Cybersecurity
DevOps Cloud
IT Operations Cloud
About CyberRes Fortify Software Security Research
The Fortify Software Security Research team translates cutting-edge research into security intelligence that powers the Fortify product portfolio – including Fortify Static Code Analyzer (SCA) and Fortify WebInspect. Today, Fortify Software Security Content supports 1,286 vulnerability categories across 30 languages and spans more than one million individual APIs.
Fortify Software Security Research (SSR) is pleased to announce the immediate availability of updates to Fortify Secure Coding Rulepacks (English language, version 2022.4.0), Fortify WebInspect SecureBase (available via SmartUpdate), and Fortify Premium Content.
Fortify Secure Coding Rulepacks [Fortify Static Code Analyzer]
With this release, the Fortify Secure Coding Rulepacks detect 1,066 unique categories of vulnerabilities across 30 programming languages and span over one million individual APIs. In summary, this release includes the following:
Flask Updates (version supported: v2.2.x)
Flask is a micro web framework written in Python that does not require a particular set of tools or libraries out of the box. It is a lightweight and well established framework generally best suited for small to medium sized projects, but also capable of handling relatively complex projects such as small APIs and microservices. Supported categories include:
iOS SDK Updates for Swift (version supported: 16)[1]
Apple's iOS SDK provides a collection of frameworks enabling developers to build mobile applications for Apple iPhone and iPad devices. This release contains incremental updates to our iOS SDK support for Swift. New and updated rules extend our API coverage of the Foundation framework in iOS SDK 15 and 16 for Swift iOS and iPadOS applications. These updates improve issue detection for many existing weakness categories, including:
Salesforce Apex and Visualforce Updates (version supported: v55)[2]
Salesforce Apex is the programming language used for creating Salesforce applications such as business transactions, database management, web services, and Visualforce pages. This update improves our support in Database operations, SOAP web services, REST web services, core Apex system APIs, Crypto APIs, and Visualforce page components. Newly supported categories for Apex include:
Furthermore, additional improvements have been made to the following supported categories:
Secret Scanning Improvements
Secret scanning is the concept of finding secrets in various source code and configuration files. SSR already has support for many types of secrets and SCA applies the secret scanning rules to all file types, allowing for finding specific secrets regardless of code language. Support is expanded to cover the following secrets:
Google Guava Initial Coverage (version supported: v31.1)
Guava is a set of Java libraries from Google that includes new collection types (such as multimap and multiset), immutable collections, a graph library, and utilities for concurrency, I/O, hashing caching, primitives, strings and more. It is widely used in Java projects within Google and other companies. Supported categories include:
Hot Chocolate Initial Coverage (version supported: 12.15.2)
Hot Chocolate is an open-source GraphQL server built on top of the Microsoft .NET platform. Hot Chocolate enables developers to quickly create and deploy GraphQL-based APIs for their applications. This release adds initial support for Hot Chocolate, including detection of the following weakness categories in GraphQL APIs developed with Hot Chocolate:
gRPC Expansion for Java and Initial Coverage for Python (version supported: 1.49.1)
Google Remote Procedure Call (gRPC) is a multi-environment and multi-language modern open-source high performance RPC framework. gRPC connects services with support for load balancing, tracing, and authentication. Rather than traditional JSON-over-HTTP, gRPC is based on HTTP2 and typically uses the binary Protocol Buffers (protobuf) format for messages.
Support has been expanded for Java gRPC to cover the following additional categories:
Support has been established for Python gRPC to cover the following categories:
Cloud Infrastructure as Code (IaC)
IaC is the process of managing and provisioning computer resources through code rather than various manual processes. Improved support includes Terraform configurations for deployment to AWS, Azure, and GCP. Common issues related to the configuration of these services are now reported to the developer.
Amazon AWS Terraform Configurations
Terraform is an open-source infrastructure as code tool for building, changing and versioning cloud infrastructure. It uses its own declarative language known as HashiCorp Configuration Language (HCL). Cloud infrastructure is codified in configuration files to describe the desired state. Terraform providers support the configuration and management of Amazon Web Services (AWS) infrastructure. In this release, we report the following categories for Terraform configurations:
Microsoft Azure Terraform Configurations
Terraform is an open-source infrastructure as code tool for building, changing and versioning cloud infrastructure. It uses its own declarative language known as HashiCorp Configuration Language (HCL). Cloud infrastructure is codified in configuration files to describe the desired state. Terraform providers support the configuration and management of Microsoft Azure infrastructure. In this release, we report the following categories for Terraform configurations:
Google Cloud Platform (GCP) Terraform Configurations
Terraform is an open-source infrastructure as code tool for building, changing and versioning cloud infrastructure. It uses its own declarative language known as HashiCorp Configuration Language (HCL). Cloud infrastructure is codified in configuration files to describe the desired state. Terraform providers support the configuration and management of Google Cloud Platform infrastructure. In this release, we report the following weakness categories for Google Cloud Platform Terraform configurations:
Miscellaneous Errata
In this release, resources have been invested to ensure we can reduce the number of false positive issues, refactor for consistency, and improve the ability for customers to audit issues. Customers can also expect to see changes in reported issues related to the following:
Deprecation of Fortify Static Code Analyzer versions prior to 19.x:
As mentioned in our 2022.3 release announcement, that was the last release of the Rulepacks that support Fortify Static Code Analyzer versions prior to 19.x. For this release, Fortify Static Code Analyzer versions prior to 19.x will not load the 2022.4 Rulepacks. This will require either downgrading the Rulepacks or upgrading Static Code Analyzer to version 19.x or later. For future releases, we will continue to support the last four major releases of Fortify Static Code Analyzer.
Refactoring of Fortify Priority Order Metadata for Weakness Categories
As it is important that our users can effectively remediate issues, we have been researching mechanisms to determine the categorization of issues more objectively within the Fortify Priority Order model. As part of this effort mentioned in the 2022 R3 release announcement, we have started reviewing the categories that all our rules cover and have identified some areas where updates were needed. The following 96 categories have had their associated Fortify Priority Order metadata changed, and as such you might see issues appear in the same or lower severity bucket (e.g., critical, high, medium, low). Existing filters might cause additional issues to be hidden due to the changes to the Fortify Priority Order value and its individual components.
React Bad Practices: Dangerously Set InnerHTML
The usage of "dangerouslySetInnerHTML" within React applications is now flagged as a bad practice.
False Positive Improvements
Work has continued with the effort to remove false positives in this release. In addition to other improvements, customers can expect further removal of false positives in the following areas:
PHP Misconfiguration: magic_quotes Categories Removed
The following three weakness categories have been removed because they are no longer relevant in supported versions of PHP:
As a result, all issues from the above categories will be removed from scan results.
Category Changes
Along with false positive removals, we identified some places that categories should have been unified or were mislabeled. When weakness category name changes occur, scan results when merging prior scans with new scans will result in issues being added/removed for the following categories.
Removed Category |
Added Category |
Code Correctness: Class Does Not Implement equals |
Code Correctness: Class Does Not Implement Equivalence Method |
Code Correctness: Class Does Not Implement Equals |
Code Correctness: Class Does Not Implement Equivalence Method |
Code Correctness: toString on Array |
Code Correctness: ToString on Array |
Code Correctness: null Argument to equals() |
Code Correctness: null Argument To Equivalence Method |
Code Correctness: null Argument to Equals() |
Code Correctness: null Argument To Equivalence Method |
Additionally, the following 24 categories from our recent IaC support have been refactored to improve consistency.
Removed Category |
Added Category |
Access Control: Azure Container Registry |
Azure ARM Misconfiguration: Improper Container Registry Network Access Control |
Access Control: Azure SQL Database |
Azure ARM Misconfiguration: Improper SQL Server Network Access Control |
Access Control: Cosmos DB |
Azure ARM Misconfiguration: Improper DocumentDB Network Access Control |
Access Control: Kubernetes Admission Controller |
Kubernetes Bad Practices: Improper Admission Controller Access Control |
Access Control: Kubernetes Image Authorization Bypass |
Kubernetes Misconfiguration: Image Authorization Bypass |
Ansible Bad Practices: CloudWatch Log Group Retention Unspecified |
AWS Ansible Misconfiguration: Insufficient CloudWatch Logging |
Ansible Bad Practices: Redshift Publicly Accessible |
AWS Ansible Misconfiguration: Improper Redshift Network Access Control |
Ansible Bad Practices: Unrestricted AWS Lambda Principal |
AWS Ansible Misconfiguration: Improper Lambda Access Control Policy |
Ansible Bad Practices: User-Bound AWS IAM Policy |
AWS Ansible Bad Practices: Improper IAM Access Control Policy |
Ansible Misconfiguration: Azure Monitor Missing Administrative Events |
Azure Ansible Misconfiguration: Insufficient Azure Monitor Logging |
Azure Resource Manager Bad Practices: Cross-Tenant Replication |
Azure ARM Misconfiguration: Improper Storage Account Network Access Control |
Azure Resource Manager Bad Practices: Remote Debugging Enabled |
Azure ARM Misconfiguration: Improper App Service Access Control |
Azure Resource Manager Bad Practices: SSH Password Authentication |
Azure ARM Misconfiguration: Improper Compute VM Access Control |
Azure Resource Manager Misconfiguration: Insecure Transport |
Azure ARM Misconfiguration: Insecure App Service Transport |
Azure Resource Manager Misconfiguration: Overly Permissive CORS Policy |
Azure ARM Misconfiguration: Improper CORS Policy |
Azure Resource Manager Misconfiguration: Security Alert Disabled |
Azure ARM Misconfiguration: Insufficient Microsoft Defender Monitoring |
Azure SQL Database Misconfiguration: Insufficient Logging |
Azure ARM Misconfiguration: Insufficient SQL Server Monitoring |
Insecure Storage: Missing EC2 AMI Encryption |
AWS CloudFormation Misconfiguration: Insecure EC2 AMI Storage |
Insecure Storage: Missing EFS Encryption |
AWS CloudFormation Misconfiguration: Insecure EFS Storage |
Insecure Storage: Missing Kinesis Stream Encryption |
AWS CloudFormation Misconfiguration: Insecure Kinesis Data Stream Storage |
Insecure Transport: Azure App Service |
Azure Ansible Misconfiguration: Insecure App Service Transport |
Kubernetes Bad Practices: API Server Publicly Accessible |
Azure ARM Misconfiguration: Improper AKS Network Access Control |
Privacy Violation: Exposed Default Value |
Azure ARM Misconfiguration: Hardcoded Secret |
Privilege Management: Overly Permissive Role |
Azure ARM Misconfiguration: Improper Custom Role Access Control Policy |
Fortify SecureBase [Fortify WebInspect]
Fortify SecureBase combines checks for thousands of vulnerabilities with policies that guide users in the following updates available immediately via SmartUpdate:
Vulnerability Support
Server-Side Request Forgery[5]
Server-Side Request Forgery (SSRF) occurs when an attacker can influence a network connection made by the application server. The network connection will originate from the application server's internal IP and an attacker can use this connection to bypass network controls and scan or attack internal resources that are not otherwise exposed. This release includes a check to detect SSRF vulnerability in web applications that accept user input.
Expression Language Injection
A critical Remote Code Execution vulnerability in the popular Apache Commons Text library versions 1.5 through 1.9 has been identified by CVE-2022-42889. The default configuration might allow unsafe script evaluation and arbitrary code execution. This release includes a check to detect the CVE-2022-42889 vulnerability on target web servers. Because this check sends a significant number of requests, it is excluded from the Standard policy. Use either the All Checks policy, customize an existing policy to include the check, or create a custom policy to run this check.
Insecure Transport: Weak SSL Cipher
The Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols provide a mechanism to help protect authenticity, confidentiality, and integrity of the data transmitted between a client and web server. Using a weak cipher or an encryption key of insufficient length, for example, could enable an attacker to defeat the protection mechanism and steal or modify sensitive information. This release includes a new check identified by ID 11285, to flag Insufficient Transport Layer Protection - Insecure Cipher vulnerability with critical severity. Insecure cipher suites have multiple known vulnerabilities and have attacks that are trivial.
Miscellaneous Errata
In this release, we invested resources to further reduce the number of false positives and improve the ability for customers to audit issues. Customers can also expect to see changes in reported findings related to the following:
Insecure Transport: Weak SSL Cipher
This release includes improvements to the Insufficient Transport Layer Protection – Weak Cipher check (11716). Customers should see the severity of this check being reduced from Critical to High because the attacks against these weak ciphers are sophisticated and require considerable resources. The severity of this check is reduced, and a new check introduced to identify ‘Insufficient Transport Layer Protection – Insecure Cipher’ will flag issues with Critical severity. Going forward, recommended ciphers will not include cipher suites that do not have Perfect Forward Secrecy (PFS).
XML External Entity Injection[6]
The check identified by ID 11337 has been modified to use payloads that support the Out-of-band Application Security Testing (OAST) feature. Improvements to this check reduce false positives, increase the efficiency, and enhance accuracy of its results.
Fortify Premium Content
The research team builds, extends, and maintains a variety of resources outside our core security intelligence products.
Fortify Taxonomy: Software Security Errors
The Fortify Taxonomy site, which contains descriptions for newly added category support, is available at https://vulncat.fortify.com. Customers looking for the legacy site, with the last supported update, can obtain it from the Fortify Support Portal.
Contact Fortify Technical Support
CyberRes Fortify
http://softwaresupport.softwaregrp.com/
+1 (844) 260-7219
Contact SSR
Alexander M. Hoole
Senior Manager, Software Security Research
CyberRes Fortify
hoole@microfocus.com
+1 (650) 258-5916
Peter Blay
Manager, Software Security Research
CyberRes Fortify
peter.blay@microfocus.com
[1] New rules for iOS SDK 16 require Fortify Static Code Analyzer 22.2 or later.
[2] Requires Fortify Static Code Analyzer 22.2 or later.
[3] Requires Fortify Static Code Analyzer 22.2 or later.
[4] Null Dereference changes are only applicable to Java and .NET.
[5] Requires OAST features that are available in the WebInspect 21.2.0.117 patch or later.
[6] Requires OAST features that are available in the WebInspect 21.2.0.117 patch or later.