I'm using Fortify SCA 24.4.0 with Q4 2024 Rulepacks. The release notes for the 2024 Q4 security content update indicate that the DIS STIG 6.1 report is supported in them. However, I don't see a corresponding item in the Fortify SCA 24.4.0 release notes…
Is there a way to separate options to sourceanalyzer from options to the build tool?
I am trying to run a Fortify scan on a Visual Studio project by using msbuild. However, the msbuild that is provided by the build infrastructure team only accepts options…
I'm using the header() method to redirect a page to another page. Then the redirect variable is sanitized with the html_special_chars() method and the full URL is checked with the filter_var() method, but it is still showing the bug. Code: $encoded_url = htmlspecialchars($loginUrl…
I want to perform SCA analysis on my source code. By following some tutorials, I learned that we need a setup like the one below:
SSC (Software Security Center) Scan Central SAST Controller Sensor SCA Client
However, the trial version for Software…
We are currently running Fortify SCA 22.1.1 which only goes up to DISA STIG 5.1. Is it possible to update the DISA STIGs while staying at SCA 22.1.1?
Under Fortify Exchange > Premium content > I see several things to download, but I'm not sure which…
Hello,
I have some questions regarding scanning the native source code for IOS and Android.
Can someone help me?
- Is it market practice to inspect (SAST) the NATIVE source code of Android and iOS Apps directly in the CI/CD process?
a) What is…
Hi guys, have any of you successfully excluded unit test components from a scan? How do you do it? My yml file right now has something like this for file exclusions: -
'-scanExclusion "fortify-scripts,*spec.ts"
for folder of "fortify-scripts" I…
I recently changed my Fortify scan command from sourceanalyzer -b 11809 "./**/*.go" to sourceanalyzer -b 11809 "./wmd/**/*.go" . The intent was to only scan Go files in the wmd directory of my project.
However, after making this change, I noticed that…
Hi,
Is there a way to print the total lines of code for a Fortify application?
In Fortify SSC, we can see Executable LOC, but I want the total lines of code for an application in Fortify.
Please suggest.
Hello, we are trying to update from Fortify SCA 22.2 Windows agents to SCA 23.2 Windows agents. 22.2 worked pretty well; we had no translation errors such as this. The full error for the translation is:
1103
Translator execution failed. Please…
Hello,
I would like to have the comments section of a finding on the Software Security Center website exported in the Excel report that is generated. How can I go about this? The version of SSC I am on is 23.1.2.0005.
Versions:
Fortify: 20.2
msbuild: 17 (VS2022)
Windows: 10
Boost: 1.77
We need msbuild 4.X for some of the projects in our solution, and we would like, if possible, to use the same Fortify version for all scanning - that is why we are using Fortify…
Versions:
Fortify: 20.2
msbuild: 4.8 (VS2010)
Windows: 10
Running this command in a VS2010 developer command prompt:
sourceanalyzer -b ProjectName devenv Path/To/Project.sln /rebuild
When translating after a successful build, there are many…
Hi
For only one project I have a problem (below error details): I can't upload to SSC via Audit Workbench or an Azure pipeline job, and after logging in to SSC with Audit Workbench I cannot download and access the project. But before I could upload and I can…
We implemented an extremely strict whitelist replacement regex and this is still being marked as a Critical "Cross-Site Scripting: Persistent". If we implement XSS it comes back as "Poor Validation".
What is Fortify looking for here?
<asp:Label…
Hi,
I have executed two different scans. One scan has 14000 files and the scan completed in a day. But for the other scan, which has 11000 files, only the translation phase took 1 day.
Why does this happen? Is there any specific reason?
Please…
Hi,
Is there a way to take a backup of the Fortify SCA?
As we have all configurations and rulepacks in place in production, I want to take a backup and replicate the same in my stage.
I was able to install the SCA but I found I need to configure…
Hi,
We have a large code base where we run the fortify scans on a monthly basis.
But every month the changes in the code base are less than 10%, yet we are scanning the full code base.
I found that Fortify incremental scan feature has been…
While trying to execute a Fortify scan for a directory, the translation phase has been failing due to SQL files.
I then tried using one of the parameters -Dcom.fortify.sca.fileextensions.sql=PLSQL and -Dcom.fortify.sca.fileextensions.sql=TSQL
The…
Hi,
I have triggered a Fortify scan on a set of files in war layout (files extracted from a war and then the scan is triggered). When I viewed the results in Audit in Fortify SSC, a few are shown as minified js files, but the name is not *.min.js. The…
Hello everyone,
I am using Fortify SC SAST Assessment extension in Azure DevOps pipeline to trigger the SAST scan. However, as the framework of the source code is not supported, I had to specify the Build tool = none.
However, as I am scanning microservice…
Fortify sca via GitLab is giving warnings for python 3rd party library imports, which are installed via pip/whl, as the library files are not available in source code. What is the solution for this? Is there any way to install python3 and pip libs in…
I noticed when updating from SCA 20.2 to SCA 21.2, a moderate sized scan went from taking about 8 minutes to taking over 2 hours. Comparing the fortify-sca.properties file, I see that in 21.2 a new property was added which is defaulted to true: com.fortify…
Hi
I'm really eager to learn Fortify rule writing. When I was surfing online, I came across some code that I cannot understand.
So far I think the <predicate> tag contains Java(?) code.
But there's another tag <Definition> that contains something…