
Fortify Software Security Content Update 25.1


About OpenText Fortify Software Security Research

The Fortify Software Security Research team translates cutting-edge research into security intelligence that powers the Fortify product portfolio – including OpenText™ Fortify Static Code Analyzer and OpenText™ Fortify WebInspect. Today, Fortify Software Security Content supports 1,669 vulnerability categories across 33+ languages and spans more than one million individual APIs.

Fortify Software Security Research (SSR) is pleased to announce the immediate availability of updates to Fortify Secure Coding Rulepacks (English language, version 2025.1.0), Fortify WebInspect SecureBase (available via SmartUpdate), and Fortify Premium Content.

 

Fortify Secure Coding Rulepacks [Fortify Static Code Analyzer]

With this release, the Fortify Secure Coding Rulepacks detect 1,443 unique categories of vulnerabilities across 33+ languages and span over one million individual APIs. In summary, this release includes the following: 

.NET Improvements (version supported: 9)

.NET 9 is a free and open-source development framework used for building cross-platform applications and designed to deliver productivity, performance, security, and reliability. As the successor of the .NET 8 framework, this new release includes enhancements for performance, security, and functional improvements. Security content improvements for this release focus specifically on .NET for Web Applications and provide updates for nine existing categories as well as the following four new categories:

  • .NET Bad Practices: BinaryFormatter Enabled
  • Unreleased Resource: Handle Leak
  • Unreleased Resource: Handle Owner
  • Unreleased Resource: Invalid Handle

Entity Framework Core Improvements (version supported: 9)

Entity Framework (EF) Core is a cross-platform, lightweight, extensible, open-source version of the popular Entity Framework data access technology. It serves as an Object Relational Mapper (ORM) that enables .NET developers to work with databases using .NET objects, eliminating the need to write most of the data access code an application requires. Improvements bring support of EF Core up to version 9 and provide updates spanning three existing categories.

Jinja Improvements (version supported: 3.1)

Jinja is a templating engine used to create webpages with a Python-like syntax. It can be used standalone or as part of a larger web framework such as Django or Flask. Support for Jinja has been improved to better find security issues in two existing categories related to data leakage that arise when Jinja is used in a standalone context.

PySpark (version supported: 3.5)

PySpark is the Python library for the data analytic engine of Apache Spark. It is designed to enable developers to perform distributed computing for real-time data processing and analysis of large-scale datasets. Initial support for PySpark spans five existing categories. 

Android KTX (version supported: 1.13)

Android KTX stands for Android Kotlin Extensions, which is a set of Kotlin extension functions and properties that provide a more concise and expressive way of writing Android apps with Kotlin. Customers can expect improved results across all dataflow categories when Android KTX is used in their Android applications.

Salesforce Apex and Visualforce Improvements (version supported: 60)

Salesforce Apex is the programming language used for creating Salesforce applications such as business transactions, database management, web services, and Visualforce pages. Improvements to category coverage span 10 existing categories and include the following new category:

  • Setting Manipulation: User-Controlled Approval Action

ABAP Improvements (version supported: 7.58)

ABAP (Advanced Business Application Programming) is SAP’s primary programming language for developing robust business applications within the SAP ecosystem. It supports both procedural and object-oriented paradigms, integrates seamlessly with SAP’s data and application frameworks, and underpins a wide range of enterprise-level solutions. Improvements to category coverage span 11 existing categories and add support for the following categories in ABAP applications:

  • Denial of Service: Regular Expression
  • Insecure Transport
  • Missing XML Validation
  • Path Manipulation: Zip Entry Overwrite
  • Server-Side Request Forgery
  • Setting Manipulation
  • Unreleased Resource: Database
  • Unreleased Resource: Sockets
  • XML Entity Expansion Injection
  • XML External Entity Injection
  • XML Injection

OkHttp (version supported: 4.12)

OkHttp is a Java/Kotlin/Android library for establishing client-side HTTP sessions. It supports the HTTP/2 protocol (or uses connection pooling when HTTP/2 is unavailable) and performs transparent GZIP operations, all for the purpose of optimizing network performance. The library also provides an easy-to-use request/response API, supports modern TLS cryptographic features, and allows for synchronous or asynchronous response handling. Initial support detects weaknesses that span 10 existing categories.

Prompt Injection: Persistent

The category 'Prompt Injection: Persistent' has been introduced as an extension of Prompt Injection, where the prompt input originates from a persistent datastore. This category is reported when potentially dangerous input is used to construct an AI model's system prompt, leading to unexpected, and potentially dangerous, behavior. Coverage of this new category spans multiple AI-related libraries and frameworks across Java, JavaScript, Kotlin, Python, Scala, and TypeScript.

PCI DSS 4.0.1

The Payment Card Industry (PCI) Data Security Standard (DSS) is a set of guidelines intended to protect both cardholder data and account information. To support our e-commerce and financial services customers in the area of compliance, this release supports correlation between our Fortify Taxonomy categories and the requirements specified in the latest version of the Payment Card Industry Data Security Standard, version 4.0.1.

2024 Common Weakness Enumeration (CWE) Top 25

The Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses (CWE Top 25) was introduced in 2019 and replaces the SANS Top 25. Released in November of 2024, the 2024 CWE Top 25 is determined using a heuristic formula that normalizes the frequency and severity of vulnerabilities reported to the National Vulnerability Database (NVD) over the past two years. To support our customers who want to prioritize their auditing around the most commonly reported critical vulnerabilities in the NVD, a correlation of the Fortify Taxonomy to the 2024 CWE Top 25 has been added.

MISRA C++ 2023 Support

MISRA is a collaboration across manufacturers, component suppliers, academics, and engineering consultancies that seeks to promote best practice spanning safety- and security-related electronic systems and other software-intensive applications. The MISRA C++ 2023 Guidelines provide guidance for C++ programming to help identify code and coding practices that will negatively affect program safety, security, and reliability. To support our customers who seek to attain compliance with MISRA C++ 2023, a correlation of the Fortify Taxonomy to the MISRA C++ 2023 guidelines that have security impact has been added.

Miscellaneous Errata

In this release, we invested resources to reduce the number of false positive issues, refactor for consistency, and improve the ability for customers to audit issues. Customers can also expect to see changes in reported issues related to the following:

False Positive Reduction and Other Notable Detection Improvements

Work has continued with the effort to remove false positives in this release. Customers can expect further removal of false positives, and other notable improvements related to the following areas:

  • Dynamic Code Evaluation: Unsafe Deserialization – false positives reduced in Android applications
  • Insecure Randomness – false positives reduced for TLS configurations in Golang applications
  • Insecure Transport: Weak SSL Protocol – false positives reduced in C/C++ applications with OpenSSL
  • Privacy Violation – new issues detected in Visual Basic applications
  • System Information Leak – false positives reduced in Salesforce Apex/Visualforce applications
  • Unreleased Resource: Database – new issues detected in Android applications with SQLite databases
  • Unreleased Resource: Streams – false positives reduced in Java applications

 

Fortify SecureBase [Fortify WebInspect]

Fortify SecureBase combines checks for thousands of vulnerabilities with policies that guide customers. The following updates are available immediately using SmartUpdate.

Vulnerability Support

Dynamic Code Evaluation: Unsafe Deserialization

Deserializing user-provided or otherwise untrusted data with the Python pickle library can cause dynamic code execution during the deserialization process. This release includes a check to detect unsafe usage of the Python pickle library in affected web applications.
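The following is an added example (not Fortify's own code, and not the SecureBase check itself) showing why the weakness exists and the defensive pattern that closes it. A pickle stream can name any importable callable, and `Unpickler.find_class()` is the hook through which the loader resolves and later invokes it; restricting that hook to an explicit allow-list (or not using pickle for untrusted input at all) removes the dynamic code evaluation. The allow-list contents and the sample streams below are constructed for the demonstration.

```python
"""Restricted unpickling: refuse any global the allow-list does not name.

Plain containers and scalars (dict, list, str, int, ...) never touch
find_class(), so they load. Any object that pickles via a module-level
callable (here collections.OrderedDict and datetime.date) does, and the
loader rejects the stream before the callable is ever invoked.
"""
import collections
import datetime
import io
import pickle


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only an explicit allow-list of globals."""

    # Constructed allow-list for this example; a real one would be as
    # small as the application's own data model permits.
    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        # Raising here aborts the load before REDUCE/BUILD can call anything.
        raise pickle.UnpicklingError(
            f"global {module}.{name} is not permitted in untrusted pickle data")


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads() with the allow-list applied."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def classify(data: bytes) -> str:
    """Return 'ok' if the stream loads under the allow-list, else 'rejected'."""
    try:
        restricted_loads(data)
        return "ok"
    except pickle.UnpicklingError:
        return "rejected"


# Constructed sample streams. None of them is hostile; the third simply
# references a global outside the allow-list, which is what a malicious
# stream would also have to do.
SAFE_BLOB = pickle.dumps({"user": "alice", "roles": [1, 2]})
ALLOWED_GLOBAL_BLOB = pickle.dumps(collections.OrderedDict(a=1))
FORBIDDEN_GLOBAL_BLOB = pickle.dumps(datetime.date(2024, 1, 1))

if __name__ == "__main__":
    for label, blob in [("plain containers", SAFE_BLOB),
                        ("allow-listed global", ALLOWED_GLOBAL_BLOB),
                        ("non-allow-listed global", FORBIDDEN_GLOBAL_BLOB)]:
        print(f"{label}: {classify(blob)}")
```

Note that the allow-list is consulted on the module and symbol name only; the stock `pickle.loads()` would import and call whatever the stream names, which is exactly the behaviour the SecureBase check flags.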

HTML5: Deprecated Header

HTTP headers are key-value pairs sent between the client and server to provide additional information for handling HTTP requests and responses. Browser vendors mark some HTTP headers as deprecated when they no longer maintain, support, or enhance their implementation of the header. Use of these headers might create a false sense of security and increase the site's exposure. This release includes a check to detect whether the X-XSS-Protection header is enabled.
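As an added example (not the SecureBase check's implementation), the audit below parses a raw HTTP response head and reports the condition the check looks for: the deprecated X-XSS-Protection header being present and enabled (any value whose first token is not `0`). It also notes when a Content-Security-Policy header is absent, since CSP is the supported replacement for the removed browser XSS auditors; that second finding is this example's addition, not part of the check described above. The two sample responses are constructed.

```python
"""Response-header audit for the deprecated X-XSS-Protection header."""
from typing import Dict, List


def parse_response_head(raw: bytes) -> Dict[str, List[str]]:
    """Parse a raw HTTP/1.x response head into a lower-cased header map.

    Repeated headers are kept as multiple values. The body, if any, is
    ignored; header names are case-insensitive per RFC 9110.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response head")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def xss_protection_enabled(values: List[str]) -> bool:
    """True if any X-XSS-Protection value enables the filter ('1', '1; mode=block', ...)."""
    return any(v.split(";", 1)[0].strip() != "0" for v in values)


def audit_deprecated_headers(raw: bytes) -> List[str]:
    """Return a list of findings for the response; empty means nothing flagged."""
    headers = parse_response_head(raw)
    findings: List[str] = []
    xxp = headers.get("x-xss-protection")
    if xxp is not None:
        state = "enabled" if xss_protection_enabled(xxp) else "present but disabled"
        findings.append(
            f"HTML5: Deprecated Header - X-XSS-Protection {state} ({'; '.join(xxp)})")
    if "content-security-policy" not in headers:
        # Added defender note: CSP is the supported replacement.
        findings.append("Content-Security-Policy header missing")
    return findings


# Constructed sample responses.
RESPONSE_DEPRECATED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"X-XSS-Protection: 1; mode=block\r\n"
    b"\r\n"
    b"<html><body>hello</body></html>"
)
RESPONSE_MODERN = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Security-Policy: default-src 'self'\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, resp in [("legacy", RESPONSE_DEPRECATED), ("modern", RESPONSE_MODERN)]:
        print(label, audit_deprecated_headers(resp) or ["no findings"])
```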

Insecure Deployment: Unpatched Application (CVE-2024-38474)

The Apache HTTP Server is vulnerable to the filename confusion attack identified by CVE-2024-38474. A substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier enables an attacker to execute scripts in directories that are allowed by the configuration but not accessible through any URL, or to expose the source code of scripts that should only be run as CGI. This results in code execution or source code disclosure. This release contains a check to detect this vulnerability in Apache HTTP Server.

Compliance Reports

PCI DSS 4.0.1

The Payment Card Industry (PCI) Data Security Standard (DSS) is a set of guidelines intended to protect both cardholder data and account information. To support our e-commerce and financial services customers' compliance needs, this release contains a correlation of the WebInspect checks to the requirements specified in the latest version of the Payment Card Industry Data Security Standard, version 4.0.1.

2024 Common Weakness Enumeration (CWE) Top 25

The Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses (CWE Top 25) was introduced in 2019 and replaces the SANS Top 25. Released in November, the 2024 CWE Top 25 is determined using a heuristic formula that normalizes the frequency and severity of vulnerabilities reported to the National Vulnerability Database (NVD) over the past two years. This SecureBase update includes checks that map either directly to a category identified in the CWE Top 25, or to a CWE-ID related to a CWE-ID in the Top 25 via a “ChildOf” relationship.

Policy Updates

PCI DSS 4.0.1

A policy customized to include checks relevant to PCI DSS 4.0.1 has been added to the WebInspect SecureBase list of supported policies.

2024 CWE Top 25

A policy customized to include checks relevant to 2024 CWE Top 25 has been added to the WebInspect SecureBase list of supported policies.

Miscellaneous Errata

In this release, we invested resources to further reduce the number of false positives and improve the ability for customers to audit issues. Customers can also expect to see changes in reported findings related to the following areas.

RubyCE_Audit_Mode

The display name of RubyCE_Audit_Mode is changed from Aggressive_Audit to RubyCE_Audit_Mode.

Enable DoS Testing

The display name of AllowDenialOfServiceTesting is changed from Enable DoS Testing to Allow Denial of Service (DoS) Testing.

 

Fortify Premium Content

The research team builds, extends, and maintains a variety of resources outside our core security intelligence products.

PCI DSS 4.0.1 and 2024 CWE Top 25

To accompany the new correlations, this release also contains a new report bundle for Fortify Software Security Center with support for PCI DSS 4.0.1, MISRA C++ 2023, and 2024 CWE Top 25, which is available for download from the OpenText Application Security Customer Portal under Premium Content.

OpenText Fortify Taxonomy: Software Security Errors

The OpenText Fortify Taxonomy site, which contains descriptions for newly added category support, is available at https://vulncat.fortify.com.

 

Contact Customer Support

OpenText Fortify https://softwaresupport.softwaregrp.com/

+1 (800) 509-1800

  

Contact SSR

Alexander M. Hoole

Senior Manager, Software Security Research
OpenText Fortify
hoole@opentext.com
+1 (514) 281-5551 ext. 75119

Justin Alwine

Manager, Software Security Research
OpenText Fortify
jalwine@opentext.com

Peter Blay

Product Manager, Fortify SAST
OpenText Fortify
pblay@opentext.com
+1 (415) 500-9546

 

© Copyright 2025 OpenText or one of its affiliates. The information contained herein is subject to change without notice. The only warranties for Open Text products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Open Text shall not be liable for technical or editorial errors or omissions contained herein.
