Wikis - Page

What's new in Fortify on Demand 24.4

1 Likes

Fortify on Demand CE 24.4 Release Notes (October 2024)

We are excited to announce the general availability of our OpenText Fortify on Demand 24.4 release! Highlights of the 24.4 release include:​

  • Several enhancements based on valuable customer feedback.
  • Portal Enhancements and a variety of changes to improve user experience.
  • Upgrades to our API to refine and support additional functionality, offering better performance and more flexibility for integrating with FoD via API

Users can access the Release Notes and User Guide from the Fortify on Demand Help Center or the documentation link in the Fortify on Demand portal. The documentation is available in English upon the upgrade; Japanese and Spanish translations are available a few weeks after the upgrade.

What's New

Announcements

The Continuous Application Monitoring service is scheduled to be deprecated in the 25.2 release.

Engine and Rulepack Updates

Fortify Software Security Content 2024 Update 2 Support (September 2024)

Fortify on Demand has implemented Fortify Software Security Content 2024 update 2 from Fortify Security Research (SSR). For more information, see Fortify Software Security Content 2024 Update 2.

New Features

Fortify Aviator Filtering

Issues can be filtered and grouped by whether they have been audited by Fortify Aviator. Fortify Aviator has been added to the Application Issues and Release Issue pages' grouping and filtering options, as well as the data export wizard's filtering options. The Fortify Aviator column has been added to the issues data export.

The optional query parameter fortifyAviator has been added to GET /api/v3/releases/{releaseId}/vulnerabilities for filtering vulnerabilities by whether they have been audited by Fortify Aviator.

(*Fortify Aviator is currently only available in AMS)

DISA STIG 5.3, OWASP API Top 10 2023 , and OWASP Mobile Top 10 2024 Support

Fortify on Demand now supports DISA STIG 5.3, OWASP API Top 10 2023, and OWASP Mobile Top 10 2024. The portal includes the following additions:

  • New report modules and report templates have been added.

  • The STIG 5.3, OWASP 2023, and OWASP Mobile Top 10 2024 columns have been added to the issues data export.

  • DISA STIG 5.3, OWASP API Top 10 2023, and OWASP Mobile Top 10 2024 have been added to the Issue pages' grouping and filter lists, and the Standards and Best Practices section in the Vulnerability tab.

  • STIG 5.3, OWASP API Top 10 2023, and OWASP Mobile Top 10 2024 has been added to the classification options when configuring a security policy.

  • API endpoints that provide vulnerability details have been updated.

Reports Page Filtering

Your Reports page now supports filtering reports. Filtering by report creation date, application, and report creator has been added .

Set Up Email Reminders for Expiring Entitlements

Security Leads can now set up email reminders for expiring entitlements on the Entitlements page. Once set up, the reminders are applied to Fortify, Debricked, and Sonatype entitlements. Reminders can be edited and deleted.

API Endpoints for Managing API Keys

The following API endpoints have been added for managing API keys:

  • GET /api/v3/api-keys (return a list of API keys)

  • POST /api/v3/api-keys (create a new API key)

  • DELETE /api/v3/api-keys/{apiKeyId} (delete an API key)

  • GET /api/v3/api-keys/{apiKeyId} (return details of an API key)

  • PUT /api/v3/api-keys/{apiKeyId} (update an API key)

  • POST /api/v3/api-keys/{apiKeyId}/newsecret (create a new secret for an existing API key)

  • GET /api/v3/api-keys/{apiKeyId}/application-access (return a list of applications assigned to an API key)

API Endpoints for Managing Attributes

The following API endpoints have been added for managing attributes:

  • POST /api/v3/attributes (create a new attribute)

  • DELETE /api/v3/attributes/{attributeId} (delete an attribute)

Other API Updates

The following additional updates have been made to the Fortify on Demand API:

  • The API endpoint GET /api/v3/releases/{releaseId}/scans/{scanId}/polling-summary has been added for returning the scan status for a given scan.

  • The API endpoint GET /api/v3/releases/{releaseId}/mobile-scans/scan-setup has been added for returning mobile scan setup details for a given release.

  • The API endpoint GET /api/v3/releases/{releaseId}/vulnerabilities/{vulnId}/comments has been added for returning the audit comments of a given vulnerability.

    • The optional body parameter fallbackToActiveEntitlement has been added to the following endpoints:

      • POST /api/v3/releases/{releaseId}/static-scans/start-scan

      • POST /api/v3/releases/{releaseId}/static-scans/start-scan-with-defaults

      The default value is true. If the given entitlement ID is expired, the scan proceeds by consuming the oldest active entitlement. If the value is set to false, a relevant error message is returned.

  • The following API endpoints now return the scan ID along with the reference ID upon a completed scan import:

    • PUT /api/v3/releases/{releaseId}/static-scans/import-scan

    • PUT /api/v3/releases/{releaseId}/dynamic-scans/import-scan

  • The API endpoint GET /api/v3/applications/open-source-components now supports filtering by release.

  • Open source issue counts (by severity) have been added to the following API endpoints: GET /api/v3/applications/{applicationId}/releases, GET /api/v3/releases, and GET /api/v3/releases/{releaseId}

  • The API endpoint GET /api/v3/releases/{releaseId}/dynamic-scans/scan-setup now obfuscates password values in the response.

  • The API endpoint GET /api/v3/releases/{releaseId}/vulnerabilities/{vulnId}/history now returns a relevant error message for an invalid vulnerability ID.

  • The API endpoint GET /api/v3/scans/{scanId}/summary now returns a relevant error message for an invalid scan ID.

  • The API endpoint GET /api/v3/scans/{scanId}/fpr now returns a relevant error message if the given FPR has exceeded the retention period.

  • API endpoints for starting static scans now return a relevant error message if the given release is currently being copied.

Download Event-based Web Macro Recorder for Mac

The Event-based Web Macro Recorder for Mac is now available for download on the Tools page.

Improvements

User Creation Date Displayed

The User Management page now displays the user creation date.

Entitlement Consumption Data Export Update

Fortify Aviator and DAST Automated add-on services are now included in the entitlement consumption data export.

Password Values Obfuscated on Dynamic Scan Setup Page

On the Dynamic Scan Setup page, saved values in the password fields are now obfuscated.

Other Updates

  • The Interactive Training section, which contains Secure Code Warrior links and other educational links, has been moved to the top of the Recommendations tab in the issue details panel for increased visibility.

  • The character limit for text-type attributes has been expanded from 50 to 1024 characters.

  • Users can search and sort values in the Bug Tracker integration fields, such as project, workspace, and custom fields.

  • The Beta Features page has been removed.

AMS: https://helpcenter.ams.fortify.com/hc/en-us/articles/34705453641747/ 

EMEA : https://helpcenter.emea.fortify.com/hc/en-us/articles/34705950208787/

APAC : https://helpcenter.apac.fortify.com/hc/en-us/articles/31507554699924/

Comment List
Related
Recommended