About OpenText Fortify Software Security Research
The Fortify Software Security Research team translates cutting-edge research into security intelligence that powers the Fortify product portfolio – including OpenText Fortify Static Code Analyzer and OpenText Fortify WebInspect. Today, Fortify Software Security Content supports 1,662 vulnerability categories across 33+ languages and spans more than one million individual APIs.
Fortify Software Security Research (SSR) is pleased to announce the immediate availability of updates to Fortify Secure Coding Rulepacks (English language, version 2024.4.0), Fortify WebInspect SecureBase (available via SmartUpdate), and Fortify Premium Content.
Fortify Secure Coding Rulepacks [Fortify Static Code Analyzer]
With this release, the Fortify Secure Coding Rulepacks detect 1,437 unique categories of vulnerabilities across 33+ languages and span over one million individual APIs. In summary, this release includes the following:
Improved Support for PL/SQL (version supported: 19c)[1]
PL/SQL is Oracle's procedural implementation of the SQL language, and it is generally used to interact with relational databases. Its main advantage and strength is to provide a server-side, stored procedural language that is easy to use, seamless with SQL, robust, portable, and secure. As of Fortify Static Code Analyzer 24.4, the majority of PL/SQL-related categories are reported by a new and improved analysis engine (see the Supported Libraries documentation for exclusions).
Categories supported by this migration:
Cloud Infrastructure as Code (IaC)[2]
Expanded support for cloud infrastructure as code. Infrastructure as code is the practice of managing and provisioning computing resources through code rather than through manual processes. Common misconfigurations of the cloud services defined in that code are reported to the developer. As of Fortify Static Code Analyzer 24.4, the majority of Azure Terraform, Google Cloud Platform (GCP) Terraform, and Amazon Web Services (AWS) Terraform configuration issues are reported by a new analysis engine. This will result in a set of added and removed issues when merging FPRs generated with prior versions of Fortify Static Code Analyzer. Additionally, the following categories have been added:
Azure Terraform Configurations
HashiCorp Terraform is an infrastructure as code tool that lets you define both cloud and on-prem resources in human-readable configuration files that you can version, reuse, and share. You can then use a consistent workflow to provision and manage all of your infrastructure throughout its lifecycle. Using these templates, users can create, delete, and modify collections of resources, known as a stack, as a single unit. Terraform plugins called providers let Terraform interact with cloud platforms and other services via their application programming interfaces (APIs). In this release, we improved the accuracy of the following categories:
Initial gRPC for .NET support (version supported: 2.66.0)
gRPC for .NET is a Remote Procedure Call (RPC) framework for the .NET platform: a modern, open source, high-performance framework that can run anywhere and offers transparent communication between server and client, simplifying the building of connected systems. Initial support includes the following categories:
Improved Spring Security Support (version supported: 6.3.3)
Spring Security provides a framework for authentication, authorization, and protection against common attacks. Improved coverage for the following categories is included:
Additionally, the following new categories are supported:
Improved Spring Web & Spring Web MVC Support (version supported: 6.1)
Spring Web and Spring Web Model-View-Controller (MVC) are modules of the Spring Framework, designed around the Servlet architecture, that provide functionality for building web applications and web services. Improved Spring Web & Spring Web MVC support focuses on better results in complex scenarios within web controllers and API controllers, including the ability to detect JSON Injection. Support also includes the ability to detect SameSite cookie weaknesses.
Categories updated for this library:
Categories new for this library:
Improved Support for Android 14 (version supported: Android SDK Platform 34)
The Android API is a set of tools and libraries for building apps on Android devices. It provides access to the underlying hardware, system features, and services of the Android platform. This release contains incremental updates to our Android API support for Java and Kotlin.
Improved weakness category coverage includes the following:
The following new weakness categories are introduced in this release for Android applications:
Improved Support for Android Jetpack (AndroidX)
Android Jetpack is a set of libraries, tools, and guidance that help developers create Android applications with greater ease. Jetpack covers the androidx.* packages and is unbundled from platform APIs, which helps facilitate backwards compatibility and allows for more frequent updates. In this release, we provide improved support for the following libraries:
Improved weakness category coverage includes the following:
Improved Support for Flask (version supported: 3.0)
Flask is a micro web framework written in Python that does not require a particular set of tools or libraries. It is a light-weight and well established framework best suited for small to medium sized projects, but also capable of handling relatively complex projects such as small APIs and microservices. In this release, we provide improved support for Flask 3 and Jinja2.
Category coverage includes the following:
Detecting Risk Related to Artificial Intelligence (AI) and Machine Learning (ML) Models
With generative AI and large language models (LLMs) rapidly changing the solution space of the software industry, new risks are presenting themselves. This release adds coverage for projects that consume Spring AI (Java), LangChain (JavaScript), and Google Gemini (Node.js), and improves support for the OpenAI APIs (Python and JavaScript) and Anthropic Claude (JavaScript). Support detects weaknesses that result from implicit trust of responses from AI/ML model APIs, in addition to the following features:
Initial Support for Java Spring AI (version supported: 1.0.0-M2)
The Spring AI library provides tools to enhance Spring applications with AI capabilities through integrating various language models and vector databases with the application.
Initial support for this library includes the following namespaces:
Categories coverage includes the following:
Additionally, we support identifying potentially unsafe data from machine learning models, which can lead to new "Cross-Site Scripting: AI" findings in Java, Kotlin, and Scala applications.
Initial Support for JavaScript LangChain (version supported: 0.3)
LangChain is an open-source orchestration framework for the development of applications using large language models (LLMs). The LangChain library for JavaScript offers tools and APIs to create LLM-driven applications, such as chatbots and virtual agents.
Categories coverage includes the following:
Additionally, we support identifying potentially unsafe data from machine learning models, which can lead to new “Cross-Site Scripting: AI” findings in JavaScript applications.
Initial Support for Google Gemini API SDK for Node.js (version supported: 1.5)
Gemini is a generative artificial intelligence chatbot developed by Google; it gives access to Google's large language models (LLMs). Gemini can handle multiple types (or "modes") of input, making it multimodal, which means it can process text, code, images, and even audio. It has the potential to accurately solve problems, give advice, and answer questions in various fields, from the mundane to the scientific. In this release, we provide initial support for the Google Gemini API SDK for Node.js in the GoogleGenerativeAI package.
Category coverage includes the following:
Additionally, we support identifying potentially unsafe data from machine learning models, which can lead to new “Cross-Site Scripting: AI” findings in JavaScript applications.
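The "Cross-Site Scripting: AI" findings described for the Spring AI, LangChain and Gemini sections above share one root cause: text returned by a model is treated as trusted and written into a page. The following is an added illustration, not Fortify's code or any SDK's API; the model reply is a constructed sample and no model is called.

```javascript
// Added example: a model response is an untrusted input, exactly like a form field.
// SAMPLE_MODEL_REPLY is a constructed reply; in a real app it would come from an
// LLM API call and may contain markup a user or retrieved document coaxed the model into emitting.
const SAMPLE_MODEL_REPLY =
  'Your order is <b>shipped</b>. <script>alert(document.domain)</script>';

// Vulnerable pattern: the reply is concatenated straight into HTML, so any tags the
// model emits become live markup in the browser. This is the data flow that the
// "Cross-Site Scripting: AI" category reports.
function renderReplyUnsafe(modelReply) {
  return `<div class="assistant">${modelReply}</div>`;
}

// Hardened pattern: encode the reply for the HTML body context before inserting it.
// Encoding (rather than blocklisting tags) neutralises every form of markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderReplySafe(modelReply) {
  return `<div class="assistant">${escapeHtml(modelReply)}</div>`;
}

// Helper used to show the difference: does the rendered fragment still contain a live tag?
function containsLiveScript(html) {
  return /<script\b/i.test(html);
}
```

If the product requirement is to render model-produced Markdown or HTML, route it through an HTML sanitizer with an allowlist instead of trusting the reply.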
Improved Support for Python OpenAI (version supported: 1.43)
The OpenAI library for Python provides tools for integrating AI capabilities into various applications. This library supports a range of functionalities such as natural language processing, text generation, and conversational AI.
Our previously released rules are updated to increase robustness and detect various use cases of the library.
Categories updated for this library:
Improved Support for JavaScript OpenAI (version supported: 4.60.0)
The OpenAI library for JavaScript provides tools for integrating AI capabilities into various applications. This library supports a range of functionalities such as natural language processing, text generation, and conversational AI.
Our previously released rules are updated to increase robustness and detect various use cases of the library.
Categories updated for this library:
Improved Support for JavaScript Anthropic (version supported: 0.27.1)
The Anthropic Claude libraries for JavaScript provide tools for integrating the Claude AI language model into applications.
Our previously released rules are updated to increase robustness and detect various use cases of the library.
Categories updated for this library:
Defense Information Systems Agency (DISA) Application Security and Development Security Technical Implementation Guide (STIG) Version 6.1
To support our federal customers’ compliance needs, correlation of the OpenText Fortify Taxonomy to the DISA Application Security and Development STIG version 6.1 has been added.
MISRA C 2023 Support
MISRA is a collaboration across manufacturers, component suppliers, academics and engineering consultancies seeking to promote best practice spanning safety and security-related electronic systems and other software-intensive applications. The MISRA C 2023 Guidelines provide guidance for C programming that helps to identify code and coding practices that will negatively affect program safety, security, and reliability. To support our customers that seek to attain compliance with MISRA C 2023, correlation of the OpenText Fortify Taxonomy to the MISRA C 2023 guidelines that have security impact has been added.
Miscellaneous Errata
In this release, we invested resources to reduce the number of false positive issues, refactor for consistency, and improve the ability for customers to audit issues. Customers can also expect to see changes in reported issues related to the following:
Deprecation of Fortify Static Code Analyzer Versions Prior to 21.x
As observed with the 2023.4 release, we are continuing to support the last four major releases of Fortify Static Code Analyzer. Therefore, this will be the last release of the Rulepacks that support Fortify Static Code Analyzer versions prior to 21.x. For the next release, Fortify Static Code Analyzer versions prior to 21.x will not load the most recent Rulepacks. This will require either downgrading the Rulepacks or upgrading the version of Fortify Static Code Analyzer. For future releases, we will continue to support the last four major releases of Fortify Static Code Analyzer.
False Positive Reduction and Other Notable Detection Improvements
Work has continued with the effort to remove false positives in this release. Customers can expect further removal of false positives, and other notable improvements related to the following areas:
Category Name Changes
When weakness category name changes occur, merging analysis results of prior scans with new scans might result in added/removed categories.
To improve consistency, the following two categories have been renamed:
2024 R2 Category Name                                    | 24.4 Category Name
GCP Terraform Misconfiguration: Overly Permissive Role   | GCP Terraform Misconfiguration: Overly Permissive IAM Role
GCP Terraform Misconfiguration: Permissive Firewall      | GCP Terraform Misconfiguration: Overly Permissive VPC Firewall
Updated Mappings for DISA Control Correlation Identifier (CCI) Version 2
DISA CCI is a document that bridges the gap between high- and low-level cybersecurity guidance by providing a set of standard identifiers paired with singular, actionable statements. The DISA Application Security and Development STIG is closely mapped to DISA CCI, wherein a single STIG control might apply to one or more CCIs. This release brings the mapped CCIs to parity with the recent support of DISA Application Security and Development STIG 6.1.
Updated Mappings for NIST Special Publication 800-53 Revisions 4 and 5
The National Institute of Standards and Technology (NIST) Special Publication 800-53 is a document that provides a catalog of security and privacy controls for information systems, which the cybersecurity field at large can use as guidance on how to secure systems. NIST Special Publication 800-53 is closely mapped to the DISA CCI, wherein a single CCI might apply to one or more NIST 800-53 controls. This release brings the mapped NIST 800-53 controls to parity with the recent support of DISA Application Security and Development STIG 6.1.
Aligning Software Security Content Releases with OpenText Versioning
As noted in the 2024 Update 2 release, the OpenText Fortify Software Security Content updates now align with the OpenText versioning standards. Moving forward, releases are scheduled once per quarter and are numbered according to the year and quarter; therefore this release of OpenText Fortify Software Security Content is 24.4, which indicates a release in the first month of the 4th quarter of 2024. The next release will be 25.1, in the first quarter of 2025.
Fortify SecureBase [Fortify WebInspect]
Fortify SecureBase combines checks for thousands of vulnerabilities with policies that guide customers. The following updates are available immediately via SmartUpdate.
Vulnerability Support
Denial of Service: GraphQL
GraphQL is a query language for APIs and provides a runtime to query existing data. An attacker can trigger excessive CPU and memory usage by batching multiple expensive queries into a single request to cause a Denial of Service (DoS). This release includes a check to detect if batching attacks are possible in the GraphQL application.
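The batching attack described above is cheap to prevent server-side by capping how many operations one HTTP request may carry, and, since the point is expensive queries, by refusing deeply nested selection sets before execution. The guard below is an added example, not the WebInspect check; it assumes a JSON-array batch format and covers only nesting depth, not alias-based batching inside a single document, which needs a full GraphQL parser. The request bodies at the bottom are constructed samples.

```javascript
// Added example: pre-execution guard for a GraphQL endpoint (assumed limits, adjust per service).
const LIMITS = { maxBatch: 10, maxDepth: 8 };

// Maximum nesting depth of selection sets, ignoring braces inside string literals.
function selectionDepth(query) {
  let depth = 0, maxDepth = 0, inString = false;
  for (let i = 0; i < query.length; i++) {
    const ch = query[i];
    if (inString) {
      if (ch === '\\') i++;                 // skip the escaped character
      else if (ch === '"') inString = false;
      continue;
    }
    if (ch === '"') inString = true;
    else if (ch === '{') maxDepth = Math.max(maxDepth, ++depth);
    else if (ch === '}') depth--;
  }
  return maxDepth;
}

// Returns null when the request may proceed, otherwise a human-readable rejection reason.
// Rejected requests should be logged with the client identity: a burst of oversized
// batches from one source is the detection signal for this DoS technique.
function checkGraphQLRequest(bodyText, limits = LIMITS) {
  let body;
  try { body = JSON.parse(bodyText); } catch (e) { return 'invalid JSON'; }
  const ops = Array.isArray(body) ? body : [body];   // array body = batched request
  if (ops.length > limits.maxBatch) {
    return `batch of ${ops.length} operations exceeds limit of ${limits.maxBatch}`;
  }
  for (const op of ops) {
    if (!op || typeof op.query !== 'string') return 'missing query';
    const d = selectionDepth(op.query);
    if (d > limits.maxDepth) return `query depth ${d} exceeds limit of ${limits.maxDepth}`;
  }
  return null;
}

// Constructed sample request bodies.
const singleQuery = JSON.stringify({ query: '{ user(id: "1") { name posts { title } } }' });
const bigBatch = JSON.stringify(
  Array.from({ length: 50 }, () => ({ query: '{ expensiveReport { total } }' })));
const deepQuery = JSON.stringify(
  { query: '{ a { b { c { d { e { f { g { h { i { j } } } } } } } } } }' });
```

Run the guard in the middleware that precedes the GraphQL executor so rejected requests never reach the resolvers.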
Command Injection
If you are using Apache and PHP CGI on Windows and the system is set up to use certain code pages, the PHP CGI module might misinterpret some characters as PHP options. This can enable attackers to pass options to the PHP binary to reveal the source code or run arbitrary PHP code on the server. This affects PHP versions 5, 7, 8.0, 8.1.x (before 8.1.29), 8.2.x (before 8.2.20), and 8.3.x (before 8.3.8). This security issue was identified by CVE-2024-4577 and this release includes a check to detect this vulnerability on target servers.
Insecure Deployment: Unpatched Application (CVE-2024-38475)
The Apache HTTP Server is vulnerable to DocumentRoot Confusion attacks identified by CVE-2024-38475. Improperly escaping output in mod_rewrite on Apache HTTP Server version 2.4.59 and earlier enables an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL. Attackers can use it for code execution or source code disclosure. Substitutions in server context that use backreferences or variables as the first segment of the substitution are affected. This release contains a check to detect this vulnerability in Apache HTTP Servers.
Compliance Reports
DISA Application Security and Development STIG Version 6.1
To support our federal customers’ compliance needs, correlation of the WebInspect checks to the DISA Application Security and Development STIG version 6.1 has been added.
Policy Updates
Improved DISA STIG 6.1
A policy customized to include checks relevant to DISA STIG 6.1 has been added to the WebInspect SecureBase list of supported policies.
Miscellaneous Errata
In this release, we invested resources to further reduce the number of false positives and improve the ability for customers to audit issues. Customers can also expect to see changes in reported findings related to the following areas.
Credential Management: Sensitive Information Disclosure
This release includes improvements for the Credential Management: Sensitive Information Disclosure check to reduce false positives and improve the accuracy of its results. Additionally, you can use Check Input to enable this check for unauthenticated scans.
Flag At Host
The Flag At Host check input field controls whether we report the vulnerability for every endpoint encountered during the crawl or only once per host. We have extended the use of this check input to some of the cookie- and header-related checks. By default, the value is set to flag only once per host. By changing the value of 'Flag At Host' to '0' or 'false', the checks are flagged on each endpoint instead. The following checks are consolidated into reporting once per host:
Fortify Premium Content
The research team builds, extends, and maintains a variety of resources outside our core security intelligence products.
DISA STIG 6.1 and MISRA C 2023
To accompany the new correlations, this release also contains a new report bundle for OpenText Fortify Software Security Center with support for DISA STIG 6.1 and MISRA C 2023, which is available for download from the Fortify Customer Support Portal under Premium Content.
Fortify Taxonomy: Software Security Errors
The Fortify Taxonomy site, which contains descriptions for newly added category support, is available at https://vulncat.fortify.com.
Contact Customer Support
OpenText Fortify
https://softwaresupport.softwaregrp.com/
+1 (800) 509-1800
Contact SSR
Alexander M. Hoole
Senior Manager, Software Security Research
OpenText Fortify
hoole@opentext.com
+1 (514) 281-5551 ext. 75119
Peter Blay
Manager, Software Security Research
OpenText Fortify
pblay@opentext.com
+1 (415) 500-9546
© Copyright 2024 Open Text or one of its affiliates. The information contained herein is subject to change without notice. The only warranties for Open Text products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Open Text shall not be liable for technical or editorial errors or omissions contained herein.
[1] Requires Fortify Static Code Analyzer 24.4 or later.
[2] Requires Fortify Static Code Analyzer 24.4 or later. Furthermore, with Fortify Static Code Analyzer 24.4 or later, the 24.4 or later rulepacks (2024.4.0.0009) are required to prevent duplicate IaC issues.