the new SCANCENTRAL_JAVA_HOME environment variable to point to a Java 11
installation. After you do, ScanCentral SAST runs correctly under Java 11, and the project build
runs successfully with JAVA_HOME still set to Java 8.
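The split between SCANCENTRAL_JAVA_HOME (for the client) and JAVA_HOME (for the project build) is easy to get wrong on a build agent that has several JDKs installed. The following POSIX shell preflight script is an added example, not part of the Fortify release notes or of the ScanCentral client: it reads the major version of each JDK, refuses to run when the client JDK is older than 11 or the build JDK is not the one the project expects, and only then exports both variables around the package command. The installation paths, the project's required Java version (8) and the choice of Maven as build tool are assumptions; the command itself uses the standard `scancentral package -bt mvn -o` form.

```shell
#!/bin/sh
# Added example: verify the SCANCENTRAL_JAVA_HOME / JAVA_HOME split before
# running the ScanCentral SAST client. Paths and versions below are assumptions.
SC_JAVA="${SCANCENTRAL_JAVA_HOME:-/opt/java/jdk-11}"   # assumed: JDK 11 for the client
PROJECT_JAVA="${JAVA_HOME:-/opt/java/jdk-8}"            # assumed: JDK 8 for the project build
PROJECT_JAVA_MAJOR="${PROJECT_JAVA_MAJOR:-8}"           # assumed: what the project needs

# Extract the major version from the first line of `java -version` output.
# "1.8.0_392" -> 8 (legacy 1.x scheme), "11.0.21" -> 11, "17.0.2" -> 17.
java_major_from_banner() {
  ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
  [ -n "$ver" ] || return 1
  case "$ver" in
    1.*) printf '%s\n' "$ver" | cut -d. -f2 ;;
    *)   printf '%s\n' "$ver" | cut -d. -f1 ;;
  esac
}

# Major version of the JDK installed at $1 (a JAVA_HOME-style directory).
java_major_of_home() {
  [ -x "$1/bin/java" ] || return 1
  java_major_from_banner "$("$1/bin/java" -version 2>&1 | head -n 1)"
}

# The client needs Java 11 or later; the build JDK must be the one the project expects.
# Arguments: client major, build major, required build major. Returns 0 when usable.
validate_split() {
  sc_major="$1"; build_major="$2"; wanted="$3"
  [ "$sc_major" -ge 11 ] 2>/dev/null || return 1
  [ "$build_major" -eq "$wanted" ] 2>/dev/null || return 1
  return 0
}

# Check both JDKs, then package with the client and the build on separate JDKs.
run_package() {
  sc=$(java_major_of_home "$SC_JAVA") || { echo "no java under $SC_JAVA" >&2; return 1; }
  pj=$(java_major_of_home "$PROJECT_JAVA") || { echo "no java under $PROJECT_JAVA" >&2; return 1; }
  if ! validate_split "$sc" "$pj" "$PROJECT_JAVA_MAJOR"; then
    echo "SCANCENTRAL_JAVA_HOME=$SC_JAVA is Java $sc (need 11+); JAVA_HOME=$PROJECT_JAVA is Java $pj (need $PROJECT_JAVA_MAJOR)" >&2
    return 1
  fi
  # The client reads SCANCENTRAL_JAVA_HOME; the Maven build it launches reads JAVA_HOME.
  SCANCENTRAL_JAVA_HOME="$SC_JAVA" JAVA_HOME="$PROJECT_JAVA" \
    scancentral package -bt mvn -o package.zip
}

# Run the package step only when asked, so the file can also be sourced for its checks.
if [ "${SCANCENTRAL_PREFLIGHT_RUN:-0}" = 1 ]; then
  run_package
fi
```

Run it as `SCANCENTRAL_PREFLIGHT_RUN=1 sh preflight.sh` on the build agent; the version check fails fast with a message naming both directories instead of letting the packaging step fail part-way through the build.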
Upgrade of the Internal H2 Database Engine  
The internal H2 database for Fortify ScanCentral SAST was upgraded. As a result, you must run  
an associated migration script. For details, see "Upgrading the ScanCentral SAST Controller" in  
the Micro Focus Fortify ScanCentral SAST Installation, Configuration, and Usage Guide.  
Improved Method for Excluding Files From Scans When Using ScanCentral SAST to Package Projects
Previously, the Gradle, Maven, and MSBuild integrations relied on internal build procedure logic to
collect files. The only way to exclude files was either to exclude them from the build file, or to
pass an additional translation argument (-targs "-exclude ..."), which required that you knew
where the file would be saved in the ScanCentral SAST working directory.
You can now use the -exclude option directly on the ScanCentral SAST command line to
exclude files from scans for the Maven, Gradle, and MSBuild build tools, and for -bt none. For
details, see "Package Command" in the Micro Focus Fortify ScanCentral SAST Installation,
Configuration, and Usage Guide.
Configuring the Name of FPR Files Uploaded to Fortify Software Security Center
By default, the FPR files uploaded to Fortify Software Security Center are named scan.fpr. You
can now use the -fprssc option to specify the name to use for generated FPR files uploaded to
Fortify Software Security Center. For details, see "Submitting Scan Requests and Uploading
Results to Fortify Software Security Center" in the Micro Focus Fortify ScanCentral SAST
Installation, Configuration, and Usage Guide.
Packaging Projects with File Paths that Contain an Umlaut  
Previously, packaging failed if a file name or file path for a project included an umlaut character.  
Now, you can prevent such failures by adding a new property to the fortify-sca.properties file.  
For details, see the cautionary note in "Package Command" in the Micro Focus Fortify  
ScanCentral SAST Installation, Configuration, and Usage Guide.  
Configuring a Proxy for ScanCentral SAST Clients  
If your outbound traffic must go through a proxy, you can now add a proxy configuration for  
that purpose. For details, see "Configuring Proxies for Fortify ScanCentral SAST Clients " in the  
Micro Focus Fortify ScanCentral SAST Installation, Configuration, and Usage Guide.  
(Fortify on Demand only) New Option for Packaging Files for Debricked  
The new -oss packaging option enables you to package additional files that Debricked requires  
for its scans. See "Package Command" in the Micro Focus Fortify ScanCentral SAST Installation,  
Configuration, and Usage Guide.  
Micro Focus Fortify Static Code Analyzer  
The following features have been added to Fortify Static Code Analyzer.  
Operating System Updates  
Fortify added support for the following operating systems and versions:  
• macOS 12 Apple silicon
• Ubuntu 22.04.1 LTS
Compiler Updates
Fortify added support for the following compiler versions:
• Clang 14.0.0
• Swiftc 5.7
Build Tool Updates
Fortify added support for the following build tool versions:
• Xcodebuild 14 and 14.0.1
Language and Framework Updates  
• COBOL: IBM Enterprise COBOL for z/OS 6.2 and 6.3; Micro Focus Visual COBOL 7.0 and 8.0
• Apex 55
• Kotlin 1.6
• PHP 8.1
• TypeScript / JavaScript: React 17.0, React Native 0.68, and Vue 2
Note: Rules for Vue 2 will be part of the Fortify Software Security Content 2022 R4 release.
Micro Focus Fortify WebInspect  
The following features have been added to Fortify WebInspect.  
GraphQL Native Support  
WebInspect now supports scanning GraphQL natively. A Postman collection or workflow is no  
longer required to get a comprehensive GraphQL scan.  
gRPC Scanning  
WebInspect has added support for gRPC scanning. This popular server-to-server framework can  
now be scanned for security vulnerabilities.  
Engine 7.1 Updates  
Fortify continues to enhance its engines to improve scan coverage and performance.  
WebInspect 22.2.0 provides a faster crawl and audit, and better application support from the  
Web Macro Recorder with Macro Engine 7.1.  
Linux Version
WebInspect is now available as a lightweight Linux container. This containerized version of
WebInspect is a good option for automation scenarios in which WebInspect is driven through its API.
Updated SOAP Scanning
WebInspect will deprecate its older SOAP scanning option, which uses the Web Service Test
Designer tool. In preparation, a new mechanism to scan SOAP applications is available through
the API scanning option.
Micro Focus Fortify Static Code Analyzer Tools  
The following features have been added to Fortify Static Code Analyzer tools.  
Fortify Analysis Plugin for IntelliJ and Android Studio  
The Fortify Analysis Plugin for IntelliJ IDEA and Android Studio now supports:  
• IntelliJ 2022.2
• Android Studio 2021.3
Eclipse Support  
The Fortify Eclipse Complete Plugin now supports Eclipse 2022-06 and 2022-09.  
Updated CWE Top 2022 Report  
Updated to incorporate content from the Fortify Software Security Content 2022 Update 3.  
Updated Custom Rules Editor  
Includes the following generic and category-specific templates for generating custom  
Configuration, Regex, and Infrastructure as Code (IaC) rules:  
• Configuration Rule for PropertyMatch
• Configuration Rule for XPathMatch
• Docker Bad Practices: Untrusted Base Image in Use
• Credential Management: Hardcoded API Credential
• Regex Rule for ContentRegex
• Regex Rule for FileNameRegex
• Regex Rule for FileNameRegex and ContentRegex
• Structural Rule for Cloud Configuration in Nested Objects
• Structural Rule for Cloud Configuration in Single Object
• Structural Rule for Terraform Configuration in Nested Blocks
• Structural Rule for Terraform Configuration in Single Block
• Terraform Bad Practices: Untrusted Module in Use
Additional language support:  
• Apex
• Go
• HCL
• JavaScript/TypeScript
• JSON
• Kotlin
• PHP
• Python
• YAML
Additional configuration file type support:
• configuration
• docker
• xml
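The regex templates listed above (FileNameRegex, ContentRegex, and their combination, which is the shape of a category such as Credential Management: Hardcoded API Credential) pair a pattern that selects files by name with a pattern that matches offending content inside them. As an added illustration of what such a rule pair does, not a Fortify rule and not Fortify's rule format, the following POSIX shell script applies one file-name regex and one content regex to a constructed sample tree. Both patterns, the 16-character minimum that filters out placeholder values, and the sample files are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: what a FileNameRegex + ContentRegex rule pair does, expressed as
# find and grep over a directory tree. Both patterns are assumptions for illustration.

# FileNameRegex: only configuration-style files are in scope.
FILE_RE='\.(properties|env|ya?ml)$'
# ContentRegex: a credential-looking key followed by a long opaque value.
# The 16-character minimum keeps placeholders such as "changeme" out of the results.
CONTENT_RE="(api[_-]?key|secret|token)[[:space:]]*[:=][[:space:]]*[\"']?[A-Za-z0-9_-]{16,}"

# Print one "path:line:text" finding per matching line in each in-scope file under $1.
scan_tree() {
  find "$1" -type f | grep -E "$FILE_RE" | while IFS= read -r f; do
    grep -nEi "$CONTENT_RE" "$f" | sed "s|^|$f:|"
  done
  return 0
}

# Number of findings under $1.
count_findings() { scan_tree "$1" | wc -l | tr -d ' '; }

# Constructed sample tree: three real hits, one short placeholder that must not match,
# and one out-of-scope file whose name does not satisfy FILE_RE.
make_sample_tree() {
  d=$(mktemp -d)
  printf 'db.host=localhost\napi_key=AKIAEXAMPLE1234567890\n' > "$d/app.properties"
  printf 'TOKEN="ghp_abcdefghijklmnopqrstuvwxyz"\nSECRET=changeme\n' > "$d/.env"
  mkdir "$d/deploy"
  printf 'service:\n  secret: s3cr3tvalue0123456789\n' > "$d/deploy/values.yaml"
  printf 'api_key=AKIAEXAMPLE1234567890\n' > "$d/notes.txt"
  printf '%s\n' "$d"
}
```

Point `scan_tree` at a checkout to see which lines a rule of this shape would report; the file-name pattern is what keeps the content pattern from firing on documentation and test fixtures, which is why the templates offer the two together as well as separately.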
Micro Focus Fortify ScanCentral DAST  
The following features have been added to Fortify ScanCentral DAST.
GraphQL Native Support  
ScanCentral DAST now supports scanning GraphQL natively. A Postman collection or workflow  
is no longer required to get a comprehensive GraphQL scan.  
gRPC Scanning  
ScanCentral DAST has added support for gRPC scanning. This popular server-to-server  
framework can now be scanned for security vulnerabilities.  
SOAP Service Scanning  
ScanCentral DAST now supports scanning SOAP services.  
Engine 7.1 Updates  
Fortify continues to enhance its engines to improve scan coverage and performance.  
ScanCentral DAST 22.2.0 provides a faster crawl and audit and better application support from  
the Web Macro Recorder with Macro Engine 7.1.  
Linux Version  
The ScanCentral DAST core components and sensor are now available as a lightweight Linux
container. This new Linux option provides enhanced support for automation and sensor auto
scaling.
Sensor Auto Scaling  
ScanCentral DAST provides optional sensor auto scaling in Kubernetes that automatically starts  
the sensor container, runs the scan, and shuts down the container upon completion.  