I'm using Fortify SCA 24.4.0 with Q4 2024 Rulepacks. The release notes for the 2024 Q4 security content update indicate that the DISA STIG 6.1 report is supported in them. However, I don't see a corresponding item in the Fortify SCA 24.4.0 release notes…
Automating Vulnerability Scanning in Bitbucket Pipelines
Hi Everyone,
I’m looking to automate vulnerability scanning for code written in Java, Scala, Python, and Node.js within a Bitbucket pipeline. My plan is to use a CLI tool to scan the code, generate…
What are the settings that can be defined in the vsix.properties file, that sits in the C:\Users\Public\Fortify\{Fortify Version Number}\VS{Visual Studio Version Number} directory?
The only one I see is:
Fortify.InstallDir=C:/Program Files/Fortify…
Hello, I don't see fortifyclient in the bin folder of /Fortify/Fortify_Apps_and_Tools_24.2.0/bin. I have also searched under /Tools, but no luck. What could be the issue? I am trying to upload an .fpr file to SSC. Could somebody please help; what am I missing…
I'm using the header() method to redirect a page to another page. The redirect variable is sanitized with the htmlspecialchars() method and the full URL is checked with the filter_var() method, but it is still showing the bug. Code: $encoded_url = htmlspecialchars($loginUrl…
PHP: Fortify scan flagging a command injection bug even though I applied escapeshellarg() and escapeshellcmd(). I also tried proc_open() with escapeshellarg() and escapeshellcmd(), and it is still flagged as a command injection bug. Examples: $inp = "input.jpg…
I am building a Fortify scan image to be used in our CI setup for Jenkins; as we don't use a standalone node, we're doing Docker-based build steps.
I first started installing fcli and its sub-tools, which I need to be able to communicate with the Fortify Software…
I want to perform SCA analysis on my source code. By following some tutorials, I learned that we need a setup like the one below:
SSC (Software Security Center)
ScanCentral SAST Controller
Sensor
SCA Client
However, the trial version for Software…
Can we get a Fortify SCA / SSC / Fortify WebInspect trial version? If yes, please provide a link to download.
I want to test Fortify SCA on my source code, so I want to do some tests. Can you provide the link to download SSC and SCA and other tools like…
Hello,
I am facing an issue when using Fortify Static Code Analyzer (SCA) with a Gradle project. Below are the steps I followed and the error encountered:
Steps Taken:
Running Gradle without Fortify:
./gradlew build
Output:
…
Hello,
I have some questions regarding scanning the native source code for iOS and Android.
Can someone help me?
- Is it market practice to inspect (SAST) the NATIVE source code of Android and iOS Apps directly in the CI/CD process?
a) What is…
Hi, I sent a scan to a self-hosted agent on Linux (Ubuntu) running in Docker for Fortify SCA scans in ADO.
The following error appears when it tries to upload the scan.
##[error]request to https://hostname:8443/ssc/api/v1/projectVersions?fields=id&q…
Hello folks - I have a situation where we have a code that does something like this:
class OurProcess {
    List<String> cleansedCommand;
    public OurProcess(List<String> command) {
        cleansedCommand = Validator.cleanseCommand(command);
    }
    public…
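For the command-cleansing pattern in the post above, here is an added example (not the poster's code, and not Fortify's): a hypothetical validator that allow-lists the executable, rejects arguments containing anything outside a conservative character class, and then launches the process with ProcessBuilder's argument-list form so no shell ever interprets the arguments. The allow-listed paths and the argument pattern are assumptions for illustration.

```java
import java.io.IOException;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

public class SafeProcess {
    // Hypothetical allow-list: the only programs this component may launch.
    private static final Set<String> ALLOWED_EXECUTABLES =
            Set.of("/usr/bin/ls", "/usr/bin/convert");

    // Hypothetical argument policy: no whitespace, quotes, or shell metacharacters.
    private static final Pattern SAFE_ARG = Pattern.compile("[A-Za-z0-9._/=-]{1,256}");

    // Validates a command as a list of argv entries and returns an immutable copy.
    // Throws IllegalArgumentException rather than "cleansing" (rewriting) the input,
    // so a rejected value never reaches the process launcher.
    static List<String> validateCommand(List<String> command) {
        if (command == null || command.isEmpty()) {
            throw new IllegalArgumentException("empty command");
        }
        String executable = command.get(0);
        if (!ALLOWED_EXECUTABLES.contains(executable)) {
            throw new IllegalArgumentException("executable not allowed: " + executable);
        }
        for (String arg : command.subList(1, command.size())) {
            if (!SAFE_ARG.matcher(arg).matches()) {
                throw new IllegalArgumentException("rejected argument: " + arg);
            }
        }
        return List.copyOf(command);
    }

    // ProcessBuilder with an argv list does not invoke /bin/sh, so characters such as
    // ';' or '|' in an argument are passed literally instead of being interpreted.
    static Process run(List<String> command) throws IOException {
        return new ProcessBuilder(validateCommand(command))
                .redirectErrorStream(true)
                .start();
    }

    public static void main(String[] args) {
        // Constructed inputs: one benign command and two injection attempts.
        List<List<String>> samples = List.of(
                List.of("/usr/bin/ls", "-l", "/tmp"),
                List.of("/usr/bin/ls", "-l", "/tmp; rm -rf /"),
                List.of("/bin/sh", "-c", "id"));
        for (List<String> sample : samples) {
            try {
                validateCommand(sample);
                System.out.println("accepted: " + sample);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Whether a static analyzer treats a custom validator like this as a cleansing function depends on its rules; the defensive value of the argv-list launch plus allow-listing holds regardless of what the tool reports.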
I recently changed my Fortify scan command from sourceanalyzer -b 11809 "./**/*.go" to sourceanalyzer -b 11809 "./wmd/**/*.go" . The intent was to only scan Go files in the wmd directory of my project.
However, after making this change, I noticed that…
Hi,
Is there a way to print the total lines of code for a Fortify application?
In Fortify SSC, we can see Executable LOC, but I want the total lines of code for an application in Fortify.
Please suggest.
I'm finding the performance of running a ScanCentral Sensor on k8s to be slower than running on a VM. I'm using a Typescript app for my testing. On the VM, offloading both translate and scan, it consistently takes about 5m 30s. On k8s with the same version…
Hi,
I have a Fortify report which mentions an 'XML External Entity Injection' on TransformerFactory in Java code, and I made the below fixes to address this.
TransformerFactory tFactory = TransformerFactory.newInstance();
tFactory.setFeature(" ">xml…
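As an added example (not the poster's fix and not from Fortify's documentation), the following shows a TransformerFactory configured so that it will not fetch external DTDs, external general entities, or external stylesheets, then run as an identity transform over a constructed XXE probe. The class and method names are this example's own; the JAXP constants used are the standard ones from javax.xml.XMLConstants.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class HardenedTransform {
    // Builds a factory whose transformers refuse external DTD/entity and stylesheet access.
    static TransformerFactory hardenedFactory() throws TransformerException {
        TransformerFactory factory = TransformerFactory.newInstance();
        // Enables JAXP secure processing limits (entity expansion limits, etc.).
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty string means no protocol is allowed: external DTDs and external
        // general entities in the source document are not resolved.
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        // Likewise for xsl:import / xsl:include / document() targets.
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        // Note: a non-JDK implementation (for example a third-party XSLT engine) may throw
        // IllegalArgumentException for an attribute it does not support; surface that rather
        // than silently continuing with an unhardened factory.
        return factory;
    }

    public static void main(String[] args) throws TransformerException {
        // Constructed sample input: an XXE probe that references a local file.
        String probe = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>\n"
                + "<foo>&xxe;</foo>";

        // newTransformer() with no stylesheet yields an identity transform, which is
        // enough to show whether the entity reference is expanded.
        Transformer transformer = hardenedFactory().newTransformer();
        StringWriter out = new StringWriter();
        try {
            transformer.transform(new StreamSource(new StringReader(probe)), new StreamResult(out));
            System.out.println("Transform completed; output: " + out);
        } catch (TransformerException e) {
            // With the JDK's built-in implementation, the external entity fetch is refused
            // because of the accessExternalDTD restriction, and the transform fails here.
            System.out.println("Transform rejected: " + e.getMessage());
        }
    }
}
```

If the XML is parsed separately (for example with a DocumentBuilderFactory or SAXParserFactory) before being handed to the transformer, that parser needs the same ACCESS_EXTERNAL_DTD restriction, or the "disallow-doctype-decl" feature, since the transformer's settings do not reach back into a DOM that was already built.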
I plan to use Fortify on Yocto, but during the translation step there was a problem: a header file could not be found.
# sourceanalyzer -b dd -debug -logfile test.log arm-openbmc-linux-gnueabi-g++ --sysroot=/home/allen/test/sysroot -o test…
I am getting this error for SSC "Unable to locate source file rendering information. Completion of an SCA scan using the latest version of sourceanalyzer is required to view source files." however the code snippet is shown in audit work bench for the…
Hello, we are trying to update from Fortify SCA 22.2 Windows agents, to SCA 23.2 Windows agents. 22.2 Worked pretty well, we had no translation errors such as this. The full error for the translation is:
1103
Translator execution failed. Please…
Versions:
Fortify: 20.2
msbuild: 17 (VS2022)
Windows: 10
Boost: 1.77
We need msbuild 4.X for some of the projects in our solution, and we would like, if possible, to use the same Fortify version for all scanning - that is why we are using Fortify…
Versions:
Fortify: 20.2
msbuild: 4.8 (VS2010)
Windows: 10
Running this command in a VS2010 developer command prompt:
sourceanalyzer -b ProjectName devenv Path/To/Project.sln /rebuild
When translating after a successful build, there are many…
Hi
For only one project I have a problem (error details below). I can't upload to SSC via Audit Workbench or an Azure pipeline job, and after logging in to SSC with Audit Workbench I cannot download or access the project. But before, I could upload and I can…
Currently, you are supporting Dart 2.18 and Flutter 3.3. I have 2 questions to ask.
Can we use Flutter 3.3.10 and Dart 2.18.6?
Is there any roadmap for a further release to support newer versions?