
Micro Focus Fortify Software, Version 22.2.0

Release Notes

Document Release Date: November 2022, updated: 1/31/2023

Software Release Date: November 2022

IN THIS RELEASE

This document provides installation and upgrade notes, known issues, and workarounds that

apply to release 22.2.0 of the Fortify product suite.

This information is not available elsewhere in the product documentation. For information on

new features in this release, see What's New in Micro Focus Fortify Software 22.2.0, which is

available on the Micro Focus Product Documentation website:

/support/documentation.

FORTIFY DOCUMENTATION UPDATES

Accessing Fortify Documentation

The Fortify Software documentation set contains installation, user, and deployment guides. In

addition, you may find technical notes and release notes that describe forthcoming features,

known issues, and last-minute updates. You can access the latest HTML or PDF versions of

these documents from the Micro Focus Product Documentation website:

/support/documentation.

If you have trouble accessing our documentation, please contact Fortify Customer Support.

The Micro Focus Fortify Plugin for Eclipse User Guide now covers only the Fortify

Eclipse Complete Plugin. The new document Micro Focus Fortify Remediation Plugin

for Eclipse User Guide describes the Fortify Remediation plugin for Eclipse.

The Micro Focus Fortify Plugins for JetBrains IDEs and Android Studio User Guide has

been renamed to Micro Focus Fortify Analysis Plugin for IntelliJ IDEA and Android

Studio User Guide and covers only the Fortify Analysis plugin. A new document Micro

Focus Fortify Remediation Plugin for IntelliJ IDEA and Android Studio User Guide

describes the Fortify Remediation plugin.

Support for versions of the GNU gcc and GNU g++ compilers has been expanded to 6.x

– 10.4 on Windows, Linux, and macOS operating systems. This change is documented in

the Compiler section of the Micro Focus Fortify Software System Requirements.

INSTALLATION AND UPGRADE NOTES

Complete instructions for installing Fortify Software products are provided in the documentation

for each product.

Fortify Static Code Analyzer

Migrating from a Patched Release of Fortify Static Code Analyzer: If your Fortify Static

Code Analyzer installation has been patched, the last digit in the version number will be greater

than zero. For instance, release 21.2.0 has a zero as the last digit which identifies it as a major

release that has not been patched. Versions 20.1.6, 20.2.4, 21.1.4, and 21.2.3 are examples of

patched releases. When upgrading from a patched Fortify Static Code Analyzer release, your

configuration files and properties (ties) might not carry over to the

new installation. If you would like to migrate your configuration and properties settings to the

new installation, please contact Fortify Customer Support for assistance.

Fortify Audit Workbench, Secure Code Plugins, and Tools

Eclipse Remediation Plugin is not included in

the Fortify_SCA_and_Apps__.zip in this release. It is

available for download from the Eclipse Marketplace.

IntelliJ IDEA and Android Studio Remediation Plugin is not included in the

Fortify_SCA_and_Apps__.zip in this release. It is available for

download from the JetBrains Marketplace.

USAGE NOTES FOR THIS RELEASE

There is a landing page (/) for our consolidated (Fortify on Demand +

Fortify On-Premises) GitHub repository. It contains links to engineering documentation and the

code to several projects, including a parser sample, our plugin framework, and our JavaScript

Sandbox Project.

Fortify Static Code Analyzer

The SCAState utility does not work in the 22.2.0 release. This functionality will be

restored in the upcoming 22.2.1 patch. If you require the SCAState functionality in the

22.2.0 release, you can request a hotfix through Customer Support.

For security reasons, Fortify Static Code Analyzer sample projects have been removed

from the installer. These samples are now available as a separate ZIP package.

Fortify Software Security Center

Recent Chrome and Chromium-based browsers treat cookies without an explicit SameSite attribute as SameSite=Lax. A Lax cookie is attached to top-level cross-site GET navigations, but not to cross-site POST requests or to embedded sub-requests. The session cookie therefore never reaches Fortify Software Security Center when the identity provider delivers a SAML LogoutRequest over the HTTP POST binding, so SAML Single Logout does not work correctly when it is not initiated from Fortify Software Security Center. To make IdP-initiated Single Logout work in Chrome or Chromium-based browsers, the SameSite policy for session cookies must be changed to "None". Please note that this is a less secure policy than the default (the cookie is again sent on every cross-site request, giving up the CSRF protection that SameSite provides), so changing it is left to your consideration. Chromium-based browsers also accept a SameSite=None cookie only if it is marked Secure, so this setting requires Fortify Software Security Center to be served over HTTPS. To change the policy for container deployments, use the HTTP_SERVER_SAME_SITE_COOKIES environment variable. For non-container deployments, add the corresponding cookie processor setting to the Context section of your Tomcat configuration; see /tomcat-9.0-doc/config/#Nested_Components for details. Fortify Software Security Center must be restarted for the changes to take effect.
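After changing the policy and restarting, it is worth confirming what the browser will actually do with the session cookie rather than trusting the configuration change. The following is an added example, not code from these release notes or from Fortify: it parses raw Set-Cookie header values (for instance copied from a browser's network inspector or from `curl -i` against the login page) and reports whether the session cookie will accompany a cross-site POST from the IdP, and whether Chromium will reject it for lacking Secure. The sample header values are constructed; the cookie name JSESSIONID is Tomcat's default and is assumed here to be the one Fortify Software Security Center uses.

```python
"""Check Set-Cookie headers for the SameSite/Secure combination that
IdP-initiated SAML Single Logout needs.

Added example; not code from the Fortify release notes or from Fortify.
It parses raw Set-Cookie header values and reports whether the session
cookie will ride along on a cross-site POST from the IdP. The sample
headers are constructed; JSESSIONID is Tomcat's default session cookie
name and is assumed here to be the one SSC uses.
"""
from dataclasses import dataclass


@dataclass
class CookieVerdict:
    name: str
    effective_same_site: str   # "none", "lax" or "strict" after browser defaults apply
    secure: bool
    sent_on_cross_site_post: bool
    rejected_by_browser: bool
    message: str


def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=val' into the cookie name and a lower-cased attribute map."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip().lower()
    return name, attrs


def check_session_cookie(header_value):
    name, attrs = parse_set_cookie(header_value)
    # Chromium treats a cookie with no SameSite attribute as Lax. (It briefly
    # allows very fresh Lax-by-default cookies on cross-site POSTs; that grace
    # period is too short to matter for a long-lived SSC session and is ignored.)
    effective = attrs.get("samesite", "lax") or "lax"
    secure = "secure" in attrs
    # Only SameSite=None cookies accompany a cross-site POST, the binding an
    # IdP typically uses to deliver a SAML LogoutRequest to SSC.
    on_cross_site_post = effective == "none"
    # Chromium drops a SameSite=None cookie that is not also marked Secure.
    rejected = on_cross_site_post and not secure
    if rejected:
        msg = "rejected by Chromium: SameSite=None also requires Secure (serve SSC over HTTPS)"
    elif on_cross_site_post:
        msg = "IdP-initiated SLO will work; the CSRF protection from SameSite is given up"
    else:
        msg = f"SameSite={effective}: IdP-initiated logout POST arrives without the session cookie"
    return CookieVerdict(name, effective, secure, on_cross_site_post, rejected, msg)


# Constructed sample headers, not captured from a real SSC instance.
SAMPLE_HEADERS = [
    "JSESSIONID=3F2504E04F8911D39A0C0305E82C3301; Path=/ssc; HttpOnly",
    "JSESSIONID=3F2504E04F8911D39A0C0305E82C3301; Path=/ssc; HttpOnly; SameSite=None",
    "JSESSIONID=3F2504E04F8911D39A0C0305E82C3301; Path=/ssc; Secure; HttpOnly; SameSite=None",
]


def check_all(headers=SAMPLE_HEADERS):
    return [check_session_cookie(h) for h in headers]


if __name__ == "__main__":
    for v in check_all():
        print(f"{v.name}: SameSite={v.effective_same_site} Secure={v.secure} -> {v.message}")
```

Only the third sample header produces a cookie that both survives in Chromium and is sent with the IdP's logout POST; the second, SameSite=None without Secure, is the misconfiguration to watch for on an HTTP-only test deployment, because the browser silently discards the cookie and every login appears to fail.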

A major upgrade of the libraries providing SAML Single Sign-On and Single Logout functionality was delivered in this release. Fortify strongly recommends testing SAML SSO behavior in a non-production environment before upgrading production. For a successful SAML SSO migration, follow the instructions below immediately after upgrading to 22.2.0.

o

HTTP Redirect and HTTP POST bindings are supported, but only one at a time for inbound SAML messages. The default binding is HTTP POST. If your IdP only supports HTTP Redirect (GET) for sending Single Logout messages (this is the case for Microsoft Azure AD), you must switch to the HTTP Redirect binding for inbound Single Logout messages by adding the e=REDIRECT property to ties. Fortify Software Security Center must be restarted for the change to take effect.

o

Navigate to

://saml/metadata/ to

re-generate Fortify Software Security Center SAML metadata and re-upload them

to your IdP server. To make the transition as smooth as possible, an effort was

made for SAML SSO to work correctly after upgrade even with SAML metadata

generated pre-22.2.0 release. However, it is necessary to update the metadata file

in IdP server at your earliest convenience.

o

Please also note that the HTTP Artifact binding is no longer supported, and that Logout responses and Logout requests sent by the IdP must be signed; Fortify Software Security Center refuses to process unsigned ones.

If the property includes the default port for its scheme (443 for https or 80 for http), Fortify Software Security Center strips it as part of URL normalization. To change this behavior, add the ort=true property to ties; the value is then normalized to always include a port, with the default one added if none is specified.

The Velocity template engine libraries used by bug tracker filing templates were upgraded in this release from version 1.7 to version 2.3. For a detailed list of changes in 2.3 since 1.7, see /engine/2.3/. Custom bug tracker filing templates, and custom changes to the built-in templates, might be affected by the listed changes; if so, the custom template content must be updated manually. If you prefer to maximize backward compatibility instead, add the edBackwardCompatibility=true property to ties. Please note that this is a best-effort compatibility mode and some manual changes might still be necessary.

In previous releases, a PUT request to ap/v1/issueTemplates/{id} returned 200 even when a non-existent Issue Template ID was used. Such a request now fails with 409.

The Azure DevOps bug filing template was updated and now escapes HTML characters in issue deep links and bug attributes. If this template was customized in previous releases (specifically, if the Description field was altered), the template update might not be applied in full and manual changes might be necessary. For details on how to apply HTML escaping, refer to the "Editing tips" shown when editing a bug filing template's fields on the Administration page.

Fortify ScanCentral SAST

Because scans failed when the generated build ID was very long (for example, in multi-module projects), ScanCentral SAST now uses a hash string as the build ID.

KNOWN ISSUES

The following are known problems and limitations in Fortify Software 22.2.0. The problems are

grouped according to the product area affected.

Fortify Software Security Center

Enabling the "Enhanced Security" option for BIRT reports breaks report generation if

Fortify Software Security Center is installed on a Windows system.

For successful integration with Fortify WebInspect Enterprise, Fortify Software Security

Center must be deployed to /ssc context. In particular, the context must be changed for

Fortify Software Security Center Kubernetes deployment, which uses root context by

default.

The migration script downloaded from the maintenance page is saved to a file with a .pdf extension when using Firefox. The contents of the file are correct, and it can be used for migration after changing the file extension to .sql.

Fortify Software Security Center does not verify the optional signature on SAML identity provider metadata even when one is present. The recommended mitigation is to provide the identity provider's SAML metadata to Fortify Software Security Center through a file:// or URL (avoid using a URL), so that the integrity of the metadata rests on a trusted filesystem or transport rather than on the unverified signature.
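Two of the SAML points above call for a look at the IdP metadata before it is loaded: the inbound Single Logout binding (Usage Notes) must be switched to REDIRECT when the IdP offers only HTTP-Redirect for logout, and because Fortify Software Security Center does not verify the metadata signature, it is worth knowing whether the document is signed at all. The following is an added example, not code from these release notes or from Fortify, that reads metadata with the Python standard library and reports both. Only the presence of a ds:Signature element is checked; actual XML-DSig validation would need a dedicated library. The two metadata documents are constructed samples following the SAML 2.0 metadata schema, not a real IdP's metadata.

```python
"""Inspect identity provider SAML metadata before handing it to SSC 22.2.0.

Added example; not code from the release notes or from Fortify. Reports the
bindings the IdP advertises for Single Logout (if HTTP-Redirect is the only
one, SSC's inbound Single Logout binding must be switched to REDIRECT) and
whether the metadata carries an XML signature element at all. Presence is all
that is checked; signature validation would need an XML-DSig library. The
metadata strings are constructed samples, not a real IdP's metadata.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"


def _short_binding(uri):
    """'urn:...:bindings:HTTP-Redirect' -> 'HTTP-Redirect'; unknown URIs pass through."""
    return uri[len(BINDING_PREFIX):] if uri.startswith(BINDING_PREFIX) else uri


def inspect_idp_metadata(xml_text):
    root = ET.fromstring(xml_text)
    # Metadata may be a single EntityDescriptor or an EntitiesDescriptor wrapping several.
    if root.tag == f"{{{NS['md']}}}EntityDescriptor":
        entity = root
    else:
        entity = root.find("md:EntityDescriptor", NS)
    if entity is None:
        raise ValueError("no EntityDescriptor found")
    idp = entity.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor found; is this IdP metadata?")
    slo = sorted({_short_binding(e.get("Binding", ""))
                  for e in idp.findall("md:SingleLogoutService", NS)})
    # A signature may be placed on the wrapper or on the entity itself.
    signed = (root.find("ds:Signature", NS) is not None
              or entity.find("ds:Signature", NS) is not None)
    return {
        "entity_id": entity.get("entityID"),
        "slo_bindings": slo,
        # SSC 22.2.0 accepts one inbound binding at a time and defaults to HTTP-POST.
        "switch_inbound_slo_to_redirect": slo == ["HTTP-Redirect"],
        "metadata_has_signature": signed,
    }


# Constructed metadata resembling an IdP that offers Single Logout over HTTP-Redirect only.
REDIRECT_ONLY_IDP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/logout"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed metadata with both logout bindings and a (placeholder) enveloped signature.
SIGNED_IDP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp2.example.test/saml">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>c29tZQ==</ds:SignatureValue></ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp2.example.test/saml/logout"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp2.example.test/saml/logout"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    for doc in (REDIRECT_ONLY_IDP, SIGNED_IDP):
        print(inspect_idp_metadata(doc))
```

Run it against the metadata file you intend to upload to Fortify Software Security Center: a result of `switch_inbound_slo_to_redirect: True` means the inbound binding property described above must be set before IdP-initiated logout will work, and `metadata_has_signature: False` means there is nothing that could have been verified even by a stricter consumer, so the file's provenance is the only guarantee you have.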

When editing Issue Templates in the UI, it is not possible to replace the template file. As a workaround, the /upload/ API endpoint can be used to replace the existing template file.

The Fortify Software Security Center API Swagger spec contains two definitions that differ only in case:

o

Custom Tag, used for assigning custom tag values to issues in an application version

o

Custom tag, used for managing custom tags

Take care when using tools to auto-generate API clients from the Swagger spec: generators that handle names case-insensitively may merge or overwrite the two definitions, and the generated client might need manual modification.
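Before feeding the spec to a client generator, the colliding names can be found mechanically. The following is an added example, not code from these release notes or from Fortify: it loads a Swagger 2.0 or OpenAPI 3 document and groups model names by their case-folded form, reporting any group with more than one member. The spec fragment embedded in it is constructed sample data; the real Fortify Software Security Center definition names are not reproduced here.

```python
"""Detect definitions in a Swagger/OpenAPI document whose names differ only in case.

Added example; not code from the release notes or from Fortify. Client
generators often map schema names onto class or file names, and on a
case-insensitive filesystem or with a case-folding generator two such names
collapse into one, silently overwriting a model. Run this over the spec you
are about to feed a generator and rename or exclude the colliding entries.
The spec below is a constructed fragment; real SSC names are not reproduced.
"""
import json
from collections import defaultdict


def schema_names(spec):
    """Return model names from Swagger 2.0 'definitions' and OpenAPI 3 'components.schemas'."""
    names = list(spec.get("definitions", {}))
    names += list(spec.get("components", {}).get("schemas", {}))
    return names


def find_case_collisions(spec):
    """Group schema names by case-folded form; keep only groups with more than one member."""
    groups = defaultdict(list)
    for name in schema_names(spec):
        groups[name.casefold()].append(name)
    return {key: sorted(members) for key, members in groups.items() if len(members) > 1}


def find_case_collisions_in_file(path):
    """Convenience wrapper for a spec saved to disk, e.g. downloaded from the SSC Swagger UI."""
    with open(path, encoding="utf-8") as fh:
        return find_case_collisions(json.load(fh))


# Constructed Swagger 2.0 fragment containing one colliding pair.
SAMPLE_SPEC = json.loads("""
{
  "swagger": "2.0",
  "definitions": {
    "CustomTag": {"type": "object", "properties": {"id": {"type": "integer"}}},
    "Customtag": {"type": "object", "properties": {"guid": {"type": "string"}}},
    "Project": {"type": "object"},
    "ProjectVersion": {"type": "object"}
  }
}
""")

if __name__ == "__main__":
    for key, members in find_case_collisions(SAMPLE_SPEC).items():
        print(f"case collision on '{key}': {', '.join(members)}")
```

An empty result means the generator can be run as-is; any non-empty group should be renamed in a local copy of the spec (or one member excluded) before generation, since the conflict is otherwise only discovered when one generated model silently shadows the other.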

Fortify Static Code Analyzer

While scanning JSP projects, you might notice a considerable increase in vulnerability counts in JSP-related categories (for example, cross-site scripting) compared to versions of Fortify Static Code Analyzer prior to 22.1.0. To remove these spurious findings, specify the -legacy-jsp-dataflow option on the Fortify Static Code Analyzer command line during the analysis phase.

In some circumstances when upgrading Fortify Static Code Analyzer to a new version,

the custom settings in the ties configuration file might not

get migrated. As a workaround, copy the custom settings from the fortify-

ties configuration file from the old installation location to the new one.

Fortify Audit Workbench, Secure Code Plugins, and Tools

If you encounter crashes with Audit Workbench on an older version of Linux, make sure you have the required version 3.22 (or later) of the GTK3 library.

Selecting File Bug for the first time on Linux produces an error, but it disappears if you

click on the button the second time.

Authenticating with Azure DevOps from the Eclipse Complete plugin results in an error

message on Linux.

Clearing the value of a date-typed custom tag does not work from the Fortify Remediation plugin for IntelliJ.

BIRT reports do not support generating the XLS file format anymore.

If you are not connected to the internet, you will get an Updating Security Content error

when you first start Fortify Security Assistant for Eclipse. After importing the rules, you

will no longer get this error upon startup.

Fortify ScanCentral DAST

Users who do not have permissions to create settings, and who click EDIT from the

Settings List, cannot save the edited settings as a new template. As a workaround, these

users can use the Settings Configuration wizard by clicking NEW SCAN or NEW

SETTINGS.

The Data Retention setting is not displayed in Base Settings. If Data Retention was set in

Base Settings that were configured in ScanCentral DAST 22.1.0, then those settings still

apply, but are not displayed in the UI. Also, if Data Retention is enabled at the

Application level, then the setting will be applied to the Base Settings. The Data

Retention setting is displayed in the scan Settings. If you create new templates or run

scans using these settings, then the Data Retention setting will be applied.

Container names for the DAST Sensor and Utility Service must not exceed 50 characters

in Docker run commands or Docker compose files.

ScanCentral DAST uploads the scanner service logs to the database, but there is no UI

option to download the logs. To get the logs, use the following API endpoint:

GET /api/v2/scans/{scanId}/download-dast-service-logs

A ZIP file that may contain multiple ZIP files is downloaded. This is because each time a

scan is paused, interrupted, or completed, the logs are uploaded to the database. A scan

may be resumed on a different scanner each time the scan is paused or interrupted, and the

logs are saved each time.

When importing an HTTP archive (.har) file to use as a workflow macro, the file size is limited to 4 MB. To increase the limit to 30 MB (31457280 bytes), run the following SQL command against the ScanCentral DAST database:

    IF NOT EXISTS (SELECT Id FROM ConfigurationSetting
                   WHERE SettingName = 'eiveMessageSize')
        INSERT INTO ConfigurationSetting (SettingName, SettingValue, IsEncrypted)
        VALUES ('eiveMessageSize', '31457280', 0)
    GO

Global Restrictions and Application Settings Domain Restrictions are applied only for

Standard Scans or API scans that use a start URL.

The Fortify ScanCentral DAST download package that you obtain from the Software and License Download site includes the file for the Alpine Linux distribution. The documentation does not describe how to use the Alpine Linux version, but instead describes the preferred scancentral-dast- file for the RedHat Linux distribution. To obtain the RedHat Linux version, contact Micro Focus Fortify Customer Support.

Fortify WebInspect Enterprise

• Completed scan request data presented in the WebInspect Enterprise WebConsole -

Scan Requests UI may be overwritten when a new scan request is submitted for the

same application version in Fortify Software Security Center. This issue will be

resolved in a hotfix to 22.2.0.

• When exporting a scan in XML format to import as an artifact to Fortify Software

Security Center, fewer findings may be present in the imported file than were in the

original scan.

NOTICES OF PLANNED CHANGES

This section includes product features that will be removed from a future release of the software.

In some cases, the feature will be removed in the very next release. Features that are identified as

deprecated represent features that are no longer recommended for use. In most cases, deprecated

features will be completely removed from the product in a future release. Fortify recommends

that you remove deprecated features from your workflow at your earliest convenience.

Note: For a list of technologies that will lose support in the next release, please see the

“Technologies to Lose Support in the Next Release” topic in the Micro Focus Fortify Software

System Requirements document.

Fortify Static Code Analyzer

Support for the GOPATH will be removed in a future release to align with changes in the

Go language.

Fortify Software Security Center

SOAP API is deprecated and is scheduled for removal, together

with fortifyclient and the wsclient library. Please use REST API

(/api/v1/*, /download/* and /transfer/*) endpoints instead of SOAP

API (/fm-ws/*) endpoints.

SOAP API is deprecated and is scheduled for complete removal as of the Fortify

Software Security Center 24.1.0 release. The phased deprecation is scheduled as follows:

- In SSC version 23.1.0, SOAP remains the default

- In SSC version 23.2.0, SOAP is disabled by default, but is not removed

- In SSC version 24.1.0, SOAP is removed entirely

Please use REST API (/api/v1/*, /download/* and /transfer/*)

endpoints instead of SOAP API (/fm-ws/*) endpoints. A new sample command-line

based Fortify Software Security Center client (ssc-client) using REST API is

included in the Fortify Software Security Center distribution. The ssc-client sample

serves as a starting point for using a REST API-based client as a replacement for the

SOAP API-based fortifyclient.

Note: It is always possible that, because of schedule delays, SOAP will be removed

entirely in a release later than SSC 24.1.0.

Starting with the 23.1.0 release, it will no longer be possible to suppress the Plugin Framework's validation of engineType using the FORTIFY_PLUGINS_PARSER_VULN_ENGINETYPECHECK environment variable or the TypeCheck JVM system property. Any third-party parser that fails the validation will cease to work: the engineType of the submitted vulnerabilities must match the engineType declared in the plugin metadata.

The REST API endpoint api/v1/projectVersions/{parentId}/dynamicScanRequests/action/cancel was deprecated and is scheduled for removal.

Fortify WebInspect

The Web Service Test Designer tool will be removed in a future release.

FEATURES NOT SUPPORTED IN THIS RELEASE

The following features are no longer supported.

Fortify Software Security Center REST API token endpoint /api/v1/auth/token

has been removed. Please use the /api/v1/tokens endpoint instead.

Fortify Static Code Analyzer no longer supports Visual Studio Web Site projects. You

must convert your Web Site projects to Web Application projects to ensure that Fortify

Static Code Analyzer can scan them.

Fortify WebInspect no longer supports Flash parsing.

Fortify ScanCentral SAST: the allow_insecure_clients_with_empty_token property, used to configure the Controller, was removed from the ties file.

Note: For a list of technologies that are no longer supported in this release, please see the

“Technologies no Longer Supported in this Release” topic in the Micro Focus Fortify Software

System Requirements document. This list only includes features that have lost support in this

release.

SUPPORT

If you have questions or comments about using this product, contact Micro Focus Fortify

Customer Support using the following option.

To Manage Your Support Cases, Acquire Licenses, and Manage Your

Account: /support.

LEGAL NOTICES

© Copyright 2022-2023 Micro Focus or one of its affiliates.

Warranty

The only warranties for products and services of Micro Focus and its affiliates and licensors

(“Micro Focus”) are set forth in the express warranty statements accompanying such products

and services. Nothing herein should be construed as constituting an additional warranty. Micro

Focus shall not be liable for technical or editorial errors or omissions contained herein. The

information contained herein is subject to change without notice.

Restricted Rights Legend

Confidential computer software. Except as specifically indicated otherwise, a valid license from

Micro Focus is required for possession, use or copying. Consistent with FAR 12.211 and 12.212,

Commercial Computer Software, Computer Software Documentation, and Technical Data for

Commercial Items are licensed to the U.S. Government under vendor's standard commercial

license.
