Fortify Static Code Analyzer
The following features have been added to Fortify Static Code Analyzer.
Platforms
macOS 14 support
Languages
Angular 16.1 and 16.2
Apex 59 and 60
C23
Dart 3.1
Django 5.0
Flutter 3.13
Go 1.21 and 1.22
Java 21
Kotlin 1.9
PHP 8.3
Scala 3, versions 3.3-3.4
Swift 5.10
TypeScript 5.1 and 5.2
Visual Basic (VB.NET) 16.9
Compilers
gcc 13
g++ 13
Swiftc 5.9.2, 5.10
Build tools
Bazel 6.4.0
CMake 3.23.3 and later
MSBuild 17.9
xcodebuild 15.3
Features/Updates
ARM JSON Templates (IaC)
AWS CloudFormation (IaC)
Scanning .NET requires .NET SDK 8.0.
The default Python version is now 3.
The default scan policy has changed from classic to security. The security scan policy excludes issues related to code quality from the analysis results.
Ability to specify the location of a custom supported JDK or JRE version that is not included in the Fortify Static Code Analyzer installation
Fortify Static Code Analyzer automatically detects the content of files with a .cls extension to determine if they are Apex or Visual Basic code. This removes the need to include the -apex option, which is now deprecated.
Updated LOC (lines of code) calculation: To better align with the LOC count shown by code editors, Fortify Static Code Analyzer now reports the total number of lines of code, including blank lines and comments. Due to this change, when you upload an artifact created with Fortify Static Code Analyzer 24.2.0 (or later) to an SSC application version that already contains artifacts generated by earlier versions of Fortify Static Code Analyzer, a one-time approval may be required if the following processing rule is enabled: "Require approval if line count differs by more than 10%". Once a 24.2.0 artifact has been approved in an application version, subsequent 24.2.0 uploads to that application version will no longer trigger the processing rule unless the LOC count changes due to significant code changes or changes in the scan setup.