HPE Software Products: Fortify Software Security Center Discussion
Share |

Software Content on HPE Enterprise Community in Read-Only May 9 - 15Open in a New Window

Software Content on HPE Enterprise Community in Read-Only May 9 - 15

As you may have seen in the last few months, Hewlett Packard Enterprise is combining some software assets with Micro Focus. As part of this spin-merge with Micro Focus, a new Software instance of an online community will go live on May 16, 2017.

All boards within the current Software category will be located to a new community. All URLs will redirect to the new community. All current users will be migrated to the new community as well. Please be sure to update your bookmarks after May 16.

As part of the migration to a new Software instance, all software content will be in read-only mode from May 9 – 15. We apologize for any inconvenience.

We will continue to provide further updates in this News board.


HP Fortify Rule Incorporate to Jslint ??Open in a New Window

is there any chance to incorporate the HP Fortify rules into JsLint. if it is possible means please share your thoughts. thanks  


Anyone have any experience deploying HPE Fortify SCA and SSC to a private cloud ?Open in a New Window

We're looking at moving to a DevOps model in a private cloud, and want to put FORTIFY in as part of our dev tools.  Checking the AWS Machine Image catalog, pretty much any HPE software is available as an AMI. . . except FORTIFY. 

Anyone have any experience here ?  I suspect that licensing will be the bugaboo. . . .


Fortify Error 1359, Duplicate Rule ID: xxxxxxxOpen in a New Window

Any expansion on resolving this issue?  We have 3 programs from the same shop, all have this error.   I've noticed that they have two custom rules files, but cannot look at them directly (we're halfway across the country from the Devs).

Any suggestions ?


HPE SCA / SSC Integration with GocdOpen in a New Window

I am looking for way to integrate HP SSC into gocd. I think HP dosnt provide any plugin but is there a alternae way of doing it?


How to use Maven plugin to scan native C source codeOpen in a New Window

I am using Fortify 16.20 maven plugin and trying to run a scan against Native C project.

Is this possible to do? I don't seem to be getting any results generated.

Please advise!



Unreleased Resource DatabaseOpen in a New Window


System.Data.SqlClient.SqlDataReader dr = sqlComm.ExecuteReader();

if (sqlConn.State.ToString().ToUpper() == "OPEN")

these statement throwing Unreleased Resource Database.

Please help me to solve this issue


admin authentication failure after setting X.509 SSOOpen in a New Window


After I configured SSO to use x.509, the login page still asks for username and password, but it fails to log me in using admin password. 

I changed in db table dbo.configproperty x.509.enabled to be false, but no luck.

How can I revert and be able to login using local username and password?




Integrating HPE Fortify & TeamCity.Open in a New Window

Hi All,

We are in need of  integrating TeamCity with Fortify or Vice-versa. Is there any plugins available in Fortify/Teamciry to achieve this or any other way to implement. Your suggestions would be a Great Help..!!!

Thanks in Advance.




How to filter LOW Fortify Priority issues during scanOpen in a New Window

Looking for option to filter out LOW Fortify Priority issues duing scan. With this approach fpr generated from scan will not contain LOW Severity issues. Please suggest how to configure scan for this purpose. I am using command line scan.  There is quick scan mode but it is not usuful as requirment for scan is to report all Critical, High and Medium issues that would appear in normal scan mode. Just need to exclude Low issues.

Thank you.



HP Fortify SCA and Applications Software QueriesOpen in a New Window

Hi Team,

Currnelty we are using HP Fortify SCA and Applications 4.30 version and we have planned to migrate visual studio 2017. and so for that case, is there latest "HP Fortify SCA and Applications " version is available?. which will be compatible for visual studio 2017.
Please suggest us to proceed further.


Fortyfi Scan High Issue ErrorsOpen in a New Window

Fortyfi scan was throughing me a high risk Issue on the following code. 

Reading cookies from Browser:

Cookie[] cookies = request.getCookies();

Adding SessionId to the Url connection:


Passing sessionId in requestParams:

public String getIcueSecureSessionId(@RequestParam String sessionId, @RequestParam
String appName)

Fortyfi comments for the above code:

The method getIcueSecureSessionId() in WidgetProviderController.java includes
unvalidated data in an HTTP response header on line 147. This enables attacks such
as cache-poisoning, cross-site scripting, cross-user defacement, page hijacking,
cookie manipulation or open redirect.



I was trying to solve the issues but i never get any luck. I am open with the suggestions and please let me know if you can help me.




Query on HP Component ArchitectureOpen in a New Window

I have few queries on the fucntionality of few components in Automated Scanning Architecture :

  • Build Server
  • Scan Pool Controller
  • Scan Pool Scan farm
  • WebInspect Scan farm
  • Fortify SSC & Databse

Request any of the SME or memebr to respond back on the details and fucntionality of above mentioned nodes/components.


Query on Automated Scanning ArchitectureOpen in a New Window

All Champs ,

I have few queries on the fucntionality of few components in Automated Scanning Architecture :

  • Build Server
  • Scan Pool Controller
  • Scan Pool Scan farm
  • WebInspect Scan farm
  • Fortify SSC & Databse

Request any of the SME or memebr to respond back on the details and fucntionality of above mentioned nodes/components.


HP Fortify SCA 4.30 -- Doesn't scan ASP .NET 4.5.2 (MVC 5) solutionOpen in a New Window

Please help!

I have to scan a ASP .NET 4.5.2 (MVC 5) solution using HP Fortify SCA 4.30.

unfortunatly it doesn't catch any issues though it runs through all the files.

But the same rule file catches issues in ASP .NET 4.5.2 solutions  ( non MVC )

seems only "*.cshtml" is additional in the solution.

I'm blocked because of this. Your help is highly appreciated!!!


Fortify Scan C# configuration filesOpen in a New Window

We use the Fortify scan to scan applications in the CD pipeline, hosted by TFS. there for we created a build task. I am wondering what files the Fortify scan scans. It looks like the scan is not checking the configuration files of a .Net application. The app.config for example seems to be ignored. Is there a parameter or value to add to the scan command that makes the scan check the configuration.


How to customize configuration of IDE Plugin in Fortify Cloudscan?Open in a New Window

I couldn't fine the right place to post this, so if it needs to be somewhere else, please move it or let me know where to post.
I have a Fortify CloudScan service set up. We are integrated into the application build process such that source code files are translated on the build server, packaged into a Mobile Build Package, which is sent to the CloudScan Controller for scanning. Pretty vanilla setup and things are working well. We also have individual developers with SCA + IDE Plugins. Currently, they are performing the full scanning process on their local workstations and uploading the .FPR to SSC. All this is in a Windows OS invironment.

Now to my question...
is there a way to configure or change the IDE plugin so when the developer selects "Run a Scan" in their IDE Plugin, it does the translate step, creates the Mobile Build Package, and sends it to the CloudScan controller just like what we are doing on the build machines?

This would free up so much time for the developers since the scan phase is what takes the longest time. I understand we will need to instal the CloudScan CI on the developer's workstation.

Finally, can we create a SCA Developer's install Package so this is the default process?



Fortify Scan Issue (in translation)Open in a New Window

.Net Solution is building succussfully!

but while translating it throws below error.

[error]: The Fortify add-in for Visual Studio did not execute; therefore, no files were translated. Ensure that the Fortify add-in is installed. If you are running Visual Studio 2005 SP1, you must also install the hotfix indicated by KB934517.

any idea! ?


Fortify SSC 16.x: Assign Users Lookup using LDAP with nested groupsOpen in a New Window

SSC 16.x is configured to use LDAP and nested groups.

Authentication with nested groups works.

User lookup for such functions as Search during Assigning an Issue doesn't work.

Error: An internal error has occurred. Please contact your Fortify System Administrator.

Using a non-nested LDAP group with Nested Groups in LDAP configuration turned off works.




Custom rule to cleanse log forging does not workOpen in a New Window

We have complicated software where most user input is validated against a schema before being accepted or logged to files. Fortify throws a large number of log forging errors that are false positive.

I have written a custom rule and imported the same into Fortify. But I still get log forging complaints.

I am including the custom rule here. Note that washStringForLog is a method that removes unwanted characters from the string passed and trims the string it is too long. The idea is that if the string first passes through this method, the log forging taint should be removed and fortify should not flag an error.



<?xml version="1.0" encoding="UTF-8"?>
<RulePack xmlns="xmlns://www.fortifysoftware.com/schema/rules">
<Rules version="3.14">
<DataflowCleanseRule formatVersion="3.14" language="java">
<ApplyTo implements="true" overrides="true" extends="true"/>



WHat am I doing wrong here?


Contact Us

Vivit Worldwide
P.O. Box 18510
Boulder, CO 80308

Email: info@vivit-worldwide.org


Vivit's mission is to serve
the Hewlett Packard
Enterprise User
Community through
Advocacy, Community,
and Education.