Micro Focus Fortify Software v19.1.0
Release Notes

Document Release Date: July 31, 2019
Software Release Date: May and June 2019

Updated: August 26, 2019


This document provides installation and upgrade notes, known issues, and workarounds that apply to release 19.1.0 of the Fortify product suite.

This information is not available elsewhere in the product documentation. For information on new features in this release, see What's New in Micro Focus Fortify Software 19.1.0, which is downloadable from the Micro Focus Product Documentation website:



The contents of the Micro Focus Fortify Static Code Analyzer Installation Guide, the Micro Focus Fortify Static Code Analyzer Performance Guide, and the Micro Focus Fortify Static Code Analyzer User Guide have been combined into a single document. We now publish only the Micro Focus Fortify Static Code Analyzer User Guide.

Accessing Fortify Documentation

The Fortify Software documentation set contains installation, user, and deployment guides. In addition, you will find technical notes and release notes that describe new features, known issues, and last-minute updates. You can access the latest HTML or PDF versions of these documents from the Micro Focus Product Documentation website:


If you have trouble accessing our documentation, please contact Fortify Customer Support.

Note: Documentation prior to the 18.10 release can be found on the Micro Focus Community (formerly Protect724) website:


Beginning with this release, we have slightly altered our version numbering scheme. The first two digits represent the year of release. This is followed by a single digit to identify the release sequence within the year, and a final digit to identify the patch number. So the first release of 2019 is 19.1.0. If a patch is released, the third digit changes to 1. A release number of 19.2.1 would identify the release as the first patch release to the second release of 2019.



Complete instructions for installing Fortify Software products are provided in the documentation for each product.

Updating Security Content after a Fortify Software Security Center Upgrade

If you have upgraded your Fortify Software Security Center instance but you do not have the latest security content (Rulepacks and external metadata), some generated reports (related to 2011 CWE) might fail to produce accurate results. To solve this issue, update the security content. For instructions, see the Micro Focus Fortify Software Security Center User Guide.


There is a landing page (
https://fortify.github.io/) for our consolidated (Fortify on Demand + Fortify On-Premise) GitHub repository. It contains links to engineering documentation and the code to several projects, including a parser sample, our new plugin framework, and our JavaScript Sandbox Project.
Fortify Static Code Analyzer

·         Structural results -- Most structural issues will show new instance IDs. The algorithm that computes instance IDs for structural issues now produces more variance than previous IDs that often differed only in the final digit.

·         Java results – Some Java projects may show an increase in issue counts. We have improved our Java frontend in this release and the new design causes an increase in issues found in certain cases.

Fortify Static Code Analyzer Tools

·         Support for Kerberos SSO in Audit Workbench and the secure coding plugins
for Eclipse and Visual Studio is limited to the Windows platform.

·         The Fortify Jenkins Plugin is no longer included with the Fortify_SCA_and_Apps package.
This plugin is now available on the Jenkins Plugins Index and you can download and install this plugin directly from Jenkins. Go to Manage Plugins, click the Available tab, and then select the "Fortify" plugin.

·         Scan Wizard is no longer shipped as a standalone application, but it is still included in the Fortify_SCA_and_Apps installer. You can request a standalone version from Fortify Customer Support.

·         In order to prevent potential conflicts, the Fortify CloudScan Controller should not be run on the same Tomcat instance as Fortify Software Security Center.


Fortify Software Security Center

·         To use x.509 authentication in Software Security Center, the Unlimited Cryptography Strength Jurisdiction Policy is required. This is included by default with Oracle JDK version 1.8.161+ and OpenJDK 1.8.161+. You may also need to install a certificate for Software Security Center to the same runtime environment if a self-signed certificate is used for an HTTPS connection.

·         Premium reports based on SSC 18.20 and later versions, downloaded from the Customer Portal, are not compatible with versions prior to SSC 18.20. 

·         18.10 and later versions contain performance fixes that require longer migration. Migration of databases with over 1 TB of data might take 5 hours or more. You must install a trusted CA certificate on the Java Runtime environment on both the Fortify Software Security Center and Fortify WebInspect servers to view Fortify WebInspect scan results within Fortify Software Security Center.

·         JavaScript Sandbox Project (https://fortify.github.io/ssc-js-sandbox-docs/)
-- A utility designed to showcase customer requested scenarios leveraging the Fortify Software Security Center RESTful API. The code is available as well as the tutorial style documentation.

Fortify WebInspect

·         The new login and workflow macro recorder in Fortify WebInspect provides improved scan speeds as well as better support for modern single-page applications.  However, it also requires more resources.  If you elect to use this upgraded tool, then Micro Focus suggests that you use it with the recommended hardware requirements of 4 CPU cores and 16 GB of RAM or greater.

·         Windows Server 2012 R2 is currently included as a supported Operating System, however our real-world experience has shown this OS version to have major reliability problems related to SSL and TLS.  We will drop support for this operating system in our next release, and we urge customers to upgrade their operating systems as soon as possible.



This list serves as notification of technologies that will not be supported in our 19.2.0 release. This list is not exhaustive and is subject to change without notice. It is based on information known at the time of the 19.1.0 release.

Fortify Software Security Center

No planned changes in SSC 19.1.0.

Fortify Static Code Analyzer Tools

After this release, we will no longer support:

·         Android Studio 3.0

·         Eclipse 4.8, 4.9

·         Visual Studio 2013

Fortify WebInspect

After this release, we will no longer support:

·         Windows Server 2012 and Windows Server 2012 R2

Fortify Software Security Center

The following technologies are not supported in this release:

·         SQL Server 2014

·         Internet Explorer 11

·         Service Integrations: Jira 7.4

Fortify Static Code Analyzer

The following technologies are not supported in this release:

·         Xcodebuild 9.x

·         Apple LLVM (clang) 5.x

·         Swift 4.1.x

Fortify Static Code Analyzer Tools

The following technologies are not supported in this release:

·         IntelliJ 2017.x

·         WebStorm 2017.x

·         Eclipse 4.6, 4.7

·         Android Studio 2.3.x

·         Standalone Scan Wizard distribution



The following are known problems and limitations in Fortify Software 19.1.0. The problems are grouped according to the product area affected.

Fortify Software Security Center

This release has the following issues:

·         If you have permission to comment on issues, but do not have permission to edit custom tag values, then if you add a comment from the issue details section of the AUDIT page, your first attempt to save the comment will fail. To work around this issue, click SAVE a second time. The second save attempt will succeed.

·         The first page (Start page) of the Fortify Software Security Center Setup wizard contains a link to the  Release Notes for the 18.20  version of the software. The correct link is: https://www.microfocus.com/documentation/fortify-software-security-center/1910/19.1.0%20Release%20Notes.htm

·         It is not currently possible for a user belonging to an LDAP group to create new application versions in SSC. For example, if an LDAP group has the “Security Lead” role and a member of it logs in to SSC, the application wizard is enabled in the UI.  However, if the user attempts to create an application version, it will result in errors when the “Finish” button is pressed in the Application creation wizard.  (Local users and directly registered LDAP users _are_ able to create application versions if they have the “Security Lead” role.)
Workaround: Customers who want to allow members of an LDAP group to create application versions must assign the “Administrator” role to that group.

·         If Tomcat is installed in a path containing white spaces, there might be problems displaying issues under the Audit tab for an Application Version.  For example, the following installation path examples include one or more spaces and should be avoided:

C:\parent dir with spaces\child_dir_no_spaces\tomcat_install_dir\

C:\parent_dir_no_spaces\child dir with spaces\tomcat_install_dir\

C:\parent_dir_no_spaces\child_dir_no_spaces\tomcat install dir with spaces\

·         Occasionally you can't download reports in MS Word format (DOC).

·         "Enhanced security, security manager" for BIRT Reports can't be enabled if MySQL Connector/J 5.1.41 or newer is used.

·         Fortify Software Security Center must be deployed as a single instance and not behind a load balancer.

·         Your LDAP server (single or multiple) should not be configured behind a load balancer.

Fortify Static Code Analyzer

This release has the following issues:

·         Swift: Null Pointer Exception during High Order Analysis (in StackCESKMachinery.java) of Swift App. There is a known issue with Fortify Static Code Analyzer that causes NPE during scanning Swift apps. The issue occurs when the name of a variable or constant inside a computed property is identical to the property name. Use different names for the computed property and variable or constant inside it to work around this issue.

·         Swift: Error opening input file (No such file or directory) [ERROR 1103] Translator execution failed. There is a known issue with Fortify Static Code Analyzer where it
throws “error opening input file /<path>/R.swift (no such file or directory)” while translating the R.Swift library. As a workaround, remove the following line from the file: ~/.fortify/sca18.2/build/<build_id>/swift-filelist.txt. Do not issue a sourceanalyzer clean (sourceanalyzer -b <build-id> -clean) command; instead, redo the translation with xcodebuild clean build.

·         .NET: There is a known issue in .Net binary translation which may not work correctly if multiple binaries are translated with separate Fortify Static Code Analyzer invocations where the same build ID is used across all invocations. This scenario is supposed to be used to enable scanning the entire set of translation results by a single Fortify Static Code Analyzer invocation. The issue is manifested by numerous translation and scan errors. As a workaround, use MSBuild integration or the Fortify Extension for Visual Studio for translation of .Net projects if this issue is observed.

·         Java results – Some Java project scans may produce an increased number of issues. We have improved our Java frontend in this release and the new design may result in an increase in the number of issues found.

·         Due to limitations of the .NET translator design, we're currently unable to track dataflows through callback arguments of .NET API calls that are specified as delegate objects or function names (aka method group expressions). This issue does not occur if callback arguments are passed in the form of lambda expressions or anonymous methods. We will improve the translator design in a future release to enable dataflow tracking through these arguments for all possible forms in which they can appear in the source code.

·         Scan Wizard does not support scanning Apex and Visualforce code in this release.

Fortify Audit Workbench, Secure Coding Plugins and Extensions

This release has the following issues:

·         Fortify Complete plugin for Eclipse 4.7+ - the progress dialog is not displayed by default when you do things like open an FPR or start a scan. Instead, there is a progress indicator at the bottom right corner of the window that you can click to see how things are progressing. If you like to see the dialog, you can configure it in Window > Preferences > General > remove the "Always run in background" check.

·         Fortify Audit Workbench - Issues you suppress might still appear in the issues list; if this occurs, choose Options > Show Suppressed Issues and disable the Show Suppressed Issues function.

·         Security Assistant for Eclipse requires an Internet connection for the first run. If you don’t have an Internet connection, you will get an "Updating Security Content" error unless you copied the rules manually.

·         If you switch between TFS and Jira 7 bug trackers, you must restart Fortify Audit Workbench/Eclipse or you will get an internal error while validating credentials.

·         Fortify Remediation plugin for Eclipse displays an error if the Fortify Complete plugin for Eclipse is also installed. Please uninstall the Fortify Complete plugin to work with the Fortify Remediation plugin. You can contact customer support to get an updated version of Fortify Remediation plugin for Eclipse.

Fortify WebInspect

·         Any supported Windows operating system may fail to apply the C++ 2015 runtime redistributable package provided by Microsoft. If you encounter an issue with scans having errors related to loading SPI.Parsers.Script, you must manually install the C++ runtime redistributable package before continuing.

·         The topics “Converting Recorded Steps to Code” and “Using the Event Handler Editor” in the help for the Web Macro Recorder tool Technology Preview describe features that are not available in the tool. Ignore these topics.



If you have questions or comments about using this product, contact Micro Focus Fortify Customer Support using one of the following options.

To Manage Your Support Cases, Acquire Licenses, and Manage Your Account: https://softwaresupport.softwaregrp.com.

To Call Support

© Copyright 2019 Micro Focus or one of its affiliates.

The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend
Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.