The 22.2 release is complete. You can now log in to your Fortify on Demand portal. All the details of the 22.2 release are found within the documentation under "What's New". Here are the highlights of the new release:
What's New in 22.2
Announcements
Web Services Terminology Update
To better align with standard Application Security terminology, Fortify on Demand will be replacing "web services" references with "API" for the next release (22.3). Any references to web services in existing automation workflows need to be updated upon the 22.3 upgrade.
Dynamic+ API Assessment as a Subscription
Micro Focus is offering the Dynamic+ API Assessment (formerly Dynamic+ Web Services Assessment) as a subscription. Micro Focus will perform unlimited Dynamic+ API Assessments during the Subscription Term. Only one assessment can be active at any time. A Dynamic+ API Assessment consists of the following activities:
Verify the API URL, credentials, and customer-provided definition of API endpoints to be assessed
Perform an automated, authenticated WebInspect assessment of designated API endpoints
Manually assess the target API endpoints using the Fortify on Demand testing methodology
Includes up to eight (8) hours of analysis by a Fortify on Demand security expert
Review of prioritized results by a Fortify on Demand security expert, including false positive removal
Open Source Select by Debricked
Finding an open source project to solve your specific problem can be difficult, especially when you don't know the names of the projects. Using Debricked's Open Source Select database, you can search for and compare open source projects by searching for either the project name or desired functionality. For more information, see the Open Source Select database, accessible from a link on the portal toolbar.
Engine and Rulepack Updates
Fortify Software Security Content 2022 Update 1 Support
Fortify on Demand will implement Micro Focus Fortify Static Code Analyzer 22.1.0 for scanning source code on June 15th. Fortify Static Code Analyzer 22.1.0 offers the following features:
Compiler support updates:
Clang 13.1.6
OpenJDK javac 17
Swiftc 5.6
cl (MSVC) 2015 and 2022
Language and framework support updates:
C# 10
.NET 6.0
C/C++ 20
HCL 2.0
Java 17
TypeScript 4.4 and 4.5
Note: Rules for Terraform and Google Cloud Platform will be part of the Fortify Software Security Content 2022 Update 2 release.
API and portal support for .NET 6 and Java 17 are included in the 22.2 release, but scanning support will not be available until the Fortify Static Code Analyzer upgrade on June 15th.
New Features
User Group Export
User group details can now be exported as a CSV file. The export functionality is available on the Groups tab of the Users Management page. User group exports contain the following details: group name, first name, last name, email, role name, and assigned applications.
Improvements
JIT User Group Provisioning Update
The following updates have been made to JIT user group provisioning, introduced in Fortify on Demand 22.1:
User group creation is now controlled separately from user group assignment.
If user group assignment is enabled, a value must be provided for the Groups attribute in the portal SSO settings.
Note: If a user logs in using SSO and the Groups attribute is empty in the SAML assertion, any existing user group assignments will be removed.
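Because an empty Groups attribute removes existing assignments at login, it helps to inspect decoded sample assertions from the identity provider before enabling user group assignment. The following is an added example, not Fortify on Demand code: the attribute name "Groups", the sample assertions, the user names and the assignment snapshot are all constructed, and treating a missing attribute, an attribute with no values and blank values alike as "empty" is an assumption, since the release notes do not define the term.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
XMLNS = 'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'

def make_assertion(groups_xml):
    """Build a constructed sample assertion (not captured from a real IdP)."""
    return (f"<saml:Assertion {XMLNS}><saml:AttributeStatement>"
            "<saml:Attribute Name='Email'><saml:AttributeValue>u@example.com"
            "</saml:AttributeValue></saml:Attribute>"
            f"{groups_xml}</saml:AttributeStatement></saml:Assertion>")

# Constructed samples keyed by hypothetical user name.
SAMPLES = {
    "alice": make_assertion("<saml:Attribute Name='Groups'>"
                            "<saml:AttributeValue>AppSec-Leads</saml:AttributeValue>"
                            "<saml:AttributeValue>Payments-Devs</saml:AttributeValue>"
                            "</saml:Attribute>"),
    "bob": make_assertion("<saml:Attribute Name='Groups'><saml:AttributeValue/>"
                          "</saml:Attribute>"),           # present but blank
    "carol": make_assertion(""),                          # attribute not sent
    "dave": make_assertion("<saml:Attribute Name='Groups'/>"),  # no values
}
# Constructed snapshot of current portal user group assignments.
CURRENT = {"alice": ["AppSec-Leads"], "bob": ["Payments-Devs"], "carol": [], "dave": ["QA"]}

def group_values(doc, attr_name="Groups"):
    """Return the non-blank values of the named attribute in a SAML assertion."""
    values = []
    for attr in ET.fromstring(doc).iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != attr_name:
            continue
        for val in attr.findall("saml:AttributeValue", NS):
            text = (val.text or "").strip()
            if text:
                values.append(text)
    return values

def users_at_risk(samples, current, attr_name="Groups"):
    """Users who hold assignments today and whose assertion carries an empty
    Groups attribute, so the next SSO login would remove those assignments."""
    return sorted(user for user, doc in samples.items()
                  if current.get(user) and not group_values(doc, attr_name))

if __name__ == "__main__":
    for user in users_at_risk(SAMPLES, CURRENT):
        print(f"{user}: empty Groups attribute, would lose {CURRENT[user]}")
```

Pass the attribute name configured in the portal SSO settings as `attr_name`; the check reads attribute values only and does not validate the assertion signature.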
Daily Frequency for Scheduling Application and Release Exports
Application and release exports can be scheduled to run on a daily frequency. Daily exports run at 24:00 server time.
Hacker-level Insights Grouping Category
Hacker-level insights found in dynamic scans are now grouped in a new HLI: Detected Libraries category.
Package URL Added to Issues Data Export
The package URL (Sonatype identifier for open source issues) has been added to the issues data export. The package URL is mapped to the existing URL column.
Bug Tracker Issues Updated When Release is Copied
For applications that have bug tracker integration enabled, when a release is copied, issues in the bug tracker are now updated. Links to the newly copied issues are added to the issue descriptions in the bug tracker.
If bug statement management is enabled, Fortify on Demand will not close a bug unless all associated issues have been fixed.
Tenant Code Saved on Login Page
The tenant code is now saved on the login page for subsequent logins.
Microservice Name Included in Report
The microservice name is now included on a report's title page.
I have a question: are SSC version 22.1 and SCA version 22.1 compatible with Docker LIM and DAST versions that are 22.2 or higher, or is there a matrix where I can see the compatibility of Docker with software versions?