Micro Focus Fortify Software v20.2.0

Release Notes

Document Release Date: November 2020 (updated 4/27/2021)
Software Release Date: November 2020

IN THIS RELEASE

This document provides installation and upgrade notes, known issues, and workarounds that apply to release 20.2.0 of the Fortify product suite.

This information is not available elsewhere in the product documentation. For information on new features in this release, see What's New in Micro Focus Fortify Software 20.2.0, which is downloadable from the Micro Focus Product Documentation website:

https://www.microfocus.com/support/documentation.

FORTIFY DOCUMENTATION UPDATES

• The Micro Focus Fortify ScanCentral Installation, Configuration, and Usage Guide has been renamed Micro Focus Fortify ScanCentral SAST Installation, Configuration, and Usage Guide.
• The Micro Focus Fortify Plugins for JetBrains IDEs User Guide has been renamed Micro Focus Fortify Plugins for JetBrains IDEs and Android Studio User Guide.
• A new guide, the Micro Focus Fortify ScanCentral DAST Configuration and Usage Guide is now available.
• The Micro Focus Fortify Static Code Analyzer User Guide requires the following changes to Chapter 14: Translating COBOL Code:
• In the “Preparing COBOL Source and Copybook Files for Translation” section, the following sentences should be deleted: Fortify Static Code Analyzer processes only top-level COBOL sources. Do not include copybook files in the directory or the subdirectory where the COBOL sources reside.
• In the “Translating COBOL Source Files Without File Extensions” section, the property name is incorrect. The correct option in the example should be:
  -Dcom.fortify.sca.fileextensions.xyz=COBOL

Accessing Fortify Documentation

The Fortify Software documentation set contains installation, user, and deployment guides. In addition, you will find technical notes and release notes that describe new features, known issues, and last-minute updates. You can access the latest HTML or PDF versions of these documents from the Micro Focus Product Documentation website:

https://www.microfocus.com/support/documentation.

If you have trouble accessing our documentation, please contact Fortify Customer Support.

Note: Documentation prior to the 18.10 release is available on the Micro Focus Community (formerly Protect724) website: https://community.microfocus.com/t5/Fortify-Product-Documentation/ct-p/fortify-product-documentation.

INSTALLATION AND UPGRADE NOTES

Complete instructions for installing Fortify Software products are provided in the documentation for each product.

Updating Security Content after a Fortify Software Security Center Upgrade

If you have upgraded your Fortify Software Security Center instance but you do not have the latest security content (Rulepacks and external metadata), some generated reports (related to 2011 CWE) might fail to produce accurate results. To solve this issue, update the security content. For instructions, see the Micro Focus Fortify Software Security Center User Guide.

USAGE NOTES FOR THIS RELEASE

There is a landing page (https://fortify.github.io/) for our consolidated (Fortify on Demand + Fortify On-Premise) GitHub repository. It contains links to engineering documentation and the code to several projects, including a parser sample, our plugin framework, and our JavaScript Sandbox Project.

Fortify Static Code Analyzer

• Structural results - Most structural issues will show new instance IDs. The algorithm that computes instance IDs for structural issues now produces more variance than previous IDs that often differed only in the final digit.
• COBOL: If you plan to scan COBOL on a Windows system via automation, update the group policy so that Error Reporting does not require user intervention when an error occurs.
• Click the Windows Start button.
• Type gpedit.msc
• Navigate to Computer Configuration->Administrative Templates->Windows Components->Windows Error Reporting
• In the right pane, click on Prevent display of the user interface for critical errors and set it to Enabled.
• ABAP
• The ABAP Extractor includes a new option to export SAP standard code in addition to custom code. The Micro Focus Fortify Static Code Analyzer User Guide will be updated to include this information in a future update.
• If you have an issue installing the ABAP Extractor, contact Customer Support and request a newer version.
• Kotlin
• If you have Java code in your project that references Kotlin source, Kotlin functions called in Java are only resolved if the parameters and return types are built-in types or types defined in the same file as the  called function definition.

Fortify Software Security Center

·         REST API endpoint /api/v1/localUsers/{id} change: PUT method must contain up to date objectVersion value retrieved by a preceding GET request to the endpoint. An outdated, missing, or incorrect objectVersion value will cause a failure of the PUT request to protect LocalUser object consistency. POST and DELETE requests are not affected by the change. Note: This was incorrectly included in the Micro Focus Fortify Software Release Notes v20.1.0.

• The MariaDB JDBC driver, which is now used as the JDBC driver for MySQL database server, is bundled with the ssc.war file (<ssc.war>/WEB-INF/libs). In some cases the MariaDB driver uses different JDBC URL parameters.

 Note: Fortify Software Security Center does not support MariaDB as a backend database. The connectionCollation=<collation_name> parameter must be replaced with sessionVariables=collation_connection=<collation_name>. The rewriteBatchedStatements=true parameter is still supported. Any additional custom JDBC URL parameters must use syntax compatible with the MariaDB driver. If you are automating an SSC deployment and configuration, please be sure to update your auto-configuration file. Use the correct syntax to specify the jdbc.url property as described above and set the value of the db.driver.class property to org.mariadb.jdbc.Driver.

·         HTTP Basic authentication is deprecated for all REST API endpoints except for /api/v1/tokens/*, /api/v1/auth/* and /api/v1/license.

·         Token-related REST endpoints (/api/v1/tokens/*) are only available via HTTP Basic Authentication and disallowed when using Token authentication. Analogously, access to the legacy SOAP InvalidateTokenRequest and GetAuthenticationTokenRequest has been removed from all the default token types. Although these requests can still be granted in a custom token definition, such use is deprecated and access via token authentication will be explicitly denied in the future. Token creation/deletion functionality is only available when authenticated to SSC via HTTP Basic Authentication or the SSC Admin UI.

·         When integrating WebInspect Enterprise / ScanCentral DAST / AWB or other Fortify Tools to work with SSC, clock skew must be minimized between the different communicating machines (suggested: less than 5 minutes, compared on UTC basis). Requests to SSC can fail if there is excessive clock skew.

• Since 20.1.0, the unused copyCurrentStateFpr flag has been removed from the payloads of /projectVersions/action/copyFromPartial and /projectVersions/action/copyCurrentState endpoints. The flag caused confusion since it was ignored in the former endpoint and redundant in the latter. We recommend that you remove this flag from any scripts calling these endpoints. 
• Use the new ScanCentralCtrlToken token type instead of CloudCtrlToken. The CloudCtrlToken token type will be removed in the next release.
• Due to a limitation in the way the ScanCentral SAST client currently collects files for remote translation of ASP.NET code, Fortify recommends that you run local translations and remote scans via ScanCentral SAST for ASP.NET projects.

Fortify WebInspect

·         ScanCentral DAST: When running a Fortify ScanCentral DAST sensor outside of a container, such as a sensor service on the same machine as a Fortify WebInspect installation, you must install the ASP.NET Core Runtime 3.1.x (Hosting Bundle) as a prerequisite.

·         LIM on Docker Requirements: The LIM on Docker container runs on and works with the following software packages:

o    Windows 10 Pro

o    Windows Server 2019

o    Docker 18.09 or later

 

KNOWN ISSUES

The following are known problems and limitations in Fortify Software 20.2.0. The problems are grouped according to the product area affected.

Fortify Software Security Center

This release has the following issues:

·         When servlet session persistence is enabled in Tomcat, a "class invalid for deserialization" exception may be thrown during Tomcat startup. It is caused by significant changes in the classes where instances can be stored in HTTP sessions. This exception can be ignored.

• When servlet session persistence is enabled in Tomcat and SSC is started in maintenance mode, the seeding step may fail with "Unable to load seed context" error. To recover from the error, SSC must be restarted.
• You cannot enable "Enhanced security, security manager" for BIRT reports if your Fortify Software Security Center is installed on a Windows system.
• In the ScanCentral SAST CLI, use the '/switch' form instead of '-switch' for the '-bc (--build-command)' option when using 'msbuild' for the '-bt (--build-tool)' option.

Fortify Static Code Analyzer

This release has the following issues:

• Due to major improvements in our scanning capabilities for Go, Kotlin and Python, some issues will be assigned a new Instance ID and marked as New. The previous finding will be marked as removed.
• Visual Studio 2019 update 16.7 and later brings .NET Core SDK 3.1.403, which is not yet supported by Fortify Static Code Analyzer and can result in translation issues. As a workaround, Fortify recommends you downgrade the .NET Core SDK to version 3.1.109 (the latest version that Fortify Static Code Analyzer currently supports).
• There might be issues in picking up dockerfiles that are named dockerfile. As a workaround, specifically mention them in the translation command. This issue will be fixed in an upcoming patch

Fortify Audit Workbench, Secure Code Plugins, and Extensions

This release has the following issues:

• To launch the installer on MacOS Catalina (10.15), open the location in Finder and Control+click the app to invoke a context shortcut menu and select Open. A dialog appears providing three options, one of which is Open. You can run it even in the absence of notarization. More details are available in this support article: https://support.apple.com/en-us/HT202491
• Security Assistant for Eclipse requires an Internet connection for the first use. If you do not have an Internet connection, you will get an "Updating Security Content" error unless you copied the rules manually.
• On MacOS Catalina (10.15), if you point the installer to a copy of the fortify.license on the desktop, it will fail to copy it. Put the fortify.license file in a folder that the application has permissions, such as your user Home folder.
• ScanWizard generates incorrect command line options for ScanCentral invocation when upload to SSC is enabled. The generated script contains -project and -versionname options instead of -application and -version respectively. To make ScanCentral upload results correctly to the Application Version, you need to replace following line 
  %SCANCENTRAL_CLI% -sscurl %SSCURL% -ssctoken %SSCTOKEN% start -upload  -uptoken %SSCTOKEN% -project %SSCPROJECT% -versionname %SSCVERSION% -b %BUILDID% -scan 
  with
  %SCANCENTRAL_CLI% -sscurl %SSCURL% -ssctoken %SSCTOKEN% start -upload  -uptoken %SSCTOKEN% -application %SSCPROJECT% -version %SSCVERSION% -b %BUILDID% -scan
• On MacOS, there is a known issue when running the BIRTReportGenerator from the console. Please use AuditWorkbench to generate reports.

NOTICES OF PLANNED CHANGES

Fortify Static Code Analyzer

• Support for running FindBugs from Fortify Static Code Analyzer will be removed in the next release.

Note: For a list of technologies that will not be supported in the next release, please see the “Technologies to Lose Support in the Next Release” topic in the Micro Focus Fortify Software System Requirements document.

Fortify Software Security Center

•           REST API token endpoints /api/v1/auth/token and /api/v1/auth/obtain_token are deprecated and are scheduled for removal. Please use /api/v1/tokens endpoint instead.

FEATURES NOT SUPPORTED IN THIS RELEASE

• Incremental Analysis in Fortify Static Code Analyzer is no longer supported.
• The following reports have been removed in Fortify Software Security Center: DISA STIG 3.x, SSA Application, and SSA Portfolio.
• DISA STIG 3.x mappings have been removed. This means the attributes associated with DISA STIG 3.x are no longer displayed in the Group By and Filter By lists on the Audit page in Fortify Software Security Center.

WebInspect

Support for Selenium IDE has been deprecated in WebInspect. However, Selenium WebDriver is still supported. Ignore content related to Selenium IDE in the WebInspect documentation.

WebInspect Enterprise

Support for Selenium IDE has been deprecated in WebInspect Enterprise. Ignore content related to Selenium IDE in the WebInspect Enterprise documentation.

Note: For a list of technologies that are no longer supported in this release, please see the “Technologies no Longer Supported in this Release” topic in the Micro Focus Fortify Software System Requirements document.

SUPPORT

If you have questions or comments about using this product, contact Micro Focus Fortify Customer Support using the following option.

To Manage Your Support Cases, Acquire Licenses, and Manage Your Account: https://www.microfocus.com/support.

LEGAL NOTICES

© Copyright 2020 Micro Focus or one of its affiliates.

Warranty

The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice. 

Restricted Rights Legend

Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.