• Fortify SCA 24.4.0 with 2024 Q4 Rulepacks: DISA STIG 6.1 BIRT report not available for export

    I'm using Fortify SCA 24.4.0 with Q4 2024 Rulepacks. The release notes for the 2024 Q4 security content update indicate that the DISA STIG 6.1 report is supported in them. However, I don't see a corresponding item in the Fortify SCA 24.4.0 release notes…
  • How to separate options to sourceanalyzer from options to the build tool

    Is there a way to separate options to sourceanalyzer from options to the build tool? I am trying to run a Fortify scan on a Visual Studio project by using msbuild. However, the msbuild that is provided by the build infrastructure team only accepts options…
  • Suggestions for open redirect issues in fortify?

    I'm using the header() method to redirect the page to another page. The redirect variable is then sanitized with the htmlspecialchars() method and the full URL is checked with the filter_var() method, but it still shows the bug. Code: $encoded_url = htmlspecialchars($loginUrl…
  • Fortify SCAN Process?

    I want to perform SCA analysis on my source code. By following some tutorials, I learned that we need a setup like the one below: SSC (Software Security Center), ScanCentral SAST Controller, Sensor, SCA Client. However, the trial version for Software…
  • Fortify SCA - DISA STIG 5.1 question

    We are currently running Fortify SCA 22.1.1 which only goes up to DISA STIG 5.1. Is it possible to update the DISA STIGs while staying at SCA 22.1.1? Under Fortify Exchange > Premium content > I see several things to download, but I'm not sure which…
  • Fortify and native source code analysis of Android and iOS applications.

    Hello, I have some questions regarding scanning the native source code for iOS and Android. Can someone help me? - Is it market practice to inspect (SAST) the NATIVE source code of Android and iOS apps directly in the CI/CD process? a) What is…
  • How do I exclude unit tests from SAST scan?

    Hi guys, have any of you successfully excluded unit test components from a scan? How do you do it? My yml file right now has something like this for file exclusions: - '-scanExclusion "fortify-scripts,*spec.ts" for folder of "fortify-scripts" I…
  • How can I scan all files in a directory with a specific file extension?

    I recently changed my Fortify scan command from sourceanalyzer -b 11809 "./**/*.go" to sourceanalyzer -b 11809 "./wmd/**/*.go" . The intent was to only scan Go files in the wmd directory of my project. However, after making this change, I noticed that…
  • Is there a way to print the total Lines of code for a fortify application

    Hi, is there a way to print the total lines of code for a Fortify application? In Fortify SSC we can see Executable LOC, but I want the total lines of code for an application in Fortify. Please suggest.
  • Fortify SCA 23.2 - VS Solution Scan: Translation Failed 6.0.13 .NET location: Not found (Windows)

    Hello, we are trying to update from Fortify SCA 22.2 Windows agents to SCA 23.2 Windows agents. 22.2 worked pretty well; we had no translation errors such as this. The full error for the translation is: 1103 Translator execution failed. Please…
  • Export comments from Software Security Center to Excel file

    Hello, I would like to have the comments section of a finding on the Software Security Center website exported in the Excel report that is generated. How can I go about this? The version of SSC I am on is 23.1.2.0005
  • Fortify (v20.2) Translation error - can't resolve Boost include macro

    Versions: Fortify: 20.2 msbuild: 17 (VS2022) Windows: 10 Boost: 1.77 We need msbuild 4.X for some of the projects in our solution, and we would like, if possible, to use the same Fortify version for all scanning - that is why we are using Fortify…
  • Fortify (v20.2) Translation for VS2010 C++ unable to find standard library and windows sdk header files

    Versions: Fortify: 20.2 msbuild: 4.8 (VS2010) Windows: 10 Running this command in a VS2010 developer command prompt: sourceanalyzer -b ProjectName devenv Path/To/Project.sln /rebuild When translating after a successful build, there are many…
  • FPR upload to SSC and download from SSC timeout problem

    Hi, for only one project I have a problem (error details below). I can't upload to SSC via Audit Workbench or an Azure pipeline job, and after logging in to SSC with Audit Workbench I cannot download or access the project. But before I could upload and I can…
  • Cross-Site Scripting: Persistent Validation even with restrictive replace

    We implemented an extremely strict whitelist replacement regex and this is still being marked as a Critical " Cross-Site Scripting: Persistent ". If we implement XSS it comes back as "Poor Validation". What is Fortify looking for here? <asp:Label…
  • What rules were added in 23.2?

    We need to know what rules were added in 23.2 for our audits but I can't find the information anywhere.
  • Scan time differs for same count of files

    Hi, I have executed two different scans. One scan has 14000 files and completed in a day. But for the other scan, which has 11000 files, the translation phase alone took 1 day. Why does this happen? Is there any specific reason? Please…
  • Fortify SCA backup

    Hi, is there a way to take a backup of Fortify SCA? As we have all configurations and rulepacks in place in production, I want to take a backup and replicate the same in my stage. I was able to install SCA but I found I need to configure…
  • Alternate for Fortify sca incremental analysis

    Hi, we have a large code base where we run Fortify scans on a monthly basis. But every month the changes in the code base amount to less than 10%, yet we are scanning the full code base. I found that the Fortify incremental scan feature has been…
  • Significance of -Dcom.fortify.sca.fileextensions.sql=TSQL while scanning .sql files

    While trying to execute a Fortify scan for a directory, the translation phase has been failing due to SQL files. I then tried using one of the parameters -Dcom.fortify.sca.fileextensions.sql=PLSQL and -Dcom.fortify.sca.fileextensions.sql=TSQL. The…
  • Is there anything like - disable the minification of js file on build for FORTIFY scan

    Hi, I have triggered a Fortify scan on a set of files in WAR layout (files extracted from a WAR, after which the scan is triggered). When I viewed the results in Audit in Fortify SSC, a few are shown as minified JS files. But the name is not *.min.js. The…
  • Specify scan target path for Fortify SC SAST extension in Azure DevOps for build tool "none"

    Hello everyone, I am using the Fortify SC SAST Assessment extension in an Azure DevOps pipeline to trigger the SAST scan. However, as the framework of the source code is not supported, I had to specify Build tool = none. However, as I am scanning microservice…
  • Fortify sca via GitLab is giving warnings for python 3rd party library imports, which are installed via pip/whl, as the library files are not available in source code?

    Fortify SCA via GitLab is giving warnings for Python third-party library imports, which are installed via pip/whl, as the library files are not available in the source code. What is the solution for this? Is there any way to install python3 and pip libs in…
  • What is "com.fortify.sca.use.ctran"?

    I noticed when updating from SCA 20.2 to SCA 21.2, a moderate sized scan went from taking about 8 minutes to taking over 2 hours. Comparing the fortify-sca.properties file, I see that in 21.2 a new property was added which is defaulted to true: com.fortify…
  • Fortify rule writing

    Hi, I'm really eager to learn Fortify rule writing. When I was surfing online, I came across some code that I cannot understand. So far I think the <predicate> tag contains Java(?) code, but there's another tag <Definition> that contains something…
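For the "Suggestions for open redirect issues in fortify?" post above: the PHP below is an added example, not the poster's code or anything from Fortify. It shows why a header() redirect guarded only by htmlspecialchars() and filter_var() keeps getting flagged (neither function restricts where the redirect may go; they only check encoding and URL well-formedness), beside an allowlist check that does restrict the destination and also handles the scheme-relative, backslash and userinfo tricks. The host names in ALLOWED_HOSTS are assumptions for illustration.

```php
<?php
// Added example (not from the post): why htmlspecialchars()/filter_var()
// do not prevent an open redirect, and an allowlist check that does.
// ALLOWED_HOSTS is an assumed list for illustration.

const ALLOWED_HOSTS = ['app.example.com', 'login.example.com'];

// The approach described in the post: HTML-encode the value, then check it
// is a well-formed URL. Both steps accept any well-formed absolute URL, so an
// attacker-supplied https://attacker.example/... still passes (returns true).
function weakCheck(string $url): bool
{
    $encoded = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return filter_var($encoded, FILTER_VALIDATE_URL) !== false;
}

// Allowlist check: only same-site absolute URLs or plain relative paths
// survive; everything else collapses to $fallback.
function safeRedirectTarget(string $url, string $fallback = '/'): string
{
    // Control characters (CR/LF) would allow header injection; reject outright.
    if (preg_match('/[\x00-\x1F\x7F]/', $url)) {
        return $fallback;
    }
    // Browsers treat "\" like "/", so "/\attacker.example" is really "//attacker.example".
    $url = str_replace('\\', '/', $url);

    $parts = parse_url($url);
    if ($parts === false) {
        return $fallback;   // seriously malformed URL
    }

    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        // Relative target: must start with a single "/", not "//host" (scheme-relative).
        $path = $parts['path'] ?? '';
        if ($path === '' || $path[0] !== '/' || strpos($path, '//') === 0) {
            return $fallback;
        }
        return $url;
    }

    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = strtolower($parts['host'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return $fallback;   // javascript:, data:, and scheme-relative "//host" forms
    }
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        // Off-site host; this also catches "https://app.example.com@attacker.example/",
        // where parse_url() reports the real host as attacker.example.
        return $fallback;
    }
    return $url;
}

// Usage in the login handler, replacing the raw header() call from the post:
//   header('Location: ' . safeRedirectTarget($_GET['redirect'] ?? ''), true, 302);
//   exit;

// Constructed inputs showing the difference between the two checks.
$inputs = [
    'https://app.example.com/dashboard',
    '/dashboard',
    'https://attacker.example/phish',
    '//attacker.example/phish',
    '/\attacker.example/phish',
    'https://app.example.com@attacker.example/',
    'javascript:alert(1)',
];
foreach ($inputs as $in) {
    printf("%-45s weakCheck=%-5s safe=%s\n",
        $in, weakCheck($in) ? 'true' : 'false', safeRedirectTarget($in));
}
```

The point Fortify is making is that validation has to constrain the destination, not the encoding: an allowlist of hosts (or, better, a lookup of an opaque key into a server-side table of permitted targets) is what removes the finding, and note that filter_var() with FILTER_VALIDATE_URL also rejects ordinary relative paths such as /dashboard, so the weak check breaks legitimate redirects while letting off-site ones through.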