Micro Focus Fortify Software v18.20 Release Notes

Document Release Date: November 2018
Software Release Date: November 2018

IN THIS RELEASE

This document provides installation and upgrade notes, known issues, and workarounds that apply to release 18.20 of the Fortify product suite. This information is not available elsewhere in the product documentation. For information on new features in this release, see What's New in Micro Focus Fortify Software 18.20, which is downloadable from the Micro Focus Product Documentation website: https://www.microfocus.com/support-and-services/documentation.

*** Release Update ***

Micro Focus Fortify WebInspect Enterprise software will be made available in the near future. Right before release, an issue was discovered and a decision was made to delay the release instead of immediately requiring a patch. Because the documentation was already complete when the issue was discovered, you will find references to Micro Focus WebInspect Enterprise version 18.20 in the What's New in Micro Focus Fortify 18.20 document and the Micro Focus Fortify Software System Requirements document for release 18.20. When the software is ready to download, you will be notified by email.

FORTIFY DOCUMENTATION UPDATES

*** Accessing Fortify Documentation

The Fortify Software documentation set contains installation, user, and deployment guides. In addition, you will find technical notes and release notes that describe new features, known issues, and last-minute updates. You can access the latest HTML or PDF versions of these documents from the Micro Focus Product Documentation website: https://www.microfocus.com/support-and-services/documentation. If you have trouble accessing our documentation, please contact Fortify Customer Support.

Note: Documentation prior to the 18.10 release can be found on the Protect 365 Community website: https://community.softwaregrp.com/t5/Fortify-Product-Documentation/ct-p/fortify-product-documentation.
*** Fortify WebInspect URL Changes

The following URLs have changed and are now incorrect in the help:

* The license service URL is now https://licenseservice.fortify.microfocus.com/.
* The SmartUpdate URL is now https://smartupdate.fortify.microfocus.com/.
* The Support Channel URL is now https://supportchannel.fortify.microfocus.com/.

These URLs are correct in the 18.20 PDF documents available at https://www.microfocus.com/support-and-services/documentation/.

INSTALLATION AND UPGRADE NOTES

Complete instructions for installing Fortify Software products are provided in the documentation for each product.

*** Updating Security Content after a Fortify Software Security Center Upgrade

If you have upgraded your Fortify Software Security Center instance but do not have the latest security content (Rulepacks and external metadata), some generated reports (those related to the 2011 CWE) might fail to produce accurate results. To solve this issue, update the security content. For instructions, see the Micro Focus Fortify Software Security Center User Guide.

USAGE NOTES FOR THIS RELEASE

There is a landing page (https://fortify.github.io/) for our consolidated (Fortify on Demand + Fortify On-Premise) GitHub repository. It contains links to engineering documentation and the code for several projects, including a parser sample, our new plugin framework, and our JavaScript Sandbox Project.

*** Fortify Static Code Analyzer

* Structural results -- Most structural issues will show new instance IDs. The algorithm that computes instance IDs for structural issues now produces more variance than the previous IDs, which often differed only in the final digit.

*** Fortify Static Code Analyzer Tools

* Support for Kerberos SSO in Audit Workbench and the secure coding plugins for Eclipse and Visual Studio is limited to the Windows platform.
*** Fortify Software Security Center

* In SSC 18.20, a bug has been discovered where SMTP settings are not persisted when SSC's application server is restarted. After each restart, the SMTP settings need to be re-entered and saved in SSC. To remediate this bug, follow the readme instructions provided with ssc-core-18.20.1072.jar. This jar/readme is available on the Customer Portal and here:

  SFTP Access: sftp -o Port=2222 ssc1820@ftp-pro.houston.softwaregrp.com
               sftp -P 2222 ssc1820@ftp-pro.houston.softwaregrp.com
  HTTPS Access: https://ftp-pro.houston.softwaregrp.com/mffts
  FTP Access: ftp://ssc1820:qi+VG5er@ftp-pro.houston.softwaregrp.com
  Drop Box Host: ftp-pro.houston.softwaregrp.com (15.124.2.77, Failover: 15.124.2.77)
  Login: ssc1820
  Password: qi+VG5er (NOTE: CASE-sensitive)
  Last Modified: 10/30/2018 8:09:54 PM
  Expire Notice: scheduled for 1/14/2019 12:00:00 AM
  Valid Until: 1/28/2019 8:09:54 PM (90 days)
  Access Type: read-only

* To use X.509 authentication in Software Security Center, the Unlimited Cryptography Strength Jurisdiction Policy is required. It is included by default with Oracle JDK version 1.8.161+ and OpenJDK 1.8.161+. You may also need to install a certificate for Software Security Center in the same runtime environment if a self-signed certificate is used for an HTTPS connection.
* Premium reports based on SSC 18.20, downloaded from the Customer Portal, will not be compatible with prior versions of SSC.
* 18.10 and later versions contain performance fixes that require a longer migration. Databases over 1 TB may take 5 hours or more.
* You must install a trusted CA certificate in the Java Runtime environment on both the Fortify Software Security Center and Fortify WebInspect servers to view Fortify WebInspect scan results within Fortify Software Security Center or to launch a 'Guided Scan' from the Fortify Software Security Center legacy user interface (4.30).
* JavaScript Sandbox Project (https://fortify.github.io/ssc-js-sandbox-docs/) -- A utility designed to showcase customer-requested scenarios leveraging the Fortify Software Security Center RESTful API. The code is available, as is tutorial-style documentation.

NOTICES OF PLANNED CHANGES

This list serves as notification of technologies that will not be supported in our 19.1 release. This list is not exhaustive and is subject to change without notice. It is based on information known at the time of the 18.20 release.

*** Fortify Software Security Center

After this release, we will no longer support:
* SQL Server 2014
* Internet Explorer 11
* Service Integrations: JIRA 7.4

*** Fortify Static Code Analyzer

After this release, we will no longer support:
* Bamboo 6.2
* Xcodebuild 9.x
* Swiftc 4.0.3, 4.1
* All compilers on HP-UX, IBM AIX, Solaris
* Operating systems: Windows 7, HP-UX, IBM AIX, and Solaris

*** Fortify Static Code Analyzer Tools

After this release, we will no longer support:
* Android Studio 2.3.x
* Eclipse 4.6, 4.7
* IntelliJ IDEA 2017.x
* WebStorm 2017.x

TECHNOLOGIES NOT SUPPORTED IN THIS RELEASE

*** Fortify Software Security Center

The following technologies are not supported in this release:
* Flex/Flash
* MySQL 5.6
* Apache Tomcat 8.5
* macOS 10.12
* Process Designer
* Legacy (4.30) user interface
* Legacy Parsers:
  o Whitehat
  o Runtime
  o Real-Time Analyzer (RTA)
  o PenTest Analysis
  o Program Trace Analyzer (PTA)
  o AppScan
  o AppDetective

*** Fortify Static Code Analyzer

The following technologies are not supported in this release:
* Xcodebuild 8.x
* Apple LLVM (clang) 8.x
* Swiftc 3.1
* macOS 10.12

*** Fortify Static Code Analyzer Tools

The following technologies are not supported in this release:
* IntelliJ 2016.x
* The Process Designer utility

KNOWN ISSUES

The following are known problems and limitations in Fortify Software 18.20. The problems are grouped according to the product area affected.
*** Fortify Software Security Center

This release has the following issues:
* You can no longer file a bug in Visual Studio Online; NTLM authentication is no longer supported by Microsoft.
* The Policy drop-down on the Administration/Audit Assistant page lists only the first ten policies on the Audit Assistant server.
* Occasionally, you can't download reports in MS Word format (DOC).
* The Buglink URL contains an additional slash when SSC is deployed at root. Manually removing the slash fixes the URL.
* Navigating back using 'Previous' on the Set-up Wizard after uploading your Fortify license may block you from proceeding to the next step. Restart Tomcat and re-import the license.
* "Enhanced security, security manager" for BIRT Reports can't be enabled if MySQL Connector/J 5.1.41 or newer is used.
* Fortify Software Security Center must be deployed as a single instance and not behind a load balancer.
* Your LDAP server (single or multiple) should not be configured behind a load balancer.

*** Fortify Static Code Analyzer

This release has the following issues:
* Python: Longer scan times and out-of-memory issues. Some Python projects use more memory than usual during the scan phase. This can result in significantly longer scan times, OutOfMemory exceptions, or lost issues when compared to an 18.10 scan. For a Python 2 project, the workaround is to fall back to the legacy Python 2 translator. For a Python 3 project, the workaround is to continue to use Fortify Static Code Analyzer 18.10. 18.10 FPR files can be used in an 18.20 Fortify Software Security Center environment and with 18.20 Fortify tools such as Fortify Audit Workbench and the plugins.
* Swift: Null Pointer Exception during High Order Analysis (in StackCESKMachinery.java) of a Swift app. There is a known issue with Fortify Static Code Analyzer that causes an NPE when scanning Swift apps. The issue occurs when the name of a variable or constant inside a computed property is identical to the property name. Use different names for the computed property and the variable or constant inside it to work around this issue.
* Swift: Error opening input file (No such file or directory) [ERROR 1103] Translator execution failed. There is a known issue with Fortify Static Code Analyzer where it throws "error opening input file //R.swift (no such file or directory)" while translating the R.swift library. As a workaround, remove the offending line from the file ~/.fortify/sca18.2/build//swift-filelist.txt. Do not issue a sourceanalyzer clean (sourceanalyzer -b -clean) command; instead, redo the translation with xcodebuild clean build.
* .NET: There is a known issue in .NET binary translation that may not work correctly if multiple binaries are translated with separate Fortify Static Code Analyzer invocations using the same build ID across all invocations. This scenario is intended to enable scanning the entire set of translation results with a single Fortify Static Code Analyzer invocation. The issue manifests as numerous translation and scan errors. As a workaround, use MSBuild integration or the Fortify Extension for Visual Studio to translate .NET projects if this issue is observed.
* Due to limitations of the .NET translator design, we are currently unable to track dataflows through callback arguments of .NET API calls that are specified as delegate objects or function names (also known as method group expressions). This issue does not occur if callback arguments are passed as lambda expressions or anonymous methods. We will improve the translator design in a future release to enable dataflow tracking through these arguments in all forms in which they can appear in the source code.
* Scan Wizard does not support scanning Apex and Visualforce code in this release.
*** Fortify Audit Workbench, Secure Coding Plugins and Extensions

This release has the following issues:
* Fortify Complete plugin for Eclipse 4.7+ - The progress dialog is not displayed by default when you, for example, open an FPR or start a scan. Instead, there is a progress indicator at the bottom right corner of the window that you can click to see how things are progressing. If you prefer to see the dialog, go to Window > Preferences > General and clear the "Always run in background" check box.
* Fortify Audit Workbench - Issues you suppress might still appear in the issues list. If this occurs, choose Options > Show Suppressed Issues and disable the Show Suppressed Issues function.
* Security Assistant for Eclipse requires an Internet connection for the first run. If you don't have an Internet connection, you will get an "Updating Security Content" error unless you copied the rules manually.
* Security Assistant for Eclipse cannot download Security Content if the Fortify Complete plugin for Eclipse is also installed. Uninstall the Fortify Complete plugin first.
* If you switch between the TFS and JIRA7 bug trackers, you must restart Fortify Audit Workbench/Eclipse or you will get an internal error while validating credentials.
* The JIRA7 and TFS bug trackers in Audit Workbench and the Eclipse Complete plugin do not fill in the issue summary and description. You can enter the values manually or contact support for updated versions of the plugins.

*** Fortify Runtime Products (Fortify WebInspect Runtime Agent)

This release has the following issues:
* Running the Runtime Agent on a Windows 2003 machine requires installing the Advanced Encryption Standard (AES) cipher suites in the Schannel.dll module for Windows Server 2003. Download the hotfix from Microsoft support: https://support.microsoft.com/en-us/kb/948963.
* Setup Wizard and Configuration Editor are not supported on AIX due to GUI incompatibilities.
* If you are running Fortify Runtime or the Application Defender runtime agent on JBoss 6.10 or later and you cannot start the runtime agent, you must modify the bin/standalone.conf (Unix or Linux) or bin\standalone.conf.bat (Windows) file under your JBoss home as follows:
  1. Append the following to the -Djboss.modules.system.pkgs=org.jboss.byteman VM option: ,org.jboss.logmanager,com.fortify
  2. Add the following VM options. Substitute the full path to the JBoss home for <JBoss_home> and the version of the jar file for your JBoss release for <jar_file_version>:
     -Djava.util.logging.manager=org.jboss.logmanager.LogManager
     -Xbootclasspath/p:<JBoss_home>/modules/org/jboss/logmanager/main/<jar_file_version>.jar
     -Xbootclasspath/p:<JBoss_home>/modules/org/jboss/logmanager/log4j/main/<jar_file_version>.jar
     -Xbootclasspath/p:<JBoss_home>/modules/org/apache/log4j/main/<jar_file_version>.jar
  If you are running JBoss 7.1.1 and it is located in C:/bin/jboss/jboss-as-7.1.1.Final, add VM options similar to the following:
     -Djava.util.logging.manager=org.jboss.logmanager.LogManager
     -Xbootclasspath/p:C:/bin/jboss/jboss-as-7.1.1.Final/modules/org/jboss/logmanager/main/jboss-logmanager-1.2.2.GA.jar
     -Xbootclasspath/p:C:/bin/jboss/jboss-as-7.1.1.Final/modules/org/jboss/logmanager/log4j/main/jboss-logmanager-log4j-1.0.0.GA.jar
     -Xbootclasspath/p:C:/bin/jboss/jboss-as-7.1.1.Final/modules/org/apache/log4j/main/log4j-1.2.16.jar
* Due to the nature of profilers in .NET, the .NET Runtime Agent will fail to load if the COR_PROFILER_PATH environment variable is present.

SUPPORT

If you have questions or comments about using this product, contact Micro Focus Fortify Customer Support using one of the following options.

To manage your support cases, acquire licenses, and manage your account: https://softwaresupport.softwaregrp.com.

To call Support: 844.260.7219

LEGAL NOTICES

Copyright © 2018 Micro Focus or one of its affiliates

Warranty

The only warranties for products and services of Micro Focus and its affiliates and licensors ("Micro Focus") are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend

Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.
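The standalone.conf edits for the JBoss runtime agent issue in the Known Issues section above, applied by a small shell script so the change can be repeated safely. This is an added example, not Micro Focus tooling; it assumes the Unix standalone.conf form (JAVA_OPTS lines, with -Djboss.modules.system.pkgs=org.jboss.byteman already present as JBoss AS 7 ships it) and that the caller supplies the JBoss home and the three jar file names for its release.

```shell
#!/bin/sh
# Added example, not Micro Focus tooling: apply the two standalone.conf
# edits for the Fortify runtime agent on JBoss 7.x, skipping edits that
# are already in place. Assumptions: Unix standalone.conf with a JAVA_OPTS
# line carrying -Djboss.modules.system.pkgs=org.jboss.byteman; the caller
# passes the JBoss home and the three jar file names for its release.
# -Xbootclasspath/p is a Java 8 and earlier option, matching the JBoss 7 era.

# Step 1: append ",org.jboss.logmanager,com.fortify" to the system.pkgs
# option, leaving the file untouched if com.fortify is already listed.
patch_system_pkgs() {
    conf="$1"
    grep -q 'Djboss\.modules\.system\.pkgs=[^" ]*com\.fortify' "$conf" && return 0
    sed -i.bak 's/\(-Djboss\.modules\.system\.pkgs=[^" ]*\)/\1,org.jboss.logmanager,com.fortify/' "$conf"
}

# Step 2: add the logmanager and bootclasspath VM options, once only.
add_logmanager_opts() {
    conf="$1"; home="$2"; logmgr="$3"; bridge="$4"; log4j="$5"
    grep -q 'org\.jboss\.logmanager\.LogManager' "$conf" && return 0
    cat >> "$conf" <<EOF
# Fortify runtime agent: route JBoss logging through jboss-logmanager
JAVA_OPTS="\$JAVA_OPTS -Djava.util.logging.manager=org.jboss.logmanager.LogManager"
JAVA_OPTS="\$JAVA_OPTS -Xbootclasspath/p:$home/modules/org/jboss/logmanager/main/$logmgr"
JAVA_OPTS="\$JAVA_OPTS -Xbootclasspath/p:$home/modules/org/jboss/logmanager/log4j/main/$bridge"
JAVA_OPTS="\$JAVA_OPTS -Xbootclasspath/p:$home/modules/org/apache/log4j/main/$log4j"
EOF
}

# Constructed sample standalone.conf (one JAVA_OPTS line) in a temp file.
make_sample_conf() {
    f=$(mktemp)
    printf '%s\n' 'JAVA_OPTS="$JAVA_OPTS -Djboss.modules.system.pkgs=org.jboss.byteman"' > "$f"
    echo "$f"
}

# Dry run against the constructed sample; prints the patched file.
demo() {
    f=$(make_sample_conf)
    patch_system_pkgs "$f"
    add_logmanager_opts "$f" /opt/jboss-as-7.1.1.Final \
        jboss-logmanager-1.2.2.GA.jar jboss-logmanager-log4j-1.0.0.GA.jar log4j-1.2.16.jar
    cat "$f"
}

case "${1:-}" in --demo) demo ;; esac
```

Run it as `sh patch_standalone.sh --demo` to see the result on the sample; against a real install, call the two functions with the path to your own standalone.conf (a .bak copy is left beside it).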