Skip to main content
Link
Menu
Expand
(external link)
Document
Search
Copy
Copied
VA Software Assurance
Home
Fortify
Fortify Usage
Fortify Cheat Sheet (Getting Started)
Fortify Documentation
How to set the Fortify Scan Policy
Always Use Default Scan Settings
Common Fortify findings in jQuery
Does Fortify support jQuery and Node.js
Entering command-line arguments into Audit Workbench or Fortify IDE plugin
How to audit findings in third-party code
How to create a Fortify log file
How to increase memory for Fortify translation
How to install or update Fortify rulepacks
How to merge scan files
How to scan a Visual Studio Web Site Project
How to scan an iOS application
How to scan Apex code
How to scan applications using Modular Analysis
How to scan files with non-standard file extensions
How to scan files without file name extensions
How to scan Flex code
How to scan PL/SQL on Windows
How to scan TypeScript files
How to select a Fortify Visual Studio IDE Plugin
How to troubleshoot Fortify not scanning some files in a project
How to view error messages reported by Fortify
How to view Remediation Effort for findings in AWB
Should minified JavaScript code be scanned
Third-party JavaScript libraries not scanned by Fortify
Weak XML Schema - Unbounded Occurrences findings
When Fortify does not support the programming language version used
Which Filter Set value should be used
Which Fortify tool should I use to scan my application
Fortify Errors
Troubleshooting Fortify Errors
Cannot locate class... Errors
Error performing ASP.NET Precompilation Errors
File parsing or Syntax errors
Fortify cannot locate web.xml or WEB-INF directory
Function...is too complex Errors
The ActionScript frontend was unable to resolve the following import... Errors
The ASP/VBScript frontend was unable to resolve the following include... Errors
The PHP frontend was unable to resolve the following include... Errors
The ruby frontend was unable to resolve the following require... Errors
Unable to locate the Microsoft .NET disassembler tool (ildasm)... Errors
Scan Issues
Audit was not performed within Fortify
Buildable source not delivered
Cannot determine what source code provided corresponds to source code scanned
Code broken into a large number of FPR files
Code not scanned
Code scanned but not delivered
Command or options used for translation phase not provided
Default analysis tags not used
Default rulepacks were not used during scan
Delivered scan does not match previous submissions
Errors during scan
Hidden and suppressed Issues
Incorrect scan policy was used
Incorrect submission materials potentially provided
Issues not audited
Minified JavaScript Not Scanned
Old version of Fortify used during scan
Old version of rulepacks used during scan
Quick scan mode used
Removed Findings
Scan was not performed correctly
Scanned source differs from provided source
Speed Dial Used
Unable to extract source code from FPR files
Zero Trust Architecture
How to know if zero trust principles are followed in my application
How to know if my application's network should be trusted
DevSecOps
How are Fortify scans different than code review
How to address container manager password management findings
How to capture Fortify logs in a CI server
How to configure Fortify build failure criteria on a CI server
How to configure Fortify Speed Dial for use at the VA
How to know if a database in a container environment should be trusted
How to know if a Redis in-memory data store should be trusted
How to know if container configuration data should be trusted
How to know if container environment variables can be trusted
How to know if it is safe to log sensitive information to a log aggregator
How to manage Fortify artifacts in a CI server
How to run Fortify Static Code Analyzer in a container
How to scan Infrastructure as Code (IaC) files
How to submit a code review that uses custom rules
How to submit a code review that uses a filter file
How to write a Fortify custom rule
Fortify Systems Programming
Writing Client-Side Pre-Commit Git Hooks
What does an integrated Fortify code scanning solution look like?
Fortify Other
How do I know if my application should be subject to code review
How is the Fortify license managed
How secure code review is different than exploit development
How to interpret remediation estimates
How to know if a database should be trusted
How to know if configuration files should be trusted
How to know if external input should be trusted
How to know if it is safe to log sensitive information to a file
How to Validate a V&V secure code review package
Insecure Transport - Mail Transmission findings
Secure Coding Resources
What are some recommended libraries for securing code
Why do I need to do code review if my environment is secure
SSC
How do I manage roles in SSC
How do I resolve errors when seeding the SSC database
Mainframes
How to scan COBOL code
CodeQL
CodeQL Usage
CodeQL Errors
Snyk
Snyk Usage
Snyk Errors
Threat Modeling
How do I update the initial diagrams
How to audit false positives
How to audit mitigated threats
How to audit unmitigated threats
How to get started analyzing an application threat model
How to get started drawing application threat model diagrams
Spoofing (STRIDE)
Tampering (STRIDE)
Repudiation (STRIDE)
Information Disclosure (STRIDE)
Denial of Service (STRIDE)
Elevation of Privilege (STRIDE)
These technical notes provide information on composition analysis: