Fortify Audit Assistant Best Practices

Audit Assistant Workflow

About Audit Assistant

Consistent Use of Tags

Manage Your Prediction Thresholds

Train Your Model Using Decisions Your Auditors Have Made

About Prediction Policies

Defining Prediction Policies

Updating the Fortify Audit Assistant Configuration

Configuring Audit Assistant

Audit Assistant Workflow

Getting a Fortify Audit Assistant Authentication Token

Configuring Audit Assistant Options for an Application Version

Enabling Auto-Apply and Auto-Predict for an Application Version

Mapping Audit Assistant Analysis Tag Values to Fortify Software Security

OpenText™ Fortify Software Security Center (24.2.0)

Page 12 of 459

User Guide

Center Custom Tag Values

Reviewing Audit Assistant Results

About Audit Assistant Training

Selecting an Audit Assistant Training Tag

Submitting Training Data to Audit Assistant

Searching Globally in Fortify Software Security Center

About Susceptibility Analysis of Web Applications

Susceptibility Analysis Requirements

Typical Workflow to Optimize Results for an Application

Exporting Open Source Data

Integrating Fortify Software Security Center with Fortify WebInspect Enterprise 382

Viewing Fortify WebInspect Scan Results in Fortify Software Security Center 382

WebInspect Audit Data

Submitting Dynamic Scan Requests to Fortify WebInspect Enterprise

Processing Dynamic Scan Requests from Fortify WebInspect Enterprise

Editing and Cancelling Dynamic Scan Requests

Dynamic Scan Request States

Editing Dynamic Scan Requests

Cancelling Dynamic Scan Requests

Viewing Open Source Data

Viewing Open Source Data from the AUDIT Page

Viewing Open Source Data from the OPEN SOURCE Page

Downloading a Debricked SBOM

Chapter 16: Working with Fortify ScanCentral SAST

ScanCentral SAST Permissions

Viewing ScanCentral SAST Scan Request Details

Prioritizing a ScanCentral SAST Scan Request

Canceling ScanCentral SAST Scan Requests

Viewing ScanCentral SAST Sensor Information

Viewing ScanCentral Controller Information

Stopping the Controller

Placing the ScanCentral SAST Controller in Maintenance Mode

Safely Shutting Down Sensors

Removing the ScanCentral SAST Controller from Maintenance Mode

About ScanCentral SAST Sensor Pools

Pre-defined Sensor Pools

OpenText™ Fortify Software Security Center (24.2.0)

Page 13 of 459

User Guide

Creating ScanCentral SAST Sensor Pools

Moving ScanCentral SAST Sensors Between Pools

Deleting ScanCentral Pools

404

406

407

Chapter 17: Working with Fortify ScanCentral DAST

ScanCentral DAST Permissions

408

410

Submitting Requests for Dynamic Scans to ScanCentral DAST

Synchronizing Audit History Changes in Fortify ScanCentral DAST using Kafka

Chapter 18: BIRT Reports

Importing Report Libraries

Generating and Viewing Reports

Customizing BIRT Reports

Acquiring the BIRT Report Designer

Downloading Report Templates

Generating and Downloading Customized BIRT Reports in XLSX Format

Importing Report Definitions

Chapter 19: Authentication Tokens

Generating Authentication Tokens

Generating a Token from the Administration View

Generating a Token from the Command Line

Editing Authentication Tokens

420

422

424

Deleting Authentication Tokens

Appendix A: Using the fortifyclient Utility

425

fortifyclient Requirements

425

426

About Specifying the Fortify Software Security Center URL

fortifyclient Authentication Tokens

fortifyclient HTTP Timeouts

Listing fortifyclient Options and Parameters

427

About Upload Authentication Tokens

427

428

Acquiring an Upload Authentication Token Using fortifyclient

Specifying DaysToLive for fortifyclient Authentication Tokens

Listing fortifyclient Authentication Tokens

Listing Application Versions

OpenText™ Fortify Software Security Center (24.2.0)

Page 14 of 459

User Guide

Purging Application Versions

Using an Application Identifier to Upload FPR Files

Using an Application Name and Version to Upload FPR Files

About Downloading FPRs

433

434

Downloading an FPR Using an Application Identifier

Downloading an FPR Using an Application Name and Version

Importing Content Bundles

434

436

Downloading Audit Attachment Files

Appendix B: Authoring Bug Tracker Plugins

Plugin Methods and Method Calls

Plugin Helper

Error Handling

Almost Stateless

Debugging a Bug Tracker Plugin

Deploying a Customized Bug Tracker Plugin

Appendix C: Automating Fortify Software Security Center Configuration

448

Appendix D: Webhook Payloads

Artifact Upload Approved Payload

Project Version Payload

Project Version Updated Payload

Project Version Created From Previous Payload

Report Generation Payload

User Payload

OpenText™ Fortify Software Security Center (24.2.0)

Page 15 of 459

User Guide

Send Documentation Feedback

459

OpenText™ Fortify Software Security Center (24.2.0)

Page 16 of 459

User Guide

Contacting Customer Support

Preface

Contacting Customer Support

Visit the Support website to:

l

Manage licenses and entitlements

l

Create and manage technical assistance requests

l

Browse documentation and knowledge articles

l

Download software

l

Explore the Community

https://www.microfocus.com/support

For More Information

For more information about Fortify software products:

https://www.microfocus.com/cyberres/application-security

About the Documentation Set

The Fortify Software documentation set contains installation, user, and deployment guides for

all Fortify Software products and components. In addition, you will find technical notes and

release notes that describe new features, known issues, and last-minute updates. You can

access the latest versions of these documents from the following Product Documentation

website:

https://www.microfocus.com/support/documentation

To be notified of documentation updates between releases, subscribe to Fortify Product

Announcements on the OpenText Fortify Community:

https://community.microfocus.com/cyberres/fortify/w/announcements

OpenText™ Fortify Software Security Center (24.2.0)

Page 17 of 459

User Guide

Fortify Product Feature Videos

You can find videos that highlight Fortify products and features on the Fortify Unplugged

YouTube channel:

https://www.youtube.com/c/FortifyUnplugged

OpenText™ Fortify Software Security Center (24.2.0)

Page 18 of 459

User Guide

Fortify Product Feature Videos

Change Log

The following table lists changes made to ID and this document.

A document revision is published only if the changes made affect product functionality.

Software

Release /

Document

Revision

Changes

24.2.0

Added

l

Administrators can enable Data Retention to define the time period for

retaining application version artifacts. For more information, see "About

Data Retention" on page 280.

l

You can change the UI theme. For more information, see "Setting

Preferences: System-Wide and Across Application Versions" on

page 207 .

"Generating and Downloading Customized BIRT Reports in

XLSX Format" on page 417 provides instructions on downloading

customized BIRT reports in XLSX format.

You can set up Kafka to synchronize audit history changes for

suppressed issues, priority override, and analysis tag with Fortify

ScanCentral DAST. For more information, "Synchronizing Audit History

Changes in Fortify ScanCentral DAST using Kafka" on page 410 and

"Configuring Kafka" on page 103 .

l

You can set up timeouts for connect, read, and write for

fortifyclient. For more information, see "fortifyclient

HTTP Timeouts" on page 426.

Updated

l

An informational note was added to "Monitoring Disk I/O" on page 59.

l

The default schedule for LDAP Refresh was modified in "Recurring

Cleanup Jobs" on page 138.

The IdP metadata location and keystore location was modified in

"Configuring Fortify Software Security Center to Work with SAML 2.0-

Compliant Single Sign-On" on page 144 .

l

Updated the list of supported operators in "Performance Indicators" on

OpenText™ Fortify Software Security Center (24.2.0)

Page 19 of 459

User Guide

Fortify Product Feature Videos

Software

Release /

Document

Revision

Changes

page 302 and "Creating Performance Indicators" on page 302.

l

A description for the Issue State was added to the Set Issue State

section of "Adding Custom Tag Values" on page 271.

l

Changed the default Job execution strategy to Flexible in "Configuring

Job Scheduler Settings" on page 131.

Removed

l

The activity, requirement, and requirementtemplatetable

names from "Configuring Security for BIRT Reporting" on page 91.

l

The AuditToken from the Generating a Token from the Command Line

section of "Generating Authentication Tokens" on page 420.

The Bug Tracker Plugin for Bugzilla from the Adding Bug Tracker

Plugins section of "Managing Bug Tracker Plugins" on page 166.

23.2.0

Added

l

"Fortify Audit Assistant Best Practices" on page 358 describes the best

practices for Fortify Audit Assistant when upgrading to the latest

version of OpenText Fortify Audit Assistant powered by the new Gen 2

engine.

l

Fortify Audit Assistant has been upgraded to version 23.2.0 and the

topics on Fortify Audit Assistant have been updated to address the

changes.

"Updating the Fortify Audit Assistant Configuration" on page 361

provides instructions on configuring Fortify Audit Assistant to use Audit

Assistant's new G2 prediction engine.

l

"Running Fortify Software Security Center in a Federal Information

Processing Standards (FIPS) Environment " on page 156

The scan_issue(ID)for MySQL and MS SQL database users has been

changed from INT to BIGINT. For more information, see "Preparing to

Upgrade the Fortify Software Security Center Database" on page 190 .

l

Fortify ScanCentral DAST now supports setting a Base URL application

OpenText™ Fortify Software Security Center (24.2.0)

Page 20 of 459

User Guide

Fortify Product Feature Videos

Software

Release /

Document

Revision

Changes

version attribute. The Base URL can be set when "Creating the First

Version of a New Application" on page 239 or "Adding a New Version to

an Application" on page 242 .

l

AutomationToken is a new API token that provides access to most of

the REST API. For more information, see "Generating Authentication

Tokens" on page 420.

Support for downloading a Debricked Software Bill of Materials (SBOM).

For more information, see "Downloading a Debricked SBOM" on

page 392.

New system-wide banner allows administrators to post a message to

SSC that persists until removed. For information, see "Create a System-

wide Banner" on page 158.

Updated

l

All references to Microsoft Azure AD and Azure Active Directory were

changed to Microsoft Entra ID and Microsoft Entra, respectively.

l

Replaced Micro Focus with OpenText throughout the UI and

documentation.

Previously, during an audit, there was no way to remove a user from an

issue once the user was assigned. With this release, you can remove or

change an assigned user from an issue on the Audit page. For more

information, refer to the note at step 13 of "Auditing Scan Results" on

page 337.

l

Added instructions on setting up Issue State to the Set Issue State

section of "Adding Custom Tag Values" on page 271

Previously, when you created a new application version and chose to

base it on an existing application version and save the application state,

the Detected on date wasn't persisted. The detected on date was

changed to the date of the most recent scan of the application version

the issues were copied from. The Detected on date is now persisted and

available in the new application version.

OpenText™ Fortify Software Security Center (24.2.0)

Page 21 of 459

User Guide

Fortify Product Feature Videos

Software

Release /

Document

Revision

Changes

Removed

l

The PackageFinder and ProjectProvisioning samples have been

removed from the Samples folder (<ssc_install_dir>/Samples/) and are

no longer supported.

l

The topic Enabling Metadata Sharing has been removed as the Fortify

Audit Assistant G2 model uses a different training method.

The follow reports have been deprecated: SANS 2009 and 2010,

STIG 4.10, 4.9, and earlier, OWASP 2013 and earler, CWE Top 25 2019

and 2020, and WASC 24 +2.

l

SOAP API is disabled by default and all SOAP API requests are rejected

with a "410 Gone" response. Use REST API (/api/v1/*, /download/*, and

co /transfer/*) endpoints instead of SOAP API (/fm-ws/*) endpoints. For

more information, see the Fortify Software, Version 23.2.0 Release

Notes.

l

The REST API-based fortifyclient is the primary fortifyclient utility. It is

in the Tools/fortifyclient folder. For more information, see the Fortify

Software, Version 23.2.0 Release Notes.

23.1.0

Most references to Micro Focus were removed to reflect changed corporate

ownership.

Added:

l

"Adding a Fortify Insight Link to the Dashboard" on page 159

l

"Setting the Required Password Strength for Fortify Software Security

Center Login" on page 163

Updated:

l

Information about using secure cipher suites was added to "Securing

Tomcat Server" on page 35.

l

The URL for a how-to video was changed in "Downloading Fortify

Software Security Center Files" on page 47.

l

A cautionary note was added to "About Seeding the Fortify Software

OpenText™ Fortify Software Security Center (24.2.0)

Page 22 of 459

User Guide

Fortify Product Feature Videos

Software

Release /

Document

Revision

Changes

Security Center Database" on page 65.

l

An informational note was added to "Configuring Fortify Software

Security Center for the First Time" on page 68 .

A note about cached LDAP user data was modified in "Configuring LDAP

Servers" on page 107.

A description of the newly introduced flexible job execution strategy

was added to "Configuring Job Scheduler Settings" on page 131.

A note indicating that logout responses and logout requests sent by IdP

must be signed and a new step were added to "Configuring Fortify

Software Security Center to Work with SAML 2.0-Compliant Single Sign-

On" on page 144 .

l

Information about the ability to search the Subject Alternative Name

(SAN) extension was added to "Configuring Fortify Software Security

Center to Use X.509 Certification-based SSO" on page 153 .

The procedure for changing the support contact link in the About box

was modified in "Changing the Support Contact Link in the About Fortify

Software Security Center Box" on page 160 .

l

Troubleshooting information for handling failed LDAP user logins was

added to "Handling Failed LDAP User Logins" on page 177.

The procedure for enabling Fortify Static Code Analyzer and Fortify

Apps and Tools upgrades from Fortify Software Security Center was

modified in "Enabling Fortify Static Code Analyzer and Fortify Apps and

Tools Upgrades from Audit Workbench" on page 194 to reflect the

separation of installation files with this release.

l

Descriptions of global events and application version events were added

to "Creating Webhooks" on page 290.

Obsolete search query examples were removed from "Search Query

Examples" on page 336.

A new section, "Viewing Priority Override Information in Issue Reports,"

was added to "Overriding Assigned Issue Priority" on page 349 to show

how priority overrides are now represented in reports. The "Limitations"

section was removed from this topic.

OpenText™ Fortify Software Security Center (24.2.0)

Page 23 of 459

User Guide

Fortify Product Feature Videos

Software

Release /

Document

Revision

Changes

Removed:

What's New in Micro Focus Fortify Software Security Center 22.2.0

Configuring an Eclipse Plugin Update Site

22.2.0

Added:

l

What's New in Micro Focus Fortify Software Security Center 22.2.0

l

"Setting the Required Password Strength for Fortify Software Security

Center Login" on page 163

l

"Deploying Fortify Software Security Center to a Kubernetes Cluster" on

page 49 contains the new section "Customizing the Apache Tomcat

Access Logs" on page 53. The deployment procedure was also modified.

l

"Enabling Persistence of the LDAP Cache" on page 121

l

"Changing the Support Contact Link in the About Fortify Software

Security Center Box" on page 160

l

"Customizing Fortify Software Security Center Logging " on page 162

l

"Preparing Fortify Software Security Center to Display Debricked

Results" on page 172

l

"Overriding Assigned Issue Priority" on page 349

l

"Viewing Open Source Data" on page 390

l

"Prioritizing a ScanCentral SAST Scan Request" on page 398

l

"Moving ScanCentral SAST Sensors Between Pools" on page 406

Updated:

l

Changed the URL for file downloads in"About Integrating Components

with Fortify Software Security Center" on page 41 .

l

Some descriptions of the <fortify.home>directory content were

modified in "About the <fortify.home> Directory" on page 55.

l

An important note regarding non-GUI Linux operating systems was

added to "Configuring Security for BIRT Reporting" on page 91.

OpenText™ Fortify Software Security Center (24.2.0)

Page 24 of 459

User Guide

Fortify Product Feature Videos

Software

Release /

Document

Revision

Changes

l

The topic title "Updating the Distinguished Name for LDAP Entities" was

changed to "Handling LDAP Entries Marked "Invalid"" on page 121.

l

The procedure for configuring Fortify Software Security Center to work

with SSO that uses SAML 2.0 was extensively revised in "Configuring

Fortify Software Security Center to Work with SAML 2.0-Compliant

Single Sign-On" on page 144 .

l

Added an important note regarding the personal access token required

for Azure DevOps to "About Bug Tracker Integration" on page 164.

Edited the procedure and changed the URL for file downloads in

"Preparing Fortify Software Security Center to Display Sonatype Results"

on page 170 .

l

Updated the version numbers for upgrades in "Upgrading Fortify

Software Security Center" on page 188.

An important note regarding Microsoft SQL databases was added to

"Fortify Software Security Center Database Upgrade Tasks" on

page 189 .

l

"Accessing the Fortify Software Security Center API Documentation" on

page 213 was revised to reflect changes in the About Fortify Software

Security Center <version> box.

The heading "Editing Velocity Templates for Bug Tracker Plugins" was

changed to "Customizing Velocity Templates for Bug Tracker Plugins"

on page 252 .

A note about column sorting was added to "Viewing Information About

Issues to Audit" on page 325.

l

Information on how to search issues for date-type custom tags was

added to"Searching Issues" on page 332.

The [fortify priority order]modifier description was changed in,

and the [engine priority]modifier was added to the table of

modifiers in "Search Modifiers" on page 333.

l

The "Auditing Fortify Scan Results" heading was changed to "Auditing

Scan Results" on page 337.

OpenText™ Fortify Software Security Center (24.2.0)

Page 25 of 459

User Guide

Fortify Product Feature Videos

Software

Release /

Document

Revision

Changes

l

The URL for file downloads in "About Susceptibility Analysis of Web

Applications" on page 379 was changed.

l

The topic "Exporting Sonatype Data" was changed to "Exporting Open

Source Data" on page 381.

An important note regarding generating reports from a non-GUI Linux

operating system was added to "BIRT Libraries" on page 411 and to

"Importing Report Libraries" on page 411 .

l

"Acquiring the BIRT Report Designer" on page 415 includes a corrected

URL for the Eclipse Downloads page and the URL for instructions on

how to install the Eclipse BIRT Report Designer.

A misstatement about extending the life of a token was corrected in

"Generating Authentication Tokens" on page 420.

Removed:

l

What's New in Micro Focus Fortify Software Security Center 22.1.0

l

Configuring SAML 2.0 Single Sign-On for SCIM / Entra ID Integration

OpenText™ Fortify Software Security Center (24.2.0)

Page 26 of 459

Chapter 1: Introduction

Fortify Software Security Center is a browser-based product that provides a set of capabilities

across the software development life cycle to automate detection of security vulnerabilities in

applications. It helps your security and development teams work together to resolve security

flaws quickly and accurately by making correlated data from Fortify Static Code Analyzer,

Fortify ScanCentral SAST, ScanCentral DAST, and Sonatype available through its collaborative

online environment.

Intended Audience

This content is written for users who are responsible for deploying and maintaining Fortify

Software Security Center. It provides all of the information needed to acquire, install, and

configure Fortify Software Security Center.

The information presented here is intended for users who are at least moderately

knowledgeable about enterprise application development and skilled in enterprise system and

database administration. It is written for:

l

System and instance administrators

l

Database administrators

For information about how to access the Software Security Center API Documentation, see

"Accessing the Fortify Software Security Center API Documentation" on page 213.

Document Structure

This document is divided into two main parts. Part I ("Deploying Fortify Software Security

Center" on page 34) includes chapters that describe the deployment environment and provide

instructions for installing and configuring Fortify Software Security Center. Part II ("Using Fortify

Software Security Center" on page 199) includes chapters that describe how to use Fortify

Software Security Center.

Related Documents

This topic describes documents that provide information about Fortify software products.

OpenText™ Fortify Software Security Center (24.2.0)

Page 27 of 459

User Guide

Related Documents

Note: You can find the Fortify Product Documentation at

https://www.microfocus.com/support/documentation. Most guides are available in both

PDF and HTML formats. Product help is available within the Fortify LIM product and the

Fortify WebInspect products.

All Products

The following documents provide general information for all products. Unless otherwise noted,

these documents are available on the Product Documentation website.

Document / File Name

Description

About Fortify Software

Documentation

This paper provides information about how to access

Fortify product documentation.

About_Fortify_Docs_<version>.pdf

Note: This document is included only with the

product download.

Fortify License and Infrastructure

Manager Installation and Usage

Guide

This document describes how to install, configure, and

use the Fortify License and Infrastructure Manager

(LIM), which is available for installation on a local

Windows server and as a container image on the

Docker platform.

LIM_Guide_<version>.pdf

Fortify Software System

Requirements

This document provides the details about the

environments and products supported for this version

of Fortify Software.

Fortify_Sys_Reqs_<version>.pdf

Fortify Software Release Notes

This document provides an overview of the changes

made to Fortify Software for this release and important

information not included elsewhere in the product

documentation.

FortifySW_RN_<version>.pdf

What’s New in Fortify Software

This document describes the new features in Fortify

Software products.

Fortify_Whats_New_<version>.pdf

Fortify ScanCentral DAST

The following document provides information about Fortify ScanCentral DAST. Unless

otherwise noted, this document is available on the Product Documentation website at

OpenText™ Fortify Software Security Center (24.2.0)

Page 28 of 459

User Guide

Related Documents

https://www.microfocus.com/documentation/fortify-ScanCentral-DAST.

Document / File Name

Description

Fortify ScanCentral DAST

Configuration and Usage Guide

This document provides information about how to

configure and use Fortify ScanCentral DAST to

conduct dynamic scans of Web applications.

SC_DAST_Guide_<version>.pdf

Fortify ScanCentral SAST

The following document provides information about Fortify ScanCentral SAST. Unless otherwise

noted, this document is available on the Product Documentation website at

https://www.microfocus.com/documentation/fortify-software-security-center.

Document / File Name

Description

Fortify ScanCentral SAST

Installation, Configuration, and

Usage Guide

This document provides information about how to

install, configure, and use Fortify ScanCentral SAST to

streamline the static code analysis process. It is written

for anyone who intends to install, configure, or use

Fortify ScanCentral SAST to offload the resource-

intensive translation and scanning phases of their

Fortify Static Code Analyzer process.

SC_SAST_Guide_<version>.pdf

Fortify Static Code Analyzer

The following documents provide information about Fortify Static Code Analyzer. Unless

otherwise noted, these documents are available on the Product Documentation website at

https://www.microfocus.com/documentation/fortify-static-code.

Document / File Name

Description

Fortify Static Code Analyzer

User Guide

This document describes how to install and use Fortify

Static Code Analyzer to scan code on many of the

major programming platforms. It is intended for people

responsible for security audits and secure coding.

SCA_Guide_<version>.pdf

Fortify Static Code Analyzer

Applications and Tools Guide

This document describes how to install Fortify Static

Code Analyzer applications and tools. It provides an

overview of the applications and command-line tools

SCA_Apps_Tools_<version>.pdf

OpenText™ Fortify Software Security Center (24.2.0)

Page 29 of 459

User Guide

Related Documents

Document / File Name

Description

that enable you to scan your code with Fortify Static

Code Analyzer, review analysis results, work with

analysis results files, and more.

Fortify Static Code Analyzer

Custom Rules Guide

This document provides the information that you need

to create custom rules for Fortify Static Code Analyzer.

This guide includes examples that apply rule-writing

concepts to real-world security issues.

SCA_Cust_Rules_Guide_

<version>.zip

Note: This document is included only with the

product download.

Fortify Audit Workbench User

Guide

This document describes how to use Fortify Audit

Workbench to scan software projects and audit

analysis results. This guide also includes how to

integrate with bug trackers, produce reports, and

perform collaborative auditing.

AWB_Guide_<version>.pdf

Fortify Plugin for Eclipse User

Guide

This document provides information about how to

install and use the Fortify Complete Plugin for Eclipse.

Eclipse_Plugin_Guide_

<version>.pdf

Fortify Analysis Plugin for IntelliJ

IDEA and Android Studio User

Guide

This document describes how to install and use Fortify

Analysis Plugin for IntelliJ IDEA and Android Studio.

IntelliJ_AnalysisPlugin_Guide_

<version>.pdf

Fortify Extension for Visual Studio

User Guide

This document provides information about how to

install and use the Fortify extension for Visual Studio

to analyze, audit, and remediate your code to resolve

security-related issues in solutions and projects.

VS_Ext_Guide_<version>.pdf

Fortify WebInspect

The following documents provide information about Fortify WebInspect. Unless otherwise

noted, these documents are available on the Product Documentation website at

OpenText™ Fortify Software Security Center (24.2.0)

Page 30 of 459

User Guide

Related Documents

https://www.microfocus.com/documentation/fortify-webinspect.

Document / File Name

Description

Fortify WebInspect Installation Guide

This document provides an overview of Fortify

WebInspect and instructions for installing Fortify

WebInspect and activating the product license.

WI_Install_<version>.pdf

Fortify WebInspect User Guide

This document describes how to configure and use

Fortify WebInspect to scan and analyze Web

applications and Web services.

WI_Guide_<version>.pdf

Note: This document is a PDF version of the

Fortify WebInspect help. This PDF file is

provided so you can easily print multiple

topics from the help information or read the

help in PDF format. Because this content was

originally created to be viewed as help in a

web browser, some topics may not be

formatted properly. Additionally, some

interactive topics and linked content may not

be present in this PDF version.

Fortify WebInspect and OAST on

Docker User Guide

This document describes how to download,

configure, and use Fortify WebInspect and Fortify

OAST that are available as container images on the

Docker platform. The Fortify WebInspect image is

intended to be used in automated processes as a

headless sensor configured by way of the

WI_Docker_Guide_<version>.pdf

command line interface (CLI) or the application

programming interface (API). It can also be run as

a Fortify ScanCentral DAST sensor and used in

conjunction with Fortify Software Security Center.

Fortify OAST is an out-of-band application security

testing (OAST) server that provides DNS service

for the detection of OAST vulnerabilities.

Fortify WebInspect Tools Guide

This document describes how to use the Fortify

WebInspect diagnostic and penetration testing

tools and configuration utilities packaged with

Fortify WebInspect and Fortify WebInspect

WI_Tools_Guide_<version>.pdf

OpenText™ Fortify Software Security Center (24.2.0)

Page 31 of 459

User Guide

Related Documents

Document / File Name

Description

Enterprise.

Fortify WebInspect Agent Installation

Guide

This document describes how to install the Fortify

WebInspect Agent for applications running under a

supported Java Runtime Environment (JRE) on a

supported application server or service and

applications running under a supported .NET

Framework on a supported version of IIS.

WI_Agent_Install_<version>.pdf

Fortify WebInspect Agent Rulepack Kit This document describes the detection capabilities

Guide

of Fortify WebInspect Agent Rulepack Kit. Fortify

WebInspect Agent Rulepack Kit runs atop the

Fortify WebInspect Agent, allowing it to monitor

your code for software security vulnerabilities as it

runs. Fortify WebInspect Agent Rulepack Kit

provides the runtime technology to help connect

your dynamic results to your static ones.

WI_Agent_Rulepack_Guide_

<version>.pdf

Fortify WebInspect Enterprise

The following documents provide information about Fortify WebInspect Enterprise. Unless

otherwise noted, these documents are available on the Product Documentation website at

https://www.microfocus.com/documentation/fortify-webinspect-enterprise.

Document / File Name

Description

Fortify WebInspect Enterprise

Installation and Implementation

Guide

This document provides an overview of Fortify

WebInspect Enterprise and instructions for installing

Fortify WebInspect Enterprise, integrating it with Fortify

Software Security Center and Fortify WebInspect, and

troubleshooting the installation. It also describes how to

configure the components of the Fortify WebInspect

Enterprise system, which include the Fortify WebInspect

Enterprise application, database, sensors, and users.

WIE_Install_<version>.pdf

Fortify WebInspect Enterprise

User Guide

This document describes how to use Fortify WebInspect

Enterprise to manage a distributed network of Fortify

WebInspect sensors to scan and analyze Web

applications and Web services.

WIE_Guide_<version>.pdf

OpenText™ Fortify Software Security Center (24.2.0)

Page 32 of 459

User Guide

Related Documents

Document / File Name

Description

Note: This document is a PDF version of the Fortify

WebInspect Enterprise help. This PDF file is provided

so you can easily print multiple topics from the help

information or read the help in PDF format. Because

this content was originally created to be viewed as

help in a web browser, some topics may not be

formatted properly. Additionally, some interactive

topics and linked content may not be present in this

PDF version.

Fortify WebInspect Tools Guide

This document describes how to use the Fortify

WebInspect diagnostic and penetration testing tools and

configuration utilities packaged with Fortify WebInspect

and Fortify WebInspect Enterprise.

WI_Tools_Guide_<version>.pdf

OpenText™ Fortify Software Security Center (24.2.0)

Page 33 of 459

Part I: Deploying Fortify Software Security

Center

The following chapters describe the Fortify Software Security Center deployment environment

and provide instructions for installing and configuring Fortify Software Security Center.

OpenText Fortify Software Security Center (24.2.0)

Page 34 of 459

Chapter 2: Providing for Secure Deployment

Just as you apply security precautions to analyzed source code, you must also secure access to

the Fortify Software Security Center analysis products that access the source code. Moreover,

the concentrated summarization of security vulnerabilities that the Fortify Software Security

Center family of products provides might mandate an even higher level of secure deployment.

The topics in this section summarize some of the ways to securely deploy Fortify Software

Security Center.

Securing Access to Facilities

Fortify Software Security Center stores and renders the source code of applications it has

analyzed and any issues discovered in those applications as HTML. Because program source

code and any detected vulnerabilities it contains offer various opportunities for mishandling or

abuse, Fortify recommends that administrators deploy Fortify Software Security Center in a

secure operations facility. You must also secure the underlying Fortify Software Security Center

file system and restrict access to the Fortify Software Security Center installation directory.

Securing Tomcat Server

You must ensure the operational security of the application server that runs Fortify Software

Security Center. At a minimum, configure Tomcat Server to use HTTPS in conjunction with an

SSL certificate issued by a trusted certificate authority. Also, take any additional steps

necessary to secure Tomcat Server in your operating environment.

Using More Secure Cipher Suites

Fortify recommends that you disable weak SSL/TLS cipher suites in Tomcat in favor of more

secure suites.

APR-based SSL Connections

If you use an APR-based SSL connection, use the SSLCipherSuite directive. For detailed

information, see https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite and

Cipher Suites and Enforcing Strong Security (https://httpd.apache.org/docs/current/ssl/ssl_

howto.html).

JSSE-based SSL Connections

If you use a JSSE-based SSL connection, use the ciphersand the honorCipherOrder

attributes. For details, see Apache Tomcat 9 Configuration Reference - The HTTP Connector.

OpenText™ Fortify Software Security Center (24.2.0)

Page 35 of 459

User Guide

Chapter 2: Providing for Secure Deployment

Because of trade-offs between improved security and improved interoperability, better

performance, and so on, there is no correct cipher suite choice. However, Apache provides

information that can help you make your choice (see

https://cwiki.apache.org/confluence/display/TOMCAT/Ciphers).

Setting Tomcat Server Attributes to Protect Sensitive Data in

Cookies

Some Tomcat Server settings might make the sensitive information in some cookies vulnerable

to unnecessary disclosure.

To protect sensitive data, Fortify recommends that you add the following attributes (flags) for

cookies on the Tomcat application server:

l

Secure:The Secureattribute prevents the cookie from being transmitted on requests that

are not protected with SSL or TLS. Use this option to prevent cookies that could disclose

sensitive information (for example, session identifiers) from leaking information over insecure

channels (such as HTTP).

l

HttpOnly:The HttpOnlyattribute prevents the cookie value from being accessed through

client-side scripting routines. Fortify recommends that you keep this attribute enabled

unless the cookie is being read by client-side JavaScript routines.

For information about how to set the Secureand HttpOnlyattributes, see the Apache Tomcat

configuration reference documentation.

About Using HTTPS and SSL Communications

Fortify strongly recommends that you configure Fortify Software Security Center and Fortify

client products (including Audit Workbench, fortifyclient, the Eclipse Complete plugin, and the

Visual Studio extension) to use HTTPS and Secure Sockets Layer (SSL) for all communications.

Configuring Fortify Static Code Analyzer Applications to Communicate with

Fortify Software Security Center Using HTTPS

If you are using a third-party certificate purchased from and signed by a trusted root CA such as

VeriSign, Entrust, or Thawte, you do not need to do anything on the client side to use https to

communicate with Fortify Software Security Center. The certificate is trusted because these root

CA certificates are in the keystore that Fortify client products use.

However, by default, Fortify Software Security Center, Audit Workbench, fortifyclient, the

Eclipse Complete plugin, and the Visual Studio extension do not trust self-signed certificates or

certificates signed by an internal or local signing authority. In this case, to use https to

communicate with Fortify Software Security Center, you must import the self- or locally-signed

certificate into the Java Runtime certificate store.

OpenText™ Fortify Software Security Center (24.2.0)

Page 36 of 459

User Guide

Chapter 2: Providing for Secure Deployment

Important! If you used a third-party Certification Authority to issue a locally-signed

certificate, make sure that you import the CA certificate chain you used to issue the

certificate.

To install a self-signed or locally-signed certificate into the keystore that Fortify Software

Security Center and Fortify Static Code Analyzer tools use, do the following on every machine

on which any of these products is installed:

Open a command prompt, and then run the following:

cd "<sca_install_dir>\jre\bin"

keytool -importcert -alias SSC -keystore ..\lib\security\cacerts -file

"YourCertFile.cer" -trustcacerts

where YourCertFile.ceris the same certificate file that you imported on Tomcat Server.

If, for some reason, the certificate file is not available, you can export it from the keystore used

by Tomcat Server, as follows:

cd <java_home>\jre\bin

keytool -exportcert -alias SSC -keystore <keystore_used_by_tomcat> -

file

YourCertFile.cer

Note that you can use any name you want for the alias. These examples use SSC.

Additional Information

When you create a self-signed certificate interactively with the java keytool, you are prompted

to provide your first and last names. Provide the fully-qualified domain name of the server that

hosts Fortify Software Security Center. Do not simply use the short hostname or "localhost."

When you create a connector in the server.xmlfile for HTTPS, make sure that you include the

attribute keyAlias, using the name of the alias for the certificate in your keystore. Otherwise, if

the keystore contains multiple certificates, it uses the first certificate it finds.

About Securing Passwords and User Roles

Fortify recommends that, after you deploy Fortify Software Security Center and log in for the

first time, you immediately create one or more new local administrator accounts and delete the

default administrator account. For information about how to log in to Fortify Software Security

Center, see "Logging in to Fortify Software Security Center" on page 74.

Fortify Software Security Center account security features include:

l

The ability for administrators to suspend accounts that have become temporarily inactive

l

The automatic lock-out of accounts on the basis of failed log-on attempts

OpenText™ Fortify Software Security Center (24.2.0)

Page 37 of 459

User Guide

Chapter 2: Providing for Secure Deployment

For more information about Fortify Software Security Center account management, see

"Managing User Accounts" on page 215.

If you are using LDAP to authenticate Fortify Software Security Center users, configure your

LDAP server to use secure LDAP communications. For information about how to configure

Fortify Software Security Center to use LDAP authentication, see "LDAP User Authentication"

on page 104.

Managing Computer Services and Accounts

When you install Fortify Software Security Center, configure it as a service running under a

least-privileged user account. Also, because Fortify Software Security Center temporarily stores

files that are uploaded from a user account to the computer’s file system, always install and run

updated anti-virus software on the machine that hosts Fortify Software Security Center.

OpenText™ Fortify Software Security Center (24.2.0)

Page 38 of 459

Chapter 3: Preparing for Fortify Software Security

Center Deployment

This section describes how to prepare to deploy Fortify Software Security Center for the first

time.

High-Level Deployment Tasks

The following table lists the high-level tasks you need to perform to prepare for Fortify Software

Security Center deployment. It also provides links to the topics that describe these tasks.

Note: If you are upgrading Fortify Software Security Center, see "Upgrading Fortify

Software Security Center" on page 188.

Task

Description

Information and Instructions

1

Download the Fortify Software Security Center

"Downloading Fortify Software

Security Center Files" on

page 47

software files and the fortify.licensefile.

2

3

4

5

Unpack and deploy the installation bundle. Then "Unpacking and Deploying

deploy Fortify Software Security Center in

Tomcat Server.

Fortify Software Security

Center Software" on page 47

Install and configure the software for the

database server you plan to use for the Fortify

Software Security Center database.

"About the Fortify Software

Security Center Database" on

page 58

Start Tomcat server, and then log in to Fortify

Software Security Center. (See "Logging in to

Fortify Software Security Center" on page 74 .)

"Logging in to Fortify Software

Security Center" on page 74

Use the Fortify Software Security Center Setup

wizard to perform initial configuration. (Locate

your Fortify license, create the Fortify Software

Security Center database tables and initialize the

database schema, seed the database, and so on.)

"Configuring Fortify Software

Security Center for the First

Time" on page 68

Tip: Advanced users only: You can automate

OpenText™ Fortify Software Security Center (24.2.0)

Page 39 of 459

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

Task

Description

Information and Instructions

configuration before you deploy Fortify

Software Security Center. After you do, the

Setup wizard retrieves your configuration

settings at server startup and automates the

entire installation. For details, see

"Automating Fortify Software Security Center

Configuration" on page 448 .

6

7

Restart the Fortify Software Security Center

server.

Complete the Fortify Software Security Center

"Additional Fortify Software

configuration settings in the Administration view. Security Center Configuration"

(For the list of the options to configure in the

Administration view, see "Configuration Options

Available in the Administration View" on

page 80 .)

on page 78

8

Perform additional tasks such as configuring an

"Additional Installation-Related

Eclipse plugin update site, setting up bug tracker Tasks" on page 164

integration, configuring single sign-on,

administering users, registering LDAP entities,

managing LDAP user roles, and creating custom

attributes that users can assign to their

applications.

If you plan to remove Fortify Software Security Center and no longer need the Fortify Software

Security Center database, you can find instructions on how to permanently delete it in

"Permanently Deleting a Fortify Software Security Center Database" on page 66.

Deployment Overview

Fortify Software Security Center provides a centralized management and analysis facility for

application data gathered and processed using Fortify analysis products and tools (Fortify

Static Code Analyzer, Fortify WebInspect Agent, Fortify ScanCentral, and Audit Workbench)

across the complete Secure Development Lifecycle (SDL).

Fortify Software Security Center is packaged as a Web Archive (WAR) file. It runs under Tomcat

Server and requires a supported third-party database.

OpenText™ Fortify Software Security Center (24.2.0)

Page 40 of 459

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

After initial deployment, you use the Fortify Software Security Center Setup wizard to complete

preliminary configuration. This enables Fortify Software Security Center to work with required

entities such as the third-party database.

Tip: For advanced users only. You can automate configuration before you deploy Fortify

Software Security Center.

After you finish the initial Fortify Software Security Center configuration, complete the

configuration of the core parameters and configure additional settings from the Administration

view. For instructions, see "Additional Fortify Software Security Center Configuration" on

page 78.

Important! Fortify only supports the deployment of a single Fortify Software Security

Center instance. Furthermore, that instance must not be behind a load balancer.

For system requirements information, see the OpenText™ Fortify Software System

Requirements document.

To provide centralized management, Fortify Software Security Center inter-operates with the

following external components:

l

Required components

l

Apache Tomcat Server

l

Third-party database

l

Fortify Security Content Server

l

Optional components

l

Third-party LDAP authentication server

l

Defect-tracking system

l

Parser plugin

l

SMTP email server

l

One or more Fortify analysis agents and tools

l

Kubernetes

About Integrating Components with Fortify Software Security Center

You can integrate the following components with Fortify Software Security Center:

Components

Integration Instructions

System for Cross-domain

Identity Management

(SCIM)

"Enabling SCIM for Provisioning of Externally Managed Users

and Groups" on page 128

OpenText™ Fortify Software Security Center (24.2.0)

Page 41 of 459

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

Components

Integration Instructions

"Configuring Fortify Software Security Center to Work with

SAML 2.0-Compliant Single Sign-On" on page 144

Fortify Audit Assistant

"Configuring Audit Assistant" on page 364

Java Message Service

(JMS)

"Configuring Java Message Service Settings" on page 102

LDAP servers

"Configuring LDAP Servers" on page 107

Single-sign on (SSO)

providers:

l

Central Authentication

Service (CAS)

"Configuring Fortify Software Security Center to Work with a

Central Authentication Service" on page 144

l

SPNEGO/Kerberos

"Setting up Kerberos Authentication with Fortify Software

Security Center" on page 151

l

SAML

"Configuring Fortify Software Security Center to Work with

SAML 2.0-Compliant Single Sign-On" on page 144

l

HTTP

"Configuring Fortify Software Security Center to Work with

Single Sign-On and Single Logout Solutions that use HTTP

Headers" on page 150

l

x509

"Configuring Fortify Software Security Center to Use X.509

Certification-based SSO" on page 153

Fortify ScanCentral SAST

"Configuring ScanCentral SAST Monitoring in Fortify Software

Security Center" on page 130

Fortify ScanCentral DAST "Enabling the Running and Management of ScanCentral DAST

Scans from Fortify Software Security Center" on page 131

Fortify Static Code Analyzer Applications and Tools:

l

Fortify Audit

Workbench

Fortify Audit Workbench User Guide

https://www.microfocus.com/documentation/fortify-static-

code-analyzer-and-tools

l

Fortify Jenkins plugin

Fortify Jenkins Plugin User Guide

OpenText™ Fortify Software Security Center (24.2.0)

Page 42 of 459

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

Components

Integration Instructions

https://www.microfocus.com/documentation/fortify-jenkins-

plugin

l

Fortify Eclipse plugin

Fortify Plugin for Eclipse User Guide

https://www.microfocus.com/documentation/fortify-static-

code-analyzer-and-tools

l

Fortify Extension for

Fortify Extension for Visual Studio User Guide

Visual Studio

https://www.microfocus.com/documentation/fortify-visual-

studio-code

l

Fortify Extension for

Fortify Visual Studio Code Documentation

Visual Studio Code

https://www.microfocus.com/documentation/fortify-visual-

studio-code

l

Fortify Plugin for

Fortify Plugin for Bamboo User Guide

Bamboo

https://www.microfocus.com/documentation/fortify-plugin-for-

bamboo

l

Fortify Analysis Plugin

for IntelliJ IDEA and

Android Studio

Fortify Analysis Plugin for IntelliJ IDEA and Android Studio User

Guide

https://www.microfocus.com/documentation/fortify-static-

code-analyzer-and-tools

l

Fortify Remediation

Fortify Remediation Plugin for Eclipse User Guide

Plugin for Eclipse

l

Fortify Remediation

Plugin for IntelliJ IDEA

and Android Studio

Fortify Remediation Plugin for IntelliJ IDEA and Android Studio

User Guide

l

Fortify

SourceAndLibScanner

Download Fortify SourceAndLibScanner from the Fortify

Marketplace at

https://marketplace.microfocus.com/cyberres/category/fortify.

The software package comes with documentation.

Fortify Azure DevOps

Extension

https://www.microfocus.com/documentation/fortify-azure-

devops-extension

OpenText™ Fortify Software Security Center (24.2.0)

Page 43 of 459

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

Components

Integration Instructions

Security training vendors

"Configuring Application Security Training" on page 83

Important! When you integrate Fortify Software Security Center with other Fortify

products (for example, ScanCentral DAST, Audit Workbench, and so on) make sure that you

minimize clock skew between communicating machines. Fortify recommends that you

synchronize computer clock times using, for example, Network Time Protocol (NTP). If that

is not possible, Fortify suggests that you maintain a clock skew of less than five minutes,

compared on a UTC basis. Otherwise, requests to Fortify Software Security Center can fail.

OpenText™ Fortify Software Security Center (24.2.0)

Page 44 of 459

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

The Fortify Software Security Center Installation Environment

The following figure illustrates the relationship of Fortify Software Security Center to the

required and optional components listed in " Deployment Overview" on page 40.

The following table provides descriptions of the required and optional Fortify Software Security

Center installation components in the illustration.

Component

Description

Fortify

SSC Server

Fortify Software Security Center is delivered as a Web Archive (WAR) file

run by Tomcat Server or as a Helm chart for Kubernetes deployment.

SSC database

Third-party database that Fortify Software Security Center requires to

store user and artifact data. Before you put Fortify Software Security

Center into production, you must install a supported third-party

database.

Third-party

LDAP

(Optional) You can configure Fortify Software Security Center to use

LDAP authentication.

authentication

server

Defect-tracking

(Optional) You can configure Fortify Software Security Center to enable

OpenText™ Fortify Software Security Center (24.2.0)

Page 45 of 459

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

Component

Description

server

bug submission directly to Bugzilla, Jira, ALM, Azure DevOps Server, or a

customized bug-tracking system. For information about how to create a

customized bug-tracking system, see "Authoring Bug Tracker Plugins"

on page 437.

Third-party email (Optional) You can configure Fortify Software Security Center to use an

server

external SMTP email server to send alerts to application collaborators.

Fortify Static

Code Analyzer

analysis agent

(Optional) Fortify Static Code Analyzer scans source code and identifies

issues.

Audit Workbench Audit Workbench and Fortify IDE plugins can be used as alternative

and IDE plugins

source-code auditing tools.

Jenkins

Azure DevOps

Bamboo

Use these plugins to scan source code (using Fortify Static Code

Analyzer) and upload scan results.

Fortify

ScanCentral

SAST

(Optional) Fortify Static Code Analyzer users can use ScanCentral SAST

to offload processor-intensive code analysis tasks from their build

machines to a group of machines (sensors) provided for this purpose.

Fortify

ScanCentral

DAST

(Optional) A dynamic application security testing tool that you can use

to configure and run dynamic scans of your web applications from

Fortify Software Security Center.

Fortify

WebInspect

(Optional) Analysis agent that connects with Fortify WebInspect agents

to retrieve potential dynamic issues.

Fortify Security

Content update

server

Used to acquire and update Security Content.

Important! Fortify does not support load balancing across multiple Fortify Software

Security Center servers.

OpenText™ Fortify Software Security Center (24.2.0)

Page 46 of 459

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

Downloading Fortify Software Security Center Files

Fortify software is only available for download from the Software Licenses and Downloads

(SLD) portal (https://sld.microfocus.com). For descriptions of the Fortify software installation

packages available there, see the Fortify Software System Requirements document.

Download the installation files and the fortify.licensefile following the instructions in the

Fortify Software System Requirements document. A helpful how-to video at

https://www.youtube.com/playlist?list=PL8yfmcqTN8GE9XCGVgxMQDFFZy9_-R-e3 also

provides instructions on how to download Fortify software.

See Next

"Unpacking and Deploying Fortify Software Security Center Software" below

Unpacking and Deploying Fortify Software Security Center

Software

To unpack and deploy the Fortify Software Security Center installation files:

1. Extract the contents of the installation file into a temporary directory in a secure location.

(The installation file is the file you downloaded using the instructions in "Downloading

Fortify Software Security Center Files" above.)

2.

Locate the distribution file (Fortify_<version>_Server_WAR_Tomcat.zip) and extract

all of the contents into a directory in a secure location. This creates the Fortify-Server-

WARdirectory, which contains the resources and tools you need for tasks such as

configuring Fortify Software Security Center and migrating applications from previous

versions.

Note: The directory into which you extract the distribution file content is referred to in

all topics as the <ssc_install_dir>directory.

3.

Copy the seed bundle files from the srg_contentfolder in the temporary directory to the

<ssc_install_dir>directory. Do not unzip the seed bundle files.

Note: Although you are not required to copy the resource files to the <ssc_install_

dir>directory, the procedures in this document are based on the assumption that you

saved the files to that location.

The seed bundles are described in the following table.

File Name

Description

Process template seed bundle used to seed database tables. It

Fortify_

Process_Seed_ provides a default admin user account and issue template data.

Bundle-2024_

OpenText™ Fortify Software Security Center (24.2.0)

Page 47 of 459

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

File Name

Description

Q2_

<build>.zip

Report seed bundle used to seed database tables. It provides the

default set of Fortify Software Security Center reports.

Fortify_

Report_Seed_

Bundle-2024_

Q2_

<build>.zip

(Optional) The PCI Basic seed bundle adds a Payment Card Industry

(PCI) Data Security Standard (DSS) process template and its

associated report to the default set of issue templates and reports.

PCI DSS will remain open for assessment of previously-started, and

newly-started assessments initiated before June 2021, until October

2022. After October 2022, the new PCI Software Security

Fortify_PCI_

Basic_Seed_

Bundle-2024_

Q2_

<build>.zip

Framework (SSF) will be the set of standards for evaluation. Please

use the PCI SSF Basic seed bundle (Fortify_PCI_SSF_Basic_

Seed_Bundle-2024_Q2_<build>.zip) to begin to understand

how software security issues can affect evaluation under these new

PCI SSF standards.

(Optional) The PCI SSF Basic seed bundle adds a Payment Card

Industry (PCI) Software Security Framework (SSF) process template

and its associated report to the default set of issue templates and

reports. PCI SSF was introduced in June 2019 as a set of new

standards used to evaluate systems developed by payment

software vendors. The existing PCI DSS will remain open for

assessment of previously-started, and newly-started assessments

initiated before June 2021, until October 2022. After October 2022,

the new PCI Software Security Framework (SSF) will be the set of

standards for evaluation. Please use the PCI Basic seed bundle

Fortify_PCI_

SSF_Basic_

Seed_Bundle-

2024_Q2_

<build>.zip

(Fortify_PCI_Basic_Seed_Bundle-2024_Q2_<build>.zip)

for evaluation under PCI DSS.

The process templates seed bundle and the reports seed bundle are required for Fortify

Software Security Center deployment. The PCI Basic seed bundles are optional.

4.

Copy the fortify.licensefile to the <ssc_install_dir>directory. (For information

about how to obtain the fortify.licensefile, see the Fortify Software System

Requirements document.)

OpenText™ Fortify Software Security Center (24.2.0)

Page 48 of 459

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

Deploying Fortify Software Security Center to a Kubernetes

Cluster

The following steps describe how to prepare for and perform a Fortify Software Security Center

Kubernetes deployment. For information about supported versions of the required software, see

the OpenText™ Fortify Software System Requirements document for this release.

The following are required in the Kubernetes and helm space:

l

Persistent volume: For the configuration file and log files. Kubernetes persistent volume must

support the PodSecurityContext fsGroupfield. Fortify Software Security Center Helm chart

deployment supports changing the default UID and GID using the "user" Helm chart values

("user.uid", "user.gid"). With fsGroupsupported, you can change both the UID and GID

without affecting Fortify Software Security Center functionality.

If Fortify Software Security Center runs on Kubernetes with persistent volume without

fsGroupsupport, or if the Fortify Software Security Center container image is used outside

of Kubernetes, Fortify Software Security Center cannot start if run with a non-default GID. In

this case, you must manually configure permission on Fortify Software Security Center

volume directories and files before you can start it.

l

Secrets file - Responsible for storing everything regarding licenses or connections to the

database, for example, username / password, and such information, and this is important

when it comes to SSL or HTTPS, because Fortify Software Security Center in Kubernetes only

runs on HTTPS. So, you must have a TLS or SSL connection. All of this information (trust,

keystore, license file) is stored in the secrets file. You must have your license and keystore

available.

l

ssc-values.yamlfile - Used to store or set all parameters for your helm chart. The Helm

chart needs data to set up SSC.

You want to store results in SSC, and for that you use the SSC database. And, the version of

database in your Kubernetes space must be the same as the version used for the ssc db.

You also need to grant users access to ssc. For that you need some kind of service (load

balancer, cluster IP, or node port) that are components of Kubernetes

To prepare for your Fortify Software Security Center Kubernetes deployment, do the following:

1. Install and set up kubectl. For instructions, see

https://kubernetes.io/docs/tasks/tools/install-kubectl.

2. Install Helm. (To download the software, see https://github.com/helm/helm/releases. For

installation instructions, see https://helm.sh/docs/intro/install . For upgrade instructions,

see https://helm.sh/docs/helm/helm_upgrade/#helm .)

3. (Air-gapped installation only) Install Docker. For installation instructions, see

https://docs.docker.com/get-docker.

4. Copy the contents of the helm directory from the Fortify Software Security Center

distribution ZIP file to the <ssc_helm_dir>directory. Navigate to the <ssc_helm_dir>

directory and copy the ssc-values-example.yamlfile to ssc-values.yaml.

OpenText™ Fortify Software Security Center (24.2.0)

Page 49 of 459

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

Fortify Software Security Center Kubernetes Deployment

You can deploy Fortify Software Security Center in an environment with Internet access, or in an

air-gapped environment. If you plan to deploy the application in an environment with Internet

access, you can pull the Fortify Software Security Center Docker image (fortifydocker/ssc-

webapp) from the Docker Hub registry. If you must deploy the application in an air-gapped

environment, you must use a private registry for the deployment and transfer the Fortify

Software Security Center container image to it.

Deploying Fortify SSC to a Kubernetes Cluster

The procedure used to deploy Fortify Software Security Center in an environment that has

Internet access is almost identical to the procedure used to deploy the product in an air-gapped

environment. The only difference is that, for an air-gapped deployment, you must push the

Fortify Software Security Center container image to a private registry that is accessible from

your Kubernetes cluster.

To deploy Fortify Software Security Center to a Kubernetes cluster:

1. Create a Docker Hub account, and then supply your account name to Customer Support

(https://www.microfocus.com/support).

Note: Customer Support can give you access to the Fortify repository on the Docker

Hub (fortifydocker organization).

2. To request access to the Fortify Software Security Center Docker image published in the

Docker Hub registry, send an email with the following information to

fortifydocker@microfocus.com:

l

First Name

l

Last Name

l

Company Name

l

Docker ID

l

Customer ID

3. (For an air-gapped installation, or if you want to use a private registry. A running Docker

server and Docker client are assumed to be in place.) Transfer the Fortify Software Security

Center container image to your private registry, as follows:

a.

b.

Log in to the Docker Hub using dockerlogin.

Log in to your private registry using docker login <priv_reg_host_and_port>,

where <priv_reg_host_and_port>represents the host and port of your private

registry.

c. Transfer the Fortify Software Security Center container image, as follows:

i.

docker pull"fortifydocker/ssc-webapp:<tag>"

ii.

docker tag"fortifydocker/ssc-webapp:<tag>""<priv_reg_host_and_

port>/<priv_reg_path>/ssc-webapp:<tag>"

OpenText™ Fortify Software Security Center (24.2.0)

Page 50 of 459

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

iii.

docker push "<priv_reg_host_and_port>/<priv_reg_path>/ssc-

webapp:<tag>"

Note: To determine the value to use for <tag>, go to the <ssc_helm_dir>

directory and open the ssc-<chart_version>+<ssc_version>.tgzfile.

Use the <ssc_version>value (tag for the latest published image build) from

the TGZ file name.

There are also tags for exact image builds in the format <ssc_

version>.<imageBuildNumber>

You can list available image tags in the docker hub. If you use

<imageBuildNumber>, you must specify it in the image.buildNumberHelm

chart value.

Important! The image name (ssc-webapp) and the tag (<tag>) value must

stay the same.

d.

Enter the <priv_reg_host_and_port>/<priv_reg_path>/as the value for

image.repositoryPrefixparameter in the <ssc_helm_dir>/ssc-values.yaml

file. (The value you specify for the image.repositoryPrefixparameter must include

a trailing forward slash (/).)

4.

If you want to use the exact image build tag, enter the <imageBuildNumber>value as the

value for the image.buildNumber. Otherwise, leave it empty.

5. Provision a Kubernetes secret for pulling images from the registry (Docker Hub or private

registry). For instructions, see https://kubernetes.io/docs/tasks/configure-pod-

container/pull-image-private-registryand enter the secret name as the value for

the imagePullSecretsparameter in the <ssc_helm_dir>/ssc-values.yamlfile. If the

secret is regcred, then the format is:

imagePullSecrets:

- name: regcred

Note: The imagePullSecretsvalue is required for access to the Docker Hub registry.

If you have a private registry that can be accessed without credentials, then there is no

need to specify imagePullSecrets.

6. Provision another Kubernetes secret that contains the data required for the deployment.

Inspect the secretRef.keysfile for the list of data accepted. The minimum required set

includes httpCertificateKeystoreFileEntry,

httpCertificateKeystorePasswordEntry, and

httpCertificateKeyPasswordEntry.

The following example shows how to create the secret manually:

a.

b.

Create a <ssc_secrets_dir>directory.

Create a file for each of the secretRef.keysrequired entries. You must have at least

three files in the directory: a Java keystore file that contains the HTTPS certificate and

its private key, a file with the password for the keystore, and a file that contains the

OpenText™ Fortify Software Security Center (24.2.0)

Page 51 of 459

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

password for the secret key of the HTTPS certificate.

c.

Create the secret using the kubectlcommand:

kubectl create secret generic "<ssc_secret_name>" --from-file

"<ssc_secrets_dir>"

d.

e.

Enter the <ssc_secret_name>as the value for the secretRef.nameparameter in

the <ssc_helm_dir>/ssc-values.yamlfile.

For each file provided in <ssc_secrets_dir>, enter the file name as the value for the

related the secretRef.keys.*Entryparameter in the <ssc_helm_dir>/ssc-

values.yamlfile.

Note: Changes in the secret are not applied automatically by the deployment. To use a

changed secret with an existing deployment, you must manually remove the Fortify

Software Security Center Pod to trigger automatic re-creation.

7.

Enter any other required parameters to the <ssc_helm_dir>/ssc-values.yamlfile.

l

The urlHostmust contain the fully-qualified DNS name intended for accessing Fortify

Software Security Center. The address for accessing the Fortify Software Security

Center installation is

<https://<urlHost>:<service.httpsPort>/<sscPathPrefix>. For example,

https://ssc.example.com:443/ssc. If the port is 443, you can omit it from the URL

(https://ssc.example.com/).

l

For ease of use, Fortify recommends that you set the service.typeparameter to

LoadBalancer.

l

To apply changes to the Fortify Software Security Center secret referenced by

secretRef.name, you must manually remove the ssc-webapp Pod (it is later

automatically re-created).

Note: If necessary, you can change most values you specify for parameters in the

<ssc_helm_dir>/ssc-values.yamlfile later, and then redeploy Fortify Software

Security Center to implement the changes. Depending on the Kubernetes cluster, the

exception might be parameters for a persistentVolumeClaim.

Deployment

To deploy Fortify Software Security Center for the first time, run the following:

helm install "<unique_deployment_name>" "<ssc_helm_dir>/ssc-<chart_

version>+<ssc_version>.tgz" -f "<ssc_helm_dir>/ssc-values.yaml"

For subsequent deployments, run the following:

helm upgrade "<unique_deployment_name>" "<ssc_helm_dir>/ssc-<chart_

version>+<ssc_version>.tgz" -f "<ssc_helm_dir>/ssc-values.yaml"

Next, use the default administrator account to log in to Fortify Software Security Center and

perform post-installation configuration, just as you would after a standard installation. For

details, see "Configuring Fortify Software Security Center for the First Time" on page 68.

OpenText™ Fortify Software Security Center (24.2.0)

Page 52 of 459

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

Customizing the Apache Tomcat Access Logs

To change the default format for Tomcat access logs on the ssc-webapp container image, set

the HTTP_SERVER_ACCESS_LOG_PATTERNenvironment variable to the Tomcat Access Log

Valve pattern. For information about the patterns supported, see the Apache Tomcat 9

Configuration Reference website (https://tomcat.apache.org/tomcat-9.0-

doc/config/valve.html#Access_Log_Valve).

You can use the environment Helm chart value, as shown in the following example:

environment:

-

name: HTTP_SERVER_ACCESS_LOG_PATTERN

value: '%h %l %u %t "%r" %s %b'

Troubleshooting a Fortify Software Security Center Deployment to a

Kubernetes Cluster

This section provides information about the error messages that can be encountered during an

attempted deployment.

If you crash during the installation phase, run:

kubectl describe pod <pod_name>

To display logs after installation, run:

kubectl logs <pod_name> -f

To view the status of Pods running on your cluster (Pending, Running, Succeeded, Failed, or

Unknown), run:

kubectl get pods

If no Pods are running, the interactive environment is still reloading its previous state. Wait for

several seconds, and then run kubectl get podsagain. Once you see the Pod running,

continue.

To see a list of all services, the assigned IPs (cluster and external) and ports, run:

kubectl get services

To list those names, run:

OpenText™ Fortify Software Security Center (24.2.0)

Page 53 of 459

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

helm list

To get values/configuration for a specific deployment installed by helm, run:

helm get values <installation name>

To see information about the volume being mounted or to see whether the image was pulled

successfully or not (if, for example, the wrong credentials were provided), run:

kubectl describe --help

If everything looks fine, but Fortify Software Security Center does not run as expected, and logs

alone do not provide enough information, run the following to inspect the container file system,

check the state of the environment, and perform advanced debugging tasks:

kubectl exec -it <pod_name> bash

This enables you to interactively browse the container, print other internal logs (Tomcat or the

Fortify Software Security Center itself, and run other commands.

Other Troubleshooting Resources

For a visual guide to troubleshooting your deployment, see "A visual guide on troubleshooting

Kubernetes deployments" (https://learnk8s.io/troubleshooting-deployments). For guidance on

debugging common containerized application issues, see "Troubleshooting Applications"

(https://kubernetes.io/docs/tasks/debug/debug-application).

OpenText™ Fortify Software Security Center (24.2.0)

Page 54 of 459

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

About the <fortify.home> Directory

The <fortify.home>directory is where the configuration file and other Fortify Software

Security Center resources reside.

Default Directory Locations

After Fortify Software Security Center deployment, you can find <fortify.home>in the

following locations:

l

%USERPROFILE%\.fortifyon a Windows system (applies to both a standard user and a

Windows service user)

Note: %USERPROFILE%represents the user running the Tomcat service, which is not

necessarily the user who installed Tomcat.

Named Account = C:\Users\<username>

LocalSystem [Default] = %WinDir%\System32\config\systemprofile

LocalService = %WinDir%\ServiceProfiles\LocalService

NetworkService = %WinDir%\ServiceProfiles\NetworkService

l

$HOME/.fortifyon a Linux system

Changing the Default Locations

You can override the default <fortify.home> directory location by setting the fortify.home

system property on the JVM used to start the Tomcat Server. For example, you can specify this

system property using the CATALINA_OPTSenvironment variable. Alternatively, you can add

the fortify.homeproperty to the Java Options field in the Tomcat service definition on a

Windows system. For detailed information on setting Java system properties, see the Tomcat

documentation.

Example: -Dfortify.home=/home/fortify

Note: If you want to change the <fortify.home>directory location after Fortify Software

Security Center has already been configured (see "Configuring Fortify Software Security

Center for the First Time" on page 68), make sure that you copy or move the contents of

the existing <fortify.home >directory to the new location before you restart the server

with the updated fortify.homesystem property value.

OpenText™ Fortify Software Security Center (24.2.0)

Page 55 of 459

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

Directory Contents

The <fortify.home>directory is structured as follows:

<fortify.home>/

<app_context>/

conf/

app.properties

datasource.properties

log4j2.xml

version.properties

secret.key

logs/

ssc.log

...

init.token

...

plugin-framework/

/logs

fortify.license

where

represents the application server context in which Fortify

<app_context>

Software Security Center is deployed. For details, see

"Automating Fortify Software Security Center Configuration"

on page 448 .

is the default log configuration. Although you can change this

configuration manually, Fortify strongly recommends that

you use the log4j2 configuration override feature instead

(see "Customizing Fortify Software Security Center Logging "

on page 162 ).

log4j2.xml

represents a new security token that is generated each time

the Setup wizard is loaded (start of server in configuration

mode). The user who configures Fortify Software Security

Center uses this token to access the Setup wizard at the

init.token

<host>:<port>/initURL.

is a file that contains the application properties that the

customer can configure.

app.properties

OpenText™ Fortify Software Security Center (24.2.0)

Page 56 of 459

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

is a file that contains the database connection properties.

datasource.properties

version.properties

is a file that stores information about current and previous

versions of Fortify Software Security Center for application

upgrade purposes.

is an encryption key file used to encrypt and decrypt

sensitive configuration information in Fortify Software

Security Center. (Fortify Software Security Center never

overwrites this file. However, the file is generated if it is

secret.key

missing from the <fortify.home>/<app_context>/conf

directory.)

The datasource.propertiesfile and some database

fields contain encrypted entries that rely on the

secret.keyfile. If you move your Fortify Software

Security Center instance from one computer to another,

you must also move the secret.keyfile (not just your

database files).

is the plugin framework configuration and temporary storage

(internal).

plugin-framework

Note: If you encounter a problem with a plugin, you can

usually find more detailed information about it in

plugin-framework/logsthan you can in main Fortify

Software Security Center logs.

is the license file for Fortify Software Security Center.

fortify.license

Important! The <fortify.home>/<app_context>/confdirectory must always contain

the following files:

- app.properties

- datasource.properties

- secret.key

- version.properties

If any one of these files is missing, Fortify Software Security Center either runs auto-

configuration, or starts the Setup wizard to re-create any missing files.

OpenText™ Fortify Software Security Center (24.2.0)

Page 57 of 459

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

About the Fortify Software Security Center Database

If you are deploying a new instance of Fortify Software Security Center, you must first install

and configure the third-party database server software.

Important! Fortify Software Security Center requires that all database schema

collations be case-sensitive.

Important! If you are installing a SQL Server or MySQL database, your installation

requires special attention. For more information, see "Using a Microsoft SQL Server

Database" on page 60 or "Configuring a MySQL Database" on page 61 .

Later, after you go on to Fortify Software Security Center for the first time, you will use the

Fortify Software Security Center Setup wizard to configure connectivity to the database and

then seed the database. (See "Configuring Fortify Software Security Center for the First Time"

on page 68.)

Topics covered in this section:

About JDBC Drivers

58

About Fortify Software Security Center Database Character Set Support

Installing and Configuring the Database Server Software

Database User Account Privileges

Database-Specific Configuration Requirements

About the Fortify Software Security Center Database Tables and Schema

About Seeding the Fortify Software Security Center Database

Permanently Deleting a Fortify Software Security Center Database

About JDBC Drivers

The JDBC drivers for SQL Server, MySQL server, and Oracle are bundled with Fortify Software

Security Center software.

The MariaDB JDBC driver is used to connect to the MySQL database server. JDBC URL

parameters must use MariaDB driver syntax. Note that the MariaDB is not supported as the

back end database for Fortify Software Security Center.

About Fortify Software Security Center Database Character Set Support

For a list of the supported character sets for each third-party database type that Fortify

Software Security Center supports, see the OpenText™ Fortify Software System Requirements

document.

OpenText™ Fortify Software Security Center (24.2.0)

Page 58 of 459

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

Installing and Configuring the Database Server Software

Install and configure the database server software following the instructions in the

documentation for your database software.

For information about supported databases, see the OpenText™ Fortify Software System

Requirements document.

Monitoring Disk I/O

Disk I/O encompasses the input/output operations on a physical disk. If you are reading data

from a file on a disk, the processor must wait for the file to be read (the same applies to writing

data to a file). Fortify Software Security Center performs I/O-intensive database operations,

which affects performance. Make sure that your disk subsystem provides low read/write latency.

Fortify recommends that you monitor disk I/O as the database grows.

Note: Cleanup actions on Fortify Software Security Center objects, such as application

versions, artifacts, saved reports, data exports, event logs, and so on, might not result in

actual reduction of database storage allocation until the database administrator re-

optimizes the database. Fortify recommends regular monitoring and optimization of the

Fortify Software Security Center databases.

Database User Account Privileges

Fortify strongly recommends that you create accounts for users who perform the following

tasks on the Fortify Software Security Center database:

l

Perform runtime tasks

A user who performs runtime tasks requires privileges to do the following:

l

Perform Data Manipulation Language (DML) operations to SELECT, UPDATE, INSERT,

and DELETE data in all the database tables and views

l

Execute stored procedures.

l

Execute migration scripts

Important! Fortify strongly recommends that you create a separate user account to be

used for executing migration scripts.

A user who executes migration scripts requires privileges to do the following:

l

Perform Data Manipulation Language (DML) operations to SELECT, UPDATE, INSERT,

and DELETE data in all the database tables and views

l

Execute stored procedures

l

Perform Data Definition Language (DDL) operations to CREATE, ALTER, and DROP

database tables, views, and indexes.

l

For Oracle databases, permission to enable sequences.

OpenText™ Fortify Software Security Center (24.2.0)

Page 59 of 459

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

l

Create and manage the database

Important! Fortify strongly recommends that you create a separate user account to be

used to create and manage the database.

A user who creates and manages the database requires privileges to do the following:

l

Perform all the tasks for which the user who executes migration scripts has privileges.

l

Create a Fortify Software Security Center database in a dedicated instance.

l

Back up and then update the existing Fortify Software Security Center dedicated database

instance.

l

Bind a Fortify Software Security Center user account to the dedicated database instance.

l

Assign a Fortify Software Security Center user account the read-write privileges required

to create, initialize, and manage the Fortify Software Security Center database. At a

minimum, this user must have a database account that enables the web application to

connect to the database.

l

Create and generate reports

To add an extra measure of security to reporting, create a database user account with read-

only access to the Fortify Software Security Center database, and then use the account

credentials to configure enhanced security for your BIRT reports (see "Configuring

Security for BIRT Reporting" on page 91).

Database-Specific Configuration Requirements

The following topics describe the configuration requirements for the Fortify Software Security

Center-supported third-party databases and how to configure the databases to work with

Fortify Software Security Center.

Using a Microsoft SQL Server Database

If you are using a SQL Server database as the Fortify Software Security Center database,

perform the following checks:

l

Enable the Auto Update Stats Asynchronously (AUTO_UPDATE_STATISTICS_ASYNC) option

for the database. For instructions, see the Microsoft SQL documentation website

(https://docs.microsoft.com/en-us/sql/?view=sql-server-ver15).

l

Make sure that your SQL Server database schema collation is case-sensitive. The default

installation of SQL Server is case-insensitive.

Caution! Fortify Software Security Center requires that all database schema collations be

case-sensitive. If your database schema collation is case-insensitive, Fortify Software

Security Center does not work correctly.

OpenText™ Fortify Software Security Center (24.2.0)

Page 60 of 459

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

Important! Before you run the Fortify-provided SQL scripts, verify that there are no

open connections to the database.

l

Make sure that snapshot isolation is enabled (ALLOW_SNAPSHOT_ISOLATIONand READ_

COMMITTED_SNAPSHOTare set to ON) on the database schema used for the installation.

l

During SQL script executions, check the client tool to make sure that its ANSI null default

option is set to ON. To do this, you can either use a SETcommand (set ANSI_NULL_DFLT_ON

to ON) or the Query Editor.

Windows Domain Authentication

For Windows domain authentication, you must perform the following additional steps before

you deploy Fortify Software Security Center:

1.

2.

Make sure that you add integratedSecurity=trueto the JDBC URL.

Obtain the mssql-jdbc_auth-<version>-<arch>.dllfile. For more information, see

https://docs.microsoft.com/en-us/sql/connect/jdbc/building-the-connection-

url?view=sqlserver-ver15#Connectingintegrated.

3.

4.

Place the mssql-jdbc_auth-<version>-<arch>.dllfile in the directory specified for

the -Djava.library.pathparameter of the JDK_JAVA_OPTIONSenvironment variable.

Place the mssql-jdbc_auth-<version>-<arch>.dll: file in a directory that is included

in the PATHenvironment variable (for example, C:\Windows\System32).

5. Next, do one of the following:

l

Use the ssc.autoconfigfile to configure Fortify Software Security Center.

l

Configure Fortify Software Security Center with SQL authentication, and then remove

the db.usernameand db.passwordparameters from the datasource.properties

file.

6. Check to make sure that Tomcat is running with the domain account you want to use to

connect to the database.

Configuring a MySQL Database

If you are using MySQL as the Fortify Software Security Center database, you must configure

the MySQL options file.

Caution! Fortify Software Security Center requires that all database schema collations be

case-sensitive. If your installation is case-insensitive, Fortify Software Security Center

cannot work correctly.

Note: For information about the supported versions of MySQL, see the Fortify Software

System Requirements document.

Tip: If you use SSL to connect Fortify Software Security Center to MySQL, Fortify

recommends that you increase the allowed number of concurrent client connections by

OpenText™ Fortify Software Security Center (24.2.0)

Page 61 of 459

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

increasing the value of the max_connectionssystem variable (in the my.cnffile). This

can prevent the Too many connectionserror from occurring.

To configure the MySQL 8.0 options file:

1. Stop MySQL server.

2. Navigate to the MySQL server installation directory.

3. Open the MySQL options file in a text editor.

Tip: To locate the options files and the order in which they are read, run the following

command from a terminal: mysql --help.

l

On Windows systems, the default options file is my.ini.

Note: The default location for MySQL 8.0 is

c:\ProgramData\MySQL\MySQLServer8.0.

l

On Linux systems, the default options file is my.cnf.

4.

5.

In both the [mysqld]and [mysqldump]sections, set max_allowed_packetto 1G.

If the [mysqldump]section is not there, create it.

In the [mysqld]section, configure the settings in the following table. If a listed setting is

not included in the file, add it.

Setting

Value

INNODB

default_

storage_

engine

innodb_

buffer_

pool_size

512M(Fortify recommends 10GBor more)

The best performance is achieved when all data and indexes fit.

Together with per-connection memory, the innodb_lock_wait_

timeoutvalue must not exceed the total available memory on the server.

You can roughly estimate the maximum memory usage as follows:

max_connections * max_allowed_packet + innodb_buffer_

pool_size

An innodb_buffer_pool_sizevalue of between 60 and 80 percent of

available memory is appropriate.

The larger the innodb_buffer_pool_sizevalue, the less disk I/O is

needed to access data in tables. On a dedicated database server, you may

set this to up to 80% of the machine physical memory size. However, be

prepared to scale back this value if you see any of the following:

OpenText™ Fortify Software Security Center (24.2.0)

Page 62 of 459

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

Setting

Value

l

Competition for physical memory causes paging in the operating

system.

l

InnoDB reserves additional memory for buffers and control structures,

so that the total allocated space is approximately 10% greater than the

specified size.

l

The address space must be contiguous, which can cause problems on

Windows systems with DLLs that load at specific addresses.

The time to initialize the buffer pool is roughly proportional to its size.

On large installations, this initialization time may be extensive. For

example, on a modern Linux x86_64 server, initialization of a 10 GB

buffer pool takes approximately 6 seconds. See the MySQL 8.0

Reference Manual (https://dev.mysql.com/doc/refman/8.0/en).

innodb_

lock_

300(recommended) Expressed in seconds

wait_

timeout

innodb_log_ 512M

file_size

1G

max_

allowed_

packet

sql-mode

"TRADITIONAL"

6. Save the file, and then restart MySQL server.

Configuring an Oracle Database

This section provides information about how to configure an Oracle database to prevent

database-related errors.

Preventing the “No more data to read from socket” Error

If you use Oracle as the Fortify Software Security Center database, you might see an exception

of the type “No more data to read from socket.”

One possible solution to this exception is to do the following:

OpenText™ Fortify Software Security Center (24.2.0)

Page 63 of 459

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

1.

2.

3.

Navigate to the $ORACLE_HOME/network/admin/directory.

Open the tnsnames.orafile in a text editor.

Set the value of SERVERto DEDICATE.

4. To apply the change, restart the active listener associated with the database.

Partitioning an Oracle Database for Improved Performance

The high input and output associated with large volumes of data in an Oracle database can

prevent the database server from effectively operating on data. Database partitioning enhances

database server performance, improving data manageability and availability. (The

partitioning.sqlscript partitions ISSUE, SCAN_ISSUE, and ISSUECACHE tables using Oracle

hash partitions.)

Preparing to Partition an Oracle Database

Before you run the partitioning.sqlscript, do the following:

1. Back up your database.

2. Create auxiliary tablespace. (To determine the auxiliary tablespace size required, you can

run the partitioning.sqlscript.

3. Determine how many partitions best fit your data.

Partitioning is based on application version ID. You want your records distributed evenly

across hash partitions. Ideally, you would specify as many partitions as you have application

versions. The number of partitions must also allow for the number of application versions to

grow.

Try to achieve record distribution that does not exceed a couple hundred thousand records

per partition. Fortify recommends a record distribution of less than one million records per

partition.

4. Schedule enough application downtime to partition data. In doing so, consider the time

required to:

l

Partition the database

Important! The maximum possible number of partitions supported is 700. If you

request more than this, the Oracle partitioning script fails.

l

Move your data to the auxiliary tablespace

l

Move your data back to the original tablespace

Partitioning the Database

To use the partitioning script:

l

Use Oracle SQL*Plus client to run the Oracle partitioning script (partitioning.sql), which

is located in the <ssc_distribution>/sql/oracle/extradirectory.

OpenText™ Fortify Software Security Center (24.2.0)

Page 64 of 459

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

Note: Script execution time depends on the size of your database.

During script execution:

l

Required parameters are obtained from standard input.

l

Partitioned tables are created in auxiliary tablespace (with *_PART name).

l

Data is moved from the original tablespace to the auxiliary tablespace and partitioned tables

l

New partitioned indexes are created on partitioned tables (with *_PART name).

l

The original tables and indexes are renamed (with *_NPART name).

l

The original names of the partitioned tables and indexes are restored (*_PART name is

removed).

l

The original tables (*_NPART) are dropped.

l

The partitioned tables are moved back to the original tablespace.

Increasing the Number of Job Execution Threads

After you partition your database, make sure that you increase the number of job execution

threads, as follows:

1.

2.

Navigate to <fortify_home>/<context>/conf, and open the app.propertiesfile in a

text editor.

Increase the value of the jobs.threadCountproperty.

Note: In testing, increasing the value of jobs.threadCountto 18 noticeably

improved performance.

3.

Save and close the app.propertiesfile.

About the Fortify Software Security Center Database Tables and Schema

The Fortify Software Security Center installation directory contains an initialization script for

each supported third-party database type. During initial configuration (see "Configuring Fortify

Software Security Center for the First Time" on page 68), run this script for your database type

to create the database tables and initialize the database schema for Fortify Software Security

Center.

Before you configure Fortify Software Security Center for the first time, make sure that you

review the information contained in the following sections:

l

"Database User Account Privileges" on page 59

l

"Database-Specific Configuration Requirements" on page 60

About Seeding the Fortify Software Security Center Database

When you log in to Fortify Software Security Center for the first time, Fortify Software Security

Center requires a minimum set of data to process your initial login credentials and to provide

OpenText™ Fortify Software Security Center (24.2.0)

Page 65 of 459

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

basic functionality. Seeding creates the minimum data set for a new database.

Seeding the Fortify Software Security Center database is necessary to maintain a consistent

post-installation configuration. This includes the creation of the default administrator user

account, as well as required entities such as issue templates, report definitions, and other

default data required to make Fortify Software Security Center operational.

Fortify Software Security Center requires two of the downloaded seed bundles (see "Unpacking

and Deploying Fortify Software Security Center Software" on page 47):

l

The issue template seed bundle (Fortify_Process_Seed_Bundle-2024_Q2_<build>.zip)

provides a default admin user account and issue template data.

l

The report seed bundle (Fortify_Report_Seed_Bundle-2024_Q2_<build>.zip) provides the

default set of Fortify Software Security Center reports.

You can also install the optional PCI Basic bundles Fortify_PCI_Basic_Seed_Bundle-2024_

Q2_<build>.zipand Fortify_PCI_SSF_Basic_Seed_Bundle-2024_Q2_<build>.zip),

which add Payment Card Industry process templates and associated reports to the default set

of Fortify Software Security Center templates and reports.

The seed bundle files are included in the Fortify Software Security Center installation package.

After your initial Fortify Software Security Center deployment, you can download off-cycle seed

bundles from the Fortify Support Portal (https://support.fortify.com) under the PREMIUM

CONTENT > FORTIFY EXCHANGE. (Quarterly security content releases can also include

updated seed bundles.)

Caution! Only load the bundles shipped with a Fortify Software Security Center release into

a Fortify Software Security Center instance of that same version (either a fresh install or an

older instance upgraded to the current version).

After you finish seeding the database, you can modify any user-configurable data entities that

were created in the seeding process from the Fortify Software Security Center user interface.

For more information, see "Additional Fortify Software Security Center Configuration" on

page 78.

Releases" on page 197

Permanently Deleting a Fortify Software Security Center Database

If, at some point, you plan to remove Fortify Software Security Center altogether, you can

remove the Fortify Software Security Center database. To permanently delete a Fortify

Software Security Center database schema along with all the data in the database, you run the

drop-tables.sqlscript.

Caution! Running the drop-tables.sqlscript permanently removes the Fortify Software

Security Center database schema and all the data in the database. Make sure you have

OpenText™ Fortify Software Security Center (24.2.0)

Page 66 of 459

User Guide

Chapter 3: Preparing for Fortify Software Security Center Deployment

backed up any data you want to save before running this script.

To delete the Fortify Software Security Center database schema and all the data in the

database:

1.

Navigate to the <ssc_install_dir>/sqldirectory, and open the subdirectory for the

third-party database you plan to use with Fortify Software Security Center:

l

mysql

l

Oracle

l

sqlserver

2.

Copy the drop-tables.sqlscript from the subdirectory that matches your Fortify

Software Security Center database type to the database server or other location where you

will run the script.

3. In the database client program, log into the database account you created for use with

Fortify Software Security Center.

4. Review the warning in the introduction to this topic.

5. Remove the Fortify Software Security Center database schema and all the data in the

database by running the following script:

drop-tables.sql

OpenText™ Fortify Software Security Center (24.2.0)

Page 67 of 459

Chapter 4: Configuring Fortify Software Security

Center for the First Time

After you deploy Fortify Software Security Center for the first time and then enter the Fortify

Software Security Center URL in a browser window, the Fortify Software Security Center Setup

wizard (Setup wizard) opens. Here, you can complete the steps for the initial server

configuration. The Setup wizard is available to administrators only after you first deploy Fortify

Software Security Center, after you upgrade it, or after you place Fortify Software Security

Center in maintenance mode (see "Placing Fortify Software Security Center in Maintenance

Mode" on page 179).

To configure Fortify Software Security Center for the first time:

1. After you deploy a new version of the Fortify Software Security Center WAR file in Tomcat

Server, open a browser window and type your Fortify Software Security Center server URL

(https://<host_IP>:<port>/<app_context>/).

Note: For a normal deployment, the default Fortify Software Security Center URL is

<protocol>://<ssc_host>:<port>/ssc. For a deployment to a Kubernetes cluster,

the default URL is <protocol>://<ssc_host>:<port>/(without sscat the end).

If you deploy Fortify Software Security Center using a distributed WAR file without

renaming the ssc.warfile, app_contextwill be sscunless it is overwritten by the

Tomcat server configuration.

2. In the upper right corner of the web page, click ADMINISTRATORS.

OpenText™ Fortify Software Security Center (24.2.0)

Page 68 of 459

User Guide

Chapter 4: Configuring Fortify Software Security Center for the First Time

3.

Go to the <fortify.home><app_context>directory (see "About the <fortify.home>

Directory" on page 55), and open the init.tokenfile in a text editor. (If Tomcat is running

as Windows service, then you can find the init.tokenfile in

%SystemRoot%\System32\config\systemprofile\.fortify\ssc\init.token).

4.

5.

Copy the contents of the init.tokenfile to the clipboard.

On the web page, paste the string you copied from the init.tokenfile into the text box,

and then click SIGN IN.

6. Read the information on the START page of the Fortify Software Security Center Setup

wizard, and then click NEXT.

7. On the CONFIGURATION step, under UPLOAD FORTIFY LICENSE, do the following:

a. Click UPLOAD.

b.

Browse to and select your fortify.licensefile, and then click UPLOAD.

If the license you entered is invalid or expired, Fortify Software Security Center displays a

message to that effect.

The right pane displays the default path of the configuration directory in which your

configuration files (app.properties, datasource.propertiesand

version.properties) are to reside.

8. Read the warning note about sensitive information in the configuration file directory. For

information on how to change the location of this directory, see "About the <fortify.home>

Directory" on page 55.

OpenText™ Fortify Software Security Center (24.2.0)

Page 69 of 459

User Guide

Chapter 4: Configuring Fortify Software Security Center for the First Time

9. Select the I have read and understood this warning check box, and then click NEXT.

10. On the CORE CONFIGURATION SETTINGS step, do the following:

a. In the left pane, under FORTIFY SOFTWARE SECURITY CENTER URL, type the

URL for your Fortify Software Security Center server.

b. In the center pane, select the Enable HTTP host header validation check box to

ensure that the HTTP Host header value matches the value configured in the Fortify

Software Security Center URL (host.urlproperty). Both the host and port must

match. This affects both browsers and direct REST APIs access. If validation is turned

off, any HTTP Host header can access Fortify Software Security Center.

c. To enable global searches in Fortify Software Security Center, in the GLOBAL SEARCH

pane, select the Enable global search check box.

d. The text box below the check box displays the default location for the search index

files. If you prefer a different location, type a different directory path for your search

index files. (Passwords are not indexed.)

Note: The optimum disk size for the requisite indexing for global searches varies

based on the characteristics of the data, but the Lucene indexes are much smaller

than the data in the database. For example, the index size required for a database

issue volume of 18 GB (with db indexes) is approximately 2 GB.

Note: Because indexed data can include sensitive information (user names, email

addresses, vulnerability categories, issue file names, and so on), make sure that you

select a secure location to which only Tomcat Server user has read and write

access.

e. Read the warning in the GLOBAL SEARCH pane, and then select the I have read and

understood this warning check box.

11. Click NEXT.

12. On the DATASOURCE step, do the following:

a. From the DATABASE TYPE list, select the database type you are using with Fortify

Software Security Center.

b. Under DATABASE USERNAME, type the username for your Fortify Software Security

Center database. For more information, see "Database User Account Privileges" on

page 59.

c. Under DATABASE PASSWORD, type the password for your Fortify Software Security

Center database account.

Note: Make sure that the database user credentials specified in the DATABASE

USERNAME and DATABASE PASSWORD fields are for a user account that has

the privileges required to execute migration scripts. These privileges are described

in "Database User Account Privileges" on page 59.

d. Under JDBC URL, type the URL for the Fortify Software Security Center, keeping in

mind the following:

OpenText™ Fortify Software Security Center (24.2.0)

Page 70 of 459

User Guide

Chapter 4: Configuring Fortify Software Security Center for the First Time

For MySQL databases -

o

If MySQL server is configured to use the sha256_passwordor the caching_sha2_

passwordauthentication plugin, you must provide the server RSA public key to the

JDBC driver with the serverRsaPublicKeyFile option. Alternatively, you can use the

less secure allowPublicKeyRetrieval option. For more detail, see the MariaDB

Connector/J and MySQL server documentation

(https://mariadb.com/kb/en/mariadb-connector-j

andhttps://dev.mysql.com/doc).

If you are using a MySQL Server database, you must add the following to the end of

o

the URL:

- rewriteBatchedStatements=true

- sessionVariables=collation_connection=COLLATION

where COLLATIONrepresents the collation type of your database

Examples:

jdbc:mysql://localhost:3306/ssc?sessionVariables=collation_

connection=utf8_bin&rewriteBatchedStatements=true

jdbc:mysql://localhost:3306/ssc?sessionVariables=collation_

connection=latin1_general_cs&rewriteBatchedStatements=true

MariaDB JDBC driver is used to connect to the MySQL database server. Any

additional JDBC URL parameters must use MariaDB driver syntax.

For MSSQL Server databases -

o

If you are using a MSSQL Server database, you must add the following property

setting to the end of the URL:

sendStringParametersAsUnicode=false

jdbc:sqlserver://<host>:1433;database=<database_name>;

sendStringParametersAsUnicode=false

o

Caution! Fortify Software Security Center ships with a MSSQL JDBC Driver

version that requires an encrypted connection and a trusted server certificate

by default. If the connection fails as a result of certificate verification, Fortify

recommends that you provide the trust store. If providing a trust store is not an

option, you can disable trust verification. If the certificate is trusted but the

certificate DNS name does not match the database server hostname, use the

hostNameInCertificateconnection property to provide the correct

hostname.

For more information, see hostNameInCertificate,

trustServerCertificate, and trustStore* JDBC URLproperties in the

"Setting the connection properties" article at https://learn.microsoft.com/en-

us/sql/connect/jdbc/setting-the-connection-properties .

OpenText™ Fortify Software Security Center (24.2.0)

Page 71 of 459

User Guide

Chapter 4: Configuring Fortify Software Security Center for the First Time

e. MAXIMUM IDLE CONNECTIONS, type the maximum number of idle connections that

can remain in the pool. The default value is 50.

f. MAXIMUM ACTIVE CONNECTIONS, type the maximum number of active connections

that can remain in the pool. The default value is 100.

g. MAXIMUM WAIT TIME (MS), type the maximum number of milliseconds for the pool

to wait for a connection (when no connections are available) before the system throws

an exception. The default value is 60000. To extend the wait indefinitely, set the value

to zero (0).

h. To test your settings, click TEST CONNECTION. Fortify Software Security

Center displays a message to indicate whether the test was successful.

Note: If the connection test fails, check the ssc.logfile (<fortify.home>/<app_

context>/logsdirectory) to determine the cause.

13.

Before you continue on to the DATABASE SEEDING step, the create-tables.sqlscript.

For instructions, see "About the Fortify Software Security Center Database Tables and

Schema" on page 65.

Note: If you automate Fortify Software Security Center configuration and you have

enabled database migration in the <app_context>.autoconfigfile, you do not need

to run the create-tables.sqlscript. For information about how to automate Fortify

Software Security Center configuration, see "Automating Fortify Software Security

Center Configuration" on page 448.

14. After you initialize the database, click NEXT.

15. (Linux only) On Linux systems, make sure the fontconfig library, DejaVu sans fonts, and

DejaVu serif fonts are installed on the server.

16. On the DATABASE SEEDING step, do the following:

a.

b.

c.

In the left pane, use BROWSE to locate and select your Fortify_Process_Seed_

Bundle-2024_Q2_<build>.zipfile, and then click SEED DATABASE.

Use BROWSE to locate and select your Fortify_Report_Seed_Bundle-2024_Q2_

<build>.zipfile, and then click SEED DATABASE.

(Optional) Use BROWSE to locate and select your Fortify_PCI_SSF_Basic_Seed_

Bundle-2024_Q2_<build>.zipfile, and then click SEED DATABASE.

Note: Use the PCI SSF Basic seed bundle to begin to understand how software

security issues can affect evaluation under these new PCI SSF standards. For more

information, see "Unpacking and Deploying Fortify Software Security Center

Software" on page 47 .

d.

(Optional) Use BROWSE to locate and select your Fortify_PCI_Basic_Seed_

Bundle-2024_Q2_<build>.zipfile, and then click SEED DATABASE.

For descriptions of the available seed bundles, see "Unpacking and Deploying Fortify

Software Security Center Software" on page 47.

17. Click NEXT.

OpenText™ Fortify Software Security Center (24.2.0)

Page 72 of 459

User Guide

Chapter 4: Configuring Fortify Software Security Center for the First Time

18. Click FINISH.

19. Restart Tomcat Server.

After you finish the initial Fortify Software Security Center configuration, complete the

configuration of the core parameters and configure additional settings in the Administration

view. (For information about the Administration view, see "Additional Fortify Software Security

Center Configuration" on page 78.)

Note: If you later find that you need to change any of the configuration settings, you can

place Fortify Software Security Center in maintenance mode, and then make any necessary

changes. For instructions on how to place Fortify Software Security Center in maintenance

mode, see "Placing Fortify Software Security Center in Maintenance Mode" on page 179.

OpenText™ Fortify Software Security Center (24.2.0)

Page 73 of 459

Chapter 5: Logging in to Fortify Software Security

Center

After you create and initialize your Fortify Software Security Center database, configure Tomcat

Server, and deploy Fortify Software Security Center in Tomcat, you can log in to Fortify

Software Security Center.

Important! After you log in, create at least one non-default administrator account, and then

delete the default administrator account. For more information about how to manage

Fortify Software Security Center user accounts and roles, see "About Fortify Software

Security Center User Administration" on page 173.

To log in to Fortify Software Security Center:

1. In a web browser, type the URL for your Fortify Software Security Center instance.

Note: For a normal deployment, the default Fortify Software Security Center URL is

https://<ssc_host>:<port>/ssc. For a deployment to a Kubernetes cluster, the

default URL is https://<ssc_host>:<port>/(without sscat the end).

2. Type your username and password.

If you are logging on to Fortify Software Security Center for the first time, type admin in

both the Username and Password fields. These are the default credentials for a

new installation.

3. Click LOGIN.

If you are logging on to Fortify Software Security Center for the first time, you are

prompted to change your password.

4. If Fortify Software Security Center prompts you to change your password, enter a new one.

Make sure that you specify a password that does not include your username or common

phrases (names, movie or song titles, dates, or number or letter sequences). A combination

of three or four unrelated words such as "myredhorsedance" can work well. After your

password is evaluated as strong, you can save it, and then log in.

See Next

"About Session Logout" on the next page

"Additional Fortify Software Security Center Configuration" on page 78

"Setting the Required Password Strength for Fortify Software Security Center Login" on

page 163

OpenText™ Fortify Software Security Center (24.2.0)

Page 74 of 459

User Guide

Chapter 5: Logging in to Fortify Software Security Center

About Session Logout

If you logged in to Fortify Software Security Center using local login (through the login dialog

box with username and password to LDAP or local account), and you then log out, Fortify

Software Security Center takes you to the logout screen shown here.

If you logged in using an SSO account for which single logout is supported, at logout, you will

see a session logout screen that lets you logout from either your local account, or your

SSO account.

Note: Fortify Software Security Center supports single logout for Central Authentication

Service and for SAML.

If you click LOCAL ACCOUNT LOGOUT, Fortify Software Security Center logs you out of your

current session only and takes you to the logout screen.

If you click SSO LOGOUT, in addition to logging out of Fortify Software Security Center, single

logout is performed, and you are logged out from your SSO provider.

OpenText™ Fortify Software Security Center (24.2.0)

Page 75 of 459

User Guide

Chapter 5: Logging in to Fortify Software Security Center

Note: To log out of Fortify Software Security Center completely, close all of your browser

windows.

Inactive Session Timeout

If you have been inactive and your Fortify Software Security Center session is about to time out,

Fortify Software Security Center displays one of two dialog boxes:

l

If you logged in using local login (through the login dialog box with username and password

to LDAP or local account), and your session is about to time out, you see a dialog box that

lets you either log out or stay logged in.

If you click LOG OUT or your session times out due to further inactivity, Fortify Software

Security Center logs you out of the session and takes you to the logout screen.

l

If you are logged on to Fortify Software Security Center through an SSO provider for which

single logout is supported, you see a dialog box that lets you log out of your local user

account, perform an SSO logout, or stay logged in.

If you click LOCAL ACCOUNT LOGOUT or your session times out due to further inactivity,

Fortify Software Security Center logs you out of the SSC session only and then takes you to

the logout screen.

If you click SSO LOGOUT, Fortify Software Security Center logs you out of the SSC session,

and then logs you out of your SSO provider.

For information about how to configure session timeout, see "Configuring Core Settings" on

page 94.

Note: To log out completely from Fortify Software Security Center, close your browser (all

tabs).

OpenText™ Fortify Software Security Center (24.2.0)

Page 76 of 459

User Guide

Chapter 5: Logging in to Fortify Software Security Center

Logout Screen

If you logged in to Fortify Software Security Center using local login, the Click here to log in

again link takes you to the login screen, where you can log in again.

If you logged in to Fortify Software Security Center through an SSO provider, the Click here to

log in again link initiates SSO login.

OpenText™ Fortify Software Security Center (24.2.0)

Page 77 of 459

Chapter 6: Additional Fortify Software Security

Center Configuration

After you finish the preliminary Fortify Software Security Center configuration and deploy the

ssc.warfile, you complete the configuration from the Fortify Software Security Center

Administration view.

You can configure and update other settings in the Administration view later, as necessary.

Accessing the Configuration Settings in the Administration

View

You complete the Fortify Software Security Center configuration from the Configuration

category in the Administration view.

To access the Configuration category:

1. Log in to Fortify Software Security Center as an administrator user. For log-in instructions,

see "Logging in to Fortify Software Security Center" on page 74.

2. Do one of the following:

l

If you are accessing Fortify Software Security Center for the first time, a banner similar

to the following is displayed at the top of the page. Click Go to open the Configuration

category in the Administration view.

Otherwise,

a. On the OpenText header, click Administration.

The navigation pane on the left displays links to the categories that are available in the

Administration view. The Event Logs page is displayed by default.

b. In the left pane, select Configuration.

The pane displays the configuration category options. For information about these options, see

"Configuration Options Available in the Administration View" on page 80.

OpenText™ Fortify Software Security Center (24.2.0)

Page 78 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Configuring Issue Stats Thresholds

The Issue Stats dashboard page shows summary information about issues for the application

versions on Fortify Software Security Center, including the number of days that it is taking to

review and fix them. To provide a visual cue as to how quickly issues are being handled, the

Issue Stats page displays colored bars next to the values for the Average Days to Review and

Average Days to Remediate. A green bar indicates that issues are being managed quickly, a

red bar indicates that issue management is too slow, and an orange bar indicates that issue

management is somewhere between these two extremes.

How Average Days to Review and Average Days to Remediate are Calculated

Before it calculates the Average Days to Review and Average Days to Remediate values,

Fortify Software Security Center applies the following rules:

l

Fortify Software Security Center excludes the following issues from its calculations:

l

All issues that were audited or removed 365 days ago or earlier

l

All suppressed issues

l

Issues that have not been either audited or removed

l

To calculate issue aging for audited issues, Fortify Software Security Center uses the date

and time on which the issue was first audited.

l

For issues that were not audited but were removed, Fortify Software Security Center uses the

removal date as the audit date.

l

To calculate issue dates, Fortify Software Security Center performs the following to clean up

dates and times:

l

Adjusts issue found dates and times to 12:00 AM of the date the issues were found.

l

Adjusts issue audited dates and issue removed dates to 12:00 am of next day.

These adjustments are required to calculate average dates correctly. For example, without

these adjustments, the calculated averages would be zero for issues that were found and

audited on the same date, which is not correct. For an issue found on March 2 and audited at

March 5, the days to review is 5 – 2 + 1, or 4 days.

After it applies all of these rules and makes time and date adjustments, Fortify Software

Security Center calculates the average of two values—(auditTime - foundDate) and

(removedDate - foundDate)—to get average number of days to audit and remediate issues

Setting the Issue Stats Thresholds

You set the thresholds that determine what users see when they review summary information

about the application versions to which they have access. By default, the Issue Stats page

displays values of fewer than 100 days (minimum) in a green bar, any values greater that 365

days (maximum) in red, and values in between as yellow.

OpenText™ Fortify Software Security Center (24.2.0)

Page 79 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

To set the color thresholds for Average Days to Review and Average Days to Remediate:

1. On the OpenText header, select Administration.

2. In the left pane, under Metrics & Tracking, select Issue Age.

The Issue Age page opens. The minimum and maximum values for Average Days to

Review and Average Days to Remediate are set to 100 and 365, respectively.

3. To reset the thresholds for the average number of days to review Issues, under for

Average Days to Review, do one of the following:

l

Adjust the slider control.

l

Change the values shown in the Min. and Max. combo boxes.

4. To reset the thresholds for the average number of days to remediate Issues, under for

Average Days to Remediate, do one of the following:

l

Adjust the slider control.

l

Change the values shown in the Min. and Max. combo boxes.

5. Click SAVE.

The color coded values on the Issue Stats dashboard page reflect your changes.

Configuration Options Available in the Administration View

The following table lists the configuration options available in the Administration view. (On the

OpenText header, select Administration. Then, in the left pane, select Configuration.)

Note: Changes to some configuration options do not take effect until the system is

restarted.

OpenText™ Fortify Software Security Center (24.2.0)

Page 80 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Option

Description

Instructions

AppSec Training

Use to enable and configure

application security training. This

makes the GET TRAINING button

available on the issue details section

of the AUDIT page.

"Configuring Application

Security Training" on page 83

Audit Assistant

BIRT Reports

Use to automatically audit Fortify

Static Code Analyzer scans.

"Configuring Audit Assistant"

on page 364

Use to apply enhanced security to

"Configuring Security for

reporting in Fortify Software Security BIRT Reporting" on page 91

Center.

Core

Use to configure core Fortify Software "Configuring Core Settings" on

Security Center settings such as the

timeout and lockout settings and the

proxy for secure coding Rulepacks

updates.

page 94

Email

Use to configure the server settings

used to send email alerts to users.

"Configuring Email Alert

Notification Settings" on

page 97

Issue Audit

JMS

Use to select the setting that

determines how issue audit conflicts

are resolved.

"Setting the Strategy for

Resolving Issue Audit Conflicts"

on page 101

Use to configure Fortify Software

Security Center to publish system

events to the Java Message Service

(JMS).

"Configuring Java Message

Service Settings" on page 102

LDAP Servers

Maintenance

Use to configure LDAP authentication "Configuring LDAP Servers" on

and LDAP server options for one or

more LDAP servers.

page 107

If, at any time, you need to change

"Placing Fortify Software

any server configuration settings, you Security Center in Maintenance

can place Fortify Software Security

Center in maintenance mode, and

Mode" on page 179

OpenText™ Fortify Software Security Center (24.2.0)

Page 81 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Option

Description

Instructions

then make the necessary changes.

From here, you can also pause job

execution in preparation for server

shutdown.

Proxy

Use to configure a single proxy for

Rulepack updates, the connection to

Audit Assistant, and for bug tracker

plugins.

"Configuring a Proxy for

Fortify Software Security

Center Integrations" on

page 128

ScanCentral

DAST

Use to configure Fortify Software

Security Center to manage and run

dynamic scans from the

SCANCENTRAL view in Fortify

Software Security Center.

"Enabling the Running and

Management of ScanCentral

DAST Scans from Fortify

Software Security Center" on

page 131

SCIM

SSO

Use to enable SCIM for provisioning of "Enabling SCIM for Provisioning

externally-managed users and

groups.

of Externally Managed Users

and Groups" on page 128

Use to configure Fortify Software

Security Center to work with one of

the following SSO solutions:

"Configuring Fortify Software

Security Center to Work with

Single Sign-On" on page 142

l

CAS SSO

l

SPNEGO/KERBEROS SSO

l

SAML SSO

l

HTTP SSO

l

X.509 SSO

ScanCentral SAST Use to configure Fortify Software

Security Center to monitor

"Configuring ScanCentral SAST

Monitoring in Fortify Software

Security Center" on page 130

ScanCentral SAST and to display

ScanCentral SAST results in the

SCANCENTRAL view in Fortify

Software Security Center.

Scheduler

Use to configure the Fortify Software "Configuring Job Scheduler

Security Center job scheduler Settings" on page 131

OpenText™ Fortify Software Security Center (24.2.0)

Page 82 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Option

Description

Instructions

settings.

Security

Use to configure the Fortify Software "Configuring Browser Access

Security Center security features.

Security for Fortify Software

Security Center" on page 141

Seed Bundles

Use to seed the database with seed

bundles distributed in a quarterly

security content release.

"Seeding the Database with

Report Seed Bundles Delivered

with Quarterly Security Content

Releases" on page 197

Web Services

Webhooks

Use to configure Fortify Software

Security Center web services.

"Configuring Web Services to

Require Token Authentication"

on page 155

Use to create and manage webhooks "Creating Webhooks" on

that keep your systems updated on

events that occur in Fortify Software

Security Center.

page 290

Configuring Application Security Training

If your organization has access to an application security training platform, you can integrate

that training with Fortify Software Security Center. After you do, your users can access context-

appropriate guidance on the issues they assess and how best to mitigate them as they audit.

To enable application security training on Fortify Software Security Center:

1. On the OpenText header, select Administration.

2. In the left pane, select Configuration, and then select AppSec Training.

3. On the AppSec Training page, leave the Enable Training check box selected.

4. To determine whether your online training vendor has integrated with Fortify Software

Security Center and to obtain the corresponding training URL, contact Customer Support

(https://www.microfocus.com/support).

5. In the Training URL box, type your application security training URL.

6. Click SAVE.

Users can now see the GET TRAINING button in the details section for issues on the AUDIT

page. Users can click GET TRAINING to go to the application security training website you have

specified.

See Also

"Enabling Auto-Apply and Auto-Predict for an Application Version" on page 368

OpenText™ Fortify Software Security Center (24.2.0)

Page 83 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

About Audit Assistant

Audit Assistant is an optional tool that you can use to help determine whether or not the issues

returned from a scan represent true vulnerabilities. To make its determinations, Audit Assistant

needs data to establish a baseline for its predictions. This data is based on the decisions Fortify

on Demand auditors have made during scan audits about how to characterize various issues.

The data, which is pooled and anonymized, can be used in conjunction with training data based

on decisions your auditors have made. Audit Assistant’s assessments of the actual threats that

issues represent become more accurate as it receives more training data.

The following sections describe how to obtain an authentication token from OpenText Fortify

Audit Assistant, and then use that token to configure a connection to OpenText Fortify

Software Security Center. This section also describes the best practices for Fortify Audit

Assistant when upgrading to the latest version of OpenText Fortify Audit Assistant powered by

the new Gen 2 engine. For more information, see "Fortify Audit Assistant Best Practices" on

page 358.

Later sections describe how to set up Audit Assistant training, submit data, and review Audit

Assistant results.

"Using Audit Assistant" on page 362

"About Prediction Policies" on page 359

"Defining Prediction Policies" on page 360

"Submitting Training Data to Audit Assistant" on page 376

"Reviewing Audit Assistant Results" on page 374

OpenText™ Fortify Software Security Center (24.2.0)

Page 84 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Getting a Fortify Audit Assistant Authentication Token

To integrate with Fortify Audit Assistant, you must first obtain a Fortify Audit Assistant

authentication token.

To obtain an Fortify Audit Assistant authentication token:

1. Log on to Fortify Audit Assistant.

2. On the OpenText header, select ADMINISTRATION, and then select TOKENS.

3. On the Tokens page, click +ADD.

4. In the Name field, type a name for the token to generate.

5. Click SAVE.

The Tokens page lists the new token.

6.

To the right of the token name, click the view icon ( ).

7. In the Token window, select and copy the token text, and then click CLOSE.

Use the copied token to configure the integration with Audit Assistant. (See "Configuring Audit

Assistant" on page 364.)

Configuring Audit Assistant

Fortify Software Security Center can work with Fortify Audit Assistant to help determine

whether or not the issues returned in Fortify Static Code Analyzer scan results represent true

vulnerabilities.

To configure Fortify Software Security Center to use Fortify Audit Assistant with your

applications:

OpenText™ Fortify Software Security Center (24.2.0)

Page 85 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

1. Log in to Fortify Software Security Center as an administrator, and then, on the OpenText

header, select Administration.

2. In the left pane, select Configuration, and then select Audit Assistant.

3. Configure the settings on the Audit Assistant page as described in the following table.

Field *Required Description

Enable Audit

Assistant check

box

Select this check box to enable the remaining fields.

* Authentication Paste the authentication token you obtained from Fortify Audit

token

Assistant here. For instructions on how to get a token, select How

do I get a token? or, see "Getting a Fortify Audit Assistant

Authentication Token" on page 367 .

* Fortify Audit

Assistant server

URL

Specify the URL for the Fortify Audit Assistant server.

Use SSC proxy

for Audit

Assistant

If you have configured a proxy for

all Fortify Software Security Center integrations (see "Configuring a

Proxy for Fortify Software Security Center Integrations" on

page 128 , you can select this check box to use that proxy for Fortify

Audit Assistant.

4. To test the connection to the Fortify Audit Assistant server, click TEST CONNECTION.

After the connection is successfully tested, you can go ahead and configure the following

settings in the Audit settings section.

5. Click REFRESH POLICIES to populate the Default prediction policy list with the current

server policies on the Fortify Audit Assistant server.

Note: Audit Assistant prediction policies set for individual application versions can

become invalid if available policies are changed on the Fortify Audit Assistant server.

Fortify Software Security Center verifies new policies it receives from Fortify Audit

Assistant every time a user clicks REFRESH POLICIES.) If Fortify Software Security

Center detects one or more invalid policies, it displays a table that shows the mapping

from the original policy to the changed policy. You can then identify each obsolete

policy and map its valid replacement. Fortify Software Security Center updates the

policies based on the changes you submit in the mapping table.

6. From the Default prediction policy list, select the name of the prediction policy to apply to

all application versions. (Policies are defined in Fortify Audit Assistant.)

OpenText™ Fortify Software Security Center (24.2.0)

Page 86 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

7. If you plan to specify prediction policies at the application version level and override the

default global prediction policy, select Enable specific application version policies.

Otherwise, Fortify Audit Assistant uses the default global prediction policy you specified in

the previous step.

Note: You can specify the policy for an application version from the APPLICATION

PROFILE dialog box. For instructions, see "Configuring Audit Assistant Options for an

Application Version" on page 367.

8. To enable Fortify Software Security Center to automatically send issues not yet audited to

Fortify Audit Assistant for assessment, select the Enable auto-predict check box. After

you do, you must enable this functionality on a per-application version basis from the

APPLICATION PROFILE window. (For information about the auto-predict feature, see

"About Audit Assistant Auto-Prediction " below.)

Note: If you enable auto-predict here, open the APPLICATION PROFILE dialog box for

each application version for which you want to use auto-predict, and enable it there as

well.

9. To enable the application of the analysis values that Audit Assistant assesses for issues to

your Analysis custom tag values system-wide, select the Enable auto-apply check box.

After you do, you must enable this functionality on a per-application version basis from the

APPLICATION PROFILE window.

Note: If you enable auto-apply here, open the APPLICATION PROFILE dialog box for

each application version for which you want to use auto-apply, and enable it there as

well.

Important! Before you can use the auto-apply feature, you must first map Audit

Assistant analysis tag values to Fortify Software Security Center Analysis tag values.

10. If you selected the Enable auto-apply check box, and you want to map Audit Assistant

analysis tag values to Fortify Software Security Center Analysis tag values now, click the

here link to go to the Custom Tags page, and then follow the instructions provided in

"Mapping Audit Assistant Analysis Tag Values to Fortify Software Security Center Custom

Tag Values" on page 371 .

11. Click SAVE.

About Audit Assistant Auto-Prediction

By setting auto-predict to yes, you can configure Fortify Software Security Center to

automatically send issues for Fortify Audit Assistant predictions after FPRs are successfully

OpenText™ Fortify Software Security Center (24.2.0)

Page 87 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

uploaded and processed. (If you prefer to submit FPRs for prediction manually, then there is no

need to configure auto-prediction.)

If both auto-predict and auto-apply are enabled for an application version, then Fortify Audit

Assistant automatically applies predicted values to custom tags on new issues after prediction

is completed. (Audit Assistant prediction results are always applied to an application version,

but if auto-apply is not enabled, the information is stored only in Audit Assistant-specific tags. If

auto-apply is enabled, Audit Assistant-specific values are also mapped to other tags, based on

the configuration.)

Only unpredicted issues (uncovered by a supported analyzer) found at the end of FPR

processing are automatically submitted to Fortify Audit Assistant for assessment. Once Fortify

Audit Assistant has assessed an issue, it does not revisit that issue.

Enabling Auto-prediction

Auto-prediction enablement for an application version is a two-step process. First, an

administrator enables it system wide during Fortify Audit Assistant configuration.

(See"Configuring Audit Assistant" on page 364.) After this, users need to enable auto-prediction

on a per-application-version basis from the PROFILE window. (See "Enabling Auto-Apply and

Auto-Predict for an Application Version" on page 368.)

Mapping Audit Assistant Analysis Tag Values to Fortify Software Security Center Custom

Tag Values

In order to use Fortify Audit Assistant with Fortify Software Security Center, you must map

Fortify Audit Assistant analysis tag values to Fortify Software Security Center list-type custom

tag values. You can map the Fortify Audit Assistant analysis tag values to the Analysis custom

tag that is installed with Fortify Software Security Center and is required to identify a

vulnerability as audited, or you can choose a different list-type custom tag for this purpose.

If you selected the Enable auto-apply checkbox when configuring Fortify Audit Assistant, you

can also tell AA which Fortify Audit Assistant analysis tag values to automatically apply to the

list-type custom tag values.

Note: If you have not created your custom tag values yet, see "Adding Custom Tag Values"

on page 271for instructions on how to create the values and map them to Fortify Audit

Assistant. If you are using the default Analysis custom tag or a custom tag you have already

created, continue with the instructions here.

To map Fortify Audit Assistant analysis tag values to Fortify Software Security Center list-type

custom tag values:

1. On the OpenText menu bar, click Administration.

2. In the left pane, click Templates, and then click Custom Tags.

The Custom Tags page lists your custom tags.

3. Click the row for the custom tag to which you want to edit a value.

The row expands to display the details for the tag.

OpenText™ Fortify Software Security Center (24.2.0)

Page 88 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

4. In the lower right corner of the screen, click EDIT.

The values in the table now have an EDIT icon ( ) at the end of the row.

5. Click the EDIT icon ( ) for a value.

The ADD VALUE dialog box appears.

OpenText™ Fortify Software Security Center (24.2.0)

Page 89 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

6. If Fortify Software Security Center is configured to use Fortify Audit Assistant and auto-

apply is enabled, the ADD VALUE dialog has an AA Custom Tag Auto Assignment section

and an AA Training Classification for the Custom Tag's Value section.

7. If the new value aligns with an Audit Assistant prediction value in the AA Custom Tag Auto

Assignment section, select its check box to automatically map the list value to the selected

Audit Assistant prediction value. This will enable automated auditing for all application

versions where you have selected Enable auto-apply in the Audit Assistant Options

section of the application version Profile.

OpenText™ Fortify Software Security Center (24.2.0)

Page 90 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

8. In the AA Training Classification for the Custom Tag's Value section, select a radio button if

you want the new value to be used when training the Fortify Audit Assistant model. In

order for Fortify Audit Assistant Training Tags to function, you must map at least two list

values to Audit Assistant Training Tags. One must be mapped to the False positive Fortify

Audit Assistant Training Tag and another list value must be mapped to the Exploitable

Fortify Audit Assistant Training Tag.

9. Repeat steps 6 - 9 to map additional list values.

10. Once you have edited all of the list values you need to map to Fortify Audit Assistant

Training Tags, click APPLY and then click SAVE.

"Adding Custom Tag Values" on page 271

Configuring Security for BIRT Reporting

You can add an extra measure of security to BIRT reporting by doing one or both of the

following:

l

Enable the Java security manager

l

Limit access to tables and views in the database

Enabling Java Security Manager

To enable Java Security manager:

1. Log in to Fortify Software Security Center as an administrator.

2. On the OpenText header, click Administration.

3. In the left pane, select Configuration, and then click BIRT Reports.

4. On the BIRT Reports page, under Enhanced security, select the Turn on security

manager check box.

Note: If you try to generate a custom report that depends on functionality that the

BIRT security manager regards as unsafe, the report generation might fail.

5. Click SAVE.

(Linux with OpenJDK only) Installing Required Fonts

If your Fortify Software Security Center is installed on a Linux system, and you are running

OpenJDK, you must install fontconfig, DejaVu Sans fonts, and DejaVu serif fonts on the server to

enable users to successfully generate reports. Otherwise, report generation will fail. You can

download these fonts from https://github.com/dejavu-fonts/dejavu-fonts.

OpenText™ Fortify Software Security Center (24.2.0)

Page 91 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Creating a Database Account for Reporting

To limit write access to tables and views in the database:

1. Create a database user account to use exclusively for BIRT reporting and provide minimum

permission required to generate reports.

2. For the new user account, enable read (only) access to the following tables and views:

Tables

attr

issuecache

reportexecblob

reportexecparam

ruledescription

savedreport

scan

auditattachment

auditcomment

catpackexternalcategory

catpackexternallist

catpacklookup

datablob

measurement

measurementhistory

metadef

metadef_t

metaoption

scan_rulepack

seedhistory

sourcefile

metaoption_t

metavalue

documentinfo

eventlogentry

f360global

metavalueselection

project

snapshot

userpreference

variable

filterset

projecttemplate

projectversion

projectversiondependency

Views

folder

variablehistory

foldercountcache

attrlookupview

auditvalueview

baseissueview

defaultissueview

metadefview

metaoptionview

ruleview

view_standards

3. Log in to Fortify Software Security Center as an administrator.

4. On the OpenText header, click Administration.

5. In the left pane, select Configuration, and then click BIRT Reports.

OpenText™ Fortify Software Security Center (24.2.0)

Page 92 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Fortify Software Security Center displays the BIRT Reports page.

6. In the DB Username and DB Password boxes, type the credentials for the database

account that has read-only database access.

7. To test the database user account access to the database, click VALIDATE CONNECTION.

8. Click SAVE.

"Setting Report Generation Timeout" below

Allocating Memory for Report Generation

To allocate memory for security for Fortify Software Security Center reports:

1. On the OpenText header, select Administration.

2. In the left pane, select Configuration, and then click BIRT Reports.

3. In the Set up BIRT execution section, select the default value in the Maximum heap size

(MB) box, and then type a new value.

4. Click SAVE.

Setting Report Generation Timeout

To set a report generation timeout value (after which report generation is stopped and set as

"failed"):

1. Log in to Fortify Software Security Center as an administrator.

2. On the OpenText header, select Administration.

3. In the left pane, select Configuration, and then click BIRT Reports.

4. Under Set up BIRT execution, select the default value in the Execution timeout

(minutes) box, and then type a new value.

5. Click SAVE.

OpenText™ Fortify Software Security Center (24.2.0)

Page 93 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Configuring Core Settings

In addition to the initial configuration you performed on the Setup wizard, you must also

configure several core attributes in the Configuration section of the Administration view. These

attributes include user account timeout and lockout settings, the display of user information,

maximum events per Fortify WebInspect Agent issue, the base URL for the runtime event

description server, and the user administrator's email address. You also configure the proxy

used for Rulepack updates on this page. For information about the Rulepacks updates proxy,

see "About Configuring a Proxy for Rulepack Updates" on page 97.

To configure Fortify Software Security Center core settings in the Administration view:

1. Log in to Fortify Software Security Center as an administrator, and then, on the OpenText

header, click Administration.

2. In the left pane, select Configuration, and then select Core.

3. On the Core page, configure the settings described in the following table.

Field

Description

Absolute session Number of minutes a user can be continuously active before Fortify

timeout

(minutes)

Software Security Center automatically logs a user off.

The default value is 240.

Days before

password reset

Number of days the Fortify Software Security Center password is

valid before the user must change it.

The default value is 30.

Login attempts

Number of times a local user can try to log in to Fortify Software

allowed before a Security Center using invalid credentials before Fortify Software

user is locked out Security Center locks the user's account.

If Fortify Software Security Center locks a user out, that user is

prevented from attempting a new login for the number of minutes

specified in the Lockout time (minutes) box. (For information

about how to unlock a user account, see "Unlocking Local User

Accounts" on page 223. The default value is 3.

Note: This setting does not apply to LDAP users. If the account

lockout threshold was configured using the Group Policy editor,

the LDAP user account could be locked out in Active Directory if

consecutive login attempts have failed.

Lockout time

If a user attempts and fails to log in to Fortify Software Security

OpenText™ Fortify Software Security Center (24.2.0)

Page 94 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Field

Description

(minutes)

Center the number of times specified for Login Attempts before

Lockout, Fortify Software Security Center locks the user account for

the number of minutes specified in the Lockout time (minutes)

box.

The default value is 30.

User lookup

strategy

If LDAP is enabled, select one of the following user lookup strategies

from this list:

l

Local users first, fallback to LDAP users (compatibility)

Search local users first, then search LDAP users. To avoid

potential authorization errors and user confusion, make sure that

usernames are not duplicated on the LDAP server and local

storage.

l

LDAP users first, fallback to local users

Search LDAP users first, then local users. To avoid potential

authorization errors and user confusion, make sure that user

names are not duplicated on the LDAP server and local storage.

l

LDAP users exclusive, fallback to local administrator

(Recommended strategy for SSO) Search LDAP users only, and

allow local administrator access.

Display user

first/last names

and emails in

Select this check box to display the following user information, when

applicable: login name, first and last names, and email address.

user fields, along

with login names

Maximum events Determines the maximum number of events to log within a single

per WebInspect

Agent Issue

Fortify WebInspect Agent issue. After that threshold is reached, new

events related to the same issue are ignored.

The default value is 5.

Inactive session

timeout

Type the number of minutes a user can be inactive before Fortify

Software Security Center automatically logs the user off.

(minutes)

The default value is 30.

OpenText™ Fortify Software Security Center (24.2.0)

Page 95 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Field

Description

Locale for

Rulepacks

Type one of the following:

l

ja (Japanese)

l

zh_CN (simplified Chinese)

l

zh_TW (traditional Chinese)

l

es (Spanish)

l

pt_BR (Portuguese Brazilian)

Note: There is no need to specify a value for English.

Rulepack update URL for the Fortify Rulepack update site.

URL

Important! Do not change the default value of the Rulepack

Update URL field unless your Customer Support representative

directs you to do so.

The default value is https://update.fortify.com

Use SSC proxy

for Rulepack

update

Select this check box to enable the use of the Fortify Software

Security Center proxy, if the Rulepack server is behind it.

Note: The Fortify Software Security Center proxy must be

enabled and correctly configured. For information on how to

configure a proxy, see "Configuring a Proxy for Fortify Software

Security Center Integrations" on page 128 .

User

Type the email address of the user who is to receive system email

alerts and notifications when email notifications are enabled.

Administrator's

email address

(for user account

requests)

Requests for new user accounts are sent to this address when the

Can't access or need an account? link is available on the Fortify

Software Security Center login page.

Enable export to Select this check box to enable users to export Fortify Software

CSV from the

Dashboard and

AUDIT views

Security Center data to comma-separated values files.

Note: If you are changing only this property on the Core page, a

server restart is not required to implement the change.

4. Click SAVE.

OpenText™ Fortify Software Security Center (24.2.0)

Page 96 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

5. Restart the server.

About Configuring a Proxy for Rulepack Updates

By default, Fortify Software Security Center downloads the current versions of Fortify Secure

Coding Rulepacks you subscribe to from the Fortify Customer Portal at

https://update.fortify.com.

If your organization uses a proxy to access external resources, Fortify recommends that you

configure a proxy for secure coding Rulepacks updates (as well as for bug tracking and, if you

use it, Audit Assistant). For instructions on how to configure a single proxy for use with all

HTTP(s) protocol-based Fortify Software Security Center integrations, see "Configuring a Proxy

for Fortify Software Security Center Integrations" on page 128.

After you configure a single proxy for use with all HTTP(s) protocol-based integrations, you can

enable of that proxy for Rulepack update. For instructions, see "Configuring Core Settings" on

page 94.

Configuring Email Alert Notification Settings

If you plan to use Fortify Software Security Center to send email alert notifications to your

teams, do the following:

1. Create an SMTP email account for Fortify Software Security Center to use.

2. Configure the email settings as described in this topic.

Note: For information about how to enable or disable the receipt of email alerts, see

"Enabling and Disabling Receipt of Email Alerts" on page 99.

To configure the settings used for sending email alert notifications, do the following.

Important! If you want to enable team members who do not have an account to request

access to Fortify Software Security Center, you must enable and configure the email service

settings.

1. Log in to Fortify Software Security Center as an administrator, and then, on the OpenText

header, select Administration.

2. In the left pane, select Configuration, and then select Email.

3. On the Email page, configure the email service attribute settings described in the following

table.

Field

Description

Enable email

Select this check box to enable Fortify Software Security Center

OpenText™ Fortify Software Security Center (24.2.0)

Page 97 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Field

Description

to send email messages of all types and to add the "Can't access

or need an account?" link to the login dialog box.

This check box is cleared by default.

From email address

Type the email address that Fortify Software Security Center

uses to identify emails sent from Fortify Software Security

Center.

For example, fortifyserver@example.com.

Default encoding of

the email content

Type the encoding method to be used for the email content.

The default value is UTF-8.

SMTP server

Type the fully-qualified domain name for the SMTP server.

For example, mail.example.com.

SMTP server port

Type the port number for the SMTP server.

The default value is 25.

SMTP username

SMTP password

If authentication is required on the SMTP server, type the SMTP

username.

If authentication is required on the SMTP server, type the SMTP

password.

Secure email server

connection

Select this check box if you want to configure security for your

email server connection.

Enable SSL/TLS

encryption

If you selected the Secure email server connection check box,

then, from this list, select one of the following:

l

(Optional) If the SMTP server supports it, select STARTTLS

to upgrade to a TLS/SSL-encrypted SMTP connection.

l

Select SSL/TLS Encryption to enable SSL/TLS encryption

when connecting to the SMTP server.

l

Select Force STARTTLS to require an upgrade to TLS/SSL-

encrypted SMTP connection. If the SMTP server does not

support it, the connection will fail.

OpenText™ Fortify Software Security Center (24.2.0)

Page 98 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Field

Description

Trust the certificate

provided by the

SMTP server

Select this check box to trust the certificate that the

SMTP server provides by skipping certificate validation.

Caution! For security reasons, Fortify recommends that you

leave this check box cleared.

4. Click SAVE.

Enabling and Disabling Receipt of Email Alerts

To enable or disable the receipt of email alerts:

1. Log in to Fortify Software Security Center as an administrator.

2. At the right end of the OpenText header, click the user profile icon, and then select

Preferences.

OpenText™ Fortify Software Security Center (24.2.0)

Page 99 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

3. In the PREFERENCES dialog box, do one of the following:

l

To disable the receipt of email alerts, clear the Receive email alerts from Software

Security Center check box.

l

To enable the receipt of email alerts, select the Receive email alerts from Software

Security Center check box.

4. Click SAVE.

"Alert Definitions" on page 303

"Creating Alerts" on page 304

OpenText™ Fortify Software Security Center (24.2.0)

Page 100 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

"Deleting Alerts" on page 307

Setting the Strategy for Resolving Issue Audit Conflicts

If multiple auditors are working on the same issue using different products (Fortify Software

Security Center, Audit Workbench, or an IDE plugin), they might assign different values to a

given custom tag. Previously, if Fortify Software Security Center detected an audit conflict such

as this, it ignored all client-side changes and resolved the conflict in favor of the existing custom

tag value on Fortify Software Security Center.

Note: Conflict resolution is not necessary if these auditors work within the same Fortify

Software Security Center instance.

Example of the default strategy for resolving audit conflicts:

Audit Workbench users A and B are both auditing the most recent scan results for the same

application version.

User A sets custom tag values for the issues uncovered and uploads the results to Fortify

Software Security Center.

Fortify Software Security Center accepts the upload and changes the custom tag values for

the issues based on the values that user A set for them. Now, the tag values user A set are

the current custom tag values for these issues on Fortify Software Security Center.

On a different Audit Workbench instance, user B sets custom tag values for the same issues

that user A audited and uploads the results to Fortify Software Security Center. Fortify

Software Security Center detects that one or more of the custom tag values that B

submitted conflict with the values that user A submitted for the same issues.

Result: Fortify Software Security Center ignores the audit results from user B and retains

the values set by user A.

Fortify Software Security Center applies this strategy across all application versions.

You can change this strategy so that Fortify Software Security Center resolves audit conflicts in

favor of the most recent changes.

Note: To perform this task, you must have the "Manage issue audit settings" permission.

To set the strategy Fortify Software Security Center uses to resolve audit conflicts:

1. Log in to Fortify Software Security Center as an administrator.

2. On the OpenText header, select Administration.

3. In the left pane, select Configuration, and then select Issue Audit.

The ISSUE AUDIT page opens.

OpenText™ Fortify Software Security Center (24.2.0)

Page 101 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

4. From the Issue audit conflict resolving strategy list, select one of the following:

l

Conflicts are resolved in favor of the SSC changes (the default)

l

Conflicts are resolved in favor of the most recent changes

5. Click SAVE.

After you change the setting, the new strategy is applied only to new uploads. All previous

conflict resolution results remain unchanged.

Configuring Java Message Service Settings

If you want to publish system events to the Java Message Service (JMS), configure the

JMS settings in the Configuration category in the Fortify Software Security Center

Administration view.

To configure JMS settings:

1. On the OpenText header, select Administration.

2. In the left pane, select Configuration, and then select JMS.

3. On the JMS page, configure the settings as described in the following table.

Field

Description

Publish system events Select this check box to publish system events to JMS.

to JMS

JMS server URL

Type the URL for the JMS server.

For example, tcp://123.0.1.2:12345.

Include username in

JMS body

Select this check box to include the user name in the body of

the JMS message.

This check box is selected by default.

JMS topic

Type the JMS message topic.

The default value is Fortify.Advisory.EventNotification.

4. Click SAVE.

5. To implement your changes, restart Tomcat Server.

OpenText™ Fortify Software Security Center (24.2.0)

Page 102 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Configuring Kafka

As an optional configuration, the Kafka service can be deployed with Fortify Software Security

Center to synchronize issue audit changes in Fortify Software Security Center with Fortify

ScanCentral DAST.

To configure Fortify Software Security Center to stream audit history changes to Kafka:

1. On the OpenText header, select Administration.

2. In the left pane, select Configuration, and then select Kafka Stream.

3. On the Kafka Stream page, configure the settings as described in the following table.

Field

Description

Enable streaming audit updates to

Kafka

Select this check box to synchronize changes to

audit history from Fortify Software Security

Center to Kafka.

A comma-separated list of Kafka

bootstrap servers

Specifies a comma-separated list of brokers for

the Kafka instance.

Use the following syntax for this list:

<host1>:<port1>,<host2>:<port2>,...

The Kafka topic to which audit

updates are published

Specifies the Kafka topic for finding audit

events.

Kafka Security

Enable TLS mutual auth for Kafka

streaming

Select this check box to enable mutual

authentication using two-way SSL protocol to

communicate with the Kafka brokers.

If you do not select this check box, PLAINTEXT

is used as the security protocol to communicate

with the Kafka brokers.

Note: Fortify Software Security Center

supports two-way SSL using TLSv1.2 and

TLSv1.3.

Truststore file location

Specifies the path to the trust store file that

contains trust store certificates in .jksfile

format.

OpenText™ Fortify Software Security Center (24.2.0)

Page 103 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Field

Description

Truststore password

Keystore location

Specifies the password for the trust store file.

Specifies the path to the key store file that

contains the client's public and private keys in

.jksfile format.

Keystore password

Specifies the password for the key store file.

Private key password

Specifies the password for the private key.

Enable hostname validation of Kafka

server

Select this check box to verify the Kafka

server's fully qualified domain name (FQDN) or

IP address against the actual hostname or IP

address of that Kafka server to ensure that you

are connecting to the correct Kafka server.

For more information about generating valid credentials and configuring client security, see the

Apache Kafka documentation.

About Fortify Software Security Center User Authentication

By default, when a user logs on to Fortify Software Security Center or uses a Fortify client to

upload Fortify project results files (FPRs), Fortify Software Security Center uses its database to

authenticate the user, and then binds the authenticated user to the user's assigned user role

(Administrator, Security Lead, Developer, and so on).

Database-only authentication imposes a separate administrative process for creating and

managing Fortify Software Security Center user accounts and roles. You can augment the

Fortify Software Security Center default database-only authentication using LDAP or an SCIM

2.0 API client. For Information about LDAP user authentication, see "LDAP User Authentication"

below. For Information about SCIM 2.0 user provisioning, see "Implementation of SCIM 2.0

Protocol" on page 123.

LDAP User Authentication

The topics in this section provide information about user authentication in Fortify Software

Security Center and configuring LDAP authentication and LDAP server options.

Important! Fortify recommends that, before you configure LDAP servers, you create at

least one local administrator account in case you encounter problems with your

LDAP server at some point.

OpenText™ Fortify Software Security Center (24.2.0)

Page 104 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Important! Although Fortify supports the use of multiple LDAP servers, it does not support

the use of multiple LDAP servers behind a load balancer, unless those servers are identical.

Note: For information about how to manage LDAP entities and user roles in Fortify

Software Security Center, see "Registering LDAP Entities" on page 118 and "About

Managing LDAP User Roles" on page 176 .

Preparing to Configure LDAP Authentication

Before you configure Fortify Software Security Center to use LDAP authentication, complete the

following tasks:

1. Download an LDAP management application.

If you are not familiar with the LDAP schema that your LDAP server uses, you can use a

third-party LDAP management application such as JXplorer to view and modify LDAP

authentication directories. (You can download JXplorer for free under a standard OSI-style

open source license from http://www.jxplorer.org.)

2. Create an LDAP account for Fortify Software Security Center to use.

Note: For information about how to configure the primary source for looking up users,

see "Configuring Core Settings" on page 94.

Important! Never use a user account name to provide Fortify Software Security Center

access to an LDAP server.

3. Check for conflicts between account names.

If the LDAP directory contains the default Fortify Software Security Center account admin,

a conflict occurs that can disable both accounts. If an existing Fortify Software Security

Center account has the same name as an account defined for the LDAP server, Fortify

Software Security Center account settings and attributes take precedence over those

stored on the LDAP server.

Note: Fortify recommends that no user names in the Fortify Software Security Center

be duplicated on an LDAP server.

4. Gather and record required Information.

5. Fortify recommends that you disable the referrals feature. See "About the LDAP Server

Referrals Feature" on the next page and "Disabling LDAP Referrals Support" on page 107.

Requirements for Multiple LDAP Servers

If you plan to use more than one LDAP server, the following requirements apply:

l

Usernames must be unique across all of the LDAP servers:

Fortify strongly recommends that usernames be unique across all LDAP configurations.

Fortify Software Security Center searches for users based on the usernameAttribute specified

OpenText™ Fortify Software Security Center (24.2.0)

Page 105 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

for a given LDAP server configuration. Because the searches are performed across all the

servers, it is important that the searches return just a single result. Be sure to use username

attributes that result in unique search hits across all your configured LDAP servers. For

example, if you use multiple Active Directories, it may make sense to use

userPrincipalNameas the username attribute in your configurations instead of the default

sAMAccountName, which may not be unique across AD servers.

If this requirement is not satisfied…

In some circumstances, it may be difficult for administrators to avoid duplicate usernames. If

Fortify Software Security Center finds a given username in more than one LDAP server

during login, it tries to resolve this by using the password with all instances of the username,

and then uses the instance that the password authenticates first. In most cases, a user with a

non-unique username can successfully log in to Fortify Software Security Center and access

most of the user interface functionality. However, some functionality, including report

generation, token-based authentication, and DAST integration, is not supported for such

users.

l

Separate LDAP server configurations must manage completely independent

namespaces (trees)

This requirement ensures unique lookup of LDAP DNs by Fortify Software Security Center.

The simplest (and recommended) way to achieve this is to ensure that none of the configured

baseDNs is a suffix of any of the others.

In more complex cases, it may be possible to delegate a subtree to be managed by a second

LDAP server configuration. In that case, however, all transitive DN references (for example,

group member DNs) must also be managed by the second LDAP server. For example, if you

have one LDAP server configuration with the base DN DC=acme,DC=com, but the

OU=org,DC=acme,DC=comsubtree is managed by another LDAP server, you can set up a

second LDAP configuration to manage just the OU=org,DC=acme,DC=comLDAP subtree.

But you must ensure that none of the LDAP objects registered in Fortify Software Security

Center from the first LDAP server reference (directly or transitively) the

OU=org,DC=acme,DC=comsubtree, and vice versa.

If this requirement is not satisfied…

If an LDAP object DN matches the base DN of more than one LDAP server, Fortify Software

Security Center performs a lookup against the LDAP server whose base DN best matches

match the given LDAP object DN. This may lead to Fortify Software Security Center using the

data of unintended LDAP object in processing and result in unexpected behavior.

About the LDAP Server Referrals Feature

Some LDAP servers use a special feature called referrals. A referral is an entity that contains the

names and locations of other objects. A referral is used to redirect a client request to another

server. It is sent by the server to indicate that the information that the client has requested can

be found at another location (or locations), possibly at another server or several servers.

OpenText™ Fortify Software Security Center (24.2.0)

Page 106 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

If Fortify Software Security Center requests an LDAP object and this object is a referral, Fortify

Software Security Center must request additional information about the LDAP object from

another server, the address of which is returned in the REF object attribute. These additional

requests can decrease LDAP communication speed. Even if the LDAP server does not use the

referrals feature, additional operations that support referrals are performed.

If referrals are not used on your LDAP server, Fortify recommends that you disable referrals

support in the LDAP library. Disabling this option on the Fortify Software Security Center server

side makes Fortify Software Security Center-to-LDAP communication much faster. For

instructions, see "Disabling LDAP Referrals Support" below.

Note: For a complete description of referrals, go to

http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/overview.html.

Disabling LDAP Referrals Support

To disable referrals support:

1. On the OpenText header, click Administration.

2. In the left pane, select Configuration, and then select LDAP Servers.

3. On the LDAP servers page, click the LDAP server connection for which you want to disable

referrals support.

The row expands to reveal details about the LDAP server.

4. Click EDIT.

5. Scroll down to the ADVANCED INTEGRATION PROPERTIES section.

6. From the LDAP referrals processing strategy list, select ignore.

7. Click SAVE.

Configuring LDAP Servers

The following procedure describes how to configure an LDAP authentication server for use with

Fortify Software Security Center.

Important! Before you configure the properties on the LDAP page, you must prepare for

LDAP authentication as described in "LDAP User Authentication" on page 104. That section

includes requirements and recommendations for configuring multiple LDAP servers.

Important! Fortify recommends that you maintain a couple of local administrator accounts

in case you encounter problems with your LDAP server at some point.

To configure an LDAP server connection for Fortify Software Security Center:

1. On the OpenText header, click Administration.

2. In the navigation pane on the left, select Configuration, and then select LDAP Servers.

3. On the Integration with LDAP servers page, click NEW.

OpenText™ Fortify Software Security Center (24.2.0)

Page 107 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

4. In the CREATE NEW LDAP CONFIGURATION dialog box, configure the attributes

described in the following table.

Field

Description

BASIC SERVER PROPERTIES

Enable this LDAP configuration

Select this check box to make this LDAP server

available for Fortify Software Security Center

to use.

Server name

Type a unique name for this server.

Important! If you configure

multiple LDAP servers, make

sure that you specify a unique

server name for each.

Server URL (ldap://<host>:<port>)

Type the LDAP authentication server URL.

If you use unsecured LDAP, enter the URL in

the following format:

ldap://<hostname>:<port>

If you specify an ldap://protocol, and either

the SSL trust check or the Hostname

validation check box is selected, StartTLS is

used to connect to the LDAP server.

Otherwise, an unencrypted connection is used.

If you use secured LDAPS, enter the URL in

the following format:

ldaps://<hostname>:<port>

LDAPS ensures that only encrypted user

credentials are transmitted.

Base DN

Type the Base Distinguished Name (DN) for

LDAP directory structure searches.

Important! If you

For example, the Base DN for

configure more than one

LDAP server for Fortify

companyName.comis

dc=companyName,dc=com.

OpenText™ Fortify Software Security Center (24.2.0)

Page 108 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Field

Description

All DN values are case-sensitive, must not

contain extra spaces, and must exactly match

LDAP server entries.

Software Security Center,

then you must set a

unique Base DN for each

of them.

If you specify no value, Fortify Software

Security Center searches from the root of

LDAP objects tree. With multiple LDAP

servers, the Base DN must be unique for each.

If the Base DN for one server is empty, it

cannot be empty for another LDAP server.

Bind user DN

Type the full distinguished name (DN) of the

account Fortify Software Security Center uses

to connect to the authentication server.

The general format for an account specifier is:

cn=<accountName>,

ou=users,dc=<domainName>,dc=com

where <accountName>represents the

minimum privilege, read-only authentication

server account you created for exclusive use

by Fortify Software Security Center.

Caution! For security reasons, never

use a real user account name in a

production environment.

If you use Active Directory, specify the domain

name and username in the following format:

<domain_name>\<username>

Bind user password

Type the password for the Bind User DN

account.

Show password

Select this check box to show entered

passwords.

Relative search DNs (1 per line)

(Optional) Type the Relative Distinguished

OpenText™ Fortify Software Security Center (24.2.0)

Page 109 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Field

Description

Name (RDN). An RDN defines the starting

point from the Base DN for LDAP directory

searches. Fortify recommends that you search

from the base DN. However, if your LDAP

directory is so large that searching for Fortify

Software Security Center users takes too long,

use an RDN to limit the number of LDAP

entries searched. You can also use an RDN to

hide some part of the LDAP tree from Fortify

Software Security Center for security reasons.

Example: To search within the base DN

companyName.com and all entries under that

base DN, specify the following to recursively

search all entries under that path:

cn=users

or

cn=users,ou=divisionName

Ignore partial result exception

To avoid search failures when search results

include more records than the LDAP server

can return, leave this check box selected.

You can also enable this flag to hide LDAP

server misconfiguration. For example, if the

LDAP server limits the number of query results

to 500, but there are 600 actual results, with

this flag enabled, Fortify Software Security

Center silently returns only 500 records.

LDAP server type

From this list, select the type of LDAP server

you are connecting with Fortify Software

Security Center (either ACTIVE_DIRECTORY

or OTHER).

SECURITY

SSL trust check

If the domain controller is enabled for SSL,

OpenText™ Fortify Software Security Center (24.2.0)

Page 110 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Field

Description

leave this check box selected to verify that the

certificate presented by the LDAP server was

issued by a trusted authority. If the domain

controller is not configured for SSL, clear this

check box.

Hostname validation

If the domain controller is enabled for SSL,

leave this check box selected to ensure that

the LDAP server hostname matches the

hostname for which the certificate was issued.

If the domain controller is not configured for

SSL, clear this check box.

Enable user status mapping

(Microsoft Active Directory only) Select this

check box to enable Fortify Software Security

Center to retrieve status information for users

on this LDAP server. The information is used

for enhanced authentication checks during

token-based and SSO-based authentication

schemes.

BASE SCHEMA

Object class attribute

Type the class of the object. For example, if

this is set to objectClass, Fortify Software

Security Center looks at the objectClass

attribute to determine the entity type to

search. The default value is objectClass.

Organizational unit class

User class

Type the object class that defines an LDAP

object as an organizational unit. The default

value is container.

Type the object class that identifies an LDAP

object type as a user. The default value is

organizationalPerson.

Organizational unit name attribute

Type the group attribute that specifies the

OpenText™ Fortify Software Security Center (24.2.0)

Page 111 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Field

Description

organizational unit name. The default value is

cn.

Group class

Type the object class that identifies an LDAP

object type as a group. The default value is

group.

Distinguished name (DN) attribute

Type the value that determines the attribute

Fortify Software Security Center looks at to

find the distinguished name of the entity. The

default value is distinguishedName.

USER LOOKUP SCHEMA

User firstname attribute

Type the user object attribute that specifies a

user’s first name.

The default value is givenName.

User lastname attribute

Group name attribute

Type the user object attribute that specifies a

user’s last name.

The default value is sn.

Type the group attribute that specifies the

group name.

The default value is cn.

User username attribute

User password attribute

Group member attribute

Type the user object attribute that specifies a

username. The default value is

sAMAccountName.

Type the user object attribute that specifies a

user’s password. The default value is

userPassword.

Type the group attribute that defines the

members of the group. The default value is

member.

OpenText™ Fortify Software Security Center (24.2.0)

Page 112 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Field

Description

User email attribute

Type the user object attribute that specifies a

user’s email address. The default value is mail.

User memberOf attribute

Type the name of an LDAP attribute that

includes the LDAP group names for LDAP

users.

USER PHOTO

User photo enabled

Select this check box to enable the retrieval of

user photos from the LDAP server.

User thumbnail photo attribute

The thumbnailPhoto attribute for Active

"Importing an LDAP Server Configuration" on page 118

"Registering LDAP Entities" on page 118

"Deleting an LDAP Server Configuration" on the next page

OpenText™ Fortify Software Security Center (24.2.0)

Page 116 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Editing an LDAP Server Configuration

To edit an LDAP server connection:

1. On the OpenText header, click Administration.

2. In the left pane, select Configuration, and then select LDAP Servers.

3. On the Integration with LDAP servers page, click the LDAP server connection that you

want to edit.

The row expands to reveal the LDAP server details.

4. Click EDIT.

5. Make all necessary changes to the attributes described in "Configuring LDAP Servers" on

page 107.

6. To check the validity of the configuration, click VALIDATE CONNECTION.

7. To save the configuration after successful validation, click SAVE.

Deleting an LDAP Server Configuration

If multiple LDAP servers are configured for your Fortify Software Security Center instance, you

can delete any of these, except for the default server, which you can only disable.

To delete an LDAP server connection:

1. On the OpenText header, click Administration.

2. In the left pane, select Configuration, and then select LDAP Servers.

3. Do one of the following:

l

On the Integration with LDAP Servers page, select the check box for the LDAP server

that you want to delete, and then, on the LDAP Servers toolbar, click DELETE.

Alternatively,

l

On the Integration with LDAP Servers page, click the LDAP server connection that you

want to delete, and then, at the lower right of the expanded server details section, click

DELETE.

The DELETE LDAP CONFIGURATION dialog box prompts you to confirm that you want to

proceed with the deletion.

4. Click OK.

5. To force all LDAP users to re-authenticate, restart the Fortify Software Security

Center server.

OpenText™ Fortify Software Security Center (24.2.0)

Page 117 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

See Also

"Registering LDAP Entities" below

"Registering LDAP Entities" below

Importing an LDAP Server Configuration

As part of upgrading a Fortify Software Security Center instance, you must import your existing

LDAP configuration.

To import your legacy LDAP server configuration:

1. On the OpenText header, click Administration.

2. In the left pane, select Configuration, and then scroll down and select LDAP Servers.

3. On the LDAP Servers header, click IMPORT.

4. In the IMPORT LEGACY LDAP CONFIGURATION dialog box, manually copy the content of

your legacy ldap.propertiesfile for the LDAP configuration to import, and paste it into

the text box.

If Fortify Software Security Center detects problems with the copied content, it displays an

error message and a link to click for more information.

Note: The encoded Bind User DN (ldap.user.dn) and Bind User Password

(ldap.user.password) values are not imported. You must enter these manually (see

"Configuring LDAP Servers" on page 107).

5. Correct any problems, and then click NEXT.

6. Configure the attributes described in the table in step 4 in "Configuring LDAP Servers" on

page 107.

7. To check the validity of the configuration, click VALIDATE CONNECTION.

8. To check the validity of and save the configuration, click SAVE.

See Also

Registering LDAP Entities

Users who have Administrator-level accounts can add LDAP groups, organizational units, and

users to the list of Fortify Software Security Center users. Fortify Software Security Center

automatically updates access control as users join and leave groups.

OpenText™ Fortify Software Security Center (24.2.0)

Page 118 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

To register an LDAP organizational unit, group, or user with Fortify Software Security Center:

1. Log in to Fortify Software Security Center as an Administrator, and then, on the OpenText

header, click Administration.

2. In the left pane, click Users, and then select LDAP Entities.

3. On the LDAP toolbar, click +ADD.

4. In the ADD NEW LDAP ENTITY window, from the LDAP Entity list, select the type of LDAP

entity you want to register (Group, User, or Organizational Unit).

5. In the list of returned entities, select the user, group, or organizational unit that you want to

register.

6. In the Roles section, select the check boxes that correspond to the roles you want to assign

to the selected entity.

7. To provide the LDAP entity access to versions of an application, in the Access section, do

the following.

OpenText™ Fortify Software Security Center (24.2.0)

Page 119 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Note: You can add versions for multiple applications, but you must add them one at a

time using the following steps.

a. Click + ADD.

b. From the Application list in the SELECT APPLICATION VERSION dialog box , select

the name of an application that you want the LDAP entity to access.

Fortify Software Security Center lists all active versions of the application.

c. To display inactive versions of the application, select the Show inactive versions

check box.

d. Select the check boxes for all of the versions that you want the entity to access.

e. Click DONE.

The Access section lists the application versions you selected.

8. Do one of the following:

l

To save your changes and close the Add New LDAP Entity dialog box, click SAVE.

l

To save your changes and register another LDAP entity, click SAVE AND ADD

ANOTHER.

Fortify Software Security Center adds the entities to its list of users.

Fortify Software Security Center periodically refreshes the LDAP server cache

automatically.

For information about how to configure LDAP servers, see "Configuring LDAP Servers" on

page 107.

See Also

Refreshing LDAP Entities Manually

Fortify Software Security Center periodically refreshes the LDAP server cache automatically. If

you make changes to an LDAP entity, you can initiate the LDAP refresh process manually so

that your changes are evident sooner than they would be otherwise.

To initiate the LDAP refresh process manually:

1. Log in to Fortify Software Security Center as an Administrator, and then, on the OpenText

header, click Administration.

2. In the left pane, select Users, and then select LDAP Entities.

3. In the list of LDAP entities, select the check box for the LDAP entity to refresh.

4. On the LDAP toolbar, click REFRESH.

For information about how to configure LDAP servers, see "Configuring LDAP Servers" on

page 107.

OpenText™ Fortify Software Security Center (24.2.0)

Page 120 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

See Also

"Registering LDAP Entities" on page 118

"Configuring LDAP Servers" on page 107

Handling LDAP Entries Marked "Invalid"

If a registered LDAP entity is no longer present in the LDAP server and you no longer need it in

Fortify Software Security Center, remove it from the entities list. Alternatively, if the

distinguished name of the LDAP entity was changed, you can update the DN value in Fortify

Software Security Center to reflect that.

Note: The following steps apply to LDAP groups and organizational units, as well as to

individual users.

To update the DN value for an LDAP entity:

1. On the OpenText header, select Administration.

2. In the left pane, select Users, and then select LDAP Entities.

3. Select the row for the entity you need to modify, and then click EDIT.

4. Click UPDATE DISTINGUISHED NAME. (This button is visible only if the current DN is

invalid.)

5. In the UPDATE DISTINGUISHED NAME dialog box, select the now invalid value in the

Distinguished name field, and replace it with the updated distinguished name.

6. Click SAVE.

See Also

Enabling Persistence of the LDAP Cache

By default, an LDAP cache is only in memory and is lost during server shutdown. If your

organization has a large volume of LDAP users, the loss of the LDAP cache can significantly

slow the next server startup.

Note: If your organization has a large volume of LDAP users, the next server startup may

take a significant amount of time because the cache must be rebuilt.

To enable the LDAP cache to persist after server shutdown:

1. Shut down Fortify Software Security Center.

2.

Navigate to the <fortify.home>/<app_context>/confdirectory and open the

app.propertiesfile in a text editor.

3.

Set the ldap.cache.persistence.enabledproperty to true.

OpenText™ Fortify Software Security Center (24.2.0)

Page 121 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

4.

Save and close your app.propertiesfile.

5. Restart Fortify Software Security Center.

Changing the Default Cache Refresh Interval

The default cache refresh interval is one hour. If large LDAP groups are registered with Fortify

Software Security Center, a frequent cache refresh can place an extra load on Fortify Software

Security Center and the LDAP server and thereby affect performance. To reduce the impact,

you can increase the interval, as follows:

1. Shut down Fortify Software Security Center.

2.

Navigate to the <fortify.home>/<app_context>/confdirectory and open the

app.propertiesfile in a text editor.

3. Add the following line:

ldap.cache.refresh.interval.hours=<whole number value between 1 and 12>

4. Restart Fortify Software Security Center.

OpenText™ Fortify Software Security Center (24.2.0)

Page 122 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Implementation of SCIM 2.0 Protocol

When you enable System for Cross-domain Identity Management (SCIM) in Fortify Software

Security Center, a SCIM 2.0 API client pushes users and groups to Fortify Software Security

Center using the SCIM 2.0 protocol for provisioning and managing identity data. This means

that you do not have to go through the Fortify Software Security Center Administrationview to

add users. Instead, you configure users and groups from the SCIM 2.0 API client.

Note: You can integrate with any SCIM 2.0 API client. However, if you do, you must test its

interoperability with Fortify Software Security Center independently. For now, only

Microsoft Entra ID integration is officially supported.

Because users provisioned using the SCIM API are externally managed and single sign-on users

only, the following apply:

l

You can only assign roles and application versions to externally managed users from Fortify

Software Security Center.

l

Users can only log in using SSO.

l

If a username created locally (Administration > Users > Local Users) already exists in

Fortify Software Security Center, a user with the same username cannot be provisioned using

SCIM. Users created from the Administration view are read-only for SCIM provisioning.

Supported SCIM Resources

Fortify Software Security Center supports the following SCIM resources:

l

User (urn:ietf:params:scim:schemas:core:2.0:User schema)

Fortify Software Security Center accepts all standard attributes of the User Schema, but

stores only a subset of these (see "User Attribute Mappings" on the next page). Also accepts

Enterprise User extension attributes

(urn:ietf:params:scim:schemas:extension:enterprise:2.0:User schema) but

does not store them.

l

Group (urn:ietf:params:scim:schemas:core:2.0:Group schema)

Fortify Software Security Center accepts all standard attributes from the Group Schema, but

stores only a subset of these (see "Group Attribute Mappings" on the next page).

Optional features supported:

l

Resource filtering (RFC 7644 - 3.4.2.2 Filtering)

l

PATCH operations (RFC 7644 - 3.5.2 - Modifying with PATCH)

OpenText™ Fortify Software Security Center (24.2.0)

Page 123 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

User Attribute Mappings

The following table shows how SCIM user attributes map to Fortify Software Security Center

user attributes.

SCIM User Attribute

meta.created

meta.lastModified

id

SSC User Attribute

created

Comment

Read-only

lastModified

N/A

Read-only

Read-only, Unique, Opaque

Unique, Required

userName

active

suspended (not)

The Suspended option in

Fortify Software Security

Center is set accordingly.

name.givenName

firstName

lastName

email

name.familyName

emails[type="work"].value

Group Attribute Mappings

The following table shows how SCIM group attributes map to Fortify Software Security Center

group attributes.

SCIM Group Attribute

meta.created

meta.lastModified

id

SSC Group Attribute

Comment

created

lastModified

N/A

Read-only

Read-only, Unique, Opaque

Required

displayName

members

name

N/A

Must reference existing

users and / or groups

OpenText™ Fortify Software Security Center (24.2.0)

Page 124 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Provisioning" below

"Configuring Fortify Software Security Center to Work with SAML 2.0-Compliant Single Sign-On"

on page 144

Using SCIM 2.0 and SAML 2.0 to Configure a Connection to Microsoft Entra ID for User

Provisioning

You can use the System for Cross-domain Identity Management (SCIM) protocol to provision

Fortify Software Security Center with user accounts from Microsoft Entra ID. The following table

lists the tasks required to use this feature, in the order in which they must be performed.

Task

For Details

Enable SCIM from Fortify Software Security

Center.

"Enabling SCIM for Provisioning of

Externally Managed Users and Groups"

on page 128

In Microsoft Entra, go to Microsoft Entra ID and

create an enterprise application.

Microsoft Entra ID documentation

Note: When Entra ID prompts you

to indicate what you want to do

with the new application, select the

Integrate any other application you

don't find in the gallery (Non-

gallery) option.

FromEntra, assign users and groups to the new

application.

Microsoft Entra ID documentation

From Entra, provision the application.

Note the following:

Microsoft Entra ID documentation

SCIM for Provisioning of Externally Managed

l

Set Provisioning Mode to Automatic.

l

Use the SSC URL for the Tenant URL value, and

append to it the following string:

/api/scim/v2?aadOptscim062020

OpenText™ Fortify Software Security Center (24.2.0)

Page 125 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Task

Note: /api/scim/v2is the URL for the

For Details

SSC SCIM endpoint. The

aadOptscim062020query parameter

improves Entra ID compliance with SCIM

v2.0.

l

For the Secret Token value, use the token you

created in SSC (SCIM Token - see "Enabling

Users and Groups" on page 128 .)

From Entra ID, change the attribute mappings for

data flow between Entra ID and Fortify Software

Security Center.

Microsoft Entra ID documentation

Delete all but the following attributes for your

users (for groups, you change no attribute

mappings):

l

userName

l

active

l

emails[type eg "work"].value

l

name.givenName

l

name.familyName

l

externalID

Make sure that you move the Provisioning Status

toggle to On.

l

Entra ID SAML metadata is signed. For Fortify

Software Security Center to successfully verify the

signature, you must download the SAML signing

certificate from Entra and import it into the

keystore to be used in the SSO SAML

Microsoft Entra ID documentation

"Configuring Fortify Software

l

Security Center to Work with SAML

2.0-Compliant Single Sign-On" on

configuration (SAML keystore location).

OpenText™ Fortify Software Security Center (24.2.0)

Page 126 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Task

For Details

InEntra, navigate to the created enterprise

application. On the SAML-based Sign-on page,

download the signing certificate, and then import

it into the keystore.

page 144

Set up SAML single sign-on from Fortify Software "Configuring Fortify Software Security

Security Center.

Center to Work with SAML 2.0-

Compliant Single Sign-On" on page 144

Acquire the metadata XML file from Fortify

Software Security Center and save it locally. This

file can be accessed only if SAML SSO is enabled in

Fortify Software Security Center and successfully

initialized.

<ssc_hostname>:<port>/<context>

/saml/<metadata>

In Entra, upload the saved metadata file, and then Microsoft Entra ID documentation

complete the SAML single sign-on setup using

data from the uploaded metadata file.

"Implementation of SCIM 2.0 Protocol" on page 123

From Fortify Software Security Center, assign roles "Viewing Externally Managed Users and

and application versions to externally managed

users and groups.

Groups" on page 223

OpenText™ Fortify Software Security Center (24.2.0)

Page 127 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Enabling SCIM for Provisioning of Externally Managed Users and Groups

To enable SCIM for provisioning of externally-managed users and groups:

1. Log in to Fortify Software Security Center as an administrator, and then, on the OpenText

header, click Administration.

2. In the left pane, select Configuration, and then scroll to and select SCIM.

3. Select the Enable SCIM check box.

4. In the SCIM Token box, enter the SCIM token you want to use as a bearer token to

authenticate with the Fortify Software Security Center SCIM API. (Use that token as a

Secret Token in Entra ID when you configure the connection between Fortify Software

Security Center and Entra ID.)

Important! The token can include upper and lower case letters, numbers, hyphens and

underscores. The token must contain at least 32 characters, and no more than 512

characters. Because the token allows access to user management in Fortify Software

Security Center, it must be protected. Fortify recommends that you use a secure

random string generator to generate the token.

5. Click SAVE.

on page 144

"Viewing Externally Managed Users and Groups" on page 223

Configuring a Proxy for Fortify Software Security Center Integrations

You can configure a single proxy for use with all HTTP(s) protocol-based integrations with

Fortify Software Security Center. Once you configure the proxy, you can then enable its use

(select the Use SSC proxy for... check box) for components such as Audit Assistant

("Configuring Audit Assistant" on page 364), the Rulepack update URL ("Configuring Core

Settings" on page 94 ), and bug tracker plugins ("Assigning a Bug Tracking System to an

Application Version" on page 254).

To configure a single proxy for use with all HTTP(s) protocol-based Fortify Software Security

Center integrations:

1. On the OpenText header, select Administration.

2. In the left pane, select Configuration, and then select Proxy.

OpenText™ Fortify Software Security Center (24.2.0)

Page 128 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

On the Proxy page, provide values for the settings described in the following table.

Setting

Description

Enable SSC proxy Select this check box to enable proxy use.

HTTP proxy

HTTP proxy host Type the name of an HTTP proxy host (without a protocol part and

port number) For example, some.proxy.com.

HTTP proxy port Type the HTTP proxy port number.

HTTP proxy user If HTTP authentication is required, type a user name.

HTTP proxy

password

If HTTP authentication is required, type a password.

HTTPS proxy

Set up a different Select this check box to enable the use of a different secure proxy

HTTPS proxy

for HTTPS requests.

HTTPS proxy

host

Type the name of an HTTPS proxy host (without a protocol part

and port number). For example, some.secureproxy.com.

HTTPS proxy

port

Type the HTTPS proxy port number.

HTTPS proxy

user

If HTTPS authentication is required, type a user name.

If HTTPS authentication is required, type a password.

HTTPS proxy

password

3. Click SAVE.

Fortify Software Security Center displays a message at the upper right to indicate that the

proxy configuration was successful.

"Configuring Core Settings" on page 94

"Assigning a Bug Tracking System to an Application Version" on page 254

OpenText™ Fortify Software Security Center (24.2.0)

Page 129 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Configuring ScanCentral SAST Monitoring in Fortify Software Security Center

With Fortify ScanCentral SAST, Fortify Static Code Analyzer users can maximize their resource

use by offloading the processor-intensive scanning phase to a dedicated Fortify Static Code

Analyzer scan farm. You can monitor ScanCentral SAST and display its results in Fortify

Software Security Center. You can also create and manage ScanCentral SAST sensor pools. To

enable this functionality, you must configure the integration in Fortify Software Security Center.

Note: For information about how to install, configure, and use Fortify ScanCentral SAST to

streamline the static code analysis process, see the Fortify ScanCentral SAST Installation,

Configuration, and Usage Guide.

To configure the integration between Fortify Software Security Center and ScanCentral SAST:

1. Log in to Fortify Software Security Center as an administrator, and then, on the OpenText

header, click Administration.

2. In the left pane, select Configuration, and then select ScanCentral SAST.

3. On the ScanCentral SAST page, select the Enable ScanCentral SAST check box.

4. In the ScanCentral Controller URL box, type the URL for your ScanCentral

SAST Controller.

Important! The Controller must be the same or later version as Fortify Software

Security Center.

5. In the ScanCentral poll period (seconds) box, type the number of seconds to elapse

between sessions of data polling from ScanCentral SAST.

6. In the SSC and ScanCentral controller shared secret box, type the shared secret key

(unencrypted) for Fortify Software Security Center to use to request data from the

Controller. (If you use clear text, this string must match the value stored in the Controller

config.propertiesfile for the ssc_scancentral_ctrl_secretkey.)

The Controller verifies the shared secret key when requested for administration console

data.

7. Click SAVE.

8. Restart the Fortify Software Security Center server.

"Viewing ScanCentral Controller Information" on page 400

"About ScanCentral SAST Sensor Pools" on page 403

"Creating ScanCentral SAST Sensor Pools" on page 404

OpenText™ Fortify Software Security Center (24.2.0)

Page 130 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Enabling the Running and Management of ScanCentral DAST Scans from

Fortify Software Security Center

Fortify ScanCentral DAST is a dynamic application security testing tool that consists of the

Fortify WebInspect sensor service and other supporting technologies that you can use in

conjunction with Fortify Software Security Center.

To enable the running and management of ScanCentral DAST dynamic scans:

1. Log in to Fortify Software Security Center as an administrator, and then, on the OpenText

header, click Administration.

2. In the left pane, select Configuration, and then select ScanCentral DAST.

3. On the ScanCentral DAST page, select the Enable ScanCentral DAST check box.

4. In the ScanCentral DAST server URL box, enter the URL for your ScanCentral DAST

server.

The ScanCentral DAST server URL should resemble one of the following:

http://<DAST_API_Hostname>:<Port>/api/

http://<DAST_API_IP_Address>:<Port>/api/

You can use the https protocol instead.

Important! Make sure that you include the trailing /api/ in the URL.

5. Click SAVE.

For information about how to perform the following tasks, see the ScanCentral DAST

Configuration and Usage Guide:

l

Manage ScanCentral DAST pools and sensors

l

Create, run, change, and delete ScanCentral DAST scans, schedules, and settings

Configuring Job Scheduler Settings

You configure the Fortify Software Security Center job scheduler from the Configuration

section of the Administration view.

To configure job scheduler settings:

1. On the OpenText header, select Administration.

2. In the left pane, select Configuration > Scheduler.

3. On the Scheduler page, configure the settings as described in the following table.

Field

Description

Number of days

after which

The number of days after which finished jobs are removed from

Fortify Software Security Center.

OpenText™ Fortify Software Security Center (24.2.0)

Page 131 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Field

Description

executed jobs are The default value is 1 (day).

removed

Canceled jobs are removed daily.

Job execution

strategy

Select the job execution strategy to use. Options are as follows:

l

Conservative: Default strategy balancing job concurrency,

throughput and job stability. This job execution strategy works

as follows:

o

Some jobs, such as delete jobs, are considered low

concurrency, or exclusive jobs. Only one such exclusive job

can run at a time. (Running an exclusive job reduces running

jobs to 60 percent of configured capacity.)

o

At most, ${job.numberOfConcurrentReports}report jobs

can run concurrently.

o

At most, ${numberOfConcurrentExclusiveJobs}

exclusive jobs can run concurrently. (The default is 1.)

o

At most, ${jobs.threadCount}jobs can run at the same

time. Of that number,

${job.numberOfDedicatedDataExports}threads are

reserved for comma-separated values (CSV) file export jobs.

Other jobs cannot use those threads.

l

Flexible: This strategy provides the same options as the

conservative strategy, but improves job queue worker use.

Aggressive: Enables high concurrency. With this option, the job

scheduler does not enforce any limitations on how jobs are

executed. All jobs are equal and executed on all available

workers.

l

Exclusive jobs: Enables jobs to run in sequence, one at a time.

The default value is Flexible.

Note: Two worker threads are dedicated to exporting to

comma-separated values (CSV) jobs for both conservative and

aggressive strategies. (See "Exporting Data to Comma-

Separated Values Files" on page 211 .)

OpenText™ Fortify Software Security Center (24.2.0)

Page 132 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Field

Description

Pause job

execution

This check box (not selectable from the Scheduler page) shows

whether job execution has been paused (from the Maintenance

page) in preparation for server shutdown / system maintenance.

To proceed to the Maintenance page to select or clear this check

box, click the here link. A change to this setting takes effect

immediately after you save the change from the Maintenance page.

No server restart is required.

After you pause job execution, jobs (artifact processing, report

generation, data export requests, and so on) that are currently

running continue to completion. Any new jobs submitted are

queued for processing once the Pause job execution check box is

clear and normal processing resumes.

Important! Fortify strongly recommends that you pause job

execution immediately before server shutdown, and keep it

paused for as short a period of time as possible. This will

prevent a high volume of jobs from queuing up for processing

later.

Caution! Job execution does not automatically resume after the

server comes back up after maintenance. To resume job

execution, you must return to the Maintenance page and clear

the Pause job execution check box.

Token management

Token expiration Number of days before token expiration that users are notified of

alerts

the upcoming expiration. Valid values range from 3 to 30 days,

inclusive.

The default value is 7 (days).

Note: The start of the day is 12 AM in the Fortify Software

Security Center server locale.

Snapshot refresh - Use the fields in this section to schedule the snapshot job.

A snapshot is application version information captured at a given moment in time. This

OpenText™ Fortify Software Security Center (24.2.0)

Page 133 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Field

Description

information includes variables and performance indicator values, which are used to

calculate application versions trends at the scheduled times.

Days of week

Type a CRON expression to specify the days of the week on which

the historical snapshot job is to be run. You can enter the value as a

three-letter abbreviation for the day of the week (for example, type

THU for Thursday) or as a single digit, by entering a 1 for Sunday, a

2 for Monday, and so on. To run the scheduler on multiple days,

separate the entries with a comma. For example, type SUN, WED,

FRI or 1, 4, 6.

Note: The three-letter abbreviations must be entered as upper-

case letters. Spaces between the entries are optional.

To enter consecutive days, separate the entries with a dash. For

example, type MON-FRI to run the scheduler on week days only.

Type * if the scheduler is to run every day (the default).

Hours

Type the hour, using 24-hour time notation, at which the recurring

scheduler job is to start running. For example, type 1 to start the job

at 1 A.M.

Type * if the scheduler is to run every hour.

Note: The values you enter in the Days of Week, Hours, and

Minutes fields are concatenated to create the CRON expression

used by the scheduler.

The default value is 0 (midnight).

Minutes

Type the minute at which the recurring scheduler job is to start

running. For example, type 24 to start the job at 24 minutes past

the hour that you entered in the Hours box.

The default value is 0 (indicating the job starts running in the first

minute).

Index maintenance Use the fields in this section to schedule your Fortify Software

Security Center full text search index maintenance. Fortify recommends that you run this

job daily.

OpenText™ Fortify Software Security Center (24.2.0)

Page 134 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Field

Description

Days of week

Type a CRON expression to specify the days of the week on which

the index maintenance job is to be run. You can enter the value as a

three-letter abbreviation for the day of the week (for example, type

THU for Thursday) or as a single digit, by entering a 1 for Sunday, a

2 for Monday, and so on.

To run the scheduler on multiple days, separate the entries with a

comma. For example, type SUN, WED, FRI or 1, 4, 6.

Note: The three-letter abbreviations must be entered as upper-

case letters. Spaces between the entries are optional.

To enter consecutive days, separate the entries with a dash. For

example, type MON-FRI to run the scheduler on week days only.

Type * if the scheduler is to run every day.

The default value is *.

Hours

Type the hour, using 24-hour time notation, at which the recurring

index maintenance job is to start running. For example, type 1 to

start the job at 1 A.M.

Type * if the scheduler is to run every hour.

Note: The values you enter in the Days of Week, Hours, and

Minutes fields are concatenated to create the CRON expression

used by the scheduler.

The default value is 0 (midnight).

Minutes

Type the minute at which the recurring index maintenance job is to

start running. For example, type 24 to start the job at 24 minutes

past the hour that you entered in the Hours box.

The default value is 0 (indicating the job starts running in the first

minute).

Events maintenance

Days to preserve Type the number of days after which OpenText removes past

events. To specify no event removal, type 0 (zero).

OpenText™ Fortify Software Security Center (24.2.0)

Page 135 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Field

Description

Fortify Software Security Center uses the new value during the next

run of the dedicated cleaning job. A new job is created daily at

11:30 p.m. and if it is not blocked, it starts its work immediately.

The default value is 0. (No cleanup occurs.)

Reports maintenance

Days to preserve Type the number of days Fortify Software Security Center is to

retain generated reports. The default value is 0. (No cleanup

occurs.)

To ensure that the cleanup job is not too time- or resource-

intensive, each nightly run clears a maximum of 2000 old reports

(and associated entities). Fortify SSC then gradually cleans up the

remaining reports over the following days.

Data export maintenance

Days to preserve Type the number of days Fortify Software Security Center is to

retain exported audit reports.

The default value is 2.

Note: This job is run every day at 11:45 PM (23:45)

4. Click SAVE.

5. To implement your settings, restart the server.

See Also

"Setting Job Execution Priority" below

"Canceling Scheduled Jobs" on page 138

"Recurring Cleanup Jobs" on page 138

Setting Job Execution Priority

All new jobs in Fortify Software Security Center are scheduled with priority set to "very low."

Multiple jobs that have the same priority are processed in the order in which they are added to

the jobs queue. That is, the first job added to the queue is the first job processed. Jobs with

higher priority values set are processed before those assigned lower priority.

If you are a Fortify Software Security Center administrator or a security lead, you can change the

priority of scheduled jobs that are in the PREPARED state. (Job state can be PREPARED,

RUNNING, FINISHED, FAILED, or CANCELED.)

OpenText™ Fortify Software Security Center (24.2.0)

Page 136 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

To set the priority for a scheduled job:

1. On the OpenText header, select Administration.

2. In the left pane, select Metrics & Tracking, and then select Jobs.

3. On the right end of the Jobs toolbar, from the Filter by list, select Prepared.

4. Scroll through the listed jobs and expand (click) the row for the job you want to re-

prioritize.

5. From the SET PRIORITY list, select one of the following priority values:

l

Very Low

l

Low

l

Medium

l

High

l

Very High

Changing job priority may affect other jobs in the queue. If the priority you set for a job

potentially affects other jobs, Fortify Software Security Center displays a message to advise

you of the potential effect, and prompts you to confirm that you want to continue with the

change.

6. To continue, click OK.

The jobs table now reflects the changed priority setting.

"Configuring Job Scheduler Settings" on page 131

OpenText™ Fortify Software Security Center (24.2.0)

Page 137 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Canceling Scheduled Jobs

If you are a Fortify Software Security Center administrator or a security lead, you can cancel

scheduled jobs that are still in the prepared state. (The job state can be prepared, running,

finished, failed, or cancelled.)

To cancel a job:

1. Log in to Fortify Software Security Center as an administrator or security lead, and then, on

the OpenText header, select Administration.

2. In the left pane, under Metrics & Tracking, select Jobs.

3. On the far right of the Jobs toolbar, from the Filter by list for job state, select Prepared.

4. Scroll through the listed jobs and click the row for the job you want to cancel.

5. Click the row for the job to expand it and view the details.

6. Click CANCEL.

Fortify Software Security Center prompts you to confirm that you want to cancel the job.

7. Confirm that you want to cancel the job.

Recurring Cleanup Jobs

Fortify Software Security Center performs several cleanup jobs on a recurring basis. These are

described in the following table.

Job Name and

Description

Affected Tables

Default Schedule

Data Export Cleanup

dataexport, documentinfo,

and datablob

Daily at 23:45 h

Removes exported data (such

as CSV files) that were more

than the specified number of

days old. (See "Configuring Job

Scheduler Settings" on

For instructions on how to

schedule this job from the

Fortify Software Security

Center user interface, see

page 131 .)

Event Log Cleanup

eventlogentry

Daily at 23:30 h

Removes event records older

than the number of days

specified on the Scheduler

page.

For instructions on how to

schedule this job from the

Fortify Software Security

OpenText™ Fortify Software Security Center (24.2.0)

Page 138 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Job Name and

Description

Affected Tables

Default Schedule

Center user interface, see

Expired Tokens Cleanup

agentcredential

id_table

Daily, every six hours,

starting at 00:00 h

Removes expired tokens with

elapsed expiration dates.

ID Table Cleanup

Daily at 23:00 h

Removes IDs, used for filtering pv_id_table

while working with user

permissions and generating

reports.

For instructions on how to

schedule this job from the

Fortify Software Security

Center user interface, see

Job Cleanup

jobqueue

Daily at 23:00 h

Removes finished jobs. (Failed

jobs are removed after the set

number of days, beginning

with their start time. Canceled

jobs are cleaned up without

regard to start time.)

Orphaned Data Cleanup

documentinfo

Every Sunday at 23:30 h

Daily at 00:00 h

Removes metadata associated

with attachments that are no

longer needed.

Orphaned Source Files Cleanup sourcefile

Removes source files that are

no longer referenced by any

existing issue.

Set using

job.sourceFileCleanup.cron

Report Cleanup

savedreport

No cleanup scheduled

OpenText™ Fortify Software Security Center (24.2.0)

Page 139 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Job Name and

Description

Affected Tables

Default Schedule

Removes generated reports

that are older than the number

of days specified for Days to

preserve on the Scheduler

page.

documentinfo

datablob

For instructions on how to

schedule this job from the

Fortify Software Security

Center user interface, see

Webhook History Cleanup

webhookhistory

N/A

Daily at 03:30 h

Removes old webhook event

entries.

Index Maintenance

Daily at 00:00 h

Resolves inconsistencies

between global search

(fulltext) indexes and existing

database entries (for example,

resulting from unclean server

shutdown or indexing job

failures).

For instructions on how to

schedule this job from the

Fortify Software Security

Center user interface, see

LDAP Refresh

N/A

Every 6 hours

Updates caches associated

with LDAP entities.

Historical Snapshot

Daily at 00:00 h

Re-creates out-of-date

snapshots.

For instructions on how to

schedule this job from the

Fortify Software Security

Center user interface, see

page 131 ."Configuring Job

Settings" on

Scheduler Settings" on

page 131

OpenText™ Fortify Software Security Center (24.2.0)

Page 140 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Job Name and

Description

Affected Tables

Default Schedule

Alert Reminder

N/A

Daily at 03:00 h

Sends reminder alerts.

Token Expiry Alerts

N/A

Daily at 03:00 h

Notifies users of any tokens to

expire soon.

Configuring Browser Access Security for Fortify Software Security Center

To configure security for browsers that access the Fortify Software Security Center domain:

1. On the OpenText header, select Administration.

2. In the left pane, select Configuration, and then select Security.

3. On the Security page, configure the settings as described in the following table.

Field

Description

Content-Security-Policy

Specify what (if any) level of CSP to use. Using the HTTP

Content-Security-Policy header controls the resources

browsers can load and what actions they can perform on

pages loaded from Fortify Software Security Center. This

helps guard against cross-site scripting attacks.

Select one of the following options:

l

To restrict access to only the base URL configured using

the host.urlproperty (set using the Fortify Software

Security Center configuration wizard), select Strict.

l

To enable a less restrictive policy than strict CSP, select

Relaxed. This is the default setting. It allows access to

the Fortify Software Security Center domain from any

host:port.

l

To disable the Content-Security-Policy header, select

Disabled. Although Fortify recommends that you not

disable the Content-Security-Policy header, this option is

available if CSP causes unexpected problems.

OpenText™ Fortify Software Security Center (24.2.0)

Page 141 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Field

Description

Set value for Strict-

Transport-Security

header

Type the value for the Strict-Transport-Security header.

This header signals to browsers to use HTTPS instead of

HTTP to communicate with Fortify Software Security

Center.

Important! Please use caution when you set this value.

It can have a severe impact on users. For more detail,

see the HTTP Strict Transport Security Cheat Sheet

(https://www.owasp.org/index.php/HTTP_Strict_

Transport_Security_Cheat_Sheet ).

The Strict-Transport-Security header is sent only through a

secure channel determined by Tomcat Server.

Set value for Public-Key- Type the value for the Public-Key-Pins header. This

Pins header

decreases the risk of man-in-the-middle (MitM) attacks.

Important! Please use caution when you set this value.

It can have a severe impact on users. For more detail,

see the HTTP Strict Transport Security Cheat Sheet

(https://www.owasp.org/index.php/HTTP_Strict_

Transport_Security_Cheat_Sheet ).

The Public-Key-Pins header is sent only through a secure

channel determined by Tomcat Server.

4. Click SAVE.

Configuring Fortify Software Security Center to Work with Single Sign-On

The following table lists the single sign-on solutions that Fortify Software Security

Center supports, and provides links to the instructions on how to configure Fortify

Software Security Center to work with these SSO types.

SSO Solution

Instructions

CAS

"Configuring Fortify Software Security Center to Work with a

Central Authentication Service" on page 144

(Central Authentication

Service)

OpenText™ Fortify Software Security Center (24.2.0)

Page 142 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

SSO Solution

Instructions

SPNEGO/ KERBEROS

"Setting up Kerberos Authentication with Fortify Software

Security Center" on page 151

SAML 2.0-compliant single "Configuring Fortify Software Security Center to Work with

sign-on

SAML 2.0-Compliant Single Sign-On" on the next page

HTTP headers

"Configuring Fortify Software Security Center to Work with

Single Sign-On and Single Logout Solutions that use HTTP

Headers" on page 150

X.509 certification

"Configuring Fortify Software Security Center to Use X.509

Certification-based SSO" on page 153

Restrictions on Configuration

Restrictions on configuring Fortify Software Security Center to work with SSO solutions are as

follows:

l

You can only use the SSO solutions that Fortify Software Security Center supports to give

users access to the Fortify Software Security Center user interface.

l

At any given time, you can configure only one SSO solution for use with Fortify Software

Security Center.

l

A user who wants to access Audit Workbench, fortifyclient, or any of the IDE plugins, must

use an LDAP or local Fortify Software Security Center user account and password to log in.

For information about how to enable debug logging for SSO, see "Enabling Debug Logging for

Single Sign-On Authentication" on page 155.

Restricted Local Login (SPNEGO/Kerberos and x.509 solutions only)

Important! This restriction does not apply to the Central Authentication Service

(CAS), SAML, or HTTP Headers SSO solutions. Local login is supported for these

SSO solutions.

To improve application security, if SSO authentication is enabled, Fortify Software Security

Center prevents both LDAP and local users from using usernames and passwords to log in

locally. Users can only use the configured SSO method or an API token to access Fortify

Software Security Center. To enable local login with either the SPNEGO/Kerberos or x.509

SSO solution configured, an administrator must use the sso.localAuthenticationEnabled

property, which is located in the app.propertiesfile. For information, see "Enabling Username

and Password Login if Fortify Software Security Center is Configured to Use the X.509 or

Kerberos SSO Solution" on page 154 .

OpenText™ Fortify Software Security Center (24.2.0)

Page 143 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

See Also

"About Session Logout" on page 75

Configuring Fortify Software Security Center to Work with a Central Authentication Service

Note: CAS single logout is supported in Fortify Software Security Center.

To configure Fortify Software Security Center to work with a Central Authentication Service

(CAS):

1. Log in to Fortify Software Security Center as an administrator, and then, on the OpenText

header, click Administration.

2. In the left pane, select Configuration, and then select SSO.

Note: Only one single sign-on solution can be configured for Fortify Software Security

Center at a time.

3. From the list of available single sign-on solutions on the SINGLE SIGN ON page, select CAS.

4. In the Central Authentication Service URL box, type the URL for the CAS. The default is

http://localhost:8080/cas.

5.

Verify that the host.urlproperty in <fortify.home>/<app_

context>/conf/app.propertiesdesignates a URL that the CAS can access. The URL is

used as a base URL for the Fortify Software Security Center service parameter, which is set

to <host.url>/login/cas.

6. Click SAVE.

7. To implement the configuration, restart the server.

Note: For information about how to obtain extra logging information related to SSO

authentication for Fortify Software Security Center, see "Enabling Debug Logging for Single

Sign-On Authentication" on page 155.

Configuring Fortify Software Security Center to Work with SAML 2.0-Compliant Single Sign-

On

Before you configure Fortify Software Security Center to work with SAML 2.0 single sign-on, be

aware of the following:

l

Fortify Software Security CenterFortify Software Security Center supports HTTP REDIRECT

and HTTP POST bindings for inbound and outbound SAML messages.

OpenText™ Fortify Software Security Center (24.2.0)

Page 144 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

l

SAML single logout is supported in Fortify Software Security Center. Logout responses and

logout requests sent by IdP must be signed.

l

For successful SAML integration, the clocks on the client and server machines (IdP and

SP) must be synchronized.

To configure Fortify Software Security Center to work with SSO that uses SAML 2.0:

1. If you are using an LDAP directory for users in Fortify Software Security Center and IdP,

configure Fortify Software Security Center to use LDAP authentication. Otherwise, IdP

users must match local users. (For information, see "LDAP User Authentication" on

page 104.)

2. If your IdP runs with SSL (https), configure Fortify Software Security Center to run with

SSL. Otherwise, protocol switching while authenticating against IdP could interfere with

authentication.

3. Prepare a public/private key pair to be used to digitally sign SAML messages and encrypt

SAML Assertions. If your IdP does not require keys signed by a specific certification

authority, you can generate your own self-signed key using, for example, OpenSSL or Java's

keytool. The following example command generates a keystore that stores a self-signed

key under a given alias:

keytool -genkeypair -alias <key_alias> -keyalg <RSA_or_EC

algorithm> -keystore <keystore_filename> -storepass <password_to_

protect_keystore> -keypass <password_to_protect_key> -validity

<number_of_days_the_key_is_valid>

Make a note of the values for the alias and both passwords. You must provide them later in

the Fortify Software Security Center Administration section (Administration >

Configuration > SSO > SAML).

4. Get SAML metadata from the IdP server and store it on the Fortify Software Security

Center file system.

5. Open the metadata file and make a note of the entityID for your IdP EntityDescriptor

(<EntityDescriptor entityID="THE_VALUE_YOU_ARE_LOOKING_FOR">). Also check to see

whether the metadata is signed (the <Signature> section is present). If the metadata is

signed, the signature is verified with the PKIX validation algorithm and uses all public keys

present in the keystore as trust anchors. Make sure that you include the root CA certificate

and intermediary CA certificates of the signature in your keystore.

6. Log in to Fortify Software Security Center and, on the OpenText header, select

Administration.

7. In the left pane, select Configuration, and then select SSO.

Note: You can configure only one single sign-on solution at a time for Fortify Software

Security Center.

OpenText™ Fortify Software Security Center (24.2.0)

Page 145 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

If a single sign-on solution other than SAML is currently configured, its name is displayed in

the list on the SINGLE SIGN ON page.

8. From the list of available single sign-on solutions, select SAML.

9. Provide the information described in the following table.

Field

Description

IdP metadata location

Location of your identity provider metadata (the metadata

obtained in step 3).

Examples

l

For Windows:

file:///C:/fortify/federation-metadata.xml

l

For Linux:

file:///home/fortify/federation-metadata.xml

Note: If you are integrating with Entra ID, enter the value

shown in the App Federation Metadata Url field In

Azure. (In the left pane in Azure, under Manage, select

Single sign-on, and then select SAML. You can see the

App Federation Metadata Url field under SAML Signing

Certificate.)

Note: If your IdP is behind a proxy server, you must

download IdP metadata to your local file system and

reference it locally. Current SAML implementation does

not support getting metadata over http proxy.

Default IdP

entityID of your IdP EntityDescriptor (from IdP metadata)

Note: If you are using the SCIM protocol to provision

Fortify Software Security Center with user data from

Azure AD, use the value shown in the Azure AD Identifier

field in Azure. (You can see this field on the SAML-based

OpenText™ Fortify Software Security Center (24.2.0)

Page 146 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Field

Description

Sign-on page under Set up <application_name>.)

SP entity ID

Service provider entity ID value must be a URL that does not

exceed 1024 characters, and is globally unique across

federations. Fortify recommends that you use the URL of a

running Fortify Software Security Center instance.

SP alias

Service provider alias must include only alphanumeric

characters, colons, dashes, and underscores. It cannot contain

slashes, hash marks, semicolons, or question marks.

Because this field value plays no significant role, you can

specify any general value. For example, you can use fortify_

ssc.

Keystore location

Location of your keystore that stores the key pair to be used

for signing SAML messages and encrypting SAML Assertions.

Examples

l

For Windows:

file:///C:/fortify/keystore.jks

l

For Linux:

file:///home/fortify/keystore.jks

Note: If IdP metadata is signed, the signature is verified

with the PKIX validation algorithm and uses all public keys

present in the keystore as trust anchors. Make sure that

you include the root CA certificate and intermediary CA

certificates of the signature in your keystore.

Keystore password

Keystore file password

Signing & encryption

key

Signing/encryption key alias in the keystore file

Signing & encryption

key password

Signing/encryption key password

OpenText™ Fortify Software Security Center (24.2.0)

Page 147 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Field

Description

SAML name identifier

Name of the element in the SAML Assertion sent by IdP that

holds the authenticated user's username, which matches the

Fortify Software Security Center user's username. Use the

NameID value if the username is released within the

<NameID> element. If the username is released within one of

the <Attribute> elements, provide the name value of the

attribute. This information should be available or configurable

in your IdP server.

10. Click SAVE.

11.

Verify that the host.urlproperty in <fortify.home>/<app-

context>/conf/app.propertiesdesignates a URL that the IdP server can access. The

URL is used as a base URL for constructing <AssertionConsumerService> and

<SingleLogoutService> locations in Fortify Software Security Center SAML metadata.

12. If the SAML assertion sent from IdP is encrypted, make sure that the authentication

response message is signed.

Important! If you are integrating with Active Directory Federation Services (AD FS),

set the IdP parameter SamlResponseSignatureto MessageAndAssertion

(recommended) or MessageOnlyvalue.

13.

Recent Chrome or Chromium-based browsers default to a SameSite=Laxcookie policy,

which means that cookies are not sent with sub-requests to third-party sites. As a result,

single logout that is not initiated from Fortify Software Security Center does not work

correctly.

Note: Single logout initiated from Software Security Center works correctly, regardless

of the cookie policy settings.

To make single logout work in Chrome or Chromium-based browsers, you must change the

SameSitepolicy for session cookies to None. Be advised that this denotes a less secure

policy than the default, so you must determine whether making the change is the best

approach for your organization. To change the policy for container deployments, use the

HTTP_SERVER_SAME_SITE_COOKIESenvironment variable. For non-container

deployments, add <CookieProcessor sameSiteCookies="none"/>to the context

section of your Tomcat configuration. For details, see https://tomcat.apache.org/tomcat-

9.0-doc/config/context.html#Nested_Components.

14. Restart Fortify Software Security Center.

15. Generate the Fortify Software Security Center (SP) metadata at

<hostname>:<port>/<context>/saml/metadata/<SP_alias>.

OpenText™ Fortify Software Security Center (24.2.0)

Page 148 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

16.

Open the metadata generated in previous step and verify that the location URLs in

<AssertionConsumerService>and <SingleLogoutService>are accessible from the

IdP server.

17. Upload the Fortify Software Security Center metadata to the IDP server.

18.

Try to access <hostname>:<port>/<app_context>.

You are redirected to the IdP server, where you can enter your credentials. After successful

authentication, the IdP server redirects you back to Fortify Software Security Center.

Note: For information about how to obtain extra logging information related to SSO

authentication for Fortify Software Security Center, see "Enabling Debug Logging for Single

Sign-On Authentication" on page 155.

Troubleshooting SAML SSO Integration

Issue: After accessing the <hostname>:<port>/<app-context>/login.jsppage, a user is

not redirected to IdP.

l

The login page is excluded from SSO so that a local administrator can access the application

and correct the SAML SSO configuration.

Issue: Users are authenticated with IdP, but Fortify Software Security Center does not authorize

them.

l

The username received in the SAML assertion from IdP does not match any LDAP or local

Fortify Software Security Center user (based on user lookup strategy). Verify the following:

l

The "SAML name identifier" in your Fortify Software Security Center SAML configuration is

set to an attribute in the SAML assertion that contains the username.

l

The user exists in Fortify Software Security Center and has an assigned role.

l

The user lookup strategy is correctly configured (see "Configuring Core Settings" on

page 94).

Issue: You want to set the IdP metadata location as HTTP URL to IdP instead of referencing the

IdP metadata locally.

l

The configuration accepts the HTTP location but the IdP cannot be behind a proxy server. If

the IdP is behind a proxy server, Fortify Software Security Center cannot access the

metadata, so the data must be referenced locally.

Solutions that use HTTP Headers" on the next page

OpenText™ Fortify Software Security Center (24.2.0)

Page 149 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Configuring Fortify Software Security Center to Work with Single Sign-On and Single Logout

Solutions that use HTTP Headers

To configure Fortify Software Security Center to work with SSO that uses headers:

1. On the OpenText header, select Administration.

2. In the left pane, select Configuration, and then select SSO.

Note: Only one single sign-on solution can be configured for Fortify Software Security

Center at a time.

3. From the list of available single sign-on solutions on the SINGLE SIGN ON page, select

HTTP.

4. Under HTTP SSO Integration Attributes, configure the following settings.

Field

Description

HTTP header

for username

Type the HTTP header to use for SSO logons.

The default value is username.

IdP login page

Type the URL for the identity provider login page.

SSO Logout

page

Type the logout page address to which users are to be redirected after

logging out of Fortify Software Security Center.

SSO Logout

Response

Header

Type the dynamic directive header.

SSO Logout

Response Code

Type the dynamic directive code in this box.

Type the dynamic directive message in this box.

SSO Logout

Response Text

5. Click SAVE.

6. Configure Fortify Software Security Center to use LDAP authentication. For details, see

"LDAP User Authentication" on page 104.

7. Restart the server.

Note: For information about how to obtain extra logging information related to SSO

authentication for Fortify Software Security Center, see "Enabling Debug Logging for Single

Sign-On Authentication" on page 155.

OpenText™ Fortify Software Security Center (24.2.0)

Page 150 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Setting up Kerberos Authentication with Fortify Software Security Center

To set up Kerberos authentication with Fortify Software Security Center.

Caution! SPNEGO/Kerberos SSO may require the transmission of large amounts of data to

Fortify Software Security Center via HTTP headers. An insufficient header size limit results

in a "Bad Request" error. To increase the header size limit, configure the

maxHttpHeaderSizeproperty on the Tomcat Server Connector.

1. Create an Active Directory account and register the Service Principal Name (SPN) for the

account as follows:

setspn -U -S HTTP/SSCServer.mydomain.lan SSCKerberos

2. Create a keytab file.

Example:

ktpass -out c:\SSCSERVER.keytab -princ HTTP/

SSCServer.mydomain.lan@mydomain -mapUser mydomain\SSCKerberos -

mapOp set -pType KRB5_NT_PRINCIPAL /crypto all /kvno 0 -pass

3o(t&gSp&3hZ4#t9

3.

(Linux only) Make sure that, at a minimum, your krb5.conffile contains the following:

[libdefaults]

default_realm = EXAMPLE.COM

[realms]

EXAMPLE.COM = {

kdc = kerberos.example.com

admin_server = kerberos.example.com

}

4. Log in to Fortify Software Security Center as an administrator, and then, on the OpenText

header, select Administration.

5. In the left pane, select Configuration, and then select SSO.

Note: Only one single sign-on solution can be configured for Fortify Software Security

Center at a time.

6. From the Enabled SSO list on the SINGLE SIGN ON page, select SPNEGO/KERBEROS.

7. Under SPNEGO/Kerberos Integration Attributes, provide the information described in

the following table.

OpenText™ Fortify Software Security Center (24.2.0)

Page 151 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Field

Description

Service principal

name

Service principal name (SPN) of Fortify Software Security

Center in the Kerberos realm. The value you specify can include

the realm name configured in the Kerberos initialization file.

Keytab location

Location of the keytab file (created in step 2), which contains

Fortify Software Security Center principal keys. The location must

specify the absolute path to the file using the file URI scheme.

Windows example:

file:///C:/Users/fortify/secrets/krb.keytab

Linux example:

file:///home/fortify/secrets/krb.keytab

Krb5.conf location

Location of optional krb5.conffile. This sets the

java.security.krb5.confproperty. The location must specify

the absolute path to the file using file the URI scheme. See Keytab

location for examples.

Enable debug

mode

Select this check box to enable debug mode.

8. Click SAVE.

9. Check to make sure that the User username attribute setting for your LDAP server is

correct. (See "Configuring LDAP Servers" on page 107.)

10. Restart the server.

11. Verify that the LDAP user names resolve correctly. Format the LDAP user name values as

follows:

username@domain

12. Check your browser setup, as follows:

l

For Firefox, add the service URL to network.negotiate-auth.trusted-uris

(about:config). For example, service-machine.my.domain.lan.

l

For Chrome, add the service URL to your intranet and trusted sites, configure automatic

logon only for the local intranet zone settings, and enable integrated Windows

authentication.

Important! Check to make sure that the Fortify Software Security Center LDAP

configuration username mapping matches the LDAP User entry attribute, where the

attribute holds a username sent in the Kerberos ticket. In configurations that use Microsoft

Active Directory, the User Principal Name (UPN) attribute should hold the username sent in

OpenText™ Fortify Software Security Center (24.2.0)

Page 152 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

the Kerberos ticket. However, verify this before you change configuration settings.

Caution! If Fortify Software Security Center is configured to use the SPNEGO/Kerberos

SSO solution, and you want users (local and LDAP) to be able to log in using their user

names and passwords, you must directly enable it. For instructions, see "Enabling Username

and Password Login if Fortify Software Security Center is Configured to Use the X.509 or

Kerberos SSO Solution" on the next page .

Configuring Fortify Software Security Center to Use X.509 Certification-based SSO

To configure Fortify Software Security Center to use X.509 certification-based SSO:

1. Configure x.509 client certification in Tomcat. See certificateVerification and related

options at https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_

Certificate for details.

2. Log in to Fortify Software Security Center as an administrator and, on the OpenText

header, select Administration.

3. In the left pane, select Configuration, and then click SSO.

Note: You can configure only one sign-on solution for Fortify Software Security Center

at a time.

4. From the Enabled SSO list on the SINGLE SIGN ON page, select X.509.

5. In the X.509 certificate username pattern box, type a regular expression for Fortify

Software Security Center to specify how to retrieve the username from the client certificate,

do one of the following:

l

To retrieve the username from the X.509 certificate Subject field, use a regular

expression with capturing groups. The regular expression is then used to match the

username from the Subject field value.

OpenText™ Fortify Software Security Center (24.2.0)

Page 153 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Example: To match the CN attribute of the certificate Subject field, specify the CN=(.*?)

pattern.

l

To retrieve the username from the X.509 certificate Subject Alternative Name (SAN)

extension Other Name, use $0!OID$regexpattern, where:

o

OIDrepresents the identifier of the Other Name from which to retrieve the username.

Only Other Names that contain string values are supported.

o

regexrepresents the regular expression with capturing group to use to retrieve the

username from the Other Name value.

Example: One of the widely used SAN Other Names is User Principal Name (UPN), with

OID1.3.6.1.4.1.311.20.2.3. Its value takes the form username@domain.

To match the whole username@domainunder UPN, specify the following pattern:

$0!1.3.6.1.4.1.311.20.2.3$(\S+@\S+)

To match only the user name before the @sign, without the domain, under UPN, specify

the following pattern:

$0!1.3.6.1.4.1.311.20.2.3$(.+?(?=@))

6. Click SAVE.

7. To implement the configuration, restart the Fortify Software Security Center server.

Caution! If you configure Fortify Software Security Center to use X.509 certification-based

SSO, and you want users (local and LDAP) to be able to log in using their user names and

passwords, you must directly enable it. For instructions, see "Enabling Username and

Password Login if Fortify Software Security Center is Configured to Use the X.509 or

Kerberos SSO Solution" below .

Enabling Username and Password Login if Fortify Software Security Center is Configured to

Use the X.509 or Kerberos SSO Solution

If Fortify Software Security Center is configured to use the X.509 or Kerberos SSO solution, local

login is disabled by default. If you want users (local and LDAP) to be able to log in using their

usernames and passwords, you must directly enable local authentication, as follows:

1.

Navigate to <fortify.home>/<app_context>/conf, and open the app.properties

file in a text editor.

2.

3.

Set the sso.localAuthenticationEnabledproperty to true.

Save and close the app.propertiesfile.

4. Restart the server.

OpenText™ Fortify Software Security Center (24.2.0)

Page 154 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Enabling Debug Logging for Single Sign-On Authentication

If you want to get extra logging information related to single sign-on (SSO) authentication for

Fortify Software Security Center, you can do so by updating the logging configuration.

To obtain extra logging information related to SSO authentication for Fortify Software Security

Center:

1.

Go to the <fortify.home>/<app_context>/confdirectory, and then open the

log4j2.xmlfile in a text editor.

2. For single sign-on solutions that use HTTP headers, add the following logger definition to

the log4j2.xmlfile:

<Logger

name="com.fortify.manager.web.security.auth.FmHttpSsoAuthenticationFil

ter" level="debug"/>

3.

4.

For SAML 2.0-compliant single sign-on solutions, locate the section marked <!-- SSO

SAML -->, and then change the level of each logger in that section to the appropriate

debug value.

For the CAS single sign-on solution, locate the section marked , and

then change the level of each logger in that section to the appropriate debug value.

Configuring Web Services to Require Token Authentication

You enable or disable token authentication for web services in the Configuration section of the

Fortify Software Security Center Administration view.

Fortify Software Security Center supports two types of authentication when the SOAP web

services API is used:

l

A username and password are provided in every request.

l

A temporary security token is generated and passed for authentication.

Token authentication is enabled by default. If you do not want to use token authentication, you

must disable it on the WEB SERVICE ATTRIBUTES page.

For additional information about authentication tokens, see "fortifyclient Authentication

Tokens" on page 426.

To enable or disable token authentication:

1. Log in to Fortify Software Security Center as an administrator, and on the OpenText

header, select Administration.

2. In the left pane, select Configuration, and then select Web Services.

3. On the WEB SERVICE ATTRIBUTES page, do one of the following:

OpenText™ Fortify Software Security Center (24.2.0)

Page 155 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

l

To enable token authentication, select the Allow token authentication check box.

l

To disable token authentication, clear the Allow token authentication check box.

4. Click SAVE.

5. Restart the server.

Changing Log Levels for Fortify Software Security Center

To change the log level setting for Fortify Software Security Center:

1.

Navigate to <fortify.home>/<app_context>/conf, and then open the log4j2.xmlfile

in a text editor.

2.

On line 98, change <Root level="warn">to <Root level="debug">.

3. Save and close the file.

The modified configuration takes in approximately 10 seconds (as defined by the value of the

monitorIntervalattribute in the configuration).

Note: You cannot add a new logger and set a level for it. Only changes to existing loggers

are picked up dynamically.

Running Fortify Software Security Center in a Federal

Information Processing Standards (FIPS) Environment

FIPS is a set of standards and guidelines for cryptographic modules and algorithms used by the

U.S. government and other organizations. To be FIPS-compliant means that you are meeting the

minimum security requirements defined by FIPS publications. You can run Fortify Software

Security Center in a FIPS-compliant environment running on Red Hat Enterprise Linux 9

(RHEL 9). While there are no configuration tasks required to run Fortify Software Security

Center in a FIPS environment, you must ensure that LDAP servers, SMTP servers, and

webhooks are configured as secure connections or you will receive an error in Fortify Software

Security Center.

For instructions on how to configure FIPS-compliant cryptography, see the RHEL 9

documentation.

Customizing the Fortify Banner for Your Organization

You can customize the Fortify banner to display information about your organization's Fortify

Software Security Center website either when customers log on, or when they switch between

views (Dashboard, Applications, Reports, and so on).

Caution! Each time you upgrade your Fortify Software Security Center instance, you must

recreate the banner.

OpenText™ Fortify Software Security Center (24.2.0)

Page 156 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

To create a custom Fortify Software Security Center logon experience for your users:

1.

2.

Navigate to the <ssc.war>/WEB-INF/libdirectory.

Extract the contents of the ssc-htmlui-<version>.jarfile into a new directory

(referred to as <new_directory>in the remaining steps).

3.

4.

5.

Navigate to the <new_directory>/META-INF/resources/html/logindirectory.

Open the login.htmlfile in a text editor.

Uncomment the text <!--<center><font color="red">Add your custom banner

here</font></center>-->, and then specify the HTML elements to set the look, feel,

and content of the message displayed where indicated.

The following example adds a banner with red text to the top center of the web page. The

banner is displayed whenever the user logs on to Fortify Software Security Center.

<center><font color=red size=10>Message_text</font></center>

Caution! Space limitations restrict the message text to a single line. Additional lines

interfere with user interface display.

6.

7.

Change the name of the ssc-htmlui-<version>.jarfile to ssc-htmlui-

<version>.jar.orig.

Create a new archive named ssc-htmlui-<version>.jarthat contains all of the files

under <new_directory>.

Note: Do not include <new_directory>itself in the new archive.

8. Restart the Fortify Software Security Center server.

To create a message banner to display each time a user switches views in Fortify Software

Security Center (Dashboard, Applications, Reports, and so on):

1.

2.

Navigate to the <ssc.war>/WEB-INF/libdirectory.

Extract the contents of the ssc-htmlui-<version>.jarfile into a new directory

(referred to as <new_directory>in the remaining steps).

3.

4.

5.

Navigate to the <new_directory>/META-INF/resources/html/sscdirectory.

Open the index.htmlfile in a text editor, and then go to line 41.

Uncomment the text <div style="text-align: center;"><span style="color:

red; ">Add your custom banner here</span></div>, and then specify the HTML

elements to set the look, feel, and content of the message displayed where indicated.

The following example adds a banner with red text to the top center of the web page. The

banner is displayed whenever the user logs on to Fortify Software Security Center.

<div style="text-align: center;"><span style="color: red; "> Message

text x</span></div>

Caution! Space limitations restrict the message text to a single line. Additional lines

interfere with user interface display.

OpenText™ Fortify Software Security Center (24.2.0)

Page 157 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

6.

7.

Change the name of the ssc-htmlui-<version>.jarfile to ssc-htmlui-

<version>.jar.orig.

Create a new archive named ssc-htmlui-<version>.jarthat contains all of the files

and directories under <new_directory>.

8. Restart the Fortify Software Security Center server.

"Create a System-wide Banner" below

Create a System-wide Banner

An administrator can create a system-wide banner that will display centered below the

OpenText header on all pages in the application. Your banner can be up to 1,024 characters in

length. If your banner content takes up more than two lines, there will be a Show More link to

reveal the remainder of the message.

To create a system-wide banner:

1. Log in to Fortify Software Security Center as an administrator.

2. On the OpenText header, click Administration.

3. In the left pane, expand Configuration, and then select Customization.

OpenText™ Fortify Software Security Center (24.2.0)

Page 158 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

4. Select the Display a custom banner system-wide check box.

5. In the text box, enter the text for your banner.

6. Click SAVE.

"Adding a Fortify Insight Link to the Dashboard" below

Adding a Fortify Insight Link to the Dashboard

If you have purchased Fortify Insight, you can link your Fortify Software Security Center to your

Fortify Insight dashboard by adding a Fortify Insight link to your Fortify Software Security

Center Dashboard.

To add the Fortify Insight link to your Fortify Software Security Center Dashboard:

1. Log in to Fortify Software Security Center as an administrator user.

2. On the OpenText header, click Administration.

3. In the left pane, expand Configuration, and then select Customization.

OpenText™ Fortify Software Security Center (24.2.0)

Page 159 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

4. Under Fortify Insight URL, select the Enable display of the Fortify Insight URL on

your Dashboard check box.

5. In the Fortify Insight URL box, enter the URL for your Fortify Insight page.

6. Click SAVE.

"Changing the Support Contact Link in the About Fortify Software Security Center Box" below

"Create a System-wide Banner" on page 158

Changing the Support Contact Link in the About Fortify

Software Security Center Box

By default, the About Fortify Software Security Center <version> box displays a link to the

Support portal. You can replace that link with a link to the support portal for your organization.

OpenText™ Fortify Software Security Center (24.2.0)

Page 160 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

To display your support portal in the About Fortify Software Security Center box:

1. Log in to Fortify Software Security Center as an administrator user.

2. On the OpenText header, click Administration.

3. In the left pane, expand Configuration, and then select Customization.

OpenText™ Fortify Software Security Center (24.2.0)

Page 161 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

4. Select the Enable using the support URL for your organization in the About box check

box.

5. In the Support URL for your organization box, enter the URL for the support portal for

your organization.

6. In the Text displayed for your support URL box, type the text to display in the new link

to support.

7. Click SAVE.

"Adding a Fortify Insight Link to the Dashboard" on page 159

Customizing Fortify Software Security Center Logging

To customize logging for a Fortify Software Security Center instance, you can provision a

custom log4j2configuration file to override or add to the standard log4j2configuration file in

<fortify.home>/<app_context>/conf.

To provision the custom Log4j2configuration override file, set the COM_FORTIFY_SSC_

LOG4j2_OVERRIDEsystem environment variable or the

com.fortify.ssc.log4j2.overrideJVM system property to an absolute path for the

custom Log4j2XML configuration file.

OpenText™ Fortify Software Security Center (24.2.0)

Page 162 of 459

User Guide

Chapter 6: Additional Fortify Software Security Center Configuration

Fortify strongly recommends that you use one of these methods rather than modifying the

<fortify.home>/<app_context>/conf/log4j2.xmlfile directly because it provides you

with better control.

Setting the Required Password Strength for Fortify Software

Security Center Login

You can use the password.strength.min.scoreproperty (located in

<fortify.home>/<app_context>/conf/app.properties) to adjust the required password

strength. The following table lists the valid values and the strength each represents.

Value

Password Strength

Poor

0

1

2

3

4

Weak

Medium

Strong

Very strong

Password strength is not determined based on requirements such as one upper-case character,

one special character, and so on. Instead, it is calculated based on a dedicated password

strength library that uses methods such as estimating the time to crack the password,

determining whether the password contains predictable character sequences or a username,

and checking against common password dictionaries.

See Next

"About Session Logout" on page 75

"Additional Fortify Software Security Center Configuration" on page 78

OpenText™ Fortify Software Security Center (24.2.0)

Page 163 of 459

Chapter 7: Additional Installation-Related Tasks

This section addresses additional tasks related to a new Fortify Software Security Center

installation.

Blocking Data Export to CSV Files

By default, users can export Fortify Software Security Center data displayed in the Dashboard

and AUDIT views to comma-separated values (CSV) files. You can block this functionality.

To prevent users from exporting Fortify Software Security Center data to CSV files:

1. Log in to Fortify Software Security Center as an administrator, and then, on the OpenText

header, click Administration.

2. In the left pane, select Configuration, and then select Core.

3. Scroll to the bottom of the Core page, and then clear the Enable Export to CSV check box.

4. Click SAVE.

See Also

"Configuring Core Settings" on page 94

"Exporting Data to Comma-Separated Values Files" on page 211

About Bug Tracker Integration

Fortify Software Security Center enables your team to submit bugs to your bug tracking system

from Fortify Software Security Center during issue auditing. Fortify Software Security Center

supports integration with the following bug tracking systems:

l

Jira

l

Jira Cloud

Note: If you use Jira Cloud, you must use your Jira authentication token in the Password

field at login.

OpenText™ Fortify Software Security Center (24.2.0)

Page 164 of 459

User Guide

Chapter 7: Additional Installation-Related Tasks

l

ALM

l

Azure DevOps Server

Important! The Repro Steps field in Azure DevOps, which displays Fortify bug

descriptions, is hidden by default for issue work items. If you use Azure DevOps 2019.1

or later version, and you use the Basic process, you must customize Issue work items to

see the Repro Steps field.

Important! If you use Azure DevOps, you must use a personal access token generated

from Azure DevOps in the Password field at login. For information about Azure DevOps

personal access tokens, see https://learn.microsoft.com/en-

us/azure/devops/organizations/accounts/use-personal-access-tokens-to-

authenticate?view=azure-devops&tabs=Windows .

OpenText™ Fortify Software Security Center (24.2.0)

Page 165 of 459

User Guide

Chapter 7: Additional Installation-Related Tasks

Note: If your organization uses a bug tracking system other than those that Fortify

supplies, you can author a new plugin for that system. For instructions, see "Authoring Bug

Tracker Plugins" on page 437.

For information about how to set up and use bug tracking systems to manage the

security vulnerabilities for your application versions, see "Using Bug Tracking Systems to Help

Manage Security Vulnerabilities" on page 250.

Managing Bug Tracker Plugins

The following sections describe how to add and remove bug tracker plugins to and from the

system.

Adding Bug Tracker Plugins

If you are a Fortify Software Security Center administrator, you can connect Fortify Software

Security Center to third-party bug tracker plugins.

Important! Using a proxy with authentication and an https bug-tracker domain does not

work. For a successful connection, use one of the following:

- Proxy with authentication plus http://bugtracker.domain.com

- Proxy without authentication plus https://bugtracker.domain.com

OpenText™ Fortify Software Security Center (24.2.0)

Page 166 of 459

User Guide

Chapter 7: Additional Installation-Related Tasks

- Proxy without authentication plus http://bugtracker.domain.com

To add a bug tracker plugin to the system:

1. Log in to Fortify Software Security Center as an administrator, and then, on the OpenText

header, select Administration.

2. In the left pane, select Plugins, and then select Bug Tracking Plugins.

3. On the Bug Tracking page header, click NEW.

Fortify Software Security Center displays the UPLOAD PLUGIN WARNING dialog box.

4. Read the warning and, if you accept the potential risk involved in uploading the plugin, click

OK.

5. In the UPLOAD PLUGIN BUNDLE dialog box, click BROWSE, and then locate and select the

JAR file for your plugin. You can use either a Fortify Software Security Center-provided

JAR file, or the JAR file for a bug tracker plugin that you have authored (see "Authoring

Bug Tracker Plugins" on page 437).

You can find the JAR files for the bug trackers that Fortify Software Security Center

provides in the following locations.

Bug Tracker

Plugin

Directory/File

Bug Tracker Plugin

for ALM

<ssc_install_dir>/plugins/BugTrackerPluginAlm/

com.fortify.BugTrackerPluginAlm-<version>.jar

Bug Tracker Plugin

for Jira

<ssc_install_dir>/plugins/BugTrackerPluginJira/

com.fortify.BugTrackerPluginJira-<version>.jar

Bug Tracker Plugin

for Azure DevOps

<ssc_install_dir>/plugins/BugTrackerPluginAzure/

com.fortify.BugTrackerPluginAzure-<version>.jar

6. Click START UPLOAD.

After the upload is completed, the Bug Tracking table lists the new plugin.

7. To enable the bug tracker plugin, click ENABLE.

The Plugin State field for the plugin now displays the value ENABLED.

OpenText™ Fortify Software Security Center (24.2.0)

Page 167 of 459

User Guide

Chapter 7: Additional Installation-Related Tasks

Removing Bug Tracker Plugins

If you are a Fortify Software Security Center administrator, you can remove third-party bug

tracker plugins from the system.

To remove a bug tracker plugin from the system:

1. Log in to Fortify Software Security Center as an administrator, and then, on the OpenText

header, select Administration.

2. In the left pane, select Plugins, and then select Bug Tracking Plugins.

3. On the Bug Tracking page, expand the row for the plugin you want to remove.

4. Click Disable, and then, after the plugin is disabled, click REMOVE.

"Adding and Managing Parser Plugins" on the next page

"Authoring Bug Tracker Plugins" on page 437

Securing Logon Credentials for Bug Tracking Systems

When you file a bug from Fortify Software Security Center, you provide a username and

password for the bug tracking system. The username and password pair is saved in the HTTP

session and mapped to the bug tracker for each application.

Each bug tracker has a different set of bug parameters and requires different user input. These

parameters are dynamic and could be fetched from the bug-tracking system itself. Default

values may be provided for some parameters.

After you complete and save the bug settings, a bug is created on the bug tracking system and

Fortify Software Security Center saves the bug ID for the issue.

Important! If Fortify Software Security Center is configured to communicate over SSL,

you must also import the required bug tracker certificates to the java virtual machine

where Fortify Software Security Center is deployed.

Bug Tracker Parameters

A bug submitted with a bug tracker requires that a standard summary and bug description be

entered in the Submit Bug dialog box. You can also add values for priority level, a due date for

the fix, and the assignee. Fortify Software Security Center fetches values for the Issue Type and

Affects version fields dynamically from the bug tracking system based on the selected

application.

If your application requires additional fields, you might need to modify the plugin before you use

it. For instructions, see "Authoring Bug Tracker Plugins" on page 437 or contact Customer

Support (https://www.microfocus.com/support ).

OpenText™ Fortify Software Security Center (24.2.0)

Page 168 of 459

User Guide

Chapter 7: Additional Installation-Related Tasks

ALM Parameters

In the Submit Bug dialog box for the ALM defect tracker, you select the parameters that reflect

your ALM installation:

l

Bug Summary

l

Bug Description

l

ALM Domain

l

ALM Project

l

Severity

If your ALM project integrates with ALI (details below) you can see that the defect description

includes candidate changesets that could have introduced the issue.

There are several key points of ALM integration to remember. For changeset discovery to be

functional, the following conditions must be met:

l

Each Fortify Static Code Analyzer scan must be tagged with a build-label, which Fortify

Software Security Center uses to map the scan with a source-control revision number. To do

this, include the -build-label <SVN_Revision_Number>command option when you run

the source analyzer tool to translate source code into the analysis model.

l

You must enable the ALI extension for the individual project in ALM and configure

appropriate source control repositories. If the ALI extension is successfully enabled for the

individual project, you can view the Code Changes tab after you log in to ALM.

l

ALM bugs are logged, regardless of whether the changeset discovery requirements are met.

If the prerequisites are not met, then the changeset discovery message is skipped.

l

Currently, Subversion is the only source control repository supported for changeset

discovery.

Note: To view an ALM bug, you must have the ALM browser plugin installed and use an

ALM-compatible browser.

For more information about ALI and ALM, see the documentation for those products.

Adding and Managing Parser Plugins

If you are a Fortify Software Security Center administrator, you can connect Fortify Software

Security Center to third-party parser plugins.

Tip: You can write your own parser plugin for Fortify Software Security Center. For

instructions, see the "Sample parser plugin" page on GitHub

(https://github.com/fortify/sample-parser).

OpenText™ Fortify Software Security Center (24.2.0)

Page 169 of 459

User Guide

Chapter 7: Additional Installation-Related Tasks

To add a parser plugin to the system:

1. Log in to Fortify Software Security Center as an administrator, and then, on the OpenText

heaer, select Administration.

2. In the left pane, select Plugins, and then select Parser Plugins.

3. On the Parsers page header, click NEW.

Fortify Software Security Center displays the Upload Plugin Warning to advise you of the

risk of uploading third-party plugins.

4. To acknowledge the warning and continue, click OK.

5. In the Upload Plugin Bundle dialog box, click BROWSE, and then locate and select the

bundle file (JAR file) for your plugin.

6. Click START UPLOAD.

The Parsers page lists the plugin you uploaded.

7. To expand the row that displayed the parser name, click it.

8. To enable the parser plugin, click ENABLE.

Fortify Software Security Center displays the Enable Plugin Warning to advise you of the

risk of enabling untested plugins.

9. Click OK.

Preparing Fortify Software Security Center to Display Sonatype Results

You can view open source security data from Sonatype's Nexus Lifecycle solution scan results

for an application version from the AUDIT page or from the OPEN SOURCE page in Fortify

Software Security Center. To do so, you must first download and install the required Sonatype

Parser Plugin. After you do, Sonatype scan results uploaded to Fortify Software Security Center

(using Fortify SourceAndLibScanner) are visible.

To obtain Fortify SourceAndLibScanner, go to

https://marketplace.microfocus.com/cyberres/content/fortify-sourceandlibscanner. For

information about how to use SourceAndLibScanner to upload open Sonatype scan results to

Fortify Software Security Center, see the OpenText™ Fortify SourceAndLibScanner User Guide,

which is packaged with the Fortify SourceAndLibScanner utility.

To prepare Fortify Software Security Center to display uploaded Sonatype data:

1. Open a browser window and navigate to the Fortify Marketplace

(https://marketplace.microfocus.com/cyberres/content/sonatype-nexus-lifecycle-

integration-with-ssc ).

2. On the Sonatype Nexus Lifecycle integration with SSC page, click GET NEWEST.

3.

Unzip the SonatypeFortifyBundle-<version>.zipfile contents to a local directory.

4. Log on to Fortify Software Security Center as an administrator.

OpenText™ Fortify Software Security Center (24.2.0)

Page 170 of 459

User Guide

Chapter 7: Additional Installation-Related Tasks

5. On the OpenText header, select Administration.

6. In the left pane, expand the Plugins section, and select Parser Plugins.

7. On the Parsers page, click NEW.

8. To dismiss the UPLOAD PLUGIN WARNING, click OK.

9. In the UPLOAD PLUGIN BUNDLE dialog box, click BROWSE, and then navigate to and

select the sonatype-plugin-<version>.jarfile.

10. In the UPLOAD PLUGIN BUNDLE dialog box, click START UPLOAD.

Fortify Software Security Center displays a message to let you know the upload was

successful. The Parsers page now lists the Sonatype Vulnerability Parser.

11. Expand the row for the Sonatype Vulnerability Parser, and then click ENABLE.

OpenText™ Fortify Software Security Center (24.2.0)

Page 171 of 459

User Guide

Chapter 7: Additional Installation-Related Tasks

12. Read the ENABLE PLUGIN WARNING, and then click OK.

See Also

"About Susceptibility Analysis of Web Applications" on page 379

Preparing Fortify Software Security Center to Display Debricked Results

You can view open source security data from Debricked on the AUDIT page or on the

OPEN SOURCE page in Fortify Software Security Center. To do so, you must first download and

install the required parser plugin. After you do, the open source scan results uploaded to Fortify

Software Security Center are visible.

To prepare Fortify Software Security Center to display Debricked data:

1. Open a browser window and navigate to https://github.com/fortify/fortify-ssc-parser-

debricked-cyclonedx/releases.

2. Click (expand) Assets and select the latest version of the parser. At the time of writing, the

latest version is: fortify-ssc-23.2+-parser-debricked-cyclonedx-1.10.zip.

3. Go to your Downloads folder and extract the contents of the downloaded ZIP file to a local

directory.

4. Log on to Fortify Software Security Center as an administrator.

5. On the OpenText header, select Administration.

6. In the left pane, expand the Plugins section, and then select Parser Plugins.

7. On the Parsers page, click NEW.

8. To dismiss the UPLOAD PLUGIN WARNING, click OK.

9. In the UPLOAD PLUGIN BUNDLE dialog box, click BROWSE, and then navigate to and

select the extracted JAR file.

OpenText™ Fortify Software Security Center (24.2.0)

Page 172 of 459

User Guide

Chapter 7: Additional Installation-Related Tasks

10. In the UPLOAD PLUGIN BUNDLE dialog box, click START UPLOAD.

Fortify Software Security Center displays a message to let you know the upload was

successful. The Parsers page now lists the Debricked parser plugin for Fortify Software

Security Center.

11. Expand the row for the Debricked parser plugin, and then click ENABLE.

12. Read the ENABLE PLUGIN WARNING, and then click OK.

See Also

"Viewing Open Source Data" on page 390

Administrator Accounts

Users who have Administrator accounts have complete access to all Fortify Software Security

Center user and application version data and can manage the entire Fortify Software Security

Center system. Only users who have Administrator accounts can create, edit, or delete other

user accounts. To change a local user account, you must be a local administrator.

Fortify recommends that you create only the Administrator-level accounts necessary to create

and edit local or LDAP Fortify Software Security Center user accounts. The Security Lead and

lesser accounts can perform all other application-related activity.

Fortify Software Security Center permits the explicit addition of Administrator-level accounts to

application versions. This enables Administrator users to be assigned issues from the AUDIT

page.

About Fortify Software Security Center User Administration

This section provides information about the different types of Fortify Software Security Center

user accounts and how to create these accounts for your users.

Topics covered in this section:

Fortify Software Security Center User Accounts

174

OpenText™ Fortify Software Security Center (24.2.0)

Page 173 of 459

User Guide

Chapter 7: Additional Installation-Related Tasks

About Creating User Accounts

174

Preventing Destructive Library and Template Uploads to Fortify Software Security Center 175

Viewing Permission Information for Fortify Software Security Center Roles

About Managing LDAP User Roles

175

176

Fortify Software Security Center User Accounts

In addition to the administrator-level account used to administer user accounts, Fortify Software

Security Center supports the following user account types, in descending order of level of

authority:

l

Administrator: An Administrator has access to all application versions and can perform all

actions in the system.

l

Security Lead: A Security Lead has access to all administrative operations except user

account creation and editing. The Security Lead can create application versions and edit all

aspects of the versions that they created or to which they are assigned.

l

Manager: A Manager has read-only access to most administrative data. Managers can create

and edit all data for the application versions to which they are assigned.

l

Developer: A Developer has read-only access to some administrative data. Developers can

create and edit a subset of data for the application versions to which they are assigned.

l

View-Only: A View-Only user can view general information and issues for application

versions to which he has access. A View-Only user cannot upload analysis results or audit

issues.

l

Application Security Tester: An Application Security Tester can perform operations that

pertain to execution of dynamic scan requests. An Application Security Tester can view

application versions, view and generate reports, process dynamic scans, upload results and

audit issues.

l

WebInspect Enterprise System: Users assigned the Fortify WebInspect Enterprise System

role can register and de-register a Fortify WebInspect Enterprise instance from Software

Security Center and can retrieve issue audit information. This role is intended for Fortify

WebInspect Enterprise use only.

For more information about user accounts, see "User Accounts and Access" on page 202.

"Unlocking Local User Accounts" on page 223

Preventing Destructive Library and Template Uploads to Fortify Software

Security Center

Caution! A malicious user might modify a report library or template so that it contains

arbitrary and potentially destructive SQL queries and commands. Upload only libraries and

templates that are written by trusted users and that have been reviewed for malicious

queries and commands.

Only users who have permission to manage report definitions and libraries can upload custom

report libraries and templates to Fortify Software Security Center. To prevent templates that

execute arbitrary and potentially destructive commends from being uploaded to Fortify

Software Security Center, make sure that you:

l

Assign access permissions to trusted users only.

l

Check all custom templates for arbitrary SQL queries and commands before you upload them

to Fortify Software Security Center.

Viewing Permission Information for Fortify Software Security Center Roles

To view detailed information about the actions that users assigned the various Fortify Software

Security Center roles can perform:

1. On the OpenText header, select Administration.

2. In the left pane, select Users, and then select Roles.

OpenText™ Fortify Software Security Center (24.2.0)

Page 175 of 459

User Guide

Chapter 7: Additional Installation-Related Tasks

The Roles page lists the names and descriptions of all of the roles in the system.

3. Select the row for the role you are interested in.

The row expands to reveal details for the role, including a table that lists all of the permissions

granted to users assigned that role.

For more information about user accounts, see "Managing User Accounts" on page 215.

Handling Failed LDAP User Logins

If you have configured nested LDAP groups for your Fortify Software Security Center server,

and LDAP authentication fails during an attempted login because of incorrect credentials, then

the log includes a message about bad credentials. However, if the log contains the text "user is

not authorized," check the following:

l

Is the user registered in Fortify Software Security Center and assigned a role? Check with the

LDAP administrator to determine whether the user is actually a member of the group to

which they are assumed to belong.

l

If user does belong to the LDAP group, check to see whether that the group is registered with

Fortify Software Security Center and assigned a role.

l

Special case: If the user belongs to the LDAP group that is registered to Fortify Software

Security Center, but was added to the group only within the last few hours, refresh the LDAP

cache manually or wait a few hours for it to automatically refresh.

To manually request an LDAP cache refresh:

1. On the OpenText header, select Administration.

2. In the left pane, select Users, and then select LDAP Entities.

3. Select the check box for the LDAP server.

4. On the LDAP page header, click REFRESH.

5. To determine whether the LDAP cache refresh has completed, from the Administration

view, check either the Event Logs page or the Jobs page.

Note: An LDAP cache refresh can take a long time to complete.

OpenText™ Fortify Software Security Center (24.2.0)

Page 177 of 459

User Guide

Chapter 7: Additional Installation-Related Tasks

About Mapping Fortify Software Security Center Roles to LDAP Groups

In most environments, the LDAP directory contains some users who do not need access to

Fortify Software Security Center. Also, certain groups of users may require different access

privileges.

Before you configure LDAP user authorization, you must decide which LDAP groups to

associate with the Fortify Software Security Center roles (Administrator, Manager, Developer,

and Auditor). Fortify recommends that you create new LDAP groups that map directly to the

different Fortify Software Security Center roles. For example, you might create a FORTIFY_

ADMINS group and a FORTIFY_DEVELOPERS group.

Global Search Functionality in Fortify Software Security

Center

Fortify Software Security Center provides global, category-based search functionality that

applies search terms across application versions, issues, reports, comments, and users. Newly

added documents (artifacts, application versions, users) are indexed automatically and

immediately.

You can enable global searches during configuration at first login or after an upgrade. (See

"Configuring Fortify Software Security Center for the First Time" on page 68.)

Note: Indexing of uploaded FPR files is not immediate because it is performed as a separate

Index New Issues job, which is scheduled to occur at the end of an artifact upload job.

To enable global searching on your Fortify Software Security Center server, you must provide

Tomcat Server with read and write access to the search index directory.

Recommended disk size

The optimum disk size for the requisite indexing for global searches varies based on the

characteristics of the data, but the Lucene indexes are much smaller than the data in the

database. For example, the index size required for a database issue volume of 18 GB (with db

indexes) is approximately 2 GB.

See Also

Troubleshooting Search Index Issues

About Global Search Functionality

Fortify Software Security Center provides global, category-based search functionality that

applies search terms across application versions, issues, reports, comments, and users. You can

enable global searches during configuration at first login or after an upgrade. (See "Configuring

Fortify Software Security Center for the First Time" on page 68 or "Configuring Fortify Software

Security Center After an Upgrade" on page 191 .)

OpenText™ Fortify Software Security Center (24.2.0)

Page 178 of 459

User Guide

Chapter 7: Additional Installation-Related Tasks

Recommended disk size

The optimum disk size for the requisite indexing for global searches varies based on the

characteristics of the data, but the Lucene indexes are much smaller than the data in the

database. For example, the index size required for a database issue volume of 18 GB (with db

indexes) is approximately 2 GB.

"Troubleshooting Search Index Issues" below

Troubleshooting Search Index Issues

As an indicator of search index health, the search index directory (specified in the configuration

wizard) includes the marker file healthy.index. If this file is not present in the search index

directory, Fortify Software Security Center attempts to recreate the index on each startup.

If Fortify Software Security Center repeatedly fails to create the initial index, remove the entire

index directory, and then restart Fortify Software Security Center.

If you are working with a very large database (hundreds of GB), the Full Reindex job may fail

because of limited system memory. If this occurs, increase the Java heap size for Fortify

Software Security Center and then restart Fortify Software Security Center. (For minimum and

recommended values for java heap size, see the OpenText Fortify Software System

Requirements document.)

Search Index Maintenance

The index maintenance job, which is performed once a day, keeps the index healthy. You can

change its run time from the Administration view. Fortify recommends that you schedule this

job to run once a day. For instructions on how to re-schedule executed jobs, see "Configuring

Job Scheduler Settings" on page 131.

Placing Fortify Software Security Center in Maintenance Mode

If, at any time, you need to change any server configuration settings, you can place Fortify

Software Security Center in maintenance mode, and then make the necessary changes.

To place Fortify Software Security Center in maintenance mode:

1. Log in to Fortify Software Security Center as an administrator, and then, on the OpenText

header, select Administration.

2. In the left pane, select Configuration, and then select Maintenance .

3. On the Maintenance page, select the Set to maintenance mode check box, and then click

SAVE.

4. Restart the server.

OpenText™ Fortify Software Security Center (24.2.0)

Page 179 of 459

User Guide

Chapter 7: Additional Installation-Related Tasks

5.

6.

Go to the <fortify.home>/<app_context>directory, and open the init.tokenfile.

Copy the contents of the init.tokenfile to the clipboard.

7. Open a web browser window and type the URL for your Fortify Software Security Center

instance.

8. In the upper right corner of the Fortify Software Security Center Setup screen, click

ADMINISTRATORS.

9.

Paste the string you copied from the init.tokenfile in the text box, and then click SIGN

IN.

The Fortify Software Security Center Setup wizard displays all of the current configuration

settings. For information about server configuration, see "Configuring Fortify Software

Security Center for the First Time" on page 68.

10. After you successfully complete the server configuration, restart Tomcat.

Note: Alternatively, you can set the following Java option to re-initialize the setup

wizard after you complete the setup: -Dcom.fortify.ssc.forceInit

OpenText™ Fortify Software Security Center (24.2.0)

Page 180 of 459

User Guide

Chapter 7: Additional Installation-Related Tasks

Note: If your Fortify Software Security Center instance appears to be stuck in maintenance

mode, try one of the possible solutions described in "If Fortify Software Security Center is

Stuck in Maintenance Mode" below.

To facilitate server maintenance, you can pause job execution, which allows running jobs to

finish but prevents new jobs from executing. For details, see "Pausing and Resuming Job

Execution" on the next page.

If Fortify Software Security Center is Stuck in Maintenance Mode

Fortify Software Security Center goes into maintenance mode when it is placed there from the

Administration view (see "Placing Fortify Software Security Center in Maintenance Mode" on

page 179), or it cannot locate the version.propertie s in the fortify.home\ssc\conf

directory.

If your Fortify Software Security Center instance is stuck in maintenance mode, try one of the

following:

l

Reconfigure Fortify Software Security Center. For instructions, see "Configuring Fortify

Software Security Center for the First Time" on page 68.

l

Navigate to the fortify.home\ssc\confdirectory and, in the version.propertiesfile,

set maintenance.modeto false.

l

Restore the missing files from the fortify.home\ssc\confdirectory.

Note: The datasource.propertiesfile and some database fields contain encrypted

entries that rely on the secret.keyfile. So, if you are moving your Fortify Software

Security Center instance from one computer to another, you must also move the

secret.keyfile (not just your database files).

OpenText™ Fortify Software Security Center (24.2.0)

Page 181 of 459

User Guide

Chapter 7: Additional Installation-Related Tasks

Pausing and Resuming Job Execution

If, for any reason, you need to shut down the server, you can temporarily pause user activity and

disable the running of new jobs for all users in the system, while allowing Fortify Software

Security Center to just finish jobs in progress. This helps to ensure that no data are corrupted or

lost when the server is shut down.

To pause job execution on the server:

1. Log in to Fortify Software Security Center as an administrator, and then, on the OpenText

header, select Administration.

2. In the left pane, select Configuration, and then select Maintenance.

3. On the Maintenance page, select the Pause job execution check box, and then click SAVE.

Immediately after you save the setting:

Important! To prevent the queuing up of a large number of jobs, Fortify recommends

that you avoid leaving this setting enabled for long periods of time. After you pause job

execution, make sure that you allow time for queued jobs to process completely before

you shut down the server.

l

All jobs in progress are allowed to complete.

l

All new jobs that users subsequently submit are queued for running later, after the

Pause jobs execution check box is cleared.

l

Fortify Software Security Center displays a banner to notify users that job execution has

been paused.

4. After you next start the server, return to the Maintenance page, clear the Pause job

execution check box, and then click SAVE.

About Fortify Software Security Content

Fortify products use a knowledge base of rules to enforce secure coding standards applicable to

the codebase for analysis. Fortify software security content consists of Fortify Secure Coding

Rulepacks (Rulepacks) and external metadata:

OpenText™ Fortify Software Security Center (24.2.0)

Page 182 of 459

User Guide

Chapter 7: Additional Installation-Related Tasks

l

Rulepacks describe general secure coding idioms for popular languages and public APIs.

You can write custom rules that add to the functionality of Fortify analyzers and Rulepacks.

For example, you might need to enforce proprietary security guidelines or analyze an

application that uses third-party libraries or other pre-compiled binaries that are not already

covered by the Secure Coding Rulepacks. For instructions on how to write custom rules, see

the Fortify Static Code Analyzer Custom Rules Guide (available only with the Fortify Static

Code Analyzer product download).

For information on how to manage Rulepacks, see:

l

"Updating Rulepacks from the Fortify Update Server" below

l

"Importing Security Content" on page 185

l

"Deleting Rulepacks" on page 185

l

"Exporting Rulepacks" on the next page

l

"Seeding the Database with Report Seed Bundles Delivered with Quarterly Security

Content Releases" on page 197

l

External metadata provides mappings from the Fortify vulnerability categories to alternative

categories (such as CWE, OWASP Top 10, and PCI).

Fortify recommends that you not modify the external metadata.xmlfile. If you do, your

changes are overwritten whenever your Rulepacks are updated quarterly. (See "Seeding the

Database with Report Seed Bundles Delivered with Quarterly Security Content Releases" on

page 197 .) You can, however, create a customexternalmetadata.xm l file in which you can

create new, and extend existing, mappings. You can map Fortify issues to different

taxonomies, such as internal application security standards or additional compliance

obligations. This custom file is left undisturbed when you update your security content. For

instructions on how to create your own custom rules or custom external metadata, see the

Fortify Static Code Analyzer Custom Rules Guide.

The schema for external metadata mappings is located in

fortify.home\Core\config\schemas\externalmetadata.xsd.

For information on how to manage your external metadata, see:

l

"Extending a Current Mapping" on page 186

l

"Creating a New Mapping" on page 187

Note: It is important that you work with the newest Rulepacks available. Fortify

recommends that you periodically update your security content.

Updating Rulepacks from the Fortify Update Server

It is important that you work with the newest Rulepacks available. If you want to make sure that

you have the latest Rulepack, you can import it from the Fortify server.

Note: You can use the Fortify Software Security Center proxy to update Rulepacks, if the

Fortify update server is behind it. For information about how to set up a consolidated proxy

OpenText™ Fortify Software Security Center (24.2.0)

Page 183 of 459

User Guide

Chapter 7: Additional Installation-Related Tasks

for Fortify Software Security Center, see "Configuring a Proxy for Fortify Software Security

Center Integrations" on page 128.

To import the latest Rulepacks:

1. Log in to Fortify Software Security Center as an administrator or security lead, and then, on

the OpenText header, select Administration.

2. In the left pane, under Metrics & Tracking, select Rulepacks.

3. On the Rulepacks page, click UPDATE FROM SERVER.

Fortify Software Security Center displays information about what the Rulepack update

involves, and prompts you to indicate whether you want to continue.

4. To continue with the download, click OK.

After the update is complete, Fortify Software Security Center displays a list of any

imported rules.

5. Click CLOSE.

See Also

"Deleting Rulepacks" on the next page

"Seeding the Database with Report Seed Bundles Delivered with Quarterly Security Content

Releases" on page 197

"Exporting Rulepacks" below

"Importing Security Content" on the next page

Exporting Rulepacks

You can, if necessary, move Rulepacks between one Fortify Software Security Center instance

and another instance, or between Fortify Software Security Center and Fortify Audit

Workbench.

Export Rulepacks with the same file names used to import them, including the file extension

(.binor .xml).

To export a Rulepack:

1. Log in to Fortify Software Security Center as an administrator or security lead.

On the OpenText header, click Administration.

2. In the left pane, under Metrics & Tracking, select Rulepacks.

3. On the Rulepacks page, select the check boxes for the Rulepacks you want to export, and

then click EXPORT.

Note: If a Rulepack that you select has multiple versions, only the latest version is

exported.

OpenText™ Fortify Software Security Center (24.2.0)

Page 184 of 459

User Guide

Chapter 7: Additional Installation-Related Tasks

See Also

"Importing Security Content" below

"Deleting Rulepacks" below

Importing Security Content

You can import security content, including custom Rulepacks created using the Fortify Custom

Rules Editor, extended mapping files, and custom mapping files so that they are available to

Fortify Static Code Analyzer and Fortify Audit Workbench.

To import security content:

1. Log in to Fortify Software Security Center as an administrator or security lead.

On the OpenText header, click Administration.

2. In the left pane, under Metrics & Tracking, select Rulepacks.

3. On the Rulepacks page, select IMPORT.

4. In the IMPORT RULEPACK dialog box, click + ADD FILES.

5. In the File Upload dialog box, navigate to and select the file(s) to upload.

Note: If you upload an FPR file to that contains an extended mapping, and that mapping is

not present on the server, Fortify Software Security Center displays a processing warning.

"Deleting Rulepacks" below

Deleting Rulepacks

You can remove old Rulepacks from Fortify Software Security Center.

To delete Rulepacks:

1. Log in to Fortify Software Security Center as an administrator or security lead.

On the OpenText header, click Administration.

2. In the left pane, under Metrics & Tracking, select Rulepacks.

3. On the Rulepacks page, select the check boxes for the Rulepacks to delete, and then click

DELETE.

Fortify Software Security Center prompts you to verify that you want to delete the selected

Rulepack(s) and, if the system contains multiple versions of the Rulepack, all of the versions

it includes are deleted.

4. Click OK.

OpenText™ Fortify Software Security Center (24.2.0)

Page 185 of 459

User Guide

Chapter 7: Additional Installation-Related Tasks

Fortify Software Security Center displays a message to indicate whether the deletion was

successful.

5. If the deletion fails, click more to open the DETAILS window and find out what caused the

failure.

See Also

"Exporting Rulepacks" on page 184

"Importing Security Content" on the previous page

"Updating Rulepacks from the Fortify Update Server" on page 183

Extending a Current Mapping

You can extend the mappings that Fortify Software Security Center delivers with the external

metadata, or create new mappings. If you do, keep the following in mind:

l

You can only add new mappings.

l

You cannot overwrite existing mappings.

To extend the current mapping, use the following format:

Important! After you extend your mapping file, you must upload it to Fortify Software

Security Center. For instructions, see "Importing Security Content" on the previous page.

If you upload an FPR file that contains an extended mapping, and that mapping is not

present on the server, Fortify Software Security Center displays a processing warning.

"About Fortify Software Security Content" on page 182

OpenText™ Fortify Software Security Center (24.2.0)

Page 186 of 459

User Guide

Chapter 7: Additional Installation-Related Tasks

Creating a New Mapping

You can use <ExternalList>to create a custom_metadata.xmlfile, as follows:

Important! After you create your custom mapping file, you must upload it to Fortify

Software Security Center. For instructions, see "Importing Security Content" on page 185.

If you upload an FPR file that contains a custom mapping, and that mapping is not present

on the server, Fortify Software Security Center displays a processing warning.

"About Fortify Software Security Content" on page 182

OpenText™ Fortify Software Security Center (24.2.0)

Page 187 of 459

Chapter 8: Upgrading Fortify Software Security

Center

To perform a direct upgrade to the latest Fortify Software Security Center version, you must

have one of the last three versions installed. For example, to upgrade to version 24.2.x, you

must have version 22.2.x, 23.1.x, or 23.2.x installed. If you have version 22.1.x or earlier

installed, you must first upgrade to version 22.2.x, 23.1.x, or 23.2.x before you can migrate to

version 24.2.x.

The following table shows the upgrade path required to upgrade to Fortify Software Security

Center 24.2.0.

Upgrade Paths for

Fortify Software Security Center Versions

22.1.x (or earlier) > 22.2.x > 23.1.x > 24.2.x

22.2.x > 24.2.x (direct)

23.1.x > 24.2.x (direct)

23.2.x > 24.2.x (direct)

Note: Fortify Software Security Center version 24.2.x needs Java 17. If an earlier version

has Java 11, you must upgrade to Java version 17 before you upgrade to Fortify Software

Security Center version 24.2.x.

If you cannot directly upgrade your current Fortify Software Security Center version to the

latest version, see the version-specific Fortify Software Security Center documentation for

instructions on how to upgrade to the previous release (or the release immediately before that).

Important! Full ScanCentral SAST-related functionality in Fortify Software Security Center

requires updated ScanCentral Controller and sensors. If you do not need sensor metrics, you

can use existing sensors. You can use existing ScanCentral clients without limiting

functionality.

You must upgrade the ScanCentral Controller before you upgrade the ScanCentral sensors

and clients, and before you upgrade the Fortify Software Security Center server. For

information about how to upgrade ScanCentral Components, see the OpenText™ Fortify

ScanCentral Installation, Configuration, and Usage Guide.

OpenText™ Fortify Software Security Center (24.2.0)

Page 188 of 459

User Guide

Chapter 8: Upgrading Fortify Software Security Center

Fortify Software Security Center Database Upgrade Tasks

Upgrade the Fortify Software Security Center database by performing the tasks described in the

following table in the order listed.

Task

Description

1

2

Stop Tomcat Server.

Delete the SSC folder and the SSC WAR file from the <tomcat>/webapps

directory.

4

5

6

Copy the new WAR file to the <tomcat>/webappsdirectory.

Start Tomcat Server.

Open a browser and enter your Fortify Software Security Center URL to start

Fortify Software Security Center in initialization mode. (See "Configuring

Fortify Software Security Center After an Upgrade" on page 191 .)

7

8

Use the Setup wizard to generate the migration SQL script. (See "Configuring

Fortify Software Security Center After an Upgrade" on page 191 .)

Run the migration script on your database. (See "Preparing to Run the

Database Upgrade Script" on the next page.)

Note: Databases that contain over 1 TB of data might take five or more

hours to migrate.

Important! (Microsoft SQL databases only) After you migrate Fortify

Software Security Center to a new SQL database version and back up

and restore the database, make sure that you change the compatibility

level (from SQL Server Management Studio) to reflect the SQL engine

that currently hosts the Fortify Software Security Center database.

9

Use the Setup wizard to reseed the database.

Restart Tomcat Server.

10

11

Bug tracker plugins are not included in the ssc.warfile. After you upgrade

and start Fortify Software Security Center, be sure to disable and remove old

bug tracker plugins, and then install new plugins from the current

distribution file. For more information, see "About Bug Tracker Integration"

on page 164.

OpenText™ Fortify Software Security Center (24.2.0)

Page 189 of 459

User Guide

Chapter 8: Upgrading Fortify Software Security Center

Preparing to Upgrade the Fortify Software Security Center

Database

The Fortify Software Security Center database migration process creates larger transactions

than those created during regular use. For Fortify Software Security Center databases that have

been successfully run in production environments, database migration does not typically require

changes to your database configuration or resources. For large databases, Fortify recommends

that you review and, if necessary, increase the database resources and settings required to

accommodate the migration process.

If you are upgrading to Fortify Software Security Center version 23.2.0 or later, you need to be

aware that during migration the scan_issuetable type of id column will be changed from

INT to BIGINT on MySQL and SQL Server databases to avoid reaching the maximum 32b

integer limit.

If you have already applied the recommended workaround for SQL Server to reset the identity

value on the scan_issuetable to a negative number with DBCC CHECKIDENT(scan_

issue, reseed, -2147483648), then you must perform an additional manual migration

step. Reset the identity value back to a positive number after the migration to 23.2.0. The reset

is achieved by running query: DBCC CHECKIDENT(scan_issue, RESEED). The user

running the query must be either an owner of the schema that contains the table or must have

sysadmin, db_owner, or db_ddladmin fixed database role.

If you are upgrading a MySQL database, see "Setting the Innodb Buffer Pool Size when

Upgrading a MySQL Server Database" below .

Setting the Innodb Buffer Pool Size when Upgrading a MySQL Server Database

If you are upgrading a MySQL database, Fortify recommends that you set the innodb_buffer_

pool_sizevariable to at least 2.5 GB. After the upgrade, revert to your previous setting.

For information about how to configure MySQL for use with Fortify Software Security Center,

see "Configuring a MySQL Database" on page 61.

Preparing to Run the Database Upgrade Script

The Fortify Software Security Center database upgrade scripts require the same database

privileges that the database creation scripts require.

Before you run the database upgrade script, perform the following tasks:

l

Back up your existing Fortify Software Security Center database using your database client

tool.

l

Acquire the database account information that was used to create the existing Fortify

Software Security Center database. See "Database User Account Privileges" on page 59.

OpenText™ Fortify Software Security Center (24.2.0)

Page 190 of 459

User Guide

Chapter 8: Upgrading Fortify Software Security Center

Note: Databases that contain over 1 TB of data might take five or more hours to migrate.

Updating and Deploying the WAR File

To update the SSC WAR file:

1. Undeploy the currently deployed SSC WAR file. For instructions, see the documentation for

Tomcat Server.

2. Deploy the new SSC WAR file.

After you deploy the new WAR file, complete the configuration tasks on the Setup wizard steps

and in the Administration view. For information and instructions, see "Configuring Fortify

Software Security Center After an Upgrade" below and "Additional Fortify Software Security

Center Configuration" on page 78 .

Configuring Fortify Software Security Center After an

Upgrade

After you upgrade Fortify Software Security Center and go to your Fortify Software Security

Center URL in a browser window, the Setup wizard opens.

Note: The Setup wizard is available to administrators only, and only after the first

deployment of Fortify Software Security Center, after an upgrade, or after the server is

placed in maintenance mode (see "Placing Fortify Software Security Center in Maintenance

Mode" on page 179).

1. After you deploy a new version of the Fortify Software Security Center WAR file in Tomcat

Server, open a browser window and type your Fortify Software Security Center server URL.

OpenText™ Fortify Software Security Center (24.2.0)

Page 191 of 459

User Guide

Chapter 8: Upgrading Fortify Software Security Center

2.

3.

Go to the <fortify.home>/<app_context>directory, and open the init.tokenfile.

Copy the contents of the init.tokenfile to the clipboard.

4. In the upper right corner of the Fortify Software Security Center screen, click

ADMINISTRATORS.

OpenText™ Fortify Software Security Center (24.2.0)

Page 192 of 459

User Guide

Chapter 8: Upgrading Fortify Software Security Center

5.

Paste the string you copied from the init.tokenfile into the, and then click SIGN IN.

6. If you need to change any configuration settings on the CONFIGURATION or CORE

SETTINGS steps of the Fortify Software Security Center Setup wizard, you can do so using

the instructions provided in "Configuring Fortify Software Security Center for the First

Time" on page 68.

7. Click NEXT until you reach the DATABASE SETUP step.

8. On the DATABASE SETUP step, do the following:

a. In the DATABASE TYPE box, select the type that matches the Fortify Software

Security Center database type.

b. In the DATABASE USERNAME box, type the username for your Fortify Software

Security Center database. For more information, see "Database User Account

Privileges" on page 59.

c. In the DATABASE PASSWORD box, type the password for your Fortify Software

Security Center database.

d. In the JDBC URL box, type the URL for the Fortify Software Security Center database.

Caution! The database name (including letter case) in the JDBC URL must exactly

match your Fortify Software Security Center database name.

Note: The MariaDB JDBC driver is used to connect to the MySQL database server.

Any JDBC URL parameters must use MariaDB driver syntax.

Example of the correct collation parameter syntax:

jdbc:mysql://<host>:3306/<database_

name>?sessionVariables=collation_connection=<collation_name>

(Replace the parameter connectionCollation=<collation_name>with

sessionVariables=collation_connection=<collation_name>.)

e. To test the connection to your database, click TEST CONNECTION.

If the connection test fails, check the ssc.logfile

(<fortify.home>/<appcontext>/logsdirectory) to determine the cause.

f. After the Setup wizard indicates that the connection was successful, in the right pane,

read the warning and Instructions, and then click DOWNLOAD SCRIPT.

g.

Save and run the ssc-migration.sqlscript. (For instructions, see "About the Fortify

Software Security Center Database Tables and Schema" on page 65 .)

Note: Depending on the size of the source database, data migration may take

several hours to complete.

9.

After you run the ssc-migration.sqlscript, click NEXT.

10. On the DATABASE SEEDING step, do the following:

a. In the left pane, use BROWSE to locate and select your process seed bundle zip file, and

then click SEED DATABASE.

OpenText™ Fortify Software Security Center (24.2.0)

Page 193 of 459

User Guide

Chapter 8: Upgrading Fortify Software Security Center

b. Use BROWSE to locate and select your report seed bundle zip file, and then click SEED

DATABASE.

c. (Optional) Use BROWSE to locate and select your PCI basic seed bundle zip file, and

then click SEED DATABASE.

11. Click NEXT.

12. Click FINISH.

13. Restart Tomcat Server.

Tip: If you later find that you need to change any of the configuration settings, you can

place Fortify Software Security Center in maintenance mode, and then make any necessary

changes. For instructions on how to place Fortify Software Security Center in maintenance

mode, see "Placing Fortify Software Security Center in Maintenance Mode" on page 179.

Upgrading Fortify Static Code Analyzer from Fortify Audit

Workbench

A Fortify Audit Workbench user can check on the availability of new Fortify Static Code

Analyzer and and Fortify Apps and Tools versions from the Fortify Audit Workbench user

interface. If a version newer than the one installed is available, the user can download it and

upgrade the local instance. A Fortify Audit Workbench user can also configure Fortify Audit

Workbench to check for, download, and install new versions automatically at startup.

To enable this functionality for Fortify Audit Workbench users, a Fortify Software Security

Center administrator must first set up the auto upgrade capability on the Fortify Software

Security Center host machine.

For information about how to upgrade Fortify Static Code Analyzer and its associated tools

from Fortify Audit Workbench, see the OpenText™ Fortify Audit Workbench User Guide.

Workbench" below

Enabling Fortify Static Code Analyzer and Fortify Apps and Tools Upgrades

from Audit Workbench

To make new Fortify Static Code Analyzer and Fortify Apps and Tools installers available to

Audit Workbench users for upgrades:

1.

On the Fortify Software Security Center host, navigate to <ssc_install_dir>/WEB-

INF/internal, and then open the securityContext.xmlfile in a text editor.

2. Locate and uncomment the following line:

OpenText™ Fortify Software Security Center (24.2.0)

Page 194 of 459

User Guide

Chapter 8: Upgrading Fortify Software Security Center

<!-- <security:intercept-url pattern="/update-site/**"

access="PERM_ANONYMOUS"/> -->

3.

4.

Save and close the securityContext.xmlfile.

Copy the Fortify_SCA or Fortify_Apps_and_Tools installer files to the <ssc_install_

dir>/webapps/ssc/update-site/installersdirectory.

5.

In the <ssc_install_dir>/webapps/ssc/update-site/installersdirectory, create

an update.xml filefor the product that you want to update, as follows:

a. To enable Fortify Static Code Analyzer updates, use the following XML code:

<filename>Fortify_SCA_<version>_windows_x64.exe</filename>

<platform>windows-x64</platform>

</platformFile>

<filename>Fortify_SCA_<version>_linux_x64.run</filename>

<platform>linux-x64</platform>

</platformFile>

<filename>Fortify_SCA_<version>_osx_x64.app.zip</filename>

</platformFile>

</platformFileList>

<url>http://localhost:8080/update-site/installers/</url>

</downloadLocation>

</downloadLocationList>

</installerInformation>

b.

To enable Fortify Applications and Tools updates, create the update.xmlfile using the

following XML code:

<filename>Fortify_Apps_Tools_<version>_windows_x64.exe</filename>

<platform>windows-x64</platform>

</platformFile>

<filename>Fortify_Apps_Tools_<version>_linux_x64.run</filename>

<platform>linux-x64</platform>

</platformFile>

OpenText™ Fortify Software Security Center (24.2.0)

Page 195 of 459

User Guide

Chapter 8: Upgrading Fortify Software Security Center

<filename>Fortify_Apps_Tools_<version>_osx_x64.app.zip</filename>

</platformFile>

</platformFileList>

<url>http://localhost:8080/update-site/installers/</url>

</downloadLocation>

</downloadLocationList>

</installerInformation>

6. Restart Tomcat Server.

Audit Workbench users can now check for and install new Fortify Static Code Analyzer and

Fortify Applications and Tools versions.

Note: The BitRock InstallBuilder tool used for the auto upgrade functionality supports only

one Windows tag. If you have different versions of Windows, you must have corresponding

configuration files for those versions. For information about how to create the additional

configuration files, see the readme.txtfile located in the <ssc_install_dir>/update-

site/installersdirectory.

Updating the Fortify Audit Assistant Configuration

After upgrading your Fortify Software Security Center installation to version 23.2.0 or later, you

will need to configure it to work with Fortify Audit Assistant 23.2.0 or later. Fortify Audit

Assistant adds a second generation (G2) prediction engine and is required for use with Fortify

Software Security Center 23.2.0 or later.

To update the Fortify Software Security Center connection to Fortify Audit Assistant:

1. Create one or more G2 Prediction Policies. For more information, see "Defining Prediction

Policies" on page 360.

Note: You cannot use the Prediction Policies created with versions of Fortify Audit

Assistant earlier than 23.2.0. After you upgrade Fortify Software Security Center to

version 23.2.0 or later, first generation (G1) policies are no longer available. They were

removed during the upgrade. You must create new Prediction Policies that work with

the G2 engine.

2. On the OpenText header, click Administration.

3. In the left pane, click Configuration and then click Audit Assistant

The Audit Assistant page appears.

4. Select the Enable Audit Assistant check box.

5. Click the Refresh Policies button and then save the configuration.

OpenText™ Fortify Software Security Center (24.2.0)

Page 196 of 459

User Guide

Chapter 8: Upgrading Fortify Software Security Center

If Audit Assistant is correctly configured, the

AUDIT ASSISTANT REFRESH POLICIES window appears with the message: Refresh was

successful. All prediction policies in SSC are now consistent. Click OK.

6. In the Default prediction policy box, select a policy to use as the default. If you don't assign

a prediction policy to an application version, the default you select here will be used. Click

SAVE.

7. (Optional) Select the Enable specific application version policies check box if you would

like to be able to set prediction policies at the application-version level.

8. (Optional) Select the Enable auto-predict check box if you would like Fortify Audit

Assistant to automatically apply predictions to the unaudited issues in your project.

9. (Optional) Select the Enable auto-apply check box if you would like Fortify Audit Assistant

to automatically apply predicted values your custom tags.

Updating Expired Licenses

For information about how to obtain a Fortify license file, see the Fortify Software System

Requirements document.

To update an annual license that has expired:

1. Stop Tomcat Server.

2.

Place your downloaded fortify.licensefile in the <fortify.home> directory.

3. Restart Tomcat Server.

Quarterly Security Content Releases

OpenText Fortify notifies you when new security content is available for download. These

updates include Rulepacks and external metadata, and can also contain updated seed bundles.

Important! Updated external metadata files can include changes to mapping that reporting

depend on. If updated security content includes a new report seed bundle, make sure that

you update your rules and mapping before you run reports.

"About Fortify Software Security Content" on page 182

"Updating Rulepacks from the Fortify Update Server" on page 183

Seeding the Database with Report Seed Bundles Delivered with Quarterly

Security Content Releases

OpenText Fortify notifies you when new security content is available for download. To

determine whether this updated content includes a new seed bundle, check under the heading

OpenText™ Fortify Software Security Center (24.2.0)

Page 197 of 459

User Guide

Chapter 8: Upgrading Fortify Software Security Center

OpenText™ Security Fortify Premium Content in your notification document. That section

will have information about the existence of a new seed bundle. If a new seed bundle is included,

you can use it to re-seed your database. For more information about seed bundles and seeding

the database, see "About Seeding the Fortify Software Security Center Database" on page 65.

Note: Seeding the database blocks the creation of new application versions, and the

execution of report jobs and FPR processing jobs.

To seed the database with the report seed bundle from a quarterly security content release:

1. Download the updated security content, as follows:

a. Log on to the Customer Support Portal (https://www.microfocus.com/support).

b. In the left column, select PREMIUM CONTENT.

c. On the right, select FORTIFY EXCHANGE.

d. Select and download the latest report seed bundle.

2. Extract the contents of the seed bundle ZIP file.

3. In the left pane, select Configuration, and then select Seed Bundles.

4. On the Seed Bundles page, click BROWSE, and then navigate to and select the

ReportBundle.zipfile.

5. Click SEED BUNDLES.

Fortify Software Security Center displays a message to let you know the bundle upload was

successful.

OpenText™ Fortify Software Security Center (24.2.0)

Page 198 of 459

Part II: Using Fortify Software Security

Center

The following chapters provide information about how to use Fortify Software Security Center.

OpenText Fortify Software Security Center (24.2.0)

Page 199 of 459

Chapter 9: Using Fortify Software Security Center

Fortify Software Security Center is a browser-based product that provides a set of capabilities

across the software development life cycle to automate detection of security vulnerabilities in

applications. It helps your security and development teams work together to resolve security

flaws quickly and accurately by making correlated data from Fortify Static Code Analyzer,

Fortify ScanCentral DAST, Fortify ScanCentral SAST, Fortify WebInspect, and third-party tools

available through its collaborative online environment.

Topics covered in this section:

About the Central Role of Fortify Software Security Center

Security Management Workflow

User Accounts and Access

Active Directory/LDAP Integration

Logging in to Fortify Software Security Center for the First Time

Requesting Access to Fortify Software Security Center

Changing Your Password

Setting Preferences: System-Wide and Across Application Versions

About the Fortify Software Security Center Dashboard

Issue Stats Page

Exporting Data to Comma-Separated Values Files

Accessing the Fortify Software Security Center API Documentation

Viewing Fortify Software Security Center Keyboard Hotkeys

About the Central Role of Fortify Software Security Center

Fortify Software Security Center provides a location for collecting, correlating, auditing, and

exporting security analysis results. The Fortify Software Security Center server resides in a

central location and receives results from different security activities, such as static, dynamic,

and real-time analysis.

Fortify Software Security Center is designed to help you:

l

Identify and prioritize a baseline of existing vulnerabilities

l

Prevent new vulnerabilities from being introduced

l

Remediate existing vulnerabilities and lower the baseline

l

Ensure that your code is in compliance with internal and external security mandates

OpenText™ Fortify Software Security Center (24.2.0)

Page 200 of 459

User Guide

Chapter 9: Using Fortify Software Security Center

Fortify Software Security Center works within your organization to answer the following

questions:

l

How do we drive the adoption of good application security practices?

l

How do we get actionable results to development teams?

l

Do we measure application teams on a team-by-team basis or as a unit?

l

How do we track results over time?

Security Management Workflow

The following figure illustrates the flow of security management processes within Fortify

Software Security Center.

As development teams perform scans, they submit periodic scan results from a continuous

integration server into Fortify Software Security Center.

Security teams submit periodic results of a dynamic assessment into Fortify Software Security

Center.

Fortify Software Security Center correlates and tracks the scan results and assessment results

over time, and makes the information available to developers through Audit Workbench, or

through IDE plugins such as the Fortify Plugin for Eclipse, the Fortify Extension for Visual

Studio, and others.

OpenText™ Fortify Software Security Center (24.2.0)

Page 201 of 459

User Guide

Chapter 9: Using Fortify Software Security Center

Users can also push issues into defect tracking systems, including ALM, Jira, Azure DevOps

Server, and Bugzilla.

User Accounts and Access

Fortify Software Security Center supports two methods of authentication:

l

Local user accounts created within the interface

l

Active Directory/LDAP accounts associated with standard corporate authentication (Active

Directory/LDAP integration supports user assignment by group or organizational unit)

Topics covered in this section:

Active Directory/LDAP Integration

202

Logging in to Fortify Software Security Center for the First Time

Requesting Access to Fortify Software Security Center

Changing Your Password

Setting Preferences: System-Wide and Across Application Versions

Active Directory/LDAP Integration

Active Directory/LDAP integration enables Fortify Software Security Center to authorize users

based on their existing corporate credentials. In addition, assignment by group or organizational

unit enables Fortify Software Security Center to take advantage of the existing joiners/leavers

processes. A new person who joins a group automatically has access to Fortify Software Security

Center. A person who leaves a group automatically loses access.

The user who deploys Fortify Software Security Center must configure the integration with the

Active Directory/LDAP during installation. For detailed information, see "Configuring LDAP

Servers" on page 107.

See Also

"Registering LDAP Entities" on page 118

"Fortify Software Security Center User Account Management" on page 215

Logging in to Fortify Software Security Center for the First Time

To log in to Fortify Software Security Center, your Fortify Software Security Center

administrator must provide you with the URL for your instance, a username, and a password.

To log in to Fortify Software Security Center for the first time:

1. To make sure that you access the newest version of the Fortify Software Security Center

user interface, clear your web browser’s cache.

OpenText™ Fortify Software Security Center (24.2.0)

Page 202 of 459

User Guide

Chapter 9: Using Fortify Software Security Center

2. In a web browser, type the URL for your Fortify Software Security Center instance, as

follows:

l

If Fortify Software Security Center is configured to use secure HTTP protocol, type the

following URL:

https://<host_ip>:<port>/ssc/

where <port>represents the port number that Tomcat Server uses.

l

If Fortify Software Security Center is configured to use insecure HTTP protocol (not

recommended), type the following URL:

http://<host_ip>:<port>/ssc/

where <port>represents the port number that Tomcat Server uses.

3. In the Username and Password boxes, type the credentials that your administrator has

given you.

4. Click LOGIN.

5. If Fortify Software Security Center prompts you to change your password, do so. For

instructions, see "Changing Your Password" on page 205.

OpenText™ Fortify Software Security Center (24.2.0)

Page 203 of 459

User Guide

Chapter 9: Using Fortify Software Security Center

Requesting Access to Fortify Software Security Center

If you do not yet have a Fortify Software Security Center user account, or if you have forgotten

your user name or password, you can request assistance from the login page.

To request access to Fortify Software Security Center:

1. In a web browser, type the URL for your Fortify Software Security Center instance.

2. At the bottom of the Fortify Software Security Center screen, click Can’t access or need an

account?

Note: This link is available only if your Fortify Software Security Center administrator

has enabled email notification. (See "Configuring Email Alert Notification Settings" on

page 97.)

OpenText™ Fortify Software Security Center (24.2.0)

Page 204 of 459

User Guide

Chapter 9: Using Fortify Software Security Center

3. Provide the required information and click SEND.

Fortify Software Security Center sends your request to the Fortify Software Security Center

administrator.

Changing Your Password

The following procedure describes how to change your password. Note that you can only

change your password if you are logged on using a local account.

OpenText™ Fortify Software Security Center (24.2.0)

Page 205 of 459

User Guide

Chapter 9: Using Fortify Software Security Center

To change your password:

1. Log in to Fortify Software Security Center.

2. At the right end of the OpenText header, click the user profile icon, and then select Change

Password.

The SAVE button in the Change Password dialog box is enabled only after you type a

strong new password that does not include your username or common phrases (names,

movie or song titles, dates, or number or letter sequences). A combination of three or four

unrelated words like "myredhorsedance" can work well. After your password is evaluated as

strong, you can save it, and then log in.

3. Provide your old password, type a new one, and then confirm the new one.

4. If the password strength is acceptable, click SAVE.

OpenText™ Fortify Software Security Center (24.2.0)

Page 206 of 459

User Guide

Chapter 9: Using Fortify Software Security Center

Setting Preferences: System-Wide and Across Application Versions

You can configure preferences for behavior system-wide, and across application versions.

To set system-wide preferences:

1.

On the right side of the OpenText header, click the user profile icon , and then select

Preferences.

2. To set preferences to apply to the entire system, in the PREFERENCES dialog box, under

System-wide Preferences, do the following:

a. Select the check boxes for the features you want to enable or disable.

b. To apply the YYYY/MMDD date format instead of the default MM/DD/YYYY format,

select it from the Date format list.

c. To apply the 24 Hour time format instead of the default 12 hour AM/PM format, select

it from the Time format list.

d. To change the theme, select Light, Dark, or Automatic from the UI Theme list.

OpenText™ Fortify Software Security Center (24.2.0)

Page 207 of 459

User Guide

Chapter 9: Using Fortify Software Security Center

Note: If you apply the Automatic theme, your UI theme will be based on the

operating system or your browser theme.

3. To set preferences for all application versions, do the following:

Note: To override these settings for a specific application version, go to the

APPLICATION PROFILE dialog box for that application version.

a. To include suppressed issues in the issues list on the AUDIT page, select the Show

suppressed issues check box.

b. To include removed issues on the AUDIT page, select the Show removed issues check

box.

c. To include hidden issues on the AUDIT page, select the Show hidden issues check

box.

d. To display short file names in the issues list on the AUDIT page, select the Use short

file names check box.

4. Click SAVE.

About the Fortify Software Security Center Dashboard

After you log in to Fortify Software Security Center, the dashboard displays data for the

application versions to which you have access and that pose the highest potential business risk

to your organization.

Topics covered in this section:

Exporting Data to Comma-Separated Values Files

Accessing the Fortify Software Security Center API Documentation

Viewing Fortify Software Security Center Keyboard Hotkeys

Issue Stats Page

When you first log in to Fortify Software Security Center, the first thing you see is the ISSUE

STATS page of the Dashboard. This page shows summary information about issues for the

application versions that you can access, including the number of days that it is taking to review

and fix them. To provide a visual cue as to how quickly issues are being handled, the ISSUE

STATS page displays colored bars next to the values for the Average Days to Review and

Average Days to Remediate. A green bar indicates that issues are being managed quickly, a

red bar indicates that issue management is too slow, and an orange bar indicates that issue

management is somewhere between these two extremes.

Note: If you are an administrator or security lead, you can set the thresholds that determine

what users see when they review information on the Issue Stats page. For details, see

"Configuring Issue Stats Thresholds" on page 79.

OpenText™ Fortify Software Security Center (24.2.0)

Page 208 of 459

User Guide

Chapter 9: Using Fortify Software Security Center

If you click an application version listed in the table, Fortify Software Security Center takes you

directly to the AUDIT page for that application version. No filters are applied to the data.

The Dashboard provides three settings that you can use alone or in combination to refine the

summary data displayed.

Selecting a grouping attribute

To group your data based on a single application version attribute, select the attribute from the

Group by list. (The default grouping attribute is the application version.)

In addition to the grouping attribute you selected, the resulting data reflects any attributes you

have selected from the Aggregate by and Filter by lists.

Note: You can achieve finer control over the data displayed if your Group by list includes

custom attributes (of the single-select type). For instructions on how to create custom

attributes, see "Creating Custom Attributes" on page 231.

Selecting an aggregating attribute

OpenText™ Fortify Software Security Center (24.2.0)

Page 209 of 459

User Guide

Chapter 9: Using Fortify Software Security Center

To aggregate the data shown on the Dashboard based on a single application attribute, select

the attribute from the Aggregate by list. The Dashboard displays your data based on the

aggregating attribute, and any attributes you have selected from the Group by and Filter by

lists.

Note: You can achieve finer control over the data displayed if your Aggregate by list

includes custom attributes (of the single-select type). For instructions on how to create

custom attributes, see "Creating Custom Attributes" on page 231.

Selecting one or more filtering attributes

To selectively display data based on an application attributes, select an attribute from the Filter

by list. You can select multiple attributes, but you must select them one at a time.

The Dashboard displays your data based on the selected filter attributes, and any other

attributes you have selected from the Group by and Aggregate by lists.

Clearing selections from the custom attributes lists

To clear your attribute selection from a list, click the Clear all icon

.

You can export Fortify Software Security Center data displayed on the ISSUE STATS and AUDIT

pages to comma-separated values (CSV) files. For details, see "Exporting Data to Comma-

Separated Values Files" on the next page.

OpenText™ Fortify Software Security Center (24.2.0)

Page 210 of 459

User Guide

Chapter 9: Using Fortify Software Security Center

Exporting Data to Comma-Separated Values Files

You can export selected data for an application version or data for all Fortify Software Security

Center application versions to comma-separated values (CSV) files.

Exporting the Dashboard Summary Table

To export the summary table displayed on the Dashboard:

1. On the OpenText header, click Dashboard.

2. On the toolbar, click EXPORT.

Note: A missing EXPORT button indicates that your administrator has disabled this

functionality.

3. In the EXPORT CSV dialog box, in the File Name box, type the name for the file.

4. (Optional) In the Notes box, type information about the data you are exporting.

5. Click SAVE.

6. To view the exported result:

a. On the OpenText header, click Reports.

b. Click DATA EXPORTS.

c. Specify whether to save or open the file.

d. In the resulting table, move your cursor to the row for the exported file, and then click

the Download icon

.

To determine how long the system retains your CSV files before they are deleted, see the

instructions provided in "Configuring Job Scheduler Settings" on page 131.

Exporting Selected Data for an Application Version to a CSV File

To export data from the ISSUE STATS tab on the Dashboard or from the AUDIT page to a CSV

file:

1. (Optional) If you are exporting data from the Issue Stats page, you can select attributes to

aggregate or filter by. On the AUDIT page, you can select attributes to filter by.

Note: The EXPORT button is removed if you specify an attribute in the Group by on

either the ISSUE STATS page or the AUDIT page.

2. On the toolbar, click EXPORT.

Note: A missing EXPORT button indicates that your administrator has disabled this

functionality.

OpenText™ Fortify Software Security Center (24.2.0)

Page 211 of 459

User Guide

Chapter 9: Using Fortify Software Security Center

3. In the File Name box in the EXPORT CSV dialog box, type a name for the file.

4. (Optional) In the Notes box, type information about the data you are exporting.

5. Click SAVE.

6. To view the exported result:

a. Click Reports.

b. Click DATA EXPORTS.

c. In the resulting table, move your cursor to the row for the exported file, and then click

the Download icon

.

The CSV file is saved to your Downloads folder.

To determine how long the system retains your CSV files before they are deleted, see the

instructions provided in "Configuring Job Scheduler Settings" on page 131.

OpenText™ Fortify Software Security Center (24.2.0)

Page 212 of 459

User Guide

Chapter 9: Using Fortify Software Security Center

Accessing the Fortify Software Security Center API Documentation

To access the Fortify Software Security Center API Documentation:

1. On the OpenText header, click the help icon

.

2. In the About Fortify Software Security Center <version> box, click the API Documentation

link.

The FORTIFY SOFTWARE SECURITY CENTER API DOCUMENTATION VERSION <version>

web page opens.

Tip: It is also very useful to leverage a proxy such as the Chrome DevTools to intercept

Fortify Software Security Center traffic and determine the appropriate endpoint call(s) to

make to perform user interface actions.

OpenText™ Fortify Software Security Center (24.2.0)

Page 213 of 459

User Guide

Chapter 9: Using Fortify Software Security Center

Viewing Fortify Software Security Center Keyboard Hotkeys

To view the keyboard hotkeys used to navigate the Fortify Software Security Center user

interface:

1. Log in to Fortify Software Security Center.

2. Do one of the following:

l

At the right end of the OpenText header, click the user profile icon, and then select

Hotkeys.

l

Press the question mark key (?) on your keyboard.

OpenText™ Fortify Software Security Center (24.2.0)

Page 214 of 459

Chapter 10: Managing User Accounts

The topics in this chapter provide information about Fortify Software Security Center user

accounts and how to work with them.

Fortify Software Security Center User Account Management

As described in the secure deployment guidelines, the primary system administrator of a new

Fortify Software Security Center installation creates a non-default Administrator-level account,

and then deletes the default admin account. Use the non-default Fortify Software Security

Center administrator account to create additional Fortify Software Security Center user

accounts.

Fortify Software Security Center supports several default user roles. The following sections

provide information about each of these roles.

This section contains information about Fortify Software Security Center roles, user account

administration, how to register LDAP entities with Fortify Software Security Center, and how to

configure an integration with Microsoft Entra ID.

About Tracking Teams

As an administrator or security lead, you need access to information that enables you to track

and monitor your team’s progress and ensure that good application security practices are in

place and followed. Fortify Software Security Center provides a central point for guiding the

adoption of good security practices. By understanding how information is tracked and reported,

you can accurately measure development team progress based on application security

standards.

About Roles

Roles determine the actions a user can perform in Fortify Software Security Center.

For more fine-grained control over user access to Fortify Software Security Center functionality,

you can create custom roles and assign them permissions from the Fortify Software Security

Center interface. For instructions on how to create a role, see "Creating Custom Roles" on the

next page.

Pre-configured Roles

The following table lists the pre-configured roles you can assign to users in Software Security

Center. For information about how to view the permissions associated with each pre-configured

role, see "Viewing Permission Information for Fortify Software Security Center Roles" on

page 175 .

OpenText™ Fortify Software Security Center (24.2.0)

Page 215 of 459

User Guide

Chapter 10: Managing User Accounts

Role

Description

Administrator

Has full access to the system and all results

Performs tasks required to execute dynamic scan requests, including:

Application

Security Tester

l

View application versions

l

View and generate reports

l

Process dynamic scans

l

Upload scan results

l

Audit issues

Developer

Manager

Developer responsible for producing security results and taking action to

triage or remediate security issues

Responsible for guiding developers to work on results

Managers cannot create applications but can grant or revoke access to

their team members

Security Lead

View Only

Security team member who can create application versions and users

Can view results, but cannot interfere with the issue triage or the

remediation process.

Example users: system automation account or temporary auditor

WebInspect

Enterprise

System

Can connect a WebInspect Enterprise instance to Fortify Software

Security Center and retrieve issue audit information.

This role is intended for use only by a WebInspect Enterprise instance.

See Also

"About Roles" on the previous page

"Creating Custom Roles" below

Creating Custom Roles

You can define roles of your own and assign them permissions.

To define and configure permissions for a new role:

1. Log in to Fortify Software Security Center as an Administrator, and then, on the OpenText

header, click Administration.

OpenText™ Fortify Software Security Center (24.2.0)

Page 216 of 459

User Guide

Chapter 10: Managing User Accounts

2. In the left pane, select Users, and then select Roles.

3. On the Roles toolbar, click NEW.

4. In the CREATE NEW ROLE dialog box, provide the information described in the following

table.

Important! Except for a new line in the Description field, Name and Description field

values must not start with the characters =, -, +, or @, and must not include control

characters. For a complete list of Unicode characters included in the restricted ranges,

see https://www.aivosto.com/articles/control-characters.html.

Field

Description

Name

Role name

Description

(Optional, but recommended) Role description

Universal

access

To assign the new role access to all application versions, select this

check box.

Note: Fortify strongly recommends that you select universal access

only for administrator-level users.

5. To add permissions (specify the functional areas available to users in this role), click +ADD

PERMISSIONS.

6. In the ADD PERMISSIONS dialog box, scroll through the table and select the check boxes

that correspond to the permissions that you want to grant to the new role.

7. Click DONE.

If any of the permissions you selected requires additional permissions, these are listed next

to a warning sign

.

8. To add the listed dependencies to the new role, click ADD MISSING PERMISSIONS.

The CREATE NEW ROLE dialog box now lists the additional permissions (dependencies).

9. Click SAVE.

Tip: You can also use the ADD MISSING PERMISSIONS to add dependencies when you

edit a custom role.

Fortify Software Security Center checks permissions to guard against states that are known to

be incompatible. If the role and permissions you selected do not conflict, then you are returned

to the Roles page, which displays detailed information about the new role.

Deleting Custom Roles

If a custom role listed on the Roles page is assigned to no user accounts, you can delete that

role.

OpenText™ Fortify Software Security Center (24.2.0)

Page 217 of 459

User Guide

Chapter 10: Managing User Accounts

To delete a role:

1. Log in to Fortify Software Security Center as an Administrator or Security Lead, and then

click Administration.

2. In the left pane, select Users, and then select Roles.

3. In the table, select the check box for the custom roles you want to delete.

4. In the Roles toolbar, click DELETE.

Fortify Software Security Center prompts you to confirm that you want to delete the role.

5. Click OK.

See Also

"Creating Custom Roles" on page 216

Fortify Software Security Center Account Administration

Only users who have Administrator accounts can create new user accounts and edit information

for existing accounts. Use Administrator accounts to manage the Fortify Software Security

Center system. Fortify recommends that you create only the Administrator-level accounts

necessary to create and edit local or LDAP Fortify Software Security Center user accounts. The

Security Lead and lesser accounts can perform all other application-related activities.

Fortify Software Security Center permits the explicit addition of Administrator-level accounts to

application versions. This enables Administrator users to be assigned issues from the AUDIT

page.

Topics covered in this section:

Creating Local User Accounts

218

221

223

Editing Local User Accounts

Unlocking Local User Accounts

Viewing Externally Managed Users and Groups

Creating Local User Accounts

Fortify Software Security Center Administrator-level users can add new local user accounts to

the list of Fortify Software Security Center users.

Important! You cannot create externally managed users from Fortify Software Security

Center. These can only be provisioned using the SCIM API.

To create a Fortify Software Security Center user account:

1. Log in to Fortify Software Security Center as an Administrator, and then, in the OpenText

header, click Administration.

2. In the left pane, select Users, and then select Local Users.

OpenText™ Fortify Software Security Center (24.2.0)

Page 218 of 459

User Guide

Chapter 10: Managing User Accounts

The Local Users page lists local users.

3. In the Local Users toolbar, click +ADD.

4. In the CREATE NEW USER dialog box, provide the information listed in the following table.

Important! Values for fields in the following table marked with an asterisk (*) must not

start with the characters =, -, +, or @, and must not include control characters.

Field or

Check Box

*Username

*First Name

*Last Name

*Email

Description

Username for Fortify Software Security Center logon.

(Optional, but strongly recommended) First name of user.

(Optional, but strongly recommended) Last name of user.

(Optional) Email address of user.

Caution! Although an email address is not required, the user cannot

receive email alerts and notifications unless you provide one.

Password

Password for the new user.

The Password Strength indicator displays the relative strength of the

password you entered. You can save the user account information only if

the password is evaluated as strong or very strong.

Confirm

Password for the new user.

Password

User must

change

Leave this check box selected to require the user to change the

password at the next login to Fortify Software Security Center.

password at

next login

Password

Select this check box to allow the user to use the originally assigned

never expires password until he or she wants to change it.

To require the user to change his or her password every thirty days,

leave this check box cleared.

Suspended

Select this check box to suspend user access to Fortify Software Security

Center.

OpenText™ Fortify Software Security Center (24.2.0)

Page 219 of 459

User Guide

Chapter 10: Managing User Accounts

Field or

Check Box

Description

Roles

(Optional, but strongly recommended) Select the check boxes for all

roles to assign to the user.

Caution! Although this is optional, keep in mind that a user who has

no assigned role cannot access Fortify Software Security Center

unless that user belongs to a local group that does have an assigned

role.

Access

To specify the applications that the new user can access:

Note: If you have assigned the user the role of Administrator or

WebInspect Enterprise System, that user has universal access to all

Fortify Software Security Center applications.

a. To open the SELECT APPLICATION VERSION dialog, click ADD.

b. From the APPLICATION list, select an application to which you want

the user to have access.

The VERSIONS list in the center pane displays all active versions of

the selected application.

c. Select the check boxes for all versions that you want the user to be

able to access. To select all versions, select the Select all check box.

On the right, the SELECTED VERSIONS pane lists the versions you

selected.

d. To add another application version or versions, repeat steps a

through c.

e. Click DONE.

5. Do one of the following:

l

To save your settings and exit the CREATE NEW USER dialog box, click SAVE.

l

To save your settings and create another new user, click SAVE AND ADD ANOTHER.

Fortify Software Security Center adds the user account to the list of local users.

"Unlocking Local User Accounts" on page 223

OpenText™ Fortify Software Security Center (24.2.0)

Page 220 of 459

User Guide

Chapter 10: Managing User Accounts

Editing Local User Accounts

The following procedure describes how to edit the account for local user accounts created from

Fortify Software Security Center, as well as user accounts provisioned using the SCIM API.

To edit a local user account:

1. On the OpenText header, select Administration.

2. In the left pane, select Users, and then click Local Users.

3. To selectively view externally managed users (provisioned using the SCIM API), from the

User type menu, select SSO.

4. Locate the user account you want to edit, and then click the row to expand it and view

account details.

5. Click EDIT.

OpenText™ Fortify Software Security Center (24.2.0)

Page 221 of 459

User Guide

Chapter 10: Managing User Accounts

6. Make any required changes to values in the First Name, Last Name, and Email boxes.

Important! Values for the First Name, Last Name, and Email fields must not start

with the characters =, -, +, or @, and must not include control characters. For a

complete list of Unicode characters included in these restricted ranges, see

https://www.aivosto.com/articles/control-characters.html.

Important! From Fortify Software Security Center, the only changes you can make to

externally-managed user and group accounts are role and application version

assignments. All other configuration (and deletion) must be performed from Entra ID.

7. To change the email address password expiration policy, select or clear the check boxes

below the Email box, as needed.

8. To change the roles assigned to the user, in the Roles section, select or clear the check

boxes for available roles.

9. To remove the user from application versions, in the Access section, select the check boxes

for the application versions, and then click DELETE. To assign the user to different

application versions, click ADD, and then use the SELECT APPLICATION VERSION dialog

box to specify the application versions the user is to work on. (For details, see "Creating

Local User Accounts" on page 218.)

10. To change the password for the user, click CHANGE PASSWORD, and then use the

CHANGE PASSWORD dialog box to specify a new password. (If this is an externally

managed user, the CHANGE PASSWORD button is not available.)

11. Click SAVE.

"Creating Local User Accounts" on page 218

OpenText™ Fortify Software Security Center (24.2.0)

Page 222 of 459

User Guide

Chapter 10: Managing User Accounts

Unlocking Local User Accounts

After a local user tries unsuccessfully to log in to Fortify Software Security Center three times in

a row, Fortify Software Security Center prevents the user from attempting more logins. If email

notifications are enabled, the user receives an email to advise the user that he or she is locked

out and should notify the Fortify Software Security Center administrator. As an administrator,

you can unlock the account for the user.

Note: The locking and unlocking of user accounts does not apply to users provisioned

through the SCIM API.

After a user notifies you that they are locked out of their account, unlock the account as follows:

1. On the OpenText header, select Administration.

2. In the left pane, select Users, and then click Local Users.

3. Bring up the locked user account, expand the row to display account details, and then click

UNLOCK USER.

4. Fortify Software Security Center prompts you to confirm that you want to unlock the

account.

5. Click OK.

"Editing Local User Accounts" on page 221

Viewing Externally Managed Users and Groups

To view externally managed users provisioned using SCIM protocol:

1. Log in to Fortify Software Security Center as a local administrator.

2. On the OpenText header, click Administration.

3. In the left pane, select Users, and then select Local Users.

4. At the top of the Local Users page, from the User type list, select SSO.

Fortify Software Security Center lists the users provisioned using SCIM protocol. The

Externally managed user icon ( ) is displayed next to each username listed in the Local

Users table.

To see the groups pushed to Fortify Software Security Center from Entra ID:

1. Log in to Fortify Software Security Center as a local administrator.

2. In the OpenText header, select Administration, select Users, and then select Local

Groups.

OpenText™ Fortify Software Security Center (24.2.0)

Page 223 of 459

User Guide

Chapter 10: Managing User Accounts

Assigning Roles to Externally Managed Users and Groups

A user or member of a local group provisioned from an identity management service such as

Entra ID cannot access Fortify Software Security Center unless the group has been assigned one

or more roles, or the user is assigned a role individually from the Local Users page.

Note: From Fortify Software Security Center, the only changes you can make to externally-

managed user and group accounts are role and application version assignments. All other

configuration (and deletion) must be performed from Entra ID.

Assign roles to externally managed users and groups just as you would to local users created

through the Administration view.

"Enabling SCIM for Provisioning of Externally Managed Users and Groups" on page 128

"Using SCIM 2.0 and SAML 2.0 to Configure a Connection to Microsoft Entra ID for User

Provisioning" on page 125

"Configuring Fortify Software Security Center to Work with SAML 2.0-Compliant Single Sign-On"

on page 144

OpenText™ Fortify Software Security Center (24.2.0)

Page 224 of 459

Chapter 11: Applications and Application Versions

To obtain consistent measurement results in Fortify Software Security Center, you define an

application for a single code base. Fortify Software Security Center organizes the iterative

development and remediation of code bases into applications and application versions.

l

An application is a code base that serves as a container for one or more application versions.

If you are working with a new code base, you create a new Fortify Software Security Center

application. Fortify Software Security Center automatically creates the first version of that

application.

l

An application version is an instance of the application or code base that is to eventually be

deployed. It contains the data, auditing, and attributes for a particular version of the

application code base. If you are working with an existing code base, you create new

application versions rather than new applications.

An application version is the base unit for team tracking. It provides a destination for security

results that is useful for getting information in front of developers and producing reports and

performance indicators. Code analysis results for an application version are tracked as shown in

the following table.

Existing Analysis Results

+ New Scan Results

= Trending Results

Results of any previous security

analysis from Fortify Static Code

Analyzer, Fortify WebInspect, or

other analyzer

Merge with the existing

results (from the same

analyzer used to perform

this scan)

Identify security issues

that have been fixed,

and issues that remain.

Mark resolved issues

Identify new issues

Keep unchanged issues

Fortify Software Security Center analysis processing rules verify that the new scan is

comparable to the older scan.

This content provides information about applications and application versions. It contains

instructions for viewing and creating applications, configuring application attributes, assigning

issue templates, and more.

Topics covered in this section:

About Tracking Development Teams

About the Application Creation Process

227

OpenText™ Fortify Software Security Center (24.2.0)

Page 225 of 459

User Guide

Chapter 11: Applications and Application Versions

Strategies for Creating Application Versions

About Annotating Application Versions for Reporting

Viewing a List of Fortify Software Security Center Applications

About Creating Application Versions

Application Version Attributes

About Issue Templates

Creating the First Version of a New Application

Adding a New Version to an Application

Enabling Auto-Apply and Auto-Predict for an Application Version

Searching Applications and Application Versions from the Applications View

Updating the Application Overview Page

Editing Application Version Details

Configuring an Application Version to Opt-out of the Default Data Retention Policy

Using Bug Tracking Systems to Help Manage Security Vulnerabilities

Bug Tracker Configuration

Velocity Templates for Bug Filing

Assigning a Bug Tracking System to an Application Version

Submitting a Bug for a Single Issue

Submitting a Bug for Multiple Issues

Bug State Management

Changing the Template Associated with an Application Version

Setting Analysis Results Processing Rules for Application Versions

About Processing Rules that Affect Instance ID Migration

Configuring Audit Assistant Options for an Application Version

Custom Tags

Adding Custom Tags to the System

Modifying Custom Tag Attributes

Globally Hiding Custom Tags

Deleting Custom Tags

Adding Custom Tag Values

Editing Custom Tags

Deleting Custom Tag Values

OpenText™ Fortify Software Security Center (24.2.0)

Page 226 of 459

User Guide

Chapter 11: Applications and Application Versions

Associating Custom Tags with Issue Templates

Removing Custom Tags from Issue Templates

Assigning Custom Tags to Application Versions

Disassociating a Custom Tag from an Application Version

Managing Custom Tags Through Issue Templates

Managing Custom Tags Through an Issue Template in an FPR File

Enabling Data Retention

Editing the Default Data Retention Policy

About Deleting Application Versions

Deactivating Application Versions

Reactivating Application Versions

Deleting an Application Version

About Tracking Development Teams

As an administrator or security lead, you need access to information that enables you to track

and monitor your team’s progress and ensure that good application security practices are in

place and followed. Fortify Software Security Center provides a central point for guiding the

adoption of good security practices. By understanding how information is tracked and reported

through applications and applications versions, you can accurately assess development team

progress based on application security standards.

Topics covered in this section:

About the Application Creation Process

227

Strategies for Creating Application Versions

228

229

About Annotating Application Versions for Reporting

Viewing a List of Fortify Software Security Center Applications

About the Application Creation Process

After you log in to Fortify Software Security Center and start to add a new application, the

CREATE NEW APPLICATION VERSION wizard displays a sequence of steps, each of which

presents the team members responsible for creating the application version with one or more

strategic choices. After the team agrees upon and makes their selections, the security lead can

click FINISH to complete the creation process.

OpenText™ Fortify Software Security Center (24.2.0)

Page 227 of 459

User Guide

Chapter 11: Applications and Application Versions

Typically, the security team evaluates and decides on all the options before they actually start

to create the application version. The following sections describe the options displayed on the

wizard screens.

See Also

"Template Selection" on page 239

"Creating the First Version of a New Application" on page 239

"Adding a New Version to an Application" on page 242

Strategies for Creating Application Versions

As a Security Lead, you might choose to create an application version that allows you to track

vulnerabilities within deployed applications. Security vulnerabilities often occur in areas of code

where different components come together. Although teams may work on different

components, it is a good practice to track the entire software component as one piece. As an

example, suppose that a text manipulation library is safe on its own, and a file access library is

safe on its own. The combination of the text manipulation library and file access library is not

necessarily safe, because one may not know the origin of the text being processed.

Strategies for Packaged Software

For software that ships or is deployed as a concrete version, you might use the following

strategies:

l

If you are creating a brand new application, start a new application version.

l

Create a single application version for each release. For example, the Security Lead or

Development Manager may deactivate past versions in Software Security Center to archive

results and remove them from view. For information about how to deactivate an application

version, see "Deactivating Application Versions" on page 285.

Note: Although a deactivated application version is hidden from view, it still exists in the

database. Deleting all versions of an application deletes the application from the

database altogether.

l

If you are working on an existing application with an evolving code base, create an

application version based on an existing version. For example, Application A has several

versions. Each new version is initiated based on the results of the previous version. Each

successive version is just evolved code (versus a complete rewrite).

Strategies for Continuous Deployment

For applications that use continual deployment, running scans with the -build-label xxxx

flag enables you to identify which source control checkout was scanned (where xxxxrepresents

OpenText™ Fortify Software Security Center (24.2.0)

Page 228 of 459

User Guide

Chapter 11: Applications and Application Versions

the ID from your version control system). Relating scans to source control checkout improves

your ability to determine when individual issues were introduced and remediated.

About Annotating Application Versions for Reporting

Fortify Software Security Center provides a set of application attributes that you can apply to

individual application versions. You can use these attributes to group application versions for

reporting, or to associate application versions with external systems.

Administrators can customize the base set of application attributes that Fortify Software

Security Center provides. Sample customizations can help organizations track onboarding

progress by application ID, line of business, business unit, or regulatory compliance obligations.

Viewing a List of Fortify Software Security Center Applications

To view a list of all Fortify Software Security Center applications:

l

On the OpenText header, click Applications.

About Creating Application Versions

You can create a new Fortify Software Security Center application version for an entirely new

application or create one for existing application version. The following topics provide

instructions for each method:

"About the Application Creation Process" on page 227

"Creating the First Version of a New Application" on page 239

"Adding a New Version to an Application" on page 242

Application Version Attributes

Application versions have business attributes, technical attributes, and organization attributes.

These attributes are metadata that Fortify Software Security Center uses to perform

cross-application comparisons and reporting.

When you create a new application version, the CREATE NEW VERSION wizard guides you

through the selection of required and optional technical, organization, business, and Scancentral

DAST application attributes. The application version cannot be finished until you select values

for all required attributes. For example, to create an application version, you must specify values

for the following attributes:

l

Development phase

l

Development strategy

OpenText™ Fortify Software Security Center (24.2.0)

Page 229 of 459

User Guide

Chapter 11: Applications and Application Versions

l

Accessibility

In addition to the default attributes that Fortify Software Security Center provides,

Administrators and Security Leads can create custom attributes to assign to application

versions. Custom attributes are extremely useful when you need to focus on a highly specific

subset of data. For instructions on how to create custom attributes, see "Creating Custom

Attributes" on the next page.

The following tables list the default set of attributes for Fortify Software Security Center

applications. Note that this list does not include custom attributes that a Fortify Software

Security Center administrator may have added to the system. Attributes marked with an

asterisk are required.

Technical Attribute

Description

*Development Phase

Current phase of development the application

version is in.

*Development Strategy

Staffing strategy used for application

development

*Accessibility

Level of access required to use the application

Application Type

Nature of the code base (library, application, or

application component)

Target Deployment Platform

Interfaces

Deployment platform for the application

Interfaces used to access the application

Languages used to develop the application

Development Languages

Authentication System

System used to authenticate users who try to

access to the application

Organization Attributes

Business Unit

Business unit for which the application is to be

developed or business unit to develop the

application

Industry

Region

Industry for which the application is to be

developed

Geographical location of the development team

OpenText™ Fortify Software Security Center (24.2.0)

Page 230 of 459

User Guide

Chapter 11: Applications and Application Versions

Business Risk Attributes

Business Risk

Relative risk (high, medium, or low) the

application poses to the business goals of the

organization

Known Compliance Obligations

All known compliance obligations that the

application must meet

Data Classification

Types data to be stored by this application

Direct consumers of the application

Application Classification

ScanCentral DAST Attributes

Base URL

URL prefix that all pages in your application start

with. Useful in establishing relative pathways.

Creating Custom Attributes

Fortify Software Security Center comes with technical, organization, and business attributes

that enable administrators and security leads to categorize applications and application

versions. As an administrator or a security lead, you can create your own custom attributes that

can be set for application versions.

Note: You can create custom attributes only if you have either an Administrator or Security

Lead user account.

To create an attribute:

1. Log in to Fortify Software Security Center as an administrator or a security lead.

2. On the OpenText header, click Administration.

3. In the left pane, under Templates, click Attributes.

The Attributes page lists the attributes on the right.

4. Click NEW.

OpenText™ Fortify Software Security Center (24.2.0)

Page 231 of 459

User Guide

Chapter 11: Applications and Application Versions

5. In the CREATE NEW ATTRIBUTE dialog box, provide the information described in the

following table.

Field

Description

Name

Type a descriptive name for the attribute.

Important! If you delete an attribute that Fortify Software Security

Center uses out-of-the-box, and you then create a new attribute

with the same name, database migration may fail.

Description

Type a brief description.

The description is displayed under the attribute field in the CREATE

NEW APPLICATION VERSION wizard.

Required

Hidden

Select this check box to require users to set the attribute that you are

defining here when they create an application template.

Select this check box to prevent the new attribute from being displayed

in the CREATE NEW APPLICATION VERSION wizard.

Caution! If you select Hidden to prevent the attribute from showing

in the CREATE NEW APPLICATION VERSION wizard, you must also

OpenText™ Fortify Software Security Center (24.2.0)

Page 232 of 459

User Guide

Chapter 11: Applications and Application Versions

Field

Description

clear the Required check box.

Category

Select an attribute type. Depending on the category you select, the

attribute is displayed on the Business Attributes step, the Technical

Attributes step, or the Organization Attributes step of the CREATE

NEW APPLICATION VERSION wizard.

Type

Select one of the following control types:

l

To create a text field into which a user can type a single line of text,

select Text - Single Line.

l

To create a list from which a user can select only a single value for the

attribute, select List of Values - Single Selection.

Note: If you create a single-select type attribute, users can select

it from the Group by and Aggregate by lists on the Dashboard

to customize the data they view.

l

To create a list from which a user can select multiple values for the

attribute, select List of Values - Multiple Selection.

l

To create a text field into which a user can type multiple lines of text,

select Text - Multiple Lines.

Note: If you select one of the List of Values types, additional

fields are displayed in which you add the values and their

descriptions, and specify whether or not they are hidden.

l

To create a check box for the attribute, select Boolean.

l

To create a field that accepts an integer value, select Integer.

l

To create a calendar selection control for the attribute, select Date.

Note: This type is not available for a Dynamic Scan Request

attribute.

l

To create a file upload field, select File.

l

To create a file upload control in the Dynamic Scan Request dialog

box, select File.

6. Click SAVE.

OpenText™ Fortify Software Security Center (24.2.0)

Page 233 of 459

User Guide

Chapter 11: Applications and Application Versions

The new attribute is available the next time a user uses the CREATE NEW APPLICATION

VERSION wizard.

For instructions on how to specify custom attributes in existing application versions, see

"Specifying New Custom Attributes for Application Versions" on page 236.

Note: By default, an attribute you create through the Fortify Software Security Center user

interface is deletable. You can use the Fortify Software Security Center API to define a non-

deletable attribute. For information about how to access the API see "Accessing the Fortify

Software Security Center API Documentation" on page 213.

"Application Version Attributes" on page 229

Deleting Attributes and Attribute Values

If an attribute or attribute value is no longer of use, you can often delete it from the Fortify

Software Security Center database, event if it is currently associated with one or more

application versions. Doing so removes all traces of the attribute or attribute value from the

system.

Deleting Attributes

To delete an attribute from the Fortify Software Security Center database:

1. On the OpenText header, select Administration.

2. In the left pane, expand the Templates section, and then select Attributes.

If an attribute can be deleted, the check box to the left of its name is blue. If it cannot be

deleted, the check box to the left of its name is gray, and you cannot select it for deletion.

OpenText™ Fortify Software Security Center (24.2.0)

Page 234 of 459

User Guide

Chapter 11: Applications and Application Versions

To see an explanation of why you cannot delete an attribute, move your cursor over the

check box. (The attribute is either system-defined and non-deletable, or it is user-defined

and has been modified so that it cannot be deleted.)

3. Select the check boxes for the attributes you want to delete, and then click DELETE.

Fortify Software Security Center alerts you to the fact that the selected attributes will be

permanently removed from the system and prompts you to confirm that you want to

continue with the deletion.

4. Click OK.

Note: By default, an attribute you create through the Fortify Software Security Center user

interface is deletable. You can use the Fortify Software Security Center API to define a non-

deletable attribute. For information about how to access the API see "Accessing the Fortify

Software Security Center API Documentation" on page 213 .

Deleting Attribute Values

To delete an attribute value:

1. On the OpenText header, select Administration.

2. In the left pane, expand the Templates section, and then select Attributes.

3. Expand the row for the attribute that has one or more values that you want to delete.

OpenText™ Fortify Software Security Center (24.2.0)

Page 235 of 459

User Guide

Chapter 11: Applications and Application Versions

The In Use column shows which of the values are currently used with one or more

application versions.

4. Click EDIT.

Fortify Software Security Center displays a warning to remind you that any changes you

make can affect application versions with values based on the attribute, and prompts you

to confirm that you want to edit the attribute.

5. Click OK.

6.

Click the trash icon ( ) to the right of the value you want to delete.

Note: You can delete some attribute values, even if they are currently in use by one or

more application versions. However, you cannot delete:

- Values for system-defined list-type attributes that are in use

- Values for system-defined attributes other than list type

- Values that are both in use and that belong to a dynamic scan type attribute

- Values for user-defined attributes designated as non-deletable that are in use

Fortify Software Security Center removes the value without prompting you for

confirmation. If you decide that you prefer not to delete the value, just click CANCEL to

restore it.

Specifying New Custom Attributes for Application Versions

To apply a new custom attribute to an application version:

OpenText™ Fortify Software Security Center (24.2.0)

Page 236 of 459

User Guide

Chapter 11: Applications and Application Versions

1. On the OpenText header, select Applications.

2. In the Applications view, expand the row for the application and then select the version for

which you want to specify a new attribute.

Fortify Software Security Center displays the AUDIT page for that version.

3. On the application version toolbar, click PROFILE.

The APPLICATION PROFILE - <application_name> <application_version> window opens to

the ADVANCED OPTIONS section.

4. Click APPLICATION SETTINGS.

5. In the Version Settings section, click the edit icon.

6. On Step 1. GENERAL of the EDIT VERSION wizard, click NEXT.

7. On Step 2. DEFINE ATTRIBUTES AND RISK, select the attribute category (Technical

Attributes, Organization Attributes, or Business Risk Attributes), and then select the

value or values for the custom attribute.

8. Navigate to Step 4 of the wizard, and then click FINISH.

"Editing Application Version Details" on page 249

About Issue Templates

Applications are defined by issue templates, which determine how Fortify Software Security

Center configures and prioritizes the issues uncovered in your application source code.

An issue template contains the following settings:

l

Folder filters—Controls how issues are sorted into the folders

l

Visibility filters—Controls which issues are shown and hidden

l

Folder properties—Name, color, and which filter set it is active in

l

Custom tags—Specifies which audit fields are displayed and the values for each

Fortify Software Security Center comes with pre-designed issue templates that you can either

use as they are, or modify (from Fortify Audit Workbench) to suit your application needs.

To see descriptions of these out-of-the-box issue templates:

1. On the OpenText header, select Administration.

2. In the left pane, select Templates, and then select Issue.

The Issue page lists the issue templates and their descriptions.

You can import a Fortify Software Security Center issue template into Fortify Audit Workbench,

modify it, save it with a new name, and then import it into Fortify Software Security Center. You

can also create a new issue template from scratch in Fortify Audit Workbench.

OpenText™ Fortify Software Security Center (24.2.0)

Page 237 of 459

User Guide

Chapter 11: Applications and Application Versions

Note: When editing or creating filter sets and folders in Fortify Audit Workbench, be aware

that the search modifiers used by Fortify Audit Workbench and Fortify Software Security

Center may produce different results. Not all searches, filters, or folders based on search

expressions will produce the same results. For example, if your search expression contains

external metadata categories such as OWASP or CWE, your results might not match

because the expressions may differ on Fortify Software Security Center and Fortify Audit

Workbench. When there are multiple matched external categories, Fortify Software Security

Center matches any of them, but Fortify Audit Workbench expects an exact match of all

external categories. If you encounter this issue when editing or creating issue templates for

use in Fortify Software Security Center, contact Customer Support for assistance.

For instructions on how to modify or create an issue template in Fortify Audit Workbench, see

the Fortify Audit Workbench User Guide.

Adding Issue Templates to the System

To add an issue template that you created or modified in Fortify Audit Workbench to Fortify

Software Security Center:

1. Log in to Fortify Software Security Center as an administrator.

2. On the OpenText header, click Administration.

3. In the pane on the left, select Templates, and then select Issue.

Fortify Software Security Center lists the system issue templates in a table to the right.

4. Click NEW.

5. In the Name box in the CREATE NEW ISSUE TEMPLATE dialog box, type the template

name.

6. (Optional) in the Description box, type a description that lets users know how to use the

template.

7. Click BROWSE, and then locate and select the new or modified template.

8. Click SAVE.

Creating or Modifying Issue Templates

If you use Fortify Audit Workbench to create a new issue template or modify an existing

template, you must make sure that the template includes the following filter:

For information about how to create or modify issue templates and upload them to Fortify

Software Security Center, see the Fortify Audit Workbench User Guide.

OpenText™ Fortify Software Security Center (24.2.0)

Page 238 of 459

User Guide

Chapter 11: Applications and Application Versions

Template Selection

Fortify Software Security Center issue templates provide Fortify client and server products an

optimal means of categorizing, summarizing, and reporting application data. Issue templates

also enable the use of customized application settings at the enterprise level and not just at the

application level.

Although you can change the issue template for an application after you finish creating the

application, your security team must carefully consider its choice of template before completing

the application creation process.

Creating the First Version of a New Application

A Fortify Software Security Center application version consists of the data and attributes for a

given variant of the application code base. The following procedure describes how to create the

first version of a new application.

To create a new application:

1. Log in to Fortify Software Security Center as either an Administrator or a Security Lead.

2. On the toolbar, click + NEW APPLICATION VERSION.

3. On the GENERAL tab of the CREATE NEW APPLICATION VERSION wizard provide the

information described in the following table.

Important! Values for fields in the following table marked with an asterisk (*) must not

start with the characters =, -, +, or @, and must not include control characters. For a

complete list of Unicode characters included in these restricted ranges, see

https://www.aivosto.com/articles/control-characters.html.

Field

Description

Application Setup

*Application

name

(Required) Type the application name.

Application

description

(Optional)Type a description of the new application.

Version Setup

*Version name

(Required) Type a name for the version.

Version

description

(Optional) Type information about this first version of the

application.

OpenText™ Fortify Software Security Center (24.2.0)

Page 239 of 459

User Guide

Chapter 11: Applications and Application Versions

Field

Description

Use existing

application

version

a. To use the settings of an existing application version, select this

check box. Otherwise, proceed to step 4.

b. To open the SELECT APPLICATION VERSION dialog box, click

BROWSE.

c. Under APPLICATION, type a string into the search box, and then

click FIND to refine the list of applications, and then select the

application that has the settings you want to use for the new

application.

The VERSIONS pane on the right lists the active versions of the

selected application.

d. To include inactive versions of the application, select the Show

inactive check box.

e. Select the check box for the version you want, and then click

DONE.

By default, Fortify Software Security Center includes all settings

of the selected application version.

f. To exclude one or more settings, clear the corresponding check

boxes for the settings.

g. To copy over all of the issues associated with the selected

application version, select the Application state check box.

4. Click NEXT to advance to the ATTRIBUTES settings.

5. On the TECHNICAL ATTRIBUTES tab, provide the information described in the following

table.

Field

Description

Development Phase

Development Strategy

Select New.

Select the strategy used to develop the application

version.

Accessibility

Select the value that specifies how the application is to

be accessed.

OpenText™ Fortify Software Security Center (24.2.0)

Page 240 of 459

User Guide

Chapter 11: Applications and Application Versions

Field

Description

Select the application type.

Application Type

Target Deployment Platform Select the target deployment platform.

Interfaces

Select the check boxes for the interfaces available to

access the application.

Development Languages

Authentication System

Select the check boxes for the languages used to

develop the application version.

Select the check boxes for the authentication systems

used to access the application.

6. (Optional) Click the ORGANIZATION ATTRIBUTES tab, and then make the following

selections:

l

From the Business Unit list, select the business unit with which to associate the new

application.

l

From the Industry list, select the industry for which this application is being developed.

l

From the Region list, select the region to associate with the application.

7. (Optional) Click the BUSINESS RISK ATTRIBUTES tab, and then do the following:

a. From the Business Risk list, select the value that best represents the relative risk that

this new application poses to the business goals of your organization.

b. In the Known Compliance Obligations section, select the check boxes for all known

compliance obligations that apply to the new application.

c. In the Data Classification section, select the check boxes for all data classifications

that this application stores.

d. In the Application Classification section, select the check boxes for all consumer types

for which this application is being developed.

8. (Optional) Click the SCANCENTRAL DAST ATTRIBUTES tab if you are using Fortify

ScanCentral DASTand do the following:

a. Enter the Base URL to set the prefix for all of the pages in your application.

To advance to the TEMPLATE settings, click NEXT.

9. Under Issue Template, select the check box for a template to set the minimum thresholds

for issue detection. To see a description of a template in the pane to the right, select its

check box.

10. To advance to the ACCESS tab, click NEXT.

OpenText™ Fortify Software Security Center (24.2.0)

Page 241 of 459

User Guide

Chapter 11: Applications and Application Versions

11. a. To assign a user from the Fortify Software Security Center database, leave LOCAL

selected.

b. Select the check box for the team member or members you want to assign.

Note: To find a specific user, type a user name into the Search by user name box, and

then click FIND.

Alternatively,

a. To assign a user from the LDAP directory (if LDAP authentication is configured for

your Fortify Software Security Center server), click LDAP, and then, from the View by

list, select the attribute to use to display LDAP entities.

b. Select the check box for the team member or members to assign.

Note: To find a specific user, type a username into the Search by user name box, and

then click FIND.

12. Click SAVE.

Fortify Software Security Center indicates that the application was successfully created.

The new application version is now displayed in the Applications view. Once data are

uploaded for the application version, it is also displayed in the Dashboard view.

13. Click CLOSE.

Note: A new application is not listed on the Dashboard until you upload analysis results

(artifacts) for it. However, it is listed in the Applications view. For information about how to

upload artifacts for an application version, see "Uploading Scan Artifacts" on page 309.

Adding a New Version to an Application

A version consists of the data and attributes for a given variant of the application code base.

The following procedure describes how to create a new version of an existing application.

To create a new version of an existing application:

1. Log in to Fortify Software Security Center as either an Administrator or Security Lead.

2. From the Dashboard, click + NEW APPLICATION VERSION.

3. On the GENERAL tab of the CREATE NEW APPLICATION VERSION wizard, under

Application Setup, do the following:

a. Select the Add to existing application check box.

b. Click BROWSE, and then, in the SELECT APPLICATION dialog box, locate and select

the application for which you want to create a new version.

c. Click DONE.

OpenText™ Fortify Software Security Center (24.2.0)

Page 242 of 459

User Guide

Chapter 11: Applications and Application Versions

The Application name and Application description fields are populated with the name

and description of the selected application.

4. In the Version Setup section, provide the information described in the following table.

Field

Description

Version name Type a name for the version or select a version name from the list.

Important! Values for fields in the following table marked with an

asterisk (*) must not start with the characters =, -, +, or @, and must

not include control characters. For a complete list of Unicode

characters included in these restricted ranges, see

https://www.aivosto.com/articles/control-characters.html.

Version

description

(Optional) Type descriptive information about this version of the

application.

Use existing

application

version

a. To use the settings of an existing application version, select this

check box. Otherwise, click NEXT to proceed to the ATTRIBUTES

tab.

b. To open the SELECT APPLICATION VERSION dialog box, click

BROWSE.

c. Locate and select the application that has the settings you want to

use for the new version.

The VERSIONS pane on the right lists the active versions of the

selected application. (To display inactive versions, select the Show

inactive check box.)

d. From the VERSIONS list, select the check box for the version you

want, and then click DONE.

By default, Fortify Software Security Center includes all settings of

the selected application version.

e. To exclude some of the settings, clear one or more of the following

check boxes:

o

Version attributes

o

Custom tags

o

Analysis processing rules

o

User access settings

OpenText™ Fortify Software Security Center (24.2.0)

Page 243 of 459

User Guide

Chapter 11: Applications and Application Versions

Field

Description

o

Bug tracker integration settings

f. To copy over all of the issues associated with the selected

application version, select the Application state check box.

5. To proceed to the ATTRIBUTES settings, click NEXT.

6. On the TECHNICAL ATTRIBUTES tab, provide the information described in the following

table.

Field

Description

Development Phase

From this list, select the current development phase of the new

version.

Development Strategy Select the strategy used to develop the new application

version.

Accessibility

Select the value that specifies how the application is to be

accessed.

Application Type

Select the application type.

Target Deployment

Platform

Select the target deployment platform.

Interfaces

Select the check boxes for the interfaces available to access

the application.

Development

Languages

Select the check boxes for the languages used to develop the

application version.

Authentication System Select the check boxes for the authentication systems used to

access the application.

7. (Optional) Select the ORGANIZATION ATTRIBUTES tab, and then provide the

information described in the following table.

Field

Description

Business Unit

Select the business unit for which the application version is

being developed.

OpenText™ Fortify Software Security Center (24.2.0)

Page 244 of 459

User Guide

Chapter 11: Applications and Application Versions

Field

Description

Industry

Select the industry sector to which the application version

applies.

Region

Select the region for which the application version is being

developed.

8. (Optional) Select the BUSINESS RISK ATTRIBUTES tab.

9. From the Business Risk list, select the value that best represents the risk this application

version poses to your organization.

10. Provide the information described in the following table.

Field

Description

Known Compliance

Obligations

Select the check boxes for all of the known compliance

obligations that the application version must meet.

Data Classification

Select the check boxes for all of the data classifications

that apply to the application version.

Application Classification

Select the check boxes for all of the application

classifications that apply to this application version.

11. (Optional) Click the SCANCENTRAL DAST ATTRIBUTES tab if you are using Fortify

ScanCentral DASTand do the following:

a. Enter the Base URL to set the prefix for all of the pages in your application.

12. To advance to the template setting, click NEXT.

13. Under Issue Template, select the check box for a template to set the minimum thresholds

for issue detection. To see a description of a template displayed in the pane to the right,

select its check box.

Note: The default template is Prioritized High Risk Issue Template.

14. To advance to the ACCESS tab, click NEXT.

15. Under TEAM, do one of the following:

Note: A user in the administrator role already has full access to all applications. You

cannot assign the user to a team unless the user has also been assigned another role.

This is true whether the Administrator is a local user or an LDAP user.

l

To assign a user from the Fortify Software Security Center database, select LOCAL, and

then select the check boxes for the team member or members you want to assign.

OpenText™ Fortify Software Security Center (24.2.0)

Page 245 of 459

User Guide

Chapter 11: Applications and Application Versions

Note: To find a specific user, type a user name into the Search by user name box, and

then click FIND.

l

Or, if LDAP authentication is configured for your Fortify Software Security Center server:

a. Click LDAP, and then, from the View By list, select the attribute to use to display

LDAP entities.

b. Select the check box for the team member or members you want to assign.

Note: To find a specific user, type a username into the Search by user name box, and

then click FIND.

16. Click SAVE.

Fortify Software Security Center indicates that the version was successfully created and

adds the new application version to the application versions list.

17. Click CLOSE.

Enabling Auto-Apply and Auto-Predict for an Application Version

If your administrator has configured Fortify Audit Assistant, enabled auto-apply system-wide,

and mapped the appropriate primary tag fields in the Custom Tags section of the

Administration view, you can enable auto-apply for a specific application version.

If you enable auto-apply for an application version, then whenever you use Fortify Audit

Assistant to request a prediction on your static analysis issues, Fortify Software Security Center

applies those predictions to your custom tag values.

When Fortify Audit Assistant automatically applies custom tag values to issues, the metadata

saved for the issue shows that it was audited by Fortify Audit Assistant. A gray gavel displayed

next to the custom tag name enables users to see that Fortify Audit Assistant predicted the

issue.

To enable auto-apply for an application version:

1. From the Fortify dashboard, select the link for the application version for which you want to

enable auto-apply.

The AUDIT page lists the issues associated with the application version.

2. On the page header, click PROFILE.

OpenText™ Fortify Software Security Center (24.2.0)

Page 246 of 459

User Guide

Chapter 11: Applications and Application Versions

3. Select AUDIT ASSISTANT OPTIONS.

OpenText™ Fortify Software Security Center (24.2.0)

Page 247 of 459

User Guide

Chapter 11: Applications and Application Versions

4. To have Fortify Audit Assistant automatically assess unaudited issues, select the Enable

auto-predict check box. (For information on auto-prediction, see "About Audit Assistant

Auto-Prediction " on page 87.)

5. Select the Enable auto-apply check box.

If your primary tag values are not mapped to Audit Assistant, Fortify Software Security

Center displays a warning to that effect and advises you to contact your administrator.

6. Click APPLY.

7. Fortify Software Security Center prompts you to confirm that you want to save your

settings.

8. Click OK.

9. Click CLOSE.

Searching Applications and Application Versions from the

Applications View

To search for a specific application or application version from the Applications view:

1. In the Search Apps and Versions box above the Applications table, type at least part of

the application name or version name for the application or version you want to find.

2. Click Find.

The Applications table lists all application versions that match your search string.

3. To return to the complete Applications table, clear the text in the search box.

Updating the Application Overview Page

If an application version has pending audit information, its Overview page heading displays the

"more information" icon

.

To recalculate the metrics for the application:

l

Click the icon, and then, in the Refresh application metrics dialog, click Refresh now.

The metrics refresh may take some time, depending on current system activity. After the refresh

is complete, the Overview page displays the latest data for the application.

OpenText™ Fortify Software Security Center (24.2.0)

Page 248 of 459

User Guide

Chapter 11: Applications and Application Versions

Note: Metrics are also refreshed automatically according to the system schedule.

Editing Application Version Details

To edit the details of an application version:

1. On the OpenText header, click Applications.

2. In the Applications table, select the application version to edit.

3.

To the right of the application name on the AUDIT page, click the edit icon .

4. In the EDIT VERSION: <version> window, click a tab to edit values in any of the fields

described in "Adding a New Version to an Application" on page 242.

5. After you make your changes, click SAVE.

"Configuring an Application Version to Opt-out of the Default Data Retention Policy" below

Configuring an Application Version to Opt-out of the Default Data Retention

Policy

If you enable Data Retention Policy across all application versions and select the Allow

application versions to opt-out of the default policy option, you can configure individual

application versions to opt-out of the default Data Retention Policy.

To opt-out of the default Data Retention Policy:

1. Login to Fortify Software Security Center and then click the Applications tab.

2. In the Applications table, select the application version to opt-out of the default Data

Retention Policy.

3.

To the right of the application name on the AUDIT page, click the edit icon .

4. In the EDIT VERSION window, click the Policies tab.

5. Under DATA RETENTION POLICY, change the value of the Data Retention Policy to

Follow to None (Opt-out of Default).

6. Click SAVE.

See Also

"About Data Retention" on page 280

OpenText™ Fortify Software Security Center (24.2.0)

Page 249 of 459

User Guide

Chapter 11: Applications and Application Versions

Using Bug Tracking Systems to Help Manage

Security Vulnerabilities

Developers fixing software defects often use a bug tracking system to help manage their

workload. Security vulnerabilities are a type of bug, and getting vulnerability information into

the bug tracking system helps developers take appropriate remediation measures, in line with

other development activities. The result is more security awareness and faster remediation of

security issues.

From Software Security Center, you can map to any of several bug tracking systems, so that

your development team can file bugs into the bug tracking system you already use.

When a developer files a bug, Software Security Center populates bug tickets with the following

basic vulnerability information:

l

Details that describe the type of issue uncovered

l

Remediation guidance, with instructions on the action to take

l

A link back to Software Security Center for complete issue details

Topics covered in this section:

Bug Tracker Configuration

Velocity Templates for Bug Filing

Assigning a Bug Tracking System to an Application Version

Submitting a Bug for a Single Issue

Submitting a Bug for Multiple Issues

Bug State Management

Bug Tracker Configuration

To enable a team to access and use a bug tracking system from Fortify Software Security

Center, a security lead or development manager must configure Fortify Software Security

Center to connect to a bug tracker instance. Either the developer or security lead can then

submit bugs to address important security issues.

If you are a security lead or development manager, you can enable team access to your bug

tracking system as follows:

1. Edit the application version details.

2. Configure the bug tracker.

"Managing Bug Tracker Plugins" on page 166

"Authoring Bug Tracker Plugins" on page 437

OpenText™ Fortify Software Security Center (24.2.0)

Page 250 of 459

User Guide

Chapter 11: Applications and Application Versions

Velocity Templates for Bug Filing

Text-based fields for filing bugs in Fortify Software Security Center can be associated with

Apache Velocity templates that reference issue data. When you submit a bug for one or more

issues, the content for the mapped fields is generated using the corresponding template and

data from the issues.

Fortify Software Security Center provides pre-defined templates for the summary and

description fields of the supported bug tracker plugins that ship with Fortify Software Security

Center. You can edit these pre-defined templates or add templates that map other text-based

fields that the plugin provides.

This section contains the following topics:

"Adding Velocity Templates to Bug Tracker Plugins" below

"Customizing Velocity Templates for Bug Tracker Plugins" on the next page

"Deleting Velocity Templates" on page 253

Adding Velocity Templates to Bug Tracker Plugins

Fortify Software Security Center provides pre-defined templates for the summary and

description fields of the supported bug tracker plugins that ship with Fortify Software Security

Center. You can edit these templates or add templates that map other text-based fields that the

plugin provides.

Important! Before you add a new template or edit an existing one, make sure that you

review the pre-defined templates carefully to understand how to correctly reference

variables within the template.

As you create (or edit) a template, keep the following in mind:

l

To avoid runtime errors, Fortify strongly recommends that you validate variables in your

template before you render them. (See the pre-defined templates for examples of how to use

a macro.)

l

Use conditionals if you want to render content differently for a single-issue bug (as opposed

to a bug that includes multiple issues).

To add a Velocity template to a bug tracker plugin:

1. On the OpenText header, select Administration.

2. In the left pane, select Templates, and then select Bug Filing Templates.

The Bug Filing page lists the template groups for supported bug trackers.

3. In the table, click the row that shows the template group for your bug tracker plugin.

The row expands to display details for the pre-defined templates mapped to the

description and summary fields for the plugin.

4. Click EDIT.

OpenText™ Fortify Software Security Center (24.2.0)

Page 251 of 459

User Guide

Chapter 11: Applications and Application Versions

5. Click + ADD FIELD.

6. In the Mapped field box in the ADD TEMPLATE dialog box, type the name of the field to

map, as it appears in the bug tracker plugin dialog box. (Note that you can map only text-

based fields.)

7. In the Template box, type your Velocity Template Language (VTL) statement for the

mapping.

For information about format the VTL statement, click the Editing tips link. To access full

instructions on how to write the statement, click the Velocity User Guide link. This takes

you to the Apache Velocity Project website. To see a list of all available variables, click

SHOW VARIABLES .)

Note: Not all variables are available for all issues. In particular, verbose content

such as “ATTRIBUTE_COMMENTS,” “ISSUE_DETAIL,” and “ISSUE_

RECOMMENDATION” is available only if you are filing a bug for a single issue.

8. Click APPLY.

9. To add another template, repeat steps 5 through 8.

10. Click SAVE.

On the Bug Filing page, the details for the bug tracking plugin now include your new template.

"Customizing Velocity Templates for Bug Tracker Plugins" below

"Bug Tracker Configuration" on page 250

"Deleting Velocity Templates" on the next page

Customizing Velocity Templates for Bug Tracker Plugins

To customize the Velocity template for a bug tracker plugin:

1. On the OpenText header, select Administration.

2. In the left pane, select Templates, and then select Bug Filing Templates.

3. In the table on the right, click the template group for the bug tracker plugin you use.

The row expands to display details for the pre-configured Velocity templates that are

mapped to the description and summary fields that the plugin provides.

4. Click EDIT.

5. To the right of the mapped field you want to modify, click the Edit field icon.

OpenText™ Fortify Software Security Center (24.2.0)

Page 252 of 459

User Guide

Chapter 11: Applications and Application Versions

6. To see useful tips on how to edit the template, click Editing tips. To access detailed

instructions on how to modify the template, click the Velocity User Guide link. This takes

you to the Apache Velocity Project website. To see a list of all available variables, click

SHOW VARIABLES .

7. Make any necessary changes to the content in the Mapped field and Template boxes.

8. Click APPLY.

9. Click SAVE.

The details displayed for the bug tracker plugin now include your changes.

See Also

"Deleting Velocity Templates" below

"Velocity Templates for Bug Filing" on page 251

"Adding Velocity Templates to Bug Tracker Plugins" on page 251

Deleting Velocity Templates

If a bug tracker plugin is not associated with any application versions, you can delete its

associated template group.

OpenText™ Fortify Software Security Center (24.2.0)

Page 253 of 459

User Guide

Chapter 11: Applications and Application Versions

To delete the templates group associated with a bug tracker plugin:

1. On the Fortify header, select Administration.

2. In the left pane, select Templates, and then select Bug Filing Templates.

3. In the list of template groups, click the name of your bug tracker plugin.

The row expands to display details for the pre-configured templates mapped to the

description and summary fields that the plugin provides.

4. Click DELETE.

Fortify Software Security Center prompts you to confirm that you want to delete the

template group.

Caution! Fortify strongly recommends that you not delete the pre-defined template

groups.

5. To continue with the deletion click OK.

The Bug Filing page no longer lists the velocity templates for the bug tracker plugin.

"Adding Velocity Templates to Bug Tracker Plugins" on page 251

"Customizing Velocity Templates for Bug Tracker Plugins" on page 252

Assigning a Bug Tracking System to an Application Version

Use the following procedure to assign a bug tracking system to an application version. Before

you can do this, the bug tracker plugin must already be in the system. For information about

how to add a bug tracker to Fortify Software Security Center, see "Managing Bug Tracker

Plugins" on page 166.

To integrate with a bug tracking system:

1. On the OpenText header, click Applications.

2. In the Applications table, click the application version to which you want to assign a bug

tracker.

The AUDIT page for the selected application version lists the issues with the version.

3. At the upper right, click PROFILE.

4. In the APPLICATION PROFILE - <Application_Name><Application_Version> dialog box,

click the BUG TRACKER tab.

OpenText™ Fortify Software Security Center (24.2.0)

Page 254 of 459

User Guide

Chapter 11: Applications and Application Versions

5. From the Bug Tracker Integration list, select the application to use for tracking bugs for

this application version.

6. Complete the required fields, and then click VALIDATE CONNECTION.

7. In the TEST BUG TRACKER PLUGIN CONFIGURATION dialog box, type your bug tracker

authentication credentials, and then click TEST.

After Fortify Software Security Center verifies your connection to your bug tracker, it

displays a message to indicate that the test was successful.

8. Click OK.

You can enable bug state management for the application version. With bug state

management enabled, Fortify Software Security Center can update bugs as the states of

the issues within those bugs change.

9. (Optional) To enable bug state management, select the Bug state management check

box.

10. In the Username and Password boxes, provide the credentials for your bug tracker, and

then click APPLY.

The SUCCESS dialog box advises you that bug configuration was successful.

11. Click OK.

12. Click CLOSE.

See Also

OpenText™ Fortify Software Security Center (24.2.0)

Page 255 of 459

User Guide

Chapter 11: Applications and Application Versions

"About Bug Tracker Integration" on page 164

"Managing Bug Tracker Plugins" on page 166

"Submitting a Bug for Multiple Issues" on the next page

"Authoring Bug Tracker Plugins" on page 437

Submitting a Bug for a Single Issue

If a bug tracking plugin is specified for an application version (see "Assigning a Bug Tracking

System to an Application Version" on page 254), you can use that bug tracker to submit bugs

that cover one or multiple issues.

To submit a bug for a single issue:

1. From the AUDIT page for an application version, expand the row for an issue for which you

want to submit a bug.

2. Click FILE BUG.

Note: If the FILE BUG button is not available, a bug tracker may not have been

assigned to the application version. (To address this, see "Managing Bug Tracker

Plugins" on page 166 and "Assigning a Bug Tracking System to an Application Version"

on page 254 .)

Note too, that if a bug is already submitted for the issue, you cannot submit a new bug

against it.

3. In the FILE ISSUES (1) dialog box, under Login, provide the username and password for the

bug tracker associated with this application version, and then click LOGIN.

Fortify Software Security Center retains your credentials for the duration of your work

session so you do not have to provide them to file additional bugs during that session.

The Login section displays the fields for the bug tracker specified for the application

version.

4. Provide input for all fields required for the bug tracker, and then click SUBMIT.

OpenText™ Fortify Software Security Center (24.2.0)

Page 256 of 459

User Guide

Chapter 11: Applications and Application Versions

After a successful submission, a bug icon is displayed for the issue in the Bug submitted

column of the issues table.

"Viewing Bugs Submitted for Issues" on page 354

Submitting a Bug for Multiple Issues

If a bug tracking plugin has been specified for an application version (see "Assigning a Bug

Tracking System to an Application Version" on page 254), you can submit bugs that cover one

or multiple issues. (For information about how to file a bug for just one issue, see "Submitting a

Bug for a Single Issue" on the previous page.)

To submit a single bug that covers multiple issues:

1. From the AUDIT page for an application version, select the check boxes for all issues that

you want to include in a bug, and then, above the issues table, click the File Bug icon

.

Note: If, after you select check boxes, the File Bug icon is not visible, you first need to

set up a bug tracker for the application version. (See "Assigning a Bug Tracking System

to an Application Version" on page 254.)

Note: If a bug was previously submitted for a selected issue, you cannot submit a new

bug against that issue. The FILE ISSUES dialog box displays the message, "Some

selected issues have already been filed and will be ignored," and displays a bug icon

for the issue in the Previously Filed column.

2. In the FILE ISSUES dialog box , under Login, provide the username and password for the

bug tracker associated with this application version, and then click LOGIN.

OpenText™ Fortify Software Security Center (24.2.0)

Page 257 of 459

User Guide

Chapter 11: Applications and Application Versions

Fortify Software Security Center retains your credentials for the duration of your work

session so you do not have to provide them to file additional bugs during that session.

The Login section displays the fields for the bug tracker specified for the application

version.

3. Provide input for all required fields, and then click SUBMIT.

After a successful submission, a bug icon is displayed for the selected issues in the Bug

submitted column of the issues table.

"Viewing Bugs Submitted for Issues" on page 354

Bug State Management

Bug state management enables Fortify Software Security Center to make specific updates to

bugs as the states of the issues within those bugs change. Fortify Software Security Center

checks new security scans to determine whether filed bugs are to remain open, or can be closed.

If scan results indicate that one of more security issues associated with a previously submitted

bug persist (and match the selection criteria), Fortify Software Security Center checks the bug

tracking system to ensure that the bug is in a valid open state and, if necessary, reopens the

bug.

If all issues associated with a bug are removed (either because the issues were remediated or no

longer match the selection criteria), Fortify Software Security Center updates the bug to

indicate that stakeholders may resolve or close this ticket. To enable auditing and traceability,

Fortify Software Security Center does not automatically resolve or close bugs.

For instructions on how to enable bug state management for an application version, see

"Assigning a Bug Tracking System to an Application Version" on page 254.

Changing the Template Associated with an Application

Version

You can modify many settings for an existing application version, including its issue template.

However, keep in mind that assigning a different issue template to an application version or

updating an issue template on the server results in loss of synchronization between the

database cache and existing audit sessions.

Caution! Fortify recommends that you change the template associated with an application

version only if no results have yet been processed for that application version. If you change

the issue template for an application version for which results have already been processed,

Fortify Software Security Center does not recalculate the issue metrics and metrics

generated based on the previously assigned template are unavailable and cannot be

deleted.

OpenText™ Fortify Software Security Center (24.2.0)

Page 258 of 459

User Guide

Chapter 11: Applications and Application Versions

To change the template associated with an application version:

1. Log in to Fortify Software Security Center as either an Administrator or Security Lead.

2. From the Dashboard ISSUE STATS page, click the name of the application version you want

to modify.

3. On the application version toolbar of the AUDIT page, click PROFILE.

4. In the APPLICATION PROFILE <application_version> dialog box, click APPLICATION

SETTINGS.

5.

Under Version Settings, click the edit icon .

Caution! Changing the template can alter the metrics calculated for the application

version. Existing metrics will not be recalculated.

6. In the EDIT VERSION dialog box, click the TEMPLATE tab.

In the list of templates, the currently assigned template is marked as selected.

OpenText™ Fortify Software Security Center (24.2.0)

Page 259 of 459

User Guide

Chapter 11: Applications and Application Versions

7. Select the check box for the template you prefer to use for the application version.

8. Click SAVE.

After you change the template, Fortify Software Security Center invalidates any auditing

session of the affected application version (for example, by a different user) and displays an

error message to advise you that the application version audit session must be restarted.

Note: A Fortify Audit Workbench user auditing the affected application version does

not see this information.

Setting Analysis Results Processing Rules for Application

Versions

Analysis results processing rules enable management approval and oversight of code scans.

You can specify the rules to be followed when analysis results for an application version are

processed during scan artifact uploads.

To configure the analysis results processing rules for an application version:

1. Log in to Fortify Software Security Center as an administrator, and then, on the Dashboard,

click the link for the application version for which you want to configure the processing

rules for analysis results.

2. On the application version toolbar of the AUDIT page, click PROFILE.

3. In the APPLICATION PROFILE - <Application_Version> dialog box, select the PROCESSING

RULES tab, and then review the listed processing rules.

4. Select or clear the check boxes for the processing rules you want to apply to the application

version. These rules are described in the following table.

Rule

Description

Require approval if the Build Project is

different between scans

Fortify Software Security Center compares

the Build Project for the scan and the scan

that preceded it. If the Build Projects differ,

management approval is required before

the scan can be uploaded.

Check external metadata file versions in

scan against versions on server

If a user attempts to upload an FPR file,

Fortify Software Security Center compares

the external metadata version for the file

with the external metadata version on the

Fortify Software Security Center server. If

the external metadata version for the FPR

OpenText™ Fortify Software Security Center (24.2.0)

Page 260 of 459

User Guide

Chapter 11: Applications and Application Versions

Rule

Description

file is later (higher) than the external

metadata file version on the server, Fortify

Software Security Center requires approval

for the file upload. If the external metadata

version for the FPR file is earlier (lower)

than, or the same as, the external metadata

file version on the server, then Fortify

Software Security Center allows the FPR

file upload.

Require approval if file count differs by

more than 10%

Fortify Software Security Center compares

the file count for the scan and the scan that

preceded it. If the count differs by more

than ten percent, management approval is

required before the scan can be uploaded.

Perform Force Instance ID migration on

upload

A newer version of Fortify Static Code

Analyzer or of a Rulepack can change an

instance ID from one created in a previous

scan by an older version of Fortify Static

Code Analyzer (or a Rulepack). Both

instance IDs identify the same issue. When

enabled, this rule migrates old instance IDs

to the corresponding new instance IDs,

even if the Fortify Static Code Analyzer

version (or Rulepack) versions are the

same. For detailed information about how

this rule works, see "About Processing

Rules that Affect Instance ID Migration" on

page 265 .

Require approval if result has Fortify Java Fortify Software Security Center checks the

Annotations

results to determine whether they include

Fortify Java annotations. If Fortify Software

Security Center finds any of the

annotations, management approval is

required before the scan can be uploaded.

OpenText™ Fortify Software Security Center (24.2.0)

Page 261 of 459

User Guide

Chapter 11: Applications and Application Versions

Rule

Description

Require approval if line count differs by

more than 10%

Fortify Software Security Center compares

the line count for the scan and the scan

that preceded it. If the count differs by

more than ten percent, management

approval is required before the scan can be

uploaded.

Automatically perform Instance ID

migration on upload

A newer version of Fortify Static Code

Analyzer or of a Rulepack can change an

instance ID from one that was created in a

previous scan by an older version of Fortify

Static Code Analyzer or a Rulepack. Both

instance IDs identify the same issue. When

enabled, this rule automatically migrates

old instance IDs to the corresponding new

instance IDs to preserve the history of the

issues. (It is sometimes useful to disable

this rule as a troubleshooting measure for

customer support.)

For detailed information about how this

rule works, see "About Processing Rules

that Affect Instance ID Migration" on

page 265 .

Require approval if the engine version of a Fortify Software Security Center checks to

scan is newer than the engine version of

the previous scan

determine whether any scan engine

(Fortify Static Code Analyzer, Fortify

WebInspect, Fortify WebInspect Agent)

version is newer than the one already used

in the application. If it detects newer

versions, it flags the upload for

management approval.

Ignore SCA quick scan results and SCA

Blocks the processing of Fortify Static Code

speed dial results performed with a setting Analyzer scans done in quick can mode,

of less than four.

which searches for high-confidence,

high-severity issues. This rule also prevents

OpenText™ Fortify Software Security Center (24.2.0)

Page 262 of 459

User Guide

Chapter 11: Applications and Application Versions

Rule

Description

the upload of speed dial analysis results

performed at a level of less than four.

To enable the uploading speed dial analysis

results, clear this check box.

Caution! After you choose between

uploading a full scan or uploading

speed dial analysis results, Fortify

recommends that future scan results

uploaded for the application version be

of the same type.

Require approval if the Rulepacks used in Fortify Software Security Center checks to

the scan do not match the Rulepacks used determine whether you have added or

in the previous scan

removed a Rulepack, and whether a

Rulepack version has changed. If it detects

that a Rulepack has been added, removed,

or updated, it flags the upload for

management approval.

Require approval if Fortify SCA or Fortify

WebInspect Agent scan does not have

valid certification

Fortify Software Security Center checks to

see that a Fortify Static Code Analyzer or

WebInspect Agent scan has valid

certification. If the certification is not valid,

then someone may have tampered with the

results in the upload. If the certification is

missing, it is not possible to detect

tampering. If certification is missing or is

not valid, the rule requires management

approval.

Require approval if result has analysis

warnings

Fortify Software Security Center checks to

see whether a Fortify Static Code Analyzer

or Fortify WebInspect Agent scan contains

analysis warnings. If it detects analysis

warnings, the rule requires management

approval.

OpenText™ Fortify Software Security Center (24.2.0)

Page 263 of 459

User Guide

Chapter 11: Applications and Application Versions

Rule

Description

Note: This rule applies only to the first

upload of a given results file, and does

not apply to subsequent uploads of the

file. For example, if audit Information is

added to a previously-uploaded FPR

file that contains analysis warnings,

Fortify Software Security Center does

not require management approval

when the changed file is again

uploaded.

Warn if audit information includes

unknown custom tag

If audit information includes an unknown

custom tag, the rule requires management

approval.

Require the issue audit permission to

upload audited analysis files

If a user attempts to upload audited

analysis files, but does not have the

permissions required to audit issues (edit

custom tag values for issues, add

comments to issues, and suppress and

unsuppress issues), this rule blocks the

upload.

Disallow upload of analysis results if there If an analysis result still requires approval,

is one pending approval

this rule blocks its upload.

Disallow approval for processing if an

earlier artifact requires approval

If an earlier scan artifact requires approval,

and was not approved, this rule blocks the

user from approving the current scan

artifact.

If this processing rule is not selected, then

when a user approves the current FPR, all

previous FPRs are automatically approved.

Fortify Software Security Center prompts you to confirm that you want to save the settings

for analysis result processing rules.

5. Click APPLY.

OpenText™ Fortify Software Security Center (24.2.0)

Page 264 of 459

User Guide

Chapter 11: Applications and Application Versions

About Processing Rules that Affect Instance ID Migration

Two processing rules affect instance ID migration; Perform Force Instance ID migration on

upload, and Automatically perform Instance ID migration on upload . It is useful to understand

how these are used.

An issue instance ID can mutate for any one of the following reasons:

l

The IID-generation algorithm changes with a new Fortify Static Code Analyzer version

l

Use of a new Rulepack versions

l

Changes to scan settings (For example, using extra rules are specified for a scan.)

l

Vulnerable code is duplicated (For example, the same vulnerable code is copied and pasted

multiple times in an application version. In this case, Fortify Static Code Analyzer generates a

unique instance ID for the first duplicate fragment, and then increments this generated

instance ID for all remaining duplicated fragments. So, two separate scans can produce

different instance IDs for the same code fragments, depending on the order in which the two

scans uncover them.)

The Automatically perform Instance ID migration on upload rule addresses issue instance ID

mutation that results either from an IID-generation algorithm change with a new Fortify Static

Code Analyzer version, or from a change in Rulepack version. For example, Fortify Software

Security Center detects that the Fortify Static Code Analyzer version used in the latest scan is

newer than the version used for previous scans. With "Automatically perform Instance ID

migration on upload" selected, Fortify Software Security Center runs the migration. If Fortify

Software Security Center detects no changes in the Fortify Static Code Analyzer version used, it

does not run the migration (even if "Automatically perform Instance ID migration on upload" is

selected).

The Perform Force Instance ID migration on upload rule addresses instance ID mutation that

results from changes in scan settings or from vulnerable code duplication. Fortify Software

Security Center can easily determine whether the Fortify Static Code Analyzer version or

Rulepack version has changed. If Fortify Software Security Center detects such a change, it

performs the migration automatically. However, in other cases (duplicate code, scan settings),

Fortify Software Security Center cannot make this determination. You can use this processing

rule to force Fortify Software Security Center to perform the migration in such cases.

If you suspect that the issue instance ID changed as a result of either changes in scan settings

or vulnerable code duplication, Fortify recommends that you select the Perform Force Instance

ID migration on upload processing rule.

Note: Instance ID migration takes a noticeable amount of time, which is why these two rules

exist. Because you may not really want to run IID migration every time, these rules let you

determine whether or not to run instance ID migration after each scan upload.

See Also

"Approving Analysis Results for an Application Version" on page 314

OpenText™ Fortify Software Security Center (24.2.0)

Page 265 of 459

User Guide

Chapter 11: Applications and Application Versions

Configuring Audit Assistant Options for an Application

Version

You can override the default settings for an application version if you selected Enable specific

application version policies when configuring Fortify Audit Assistant. If you did not make this

selection, the default settings will be used for all application versions. See "Configuring Audit

Assistant" on page 364 if you would like the ability to override default settings at the

application version level.

To configure Fortify Audit Assistant options for an application version:

1. Check to make sure that Fortify Software Security Center has been configured to use Audit

Assistant with your applications. (See "Configuring Audit Assistant" on page 364.)

2. From the Dashboard, select the application version for which you want to configure Fortify

Audit Assistant options.

3. On the AUDIT page, click PROFILE.

The APPLICATION PROFILE - <application_name> <application_version> window opens to

the ADVANCED OPTIONS section.

4. Click AUDIT ASSISTANT OPTIONS.

5. From the Application version prediction policy list, select the prediction policy that you

want Audit Assistant to apply to this application version.

Note: You can specify an application version prediction policy only if the Enable

specific application version policies option is enabled system-wide. (See "Configuring

Audit Assistant" on page 364.) Otherwise, Fortify Audit Assistant uses the default

prediction policy.

If you choose not to specify a prediction policy for the application version, Fortify Audit

Assistant uses the default prediction policy.

6. To have unaudited issues for this application version sent to the Fortify Audit Assistant

server for assessment, select the Enable auto-predict check box.

Note: The Enable auto-prediction and Enable auto-apply check boxes are available

only if those audit settings are enabled system-wide. (See "Configuring Audit Assistant"

on page 364.)

7. To have Fortify Audit Assistant automatically apply predicted values to the mapped

custom tag values, select the Enable auto-apply check box.

8. Click APPLY.

9. Fortify Software Security Center prompts you to confirm that you want to save these

options. Click OK.

10. Click CLOSE.

See Also

OpenText™ Fortify Software Security Center (24.2.0)

Page 266 of 459

User Guide

Chapter 11: Applications and Application Versions

"Configuring Audit Assistant" on page 364

Custom Tags

To audit code in Fortify Software Security Center, the security team examines analysis results

and assigns values to “tags” that are associated with application issues. The development team

can then use these tag values to determine which issues to address and in what order.

Fortify Software Security Center provides a single default tag named “Analysis” to enable

application auditing out of the box. Valid values for the Analysis tag are Exploitable, Not an

Issue, Suspicious, Reliability Issue, and Bad Practice. You can modify the Analysis tag attributes,

revise the tag values, or add new tag values based on your auditing needs.

To refine your auditing process, you can define your own custom tags. Like the Analysis tag,

your custom tag definitions are stored in an issue template that you can associate with an

application version. For example, you could create a custom tag used to track the sign-off

process for an issue. After a developer audits the issues to which he or she is assigned, a

security expert can review those issues and mark each as “approved” or “not approved.”

Note: Fortify Audit Workbench users can add custom tags to their projects as they audit

them. However, if these custom tags are not defined in Fortify Software Security Center for

the issue template associated with the corresponding application version, then the new

custom tags are lost after the Audit Workbench user uploads an FPR file to Fortify Software

Security Center.

Topics covered in this section:

Adding Custom Tags to the System

Modifying Custom Tag Attributes

Globally Hiding Custom Tags

Deleting Custom Tags

Adding Custom Tag Values

Editing Custom Tags

Deleting Custom Tag Values

Associating Custom Tags with Issue Templates

Removing Custom Tags from Issue Templates

Assigning Custom Tags to Application Versions

Disassociating a Custom Tag from an Application Version

Managing Custom Tags Through Issue Templates

Managing Custom Tags Through an Issue Template in an FPR File

OpenText™ Fortify Software Security Center (24.2.0)

Page 267 of 459

User Guide

Chapter 11: Applications and Application Versions

Adding Custom Tags to the System

If you are a Fortify Software Security Center administrator, you can add custom tags to the

system. The following topics describe how to add each of the supported custom tag types to

Fortify Software Security Center.

Note: You can filter issues based on the values for custom tags you create and assign to an

application version. For information, see "Filtering Issues for Display on the OVERVIEW and

AUDIT Pages" on page 329.

To add a custom tag:

1. On the OpenText header, click Administration.

2. In the left pane, select Templates, and then select Custom Tags.

3. On the Custom Tags page header, click NEW.

The CREATE NEW CUSTOM TAG screen appears.

4. In the CREATE NEW CUSTOM TAG dialog box, type a name for the new tag in the Name

box.

Important! Make sure that the name you specify for a custom tag is not a database

reserved word.

5. (Optional) In the Description box, type content that describes how to use the custom tag.

6. From the Type list, select one of the tag types listed in the following table.

Type

Values Accepted

Date

Calendar date in the format specified in the PREFERENCES dialog box (see

"Setting Preferences: System-Wide and Across Application Versions" on

page 207 ).

OpenText™ Fortify Software Security Center (24.2.0)

Page 268 of 459

User Guide

Chapter 11: Applications and Application Versions

Type

Decimal

List

Values Accepted

Number with a precision of up to 18 (up to 9 decimal places)

Selection from the list of values that you specify for the tag

Text

String with up to 500 characters (HTML/XML tags and newlines are not

allowed)

7. (Optional) Select any or all of the following optional tag features:

l

Restricted: To allow only users with specific permission (managers, security leads,

administrators) to modify the tag, select this check box.

l

Extensible: (List-type only) A list-type custom tag can be extensible, which means that

auditors can add values to it as they audit issues. To enable users to add new values to

the list tag during audits, select this check box.

l

Hidden: To prevent the display of the tag in the ASSIGN dialog box or in Audit

Workbench, select this check box.

l

Requires comment: To require users to leave a comment whenever the value of this

custom tag changes, select the checkbox. If a custom tag that requires a comment is

changed, the system automatically adds a comment to indicate the changes made to the

tag.

Note: If the new custom tag that requires a comment is a date-type tag, the date

users select for the tag while auditing is always in the format specified in the

PREFERENCES dialog box.

8. If your new custom tag is a date-, decimal-, or text-type tag, click SAVE. If your new custom

tag is a list-type tag, you need to add values. For information on creating values for your

list-type custom tag, see "Adding Custom Tag Values" on page 271.

Values" on page 371

"Globally Hiding Custom Tags" on the next page

"Deleting Custom Tags" on the next page

"Custom Tags" on page 267

"Editing Custom Tags" on page 275

"Associating Custom Tags with Issue Templates" on page 276

"Managing Custom Tags Through Issue Templates" on page 279

"Managing Custom Tags Through an Issue Template in an FPR File" on page 280

OpenText™ Fortify Software Security Center (24.2.0)

Page 269 of 459

User Guide

Chapter 11: Applications and Application Versions

Modifying Custom Tag Attributes

To modify the attributes of a custom tag:

1. From the left pane of the Administration page, click Templates, and then click Custom

Tags.

2. On the Custom Tags page, click the row that displays the tag you want to modify.

The row expands to reveal the details.

3. Click EDIT.

4. Modify the tag attributes, and then save your changes.

Caution! Make sure that the name you specify for a custom tag is not a database

reserved word.

custom tag from an issue template, see "Removing Custom Tags from Issue Templates"

Globally Hiding Custom Tags

To globally hide a custom tag:

1. From the left pane in the Administration view, click Templates, and then select Custom

Tags.

The Custom Tags page lists all existing custom tags.

2. Click the row for the tag you want to hide.

The row expands to display the details for the tag.

3. Click EDIT.

4. Select the Hidden check box.

5. Click SAVE.

The custom tag no longer appears on the AUDIT page or in Fortify Audit Workbench.

Deleting Custom Tags

If you are an Administrator or a Security Lead, you can delete custom tags.

Note: You cannot delete a custom tag if:

l

It is set as the primary tag.

l

It has been used in auditing issues.

l

It is currently associated with an application version or issue template. For information on

how to remove a custom tag from an application version, see "Disassociating a Custom

OpenText™ Fortify Software Security Center (24.2.0)

Page 270 of 459

User Guide

Chapter 11: Applications and Application Versions

Tag from an Application Version" on page 279. For information on how to remove a

on page 277.

You can never delete the Analysis tag.

To delete custom tags:

1. From the left pane on the Administration view, select Templates, and then select Custom

Tags.

The Custom Tags page opens. Existing custom tags are listed on the right.

2. Select the check boxes for the custom tags you want to delete.

3. In the Custom Tags toolbar, click DELETE.

4. When prompted to confirm that you want to delete the tag (or tags), click OK.

See Also

"Custom Tags" on page 267

Adding Custom Tag Values

If you are a Fortify Software Security Center administrator, you can add values to list-type

custom tags.

Note: If a custom tag is assigned the extensible attribute, then you can add values to it as

you audit issues.

When adding or editing a custom value, you will:

l

Create a name for the new value

l

(Optional) Create a description for the new value

l

(Optional) If Fortify Audit Assistant is configured, map your custom values to Fortify Audit

Assistant values and decide whether or not the value should be used in training the Fortify

Audit Assistant model

l

Assign the value to an Issue State (Fortify Audit Assistant must be enabled)

Add a Custom Tag Value

Note: If Fortify Audit Assistant is configured, see "Add a Custom Tag Value (Fortify Audit

Assistant Configured)" on the next page.

To add a value to a list-type custom tag:

1. On the OpenText menu bar, click Administration.

2. In the left pane, click Templates, and then click Custom Tags.

The Custom Tags page lists your custom tags.

3. Click the row for the custom tag.

OpenText™ Fortify Software Security Center (24.2.0)

Page 271 of 459

User Guide

Chapter 11: Applications and Application Versions

The row expands to display the details for the tag.

4. In the lower right corner of the screen, click EDIT.

5. Above the table of values, click + ADD.

The Add Value dialog box appears.

6. In the ADD VALUE dialog box, type a Name and, optionally, a Description for the new value.

7. (Optional) To prevent the tag from being displayed in the Assign dialog box or in Audit

Workbench, select the Hidden check box.

8. Click APPLYand click SAVE.

9. (Optional) Set Issue State for each value.

10. Repeat steps 5-9 for any addition values you need to add.

Add a Custom Tag Value (Fortify Audit Assistant Configured)

To add a value to a list-type custom tag when Audit Assistant has been configured:

1. On the OpenText menu bar, click Administration.

2. In the left pane, click Templates, and then click Custom Tags.

The Custom Tags page lists the custom tags in the system.

3. Click the row for the tag to which you want to add a value.

The row expands to display the details for the tag.

4. Below the table of values, click EDIT.

5. Above the table of values, click + ADD.

6. If Fortify Software Security Center is configured to use Fortify Audit Assistant and auto-

apply is enabled, the ADD VALUE dialog box has an AA Custom Tag Auto Assignment

section and an AA Training Classification for the Custom Tag's Value section.

OpenText™ Fortify Software Security Center (24.2.0)

Page 272 of 459

User Guide

Chapter 11: Applications and Application Versions

OpenText™ Fortify Software Security Center (24.2.0)

Page 273 of 459

User Guide

Chapter 11: Applications and Application Versions

If the new value aligns with an Audit Assistant prediction value in the AA Custom Tag Auto

Assignment section, select its check box to automatically map the list value to the selected

Audit Assistant prediction value. This will enable automated mapping of values for all

application versions where you have selected Enable auto-apply in the AUDIT

ASSISTANT OPTIONS section of the application version's PROFILE.

7. In order to train Fortify Audit Assistant, select what this custom tag value means to Fortify

Audit Assistant. By setting this tag value for your issue, Fortify Audit Assistant will learn

how you view the issue based on how you classified it here. While you do not have to use all

of the list values in training, you must assign at least two for training to occur. One must be

assigned to Exploitable and one must be assigned to False Positive. Repeat this step for

each list value you want to use in training Fortify Audit Assistant.

8. Click APPLY and then click SAVE.

9. (Optional) Set Issue State for each value.

Note: To use a new custom tag to audit application version issues, you must first assign the

tag to the application version. For instructions, see "Assigning Custom Tags to Application

Versions" on page 278.

Set Issue State

Custom Groups audited issues by whether the issue is an Open Issue or Not an Issue based on

the level of analysis set for the primary tag. Values equivalent to Suspicious and Exploitable are

considered open issue states in the Analysis tag.

When adding values to your custom tag, you can set their Issue State if Fortify Audit Assistant is

enabled. The Issue State allows you to assign issues to one of two categories: Not an Issue or

Open Issue. When auditing your results, you can select Issue State from the Group By menu to

quickly assess which and how many issues are still open and need to be addressed. As you audit

your issues and assign values to the Analysis custom tag value, the Issue State folders will

update based on the value you selected.

When adding a list-type custom tag values, it will appear in the Not an issue side of the Issue

State section.

To set the Issue State for your custom tag values:

Note: If you are already on the Custom Tags page and are in edit mode, begin with step 5.

1. On the OpenText menu bar, click Administration.

2. In the left pane, click Templates, and then click Custom Tags.

The Custom Tags page lists the custom tags in the system.

3. Click the row for the custom tag to which you want to edit a value.

OpenText™ Fortify Software Security Center (24.2.0)

Page 274 of 459

User Guide

Chapter 11: Applications and Application Versions

The row expands to display the details for the tag.

4. Below the table of values, click EDIT.

5. In the Issue State section, select a value that should be considered an Open issue.

6. Use the arrow button to move the selected value from the Not an issue box to the Open

issue box.

If you make a mistake or change your mind, select the value in the Open issue box and use

the back arrow button to move it back to the Not an issue box.

7. Continue steps 5 - 6 until all values are in the appropriate Issue State box.

8. Click the SAVE button.

See Also

"Editing Custom Tags" below

"Deleting Custom Tag Values" on the next page

"Assigning Custom Tags to Application Versions" on page 278

Editing Custom Tags

If you are an Administrator-level user, you can modify custom tags in the system.

To edit a custom tag:

1. From the left pane in the Administration view, click Templates, and then select Custom

Tags.

The Custom Tags page lists all custom tags in the system.

2. Click the row for the tag you want to edit to expand it and display the details.

3. Below the table of values, click EDIT.

4. Edit the values for any of the displayed fields, and then click SAVE.

For information about the displayed fields, see "Adding Custom Tags to the System" on

page 268.

OpenText™ Fortify Software Security Center (24.2.0)

Page 275 of 459

User Guide

Chapter 11: Applications and Application Versions

"Assigning Custom Tags to Application Versions" on page 278

Deleting Custom Tag Values

If you are an administrator or a security lead, you can delete custom tag values.

To delete a value for a custom tag:

Note: You cannot delete a custom tag value that is currently associated with an application

version, issue template, or if an issue is audited using the value.

1. From the left pane in the Administration view, select Templates, and then select Custom

Tags.

The Custom Tags page lists all custom tags in the system.

2. Click the row for the tag from which you want to delete a value.

The row expands to display the details for the tag.

3. Below the table of values, click EDIT.

4. In the table of values, click the Remove value icon

in the row for the value you want to

delete.

5. Click SAVE.

"Adding Custom Tag Values" on page 271

Associating Custom Tags with Issue Templates

After you first create an issue template and upload an issue template file, the custom tags

defined in that issue template file are the custom tags that are initially associated with the issue

template. Updates to existing custom tags are ignored because tags are designed to be updated

using the procedures described in previous sections, but newly-defined custom tags in that

issue template file are added to the system and associated with the issue template.

Note: The custom tags associated with an issue template are the default tag set assigned

to an application version when it is first created using that issue template.

To associate a custom tag with an issue template:

1. On the OpenText header, click Administration.

2. In the left pane, select Templates, and then select Issue.

3. Click the row that displays the issue template that you want to associate with the custom

tag.

The row expands to reveal the template details.

OpenText™ Fortify Software Security Center (24.2.0)

Page 276 of 459

User Guide

Chapter 11: Applications and Application Versions

4. Click EDIT.

5. In the CUSTOM TAGS section, click + ADD CUSTOM TAG.

6. In the ADD CUSTOM TAG dialog box, select the check box for the custom tag to associate

with the issue template, and then click +ADD.

The CUSTOM TAGS table now lists the tag you added.

7. Click SAVE.

Removing Custom Tags from Issue Templates

To remove a custom tag from an issue template:

1. From the left pane in the Administration page, select Templates, and then select Issue.

The table on the right lists all of the issue templates in the system.

2. Click the row that displays the issue template associated with the custom tag you want to

remove.

The row expands to reveal the issue template details. The CUSTOM TAGS section lists the

custom tags currently associated with the template.

3. At the bottom of the expanded row, click EDIT.

OpenText™ Fortify Software Security Center (24.2.0)

Page 277 of 459

User Guide

Chapter 11: Applications and Application Versions

4. In the last column, click the remove icon for the custom tag that you want to remove

from the template.

Note: You cannot remove the designated primary tag from an issue template.

5. Click SAVE.

See Also

"Custom Tags" on page 267

Assigning Custom Tags to Application Versions

To use a new custom tag to audit application version issues, you must first assign the tag to the

application version.

To assign a custom tag to an application version:

1. From the Applications view, expand the row for the application, and then select the name of

the version you plan to audit.

2. On the application version toolbar of the AUDIT page, click PROFILE.

3. In the APPLICATION PROFILE dialog box, select the CUSTOM TAGS tab.

4. Click ASSIGN/ REMOVE.

The CUSTOM TAGS tab lists all of the tags available for auditing issues.

5. Select the check box for the custom tag you want to assign to the application version (you

can select multiple tags), and then click DONE.

The selected tag is now listed as an assigned tag.

To successfully complete the audit of an issue in Fortify Software Security Center, you must

specify a value for the custom tag that is designated as the primary tag. By default, the

Analysis tag is the primary tag.

During an audit, the primary tag is listed first. If list-type custom tags other than Analysis

exist in your Fortify Software Security Center instance and are assigned to the application

version, you can select one of these (instead of Analysis) as the primary tag.

6. (Optional) To assign a tag other than the current primary tag as primary:

Note: You can only assign list-type custom tags as primary tags.

a. Click SELECT PRIMARY.

b. From the Select Primary Tag list in the SELECT PRIMARY TAG dialog box, select the

tag to set as the primary custom tag.

Note: If you use Audit Assistant, and you have not provided Audit Assistant

guidance information, make sure that you edit the tag to include that information.

For information about how to provide Audit Assistant guidance, see "Adding

Custom Tags to the System" on page 268. For information about how to edit a

OpenText™ Fortify Software Security Center (24.2.0)

Page 278 of 459

User Guide

Chapter 11: Applications and Application Versions

custom tag, see "Editing Custom Tags" on page 275.

c. Click DONE.

7. Click CLOSE.

The assigned custom tag will be available the next time a team member audits issues for the

application version.

Disassociating a Custom Tag from an Application Version

You can disassociate a custom tag from an application version if it has not been used in auditing

that application version.

To disassociate a custom tag from an application version:

1. On the OpenText header, click Applications.

2. Click the application version name to which the custom tag is assigned.

3. On the application version toolbar of the AUDIT page, click PROFILE.

4. In the APPLICATION PROFILE window, select the CUSTOM TAGS tab.

5. Click ASSIGN/REMOVE.

The CUSTOM TAGS tab lists all custom tags in the system. The check boxes for tags

associated with the application version are selected.

6. Clear the check box for the custom tag that you want to remove, and then click DONE.

7. Click CLOSE.

The AUDIT tab in the issue details on the AUDIT page for this application version no longer lists

the custom tag.

After you remove the custom tag from all application versions and issue templates to which it

has been assigned, you can delete the tag.

"Assigning Custom Tags to Application Versions" on the previous page

Managing Custom Tags Through Issue Templates

Custom tags defined in an issue template file are assigned to that specific issue template. You

cannot update existing custom tags through direct issue template upload. If Fortify Software

Security Center detects an updated custom tag, it displays a warning and prompts you to

confirm that you want to continue.

OpenText™ Fortify Software Security Center (24.2.0)

Page 279 of 459

User Guide

Chapter 11: Applications and Application Versions

You must update existing custom tags through the custom tag administration section of Fortify

Software Security Center, as follows:

1. On the OpenText header, select Administration.

2. In the left pane, select Templates, and then select Custom Tags.

3. Complete the update.

You can add a new custom tag through an issue template upload. This could, for example, allow

a member of a security team who is not part of a software audit to define the issue template and

the custom tags in the issue template.

Managing Custom Tags Through an Issue Template in an FPR File

FPR files typically contain an issue template. If an FPR file uploaded to Fortify Software Security

Center contains an issue template with a custom tag that has been set as editable, you can add

a value to the tag.

About Data Retention

Administrators can enable Data Retention and configure the default Data Retention Policy to

define the time period for which artifacts are retained in Fortify Software Security Center. You

can configure advanced options to define the time period to retain the artifacts and the number

of artifacts to retain per application version.

After the defined retention time period is reached, the artifacts are eligible for purging from

Fortify Software Security Center. You can schedule the cleanup service to purge artifacts from

Fortify Software Security Center.

Caution! After an artifact is purged, the artifact is permanently removed from Fortify

Software Security Center and cannot be recovered.

When you enable Data Retention, Fortify Software Security Center applies the default Data

Retention Policy across all applications.

You can also configure individual application versions to opt-out of the default Data Retention

Policy.

Topics covered in this section:

Enabling Data Retention

280

283

Editing the Default Data Retention Policy

Enabling Data Retention

To enable Fortify Software Security Center Data Retention Policy:

1. Login to Fortify Software Security Center as an Administrator, and then click the

Administration tab.

OpenText™ Fortify Software Security Center (24.2.0)

Page 280 of 459

User Guide

Chapter 11: Applications and Application Versions

2. In the left pane, under Policies, select Data Retention Policy.

The Data Retention Policy page lists the default Data Retention Policy and any application

versions that have no data retention policy applied.

3. Configure the settings on the Data Retention Policy page as described in the following

table.

Field *Required Description

Enable Data

Select this check box to enable the data retention feature.

Retention Policy

Allow application Select this check box to allow individual application versions to opt-

versions to opt-

out of the default

policy

out of the default policy.

For more information, see "Configuring an Application Version to

Opt-out of the Default Data Retention Policy" on page 249

*Days of week

Specify one or more days of the week to schedule the data cleanup

service.

Use values of 1 to 7 to specify the day of the week as follows:

1=Sunday, 2=Monday, 3=Tuesday, 4=Wednesday, 5=Thursday,

6=Friday, and 7=Saturday

Use one of the following cron syntax to specify one or more days of

the week.

l

Single Value: To run the data cleanup only on a single day of the

OpenText™ Fortify Software Security Center (24.2.0)

Page 281 of 459

User Guide

Chapter 11: Applications and Application Versions

Field *Required Description

week, enter a single digit.

For example, enter 3 to run the data cleanup only on Tuesdays at

the specified hours defined in the Hours field.

l

Multiple Values: To run the scheduler on multiple days, separate

the entries with a comma.

For example, type 1,4,6 to run the cleanup service on Sunday,

Wednesday, and Friday at the specified hours defined in the

Hours field.

l

Range of Values: To enter consecutive days, separate the entries

with a dash. For example, type 2-6 to run the data cleanup service

from Monday through Friday at the specified hours defined in the

Hours field.

l

Every Day: Type *an asterisk (*) to schedule the cleanup service

every day at the specified hours defined in the Hours field.

Note: To minimize the impact on the responsiveness of the

system, Fortify strongly recommends that you enable the

cleanup service only when the system is idle.

*Hours

Allows you to choose which hour(s) of the day the data cleanup

service will run.

Use values of 0 to 23 to specify the hour of the day, using 24-hour

time notation, where 0 represents 12 AM and 23 represents 11 PM.

Use one of the following cron syntax to specify one or more hours of

the day.

l

Single Value: To run the data cleanup only at a certain hour of the

day, enter a single digit.

For example, enter 3 to run the data cleanup only at 3 AM on the

specified day(s) defined in the Days of week field.

l

Multiple Values: To run the scheduler at multiple hours in a day,

separate the entries with a comma.

For example, type 2,4,6,18,20,22 to run the cleanup service at

even hours between 6 PM and 6 AM on the specified day(s)

OpenText™ Fortify Software Security Center (24.2.0)

Page 282 of 459

User Guide

Chapter 11: Applications and Application Versions

Field *Required Description

defined in the Days of week field.

l

Range of Values: To run the scheduler at consecutive hours in a

day, separate the entries with a dash.

For example, type 0-6 to run the data cleanup service every hour

from 12 AM to 6 AM on the specified day(s) defined in the Days

of week field.

l

Multiple Range/Values: To run the scheduler for consecutive

hours in a day more than once or for consecutive hours in a day

and at certain hours, separate the multiple range or values with a

comma.

For example, type 0-5,17-23 to run the data cleanup service

every hour from 5 PM to 5 AM on the specified day(s) defined in

the Days of week field.

For example, type 0-5,12,18-20,23 to run the data cleanup

service every hour from 11 PM to 5 AM, at 12 PM, and every hour

from 6 PM to 8PM on the specified day(s) defined in the Days of

week field

l

Every Hour: Type *an asterisk (*) to schedule the cleanup service

every hour on the specified day(s) defined in the Days of week

field.

Note: To minimize the impact on the responsiveness of the

system, Fortify strongly recommends that you enable the

cleanup service only when the system is idle.

4. Click SAVE.

Editing the Default Data Retention Policy

When you first enable Software Security Center to use the Data Retention Policy, Fortify

recommends that you leave the policy properties set to the maximum allowed values for a time

to allow individual application versions to opt-out of the policy before the policy dictates to

begin removing artifacts.

You can edit the default Data Retention Policy based on your requirements.

To edit the default Data Retention Policy:

OpenText™ Fortify Software Security Center (24.2.0)

Page 283 of 459

User Guide

Chapter 11: Applications and Application Versions

1. On the Data Retention Policy page, click Default Data Retention Policy to expand it and

then click Edit Policy.

2. In the Edit Policy dialog box, configure the following settings based on your requirements.

Note: Purging of artifacts under the default Data Retention Policy depends on the

following two rules affect. Purging of artifacts under the default Data Retention Policy

depends on the following two rules affect.

l

Rule 1: Number of artifacts > Maximum number of unpurged artifacts AND Artifacts

Age > Minimum Age of the artifacts

l

Rule 2: Age > Maximum Age AND Number of artifacts > Minimum number of

unpurged artifacts

Data Retention Policy guidelines are evaluated for each analysis type and artifacts

must satisfy at least one of the rules to be eligible for purging. If none of the rules are

satisfied, the artifacts are retained regardless of the maximum value of artifact count or

age that you have specified.

Consider the following scenario:

An application version contains 12 artifacts has a data retention policy enabled and the

default data retention policy is set with the following values.

The following diagram shows examples of how artifacts become eligible for purging under

the default Data Retention Policy.

OpenText™ Fortify Software Security Center (24.2.0)

Page 284 of 459

User Guide

Chapter 11: Applications and Application Versions

Fortify Software Security Center purges the artifacts that satisfy at least one rule.

Therefore, Fortify Software Security Center will purge artifacts A1 to A4.

3. Click SAVE.

About Deleting Application Versions

You cannot directly delete an application in Fortify Software Security Center. Fortify Software

Security Center removes an application automatically after all of its versions are deleted.

If you are assigned the Administrator role in Fortify Software Security Center, you can delete

any application version. If you are in the Security Lead or Manager role, then you can delete any

application version to which you are assigned.

If you would rather not delete a version, but prefer instead to remove it from display on the

Dashboard and Applications pages, you can deactivate it. For instructions on how to deactivate

an application version, see "Deactivating Application Versions" below.

Deactivating Application Versions

Deactivating an application version hides that version in the Applications view. Note that

deleting all versions of an application deletes the application altogether.

To deactivate an application version:

1. From the Applications view, expand the row for the application and then select the version

you want to deactivate.

2. On the AUDIT page for the selected version, click PROFILE.

3. In the APPLICATION PROFILE dialog box, click APPLICATION SETTINGS.

OpenText™ Fortify Software Security Center (24.2.0)

Page 285 of 459

User Guide

Chapter 11: Applications and Application Versions

4. In the Version Settings pane, click DEACTIVATE.

Fortify Software Security Center prompts you to confirm that you want to deactivate the

version.

5. Click OK.

The DEACTIVATE button is now the ACTIVATE button. If you need to, you can re-activate

the version later.

6. Close the APPLICATION PROFILE dialog box.

"Deleting an Application Version " on the next page

Reactivating Application Versions

If a specific application version has been deactivated and is not listed on the Dashboard or in

the Applications view, you can reactivate it to make it visible again.

If the deactivated application version was the only version of the application that exists, you can

do the following to access and reactivate it:

l

Create a new version of the deactivated application, and then follow the procedure described

below.

To reactivate an application version when another version of the application exists:

1. On the OpenText header, click Applications.

2. Select the Show inactive versions check box.

3. In the table, click the deactivated application version number.

4. On the application version toolbar of the AUDIT page, click PROFILE.

5. In the APPLICATION PROFILE - <application_version> dialog box, select the

APPLICATION SETTINGS tab.

OpenText™ Fortify Software Security Center (24.2.0)

Page 286 of 459

User Guide

Chapter 11: Applications and Application Versions

6. Click ACTIVATE.

Fortify Software Security Center prompts you to confirm the activation.

7. Click OK.

8. Click CLOSE.

The application version is again displayed on the Fortify Software Security Center Dashboard

and in the Applications view.

Deleting an Application Version

If you would rather not delete an application version, but prefer instead to remove it from

display on the Fortify Software Security Center Dashboard and in the Applications view, see

"Deactivating Application Versions" on page 285

Important! If you delete all versions of an application, Fortify Software Security

Center automatically deletes the application.

To delete a Fortify Software Security Center application version:

1. From the Applications view, select the name of the application version you want to delete.

Fortify Software Security Center opens the OVERVIEW page for the selected version.

OpenText™ Fortify Software Security Center (24.2.0)

Page 287 of 459

User Guide

Chapter 11: Applications and Application Versions

2. On the application version toolbar, click PROFILE.

3. In the APPLICATION PROFILE dialog box, click APPLICATION SETTINGS.

4. In the Version Settings pane, click DELETE.

Fortify Software Security Center prompts you to confirm that you want to delete the

version.

5. Click OK.

Fortify Software Security Center removes the version from the database.

OpenText™ Fortify Software Security Center (24.2.0)

Page 288 of 459

Chapter 12: About Webhooks

You can create webhooks to update external systems about events that occur in Fortify

Software Security Center.

Topics covered in this section:

Viewing Webhook Payloads

Redelivering Webhook Payloads

Deleting Webhooks

Webhooks Permissions

The following table shows which Fortify Software Security Center roles have permission to

perform which webhook-related tasks.

Roles

Permissions

Administrator

Security Lead

User can create, view, and manage webhooks to monitor any kind of event.

l

User can view webhooks. Application versions that webhooks monitor

will be filtered to include only those for which the user has explicit view

permission.

l

User can create and manage webhooks monitoring events only on

entities for which the user has explicit view permission.

A Security Lead cannot create or manage the following:

l

Webhooks with the Send me everything! option selected

l

Webhooks with the Monitor All Application Versions option selected

l

Webhooks set to monitor any events that require universal access

To see all of the actions each Fortify Software Security Center role can perform:

1. On the OpenText header, select Administration.

2. In the left pane, select Users, and then select Roles.

OpenText™ Fortify Software Security Center (24.2.0)

Page 289 of 459

User Guide

Chapter 12: About Webhooks

The Roles table lists all of the roles to which you can assign users.

3. To see all of the actions a user in a given role can perform, click the row for the role.

Creating Webhooks

If you are an Administrator, you can create webhooks to monitor any kind of event, whether

global or application version-specific. If you are a Security Lead, you can create webhooks that

monitor events on the entities that you have permission to view.

Note: For information on which roles have which permissions to work with webhooks, see

"Webhooks Permissions" on the previous page.

To create a new webhook:

1. Log in to Fortify Software Security Center as an Administrator or Security Lead, and then,

on the OpenText header, click Administration.

2. In the left pane, select Configuration, and then select Webhooks.

The Webhooks page lists any webhooks already configured.

3. On the Webhooks page, click NEW.

OpenText™ Fortify Software Security Center (24.2.0)

Page 290 of 459

User Guide

Chapter 12: About Webhooks

4. In the CREATE NEW WEBHOOK dialog box, provide the information described in the

following table.

Field

Description

Payload URL

In this box, specify the URL to which you want the

requested payload sent.

Description

(Optional) Provide a description of the webhook and its

payload.

SSL Verification

Specify whether SSL certificate verification is required to

invoke the webhook based on the specified URL.

OpenText™ Fortify Software Security Center (24.2.0)

Page 291 of 459

User Guide

Chapter 12: About Webhooks

Field

Description

Use SSC proxy

(Optional) If you have set up a proxy for Fortify Software

Security Center integrations, you can select this check box

to use it for webhooks. For information about how to

configure a proxy for Fortify Software Security Center

integrations, see "Configuring a Proxy for Fortify Software

Security Center Integrations" on page 128 .

Content Type

Secret

Displays the format used for the payload to be delivered.

Note: For this release, JSON is the only content type

supported.

(Optional) Enter a webhook secret to be used to verify the

data integrity and authenticity of POST requests. The

secret is used to calculate a hash-based message

authentication code (HMAC), which is communicated to the

payload destination via the "X-SSC-Signature" header. The

code is calculated using the HMAC-SHA256 algorithm. The

secret is used as a key and the payload body (with HTTP

"Date" header value appended) is used as a message. The

HMAC value is then encoded as a hexadecimal number with

the prefix sha256=.

Which events would you

like to trigger this

webhook?

Do one of the following:

l

To have the following events included in the payload,

select Send me everything! (This applies to all current

and future events.)

l

To include a focused subset of events in the payload,

select Let me select individual events, and then, in the

Global Events and Application version events lists,

(described below) select the check boxes for the events

to include in the payload.

Global events (system-wide)

USER_CREATED: A new local user, local group, or LDAP entity was added to Fortify

Software Security Center.

OpenText™ Fortify Software Security Center (24.2.0)

Page 292 of 459

User Guide

Chapter 12: About Webhooks

Field

Description

USER_DELETED: A local user, local group, or LDAP entity was deleted from Fortify

Software Security Center.

USER_UPDATED: A local user, local group, or LDAP entity was updated.

LOCAL_USER_ACCOUNT_LOCKED: A local user was locked out of Fortify Software

Security Center as a result of too many login attempts with invalid credentials.

APP_VERSION_CREATED: A new application version was created in SSC.

APP_VERSION_DELETED: An application version was deleted from Fortify Software

Security Center.

REPORT_GENERATION_COMPLETE: A new requested report is available for viewing

and download.

REPORT_GENERATION_REQUESTED: A new report was requested.

Application Version Events (application version-specific)

ANALYSIS_RESULT_UPLOAD_COMPLETE_SUCCESS: An uploaded artifact was

successfully processed to Fortify Software Security Center, and its data are available.

ANALYSIS_RESULT_UPLOAD_FAILURE: An uploaded artifact was not successfully

processed.

ANALYSIS_RESULT_UPLOAD_REQUIRES_APPROVAL: An uploaded scan artifact

requires approval before it can be processed.

ANALYSIS_RESULT_INDEXING_COMPLETED: Indexing of data for global searches

after Fortify Software Security Center finished processing an uploaded FPR was

completed.

ANALYSIS_RESULT_UPLOAD_APPROVE: An artifact was approved for uploading.

APP_VERSION_UPDATED: An application version was updated from the APPLICATION

PROFILE dialog box.

Application version events

ANALYSIS_RESULT_UPLOAD_COMPLETE_SUCCESS: Analysis results were

successfully uploaded.

ANALYSIS_RESULT_UPLOAD_FAILURE: An analysis results upload failed.

ANALYSIS_RESULT_UPLOAD_REQUIRES_APPROVAL: An analysis upload requires

approval.

ANALYSIS_RESULT_INDEXING_COMPLETED: Indexing of an analysis result was

OpenText™ Fortify Software Security Center (24.2.0)

Page 293 of 459

User Guide

Chapter 12: About Webhooks

Field

Description

completed.

ANALYSIS_RESULT_UPLOAD_APPROVED: Analysis upload results were approved.

APP_VERSION_UPDATED: An application version was updated.

Which application versions Do one of the following:

would you like to monitor?

l

To monitor all application versions (existing application

versions and application versions to be created in the

future), select the Monitor All Application Versions

option.

l

To monitor just a subset of application versions:

i. Select the Select Individual Application Versions

option.

ii. Click ADD.

iii. In the SELECT APPLICATION VERSION dialog box,

from the APPLICATION list, select an application

to monitor.

iv. To select all versions, select the Select All check

box. Otherwise select the check boxes for the

versions.

v. Click DONE.

vi. To add another application version or versions,

repeat these steps.

Active

Select this check box to make the webhook active. To leave

the webhook inactive for now, leave the check box cleared.

5. After you finish configuring the webhook, click SAVE.

"Deleting Webhooks" on page 299

OpenText™ Fortify Software Security Center (24.2.0)

Page 294 of 459

User Guide

Chapter 12: About Webhooks

Editing Webhooks

To edit a webhook:

1. Log in to Fortify Software Security Center as an Administrator or Security Lead, and then,

on the OpenText header, click Administration.

Note: If you are a Security Lead, you can only edit webhooks that monitor the entities

for which you have explicit view permission.

2. In the left pane, select Configuration, and then select Webhooks.

The Webhooks page lists any webhooks already configured.

3. Select the row to see the details for the webhook you want to edit.

4. Change any values for the fields described in "Creating Webhooks" on page 290.

5. (Optional) To request redelivery of a payload after you finish making changes, under

Recent deliveries, select the row for the payload you want redelivered, and then click

REDELIVER.

6. Click SAVE.

See Also

"Viewing Webhook Payloads" below

"Deleting Webhooks" on the next page

Viewing Webhook Payloads

If you are an Administrator, you can view all webhook payloads. If you are a Security Lead, you

can view only webhook payloads for application versions that you have explicit permission to

view.

To view webhook payloads:

1. Log in to Fortify Software Security Center as an Administrator or Security Lead, and then,

on the OpenText header, click Administration.

2. In the left pane, select Configuration, and then select Webhooks.

The Webhooks table lists all existing webhooks and displays the status of each, as follows:

A green check mark indicates that the last payload request was successful.

A red x indicates that the webhook is active but could not deliver the last payload

requested.

Note: If the Status field for a listed webhook displays no icon, in the Webhooks table,

expand its row and check to make sure that the Active check box, located above the

Recent deliveries table, is selected.

OpenText™ Fortify Software Security Center (24.2.0)

Page 295 of 459

User Guide

Chapter 12: About Webhooks

3. In the Webhooks table, select a webhook to expand its details and examine its recently-

delivered payloads (up to ten), if any.

The Recent deliveries section lists the payloads (up to ten) most recently delivered.

OpenText™ Fortify Software Security Center (24.2.0)

Page 296 of 459

User Guide

Chapter 12: About Webhooks

4. Click the row for the payload you want to examine.

5. To see body or header details for the response, select the RESPONSE tab.

OpenText™ Fortify Software Security Center (24.2.0)

Page 297 of 459

User Guide

Chapter 12: About Webhooks

For details about the content of delivered payloads, see "Webhook Payloads" on page 451.

See Also

"Editing Webhooks" on page 295

Redelivering Webhook Payloads

If changes are made that affect the payload delivered to the payload URL for a webhook. you

can request that the payload be redelivered.

To request redelivery of a webhook payload:

1. Log in to Fortify Software Security Center as an Administrator or Security Lead, and then,

on the OpenText header, click Administration.

Note: If you are a Security Lead, you can only edit webhooks that monitor the entities

for which you have explicit view permission.

2. In the left pane, select Configuration, and then select Webhooks.

The Webhooks page lists any webhooks configured.

3. Select the row for the webhook for which you want a payload redelivered.

OpenText™ Fortify Software Security Center (24.2.0)

Page 298 of 459

User Guide

Chapter 12: About Webhooks

4. Under Recent deliveries, select the row for the payload you want redelivered, and then

click REDELIVER.

See Also

"Editing Webhooks" on page 295

"Viewing Webhook Payloads" on page 295

Deleting Webhooks

To delete a webhook:

1. Log in to Fortify Software Security Center as an Administrator or Security Lead, and then,

on the OpenText header, click Administration.

2. In the left pane, select Configuration, and then select Webhooks.

The Webhooks page lists all existing webhooks and their current status.

3. In the table, select the check box for the webhook you want to delete, and then click

DELETE.

See Also

"Editing Webhooks" on page 295

OpenText™ Fortify Software Security Center (24.2.0)

Page 299 of 459

Chapter 13: Variables, Performance Indicators,

and Alerts

Fortify Software Security Center lets you store measured values and event conditions for

application versions as variables. A Fortify Software Security Center variable is a definition of a

metric that is to be evaluated periodically for each application version. Variables count issues,

conditions, and other categories of numeric data.

Performance indicators combine variables into metrics that are normalized across application

version boundaries, and that can represent complex higher-level abstractions such as monetary

costs. Fortify Software Security Center variables and performance indicators provide the

building blocks that you can use to create customized metrics, which you can then incorporate

into customized alert definitions.

You can use the values of variables to trigger alerts, which Fortify Software Security Center then

displays on the dashboards of users specified as recipients in alert definitions. Fortify Software

Security Center can also email alert notifications to members of an application version team.

Topics covered in this section:

Working with Variables

Performance Indicators

Creating Performance Indicators

Viewing and Marking Alerts

Working with Variables

If you are a Security Lead or an Administrator, you can define variables for your applications.

The following topics provide information about Fortify Software Security Center variable syntax

and search strings, and include instructions on how to create variables.

OpenText™ Fortify Software Security Center (24.2.0)

Page 300 of 459

User Guide

Chapter 13: Variables, Performance Indicators, and Alerts

Creating Variables

To create a Fortify Software Security Center variable:

1. Log in as a Security Lead or an Administrator, and then click Administration.

Note: Users who have Developer accounts cannot create Fortify Software Security

Center variables.

2. In the pane on the left, under Metrics & Tracking, select Variables.

3. In the Variables toolbar, click NEW.

4. In the CREATE NEW VARIABLE dialog box, provide the information described in the

following table.

Field

Description

Name

Type a variable name that begins with a letter (a-z, A-Z), and that

contains only letters, numerals (0-9), and the underscore character (_).

Description

(Optional) Type a description so that other users can understand how to

use the variable.

Search String Type a valid Fortify Software Security Center variable search string. (For

information about how to construct search strings, select the Syntax

Guide link below the Search String box, or see "Variable Syntax" below.)

Folder

From this list, select a folder from the default filter set to associate with

the variable.

The Folder list displays the unique folder names associated with all

available issue templates. The variable value is calculated if the folder

name is associated with the issue template for the application version.

5. After Fortify Software Security Center validates the variable, click SAVE.

The Variables table now lists your new variable.

Variable Syntax

The Fortify Software Security Center variable format is modifier:searchstring.

Example: [Fortify Priority Order]:critical audited:false

To search for an exact match of the string, enclose the string in quotation marks (""). To search

for a string without qualifications, type the string without quotation marks.

OpenText™ Fortify Software Security Center (24.2.0)

Page 301 of 459

User Guide

Chapter 13: Variables, Performance Indicators, and Alerts

The following table lists the Fortify Software Security Center relational operators.

Relational

Operator

Description

Example

Number

range

A comma-separated pair of numbers used to

specify the beginning and end of a range of

numbers.

(2,4]

Indicates a range of

greater than two, and less

than or equal to four

Use a left or right bracket (“[ ]”) to specify that

the range includes the adjoining number.

Use a begin or end parenthesis (“( )”) to specify

that the range excludes (is greater than or less

than) the adjoining number.

Negate a modifier with an exclamation character

!(not equal)

file:!Main.java

(!).

Returns all issues that are

not in Main.java.

Performance Indicators

Fortify Software Security Center performance indicators enable you to combine variables into

metrics that are normalized across application version boundaries, and that can represent

complex, high-level abstractions such as monetary costs. This section provides information

about performance indicator syntax and instructions on how to create performance indicators.

The general format for a Fortify Software Security Center performance indicator formula is as

follows:

Variable[operator]Variable

where operatorcan be a standard mathematical operator (+, -, *, /), a comparator (==, >, <), or

the ternary operator (?).

For instructions on how to create performance indicators, see "Creating Performance Indicators"

below.

Creating Performance Indicators

To create a Fortify Software Security Center performance indicator:

1. Log in to Fortify Software Security Center as a Security Lead, and then click the

Administration tab.

OpenText™ Fortify Software Security Center (24.2.0)

Page 302 of 459

User Guide

Chapter 13: Variables, Performance Indicators, and Alerts

Note: Users who are assigned the Manager or Developer role cannot create Fortify

Software Security Center performance indicators.

2. In the pane on the left, under Metrics & Tracking, select Performance Indicators.

The table to the right lists existing performance indicators.

3. Click NEW.

4. In the CREATE NEW PERFORMANCE INDICATOR dialog box, provide the information

described in the following table.

Field

Description

Name

Type a performance indicator name.

(Optional) Type a description of this performance indicator.

Description

Equation

Type a valid Fortify Software Security Center performance indicator

equation.

The format for a performance indicator formula is as follows:

Variable[operator]Variable

where operatorcan be a standard mathematical operator (+, -, *, /), a

comparator (==, >, <), or the ternary operator (?).

Return Type From this list, select the value type to return.

5. After you configure and successfully validate the new performance indicator, click SAVE.

The Performance Indicators table lists your new indicator.

Alert Definitions

Alert definitions can include variables or performance indicators to determine when Fortify

Software Security Center is to generate an alert notification in the Todo List pane of the

Dashboard.

Note: This functionality is available only if a Fortify Software Security Center administrator

has enabled email notifications.

You can configure alert notifications to send email messages about one or more alert

notifications to users assigned to a given application version.

OpenText™ Fortify Software Security Center (24.2.0)

Page 303 of 459

User Guide

Chapter 13: Variables, Performance Indicators, and Alerts

"Enabling and Disabling Receipt of Email Alerts" on page 99

"Deleting Alerts" on page 307

Creating Alerts

You can define alerts for any application versions to which you have been granted access.

To create a Fortify Software Security Center alert:

1. On the OpenText header, click Administration.

2. In the pane on the left, click Templates, and then select Alerts.

The Alerts page displays any alerts defined to date.

3. In the Alerts toolbar, click NEW.

4. In the CREATE NEW ALERT dialog box, in the Name box, type a name for the alert.

5. (Optional) In the Description box, type text that describes what the alert is for.

6. To create the alert without enabling it, clear the Enable Alert check box. To enable this

alert, leave the check box selected.

7. Next to Type, select the type of alert you want to create.

Note: Only administrators can create scheduled alerts.

8. Next to Recipients, do one of the following:

l

To have the alert sent only to you, leave the Me only option selected.

l

To have the alert sent to users assigned to application version assignees, select the

Version assignees option.

l

(For scheduled alerts only) To have the alert sent to all Fortify Software Security Center

users, select All system users.

Note: Regardless of the option you select, you will receive the notification.

9. Provide the information for the alert type you selected, as shown in one of the following

tables.

Performance indicator

a. From the Alert when list, select a performance indicator.

b. From the list of operators, select an operator.

c. Type a numeric value. The type of performance indicator selected determines

whether the value represents an integer or a percentage.

By default, performance indicator alerts are triggered just once, when the

performance indicator value meets the criterion set for Alert when. For example, an

OpenText™ Fortify Software Security Center (24.2.0)

Page 304 of 459

User Guide

Chapter 13: Variables, Performance Indicators, and Alerts

alert with the trigger criterion set to Critical Exposure Issues < 50 is triggered only

once, even if many new critical issues are uncovered in subsequent scans.

d. To have Fortify Software Security Center reset your alert after each new artifact

upload, select the Reset after triggering check box.

Variable

a. From the Alert when list, select a variable.

b. From the list of operators, select the appropriate operator.

c. Type a numeric value. The type of variable you selected determines whether the

value represents an integer or a percentage.

By default, variable alerts are triggered just once, when the variable value meets the

criterion set for Alert when. For example, an alert with the trigger criterion set to

NEWIssues = 0 is triggered only once, even if new issues are uncovered in

subsequent scans.

d. To have Fortify Software Security Center reset your alert after each new artifact

upload, select the Reset after triggering check box.

System event

l

From the Alert when list, select the Fortify Software Security Center system event to

trigger the alert.

Scheduled alert (Administrators only)

Under Alert when, do the following:

a. Use the calendar control to specify the date on which Fortify Software Security

Center is to send the alert.

b. In the two boxes to the right, type the hour and minute (hh:mm) at which to send the

alert.

c. Toggle between AM and PM to determine whether the alert is sent in the morning or

afternoon.

d. From the list of countries and regions, select the country or region to which your

time and date settings apply.

e. From the time zone list, select the time zone to which your time and date settings

apply.

OpenText™ Fortify Software Security Center (24.2.0)

Page 305 of 459

User Guide

Chapter 13: Variables, Performance Indicators, and Alerts

10. If you are creating a performance indicator alert or variable alert, do the following to specify

the application versions for which you want to use the alert:

a. Click ADD.

b. In the SELECT APPLICATION VERSION dialog box, from the APPLICATION list, select

an application for which you want to use the alert.

The VERSIONS pane (center) lists the active versions of the selected application.

c. To include inactive versions of the application in the VERSIONS list, select the Show

inactive check box.

d. To use the alert for all application versions, select the Select all check box. Otherwise,

in the VERSIONS list, select the check boxes for the versions for which you want to use

the alert.

The pane on the right lists the application versions you selected to receive the new

alert.

e. To select versions of another application, repeat steps b through d.

f. Click DONE.

11. In the Message box, type a message to tell recipients why they have received the alert.

Note: If you are creating a scheduled alert, message text is required.

12. Click SAVE.

If you selected Version assignees as recipients, Fortify Software Security Center displays

the following alert:

"Are you sure you want to notify all application versions users? This could potentially notify

a large amount of users every time the alert triggers."

13. To proceed, click OK. Otherwise, click CANCEL, and then select Me Only as the recipient.

Fortify Software Security Center displays the details for your new alert.

See Also

"Deleting Alerts" on the next page

"Configuring Email Alert Notification Settings" on page 97

"Enabling and Disabling Receipt of Email Alerts" on page 99

"Alert Definitions" on page 303

Editing Alerts

To edit a Fortify Software Security Center alert:

1. Log in to Fortify Software Security Center as an Administrator, and then, on the OpenText

header, click Administration.

2. In the pane on the left, click Templates, and then select Alerts.

The Alerts page displays all alerts you have defined.

OpenText™ Fortify Software Security Center (24.2.0)

Page 306 of 459

User Guide

Chapter 13: Variables, Performance Indicators, and Alerts

3. In the Alerts table, locate and select the row for the alert you want to edit.

The row expands to reveal the alert settings.

4. At the bottom right of the alert settings, click EDIT.

5. Make the necessary changes and then click SAVE.

Deleting Alerts

To delete a Fortify Software Security Center alert:

1. Log in to Fortify Software Security Center as an administrator, and on the OpenText

header, select Administration.

2. In the pane on the left, select Templates, and then select Alerts.

The Alerts page displays all alerts you have defined.

3. In the Alerts table, select the check box to the left of the alerts you want to delete.

4. In the Alerts toolbar, click DELETE.

Fortify Software Security Center prompts you to confirm that you want to proceed with the

deletion.

5. Click OK.

"Alert Definitions" on page 303

"Creating Alerts" on page 304

Viewing and Marking Alerts

Fortify Software Security Center flags any unread alerts that either you or another user has set

up for you to receive. These flags are visible in the collapsible pane on the right of

the Dashboard, and on the right end of the OpenText header in every view.

To view your unread alerts, do one of the following:

l

At the right end of the OpenText header, click the red circle that shows the number of unread

alerts.

l

On the Dashboard, in the Todo List section of the collapsible pane, click the red circle that

shows the number of unread alerts.

The ALERTS window opens and lists any unread alerts.

OpenText™ Fortify Software Security Center (24.2.0)

Page 307 of 459

User Guide

Chapter 13: Variables, Performance Indicators, and Alerts

To mark an alert as having been read:

l

In the ALERTS window, select the check box to the left of the alert name, and then click

MARK AS READ.

To mark an alert as unread:

l

In the ALERTS window, select the check box to the left of the alert name, and then click

MARK AS UNREAD.

To view alerts that you have already read:

l

From the View list, select Read.

To view unread alerts:

l

From the View list, select Unread.

To view all of your alerts (read and unread):

l

From the View list, select All.

If you have marked all of your alerts as read, the read alert flag is no longer displayed. To see

these alerts, go to the Dashboard and, in the Todo List section of the collapsible pane, click

Show all alert notifications.

OpenText™ Fortify Software Security Center (24.2.0)

Page 308 of 459

Chapter 14: About Working with Scan Artifacts

The following sections describe all of the various aspects of working with scan artifacts.

Uploading Scan Artifacts

The following procedure describes how to upload your scan artifacts to the Fortify Software

Security Center database. For information about how to submit training metadata to Fortify

Audit Assistant, see "Submitting Training Data to Audit Assistant" on page 376.

Note: As it adds data to the database, Fortify Software Security Center truncates HTTP

responses that contain more than 100,000 characters. Such responses are either cut off at

the end, or contain \n\n...\n\nelsewhere in the response. This does not affect

downloaded scans. It affects only the data displayed on the Fortify Software Security Center

AUDIT page.

Important! The files you upload to Fortify Software Security Center must not exceed 2 GB.

Important! To upload third-party artifacts, you must have the correct parser configured.

For information, see "Adding and Managing Parser Plugins" on page 169.

To upload a scan artifact to the Fortify Software Security Center database:

1. On the Dashboard or, for new applications, the Applications view, move your cursor to the

application version for which you want to upload an artifact, and then select Artifacts from

the shortcut menu.

2. The ARTIFACT HISTORY table lists any and all scan artifacts uploaded for the application

version.

3. Click ARTIFACT.

OpenText™ Fortify Software Security Center (24.2.0)

Page 309 of 459

User Guide

Chapter 14: About Working with Scan Artifacts

4. In the UPLOAD ARTIFACT dialog box, click + ADD FILES.

5. Navigate to and select one or more (up to five) artifact files to upload.

If the Sonatype or Debricked third-party parser is enabled, you can select the artifact type

from a list.

6.

OpenText™ Fortify Software Security Center (24.2.0)

Page 310 of 459

User Guide

Chapter 14: About Working with Scan Artifacts

The UPLOAD ARTIFACT dialog box lists the selected files.

7. To remove a file from the list, click the trash icon for that file. To remove all of the listed

files, click CLEAR.

8. Click START UPLOAD.

The dialog box displays a progress bar as each file is uploaded.

9. After your files are successfully uploaded, click CLOSE.

Note: If a scan artifact requires approval based on analysis result processing rules, it

must be approved before Fortify Software Security Center can process it. For

information, see "Approving Analysis Results for an Application Version" on page 314.

Viewing File Processing Errors

If there was an error in processing an uploaded artifact, the Status column of the ARTIFACT

HISTORY table displays Error Processing, along with a circled number that indicates the

number of processing rules violated.

To view information about the processing rules violated:

l

Click the circled number.

The Artifact Processing Messages box opens to display details about problems encountered

during the upload.

"Setting Analysis Results Processing Rules for Application Versions" on page 260

"Using an Application Identifier to Upload FPR Files" on page 431

"Using an Application Name and Version to Upload FPR Files" on page 432

Viewing Scan Artifact Details

The following procedure describes the details available for uploaded scan artifacts. (For

information about how to upload scan artifacts, see "Uploading Scan Artifacts" on page 309.)

To upload a scan artifact to the Fortify Software Security Center database:

1. On the Dashboard or Applications view, move your cursor to the application version for

which you want to view artifact details, and then select Artifacts from the shortcut menu.

OpenText™ Fortify Software Security Center (24.2.0)

Page 311 of 459

User Guide

Chapter 14: About Working with Scan Artifacts

The ARTIFACT HISTORY table lists all scan artifacts uploaded for the application version.

2. To view details for one of the listed artifacts, click the corresponding row.

The details shown include the analysis engine version, number of files and lines of code

scanned, the analysis date, and more.

If an error occurred in processing the uploaded artifact, the Status column of the

ARTIFACT HISTORY table displays Error Processing. A number on the right indicates the

number of processing rules violated.

3. To view the line(s) of code associated with any processing errors for the scan, click the

circled number ( ).

The SCAN WARNING box displays the line of code where processing rules were violated,

along with a description of the violation.

The field displays the Rulepack versions used in generating the scan.

4. To view a list of the coding rules applied during the scan, grouped by Rulepack version,

click the Rulepacks link.

OpenText™ Fortify Software Security Center (24.2.0)

Page 312 of 459

User Guide

Chapter 14: About Working with Scan Artifacts

Note: If a scan artifact requires approval based on analysis result processing rules, it must

be approved before Fortify Software Security Center can process it. For information, see

"Approving Analysis Results for an Application Version" on the next page.

See Also

"Downloading Scan Artifacts" below

"Purging Scan Artifacts" on page 320

"Setting Analysis Results Processing Rules for Application Versions" on page 260

"Using an Application Identifier to Upload FPR Files" on page 431

"Using an Application Name and Version to Upload FPR Files" on page 432

Downloading Scan Artifacts

From the ARTIFACT HISTORY page, you can download the latest merged FPR file for an

application version, or you can download FPR files that result from individual scans.

Downloading the Merged FPR File for an Application Version

To download the latest merged scan results for an application version in FPR format:

1. On the OpenText header, click Applications.

2. In the Applications view, expand the row for the application and then select the version you

are interested in.

3. On the application version toolbar, click ARTIFACTS.

The ARTIFACT HISTORY table lists all scan artifacts uploaded for the application version.

4. Do one of the following:

l

To download the latest merged scan results for an application version, at the top of the

ARTIFACT HISTORY table, click APPLICATION FILE.

OpenText™ Fortify Software Security Center (24.2.0)

Page 313 of 459

User Guide

Chapter 14: About Working with Scan Artifacts

l

To download the current merged application scan results in FPR format with sources, at

the top of the ARTIFACT HISTORY table, click APPLICATION & SOURCES.

5. To open the scan results in Fortify Audit Workbench, in your Downloads folder, double-

click the downloaded FPR file.

Downloading Individual Scan Results

To download results for a given processed scan:

1. On the OpenText header, click Applications.

2. Expand the row for the application and then select the version you are interested in.

3. On the application version toolbar, click ARTIFACTS.

The ARTIFACT HISTORY table lists all scan artifacts uploaded for the application version.

4. Click the row for the artifact you want to download to expand it and see the artifact details.

5. To download the artifact, click DOWNLOAD.

See Also

"Deleting Artifacts" on page 321

Approving Analysis Results for an Application Version

Depending on the processing rules configured for an application version, and whether the

Rulepack used in processing a scan was outdated (older than the server Rulepacks), analysis

results may require approval. (See "Setting Analysis Results Processing Rules for Application

Versions" on page 260.) If analysis results require approval, this is indicated by an alert icon ( )

next to the version name in the Applications view and by the Requires Approvalvalue in the

Status column of the ARTIFACT HISTORY table.

OpenText™ Fortify Software Security Center (24.2.0)

Page 314 of 459

User Guide

Chapter 14: About Working with Scan Artifacts

Note: If an artifact was uploaded by mistake or, for some other reason, you do not want

Fortify Software Security Center to process the artifact, follow the steps described in

"Denying Processing Approval" below.

To approve analysis results for an application version so that Fortify Software Security Center

can process the artifact:

1. In the Applications view, expand the application row, move your cursor to the version

number, and then select Artifacts from the shortcut menu.

The ARTIFACT HISTORY table lists all scan artifacts uploaded for the selected application

version.

2. Expand a row with the value Requires Approval in the Status column.

3. At the bottom of the expanded section, click APPROVE.

The APPROVE UPLOAD OF ANALYSIS RESULTS dialog box opens. The Processing

Messages section shows an explanation of what, specifically, triggered the approval

requirement.

4. In the Approval Comment box, type a comment to indicate why you are approving these

results.

5. Click APPROVE.

Fortify Software Security Center proceeds to process the artifact.

Denying Processing Approval

If an artifact was uploaded by mistake or, for some other reason, you do not want Fortify

Software Security Center to process the artifact, you can either delete it, or, if you want to retain

a record of the artifact upload, you can deny approval.

To deny approval of an artifact:

1. In the Applications view, expand the application row, move your cursor to the version

number, and then select Artifacts from the shortcut menu.

The ARTIFACT HISTORY table lists all scan artifacts uploaded for the selected application

version.

2. Expand the row for the artifact that requires approval, and which you do not want Fortify

Software Security Center to process.

3. At the bottom of the expanded details section, click DENY.

The DENY UPLOAD OF ANALYSIS RESULTS dialog box opens. The Processing Messages

section lists explanations of what, specifically, triggered the approval requirement.

OpenText™ Fortify Software Security Center (24.2.0)

Page 315 of 459

User Guide

Chapter 14: About Working with Scan Artifacts

4. In the Comment box, type a comment to indicate why you want to deny approval of these

results.

5. Click DENY.

The Status value for the artifact changes to Approval Denied.

Viewing High-Level Summary Results

Fortify Software Security Center offers several ways to view high-level summary results for

application versions from the Fortify Software Security Center Dashboard or from the Overview

page.

Viewing Summary Metrics on the Issue Stats Page

To view summary metrics for application versions (individually and collectively) from the Issue

Stats page:

l

On the OpenText header, select Dashboard.

The following three portlets on the Issue Stats page (the default Dashboard view in Fortify

Software Security Center) displays consolidated metrics for all of the applications to which you

have access:

l

The Issues Remediated portlet shows the total number of issues remediated to date, the

average number of days it took to review them, and the average number of days required to

remediate them.

l

The Issues Pending Review portlet shows the total number of open issues, and the number

of these that have been reviewed.

l

The Application Versions portlet shows the total number of application versions to which

you have access the number of files scanned and the number of lines of code scanned for

those application versions.

The table on the Issue Stats page displays summary metrics for each of the application versions

to which you have access. If you click an application version listed in the table, Fortify Software

Security Center takes you directly to the AUDIT page for that application version.

Together, the portlets and table enable you to see how quickly issues are being reviewed and

remediated.

Viewing Summary Metrics on the CHART Page

You can view a graphical representation of summary metrics for individual application versions

from the CHART page.

To view summary metrics for application versions from the Chart page:

1. On the Dashboard toolbar, click CHART.

Fortify Software Security Center opens to the REVIEWED tab.

OpenText™ Fortify Software Security Center (24.2.0)

Page 316 of 459

User Guide

Chapter 14: About Working with Scan Artifacts

2. In the list of application versions, move your cursor to a colored bar for an application

version.

Fortify Software Security Center shows the summary findings for the version. In the example

shown here, the pie chart of the left shows the security ratings for the 97% of findings (779 of

805) that have been audited to date for this application version. The chart on the right shows

the percentage of findings audited (97) and the percentage of the total that has yet to be

audited (3).

Note: To go from here to the AUDIT page for the application version, click AUDIT.

Viewing Summary Metrics on the Overview Page

To view high-level summary results for an application version from the Overview page:

1. On the Fortify Dashboard, hover your cursor over the link for the version you are interested

in, and then select Overview from the shortcut menu.

2. On the Overview page, if the pane on the right is collapsed, expand it.

OpenText™ Fortify Software Security Center (24.2.0)

Page 317 of 459

User Guide

Chapter 14: About Working with Scan Artifacts

The Version Progress section displays summary information with trending arrows.

3. To display a metric other than Fortify Security Rating, click the edit icon , and then select

a different metric to display from the list.

See Also

"Deleting Artifacts" below

Viewing Issue Metadata

To view metadata for an issue:

OpenText™ Fortify Software Security Center (24.2.0)

Page 318 of 459

User Guide

Chapter 14: About Working with Scan Artifacts

1. Navigate to the AUDIT page for the application version of interest.

2. In the issues table, if you have selected a grouping, expand a group to view issues it

contains.

3. Click the row that displays the issue name.

The Code tab displays an overview of the issue, the Analysis value (if set), the stack trace,

and the section of code in which the issue was uncovered.

4. At the bottom left of the issue details section, click METADATA.

The METADATA box displays the unique issue identifier (Instance ID), the unique identifier

for the rule that generated the issue (Primary Rule ID), priority metadata values, and legacy

priority metadata values.

Note: The instance ID displayed is unique to the specific application version and is not

associated with any other Fortify Software Security Center application versions.

5. To go to the website that provides detailed information about software security errors,

select the Fortify Taxonomy: Software Security errors link.

Mapping Scan Results to External Lists

Fortify distributes an external metadata document with Rulepacks. This document includes

mappings from the Fortify categories to alternative categories (such as OWASP 2010, PCI, or

CWE). Security leads can create their own files to map issues to different taxonomies, such as

internal application security standards or additional compliance obligations.

OpenText™ Fortify Software Security Center (24.2.0)

Page 319 of 459

User Guide

Chapter 14: About Working with Scan Artifacts

Note: For detailed information about how to create custom mappings, see the OpenText™

Fortify Static Code Analyzer Custom Rules Guide.

To apply the modified or new external metadata document across all applications, you must first

import it into Fortify Software Security Center.

To import a new or modified external metadata document into Fortify Software Security Center:

1. Log in as Administrator, and then, on the OpenText header, click the Administration tab.

2. In the left pane, under Metrics &Tracking, select Rulepacks.

3. In the upper right corner of the Rulepacks page, click IMPORT.

4. In the IMPORT RULEPACK dialog box, click + ADD FILES.

5. Navigate to and select your document, and then click START UPLOAD.

If you are conducting a collaborative audit between Fortify Software Security Center and Audit

Workbench, you can import the changed mapping document to Fortify Software Security

Center, and then open the FPR file in Audit Workbench to see how the mapping works with the

scan results.

Purging Scan Artifacts

Purging an artifact recovers space from the Fortify Software Security Center database by

removing the uploaded artifact, the temporary results of artifact processing, and the cross-

reference information for source files.

Before you purge artifacts for an application version, consider the following:

l

After the purge, you cannot delete the purged artifacts, or the earliest artifact not purged.

l

Purging does not affect any issue-base metrics in the system.

l

If you have custom reports, consult Customer Support (https://www.microfocus.com/support)

first to determine whether an artifact purge will affect them.

l

Purging removes all artifacts that have the same or earlier analysis date.

You can purge an artifact if it meets all of the following conditions:

l

It has not already been purged.

l

It does not contain just one scan generated from a given analysis engine type. For example, if

only one Fortify Static Code Analyzer-generated artifact exists for an application version, you

cannot purge it. If two artifacts from the same analysis engine were uploaded for the

application version, you can purge only the older of the two artifacts.

l

Its status is one of the following:

l

PROCESS_COMPLETE

l

ERROR_PURGING

l

ERROR_DELETING

You cannot purge an artifact if:

OpenText™ Fortify Software Security Center (24.2.0)

Page 320 of 459

User Guide

Chapter 14: About Working with Scan Artifacts

l

It is being processed

l

An error occurred during processing

l

It contains the latest scan for the analysis engine type.

To purge a scan artifact from the Fortify Software Security Center database:

1. From the Dashboard, move your cursor to the application version with artifacts that you

want to purge, and then select Artifacts from the shortcut menu.

The ARTIFACT HISTORY table lists all scan artifacts uploaded for the application version.

2. Click the row that displays the artifact you want to purge from the database.

The table expands to show the details for the selected artifact.

3. Below the artifact details, click PURGE.

Fortify Software Security Center prompts you to confirm that you intend to purge the

artifact.

4. Click OK.

See Also

Deleting Artifacts

Deleting an artifact removes all traces of the artifact. Use this option if you upload an artifact by

mistake.

OpenText™ Fortify Software Security Center (24.2.0)

Page 321 of 459

User Guide

Chapter 14: About Working with Scan Artifacts

Note: You cannot delete an artifact that is being processed or one that has already been

purged.

To delete a scan artifact from the Fortify Software Security Center database:

1. From the Dashboard, move your cursor to the application version with artifacts that you

want to delete, and then select Artifacts from the shortcut menu.

The ARTIFACT HISTORY table lists all scan artifacts uploaded for the application version.

2. Click the row that displays the scan artifact you want to delete.

The table expands to show the details for the selected artifact.

3. Below the artifact details, click DELETE.

Fortify Software Security Center prompts you to confirm that you want to delete the

artifact.

4. Click OK.

See Also

"Purging Scan Artifacts" on page 320

OpenText™ Fortify Software Security Center (24.2.0)

Page 322 of 459

Chapter 15: Collaborative Auditing

When an analysis engine (analyzer such as Fortify Static Code Analyzer) scans source code, all

of its discoveries are presented as potential vulnerabilities, not actual vulnerabilities. Because

every application is unique and all functionality runs within a particular context understood best

by the development team, no technology can fully determine if a suspect behavior should be

considered a vulnerability without direct developer confirmation.

Issue audits, whether performed in Fortify Software Security Center or Audit Workbench, or by

Audit Assistant, accomplish the following:

l

Condense and focus application information

l

Enable the security team to collaboratively decide which issues represent real vulnerabilities

l

Enable the security team to collaboratively prioritize issues based on vulnerability

Fortify Software Security Center uses issue templates to categorize and display issues.

Fortify Software Security Center provides a web-based collaborative environment for auditing

issues associated with Fortify Software Security Center applications. The following sections

provide an overview of the auditing process and instructions on how to display and use the

auditing interface.

The information in these topics is presented based on the assumption that you know how to

create and configure Fortify Software Security Center application versions. (For information

about Fortify Software Security Center applications and application versions, see "Applications

and Application Versions" on page 225.)

Topics covered in this section:

About Current Issues State

Viewing Information About Issues to Audit

Viewing Issues Based on Folders

Viewing Issues Assigned to You

Filtering Issues for Display on the OVERVIEW and AUDIT Pages

Searching Issues

Search Modifiers

Search Query Examples

Auditing Scan Results

Auditing Correlated Issues

About Suppressed, Removed, and Hidden Issues

Changing Displayed Issues Using Filter Sets

OpenText™ Fortify Software Security Center (24.2.0)

Page 323 of 459

User Guide

Chapter 15: Collaborative Auditing

Overriding Assigned Issue Priority

Viewing Bugs Submitted for Issues

Auditing a Batch of Issues

About Prediction Policies

Audit Assistant Workflow

About Audit Assistant

Updating the Fortify Audit Assistant Configuration

Configuring Audit Assistant

Getting a Fortify Audit Assistant Authentication Token

Configuring Audit Assistant Options for an Application Version

Enabling Auto-Apply and Auto-Predict for an Application Version

Mapping Audit Assistant Analysis Tag Values to Fortify Software Security Center Custom

Reviewing Audit Assistant Results

About Audit Assistant Training

Searching Globally in Fortify Software Security Center

About Susceptibility Analysis of Web Applications

Susceptibility Analysis Requirements

Typical Workflow to Optimize Results for an Application

Exporting Open Source Data

Integrating Fortify Software Security Center with Fortify WebInspect Enterprise

Viewing Fortify WebInspect Scan Results in Fortify Software Security Center

WebInspect Audit Data

False Positives

Submitting Dynamic Scan Requests to Fortify WebInspect Enterprise

Processing Dynamic Scan Requests from Fortify WebInspect Enterprise

Editing and Cancelling Dynamic Scan Requests

Viewing Open Source Data

Viewing Open Source Data from the AUDIT Page

Viewing Open Source Data from the OPEN SOURCE Page

OpenText™ Fortify Software Security Center (24.2.0)

Page 324 of 459

User Guide

Chapter 15: Collaborative Auditing

Downloading a Debricked SBOM

392

About Current Issues State

Fortify Software Security Center keeps track of which analysis engine (analyzer) uncovers each

issue in an application version and merges any new information into the existing body of results

for the application version. After new audit information is uploaded to the server or entered on

the AUDIT page, Fortify Software Security Center merges that information into any existing

audit information for a given issue. Fortify Software Security Center also marks an issue as

removed after the analysis engine no longer finds the issue.

Whenever new scan results are uploaded, Fortify Software Security Center checks every issue to

determine whether it was uncovered in a previous scan.

Viewing Information About Issues to Audit

To display the issues you want to audit:

1. Upload scan results for the application version you want to audit (see "Uploading Scan

Artifacts" on page 309).

2. Open the AUDIT page for the application version.

3. To selectively display the issues you want to audit, apply filters to the issues list. (See

"Filtering Issues for Display on the OVERVIEW and AUDIT Pages" on page 329 and

"Viewing Issues Based on Folders" on page 327 .)

4. In the issues table, if you have selected a grouping, expand a group to view the issues it

OpenText™ Fortify Software Security Center (24.2.0)

Page 325 of 459

User Guide

Chapter 15: Collaborative Auditing

contains.

The following table lists the columns in the issues table and a description of each. To sort listed

issues, click a column heading.

Note: You cannot sort the Contains attachment ( ), Contains comments ( ), or Bug

submitted ( ) columns.

Column

Description

Category

Displays the category of issue uncovered (Sort is alpha-

numeric.)

Primary Location

Shows the file scanned and line of code on which the issue

was detected (Sort is alpha-numeric.)

Analysis Type

Priority

Displays the analysis engine used in the scan

Shows the relative threat the issue represents (Sort is from

high to low or low to high priority.)

Tagged

Displays the custom tag value applied to the issue, if any

Indicates whether any attachments are associated with the

issue

Attachments

Indicates whether any comments were added to the issue

Contains comments

Bug submitted

Indicates whether any defects were submitted against the

issue

OpenText™ Fortify Software Security Center (24.2.0)

Page 326 of 459

User Guide

Chapter 15: Collaborative Auditing

Column

Description

Indicates that static and dynamic results for the issue are

correlated. If they are, the issue is listed twice in the table,

once for each analysis type.

Has correlated issues

If either a subsequent static scan or dynamic scan shows

an issue was fixed, the correlation icon is removed.

(Sort displays correlated issues first or last.)

See Also

"Searching Issues" on the next page

Viewing Issues Based on Folders

The OVERVIEW and AUDIT pages include Critical, High, Medium, Low, and All links, which you

can use to view issues based on their assignment to a Fortify folder. By default, the folders

correspond to Fortify priority values (and the potential risk they pose to the enterprise),

However, the folders displayed can include any custom folders created in and added to a filter

set (and then an issue template) from Fortify Audit Workbench (see the Fortify Audit

Workbench User Guide).

Note: When editing or creating filter sets and folders in Fortify Audit Workbench, be aware

that the search modifiers used by Fortify Audit Workbench and Fortify Software Security

Center may not match. Not all searches, filters, or folders based on search expressions will

produce the same results. In addition, if your search expression contains an external

metadata categories such as OWASP or CWE, your results might not match because the

expressions may differ on Fortify Software Security Center and Fortify Audit Workbench.

When there are multiple matched external categories, Fortify Software Security

Centermatches any of them, but Fortify Audit Workbench expects an exact match of all

external categories. If you encounter this issue when editing or creating issue templates for

use in Fortify Software Security Center, contact Customer Support for assistance.

To view issues from the OVERVIEW page based on Fortify folder assignment:

1. On the Dashboard, hover your cursor over the version number of the application of interest,

and then select Overview.

OpenText™ Fortify Software Security Center (24.2.0)

Page 327 of 459

User Guide

Chapter 15: Collaborative Auditing

The OVERVIEW page for the application version opens. To the left of the Group by and

Filter by lists, the you can see the total number of issues in their respective folders. By

default, all issues are shown. (If you select attributes to filter by, the numbers displayed for

the folders changes accordingly.)

2. To see the number of issues in a folder that have been reviewed, move your cursor to the

folder.

The number of reviewed issues is on the left, and the total number of issues is on the right.

In the example shown here, you can see that 79 of 84 total high priority issues were

reviewed.

3. To view issue charts on the OVERVIEW page based on an assigned folder, select the folder

or the folder label.

To view issues from the AUDIT page based on Fortify folder assignment:

1. On the Dashboard, hover your cursor over the version number of the application of interest,

and then select Audit.

The OVERVIEW page for the application version opens. Below the search field, you can see

the number of issues in their respectiveassigned folders. By default, all issues are shown. (If

you select attributes to filter by, the numbers displayed for the folders changes

accordingly.)

2. To see the number of issues assigned to a given folder that have been reviewed, move your

cursor to the folder.

The number of reviewed issues is on the left, and the total number of issues is on the right.

In the example shown here, 79 of 84 total high priority issues were reviewed.

3. To list issues on the AUDIT page based on folder assignment, select the folder.

OpenText™ Fortify Software Security Center (24.2.0)

Page 328 of 459

User Guide

Chapter 15: Collaborative Auditing

Viewing Issues Assigned to You

To view all issues assigned to you:

1. On the OpenText header, click Applications.

2. Select the My assigned issues check box.

The Applications view lists the application versions and shows the number of issues for

each that are assigned to you. If Fortify Software Security Center finds no issues assigned

to you, it displays a message to let you know.

Filtering Issues for Display on the OVERVIEW and AUDIT

Pages

Use the following steps to filter issues for display for an application version from either the

OVERVIEW page or from the AUDIT page.

Note: You can also select a filter set to change the issues displayed on the OVERVIEW and

AUDIT pages. For information and instructions, see "Changing Displayed Issues Using Filter

Sets" on page 348.

To filter issues for display on the OVERVIEW or AUDIT page:

1. From the Group by list, select the attribute to use to group the issues in the issues table.

(To remove the selected attribute, click the Clear all icon.)

2. From the Filter by list, select the attributes to use to filter the issues for display in the

issues table. You can select multiple attributes from this list. (You must select attributes

one at a time.)

(To remove a selected attribute, click the x icon next to its name. To remove all selected

attributes, click the Clear all icon.)

OpenText™ Fortify Software Security Center (24.2.0)

Page 329 of 459

User Guide

Chapter 15: Collaborative Auditing

3. To filter issues based on values for a custom tag other than Analysis, or based on risks

related to OWASP, WASC, or other security threat classifications:

a. Click the Advanced link which is located under the Filter by list.

b. In the ADVANCED ISSUE FILTERS window, from the Select filter category list, select a

category. To refine the categories listed, type a text string in the Filter categories box,

and then click FIND.

The Select filters list is populated with the filters available for the selected category.

c. To refine the Select filters list further, type a text string in the Filter options box, and

then click FIND.

The Select filters list displays the filters that contain the matching text.

To see the complete list of filters again, click the x in the Filter categories box.

OpenText™ Fortify Software Security Center (24.2.0)

Page 330 of 459

User Guide

Chapter 15: Collaborative Auditing

d. In the Select filters list, click each of the filters you want to add to the Selected filters

list to the right.

e. To add filters for another filter category, repeat these steps.

f. Click APPLY.

The Filter by box now displays all of the filters you have selected.

4. To remove one of the filters, click the close symbol to its left.

5. To clear all Group by, Filter by, and advanced filter selections, click CLEAR ALL.

6. For information about viewing correlated issues, see "Auditing Correlated Issues" on

page 344.

See Also

"Viewing Issues Based on Folders" on page 327

"Searching Globally in Fortify Software Security Center" on page 377

OpenText™ Fortify Software Security Center (24.2.0)

Page 331 of 459

User Guide

Chapter 15: Collaborative Auditing

Searching Issues

You can create search queries to refine the list of issues displayed for an application version.

To create a query to search issues:

1. In the application version summary table on the Dashboard, move your cursor to the

application version of interest, and then select Audit.

2. In the Search Issues box, type a search query using the following syntax. To indicate the

type of comparison to perform, wrap search terms with delimiters.

Comparison

contains

equals

Description

Searches for a term without any special qualifying delimiters

Searches for an exact match if the term is enclosed in quotation marks

( )

""

number range

not equal

Uses standard mathematical syntax, such as “(” and “)” for exclusive

range and “[” and “]” for inclusive range where (2,4]means greater

than two less than or equal to four

Excludes issues specified by the string by preceding the string with an

exclamation character (!) Example: file:!Main.javareturns all

issues that are not in Main.java

Note: To see example search strings, click the Syntax Guide link.

You can further qualify your search terms with modifiers using the syntax

modifier:<search_term>. (See "Search Modifiers" on the next page.)

Note: If an application version is assigned a date-type custom tag, and you want to

search for issues based on that tag, use one of the following formats:

OpenText™ Fortify Software Security Center (24.2.0)

Page 332 of 459

User Guide

Chapter 15: Collaborative Auditing

l

To search for date tags that have no value set:

l

To search for date tags that have a (any) date set:

To search for date tags with a specific date:

<DateCustomTag>: yyyy-mm-dd

A search string can contain multiple modifiers and search terms. If you specify more than

one modifier, Fortify Software Security Center returns only issues that match all of the

modified search terms. For example, file:ApplicationContext.java category:SQL

Injectionreturns only SQL injection issues found in ApplicationContext.java.

If you use the same modifier more than once in a search string, then the search terms

qualified by those modifiers are treated as an OR comparison. For example,

file:ApplicationContext.java category:SQL Injection category:Cross-

Site Scriptingreturns SQL injection issues and cross-site scripting issues found in

ApplicationContext.java.

For complex searches, you can also insert the ANDor the ORkeyword between your search

queries. Note that ANDand ORoperations have the same priority in searches.

3. Click Find.

Fortify Software Security Center lists all issues that match your search string.

4. To return to the complete issues list, clear the text in the search box.

"Search Query Examples" on page 336

"Searching Globally in Fortify Software Security Center" on page 377

Search Modifiers

You can use a search modifier to specify which attribute of an issue the search term should

apply to. To use a modifier that contains a space in the name, such as the name of the custom

tag, you must delimit the modifier with brackets. For example, to search for issues that are new,

enter [issue age]:new.

A search that you do not qualify using a modifier matches the search string based on the

following attributes: kingdom, primary rule id, analyzer, filename, severity, class name, function

name, instance id, package, confidence, type, subtype, taint flags, category, sink, and source.

To apply the search to all modifiers, enter a string such as control flow. This searches all

modifiers and returns any result that contains the specified string.

To apply the search to a specific modifier, type the modifier name and the string as follows:

analyzer:control flow. This returns all results whose analyzer is control flow.

OpenText™ Fortify Software Security Center (24.2.0)

Page 333 of 459

User Guide

Chapter 15: Collaborative Auditing

The following table lists the search modifiers. A few of these have a shortened names, which are

indicated in parentheses. You can use either modifier string.

Modifier

Description

[issue age]

Searches for the issue age, which is new, updated,

reintroduced, or removed.

Searches the specified custom tag. Note that tag names

that contain spaces must be delimited by square

brackets.

<custom_tagname>

Example: [my tag]:value

Searches for issues that have the specified audit analysis

analysis

value (such as exploitable, not an issue, and so on).

Searches the issues for the specified analyzer

analyzer

audience

Searches for issues by intended audience. Valid values

are targeted, medium, and broad.

Note: This metadata is legacy information that is no

longer used and will be removed in a future release.

Fortify recommends that you not use this search

modifier.

audited

Searches the issues to find trueif the primary custom

tag is set and falseif the primary custom tag is not set.

The default primary tag is the Analysis tag.

Searches for the given category or category substring.

category (cat)

Searches for issues that contain the search term in the

comments that have been submitted on the issue.

comments

(comment, com)

Searches for issues with comments from the specified

user.

commentuser

Searches for issues that have the specified confidence

value. Fortify Static Code Analyzer calculates the

confidence value based on the number of assumptions

made in code analysis. The more assumptions made, the

confidence (con)

OpenText™ Fortify Software Security Center (24.2.0)

Page 334 of 459

User Guide

Chapter 15: Collaborative Auditing

Modifier

Description

lower the confidence value.

[engine priority]

Searches for issues based on the original priority value

determined by the engine that identified the issue.

Searches for issues where the primary location or sink

node function call occurs in the specified file.

file

Searches for issues that have a priority level that

matches the specified priority. Valid values are

[fortify priority order]

critical, high, medium, and low.

Searches for issues that have audit data modified by the

specified user.

historyuser

Searches for all issues in the specified kingdom.

kingdom

maxconf

Searches for all issues that have a confidence value equal

to or less than the number specified as the search term.

Searches the specified metadata external list. Metadata

external lists include [OWASP Top 10 2013], [SANS Top

25 2011], and [PCI <version>], and others. Square braces

delimit field names that include spaces.

<metadata_listname>

Searches for all issues that have a confidence value equal

to or greater than the number specified as the search

term.

minconf

Searches for issues where the primary location occurs in

the specified package or namespace. For dataflow issues,

the primary location is the sink function.

package

Searches for issues where the primary location or sink

node function call occurs in the specified code context.

Also see sink and [source context].

[primary context]

Searches for all issues related to the specified sink rule.

primaryrule (rule)

sink

Searches for issues that have the specified sink function

name. Also see [primary context].

OpenText™ Fortify Software Security Center (24.2.0)

Page 335 of 459

User Guide

Chapter 15: Collaborative Auditing

Modifier

Description

Searches for dataflow issues that have the specified

source function name. Also see [source context].

source

Searches for dataflow issues that have the source

function call contained in the specified code context

[source context]

sourcefile

status

Also see source and [primary context].

Searches for dataflow issues with the source function call

that the specified file contains.

Also see file.

Searches issues that have the status reviewed, not

reviewed, or under review.

Searches for suppressed issues.

suppressed

taint

Searches for issues that have the specified taint flag.

For examples of search queries that use modifiers, see "Search Query Examples" below.

See Also

"Searching Issues" on page 332

Search Query Examples

The following are search query examples that use search modifiers.

l

To search for all privacy violations in file names that contain jspwith getSSN()as a source,

type:

category:"privacy violation" source:getssn file:jsp

l

To search for all file names that contain com/fortify/ssc, type:

file:com/fortify/ssc

l

To search for all issues that contain cleanseas part of any modifier, type:

cleanse

l

To search for all audited issues that have the [my tag]assigned and set to P1, type:

[my tag]:P1

l

To search for all suppressed vulnerabilities with asdfin the comments, type:

suppressed:true comments:asdf

OpenText™ Fortify Software Security Center (24.2.0)

Page 336 of 459

User Guide

Chapter 15: Collaborative Auditing

l

To search for all categories except for SQL Injection, type:

category:!SQL Injection

l

To search for all issues in file names that contain either javaor jsp, type:

filename:java OR filename:jsp

l

To search for all issues in file names that contain java and that occur on line number 12,

type:

filename:java AND line:12

See Also

"Searching Issues" on page 332

"Search Modifiers" on page 333

Auditing Scan Results

Note: The following procedure describes how to audit scan results from the AUDIT page. If

you are working with open source results, you can audit these from either the AUDIT page

or from the OPENSOURCE page.

To display the issues you want to audit:

1. Upload scan results for the application version you want to audit. For instructions, see

"Uploading Scan Artifacts" on page 309.

2. Open the AUDIT view for the application version.

The table in the AUDIT view lists issues based on their assigned folders (by default, critical

to low).

3. To selectively display the issues you want to audit, apply filters to the issues list. (See

"Filtering Issues for Display on the OVERVIEW and AUDIT Pages" on page 329 and

"Viewing Issues Based on Folders" on page 327 .)

4. In the issues table, if you have selected an attribute to group by, expand a group to view

OpenText™ Fortify Software Security Center (24.2.0)

Page 337 of 459

User Guide

Chapter 15: Collaborative Auditing

the issues it contains.

To audit an issue:

1. To expand an issue and view its details, click its row in the table.

The following screen capture shows the details for an issue uncovered during a Fortify

Static Code Analyzer scan. For information about viewing Fortify WebInspect results, see

"Viewing Fortify WebInspect Scan Results in Fortify Software Security Center" on page 382.

Tip: To view the details for the issue in a new browser window, click the Open in a new

tab button ( ). To copy the issue link so that you can easily access it later, click the

Copy issue link to clipboard button ( ).

OpenText™ Fortify Software Security Center (24.2.0)

Page 338 of 459

User Guide

Chapter 15: Collaborative Auditing

The CODE tab displays the path the tainted data have taken in the source code associated

with the issue.

2. To view summary details about a step along the course that tainted data has taken, under

Analysis Trace, move your cursor to that step.

3. To view code associated with a step, click the step under Analysis Trace.

The corresponding line of code is highlighted on the CODE tab.

4. To search for a specific string in the code associated with the issue:

a. At the top right of the CODE tab, click the search icon .

b.

In the text box displayed, type a character string. Use the next

icons to move through the search results.

and previous

OpenText™ Fortify Software Security Center (24.2.0)

Page 339 of 459

User Guide

Chapter 15: Collaborative Auditing

5. To view any audit history available for the issue, in the right pane, select the HISTORY tab.

6. To see an issue overview, details about the finding, recommendations for remediation, issue

metadata, references to additional resources, and implications for your application version,

in the right pane, select the INFO tab.

7. To expand a row and view a class of information, select the corresponding arrow ( ).

OpenText™ Fortify Software Security Center (24.2.0)

Page 340 of 459

User Guide

Chapter 15: Collaborative Auditing

8. When you have enough information to start your audit, in the right pane, select the AUDIT

tab.

9. (Optional) To exclude an issue from display because you know it is fixed or it is not of

immediate concern, click SUPPRESS.

10. (Optional) If your administrator has configured application security training in Fortify

Software Security Center (see "Configuring Application Security Training" on page 83) you

can click GET TRAINING to get contextually-appropriate guidance on how to mediate the

selected issue. A message advises you that you are about to leave Fortify Software Security

Center. Click OK.

Fortify Software Security Center opens the application security training website in a new

browser tab that displays training content based on the category, subcategory, and

language of the selected issue.

Note: After a file is attached to an issue, you can modify only its description.

11. To attach a file to the issue:

OpenText™ Fortify Software Security Center (24.2.0)

Page 341 of 459

User Guide

Chapter 15: Collaborative Auditing

a. In the left pane, click ATTACHMENTS.

b. Click CLICK HERE TO ADD.

c. In the UPLOAD ATTACHMENT dialog box, click BROWSE, and then navigate to and

select the file to upload.

Supported file formats are TXT, LOG, DOC, DOCX, PDF, PPT, PPTX, JPG, JPEG, BMP,

PNG, TIFF, GIF, ZIP, GZIP, TAR, and 7ZIP. (Documents in XML format are not

supported.)

Note: The file size must not exceed 3 MB.

d. (Optional) In the Description box, type a description of the file.

e. Click SAVE.

If you attached an image file, Fortify Software Security Center displays a preview of the

image on the right, under Image Preview.

12. Click CODE, and then, in the right pane, select the AUDIT tab.

OpenText™ Fortify Software Security Center (24.2.0)

Page 342 of 459

User Guide

Chapter 15: Collaborative Auditing

13. To assign a user to the issue:

a. Under USER, click the Edit assigned user icon .

b. To locate a user to assign to the issue from the SELECT USER dialog box, in the Find

user box, type part or all of a user's name, and then click FIND.

c. In the list of returned names, click the name of the user to assign to the issue.

d. Click DONE.

Note: To remove the assigned user and revert to Not assigned, click the Unassign

User icon . Alternatively, to replace the assigned user with a different user, select

the Edit assigned user icon and select the preferred user.

The AUDIT tab now displays the selected user name and avatar (if available).

14. From the <Primary_Tag_Name> list, select a value that reflects your assessment of this

issue. Fortify Software Security Center treats the issue as unaudited.

OpenText™ Fortify Software Security Center (24.2.0)

Page 343 of 459

User Guide

Chapter 15: Collaborative Auditing

15. If additional custom tags are associated with the application version, specify the values for

those tags.

Note: If an administrator specified that a comment is required for a custom tag you

assign, then you must type a comment in the box outlined in red, which appears under

the custom tag value list.

Note: If Audit Assistant assessed the issues, the right pane displays additional fields

AA_Prediction, AA_Confidence, and AA_Training). For information about how to use

these fields, see "Reviewing Audit Assistant Results" on page 374.

16. In the COMMENTS box, type a comment about this issue audit. (After you save your audit

settings, the COMMENTS section lists your comment, as well as any other comments

previously saved.)

17. At the bottom of the AUDIT tab, click SAVE.

Auditing Correlated Issues

If the artifacts uploaded for the application version include results from both static (Fortify

Static Code Analyzer) and dynamic (WebInspect) analyses, some issues may be correlated with

one another.

If an issue is correlated with one or more other issues uncovered using a different analysis

engine, the Has correlated issues icon is displayed, along with the number of correlated issues

that either target or originate from the selected issue.

To list issues that are correlated with other issues at the top of the table, click the Has

correlated issues icon twice.

OpenText™ Fortify Software Security Center (24.2.0)

Page 344 of 459

User Guide

Chapter 15: Collaborative Auditing

The number shown in the blue circle indicates how many issues are correlated with an issue.

To list the correlated issue or issues:

l

Click the circle or the Has correlated issues icon,

You can audit the listed issues as described in "Auditing Scan Results" on page 337.

Note: If, following an audit, a developer fixes the root problem uncovered in one issue, the

remaining correlated issues may also be fixed.

To return to the complete issues table, to the right of the Filter by list, click CLEAR ALL.

"About Audit Assistant" on page 357

About Suppressed, Removed, and Hidden Issues

You can control whether the issues pane lists suppressed, removed, and hidden issues.

Suppressed issues

As you assess successive scans of an application version, you might want to completely

suppress some exposed issues. It is useful to mark an issue as suppressed if you are sure that

the specific vulnerability is not, and will never be, an issue of concern. You might also want to

suppress warnings for specific types of issues that might not be high priority or of immediate

concern. For example, you can suppress issues that are fixed, or issues that you plan not to fix.

Suppressed issues are not included in the Total Issues value shown in the Version Progress

section of the expandable pane of the OVERVIEW page. Suppressed issues are also not included

in the calculation of application version metrics. For information about how to suppress an issue,

see "Auditing Scan Results" on page 337. For information on how to see suppressed issues, see

"Setting Issue Viewing Preferences" on the next page.

OpenText™ Fortify Software Security Center (24.2.0)

Page 345 of 459

User Guide

Chapter 15: Collaborative Auditing

Removed issues

As multiple scans are run on an application over time, issues are often remediated or become

obsolete. As Fortify Software Security Center merges scan results, it marks issues that were

uncovered in a previous scan, but are no longer evident in the most recent analysis results as

Removed.

Removed issues are not included in the Total Issues value shown in the Version Progress

section of the expandable pane on the OVERVIEW page. For information on how to see

removed issues, see "Setting Issue Viewing Preferences" below.

Hidden issues

In Fortify Audit Workbench, users typically hide a group of issues temporarily so that they can

focus on other issues. For example, you might hide all issues except those assigned to you.

For information on how to see hidden Issues, see "Setting Issue Viewing Preferences" below.

Setting Issue Viewing Preferences

You can set certain viewing preferences for individual application versions from the Application

Profile dialog box.

Viewing Suppressed Issues

To view the suppressed issues associated with an application version:

1. From the Dashboard or Applications view, select the version for the application version you

are interested in.

Fortify Software Security Center opens the AUDIT page for the selected version.

2. On the application version toolbar, click PROFILE.

OpenText™ Fortify Software Security Center (24.2.0)

Page 346 of 459

User Guide

Chapter 15: Collaborative Auditing

The APPLICATION PROFILE dialog opens to the ADVANCED OPTIONS tab.

Below the check boxes, the Issue counts by state, based on current selections shows the

number of hidden, suppressed, and removed issues in the database associated with the

selected application version.

Note: The filter set you select does not affect the number of suppressed issues shown.

For example, if a suppressed issue is hidden in the selected filter set, it is still included

in the count of suppressed issues.

3. Select the Show suppressed issues check box.

4. Click APPLY, and then click CLOSE.

Now, the AUDIT page displays all suppressed issues. Each suppressed issue is tagged with an

"S" icon in the Primary Location column.

Viewing Removed Issues

When Fortify Software Security Center merges uploaded scan results, it removes issues that

were uncovered in the previous analysis but are no longer evident in the most recent results.

To view the issues that were removed for an application version:

1. From the Dashboard or Applications view, select the version name for the application

version you are interested in.

Fortify Software Security Center opens the AUDIT page for the selected version.

2. On the application version toolbar, click PROFILE.

The APPLICATION PROFILE dialog opens to the ADVANCED OPTIONS tab.

Below the check boxes, the Issue counts by state, based on current selections shows the

number of hidden, suppressed, and removed issues in the database associated with the

selected application version.

Note: The filter set you have selected does not affect the number of removed issues

shown. For example, if a suppressed issue is hidden in the selected filter set, it is still

included in the count of removed issues.

3. Select the Show removed issues check box.

4. Click APPLY, and then click CLOSE.

OpenText™ Fortify Software Security Center (24.2.0)

Page 347 of 459

User Guide

Chapter 15: Collaborative Auditing

Now, the AUDIT page displays all removed issues. Each removed issue is tagged with an "R" icon

in the Primary Location column.

Viewing Hidden Issues

In Fortify Software Security Center, hidden issues are the issues that are not shown because of

the filter set rules currently in effect.

To reveal any hidden issues associated with an application version:

1. From the Dashboard or Applications view, select the version for the application version you

are interested in.

Fortify Software Security Center opens the AUDIT page for the selected version.

2. On the application version toolbar, click PROFILE.

The APPLICATION PROFILE dialog opens to the ADVANCED OPTIONS tab.

Below the check boxes, the Issue counts by state, based on current selections shows the

number of hidden, suppressed, and removed issues in the database associated with the

selected application version.

3. Select the Show hidden issues check box.

4. Click APPLY, and then click CLOSE.

Now, the AUDIT page displays all hidden issues. Each hidden issue is tagged with an "H" icon in

the Primary Location column.

Changing Displayed Issues Using Filter Sets

Note: The filter sets listed depend on the issue template assigned to the application

version. The three filter sets shown here are included in the issue templates that Fortify

provides. However, you can use other issue templates that have different filter set names

and filter conditions.

Fortify Software Security Center provides the following filter sets for changing the display of

application version issues on the OVERVIEW, AUDIT, and OPEN SOURCE pages:

OpenText™ Fortify Software Security Center (24.2.0)

Page 348 of 459

User Guide

Chapter 15: Collaborative Auditing

l

Quick View

The Quick View filter set provides a view of issues in the Critical folder (these have a

potentially high impact and a high likelihood of occurring) and the High folder (these have a

potentially high impact and a low likelihood of occurring). This filter set provides a useful first

look at results that enables you to quickly address the most pressing issues.

l

Security Auditor View

This view reveals a broad set of security issues to be audited. The Security Auditor View filter

contains no visibility filters, so all issues are shown.

l

PCI Auditor View

This view is defined for individuals responsible for auditing an application with respect to its

compliance with Payment Card Industry Security Standards.

Overriding Assigned Issue Priority

When scan results are parsed and loaded into Fortify Software Security Center, the scan parser

for each supported engine type assigns a priority value to each issue. However, this priority

value does not reflect the full context of the affected code or application. Other factors that

concern the use of the affected code may justify assigning a different priority. For example, a

vulnerability assigned the "critical" priority value may be better classified as "medium" or "low"

priority if the section of code in question is never invoked in the application, or if the application

is intended for use exclusively by a small department and has no connections to other

applications and systems, so the identified vulnerability would have a low likelihood of being

exploited. To enable such a use case, Fortify Software Security Center provides the capability

for trusted users to change the priority originally assigned to an issue. Such priority changes are

reflected in generated reports.

Caution! Enabling or disabling this feature must be considered as a long-term change in

that it affects generated reports, computed metrics, and so on, depending on the data in the

system. Make sure that, before you enable or disable it, you discuss the planned change

with your security lead.

OpenText™ Fortify Software Security Center (24.2.0)

Page 349 of 459

User Guide

Chapter 15: Collaborative Auditing

Enabling and Disabling Priority Override Capability on Fortify Software Security Center

You can enable priority overrides on your system either during a new deployment of Fortify

Software Security Center, or on an existing Fortify Software Security Center instance.

Enabling the Priority Override Capability

To enable the priority override capability:

1. In the left pane of the Administration view, select Configuration, and then select Issue

Audit.

2. Select the Enable priority override check box.

3. Click SAVE.

4. Restart the server.

After server restart, the feature is enabled and is applied to all application versions. On the

AUDIT page, the issue details (AUDIT tab) now includes the PRIORITY OVERRIDE list tag.

Enabling Trusted Users to Override Issue Priority

To enable your users to make use of this functionality, create a new user role for them that

includes the "Edit restricted custom tag values" permission. Grant these roles only to trusted

users who have the knowledge and diligence to accurately assess issue priority. For information

about how to create a user role, see "Creating Custom Roles" on page 216.

Note: Any user roles with permission to edit restricted custom tag values can override issue

priority. (The system-defined Security Lead role already has the ability to edit restricted

custom tags.)

Disabling the Priority Override Capability

To disable the priority override capability:

1. In the left pane of the Administration view, select Configuration, and then select Issue

Audit.

2. Clear the Enable priority override check box.

3. Click SAVE.

4. Restart the server.

After server restart, the feature is disabled system-wide, and the PRIORITY OVERRIDE list tag

is no longer visible in the issue details.

OpenText™ Fortify Software Security Center (24.2.0)

Page 350 of 459

User Guide

Chapter 15: Collaborative Auditing

Overriding Priority Values During an Audit

To override the priority value for an issue during an audit:

1. On the AUDIT page, expand the row that contains the issue.

2. On the AUDIT tab in the right pane, from the PRIORITY OVERRIDE list, select the

preferred priority value.

3. (Required) In the box outlined in red below the list, type a comment to explain why you

changed the value.

Note: If you want to undo the override before you save the audit, click UNDO at the

bottom of the pane.

4. To save the new priority value and associated comments, click SAVE.

Viewing Issues That Have Changed Priority Values

To view issues that have priority values that you and others have manually assigned,

from the Group by list, selectPriority Override.

The issues table lists issues with overridden priorities, grouped by PRIORITY OVERRIDE tag

value. Issues with unchanged priority values are grouped under Not Set.

To see how the Priority value was changed, hover your cursor over the information icon.

OpenText™ Fortify Software Security Center (24.2.0)

Page 351 of 459

User Guide

Chapter 15: Collaborative Auditing

Viewing Priority Override Information in Issue Reports

If the priority override tag was used in auditing an application version, you can include the

information in the issue reports you generate.

To include priority override information in a new issue report, as you specify the parameters for

the report, leave the Detailed Report and Categories by Fortify Priority check boxes

selected.

If an issue report includes issues that have overridden priority values (and have Detailed

Report and Categories by Fortify Priority options selected), a note to that effect is displayed

on the cover page, as shown here:

If the priority override feature is used, and the Detailed Report and Categories by Priority

parameters are selected (either manually or by default), the Issues by Priority cube in the

Executive Summary displays a double asterisk where issues have changed priority values.

OpenText™ Fortify Software Security Center (24.2.0)

Page 352 of 459

User Guide

Chapter 15: Collaborative Auditing

The Issue Details sections of these reports show the current priority values, along with the

original priority values.

Reverting to Original Priority Values

If you overrode the originally-assigned priority value for an issue, and then saved it, but you

now want to revert the priority value to its original value:

1. On the AUDIT page, expand the row that contains the issue.

2. To the right of the PRIORITY OVERRIDE list tag, click the revert icon ( ).

3. (Required) In the box outlined in red below the list, type a comment to explain why you

changed the value.

4. To save the new priority value and associated comments, click SAVE.

Reports reflect the current effective priority value, whether that is the original priority set by the

engine (if unmodified) or the overridden value. If a user changed the priority value, those

reports show the changed value. If not, the reports show the original priority.

OpenText™ Fortify Software Security Center (24.2.0)

Page 353 of 459

User Guide

Chapter 15: Collaborative Auditing

Viewing Bugs Submitted for Issues

The issues table on the AUDIT page includes a Bug submitted column

a bug has been submitted against a listed issue.

that shows whether

To view the bug, click the VIEW BUG icon , and log in to the assigned bug tracking

application.

Tip: To view a bug, you must use a browser supported by the bug tracker application.

Auditing a Batch of Issues

To audit multiple issues at a time for an application version:

1. Open the AUDIT view for the application version.

2. In the issues list, select all of the check boxes for the issues you want to include in the batch

audit.

3. Click AUDIT.

OpenText™ Fortify Software Security Center (24.2.0)

Page 354 of 459

User Guide

Chapter 15: Collaborative Auditing

The AUDIT/ASSIGN dialog box opens.

4. To assign a user to the selected issues:

a. To open the SELECT USER dialog box, select the Edit assigned user icon

.

b. To locate a user to assign to these issues, in the Find user box, type part or all of a

user's name, and then click FIND.

c. In the list of returned names, click the name of the user to assign.

d. Click DONE.

The USER section now displays the selected user name and avatar (if available).

5. From the ANALYSIS list, select a value that reflects your assessment of this batch of

issues.

6. (Optional) In the COMMENTS box at the bottom, type a comment about this issue audit.

7. Click APPLY.

See Also