Fortify on Demand 21.2


Micro Focus Fortify is excited to announce the release of Fortify on Demand version 21.2.

Users can access the Release Notes and User Guide from the Fortify on Demand Help Center or the documentation link in the Fortify on Demand portal. The documentation is available in English upon the upgrade; Japanese and Spanish translations are available a few weeks after the upgrade.

What's New

Engine and Rulepack Updates

Fortify Static Code Analyzer 21.1.x Support

Fortify on Demand has implemented Micro Focus Fortify Static Code Analyzer 21.1.0 and 21.1.1 for scanning source code. Fortify Static Code Analyzer 21.1.0 offers the following features:

- .NET 5.0 support

C# 9 support

- ASP.NET Blazor support

- Go 1.15 and 1.16 support

- Updated Java Server Pages (JSP) translation that produces fewer false positives

- Improved Java bytecode analysis

- TypeScript 4.1 support

- Angular 10 and 11 support

- Kotlin 1.4.20 support

- PHP 7.2, 7.3, 7.4, and 8.0 support

- Python 3.9 and Django 3.1 support

- Xcode 12.4 support

- Micro Focus Visual COBOL 6.0 support (technology preview)

- Fortify Static Code Analyzer 21.1.1 offers Swiftc 5.4 and Xcode 12.5 support.

Fortify WebInspect 21.1.0 Support

Fortify on Demand has implemented Micro Focus Fortify WebInspect 21.1.0 for scanning web applications. Fortify WebInspect 21.1.0 offers the following features:

- Hacker-level insights: Fortify WebInspect flags libraries that are detected in the application during the scan. These findings provide context relating to the overall security posture of an application, but do not necessarily represent security vulnerabilities. Detection of JavaScript client-side frameworks is included in 21.1.0.

- HTTP/2 support

- Macro Engine 6.0

- Fortify WebInspect 21.1.0 provides a faster crawl and audit and better application support from the Web Macro Recorder with Macro Engine 6.0.

Fortify Software Security Content 2021 Update 1 Support

(2021 May update) Fortify on Demand has implemented Fortify Software Security Content 2021 update 1 from Fortify Security Research (SSR). For more information, see here.

New Features

API Updates

The following updates have been made to the Fortify on Demand API:

- The character limit for a release name has been expanded from 50 to 250 characters.

- The user who suppressed an issue (SuppressedBy) has been added to GET api/v3/releases/{releaseId}/vulnerabilities.


Webhooks are now available for integrating applications with Fortify on Demand. Webhooks provide a way for notifications to be delivered to an external web server when scans are updated in Fortify on Demand.

Users with the Configure Webhooks permission can configure webhooks to trigger when a subscribed event occurs. The following events are available: scan start, scan pause, scan resumption, scan cancellation, and scan completion. When one of the subscribed events occurs, Fortify on Demand sends a HTTP POST payload to the webhook's configured URL. Webhooks can be used in place of polling in CICD pipelines that incorporate scanning.

Microservices Filtering and Searching

Fortify on Demand has added the ability to filter and search by microservices. The following updates have been made:

- The Has Microservices filter has been added to Your Applications page. In conjunction, the Has Microservices column has been added to the applications data export.

- The MicroserviceName filter has been added to Your Releases page. In conjunction, the MicroserviceName column has been added to the releases data export.

- Users can search by microservice name using the tenant-level search feature.

Reset User Tour

Users can now reset the Fortify on Demand user tour by going to the account settings page and clicking Reset Tour Popups.

Azure DevOps and Jenkins Plugins Update

- Added Scan Central packaging abilities for selected build tools, PHP and Python.

- Added abilities to create applications, microservices, and releases via plugin task.

- Abilities to save scan settings via plugin.

Note: Azure DevOps GA: Later part of August

Jenkins GA: Beginning of September


Single Sign-On Improvements

The following improvements have been made to single sign-on (SSO):

- SSO users are now redirected to their identity provider login page after the session expires.

- SSO users who log out of Fortify on Demand are redirected to the Fortify on Demand login page. A link is available on the page to log users back in through SSO.

- SSO users accessing deep links are now routed directly to the page after logging in through SSO.

Note: An SSO setting to enable this feature has been added in the portal. The feature require cookies to be enabled in the browser and a user login session within the last 30 days.

Data Export Improvements

The following improvements have been made to data exports:

- The Technology Stack, Language Level, and Audit Type columns have been added to the scans data export. Note that technology stack and language level values are taken from the settings used in the scan, not the submitted scan settings.

- The Created Date column (the date an application was created) has been added to the applications data export.

- Copied Release ID and Scan ID Added to Scan Summary

- If a release was created using the "copy state" feature, the scan summary of the first scan of the release now shows the release ID that was copied and the latest scan ID at the time of copying.

Tool Updates

The following tools, available through the Fortify on Demand portal, have been updated:

- Fortify ABAP Extractor updated to 900478

- Micro Focus Fortify Static Code Analyzer updated to 21.1.1

- Micro Focus Fortify ScanCentral updated to 21.1.0

JQuery Update

JQuery has been updated to 3.6.0.

Integration and Tools

Sonatype Integration Updates

The following updates have been made to the Sonatype integration:

- (2021 May update) Tenants no longer need a Nexus IQ license to view remediation information provided by Sonatype.

- (2021 June update) Fortify on Demand has updated the Sonatype scanner. The Sonatype integration now offers support for Objective-C and Swift applications, as well as improved analysis of JavaScript payloads.

Comment List