Micro Focus Fortify Software v18.10 Release Notes

Document Release Date: May 2018
Software Release Date: May 2018

IN THIS RELEASE

This document provides installation and upgrade notes, known issues, and workarounds that apply to release 18.10 of the Fortify software products. This information is not available elsewhere in the product documentation.

For information on new features in this release, see What's New in Fortify Software v18.10, which is downloadable from the Micro Focus Product Documentation website: https://www.microfocus.com/support-and-services/documentation.

FORTIFY DOCUMENTATION UPDATES

*** Accessing Fortify Documentation

The Fortify Software documentation set contains installation, user, and deployment guides for all Fortify Software products and components. In addition, you will find technical notes and release notes that describe new features, known issues, and last-minute updates. You can access the latest HTML or PDF versions of these documents from the Micro Focus Product Documentation website: https://www.microfocus.com/support-and-services/documentation.

If you have trouble accessing our documentation, please contact Fortify Customer Support.

INSTALLATION AND UPGRADE NOTES

Complete instructions for installing Fortify Software products are provided in the installation and configuration guides for each product.

*** Updating Security Content after a Fortify Software Security Center Upgrade

If you have upgraded your Fortify Software Security Center instance but you do not have the latest security content (Rulepacks and external metadata), some generated reports (related to 2011 CWE) might fail to produce accurate results. To solve this issue, update the security content. For instructions, see the Micro Focus Fortify Software Security Center User Guide.

USAGE NOTES FOR THIS RELEASE

There is a new landing page (https://fortify.github.io/) for our consolidated (FoD + On-Prem) GitHub repository.
It contains links to engineering documentation and the code to several projects, including a parser sample, our new plugin framework, and our JavaScript Sandbox Project.

*** Fortify Static Code Analyzer

* Structural results - Most structural issues will show new instance IDs. The algorithm that computes instance IDs for structural issues now produces more variance than the previous IDs, which often differed only in the final digit.

* To translate Python code, use the following command:

  sourceanalyzer -b -python-version -python-path

  Include the -python-path option to specify all paths used to import packages or modules. The -python-version option is required for Python 3 code, as the default is Python 2. If you use several commands with the same build ID to translate your files, always specify the same Python version. Do not mix Python 2 and Python 3 code with the same build ID.

* The Fortify Maven Plugin group ID has changed from "com.hpe.security.fortify.maven.plugin" to "com.fortify.sca.plugins.maven".

*** Fortify Static Code Analyzer Tools

* To use X.509 authentication in Software Security Center, install the Unlimited Cryptography Strength Jurisdiction Policy (http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html) into the Oracle JRE (1.8) bundled with Fortify Static Code Analyzer and Tools. You may also need to install a certificate for Software Security Center into the same JRE if a self-signed certificate is used for the HTTPS connection.

* Support for Kerberos SSO in Audit Workbench and the secure coding plugins for Eclipse and Visual Studio is limited to the Windows platform.

*** Fortify Software Security Center

* 18.10 introduces performance fixes that require a longer migration. Databases over 1 TB may take 5 hours or more.
* You must install a trusted CA certificate on the Java Runtime Environment on both the Fortify Software Security Center and Fortify WebInspect servers to view Fortify WebInspect scan results within Fortify Software Security Center or to launch a ‘Guided Scan’ from the Fortify Software Security Center legacy user interface (4.30).

* JavaScript Sandbox Project (https://fortify.github.io/ssc-js-sandbox-docs/) - A utility designed to showcase customer-requested scenarios leveraging the Fortify Software Security Center RESTful API. The code is available, as is the tutorial-style documentation.

NOTICES OF PLANNED CHANGES

This list serves as notification of technologies that will not be supported in our 18.20 release. This list is not exhaustive and is subject to change without notice. It is based on information known at the time of the 18.10 release. For supported platform deprecation notices, please see the system requirements document.

*** Fortify Runtime

Customers who are currently using Fortify Runtime are encouraged to upgrade to Fortify Application Defender, a Runtime Application Self-Protection (RASP) solution that helps mitigate risk from homegrown or third-party applications. In addition, all sales of the standalone Runtime product require pre-approval from Product Management. Fortify Application Defender provides visibility into application abuse while protecting software vulnerabilities from exploits in real time. Application Defender is available as a SaaS offering or it can be installed on-premises. For more information, see https://software.microfocus.com/software/application-defender.

*** Fortify Static Code Analyzer Tools

* The Process Designer utility will no longer be a supported tool.

*** Software Security Center

* The Fortify Software Security Center legacy user interface (4.30), which is based on Flex (Flash Player), will be deprecated in the next release.
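Returning to the Python translation note under Usage Notes above: the following added shell wrapper (example code, not part of these release notes or of the sourceanalyzer tool) records which -python-version each build ID was translated with and refuses a later run that would mix Python 2 and Python 3 under the same build ID. The state directory and the sample paths are constructed for the example; the -b, -python-version and -python-path options are the ones the note describes.

```shell
#!/bin/sh
# Added example: guard against mixing Python 2 and Python 3 sources under one
# sourceanalyzer build ID. Not from the release notes. The state directory is a
# constructed location (override it with FORTIFY_PYVER_STATE).

# record_python_version BUILD_ID VERSION
# Returns 0 if VERSION matches what BUILD_ID was translated with before (or if
# this is the first translation for that build ID); returns 1 on a mismatch.
record_python_version() {
  build_id=$1; version=$2
  state_dir=${FORTIFY_PYVER_STATE:-./.fortify-pyver}
  mkdir -p "$state_dir"
  state_file="$state_dir/$build_id"
  if [ -f "$state_file" ]; then
    prev=$(cat "$state_file")
    if [ "$prev" != "$version" ]; then
      echo "build ID '$build_id' was translated with Python $prev; refusing Python $version" >&2
      return 1
    fi
  else
    printf '%s\n' "$version" > "$state_file"
  fi
  return 0
}

# translate_python BUILD_ID VERSION PYTHON_PATH SOURCE...
# Prints the sourceanalyzer command line it will run, then runs it unless
# SCA_DRY_RUN is set (handy for checking the command line first).
translate_python() {
  build_id=$1; version=$2; python_path=$3; shift 3
  record_python_version "$build_id" "$version" || return 1
  set -- sourceanalyzer -b "$build_id" -python-version "$version" \
         -python-path "$python_path" "$@"
  printf '%s\n' "$*"
  if [ -z "$SCA_DRY_RUN" ]; then "$@"; fi
}
```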
TECHNOLOGIES NOT SUPPORTED IN THIS RELEASE

Beginning with this release, the following technologies are no longer supported.

*** Fortify Software Security Center

The following technologies are not supported in this release of Fortify Software Security Center:

* Apache Tomcat 8.0
* IBM DB2
* IBM WebSphere
* Oracle Database 12c Release 1
* Oracle WebLogic

*** Fortify SCA Tools

The following technologies are not supported in this release of Fortify Static Code Analyzer Tools:

* JDeveloper
* JIRA 7.1 bug tracker integration
* IntelliJ Ultimate 15

*** Fortify WebInspect

The following technologies are not supported in this release of Fortify WebInspect:

* Windows Server 2008 R2 SP1
* SQL Server Express 2008 R2 SP3

*** Fortify WebInspect Enterprise

The following technologies are not supported in this release of Fortify WebInspect Enterprise:

* Windows Server 2008 R2 SP1
* SQL Server Express 2008 R2 SP3
* SQL Server 2008 R2 SP2
* Firefox 33.0

*** The License Infrastructure Manager (LIM)

The following technologies are not supported in this release of the License Infrastructure Manager:

* Windows Server 2008 R2 with SP1
* Windows Server 2008 with SP2

KNOWN ISSUES

The following are known problems and limitations in Fortify Software 18.10. The problems are grouped according to the product area affected.

*** Fortify Software Security Center

This release has the following issues:

* Artifacts with suppressed issues uploaded in a different order may produce application versions with different metrics.
* The Buglink URL contains an additional slash when SSC is deployed at root. Manually removing the slash fixes the URL.
* Navigating back using ‘Previous’ in the Setup Wizard after uploading your Fortify license may block you from proceeding to the next step. Restart Tomcat and re-import the license.
* Hotkey: Using a hotkey to open a second dropdown (Group by) when the first dropdown (Filter by) is not collapsed does not work.
* Hotkey: Upload artifact (Ctrl+Alt+U) does not work when landing directly on the Audit page.
* Hotkey: Create New application (Ctrl+Alt+N) does not work from the applications list page.
* After migration, ‘Use SSC Proxy’ is not set to enabled under Rulepack updates and Audit Assistant.
* Proxy settings from previous versions may not be retained after migration.
* Fortify Software Security Center must be deployed as a single instance and not behind a load balancer.
* Your LDAP server (single or multiple) should not be configured behind a load balancer.
* "Enhanced security, security manager" for BIRT Reports can't be enabled if MySQL Connector/J 5.1.41 is used.

*** Fortify Static Code Analyzer

This release has the following issues:

* Due to limitations of the .NET translator design, we're currently unable to track dataflows through callback arguments of .NET API calls that are specified as delegate objects or function names (also known as method group expressions). This issue does not occur if callback arguments are passed in the form of lambda expressions or anonymous methods. We will improve the translator design in a future release to enable dataflow tracking through these arguments for all possible forms in which they can appear in the source code.
* If you translate a number of Visual Studio 2017 projects in quick succession (with a delay of less than 10 minutes between builds) via the Fortify Extension for Visual Studio, some translations may fail due to loss of necessary data. The suspected cause is that the Roslyn compiler server process is left running by the first build and reused by the following builds. To work around this issue, locate and kill the VBCSCompiler.exe compiler server process after each build.
* Scan Wizard does not support scanning Apex and Visualforce code in this release.
* The Django Framework is not supported for Python 3.
* The Java translator may not correctly resolve references to some types and functions of the Java standard library that were added as part of the Java 9 release. This issue will be resolved in a future release.

*** Fortify Audit Workbench, Secure Coding Plugins and Extensions, and Process Designer

This release has the following issues:

* Fortify Audit Workbench and Fortify Complete plugin for Eclipse 4.7+ - the progress dialog is not displayed when you open an FPR or start a scan. Instead, there is a progress indicator at the bottom right corner of the window that you can click to see how things are progressing.
* The PCI DSS Compliance BIRT report is not available in this release; use Fortify Tools 17.20 or earlier to generate that report. We will bring the report back in the 18.20 release.
* Fortify Audit Workbench - Issues you suppress might still appear in the issues list; if this occurs, choose Options > Show Suppressed Issues and disable the Show Suppressed Issues function.
* Security Assistant for Eclipse requires an Internet connection for the first run. If you don’t have an Internet connection, you will get an "Updating Security Content" error unless you copied the rules manually.
* If you switch between the TFS and JIRA7 bug trackers, you must restart Fortify Audit Workbench/Eclipse or you will get an internal error while validating credentials.

*** Fortify Runtime Products (Fortify Runtime, Fortify Application Logging, Fortify Runtime Application Protection, and Fortify WebInspect Runtime Agent)

This release has the following issues:

* Running the Runtime Agent on a Windows 2003 machine requires installing the Advanced Encryption Standard (AES) cipher suites in the Schannel.dll module for Windows Server 2003. Download the hotfix from Microsoft support: https://support.microsoft.com/en-us/kb/948963.
* Setup Wizard and Configuration Editor are not supported on AIX due to GUI incompatibilities.
* If you are running Fortify Runtime or the Application Defender runtime agent on JBoss 6.10 or later and you cannot start the runtime agent, you must modify the /bin/standalone.conf (Unix or Linux) or \bin\standalone.conf.bat (Windows) file as follows:

  1. Append the following to the -Djboss.modules.system.pkgs=org.jboss.byteman VM option:

     ,org.jboss.logmanager,com.fortify

  2. Add the following VM options. Substitute the full path to the JBoss home for <JBoss_home> and the version of the jar file for your JBoss release for <jar_file_version>:

     -Djava.util.logging.manager=org.jboss.logmanager.LogManager
     < jar_file_version>.jar
     < jar_file_version>.jar
     < jar_file_version>.jar

  If you are running JBoss 7.1.1 and it is located in C:/bin/jboss/jboss-as-7.1.1.Final, add VM options similar to the following:

     -Djava.util.logging.manager=org.jboss.logmanager.LogManager
     -Xbootclasspath/p:C:/bin/jboss/jboss-as-7.1.1.Final/modules/org/jboss/logmanager/main/jboss-logmanager-1.2.2.GA.jar
     -Xbootclasspath/p:C:/bin/jboss/jboss-as-7.1.1.Final/modules/org/jboss/logmanager/log4j/main/jboss-logmanager-log4j-1.0.0.GA.jar
     -Xbootclasspath/p:C:/bin/jboss/jboss-as-7.1.1.Final/modules/org/apache/log4j/main/log4j-1.2.16.jar

* Due to the nature of profilers in .NET, the .NET Runtime Agent will fail to load if the COR_PROFILER_PATH environment variable is present.

SUPPORT

If you have questions or comments about using this product, contact Micro Focus Fortify Customer Support using one of the following options.

To Manage Your Support Cases, Acquire Licenses, and Manage Your Account
https://softwaresupport.softwaregrp.com

To Call Support
844.260.7219

LEGAL NOTICES

Copyright © 2018 Micro Focus or one of its affiliates

Warranty

The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services.
Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend

Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.
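Added example for the JBoss standalone.conf procedure listed under Known Issues for the Fortify Runtime Products above (example code, not from these release notes or from Micro Focus): a POSIX shell function that applies both steps of that procedure to a Unix/Linux standalone.conf and is safe to run more than once. It assumes the file carries the system packages option on a JAVA_OPTS line, as a default JBoss 7 standalone.conf does; the JBoss home and jar versions are supplied by the caller, and the file contents used in the test are constructed.

```shell
#!/bin/sh
# Added example: apply the two standalone.conf changes from the JBoss note
# (extend -Djboss.modules.system.pkgs, add the log manager and boot classpath
# VM options). Unix/Linux standalone.conf only; not from the release notes.

# configure_fortify_logmanager CONF JBOSS_HOME LOGMGR_VER LOGMGR_LOG4J_VER LOG4J_VER
# CONF is the standalone.conf to edit; the other arguments fill <JBoss_home>
# and the <jar_file_version> placeholders of the note. Safe to run twice.
configure_fortify_logmanager() {
  conf=$1; home=$2; lm=$3; lm4j=$4; l4j=$5
  # Step 1: append ,org.jboss.logmanager,com.fortify to the system.pkgs option,
  # but only if com.fortify is not already part of that option's value.
  if ! grep -q 'jboss\.modules\.system\.pkgs=[^" ]*com\.fortify' "$conf"; then
    sed 's/\(-Djboss\.modules\.system\.pkgs=[^" ]*\)/\1,org.jboss.logmanager,com.fortify/' \
      "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
  fi
  # Step 2: add the VM options once, as additional JAVA_OPTS lines.
  if ! grep -q 'java\.util\.logging\.manager=org\.jboss\.logmanager\.LogManager' "$conf"; then
    cat >> "$conf" <<EOF
JAVA_OPTS="\$JAVA_OPTS -Djava.util.logging.manager=org.jboss.logmanager.LogManager"
JAVA_OPTS="\$JAVA_OPTS -Xbootclasspath/p:$home/modules/org/jboss/logmanager/main/jboss-logmanager-$lm.jar"
JAVA_OPTS="\$JAVA_OPTS -Xbootclasspath/p:$home/modules/org/jboss/logmanager/log4j/main/jboss-logmanager-log4j-$lm4j.jar"
JAVA_OPTS="\$JAVA_OPTS -Xbootclasspath/p:$home/modules/org/apache/log4j/main/log4j-$l4j.jar"
EOF
  fi
}

# bootclasspath_count CONF: number of -Xbootclasspath/p: lines present
# (3 once the procedure has been applied, no matter how many times it ran).
bootclasspath_count() {
  grep -c -- '-Xbootclasspath/p:' "$1"
}
```

The Windows standalone.conf.bat uses set "JAVA_OPTS=..." lines and backslash paths, so it needs the equivalent edit made by hand.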