Fortify Software  
What’s New in Micro Focus Fortify  
Software 22.2.0  
November 2022  
This release of Micro Focus Fortify Software includes the following new functions and features.  
Micro Focus Fortify Software Security Center  
The following features have been added to Fortify Software Security Center.  
Priority Override Capability  
Administrators can now enable users to change, or override the priority values assigned to  
issues. With the introduction of priority override capability, the Engine Priority option was  
added to the Group by menu. This grouping selection returns issues based on the original  
priority value assigned by the engine that identified the issue.  
Prioritizing ScanCentral SAST Jobs  
In this release, you can move a pending scan request to the first position in the jobs queue from  
the SCANCENTRAL SAST tab. For details, see "Prioritizing a ScanCentral SAST Scan Request" in  
the user guide.  
Support for Tomcat Access log Pattern for Kubernetes Deployments  
Fortify Software Security Center now supports changing the Tomcat access log pattern for a  
Kubernetes deployment. For details, see "Configuring the Apache Tomcat Access Logs for  
Additional Fields on the Docker Image" in the user guide.  
Micro Focus Fortify Software (22.2.0)  
Page 1 of 30  
ScanCentral SAST Tab Enhancements  
The following changes were made to the SAST tab in the SCANCENTRAL view:  
l
The Status column is now the State column, which now displays symbols to indicate the  
current scan state.  
l
The Scan Requests table now includes the Priority column, which shows the order in which  
pending scan requests jobs are to be run. You can sort the listed jobs by selecting the  
Priority heading. The details for an expanded scan request now include the PRIORITIZE  
SCAN button, which you can select to move the scan request to the top of the job queue for  
the pool. You can also click the arrow icon in the Scan Requests table to move the request to  
the top of the queue. For details, see "Prioritizing a ScanCentral SAST Scan Request" in the  
user guide.  
Viewing and Auditing Debricked Vulnerability Results  
You can now view and audit Debricked scan results for applications in Fortify Software Security  
Center so that, in addition to seeing vulnerabilities in the source code, you can also view the  
open-source vulnerabilities from third-party libraries. For details, see "Viewing Open Source  
Data" in the user guide.  
Creating Clickable Links in Bug Tracking Templates  
As of release 22.1.1, you can use the new HtmlUtil class in the velocity templates for bug  
trackers to create a link to a specific issue in Fortify Software Security Center. For information  
about how to use this class, select the Editing tips link in the EDIT TEMPLATE dialog box (see  
"Customizing Velocity Templates for Bug Tracker Plugins" in the user guide).  
Changes to the About Fortify Software Security Center Box  
The Configuration section of the ADMINISTRATION view now includes the About page, from  
which you configure the SUPPORT link in the About box. For information about how to change  
the SUPPORT link, see "Customizing the Fortify Software Security Center About Box" in the user  
guide.  
Changes to SAML SSO Configuration  
The procedure used to configure Fortify Software Security Center to work with SAML SSO has  
changed (see "Configuring Fortify Software Security Center to Work with SAML 2.0-Compliant  
Single Sign-On Solutions" in the user guide)  
Micro Focus Fortify Software (22.2.0)  
Page 2 of 30  
Preventing LDAP Refresh on Startup / Enabling Persisted Cached LDAP Data  
Previously, the LDAP data resided in in-memory cache and was lost at server shutdown. Now,  
you can enable the cached data to persist after shutdown, so that restarting Fortify Software  
Security Center is much faster, especially for large LDAP environments. For more information,  
see "Enabling Persistence of the LDAP Cache" in the user guide.  
Updated Kubernetes Support  
l
Support for Kubernetes 1.23 and 1.24  
l
Support for Helm 3.9  
Micro Focus Fortify ScanCentral SAST  
The following features have been added to Fortify ScanCentral SAST.  
Support for Packaging Java 8 Projects  
If you have a Java 8 project that fails to build because ScanCentral SAST requires Java 11 to  
run, you can set the new SCANCENTRAL_JAVA_HOME environment variable to point Java 11.  
After you do, ScanCentral SAST runs correctly, and the build runs successfully with JAVA_HOME  
set to Java 8 for the project build.  
Upgrade of the Internal H2 Database Engine  
The internal H2 database for Fortify ScanCentral SAST was upgraded. As a result, you must run  
an associated migration script. For details, see "Upgrading the ScanCentral SAST Controller" in  
the Micro Focus Fortify ScanCentral SAST Installation, Configuration, and Usage Guide.  
Improved Method for Excluding Files From Scans When Using ScanCentral SAST to  
Package Projects  
Previously, Gradle, Maven, and MSBuild integration relied on internal build procedure logic to  
collect files. The only way to exclude files was either to exclude them from the build file, or use  
an additional translation argument (-targs"-exclude...,"), which required that you knew  
where the file was to be saved in the ScanCentral SAST working directory.  
You can now use the -exclude option directly from the ScanCentral SAST command line to  
exclude some files from scans for the Maven, Gradle, MSBuild build tools, and for -bt none. For  
details see "Package Command" in the Micro Focus Fortify ScanCentral SAST Installation,  
Configuration, and Usage Guide.  
Configuring the Name of FPR Files Uploaded to Fortify Software Security Center  
The FPR files uploaded to Fortify Software Security Center are named scan.fpr. You can now use  
the -fprssc option specify the name to use for generated FPR files uploaded to Fortify Software  
Security Center. For details, see "Submitting Scan Requests and Uploading Results to Fortify  
Software Security Center" in the Micro Focus Fortify ScanCentral SAST Installation,  
Configuration, and Usage Guide.  
Micro Focus Fortify Software (22.2.0)  
Page 3 of 30  
Packaging Projects with File Paths that Contain an Umlaut  
Previously, packaging failed if a file name or file path for a project included an umlaut character.  
Now, you can prevent such failures by adding a new property to the fortify-sca.properties file.  
For details, see the cautionary note in "Package Command" in the Micro Focus Fortify  
ScanCentral SAST Installation, Configuration, and Usage Guide.  
Configuring a Proxy for ScanCentral SAST Clients  
If your outbound traffic must go through a proxy, you can now add a proxy configuration for  
that purpose. For details, see "Configuring Proxies for Fortify ScanCentral SAST Clients " in the  
Micro Focus Fortify ScanCentral SAST Installation, Configuration, and Usage Guide.  
(Fortify on Demand only) New Option for Packaging Files for Debricked  
The new -oss packaging option enables you to package additional files that Debricked requires  
for its scans. See "Package Command" in the Micro Focus Fortify ScanCentral SAST Installation,  
Configuration, and Usage Guide.  
Micro Focus Fortify Static Code Analyzer  
The following features have been added to Fortify Static Code Analyzer.  
Operating System Updates  
Fortify added support for the following operating systems and versions:  
l
macOS 12 Apple silicon  
l
Ubuntu 22.04.1 LTS  
Compiler Updates  
Fortify added support for the following compiler versions:  
l
Clang 14.0.0  
l
Swiftc 5.7  
Build Tool Updates  
Fortify added support for the following build tool versions:  
l
Xcodebuild 14 and 14.0.1  
Micro Focus Fortify Software (22.2.0)  
Page 4 of 30  
Language and Framework Updates  
l
COBOL  
IBM Enterprise COBOL for zOS 6.2 and 6.3  
Micro Focus Visual COBOL 7.0 and 8.0  
l
Apex 55  
l
Kotlin 1.6  
l
PHP 8.1  
l
TypeScript / JavaScript  
React 17.0  
React Native .68  
Vue 2  
Note: Rules for Vue 2 will be part of the Fortify Software Security Content 2022 R4 release.  
Micro Focus Fortify Static Code Analyzer Tools  
The following features have been added to Fortify Static Code Analyzer tools.  
Fortify Analysis Plugin for IntelliJ and Android Studio  
The Fortify Analysis Plugin for IntelliJ IDEA and Android Studio now supports:  
l
IntelliJ 2022.2  
l
Android Studio 2021.3  
Eclipse Support  
The Fortify Eclipse Complete Plugin now supports Eclipse 2022-06 and 2022-09.  
Updated CWE Top 2022 Report  
Updated to incorporate content from the Fortify Software Security Content 2022 Update 3.  
Updated Custom Rules Editor  
Includes the following generic and category-specific templates for generating custom  
Configuration, Regex, and Infrastructure as Code (IaC) rules:  
l
Configuration Rule for PropertyMatch  
l
Configuration Rule for XPathMatch  
l
Docker Bad Practices: Untrusted Base Image in Use  
l
Credential Management: Hardcoded API Credential  
l
Regex Rule for ContentRegex  
l
Regex Rule for FileNameRegex  
Micro Focus Fortify Software (22.2.0)  
Page 5 of 30  
l
l
l
l
l
l
Regex Rule for FileNameRegex and ContentRegex  
Structural Rule for Cloud Configuration in Nested Objects  
Structural Rule for Cloud Configuration in Single Object  
Structural Rule for Terraform Configuration in Nested Blocks  
Structural Rule for Terraform Configuration in Single Block  
Terraform Bad Practices: Untrusted Module in Use  
Additional language support:  
l
Apex  
l
Go  
l
HCL  
l
JavaScript/TypeScript  
l
JSON  
l
Kotlin  
l
PHP  
l
Python  
l
YAML  
Additional configuration file type support:  
l
configuration  
l
docker  
l
xml  
Micro Focus Fortify ScanCentral DAST  
The following features have been added to Fortify ScanCentral DAST  
GraphQL Native Support  
ScanCentral DAST now supports scanning GraphQL natively. A Postman collection or workflow  
is no longer required to get a comprehensive GraphQL scan.  
gRPC Scanning  
ScanCentral DAST has added support for gRPC scanning. This popular server-to-server  
framework can now be scanned for security vulnerabilities.  
SOAP Service Scanning  
ScanCentral DAST now supports scanning SOAP services.  
Engine 7.1 Updates  
Micro Focus Fortify Software (22.2.0)  
Page 6 of 30  
Fortify continues to enhance its engines to improve scan coverage and performance.  
ScanCentral DAST 22.2.0 provides a faster crawl and audit and better application support from  
the Web Macro Recorder with Macro Engine 7.1.  
Linux Version  
The ScanCentral DAST core components and sensor are now available on a lightweight Linux  
container. This new Linux option provides enhanced support for automation and sensor auto  
scaling.  
Sensor Auto Scaling  
ScanCentral DAST provides optional sensor auto scaling in Kubernetes that automatically starts  
the sensor container, runs the scan, and shuts down the container upon completion.  
Micro Focus Fortify WebInspect  
The following features have been added to Fortify WebInspect.  
GraphQL Native Support  
WebInspect now supports scanning GraphQL natively. A Postman collection or workflow is no  
longer required to get a comprehensive GraphQL scan.  
gRPC Scanning  
WebInspect has added support for gRPC scanning. This popular server-to-server framework can  
now be scanned for security vulnerabilities.  
Engine 7.1 Updates  
Fortify continues to enhance its engines to improve scan coverage and performance.  
WebInspect 22.2.0 provides a faster crawl and audit, and better application support from the  
Web Macro Recorder with Macro Engine 7.1.  
Linux Version  
WebInspect is now available on a lightweight Linux container. This containerized version of  
WebInspect is a great option for automation scenarios when WebInspect is used through its API.  
Updated SOAP Scanning  
WebInspect will be deprecating its older SOAP scanning option through the Web Service Test  
Designer tool. In preparation, a new mechanism to scan SOAP applications is available through  
the API scanning option.  
Micro Focus Fortify Software (22.2.0)  
Page 7 of 30  
Contact Micro Focus Fortify Customer Support  
If you have questions or comments about using this product, contact Micro Focus Fortify  
Customer Support using one of the following options.  
To Manage Your Support Cases, Acquire Licenses, and Manage Your Account  
https://www.microfocus.com/support  
For More Information  
For more information about Fortify software products:  
https://www.microfocus.com/solutions/application-security  
Micro Focus Fortify Software (22.2.0)  
Page 8 of 30  
What’s New in Micro Focus Fortify  
Software 22.1.0  
June 2022  
This release of Micro Focus Fortify Software includes the following new functions and features.  
Micro Focus Fortify Software Security Center  
The following features have been added to Fortify Software Security Center.  
Issue Correlation Details  
If you have correlated issues in an application version, you can use the heading for the  
correlated issues icon ( ) to sort listed issues based on whether or not they are correlated  
with other issues (see "Viewing Correlated Issues on the AUDIT Page" in the Fortify Software  
Security Center User Guide). You can also selectively list the issues with which a given issue is  
correlated (see "Auditing Correlated Issues" in the Fortify Software Security Center User Guide).  
Targeted Rulepack Downloads  
Previously, Fortify Software Security Center ignored the clientType parameter in Rulepack  
update requests. As a result, Rulepack clients received all Rulepacks available (both Fortify  
Static Code Analyzer and Fortify Security Assistant Rulepacks). Now, Fortify Software Security  
Center takes the clientType parameter into account for Rulepack update requests. For details,  
see "Updating Rulepacks from the Micro Focus Fortify Update Server" in the Fortify Software  
Security Center User Guide.  
Micro Focus Fortify Software (22.2.0)  
Page 9 of 30  
Updated Processing Rule: Ignore SCA Scans Performed in Quick Scan Mode  
The processing rule for ignoring Fortify Static Code Analyzer scans performed in quick scan  
mode now also prevents the upload of Fortify Static Code Analyzer speed dial results performed  
with a setting of less than four. For details, see "Setting Analysis Results Processing Rules for  
Application Versions" in the Fortify Software Security Center User Guide.  
Report Maintenance: New "Days to Preserve" Option  
On the Scheduler page, the Days to preserve option was added in a new Reports maintenance  
section. This option enables you to specify the number of days Fortify Software Security Center  
retains generated reports. For more information, see "Configuring Job Scheduler Settings in the  
Fortify Software Security Center User Guide.  
Pausing Job Execution  
You can now control job execution by pausing (and then resuming) it using the Pause job  
execution option located on the Maintenance page (ADMINISTRATION > Maintenance). After  
you pause job execution, jobs (artifact processing, report generation, data export requests, and  
so on) that are currently running continue to completion. Any new jobs submitted are queued  
for processing once the Pause job execution check box is cleared and normal processing  
resumes. For more detail, see "Pausing and Resuming Job Execution" in the Fortify Software  
Security Center User Guide.  
Requiring Comments for Specific Custom Tag Values  
Administrators can now require comments for custom tags. When the "Require Comments"  
setting is checked, any changes to the custom tag will cause an additional comment box to  
appear for the custom tag and the Save button will be disabled until a comment is entered. For  
details, see "Adding Custom Tags to the System" in the Fortify Software Security Center User  
Guide.  
Expanded Issue Counts  
Previously, you could display 20, 50, or 100 issues at a time on the AUDIT page. Now, you can  
display up to 150 or 200 issues per page.  
Kubernetes Updates  
l
Added support for Kubernetes 1.22  
l
Added support for Helm 3.8  
Micro Focus Fortify Software (22.2.0)  
Page 10 of 30  
Micro Focus Fortify ScanCentral SAST  
The following features have been added to Fortify ScanCentral SAST.  
Kotlin for Android Support  
You can now use the ScanCentral Client to package Kotlin for Android projects for remote  
translation using Gradle integration (-bt gradle).  
New Command to Update ScanCentral Client  
Using the new update command, you can update ScanCentral Client to the latest version on  
the ScanCentral Controller.  
Get SSC Artifact Processing State Using Job Token  
Using the status command, ScanCentral Client can retrieve the processing state of a job that  
uploaded the FPR to SSC.  
Build Tool Updates  
• Gradle 7.3  
• MSBuild 14.0, 17.0, 17.1, and 17.2  
Support for Multiple Client Versions on the Controller for Auto-Update  
The Auto-Update feature now supports multiple versions of clients. Sensors and embedded  
clients will be updated by the versions available in the Controller, rather than the version of the  
Controller.  
Micro Focus Fortify Static Code Analyzer  
The following features have been added to Fortify Static Code Analyzer.  
Operating System Updates  
Fortify added support for the following operating systems and versions:  
l
macOS 12  
l
Windows 11  
Compiler Updates  
Fortify added support for the following compiler versions:  
l
Clang 13.1.6  
l
OpenJDK javac 17  
l
Swiftc 5.6  
l
cl (MSVC) 2015 and 2022  
Micro Focus Fortify Software (22.2.0)  
Page 11 of 30  
Build Tool Updates  
Fortify added support for the following build tool versions:  
l
Gradle 7.4.x  
l
MSBuild 14.0, 17.0, 17.1 and 17.2  
l
Xcodebuild 13.3 and 13.3.1  
Language and Framework Updates  
l
C# 10  
l
.NET 6.0  
l
C/C++ 20  
l
HCL 2.0  
l
Java 17  
l
TypeScript 4.4 and 4.5  
Note: Rules for Terraform and Google Cloud Platform will be part of the Fortify Software  
Security Content 2022 R2 release.  
Micro Focus Fortify Static Code Analyzer Tools  
The following features have been added to Fortify Static Code Analyzer tools.  
Visual Studio 2022 Support  
The Fortify Extension for Visual Studio now supports Visual Studio 2022.  
IntelliJ 2021.x Support  
The Fortify Analysis Plugin for IntelliJ now supports IntelliJ 2021.x to 2021.3.  
Import Standard Fortify Rulepacks from Filesystem  
Use the Options menu in Fortify Audit Workbench, Fortify Eclipse Complete Plugin, and Fortify  
Extension for Visual Studio to import Fortify Rulepacks downloaded from the Customer Portal.  
Compare LOC of Scanned Files Between Two FPRs  
View LOC counts of analyzed files in an FPR (-loc) or compare LOC counts between two FPRs  
using FPRUtility (-loc, -compareTo).  
Configurable Timeout for fortifyupdate  
Configure the socket timeout for fortifyupdate using the  
rulepackupdate.SocketReadTimeoutSeconds property in the server.properties file.  
The default value is 180.  
Micro Focus Fortify Software (22.2.0)  
Page 12 of 30  
New Search Modifier: shortfilename  
In Fortify Audit Workbench and the Fortify Plugins for Eclipse, you can use shortfilename as  
a search modifier in Issue Templates to filter or hide issues that match the file name. For full  
path matches, continue to use the file search modifier.  
New OWASP Top 10 2021 Report  
Generate new OWASP Top 10 Report (2021) from the following tools:  
• Fortify Audit Workbench  
• Fortify Extension for Visual Studio  
• Fortify Remediation Plugin for Eclipse  
• BIRTReportGenerator  
Micro Focus Fortify ScanCentral DAST  
The following features have been added to Fortify ScanCentral DAST  
User Configuration Restrictions  
l
New permissions allow you to bar scanning of specific domains or IP addresses.  
l
New Modify User permission required to allow user to modify a scan. A user who does not  
have this permission can only configure a scan URL, login macro, workflow macros, and  
network credentials. With this limited role, users can start scans, create scans from base  
settings, and view settings but not change them.  
PostgresSQL Support  
l
Support for use of a PostgresSQL database.  
Scan Import  
l
Import Scans into ScanCentral PostgresSQL database from Fortify WebInspect or Fortify  
WebInspect Enterprise.  
Automated Deployment (Infrastructure as Code)  
l
Support for the fully automated deployment of ScanCentral DAST.  
Rescan Button  
l
The Rescan button allows you to rescan and existing scan.  
Micro Focus Fortify Software (22.2.0)  
Page 13 of 30  
Micro Focus Fortify WebInspect  
The following features have been added to Fortify WebInspect.  
Support for HAR Files  
Scanning with workflow macros ensures that important content is covered in a scan. WebInspect  
can now use HAR files for workflow scanning.  
Out-of-Band Testing  
WebInspect can now test for a new class of vulnerabilities called Out-of-Band or OAST  
vulnerabilities. Using the public Fortify OAST server, WebInspect can detect OAST  
vulnerabilities such as Log4Shell.  
Engine 7.0 Updates  
Fortify continues to enhance its engines to improve scan coverage and performance.  
WebInspect 22.1.0 provides a faster crawl and audit, and better application support from the  
Web Macro Recorder with Macro Engine 7.0.  
MS SQL AD Authentication Support  
WebInspect 22.1.0 can now use a MS SQL Database using AD Authentication.  
Windows 11 Support  
WebInspect 22.1.0 is now supported on the Windows 11 operating system.  
Azure SQL Database Support  
WebInspect 22.1.0 can now use an Azure SQL Database for storing scan data.  
Sensor Support for Fortify WebInspect Enterprise 21.2.0  
WebInspect 22.1.0 can be configured as a sensor for Fortify WebInspect 21.2.0.  
What’s New in Micro Focus Fortify  
Software 21.2.0  
November 2021  
This release of Micro Focus Fortify Software includes the following new functions and features.  
Micro Focus Fortify Software (22.2.0)  
Page 14 of 30  
Micro Focus Fortify Software Security Center  
The following features have been added to Fortify Software Security Center.  
Static/Dynamic Issue Correlation Indicator  
l
In this release we introduce the static/dynamic issue correlation indicator. After static and  
dynamic scans are run on an application version and the results have been uploaded to  
Fortify Software Security Center, issues that were uncovered by both static and dynamic  
scans are tagged with the correlation ( ) indicator on the AUDIT page.  
ScanCentral SAST Controller Updates  
l
You can now place the ScanCentral SAST Controller into maintenance mode which prevents  
scans that are running on the sensor from losing data.  
l
You can shut down ScanCentral SAST Controller sensors individually or in a batch.  
ScanCentral DAST Scans Support  
l
The Scans feature now includes both static and dynamic scan results  
New Premium Quarterly Reports  
l
PCI SSF (Software Security Framework) 1.2 report  
l
CWE Top 25 report  
LDAP Update  
l
You can now configure Fortify Software Security Center to invalidate tokens created by users  
who have been disabled in LDAP  
Java 11 Deployment  
l
Software Security Center can be deployed in a Java 11 (or higher) environment  
Kubernetes Updates  
l
Added support for Kubernetes 1.21  
l
Added support for Helm 3.6 and 3.7  
Micro Focus Fortify ScanCentral SAST  
The following features have been added to Fortify ScanCentral SAST.  
Support for the Fortify License and Infrastructure Manager  
l
You can now centrally manage your Fortify ScanCentral SAST licenses through the Fortify  
License and Infrastructure Manager.  
MSBuild Integration Update  
Micro Focus Fortify Software (22.2.0)  
Page 15 of 30  
l
With the 21.1.0 release of Fortify Static Code Analyzer, MSBuild integration was updated with  
support for .NET 5 and other new features. Fortify ScanCentral SAST now supports this new  
MSBuild integration functionality.  
Go Language Support  
l
Added support for Go version 1.17.  
Graceful Shutdown and Timer Support  
l
When shutting down Fortify ScanCentral SAST, the controller allows currently running scans  
to complete while keeping other scans from starting. Once the controller is running again, it  
will run the scans in the queue. In addition, a timeout can be set for long running scans that  
will cancel the scan if breached and free the sensor to pick up a new scan request.  
Sensor Pool Assignment Improvement  
l
When starting up a sensor, you can assign it to a specific sensor pool without having to use  
the Fortify Software Security Center UI.  
Micro Focus Fortify Static Code Analyzer  
The following features have been added to Fortify Static Code Analyzer.  
Fortify License and Infrastructure Manager  
l
For customers that use Fortify under the Concurrent Scanning license model, Fortify Static  
Code Analyzer can now use the Fortify License and Infrastructure Manager to obtain a license  
key rather than the traditional fortify.license file. This enables the correct sharing of the  
Fortify Scan Machine license metric between Fortify Static Code Analyzer and WebInspect  
instances. The option to use the traditional fortify.license file is still available.  
Regular Expression (regex) Analysis  
l
The Fortify Static Code Analyzer Configuration analyzer can now detect vulnerabilities in file  
names and content using RegEx-based rules.  
Operating System Updates  
Fortify added support for the following operating systems and versions:  
l
IBM AIX 7.1  
l
Oracle Solaris SPARC 11.3  
l
Oracle Solaris x64 11.4  
l
Windows Server 2022  
Compiler Updates  
Fortify added support for the following compiler versions:  
l
gcc 10.2.1  
l
g++ 10.2.1  
l
Swiftc 5.4.2  
Micro Focus Fortify Software (22.2.0)  
Page 16 of 30  
Build Tool Updates  
Fortify added support for the following build tool versions:  
l
Gradle 7.2  
l
Maven 3.8.2  
l
MSBuild 16.11  
l
Xcodebuild 12.5.1  
C++ Updates  
l
Added support for gcc on Macintosh  
l
Added support for gcc version 10.2.1  
l
Added support for C++ 14 and 17  
JavaScript Improvements  
l
Added support for ECMAScript 2021  
l
Added support for TypeScript 4.2 - 4.3  
l
Made Type inference improvements  
l
Added support for SAPUI5/OpenUI5  
l
Minified JS excluded from scan by default  
Go Language Update  
l
Added support for Go 1.17  
YAML Support  
l
Added support for translating YAML code  
Kotlin Update  
l
Added support for Kotlin 1.5  
PHP  
l
Completed support for PHP 8  
Scala  
l
Eliminated the need for a separate license from Lightbend for Scala translations. A license  
key is still required to run the plugin. The key is now included in the Fortify distribution.  
Configuration Scanning  
l
JSON scanning enabled by default  
l
Added YAML scanning  
Micro Focus Fortify Static Code Analyzer Tools  
The following features have been added to Fortify Static Code Analyzer Tools.  
ScanCentral SAST Support  
Micro Focus Fortify Software (22.2.0)  
Page 17 of 30  
l
l
Added Remote Translation capability to Fortify Scan Wizard, and the Fortify Eclipse Plugins  
Added ability to configure Fortify ScanCentral SAST and launch local and remote translations  
and scans from the Fortify Eclipse Complete Plugin running an advanced analysis.  
New PCI SSF Report  
Generate new PCI SSF Report (version 1.2) from the following tools:  
l
Fortify Audit Workbench  
l
Fortify Visual Studio Extension  
l
Fortify Eclipse Plugins (Complete and Remediation)  
l
BIRTReportGenerator  
Micro Focus Fortify ScanCentral DAST  
The following features have been added to Fortify ScanCentral DAST.  
Correlated Issues  
l
ScanCentral DAST can now uncover correlations between DAST and SAST results and  
forward the information to Fortify Software Security Center. Correlated results are displayed  
in the Fortify Software Security Center AUDIT View.  
Scan Visualization Update  
l
Selected scan visualizations can be opened in a new browser tab rather than using Site  
Explorer.  
Client-Side Certificate Support  
l
Upload a certificate and password for use when running a scan. If a scan requires the  
certificate, ScanCentral DAST will download and install it.  
l
Enable Redundant Page Detection and use it when running a scan.  
Scan Priority Level  
l
All scans can be assigned a priority level.  
l
When a scan is queued because there isn't a free sensor and a scan with a lower priority is  
running, the lower-priority scan will be shut down so the scan with the higher priority can run.  
The scan with the lower priority will restart when a sensor becomes available.  
Azure SQL Support  
l
The ScanCentral DAST Configuration Tool now supports Azure SQL and Azure Managed  
SQL.  
l
The ScanCentral DAST container now supports Azure SQL and Azure Managed SQL.  
Micro Focus Fortify Software (22.2.0)  
Page 18 of 30  
Micro Focus Fortify WebInspect  
The following features have been added to Fortify WebInspect.  
API Discovery  
With the new API Discovery, any Swagger or OpenAPI schema detected during a scan will have  
its endpoints added to the existing scan and authentication will be applied to the endpoints with  
our automatic state detection. In addition, probes will be sent to default locations of popular API  
frameworks to discover schemas.  
Two-factor Authentication  
Two-factor Authentication is a common requirement in enterprises and can be a burden to the  
security tester to get a bypass or to manually scan. WebInspect now offers the ability to  
automate Two-factor Authentication scans. This is accomplished by installing a lightweight  
Android app onto a phone or emulator that can capture SMS and Email tokens and pass them  
back to the scanner for authentication. Once configured, there is no need for user interaction.  
Automatic State Detection  
WebInspect now automatically detects and configures state for Oauth, JWT, and Bearer Tokens  
during a scan.  
Engine 6.1 Updates  
Fortify continues to enhance its engines to improve scan coverage and performance.  
WebInspect 21.2.0 provides a faster crawl and audit, and better application support from the  
Web Macro Recorder with Macro Engine 6.1.  
Improved DOM XSS Detection  
WebInspect 21.2.0 has new DOM XSS detection capabilities for analyzing client-side code for  
XSS. This will allow for improved XSS attack performance and the ability to detect client-side  
only attacks, such as XSS in DOM fragments.  
Web Fuzzer Tool  
The Web Fuzzer Tool lets you run Fuzzing tests that submit random or sequential data to  
various areas of an application to uncover security vulnerabilities. For example, when searching  
for buffer overflows, a tester can generate data of various sizes and send it to one of the  
application entry points to observe how the application handles it.  
Micro Focus Fortify WebInspect Enterprise  
The following features have been added to the Fortify WebInspect sensor used in WebInspect  
Enterprise.  
Note: WebInspect Enterprise 21.2.0 is scheduled for release in the latter half of December 2021.  
Micro Focus Fortify Software (22.2.0)  
Page 19 of 30  
API Discovery  
With the new API Discovery function in WebInspect, any Swagger or OpenAPI schema detected  
during a scan will have its endpoints added to the existing scan and authentication will be  
applied to the endpoints with our automatic state detection. In addition, probes will be sent to  
default locations of popular API frameworks to discover schemas.  
Automatic State Detection  
WebInspect now automatically detects and configures state for Oauth, JWT, and Bearer Tokens  
during a scan.  
Engine 6.1 Updates  
Fortify continues to enhance its engines to improve scan coverage and performance.  
WebInspect 21.2.0 provides a faster crawl and audit, and better application support from the  
Web Macro Recorder with Macro Engine 6.1.  
Improved DOM XSS Detection  
WebInspect 21.2.0 has new DOM XSS detection capabilities for analyzing client-side code for  
XSS. This will allow for improved XSS attack performance and the ability to detect client-side  
only attacks, such as XSS in DOM fragments.  
Micro Focus Fortify Software (22.2.0)  
Page 20 of 30  
Micro Focus Fortify Software (22.2.0)  
Page 21 of 30  
What’s New in Micro Focus Fortify  
Software 21.1.0  
July 2021  
This release of Micro Focus Fortify Software includes the following new functions and features.  
Micro Focus Fortify Software Security Center  
The following features have been added to Fortify Software Security Center.  
Oracle: JDBC Driver Requirement  
If you use Oracle as your Fortify Software Security Center database, you no longer need to  
manually add the JDBC driver. The installer now includes the JDBC Thin Driver (ojdbc8.jar).  
Autoconfigure Update  
You no longer need to provide db.driver.class, db.dialect, or  
db.like.specialCharacters to deploy SSC using autoconfiguration (<app_  
context>.autoconfig file). Deployment works for all databases if you provide values for  
db.username, db.password, and jdbc.url only.  
Required Attribute Alert  
If an administrator creates a new required attribute, Fortify Software Security Center alerts you  
to the addition so that you can specify a value for it in an application version.  
Export Open Source Results  
You can now export your open source data to a comma-separated file.  
DENY Button for Artifacts  
There is now a DENY button for artifacts that require approval but were uploaded by mistake.  
The denied results will not be merged with the application version but can be retained as part of  
the record.  
New Reports  
The premium report bundle now includes three new issue reports:  
l
DISA STIG 5.1  
l
NIST 800-53 Revision 5 (Accessed through the FISMA Compliance: FIPS-200 report  
template)  
Micro Focus Fortify Software (22.2.0)  
Page 22 of 30  
l
CWE Top 25 2020  
StartTLS Support for LDAP  
StartTLS is now supported as a connection method to LDAP servers.  
Enhanced Issue Filtering  
Issue filtering from the OVERVIEW and AUDIT pages now includes enhancements.  
You can now filter issues based on their category.  
Kubernetes Support  
l
Added support for Kubernetes version 1.20.  
l
Added support for versions 3.4 and 3.5 of the Helm command-line tool.  
Service Integrations Support  
l
Added support for Azure DevOps Server 2020  
Micro Focus Fortify ScanCentral SAST  
Improved Job Processing Messages  
Previously, when a job was assigned to a sensor, the Controller sent the email message  
"ScanCentral job request accepted." After the job was completed, the Controller sent the email  
message "ScanCentral job completed."  
Now, when the Controller accepts a job, it sends the email message "ScanCentral job request  
accepted." After the job is assigned to a sensor, the Controller sends the email message  
Micro Focus Fortify Software (22.2.0)  
Page 23 of 30  
"ScanCentral job request assigned." Finally, after the job is completed, the Controller sends the  
email message "ScanCentral job completed."  
New -debug Option  
The -debug option, which enables debug logging on clients and sensors, was added in this  
release.  
-upload Option Required for Scans When Fortify Software Security Center is in Lockdown  
Mode  
Previously, if Fortify Software Security Center was in lockdown mode, you could run a scan even  
if you failed to specify the -upload option in the ScanCentral command. The results shown for  
the scan on the SCANCENTRAL > SAST tab in Fortify Software Security Center left out the  
application version and the scan was not uploaded. Now, if Fortify Software Security Center is in  
lockdown mode, and you try to start a scan without using the -upload option, client execution  
fails with an error.  
Improved Sensor Cleanup  
Now, the clean-up process on a sensor machine invokes the sourceanalyzer -clean  
command to remove Fortify Static Code Analyzer internal files related to the job.  
Maven Remote Translation  
You can now specify custom settings files for Maven remote translation.  
New Email Properties  
Two new properties in the config.properties file allow you to specify which outgoing email  
domains to use for outgoing emails and which domains are disallowed.  
Micro Focus Fortify Software (22.2.0)  
Page 24 of 30  
Micro Focus Fortify Static Code Analyzer  
The following features have been added to Fortify Static Code Analyzer.  
.NET  
Added support for the following languages and frameworks:  
l
.NET 5.0  
l
C# 9  
l
ASP.NET Blazor  
To improve MSBuild integration, the custom msbuild executable and its assemblies were  
replaced by a Fortify-specific .targets file and task assemblies. These changes favorably impact  
translations under MSBuild Integration performed by the system’s MSBuild tool.  
MSBuild Support Update  
Added support for version 16.8 and 16.9.  
Go  
l
Added support for Go versions 1.15 and 1.16.  
l
Added support for the GOPROXY environment variable.  
Java  
l
Updated JSP translation produces fewer false positives  
l
Improved bytecode analysis  
JavaScript  
Added support for the following languages and frameworks:  
l
TypeScript 4.1  
l
Angular 10 and 11  
Kotlin  
Added support for Kotlin 1.4.20.  
PHP  
Added support for PHP 7.2, 7.3, 7.4, and 8.0.  
Python  
Added support for the following languages and frameworks:  
l
Python 3.9  
l
Django 3.1  
Micro Focus Fortify Software (22.2.0)  
Page 25 of 30  
Swift/Obj-C  
Added support for Xcode 12.4.  
Operating Systems (Linux)  
Added support for the following Linux servers:  
l
SUSE Linux Enterprise Server 15.  
l
Red Hat Enterprise Linux 8.2.  
l
CentOS Linux 7.6-1810 and 8.2-2004.  
l
Ubuntu 20.04.1 LTS.  
Micro Focus Visual COBOL (Technology Preview)  
Added support for Micro Focus Visual COBOL 6.0.  
C/C++ (Technology Preview)  
Improved support for constructs in C++11 using new Clang-based translation.  
Speed Dial (Technology Preview)  
l
Added level 3 and 4 support.  
l
Improved intermediate development scan speeds by up to 50% (with a reduction in reported  
issues).  
l
Reduced scan time for typed languages such as Java and C/C++.  
l
Level 4 support provides a full scan.  
Micro Focus Fortify Static Code Analyzer Tools  
The following features have been added to Fortify Static Code Analyzer Tools.  
ScanCentral SAST Support in Secure Code Plugins  
l
ScanCentral SAST support added to Eclipse Complete Plugin, IntelliJ Analysis Plugin, and  
Visual Studio Extension.  
l
You can now submit ScanCentral SAST scan requests from the plugins.  
l
Added support for both local translation (send MBS file for scan phase) and remote  
translation (send package for both translation and scan phases).  
Java 11 Runtime Support  
l
All tools and secure code plugins can be run in a Java 11 runtime environment.  
Syntax Highlighting for Additional Languages in Audit Workbench  
l
Adds syntax highlighting for the following languages: ABAP, Apex, ASP, C# and ASP.NET,  
COBOL, Cold Fusion, Go, Kotlin, Objective C, PHP, Python, Ruby, Scala, Swift, VB.NET, Visual  
Basic 6.0 and configuration files.  
Micro Focus Fortify Software (22.2.0)  
Page 26 of 30  
Improved Merge Behavior in Visual Studio Extension  
l
Adds the ability to choose to merge with or overwrite a previous scan result.  
l
If an issue template is specified for the scan (configured as default or via additional scan  
option), the issue template from the new scan will be saved in the merged FPR.  
l
Set the merge option in Fortify > Options > Project Configuration > Advanced Scan  
Options. Select or clear the Merge with Previous Scan checkbox.  
New Versions of Reports  
l
DISA STIG 5.1  
l
NIST 800-53 Revision 5  
l
CWE Top 25 2020  
These can be generated from Fortify Audit Workbench, the secure code plugins, and the  
BIRTReportGenerator command-line interface.  
Updated IDE Support  
l
Added support for Eclipse versions 2020-x and 2021-x in Micro Focus Fortify Plugins for  
Eclipse.  
l
Added support for Eclipse version 2021-x in Micro Focus Fortify Security Assistant Plugin for  
Eclipse.  
l
Added support for versions 4.x of Android Studio in Micro Focus Fortify Plugins for JetBrains  
IDEs and Android Studio.  
Service Integrations  
l
Added support for Azure DevOps Server 2020.  
Micro Focus Fortify ScanCentral DAST  
The following features have been added to Fortify ScanCentral DAST.  
Functional Application Security Testing (FAST)  
FAST provides a CI/CD-friendly way to capture traffic from functional tests and send it to  
ScanCentral DAST for targeted DAST scanning.  
API Scanning with Postman  
In 21.1.0, ScanCentral DAST continues to simplify API scanning with its Postman integration. A  
new workflow in the WebInspect sensor automatically detects the authentication requests and  
excludes them from attack by default. There are also improvements to Oauth2.0 support.  
Micro Focus Fortify Software (22.2.0)  
Page 27 of 30  
Hacker Level Insights  
Hacker Level Insights is a new framework that exposes those insights about an application that  
are interesting from a security perspective, but not necessarily a vulnerability. Detection of  
JavaScript client-side frameworks is included in 21.1.0.  
Data Retention Policies  
Configuring data retention policies at the application or scan level allows automatic purging of  
stale data to support ScanCentral DAST database maintenance and system performance in high  
usage environments.  
Deny Intervals  
ScanCentral DAST supports application and scan-level deny intervals when currently running  
scans are paused or forced to complete, and new scans do not start.  
Base Settings  
Base Settings provide ScanCentral DAST administrators the ability to apply scan setting  
templates across all applications or specific applications.  
Policy Import  
ScanCentral DAST supports using custom policies at both the application level and scan level.  
Alerting  
A messaging framework displays information about the quality and performance of scans in  
progress.  
SiteExplorer Download  
A link is provided in ScanCentral DAST to download SiteExplorer for visualization of a scan.  
Horizontal Scaling (Technology Preview)  
Horizontal scaling of sensor script engines provides dramatically faster scanning.  
Micro Focus Fortify WebInspect  
The following features have been added to Fortify WebInspect.  
HTTP/2 Support  
Modern applications have begun leveraging HTTP/2 to improve the user experience with  
improved speed and more efficient client/server communication. WebInspect now supports  
applications that use HTTP/2 technology.  
API Scanning with Postman  
WebInspect continues to simplify API scanning with its Postman integration. A new workflow in  
the sensor automatically detects the authentication requests and excludes them from attack by  
default. There are also improvements to Oauth2.0 support.  
Micro Focus Fortify Software (22.2.0)  
Page 28 of 30  
Hacker Level Insights  
Hacker Level Insights is a new framework that exposes those insights about an application that  
are interesting from a security perspective but may not necessarily be a vulnerability. Detection  
of JavaScript client-side frameworks is included in 21.1.0.  
Engine 6.0 Updates  
Fortify continues to enhance its engines to improve scan coverage and performance.  
WebInspect 21.1.0 provides a faster crawl and audit, and better application support from the  
Web Macro Recorder with Macro Engine 6.0.  
Masked Parameters in TruClient  
The Web Macro Recorder with Macro Engine 6.0 allows values for parameters such as password  
to be masked so they are hidden from view.  
Simplified User Agent Selection  
Selection of a User Agent in settings during scan configuration is now applied to both TruClient  
macros and the scan settings.  
Alerting  
Alert-level scan log messages provide information about the quality and performance of scans  
in progress.  
OpenSSL  
The OpenSSL technical preview is now the default SSL/TLS implementation in WebInspect. This  
integration provides support for TLS 1.3, and provides an option for customers whose system  
administrators may be restricting the Microsoft SCHANNEL stack.  
Micro Focus Fortify WebInspect Enterprise  
The following features have been added to Fortify WebInspect Enterprise.  
Engine 6.0 Updates  
Fortify continues to enhance its engines to improve scan coverage and performance.  
WebInspect 21.1.0 provides a faster crawl and audit, and better application support from the  
Web Macro Recorder with Macro Engine 6.0.  
Masked Parameter in TruClient  
The Web Macro Recorder with Macro Engine 6.0 allows values for parameters such as password  
to be masked so they are hidden from view.  
Simplified User Agent Selection  
Selection of a User Agent in Advanced Settings during scan configuration are now applied to  
both TruClient macros and the scan settings.  
Micro Focus Fortify Software (22.2.0)  
Page 29 of 30  
Micro Focus Fortify Software (22.2.0)  
Page 30 of 30