Fortify Software  
What’s New in Micro Focus Fortify  
Software 21.2.0  
November 2021  
This release of Micro Focus Fortify Software includes the following new functions and features.  
Micro Focus Fortify Software Security Center  
The following features have been added to Fortify Software Security Center.  
Static/Dynamic Issue Correlation Indicator  
• In this release we introduce the static/dynamic issue correlation indicator. After static and
  dynamic scans are run on an application version and the results have been uploaded to Fortify
  Software Security Center, issues that were uncovered by both static and dynamic scans are
  tagged with the correlation indicator on the AUDIT page.
ScanCentral SAST Controller Updates  
• You can now place the ScanCentral SAST Controller into maintenance mode, which prevents
  scans that are running on the sensor from losing data.
• You can shut down ScanCentral SAST Controller sensors individually or in a batch.
ScanCentral DAST Scans Support  
• The Scans feature now includes both static and dynamic scan results.
Micro Focus Fortify Software (21.2.0)  
Page 1 of 29  
New Premium Quarterly Reports  
• PCI SSF (Software Security Framework) 1.2 report
• CWE Top 25 report
LDAP Update  
• You can now configure Fortify Software Security Center to invalidate tokens created by users
  who have been disabled in LDAP.
Java 11 Deployment  
Software Security Center can be deployed in a Java 11 (or higher) environment  
Kubernetes Updates  
• Added support for Kubernetes 1.21
• Added support for Helm 3.6 and 3.7
Micro Focus Fortify ScanCentral SAST  
The following features have been added to Fortify ScanCentral SAST.  
Support for the Fortify License and Infrastructure Manager  
• You can now centrally manage your Fortify ScanCentral SAST licenses through the Fortify
  License and Infrastructure Manager.
MSBuild Integration Update  
• With the 21.1.0 release of Fortify Static Code Analyzer, MSBuild integration was updated with
  support for .NET 5 and other new features. Fortify ScanCentral SAST now supports this new
  MSBuild integration functionality.
Go Language Support  
Added support for Go version 1.17.  
Graceful Shutdown and Timer Support  
• When shutting down Fortify ScanCentral SAST, the controller allows currently running scans
  to complete while keeping other scans from starting. Once the controller is running again, it
  runs the scans in the queue. In addition, a timeout can be set for long-running scans; if the
  timeout is exceeded, the scan is canceled and the sensor is freed to pick up a new scan request.
Sensor Pool Assignment Improvement  
• When starting up a sensor, you can assign it to a specific sensor pool without having to use the
  Fortify Software Security Center UI.
Micro Focus Fortify Static Code Analyzer  
The following features have been added to Fortify Static Code Analyzer.  
Fortify License and Infrastructure Manager  
• For customers that use Fortify under the Concurrent Scanning license model, Fortify Static
  Code Analyzer can now use the Fortify License and Infrastructure Manager to obtain a license
  key rather than the traditional fortify.license file. This enables the correct sharing of the
  Fortify Scan Machine license metric between Fortify Static Code Analyzer and WebInspect
  instances. The option to use the traditional fortify.license file is still available.
Regular Expression (regex) Analysis  
• The Fortify Static Code Analyzer Configuration analyzer can now detect vulnerabilities in file
  names and content using RegEx-based rules.
Operating System Updates  
Fortify added support for the following operating systems and versions:  
• IBM AIX 7.1
• Oracle Solaris SPARC 11.3
• Oracle Solaris x64 11.4
• Windows Server 2022
Compiler Updates  
Fortify added support for the following compiler versions:  
• gcc 10.2.1
• g++ 10.2.1
• Swiftc 5.4.2
Build Tool Updates  
Fortify added support for the following build tool versions:  
• Gradle 7.2
• Maven 3.8.2
• MSBuild 16.11
• Xcodebuild 12.5.1
C++ Updates  
• Added support for gcc on Macintosh
• Added support for gcc version 10.2.1
• Added support for C++ 14 and 17
JavaScript Improvements  
• Added support for ECMAScript 2021
• Added support for TypeScript 4.2 - 4.3
• Made type inference improvements
• Added support for SAPUI5/OpenUI5
• Minified JS excluded from scan by default
Go Language Update
• Added support for Go 1.17
YAML Support
• Added support for translating YAML code
Kotlin Update
• Added support for Kotlin 1.5
PHP
• Completed support for PHP 8
Scala  
• Eliminated the need for a separate license from Lightbend for Scala translations. A license key is
  still required to run the plugin. The key is now included in the Fortify distribution.
Configuration Scanning  
• JSON scanning enabled by default
• Added YAML scanning
Micro Focus Fortify Static Code Analyzer Tools  
The following features have been added to Fortify Static Code Analyzer Tools.  
ScanCentral SAST Support  
• Added Remote Translation capability to Fortify Scan Wizard and the Fortify Eclipse Plugins.
• Added ability to configure Fortify ScanCentral SAST and launch local and remote translations
  and scans from the Fortify Eclipse Complete Plugin running an advanced analysis.
New PCI SSF Report  
Generate new PCI SSF Report (version 1.2) from the following tools:  
• Fortify Audit Workbench
• Fortify Visual Studio Extension
• Fortify Eclipse Plugins (Complete and Remediation)
• BIRTReportGenerator
Micro Focus Fortify ScanCentral DAST  
The following features have been added to Fortify ScanCentral DAST.  
Correlated Issues  
• ScanCentral DAST can now uncover correlations between DAST and SAST results and
  forward the information to Fortify Software Security Center. Correlated results are displayed in
  the Fortify Software Security Center AUDIT View.
Scan Visualization Update  
• Selected scan visualizations can be opened in a new browser tab rather than using Site
  Explorer.
Client-Side Certificate Support  
• Upload a certificate and password for use when running a scan. If a scan requires the certificate,
  ScanCentral DAST will download and install it.
• Enable Redundant Page Detection and use it when running a scan.
Scan Priority Level  
• All scans can be assigned a priority level.
• When a scan is queued because there isn't a free sensor and a scan with a lower priority is
  running, the lower-priority scan will be shut down so the scan with the higher priority can run.
  The scan with the lower priority will restart when a sensor becomes available.
Azure SQL Support  
• The ScanCentral DAST Configuration Tool now supports Azure SQL and Azure Managed
  SQL.
• The ScanCentral DAST container now supports Azure SQL and Azure Managed SQL.
Micro Focus Fortify WebInspect  
The following features have been added to Fortify WebInspect.  
API Discovery  
With the new API Discovery, any Swagger or OpenAPI schema detected during a scan will have its  
endpoints added to the existing scan and authentication will be applied to the endpoints with our  
automatic state detection. In addition, probes will be sent to default locations of popular API  
frameworks to discover schemas.  
Two-factor Authentication  
Two-factor Authentication is a common requirement in enterprises and can be a burden to the  
security tester to get a bypass or to manually scan. WebInspect now offers the ability to automate  
Two-factor Authentication scans. This is accomplished by installing a lightweight Android app  
onto a phone or emulator that can capture SMS and Email tokens and pass them back to the  
scanner for authentication. Once configured, there is no need for user interaction.  
Automatic State Detection  
WebInspect now automatically detects and configures state for OAuth, JWT, and Bearer Tokens
during a scan.  
Engine 6.1 Updates  
Fortify continues to enhance its engines to improve scan coverage and performance. WebInspect  
21.2.0 provides a faster crawl and audit, and better application support from the Web Macro  
Recorder with Macro Engine 6.1.  
Improved DOM XSS Detection  
WebInspect 21.2.0 has new DOM XSS detection capabilities for analyzing client-side code for XSS.  
This will allow for improved XSS attack performance and the ability to detect client-side only  
attacks, such as XSS in DOM fragments.  
Web Fuzzer Tool  
The Web Fuzzer Tool lets you run Fuzzing tests that submit random or sequential data to various  
areas of an application to uncover security vulnerabilities. For example, when searching for buffer  
overflows, a tester can generate data of various sizes and send it to one of the application entry  
points to observe how the application handles it.  
Micro Focus Fortify WebInspect Enterprise  
The following features have been added to the Fortify WebInspect sensor used in WebInspect  
Enterprise.  
Note: WebInspect Enterprise 21.2.0 is scheduled for release in the latter half of December 21.2.0.  
API Discovery  
With the new API Discovery function in WebInspect, any Swagger or OpenAPI schema detected  
during a scan will have its endpoints added to the existing scan and authentication will be applied  
to the endpoints with our automatic state detection. In addition, probes will be sent to default  
locations of popular API frameworks to discover schemas.  
Automatic State Detection  
WebInspect now automatically detects and configures state for OAuth, JWT, and Bearer Tokens
during a scan.  
Engine 6.1 Updates  
Fortify continues to enhance its engines to improve scan coverage and performance. WebInspect  
21.2.0 provides a faster crawl and audit, and better application support from the Web Macro  
Recorder with Macro Engine 6.1.  
Improved DOM XSS Detection  
WebInspect 21.2.0 has new DOM XSS detection capabilities for analyzing client-side code for XSS.  
This will allow for improved XSS attack performance and the ability to detect client-side only  
attacks, such as XSS in DOM fragments.  
Contact Micro Focus Fortify Customer Support  
If you have questions or comments about using this product, contact Micro Focus Fortify  
Customer Support using one of the following options.  
To Manage Your Support Cases, Acquire Licenses, and Manage Your Account  
For More Information  
For more information about Fortify software products:  
What’s New in Micro Focus Fortify  
Software 21.1.0  
July 2021  
This release of Micro Focus Fortify Software includes the following new functions and features.  
Micro Focus Fortify Software Security Center  
The following features have been added to Fortify Software Security Center.  
Oracle: JDBC Driver Requirement  
If you use Oracle as your Fortify Software Security Center database, you no longer need to  
manually add the JDBC driver. The installer now includes the JDBC Thin Driver (ojdbc8.jar).  
Autoconfigure Update  
You no longer need to provide db.driver.class, db.dialect, or
db.like.specialCharacters to deploy SSC using autoconfiguration
(<app_context>.autoconfig file). Deployment works for all databases if you provide values for
db.username, db.password, and jdbc.url only.
Required Attribute Alert  
If an administrator creates a new required attribute, Fortify Software Security Center alerts you to  
the addition so that you can specify a value for it in an application version.  
Export Open Source Results  
You can now export your open source data to a comma-separated file.  
DENY Button for Artifacts  
There is now a DENY button for artifacts that require approval but were uploaded by mistake.  
The denied results will not be merged with the application version but can be retained as part of  
the record.  
New Reports  
The premium report bundle now includes three new issue reports:  
• DISA STIG 5.1
• NIST 800-53 Revision 5 (Accessed through the FISMA Compliance: FIPS-200 report template)
• CWE Top 25 2020
StartTLS Support for LDAP  
StartTLS is now supported as a connection method to LDAP servers.  
Enhanced Issue Filtering  
Issue filtering from the OVERVIEW and AUDIT pages now includes enhancements.  
You can now filter issues based on their category.  
Kubernetes Support  
• Added support for Kubernetes version 1.20.
• Added support for versions 3.4 and 3.5 of the Helm command-line tool.
Service Integrations Support  
• Added support for Azure DevOps Server 2020.
Micro Focus Fortify ScanCentral SAST  
Improved Job Processing Messages  
Previously, when a job was assigned to a sensor, the Controller sent the email message  
"ScanCentral job request accepted." After the job was completed, the Controller sent the email  
message "ScanCentral job completed."  
Now, when the Controller accepts a job, it sends the email message "ScanCentral job request  
accepted." After the job is assigned to a sensor, the Controller sends the email message  
"ScanCentral job request assigned." Finally, after the job is completed, the Controller sends the  
email message "ScanCentral job completed."  
New -debug Option  
The -debug option, which enables debug logging on clients and sensors, was added in this  
release.  
-upload Option Required for Scans When Fortify Software Security Center is in Lockdown Mode
Previously, if Fortify Software Security Center was in lockdown mode, you could run a scan even if  
you failed to specify the -upload option in the ScanCentral command. The results shown for the  
scan on the SCANCENTRAL > SAST tab in Fortify Software Security Center left out the  
application version and the scan was not uploaded. Now, if Fortify Software Security Center is in  
lockdown mode, and you try to start a scan without using the -upload option, client execution  
fails with an error.  
Improved Sensor Cleanup  
Now, the clean-up process on a sensor machine invokes the sourceanalyzer -clean  
command to remove Fortify Static Code Analyzer internal files related to the job.  
Maven Remote Translation  
You can now specify custom settings files for Maven remote translation.  
New Email Properties  
Two new properties in the config.properties file allow you to specify which email domains
to use for outgoing emails and which domains are disallowed.
Micro Focus Fortify Static Code Analyzer  
The following features have been added to Fortify Static Code Analyzer.  
.NET  
Added support for the following languages and frameworks:  
• .NET 5.0
• C# 9
• ASP.NET Blazor
To improve MSBuild integration, the custom msbuild executable and its assemblies were replaced  
by a Fortify-specific .targets file and task assemblies. These changes favorably impact translations  
under MSBuild Integration performed by the system’s MSBuild tool.  
MSBuild Support Update  
Added support for versions 16.8 and 16.9.
Go  
• Added support for Go versions 1.15 and 1.16.
• Added support for the GOPROXY environment variable.
Java  
• Updated JSP translation produces fewer false positives
• Improved bytecode analysis
JavaScript  
Added support for the following languages and frameworks:  
• TypeScript 4.1
• Angular 10 and 11
Kotlin  
Added support for Kotlin 1.4.20.  
PHP  
Added support for PHP 7.2, 7.3, 7.4, and 8.0.  
Python  
Added support for the following languages and frameworks:  
• Python 3.9
• Django 3.1
Swift/Obj-C  
Added support for Xcode 12.4.  
Operating Systems (Linux)  
Added support for the following Linux servers:  
• SUSE Linux Enterprise Server 15.
• Red Hat Enterprise Linux 8.2.
• CentOS Linux 7.6-1810 and 8.2-2004.
• Ubuntu 20.04.1 LTS.
Micro Focus Visual COBOL (Technology Preview)  
Added support for Micro Focus Visual COBOL 6.0.  
C/C++ (Technology Preview)  
Improved support for constructs in C++11 using new Clang-based translation.  
Speed Dial (Technology Preview)  
• Added level 3 and 4 support.
• Improved intermediate development scan speeds by up to 50% (with a reduction in reported
  issues).
• Reduced scan time for typed languages such as Java and C/C++.
• Level 4 support provides a full scan.
Micro Focus Fortify Static Code Analyzer Tools  
The following features have been added to Fortify Static Code Analyzer Tools.  
ScanCentral SAST Support in Secure Code Plugins  
• ScanCentral SAST support added to Eclipse Complete Plugin, IntelliJ Analysis Plugin, and
  Visual Studio Extension.
• You can now submit ScanCentral SAST scan requests from the plugins.
• Added support for both local translation (send MBS file for scan phase) and remote translation
  (send package for both translation and scan phases).
Java 11 Runtime Support  
All tools and secure code plugins can be run in a Java 11 runtime environment.  
Syntax Highlighting for Additional Languages in Audit Workbench  
• Adds syntax highlighting for the following languages: ABAP, Apex, ASP, C# and ASP.NET,
  COBOL, Cold Fusion, Go, Kotlin, Objective C, PHP, Python, Ruby, Scala, Swift, VB.NET, Visual
  Basic 6.0 and configuration files.
Improved Merge Behavior in Visual Studio Extension  
• Adds the ability to choose to merge with or overwrite a previous scan result.
• If an issue template is specified for the scan (configured as default or via additional scan
  option), the issue template from the new scan will be saved in the merged FPR.
• Set the merge option in Fortify > Options > Project Configuration > Advanced Scan
  Options. Select or clear the Merge with Previous Scan checkbox.
New Versions of Reports  
• DISA STIG 5.1
• NIST 800-53 Revision 5
• CWE Top 25 2020
These can be generated from Fortify Audit Workbench, the secure code plugins, and the  
BIRTReportGenerator command-line interface.  
Updated IDE Support  
• Added support for Eclipse versions 2020-x and 2021-x in Micro Focus Fortify Plugins for
  Eclipse.
• Added support for Eclipse version 2021-x in Micro Focus Fortify Security Assistant Plugin for
  Eclipse.
• Added support for versions 4.x of Android Studio in Micro Focus Fortify Plugins for JetBrains
  IDEs and Android Studio.
Service Integrations  
• Added support for Azure DevOps Server 2020.
Micro Focus Fortify ScanCentral DAST  
The following features have been added to Fortify ScanCentral DAST.  
Functional Application Security Testing (FAST)  
FAST provides a CI/CD-friendly way to capture traffic from functional tests and send it to  
ScanCentral DAST for targeted DAST scanning.  
API Scanning with Postman  
In 21.1.0, ScanCentral DAST continues to simplify API scanning with its Postman integration. A  
new workflow in the WebInspect sensor automatically detects the authentication requests and  
excludes them from attack by default. There are also improvements to OAuth 2.0 support.
Hacker Level Insights  
Hacker Level Insights is a new framework that exposes insights about an application that
are interesting from a security perspective but are not necessarily vulnerabilities. Detection of
JavaScript client-side frameworks is included in 21.1.0.
Data Retention Policies  
Configuring data retention policies at the application or scan level allows automatic purging of  
stale data to support ScanCentral DAST database maintenance and system performance in high  
usage environments.  
Deny Intervals  
ScanCentral DAST supports application-level and scan-level deny intervals, during which currently
running scans are paused or forced to complete and new scans do not start.
Base Settings  
Base Settings provide ScanCentral DAST administrators the ability to apply scan setting  
templates across all applications or specific applications.  
Policy Import  
ScanCentral DAST supports using custom policies at both the application level and scan level.  
Alerting  
A messaging framework displays information about the quality and performance of scans in  
progress.  
SiteExplorer Download  
A link is provided in ScanCentral DAST to download SiteExplorer for visualization of a scan.  
Horizontal Scaling (Technology Preview)  
Horizontal scaling of sensor script engines provides dramatically faster scanning.  
Micro Focus Fortify WebInspect  
The following features have been added to Fortify WebInspect.  
HTTP/2 Support  
Modern applications have begun leveraging HTTP/2 to improve the user experience with  
improved speed and more efficient client/server communication. WebInspect now supports  
applications that use HTTP/2 technology.  
API Scanning with Postman  
WebInspect continues to simplify API scanning with its Postman integration. A new workflow in  
the sensor automatically detects the authentication requests and excludes them from attack by  
default. There are also improvements to OAuth 2.0 support.
Hacker Level Insights  
Hacker Level Insights is a new framework that exposes insights about an application that
are interesting from a security perspective but may not necessarily be vulnerabilities. Detection of
JavaScript client-side frameworks is included in 21.1.0.
Engine 6.0 Updates  
Fortify continues to enhance its engines to improve scan coverage and performance. WebInspect  
21.1.0 provides a faster crawl and audit, and better application support from the Web Macro  
Recorder with Macro Engine 6.0.  
Masked Parameters in TruClient  
The Web Macro Recorder with Macro Engine 6.0 allows values for parameters such as password  
to be masked so they are hidden from view.  
Simplified User Agent Selection  
Selection of a User Agent in settings during scan configuration is now applied to both TruClient  
macros and the scan settings.  
Alerting  
Alert-level scan log messages provide information about the quality and performance of scans in  
progress.  
OpenSSL  
The OpenSSL technical preview is now the default SSL/TLS implementation in WebInspect. This  
integration provides support for TLS 1.3, and provides an option for customers whose system  
administrators may be restricting the Microsoft SCHANNEL stack.  
Micro Focus Fortify WebInspect Enterprise  
The following features have been added to Fortify WebInspect Enterprise.  
Engine 6.0 Updates  
Fortify continues to enhance its engines to improve scan coverage and performance. WebInspect  
21.1.0 provides a faster crawl and audit, and better application support from the Web Macro  
Recorder with Macro Engine 6.0.  
Masked Parameter in TruClient  
The Web Macro Recorder with Macro Engine 6.0 allows values for parameters such as password  
to be masked so they are hidden from view.  
Simplified User Agent Selection  
Selection of a User Agent in Advanced Settings during scan configuration is now applied to
both TruClient macros and the scan settings.
What’s New in Micro Focus Fortify  
Software 20.2.0  
November 2020  
This release of Micro Focus Fortify Software includes the following new functions and features.  
Micro Focus Fortify Software Security Center  
The following features have been added to Fortify Software Security Center.  
Webhooks  
The latest version of Fortify Software Security Center includes a new Webhook feature in the  
Administrative section. Use it to create hooks for system and application version events directly in  
the UI or API. When available, Webhooks can be helpful in updating external pipelines with Fortify  
Software Security Center data. This feature will drive our next generation of build failure  
workflows in the continuous integration plugins that we currently offer.  
General Performance Improvements  
• Ahead-of-time compilation reduces the time needed to download the JavaScript for our user
  interface. Our testing indicates a 40% reduction in the overall package size.
• The Issue endpoint has been refactored for better direct API performance.
Open Source Components View  
A new Open Source Components view appears on the Open Source tab of the Issues page. This  
view displays Sonatype open source issues. The user can audit these issues directly in the view.  
This view also includes two new fields: Invoked and Controllable. These fields indicate whether the  
Sonatype-identified method or function(s) were called or user-controlled input reached this  
function/method in your custom code.  
OWASP ASVS v4.0 Report  
The OWASP ASVS v4.0 report provides an easy way to consolidate the list of requirements for  
secure software development as defined by this standard.  
ScanCentral DAST  
ScanCentral DAST joins the family! The ScanCentral tab in Fortify Software Security Center now  
has both SAST and DAST options. WebInspect customers can now orchestrate dynamic testing  
and automation from within Fortify Software Security Center.  
Java 11 Support  
Support for Java 11 in combination with Tomcat 9. See the Micro Focus Software System  
Requirements document for more information.  
Fortify ScanCentral SAST  
Product Name Change  
With the introduction of Fortify ScanCentral DAST (for dynamic scans), Fortify ScanCentral was  
re-named ScanCentral SAST. For information about Fortify ScanCentral DAST, see the Micro  
Focus Fortify ScanCentral DAST Configuration and Usage Guide.  
JavaScript Packaging Improvement  
There is a new parameter available in the ScanCentral SAST client to include npm dependencies
when they are not present in the current working directory. Users can add –scan-node-modules
to the ScanCentral SAST client command. ScanCentral SAST will download the node
modules and include them for translation and analysis. If this flag is not present, even if the node
modules are there, we exclude them by default.
Quality Improvements  
• ScanCentral SAST has improved support for multiple versions of Fortify Static Code Analyzer.
  When scanning resources are unavailable for a particular client version, more informative error
  messages will be issued.
• The auto upgrade feature now patches all connected ScanCentral SAST clients, avoiding the
  need to manually install the patches multiple times.
• ScanCentral SAST standalone clients receive both patch upgrades and major version upgrades
  (controller is upgraded).
• Embedded ScanCentral SAST clients from Fortify Static Code Analyzer will not automatically
  upgrade to the new version, but do receive patches.
• Custom build parameters that are required for software compilation are now included and
  invoked by ScanCentral SAST clients. Previously, the default build invocation parameters for
  supported build tools were used.
Micro Focus Fortify Static Code Analyzer  
The following features have been added to Fortify Static Code Analyzer.  
Java  
• Support added for Java 14
• Native support for Lombok added. It is not necessary to use “delombok” anymore
• Support added for Kotlin interoperability
If your project contains Java code that refers to Kotlin code, include all the source directories in  
the translation command so that the Kotlin function calls are correctly resolved  
.NET  
• Now uses MSBuild 16.6
• Added Generics Type support
Swift/Obj C  
• Added support for Xcode up to version 11.7
JavaScript  
• Support added for TypeScript 3.3 - 4.0
• Support added for ECMAScript 2019 and 2020
Kotlin  
• Added full support for Kotlin 1.3.50
• Kotlin support is no longer a Technology Preview
• Added Kotlin Java Interoperability
  If your project contains Kotlin and Java source code, you can use the Java source to resolve any
  Kotlin types that refer to Java files
• Added Kotlin for Android support
Go  
• Added support for Go Modules
• Refactored Go translation, which allows easier translation and removes the need to have
  Go installed on the translation machine
COBOL  
• Added support for IBM Enterprise COBOL up to version 6.1
Python  
• Added support for Python 3.8
• Improved imports support for Python
Docker  
• Added support for running Fortify Static Code Analyzer in a Docker container
• Added support for scanning Docker configuration files
ABAP Extractor  
• Improved performance
• Added option to block the download of SAP standard code
Modular Analysis (Technology Preview)  
• Updated to include control flow analysis
Speed Dial (Technology Preview)  
The first version of Speed Dial provides a selection of configuration files to select the breadth and  
depth of the desired Fortify Static Code Analyzer scan.  
Micro Focus Fortify Static Code Analyzer Tools  
The following features have been added to Fortify Static Code Analyzer Tools.  
Azure DevOps  
• New ScanCentral SAST Task
  With the new Azure DevOps task, you can programmatically install the ScanCentral SAST client
  from the controller to configure and use the ScanCentral SAST client to orchestrate remote
  scanning from Azure DevOps. This works for both hosted and local build agents.
• New ScanCentral DAST Task
  In Azure DevOps, this task allows you to automate and orchestrate remote dynamic (WebInspect)
  scans from the ScanCentral DAST module inside of Fortify Software Security Center.
Visual Studio Code  
Fortify is happy to welcome the Fortify Visual Studio Code Extension to our IDE plugin family. In  
this first release, local Fortify Static Code Analyzer scans, remote scans via ScanCentral, and  
remote scans via Fortify on Demand are all supported.  
Token Authentication in all the Tools  
Fortify has introduced token-based authentication to Fortify Static Code Analyzer from Audit  
Workbench and the Visual Studio, Eclipse, and IntelliJ plugins.  
Support for OWASP ASVS v4.0 Report  
Support has been added for OWASP ASVS v4.0 reports.  
Micro Focus Fortify WebInspect  
The following features have been added to Fortify WebInspect.  
Automatic Detection of Single-page Applications  
Fortify continues to improve usability with time-saving features that eliminate manual  
configuration of scans. WebInspect 20.2.0 detects when applications use modern frameworks  
such as Angular and React and automatically adjusts its configuration to provide the best  
coverage.  
For more information, read the Help topic and watch the "SPA Scanning Improvements" video on  
Redundant Page Detection  
Applications with lots of redundant content, such as content management systems and catalog  
sites, can cause unnecessarily long-running scans. With WebInspect 20.2.0, you can use an  
advanced redundant page detection algorithm to reduce these scan times.  
For more information, read the Help and watch “Handling Redundant Content with WebInspect
20.2” on the Fortify Unplugged YouTube channel.
ADFS CBT Support  
Per advice from Microsoft, many organizations are implementing a channel binding token (CBT)  
to secure Active Directory Federation Services (ADFS) authentication. WebInspect 20.2.0 now  
supports this extended protection mechanism. To use this new feature, look at Scan Settings under  
Network Authentication > Method > ADFS CBT, and refer to the Help topic for details.  
Engine 5.1 Updates  
Fortify continues to evolve its engines to improve coverage and performance. WebInspect 20.2.0  
provides a faster crawl and audit, and better application support from the web macro recorder.  
Finally, as a sneak peek of things to come in 2021, the Web Macro Recorder with Macro Engine  
5.1 now attempts to detect and display client-side frameworks that are used in the target  
application. For more information, read the Help.  
OpenSSL Technical Preview  
WebInspect 20.2.0 introduces a technical preview of our OpenSSL integration. This integration  
provides support for TLS 1.3, and provides an option for customers whose system administrators  
may be restricting the Microsoft SCHANNEL stack. The setting may be enabled in the UI at Edit  
> Application Settings > General.  
ScanCentral DAST  
Fortify is excited to release a new DAST orchestration and automation platform integrated right  
into Software Security Center 20.2.0! For more information, watch our “Introduction to  
ScanCentral DAST” video on the Fortify Unplugged YouTube channel.  
Micro Focus Fortify WebInspect Enterprise  
The following features have been added to Fortify WebInspect Enterprise.  
Automatic Detection of Single-page Applications  
Fortify continues to improve usability with time-saving features that eliminate manual  
configuration of scans. The WebInspect 20.2.0 sensor detects when applications use modern  
frameworks such as Angular and React, and automatically adjusts its configuration to provide the  
best coverage.  
For more information, read the Help topic and watch the "SPA Scanning Improvements" video on  
Redundant Page Detection  
Applications with lots of redundant content, such as content management systems and catalog  
sites, can cause unnecessarily long-running scans. With the WebInspect 20.2.0 sensor, you can use  
an advanced redundant page detection algorithm to reduce these scan times.  
For more information, read the Help topic and watch “Handling Redundant Content with  
WebInspect 20.2” on the Fortify Unplugged YouTube channel.  
ADFS CBT Support  
Per advice from Microsoft, many organizations are implementing a channel binding token (CBT)  
to secure Active Directory Federation Services (ADFS) authentication. The WebInspect 20.2.0  
sensor now supports this extended protection mechanism. For more information, read the Help  
topic.  
Contact Micro Focus Fortify Customer Support  
If you have questions or comments about using this product, contact Micro Focus Fortify  
Customer Support using one of the following options.  
To Manage Your Support Cases, Acquire Licenses, and Manage Your Account  
For More Information  
For more information about Fortify software products:  
What’s New in Micro Focus Fortify  
Software 20.1.0  
May 2020  
This release of Micro Focus Fortify Software includes the following new functions and features.  
Micro Focus Fortify Software Security Center  
The following features have been added to Fortify Software Security Center.  
SQL Server Change  
You no longer need to download the JDBC JAR file or ensure Tomcat Server classpath includes its  
location when using SQL Server as your database.  
GUI Changes  
Applications View  
• Now displays application versions in an expandable list beneath the application name.  
Scans View  
• A Copy token to clipboard button has been added to the Scan Requests page.  
• Hostname and Pool columns have been added to the Scan Requests page.  
Sensors Page  
• Column headings have been changed on the Sensors page.  
Attributes Page  
• An In Use column has been added to the Attributes page. It lets you see what attributes and  
attribute values are in use by an application version.  
CAS Single Logout Support  
Fortify Software Security Center now supports single logout for Central Authorization Server.  
Modified Single Sign-On Configuration  
The SSO page was redesigned to improve usability and make it clear that only one SSO solution  
can be configured.  
Single Sign-On Local Login Support for x509 and Kerberos/SPNEGO  
There is a new SSC property, sso.localAuthenticationEnabled, in app.properties. This  
property enables local login with a username and password even though SSO (x509 and  
Kerberos/SPNEGO only) is configured and enabled.  
LDAP Users and Application Versions  
Beginning with the 19.2.1 patch release, LDAP users assigned the Security Lead role (or a custom  
role with application creation privileges) can create application versions.  
Delete List Type Attributes and their Values  
You can now delete attribute values for list-type attributes even if they are currently used by an  
application version. Tired of being told you can't delete an unwanted attribute because it's  
currently "in-use"? This feature is for you.  
General Performance Improvements  
We have optimized the way we parse very large request / response fields from Fortify WebInspect.  
The issueDetails RESTful API endpoint now sends a smaller amount of data per request.  
We have improved performance when leveraging authentication tokens and LDAP. This will be  
most noticeable when making frequent API requests.  
Software Security Center Kubernetes Deployment  
A new container is available on Fortify Docker. It includes detailed documentation for deploying  
and configuring SSC via Helm charts to a Kubernetes cluster.  
New CWE Top 25 2019 Report  
Prioritize your security issues using the 2019 version of the CWE Top 25.  
ScanCentral: Fortify CloudScan is now Fortify ScanCentral  
Fortify CloudScan has been renamed Fortify ScanCentral.  
ScanCentral: Automatic Client Updates  
The ScanCentral Controller now checks to determine whether an update is available. If one is, it is  
placed in a specific directory on the ScanCentral Controller. Client updates begin after  
you next start the Controller. For more information, see "Enabling and Disabling Auto-Updates of  
ScanCentral Clients" in the user guide.  
ScanCentral: Secure the Controller  
Use the new client_auth_token property to restrict the use of the ScanCentral Controller to  
authorized clients only.  
ScanCentral: Package Scanner Tool  
The new package scanner tool generates Fortify Static Code Analyzer commands and runs them  
without starting the ScanCentral clients.  
Micro Focus Fortify Static Code Analyzer  
The following features have been added to Fortify Static Code Analyzer.  
.NET Updates  
• Support added for .NET Core 2.2, 3.0, and 3.1  
• Support added for C# 8  
• Support added for VB.NET 16.0 (2019)  
• Support added for MSBuild 16.4  
• Support added for .NET Framework version 4.8  
• Support added for ASP.NET 4.8  
macOS Update  
Support added for macOS 10.15  
Java Update  
Support added for Java 13  
Swift and Objective-C Updates  
• Support added for Xcode 11, 11.1, 11.2.1, 11.3, 11.3.1  
• Improved translator  
Compiler Updates  
• Support added for cl 2019  
• Support added for Apple LLVM (Clang) 11.0.0  
• Support added for Swiftc 5.1, 5.1.2, 5.1.3  
Kotlin (Technical Preview)  
• Support added for Kotlin 1.3.50  
Note: Fortify Static Code Analyzer support for scanning Kotlin is available as a technical preview.  
However, security content for this feature will be released toward the end of June 2020. You can  
find vulnerabilities in your Kotlin applications only after the security content is available.  
Go Updates  
• Support added for Go language 1.13.x (up to 1.13.3)  
Performance Improvements  
We have substantially improved dynamic languages analysis performance by making changes to:  
• The Higher Order Analysis (HOA) algorithm  
• Taint analysis of Python’s static initializers  
• Type inference scalability on multiple cores  
These changes affect all languages that leverage higher order analysis:  
• Python  
• TypeScript  
• JavaScript  
• Ruby  
• Swift  
FPR File Enhancements  
• Translation options are now persisted in FPR files  
• Filter files are persisted in FPR files  
Micro Focus Fortify Static Code Analyzer Tools  
The following features have been added to Fortify Static Code Analyzer Tools.  
Fortify Security Assistant  
• Support for Visual Studio 2019  
Additional Premium Reports  
The following reports have been added to the Static Code Analyzer Tools:  
• CWE Top 25 2019  
Micro Focus Fortify WebInspect  
The following features have been added to Fortify WebInspect.  
Engine Updates - Big Improvements on Modern Apps  
We've updated our engines to keep pace with our customers' evolving applications! The engine  
update brings dramatic improvements to WebInspect’s ability to scan applications built with  
modern JavaScript frameworks.  
Single-Page Application (SPA) Coverage Visualization  
The new engine provides an improved visualization of Single-Page Applications.  
For more information, watch the "Scanning Single-Page Apps" video on the Fortify Unplugged  
Macro Recorder Updates  
The Macro Recorder is now on by default across all areas of WebInspect. The updated recorder  
delivers an improved experience when recording both login and workflow macros.  
For more information, watch the "Recording Macros in Macro Recorder 5.0" video on the Fortify  
Upgraded Rescan Technology  
Rescan capabilities deliver a dramatically faster, more flexible, and more reliable experience. Our  
new rescan technology is better at replaying complicated attack sequences and is available via the  
UI, API, and CLI.  
For more information, watch the "WebInspect 20.1.0 Rescan Improvements" video on the Fortify  
Authenticated API Scanning with Postman  
We've continued to simplify API scanning and automation by adding the ability to handle  
authenticated API scanning to our Postman integration.  
For more information, watch the "Authenticated API Scanning with Postman" video on the Fortify  
Selenium WebDriver Login Macros  
Building on the Selenium WebDriver support from our last release, WebInspect now supports  
using a Selenium WebDriver script as a login macro.  
For more information, read the "Selenium Login Macro" topic in the Help.  
Micro Focus Fortify WebInspect Enterprise  
The following features have been added to Fortify WebInspect Enterprise.  
Engine Updates - Big Improvements on Modern Apps  
We've updated our engines to keep pace with our customers' evolving applications. The engine  
update brings dramatic improvements to WebInspect Enterprise’s ability to scan applications built  
with modern JavaScript frameworks.  
Macro Recorder Updates  
The Macro Recorder is now available within WebInspect Enterprise and as a free-standing  
application. The free-standing application, Macro Recorder 5.0, is available in the Fortify  
Marketplace. Continuing with our goal of supporting modern applications, our updated recorder  
delivers an improved experience when recording both login and workflow macros.  
For more information, watch the "Recording Macros in Macro Recorder 5.0" video on the Fortify  
Silverlight Removal Complete  
The WebInspect Enterprise Desktop client now automatically opens in Microsoft Internet Explorer  
as well as Microsoft Edge.  