Fortify Software  
Document Release Date: May 2024  
What’s New in Fortify Software 24.2.0  
May 2024  
This release of Fortify Software includes the following new functions and features.  
Fortify Software Security Center  
The following features have been added to Fortify Software Security Center.  
Data Retention  
Administrators can define a time period for retaining application version artifacts.
Customizable UI Theme  
You can now set the UI theme to dark, light, or automatic.  
Customized BIRT Reports  
• Generate and download customized BIRT reports in XLSX format.
• Supports BIRT Report Designer 4.14.0
Synchronize Audit History Changes in Fortify ScanCentral DAST using Kafka
You can set up Kafka to synchronize audit history changes for suppressed issues,  
priority override, and analysis tag with Fortify ScanCentral DAST.  
fortifyclient Timeouts
Set up timeouts for connect, read, and write for fortifyclient.  
OpenText™ Fortify Software (24.2.0)  
Page 1 of 34  
Kubernetes support  
1.29  
Helm support  
3.13 and 3.14  
Updated LOC (lines of code) calculation  
To better align with the LOC count shown by code editors, Fortify Static Code  
Analyzer now reports the total number of lines of code, including blank lines and  
comments. Due to this change, when you upload an artifact created with Fortify  
Static Code Analyzer 24.2.0 (or later) to an SSC application version that already  
contains artifacts generated by earlier versions of Fortify Static Code Analyzer, a  
one-time approval may be required if the following processing rule is enabled:  
Require approval if line count differs by more than 10%. Once  
a 24.2.0 artifact has been approved in an application version, subsequent 24.2.0  
uploads to that application version will no longer trigger the processing rule unless  
the LOC count changes due to significant code changes or changes in the scan  
setup.  
Fortify ScanCentral SAST  
The following features have been added to Fortify ScanCentral SAST.  
Sensor Version Support  
Scan requests initiated from older clients can be assigned and processed by newer  
sensor versions.  
Encoded Tokens  
Added support for encoded tokens (decoded tokens are deprecated).  
ScanCentral SAST Client  
• Ability to use the Debricked CLI for open source software composition analysis (for use with Fortify on Demand only).
• Simplified commands by automatically detecting requirements.txt for Python projects, the PHP version for PHP projects, and setting a default value for package name.
ScanCentral Controller  
You can configure the Controller to disallow queuing multiple scan requests that are  
uploaded to the same application version. If enabled, newer scan requests will  
replace the one that is in the queue while keeping its priority. It can be overridden  
with an option for individual scan requests.  
Updated Build Tool Support  
• Support for Gradle 8.6
• Support for dotnet 8.0
• Support for MSBuild 17.9
Fortify Static Code Analyzer  
The following features have been added to Fortify Static Code Analyzer.  
Platforms  
• macOS 14 support
Languages  
• Angular 16.1 and 16.2
• Apex 59 and 60
• C23
• Dart 3.1
• Django 5.0
• Flutter 3.13
• Go 1.21 and 1.22
• Java 21
• Kotlin 1.9
• PHP 8.3
• Scala 3, versions 3.3-3.4
• Swift 5.10
• TypeScript 5.1 and 5.2
• Visual Basic (VB.NET) 16.9
Compilers  
• gcc 13
• g++ 13
• Swiftc 5.9.2, 5.10
Build tools  
• Bazel 6.4.0
• CMake 3.23.3 and later
• MSBuild 17.9
• xcodebuild 15.3
Features/Updates  
• ARM JSON Templates (IaC)
• AWS CloudFormation (IaC)
• Scanning .NET requires .NET SDK 8.0.
• The default Python version is now 3.
• The default scan policy has changed from classic to security. The security scan policy excludes issues related to code quality from the analysis results.
• Ability to specify the location of a custom supported JDK or JRE version that is not included in the Fortify Static Code Analyzer installation
• Fortify Static Code Analyzer automatically detects the content of files with a .cls extension to determine if they are Apex or Visual Basic code. This removes the need to include the -apex option, which is now deprecated.
• Updated LOC (lines of code) calculation: To better align with the LOC count shown by code editors, Fortify Static Code Analyzer now reports the total number of lines of code, including blank lines and comments. Due to this change, when you upload an artifact created with Fortify Static Code Analyzer 24.2.0 (or later) to an SSC application version that already contains artifacts generated by earlier versions of Fortify Static Code Analyzer, a one-time approval may be required if the following processing rule is enabled: Require approval if line count differs by more than 10%. Once a 24.2.0 artifact has been approved in an application version, subsequent 24.2.0 uploads to that application version will no longer trigger the processing rule unless the LOC count changes due to significant code changes or changes in the scan setup.
Fortify Static Code Analyzer Tools  
The following features have been added to Fortify Static Code Analyzer tools.  
Fortify Applications and Tools Installer  
Now includes the standalone Fortify ScanCentral SAST client.  
Fortify Audit Workbench  
Now includes a timeout setting for downloading analysis results from Fortify  
Software Security Center.  
Secure Coding Plugins  
• Support for Red Hat Enterprise Linux (RHEL) 9
• Support for macOS 14
• Fortify Visual Studio Extension supports suppressing issues and auditing multiple issues in batch when remediating analysis results on Fortify Software Security Center.
• Fortify Plugin for Eclipse, Fortify Analysis Plugin for IntelliJ IDEA and Android Studio, and the Fortify Extension for Visual Studio support analysis with a standalone ScanCentral SAST client.
• Support for Eclipse 2023-12 and 2024-03
• Support for IntelliJ IDEA 2023.3 and 2024.1
• Support for Android Studio 2023.1 and 2023.2
• The Fortify Analysis Plugin for IntelliJ IDEA and Android Studio, Fortify Plugin for Eclipse, and Fortify Extension for Visual Studio will be available in the relevant marketplaces.
New Issue Reports  
• DISA STIG 5.3
• OWASP Mobile Top 10 2024
Fortify ScanCentral DAST  
The following features have been added to ScanCentral DAST.  
Syncing of Suppressed Issues in Fortify Software Security Center  
You can now configure Kafka settings in ScanCentral DAST to provide support for  
the syncing of audit history changes in Fortify Software Security Center, including  
support for suppressed issues. Additionally, you can show or hide suppressed  
issues in the ScanCentral DAST Scans view and scan visualization.  
Regex Editor Tool  
ScanCentral DAST now includes a Regex Editor tool that enables you to construct  
and test regular expressions.  
Perform Actions on Multiple Scans  
You can select multiple scans and then pause, start, stop, delete, or publish them.  
Use an Access Token for Sensor Auto Scaling  
When configuring Sensor Auto Scaling in a Kubernetes environment, you can now  
configure ScanCentral DAST to read an access token from the default path in  
Kubernetes, to retrieve the token from a specific path in the container, or to use a  
long-lived access token.  
DAST Health Monitoring  
Readiness and liveness probe commands have been added to ScanCentral DAST  
services to enable Kubernetes to detect failures and restart containers.  
OAuth 2.0 Support  
You can now configure Client Credentials Grant and Password Credentials Grant  
OAuth 2.0 authentication flows for scans requiring network authentication.  
Mac Version of Event-based Web Macro Recorder Tool  
The Event-based Web Macro Recorder tool is available for Mac, which enables you  
to create login and workflow macros on macOS.  
Fortify WebInspect  
The following features have been added to WebInspect.  
Docker Images Available in Iron Bank  
The Fortify WebInspect (DAST) scanner Docker image is available on the Iron Bank  
hardened container image repository, along with the 2FA, FAST, OAST, and WISE  
images.  
Enhanced CycloneDX Export Data  
CycloneDX export data now includes vulnerability details, including CVE ID  
number, description, ratings, affected library versions, and the source provider’s  
URL (PURL).  
OAuth 2.0 Support  
You can now configure Client Credentials Grant and Password Credentials Grant  
OAuth 2.0 authentication flows for scans requiring network authentication.  
Mac Version of Event-based Web Macro Recorder Tool  
The Event-based Web Macro Recorder tool is available for Mac, which enables you  
to create login and workflow macros on macOS.  
Contacting Customer Support  
Visit the Support website to:  
• Manage licenses and entitlements
• Create and manage technical assistance requests
• Browse documentation and knowledge articles
• Download software
• Explore the Community
We Welcome Your Feedback  
If you have comments or suggestions about the documentation, you can send these  
to the documentation team at fortifydocteam@opentext.com. Please use the  
subject line “Feedback on <Document_Title> <Product_Version>.” We appreciate  
your feedback!  
Copyright 2024 Open Text.  
What’s New in Fortify Software 23.2.0  
December 2023  
This release of Fortify Software includes the following new functions and features.  
Fortify Software Security Center  
The following features have been added to Fortify Software Security Center.  
Fortify Audit Assistant Gen 2  
Audit Assistant is an optional tool that you can use to help determine whether or not  
the issues returned from your scans represent true vulnerabilities. Generation 2, or  
Gen 2, of Audit Assistant is now available. Using advanced AI and machine
learning, Gen 2 provides improved accuracy, training based on the decisions your  
auditors have made, and greater speed.  
When upgrading Fortify Software to version 23.2.0, you must also upgrade Audit  
Assistant to use the new Gen 2 version of Audit Assistant.  
BIGINT Data Type Replaces INT in scan_issue(ID) and issue(ID) Fields  
This change affects the scan_issue table in both MSSQL and MySQL databases.  
During database migration, the data type for scan_issue(ID) and issue(ID) will be  
changed to BIGINT if it has not already been done. For information on how this  
impacts your database migration, see "Preparing to Upgrade the Fortify Software  
Security Center Database" in the OpenText™ Fortify Software Security Center User  
Guide.  
Debricked SBOM Support  
You can now download Debricked Software Bill Of Materials and view information  
on the third-party components in your application.  
Base URL Attribute  
You can now assign a base URL attribute via the  
SCANCENTRAL DAST ATTRIBUTES page.  
New Automation Token  
Fortify Software Security Center now has a new SSC API Token type: the  
AutomationToken. This token type is a duplicate of the UnifiedLoginToken type. It  
provides access to most of the REST API and is intended for use in long-running  
automations and can be configured to last up to a year.  
Preserve Issue Detected on Date Across Versions  
Now, when creating a new application version based on a previous version, the  
Detected on date will be carried over to the new version. Previously, the Detected  
on date was set to the current date when basing a new application version on a  
previous one.  
Change User Assigned to an Issue  
You can now change the user assigned to an issue.  
Custom Banner  
An administrator can create an informational banner that persists until removed or  
changed.  
New Reports  
The premium report bundle now includes two new issue reports:  
• OWASP API Top 10 (2023)
• CWE Top 25 (2023)
The following report versions are no longer available in this release:  
• SANS 2009/2010
• STIG 4.10, 4.9 and below
• OWASP < 2013
• CWE Top 25 2019/2020
• WASC 24 + 2
REST Fortify Client  
The REST fortifyclient replaces the SOAP fortifyclient and is now the default.  
Additions to the System Requirements  
Fortify Software Security Center Database
• SQL Server 2022
Service Integrations
• Jira 9.10
Software Requirements
• Red Hat Enterprise Linux 9 (RHEL 9) support
• Kubernetes 1.27 and 1.28 support
• Helm 3.12 support
BIRT Reporting
• BIRT Report Designer 4.13.0
Fortify ScanCentral SAST  
The following features have been added to Fortify ScanCentral SAST.  
• Support for ScanCentral SAST .NET scanning and packaging on Linux systems
• Support for remote translation and scan of COBOL projects
• ScanCentral SAST will now retry any failed uploads to Fortify Software Security Center. Use the new upload command to resend an FPR file to Fortify Software Security Center after a previous upload attempt failed.
• REST API documentation for the Fortify ScanCentral SAST Controller is available with Swagger UI
• You can now package the debug logs from clients, sensors, and Fortify Static Code Analyzer into a ZIP archive using the start command option -diagnosis.
• Offload translation and scan support with Gradle versions 7.4-8.3 and MSBuild versions 17.4 - 17.8
Fortify Static Code Analyzer  
The following features have been added to Fortify Static Code Analyzer:  
Build tools  
• Ant 1.10.14
• Gradle 8.1 and 8.3
• Maven 3.9.4
• MSBuild 17.6 - 17.8
• xcodebuild 15 and 15.0.1
Languages
• Angular 15.1, 15.2, 16.0
• Apex 58
• Bicep v0.12.x → current
  • 0.12.1 → 0.14.85 (supporting .NET 6)
  • 0.15.31 → current (supporting .NET 7)
• C# 12
• C17
• Dart 3.0
• ECMAScript 2023
• Go 1.20
• Kotlin 1.8
• .NET 8.0
• Python 3.12
• Django up to 4.2
• React 18.0
• Solidity 0.4.12-0.8.21
• Swift 5.9
• TypeScript 5.0
Compilers
• Clang 15.0.0
• Swiftc 5.9
Fortify Static Code Analyzer Tools  
The following features have been added to Fortify Static Code Analyzer tools.  
The Fortify Static Code Analyzer installer no longer includes the Fortify Static  
Code Analyzer applications and tools. A separate installer is included for  
installing the Fortify Static Code Analyzer applications and tools.  
Fortify Audit Workbench  
• Syntax source code highlighting for Terraform, Dart, Bicep, and Solidity.
• Installation automatically detects the Fortify Static Code Analyzer versions installed in a default location.
• By default, Fortify Audit Workbench does not display binary source code.
Secure Coding Plugins  
• Fortify Plugin for Eclipse adds support for 2023-06 and 2023.06  
• Fortify Analysis Plugin for IntelliJ IDEA and Android Studio adds support for IntelliJ  
IDEA 2023.2 and Android Studio 2022.2 and 2022.3  
New Report Versions  
• OWASP MASVS 2.0
• CWE Top 25 2023
• OWASP API Top 10 2023
Fortify ScanCentral DAST  
The following features have been added to ScanCentral DAST.
Fortify Connect  
The new Fortify Connect feature enables you to perform scans of private  
applications from the cloud without exposing the application through your firewall.  
Event-based Logout Conditions  
The Event-based Web Macro Recorder now supports the use of JavaScript during  
execution to detect and notify the Fortify WebInspect sensor of logout.
Event Handlers  
The Event-based Web Macro Recorder now supports event handlers that react to  
unpredictable events, such as dialogs opening and popup DOM elements that steal  
focus.  
Web Storage Keys  
The Event-based Web Macro Recorder now supports the use of web storage keys  
that enable the application to determine and maintain state.  
Support for IMAP in Two-factor Authentication Scans  
Two-factor authentication scanning now supports IMAP email servers.  
Fortify WebInspect  
The following features have been added to Fortify WebInspect.  
Fortify License and Infrastructure Manager Linux Version
A Linux version of the Fortify License and Infrastructure Manager (LIM) is now  
available for download from the Fortify Docker repository.  
Event-based Logout Conditions  
The Event-based Web Macro Recorder now supports the use of JavaScript during  
execution to detect and notify the Fortify WebInspect sensor of logout.
Event Handlers  
The Event-based Web Macro Recorder now supports event handlers that react to  
unpredictable events, such as dialogs opening and popup DOM elements that steal  
focus.  
Web Storage Keys  
The Event-based Web Macro Recorder now supports the use of web storage keys  
that enable the application to determine and maintain state.  
Web Socket Events  
WebInspect now includes a Capture Web Socket Events setting in the JavaScript  
dialog under Scan Settings.  
Support for IMAP in Two-factor Authentication Scans  
Two-factor authentication scanning now supports IMAP email servers.  
What’s New in Fortify Software 23.1.0  
May 2023  
This release of Fortify Software includes the following new functions and features.  
Fortify Software Security Center  
The following features have been added to Fortify Software Security Center.  
FIPS-Inside Technology Preview  
With this release, you can run Fortify Software Security Center functions in RHEL  
8.5 and 9.0 FIPS-only-enabled environments. However, Kerberos SSO  
authentication is not supported. The support is subject to limitations of Red Hat  
OpenJDK 11 on the RHEL OS in FIPS mode. Since this has been released as a  
Technology Preview, please report any omissions, issues, or gaps in functionality  
so that we can address them prior to the next release.  
Priority Override Signifiers in Reports  
Changes to Fortify priority values (using the priority override feature) are now  
reflected in issue reports. For details, see "Viewing Priority Overrides Information in  
Issue Reports" in the Fortify Software Security Center User Guide, 23.1.0.  
Fortify Insight  
If you have purchased Fortify Insight, you can link your Fortify Software Security  
Center to your Fortify Insight dashboard by adding a Fortify Insight link to your SSC  
Dashboard.  
Extended Search Capability for X.509 SSO Implementation  
Previously, for an X.509 SSO implementation, Fortify Software Security Center  
searched the Subject field of the client certificate to retrieve the username for  
certificate authentication. The search now extends to include the Subject Alternative  
Name field.  
Replacing SOAP fortifyclient with REST fortifyclient  
In an effort to further secure your Fortify Software Security Center deployment, Fortify is phasing out SOAP fortifyclient and replacing it with REST fortifyclient. In this release, SOAP fortifyclient remains the default, but REST fortifyclient is available to you.
The file names for both utilities are the same, but the files are in different directories. The SOAP fortifyclient files are in <ssc_install_dir>/Tools/fortifyclient/bin and the REST fortifyclient files are in <ssc_install_dir>/Tools/fortifyclient-new-rest/bin.
To improve security and prepare for the eventual deprecation of SOAP-based  
fortifyclient, Fortify strongly recommends disabling SOAP and testing the REST  
version of fortifyclient in your testing environment. Report any lack of parity or  
functionality as soon as possible.  
For more information, see the Fortify Software Release Notes 23.1.0.  
Job Queue Redesign  
A new job execution strategy named "Flexible (technical preview)" is introduced in  
this release. Based on the conservative strategy, the flexible strategy makes more  
efficient use of job queue sensors. Users can switch between the new strategy and  
previous strategies, as needed.  
Improved Event Log Filtering  
Two new options enable you to refine the data displayed on the Event Logs page.  
You can now specify a username and / or an event type to filter the events that you  
view and export. To remove specified filters, click CLEAR.  
Cloud Database Support  
Fortify Software Security Center now supports SQL Server in both Azure and AWS  
cloud database services.  
Windows Server 2022 Support  
Fortify Software Security Center now supports running on the Windows Server 2022  
operating system.  
Kubernetes Support  
• Support added for Kubernetes versions 1.25 and 1.26
• Support added for Kubernetes Persistent Volumes with optional support for Pod Security Context fsGroup option (fsGroup support is required for using a non-default container user ID)
• Support added for kubectl command-line tool version 1.24, 1.25, and 1.26. Fortify recommends the use of the same version of kubectl command-line tool as the Kubernetes cluster version
• Support added for version 3.10 and 3.11 of the Helm command-line tool
Fortify ScanCentral SAST  
The following features have been added to Fortify ScanCentral SAST.  
Specifying Fortify Static Code Analyzer Options and Properties as -targs and -sargs Arguments
ScanCentral now supports the options specified in -targs and -sargs that Fortify Static Code Analyzer allows, and ignores or blocks those that are not allowed. Clients now accept rules, filters, and project templates not only through the designated ScanCentral options, but also from the scan arguments parameter (-sargs). Previously, if specified there, these options were ignored. For more information, see Appendix A: Fortify ScanCentral SAST Command-Line Options in the Fortify ScanCentral SAST Installation, Configuration, and Usage Guide.
New Status Command Option: --block-until  
Previously, a ScanCentral client had no way to let you know if an FPR that you  
uploaded to Fortify Software Security Center was processed completely. Now, you  
can use the --block-until option to block additional actions from being performed  
until processing is complete, so that the merged results you later download include  
all of the audits, comments, suppressed issues, and history from the previous  
scans.  
The new --block-until option for the STATUS command polls Fortify Software Security Center for the scan merge status, and then returns the following information:
• Job status
• SSC upload status
• SSC application version ID
• SSC application name
• SSC application version name
• SSC artifact ID
• SSC artifact status
Build Tools  
• Added support for Maven version 3.9.x
Auto Detection of Build Tool for Remote Translation  
Previously, to perform a remote translation, you had to supply the -bt (--build-tool) option with a value that specified the build tool. Now, Fortify ScanCentral SAST detects the build tool automatically based on the project files being scanned. For example, if Fortify ScanCentral SAST detects a pom.xml file, it automatically sets -bt to mvn. If it detects a build.gradle file, it sets -bt to gradle. If Fortify ScanCentral SAST detects a *.sln file, it sets -bt to msbuild and sets -bf to the xxx.sln file.
If ScanCentral detects multiple file types (for example, pom.xml and build.gradle), it prioritizes the build tool selection as follows: Maven > Gradle > MSBuild, and prints a message to indicate which build tool type was selected based on the multiple file types found.
Note: If you specify the build tool manually, auto-detection is overridden.  
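The detection and priority rules described above, written out as an added Python illustration (this is not ScanCentral's own code). It assumes the marker files sit at the project root and, where several .sln files exist, takes the first in sorted order; the manual -bt value is modelled by the explicit_bt parameter.

```python
import tempfile
from pathlib import Path

# Documented selection priority when several project types are present:
# Maven > Gradle > MSBuild.
PRIORITY = ("mvn", "gradle", "msbuild")


def detect_build_tool(project_dir, explicit_bt=None):
    """Return the -bt (and, for MSBuild, -bf) values the release text describes.

    explicit_bt stands in for a manually supplied -bt option, which overrides
    auto-detection. -bt is None when no known build file is found.
    """
    root = Path(project_dir)
    if explicit_bt is not None:
        return {"-bt": explicit_bt, "auto_detected": False, "candidates": []}

    candidates = []  # build tools whose marker files were found, in check order
    sln_files = sorted(p.name for p in root.glob("*.sln"))
    if (root / "pom.xml").is_file():
        candidates.append("mvn")
    if (root / "build.gradle").is_file():
        candidates.append("gradle")
    if sln_files:
        candidates.append("msbuild")

    if not candidates:
        return {"-bt": None, "auto_detected": False, "candidates": []}

    # Highest-priority tool among those detected.
    chosen = next(tool for tool in PRIORITY if tool in candidates)
    result = {"-bt": chosen, "auto_detected": True, "candidates": candidates}
    if chosen == "msbuild":
        # Assumption: with several .sln files the first in sorted order is used;
        # the release text only covers the single-solution case.
        result["-bf"] = sln_files[0]
    if len(candidates) > 1:
        # Mirrors the message printed when more than one project type is found.
        result["message"] = "multiple build files found (%s); selected %s" % (
            ", ".join(candidates), chosen)
    return result


def _make_project(*filenames):
    """Create a throwaway directory holding the given (empty) marker files."""
    root = Path(tempfile.mkdtemp(prefix="sc-detect-"))
    for name in filenames:
        (root / name).write_text("")  # constructed sample file; content is irrelevant
    return root


def demo():
    """Run the detector over constructed sample projects and return the outcomes."""
    return {
        "maven_only": detect_build_tool(_make_project("pom.xml")),
        "maven_and_gradle": detect_build_tool(_make_project("pom.xml", "build.gradle")),
        "dotnet": detect_build_tool(_make_project("MyApp.sln", "MyApp.csproj")),
        "manual_override": detect_build_tool(_make_project("pom.xml"), explicit_bt="gradle"),
        "unknown": detect_build_tool(_make_project("README.md")),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```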
Configurable Location for the worker-persist.properties File  
For containerized deployments it is useful to determine where certain files are generated so that you can customize persistence. For example, the worker-persist.properties file and the job files are stored in the same folder (sensor working directory). Now, you can use two new properties to specify where the worker-persist.properties file is generated and where the job files are generated. This enables you to persist the worker-persist.properties file, which is needed to maintain sensor pool assignments, without having to keep all of the old job files.
Fortify ScanCentral Controller and Sensor Docker Images and Helm Chart  
ScanCentral Controller and Sensor Docker images are now available on Docker  
Hub. You must be a member of the fortifydocker organization to download the  
images. A Helm Chart is available at https://github.com/fortify/helm3-charts.  
Windows Server 2022 Support  
Fortify ScanCentral SAST now runs on the Windows Server 2022 operating system.  
Fortify Static Code Analyzer  
The following features have been added to Fortify Static Code Analyzer.  
Features  
• The Fortify Static Code Analyzer installation program no longer includes the Fortify Static Code Analyzer applications and tools. A separate installer is provided to install the Fortify Static Code Analyzer applications and tools.
• Scan Policy: You can set a scan policy to identify the most serious vulnerabilities. There are three policies to choose from: classic, security, or devops. The classic scan policy is the default; it does not prioritize analysis results. The security scan policy is used to exclude issues related to code quality from the results. Use this policy to focus on remediation. The devops scan policy excludes issues that are also excluded by the security policy and reduces the number of low-priority issues. Use this policy when speed is a priority and developers want to review results directly (without intermediate auditing).
• Filter Files: You can now set an exclusion threshold value to a filter file by adding one of the following exclusion types: priority, impact, likelihood, confidence, probability, and accuracy.
• .NET analysis on Linux: You can now translate .NET code on Linux installations of Fortify Static Code Analyzer.
Platforms  
• Red Hat Enterprise Linux 9.x
• macOS 13 on Intel and Apple Silicon (compatibility mode)
Compilers
• Clang 14.0.3
• gcc 11
• g++ 11
• swiftc 5.8
Build tools
• Ant 1.10.13
• Gradle 8.0.2
• Maven 3.9.1
• MSBuild 17.5 (Windows)
• Xcodebuild 14.2 and 14.3
Languages  
• .NET 7
• Apex 56 and 57
• ASP.NET Core 7
• C# 11
• Dart 2.12 - 2.18 / Flutter 2.0 - 3.3 (Rules for Dart/Flutter will be released in Q2 2023.)
• ECMAScript 2022
• Go 1.18 and 1.19
• Kotlin 1.7
• PHP 8.2
• Python 3.10, 3.11
• TypeScript 4.6 - 4.9
Fortify Static Code Analyzer Tools  
The following features have been added to Fortify Static Code Analyzer tools.  
The Fortify Static Code Analyzer installer no longer includes the Fortify Static  
Code Analyzer applications and tools. A separate installer is included for  
installing the Fortify Static Code Analyzer applications and tools.  
Platforms and Architectures  
• Windows 11
• macOS 13. All tools run in compatibility mode on Apple M1 and M2 processors
Secure Code Plugins  
Added support for updated versions of the following IDEs:  
• Eclipse 2023-03
• IntelliJ IDEA 2023.1
• Android Studio 2022.1
• Visual Studio 2022, version 17.5
Fortify Extension for Visual Studio  
The remediation phase now supports custom tags that require comments and the  
priority override tag.  
New Report Template Versions  
• PCI DSS 4.0
• PCI SSF 1.2
• DISA STIG 5.2
Fortify ScanCentral DAST  
The following features have been added to ScanCentral DAST.
Client-side Library Analysis  
The hacker-level insights check has been enhanced to include information from the  
National Vulnerability Database (NVD) and Debricked health metrics when  
configured with a Debricked access token.  
Key Stores  
ScanCentral DAST now provides key stores as a way to create variables that you  
can use in scan settings, base settings, and macro parameters. When a scan is run,  
these variables are replaced with the latest values from the key store.  
Artifacts Repositories  
ScanCentral DAST now supports using artifacts repositories where scan artifacts  
reside. When a scan is run that references an artifact in a repository, either a tagged  
version or the latest copy of the artifact is pulled and used to configure and run the  
scan.  
Private Data Settings  
You can now configure private data settings that remove personally identifiable  
information from the scan and log data upon scan completion.  
Scan Visualization Enhancements for API Scans  
The site tree in scan visualization now includes icons for operations and parameters  
in API scans.  
Postman Scan Enhancements  
You can now import global variables files to use in Postman scans. There are also  
changes to validation and the ability to edit the sessions contained in collection files  
after validation.  
Fortify WebInspect  
The following features have been added to Fortify WebInspect.  
Client-side Library Analysis  
The hacker-level insights check has been enhanced to include information from the  
National Vulnerability Database (NVD) and Debricked health metrics when  
configured with a Debricked access token.  
Two-factor Authentication  
WebInspect has added the ability to automate Two-factor Authentication scans of  
sites using Authenticator Apps. This is in addition to our SMS- and email-based two-  
factor scanning. Once configured, there is no need for user interaction.  
SQLite SecureBase  
WebInspect now uses a SQLite database for SecureBase. The file extension is now  
SecureBase.db.  
Support for Postman Global Variables  
You can now import global variables files to use in Postman scans.  
WebInspect REST API v2  
The WebInspect REST API now includes a version 2, which includes asynchronous  
versions of endpoints that take a long time to complete. These endpoints generate a  
job token that you can use with the v2 Job endpoints to get the status and results  
from the job.  
Enhanced Support of Localized SecureBase Content  
A new Application Setting for SmartUpdate allows you to select a language to  
localize the security and report content in SecureBase.  
Enhancements to False Positives  
False Positives and ignored items have been renamed as Suppressed Findings in  
the UI. You can now export and import suppressed findings as JSON files.  
Enhanced Support for Client Certificates  
WebInspect now supports client certificates with strong private key (password)  
protection in Guided Scans, Basic Scans, and Interactive Scans.  
Improved Scan Coverage and Performance  
Fortify continues to enhance its engines to improve scan coverage and  
performance. WebInspect 23.1.0 provides a faster crawl and audit, and better  
application support with the Event-based Web Macro Recorder (formerly called  
Web Macro Recorder with Macro Engine 23.1.0).  
WebInspect Software Requirements  
Added support for Windows Server 2022, SQL Server 2022, and SQL Server  
Express 2022.  
What’s New in Micro Focus Fortify Software 22.2.0
November 2022  
This release of Micro Focus Fortify Software includes the following new functions  
and features.  
Micro Focus Fortify Software Security Center  
The following features have been added to Fortify Software Security Center.  
Priority Override Capability  
Administrators can now enable users to change, or override the priority values  
assigned to issues. With the introduction of priority override capability, the Engine  
Priority option was added to the Group by menu. This grouping selection returns  
issues based on the original priority value assigned by the engine that identified the  
issue.  
Prioritizing ScanCentral SAST Jobs  
In this release, you can move a pending scan request to the first position in the jobs  
queue from the SCANCENTRAL SAST tab. For details, see "Prioritizing a  
ScanCentral SAST Scan Request" in the user guide.  
Support for Tomcat Access log Pattern for Kubernetes Deployments  
Fortify Software Security Center now supports changing the Tomcat access log  
pattern for a Kubernetes deployment. For details, see "Configuring the Apache  
Tomcat Access Logs for Additional Fields on the Docker Image" in the user guide.  
ScanCentral SAST Tab Enhancements  
The following changes were made to the SAST tab in the SCANCENTRAL view:  
• The Status column is now the State column, which now displays symbols to  
indicate the current scan state.  
• The Scan Requests table now includes the Priority column, which shows the  
order in which pending scan request jobs are to be run. You can sort the listed  
jobs by selecting the Priority heading. The details for an expanded scan request  
now include the PRIORITIZE SCAN button, which you can select to move the  
scan request to the top of the job queue for the pool. You can also click the arrow  
icon in the Scan Requests table to move the request to the top of the queue. For  
details, see "Prioritizing a ScanCentral SAST Scan Request" in the user guide.  
Viewing and Auditing Debricked Vulnerability Results  
You can now view and audit Debricked scan results for applications in Fortify  
Software Security Center so that, in addition to seeing vulnerabilities in the source  
code, you can also view the open-source vulnerabilities from third-party libraries.  
For details, see "Viewing Open Source Data" in the user guide.  
Creating Clickable Links in Bug Tracking Templates  
As of release 22.1.1, you can use the new HtmlUtil class in the velocity templates  
for bug trackers to create a link to a specific issue in Fortify Software Security  
Center. For information about how to use this class, select the Editing tips link in the  
EDIT TEMPLATE dialog box (see "Customizing Velocity Templates for Bug Tracker  
Plugins" in the user guide).  
Changes to the About Fortify Software Security Center Box  
The Configuration section of the ADMINISTRATION view now includes the About  
page, from which you configure the SUPPORT link in the About box. For information  
about how to change the SUPPORT link, see "Customizing the Fortify Software  
Security Center About Box" in the user guide.  
Changes to SAML SSO Configuration  
The procedure used to configure Fortify Software Security Center to work with  
SAML SSO has changed (see "Configuring Fortify Software Security Center to  
Work with SAML 2.0-Compliant Single Sign-On Solutions" in the user guide).  
Preventing LDAP Refresh on Startup / Enabling Persisted Cached LDAP Data  
Previously, the LDAP data resided in in-memory cache and was lost at server  
shutdown. Now, you can enable the cached data to persist after shutdown, so that  
restarting Fortify Software Security Center is much faster, especially for large LDAP  
environments. For more information, see "Enabling Persistence of the LDAP  
Cache" in the user guide.  
Updated Kubernetes Support  
• Support for Kubernetes 1.23 and 1.24  
• Support for Helm 3.9  
Micro Focus Fortify ScanCentral SAST  
The following features have been added to Fortify ScanCentral SAST.  
Support for Packaging Java 8 Projects  
If you have a Java 8 project that fails to build because ScanCentral SAST requires  
Java 11 to run, you can set the new SCANCENTRAL_JAVA_HOME environment variable to  
point to Java 11. After you do, ScanCentral SAST runs correctly, and the build runs  
successfully with JAVA_HOME set to Java 8 for the project build.  
Upgrade of the Internal H2 Database Engine  
The internal H2 database for Fortify ScanCentral SAST was upgraded. As a result,  
you must run an associated migration script. For details, see "Upgrading the  
ScanCentral SAST Controller" in the Micro Focus Fortify ScanCentral SAST  
Installation, Configuration, and Usage Guide.  
Improved Method for Excluding Files From Scans When Using ScanCentral SAST to Package Projects  
Previously, Gradle, Maven, and MSBuild integration relied on internal build  
procedure logic to collect files. The only way to exclude files was either to exclude  
them from the build file, or to use an additional translation argument (-targs "-  
exclude ...,"), which required that you knew where the file was to be saved in the  
ScanCentral SAST working directory.  
You can now use the -exclude option directly from the ScanCentral SAST  
command line to exclude some files from scans for the Maven, Gradle, and MSBuild  
build tools, and for -bt none. For details, see "Package Command" in the Micro  
Focus Fortify ScanCentral SAST Installation, Configuration, and Usage Guide.  
Configuring the Name of FPR Files Uploaded to Fortify Software Security Center  
The FPR files uploaded to Fortify Software Security Center are named scan.fpr.  
You can now use the -fprssc option to specify the name to use for generated FPR files  
uploaded to Fortify Software Security Center. For details, see "Submitting Scan  
Requests and Uploading Results to Fortify Software Security Center" in the Micro  
Focus Fortify ScanCentral SAST Installation, Configuration, and Usage Guide.  
Packaging Projects with File Paths that Contain an Umlaut  
Previously, packaging failed if a file name or file path for a project included an  
umlaut character. Now, you can prevent such failures by adding a new property to  
the fortify-sca.properties file. For details, see the cautionary note in "Package  
Command" in the Micro Focus Fortify ScanCentral SAST Installation, Configuration,  
and Usage Guide.  
Configuring a Proxy for ScanCentral SAST Clients  
If your outbound traffic must go through a proxy, you can now add a proxy  
configuration for that purpose. For details, see "Configuring Proxies for Fortify  
ScanCentral SAST Clients" in the Micro Focus Fortify ScanCentral SAST  
Installation, Configuration, and Usage Guide.  
(Fortify on Demand only) New Option for Packaging Files for Debricked  
The new -oss packaging option enables you to package additional files that  
Debricked requires for its scans. See "Package Command" in the Micro Focus  
Fortify ScanCentral SAST Installation, Configuration, and Usage Guide.  
Micro Focus Fortify Static Code Analyzer  
The following features have been added to Fortify Static Code Analyzer.  
Operating System Updates  
Fortify added support for the following operating systems and versions:  
• macOS 12 Apple silicon  
• Ubuntu 22.04.1 LTS  
Compiler Updates  
Fortify added support for the following compiler versions:  
• Clang 14.0.0  
• Swiftc 5.7  
Build Tool Updates  
Fortify added support for the following build tool versions:  
• Xcodebuild 14 and 14.0.1  
Language and Framework Updates  
• COBOL  
  IBM Enterprise COBOL for zOS 6.2 and 6.3  
  Micro Focus Visual COBOL 7.0 and 8.0  
• Apex 55  
• Kotlin 1.6  
• PHP 8.1  
• TypeScript / JavaScript  
  React 17.0  
  React Native .68  
  Vue 2  
Note: Rules for Vue 2 will be part of the Fortify Software Security Content 2022  
R4 release.  
Micro Focus Fortify WebInspect  
The following features have been added to Fortify WebInspect.  
GraphQL Native Support  
WebInspect now supports scanning GraphQL natively. A Postman collection or  
workflow is no longer required to get a comprehensive GraphQL scan.  
gRPC Scanning  
WebInspect has added support for gRPC scanning. This popular server-to-server  
framework can now be scanned for security vulnerabilities.  
Engine 7.1 Updates  
Fortify continues to enhance its engines to improve scan coverage and  
performance. WebInspect 22.2.0 provides a faster crawl and audit, and better  
application support from the Web Macro Recorder with Macro Engine 7.1.  
Linux Version  
WebInspect is now available on a lightweight Linux container. This containerized  
version of WebInspect is a great option for automation scenarios when WebInspect  
is used through its API.  
Updated SOAP Scanning  
WebInspect will be deprecating its older SOAP scanning option through the Web  
Service Test Designer tool. In preparation, a new mechanism to scan SOAP  
applications is available through the API scanning option.  
Micro Focus Fortify Static Code Analyzer Tools  
The following features have been added to Fortify Static Code Analyzer tools.  
Fortify Analysis Plugin for IntelliJ and Android Studio  
The Fortify Analysis Plugin for IntelliJ IDEA and Android Studio now supports:  
• IntelliJ 2022.2  
• Android Studio 2021.3  
Eclipse Support  
The Fortify Eclipse Complete Plugin now supports Eclipse 2022-06 and 2022-09.  
Updated CWE Top 2022 Report  
Updated to incorporate content from the Fortify Software Security Content 2022  
Update 3.  
Updated Custom Rules Editor  
Includes the following generic and category-specific templates for generating  
custom Configuration, Regex, and Infrastructure as Code (IaC) rules:  
• Configuration Rule for PropertyMatch  
• Configuration Rule for XPathMatch  
• Docker Bad Practices: Untrusted Base Image in Use  
• Credential Management: Hardcoded API Credential  
• Regex Rule for ContentRegex  
• Regex Rule for FileNameRegex  
• Regex Rule for FileNameRegex and ContentRegex  
• Structural Rule for Cloud Configuration in Nested Objects  
• Structural Rule for Cloud Configuration in Single Object  
• Structural Rule for Terraform Configuration in Nested Blocks  
• Structural Rule for Terraform Configuration in Single Block  
• Terraform Bad Practices: Untrusted Module in Use  
Additional language support:  
• Apex  
• Go  
• HCL  
• JavaScript/TypeScript  
• JSON  
• Kotlin  
• PHP  
• Python  
• YAML  
Additional configuration file type support:  
• configuration  
• docker  
• xml  
Micro Focus Fortify ScanCentral DAST  
The following features have been added to Fortify ScanCentral DAST.  
GraphQL Native Support  
ScanCentral DAST now supports scanning GraphQL natively. A Postman collection  
or workflow is no longer required to get a comprehensive GraphQL scan.  
gRPC Scanning  
ScanCentral DAST has added support for gRPC scanning. This popular  
server-to-server framework can now be scanned for security vulnerabilities.  
SOAP Service Scanning  
ScanCentral DAST now supports scanning SOAP services.  
Engine 7.1 Updates  
Fortify continues to enhance its engines to improve scan coverage and  
performance. ScanCentral DAST 22.2.0 provides a faster crawl and audit and better  
application support from the Web Macro Recorder with Macro Engine 7.1.  
Linux Version  
The ScanCentral DAST core components and sensor are now available on a  
lightweight Linux container. This new Linux option provides enhanced support for  
automation and sensor auto scaling.  
Sensor Auto Scaling  
ScanCentral DAST provides optional sensor auto scaling in Kubernetes that  
automatically starts the sensor container, runs the scan, and shuts down the  
container upon completion.  