Micro Focus Fortify Software v20.2.0

Release Notes

Document Release Date: November 2020 (updated 3/2/2021)
Software Release Date: November 2020


IN THIS RELEASE

This document provides installation and upgrade notes, known issues, and workarounds that apply to release 20.2.0 of the Fortify product suite.

This information is not available elsewhere in the product documentation. For information on new features in this release, see What's New in Micro Focus Fortify Software 20.2.0, which is downloadable from the Micro Focus Product Documentation website:

https://www.microfocus.com/support/documentation.

FORTIFY DOCUMENTATION UPDATES3/2

Accessing Fortify Documentation

The Fortify Software documentation set contains installation, user, and deployment guides. In addition, you will find technical notes and release notes that describe new features, known issues, and last-minute updates. You can access the latest HTML or PDF versions of these documents from the Micro Focus Product Documentation website:

https://www.microfocus.com/support/documentation.

If you have trouble accessing our documentation, please contact Fortify Customer Support.

Note: Documentation prior to the 18.10 release is available on the Micro Focus Community (formerly Protect724) website: https://community.microfocus.com/t5/Fortify-Product-Documentation/ct-p/fortify-product-documentation.

INSTALLATION AND UPGRADE NOTES

Complete instructions for installing Fortify Software products are provided in the documentation for each product.

Updating Security Content after a Fortify Software Security Center Upgrade

If you have upgraded your Fortify Software Security Center instance but you do not have the latest security content (Rulepacks and external metadata), some generated reports (related to 2011 CWE) might fail to produce accurate results. To solve this issue, update the security content. For instructions, see the Micro Focus Fortify Software Security Center User Guide.

USAGE NOTES FOR THIS RELEASE


There is a landing page (https://fortify.github.io/) for our consolidated (Fortify on Demand + Fortify On-Premise) GitHub repository. It contains links to engineering documentation and the code to several projects, including a parser sample, our plugin framework, and our JavaScript Sandbox Project.

Fortify Static Code Analyzer

Fortify Software Security Center

·         REST API endpoint /api/v1/localUsers/{id} change: PUT method must contain up to date objectVersion value retrieved by a preceding GET request to the endpoint. An outdated, missing, or incorrect objectVersion value will cause a failure of the PUT request to protect LocalUser object consistency. POST and DELETE requests are not affected by the change. Note: This was incorrectly included in the Micro Focus Fortify Software Release Notes v20.1.0.

 Note: Fortify Software Security Center does not support MariaDB as a backend database. The connectionCollation=<collation_name> parameter must be replaced with sessionVariables=collation_connection=<collation_name>. The rewriteBatchedStatements=true parameter is still supported. Any additional custom JDBC URL parameters must use syntax compatible with the MariaDB driver. If you are automating an SSC deployment and configuration, please be sure to update your auto-configuration file. Use the correct syntax to specify the jdbc.url property as described above and set the value of the db.driver.class property to org.mariadb.jdbc.Driver.

·         HTTP Basic authentication is deprecated for all REST API endpoints except for /api/v1/tokens/*, /api/v1/auth/* and /api/v1/license.

·         Token-related REST endpoints (/api/v1/tokens/*) are only available via HTTP Basic Authentication and disallowed when using Token authentication. Analogously, access to the legacy SOAP InvalidateTokenRequest and GetAuthenticationTokenRequest has been removed from all the default token types. Although these requests can still be granted in a custom token definition, such use is deprecated and access via token authentication will be explicitly denied in the future. Token creation/deletion functionality is only available when authenticated to SSC via HTTP Basic Authentication or the SSC Admin UI.

·         When integrating WebInspect Enterprise / ScanCentral DAST / AWB or other Fortify Tools to work with SSC, clock skew must be minimized between the different communicating machines (suggested: less than 5 minutes, compared on UTC basis). Requests to SSC can fail if there is excessive clock skew.

Fortify WebInspect

·         ScanCentral DAST: When running a Fortify ScanCentral DAST sensor outside of a container, such as a sensor service on the same machine as a Fortify WebInspect installation, you must install the ASP.NET Core Runtime 3.1.x (Hosting Bundle) as a prerequisite.

·         LIM on Docker Requirements: The LIM on Docker container runs on and works with the following software packages:

o    Windows 10 Pro

o    Windows Server 2019

o    Docker 18.09 or later

 

KNOWN ISSUES

The following are known problems and limitations in Fortify Software 20.2.0. The problems are grouped according to the product area affected.

Fortify Software Security Center

This release has the following issues:

·         When servlet session persistence is enabled in Tomcat, a "class invalid for deserialization" exception may be thrown during Tomcat startup. It is caused by significant changes in the classes where instances can be stored in HTTP sessions. This exception can be ignored.

Fortify Static Code Analyzer

This release has the following issues:

Fortify Audit Workbench, Secure Code Plugins, and Extensions

This release has the following issues:

NOTICES OF PLANNED CHANGES

Fortify Static Code Analyzer

Note: For a list of technologies that will not be supported in the next release, please see the “Technologies to Lose Support in the Next Release” topic in the Micro Focus Fortify Software System Requirements document.

FEATURES NOT SUPPORTED IN THIS RELEASE

WebInspect

Support for Selenium IDE has been deprecated in WebInspect. However, Selenium WebDriver is still supported. Ignore content related to Selenium IDE in the WebInspect documentation.

WebInspect Enterprise

Support for Selenium IDE has been deprecated in WebInspect Enterprise. Ignore content related to Selenium IDE in the WebInspect Enterprise documentation.

Note: For a list of technologies that are no longer supported in this release, please see the “Technologies no Longer Supported in this Release” topic in the Micro Focus Fortify Software System Requirements document.

SUPPORT

If you have questions or comments about using this product, contact Micro Focus Fortify Customer Support using the following option.

To Manage Your Support Cases, Acquire Licenses, and Manage Your Account: https://www.microfocus.com/support.


LEGAL NOTICES

© Copyright 2020 Micro Focus or one of its affiliates.

Warranty


The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice. 

Restricted Rights Legend


Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.