The 22.1 release is complete. You can now log in to your Fortify on Demand portal. All the details of the 22.1 release are found within the documentation under "What's New". Here are the highlights of the new release:
Fortify Static Code Analyzer 21.2.x Support
Fortify on Demand has implemented Micro Focus Fortify Static Code Analyzer 21.2.0 and associated patches for scanning source code. Fortify Static Code Analyzer 21.2.0 offers the following features:
Compiler updates:
gcc 10.2.1
g++ 10.2.1
Swiftc 5.4.2 and Xcodebuild 12.5.1
C++ 14 and 17 support
Go 1.17 support
JavaScript updates:
ECMAScript 2021 support
TypeScript 4.2 - 4.3 support
Type inference improvements
SAPUI5/OpenUI5 support
Kotlin 1.5 support
Full support for PHP 8
YAML support
Scala translation no longer requires a separate license from Lightbend. A license key is still required to run the Scala plugin; contact Fortify on Demand support to obtain one.
Fortify WebInspect 21.2.0 Support
Fortify on Demand has implemented Micro Focus Fortify WebInspect 21.2.0 for scanning web applications. Fortify WebInspect 21.2.0 offers the following features:
Macro Engine 6.1
Fortify WebInspect 21.2.0 provides a faster crawl and audit, and better application support from the Web Macro Recorder with Macro Engine 6.1.
Improved DOM XSS Detection
WebInspect 21.2.0 adds DOM XSS detection that analyzes client-side code for XSS. This improves the effectiveness of its XSS attacks and lets it find client-side-only vulnerabilities, such as XSS in DOM fragments, that never reach the server.
New Features
API Updates
The following updates have been made to the Fortify on Demand API:
The following API endpoints have been added for managing user groups:
POST /api/v3/user-management/user-groups (create a user group)
PUT /api/v3/user-management/user-groups/{groupId} (update a user group)
DELETE /api/v3/user-management/user-groups/{groupId} (delete a user group)
GET /api/v3/user-management/user-groups/{groupId}/members (get a list of user group members)
PATCH /api/v3/user-management/user-groups/{groupId}/members (update user group members)
The includeUrls optional parameter has been added to PUT /api/v3/releases/{releaseId}/dynamic-scans/scan-setup. Use this parameter to include in a Dynamic+ Website scan resources linked to the Dynamic Site URL domain.
For information on other API updates in this release, see the rest of the release notes.
Assign Applications to API Keys
Security Leads can now assign applications to API keys so that a key has access only to the specified applications. Applications are assigned after the API key is created. An API key that is not assigned to any application has access to all applications, and existing API keys retain access to all applications after the upgrade. To benefit from the new least-privilege scoping, review existing keys after the upgrade and assign each one only the applications its integration actually needs.
Support for Mobile Scanning of AAB Files
Fortify on Demand now supports mobile scanning of Android App Bundle (AAB) files. The fileName optional parameter has been added to POST /api/v3/releases/{releaseId}/mobile-scans/start-scan for providing the file name and extension.
Support for OWASP Top 10 2021 Classification
Fortify on Demand now supports the OWASP Top 10 2021 classification. The portal now includes the following additions:
OWASP 2021 has been added to the industry-standard classification options when creating a security policy.
OWASP 2021 has been added to the Issues page grouping and filtering options and the Standards and Best Practices section in the Vulnerability tab of the Issues page.
The OWASP 2021 report module has been added; system report templates have been updated.
API endpoints that provide vulnerability details have been updated with OWASP 2021 information.
OWASP 2021 columns have been added to the issues data export and Issues page exports.
User Group Management with Single Sign-On
Fortify on Demand now supports user group creation and user group assignment updates through single sign-on (SSO). Just-in-Time group provisioning must be enabled in the SSO settings in the portal.
Fortify Security Assistant for IntelliJ
The Tools page now provides a link to the Fortify Security Assistant for IntelliJ marketplace page. Fortify Security Assistant for IntelliJ alerts you to potential security issues as you write code. Existing Fortify Security Assistant licenses are valid for the plugin. For more information about Fortify Security Assistant for IntelliJ, see https://plugins.jetbrains.com/plugin/18406-fortify-security-assistant.
Support for Static Scanning of Infrastructure as Code Files
Fortify on Demand now supports static scanning of Infrastructure as Code configuration files. A new technology stack named Infrastructure-as-Code/Dockerfile is available. Users can also submit Dockerfiles as stand-alone payloads under the same technology stack. Supported file formats for the technology stack are: Dockerfile, JSON, XML, and YAML.
Improvements
Static Scan Payload Validation Update
The static scan payload validation process now first checks for file extensions supported by Fortify Static Code Analyzer. If the payload does not contain any supported file extensions, the static scan is cancelled. Supported file extensions are: ABAP, abap, appxmanifest, as, asax, ascx, ashx, asmx, asp, aspx, baml, bas, BSP, bsp, cbl, cfc, cfm, cfml, cls, cob, conf, Config, config, cpx, cs, cscfg, csdef, cshtml, ctl, ctp, dll, Dockerfile, dockerfile, erb, exe, frm, go, htm, html, inc, ini, java, js, jsff, json, jsp, jspf, jspx, jsx, kt, kts, Master, master, mxml, page, php, phtml, pkb, pkh, pks, plist, properties, py, razor, rb, scala, settings, sql, swift, tag, tagx, tld, trigger, ts, tsx, vb, vbhtml, vbs, vbscript, wadcfg, wadcfgx, winmd, wsdd, wsdl, xaml, xcfg, xhtml, xmi, xml, xsd, yaml, yml.
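Because a payload with no supported file extension is now cancelled after upload, it is worth reproducing the check locally so a CI job can fail fast before spending a scan slot. The following script is an added example, not Fortify code: it reads the extension list above and checks a zip archive against it. The exact-match (case-sensitive) rule and the treatment of extension-less files such as a stand-alone Dockerfile by their full base name are assumptions of this example; the sample archives it builds are constructed dummy data.

```python
"""Pre-flight check that a static scan payload contains at least one file
with an extension Fortify on Demand will translate. Added example, not
Fortify code; mirrors the rule in the 22.1 release notes."""
import os
import tempfile
import zipfile
from typing import Dict, Iterable, List, Tuple

# Extension list copied from the 22.1 release notes. Both "Config" and
# "config" (and "Dockerfile"/"dockerfile") appear, so this example matches
# case-sensitively; that exact-match rule is an assumption of the example.
SUPPORTED_EXTENSIONS = frozenset("""
ABAP abap appxmanifest as asax ascx ashx asmx asp aspx baml bas BSP bsp cbl
cfc cfm cfml cls cob conf Config config cpx cs cscfg csdef cshtml ctl ctp dll
Dockerfile dockerfile erb exe frm go htm html inc ini java js jsff json jsp
jspf jspx jsx kt kts Master master mxml page php phtml pkb pkh pks plist
properties py razor rb scala settings sql swift tag tagx tld trigger ts tsx
vb vbhtml vbs vbscript wadcfg wadcfgx winmd wsdd wsdl xaml xcfg xhtml xmi
xml xsd yaml yml
""".split())


def payload_key(name: str) -> str:
    """Return the part of a file name compared against the list: the
    extension, or the whole base name for extension-less files such as a
    stand-alone "Dockerfile" (assumption of this example)."""
    base = os.path.basename(name.replace("\\", "/"))
    _root, ext = os.path.splitext(base)
    return ext[1:] if ext else base


def is_supported(name: str) -> bool:
    return payload_key(name) in SUPPORTED_EXTENSIONS


def classify(names: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split archive entries into (supported, ignored); directory entries
    (trailing slash) are skipped."""
    supported: List[str] = []
    ignored: List[str] = []
    for name in names:
        if name.endswith("/"):
            continue
        (supported if is_supported(name) else ignored).append(name)
    return supported, ignored


def validate_zip(path: str) -> Dict[str, object]:
    """The portal's rule: the scan is only viable if the archive holds at
    least one file with a supported extension."""
    with zipfile.ZipFile(path) as zf:
        supported, ignored = classify(zf.namelist())
    return {"ok": bool(supported), "supported": supported, "ignored": ignored}


def build_sample_zip(entries: Iterable[str]) -> str:
    """Write a constructed sample archive (dummy file contents) to a temp
    directory and return its path."""
    tmpdir = tempfile.mkdtemp(prefix="fod-payload-")
    path = os.path.join(tmpdir, "payload.zip")
    with zipfile.ZipFile(path, "w") as zf:
        for entry in entries:
            zf.writestr(entry, "" if entry.endswith("/") else "sample content\n")
    return path


# Constructed sample payloads: one that would scan, one that would be cancelled.
GOOD_PAYLOAD = ["src/", "src/Main.java", "Dockerfile", "README.md", "web.Config"]
BAD_PAYLOAD = ["notes/", "notes/README.md", "build.log", ".gitignore"]


if __name__ == "__main__":
    for label, entries in (("good", GOOD_PAYLOAD), ("bad", BAD_PAYLOAD)):
        result = validate_zip(build_sample_zip(entries))
        status = "OK" if result["ok"] else "would be cancelled"
        print(f"{label}: {status}; supported={result['supported']} "
              f"ignored={result['ignored']}")
```

Note that the check is purely name-based, so a Dockerfile named in a variant form (for example `Dockerfile.prod`) is treated as having the extension `prod` and would not match; whether the portal handles such names the same way is not stated in the release notes.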
Bug Tracker Links Included in Copy State Data
Bug tracker links are now included in the data that is copied from a release using the copy state feature.
Issues on Issues Page Sorted by File Name and Line Number
Grouped issues on the Issues page are now sorted by file name, then line number.
Application Assignment Update
The ability to assign applications to users is now only available to users with the Manage Users permission.
Removal of Application Discovery
Fortify on Demand has removed the Application Discovery feature from the portal.
Yellow Banner Removed for Open Source Issues
The Issues page no longer shows the yellow banner "This vulnerability is no longer listed as an active vulnerability" for open source scan issues that have been set as Fixed Validated.
Dynamic Scan Settings Locked Upon Initial Scan Completion
Upon completion of the initial dynamic scan in a release, the following fields on the Dynamic Scan Setup page are set to the values from the completed scan and locked for editing:
Dynamic Site URL
All fields in the Scope section
All fields in the Authentication section, with the exception of password-related fields
Web Service Type
To edit these fields, create another release using the copy state feature and reconfigure the scan settings there. This change also applies to the API endpoint PUT /api/v3/releases/{releaseId}/dynamic-scans/scan-setup.
Bootstrap Update (Security Update)
Bootstrap has been updated to 4.6.1 in Fortify on Demand.
Click here to read the KB article with the release notes.