Micro Focus Fortify Software v21.1.0

Release Notes

Document Release Date: August 9, 2021
Software Release Date: July 13, 2021



This document provides installation and upgrade notes, known issues, and workarounds that apply to release 21.1.0 of the Fortify product suite.

This information is not available elsewhere in the product documentation. For information on new features in this release, see What's New in Micro Focus Fortify Software 21.1.0, which is downloadable from the Micro Focus Product Documentation website:




Accessing Fortify Documentation

The Fortify Software documentation set contains installation, user, and deployment guides. In addition, you will find technical notes and release notes that describe new features, known issues, and last-minute updates. You can access the latest HTML or PDF versions of these documents from the Micro Focus Product Documentation website:


If you have trouble accessing our documentation, please contact Fortify Customer Support.


Complete instructions for installing Fortify Software products are provided in the documentation for each product.

Updating Security Content after a Fortify Software Security Center Upgrade

If you have upgraded your Fortify Software Security Center instance but you do not have the latest security content (Rulepacks and external metadata), some generated reports (related to 2011 CWE) might fail to produce accurate results. To solve this issue, update the security content. For instructions, see the Micro Focus Fortify Software Security Center User Guide.


There is a landing page (https://fortify.github.io/) for our consolidated (Fortify on Demand + Fortify On-Premise) GitHub repository. It contains links to engineering documentation and the code to several projects, including a parser sample, our plugin framework, and our JavaScript Sandbox Project.

Fortify Static Code Analyzer

·         Structural results - Most structural issues will show new instance IDs. The algorithm that computes instance IDs for structural issues now produces more variance than previous IDs that often differed only in the final digit.

·         COBOL: If you plan to scan COBOL on a Windows system via automation, update the group policy so that Error Reporting does not require user intervention when an error occurs.

1.       Click the Windows Start button.

2.       Type gpedit.msc

3.       Navigate to Computer Configuration->Administrative Templates->Windows Components->Windows Error Reporting

4.       In the right pane, click on Prevent display of the user interface for critical errors and set it to Enabled.

·         Kotlin

If you have Java code in your project that references Kotlin source, Kotlin functions called in Java are only resolved if the parameters and return types are built-in types or types defined in the same file as the called function definition.

Fortify Software Security Center

·         REST API token endpoint /api/v1/auth/obtain_token was removed. Please use the /api/v1/tokens endpoint instead.

·         Endpoint /api/v1/auth/token  has been disabled by default.  /api/v1/tokens should be used instead. If you use the Fortify Extension for Visual Studio or Fortify Audit Workbench version 20.2.x or earlier, connect to Fortify Software Security Center using the X.509 or Kerberos SSO authentication method and enable the /api/v1/auth/token endpoint using the following property <fortify.home>/<app_context>/conf/app.properties file: rest.enableLegacyTokenEndpoint=true. We recommend that you enable the legacy endpoint only for the transitional phase and remove the property after Fortify Extension for Visual Studio and Fortify Audit Workbench are upgraded to 21.1.x. 

·         The Governance module, which has been obsolete for some time, has been removed. We also removed several endpoints, tables, and alerts:

·         The following endpoints were removed: 
/upload/documentArtifactUpload.html, /download/documentArtifactDownload.html, /download/activitySignOffFprDownload.html, /download/requirementTemplateSignOffFprDownload.html. 

·         The following SOAP endpoints perform no actions: uploadDocumentArtifact, downloadArtifact

·         SSC Report Templates for Application Summary, Security at a Glance, Hierarchical Summary and Issue Trending reports were updated and no longer query removed database tables. If you use custom generated Report Templates, especially if based on aforementioned templates, make sure your templates do not query any of the removed tables:  activitycommentactivityinstance, activitysignoff, documentai, documentartifact, documentartifact_def, documentdefinstance, measurementinstance, projectstateai, requirementcomment, requirementinstance, requirementsignoff, requirementtemplatecomment, requirementtemplateinstance, requirementtemplatesignoff, savedevidence, sdlhistory, taskcomment, taskinstance, timelapse_event, timelapseai, variableinstance


·         If you have system alerts that monitor Governance events (Document Artifact Created/Updated/Deleted, Due Date Updated, Persona Assignment Updated, Work Owner Updated), extract any data you wish to preserve for future reference from these alerts (e.g. list of monitored application versions). These alerts will never trigger and will be removed by migration.


·         The unused userOnly flag caused confusion so it has been removed from the payloads of the /roles and /authEntities/{parentId}/roles endpoints (where it was ignored) and /permissions and /roles/{parentId}/permissions endpoints (where its value was always false and had no real use). We recommend that you remove this flag from any scripts calling these endpoints.

·         The userType (SSO/LOCAL) read-only flag was exposed in /localUsers endpoint payloads. For a long time, only LOCAL user types have been used in Fortify Software Security Center and represent users with standard functionality. SSO user types will not be able to log in to Fortify Software Security Center using username + password authentication anymore. Any legacy local users of SSO user type with existing password will be migrated to LOCAL user type to preserve their ability to log in.

·         To improve security, the ssc-webapp container does not run with privileged user (UID 0) anymore. The container will run with a standard user (UID 1111). Migration is handled automatically by distributed SSC Helm chart.

Fortify ScanCentral SAST

Fortify WebInspect, Fortify WebInspect Enterprise, and Fortify ScanCentral DAST

·         Do not install the Functional Application Security Testing (FAST) proxy on the same machine as Fortify WebInspect, a Fortify WebInspect installation running the sensor service in a DAST environment, or a Fortify WebInspect sensor being used with Fortify WebInspect Enterprise.


The following are known problems and limitations in Fortify Software 21.1.0. The problems are grouped according to the product area affected.

Fortify Software Security Center

This release has the following issues:

·         When sending issues to Audit Assistant for training, you may need to click the SEND FOR TRAINING button twice to update the status. 

Fortify ScanCentral SAST

Fortify Static Code Analyzer

This release has the following issues:

·         Due to major improvements in our scanning capabilities for Go, PHP, Kotlin and Python, some issues will be assigned a new Instance ID and marked as New. The previous finding will be marked as removed.

·         Visual Studio 2019 update 16.7 and later brings .NET Core SDK 3.1.403, which is not yet supported by Fortify Static Code Analyzer and can result in translation issues. As a workaround, Fortify recommends you downgrade the .NET Core SDK to version 3.1.109 (the latest version that Fortify Static Code Analyzer currently supports).

·         MSBuild versions 16.10 and later are not yet supported by FortiFfy Static Code Analyzer. As Visual Studio 2019 comes with a corresponding version of MSBuild, we advise not upgrading Visual Studio 2019 to version 16.10 or later at this time to avoid running into this issue.

Fortify Audit Workbench, Secure Code Plugins, and Extensions

This release has the following issue:

Fortify ScanCentral DAST

This release has the following issues:

·         You may receive an AUTH SETTINGS HAVE BEEN CHANGED AND MUST BE VALIDATED message and a Validate button on your display after importing and validating a Postman collection file that uses Dynamic Authentication in the Scan Settings Configuration wizard. If this occurs and there are no errors or changes to the settings in the Postman Validation dialog box, click Validate.
After the settings have been validated again, click OK to accept the settings.

Fortify WebInspect

This release has the following issue:


·         WebInspect does not support Global variables or Data variables in Postman. However, it does support Environment and Collection variables as well as Local variables in a collection. Workaround: You can specify Global variables and Data variables in an Environment, which is a set of variables that you can use in your Postman requests.

Fortify WebInspect Tools

This release has the following issue:

For more information, including procedures for using the Logout Condition Editor, see the Web Macro Recorder with Macro Engine 6.0 help or the Micro Focus Fortify WebInspect Tools Guide.


Note: For a list of technologies that will lose support in the next release, please see the “Technologies to Lose Support in the Next Release” topic in the Micro Focus Fortify Software System Requirements document. This section relates to features that will change or be removed in the near future.

Fortify Software Security Center

·         Fortify recommends the use of REST API (/api/v1/* and /download/*) endpoints instead of SOAP API (/fm-ws/*) endpoints. While you can still use the SOAP API, we are in the process of removing SOAP API support.

Fortify ScanCentral SAST

·       The Fortify ScanCentral SAST CLI --exclude-disabled-projects (-edp) option for the start and package commands will be removed in the next release.

Fortify Static Code Analyzer



Note: For a list of technologies that are no longer supported in this release, please see the “Technologies no Longer Supported in this Release” topic in the Micro Focus Fortify Software System Requirements document. This list only includes features that have lost support in this release.


If you have questions or comments about using this product, contact Micro Focus Fortify Customer Support using the following option.

To Manage Your Support Cases, Acquire Licenses, and Manage Your Account: https://www.microfocus.com/support.


© Copyright 2021 Micro Focus or one of its affiliates.


The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice. 

Restricted Rights Legend

Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.