
CyberRes Fortify Software Security Content 2022 Update 4


About CyberRes Fortify Software Security Research

The Fortify Software Security Research team translates cutting-edge research into security intelligence that powers the Fortify product portfolio – including Fortify Static Code Analyzer (SCA) and Fortify WebInspect. Today, Fortify Software Security Content supports 1,286 vulnerability categories across 30 languages and spans more than one million individual APIs.

Fortify Software Security Research (SSR) is pleased to announce the immediate availability of updates to Fortify Secure Coding Rulepacks (English language, version 2022.4.0), Fortify WebInspect SecureBase (available via SmartUpdate), and Fortify Premium Content.

Fortify Secure Coding Rulepacks [Fortify Static Code Analyzer]

With this release, the Fortify Secure Coding Rulepacks detect 1,066 unique categories of vulnerabilities across 30 programming languages and span over one million individual APIs. In summary, this release includes the following:

Flask Updates (version supported: v2.2.x)

Flask is a micro web framework written in Python that does not require a particular set of tools or libraries out of the box. It is a lightweight and well-established framework generally best suited for small- to medium-sized projects, but also capable of handling relatively complex projects such as small APIs and microservices. Supported categories include:

  • Cross-Site Scripting: Persistent
  • Cross-Site Scripting: Poor Validation
  • Cross-Site Scripting: Reflected
  • JSON Injection
  • Often Misused: File Upload
  • Open Redirect
  • Path Manipulation
  • Privacy Violation
  • Server-Side Template Injection
  • System Information Leak: External
  • System Information Leak: Internal

iOS SDK Updates for Swift (version supported: 16)[1]

Apple's iOS SDK provides a collection of frameworks enabling developers to build mobile applications for Apple iPhone and iPad devices. This release contains incremental updates to our iOS SDK support for Swift. New and updated rules extend our API coverage of the Foundation framework in iOS SDK 15 and 16 for Swift iOS and iPadOS applications. These updates improve issue detection for many existing weakness categories, including:

  • Insecure SSL: Overly Broad Certificate Trust
  • Insecure Transport: Weak SSL Protocol
  • Privacy Violation
  • Resource Injection
  • System Information Leak

Salesforce Apex and Visualforce Updates (version supported: v55)[2]

Salesforce Apex is the programming language used for creating Salesforce applications such as business transactions, database management, web services, and Visualforce pages. This update improves our support in Database operations, SOAP web services, REST web services, core Apex system APIs, Crypto APIs, and Visualforce page components. Newly supported categories for Apex include:

  • Cookie Security: Cookie not Sent Over SSL
  • Cookie Security: Missing SameSite Attribute
  • Cookie Security: Overly Broad Path
  • Cookie Security: Overly Permissive SameSite Attribute
  • Cookie Security: Persistent Cookie
  • Header Manipulation
  • Header Manipulation: Cookies
  • Insecure Transport
  • Key Management: Hardcoded Encryption Key
  • Log Forging (debug)
  • Open Redirect
  • Password Management: Empty Password
  • Password Management: Hardcoded Password
  • Path Manipulation
  • Privacy Violation
  • Server-Side Request Forgery
  • System Information Leak: External
  • System Information Leak: Internal
  • Weak Cryptographic Hash
  • Weak Encryption: Insecure Initialization Vector

Furthermore, additional improvements have been made to the following supported categories:

  • Cross-Site Scripting: Persistent
  • Cross-Site Scripting: Poor Validation
  • Cross-Site Scripting: Reflected

Secret Scanning Improvements

Secret scanning means finding hardcoded secrets in source code and configuration files. SSR already supports many types of secrets, and SCA applies the secret scanning rules to all file types, so specific secrets are found regardless of the code language. Support is expanded to cover the following secrets:

  • Credential Management: Hardcoded API Credential, for Hardcoded Bearer tokens
  • Password Management: Hardcoded Password, for Hardcoded passwords in SQL server connection strings
  • Password Management: Password in Comment, for Passwords in XML comments[3]
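The following is an added example (not Fortify's rule logic) of the idea described above: language-agnostic pattern matching over raw file text that reports the three secret types listed, with masked evidence and a line number for auditing. The regular expressions, the category labels and the sample files are constructed for this illustration.

```python
"""Secret scanning over raw file text for three secret types: hardcoded
Bearer tokens, passwords in SQL Server connection strings, and passwords in
XML comments. Constructed example; the patterns are not Fortify's rules."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str
    path: str
    line: int
    evidence: str  # matched text with the secret value masked


# Patterns run on raw text, so the file's language does not matter.
# Bearer token: the scheme followed by a literal token of plausible length,
# written directly into the file (not spliced in from a variable).
BEARER_RE = re.compile(r"(?i)\bbearer\s+([A-Za-z0-9\-._~+/]{20,}=*)(?=[\"'\s\\]|$)")
# SQL Server connection string: a literal Password=/Pwd= value, reported only
# on a line that also carries a Server=/Data Source= key, so a stray
# "password=" in unrelated text is not flagged.
SQLSERVER_KEY_RE = re.compile(r"(?i)\b(?:server|data source)\s*=")
SQLSERVER_PWD_RE = re.compile(r"(?i)(?:password|pwd)\s*=\s*([^;\"'\s]+)")
# Password-like key/value pairs inside XML comments, which may span lines.
XML_COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
PASSWORD_IN_TEXT_RE = re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*[\"']?([^\s\"'<;]+)")


def _mask(secret: str) -> str:
    """Keep a 3-character prefix so the finding is auditable; hide the rest."""
    return secret[:3] + "*" * max(len(secret) - 3, 0)


def scan_text(path: str, text: str) -> list[Finding]:
    """Return all findings for one file's contents."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in BEARER_RE.finditer(line):
            findings.append(Finding("Credential Management: Hardcoded API Credential",
                                    path, lineno, "Bearer " + _mask(m.group(1))))
        if SQLSERVER_KEY_RE.search(line):
            for m in SQLSERVER_PWD_RE.finditer(line):
                findings.append(Finding("Password Management: Hardcoded Password",
                                        path, lineno, "Password=" + _mask(m.group(1))))
    for cm in XML_COMMENT_RE.finditer(text):
        for pm in PASSWORD_IN_TEXT_RE.finditer(cm.group(1)):
            # Map the offset inside the comment back to a line number.
            lineno = text.count("\n", 0, cm.start(1) + pm.start()) + 1
            findings.append(Finding("Password Management: Password in Comment",
                                    path, lineno, "password=" + _mask(pm.group(1))))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents; every file type is treated alike."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample inputs (all secret values are made up) in three file
# types, embedded so the example runs offline.
SAMPLE_FILES = {
    "client.py": (
        "import os, requests\n"
        "# Bad: token literal in source.\n"
        'HEADERS = {"Authorization": "Bearer sk_live_51H8x9YzA0bCdEfGhIjKlMnOp"}\n'
        "# Acceptable: token resolved from the environment at run time.\n"
        'SAFE_HEADERS = {"Authorization": "Bearer " + os.environ["API_TOKEN"]}\n'
    ),
    "app.config": (
        "<configuration>\n"
        "  <!-- test account for db01: user=admin password=Winter2022! -->\n"
        "  <connectionStrings>\n"
        '    <add name="Main" connectionString="Server=db01;Database=app;'
        'User Id=sa;Password=S3cr3t!;" />\n'
        "  </connectionStrings>\n"
        "</configuration>\n"
    ),
    "notes.txt": "Rotate the password=placeholder in the vault every 90 days.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.category} [{f.evidence}]")
```

Running the block reports one finding per secret type in the first two sample files and nothing for notes.txt, where the bare "password=" has no connection-string context.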

Google Guava Initial Coverage (version supported: v31.1)

Guava is a set of Java libraries from Google that includes new collection types (such as multimap and multiset), immutable collections, a graph library, and utilities for concurrency, I/O, hashing, caching, primitives, strings and more. It is widely used in Java projects within Google and other companies. Supported categories include:

  • Null Dereference
  • Path Manipulation
  • Privacy Violation
  • Setting Manipulation
  • System Information Leak
  • Unreleased Resource
  • Unsafe Reflection
  • Weak Cryptographic Hash
  • Weak Cryptographic Hash: User-Controlled Minimum Bits
  • Weak Cryptographic Hash: User-Controlled Seed
  • Weak Encryption

Hot Chocolate Initial Coverage (version supported: 12.15.2)

Hot Chocolate is an open-source GraphQL server built on top of the Microsoft .NET platform. Hot Chocolate enables developers to quickly create and deploy GraphQL-based APIs for their applications. This release adds initial support for Hot Chocolate, including detection of the following weakness categories in GraphQL APIs developed with Hot Chocolate:

  • Cross-Site Scripting: Inter-Component Communication (Cloud)
  • Cross-Site Scripting: Persistent
  • Cross-Site Scripting: Poor Validation
  • Cross-Site Scripting: Reflected
  • GraphQL Bad Practices: Introspection Enabled
  • Privacy Violation
  • System Information Leak: External
  • Trust Boundary Violation

gRPC Expansion for Java and Initial Coverage for Python (version supported: 1.49.1)

Google Remote Procedure Call (gRPC) is a modern, open-source, high-performance RPC framework that runs in many environments and languages. gRPC connects services with support for load balancing, tracing, and authentication. Rather than traditional JSON-over-HTTP, gRPC is based on HTTP/2 and typically uses the binary Protocol Buffers (protobuf) format for messages.

Support has been expanded for Java gRPC to cover the following additional categories:

  • Access Control: gRPC Authentication Bypass
  • Insecure SSL: Overly Broad Certificate Trust
  • Log Forging
  • Setting Manipulation
  • Unreleased Resource: Streams

Support has been established for Python gRPC to cover the following categories:

  • Insecure Transport
  • Insecure Transport: gRPC Channel Credentials
  • Insecure Transport: gRPC Server Credentials
  • Privacy Violation
  • System Information Leak: External

Cloud Infrastructure as Code (IaC)

IaC is the process of managing and provisioning computer resources through code rather than various manual processes. Improved support includes Terraform configurations for deployment to AWS, Azure, and GCP. Common issues related to the configuration of these services are now reported to the developer.

Amazon AWS Terraform Configurations
Terraform is an open-source infrastructure as code tool for building, changing and versioning cloud infrastructure. It uses its own declarative language known as HashiCorp Configuration Language (HCL). Cloud infrastructure is codified in configuration files to describe the desired state. Terraform providers support the configuration and management of Amazon Web Services (AWS) infrastructure. In this release, we report the following categories for Terraform configurations:

  • AWS Terraform Misconfiguration: Amazon API Gateway Publicly Accessible
  • AWS Terraform Misconfiguration: Amazon EBS Insecure Storage
  • AWS Terraform Misconfiguration: Amazon ElastiCache Insecure Transport
  • AWS Terraform Misconfiguration: Amazon MQ Publicly Accessible
  • AWS Terraform Misconfiguration: Amazon Neptune Publicly Accessible
  • AWS Terraform Misconfiguration: Amazon RDS Insecure Storage
  • AWS Terraform Misconfiguration: Amazon RDS Proxy Insecure Transport
  • AWS Terraform Misconfiguration: Amazon RDS Publicly Accessible
  • AWS Terraform Misconfiguration: Amazon Redshift Publicly Accessible
  • AWS Terraform Misconfiguration: Amazon SNS Insecure Storage

Microsoft Azure Terraform Configurations
Terraform is an open-source infrastructure as code tool for building, changing and versioning cloud infrastructure. It uses its own declarative language known as HashiCorp Configuration Language (HCL). Cloud infrastructure is codified in configuration files to describe the desired state. Terraform providers support the configuration and management of Microsoft Azure infrastructure. In this release, we report the following categories for Terraform configurations: 

  • Azure Terraform Bad Practices: AKS Cluster Missing Host-Based Encryption
  • Azure Terraform Bad Practices: Azure Disk Snapshot Missing Customer-Managed Key
  • Azure Terraform Bad Practices: Azure MySQL Server Missing Infrastructure Encryption
  • Azure Terraform Bad Practices: Azure PostgreSQL Server Missing Infrastructure Encryption
  • Azure Terraform Bad Practices: Container Registry Missing Customer-Managed Key
  • Azure Terraform Bad Practices: Cosmos DB Missing Customer-Managed Key
  • Azure Terraform Bad Practices: Missing Azure Storage Infrastructure Encryption
  • Azure Terraform Bad Practices: Missing SQL Database Backup Encryption
  • Azure Terraform Bad Practices: Scale Set Missing Host-Based Encryption
  • Azure Terraform Bad Practices: Shared Image Missing Customer-Managed Key
  • Azure Terraform Bad Practices: SQL Database Missing Customer-Managed Key
  • Azure Terraform Bad Practices: Storage Account Missing Customer-Managed Key
  • Azure Terraform Bad Practices: Storage Encryption Scope Missing Customer-Managed Key
  • Azure Terraform Bad Practices: VM Missing Host-Based Encryption
  • Azure Terraform Misconfiguration: AKS Cluster Missing Customer-Managed Key
  • Azure Terraform Misconfiguration: Managed Disk Missing Customer-Managed Key
  • Azure Terraform Misconfiguration: Missing SQL Database Encryption
  • Azure Terraform Misconfiguration: VM Storage Missing Customer-Managed Key

Google Cloud Platform (GCP) Terraform Configurations
Terraform is an open-source infrastructure as code tool for building, changing and versioning cloud infrastructure. It uses its own declarative language known as HashiCorp Configuration Language (HCL). Cloud infrastructure is codified in configuration files to describe the desired state. Terraform providers support the configuration and management of Google Cloud Platform infrastructure. In this release, we report the following weakness categories for Google Cloud Platform Terraform configurations:

  • GCP Terraform Bad Practices: Apigee Missing Customer-Managed Encryption Key
  • GCP Terraform Bad Practices: BigQuery Missing Customer-Managed Encryption Key
  • GCP Terraform Bad Practices: Cloud Bigtable Missing Customer-Managed Encryption Key
  • GCP Terraform Bad Practices: Cloud Functions Missing Customer-Managed Encryption Key
  • GCP Terraform Bad Practices: Cloud Spanner Missing Customer-Managed Encryption Key
  • GCP Terraform Bad Practices: Filestore Missing Customer-Managed Encryption Key
  • GCP Terraform Bad Practices: Pub/Sub Missing Customer-Managed Encryption Key
  • GCP Terraform Bad Practices: Secret Manager Missing Customer-Managed Encryption Key
  • GCP Terraform Misconfiguration: Compute Engine Missing Confidential Computing Features
  • GCP Terraform Misconfiguration: Edge Cache Service Missing HTTP-to-HTTPS Redirect
  • GCP Terraform Misconfiguration: Insecure App Engine Domain Transport
  • GCP Terraform Misconfiguration: Insecure App Engine Transport
  • GCP Terraform Misconfiguration: Insecure Cloud Function HTTP Trigger Transport
  • GCP Terraform Misconfiguration: Insecure Edge Cache Service Transport
  • GCP Terraform Misconfiguration: Insecure Supply Chain
  • GCP Terraform Misconfiguration: URL Map Missing HTTP-to-HTTPS Redirect

Miscellaneous Errata

In this release, we invested resources in reducing the number of false positive issues, refactoring for consistency, and improving the ability for customers to audit issues. Customers can also expect to see changes in reported issues related to the following:

Deprecation of Fortify Static Code Analyzer versions prior to 19.x:

As mentioned in our 2022.3 release announcement, 2022.3 was the last Rulepack release to support Fortify Static Code Analyzer versions prior to 19.x. Fortify Static Code Analyzer versions prior to 19.x will not load the 2022.4 Rulepacks. Affected customers must either downgrade the Rulepacks or upgrade Static Code Analyzer to version 19.x or later. For future releases, we will continue to support the last four major releases of Fortify Static Code Analyzer.

Refactoring of Fortify Priority Order Metadata for Weakness Categories

Because it is important that our users can effectively remediate issues, we have been researching mechanisms to categorize issues more objectively within the Fortify Priority Order model. As part of this effort, mentioned in the 2022 R3 release announcement, we have started reviewing the categories that all our rules cover and have identified some areas where updates were needed. The following 96 categories have had their associated Fortify Priority Order metadata changed, so you might see issues appear in the same or a lower severity bucket (e.g., critical, high, medium, low). Existing filters might hide additional issues because of the changes to the Fortify Priority Order value and its individual components.

  • Android Bad Practices: Encryption Secret Held in Static Field
  • Android Bad Practices: Use of Released Camera Resource
  • Android Bad Practices: Use of Released Media Resource
  • Android Bad Practices: Use of Released SQLite Resource
  • .NET Bad Practices: Non-Serializable Object Stored in Session
  • Buffer Overflow
  • Buffer Overflow: Signed Comparison
  • Code Correctness: Arithmetic Operation on Boolean
  • Code Correctness: Function Not Invoked
  • Code Correctness: Incorrect Serializable Method Signature
  • Code Correctness: Memory Free on Stack Variable
  • Code Correctness: Negative Content-Length
  • Code Correctness: Premature Thread Termination
  • Code Correctness: readObject() Invokes Overridable Function
  • Code Correctness: Readonly Collection Reference
  • ColdFusion Bad Practices: Unauthorized Include
  • Cookie Security: Cookie not Sent Over SSL
  • Cross-Site Scripting: Handlebars Helper
  • Cross-Site Scripting: Inter-Component Communication
  • Cross-Site Scripting: Inter-Component Communication (Cloud)
  • Cross-Site Scripting: Persistent
  • Cross-Site Scripting: Reflected
  • Cross-Site Scripting: Untrusted HTML Downloads
  • Dangerous Method
  • Denial of Service
  • Denial of Service: Parse Double
  • Denial of Service: Regular Expression
  • Denial of Service: Stack Exhaustion
  • Denial of Service: StringBuilder
  • Double Free
  • Dynamic Code Evaluation: Code Injection
  • Dynamic Code Evaluation: Script Injection
  • File Disclosure: Django
  • File Disclosure: J2EE
  • File Disclosure: Spring
  • File Disclosure: Spring Webflow
  • File Disclosure: Struts
  • Format String: Argument Number Mismatch
  • Header Manipulation: Cookies
  • Header Manipulation: SMTP
  • J2EE Bad Practices: Non-Serializable Object Stored in Session
  • Log Forging
  • Null Dereference[4]
  • Often Misused: Authentication
  • Often Misused: Boolean.getBoolean()
  • Path Manipulation: Base Path Overwriting
  • Path Manipulation: Zip Entry Overwrite
  • Portability Flaw: File Separator
  • Portability Flaw: Locale Dependent Comparison
  • Privacy Violation
  • Privacy Violation: Android Internal Storage
  • Privacy Violation: BREACH
  • Privacy Violation: Heap Inspection
  • Privacy Violation: HTTP GET
  • Privacy Violation: Image
  • Privacy Violation: Keyboard Caching
  • Privacy Violation: Screen Caching
  • Privacy Violation: Sensitive Data Accessible From iTunes
  • Privacy Violation: Shoulder Surfing
  • Privacy Violation: Unobfuscated Logging
  • Privilege Management: Android Disable
  • Privilege Management: Missing API Permission
  • Privilege Management: Missing Content Provider Permission
  • Privilege Management: Missing Intent Permission
  • Process Control
  • Query String Injection: Android Provider
  • Race Condition: PHP Design Flaw
  • Race Condition: Singleton Member Field
  • Race Condition: Static Database Connection
  • SOQL Injection
  • SOSL Injection
  • System Information Leak: Overly Broad SQL Logging
  • System Information Leak: PHP Errors
  • System Information Leak: PHP Version
  • Unreleased Resource: Cursor Snarfing
  • Unsafe JNI
  • Unsafe JSNI
  • Unsafe Mobile Code: Access Violation
  • Unsafe Mobile Code: Database Access
  • Unsafe Native Invoke
  • Use After Free
  • Weak Encryption: Insecure Initialization Vector
  • Weak Encryption: Insecure Mode of Operation
  • Weak Encryption: Insufficient Key Size
  • Weak Encryption: Missing Required Step
  • Weak Encryption: User-Controlled Key Size
  • Weak XML Schema: Lax Processing
  • Weak XML Schema: Type Any
  • Weak XML Schema: Unbounded Occurrences
  • Weak XML Schema: Undefined Namespace

React Bad Practices: Dangerously Set InnerHTML

The usage of "dangerouslySetInnerHTML" within React applications is now flagged as a bad practice.

False Positive Improvements

Work has continued with the effort to remove false positives in this release. In addition to other improvements, customers can expect further removal of false positives in the following areas:

  • Access Control: Database – issues removed in Apex when the input comes from another database call
  • .NET MVC Bad Practices: Model With Required Non-Nullable Property – false positives reduced when using attributes that enforce certain characteristics of the data
  • Dockerfile Misconfiguration: Dependency Confusion – false positives reduced when the image is created to be minimal by extending from scratch
  • GraphQL Bad Practices: Introspection Enabled – false positives reduced in Flask applications when registering class-based Flask views
  • Dynamic Code Evaluation: JNDI Reference Injection – false positives are reduced when Spring Boot projects set the ‘log4j2.version’ Maven property to a version that is not affected by Log4Shell
  • Memory Leak – false positives reduced when using std::unique_ptr
  • Mass Assignment: Insecure Binder Configuration – false positives reduced when using JSONConverter annotation with DataContract, DataMember, or IgnoreDataMember
  • Privacy Violation – false positives reduced on enum values in .NET
  • SQL Injection – false positives reduced when using prepared statements containing '$.' in MyBatis query annotations
  • Unreleased Resource – false positives reduced in C/C++ scans when bundling resources in a collection

PHP Misconfiguration: magic_quotes Categories Removed

The following three weakness categories have been removed because they are no longer relevant in supported versions of PHP:

  • PHP Misconfiguration: magic_quotes_gpc Enabled
  • PHP Misconfiguration: magic_quotes_runtime Enabled
  • PHP Misconfiguration: magic_quotes_sybase Enabled

As a result, all issues from the above categories will be removed from scan results.

Category Changes

Along with false positive removals, we identified some places where categories should have been unified or were mislabeled. When a weakness category is renamed, merging prior scans with new scans will show issues being removed from the old category and added under the new one for the following categories.

Removed Category | Added Category
---------------- | --------------
Code Correctness: Class Does Not Implement equals | Code Correctness: Class Does Not Implement Equivalence Method
Code Correctness: Class Does Not Implement Equals | Code Correctness: Class Does Not Implement Equivalence Method
Code Correctness: toString on Array | Code Correctness: ToString on Array
Code Correctness: null Argument to equals() | Code Correctness: null Argument To Equivalence Method
Code Correctness: null Argument to Equals() | Code Correctness: null Argument To Equivalence Method

Additionally, the following 24 categories from our recent IaC support have been refactored to improve consistency. 

Removed Category | Added Category
---------------- | --------------
Access Control: Azure Container Registry | Azure ARM Misconfiguration: Improper Container Registry Network Access Control
Access Control: Azure SQL Database | Azure ARM Misconfiguration: Improper SQL Server Network Access Control
Access Control: Cosmos DB | Azure ARM Misconfiguration: Improper DocumentDB Network Access Control
Access Control: Kubernetes Admission Controller | Kubernetes Bad Practices: Improper Admission Controller Access Control
Access Control: Kubernetes Image Authorization Bypass | Kubernetes Misconfiguration: Image Authorization Bypass
Ansible Bad Practices: CloudWatch Log Group Retention Unspecified | AWS Ansible Misconfiguration: Insufficient CloudWatch Logging
Ansible Bad Practices: Redshift Publicly Accessible | AWS Ansible Misconfiguration: Improper Redshift Network Access Control
Ansible Bad Practices: Unrestricted AWS Lambda Principal | AWS Ansible Misconfiguration: Improper Lambda Access Control Policy
Ansible Bad Practices: User-Bound AWS IAM Policy | AWS Ansible Bad Practices: Improper IAM Access Control Policy
Ansible Misconfiguration: Azure Monitor Missing Administrative Events | Azure Ansible Misconfiguration: Insufficient Azure Monitor Logging
Azure Resource Manager Bad Practices: Cross-Tenant Replication | Azure ARM Misconfiguration: Improper Storage Account Network Access Control
Azure Resource Manager Bad Practices: Remote Debugging Enabled | Azure ARM Misconfiguration: Improper App Service Access Control
Azure Resource Manager Bad Practices: SSH Password Authentication | Azure ARM Misconfiguration: Improper Compute VM Access Control
Azure Resource Manager Misconfiguration: Insecure Transport | Azure ARM Misconfiguration: Insecure App Service Transport
Azure Resource Manager Misconfiguration: Overly Permissive CORS Policy | Azure ARM Misconfiguration: Improper CORS Policy
Azure Resource Manager Misconfiguration: Security Alert Disabled | Azure ARM Misconfiguration: Insufficient Microsoft Defender Monitoring
Azure SQL Database Misconfiguration: Insufficient Logging | Azure ARM Misconfiguration: Insufficient SQL Server Monitoring
Insecure Storage: Missing EC2 AMI Encryption | AWS CloudFormation Misconfiguration: Insecure EC2 AMI Storage
Insecure Storage: Missing EFS Encryption | AWS CloudFormation Misconfiguration: Insecure EFS Storage
Insecure Storage: Missing Kinesis Stream Encryption | AWS CloudFormation Misconfiguration: Insecure Kinesis Data Stream Storage
Insecure Transport: Azure App Service | Azure Ansible Misconfiguration: Insecure App Service Transport
Kubernetes Bad Practices: API Server Publicly Accessible | Azure ARM Misconfiguration: Improper AKS Network Access Control
Privacy Violation: Exposed Default Value | Azure ARM Misconfiguration: Hardcoded Secret
Privilege Management: Overly Permissive Role | Azure ARM Misconfiguration: Improper Custom Role Access Control Policy


Fortify SecureBase [Fortify WebInspect]

Fortify SecureBase combines checks for thousands of vulnerabilities with policies that guide users. The following updates are available immediately via SmartUpdate:

Vulnerability Support

Server-Side Request Forgery[5]

Server-Side Request Forgery (SSRF) occurs when an attacker can influence a network connection made by the application server. Because the connection originates from the application server's internal IP address, an attacker can use it to bypass network controls and scan or attack internal resources that are not otherwise exposed. This release includes a check to detect SSRF vulnerabilities in web applications that accept user input.

Expression Language Injection

A critical Remote Code Execution vulnerability in the popular Apache Commons Text library, versions 1.5 through 1.9, is tracked as CVE-2022-42889. The default configuration might allow unsafe script evaluation and arbitrary code execution. This release includes a check to detect the CVE-2022-42889 vulnerability on target web servers. Because this check sends a significant number of requests, it is excluded from the Standard policy. To run it, use the All Checks policy, customize an existing policy to include the check, or create a custom policy.

Insecure Transport: Weak SSL Cipher

The Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols provide a mechanism to help protect the authenticity, confidentiality, and integrity of data transmitted between a client and a web server. Using a weak cipher or an encryption key of insufficient length, for example, could enable an attacker to defeat the protection mechanism and steal or modify sensitive information. This release includes a new check, identified by ID 11285, that flags the Insufficient Transport Layer Protection - Insecure Cipher vulnerability with critical severity. Insecure cipher suites have multiple known vulnerabilities and can be attacked trivially.

Miscellaneous Errata

In this release, we invested resources to further reduce the number of false positives and improve the ability for customers to audit issues. Customers can also expect to see changes in reported findings related to the following:

Insecure Transport: Weak SSL Cipher

This release includes improvements to the Insufficient Transport Layer Protection – Weak Cipher check (11716). Customers will see the severity of this check reduced from Critical to High, because the attacks against these weak ciphers are sophisticated and require considerable resources. Alongside this reduction, a new check, ‘Insufficient Transport Layer Protection – Insecure Cipher’, flags issues with Critical severity. Going forward, recommended ciphers will not include cipher suites that lack Perfect Forward Secrecy (PFS).

XML External Entity Injection[6]

The check identified by ID 11337 has been modified to use payloads that support the Out-of-band Application Security Testing (OAST) feature. These improvements reduce false positives, increase efficiency, and improve the accuracy of its results.

 

Fortify Premium Content

The research team builds, extends, and maintains a variety of resources outside our core security intelligence products.

Fortify Taxonomy: Software Security Errors

The Fortify Taxonomy site, which contains descriptions for newly added category support, is available at https://vulncat.fortify.com. Customers looking for the legacy site, with the last supported update, can obtain it from the Fortify Support Portal.

 

Contact Fortify Technical Support

CyberRes Fortify
http://softwaresupport.softwaregrp.com/
+1 (844) 260-7219

 

Contact SSR

Alexander M. Hoole
Senior Manager, Software Security Research
CyberRes Fortify
hoole@microfocus.com
+1 (650) 258-5916

Peter Blay
Manager, Software Security Research
CyberRes Fortify
peter.blay@microfocus.com


[1] New rules for iOS SDK 16 require Fortify Static Code Analyzer 22.2 or later.
[2] Requires Fortify Static Code Analyzer 22.2 or later.
[3] Requires Fortify Static Code Analyzer 22.2 or later.
[4] Null Dereference changes are only applicable to Java and .NET.
[5] Requires OAST features that are available in the WebInspect 21.2.0.117 patch or later.
[6] Requires OAST features that are available in the WebInspect 21.2.0.117 patch or later.
