Cybersecurity
DevOps Cloud
IT Operations Cloud
This release brings significant enhancements to help you stay current with evolving technologies and improve scan quality. Version 24.4 includes enhanced support for PL/SQL and ABAP, enabling seamless analysis of these languages. For organizations planning to adopt .NET 9 with its upcoming November release, upgrading to 24.4 ensures uninterrupted Fortify SAST support. Additionally, 24.4 supports newer versions of Xcode(16), Go(1.23), Apex(61), Kotlin(2), TypeScript(5.3, 5.4), and Angular(17), and expands support to Linux on ARM, leveraging cost-efficient options for SAST workloads. Plus, with extended taint flag filters, the scan policy mechanism and default “security” scan policy delivers more accurate, less noisy results—helping your team focus on the vulnerabilities that matter most.
This release of Fortify Software includes the following new functions and features.
The following features have been added to Fortify Software Security Center.
Technology Preview: Magellan BI and Reporting Dashboards
This release includes a preview of upcoming support for the inclusion of OpenText Magellan BI and Reporting dashboards in Fortify Software Security Center. The Magellan BI and Reporting dashboards provide a comprehensive application security program overview, insights into important vulnerability metrics, and consistent dashboard views among the Fortify product Suite. If you are interested in previewing the upcoming Magellan dashboard integration, contact Customer Support for the software and support required to run the Technology Preview.
Audit Issue History Tracking
You can track changes in the attributes of an issue as you upload new scans for an audit. The issue history includes all attributes that Fortify Software Security Center extracts from uploaded scans that can be searched or filtered on the audit page.
ScanCentral SAST Controller role
The ScanCentral SAST Controller role is a new pre-configured role. This role is Intended for use only when configuring a Fortify ScanCentral SAST Controller. It allows users who are permitted to run scans but do not have upload analysis result permissions to upload scans.
Kubernetes support
Support added for Kubernetes versions 1.30 and 1.31
Support added for Helm command-line tool versions 3.15 and 3.16.
The following features have been added to Fortify ScanCentral SAST.
Uploading analysis results to Fortify Software Security Center
You can configure the ScanCentral SAST Controller with a ScanCentral SAST Controller service account created in Fortify Software Security Center. This enables to upload the scan results to Fortify Software Security Center using the Controller service account. In this case, your Software Security Center user accounts do not require the upload analysis results permission.
The start command -uptoken option is no longer required to upload scan results to Fortify Software Security Center if you specify the -sscurl and -ssctoken option pair.
ScanCentral client
You can add JVM system and ScanCentral SAST properties (for clients and sensors) to the ScanCentral client commands by adding the -D option to the SCANCENTRAL_VM_OPTS environment variable. You can add JVM system properties to the environment variable for use by the PackageScanner tool.
You can retrieve your package (job file) from the Controller using the retrieve command --job-file option.
The client start command -sargs option accepts the Fortify Static Code Analyzer -bin option.
The client start command -targs option accepts the Fortify Static Code Analyzer -gotags option.
When packaging PHP projects that use Composer for dependency management, the ScanCentral client will automatically restore the dependencies prior to generating the package.
Support packaging Maven projects that use the -Dmaven.repo.local
or
-Dsettings.localRepository
properties to configure a non-default local repository location.
Updated build tool support
Support for Gradle 8.7 - 8.10
ScanCentral SAST containers
New ScanCentral SAST Windows Sensor container with Windows Server 2022 as a base image
New database migration container to migrate the ScanCentral SAST Controller database when upgrading
The following features have been added to Fortify Static Code Analyzer.
Platforms
Linux on ARM support
IBM AIX 7.3
Languages
.NET (Core) 9.x
ABAP 7.x
Angular 17
Apex 61
C# 13
Go 1.23
Kotlin 2.0
PL/SQL 10, 11, 12, 18, 19, 21, and 23
TypeScript 5.3 and 5.4
Build tools
Bazel 7.x
Gradle 8.5
MSBuild 17.11
MSBuild and Bicep support on .NET 8
Platforms and architectures
Added support for IBM AIX 7.3.
Features/Updates
Updated the scan policies with the ability to exclude dataflow issues based on taint flags
Added support for Go build tags with the -gotags command-line option
Added support for Flask framework and Jinja2 templates
The following features have been added to Fortify Static Code Analyzer tools.
Secure code plugins
Support for Eclipse 2024-06
Support for IntelliJ IDEA 2024.2
Support for Android Studio 2023.3 and 2024.1
Support for Azure DevOps Server 2022
The following features have been added to ScanCentral DAST.
Scan Details now has Create By
The scan details panel now displays the user that created/imported the scan.
New REST endpoint to view messages
SC DAST has added an endpoint to retrieve the polling messages that occur in the product. These are primarily the message that the global service is processing from the sensors.
Linux containers now on UBI9
The SC DAST containers on Linux is now on the RedHat UBI9 with .NET 8.
The following features have been added to WebInspect.
WebInspect CLI & API
Support has been added for using an external SQL Server database when using either the WebInspect CLI or the WebInspect API.
Expanded URL field
URL field has been expanded for API scans using a postman collection. This allows the user to view the authentication endpoints and proceed with a dynamic token strategy.
HAR improvements
Updates to the HAR parser allows for a greater number of formats from different browsers.
New logging option
New environment variable for logging to stderr output.
Linux containers now on UBI9
The WebInspect container on Linux is now on the RedHat UBI9 with .NET 8.
Visit the Support website to:
https://www.microfocus.com/support
We Welcome Your Feedback
If you have comments or suggestions about the documentation, you can send these to the documentation team at fortifydocteam@opentext.com. Please use the subject line “Feedback on <Document_Title> <Product_Version>.” We appreciate your feedback!