
Micro Focus Fortify Software Security Center – Tips and Tricks


Micro Focus Fortify Software Security Center (SSC) integrates and automates security testing with development and gives complete visibility of application security risk.

This post collects the monthly Fortify Software Security Center tips and tricks, a consolidation of common issues seen in Fortify SSC. See this article for troubleshooting tips and tricks for other tools.


Fortify Software Security Center Tips – Jan 2021

1. Instructions to fix SQL Server errors when fetching the Fortify rule set from SSC

Many Fortify builds fail at the step where the build script fetches the Fortify rule set from the SSC site, and SSC logs SQL Server errors at the same time. This command in the scripts:

fortifyupdate -acceptKey -url https:///ssc

fails the entire script execution with: Error 6224: Server returned: HTTP/1.1 500

Running the script again does not reliably help; it may or may not get past this step. The SSC log entries matching the error time are:

2019-01-08 15:35:48,448 [WARN] org.hibernate.engine.jdbc.spi.SQLExceptionHelper - SQL Error: 0, SQLState: null at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [catalina.jar:9.0.13] at com.microsoft.sqlserver.jdbc.SQLServerException.makeFromDriverError(SQLServerException.java:191) ~[sqljdbc42.jar:?]
2019-01-08 15:35:48,520 [WARN] org.hibernate.engine.jdbc.spi.SqlExceptionHelper - SQL Error: 0, SQLState: null at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [catalina.jar:9.0.13]
2019-01-08 15:35:48,529 [ERROR] com.fortify.manager.controller.RulepackDistributorController - RulepackUpdateServlet: Error getting rulepacks for download at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [catalina.jar:9.0.13] at com.microsoft.sqlserver.jdbc.SQLServerException.makeFromDriverError(SQLServerException.java:191) ~[sqljdbc42.jar:?]

The fix is on the database side: defragment and reindex the whole SSC database. After that the error does not occur again.

2. Whether an OR condition can be used in a search query

Users often ask whether an OR condition is available in a search query at all. A typical case is querying the jobs API with a combined condition such as the one below:

criteria: state:FINISHED AND jobClassName:com.fortify.manager.BLL.jobs.ArtifactUploadJob OR jobClassName:com.fortify.manager.BLL.jobs.fulltext.IndexNewIssuesJob

Tests of both operators, AND and OR, in the API show that neither works in the query string search. The API documentation only contains examples with a single search field, and none of them uses AND/OR operators.

Inspection of the syntax and documentation confirms that boolean operators (AND/OR) are not supported in the SSC REST API query string search, so only a single condition can be used per query.

3. Resolving the Fortify Software Security Center (SSC) configuration – Database seeding error

Users come across a database seeding error while configuring Fortify Software Security Center (SSC).

During SSC configuration the seeding step fails with the message below:

Seeding failed:
Unable to seed all init seed bundles

Please find the attached SSC logs and do the needful to resolve the issue. Database installed: MySQL 5.7.28, JDBC driver 8.0.18

This error can be fixed by following these steps:

  1. Stop Tomcat.
  2. Delete the Catalina folder from "<Apache Tomcat installation directory>\work".
  3. Delete the ssc folder from webapps.
  4. Delete ssc.war.
  5. Clear all the Tomcat logs.
  6. Delete the .fortify folder.

Then use the downloaded files to perform the tasks below:

  1. Run the file "drop-tables.sql" the same way you ran it previously.
  2. Run the file "create-tables.sql" the same way you ran it previously.
  3. Add the new ssc.war to the webapps folder.
  4. Start Tomcat.
  5. Open the SSC wizard and continue with the configuration procedure.
  6. In the JDBC URL, make sure to use the DB collation "utf8_bin".
  7. Then perform the seeding in the order given below:

4. Obtaining CORS support for a JavaScript client

Users need help enabling CORS for a JavaScript client. Fortify blocks all requests from their internal JavaScript apps to the SSC API because no proper CORS configuration is in place.

Users have tried setting this in web.xml without success and need the right configuration to add to the SSC Tomcat config file, so that their JavaScript apps pass the browser's CORS preflight check.

The error message from a localhost test setup is:

Access to XMLHttpRequest at 'https://<SSC_HOSTNAME>:<PORT>/ssc/api/v1/projects' from origin 'http://localhost' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Note first that there is an OCTCR enhancement request for this in SSC: OCTCR11A122354

The workaround is to enable CORS in the Tomcat service for all web apps hosted in /webapps/, which includes SSC. Follow these steps to allow REST API calls to the SSC API through the CORS filter in Tomcat:

  1. Make a backup of the web.xml file in the /conf/ folder.
  2. Edit the web.xml file and add the CORS entries given below (a filter definition and its mapping):

<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.headers</param-name>
    <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
  </init-param>
  <init-param>
    <param-name>cors.exposed.headers</param-name>
    <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

  3. Note that these entries apply to the CORS filter of the whole Tomcat service, not just SSC.
  4. In "cors.allowed.origins", the value * allows any origin to make requests and read responses from the targeted site, in this case every SSC REST API endpoint the user needs. This is the quickest way to get the client working; for production, replace * with the exact origin(s) of your JavaScript app so that other sites cannot use a logged-in user's browser to reach the API.
  5. Save the changes to the web.xml file.
  6. Restart the Tomcat service.

After these steps, send a request to SSC from the JS client; it now passes through the CORS filter in the Tomcat service.
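To see concretely why the browser produced the error above and what the web.xml change fixes, here is an added example (not code from the article or from Fortify) that evaluates a captured preflight response the way a browser does. The two header sets are constructed: one mirrors SSC before the CorsFilter exists, the other mirrors the filter values above. The check also flags the * wildcard so an operator can spot it before going to production.

```python
"""Evaluate a CORS preflight response offline, following the browser's checks.

Added example, not part of the original article or of Fortify SSC. Header
sets below are constructed to mirror (a) SSC with no CorsFilter and (b) SSC
with the web.xml filter values from the article.
"""

REQUEST_ORIGIN = "http://localhost"   # origin of the JavaScript app (constructed)

# (a) Preflight response before the CorsFilter is configured: no CORS headers at all.
BEFORE_HEADERS = {"Content-Type": "application/json"}

# (b) Preflight response after the web.xml CorsFilter entries (values from the article).
AFTER_HEADERS = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Methods": "GET,POST,HEAD,OPTIONS,PUT",
    "Access-Control-Allow-Headers": "Content-Type,X-Requested-With,accept,Origin,"
                                    "Access-Control-Request-Method,Access-Control-Request-Headers",
}

# Methods a browser never requires in Access-Control-Allow-Methods.
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}


def _get(headers, name):
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _csv_set(value, lower=False):
    items = [v.strip() for v in (value or "").split(",") if v.strip()]
    return {v.lower() if lower else v.upper() for v in items}


def preflight_verdict(origin, method, headers, request_headers=()):
    """Return (ok, reason) for a preflight response.

    ok is True only when the origin, the method and every non-simple request
    header are allowed. reason carries the browser-style message for the first
    failure, or a warning when the origin is allowed only via the '*' wildcard.
    The header check is simplified: every listed request header must appear in
    Access-Control-Allow-Headers.
    """
    acao = _get(headers, "Access-Control-Allow-Origin")
    if acao is None:
        return False, "No 'Access-Control-Allow-Origin' header is present on the requested resource."
    if acao != "*" and acao != origin:
        return False, f"Origin {origin} is not allowed by Access-Control-Allow-Origin {acao}."

    allowed_methods = _csv_set(_get(headers, "Access-Control-Allow-Methods"))
    if method.upper() not in SAFELISTED_METHODS and method.upper() not in allowed_methods:
        return False, f"Method {method} is not allowed by Access-Control-Allow-Methods."

    allowed_headers = _csv_set(_get(headers, "Access-Control-Allow-Headers"), lower=True)
    for name in request_headers:
        if name.lower() not in allowed_headers:
            return False, f"Request header {name} is not allowed by Access-Control-Allow-Headers."

    if acao == "*":
        return True, ("allowed via wildcard origin; restrict cors.allowed.origins "
                      "to the app's origin in production")
    return True, "allowed"


if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE_HEADERS), ("after", AFTER_HEADERS)):
        ok, reason = preflight_verdict(REQUEST_ORIGIN, "PUT", hdrs, ["Content-Type"])
        print(f"{label}: {'pass' if ok else 'blocked'}: {reason}")
```

Running it prints "blocked" with the same "No 'Access-Control-Allow-Origin' header" text as the browser for the first header set, and "pass" with a wildcard warning for the second. Replace the two constructed dictionaries with the headers of a real OPTIONS response to check your own configuration.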

5. Fixing the Indexing Error – Contact Administrator

Users see a Missing Global Search Index after updating Fortify SSC from version 17.20 to 18.20 on Windows. The topmost tab of the web UI shows the error "Indexing Error – Contact Administrator".

The root cause of this recurring error is that the SearchIndex location is not set, as the log and configuration files show:

ssc.log:
[WARN] com.fortify.manager.DAO.fulltext.ModelMappingFactoryImpl - Fulltext search is disabled because searchIndex.location property has no value

  1. Stop the Tomcat server.
  2. Navigate to //conf.
  3. Make a backup of the file app.properties.
  4. Line 8 contains the property "searchIndex.location=". Set it to the correct path of the .fortify folder, without any spaces. An example for reference:
searchIndex.location=C:\Users\\.fortify
  5. Start the Tomcat server.

6. Executing the Fortify SSC Reporting – OWASP 2017 Reporting

Users often ask how to run the OWASP 2017 report in Fortify SSC and how to add it to SSC. Only the prior years' reports are available in the report selection, and filtering by OWASP Top 10 2017 fails, though not specifically in reporting.

Note also that the 2017 ID is not available in the parameter section of the report generator.

  1. Go to Administration, then Templates.
  2. Under Templates, click Reports, then OWASP Top 10.

Edit the parameter named 'Options'.

Add a new parameter:

Display Value: ‘OWASP Top 10 2017’

Report Value: ‘3C6ECB67-BBD9-4259-A8DB-B49328927248’

After these steps, the OWASP Top 10 2017 option is available when generating an OWASP Top 10 report. Make sure all Rulepacks in SSC are updated (the latest version is Q4-2017); that is required to use this recent external list mapping.

7. Performing a Full Metric Recalculation

Users often ask how to trigger a metric recalculation for ALL application versions in SSC, and what a full metric recalculation involves. Rebooting the SSC server is also reported to help here.

A user has created a new custom performance indicator and wants all metrics recalculated so that the new indicator value is updated for every application version.

When a custom performance indicator is created, metrics are recalculated only for the application versions where the user makes a change, for example auditing or uploading an .fpr.

This recalculation follows the Snapshot refresh settings: depending on them, the metrics of a specific application version are recalculated whenever that version is altered in any way.

To have ALL application versions and their metrics recalculated, follow these steps:

  1. Add the value invalidate.snapshots.after.variables.changes=true to the app.properties file located at /Windows/System32/config/systemprofile/.fortify/ssc/conf/
  2. Start the Tomcat service for SSC.
  3. This value enables metric recalculation for ALL application versions, according to the existing settings in the Scheduler. Then go to Snapshot Refresh and select it.

8. Instructions to fix the error when SSC seeding runs out of memory

During database seeding the seed fails with a Java heap error in the SSC log file. If the correct settings are chosen during database setup and configuration, this error does not occur.

The error is caused by Java not having enough memory to run the seeding and populate the database, so the seeding fails.

This solution is specifically for the seeding Java heap error:

As a basic guideline, the minimum heap should be 4 GB and the maximum about 1 to 2 GB below the memory the machine shows.

  1. Go to <Tomcat Home Directory>/bin and create a file named setenv.sh (Linux) or setenv.bat (Windows).
  2. In the setenv file, set the heap size with the parameters in the format below:

For Linux: export CATALINA_OPTS="-Xms4096M -Xmx10240M"

For Windows: set CATALINA_OPTS=-Xms4096M -Xmx10240M

  3. -Xms is the minimum and -Xmx the maximum heap size.
  4. Save the file and restart Tomcat.

Then go through the SSC configuration again; the seeding completes without the error.

9. Instructions to export Fortify content

Users often ask how to export Fortify content in its native format through an API or a batch process.

To find the information needed to export Fortify content in native format through an API or a batch process, use the steps below.

To access the Fortify Software Security Center API documentation:

  1. In the Fortify header, click the help icon. The About Fortify Software Security Center box appears.
  2. Select API Documentation. The FORTIFY SOFTWARE SECURITY CENTER API DOCUMENTATION VERSION web page opens.

From there the user can work out the proper requests for GET, POST, PUT and DELETE.

10. Steps to reset the admin password on SSC

Users come across problems with the LDAP connection, which shows as expired. Update the new password in the LDAP connection settings in SSC.

The problem is that the user cannot log in to SSC with the 'Admin' account, and the WIE service account's admin privilege is denied as well, so they need to reset the admin (non-domain account) password on SSC.

To fix this, perform the steps below exactly:

  1. Make sure you have a secure backup of the database.
  2. Run the SQL statement below against the SSC database.

This query resets the admin password to its initial 'admin' value and unlocks the account by resetting the failed login attempts. Note that this is an MSSQL query. Because the account is back on a known default password, log in and change it immediately afterwards; requirePasswordChange = 'Y' prompts for a new password at the next login.

Specifically for the 20.1.x version:

UPDATE fortifyuser
SET
  requirePasswordChange = 'Y',
  failedLoginAttempts = 0,
  dateFrozen = NULL,
  suspended = 'N',
  password = '{sha}{P7D4co4mI/4=}b0521d842e68c870af598b81aa8cd6d1728611b1e5568397e420b2d026172b74'
WHERE
  userName = 'admin';

Specifically for the 19.x version:

UPDATE fortifyuser
SET
  requirePasswordChange = 'Y',
  failedLoginAttempts = 0,
  dateFrozen = NULL,
  suspended = 'N',
  secPass = '{P7D4co4mI/4=}b0521d842e68c870af598b81aa8cd6d1728611b1e5568397e420b2d026172b74'
WHERE
  userName = 'admin';

Specifically for the versions prior to 19.x:

UPDATE fortifyuser
SET
  requirePasswordChange = 'Y',
  failedLoginAttempts = 0,
  dateFrozen = NULL,
  suspended = 'N',
  secPass = 'b0521d842e68c870af598b81aa8cd6d1728611b1e5568397e420b2d026172b74',
  salt = 'P7D4co4mI/4='
WHERE
  userName = 'admin';

Fortify Software Security Center Tips – Feb 2021

1. Artifact deletion error persists for a whole month

Users encounter an error that says:

[ERROR] com.fortify.manager.service.EmailServiceImpl - error sending email java.lang.NullPointerException: null at com.fortify.manager.service.EmailServiceImpl.sendMessage(EmailServiceImpl.java:103) [ssc-core-18.20.1071.jar:?]

This was nested among the SQL deadlock errors.

This is a deletion error: the artifact notification persists for a whole month and blocks all future uploads. The error remains even while the status shows as scheduled. It can be cleared with the following measures:

  1. Disable alerting and restart SSC.
  2. The database cleanup then clears the offending records, which is its function.
  3. Inspect the alert setup carefully to locate the alert responsible for this error.
  4. Remove that alert.

2. Solving the '500 Internal Server Error' when logging in with a single user

A user who initially logged in incorrectly is then redirected to a 500 internal server error page.

According to users' experience, this happens when a user logs in to Fortify SSC for the first time after a long time (such as a whole year). The user already has an SSC account through LDAP with all the permissions needed.

When the user logs in again, they are redirected to an unfamiliar URL that shows a 500 internal server error. The error recurs, but only a limited number of users have encountered it.

To solve this, first understand the difference between LDAP and LOCAL accounts so that the problem can be identified. The user had an account both in LDAP and as a LOCAL account, but the local account had no role assigned. That causes the 500 internal server error every time the user tries to log in.

Once the cause is identified, the fix is a settings change: assign the local account a role, which has to be done through the SSC database.

This is necessary because the portal could not load the LOCAL account and kept returning the 500 internal server error.

3. Instructions to fix 'Error code 2004' when installing the VS extension

Users trying to install the Visual Studio 2017 plug-in for SCA come across this error code. It appears in all install logs while the Visual Studio extension installation is in progress.

There were no other secondary errors, and inspection shows that EC 2004 is a generic Visual Studio error message. The error shown on screen is 'Error code 2004 at the installation VS extension'.

This error is easy to fix with some simple precautions. The main cause is a faulty installer.

The downloaded installer may be corrupted, with extension files missing or damaged. Download the installer again and repeat the installation.

Once the installer is properly installed and the files are intact, 'Error code 2004 at the installation VS extension' does not appear again.

4. Fixing the Error: UPDATEEXISTINGWITHLATEST while uploading the FPR to SSC

When uploading an FPR to SSC 20.1, users meet a recurring error, UPDATEEXISTINGWITHLATEST:

Database error: ORA-06575: Package or function UPDATEEXISTINGWITHLATEST is in an invalid state

2020-10-10 01:00:20,158   [ERROR] org.hibernate.engine.jdbc.spi.SqlExceptionHelper – ORA-01034: ORACLE not available\nORA-27101: shared memory realm does not exist\nLinux-x86_64 Error: 2: No such file or directory\nAdditional information: 3651\nAdditional information: -1741379813\n

These are the error messages displayed. The installation is a recent one of SSC version 20.1 in the Azure cloud, and the error occurs the first time the user uploads an FPR.

The following upgrade path was used:

SSC  | OS     | DB            | Tomcat | Java | DB Export     | DB Import     | JDBC Driver
17.1 | RH 7.x | 12c Release 1 | 8      | 8    |               |               | 7
18.1 | RH 7.x | 12c Release 2 | 9      | 8    | 12c Release 1 | 12c Release 2 | 8
18.2 | RH 7.x | 12c Release 2 | 9      | 8    |               |               | 8
19.1 | RH 7.x | 12c Release 2 | 9      | 8    |               |               | 8
20.1 | RH 7.x | 19c           | 9      | 8    | 12c Release 2 | 19c           | 8

The problem arises because version 17.20 was skipped during the upgrade, which leaves two tables missing: issue_ca and pluginimage.

Since the cause is issue_ca and pluginimage missing from the earlier upgrade of the 20.1 SSC database, the fix is:

  1. First check whether the tables issue_ca_temp and pluginimage_temp exist. If they do, rename them to issue_ca and pluginimage respectively.
  2. If these 'temp' tables are not present anywhere, contact product support about the missing tables.

5. Fixing the NullPointerException when a new application version is added

Users get an unusual error message when creating a new project version in SSC 20.1: the /bulk endpoint returns a NullPointerException, and the error recurs.

Here is an example:

2020-10-20 15:34:08,802 10.130.16.8 /ssc/api/v1/bulk [ERROR] com.fortify.server.platform.shared.spring.RestApiExceptionHandlerAdvice - java.lang.NullPointerException: An unexpected error has occurred. [url: /ssc/api/v1/projectVersions/289050373/attributes]
java.lang.NullPointerException: null
    at com.fortify.server.platform.shared.util.RestApiCoreBLLHelper.updateCollection(RestApiCoreBLLHelper.java:402) ~[web-platform-shared-20.1.0.0169.jar:?]
    at com.fortify.server.platform.endpoints.rest.AttributeOfProjectVersionController.updateCollection(AttributeOfProjectVersionController.java:57) ~[web-platform-endpoints-20.1.0.0169.jar:?]

This occurs on a new installation of SSC in the Azure cloud, the first time the user creates a new application.

The SSC database is Oracle 19.0 with JDBC driver ojdbc8. The cause can be narrowed down by eliminating possibilities: the attribute values for the new application version are simply not set, as the request below shows (postData is empty):

{
"uri": "https://fortify.com/ssc/api/v1/projectVersions/289052408/attributes",
"httpVerb": "PUT",
"postData": []
},

Check that attribute values exist and can be set, using the steps below:

  1. Restart SSC or Tomcat to make sure all recent changes were processed.
  2. Add the application version again and capture the screens.

Then go to the Attributes page and check whether the dropdowns contain values that can be set. If they can be selected, set some and continue the test. If there are no values at all, create at least one, which is the minimum requirement.

6. Instructions to fix the ‘TypeError: Object doesn’t support this action’

After upgrading to SSC 20.2, users cannot access the options in the menu tab at the top, which blocks further work.

The error message that appears on screen is given below for reference:

An unexpected error has occurred. Please contact your administrator TypeError: Object doesn't support this action.

The 'TypeError: Object doesn't support this action' error is easy to fix, as it usually results from an outdated browser, mainly Internet Explorer 11 or another unsupported or outdated browser.

SSC dropped support for Internet Explorer 11 in SSC 19.1 for performance-related reasons. To fix the error, use Chrome, making sure it is a supported, up-to-date version that is suitable for SSC 20.2.

7. Fixing the purging of project artifacts

Users deploying SSC and WebInspect Enterprise in a DevSecOps initiative have difficulty purging project artifacts. The details of one observed case are below:

Around 300 SCA and WebInspect jobs run in the background daily. The SQL Server Enterprise 2014 instance has 400+ GB of disk space taken up by SSC. Removing a few artifacts manually does not help because of the volume; manual removal is not practical.

The main questions concern purging, ways to reduce database space, and the effect of manual deletion on SSC and SCA. Manual removal of artifacts does affect the database: SSC performance becomes slow and SCA scan results do not upload for processing in SSC.

With the standard 32 GB of database memory, overall SSC performance lags; database memory utilization stays at 94% in the background. The Fortify database was massive, around 700 GB, which consumed all of the backups, and because of this performance the script could not run at all.

A BAT script can purge most of the space used by project artifacts. Back up the whole database before running the script so that no important files or data are lost. Then follow the steps below:

  1. Create an empty purge.bat file.
  2. Paste the text below into it (the pipe to findstr is escaped as ^| because it runs inside the for /F command, and the regex ^[0-9][0-9]* keeps only lines that start with a numeric project version ID):
================
set un=admin
set pw=admin
set scandate=30102014
set sscurl=http://localhost:8080/ssc
for /F %%i in ('fortifyclient listProjectVersions -url %sscurl% -user %un% -password %pw% ^| findstr /r "^[0-9][0-9]*"') do fortifyclient purgeProjectVersion -projectVersionID %%i -scanDate %scandate% -url %sscurl% -user %un% -password %pw%
================
  3. Change the values on the first four lines to match your installation. The password is stored in plain text in this file, so restrict access to it and delete it when the purge is done.

The fortifyclient tool should be available on every machine that has SCA installed. If you do not have access to a Windows machine with SCA installed, look for fortifyclient in the HP-Fortify-Server-WAR\Tools\fortifyclient\bin directory.

  4. Use scanDate to specify the cut-off: scans older than scanDate are the ones removed.
  5. The script above goes through every project version and runs a purge on each.

Note that the scan date is not the same as the upload date.

  6. Once the purge is complete, shrink the SSC database; this is what actually reduces the file size.
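The batch loop above is short but has two operational weak points: the admin password sits in the script file, and there is no way to preview which versions will be purged before fortifyclient runs. The following added example (not the article's script and not a Fortify tool) does the same selection in Python: it keeps lines that start with a numeric ID, exactly as the findstr pattern does, builds one purgeProjectVersion command per ID, reads the password from an environment variable, and defaults to a dry run. The listing text is constructed; the only assumption about the real listProjectVersions output is the one the batch script already makes, that the ID is the first thing on the line.

```python
"""Plan fortifyclient purgeProjectVersion commands from a listProjectVersions listing.

Added example, not the article's purge.bat and not part of Fortify. The
fortifyclient sub-commands and flags used are the ones the article shows;
the SAMPLE_LISTING below is constructed for offline use.
"""
import os
import re
import subprocess

# Constructed sample of what the batch loop pipes through findstr.
SAMPLE_LISTING = """\
Project versions on http://localhost:8080/ssc
ID     Project          Version
10001  Payments         1.0
10002  Payments         1.1
Total: 2
"""

# Same selection as: findstr /r "^[0-9][0-9]*"  (line must begin with digits)
ID_LINE = re.compile(r"^(\d+)\b")


def parse_version_ids(listing):
    """Return the numeric IDs of the lines that start with a digit, in order."""
    ids = []
    for line in listing.splitlines():
        match = ID_LINE.match(line)
        if match:
            ids.append(int(match.group(1)))
    return ids


def fetch_listing(ssc_url, user, password):
    """Run fortifyclient listProjectVersions and return its stdout (needs SCA/fortifyclient)."""
    result = subprocess.run(
        ["fortifyclient", "listProjectVersions", "-url", ssc_url,
         "-user", user, "-password", password],
        capture_output=True, text=True, check=True)
    return result.stdout


def purge_commands(ids, scan_date, ssc_url, user, password):
    """Build one purgeProjectVersion argv per ID; argv lists avoid shell quoting issues."""
    return [
        ["fortifyclient", "purgeProjectVersion",
         "-projectVersionID", str(version_id),
         "-scanDate", scan_date,
         "-url", ssc_url, "-user", user, "-password", password]
        for version_id in ids
    ]


def run_purge(listing, scan_date, ssc_url, user, password, dry_run=True):
    """Print (and, unless dry_run, execute) the purge commands; returns the planned argv lists."""
    commands = purge_commands(parse_version_ids(listing), scan_date, ssc_url, user, password)
    for argv in commands:
        # Never echo the password, even in a dry run.
        shown = ["***" if token == password else token for token in argv]
        print(" ".join(shown))
        if not dry_run:
            subprocess.run(argv, check=True)
    return commands


if __name__ == "__main__":
    # Credentials come from the environment, not from the script file.
    ssc_user = os.environ.get("SSC_USER", "admin")
    ssc_password = os.environ.get("SSC_PASSWORD", "")
    # Dry run over the constructed listing; swap in fetch_listing(...) for a live server.
    run_purge(SAMPLE_LISTING, "30102014", "http://localhost:8080/ssc",
              ssc_user, ssc_password, dry_run=True)
```

Run it once with dry_run=True to review the planned commands against the scan date, then with dry_run=False (and a database backup taken, as the article says) to perform the purge.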

For shrinking the database:

  1. Open Microsoft SQL Server Management Studio.
  2. Right-click the SSC database.
  3. Click Tasks, then Shrink, then Database.

After the shrink completes, wait a while for the changes to take effect. Then rebuild all of the indexes in the SSC database.

8. Instructions to resolve an incorrect SCA analysis date

Analysis dates in SCA are wrong when the server time zones differ.

An example for reference:

– Server time: 11:19 a.m.

– CloudScan artifact uploaded: 10:48 a.m.

– Analysis Date set to 4:46 p.m. (which is 5 hours behind)

The cause is that the SSC, CloudScan and SCA servers were set to different time zones. Set all the servers to the same time zone from that point onwards.

9. Instructions to delete the owner of an application manually

The owner of an application no longer has access to SSC, and the following error appears when trying to delete the user:

"The selected user(s) cannot be deleted because they are the owner of one or more application versions."

To fix this, follow the steps below (the placeholders <OLD_OWNER> and <NEW_OWNER> stand for the current and the replacement owner's user names):

1. Find the application versions owned by the user:

SELECT * FROM projectversion WHERE owner='<OLD_OWNER>';

2. Then reassign them with an update query of this form:

UPDATE projectversion
SET owner='<NEW_OWNER>'
WHERE owner='<OLD_OWNER>';

10. Difficulty creating new application projects that are later marked "Finish Later"

Users encounter an error while creating new application projects, which are then marked "Finish Later".

When a new application is created, the following error shows up:

{"message":"Custom tag 7e190805-dffa-427e-a4f9-a3304dc42819 is hidden and cannot be assigned to application version."}

The log files show:

2018-12-12 12:23:10,767 [ERROR] com.fortify.server.platform.shared.spring.RestApiExceptionHandlerAdvice - com.fortify.manager.exception.FMUserInputException: Custom tag 7e190805-dffa-427e-a4f9-a3304dc42819 is hidden and cannot be assigned to application version. [url: /ssc/api/v1/projectVersions/14052]

These new projects are now marked "Finish Later" and require the legacy user interface to access them and upload or delete scans.

Use the REST API, because there is no 4.3-style UI for this. It can be done with the bulk option shown below.

You need the project version ID; execute this query on the DB:

select p.name, pv.id, pv.name as version
from project p
inner join projectversion pv on pv.project_id = p.id

Once you have the ID, use curl or an application like Postman to send a POST bulk request that enables the project version.

An example using curl:

curl -v -i -H "Authorization: Basic <base64_encoded_creds>" -H "Content-Type: application/json" -X POST --data @c:\projectVersion_BULK.in http://localhost:8080/ssc/api/v1/bulk

<base64_encoded_creds> is the base64-encoded SSC username and password, joined with a colon (username:password), e.g.:

echo -n 'username:password' | base64

projectVersion_BULK.in is the POST data sent to SSC; it is equivalent to "Step 2. Define Attributes and Risk" when creating a brand new project version.

projectVersion_BULK.in
{"requests": [{"uri":"http://localhost:8080/ssc/api/v1/projectVersions/[YOUR_PROJECT_ID]/attributes",
"httpVerb":"PUT",
"postData":
[
{"attributeDefinitionId":5,"values":[{"guid":"Active"}],"value":null},
{"attributeDefinitionId":1,"values":[{"guid":"High"}],"value":null},
{"attributeDefinitionId":6,"values":[{"guid":"Partial"}],"value":null},
{"attributeDefinitionId":7,"values":[{"guid":"externalpublicnetwork"}],"value":null}
]
},
{"uri":"http://localhost:8080/ssc/api/v1/projectVersions/[YOUR_PROJECT_ID]?hideProgress=true",
"httpVerb":"PUT",
"postData":{"committed":true}
}
]
}

Fortify Software Security Center Tips – Mar 2021

1. How to delete LDAP user with project “ownership”

What is LDAP? 

LDAP or Lightweight Directory Access Protocol is a cross-platform authentication protocol for directory services. LDAP is the protocol that allows applications to connect with other directory service servers. Users, passwords, and device accounts are stored in directory services, which share this information with other network entities.

If you are facing the problem below:

  1. How to delete LDAP users with project “ownership”.
  2. Error: Possibly unhandled rejection: {"message":"The selected LDAP entity(ies) cannot be deleted because they contain an owner of one or more application versions.","responseCode":400,"errorCode":-10512}

The following steps can be implemented to resolve the issue: 

  1. To change the owner of a project, copy it to a new project with a new owner and details, then delete the old one. 
  2. Because of the DB schema’s complexity, the UI is the most error-free alternative and does not require API coding. 
  3. After copying the project with the new user, you will be able to delete the LDAP users without issue, because they are no longer owners of an application. 
  4. To alter the owner of an application, you need to make a copy of it. That is both the safest and the simplest way to do it. 
  5. As I stated in the previous email, once you change the owner, you will be able to remove the other user.
  6. You can check whether a user has access to a particular application in the UI by going to Administration > Users > LDAP and selecting one of the users there. 
  7. For a particular application, go to Profile > Application Settings and look for the Owner in the lower-left corner of the popup. 
  8. The owner applies only to a particular project version, not to the whole application. 
  9. There is no way to search all the application versions owned by a specific user through the UI, but you can do so by running the following query directly on your database:
SELECT project.id AS 'Project ID', project.name AS 'Project', projectversion.name AS 'Project version', projectversion.owner AS 'Owner'
FROM projectversion JOIN project ON (projectversion.project_id = project.id)
WHERE projectversion.owner='<username>';

That query will list all the project versions (with their parent project) owned by the user you specify.

2. Unsafe Content Source: style-src

What is style-src?

The style-src Content Security Policy (CSP) directive restricts the sources from which stylesheets and inline styles may be loaded and applied.

Summary

  1. There are three URLs in the application that set style-src ‘unsafe-inline’ in the Content Security Policy header.

The following steps can be implemented to resolve the issue: 

  1. Because of the ‘unsafe-inline’ in the Content Security Policy header, a defect has been opened for the request to refactor the website to remove inline JavaScript and CSS.
  2. From here on out, we will have to wait for the Micro Focus R&D team’s response on when this problem will be resolved.

3. Steps to install a new Fortify license

About the new fortify license:

You may use the Fortify License and Infrastructure Manager (LIM) to handle your Micro Focus Fortify WebInspect concurrent product licenses from a single location. When using concurrent licenses, the LIM is required. Activation tokens are not produced by the LIM.

Micro Focus creates activation tokens that indicate how many licenses were purchased. You register your activation token with the LIM database, then use it to assign and release license seat leases to users. SmartUpdate is used by the LIM to download software updates and keep them up to date.

Summary: 

  1. New SCA license. 
  2. Fortify now has a new license. On Linux, we’re using V18.2. Python scanning is also included in the new license. How do we replace an existing license in SSC with a new one? How can we tell if the new license has been installed and Python has been included in SSC?

The following steps can be implemented to resolve the issue: 

  1. Replace the license by putting your new fortify.license file in the .fortify folder. 

NOTE: To prevent conflicts, remember to delete the old file and restart the SSC and Tomcat servers.

4. Fortify SSC Email Alerts Not Working 100%

How does Fortify’s SSC work?

The Fortify SSC allows teams to review and manage security testing activities, prioritize remediation efforts based on risk potential, monitor progress, and produce cross-portfolio management reports.

Summary: 

  1. SSC Email Alerts aren’t always working. 
  2. Certain people who set up individual email notifications are no longer receiving them. 
  3. However, this is not the case everywhere. 
  4. Is there something you can check or look at to make sure the SSC is sending the emails to the mail relay? 

The following steps can be implemented to resolve the issue: 

Log in as an admin user, go to Administration->Configuration->Core and change the “User Administrator’s email Address” value; once saved, the email should be sent correctly.

5. Learn an alternative way to purge Fortify SSC DB

What is Fortify SSC? 

The Fortify – Software Security Center (SSC) family of products conducts in-depth reviews of an organization’s source code, yielding succinct summaries of source code security flaws.

The following steps can be implemented to purge Fortify SSC DB: 

To purge all artifacts in an application version that were scanned before a given date:

Navigate to the <ssc_install_dir>/Tools/fortifyclient/bin directory and run:

fortifyclient -url <ssc_url> purgeApplicationVersion <app_identifier> -scanDate <MMDDYYYY>

where <ssc_url> represents the URL of the Fortify Software Security Center instance and <app_identifier> represents the -application <app_name>, -version <version_name>, or -applicationVersionID <id>.

6. Full Metric Recalculation

What is the Relation of Full Metric Calculation with DIFOT or OTIF?

OTIF (on-time and in-full [delivery]) or DIFOT (delivery in full, on time) is a calculation of logistics or delivery efficiency within a supply chain. It tests whether the supply chain was able to meet the specifications and is usually expressed as a percentage.

How do you request a metric recalculation in SSC for ALL application versions? Restarting the SSC server does not solve the problem. 

This applies when you have created a new custom performance indicator and want the metrics of all application versions recalculated so that they reflect the new performance indicator value.

The following steps can be implemented to resolve the issue: 

  1. When a Custom Performance Indicator is created, the metrics are recalculated only for the application versions where users made changes (auditing, uploading .fpr files, and so on). This recalculation follows the Snapshot refresh settings, so the metrics are recalculated for an application version with any kind of change, depending on those settings. 
  2. If you need the metrics of ALL application versions recalculated, make the following changes:

– Add the value invalidate.snapshots.after.variables.changes=true in the app.properties file located at /Windows/System32/config/systemprofile/.fortify/ssc/conf/

– Restart the Tomcat service for SSC

– This value allows the metrics re-calculation for all application versions according to the settings you have in Scheduler –> Snapshot Refresh.

7. Uploading large file results in GC error

How does GC work? 

The garbage collector (GC) is an automated memory manager. The garbage collector is in charge of managing an application’s memory allocation and release. This ensures that you don’t have to write code to perform memory management tasks if you’re dealing with managed code.

Automatic memory management can solve problems like forgetting to free an object, resulting in a memory leak, or trying to access memory for an object that has already been freed.

The following steps can be implemented to resolve the issue: 

1. Follow the steps below to increase the Java heap size in Tomcat: 

  1. Create a setenv.sh file (Linux) or a setenv.bat file (Windows) in the Tomcat /bin directory. 
  2. Set the heap size in the setenv file with the following parameters:

Linux:

export CATALINA_OPTS="-Xms4096M -Xmx4096M"

Windows:

set CATALINA_OPTS=-Xms4096M -Xmx4096M

2. Check that the minimum and maximum values are the same. 

3. Restart Tomcat after saving the file. 

We are using 4 GB in this example, but you can increase this value if you have more memory.

8. Search by issue found date

What is the coexistence of the New UI and the Legacy UI? 

The legacy (v 4.30) user interface (UI), which is carried forward with this update, can be used to work with SSA projects and process templates. You have the option of working with either the new or legacy interfaces.

However, keep in mind that functionality added in versions 4.40 and 16.10 is not available in the legacy edition. 

The following steps can be implemented to resolve the issue: 

  1. First and foremost, there is no option in the UI to search for issues by date. Instead, use the REST API Issues controller to make a GET request with curl or another tool such as Postman, using the “foundDate” property in the JSON payload of the request. 
  2. The SSC REST documentation is available in the Swagger UI at:
http(s)://:/ssc/html/docs/api-reference/index.jsp
  3. For the specific controller: http(s)://:/ssc/html/docs/api-reference/index.jsp#/issue-detail-controller/listIssueDetail
  4. The “foundDate” property in the JSON payload of the GET request must be set to the required date, e.g.

             "foundDate" : "2019-08-20T19:07:37.238Z"

  5. Another option in the SSC UI is to create a custom filter that groups the issues by the date the FPR was submitted to the application version. 

9. SSC Issue Report for DISA STIG does not show option 4.9 in dropdown

What is STIG? 

A Security Technical Implementation Guide (STIG) is a product configuration standard that includes cybersecurity specifications. STIGs provide a method for securing protocols within networks, servers, computers, and logical designs in order to improve overall security.

The following steps can be implemented to resolve the issue: 

  1. Use the following values for the report:
- Display Value: ‘STIG4.9’
- Report Value: ‘7B9F7B3B-07FC-4B61-99A1-70E3BB23A6A0’

10. UI Cannot Read Property Length Null

What is UI? 

The abbreviation “UI” stands for “user interface”: the graphical layout of an application, including the buttons users press, the text they read, the images, sliders, text entry fields, and everything else the user interacts with.

This covers everything from the screen layout to the transitions and animations of each micro-interaction. Every visual element, interaction, and animation must be designed.

The following steps can be implemented to resolve the issue: 

  1. To resolve this issue, navigate to the path where your Tomcat instance is installed and open the SSC lib folder, for example: 
C:\Program Files\Apache Software Foundation\Tomcat9\webapps\ssc\WEB-INF\lib.
  2. Once in the lib folder, replace the “guava-19.0.jar” file with the “guava-22.0.jar” file attached to this email, to update the library that is causing the issue. 
  3. This modification will be included in the latest 19.20 edition (in an OOB configuration). 

Note: It is recommended that you restart the Tomcat service after making this update.

Fortify Software Security Center Tips – Apr 2021

Is it possible to provide an OR condition in a search query?

Suppose you want to query the jobs API for only the jobs that match a combination of criteria such as:

FINISHED AND jobClassName:com.fortify.manager.BLL.jobs.ArtifactUploadJob OR jobClassName:com.fortify.manager.BLL.jobs.fulltext.IndexNewIssuesJob

We still haven’t figured out the documentation that supports this. So far there is no such example in the SSC UI of this.

Being curious, the customer tried to open the case to know how to use both AND and OR operators in API. They also performed tests to clarify this. It appears that both operators AND /OR do not seem to work for search using a query string.

Actually, API Documentation has examples provided with only one field used for search. Examples do not have AND/OR operators to be used. After double-checking the syntax and documentation the boolean operators (AND/OR) are not supported in the SSC REST APIs while using query string search. Therefore, only one condition can be used.

Delete owner of the application

If the application owner doesn’t have access to SSC, then the following error may occur: “The selected user(s) cannot be deleted because they are the owner of one or more application versions.”

To get out of the error, first run:

SELECT * FROM projectversion
WHERE owner='<old_owner>';

Then use a similar update query to reassign those rows:

UPDATE projectversion
SET owner='<new_owner>'
WHERE owner='<old_owner>';

And after this, you can delete the user in SSC.

Wrong or incorrect SCA Analysis Date

In SSC, the server time zones have incorrect times. When you upload Cloudscan results to SSC, the “Analysis date” has an incorrect time since it is 5 hours in the future.

For Example:

Server time: 11:19 am

Cloudscan artifact uploaded: 10:48 a.m.

Analysis Date set to 4:46pm (which is 5 hours behind)

This problem arises because the SSC, Cloudscan, and SCA servers were in different time zones. To correct the analysis date, keep all servers in the same time zone.

Indexing Error – Contact Administrator

After upgrading Fortify SSC from 17.20 to 18.20 on Windows, the following error appears at the top of the web UI: “Indexing Error – Contact Administrator”. The Global Search Index is missing.

According to the log and configuration files, the Search Index location was not set:

ssc.log

[WARN] com.fortify.manager.DAO.fulltext.ModelMappingFactoryImpl - Fulltext search is disabled because searchIndex.location property has no value

To complete this task, follow the below-written steps.

Step 1: Stop the Tomcat Server.

Step 2: Go to //conf.

Step 3: Create a backup of the file app.properties.

Step 4: Line 8 contains the property “searchIndex.location=”; set it to the absolute path of the .fortify folder, without any spaces, for example:

searchIndex.location=C:\Users\\.fortify

Step 5: Start the Tomcat Server.

Full Metric Recalculation

Customers obviously need full Metric Recalculation in SSC. But how does the customer initiate a metric recalculation for ALL application versions in SSC?

It won’t be as simple as rebooting the SSC server to get the desired results. The customer has a new custom performance indicator and the customer would like all application versions to have their metrics recalculated so that the new performance indicator value is updated for each.

Now let us look at how metric recalculation is triggered. When a Custom Performance Indicator is created, the metrics are re-calculated for the application versions where users made changes (auditing, uploading .fpr files, among others). This re-calculation is applied with the Snapshot refresh settings; depending on those settings, the metrics are recalculated for any application version with any kind of change.

Now, the customer wants ALL application versions to have their metrics re-calculated. Follow the steps below to achieve that.

Step 1: Set the value invalidate.snapshots.after.variables.changes=true in the app.properties file located at /Windows/System32/config/systemprofile/.fortify/ssc/conf/.

Step 2: Restart the Tomcat service for SSC.

Step 3: This value helps to allow the metrics re-calculation for all application versions according to the settings you have in the Scheduler –> Snapshot Refresh.

Reset the SSC admin password

The admin password on SSC needs to be reset because the LDAP account that facilitates the LDAP connection has expired, and the new password now has to be entered in the LDAP connection settings in SSC.

But there is a problem: we are unable to log in to SSC with the “Admin” account, and even the WIE service account is denied admin privileges. So how do we reset the password for the “Admin” (non-domain) account in SSC?

Step 1: First ensure that you have a proper backup of your database.

Step 2: Execute the SQL statement for your version (below) in the SSC database.

Step 3: The query will reset the admin password back to ‘admin’ and unlock the account by resetting the failed login attempts. (Please note these are MSSQL queries.)

Step 4: Use the statement that matches your SSC version.

20.1.x:

UPDATE fortifyuser
SET
requirePasswordChange = 'Y',
failedLoginAttempts = 0,
dateFrozen = NULL,
suspended = 'N',
password = '{sha}{P7D4co4mI/4=}b0521d842e68c870af598b81aa8cd6d1728611b1e5568397e420b2d026172b74'
WHERE
userName = 'admin';

19.x:

UPDATE fortifyuser
SET
requirePasswordChange = 'Y',
failedLoginAttempts = 0,
dateFrozen = NULL,
suspended = 'N',
secPass = '{P7D4co4mI/4=}b0521d842e68c870af598b81aa8cd6d1728611b1e5568397e420b2d026172b74'
WHERE
userName = 'admin';

Versions prior to 19.x:

UPDATE fortifyuser
SET
requirePasswordChange = 'Y',
failedLoginAttempts = 0,
dateFrozen = NULL,
suspended = 'N',
secPass = 'b0521d842e68c870af598b81aa8cd6d1728611b1e5568397e420b2d026172b74',
salt = 'P7D4co4mI/4='
WHERE
userName = 'admin';

Unsafe Content Source: style-src

Is your content source style-src unsafe? There are three URLs in the application that set style-src ‘unsafe-inline’ in the Content Security Policy header:

1. /ssc/html/ssc/index.jsp

2. /ssc/html/ssc/views/partials/

3. /ssc/login.jsp

Do you want to make your content source safe? First, let us see what’s the reason behind this.

A defect, OCTCR11A205010, has been opened for the request to refactor the website to remove inline JavaScript and CSS, because of the ‘unsafe-inline’ in the Content Security Policy header. The three URLs listed above are the ones affected.

From now we will need to await feedback from the R&D team regarding when this issue is going to be addressed.
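Until the refactor lands, the finding can at least be detected automatically. The following is an added example, not code from the original post or from Fortify SSC: it parses a Content-Security-Policy header and reports which fetch directives still permit inline sources, so the three paths above can be re-checked after each upgrade. The sample headers are constructed for illustration, not captured from a real instance.

```python
"""Audit Content-Security-Policy headers for 'unsafe-inline'."""
from typing import Dict, List

# A nonce or hash source in a directive makes browsers ignore 'unsafe-inline'
# (CSP level 2 and later), so such a directive is not reported as unsafe.
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive name: [source expressions]}.

    Directives are ';'-separated; the first token of each is its name.
    """
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy


def governing_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Source list that applies to a fetch directive, falling back to
    default-src when the directive itself is absent, as browsers do."""
    return policy.get(directive, policy.get("default-src", []))


def unsafe_inline_directives(header: str,
                             directives=("style-src", "script-src")) -> List[str]:
    """Return the checked directives that actually allow inline content."""
    policy = parse_csp(header)
    findings = []
    for name in directives:
        sources = [s.lower() for s in governing_sources(policy, name)]
        if "'unsafe-inline'" in sources and not any(
                s.startswith(NONCE_OR_HASH) for s in sources):
            findings.append(name)
    return findings


def audit_responses(responses: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each path to its offending directives; paths that pass are omitted."""
    result: Dict[str, List[str]] = {}
    for path, header in responses.items():
        findings = unsafe_inline_directives(header)
        if findings:
            result[path] = findings
    return result


# Constructed sample headers for the three paths named in the finding.
# The third shows a nonce-based policy, which is the usual fix.
SAMPLE_RESPONSES = {
    "/ssc/html/ssc/index.jsp":
        "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'",
    "/ssc/html/ssc/views/partials/":
        "default-src 'self' 'unsafe-inline'; img-src 'self' data:",
    "/ssc/login.jsp":
        "default-src 'self'; style-src 'self' 'nonce-d2xhdGVyCg==' 'unsafe-inline'",
}

if __name__ == "__main__":
    for path, bad in audit_responses(SAMPLE_RESPONSES).items():
        print(f"{path}: {', '.join(bad)} allow 'unsafe-inline'")
```

In a real check, feed `audit_responses` the `Content-Security-Policy` header of each response as returned by your HTTP client.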

Error creating new application projects – marked as “Finish Later”

Creating new application projects fails and the projects are marked as “Finish Later”. Here is the error: {"message": "Custom tag 7e190805-dffa-427e-a4f9-a3304dc42819 is hidden and cannot be assigned to application version."}

The log file shows this:

2018-12-12 12:23:10,767 [ERROR] com.fortify.server.platform.shared.spring.RestApiExceptionHandlerAdvice - com.fortify.manager.exception.FMUserInputException: Custom tag 7e190805-dffa-427e-a4f9-a3304dc42819 is hidden and cannot be assigned to application version. [url: /ssc/api/v1/projectVersions/14052]

These new projects are now marked as “Finish Later” and require the legacy user interface in order to upload, delete, etc. scans.

Trying to enable the legacy interface (as per the documentation) does not work and throws a 404 error when accessing /ssc/flex/index.jsp after login (the file exists at that URL). What is needed is a way to delete the projects marked as “Finish Later”, and to create new application projects without them failing and getting tagged as “Finish Later”.

The steps to resolve this issue are below.

Step 1: Use the REST API, as there is no 4.3 UI.

Step 2: Use the bulk option as below. You first need the project version ID, which you can find by executing this query on the DB.

Step 3: Run:

SELECT p.name, pv.id, pv.name AS version
FROM project p
INNER JOIN projectversion pv ON pv.project_id = p.id;

Step 4: Once you have the ID, it is necessary to use curl or any app (like Postman) that can send a POST request to send a bulk request to enable the project version.

Step 5: Use this link so that you can find more information about it http://localhost:[Your SSC #PORT]/ssc/html/docs/api-reference/index.jsp#/bulk-controller/postBulk.

Below you can see an example using curl:

curl -v -i -H "Authorization: Basic <base64_encoded_creds>" -H "Content-Type: application/json" -X POST --data @c:\projectVersion_BULK.in http://localhost:8080/ssc/api/v1/bulk

<base64_encoded_creds> is the base64-encoded SSC username and password separated by a colon (username:password), e.g.:

echo -n 'username:password' | base64

projectVersion_BULK.in is the POST data to send to SSC, equivalent to "Step 2. Define Attributes and Risk" when creating a new project version.

projectVersion_BULK.in
{"requests": [{"uri":"http://localhost:8080/ssc/api/v1/projectVersions/[YOUR_PROJECT_ID]/attributes",
"httpVerb":"PUT",
"postData":
[
{"attributeDefinitionId":5,"values":[{"guid":"Active"}],"value":null},
{"attributeDefinitionId":1,"values":[{"guid":"High"}],"value":null},
{"attributeDefinitionId":6,"values":[{"guid":"Partial"}],"value":null},
{"attributeDefinitionId":7,"values":[{"guid":"externalpublicnetwork"}],"value":null}
]
},
{"uri":"http://localhost:8080/ssc/api/v1/projectVersions/[YOUR_PROJECT_ID]?hideProgress=true",
"httpVerb":"PUT",
"postData":{"committed":true}
}
]
}

You can use this link https://www.base64encode.org/, to encode your SSC admin username and password e.g. admin:password.
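The bulk procedure appears twice on this page (Jan 2021 item 10 and the section above); the following added example, which is not code from the original post or from Micro Focus, serves both. It builds the Authorization header and the projectVersion_BULK.in payload from parameters instead of a hand-edited file, so the [YOUR_PROJECT_ID] placeholder cannot be left in by mistake. The attribute definition IDs and values (5/Active, 1/High, 6/Partial, 7/externalpublicnetwork) and the project version id 14052 are taken from the page; on a real instance the IDs come from your own attribute definitions, and the function names are mine.

```python
"""Build the SSC bulk request that commits a "Finish Later" project version."""
import base64
import json
from typing import Any, Dict, List

# Attribute definition IDs -> value GUIDs, as in the page's sample payload.
# These IDs are instance-specific; read yours from the attribute definitions.
PAGE_ATTRIBUTES: Dict[int, str] = {5: "Active", 1: "High", 6: "Partial",
                                   7: "externalpublicnetwork"}


def basic_auth_header(username: str, password: str) -> str:
    """Value for the Authorization header: 'Basic ' + base64("user:pass")."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def attribute_entries(attributes: Dict[int, str]) -> List[Dict[str, Any]]:
    """One entry per attribute, in the shape the attributes endpoint expects."""
    return [{"attributeDefinitionId": aid, "values": [{"guid": guid}], "value": None}
            for aid, guid in attributes.items()]


def build_bulk_payload(ssc_url: str, project_version_id: int,
                       attributes: Dict[int, str]) -> Dict[str, Any]:
    """Two requests in one bulk call: set the attributes, then commit the version.

    project_version_id is the pv.id returned by the SQL query on the page.
    A trailing slash on ssc_url is stripped so the request URIs never contain
    the doubled '//' that the SAML section of this page warns about.
    """
    if not isinstance(project_version_id, int) or project_version_id <= 0:
        raise ValueError("project_version_id must be a positive integer (pv.id)")
    base = ssc_url.rstrip("/")
    version_uri = f"{base}/api/v1/projectVersions/{project_version_id}"
    return {"requests": [
        {"uri": f"{version_uri}/attributes", "httpVerb": "PUT",
         "postData": attribute_entries(attributes)},
        {"uri": f"{version_uri}?hideProgress=true", "httpVerb": "PUT",
         "postData": {"committed": True}},
    ]}


def bulk_in_text(payload: Dict[str, Any]) -> str:
    """Serialise the payload as the file passed to curl with --data @file."""
    return json.dumps(payload, indent=1)


if __name__ == "__main__":
    # 14052 is the project version id from the log line quoted on the page.
    payload = build_bulk_payload("http://localhost:8080/ssc/", 14052, PAGE_ATTRIBUTES)
    print(basic_auth_header("username", "password"))
    print(bulk_in_text(payload))
```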

SAML 2.0 integration does not work: version 18.20 does not like the // (double slash) in the URL

In version 18.20, SAML 2.0 integration can fail with the following error:

Error:

500 – Internal Server Error

SAML 2.0 integration does not work.

The URL SSC generates:

https://ss.itso.ao.dcn:8443/ssc//saml/SSO/alias/urn:ssc:saml

Note: SSC is trying to use a double “//”

Follow the steps below to fix the error.

Step 1: Confirm in the “spring_saml_metadata.xml” file that SSC is putting the extra “/” in the URLs:

“Location=https://ssc.itso.ao.dcn:8443/ssc//saml/SingleLogout/alias/urn:ssc:saml”

Step 2: Open the “app.properties” file.

Step 3: Remove the trailing slash from host.url in the properties file and save it. From:

host.url=https://ssc.itso.ao.dcn:8443/ssc/

To:

host.url=https://ssc.itso.ao.dcn:8443/ssc

Step 4: Restart Tomcat.

Step 5: Generate the SSC’s (SP) metadata again at :/ssc/saml/metadata

Step 6: Check the file to make sure the extra slash is removed from the location= URLs

Step 7: If removed then upload this metadata file to the IDP and try it again.

This will definitely solve your problem.

Receiving SQL server errors trying to fetch the Fortify Rule set off SSC

Builds that fetch the Fortify Rule set from SSC fail with SQL server errors. A lot of Fortify builds fail on the step that fetches the Fortify Rule set off the SSC site: the command fortifyupdate -acceptKey -url https:///ssc in the scripts fails the entire script execution with Error 6224: Server returned: HTTP/1.1 500.

If you even try to run the script again, you may or may not get past this and succeed. Errors in logs matching error time are as follows:

"2019-01-08 15:35:48,448 [WARN] org.hibernate.engine.jdbc.spi.SqlExceptionHelper - SQL Error: 0, SQLState: null at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [catalina.jar:9.0.13] at com.microsoft.sqlserver.jdbc.SQLServerException.makeFromDriverError(SQLServerException.java:191) ~[sqljdbc42.jar:?]
2019-01-08 15:35:48,520 [WARN] org.hibernate.engine.jdbc.spi.SqlExceptionHelper - SQL Error: 0, SQLState: null at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [catalina.jar:9.0.13]
2019-01-08 15:35:48,529 [ERROR] com.fortify.manager.controller.RulepackDistributorController - RulepackUpdateServlet: Error getting rulepacks for download at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [catalina.jar:9.0.13] at com.microsoft.sqlserver.jdbc.SQLServerException.makeFromDriverError(SQLServerException.java:191) ~[sqljdbc42.jar:?]"

This error goes away once the entire DB has been defragmented and reindexed.

Fortify Software Security Center Tips – May 2021

1. We are not able to find the link for the SSC and login into it. We cannot create new users within the application

Users have issues logging in to SSC. Actually, the link for SSC is not found. This gives rise to another problem i.e. new users can not be created within the application.

Solution

The URL can be found inside app.properties, located at C:\Windows\System32\config\systemprofile\.fortify\ssc\conf.

Using this link will help you login into SSC and create your account.

2. Is there a timeline when the fortify release will happen that supports .NET core 3.0?

Users want to know the Fortify release timeline for .NET Core 3.0 support, and whether the scans will be able to run on a Linux box. This is currently supported on Windows, but most users want it available on Linux as well.

Solution

The enhancement request for future support of .NET Core 3.0 has already been accepted, with ER ID OCTCR11G216076, but there is no defined date for this implementation and no information about when it will be added to the software.

3. Init.token not written after upgrade to Tomcat 9

We have upgraded Tomcat from 8.0.5 to 9 on the Fortify SSC server, but we cannot get past the Setup page because init.token is not being written to the location it was before: c:\Windows\System32\config\systemprofile\.fortify\ssc.

Solution

Rather than checking only one location, check all of these possible locations.

First we will check for Windows.

C:\Windows\System32\config\systemprofile\.fortify\ssc\logs

C:\Windows\SysWOW64\config\systemprofile\.fortify\ssc\logs

C:\Windows\ServiceProfiles\LocalService\.fortify\ssc\logs

Here goes for Linux.

./home/tomcat/.fortify/ssc/logs/ssc.log

4. Where is the included Jira Plugin?

Included Jira Plugin is available on SSC. But where is this included? We will try to find it.

Solution

After some searching, we found it in the installation files:

Fortify_19.2.0_Server_WAR_Tomcat.zip\plugins\BugTrackerPluginJIRA7\

5. After setting up SSC to the point of seeding the database successfully, once I restart the server, the site no longer comes up

The site no longer appears in SSC after setting it up to the point of seeding the database successfully and restarting the server.

It shows the error written below:

2020-02-27 14:32:51,335 [WARN] org.springframework.web.context.support.XmlWebApplicationContext - Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'sessionFactory' defined in ServletContext resource [/WEB-INF/internal/dataContext.xml]: Invocation of init method failed; nested exception is org.hibernate.search.exception.SearchException: HSEARCH000103: Unable to initialize Index Manager named 'com.fortify.manager.DAO.Issue' 2020-02-27 14:32:51,335 [ERROR] org.springframework.web.context.ContextLoader - Context initialization failed org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'sessionFactory' defined in ServletContext resource [/WEB-INF/internal/dataContext.xml] 

Solution

Regarding the error:

2020-02-27 23:57:58,984 [ERROR] org.springframework.web.context.ContextLoader - Context initialization failed caused by: org.hibernate.search.exception.SearchException: Unable to create index directory: D:\index for index com.fortify.manager.DAO.cloud.CloudWorker.

This seems to be an issue with the creation of the index directory, which is normally related to permissions on the Windows folder. Try the steps below:

Step 1: Create the folder D:\index (If it does not exist)

Step 2: Right-click on the folder “index”

Step 3: Select “Properties”

Step 4: Security Tab

Step 5: Click on “Edit”

Step 6: For the user that is running the Tomcat service, give full control.

Step 7: Click on ok to save the changes.

6. TypeError: Object doesn’t support this action

When changing or deleting anything in SSC, the error “TypeError: Object doesn’t support this action” appears.

Solution

This issue is related to the browser: Internet Explorer is no longer supported. Using Chrome fixed the issue.

7. HTTPS Deployment Error

Users have issues with the HTTPS deployment: after enabling HTTPS with a self-signed certificate, it works for Tomcat itself, but the SSC web application (ssc.war) is not served over HTTPS (localhost:8443 > ssc).

Solution

The cause can be found in ssc.log:

2019-10-30 14:29:45,808 0:0:0:0:0:0:0:1 /ssc/ [WARN] com.fortify.manager.web.filters.HostHeaderFilter - HTTP Host header value localhost:8443 does not match host.url property for request URI /ssc/

2019-10-30 14:30:04,821 0:0:0:0:0:0:0:1 /ssc/ [WARN] com.fortify.manager.web.filters.HostHeaderFilter - HTTP Host header value localhost:8443 does not match host.url property for request URI /ssc/

Check the app.properties file and review the host.url parameter: it must match the host and port the browser sends in the Host header (localhost:8443 here).

8. SSO damaged DB

SSO has caused real damage to DB. During the attempt to configure Single Sign On after the reboot application was not available anymore. The server was restored to the previous state but it didn’t fix the issue. Looks like Oracle DB was affected by the change. Restoring DB will take significant time (it was configured and is being managed by a separate group). Is there a way to correct it and get the application back without restoring DB?

Solution

You can run the following query:

UPDATE configproperty
SET propertyValue='false'
WHERE propertyName='sso.enabled';

Do the same for x509.enabled, setting it to false.

9. CVE-2020-1938 – Apache Tomcat “Ghostcat” Vulnerability

We noticed that TomCat has a vulnerability identified as GhostCat (CVE-2020-1938) [https://securityboulevard.com/2020/02/patch-your-tomcat-and-jboss-instances-to-protect-from-ghostcat-vulnerability-cve-2020-1938-and/]. The components CloudScan Controller and Software Security Center run on Tomcat and are bundled in the installation package. Can you please send us the patch for TomCat or advise us on how to fix this security vulnerability.

Solution

Based on the information at chaitin.cn/en/ghostcat and tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31, the exploit is only possible if you are using an AJP connector, not the regular HTTP connector that is used by default in both SSC and CloudScan Controller/ScanCentral.

For Fortify Software Security Center (SSC), you have two options:

Option 1. Upgrade the version of TomCat to a version where Apache has addressed the vulnerability. Apache Tomcat has released fixes for the following versions of Tomcat:

Option 2. SSC does not rely on the AJP connector, so you can disable it by commenting out its line in the <TOMCAT_HOME>/conf/server.xml file. For example:

<!-- <Connector port="8009" protocol="AJP/1.x" redirectPort="8443" /> -->

For CloudScan Controller, upgrading the bundled version of Tomcat is not recommended; comment out the line mentioned above instead. Our SSR team indicated that rules to detect Ghostcat (CVE-2020-1938) will be included in our next rule pack release.
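Since the exposure depends entirely on whether an AJP connector is enabled, the check can be scripted. The following is an added example, not code from the original post, Apache or Micro Focus: it parses a Tomcat server.xml and lists every live <Connector> whose protocol is AJP, so a fleet of SSC and CloudScan Controller hosts can be verified after applying Option 2. The two server.xml fragments are constructed for illustration; the function names are mine.

```python
"""Report enabled AJP connectors in a Tomcat server.xml (CVE-2020-1938)."""
import xml.etree.ElementTree as ET
from typing import Dict, List


def ajp_connectors(server_xml: str) -> List[Dict[str, str]]:
    """Return one dict per enabled AJP connector with the attributes that
    matter for exposure: port, bind address and whether a secret is set.

    A connector wrapped in <!-- --> (Option 2 above) is an XML comment, so
    the parser never yields it and it is correctly not reported.
    """
    root = ET.fromstring(server_xml)
    found = []
    for conn in root.iter("Connector"):
        # Tomcat treats a missing protocol attribute as HTTP/1.1.
        protocol = conn.get("protocol", "HTTP/1.1")
        if not protocol.upper().startswith("AJP"):
            continue
        found.append({
            "port": conn.get("port", ""),
            "protocol": protocol,
            # Before Tomcat 9.0.31 an AJP connector without an explicit
            # address listened on all interfaces.
            "address": conn.get("address", "0.0.0.0"),
            "secret_set": "yes" if conn.get("secret") else "no",
        })
    return found


def ghostcat_findings(server_xml: str) -> List[str]:
    """Human-readable findings; an empty list means no AJP connector is enabled."""
    findings = []
    for c in ajp_connectors(server_xml):
        where = f"AJP connector {c['protocol']} on {c['address']}:{c['port']}"
        if c["address"] in ("0.0.0.0", "::"):
            findings.append(f"{where} listens on all interfaces; comment it out, "
                            "or bind it to 127.0.0.1 if it is really needed")
        elif c["secret_set"] == "no":
            findings.append(f"{where} has no shared secret configured")
        else:
            findings.append(f"{where} is enabled; confirm Tomcat is 9.0.31 or later")
    return findings


# Constructed server.xml fragments (not copied from any real deployment).
# The first has the stock AJP line; the second has it commented out as in Option 2.
SERVER_XML_STOCK = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>"""

SERVER_XML_HARDENED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>"""

if __name__ == "__main__":
    for label, xml_text in (("stock", SERVER_XML_STOCK), ("hardened", SERVER_XML_HARDENED)):
        print(label, ghostcat_findings(xml_text) or ["no AJP connector enabled"])
```

On a real host, read <TOMCAT_HOME>/conf/server.xml into `ghostcat_findings` and treat any non-empty result as a finding to fix before the Tomcat upgrade is scheduled.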

10. After restarting Apache, SSC is giving a 404 error

After restarting Apache, we are getting a sudden 404 error: The origin server did not find a current representation for the target resource or is not willing to disclose that one exists error. We have no idea about how it happened. We did not change any configuration but earned this. Many of our users also have the same error. This cannot be tackled by troubleshooting. We really need help.

Solution

After some investigation, we found that the SSL certs for our MySQL server had expired. Once renewed, the issue was solved.
