• Fortify SCA 24.4.0 with 2024 Q4 Rulepacks: DISA STIG 6.1 BIRT report not available for export

    I'm using Fortify SCA 24.4.0 with Q4 2024 Rulepacks. The release notes for the 2024 Q4 security content update indicate that the DISA STIG 6.1 report is supported in them. However, I don't see a corresponding item in the Fortify SCA 24.4.0 release notes…
  • Automating Vulnerability Scanning in Bitbucket Pipelines

    Automating Vulnerability Scanning in Bitbucket Pipelines Hi Everyone, I’m looking to automate vulnerability scanning for code written in Java, Scala, Python, and Node.js within a Bitbucket pipeline. My plan is to use a CLI tool to scan the code, generate…
  • What are the settings that can be defined in the vsix.properties file

    What are the settings that can be defined in the vsix.properties file, that sits in the C:\Users\Public\Fortify\{Fortify Version Number}\VS{Visual Studio Version Number} directory? The only one I see is: Fortify.InstallDir=C:/Program Files/Fortify…
  • fortifyclient missing in Fortify/Fortify_Apps_and_Tools_24.2.0/bin or under /Tools

    Hello, I don't see fortifyclient in the bin folder of /Fortify/Fortify_Apps_and_Tools_24.2.0/bin. I have also searched under /Tools, but no luck. What could be the issue? I am trying to upload an .fpr file to SSC. Could somebody please help with what I am missing…
  • Suggestions for open redirect issues in fortify?

    I'm using the header() method to redirect a page to another page. The redirect variable is then sanitized with the htmlspecialchars() method and the full URL is checked with the filter_var() method, but it is still showing the bug. Code: $encoded_url = htmlspecialchars($loginUrl…
  • Fortify scan flagging as bug in command injection even though I applied escapeshellarg() and escapeshellcmd()?

    PHP: Fortify scan flagging as bug in command injection even though I applied escapeshellarg() and escapeshellcmd(). Also, I tried proc_open() with escapeshellarg() and escapeshellcmd() - still flagging as bug in command injection. Examples: $inp = "input.jpg…
  • sourceanalyzer isnan not found

    I am building a Fortify scan image to be used in our CI setup for Jenkins; as we don't use a standalone node, we're doing docker-based build steps. I first started installing fcli and its sub-tools, which I need to be able to communicate with the FortifySoftware…
  • Fortify SCAN Process?

    I want to perform SCA analysis on my source code. By following some tutorials, I learned that we need a setup like the one below: SSC (Software Security Center) Scan Central SAST Controller Sensor SCA Client However, the trial version for Software…
  • Fortify SCA trial version available?

    Can we get a Fortify SCA / SSC / Fortify WebInspect trial version? If yes, please provide a link to download. I want to test Fortify SCA on my source code, so I want to do some tests. Can you provide the link to download SSC and SCA and other tools like…
  • Issue with Fortify SCA and Gradle: compileDebugKotlin Error

    Hello, I am facing an issue when using Fortify Static Code Analyzer (SCA) with a Gradle project. Below are the steps I followed and the error encountered: Steps Taken: Running Gradle without Fortify: ./gradlew build Output: …
  • Fortify and native source code analysis of Android and iOS applications.

    Hello, I have some questions regarding scanning the native source code for iOS and Android. Can someone help me? - Is it market practice to inspect (SAST) the NATIVE source code of Android and iOS apps directly in the CI/CD process? a) What is…
  • Fortify SCA Scan Azure DevOps Fails

    Hi, I sent a scan in a self-hosted agent on Linux Ubuntu running in Docker for Fortify SCA scans in ADO. The following error appears when it tries to upload the scan. ##[error]request to https://hostname:8443/ssc/api/v1/projectVersions?fields=id&q…
  • Fortify SCA FPR File not found

    scan.log: [2024-05-28 11:39:59.279 WARN 101] File –f not found [2024-05-28 11:39:59.280 WARN 101] File enemdumayo.fpr not found [2024-05-28 11:40:00.982 INFO 1451] Analyzing 65 source file(s) [2024-05-28 11:40:46.196 INFO 1450…
  • Java's ProcessBuilder getting flagged for command injection even with a data cleanse rule

    Hello folks - I have a situation where we have code that does something like this: class OurProcess { List<String> cleansedCommand; public OurProcess(List<String> command) { cleansedCommand = Validator.cleanseCommand(command); } public…
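The pattern a reviewer would want instead of a generic "cleanse the whole command" helper is shown below. This is an added example, not code from the thread above or from Fortify: the executable comes from a fixed allow-list and never from the caller, each argument is checked against a strict token pattern, and no shell is involved, so there is no string for metacharacters to land in. The command names, paths and the SAFE_ARG pattern are illustrative assumptions.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public class SafeProcessLauncher {

    // Allow-list of logical command names -> absolute executables.
    // Hypothetical entries; the program is chosen here, never by the caller.
    private static final Map<String, Path> ALLOWED = Map.of(
        "list",     Paths.get("/bin/ls"),
        "checksum", Paths.get("/usr/bin/sha256sum"));

    // A single argument must be a plain token: starts with an alphanumeric
    // (so it cannot be read as an option such as "-rf"), contains only
    // [A-Za-z0-9_./], and is length-capped. Shell metacharacters, spaces,
    // quotes and newlines all fail this test.
    private static final Pattern SAFE_ARG = Pattern.compile("[A-Za-z0-9_][A-Za-z0-9_./]{0,254}");

    /** Builds the argv list; throws IllegalArgumentException on anything not allowed. */
    static List<String> buildCommand(String name, List<String> userArgs) {
        Path exe = ALLOWED.get(name);
        if (exe == null) {
            throw new IllegalArgumentException("command not allowed: " + name);
        }
        List<String> argv = new ArrayList<>();
        argv.add(exe.toString());
        for (String a : userArgs) {
            // ".." is rejected separately so a validated token cannot climb directories
            if (!SAFE_ARG.matcher(a).matches() || a.contains("..")) {
                throw new IllegalArgumentException("argument rejected: " + a);
            }
            argv.add(a);
        }
        return Collections.unmodifiableList(argv);
    }

    /** Launches the allow-listed program directly (no /bin/sh -c), with a scrubbed environment. */
    static Process launch(String name, List<String> userArgs) throws IOException {
        ProcessBuilder pb = new ProcessBuilder(buildCommand(name, userArgs));
        pb.environment().clear();          // drop inherited PATH, LD_PRELOAD, etc.
        pb.redirectErrorStream(true);
        return pb.start();
    }

    public static void main(String[] args) throws IOException {
        System.out.println(buildCommand("list", List.of("src")));        // [/bin/ls, src]
        for (String bad : List.of("src; rm -rf /", "-la", "../etc/passwd")) {
            try {
                buildCommand("list", List.of(bad));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Whether a particular static-analysis rule treats buildCommand as a cleanse is a rule-configuration question; the security property that matters is that the first argv element is a constant chosen by the code and the remaining elements are validated tokens passed to the process directly rather than through a shell.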
  • How can I scan all files in a directory with a specific file extension?

    I recently changed my Fortify scan command from sourceanalyzer -b 11809 "./**/*.go" to sourceanalyzer -b 11809 "./wmd/**/*.go" . The intent was to only scan Go files in the wmd directory of my project. However, after making this change, I noticed that…
  • Is there a way to print the total Lines of code for a fortify application

    Hi, is there a way to print the total lines of code for a Fortify application? In Fortify SSC we can see Executable LOC, but I want the total lines of code for an application in Fortify. Please suggest.
  • Performance of Fortify ScanCentral Sensors on k8s

    I'm finding the performance of running a ScanCentral Sensor on k8s to be slower than running on a VM. I'm using a Typescript app for my testing. On the VM, offloading both translate and scan, it consistently takes about 5m 30s. On k8s with the same version…
  • Regarding 'XML External Entity Injection' issue reported by Fortify on Java code

    Hi, I have a Fortify report which mentions an 'XML External Entity Injection' on TransformerFactory in Java code and I made the below fixes to address this. TransformerFactory tFactory = TransformerFactory.newInstance(); tFactory.setFeature(" ">xml…
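For reference, the JAXP 1.5 way to close the external-entity path on a TransformerFactory is shown below. This is an added example and not the code from the thread above: it builds a hardened factory, then runs the same constructed XXE probe through a default and a hardened factory so the difference is visible. The probe document and the file path it references are constructed for the demonstration.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class HardenedTransform {

    // Constructed sample input: an internal DTD subset declaring an external
    // entity, the classic XXE probe. The target path is illustrative only.
    static final String XXE_PROBE =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE data [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n" +
        "<data>&xxe;</data>";

    /** TransformerFactory with external access switched off. */
    static TransformerFactory hardenedFactory() throws TransformerException {
        TransformerFactory tf = TransformerFactory.newInstance();
        // "" = no protocol may be used to fetch external DTDs or external entities
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        // likewise for stylesheets pulled in via xsl:import / xsl:include / document()
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        // JAXP secure processing: entity-expansion and similar resource limits
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return tf;
    }

    /**
     * Identity-transforms the input. Returns the serialized output, or null when
     * the parser refused the document (which is what the hardened factory does
     * once it hits the external entity reference).
     */
    static String transform(TransformerFactory tf, String xml) {
        try {
            Transformer identity = tf.newTransformer();
            StringWriter out = new StringWriter();
            identity.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
            return out.toString();
        } catch (TransformerException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        TransformerFactory defaults = TransformerFactory.newInstance();
        TransformerFactory hardened = hardenedFactory();
        // Default JDK factory: the entity is resolved, so file contents land in the output
        // (or an error if the file does not exist on this machine).
        System.out.println("default : " + transform(defaults, XXE_PROBE));
        // Hardened factory: resolution is blocked and transform() returns null.
        System.out.println("hardened: " + transform(hardened, XXE_PROBE));
    }
}
```

One caveat for anyone applying this: setAttribute throws IllegalArgumentException on a TransformerFactory implementation that does not know the JAXP 1.5 properties (older standalone Xalan builds, for example), so if a third-party factory is on the classpath the call has to be guarded or the factory pinned to the JDK's own implementation.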
  • Sourceanalyzer unable to set the root for headers and libraries via --sysroot

    I plan to use Fortify on Yocto, but during the translation step there was a problem: the header file could not be found. # sourceanalyzer -b dd -debug -logfile test.log arm-openbmc-linux-gnueabi-g++ --sysroot=/home/allen/test/sysroot -o test…
  • I am getting this error for SSC "Unable to locate source file rendering information. Completion of an SCA scan using the latest version of sourceanalyzer is required to view source files."

    I am getting this error for SSC "Unable to locate source file rendering information. Completion of an SCA scan using the latest version of sourceanalyzer is required to view source files." however the code snippet is shown in audit work bench for the…
  • Fortify SCA 23.2 - VS Solution Scan: Translation Failed 6.0.13 .NET location: Not found (Windows)

    Hello, we are trying to update from Fortify SCA 22.2 Windows agents, to SCA 23.2 Windows agents. 22.2 Worked pretty well, we had no translation errors such as this. The full error for the translation is: 1103 Translator execution failed. Please…
  • Fortify (v20.2) Translation error - can't resolve Boost include macro

    Versions: Fortify: 20.2 msbuild: 17 (VS2022) Windows: 10 Boost: 1.77 We need msbuild 4.X for some of the projects in our solution, and we would like, if possible, to use the same Fortify version for all scanning - that is why we are using Fortify…
  • Fortify (v20.2) Translation for VS2010 C++ unable to find standard library and windows sdk header files

    Versions: Fortify: 20.2 msbuild: 4.8 (VS2010) Windows: 10 Running this command in a VS2010 developer command prompt: sourceanalyzer -b ProjectName devenv Path/To/Project.sln /rebuild When translating after a successful build, there are many…
  • FPR upload to SSC and download from SSC timeout problem

    Hi, for only one project I have a problem (error details below). I can't upload to SSC via Audit Workbench or an Azure pipeline job, and after logging in to SSC with Audit Workbench I cannot download or access the project. But before I could upload and I can…
  • Fortify Static Code Analyzer for Flutter

    Currently, you are supporting Dart 2.18 and Flutter 3.3. I have 2 questions to ask. Can we use Flutter 3.3.10 and Dart 2.18.6? Is there any roadmap for further release to support new version?