HPE Software Products: Fortify Software Security Center Discussion
Share |

Is Fortify Static Code Analyzer and WebInspect the same software?Open in a New Window

Is Fortify Static Code Analyzer and WebInspect the same software? Because I can't see any trial software link for Fortify Static Code Analyzer.


Resolving Fortify IssueOpen in a New Window


We are executing Fortify scan on our source code. One of the issue reported is 'Missing XML Validation". The priority is Low and the kingdom is "Input Validation and Representation". 

The code snippet for this issue is as follows:

DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();


DocumentBuilder documentBuilder;
documentBuilder = documentBuilderFactory.newDocumentBuilder();
documentBuilder.setErrorHandler(new SimpleErrorHandler());

Document xmlDoc;
xmlDoc = documentBuilder.parse( new InputSource( new StringReader(xmlStr)));

Fortify complains about Missing XML Validation for the last line  i.e. xmlDoc = documentBuilder.parse( new InputSource( new StringReader(xmlStr)));

We have set the validation on the parser as true. But not sure why Fortify doesn't accept that as a secure code.

Kindly help in resolving this.


Scan CSharp project with SCA Audit Workbench 16Open in a New Window


I have win10 64 bit, SCA 16 version and all needed software for correct SCA 16 work.

When I scan old C# project (which have 17500 LOC) I get report that project have only 88loc and 37loc was scanned.

I fixed ildasm.exe path in configuration file but it didn't help me.




Concerns about accuracy in Compliance Report templatesOpen in a New Window

Hi all, I wanted to put out there some possible concerns I have with the results I'm seeing in Compliance Report templates run using Fortify SCA scan data.

Everything below involves the same set of SCA assessment data being filtered through Compliance Reports and yielding surprisingly different results. I don't have access to the Foritfy system and am not a Fortify expert, I just have the reports -- so I can't 100% rule out operator error somewhere. 

Multiple different entities I support are running the compliance reports and assume they're getting complete assessment reports. But the reports vary wildly in length, severity and number of findings. It seems like the compliance reports are discarding some findings (or else are multiplying the number and risk of the findings).

The DISA STIG compliance reports I'm seeing are by far the longest (and most complete?) at 600 pages and 3500 findings / code snippets. Two other compliance reports, FISMA/FIPS200 and CWE SANS 2011, were 50 pages each, but list 75 or 130 findings/snippets, respectively.

I considered the possibility that maybe each single code vulnerability was being counted and re-counted as being applicable to multiple controls. But, I don't expect the STIG report should be 25x to 50x larger than the FISMA report. If anything, I would expect the FISMA report to be amplified from single findings counting against multiple controls, compared to DISA STIG.

Or if some of the reports are hiding some of the findings from the SCA data, that seems undesirable.

Another possible concern is the severity rankings for findings. In the DISA STIG report for example, many CAT I and CAT II findings are being marked as Low severity. In some places, CAT II findings are marked High while CAT I findings are marked Low. Which would be fine if there was some intelligence behind the decision, but on inspecting some of them, the DISA CAT ratings seem more accurate.

Some risk categories are totally blank.  My DISA STIG report lists zero CAT III findings, which seems unexpected.  All 3 reports I looked at (STIG, FISMA and SANS) listed 0 Medium findings. Note that the STIG report was 90% CAT II findings, so there should be at least some Mediums. 

The FISMA report lists 0 Medium and 0 Low findings, so 100% of the findings are Critical or High. By comparison, the STIG report lists almost 90% Low (but with zero CAT III findings).  100% High (FISMA) vs 90% Low (STIG) are very different risk reports from the same SCA data.

I can't figure out how the logic for giving severity ratings is working. The fact that there are thousands of Low findings in STIG and zero in FISMA suggests that the Compliance Template has some effect on the ratings, they aren't coming straight from the SCA scan data uniformly. But then on the other hand, the DISA STIG CAT ratings seem to be overridden by some other source of severity ratings, presumably from SCA.

Am I wrong in thinking these are issues that could be done better? And how might I give this feedback to HP? I don't know yet whether or not we have a support contract. I found an email address fortifytechsupport@hp.com that might be relevant.  Thanks!


Referenced assembly does not include assembly pathOpen in a New Window

Hi I have Rebuid the .net solution file in command prompt the Rebuid is succeeded but i see something which I coudnt understand why it is appearing.

I opened developer command pprompt which is in All programs->Visual Studio 2013->Visual Studio Tools->Developer Command Prompt for VS2013.

These where the commands I used 

cd c/user/xyz

sourceanalyzer -b "app" -verbose -debug -logfile trans.log devenv Sample.sln /Rebuild Debug

Whereas the error whic I am getting is 

========= Rebuild All: 11 succeeded, 0 failed, 0 skipped =======


Fortify SCA..


Running: INFO : "-show-runtime-properties"


Referenced assembly does not include assembly path: Thicktecture.ServiceModel.Extensions.Metadata


Running: ASPCOMPILE : "-v" xyz


Running:  TRANSLATE :


Can anyone tell me why I am getting this error ?



Cannot Seed Initial DB - MSSQLOpen in a New Window

Hey all,

I'm not able to proceed past the initial seeding in the configuration setup. We're trying to setup the environment to demo and sandbox, but we keep getting this error and can't progress any further.

If anybody has any ideas, it would be incredibly helpful.

Some initial errors are below (entire log exceeds current characters)

16-10-17 14:52:26,586 [com.fortify.systemspec] - ========================== Fortify Context Startup =============================

WARN 2016-10-17 14:52:30,902 [org.hibernate.mapping.RootClass] - HHH000038: Composite-id class does not override equals(): com.fortify.manager.DAO.measurement.VariableCopy$VariableCopyPK

WARN 2016-10-17 14:52:30,903 [org.hibernate.mapping.RootClass] - HHH000039: Composite-id class does not override hashCode(): com.fortify.manager.DAO.measurement.VariableCopy$VariableCopyPK

WARN 2016-10-17 14:52:40,907 [com.fortify.manager.service.ldap.impl.LdapConfigRestorerImpl] - Not loading ldap properties into DB because enabled flag is false.

WARN 2016-10-17 14:52:44,408 [com.fortify.manager.service.runtime.RuntimeControllerConnectionConfiguration] - Runtime integration disabled

INFO 2016-10-17 14:52:44,915 [com.fortify.server.configuration.db.DBUtil] - Start of "sourcefilemap.fileName initial filling"

INFO 2016-10-17 14:52:45,402 [com.fortify.server.configuration.db.DBUtil] - "sourcefilemap.fileName initial filling" is successfully completed

INFO 2016-10-17 14:52:45,412 [com.fortify.server.configuration.db.DBUtil] - Opening zip file: temp4699533465298773753zip

INFO 2016-10-17 14:52:47,679 [com.fortify.server.configuration.db.DBUtil] - Opening zip file: temp4390493848572494269zip

INFO 2016-10-17 14:52:58,114 [com.fortify.server.configuration.db.DBUtil] - Opening zip file: temp465640963335816730zip

INFO 2016-10-17 14:53:00,017 [com.fortify.server.configuration.db.DBUtil] - Opening zip file: temp5984807870144934414zip

INFO 2016-10-17 14:53:02,418 [com.fortify.server.configuration.db.DBUtil] - Opening zip file: temp2067715629240169605zip

WARN 2016-10-17 14:53:09,205 [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] - SQL Error: 2627, SQLState: 23000

ERROR 2016-10-17 14:53:09,205 [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] - Violation of PRIMARY KEY constraint 'PK_CATPACKLOOKUP'. Cannot insert duplicate key in object 'dbo.catpacklookup'. The duplicate key value is (1510, Code Correctness: null Argument to equals()).

ERROR 2016-10-17 14:53:09,209 [org.hibernate.engine.jdbc.batch.internal.BatchingBatch] - HHH000315: Exception executing batch [could not perform addBatch]

ERROR 2016-10-17 14:53:09,220 [com.fortify.manager.BLL.impl.RulepackBLLImpl] - Exception loading external metadata

com.fortify.manager.exception.FMDALGeneralException: An unexpected error occurred.
at com.fortify.manager.DAL.support.FMD



Cannot update Audit Project from SCA to SSCOpen in a New Window


First sorry in my English ^_^". Right now I have an issue uploading the audit project to SSC Server. After using SCA to scan the code, I clicked upload the audit project, In the step "Uploading Audit..." I encountered an issue like this


class com.fortify.ws.client.FortifyWebServiceException
(DOCTYPE is disallowed when the feature
"http://apache.org/xml/features/disallow-doctype-decl" set to true." (line1))


Well, i'm not kind of Java and tomcat guys. After searching google a while i still can't figure where I can fix this = ="
So Please help >_<

For my environment installation
1. SSC install using tomcat 8.5 In Windows 2012 r2, MSSQL2014r2
2. SCA install on Windows 7 x64


SSC 16.10 Cannot update the RulePackOpen in a New Window

Hi i'm now building new SSC 16.10 to support deploying rulepack in our environment.

After finished basic configuration, I tried to Update SSC rulepacks via Browser UI. after that it threw an error like this

"An internal error has occurred. Please contact your Fortify System Administrator"

Please help


HP WebInspect Certificates and Authentication Time OutOpen in a New Window

I am having authentication issues when attempting to scan web applications behind a reverse web proxy. I can get to the site just fine on the system that runs that scanner but when I attempt to build my scan it times out and I never get prompted to choose my certificate (I am using CAC authentication).

What I would like to try is to load my certificate on the local machine. When I go to the default settings in WI I can see there is a selection for local machine and within that are two selections: "MY" and "ROOT" I can see there is a certificate for root but there is nothing for "MY"

How can I load my authentication certificate for there? I believe my time out issue is occurring because I am reaching across a VPN connection to my scanner and then through the WI program. Could this be the case?

I am open to any other suggestions as well.


Fortify SSC v16 BugTracker JiraOpen in a New Window


We are now setting up Jira plugin in Fortify SSC v16. When we are trying to test connection with JIRA ir shows an error:

Error occured during test: There is a problem during connection with JIRA server: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Does any of certificates needs to be set in Jira or it should be configurated?


Thank you,



HP Fortify 6.11 ASP.NET Compiler error "Encountered: Page" on default.aspxOpen in a New Window

I'm geting a warning from HP Fortify on my API page.  This is my whole default.aspx:

<%@ Page Language="C#" %>
<script runat="server">
  protected override void OnLoad(EventArgs e)

and I get the following error in the translate page (this is taken from the logfile):

Building line numbers from source for: C:/git/Esb/Esb.Api/default.aspx
[2016-09-21 16:46:33.219 com.fortify.frontend.translator.dotnet.vb.VBParser.parse() Thread-15 Master FINE]
Starting to parse: C:\git\Esb\Esb.Api\default.aspx
[2016-09-21 16:46:33.219 com.fortify.frontend.translator.dotnet.vb.VBParserTokenManager.TokenLexicalActions() Thread-15 Master WARNING]
Bad character in: %; line: 1; col: 2
[2016-09-21 16:46:33.219 com.fortify.frontend.translator.dotnet.vb.VBParserTokenManager.TokenLexicalActions() Thread-15 Master WARNING]
Bad character in: @; line: 1; col: 3
[2016-09-21 16:46:33.219 com.fortify.frontend.translator.dotnet.DotnetSourceParser.reportParseError() Thread-15 Master WARNING 10000]
Parse error in file C:\git\Esb\Esb.Api\default.aspx at 1:5. Encountered: "Page".

I don't know why its invoking a VB parser, or why Page would be an invalid entry


Getting authentication failure after java version updateOpen in a New Window


Recently we have updated java version in our Fortify box. After update, we are unable to login into Fortify enterprise web client. We are using AD to login into Fortify. I restarted Tomcat. but no luck. let me know how to resolve.








How to exclude in Fortify scan for SQL Injection in MyBatis Mapper filesOpen in a New Window


I am using My-batis generated fild in my project. I am getting "SQL Injection: MyBatis Mapper" errors, when i run Fortify on it.

To resolve this issue i modified the "$" to "#" in my mappers, which is not supported by My-Batis.

Could someone help me to resolve this issue, on how to exclude this SQL Injection issue in Fortify scan?

  Also please let me know why Fortify is not supporting My-Batis generated files


Problems with initial seeding for SSC mysql databaseOpen in a New Window


I am trying to install and configure SSC 16.10 with Mysql.  During the process seeding I get the following error reported in the log:

Caused by: org.springframework.dao.DataIntegrityViolationException: could not perform addBatch;

SQL [insert into catpacklookup (fromExtension, orderingInfo, catPackExternalCategory_id, mappedCategory) values (?, ?, ?, ?)]; constraint [null];

nested exception is org.hibernate.exception.ConstraintViolationException: could not perform addBatch

        at org.springframework.orm.hibernate4.SessionFactoryUtils.convertHibernateAccessException(SessionFactoryUtils.java:163) ~[spring-orm-4.2.1.RELEASE.jar:4.2.1.RELEASE]


We've dropped and recreated the DB multiple times trying to resolve this issue.  Any pointers as to what might be causing this installation issue?





Fortify - Path Manipulation issues in JavaOpen in a New Window

I am getting Path Manipulation issues on the following statements of my Java code when I run Fortify tool on my web-application.  Below are the different sample statements where it throws HIGH priority security vulnerabilities. Please note that the filePath that is being passed is an absolute path but not relative. We have a requirement to read files that are placed in a system directory, hence I have depend on java.io file system package. 

Please suggest me the resolution to avoid security issues on below statements.

File file = new File(filePath)
FileReader fileReader = new FileReader(filePath);
FileInputSteam inputStream = new FileInputSteam(new File(filePath));
String userHome = System.getProperty("user.home");
Path path = Paths.get(filePath);


Cross-Frame Scripting ( 11293 ) ErrorOpen in a New Window

Facing cross frame scripting issue on site.

Tried changing web.config with below code but after rescan cross scripting error did not go.

Tried other two options like 1) adding X-frame-options in IIS for response header, 2) installed nuget package nwebsec however the rescan returned same error.

              <add name="X-Frame-Options" value="DENY " />


Can any one help on this


Cross frame scripting - ASP.Net applicationOpen in a New Window

We are facing cross-frame scripting issue in our newly developed application using ASP.net 4.5. We have tried the below list of fixes but the scanner tool is still giving us the same error,

1. x-frame deny option.

2. Machine key addition in the config file.

3. x-frame deny using nuget package

But none of the fixes working and we still getting the issue. Can you someone suggest some thoughts





Fortify exclude option not working for my projectOpen in a New Window

I have a visual studio c/c++ project having folder structure as below



"client" is the root foler which has ABCClient & lib folder inside "client" folder.

"ABCClient "project is refering some of the source file from "lib" folder also.

I want to completly exclude issues reported in fortify scan from "lib" folder. I tried exclude options but still its reporting issues from "lib" folder.

I have used below commands.

sourceanalyzer -b "test5" -exclude "**\lib\*" -quick -Xmx4G -Xss8M -debug -logfile scan.log -scan -f ABCClient8.fpr

sourceanalyzer -b "test5" -exclude "client\lib\*" -quick -Xmx4G -Xss8M -debug -logfile scan.log -scan -f ABCClient8.fpr

I have tried both wildcard chars as well as absolute path of exclude file but it didn't worked.


Please someone help


How to setup Continuous Integration gated check-in with Fortify SCA Visual Studio OnlineOpen in a New Window


We are trying to integrate Fortify SCA into our DevOps platform VSO, we are able to run the SCA from command line and generate FPR files.

However we want to fail the build step if there are any Mandatory Issues reported by SCA, we didnt find an easy way to do this.

Do you have any recommendations on how to integrate with continuous integration gated check-in

We are using Microsoft .NET as our development platform

Thanks in advance


HP Fortify SCA - erroneous Insecure RandomnessOpen in a New Window

HP Fortify SCA flags math.Random in JQuery (js/jquery-1.7.1.min.js) as High Vulnerability Insecure Randomness. JQuery and GitHub forum moderators disagree (links below). The Fortify explanation is to use window.crypto.random, which I have done (see screenshot) but SCA does not accept this. Any suggestions?

Thank you,

Github disagrees             



JQuery disagrees


Contact Us

Vivit Worldwide
P.O. Box 18510
Boulder, CO 80308

Email: info@vivit-worldwide.org


Vivit's mission is to serve
the Hewlett Packard
Enterprise User
Community through
Advocacy, Community,
and Education.