MOFFETT TOWERS, 1140 ENTERPRISE WAY, SUNNYVALE, CA 94089 USA 650.735.2215 1
HP Fortify Software Security Center v4.00 System Requirements
Part Number: 1-184-2013-09-400-01
The HP Fortify Technical Communications team strives to provide the most comprehensive and accurate documentation possible. To ensure that your documents are up to date, visit the HP Software Product Manuals site at http://support.openview.hp.com/selfsolve/manuals.
HP Fortify Software Licenses
Before you begin working in HP Fortify software, you will need to download the appropriate licenses for your purchases. To do this, go to https://support.fortify.com. You will need the user name and password provided to you by HP Fortify Customer Support.
HP Fortify Software Security Center Server Requirements
Hardware Requirements
HP Fortify Software Security Center requires the following:
• 2 GHz+ processor, 64-bit
• 4 GB+ RAM
• Note: When you use Software Security Center as an HP Fortify Runtime Federation Controller, we recommend the following Java heap sizes for Software Security Center:
• With 32-bit JVMs: a minimum of 1.3 GB (-Xmx1300M)
• With 64-bit JVMs: the greater of at least 3 GB (-Xmx3G) or three-quarters of system memory
Platforms and Architectures
HP Fortify Software Security Center supports the following platforms and architectures:
Operating System | Versions | Architectures
Linux | Red Hat ES 5 and ES 6, Novell SUSE 11, Oracle EL 5.2 (a) | 64-bit
Windows® | 2003 SP2 (b), 2008 R2 | 64-bit
Oracle Solaris | 10 | SPARC
Note: SSC has not been tested on all Linux variants, but most distributions are not known to cause issues.
(a) Future versions will deprecate Oracle EL 5.2 in favor of more current releases.
(b) Future versions will deprecate Windows Server 2003 in favor of a more current release.
Application Servers
HP Fortify Software Security Center supports application servers listed in the following table.
Application Server | Versions | Java Versions
Tomcat | 6.0 or 7.0 (recommended) | Java 6 or 7
WebLogic | 10.3.4 or 10.3.5 (recommended) | Java 6 or 7
WebSphere | 7.0, 8.5.0.2 | Java 6 or 7
JBoss | 5.0.1 | Java 6 or 7
Databases
HP Fortify Software Security Center supports the following databases in a production environment:
MS SQL Server 2008 or 2012
Character sets: SQL_Latin1_General_CP1_CI_AS, Unicode
If SQL Server is configured to use any character encoding other than Unicode, you must append "sendStringParametersAsUnicode=false" to the end of your JDBC URL. For example: jdbc:jtds:sqlserver://dbhost:1433/ssc;sendStringParametersAsUnicode=false
Drivers:
• JTDS 1.2.7 (recommended): JDBC 3.0 Type 4 driver for Microsoft SQL Server version 1.2.2
  Driver class: net.sourceforge.jtds.jdbc.Driver
  Jar file: jtds-1.2.2.jar
• Microsoft: Microsoft SQL Server JDBC Driver 2.0 Type 4
  Driver class: com.microsoft.sqlserver.jdbc.SQLServerDriver
  Jar files: sqljdbc4.jar

MySQL 5.1, MySQL 5.5 (recommended)
Character sets: UTF8, Latin1
Driver: MySQL Connector/J 5.1 or 5.1.11
  Driver class: com.mysql.jdbc.Driver
  Jar file: mysql-connector-java-<Version_Number>-bin.jar

Oracle 10g and 11g
Character sets: AL32UTF8 for all languages, WE8MSWIN1252 for US English
Driver: Oracle Database 11g Release 1 (11.1.0.7.0) JDBC Drivers
  Driver class: oracle.jdbc.OracleDriver
  Jar files: jdbc6.jar

DB2 9.5, 9.7
Character sets: UTF8, IBM-1252
Driver: IBM DB2 JDBC Driver v9.5 FP4 3.53.95
  Driver class: com.ibm.db2.jcc.DB2Driver
  Jar files: db2jcc4.jar
Note: IBM DB2 drivers also require that you add at least one of the following driver license files to the CLASSPATH before loading the JDBC driver and seeding your database:
• db2jcc_license_cisuz.jar
• db2jcc_license_cu.jar
Note: HP Fortify Software Security Center Demonstration Server includes an Apache Derby database for evaluation purposes only. The database cannot be expanded or upgraded. Do not use it to store critical data.
Database Disk Space
Use the following formula to estimate the size (in GB) of the HP Fortify Software Security Center database disk space:
DB_Space (GB) = ((<TotalIssues> * 30 kb) + <TotalArtifacts> in kb) / 1,000,000
where:
<TotalIssues> = Total number of issues in the system
<TotalArtifacts> = Total size of all uploaded artifacts and scan results
Notes: This equation produces only a rough estimate for the allocation of database disk space. The formula is not intended for use in estimating disk space requirements for long term projects. The disk requirements for the HP Fortify Software Security Center databases grow in proportion to the number of projects, scans, and issues in the system.
Browsers
HP Fortify Software Security Center is compatible with Internet Explorer 9 and 10, but not with IE 8.
HP Fortify Software Security Center requires Flash Player version 10.2 or later. For the best experience, we recommend that you use one of the following browsers with a minimum resolution of 1280x1024:
Browser | Flash Plug-in
Firefox | Flash Player 11 (recommended)
Internet Explorer | Flash Player 11 (recommended)
Safari | Flash Player 11 (recommended)
Chrome | Flash Player 11 (recommended)
JAWS (See HP Fortify Assistive Technologies Section 508) | Flash Player 11 (recommended)
Authentication Systems
• Windows Active Directory Service
• LDAP
Service Integrations
HP Fortify Software Security Center supports the following service integrations:
Service | Applications | Versions
Bug Creation | Bugzilla | 3.0
Bug Creation | HP ALM | 11
Bug Creation | JIRA | 4.0
Authentication | CA SiteMinder | 12
Authentication | Active Directory | 2003, 2008
Issue Import | AppDetective | 6.0
Issue Import | AppScan | 7.7, 7.9, 8.0
Dynamic Assessments | WebInspect Enterprise
For compatibility with HP Fortify Static Code Analyzer (SCA), HP WebInspect, HP WebInspect Enterprise, and HP AMP, see “HP Fortify 4.00 Compatibility Matrix”.
Notes:
• ALM 11 changeset mapping is only supported in conjunction with VisualSVN.
• Importing third-party issues may result in the loss of some third-party format functionality.
Documentation
The documents listed in the following table apply to HP Fortify Software Security Center.
Document Name | PDF | HTML Help
HP Fortify Software Security Center User Guide | HP_Fortify_SSC_User_Guide_4.00.pdf | HP_Fortify_SSC_User_Help_4.00
HP Fortify Software Security Center Process Guide | N/A | Within the web application at /ssc/guide/
HP Fortify Software Security Center Process Designer User Guide | HP_Fortify_Software_Security_Center_Process_Designer_User_Guide_4.00.pdf | HP_Fortify_Process_Designer_Help_4.00
HP Fortify Software Security Center Installation and Configuration Guide | HP_Fortify_SSC_Install_and_Config_Guide_4.00.pdf | HP_Fortify_SSC_Install_and_Config_Help_4.00
HP Fortify Software Security Center Runtime Hybrid Analysis User Guide | HP_Fortify_Runtime_Hybrid_Analysis_User_Guide_4.00.pdf | N/A
HP Fortify Static Code Analyzer Requirements
Hardware Requirements
HP Fortify Software recommends that you install HP Fortify Static Code Analyzer (SCA) on a high-end processor with at least 4 GB of RAM. If your software is particularly complex, you may need more RAM.
Platforms and Architectures
SCA supports the following platforms and architectures:
Operating System | Architectures | Versions
Linux | x86: 32-bit or 64-bit (recommended; required for parallel mode) | Red Hat ES 5 and ES 6, Novell SUSE 10, Oracle EL 5.2
Windows | x86: 32-bit or 64-bit (recommended; required for parallel mode) | 2003 SP1, 2008, XP, Vista Business, Vista Ultimate, Windows 7
Mac OS | x86: 64-bit | 10.6, 10.7
Solaris | SPARC | 10
Solaris | x86 | 10
HP-UX | Itanium | 11.31
Notes:
• Audit Workbench, Process Designer, Custom Rules Editor, and Scan Wizard are not supported on HP-UX and Oracle Solaris.
• SCA has not been tested on all Linux variants, but most distributions are not known to cause issues.
• SCA has been supported on other platforms in the past. If the operating system that you require is not in the table above, please contact HP Fortify support for more information.
• The minimum requirements for running SCA in parallel mode are:
  - 64-bit OS
  - 4 cores
Note that the above are minimums; increasing the number of processor cores and increasing memory both result in faster processing.
• SCA 64-bit installations make use of some 32-bit utilities in addition to the 64-bit environment. The 32-bit compatibility libraries for your operating system must be installed. For example:
  - on Debian or Ubuntu: sudo apt-get install ia32-libs
  - on Fedora: sudo yum install ia32-libs
  - on Red Hat Linux: sudo up2date ia32el
Languages
SCA supports the programming languages listed in the following table:
Language | Versions
ABAP/BSP | 6
ActionScript/MXML (Flex) | 3, 4
ASP.NET, VB.NET, C# (.NET) | 4.5 and earlier
C/C++ | See “Compilers”
Classic ASP (with VBScript) | 2, 3
COBOL | IBM Enterprise Cobol for z/OS 3.4.1 with IMS, DB2, CICS, MQ
ColdFusion CFML | 5, 7, 8
HTML | 5 and earlier
Java (with Android) | 1.3, 1.4, 1.5, 1.6, 1.7
JavaScript/AJAX | 1.7
JSP | 1.2, 2.1
Objective-C | See “Compilers”
PHP | 5.0 – 5.3
PL/SQL | 8.1.6
Python | 2.6
T-SQL | SQL Server 2005 and 2008
Visual Basic | 6
VBScript | 2.0, 5.0
XML | 1.0
Note: iOS projects compiled using Objective-C require iOS SDK version 5 through 6, and Xcode versions 4.1 through 4.6.
Build Tools
SCA supports the build tools listed in the following table:
Build Tool | Versions
Ant | 1.5.x, 1.6.x, 1.7.x, 1.8.x
Maven | 2.0.9 to 2.x.x
MSBuild | 2, 3.5, 4
Xcodebuild | 4.1, 4.2, 4.2.1, 4.3, 4.3.1, 4.4, 4.5, 4.6
Compilers
SCA supports the compilers listed in the following table:
Compilers | Operating Systems
Clang 2.9, 3.0, 3.1 | Mac OS
LLVM-GCC 4.2, 4.3 | Mac OS
GNU gcc 2.9 – 4.7 | Linux, HP-UX, Mac OS, Solaris, Windows
GNU g++ 3.2 – 4.7 | Linux, HP-UX, Mac OS, Solaris, Windows
Intel icc 8.0 | Linux
Microsoft cl | Windows
Sun cc / Sun CC 5.9, 5.10, 5.11 | Solaris
Sun javac 1.3 – 1.7 | Linux, HP-UX, Mac OS, Solaris, Windows
Integrated Development Environments
SCA supports the following integrated development environments:
Auditing and Scanning Plug-ins:
• Eclipse 3.4, 3.5, 3.6, 3.7, 3.8, 4.2
• RAD 7.5, 8.0, 8.5; RSA 7, 7.5, 8.0
• Microsoft Visual Studio 2003 (scanning only)
• Microsoft Visual Studio 2005, 2008, 2010 Premium and Professional, and 2012 Premium and Professional. (Note that SCA is not compatible with MS Visual Studio 2010 Express.)
Remediation Plug-ins (audit-only):
• Eclipse 3.6, 3.7, 3.8, 4.2
• JDeveloper 10.1.3, 11.1.1
• IntelliJ 10, 11
• Microsoft Visual Studio 2010 and 2012 Premium and Professional
Note: The HP Fortify Software Security Center Plug-in for Eclipse requires JRE 1.5 or greater.
HP Fortify Build Monitor
HP Fortify Build Monitor supports the following Windows platforms and architectures:
Operating System | Architectures | Versions
Windows | x86: 32-bit and 64-bit | 2003 SP1, 2008, XP
Windows | x86: 32-bit | 2000
Note: Build Monitor is not supported on Windows Vista or later.
Service Integrations
HP Fortify Audit Workbench and Secure Code Plug-ins (SCP) support the following service integrations:
Service | Applications | Versions | Supported Tools
Bug Creation | Bugzilla | 3.0 | Audit Workbench, Visual Studio SCP, Eclipse SCP
Bug Creation | HP Quality Center | 9.2, 10.0 | Audit Workbench, Eclipse SCP
Bug Creation | Microsoft Team Foundation Server | 2005, 2008, 2010, 2012 | Visual Studio SCP
Bug Creation | Software Security Center Bugtracker | 4.00 | Audit Workbench, Eclipse SCP
Issue Import | AppDetective | 6.0
Issue Import | AppScan | 7.7, 7.9, 8.0
For compatibility with HP Fortify SSC, HP WebInspect, HP WebInspect Enterprise, and HP AMP, see the HP Fortify 4.00 Compatibility Matrix on page 16.
Notes:
• HP Quality Center integration requires that you install the HPQC Client-Side Add-in software.
• To integrate with Microsoft Team Foundation Server you must install the Visual Studio Team Explorer software. To integrate with TFS 2010, you must install Visual Studio SCP on a machine running Visual Studio 2010 Premium or Professional.
Documentation
The documents listed in the following table apply to HP Fortify Static Code Analyzer:
Document Name | PDF | HTML Help
HP Fortify Audit Workbench User Guide | HP_Fortify_Audit_Workbench_User_Guide_4.00.pdf | HP_Fortify_AWB_Help_4.00
HP Fortify Plug-in for Eclipse Installation and Usage Guide | HP_Fortify_Eclipse_Plug-in_Guide_4.00.pdf | HP_Fortify_Eclipse_Help_4.00
HP Fortify JDeveloper Installation and Usage Guide | HP_Fortify_JDeveloper_Install_and_Usage_Guide_4.00.pdf | HP_Fortify_JDeveloper_Help_4.00
HP Fortify Package for Visual Studio Installation and Usage Guide | HP_Fortify_Visual_Studio_Install_and_Usage_4.00.pdf | HP_Fortify_VS_Help_4.00
HP Fortify Remediation Package for Microsoft Visual Studio Installation and Usage Guide | HP_Fortify_Rem_Package_Visual_Studio_Guide_4.00.pdf | HP_Fortify_VS_Rem_Help_4.00
HP Fortify Scanning Package for Microsoft Visual Studio User Guide | HP_Fortify_Visual_Studio_Scanning_Guide_4.00.pdf | HP_Fortify_Visual_Studio_Scanning_Help_4.00
HP Fortify Remediation Plug-in for Eclipse Installation and Usage Guide | HP_Fortify_Rem_for_Eclipse_Plug-in_Guide_4.00.pdf | HP_Fortify_Eclipse_Rem_Help_4.00
HP Fortify Remediation Plug-in for JetBrains IntelliJ IDEA Installation and Usage Guide | HP_Fortify_Rem_for_IntelliJ_User_Guide_4.00.pdf | HP_Fortify_IntelliJ_Rem_Help_4.00
HP Fortify Software Security Center Process Designer User Guide | HP_Fortify_Process_Designer_User_Guide_4.00.pdf | N/A
HP Fortify Static Code Analyzer Custom Rules Guide | HP_Fortify_SCA_Custom_Rules_4.00.pdf | N/A
HP Fortify Static Code Analyzer for COBOL Addendum | HP_Fortify_SCA_COBOL_Addendum_4.00.pdf | N/A
HP Fortify Static Code Analyzer Installation and Configuration Guide | HP_Fortify_SCA_Install_and_Config_4.00.pdf | HP_Fortify_SCA_Install_Help_4.00
HP Fortify Static Code Analyzer User Guide | HP_Fortify_SCA_User_Guide_4.00.pdf | HP_Fortify_SCA_User_Help_4.00
HP Fortify Static Code Analyzer Utilities User Guide | HP_Fortify_SCA_Utilities_User_Guide_4.00.pdf | HP_Fortify_SCA_Utilities_Help_4.00
HP Fortify CloudScan
HP Fortify CloudScan has three major components: CloudScan CLI, CloudScan Controller, and CloudScan Cloud. The requirements for each component are listed below.
CloudScan CLI
Hardware Requirements
CloudScan CLI will run on any machine that supports HP Fortify Static Code Analyzer. Because CloudScan CLI is installed on build machines running SCA, hardware requirements will be met.
CloudScan Controller
Hardware Requirements
HP Fortify Software recommends that you install the CloudScan Controller on a high-end processor running at 2 GHz with at least 4 GB of RAM.
Platforms and Architectures
The CloudScan Controller supports the following platforms and architectures:
Operating System | Architectures | Versions
Linux | x86: 64-bit | Red Hat ES 5 and ES 6, Novell SUSE 11, Oracle EL 5.2 (c)
Windows | x86: 64-bit | 2003 SP1 (d), 2008, XP, Vista Business, Vista Ultimate, Windows 7
(c) Future versions will deprecate RedHat 4 and Oracle EL 5.2 in favor of more current releases.
(d) Future versions will deprecate Windows Server 2003 in favor of a more current release.
Disk Space Requirement
To estimate the amount of disk space you will need on the machine running the CloudScan Controller, use the following equation: (number of jobs per day) × (average size of mobile build session) ÷ (number of days data is persisted)
100MB is a conservative estimate for the average size of the mobile build session. Seven days is the default for the number of days the data is persisted.
CloudScan Cloud
The CloudScan Cloud is created using the Cloudera CDH3u0 release of the Apache Hadoop distribution.
Your Cloudera Hadoop cluster will require at least two machines.
For information on creating your Hadoop network: https://ccp.cloudera.com/display/DOC/Documentation
Notes:
• 64-bit nodes with 8GB+ RAM are recommended.
• The Hadoop slave nodes require installation of SCA. The official range of supported platforms for Cloudera includes Linux distributions not officially supported by SCA. However, there are no known SCA issues on these additional Linux variants.
• The size and resource requirements of HP Fortify jobs running in this cluster are not typical. Leveraging an existing Hadoop cluster might adversely affect the performance of other jobs running on the system. Create a separate Cloudera Apache Hadoop cluster to use with CloudScan.
Documentation
The HP Fortify CloudScan Installation, Configuration, and Usage Guide applies to HP Fortify CloudScan. This guide is available in both PDF (HP_Fortify_CloudScan_Guide_4.00.pdf) and html (HP Fortify CloudScan Help) formats.
HP Fortify Runtime Requirements
Hardware Requirements
HP Fortify Runtime is a single install image for each platform (Windows 32-bit .NET, Windows 64-bit .NET, Windows Java, and Linux Java) which includes HP Fortify Runtime Application Protection, HP Fortify Runtime Application Logging, and HP Fortify SecurityScope. HP Fortify Software recommends that you install HP Fortify Runtime on a high-end processor or equivalent with at least 1 GB of RAM and 100 MB of available hard disk space for the software. The installation also requires at least 60 MB of available space in the temp directory. For Java systems, HP also recommends that you allow for 15 to 25 percent Java heap and MaxPermGen space for Runtime usage.
Note: With the 3.70 release, two HP Fortify Runtime products were renamed, as follows:
• HP Fortify Real-Time Analyzer (also called RTA) is now HP Fortify Runtime Application Protection
• AppSM is now HP Fortify Runtime Application Logging
Supported Java Runtime Environments
Runtime supports the following Java runtime environments:
JRE Type Major Versions
IBM J9 1.4.2, 1.5.0, 1.6.0
Oracle HotSpot 1.4.2, 1.5.0, 1.6.0, 1.7.0
Oracle JRockit 1.4.2, 1.5.0, 1.6.0
Runtime for Java is supported on Windows and Linux.
Supported Java Application Servers
Runtime supports the following Java application servers:
Application Server | Versions
RedHat JBoss | 4.0, 5.0, 5.1, 6.0
Apache Tomcat | 5.0, 5.5, 6.0, 7.0
Oracle WebLogic | 8.1, 9.0, 9.2, 10.0, 10.3, 11g, 11gR1
IBM WebSphere | 6.0, 6.1, 7.0
Supported .NET Runtime Environments
Runtime supports the following .NET runtime environments:
Operating System | CLR Architectures | CLR .NET Versions
Windows XP | 32-bit | 2.0, 3.0, 3.5, 4.0
Windows Server 2003 | 32-bit, 64-bit | 2.0, 3.0, 3.5, 4.0
Windows Server 2008 | 32-bit, 64-bit | 2.0, 3.0, 3.5, 4.0
Windows Server 2008 R2 | 64-bit | 2.0, 3.0, 3.5, 4.0
Windows 7 | 32-bit, 64-bit | 2.0, 3.0, 3.5, 4.0
Supported .NET Application Server
Runtime supports the following .NET application server:
Application Server Versions
IIS 5.1, 6.0, 7.0, 7.5
Documentation
The following documentation applies to HP Fortify Runtime:
Document Name | PDF | HTML Help
HP Fortify Runtime Application Protection Operator Guide | HP_Fortify_RuntimeAppProtect_Operator_Guide_4.00.pdf | HP_Fortify_RuntimeAppProtect_Op_Help_4.00
ArcSight Application View Quick Start | HP_ArcSight_Application_View_Quick_Start_4.00.pdf | N/A
HP Fortify SecurityScope User Guide | HP_Fortify_SecurityScope_User_Guide_4.00.pdf | HP_Fortify_SecurityScope_User_Help_4.00
HP Fortify Runtime: Java Edition Installation and Configuration Guide | HP_Fortify_Runtime_Java_Install_and_Config_Guide_4.00.pdf | HP_Fortify_Runtime_Java_Help_4.00
HP Fortify Runtime: .NET Edition Installation and Configuration Guide | HP_Fortify_Runtime_DOTNET_Install_and_Config_Guide_4.00.pdf | HP_Fortify_Runtime_NET_Help_4.00
HP Fortify Runtime: Java Edition Designer Guide | HP_Fortify_Runtime_Java_Designer_Guide_4.00.pdf | N/A
HP Fortify Runtime: .NET Edition Designer Guide | HP_Fortify_Runtime_DOTNET_Designer_Guide_4.00.pdf | N/A
HP Fortify RTAP Rulepack Kit Guide | HP_Fortify_RTAP_Rulepack_Kit_Guide_4.00.pdf | N/A
HP Fortify Runtime RTAL Rulepack Kit Guide | HP_Fortify_RTAL_Rulepack_Kit_Guide_4.00.pdf | N/A
HP Fortify SecurityScope Rulepack Kit Guide | HP_Fortify_SecurityScope__Rulepack_Kit_Guide_4.00.pdf | N/A
HP Fortify Demonstration Suite Installation and Usage Guide for Software Security Center | HP_Fortify_SSC_Demo_Suite_Install_and_Usage_Guide_4.00.pdf | HP_Fortify_Demo_Suite_Help_4.00
HP Fortify Runtime Configuration Editor Technical Note | HP_Fortify_Runtime_Configuration_Editor_TN_4.00.pdf | N/A
HP Fortify Runtime Diagnostic Tool Technical Note | HP_Fortify_Runtime_Diagnostic_Tool_TN_4.00.pdf | N/A
HP Fortify Runtime Hybrid Analysis User Guide | HP_Fortify_Hybrid_Analysis_User_Guide_4.00.pdf | N/A
HP Fortify 4.00 Compatibility Matrix
Summary
This section provides compatibility information for HP Fortify Software Security Center and components.
HP Fortify Software Security Center 4.00
HP Fortify Software Security Center works with the following component versions:
Component | Versions
Audit Workbench | 2.0, 2.1, 2.5, 2.6, 2.6.1, 2.6.5, 3.0, 3.1, 3.20, 3.30, 3.40, 3.50, 3.60, 3.70, 3.80, 3.90, 4.00
Secure Coding Plug-in | 2.0, 2.1, 2.5, 2.6, 2.6.1, 2.6.5, 3.0, 3.1, 3.20, 3.30, 3.40, 3.50, 3.60, 3.70, 3.80, 3.90, 4.00
HP Fortify Client | 2.0, 2.1, 2.5, 2.6, 2.6.1, 2.6.5, 3.0, 3.1, 3.20, 3.30, 3.40, 3.50, 3.60, 3.70, 3.80, 3.90, 4.00
HP Fortify RTA | 2.6, 2.6.1, 2.6.5, 3.0, 3.1, 3.20, 3.30, 3.40, 3.50, 3.60
HP Fortify Runtime | 3.70, 3.80, 3.90, 4.00
Process Designer | 2.6, 2.6.1, 2.6.5, 3.0, 3.1, 3.20, 3.30, 3.40, 3.50, 3.60, 3.70, 3.80, 3.90, 4.00
JDeveloper Plug-in | 2.6, 2.6.1, 2.6.5, 3.0, 3.1, 3.20, 3.30, 3.40, 3.50, 3.60, 3.70, 3.80, 3.90, 4.00
Visual Studio 2010 Remediation Plug-in | 3.40, 3.50, 3.60, 3.70, 3.80, 3.90, 4.00
IntelliJ Remediation Plug-in | 3.50, 3.60, 3.70, 3.80, 3.90, 4.00
HP Fortify SecurityScope | 3.0, 3.1, 3.20, 3.30, 3.40, 3.50, 3.60, 3.70, 3.80, 3.90, 4.00
HP WebInspect | 10.10
HP WebInspect Enterprise | 10.10
FPR Compatibility
Later versions of HP Fortify products can open and read FPR files generated by earlier versions of HP Fortify products. For example, Audit Workbench 3.20 can read 2.1 FPR files. Earlier versions of HP Fortify products cannot open and read FPR files generated by later versions of HP Fortify products. For example, Audit Workbench 2.1 cannot read 3.20 FPR files. FPR versions are determined as follows:
• The version of an FPR is the same as the version of the analyzer that initially generates it. For example, an FPR generated by SCA 2.1 will be version 2.1.
• If two FPRs are merged, the resulting FPR has the version of the later one. For example, if a 2.1 and a 2.5 FPR are merged, the resulting FPR will be version 2.5.
Caution:
HP Fortify Software Security Center keeps a project file FPR that contains the latest scan results and audit information for each project. Audit Workbench and the Secure Coding Plug-ins also use this project file for collaborative auditing. Each time an FPR is uploaded to HP Fortify Software Security Center, it is merged with the project file. If the FPR has a later version number than the project file, the project file’s version will change to match the FPR.
In order for Audit Workbench and the Secure Coding Plug-ins to work with the updated FPR, they must be at least the same version as the FPR. For example, Audit Workbench 2.0 cannot read a 2.5 FPR.
Seed Bundle
HP Fortify Software Security Center 4.00 supports seed bundle 4.00.
Process Templates
HP Fortify Software Security Center 4.00 supports the following process templates:
Process Templates 2.0, 2.1, 2.5, 2.6, 2.6.1, 3.0, 3.1, 3.20, 3.30, 3.40, 3.50, 3.60, 3.70, 3.80, 3.90, 4.00 (If you have older versions of Process Templates, you might need to open them in 4.00 Process Designer first and make appropriate changes before they can be accepted by HP Fortify Software Security Center 4.00.)
Runtime Configuration Bundle and Template
HP Fortify Software Security Center 4.00 supports Runtime Configuration Bundle and Template 4.00.
Acquiring HP Fortify Software
HP Fortify Software is available on DVD or as an electronic download. You must have a SAID access account number in order to download HP Fortify Software from the HP Software Support Online site. Table 1 lists the available packages and describes their contents.
Table 1: Packages
File Name Description
Software_HP_Fortify_4.00_Eng_SW_Media_TF302-15135.iso
Disc image of the entire Software Security Center product line. After downloading, you will need to either mount the ISO image or burn it to a DVD before installation. For Windows operating systems.
Software_HP_Fortify_4.00_Eng_SW_Media_TF302-15135.iso.sig
Signature file for the Software Security Center product line ISO for Windows.
Software_HP_Fortify_4.00_Linux_Unix_Mac_TF302-15136.iso
Disc image of the entire Software Security Center product line. After downloading, you will need to either mount the ISO image or burn it to a DVD before installation. For Linux, Unix, and Macintosh operating systems.
Software_HP_Fortify_4.00_Linux_Unix_Mac_TF302-15136.iso.sig
Signature File for the Software Security Center product line ISO for Linux, Unix, and Macintosh operating systems.
HP_Fortify_Scan_Wizard_4.00_Windows_TF302-15147.zip
HP Fortify Scan Wizard for Windows.
HP_Fortify_Scan_Wizard_4.00_Windows_TF302-15147.zip.sig
Signature file for HP Fortify Scan Wizard for Windows.
HP_Fortify_Scan_Wizard_4.00_MacOSX_TF302-15146.tar.gz
HP Fortify Scan Wizard for Mac OS X.
HP_Fortify_Scan_Wizard_4.00_MacOSX_TF302-15146.tar.gz.sig
Signature file for HP Fortify Scan Wizard for Mac OS X.
HP_Fortify_Scan_Wizard_4.00_Linux_TF302-15145.tar.gz
HP Fortify Scan Wizard for Linux.
HP_Fortify_Scan_Wizard_4.00_Linux_TF302-15145.tar.gz.sig
Signature file for HP Fortify Scan Wizard for Linux.
HP_Fortify_SSC_Demo_Suite_4.00_Windows_x86_TF302-15150.zip
HP Fortify Demo Suite for Windows (x86)
HP_Fortify_SSC_Demo_Suite_4.00_Windows_x86_TF302-15150.zip.sig
Signature file for HP Fortify Demo Suite for Windows (x86)
HP_Fortify_SSC_Demo_Suite_4.00_Windows_x64_TF302-15149.zip
HP Fortify Demo Suite for Windows (x64)
HP_Fortify_SSC_Demo_Suite_4.00_Windows_x64_TF302-15149.zip.sig
Signature file for HP Fortify Demo Suite for Windows (x64)
HP_Fortify_SSC_Demo_Suite_4.00_Unix_TF302-15148.tar.gz
HP Fortify Demo Suite for Unix
HP_Fortify_SSC_Demo_Suite_4.00_Unix_TF302-15148.tar.gz.sig
Signature file for HP Fortify Demo Suite for Unix
HP_Fortify_SSC_Server_4.00_TF302-15151.zip
HP Fortify Software Security Center
HP_Fortify_SSC_Server_4.00_TF302-15151.zip.sig
Signature file for HP Fortify Software Security Center
HP_Fortify_CloudScan_Controller_4.00_TF302-15137.zip
HP Fortify CloudScan Controller
HP_Fortify_CloudScan_Controller_4.00_TF302-15137.zip.sig
Signature file for HP Fortify CloudScan Controller
HP_Fortify_Runtime_4.00_TF302-15138.exe
HP Fortify Runtime
HP_Fortify_Runtime_4.00_TF302-15138.exe.sig
Signature file for HP Fortify Runtime
HP_Fortify_SCA_and_Apps_4.00_Windows_TF302-15144.zip
The HP Fortify SCA and Apps package for Windows includes:
• Static Code Analyzer
• Audit Workbench
• HP Fortify SCA plug-in for Eclipse
• HP Fortify SCA plug-in for Visual Studio 2003
• HP Fortify SCA plug-in for Visual Studio 2005
• HP Fortify SCA plug-in for Visual Studio 2008
• HP Fortify SCA plug-in for Visual Studio 2010
• HP Fortify SCA plug-in for Visual Studio 2010 Remediation
• HP Fortify Scanning Plugin for Microsoft Visual Studio
Note: The plug-ins for IntelliJ and JDeveloper are available only on DVD and as part of the ISO.
HP_Fortify_SCA_and_Apps_4.00_Windows_TF302-15144.zip.sig
Signature files for the HP Fortify SCA and Apps package for Windows
HP_Fortify_SCA_and_Apps_4.00_Mac_TF302-15143.tar.gz
The HP Fortify SCA and Apps package for Macintosh includes:
• Static Code Analyzer
• Audit Workbench
• HP Fortify SCA plug-in for Eclipse
• HP Fortify SCA plug-in for Visual Studio 2003
• HP Fortify SCA plug-in for Visual Studio 2005
• HP Fortify SCA plug-in for Visual Studio 2008
• HP Fortify SCA plug-in for Visual Studio 2010
• HP Fortify SCA plug-in for Visual Studio 2010 Remediation
• HP Fortify Scanning Plugin for Microsoft Visual Studio
Note: The plug-ins for IntelliJ and JDeveloper are available only on DVD and as part of the ISO.
HP_Fortify_SCA_and_Apps_4.00_Mac_TF302-15143.tar.gz.sig
Signature file for the HP Fortify SCA and Apps package for Macintosh
HP_Fortify_SCA_and_Apps_4.00_Linux_TF302-15142.tar.gz
The HP Fortify SCA and Apps package for Linux includes:
• Static Code Analyzer
• Audit Workbench
• HP Fortify SCA plug-in for Eclipse
• HP Fortify SCA plug-in for Visual Studio 2003
• HP Fortify SCA plug-in for Visual Studio 2005
• HP Fortify SCA plug-in for Visual Studio 2008
• HP Fortify SCA plug-in for Visual Studio 2010
• HP Fortify SCA plug-in for Visual Studio 2010 Remediation
Note: The plug-ins for IntelliJ and JDeveloper are available only on DVD and as part of the ISO.
HP_Fortify_SCA_and_Apps_4.00_Linux_TF302-15142.tar.gz.sig
Signature file for the HP Fortify SCA and Apps package for Linux
HP_Fortify_SCA_4.00_HPUX_TF302-15140.tar.gz
HP Fortify SCA for HPUX
HP_Fortify_SCA_4.00_HPUX_TF302-15140.tar.gz.sig
Signature file for HP Fortify SCA for HPUX
HP_Fortify_SCA_4.00_Solaris_TF302-15141.tar.gz
HP Fortify SCA for Solaris
HP_Fortify_SCA_4.00_Solaris_TF302-15141.tar.gz.sig
Signature file for HP Fortify SCA for Solaris
Downloading the Software
To download HP Fortify Software from the HP Software Support Online site:
• Navigate to https://support.openview.hp.com.
• Click the Downloads tab to enter the software downloads section.
• Click Login, and then sign in using your HP Passport credentials.
Note: If you do not have an HP Passport, click the link called New users – please register.
The Downloads screen appears.
1. Click the Software Updates link.
The Software updates screen appears.
2. Click My Updates.
The My software updates screen appears.
If you do not have SAID access for HP Fortify products associated with your HP Passport, you must select the Directly enter an SAID option, and then type in your HP Fortify SAID account number.
3. Select the terms and conditions check box, and then click View available products.
The My software updates – product list page appears.
4. Expand the Application Security Center product node to see the list of Application Security Center product names.
5. From the Product name box select the version of the HP Fortify English Software E-Media software you want. For information about the available packages, see Table 1: Packages on page 18.
6. From the Downloads box, select the package you want to download.
7. Click Download Directly or Use HP Download Manager.
Note: If your organization requires that you verify the download, you must also download the like-named signature file. For example, if you download the HP_Fortify_4.00_Eng_SW_Media_TF302-15079.iso file, you will also need to download the associated signature file, HP_Fortify_4.00_Eng_SW_Media_TF302-15079.iso.sig. In rare cases, the signature file you download has the wrong extension (either .zip or .gz). If this is the case, change the final extension to .sig.
Verifying Software Downloads
The following instructions walk you through the process of verifying the HP Fortify package you acquired from the Downloads section of the HP Software Support Online site (http://support.openview.hp.com). Successful verification ensures that the package has not been altered since it was signed by HP and posted to the site. Before proceeding with the verification process, download the HP Fortify product files and their
associated signature (*.sig) files. You are not required to verify the package to use the software, but your organization may require it for security reasons.
Preparing Your System for Electronic Media Verification
1. Download and install version 1.4.x or 2.0.x of GnuPG: http://www.gnupg.org/download/.
2. Generate a private key, as follows:
a. Run the following command. On a Windows system, run the command without the '$' prompt.
$ gpg --gen-key
b. When prompted for key type, select DSA and Elgamal.
c. When prompted for a key size, select 2048.
d. When prompted for the length of time the key should be valid, select key does not expire.
e. Answer the user identification questions and provide a passphrase to protect your private key.
3. Use the instructions provided on the following linked page to create an HP public key file named “hpPublicKey.pub”: https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPLinuxCodeSigning&jumpid=reg_r1002_usen
4. Import the HP public key into GnuPG, as follows:
a. Move the hpPublicKey.pub file to the GNU installation directory.
b. Navigate to the GNU installation directory.
c. Run gpg --import hpPublicKey.pub
Verify that the Signature File Matches the Downloaded Software Package
To verify that the signature file matches the downloaded software package:
1. Navigate to the directory where you stored the downloaded package and signature file.
2. On Windows machines, run the following command: gpg --verify <Signature_File_Name> <Downloaded_File_Name>
On Unix/Linux, run: gpg --verify <Signature_File_Name> <Downloaded_File_Name>
3. Examine the output to ensure that it confirms the software you downloaded has been signed by HP and has not been altered. Your output should include something like the following:
C:\Users\username\<downloadDirectory>gpg --verify HP_Fortify_3.5_Eng_SW_Media_TF302-15039.iso.sig HP_Fortify_3.5_Eng_SW_Media_TF302-15039.iso
gpg: Signature made 04/18/12 15:05:36 Pacific Daylight Time using DSA key ID 2689B887
gpg: Good signature from "Hewlett-Packard Company (HP Codesigning Service)"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: FB41 0E68 CEDF 95D0 6681 1E95 527B C53A 2689 B887
Note: The warning message appears because the HP public key is not known to the system. You can ignore this warning or set up your environment to identify the HP public key as a trusted signature.
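Added example (not part of the HP documentation): a shell wrapper for step 3 that reads gpg's machine-readable --status-fd output instead of the on-screen text, and accepts the package only when a good signature was made by the key whose primary fingerprint you pass in. The function names are illustrative, and the expected fingerprint is assumed to be the one you confirmed when creating hpPublicKey.pub from the HP code-signing page; the value in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not HP code. Function names are illustrative.

# Strip whitespace from a fingerprint and upper-case its hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# check_status EXPECTED_FPR
# Reads "gpg --status-fd" lines on stdin. Returns 0 only when gpg reported
# GOODSIG plus a VALIDSIG whose last field (the primary key fingerprint)
# equals EXPECTED_FPR, and reported no failure status. Returns 2 when
# EXPECTED_FPR is not 40 hex digits, 1 in every other case.
check_status() {
    want=$(norm_fpr "$1")
    case $want in
        ''|*[!0-9A-F]*) echo "fingerprint must be 40 hex digits" >&2; return 2 ;;
    esac
    [ "${#want}" -eq 40 ] || { echo "fingerprint must be 40 hex digits" >&2; return 2; }
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "VALIDSIG" && toupper($NF) == want { pinned = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit !(good && pinned && !bad) }
    '
}

# verify_download SIGNATURE_FILE DOWNLOADED_FILE EXPECTED_FPR
# Runs the same "gpg --verify" as step 2, with status lines sent to stdout.
verify_download() {
    gpg --status-fd 1 --verify "$1" "$2" | check_status "$3"
}

# Usage (placeholder fingerprint, replace with the one you confirmed):
#   verify_download pkg.iso.sig pkg.iso "<40-hex-digit fingerprint>" \
#       && echo "signature OK and made by the expected key"
```

A nonzero return covers a bad or missing signature, an expired or revoked key, and a good signature made by any key other than the expected one.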
For more information on downloading, verifying, and installing HP Fortify Software, see Acquiring HP Fortify Software.
The ISO Download
If you choose to download an ISO file of the entire suite, you will need to either burn the ISO to a DVD or mount the ISO file prior to installing the software.
To burn the ISO file to a DVD:
Windows
Windows 7 natively supports burning an ISO to a DVD.
1. Put a writable DVD disc in your writable DVD drive.
2. Navigate to the ISO file that you downloaded.
3. Right-click the file name.
4. Select Burn disc image from the menu.
The Windows Disc Image Burner window appears.
5. Select the writable DVD drive for your system.
6. (Optional) Select the Verify disc after burning box.
7. Click Burn.
Note: Windows versions earlier than Windows 7 do not natively support burning an ISO file to a DVD. You must acquire software that supports burning an ISO to disc.
Unix/Linux
The following instructions are general command-line instructions; your distribution might require alterations to these steps.
1. Put a writable DVD disc in your writable DVD drive.
2. To find the path to your disc drive, type: wodim --devices, and then press Enter.
3. Burn the ISO file to disc by typing: wodim dev=/dev/cdrw -v -data <downloaded_ISO_file>.iso, replacing /dev/cdrw with the path to your disc drive.
4. Press Enter.
Note: You can also burn an ISO file using software included with a GUI shell.
Mac OS X
1. Insert a blank DVD into the drive.
2. Run Disk Utility.
3. From the File menu, select Open Disk Image, and then select the ISO to be burned.
4. From the list of volumes, select the item that represents the ISO file.
5. Click Burn, and then follow the instructions.
To mount the ISO file:
Windows
If you choose not to burn the ISO image to a disc, you can mount the ISO on your hard drive and run the installation from there. Windows does not include native support for mounting ISO files. You must use a third-party application if you choose to mount the ISO file to a directory in Windows rather than burning it to disc.
Linux / Unix
The following instructions are general command-line instructions; your distribution might require alterations to these steps.
1. Open a terminal in Linux.
2. Become root or an administrator user.
3. Create a mount point for the ISO file: mkdir /media/<folder_name_for_mount_point>
4. Navigate to the directory you just created.
5. Type: mount -o loop file.iso /media/<folder_name_for_mount_point>
6. Press Enter.
Mac OS X
1. Run Disk Utility.
2. From the Disk Utility menu, select Open Image File.
3. Select the HP Fortify ISO file.
The ISO file appears on the Mac OS desktop.
HP Fortify Assistive Technologies (Section 508)
In accordance with section 508 of the Rehabilitation Act, HP Fortify Software Security Center and HP Fortify Audit Workbench have been engineered to work with the JAWS screen reading software package from Freedom Scientific. JAWS provides text-to-speech support for use by the visually impaired. With JAWS, labels, text boxes, and other textual components can be read aloud, providing greater access to these technologies.
Using JAWS with HP Fortify Products
When using JAWS to generate text-to-speech translations of the text in Audit Workbench or Software Security Center's graphical user interface, there are a number of keyboard combinations that will help you get the most out of the interaction. The following table provides a list of useful keyboard commands.
Note: For best results, run JAWS before launching your browser and logging on to your HP Fortify program.
JAWS Keyboard Combinations
The following table lists keyboard combinations that will help you use JAWS with HP Fortify products. For more information about using JAWS, see the JAWS documentation.
To do this: | Use this keyboard combination:
To read values in combo boxes. | Press Ctrl + down arrow key to turn on Form mode, or press Enter.
Tab through multi-line text boxes. | Press Ctrl + Tab to move from one multiline text box to another.
Read multi-line labels. | Press Insert + down arrow to read all lines in label.
Read disabled (grayed-out) items. | Press Insert + B or Insert + down arrow.
Read disabled check boxes. | Press ESC to leave Forms mode and enter Virtual Cursor mode.
Enable table headings to be read. | Press Insert + F2. The Run JAWS Manager dialog box appears. Click OK.
Switch between pods or panels. | Hold down CTRL + F7 while you select a different pane.
Return focus to the application (JAWS is reading the web browser application rather than the content of the browser). | Press CTRL + R to refresh the display. Note that when you refresh the display, your session is aborted and any data you have typed onto the page is lost.
For more information or assistance, please visit HP Accessibility at: http://www.hp.com/accessibility.