Fortify Software  
What’s New in Micro Focus Fortify Software 20.1.0  
May 2020  
This release of Micro Focus Fortify Software includes the following new functions and features.  
Micro Focus Fortify Software Security Center  
The following features have been added to Fortify Software Security Center.  
SQL Server Change  
You no longer need to download the JDBC JAR file or ensure Tomcat Server classpath includes its  
location when using SQL Server as your database.  
GUI Changes  
Applications View  
• Now displays application versions in an expandable list beneath the application name.  
Micro Focus Fortify Software (20.1.0)  
Scans View  
• A Copy token to clipboard button has been added to the Scan Requests page.  
• Hostname and Pool columns have been added to the Scan Requests page.  
Sensors Page  
• Column headings have been changed on the Sensors page.  
Attributes Page  
• An In Use column has been added to the Attributes page. It lets you see what attributes and  
attribute values are in use by an application version.  
CAS Single Logout Support  
• Fortify Software Security Center now supports single logout for Central Authorization Server.  
Modified Single Sign-On Configuration  
The SSO page was redesigned to improve usability and make it clear that only one SSO solution  
can be configured.  
Single Sign-On Local Login Support for x509 and Kerberos/SPNEGO  
There is a new SSC property, sso.localAuthenticationEnabled, in app.properties. This  
property enables local login with a username and password even though SSO (x509 and  
Kerberos/SPNEGO only) is configured and enabled.  
LDAP Users and Application Versions  
Beginning with the 19.2.1 patch release, LDAP users assigned the Security Lead role (or a custom  
role with application creation privileges) can create application versions.  
Delete List Type Attributes and their Values  
You can now delete attribute values for list-type attributes even if they are currently used by an  
application version. Tired of being told you can't delete an unwanted attribute because it's  
currently "in-use"? This feature is for you.  
General Performance Improvements  
We have optimized the way we parse very large request / response fields from Fortify WebInspect.  
The issueDetails RESTful API endpoint now sends a smaller amount of data per request.  
We have improved performance when leveraging authentication tokens and LDAP. This will be  
most noticeable when making frequent API requests.  
Software Security Center Kubernetes Deployment  
A new container is available on Fortify Docker. It includes detailed documentation for deploying  
and configuring SSC via Helm charts to a Kubernetes cluster.  
New CWE Top 25 2019 Report  
Prioritize your security issues using the 2019 version of the CWE Top 25.  
ScanCentral: Fortify CloudScan is now Fortify ScanCentral  
Fortify CloudScan has been renamed Fortify ScanCentral.  
ScanCentral: Automatic Client Updates  
The ScanCentral Controller now checks to determine whether an update is available. If one is, it is  
placed in a specific directory on the ScanCentral Controller. Client updates begin after  
you next start the Controller. For more information, see "Enabling and Disabling Auto-Updates of  
ScanCentral Clients" in the user guide.  
ScanCentral: Secure the Controller  
Use the new client_auth_token property to restrict the use of the ScanCentral Controller to  
authorized clients only.  
ScanCentral: Package Scanner Tool  
The new package scanner tool generates Fortify Static Code Analyzer commands and runs them  
without starting the ScanCentral clients.  
Micro Focus Fortify Static Code Analyzer  
The following features have been added to Fortify Static Code Analyzer.  
.NET Updates  
• Support added for .NET Core 2.2, 3.0, and 3.1  
• Support added for C# 8  
• Support added for VB.NET 16.0 (2019)  
• Support added for MSBuild 16.4  
• Support added for .NET Framework version 4.8  
• Support added for ASP.NET 4.8  
macOS Update  
• Support added for macOS 10.15  
Java Update  
• Support added for Java 13  
Swift and Objective-C Updates  
• Support added for Xcode 11, 11.1, 11.2.1, 11.3, 11.3.1  
• Improved translator  
Compiler Updates  
• Support added for cl 2019  
• Support added for Apple LLVM (Clang) 11.0.0  
• Support added for Swiftc 5.1, 5.1.2, 5.1.3  
Kotlin (Technical Preview)  
• Support added for Kotlin 1.3.50  
Note: Fortify Static Code Analyzer support for scanning Kotlin is available as a technical preview.  
However, security content for this feature will be released toward the end of June 2020. You can  
find vulnerabilities in your Kotlin applications only after the security content is available.  
Go Updates  
• Support added for Go language 1.13.x (up to 1.13.3)  
Performance Improvements  
We have substantially improved dynamic languages analysis performance by making changes to:  
• The Higher Order Analysis (HOA) algorithm  
• Taint analysis of Python’s static initializers  
• Type inference scalability on multiple cores  
These changes affect all languages that leverage higher order analysis:  
• Python  
• TypeScript  
• JavaScript  
• Ruby  
• Swift  
FPR File Enhancements  
• Translation options are now persisted in FPR files  
• Filter files are persisted in FPR files  
Micro Focus Fortify Static Code Analyzer Tools  
The following features have been added to Fortify Static Code Analyzer Tools.  
Fortify Security Assistant  
• Support for Visual Studio 2019  
Additional Premium Reports  
The following reports have been added to the Static Code Analyzer Tools:  
• CWE Top 25 2019  
Micro Focus Fortify WebInspect  
The following features have been added to Fortify WebInspect.  
Engine Updates - Big Improvements on Modern Apps  
We've updated our engines to keep pace with our customers' evolving applications! The engine  
update brings dramatic improvements to WebInspect’s ability to scan applications built with  
modern JavaScript frameworks.  
Single-Page Application (SPA) Coverage Visualization  
The new engine provides an improved visualization of Single-Page Applications.  
For more information, watch the "Scanning Single-Page Apps" video on the Fortify Unplugged  
Macro Recorder Updates  
The Macro Recorder is now on by default across all areas of WebInspect. The updated recorder  
delivers an improved experience when recording both login and workflow macros.  
For more information, watch the "Recording Macros in Macro Recorder 5.0" video on the Fortify  
Upgraded Rescan Technology  
Rescan capabilities deliver a dramatically faster, more flexible, and more reliable experience. Our  
new rescan technology is better at replaying complicated attack sequences and is available via the  
UI, API, and CLI.  
For more information, watch the "WebInspect 20.1.0 Rescan Improvements" video on the Fortify  
Authenticated API Scanning with Postman  
We've continued to simplify API scanning and automation by adding the ability to handle  
authenticated API scanning to our Postman integration.  
For more information, watch the "Authenticated API Scanning with Postman" video on the Fortify  
Selenium WebDriver Login Macros  
Building on the Selenium WebDriver support from our last release, WebInspect now supports  
using a Selenium WebDriver script as a login macro.  
For more information, read the "Selenium Login Macro" topic in the Help.  
Micro Focus Fortify WebInspect Enterprise  
The following features have been added to Fortify WebInspect Enterprise.  
Engine Updates - Big Improvements on Modern Apps  
We've updated our engines to keep pace with our customers' evolving applications. The engine  
update brings dramatic improvements to WebInspect Enterprise’s ability to scan applications built  
with modern JavaScript frameworks.  
Macro Recorder Updates  
The Macro Recorder is now available within WebInspect Enterprise and as a free-standing  
application. The free-standing application, Macro Recorder 5.0, is available in the Fortify  
Marketplace. Continuing with our goal of supporting modern applications, our updated recorder  
delivers an improved experience when recording both login and workflow macros.  
For more information, watch the "Recording Macros in Macro Recorder 5.0" video on the Fortify  
Silverlight Removal Complete  
The WebInspect Enterprise Desktop client now automatically opens in Microsoft Internet Explorer  
as well as Microsoft Edge.  
Contact Micro Focus Fortify Customer Support  
If you have questions or comments about using this product, contact Micro Focus Fortify  
Customer Support using one of the following options.  
To Manage Your Support Cases, Acquire Licenses, and Manage Your Account  
For More Information  
For more information about Fortify software products:  
What’s New in Micro Focus Fortify Software 19.2.0  
November 2019  
This release of Micro Focus Fortify Software includes the following new functions and features.  
Micro Focus Fortify Software Security Center  
The following features have been added to Fortify Software Security Center.  
Scan Issue View Now Includes a Comment Column  
Session Logout Screens  
A newly-integrated logout screen appears when users log out of Fortify Software Security Center.  
This also includes support for use with Fortify Software Security Center’s SSO support.  
• In this release there are new session logout screens. If you logged in as a local user, and you log  
out (or you are logged out because your session timed out), the session logout screen displays  
a link that you can use to return to the login screen.  
• If you logged in using a SAML-based single sign-on account, which supports single sign-off,  
and you log off, the session logoff page gives you the option of logging out as a local user, or  
logging out from your SSO SAML account. For more detail, see "About Session Logout" in the  
user guide.  
• If you logged in using a SAML-based single sign-on account and your session times out due to  
inactivity, a session logout dialog box gives you the options of signing out locally, signing out  
of your SAML account, or staying logged in.  
Removal of Runtime Calls, Methods, and Parameters  
Runtime calls, methods, and parameters were removed from Web Service endpoints, APIs, and  
command-line tools.  
New Requirement for Audit Assistant Custom Tag Mapping  
When you map Audit Assistant analysis tag values to custom tag values, you must make sure that  
you assign at least one tag value to both the Non-Issue and True Issue categories. For details, see  
"Mapping Audit Assistant Analysis Tag Values to Software Security Center Custom Tag Values" in  
the user guide.  
Exporting Data for All Application Versions  
• You can now export data for all application versions to a CSV file. For details, see "Exporting  
Data to Comma-Separated Values Files" in the user guide.  
Additional File Formats Supported for Attachment to Issues  
• Now, in addition to files in JPG, JPEG, BMP, PNG, and GIF formats, you can attach files in DOC,  
DOCX, PPT, and PPTX formats.  
PCI SSF Report & Issue Template  
The PCI SSF compliance mappings supersede the old PCI DSS requirements. Fortify makes both  
types of reports and Issue Templates available for customers still leveraging DSS requirements.  
New PCI Basic Seed Bundle  
A new seed bundle is available for seeding the Fortify Software Security Center database. The  
optional PCI Basic seed bundle (Fortify_PCI_SSF_Basic_Seed_Bundle-2019_Q3.zip)  
adds a Payment Card Industry (PCI) Data Security Standard (DSS) process template and its  
associated report to the default set of issue templates and reports. PCI DSS will remain open for  
previously started assessments, and for new assessments initiated before June 2021, until  
October 2022. After October 2022, the new PCI Software Security Framework (SSF) will be the  
set of standards for evaluation.  
This is in addition to the Fortify_PCI_Basic_Seed_Bundle-2019_Q3.zip file, which is still  
available. For more information about seed bundles, see "Unpacking and Deploying Fortify  
Software Security Center Software" in the user guide.  
Micro Focus Fortify Static Code Analyzer  
The following features have been added to Fortify Static Code Analyzer.  
Modular Analysis  
Modular analysis allows you to pre-scan libraries and sub-libraries separately from your core  
project. You can then include these pre-scanned libraries when you scan the core project. Fortify  
Static Code Analyzer can follow dataflow through the libraries without including the source code  
of the libraries in the core application scan or requiring rules for these libraries. This results in a  
high quality scan without having to scan the dependencies each time you scan the core  
application.  
Go Language  
Added support for translating Go language version 1.12 source code on Windows and Linux  
platforms.  
React  
Added support for React 16.5 JavaScript library.  
Java  
Added support for Java 12.  
Performance improvements  
Fortify Static Code Analyzer now uses available cores in a more scalable fashion. Increasing the  
number of available cores may improve scan speeds. Similarly, increasing available memory may  
also improve scan speeds.  
Micro Focus Fortify Static Code Analyzer Tools  
The following features have been added to Fortify Static Code Analyzer Tools.  
Fortify CloudScan .NET packaging support  
Fortify CloudScan now supports packaging and scanning .NET solutions remotely (translation  
and analysis phases). The Fortify CloudScan client intelligently packages .NET solutions for  
remote translation and scanning outside of the build environment.  
Other directly-parsed languages have been added to CloudScan.  
The following languages are supported in Fortify Static Code Analyzer, but are not available for  
remote translation: the C family of languages (C/C++/Objective-C/Swift), COBOL, and  
ActionScript.  
Fortify SCA Visual Studio 2019 Extension w/ built-in CloudScan support  
• Added Fortify extension for Visual Studio 2019  
• Includes Fortify CloudScan support  
Fortify Jenkins plugin w/ built-in CloudScan and 19.2.0 Fortify Static Code Analyzer  
support  
This new plugin includes native Fortify CloudScan support and new scan options that support  
Fortify Static Code Analyzer 19.2.0. Available for download: https://plugins.jenkins.io/fortify.  
Audit Workbench  
• Dark Theme  
To enable the dark theme, navigate to: Options -> Appearance -> Dark Theme in Fortify Audit  
Workbench.  
• Syntax highlighting support for TypeScript, YAML, Less and JSON.  
Micro Focus Fortify WebInspect  
The following features have been added to Fortify WebInspect.  
Simplified API Scanning  
Scanning of APIs that are documented via the OpenAPI (Swagger) API description format has  
been simplified. You can leverage this feature from the API Scan option of the Basic Scan Wizard  
or from the WebInspect API or CLI.  
Advanced API Scanning – Postman  
Run functioning Postman collections for advanced API scanning scenarios where unique  
workflows, complicated authentication, or specific parameter values are required.  
Response State Patterns  
Handles complex scenarios where an application requires passing data from a response into a  
subsequent request. You can build response state rules from the Scan Settings > HTTP Parsing  
option.  
Macro Auto-gen Improvements  
The underlying macro auto-gen engine has been upgraded and signatures have been improved,  
resulting in improved accuracy and performance of our macro auto generation technology.  
Macro Validation Improvements  
The underlying macro validation engine has been improved, resulting in greater accuracy in  
validating macros.  
Usability Improvements  
• Improved support for high resolution monitors.  
• Some scan settings have been simplified to reduce confusion.  
Common Access Card (CAC) Improvements  
Many highly restricted applications leverage common access cards as a part of their two-factor  
authentication protocol. CAC coverage provides better support when scanning applications in  
these sensitive environments.  
Selenium Webdriver - Tech Preview  
In this Technical Preview, a Selenium WebDriver integration enables tighter integration of Fortify  
WebInspect into your pipeline. This integration allows Fortify WebInspect to automatically run Selenium  
binaries, detect the tested surface area of the application, and then test for vulnerabilities.  
Updated Vuln Retest - Tech Preview  
Improvements to the accuracy of our vulnerability retest engines have been made. The Technical  
Preview of these updated capabilities is available via the API and CLI. Updated endpoints allow  
for testing all detected vulnerabilities, vulnerabilities by severity, or even individual vulnerabilities  
by unique identifier.  
Micro Focus Fortify WebInspect Enterprise  
The following features have been added to Fortify WebInspect Enterprise.  
Silverlight Dependency Removal  
To provide more flexibility, WebInspect Enterprise no longer requires Internet Explorer with  
Silverlight for proper operation. Customers using modern browsers like Chrome and Firefox will  
be prompted to install the WIE Desktop Client, which will allow them to configure and visualize scans.  
Free-Standing Macro Recorder with Macro Engine 5.0  
While we work to complete integration of the updated Web Macro Recorder with Macro Engine  
5.0 throughout the product, we want to provide you with a free-standing version of the new tool.  
You can download the free-standing Web Macro Recorder tool from the Software Support Online  
portal. The tool provides both WebInspect Enterprise and WebInspect customers with an easy  
way to record macros without changing default settings.  
What’s New in Micro Focus Fortify Software 19.1.0  
May - June 2019  
This release of Micro Focus Fortify Software includes the following new functions and features.  
Micro Focus Fortify Software Security Center  
The following features have been added to Fortify Software Security Center.  
UI / Usability Updates  
• The COMMENTS section has been moved. Previously, you posted and viewed comments from  
the COMMENTS & HISTORY tab. Now you can post and view comments on the AUDIT tab in  
the right panel of the issue details section.  
• Audit Page: Rulepack content is now divided into separate sections. Details /  
Recommendations / Metadata / References / etc are now found in the Info tab.  
• The new version selector has a three-column layout for selecting application versions. It was  
designed to accommodate thousands of application versions.  
Micro Focus Fortify Static Code Analyzer  
The following features have been added to Fortify Static Code Analyzer.  
TypeScript  
TypeScript language support now includes:  
• Higher Order Analysis (HOA) performance improvements  
• Support for TypeScript 3.0, 3.1 and 3.2  
Python  
Python language support now includes:  
• Support for Python 3.7  
• Support for Django 2.x  
• Performance improvements  
Gradle  
Gradle support now includes Gradle 4.x.  
Angular  
Angular support now includes Angular 7.  
Java  
Java support now includes Java 10 and Java 11.  
ECMAScript  
Fortify Static Code Analyzer now supports ECMAScript 2018.  
Higher Order Analyzer  
Higher Order Analyzer is on by default for JavaScript and TypeScript applications. When Higher  
Order Analyzer is enabled, Fortify Static Code Analyzer is able to better track dataflow issues and  
uncover more vulnerabilities.  
Micro Focus Fortify CloudScan  
Fortify CloudScan now ships with a utility to package source code, dependencies, and Fortify  
Static Code Analyzer translation instructions. You no longer have to install Fortify Static Code  
Analyzer locally or on the build server. The packaging utility allows you to centralize your Fortify  
infrastructure and create a consistent approach across languages.  
• You no longer have to install and run Fortify Static Code Analyzer on the build server for the  
following languages: Java, JavaScript, Ruby, Python, and PHP.  
• The packaging utility packages everything necessary, including dependencies, and sends the  
package directly to the CloudScan CLI. The CloudScan CLI then sends it on to the sensors,  
which perform both translation and scanning phases of the analysis.  
• The packaging utility intelligently sets what were previously manual translation options. Simply  
provide the location of the build file (build.gradle / pom.xml). No other configuration options  
are required for build integration.  
• This new Fortify CloudScan utility supports auto packaging using the Gradle or Maven build  
tools.  
Micro Focus Fortify Static Code Analyzer Tools  
The following features have been added to Fortify Static Code Analyzer Tools.  
Fortify Jenkins Plugin  
• Post-build action analyzes the source with Fortify Static Code Analyzer, updates security  
content, uploads analysis results to Fortify Software Security Center, and fails the build based  
on uploaded results processed by Fortify Software Security Center.  
• Provides native pipeline support for source code analysis with Fortify Static Code Analyzer,  
security content update, and uploads to Fortify Software Security Center.  
• Snippet generator makes it easy to generate the pipeline code necessary to add a Fortify task  
to a pipeline script.  
• Displays Fortify security analysis results for each job that includes a history trend and the latest  
issues from Fortify Software Security Center. Navigates to individual issues on Fortify Software  
Security Center for detailed analysis.  
Micro Focus Fortify WebInspect  
The following features have been added to Fortify WebInspect.  
Simplified API Scanning  
We have dramatically simplified scanning APIs that are documented using the OpenAPI  
(Swagger) API description format. You can use the API Scan option in the Basic Scan Wizard or  
leverage this feature from the WebInspect API or CLI.  
Advanced API Scanning – Postman  
Fortify WebInspect can now directly run your functioning Postman collections for more advanced  
API scanning scenarios where unique workflows, complicated authentication, or specific  
parameter values are required.  
Response State Patterns  
Fortify WebInspect can now handle complex scenarios where an application requires passing data  
from a response into a subsequent request. To build response state rules, go to Scan Settings >  
HTTP Parsing.  
Macro Auto-gen Improvements  
We’ve upgraded the underlying macro auto-gen engine and we’ve improved our signatures. You  
should see improved accuracy and performance of our macro auto generation technology.  
Macro Validation Improvements  
The underlying engine for our macro validation feature has been improved. You should note  
improved accuracy in validating macros.  
Usability Improvements  
We’ve addressed some usability concerns on two fronts. First, we’ve improved WebInspect’s  
support for high resolution monitors. Second, we’ve begun simplifying some of our scan settings  
to avoid customer confusion.  
Common Access Card (CAC) Improvements  
Many highly-restricted applications leverage common access cards as a part of their two-factor  
authentication protocol. We’ve broadened our CAC coverage to better support our customers  
who are scanning applications in these sensitive environments.  
Verify Site Improvements  
We’ve improved the Verify Site API endpoint to support more advanced detection of application  
complexity, and to provide a measurement of application response time that can be used to  
predict potential for long running scans.  
Free-Standing Macro Recorder with Macro Engine 5.0  
While we work to complete integration of the updated Web Macro Recorder with Macro Engine  
5.0 throughout the product, we want to provide you with a free-standing version of the new tool.  
You can download the free-standing Web Macro Recorder tool from the Software Support Online  
portal. The tool provides both WebInspect Enterprise and WebInspect customers with an easy  
way to record macros without changing default settings.  
Selenium Webdriver - Tech Preview  
To allow customers to more tightly integrate WebInspect into their pipelines, we’ve built a  
Selenium WebDriver integration. This integration allows WebInspect to automatically run  
Selenium binaries, detect the tested surface area of the application, and then test for  
vulnerabilities.  
Updated Vuln Retest - Tech Preview  
We’re improving the accuracy of our vulnerability retest engines. In 19.2.0 we’re releasing a  
technical preview of these updated capabilities which are available via the API and CLI. The  
updated endpoints allow for testing all detected vulnerabilities, vulnerabilities by severity, or even  
individual vulnerabilities by unique identifier.  
Micro Focus Fortify WebInspect Enterprise  
The following feature has been added to Fortify WebInspect Enterprise.  
New API Endpoints  
New SmartUpdate endpoints provide a way of:  
• Getting a list of all SmartUpdate occurrences  
• Getting details or status of a specific SmartUpdate  
• Starting the SmartUpdate process to download the latest SecureBase changes and sensor  
versions  
What’s New in Micro Focus Fortify Software 18.20  
November 2018  
This release of Micro Focus Fortify Software includes the following new functions and features.  
Micro Focus Fortify Software Security Center  
The following features have been added to Fortify Software Security Center.  
SSC Scalability  
• The persistence layer has been optimized to accommodate additional SCA scans  
• The format of the issue fields has been made more efficient when storing and retrieving  
• Total issue size has been reduced  
• Adding new scans is typically 10-30% faster  
Audit Page Redesign (Phase 1)  
• Fortify Priority Order (Critical / High / Medium / Low) appears on the Audit and Overview  
screens. Clicking these folders allows you to view the associated issues.  
• Issue Details and Recommendations are now accessed from the tabs on the Audit page  
• Adding comments to individual issues no longer requires going to the Assign screen; comments  
can be submitted directly in the Audit page  
Audit Assistant Auto-Predict  
• You can now set automatic predictions for application versions. You can enable this feature on  
the ADMINISTRATION -> Configuration -> Audit Assistant page by checking the Enable  
auto predict check box in the application version Profile window  
• New predictions are automatically requested when new issues are uploaded to an application  
version  
Note: Audit Assistant does not re-predict on issues in application versions when a previous  
prediction was made. Create a new application version to reset this functionality.  
Application Security Training  
When viewing security issues, a "Get Training" link will take you to contextual application security  
training provided by Secure Code Warrior.  
• Contextually correct application security training has been designed to integrate with any  
application security training provider. The current iteration includes integration to Secure Code  
Warrior.  
• A current list of the full mapping between Secure Code Warrior and Fortify Software Security  
Center is available from customer support  
Request Dynamic Scans (Fortify WebInspect Enterprise) Migrated to the Current User  
Interface  
The dynamic scan request feature in the legacy user interface has been migrated to the current  
user interface  
Micro Focus Fortify Static Code Analyzer  
The following features have been added to Fortify Static Code Analyzer.  
Apple Update  
Support for the latest releases of the following components:  
• Swift 4.2  
• Xcode 10  
• Objective-C/C++  
TypeScript  
Added the ability to scan TypeScript applications. TypeScript is a superset of JavaScript that adds  
optional static typing to the language.  
.NET Update  
• MSBuild support has been changed to reflect the direction Microsoft has set for .NET  
• MSBuild integration is now the only build integration used to translate .NET applications  
• When translation is invoked from the Visual Studio extension or devenv on the command line,  
MSBuild integration is used  
• In addition to translating Visual Studio Solutions, you can now translate individual Visual  
Studio Projects  
• Added support for delegate and function modeling  
• Improved support for rules surfaces more vulnerabilities in .NET applications  
Python  
The new Python translator supports both Python 2 and Python 3 applications. The new Python  
translator is used by default, but the legacy Python 2.x translator is still available with a command  
line option.  
The new Python translator provides:  
• Improved support for Python 3  
• Support for Python 2.x applications  
• Improved support for Django 1.8  
The legacy Python 2 Translator:  
Fortify Static Code Analyzer uses the new Python translator by default. To use the legacy  
translator, specify it on the command line.  
Scanning Python 3 Applications:  
By default, Fortify Static Code Analyzer assumes you are scanning Python 2.x applications. To  
scan Python 3 applications, specify the Python version on the command line:  
-python-version 3  
Node.js  
We added support for scanning Node.js 10.x applications.  
Angular  
This initial release of Angular support enables scanning Angular 2, 4, 5 and 6 applications.  
Java 9  
Major defects were fixed in our Java 9 support, resulting in the discovery of more complex  
vulnerabilities in Java 9 applications.  
Logging  
With this release, we provide a major update to the logging infrastructure. There are now two  
different log files:  
• Standard log file (sca.log): provides information you can use when troubleshooting  
• Fortify Support log (sca_FortifySupport.log): provides information that may be helpful to the  
customer support or development team  
Micro Focus Fortify Static Code Analyzer Tools  
The following features have been added to Fortify Static Code Analyzer Tools.  
Fortify Jenkins Plugin  
An improved version of the Fortify Jenkins Plugin. It includes the following features and  
capabilities:  
• Full translation and analysis capabilities  
• Ability to upload your results to Fortify Software Security Center  
• Supported application types include:  
    • Java  
    • Maven  
    • Gradle  
    • .NET (msbuild / devenv)  
    • Other (directly input any Fortify Static Code Analyzer command)  
• Ability to fail or mark builds as unstable using the Fortify Software Security Center search  
criteria  
MSBuild Integration Enhancements  
With this new, enhanced version, you can continue to use devenv or msbuild as you always have.  
The devenv invocations are now converted to msbuild options automatically. In addition, this new  
version:  
• Provides increased consistency in the Fortify Static Code Analyzer translation / analysis phases  
• No longer requires the Fortify Extension for Visual Studio or Visual Studio in order to scan  
.NET solutions (.NET framework is required to be installed). To scan from the Visual Studio IDE,  
the Fortify Extension for Visual Studio is still required  
• No longer requires admin privilege to install Fortify Extension for Visual Studio for Visual Studio  
2013  
For example, the following command:  
sourceanalyzer -b test devenv Sample.sln /REBUILD  
will be converted to:  
sourceanalyzer -b test msbuild Sample.sln /t:rebuild  
Micro Focus Fortify WebInspect  
The following features have been added to Fortify WebInspect.  
Checks over WebSockets  
The Fortify WebInspect engines can now examine the data traversing WebSockets. This allows us  
to detect vulnerabilities in modern applications leveraging WebSockets for advanced  
communication.  
Pause-resume Scan Capability on the Command Line  
The command line has been updated to support pause/resume of running scans. When you use  
the Fortify WebInspect command line interface for automation, you will gain greater flexibility,  
control, and improved parity with existing API functionality.  
Micro Focus Fortify WebInspect Enterprise  
The following features have been added to Fortify WebInspect Enterprise.  
Improved Sensor Stability  
Improvements to thread management in the Fortify WebInspect Enterprise sensors result in  
significant improvements to sensor stability, reliability, and greater up time.  
API Improvements  
The following enhancements have been made to the API:  
• Existing scan templates may be overridden with workflow and login macros.  
• SSC Project Versions can be assigned to any security group.  
• When using the temporary file upload endpoint, Fortify WebInspect Enterprise automatically  
creates a file identifier rather than requiring your input.  
• Endpoints now list which parameters are required or optional.  
SmartUpdate  
SmartUpdate just got smarter. Now, instead of downloading the entire package, you select the  
language and version number you require, reducing the amount of content you need to  
download.  