Fortify Software  
What’s New in Micro Focus Fortify Software 20.2.0
November 2020  
This release of Micro Focus Fortify Software includes the following new functions and features.  
Micro Focus Fortify Software Security Center  
The following features have been added to Fortify Software Security Center.  
Webhooks  
The latest version of Fortify Software Security Center includes a new Webhook feature in the  
Administrative section. Use it to create hooks for system and application version events directly in  
the UI or API. When available, Webhooks can be helpful in updating external pipelines with Fortify  
Software Security Center data. This feature will drive our next generation of build failure  
workflows in the continuous integration plugins that we currently offer.  
Micro Focus Fortify Software (20.2.0)  
Page 1 of 28  
General Performance Improvements  
• Ahead-of-time compilation reduces the time needed to download the JavaScript for our user interface. Our testing indicates a 40% reduction in the overall package size.
• The Issue endpoint has been refactored for better direct API performance.
Open Source Components View  
A new Open Source Components view appears on the Open Source tab of the Issues page. This  
view displays Sonatype open source issues. The user can audit these issues directly in the view.  
This view also includes two new fields: Invoked and Controllable. These fields indicate whether the method or function that Sonatype identified is called from your custom code (Invoked) and whether user-controlled input reaches that method or function (Controllable).
OWASP ASVS v4.0 Report  
The OWASP ASVS v4.0 report provides an easy way to consolidate the list of requirements for  
secure software development as defined by this standard.  
ScanCentral DAST  
ScanCentral DAST joins the family! The ScanCentral tab in Fortify Software Security Center now  
has both SAST and DAST options. WebInspect customers can now orchestrate dynamic testing  
and automation from within Fortify Software Security Center.  
Java 11 Support  
Java 11 is now supported in combination with Tomcat 9. See the Micro Focus Software System Requirements document for more information.
Fortify ScanCentral SAST  
Product Name Change  
With the introduction of Fortify ScanCentral DAST (for dynamic scans), Fortify ScanCentral was renamed ScanCentral SAST. For information about Fortify ScanCentral DAST, see the Micro Focus Fortify ScanCentral DAST Configuration and Usage Guide.
JavaScript Packaging Improvement  
There is a new parameter available in the ScanCentral SAST client to include npm dependencies when they are not present in the current working directory. Users can add --scan-node-modules to the ScanCentral SAST client command. ScanCentral SAST will download the node modules and include them for translation and analysis. If this flag is not present, the node modules are excluded by default, even if they are present in the working directory.
Quality Improvements  
• ScanCentral SAST has improved support for multiple versions of Fortify Static Code Analyzer. When scanning resources are unavailable for a particular client version, more informative error messages are issued.
• The auto upgrade feature now patches all connected ScanCentral SAST clients, avoiding the need to manually install the patches multiple times.
• ScanCentral SAST standalone clients receive both patch upgrades and major version upgrades (when the controller is upgraded).
• Embedded ScanCentral SAST clients from Fortify Static Code Analyzer do not automatically upgrade to the new version, but do receive patches.
• Custom build parameters that are required for software compilation are now included and invoked by ScanCentral SAST clients. Previously, the default build invocation parameters for supported build tools were used.
Micro Focus Fortify Static Code Analyzer  
The following features have been added to Fortify Static Code Analyzer.  
Java  
• Support added for Java 14
• Native support for Lombok added. It is no longer necessary to use “delombok”
• Support added for Kotlin interoperability. If your project contains Java code that refers to Kotlin code, include all the source directories in the translation command so that the Kotlin function calls are correctly resolved
.NET  
• Now uses MSBuild 16.6
• Added Generics Type support
Swift/Obj C  
• Added support for Xcode up to version 11.7
JavaScript
• Support added for TypeScript 3.3 - 4.0
• Support added for ECMAScript 2019 and 2020
Kotlin  
• Added full support for Kotlin 1.3.50
• Kotlin support is no longer a Technology Preview
• Added Kotlin Java Interoperability. If your project contains Kotlin and Java source code, you can use the Java source to resolve any Kotlin types that refer to Java files
• Added Kotlin for Android support
Go  
• Added support for Go Modules
• Go translation has been refactored, which makes translation easier and removes the need to have Go installed on the translation machine
COBOL  
• Added support for IBM Enterprise COBOL up to version 6.1
Python  
• Added support for Python 3.8
• Improved imports support for Python
Docker  
• Added support for running Fortify Static Code Analyzer in a Docker container
• Added support for scanning Docker configuration files
ABAP Extractor  
• Improved performance
• Added option to block the download of SAP standard code
Modular Analysis (Technology Preview)  
• Updated to include control flow analysis
Speed Dial (Technology Preview)  
The first version of Speed Dial provides a selection of configuration files to select the breadth and  
depth of the desired Fortify Static Code Analyzer scan.  
Micro Focus Fortify Static Code Analyzer Tools  
The following features have been added to Fortify Static Code Analyzer Tools.  
Azure DevOps  
• New ScanCentral SAST Task: With the new Azure DevOps task, you can programmatically install the ScanCentral SAST client from the controller, then configure and use it to orchestrate remote scanning from Azure DevOps. This works for both hosted and local build agents.
• New ScanCentral DAST Task: In Azure DevOps, this task allows you to automate and orchestrate remote dynamic (WebInspect) scans from the ScanCentral DAST module inside of Fortify Software Security Center.
Visual Studio Code  
Fortify is happy to welcome the Fortify Visual Studio Code Extension to our IDE plugin family. In  
this first release, local Fortify Static Code Analyzer scans, remote scans via ScanCentral, and  
remote scans via Fortify on Demand are all supported.  
Token Authentication in all the Tools  
Fortify has introduced token-based authentication to Fortify Static Code Analyzer from Audit  
Workbench and the Visual Studio, Eclipse, and IntelliJ plugins.  
Support for OWASP ASVS v4.0 Report  
Support has been added for OWASP ASVS v4.0 reports.  
Micro Focus Fortify WebInspect  
The following features have been added to Fortify WebInspect.  
Automatic Detection of Single-page Applications  
Fortify continues to improve usability with time-saving features that eliminate manual  
configuration of scans. WebInspect 20.2.0 detects when applications use modern frameworks  
such as Angular and React and automatically adjusts its configuration to provide the best  
coverage.  
For more information, read the Help topic and watch the "SPA Scanning Improvements" video on  
Redundant Page Detection  
Applications with lots of redundant content, such as content management systems and catalog  
sites, can cause unnecessarily long-running scans. With WebInspect 20.2.0, you can use an  
advanced redundant page detection algorithm to reduce these scan times.  
For more information, read the Help and watch “Handling Redundant Content with WebInspect 20.2” on the Fortify Unplugged YouTube channel.
ADFS CBT Support  
Per advice from Microsoft, many organizations are implementing a channel binding token (CBT)  
to secure Active Directory Federation Services (ADFS) authentication. WebInspect 20.2.0 now  
supports this extended protection mechanism. Look at Scan Settings under Network  
Authentication > Method > ADFS CBT to use this new feature, and reference the Help  
topic for details.  
Engine 5.1 Updates  
Fortify continues to evolve its engines to improve coverage and performance. WebInspect 20.2.0 provides a faster crawl and audit, and better application support from the web macro recorder. Finally, as a sneak peek of things to come in 2021, the Web Macro Recorder with Macro Engine 5.1 now attempts to detect and display client-side frameworks that are used in the target application. For more information, read the Help.
OpenSSL Technical Preview  
WebInspect 20.2.0 introduces a technical preview of our OpenSSL integration. This integration  
provides support for TLS 1.3, and provides an option for customers whose system administrators  
may be restricting the Microsoft SCHANNEL stack. The setting may be enabled in the UI at Edit  
> Application Settings > General.  
ScanCentral DAST  
Fortify is excited to release a new DAST orchestration and automation platform integrated right  
into Software Security Center 20.2.0! For more information, watch our “Introduction to  
ScanCentral DAST” video on the Fortify Unplugged YouTube channel.  
Micro Focus Fortify WebInspect Enterprise  
The following features have been added to Fortify WebInspect Enterprise.  
Automatic Detection of Single-page Applications  
Fortify continues to improve usability with time-saving features that eliminate manual  
configuration of scans. The WebInspect 20.2.0 sensor detects when applications use modern  
frameworks such as Angular and React, and automatically adjusts its configuration to provide the  
best coverage.  
For more information, read the Help topic and watch the "SPA Scanning Improvements" video on  
Redundant Page Detection  
Applications with lots of redundant content, such as content management systems and catalog  
sites, can cause unnecessarily long-running scans. With the WebInspect 20.2.0 sensor, you can use  
an advanced redundant page detection algorithm to reduce these scan times.  
For more information, read the Help topic and watch “Handling Redundant Content with  
WebInspect 20.2” on the Fortify Unplugged YouTube channel.  
ADFS CBT Support  
Per advice from Microsoft, many organizations are implementing a channel binding token (CBT) to secure Active Directory Federation Services (ADFS) authentication. The WebInspect 20.2.0 sensor now supports this extended protection mechanism. For more information, read the Help topic.
Contact Micro Focus Fortify Customer Support  
If you have questions or comments about using this product, contact Micro Focus Fortify  
Customer Support using one of the following options.  
To Manage Your Support Cases, Acquire Licenses, and Manage Your Account  
For More Information  
For more information about Fortify software products:  
What’s New in Micro Focus Fortify Software 20.1.0
May 2020  
This release of Micro Focus Fortify Software includes the following new functions and features.  
Micro Focus Fortify Software Security Center  
The following features have been added to Fortify Software Security Center.  
SQL Server Change  
You no longer need to download the JDBC JAR file or ensure that the Tomcat Server classpath includes its location when using SQL Server as your database.
GUI Changes  
Applications View  
• Now displays application versions in an expandable list beneath the application name.
Scans View
• A Copy token to clipboard button has been added to the Scan Requests page.
• Hostname and Pool columns have been added to the Scan Requests page.
Sensors Page
• Column headings have been changed on the Sensors page.
Attributes Page
• An In Use column has been added to the Attributes page. It lets you see what attributes and attribute values are in use by an application version.
CAS Single Logout Support
Fortify Software Security Center now supports single logout for Central Authorization Server.
Modified Single Sign-On Configuration  
The SSO page was redesigned to improve usability and make it clear that only one SSO solution  
can be configured.  
Single Sign-On Local Login Support for x509 and Kerberos/SPNEGO  
There is a new SSC property, sso.localAuthenticationEnabled, in app.properties. This  
property enables local login with a username and password even though SSO (x509 and  
Kerberos/SPNEGO only) is configured and enabled.  
LDAP Users and Application Versions  
Beginning with the 19.2.1 patch release, LDAP users assigned the Security Lead role (or a custom  
role with application creation privileges) can create application versions.  
Delete List Type Attributes and their Values  
You can now delete attribute values for list-type attributes even if they are currently used by an  
application version. Tired of being told you can't delete an unwanted attribute because it's  
currently "in-use"? This feature is for you.  
General Performance Improvements  
We have optimized the way we parse very large request / response fields from Fortify WebInspect.  
The issueDetails RESTful API endpoint now sends a smaller amount of data per request.
We have improved performance when leveraging authentication tokens and LDAP. This will be  
most noticeable when making frequent API requests.  
Software Security Center Kubernetes Deployment  
A new container is available on Fortify Docker. It includes detailed documentation for deploying and configuring SSC via Helm charts to a Kubernetes cluster.
New CWE Top 25 2019 Report  
Prioritize your security issues using the 2019 version of the CWE Top 25.
ScanCentral: Fortify CloudScan is now Fortify ScanCentral  
Fortify CloudScan has been renamed Fortify ScanCentral.  
ScanCentral: Automatic Client Updates  
The ScanCentral Controller now checks to determine whether an update is available. If one is, it is  
placed in a specific directory on the ScanCentral Controller. Client updates begin after  
you next start the Controller. For more information, see "Enabling and Disabling Auto-Updates of  
ScanCentral Clients" in the user guide.  
ScanCentral: Secure the Controller  
Use the new client_auth_token property to restrict the use of the ScanCentral Controller to  
authorized clients only.  
ScanCentral: Package Scanner Tool  
The new package scanner tool generates Fortify Static Code Analyzer commands and runs them  
without starting the ScanCentral clients.  
Micro Focus Fortify Static Code Analyzer  
The following features have been added to Fortify Static Code Analyzer.  
.NET Updates  
• Support added for .NET Core 2.2, 3.0, and 3.1
• Support added for C# 8
• Support added for VB.NET 16.0 (2019)
• Support added for MSBuild 16.4
• Support added for .NET Framework version 4.8
• Support added for ASP.NET 4.8
macOS Update
• Support added for macOS 10.15
Java Update
• Support added for Java 13
Swift and Objective-C Updates  
• Support added for Xcode 11, 11.1, 11.2.1, 11.3, 11.3.1
• Improved translator
Compiler Updates
• Support added for cl 2019
• Support added for Apple LLVM (Clang) 11.0.0
• Support added for Swiftc 5.1, 5.1.2, 5.1.3
Kotlin (Technical Preview)  
• Support added for Kotlin 1.3.50
Note: Fortify Static Code Analyzer support for scanning Kotlin is available as a technical preview.  
However, security content for this feature will be released toward the end of June 2020. You can  
find vulnerabilities in your Kotlin applications only after the security content is available.  
Go Updates  
• Support added for Go language 1.13.x (up to 1.13.3)
Performance Improvements  
We have substantially improved dynamic languages analysis performance by making changes to:  
• The Higher Order Analysis (HOA) algorithm
• Taint analysis of Python’s static initializers
• Type inference scalability on multiple cores
These changes affect all languages that leverage higher order analysis:
• Python
• TypeScript
• JavaScript
• Ruby
• Swift
FPR File Enhancements  
• Translation options are now persisted in FPR files
• Filter files are persisted in FPR files
Micro Focus Fortify Static Code Analyzer Tools  
The following features have been added to Fortify Static Code Analyzer Tools.  
Fortify Security Assistant  
• Support for Visual Studio 2019
Additional Premium Reports  
The following reports have been added to the Static Code Analyzer Tools:  
• CWE Top 25 2019
Micro Focus Fortify WebInspect  
The following features have been added to Fortify WebInspect.  
Engine Updates - Big Improvements on Modern Apps  
We've updated our engines to keep pace with our customers' evolving applications! The engine update brings dramatic improvements to WebInspect’s ability to scan applications built with modern JavaScript frameworks.
Single-Page Application (SPA) Coverage Visualization  
The new engine provides an improved visualization of Single-Page Applications.  
For more information, watch the "Scanning Single-Page Apps" video on the Fortify Unplugged  
Macro Recorder Updates  
The Macro Recorder is now on by default across all areas of WebInspect. The updated recorder  
delivers an improved experience when recording both login and workflow macros.  
For more information, watch the "Recording Macros in Macro Recorder 5.0" video on the Fortify  
Upgraded Rescan Technology  
Rescan capabilities deliver a dramatically faster, more flexible, and more reliable experience. Our  
new rescan technology is better at replaying complicated attack sequences and is available via the  
UI, API, and CLI.  
For more information, watch the "WebInspect 20.1.0 Rescan Improvements" video on the Fortify  
Authenticated API Scanning with Postman  
We've continued to simplify API scanning and automation by adding the ability to handle  
authenticated API scanning to our Postman integration.  
For more information, watch the "Authenticated API Scanning with Postman" video on the Fortify  
Selenium WebDriver Login Macros  
Building on the Selenium WebDriver support from our last release, WebInspect now supports  
using a Selenium WebDriver script as a login macro.  
For more information, read the "Selenium Login Macro" topic in the Help.  
Micro Focus Fortify WebInspect Enterprise  
The following features have been added to Fortify WebInspect Enterprise.  
Engine Updates - Big Improvements on Modern Apps  
We've updated our engines to keep pace with our customers' evolving applications. The engine update brings dramatic improvements to WebInspect Enterprise’s ability to scan applications built with modern JavaScript frameworks.
Macro Recorder Updates  
The Macro Recorder is now available within WebInspect Enterprise and as a free-standing  
application. The free-standing application, Macro Recorder 5.0, is available in the Fortify  
Marketplace. Continuing with our goal of supporting modern applications, our updated recorder  
delivers an improved experience when recording both login and workflow macros.  
For more information, watch the "Recording Macros in Macro Recorder 5.0" video on the Fortify  
Silverlight Removal Complete  
The WebInspect Enterprise Desktop client now automatically opens in Microsoft Internet Explorer  
as well as Microsoft Edge.  
Contact Micro Focus Fortify Customer Support  
If you have questions or comments about using this product, contact Micro Focus Fortify  
Customer Support using one of the following options.  
To Manage Your Support Cases, Acquire Licenses, and Manage Your Account  
For More Information  
For more information about Fortify software products:  
What’s New in Micro Focus Fortify Software 19.2.0
November 2019  
This release of Micro Focus Fortify Software includes the following new functions and features.  
Micro Focus Fortify Software Security Center  
The following features have been added to Fortify Software Security Center.  
Scan Issue View Now Includes a Comment Column  
Session Logout Screens  
A newly-integrated logout screen appears when users log out of Fortify Software Security Center.  
This also includes support for use with Fortify Software Security Center’s SSO support.  
• In this release there are new session logout screens. If you logged in as a local user, and you log out (or you are logged out because your session timed out), the session logout screen displays a link that you can use to return to the login screen.
• If you logged in using a SAML-based single sign-on account, which supports single sign-off, and you log off, the session logoff page gives you the option of logging out as a local user, or logging out from your SSO SAML account. For more detail, see "About Session Logout" in the user guide.
• If you logged in using a SAML-based single sign-on account and your session times out due to inactivity, a session logout dialog box gives you the options of signing out locally, signing out of your SAML account, or staying logged in.
Removal of Runtime Calls, Methods, and Parameters  
Runtime calls, methods, and parameters were removed from Web Service endpoints, APIs, and  
command-line tools.  
New Requirement for Audit Assistant Custom Tag Mapping  
When you map Audit Assistant analysis tag values to custom tag values, you must make sure that  
you assign at least one tag value to both the Non-Issue and True Issue categories. For details, see  
"Mapping Audit Assistant Analysis Tag Values to Software Security Center Custom Tag Values" in  
the user guide.  
Exporting Data for All Application Versions  
• You can now export data for all application versions to a CSV file. For details, see "Exporting Data to Comma-Separated Values Files" in the user guide.
Additional File Formats Supported for Attachment to Issues  
• Now, in addition to files in JPG, JPEG, BMP, PNG, and GIF formats, you can attach files in DOC, DOCX, PPT, and PPTX formats.
PCI SSF Report & Issue Template  
The PCI SSF compliance mappings supersede the old PCI DSS requirements. Fortify makes both  
types of reports and Issue Templates available for customers still leveraging DSS requirements.  
New PCI Basic Seed Bundle  
A new seed bundle is available for seeding the Fortify Software Security Center database. The  
optional PCI Basic seed bundle (Fortify_PCI_SSF_Basic_Seed_Bundle-2019_Q3.zip)  
adds a Payment Card Industry (PCI) Data Security Standard (DSS) process template and its  
associated report to the default set of issue templates and reports. PCI DSS will remain open for  
assessment of previously-started, and newly-started assessments initiated before June 2021, until  
October 2022. After October 2022, the new PCI Software Security Framework (SSF) will be the  
set of standards for evaluation.  
This is in addition to the Fortify_PCI_Basic_Seed_Bundle-2019_Q3.zip file, which is still  
available. For more information about seed bundles, see "Unpacking and Deploying Fortify  
Software Security Center Software" in the user guide.  
Micro Focus Fortify Static Code Analyzer  
The following features have been added to Fortify Static Code Analyzer.  
Modular Analysis  
Modular analysis allows you to pre-scan libraries and sub-libraries separately from your core  
project. You can then include these pre-scanned libraries when you scan the core project. Fortify  
Static Code Analyzer can follow dataflow through the libraries without including the source code  
of the libraries in the core application scan or requiring rules for these libraries. This results in a  
high quality scan without having to scan the dependencies each time you scan the core  
application.  
Go Language  
Added support for translating Go language version 1.12 source code on Windows and Linux  
platforms.  
React  
Added support for React 16.5 JavaScript library.  
Java  
Added support for Java 12.  
Performance improvements  
Fortify Static Code Analyzer now uses available cores in a more scalable fashion. Increasing the  
number of available cores may improve scan speeds. Similarly, increasing available memory may  
also improve scan speeds.  
Micro Focus Fortify Static Code Analyzer Tools  
The following features have been added to Fortify Static Code Analyzer Tools.  
Fortify CloudScan .NET packaging support  
Fortify CloudScan now supports packaging and scanning .NET solutions remotely (translation  
and analysis phases). The Fortify CloudScan client intelligently packages .NET solutions for  
remote translation and scanning outside of the build environment.  
Other directly-parsed languages have been added to CloudScan.  
The following languages are supported in Fortify Static Code Analyzer, but are not available for  
remote translation: the C family of languages (C/C++/Objective-C/Swift), COBOL, and  
ActionScript.  
Fortify SCA Visual Studio 2019 Extension w/ built-in CloudScan support  
• Added Fortify extension for Visual Studio 2019
• Includes Fortify CloudScan support
Fortify Jenkins plugin with built-in CloudScan and 19.2.0 Fortify Static Code Analyzer support
This new plugin includes native Fortify CloudScan support and new scan options that support  
Fortify Static Code Analyzer 19.2.0. Available for download: https://plugins.jenkins.io/fortify.  
Audit Workbench  
• Dark Theme: To enable the dark theme, navigate to Options -> Appearance -> Dark Theme in Fortify Audit Workbench.
• Syntax highlighting support for TypeScript, YAML, Less and JSON.
Micro Focus Fortify WebInspect  
The following features have been added to Fortify WebInspect.  
Simplified API Scanning  
Scanning of APIs that are documented in the OpenAPI (Swagger) API description format has been simplified. You can leverage this feature from the API Scan option of the Basic Scan Wizard or from the WebInspect API or CLI.
Advanced API Scanning – Postman  
Run functioning Postman collections for advanced API scanning scenarios where unique  
workflows, complicated authentication, or specific parameter values are required.  
Response State Patterns  
Handles complex scenarios where an application requires passing data from a response into a  
subsequent request. You can build response state rules from the Scan Settings > HTTP Parsing  
option.  
Macro Auto-gen Improvements  
The underlying macro auto-gen engine has been upgraded and signatures have been improved,  
resulting in improved accuracy and performance of our macro auto generation technology.  
Macro Validation Improvements  
The underlying macro validation engine has been improved, resulting in greater accuracy in  
validating macros.  
Usability Improvements  
• Improved support for high resolution monitors.
• Some scan settings have been simplified to reduce confusion.
Common Access Card (CAC) Improvements  
Many highly restricted applications leverage common access cards as a part of their two-factor  
authentication protocol. CAC coverage provides better support when scanning applications in  
these sensitive environments.  
Selenium WebDriver - Tech Preview
Selenium WebDriver enables tighter integration of Fortify WebInspect into your pipeline in this Technical Preview. This integration allows Fortify WebInspect to automatically run Selenium binaries, detect the tested surface area of the application, and then test for vulnerabilities.
Updated Vuln Retest - Tech Preview  
Improvements to the accuracy of our vulnerability retest engines have been made. The Technical Preview of these updated capabilities is available via the API and CLI. Updated endpoints allow for testing all detected vulnerabilities, vulnerabilities by severity, or even individual vulnerabilities by unique identifier.
Micro Focus Fortify WebInspect Enterprise  
The following features have been added to Fortify WebInspect Enterprise.  
Silverlight Dependency Removal  
To provide more flexibility, WebInspect Enterprise no longer requires Internet Explorer with Silverlight for proper operation. Customers using modern browsers like Chrome and Firefox are prompted to install the WIE Desktop Client, which allows them to configure and visualize scans.
Free-Standing Macro Recorder with Macro Engine 5.0  
While we work to complete integration of the updated Web Macro Recorder with Macro Engine  
5.0 throughout the product, we want to provide you with a free-standing version of the new tool.  
You can download the free-standing Web Macro Recorder tool from the Software Support Online  
portal. The tool provides both WebInspect Enterprise and WebInspect customers with an easy  
way to record macros without changing default settings.  
What’s New in Micro Focus Fortify Software 19.1.0
May - June 2019  
This release of Micro Focus Fortify Software includes the following new functions and features.  
Micro Focus Fortify Software Security Center  
The following features have been added to Fortify Software Security Center.  
UI / Usability Updates  
• The COMMENTS section has been moved. Previously, you posted and viewed comments from the COMMENTS & HISTORY tab. Now you can post and view comments on the AUDIT tab in the right panel of the issue details section.
• Audit Page: Rulepack content is now divided into separate sections. Details / Recommendations / Metadata / References / etc. are now found in the Info tab.
• The new version selector has a three-column layout for selecting application versions. It was designed to accommodate thousands of application versions.
Micro Focus Fortify Static Code Analyzer  
The following features have been added to Fortify Static Code Analyzer.  
TypeScript  
TypeScript language support now includes:  
• Higher Order Analysis (HOA) performance improvements
• Support for TypeScript 3.0, 3.1 and 3.2
Python  
Python language support now includes:  
• Support for Python 3.7
• Support for Django 2.x
• Performance improvements
Gradle  
Gradle support now includes Gradle 4.x.  
Angular  
Angular support now includes Angular 7.  
Java  
Java support now includes Java 10 and Java 11.  
ECMAScript  
Fortify Static Code Analyzer now supports ECMAScript 2018.  
Higher Order Analyzer  
Higher Order Analyzer is on by default for JavaScript and TypeScript applications. When Higher  
Order Analyzer is enabled, Fortify Static Code Analyzer is able to better track dataflow issues and  
uncover more vulnerabilities.  
Micro Focus Fortify CloudScan  
Fortify CloudScan now ships with a utility to package source code, dependencies, and Fortify  
Static Code Analyzer translation instructions. You no longer have to install Fortify Static Code  
Analyzer locally or on the build server. The packaging utility allows you to centralize your Fortify  
infrastructure and create a consistent approach across languages.  
• You no longer have to install and run Fortify Static Code Analyzer on the build server for the following languages: Java, JavaScript, Ruby, Python, and PHP.  
• The packaging utility packages everything necessary, including dependencies, and sends the package directly to the CloudScan CLI. The CloudScan CLI then sends it on to the sensors, which perform both translation and scanning phases of the analysis.  
• The packaging utility intelligently sets what were previously manual translation options. Simply provide the location of the build file (build.gradle / pom.xml). No other configuration options are required for build integration.  
• This new Fortify CloudScan utility supports auto packaging using the Gradle or Maven build tools.  
Micro Focus Fortify Static Code Analyzer Tools  
The following features have been added to Fortify Static Code Analyzer Tools.  
Fortify Jenkins Plugin  
• Post-build action analyzes the source with Fortify Static Code Analyzer, updates security content, uploads analysis results to Fortify Software Security Center, and fails the build based on uploaded results processed by Fortify Software Security Center.  
• Provides native pipeline support for source code analysis with Fortify Static Code Analyzer, security content update, and uploads to Fortify Software Security Center.  
• Snippet generator makes it easy to generate the pipeline code necessary to add a Fortify task to a pipeline script.  
• Displays Fortify security analysis results for each job that includes a history trend and the latest issues from Fortify Software Security Center. Navigates to individual issues on Fortify Software Security Center for detailed analysis.  
Micro Focus Fortify WebInspect  
The following features have been added to Fortify WebInspect.  
Simplified API Scanning  
We have dramatically simplified scanning APIs that are documented using the OpenAPI  
(Swagger) API description format. You can use the API Scan option in the Basic Scan Wizard or  
leverage this feature from the WebInspect API or CLI.  
Advanced API Scanning – Postman  
Fortify WebInspect can now directly run your functioning Postman collections for more advanced  
API scanning scenarios where unique workflows, complicated authentication, or specific  
parameter values are required.  
Response State Patterns  
Fortify WebInspect can now handle complex scenarios where an application requires passing data  
from a response into a subsequent request. To build response state rules, go to Scan Settings >  
HTTP Parsing.  
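The scenario above, a value issued in one response that must be carried into the next request (an anti-CSRF token is the common case), is what a scanner must handle or it will never get past the first form and will silently under-test the application. The following is an added illustration of that mechanism, not WebInspect's own code or configuration format: a rule pairs a regular expression with a capture group against a response body and a placeholder to substitute in later requests. The rule names, the `{{csrf}}` placeholder syntax and the sample HTTP messages are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class ResponseStateRule:
    """One response-state rule (hypothetical model for the example).

    name        - key under which the captured value is stored
    pattern     - regex with exactly one capture group, searched in the response body
    placeholder - literal text replaced in later requests with the captured value
    """
    name: str
    pattern: str
    placeholder: str

def extract_state(rules: List[ResponseStateRule], response_body: str,
                  state: Dict[str, str] = None) -> Dict[str, str]:
    """Run every rule against a response body and return the updated state.

    Existing values are kept when a rule does not match, so a token issued
    on an earlier page survives responses that do not re-issue it.
    """
    new_state = dict(state or {})
    for rule in rules:
        match = re.search(rule.pattern, response_body)
        if match:
            new_state[rule.name] = match.group(1)
    return new_state

def apply_state(request: str, rules: List[ResponseStateRule],
                state: Dict[str, str]) -> Tuple[str, List[str]]:
    """Substitute captured values into a request template.

    Returns the rewritten request and the names of placeholders that could
    not be resolved; a caller should treat unresolved placeholders as a
    scan-configuration error rather than send the literal placeholder text.
    """
    unresolved = []
    for rule in rules:
        if rule.placeholder not in request:
            continue
        if rule.name in state:
            request = request.replace(rule.placeholder, state[rule.name])
        else:
            unresolved.append(rule.name)
    return request, unresolved

# Constructed sample: a login page that embeds a per-session anti-CSRF token.
SAMPLE_RULES = [
    ResponseStateRule(
        name="csrf",
        pattern=r'name="_csrf"\s+value="([A-Za-z0-9]+)"',
        placeholder="{{csrf}}",
    ),
]

SAMPLE_LOGIN_PAGE = (
    "<html><body><form method=\"post\" action=\"/login\">\n"
    "<input type=\"hidden\" name=\"_csrf\" value=\"t0k3nFromServer42\">\n"
    "<input name=\"user\"><input name=\"pass\" type=\"password\">\n"
    "</form></body></html>"
)

SAMPLE_LOGIN_REQUEST = (
    "POST /login HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "_csrf={{csrf}}&user=alice&pass=secret"
)

def build_login_request() -> Tuple[str, List[str]]:
    """Chain the two steps: capture state from the page, then fill the request."""
    state = extract_state(SAMPLE_RULES, SAMPLE_LOGIN_PAGE)
    return apply_state(SAMPLE_LOGIN_REQUEST, SAMPLE_RULES, state)

if __name__ == "__main__":
    request, missing = build_login_request()
    print(request)
    print("unresolved placeholders:", missing)
```

The failure mode worth checking in any scan configuration is the second return value: if the rule's pattern no longer matches (for instance, after the application renames the hidden field), every subsequent request goes out with the placeholder unfilled, the server rejects it, and the scan reports a clean, but untested, application.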
Macro Auto-gen Improvements  
We’ve upgraded the underlying macro auto-gen engine and we’ve improved our signatures. You  
should see improved accuracy and performance of our macro auto generation technology.  
Macro Validation Improvements  
The underlying engine for our macro validation feature has been improved. You should note  
improved accuracy in validating macros.  
Usability Improvements  
We’ve addressed some usability concerns on two fronts. First, we’ve improved WebInspect’s  
support for high resolution monitors. Second, we’ve begun simplifying some of our scan settings  
to avoid customer confusion.  
Common Access Card (CAC) Improvements  
Many highly-restricted applications leverage common access cards as a part of their two-factor  
authentication protocol. We’ve broadened our CAC coverage to better support our customers  
who are scanning applications in these sensitive environments.  
Verify Site Improvements  
We’ve improved the Verify Site API endpoint to support more advanced detection of application  
complexity, and to provide a measurement of application response time that can be used to  
predict potential for long running scans.  
Free-Standing Macro Recorder with Macro Engine 5.0  
While we work to complete integration of the updated Web Macro Recorder with Macro Engine  
5.0 throughout the product, we want to provide you with a free-standing version of the new tool.  
You can download the free-standing Web Macro Recorder tool from the Software Support Online  
portal. The tool provides both WebInspect Enterprise and WebInspect customers with an easy  
way to record macros without changing default settings.  
Selenium WebDriver - Tech Preview  
To allow customers to more tightly integrate WebInspect into their pipelines, we’ve built a  
Selenium WebDriver integration. This integration allows WebInspect to automatically run  
Selenium binaries, detect the tested surface area of the application, and then test for  
vulnerabilities.  
Updated Vuln Retest - Tech Preview  
We’re improving the accuracy of our vulnerability retest engines. In 19.2.0 we’re releasing a  
technical preview of these updated capabilities which are available via the API and CLI. The  
updated endpoints allow for testing all detected vulnerabilities, vulnerabilities by severity, or even  
individual vulnerabilities by unique identifier.  
Micro Focus Fortify WebInspect Enterprise  
The following feature has been added to Fortify WebInspect Enterprise.  
New API Endpoints  
New SmartUpdate endpoints provide a way of:  
• Getting a list of all SmartUpdate occurrences  
• Getting details or status of a specific SmartUpdate  
• Starting the SmartUpdate process to download the latest SecureBase changes and sensor versions  