Micro Focus Fortify Software Security Center – Tips and Tricks

Micro Focus Fortify Software Security Center helps integrate and automate security testing into development and gives complete visibility of application security risk.

This post collects the monthly Fortify Software Security Center tips and tricks, a consolidation of common issues seen in Fortify Software Security Center. See this article for troubleshooting tips and tricks for other tools.

Fortify Software Security Center Tips – Jan 2021

1. Instructions to fix SQL Server errors when fetching the Fortify Rule set from SSC

Users frequently run into SQL Server errors when fetching the Fortify Rule set from SSC: many Fortify builds fail at the step where the script fetches the rule set from the SSC site. The command in the scripts is:

fortifyupdate -acceptKey -url https:///ssc

It fails the entire script execution with: Error 6224: Server returned: HTTP/1.1 500

Running the script again does not reliably help; it may or may not get past the error. The SSC log entries that match the time of the error are:

2019-01-08 15:35:48,448 [WARN] org.hibernate.engine.jdbc.spi.SQLExceptionHelper - SQL Error: 0, SQLState: null at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [catalina.jar:9.0.13] at com.microsoft.sqlserver.jdbc.SQLServerException.makeFromDriverError(SQLServerException.java:191) ~[sqljdbc42.jar:?]
2019-01-08 15:35:48,520 [WARN] org.hibernate.engine.jdbc.spi.SqlExceptionHelper - SQL Error: 0, SQLState: null at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [catalina.jar:9.0.13]
2019-01-08 15:35:48,529 [ERROR] com.fortify.manager.controller.RulepackDistributorController - RulepackUpdateServlet: Error getting rulepacks for download at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [catalina.jar:9.0.13] at com.microsoft.sqlserver.jdbc.SQLServerException.makeFromDriverError(SQLServerException.java:191) ~[sqljdbc42.jar:?]

The fix is preventive: defragment and reindex the whole SSC database. After that, the error does not occur again.

2. Whether an OR condition can be used in a search query

Users often ask whether an OR condition is available in a search query at all. A typical need is to query the jobs API and return only the jobs that match something like:

criteria: state:FINISHED AND jobClassName:com.fortify.manager.BLL.jobs.ArtifactUploadJob OR jobClassName:com.fortify.manager.BLL.jobs.fulltext.IndexNewIssuesJob

Users have looked for a way to use both operators, AND and OR, in the API. Testing shows that neither AND nor OR works in the query string. The examples in the API Documentation only ever use a single field in a search, and none of them uses an AND/OR operator.

A careful reading of the syntax and the documentation confirms that boolean operators (AND/OR) are not supported in the SSC REST API's query string search, so only a single condition can be used.
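Since the query string takes one condition, the practical workaround is to issue one request per condition and combine the results on the client. The following is an added example (not code from Fortify or from this post) that does exactly that for the two job classes above: it sends a single jobClassName condition per request, applies the state filter client-side, and de-duplicates by job id. It assumes the jobs endpoint is /api/v1/jobs, that the query string travels in the q parameter, and that responses wrap their list in a data field; check the API Documentation of your SSC version for the exact form. The transport is injected so the logic runs offline against constructed responses.

```python
import json
import urllib.request
from typing import Callable, Dict, Iterable, List
from urllib.parse import parse_qs, urlencode, urlparse

JOBS_PATH = "/api/v1/jobs"  # assumed endpoint path
ARTIFACT_UPLOAD = "com.fortify.manager.BLL.jobs.ArtifactUploadJob"
INDEX_NEW_ISSUES = "com.fortify.manager.BLL.jobs.fulltext.IndexNewIssuesJob"


def build_job_queries(base_url: str, job_classes: Iterable[str]) -> List[str]:
    """One URL per job class. Each query string carries exactly one condition
    (jobClassName:...) because AND/OR are not accepted; the state filter is
    applied client-side instead."""
    base = base_url.rstrip("/")
    urls = []
    for job_class in job_classes:
        query = urlencode({"q": f"jobClassName:{job_class}"})  # assumed 'q' parameter
        urls.append(f"{base}{JOBS_PATH}?{query}")
    return urls


def fetch_jobs_by_state(base_url: str, state: str, job_classes: Iterable[str],
                        get_json: Callable[[str], Dict]) -> List[Dict]:
    """Emulate 'state:X AND (jobClassName:A OR jobClassName:B)' with N requests."""
    merged: Dict[int, Dict] = {}
    for url in build_job_queries(base_url, job_classes):
        for job in get_json(url).get("data", []):  # assumed response envelope
            if job.get("state") == state:
                merged.setdefault(job["id"], job)  # de-duplicate across requests
    return sorted(merged.values(), key=lambda job: job["id"])


def http_get_json(url: str, token: str) -> Dict:
    """Real transport, not used by the offline demo. Assumption: SSC accepts an
    authentication token via 'Authorization: FortifyToken <token>'."""
    request = urllib.request.Request(
        url, headers={"Authorization": f"FortifyToken {token}", "Accept": "application/json"})
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)


# Constructed sample responses keyed by the single condition each request sends.
SAMPLE_RESPONSES: Dict[str, Dict] = {
    f"jobClassName:{ARTIFACT_UPLOAD}": {"data": [
        {"id": 101, "state": "FINISHED", "jobClassName": ARTIFACT_UPLOAD},
        {"id": 102, "state": "RUNNING", "jobClassName": ARTIFACT_UPLOAD},
    ]},
    f"jobClassName:{INDEX_NEW_ISSUES}": {"data": [
        {"id": 201, "state": "FINISHED", "jobClassName": INDEX_NEW_ISSUES},
        {"id": 202, "state": "FAILED", "jobClassName": INDEX_NEW_ISSUES},
    ]},
}


def fake_get_json(url: str) -> Dict:
    """Offline stand-in for http_get_json: answer from the constructed data."""
    condition = parse_qs(urlparse(url).query)["q"][0]
    return SAMPLE_RESPONSES.get(condition, {"data": []})


def demo() -> List[Dict]:
    return fetch_jobs_by_state("https://ssc.example.invalid/ssc", "FINISHED",
                               [ARTIFACT_UPLOAD, INDEX_NEW_ISSUES], fake_get_json)


if __name__ == "__main__":
    for job in demo():
        print(job["id"], job["state"], job["jobClassName"])
```

Against a live server, pass `lambda url: http_get_json(url, token)` in place of `fake_get_json`. Keep the number of job classes small; each one costs a round trip, and the client-side filter on state means every job of that class is transferred.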

3. Resolving the Fortify Software Security Center (SSC) configuration – Database seeding error

Users run into a database seeding error while configuring Fortify Software Security Center. The message is:

Seeding failed:

Unable to seed all init seed bundles

Please find the attached SSC logs and do the needful to resolve the issue. Database installed: MySQL – 5.7.28 and JDBC driver – 8.0.18

This error is easy to fix; follow these instructions:

  1. Stop Tomcat.
  2. Delete the Catalina folder from "<Apache Tomcat installation directory>\work".
  3. Delete the ssc folder from webapps.
  4. Delete ssc.war.
  5. Clear all the Tomcat logs.
  6. Delete the .fortify folder.

Then, using the files you downloaded, perform the following:

  1. Run drop-tables.sql the same way you ran it previously.
  2. Run create-tables.sql the same way you ran it previously.
  3. Copy the new ssc.war into the webapps folder.
  4. Start Tomcat.
  5. Open the SSC Wizard and continue with the configuration procedure.
  6. In the JDBC URL, make sure the DB collation "utf8_bin" is used.
  7. Seed the bundles in the following order:
  • Fortify_Process_Seed_Bundle-2018_Q3.zip
  • Fortify_Report_Seed_Bundle-2018_Q3.zip
  • Fortify_PCI_Basic_Seed_Bundle-2018_Q3.zip
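The cleanup half of this procedure (steps 2 to 6 after Tomcat is stopped) is mechanical and easy to get subtly wrong by hand, for instance by wiping a neighbouring web app. The script below is an added example, not Fortify tooling, that removes only the items the tip lists and supports a dry run so the plan can be reviewed first. The two directory arguments are assumptions: catalina_home is the Tomcat installation directory, and fortify_home is the directory that contains the .fortify folder. Stopping Tomcat (step 1) and re-running the SQL scripts remain manual steps.

```python
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def cleanup_targets(catalina_home: Path, fortify_home: Path) -> List[Path]:
    """Exactly the items named in the tip, nothing else: other web apps, conf/
    and the rest of the Tomcat tree are never touched."""
    targets = [
        catalina_home / "work" / "Catalina",    # step 2: Catalina work folder
        catalina_home / "webapps" / "ssc",      # step 3: exploded ssc web app
        catalina_home / "webapps" / "ssc.war",  # step 4: the war file
        fortify_home / ".fortify",              # step 6: SSC's .fortify folder
    ]
    logs = catalina_home / "logs"
    if logs.is_dir():                            # step 5: clear the Tomcat logs
        targets.extend(sorted(p for p in logs.iterdir() if p.is_file()))
    return targets


def clean(catalina_home: Path, fortify_home: Path, dry_run: bool = True) -> List[Path]:
    """Remove (or, in a dry run, only list) the targets that currently exist.
    Run this only after Tomcat has been stopped (step 1)."""
    removed = []
    for target in cleanup_targets(catalina_home, fortify_home):
        if not target.exists():
            continue
        if not dry_run:
            if target.is_dir() and not target.is_symlink():
                shutil.rmtree(target)
            else:
                target.unlink()
        removed.append(target)
    return removed


def demo() -> Dict:
    """Build a constructed Tomcat/SSC layout in a temporary directory, run the
    cleanup and report what was planned, what was removed and what survived."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        catalina, fortify = root / "tomcat", root / "home"
        for sub in ("work/Catalina/localhost", "webapps/ssc/WEB-INF",
                    "webapps/other", "logs", "conf"):
            (catalina / sub).mkdir(parents=True)
        (catalina / "webapps" / "ssc.war").write_bytes(b"PK")       # placeholder, not a real war
        (catalina / "logs" / "catalina.out").write_text("constructed log\n")
        (catalina / "conf" / "server.xml").write_text("<Server/>\n")  # must survive
        (fortify / ".fortify" / "ssc" / "conf").mkdir(parents=True)
        planned = [p.relative_to(root).as_posix() for p in clean(catalina, fortify, dry_run=True)]
        removed = clean(catalina, fortify, dry_run=False)
        survivors = sorted(p.relative_to(root).as_posix() for p in root.rglob("*"))
        return {"planned": planned, "removed": len(removed), "survivors": survivors}


if __name__ == "__main__":
    report = demo()
    print("planned:", *report["planned"], sep="\n  ")
    print("survivors:", *report["survivors"], sep="\n  ")
```

On a real installation call `clean(Path(catalina_home), Path(fortify_home), dry_run=True)` first, check the returned list, and only then repeat with `dry_run=False`.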

4. Obtaining CORS support for a JavaScript client

Users need CORS support for their JavaScript clients: Fortify blocks every request their internal JavaScript apps make to the Fortify SSC API, because no proper CORS configuration is in place.

They have tried to set this in web.xml without success and need the right configuration to add to the SSC Tomcat config file so that their JavaScript apps pass the browser's CORS preflight check.

The error message seen in a localhost test is:

Access to XMLHttpRequest at 'https://<SSC_HOSTNAME>:<PORT>/ssc/api/v1/projects' from origin 'http://localhost' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Note first that there is an enhancement request for this in SSC: OCTCR11A122354

The workaround is to enable CORS through Tomcat's CORS filter for all web apps hosted under /webapps/, which includes SSC. To allow REST API calls to the SSC API through the CORS filter in the Tomcat service:

  1. Back up the web.xml file in the /conf/ folder.
  2. Edit web.xml and carefully add the CORS-related entries given below.
  3. These entries relate only to the CORS filter of the Tomcat service.
  4. In "cors.allowed.origins", specify * to allow any origin to make requests to the targeted site, in this case any SSC REST API endpoint the user needs.
  5. Save the changes to web.xml.
  6. Restart the Tomcat service.

Once these steps are complete, send a request to SSC from the JS client; it now passes through the CORS filter in the Tomcat service.
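To see what the cors.allowed.origins setting decides, here is an added example (not Tomcat's or Fortify's code) that models the origin check a CORS filter performs on a preflight request. It shows why the browser reports "No 'Access-Control-Allow-Origin' header is present" when the origin is not allowed, what * changes, and the one combination a filter must refuse: * together with credentials. For an internal app the safer configuration is the explicit list of the app's own origins rather than *, and the model makes that difference visible. The semantics mirrored here are the general CORS rules, not a quote of any particular Tomcat version.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def validate_origins(allowed_origins: List[str], support_credentials: bool) -> Optional[str]:
    """Return a configuration error message, or None when the combination is acceptable."""
    if not allowed_origins:
        return "at least one allowed origin is required"
    if "*" in allowed_origins and support_credentials:
        return "'*' cannot be combined with credentials; list the real origins instead"
    return None


@dataclass
class CorsConfig:
    """Mirrors the init-params a CORS filter takes (names are illustrative)."""
    allowed_origins: List[str]                       # exact origins, or ["*"]
    allowed_methods: List[str] = field(default_factory=lambda: ["GET", "POST", "PUT", "DELETE", "OPTIONS"])
    allowed_headers: List[str] = field(default_factory=lambda: ["Authorization", "Content-Type"])
    support_credentials: bool = False

    def __post_init__(self) -> None:
        error = validate_origins(self.allowed_origins, self.support_credentials)
        if error:
            raise ValueError(error)


def preflight_headers(cfg: CorsConfig, origin: Optional[str], requested_method: str,
                      requested_headers: List[str]) -> Optional[Dict[str, str]]:
    """Headers a filter adds to the OPTIONS response, or None when the request
    is not allowed (the browser then blocks the real request)."""
    if origin is None:
        return None
    if "*" in cfg.allowed_origins:
        allow_origin = "*"
    elif origin in cfg.allowed_origins:
        allow_origin = origin               # echo the matching origin only
    else:
        return None
    if requested_method.upper() not in {m.upper() for m in cfg.allowed_methods}:
        return None
    permitted = {h.lower() for h in cfg.allowed_headers}
    if any(h.lower() not in permitted for h in requested_headers):
        return None
    headers = {
        "Access-Control-Allow-Origin": allow_origin,
        "Access-Control-Allow-Methods": ",".join(cfg.allowed_methods),
        "Access-Control-Allow-Headers": ",".join(cfg.allowed_headers),
        "Vary": "Origin",                   # responses differ per origin; keep caches honest
    }
    if cfg.support_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    # The localhost test from the tip, first with the tip's '*' and then with an allow list.
    wide_open = CorsConfig(allowed_origins=["*"])
    allow_list = CorsConfig(allowed_origins=["http://localhost", "https://intranet.example.invalid"])
    for cfg in (wide_open, allow_list):
        for origin in ("http://localhost", "https://somewhere-else.invalid"):
            print(cfg.allowed_origins, origin, preflight_headers(cfg, origin, "GET", ["Authorization"]))
```

The two `print` lines for `http://localhost` both succeed; only the allow-list configuration refuses the second origin, which is the behaviour you want for an internal JavaScript app that talks to SSC.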

5. Fixing the Indexing Error – Contact Administrator

Users see a Missing Global Search Index after updating Fortify SSC from version 17.20 to 18.20 on Windows. The topmost tab of the web UI shows the error: “Indexing Error – Contact Administrator”.

The root cause of this recurring error is that the SearchIndex location was not set. The log and configuration files show this for the SearchIndex location:

[WARN] com.fortify.manager.DAO.fulltext.ModelMappingFactoryImpl - Fulltext search is disabled because searchIndex.location property has no value

  1. Stop the Tomcat Server.
  2. Navigate to //conf.
  3. Make a backup of the file app.properties.
  4. Line 8 shows the property “searchIndex.location=”. Set it to the correct path to the .fortify folder, without any spaces. An example is given below for reference purposes:
  5. Start the Tomcat Server.

6. Fortify SSC Reporting – OWASP 2017 reporting

Users often ask how to run OWASP 2017 reporting in Fortify SSC and how to add the report to SSC. Only the prior year's reports are available in the report selection. Filtering by OWASP Top 10 2017 has also been tried and fails, though not specifically in reporting.

Note also that the 2017 ID is not available in the parameter section of the report generator.

  1. Navigate to Administration, then Templates.
  2. Under Templates, click Reports and then OWASP Top 10.
  3. Edit the parameter named ‘Options’.
  4. Add a new parameter:

Display Value: ‘OWASP Top 10 2017’

Report Value: ‘3C6ECB67-BBD9-4259-A8DB-B49328927248’

With these steps, the OWASP Top 10 2017 option is available when generating an OWASP Top 10 report. Note that all Rulepacks must be updated in SSC (the latest version is Q4-2017); this is required to use this recent external list mapping.

7. Performing a Full Metric Recalculation

Users often ask how to trigger a metric recalculation for ALL application versions in SSC, and for related information about the Full Metric Recalculation. It is also observed that rebooting the SSC server helps here.

A user has created a new custom performance indicator and wants all metrics recalculated, so that the new performance indicator's value is updated for every application version.

When the Custom Performance Indicator is created, metrics are recalculated for every application version in which the user makes a change, for example auditing or uploading an .fpr.

This recalculation follows the Snapshot refresh settings: depending on them, the metrics of a specific application version are recalculated on any kind of change.

To have ALL application versions and their metrics recalculated, follow these instructions:

  1. Add the value invalidate.snapshots.after.variables.changes=true to the app.properties file located at /Windows/System32/config/systemprofile/.fortify/ssc/conf/
  2. Start the Tomcat service for SSC.
  3. This value enables metric recalculation for ALL application versions, according to the existing settings in the Scheduler. Then go to Snapshot Refresh and select it.
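Tips 5 and 7 both come down to editing one key in app.properties (searchIndex.location there, invalidate.snapshots.after.variables.changes here) after taking a backup. The helper below is an added example, not Fortify code, that serves both: it replaces the first active line for a key or appends it, leaves commented-out lines alone so a disabled default is never silently re-enabled, and enforces the no-spaces rule for the index path. Two assumptions are labelled in the comments: that SSC reads app.properties with the standard Java properties loader (so backslashes are escape characters and forward slashes are the safe form on Windows), and the file names used for the backup.

```python
import re
from pathlib import Path
from typing import Tuple


def set_property(text: str, key: str, value: str) -> Tuple[str, bool]:
    """Replace the first active 'key=...' line, or append one if the key is
    absent. Lines starting with '#' never match. Returns (new_text, replaced)."""
    pattern = re.compile(rf"^[ \t]*{re.escape(key)}[ \t]*=.*$", re.MULTILINE)
    line = f"{key}={value}"
    # A callable replacement keeps backslashes in the value literal.
    new_text, count = pattern.subn(lambda _match: line, text, count=1)
    if count == 0:
        if new_text and not new_text.endswith("\n"):
            new_text += "\n"
        new_text += line + "\n"
    return new_text, count == 1


def search_index_location(path: str) -> str:
    """Value for searchIndex.location. The tip requires a path without spaces;
    backslashes become forward slashes because a Java properties loader treats
    backslash as an escape character (assumption: SSC uses the standard loader)."""
    if " " in path:
        raise ValueError("searchIndex.location must not contain spaces")
    return path.replace("\\", "/")


def configure(conf_dir: Path, index_dir: str) -> Path:
    """Apply both tips to <conf_dir>/app.properties after writing a backup copy
    (backup name is an assumption). Returns the backup path."""
    props = conf_dir / "app.properties"
    backup = conf_dir / "app.properties.bak"
    original = props.read_text(encoding="utf-8")
    backup.write_text(original, encoding="utf-8")
    text, _ = set_property(original, "searchIndex.location", search_index_location(index_dir))
    text, _ = set_property(text, "invalidate.snapshots.after.variables.changes", "true")
    props.write_text(text, encoding="utf-8")
    return backup


# Constructed sample, not a real SSC app.properties.
SAMPLE_PROPERTIES = (
    "# constructed sample\n"
    "searchIndex.location=\n"
    "#invalidate.snapshots.after.variables.changes=false\n"
    "other.setting=1\n"
)


def demo() -> str:
    text, _ = set_property(SAMPLE_PROPERTIES, "searchIndex.location",
                           search_index_location("C:\\ProgramData\\.fortify\\ssc\\index"))
    text, _ = set_property(text, "invalidate.snapshots.after.variables.changes", "true")
    return text


if __name__ == "__main__":
    print(demo())
```

Restart Tomcat after `configure(...)`, as both tips require; the function deliberately does not do that for you.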

8. Instructions to fix the error when SSC Seeding is running low on memory

During database seeding the seed sometimes fails with a message in the SSC log file that reports a Java heap error. With the correct settings chosen during database setup and configuration this error does not appear.

Generally the error is caused by Java not having enough memory to run the seeding and populate the database, so the seeding fails with that error message.

The solution for the seeding Java heap error:

The basic guideline is a minimum heap of 4 GB and a maximum heap about 1 to 2 GB below what the machine shows.

  1. Navigate to <Tomcat Home Directory>/bin and create a file named setenv.sh (Linux) or setenv.bat (Windows).
  2. In the setenv file, use the format below to set the heap size with the parameters provided:

For Linux: export CATALINA_OPTS="-Xms4096M -Xmx10240M"

For Windows: set CATALINA_OPTS=-Xms4096M -Xmx10240M

  3. -Xms is the minimum and -Xmx the maximum heap size.
  4. Save the file and restart Tomcat.

Then run the SSC configuration again; seeding now completes without problems.
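The numbers in the tip follow from its rule of thumb (4 GB minimum, maximum 1 to 2 GB below the machine's RAM): on a 12 GB host with 2 GB of headroom you get exactly -Xms4096M -Xmx10240M. The added example below, not Fortify's guidance verbatim, encodes that rule, renders the setenv line for either OS, and checks an existing CATALINA_OPTS string for the mistakes that still produce a heap error (no -Xmx, -Xms above -Xmx, or a maximum larger than the host can back). JVM size suffixes k, m and g are parsed case-insensitively.

```python
import re
from typing import List

MIN_HEAP_MB = 4096                       # the tip's minimum heap
UNITS_TO_MB = {"K": 1 / 1024, "M": 1, "G": 1024}


def parse_size(token: str) -> int:
    """'4096M', '2g', '512k' -> whole megabytes."""
    match = re.fullmatch(r"(\d+)([kKmMgG])", token)
    if not match:
        raise ValueError(f"unrecognised JVM size: {token}")
    return int(int(match.group(1)) * UNITS_TO_MB[match.group(2).upper()])


def heap_opts(total_ram_mb: int, headroom_mb: int = 2048) -> str:
    """Apply the guideline: fixed 4 GB minimum, maximum = RAM minus 1 to 2 GB."""
    if not 1024 <= headroom_mb <= 2048:
        raise ValueError("headroom must be between 1 GB and 2 GB")
    xmx = total_ram_mb - headroom_mb
    if xmx < MIN_HEAP_MB:
        raise ValueError(f"{total_ram_mb} MB of RAM cannot hold a {MIN_HEAP_MB} MB heap plus headroom")
    return f"-Xms{MIN_HEAP_MB}M -Xmx{xmx}M"


def setenv_line(total_ram_mb: int, windows: bool = False) -> str:
    """The line to put in setenv.sh (Linux) or setenv.bat (Windows)."""
    opts = heap_opts(total_ram_mb)
    return f"set CATALINA_OPTS={opts}" if windows else f'export CATALINA_OPTS="{opts}"'


def check_opts(catalina_opts: str, total_ram_mb: int) -> List[str]:
    """Findings for an existing CATALINA_OPTS value; an empty list means it
    satisfies the guideline."""
    sizes = dict(re.findall(r"-X(ms|mx)(\d+[kKmMgG])", catalina_opts))
    if "ms" not in sizes or "mx" not in sizes:
        return ["both -Xms and -Xmx should be set"]
    xms, xmx = parse_size(sizes["ms"]), parse_size(sizes["mx"])
    findings = []
    if xms < MIN_HEAP_MB:
        findings.append(f"-Xms is {xms} MB, guideline minimum is {MIN_HEAP_MB} MB")
    if xmx < xms:
        findings.append("-Xmx is smaller than -Xms; the JVM will refuse to start")
    if xmx > total_ram_mb - 1024:
        findings.append(f"-Xmx {xmx} MB leaves less than 1 GB of the {total_ram_mb} MB RAM for everything else")
    return findings


if __name__ == "__main__":
    print(setenv_line(12288))                 # Linux form for a 12 GB host
    print(setenv_line(12288, windows=True))
    print(check_opts("-Xms2g -Xmx16G", 12288))
```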

9. Instructions to properly export the Fortify content

Users often ask how to export Fortify content in its native format through an API or a batch process.

To find the information needed for exporting Fortify content in native format through an API or a batch process, use the following steps.

To open the Fortify Software Security Center API Documentation:

  1. In the Fortify header, click the help icon to open the About Fortify Software Security Center box.
  2. Select API Documentation. The FORTIFY SOFTWARE SECURITY CENTER API DOCUMENTATION VERSION web page opens.

From there the user can work out the correct configuration for GET, POST, PUT, and DELETE.

10. Steps to reset admin password on SSC

Users sometimes run into problems with the LDAP connection, which is shown as expired. It is recommended to update the new password in the LDAP connection settings in SSC.

The problem is that the user cannot log in to SSC with the ‘Admin’ account, and the WIE service account is denied admin privilege as well. So users need to reset the password of the admin (non-domain) account on SSC.

To fix this, perform the following steps exactly:

  1. Make sure you have a secure backup of the database.
  2. Run the SQL statement below against the SSC database.

This query resets the admin password to its initial value ‘admin’ and unlocks the account by resetting the failed login attempts. Note that this is an MSSQL query.

Specifically for the 20.1.x version:

UPDATE fortifyuser
SET requirePasswordChange = 'Y',
  failedLoginAttempts = 0,
  dateFrozen = NULL,
  suspended = 'N',
  password = '{sha}{P7D4co4mI/4=}b0521d842e68c870af598b81aa8cd6d1728611b1e5568397e420b2d026172b74'
WHERE userName = 'admin';

Specifically for the 19.x version:

UPDATE fortifyuser
SET requirePasswordChange = 'Y',
  failedLoginAttempts = 0,
  dateFrozen = NULL,
  suspended = 'N',
  secPass = '{P7D4co4mI/4=}b0521d842e68c870af598b81aa8cd6d1728611b1e5568397e420b2d026172b74'
WHERE userName = 'admin';

Specifically for the versions prior to 19.x:

UPDATE fortifyuser
SET requirePasswordChange = 'Y',
  failedLoginAttempts = 0,
  dateFrozen = NULL,
  suspended = 'N',
  secPass = 'b0521d842e68c870af598b81aa8cd6d1728611b1e5568397e420b2d026172b74',
  salt = 'P7D4co4mI/4='
WHERE userName = 'admin';