OpenText™ Static Application Security Testing (Fortify Static Code Analyzer)  
Version 25.2.0  
Release Notes  
Document Release Date: April 2025  
Software Release Date: April 2025  
This document provides the new features, installation and upgrade notes, known issues, and  
workarounds that apply to release 25.2.0 of OpenText™ Static Application Security Testing (Fortify  
Static Code Analyzer).  
This information is not available elsewhere in the product documentation. The user guides for this  
product are available on the Product Documentation website:  
https://www.microfocus.com/documentation/fortify-static-code/.  
NOTE ON THE 25.2.0 RELEASE  
The 25.2 release of the OpenText™ Application Security Software is being released in two stages.  
OpenText™ Static Application Security Testing (Fortify Static Code Analyzer). The remainder of the  
25.2 OpenText Application Security Software products will be released in the latter half of May  
2025.  
UPDATES TO THIS DOCUMENT  
Date  
Addition and/or change  
4/10/2025  
Initial release.  
FORTIFY PRODUCT NAME CHANGES  
OpenText is in the process of changing the following product names:  
Previous name  
New name  
Fortify Static Code Analyzer  
OpenText™ Static Application Security Testing (OpenText SAST)  
OpenText™ Application Security  
Fortify Software Security  
Center  
Fortify WebInspect  
OpenText™ Dynamic Application Security Testing (OpenText  
DAST)  
Fortify on Demand  
Debricked  
OpenText™ Core Application Security  
OpenText™ Core Software Composition Analysis (OpenText  
Core SCA)  
Fortify Applications and Tools OpenText™ Application Security Tools  
The product names have changed on product splash pages, mastheads, login pages, and other  
places where the product is identified. The name changes are intended to clarify product  
functionality and to better align the Fortify Software products with OpenText. In some cases, such  
as on the documentation title page, the old name might temporarily be included in parenthesis.  
You can expect to see more changes in future product releases.  
FORTIFY DOCUMENTATION UPDATES  
The following documents will reflect changes that enable us to release products more often and  
with fewer dependencies on other products in the Application Security (Fortify) suite.  
Document  
OpenText™ Fortify Software Release Notes  
Change  
This document has been renamed to  
OpenText™ <Product_Name> Release Notes as  
each product will have its own release notes  
document.  
Fortify Software System Requirements  
Rather than publishing a single guide that  
covers all of the products for a specific  
release, each product’s requirements can be  
found in the product’s user guide.  
What’s New in Fortify Software  
New features will no longer be appear in a  
separate document. New features will be  
listed in the product’s Release Notes.  
Accessing Documentation  
The documentation set contains installation, deployment, and user guides. In addition, you will  
find release notes that describe last-minute updates. You can access the latest HTML and/or PDF  
versions of the documents for this release from the Product Documentation website:  
https://www.microfocus.com/documentation/fortify-static-code/.  
If you have trouble accessing our documentation, please contact Customer Support.  
NEW FEATURES IN THIS RELEASE  
Platforms  
macOS 15  
Language support  
PHP 8.4 support  
Python 3.13 support  
ECMAScript 2024  
Build tools  
Gradle integration supports Gradle up to 8.10.2  
Features/updates  
Test projects are excluded by default in translation of Visual Studio projects  
The Security (default) and DevOps scan policies are updated to reduce additional noise.  
Improved ABAP translation and code extraction  
Jupyter notebooks  
Auto detection of Django and Flask templates.  
Django 5.1 support  
Spring (GaphQL) 1.3.3 support  
Pandas (Python)  
Apache Commons (new libraries added)  
Additional IaC categories across AWS, Azure, and Google Cloud  
Support for additional types of AI vulnerabilities  
DISA STIG 6.2  
INSTALLATION AND UPGRADE NOTES  
Complete instructions for installing products are provided in the documentation for each product.  
The ScanCentral SAST client included in the installer is a later version than the  
ScanCentral SAST Controller at the time of release. OpenText recommends you wait  
until the ScanCentral SAST Controller version 25.2 is available before upgrading  
sensors to 25.2.  
USAGE NOTES FOR THIS RELEASE  
Version 25.2.0 updates the Security (default) and DevOps scan policies to reduce  
additional noise. Currently this is specified as "Risk", where an issue with low risk is defined  
as an issue with a low probability, unless it has a very high priority. Future releases will  
make this filter clearer and customizable.  
KNOWN ISSUES  
The following are known problems and limitations in OpenText™ Static Application Security Testing  
(Fortify Static Code Analyzer) version 25.2.0.  
Analyzing IaC languages and Solidity using the next-gen SAST engine cannot currently  
be accomplished with mobile build sessions. You must scan these projects locally.  
NOTICES OF PLANNED CHANGES  
This section includes product features and technologies that will be removed from a future release  
of the software. In some cases, the feature will be removed in the very next release. Features that  
are identified as deprecated represent features that are no longer recommended for use. In most  
cases, deprecated features will be completely removed from the product in a future release.  
OpenText recommends that you remove deprecated features from your workflow at your earliest  
convenience.  
The modular analysis feature is deprecated and will be removed from the product in a  
future release.  
Build tools  
Support for xcodebuild 15, 15.0.1, 15.1, 15.2 will be removed in the next release.  
FEATURES NOT SUPPORTED IN THIS RELEASE  
The following features are no longer supported.  
Build tools  
xcodebuild 14.3, 14.3.1  
Maven 3.0.5, 3.5.x  
Compilers  
swiftc 5.8, 5.8.1  
Clang 14.0.3  
Other features  
Fortify Static Code Analyzer 20.x will no longer load new rulepacks.  
The -apex and -apex-version options are deprecated and will be removed in a future  
release.  
Visual Studio Web Site projects are no longer supported. Convert your Web Site projects to  
Web Application projects to ensure that OpenText SAST can scan them.  
DEFINITIONS  
Deprecation  
When a product feature or integration is deprecated, OpenText no longer accepts enhancement  
requests for the feature but does respond to critical or security defects. OpenText will continue to  
support the usage of a deprecated feature or integration. If applicable, the feature is turned off by  
default, but customers can re-enable it. OpenText will stop supporting the feature or integration on  
the removal date or in the removal release.  
Removal  
When a product feature or integration is removed, OpenText no longer accepts or responds to  
critical or security defects. If the feature is a function, coded in the product, all code is removed,  
and the feature no longer functions in the product. If the feature is an external system or  
integration, the ability to integrate or be used by the product is removed and OpenText no longer  
supports its use or ability to function.  
SUPPORT  
If you have questions or comments about using this product, contact Customer Support using the  
following option.  
To Manage Your Support Cases, Acquire Licenses, and Manage Your  
Account: https://www.microfocus.com/support.  
LEGAL NOTICES  
Copyright 2025 Open Text  
WARRANTY  
The only warranties for products and services of Open Text and its affiliates and licensors (“Open  
Text”) are as may be set forth in the express warranty statements accompanying such products  
and services. Nothing herein should be construed as constituting an additional warranty. Open  
Text shall not be liable for technical or editorial errors or omissions contained herein. The  
information contained herein is subject to change without notice.