Micro Focus Fortify Software, Version 22.1.0
Release Notes
Document Release Date: June 7, 2022


This document provides installation and upgrade notes, known issues, and workarounds that apply to release 22.1.0 of the Fortify product suite.

This information is not available elsewhere in the product documentation. For information on new features in this release, see What's New in Micro Focus Fortify Software 22.1.0, which is available on the Micro Focus Product Documentation website:



Accessing Fortify Documentation

The Fortify Software documentation set contains installation, user, and deployment guides. In addition, you may find technical notes and release notes that describe forthcoming features, known issues, and last-minute updates. You can access the latest HTML or PDF versions of these documents from the Micro Focus Product Documentation website:


If you have trouble accessing our documentation, please contact Fortify Customer Support.


Complete instructions for installing Fortify Software products are provided in the documentation for each product.

Fortify Static Code Analyzer

Migrating from a Patched Release of Fortify Static Code Analyzer: If your Fortify Static Code Analyzer installation has been patched, the last digit in the version number will be greater than zero. For instance, release 21.2.0 has a zero as the last digit which identifies it as a major release that has not been patched. Versions 20.1.6, 20.2.4, 21.1.4, and 21.2.3 are examples of patched releases. When upgrading from a patched Fortify Static Code Analyzer release, your configuration files and properties (sca.properties) may not carry over to the new installation. If you would like to migrate your configuration and properties settings to the new installation, please contact Customer Support for assistance.

Fortify ScanCentral SAST

The ScanCentral SAST client must be installed on a machine with a Java 11 runtime.


There is a landing page (https://fortify.github.io/) for our consolidated (Fortify on Demand + Fortify On-Premise) GitHub repository. It contains links to engineering documentation and the code to several projects, including a parser sample, our plugin framework, and our JavaScript Sandbox Project.

Fortify Static Code Analyzer

Fortify Software Security Center

Added restrictions: value must not start with = (equals to) + (plus) - (minus) or @ (at) character and must not contain control characters (with exception of a newline in Role's Description field). Validation is applied in both REST API and UI. This affects creating a new entity as well as updating an existing one. Affected REST API endpoints: /api/v1/localUsers, /api/v1/roles, /api/v1/projects, /api/v1/projectVersions

Thanks to GovTech (Thomas Lim and Yu Pengfei) for discovering the need for this validation.

Fortify ScanCentral SAST


The following are known problems and limitations in Fortify Software 22.1.0. The problems are grouped according to the product area affected.

Fortify Software Security Center

The migration in question adds the new Use data exports permission to any existing role that also contains a View Application Versions permission. In case any custom non-system defined roles were affected and the change was not desired, please update these roles manually after migration to 22.1.0.

Please pay attention when using tools to auto-generate API clients from Swagger spec. This might cause conflicts due to case insensitive process, and the generated client might need manual modification.

Fortify ScanCentral SAST

-targs "-exclude 'C:\My Project\src\Project1.java'"

Fortify Static Code Analyzer

Fortify Audit Workbench, Secure Code Plugins, and Tools

Fortify ScanCentral DAST

·         When importing an HTTP archive (.har) file to use as a workflow macro, the file size is limited to 4 MB. To increase the file size limit to 30MB, run the following SQL command:

IF NOT EXISTS (SELECT Id FROM ConfigurationSetting WHERE SettingName = 'UtilityWorkerServiceSettings.MaxReceiveMessageSize')

INSERT INTO ConfigurationSetting (SettingName, SettingValue, IsEncrypted)

VALUES ('UtilityWorkerServiceSettings.MaxReceiveMessageSize', '31457280', 0)


·         Global Restrictions and Application Settings Domain Restrictions are applied only for Standard Scans or API scans that use a start URL.


This section includes product features that will be removed from a future release of the software. In some cases, the feature will be removed in the very next release. Features that are identified as deprecated represent features that are no longer recommended for use. In most cases, deprecated features will be completely removed from the product in a future release. Fortify recommends that you remove deprecated features from your workflow at your earliest convenience.

Note: For a list of technologies that will lose support in the next release, please see the “Technologies to Lose Support in the Next Release” topic in the Micro Focus Fortify Software System Requirements document.

Fortify Software Security Center

Fortify ScanCentral SAST

Fortify Audit Workbench, Secure Code Plugins, and Tools


The following features are no longer supported.. Fortify Static Code Analyzer no longer supports Visual Studio Web Site projects. You must convert your Web Site projects to Web Application projects to ensure that Fortify Static Code Analyzer can scan them.

Note: For a list of technologies that are no longer supported in this release, please see the “Technologies no Longer Supported in this Release” topic in the Micro Focus Fortify Software System Requirements document. This list only includes features that have lost support in this release.


If you have questions or comments about using this product, contact Micro Focus Fortify Customer Support using the following option.

To Manage Your Support Cases, Acquire Licenses, and Manage Your Account: https://www.microfocus.com/support.


© Copyright 2022 Micro Focus or one of its affiliates.


The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice. 

Restricted Rights Legend

Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.