Welcome to Fortify on Demand 22.1!


The 22.1 release is complete. You can now login to your Fortify on Demand portal. All the details of the 22.1 release are found within the documentation under "What's New".
Here are the highlights of the new release:

What's New in 22.1

Engine and Rulepack Updates

Fortify Software Security Content 2021 Update 4 Support
Fortify on Demand has implemented Fortify Software Security Content 2021 update 4 from Fortify Security Research (SSR). For more information, see https://community.microfocus.com/cyberres/fortify/w/fortify-product-announcements/40791/cyberres-fortify-software-security-content-update-4.

Fortify Static Code Analyzer 21.2.x Support
Fortify on Demand has implemented Micro Focus Fortify Static Code Analyzer 21.2.0 and associated patches for scanning source code. Fortify Static Code Analyzer 21.2.0 offers the following features:
  • Compiler updates:
    • gcc 10.2.1
    • g++ 10.2.1
  • Swiftc 5.4.2 and Xcodebuild 12.5.1
  • C++ 14 and 17 support
  • Go 1.17 support
  • Java updates:
    • ECMAScript 2021 support
    • TypeScript 4.2 - 4.3 support
    • Type inference improvements
  • SAPUI5/OpenUI5 support
  • Kotlin 1.5 support
  • Full support for PHP 8
  • YAML support
  • Elimination of the need for a separate license from Lightbend for Scala translations. A license key is still required to run the plugin. Contact Fortify on Demand support to obtain a license key.
Fortify Static Code Analyzer 21.2.1 offers Swiftc 5.5, 5.5.1 and Xcode 13, 13.1 support.
Fortify Static Code Analyzer 21.2.2 offers Log4j 2.16 update.
Fortify Static Code Analyzer 21.2.3 offers Swiftc 5.5.2, Xcode 13.2 and 13.2.1, and Log4j 2.17.1 update.

Fortify WebInspect 21.2.0 Support
Fortify on Demand has implemented Micro Focus Fortify WebInspect 21.2.0 for scanning web applications. Fortify WebInspect 21.2.0 offers the following features:
  • Macro Engine 6.1
Fortify WebInspect 21.2.0 provides a faster crawl and audit, and better application support from the Web Macro Recorder with Macro Engine 6.1.
  • Improved DOM XSS Detection
WebInspect 21.2.0 has new DOM XSS detection capabilities for analyzing client-side code for XSS. This will allow for improved XSS attack performance and the ability to detect client-side only attacks, such as XSS in DOM fragments.

New Features

API Updates
The following updates have been made to the Fortify on Demand API:
  • The following API endpoints have been added for managing user groups:
    • POST /api/v3/user-management/user-groups (create a user group)
    • PUT /api/v3/user-management/user-groups/{groupId} (update a user group)
    • DELETE /api/v3/user-management/user-groups/{groupId} (delete a user group)
    • PUT /api/v3/user-management/user-groups/{groupId}/members (get a list of user group members)
    • PATCH /api/v3/user-management/user-groups/{groupId}/members (update user group members)
  • The includeUrls optional parameter has been added to PUT /api/v3/releases/{releaseId}/dynamic-scans/scan-setup. Use this parameter to include in a Dynamic+ Website scan resources linked to the Dynamic Site URL domain.
For information on other API updates in this release, see the rest of the release notes.

Assign Applications to API Keys
Security Leads can now assign applications to API keys so that API keys have access only to specified applications. Applications are assigned after API key creation. An API key that is not assigned to any application has access to all applications.
Existing API keys will retain all access to all applications upon the upgrade.

Support for Mobile Scanning of AAB Files
Fortify on Demand now supports mobile scanning of Android App Bundle (AAB) files. The fileName optional parameter has been added to POST /api/v3/releases/{releaseId}/mobile-scans/start-scan for providing the file name and extension.

Support for OWASP Top 10 2021 Classification
Fortify on Demand now supports the OWASP Top 10 2021 classification. The portal now includes the following additions:
  • OWASP 2021 has been added to the industry-standard classification options when creating a security policy.
  • OWASP 2021 has been added to the Issues page grouping and filtering options and the Standards and Best Practices section in the Vulnerability tab of the Issues page.
  • The OWASP 2021 report module has been added; system report templates have been updated.
  • API endpoints that provide vulnerability details have been updated with OWASP 2021 information.
  • OWASP 2021 columns have been added to the issues data export and Issues page exports.
User Group Management with Single Sign-On
Fortify on Demand now supports user group creation and user group assignment updates with Single-Sign-On (SSO). Just-in-Time group provisioning must be enabled from the SSO settings in the portal .

Fortify Security Assistant for IntelliJ
The Tools page now provides a link to the Fortify Security Assistant for IntelliJ marketplace page. Fortify Security Assistant for IntelliJ provides alerts to potential security issues as you write code. Existing Fortify Security Assistant licenses are valid for the plugin.
For more information about Fortify Security Assistant for IntelliJ, see https://plugins.jetbrains.com/plugin/18406-fortify-security-assistant.

Support for Static Scanning of Infrastructure as Code Files
Fortify on Demand now supports static scanning of Infrastructure as Code configuration files. A new technology stack named Infrastructure-as-Code/Dockerfile is available. Users can also submit Dockerfiles as stand-alone payloads under the same technology stack. Supported file formats for the technology stack are: Dockerfile, JSON, XML, and YAML.


Static Scan Payload Validation Update
The static scan payload validation process now first checks for file extensions supported by Fortify Static Code Analyzer. If the payload does not contain any supported file extensions, the static scan is cancelled.
Supported file extensions are: ABAP, abap, appxmanifest, as, asax, ascx, ashx, asmx, asp, aspx, baml, bas, BSP, bsp, cbl, cfc, cfm, cfml, cls, cob, conf, Config, config, cpx, cs, cscfg, csdef, cshtml, ctl, ctp, dll, Dockerfile, dockerfile, erb, exe, frm, go, htm, html, inc, ini, java, js, jsff, json, jsp, jspf, jspx, jsx, kt, kts, Master, master, mxml, page, php, phtml, pkb, pkh, pks, plist, properties, py, razor, rb, scala, settings, sql, swift, tag, tagx, tld, trigger, ts, tsx, vb, vbhtml, vbs, vbscript, wadcfg, wadcfgx, winmd, wsdd, wsdl, xaml, xcfg, xhtml, xmi, xml, xsd, yaml, yml.

Bug Tracker Links Included in Copy State Data
Bug tracker links are now included in the data that is copied from release using the copy state feature.

Issues on Issues Page Sorted by File Name and Line Number
Grouped issues on the Issues page are now sorted by file name, then line number.

Application Assignment Update
The ability to assign applications to users is now only available to users with the Manage Users permission.

Removal of Application Discovery
Fortify on Demand has removed the Application Discovery feature from the portal.

Yellow Banner Removed for Open Source Issues
The Issues page no longer shows the yellow banner "This vulnerability is no longer listed as an active vulnerability" for open source scan issues that have been set as Fixed Validated.

Dynamic Scan Settings Locked Upon Initial Scan Completion
Upon completion of the initial dynamic scan in a release, the following fields on the Dynamic Scan Setup page are set to values from the completed scan and locked for editing:
  • Dynamite Site URL
  • All fields in the Scope section
  • All fields in the Authentication section, with the exception of password-related fields.
  • Web Service Type
To edit these fields, create another release using the copy state feature and reconfigure scan settings.
This change also applies to the API endpoint PUT /api/v3/releases/{releaseId}/dynamic-scans/scan-setup.

Bootstrap Update (Security Update)
Bootstrap has been updated to 4.6.1 in Fortify on Demand.

Click Here to read the KB article with release notes.
Comment List