The Fortify Software Security Research team translates cutting-edge research into security intelligence that powers the Fortify product portfolio – including OpenText™ Fortify Static Code Analyzer and OpenText™ Fortify WebInspect. Today, Fortify Software Security Content supports 1,669 vulnerability categories across 33+ languages and spans more than one million individual APIs.
Fortify Software Security Research (SSR) is pleased to announce the immediate availability of updates to Fortify Secure Coding Rulepacks (English language, version 2025.1.0), Fortify WebInspect SecureBase (available via SmartUpdate), and Fortify Premium Content.
With this release, the Fortify Secure Coding Rulepacks detect 1,443 unique categories of vulnerabilities across 33+ languages and span over one million individual APIs. In summary, this release includes the following:
.NET 9 is a free, open-source development framework for building cross-platform applications, designed to deliver productivity, performance, security, and reliability. As the successor to .NET 8, this release includes performance, security, and functional improvements. Security content improvements for this release focus specifically on .NET for web applications and provide updates for nine existing categories as well as the following four new categories:
Entity Framework (EF) Core is a cross-platform, lightweight, extensible, open-source version of the popular Entity Framework data access technology. It serves as an Object Relational Mapper (ORM) that enables .NET developers to work with databases using .NET objects, eliminating the need to write most of the data access code an application requires. Improvements bring support for EF Core up to version 9 and provide updates spanning three existing categories.
Jinja is a templating engine used to create webpages using a Python-like syntax. It can be used standalone or as part of a larger web framework such as Django or Flask. Support for Jinja has been improved to better find security issues in two existing categories related to data leakage that arise when Jinja is used in a standalone context.
PySpark is the Python library for the data analytics engine of Apache Spark. It is designed to enable developers to perform distributed computing for real-time data processing and analysis of large-scale datasets. Initial support for PySpark spans five existing categories.
Android KTX stands for Android Kotlin Extensions, which is a set of Kotlin extension functions and properties that provide a more concise and expressive way of writing Android apps with Kotlin. Customers can expect improved results across all dataflow categories when Android KTX is used in their Android applications.
Salesforce Apex is the programming language used for creating Salesforce applications such as business transactions, database management, web services, and Visualforce pages. Improvements to category coverage span 10 existing categories and include the following new category:
ABAP (Advanced Business Application Programming) is SAP’s primary programming language for developing robust business applications within the SAP ecosystem. It supports both procedural and object-oriented paradigms, integrates seamlessly with SAP’s data and application frameworks, and underpins a wide range of enterprise-level solutions. Improvements to category coverage span 11 existing categories and add support for the following categories in ABAP applications:
OkHttp is a Java/Kotlin/Android library for establishing client-side HTTP sessions. It supports the HTTP/2 protocol (or uses connection pooling when HTTP/2 is unavailable) and performs transparent GZIP operations, all for the purpose of optimizing network performance. The library also provides an easy-to-use request/response API, supports modern TLS cryptographic features, and allows synchronous or asynchronous response handling. Initial support detects weaknesses that span 10 existing categories.
The category 'Prompt Injection: Persistent' has been introduced as an extension of Prompt Injection, covering the case where prompt input originates from a persistent datastore. This category is reported when potentially dangerous input is used to construct an AI model's system prompt, leading to unexpected, and potentially dangerous, behavior. Coverage of this new category spans multiple AI-related libraries and frameworks across Java, JavaScript, Kotlin, Python, Scala, and TypeScript.
The Payment Card Industry (PCI) Data Security Standard (DSS) is a set of guidelines intended to protect both cardholder data and account information. To support our e-commerce and financial services customers in the area of compliance, this release supports correlation between our Fortify Taxonomy categories and the requirements specified in the latest version of the Payment Card Industry Data Security Standard, version 4.0.1.
The Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses (CWE Top 25) was introduced in 2019 and replaces SANS Top 25. Released in November of 2024, the 2024 CWE Top 25 is determined using a heuristic formula that normalizes the frequency and severity of vulnerabilities reported to the National Vulnerability Database (NVD) over the past two years. To support our customers who want to prioritize their auditing around the most commonly reported critical vulnerabilities in the NVD, a correlation of the Fortify Taxonomy to the 2024 CWE Top 25 has been added.
MISRA is a collaboration across manufacturers, component suppliers, academics, and engineering consultancies that seeks to promote best practices spanning safety- and security-related electronic systems and other software-intensive applications. The MISRA C++ 2023 Guidelines provide guidance for C++ programming to help identify code and coding practices that will negatively affect program safety, security, and reliability. To support our customers who seek to attain compliance with MISRA C++ 2023, a correlation of the Fortify Taxonomy to the MISRA C++ 2023 guidelines that have security impact has been added.
In this release, we invested resources to reduce the number of false positive issues, refactor for consistency, and improve the ability for customers to audit issues. Customers can also expect to see changes in reported issues related to the following:
False Positive Reduction and Other Notable Detection Improvements
Work has continued with the effort to remove false positives in this release. Customers can expect further removal of false positives, and other notable improvements related to the following areas:
Fortify SecureBase combines checks for thousands of vulnerabilities with policies that guide customers. The following updates are available immediately using SmartUpdate.
Deserializing user-provided or otherwise untrusted data with the Python pickle library can cause dynamic code execution during the deserialization process. This release includes a check to detect unsafe usage of the Python pickle library in affected web applications.
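As an added illustration of the weakness the pickle check targets (example code written for this page, not Fortify's check logic), the snippet below contrasts a plain `pickle.loads` with an allowlisting `Unpickler` that refuses to resolve any global not explicitly permitted; the sample payloads are constructed inline.

```python
import collections
import datetime
import io
import pickle

# Allowlist of (module, name) pairs the unpickler may resolve. A standard
# pickle.loads() resolves *any* global named in the stream, which is what turns
# untrusted pickle data into code execution. Here only benign globals are allowed.
SAFE_GLOBALS = {
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves allowlisted globals; everything else is refused."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load global {module}.{name}")


def unsafe_loads(data: bytes):
    """The pattern the check flags: deserializing untrusted bytes directly."""
    return pickle.loads(data)


def restricted_loads(data: bytes):
    """Hardened form: same stream, but globals are gated through find_class."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def classify_payload(data: bytes) -> str:
    """Return 'ok' if the payload loads under the allowlist, 'blocked' otherwise."""
    try:
        restricted_loads(data)
        return "ok"
    except pickle.UnpicklingError:
        return "blocked"


# Constructed sample payloads (no GLOBAL opcode, an allowlisted global, and a
# benign but non-allowlisted global standing in for anything an attacker names).
SAMPLE_PAYLOADS = {
    "plain_dict": pickle.dumps({"user": "alice", "roles": ["admin"]}),
    "allowed_global": pickle.dumps(collections.OrderedDict(a=1)),
    "other_global": pickle.dumps(datetime.date(2025, 1, 1)),
}
```

Note that `unsafe_loads` accepts all three payloads, while `classify_payload` blocks the third even though it is harmless here; an allowlist is a coarse gate, and data that only needs to carry plain values is better served by a format such as JSON.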
HTTP headers are key-value pairs sent between the client and server to provide additional information for handling HTTP requests and responses. Browser vendors mark some HTTP headers as deprecated when they no longer maintain, support, or enhance their implementation of the header. Use of these headers might create a false sense of security and increase the site's exposure. This release includes a check to detect whether the X-XSS-Protection header is enabled.
The Apache HTTP Server is vulnerable to Filename Confusion attacks identified by CVE-2024-38474. A substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier enables an attacker to execute scripts in directories that are allowed by the configuration but not accessible through any URL, or to expose the source code of scripts that should only be run as CGI. This results in code execution or source code disclosure. This release contains a check to detect this vulnerability in Apache HTTP Server.
The Payment Card Industry (PCI) Data Security Standard (DSS) is a set of guidelines intended to protect both cardholder data and account information. To support our e-commerce and financial services customers' compliance needs, this release contains a correlation of the WebInspect checks to the requirements specified in the latest version of the Payment Card Industry Data Security Standard, version 4.0.1.
The Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses (CWE Top 25) was introduced in 2019 and replaces the SANS Top 25. Released in November, the 2024 CWE Top 25 is determined using a heuristic formula that normalizes the frequency and severity of vulnerabilities reported to the National Vulnerability Database (NVD) over the past two years. This SecureBase update includes checks that map either directly to a category identified by the CWE Top 25, or to a CWE-ID related to a CWE-ID in the Top 25 via a “ChildOf” relationship.
A policy customized to include checks relevant to PCI DSS 4.0.1 has been added to the WebInspect SecureBase list of supported policies.
A policy customized to include checks relevant to 2024 CWE Top 25 has been added to the WebInspect SecureBase list of supported policies.
In this release, we invested resources to further reduce the number of false positives and improve the ability for customers to audit issues. Customers can also expect to see changes in reported findings related to the following areas.
The display name of RubyCE_Audit_Mode is changed from Aggressive_Audit to RubyCE_Audit_Mode.
The display name of AllowDenialOfServiceTesting is changed from Enable DoS Testing to Allow Denial of Service (DoS) Testing.
The research team builds, extends, and maintains a variety of resources outside our core security intelligence products.
To accompany the new correlations, this release also contains a new report bundle for Fortify Software Security Center with support for PCI DSS 4.0.1, MISRA C++ 2023, and 2024 CWE Top 25, which is available for download from the OpenText Application Security Customer Portal under Premium Content.
The OpenText Fortify Taxonomy site, which contains descriptions for newly added category support, is available at https://vulncat.fortify.com.
OpenText Fortify https://softwaresupport.softwaregrp.com/
+1 (800) 509-1800
Senior Manager, Software Security Research
OpenText Fortify
hoole@opentext.com
+1 (514) 281-5551 ext. 75119
Manager, Software Security Research
OpenText Fortify
jalwine@opentext.com
Product Manager, Fortify SAST
OpenText Fortify
pblay@opentext.com
+1 (415) 500-9546
© Copyright 2025 OpenText or one of its affiliates. The information contained herein is subject to change without notice. The only warranties for Open Text products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Open Text shall not be liable for technical or editorial errors or omissions contained herein.