HPE Security Fortify Software
Software Version: 17.20

System Requirements

Document Release Date: November 2017
Software Release Date: November 2017


Legal Notices

Warranty

The only warranties for Seattle SpinCo, Inc. and its subsidiaries' (“Seattle”) products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Seattle shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend

Confidential computer software. Except as specifically indicated, valid license from Seattle required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Copyright Notice

© Copyright 2001 - 2017 EntIT Software LLC, a Micro Focus company

Trademark Notices

Adobe™ is a trademark of Adobe Systems Incorporated.

Microsoft® and Windows® are U.S. registered trademarks of Microsoft Corporation.

UNIX® is a registered trademark of The Open Group.

Documentation Updates

The title page of this document contains the following identifying information:

• Software Version number
• Document Release Date, which changes each time the document is updated
• Software Release Date, which indicates the release date of this version of the software

To check for recent updates or to verify that you are using the most recent edition of a document, go to:

https://community.saas.hpe.com/t5/Fortify-Product-Documentation/ct-p/fortify-product-documentation

You will receive updated or new editions if you subscribe to the appropriate product support service. Contact your Micro Focus sales representative for details.


Contents

Preface
  Contacting HPE Security Fortify Support
  For More Information
  About the Documentation Set

Introduction
  Software Delivery
  Software Licenses

Fortify Software Security Center Server Requirements
  Hardware Requirements
  Database
  Database Performance Metrics for Minimum and Recommended Hardware Requirements
  Platforms and Architectures
  Application Servers
  Fortify Software Security Center Database
  Browsers
  Authentication Systems
  Single Sign-On (SSO)
  BIRT Reporting
  Service Integrations

Fortify Static Code Analyzer Requirements
  Hardware Requirements
  Software Requirements
  Platforms and Architectures
  Supported Languages
  Build Tools
  Compilers
  Secure Code Plugins
  Single Sign-On (SSO)
  Service Integrations for Fortify Static Code Analyzer Tools
  Security Content

Fortify CloudScan Requirements
  CloudScan Controller Hardware Requirements
  CloudScan Controller Platforms and Architectures
  CloudScan Client and Sensor Hardware Requirements

Fortify Runtime Requirements
  Platforms and Architectures
  Java Runtime Environments
  Java Application Servers
  .NET Frameworks
  Cloud Platforms
  IIS for Windows Server
  Cipher Suites for Runtime Agent

Fortify WebInspect Requirements
  Running as Administrator
  Hardware Requirements
  Software Requirements
  Notes on SQL Server Editions
  Ports and Protocols
  Required Connections
  Optional Connections
  Connections for Tools
  Fortify WebInspect Agent
  WebInspect Software Development Kit (SDK)
  Software Integrations for Fortify WebInspect

Fortify WebInspect Enterprise Requirements
  Fortify WebInspect Enterprise Installation and Upgrade Requirements
  Integrations for Fortify WebInspect Enterprise
  Fortify WebInspect Enterprise Database
  Hardware Requirements
  Software Requirements
  Fortify WebInspect Enterprise Administrative Console Requirements
  Hardware Requirements
  Software Requirements
  Ports and Protocols
  Required Connections
  Optional Connections
  Connections for Tools
  Fortify WebInspect Enterprise Sensor
  Fortify WebInspect Enterprise Notes and Limitations

License Infrastructure Manager Requirements
  Hardware Requirements
  Software Requirements

Version Compatibility Matrix
  Fortify Software Component Compatibility
  FPR File Compatibility
  Fortify Software Security Center Support for Runtime Configuration Bundle and Template

Virtual Machine Support

Technologies and Features no Longer Supported in this Release

Technologies and Features to Lose Support in the Next Release

Acquiring Fortify Software
  Downloading Fortify Software
  About Verifying Software Downloads
  Preparing Your System for Digital Signature Verification
  Verifying Software Downloads

Assistive Technologies (Section 508)

Send Documentation Feedback


Preface

Contacting HPE Security Fortify Support

If you have questions or comments about using this product, contact HPE Security Fortify Technical Support using one of the following options.

To Manage Your Support Cases, Acquire Licenses, and Manage Your Account

https://support.fortify.com

To Email Support

[email protected]

To Call Support

1.844.260.7219

For More Information

For more information about HPE Security software products: http://www.hpe.com/software/fortify

About the Documentation Set

The HPE Security Fortify Software documentation set contains installation, user, and deployment guides for all HPE Security Fortify Software products and components. In addition, you will find technical notes and release notes that describe new features, known issues, and last-minute updates. You can access the latest versions of these documents from the following Fortify Product Documentation website:

https://community.saas.hpe.com/t5/Fortify-Product-Documentation/ct-p/fortify-product-documentation

You will need to register for an account.


Introduction

This document provides the details about the environments and products that HPE supports for this version of Fortify Software and its associated products, which includes:

• Fortify Software Security Center Server
• Fortify Static Code Analyzer
• Fortify Audit Workbench and Secure Code Plugins
• Fortify CloudScan
• Fortify Runtime
• Fortify WebInspect
• Fortify WebInspect Enterprise
• License Infrastructure Manager

Software Delivery

Fortify Software is delivered only electronically. It is not available on disc. See "Acquiring Fortify Software" on page 38 for more information.

Software Licenses

Before you can start using Fortify Software, you must download the licenses for your purchases from the Fortify Customer Portal (https://support.fortify.com). To access the site, use the credentials that HPE Security Fortify Customer Support has provided.

Fortify Software Security Center Server Requirements

This section describes the system requirements for the Fortify Software Security Center server.

Hardware Requirements

Fortify Software Security Center requires the hardware specifications listed in the following table.

| Component | Minimum | Recommended |
|---|---|---|
| Fortify Software Security Center Processor | Quad-core | Eight-core |
| RAM | 8 GB | 32 GB |
| Fortify Software Security Center server Java Heap Size | 4 GB | 24 GB |


Database

HPE recommends an eight-core processor with 64 GB of RAM for the Fortify Software Security Center database. Using less than this recommendation can impact Fortify Software Security Center performance.

Use the following formula to estimate the size (in GB) of the Fortify Software Security Center database disk space:

((<Total_Issues>*30 KB) + <Total_Artifacts>) ÷ 1,000,000

where:

• <Total_Issues> is the total number of issues in the system
• <Total_Artifacts> is the total size in KB of all uploaded artifacts and scan results

Note: This equation produces only a rough estimate for database disk space allocation. Do not use this formula to estimate disk space requirements for long-term projects. Disk requirements for Fortify Software Security Center databases increase in proportion to the number of projects, scans, and issues in the system.

Database Performance Metrics for Minimum and Recommended Hardware Requirements

The following table shows performance metrics (number of issues discovered per hour) for Fortify Software Security Center configured with the minimum and the recommended hardware requirements.

| Database | Issues per Hour, Minimum Configuration | Issues per Hour, Recommended Configuration |
|---|---|---|
| IBM DB2 | 293,930 | 1,812,570 |
| MySQL | 362,514 | 2,589,385 |
| Oracle Database | 231,392 | 3,020,950 |
| SQL Server | 725,028 | 3,625,140 |

Platforms and Architectures

Fortify Software Security Center supports the platforms and architectures listed in the following table.

| Operating System | Architectures | Versions |
|---|---|---|
| Windows | 64-bit | Server 2016 |
| | | Server 2012 R2 |
| Linux | 64-bit | Red Hat Enterprise Linux 6 update 5 and later |
| | | Red Hat Enterprise Linux 7.x |
| | | Oracle Linux 6 update 5 and later |
| | | Oracle Linux 7.x |
| | | SUSE Linux Enterprise Server 12 |

Note: Although Fortify Software Security Center has not been tested on all Linux variants, most distributions are not known to have issues.

Application Servers

Fortify Software Security Center supports the application servers listed in the following table.

| Application Server | Versions | Java Versions |
|---|---|---|
| Apache Tomcat | 8.0, 8.5 | 8 |
| IBM WebSphere 8 | 8.5.5 | 8 |
| Oracle WebLogic 12c | 12.1.3 | 8 |

Fortify Software Security Center Database

Fortify Software Security Center requires that all database schema collations be case-sensitive.

For a production environment, Fortify Software Security Center supports the databases listed in the following table.

| Databases | Version | Supported Character Sets | Drivers |
|---|---|---|---|
| IBM DB2 | 10.5 fixpack 6 | UTF8, IBM-1252 | IBM DB2 JDBC Driver v10.5. Driver class: com.ibm.db2.jcc.DB2Driver. JAR file: db2jcc4.jar. IBM DB2 drivers also require that you add at least one of the following driver license files to the CLASSPATH before you load the JDBC driver and seed the database: db2jcc_license_cisuz.jar, db2jcc_license_cu.jar |
| MySQL | 5.6, 5.7 (Community Edition) | utf8_bin, latin1_general_cs | 5.1.35 or later. Driver class: com.mysql.jdbc.Driver. JAR file: mysql-connector-java-<version>-bin.jar |
| Oracle Database | 12c Release 1 | AL32UTF8 for all languages; WE8MSWIN1252 for US English | Oracle Database 12c Release 1 (12.1) JDBC Drivers. Driver class: oracle.jdbc.OracleDriver. JAR files: ojdbc7.jar (for Java 7 or later) |
| | 12c Release 2 | AL32UTF8 for all languages; WE8MSWIN1252 for US English | Oracle Database 12c Release 2 (12.2.x) JDBC Drivers. Driver class: oracle.jdbc.OracleDriver. JAR files: ojdbc8.jar (for Java 8) |
| SQL Server | 2014, 2016 | Make sure to use the case-sensitive (CS) option when choosing your collation method. For example: SQL_Latin1_General_CP1_CS_AS | Microsoft JDBC Driver 6.0 for SQL Server. Driver class: com.microsoft.sqlserver.jdbc.SQLServerDriver. JAR file: sqljdbc42.jar |

Browsers

HPE recommends that you use one of the browsers listed in the following table and a minimum screen resolution of 1280 x 1024.

| Browser | Version |
|---|---|
| Google Chrome | 59.0 or later |
| Microsoft Edge | 20 |
| Internet Explorer | 11 |
| Mozilla Firefox | 54.0 or later |
| Safari | 10 |

Note: To use the Fortify Software Security Center 4.30 legacy user interface, you must have Adobe Flash Player installed.

Authentication Systems

Fortify Software Security Center supports the following directory services:

• LDAP: LDAP 3 compatible
• Windows Active Directory Service

Single Sign-On (SSO)

Fortify Software Security Center supports:

• HTTP SSO (Oracle SSO, CA SSO)
• SAML SSO
• SPNEGO/Kerberos SSO
• PKI SSO (X.509)
• CAS SSO

BIRT Reporting

Software Security Center reports support Business Intelligence and Reporting Technology (BIRT) version 4.4.2.


Service Integrations

Fortify Software Security Center supports the service integrations listed in the following table.

| Service | Applications | Versions |
|---|---|---|
| Bug tracking | Bugzilla | 5.0 |
| | HPE Application Lifecycle Management (ALM)/Quality Center Enterprise (QC) | 12.50 |
| | JIRA | 7.1, 7.4 |
| | Team Foundation Server (TFS) | 2015, 2017 |
| | Visual Studio Team Services (VSTS). Note: Only basic user password authentication is supported. | n/a |
| Authentication | Active Directory | 2008, 2012 |
| Dynamic assessments | Fortify WebInspect Enterprise | 17.20 |

Fortify Static Code Analyzer Requirements

This section describes the system requirements for Fortify Static Code Analyzer, and the Fortify Static Code Analyzer Tools (including the Secure Code Plugins).

Hardware Requirements

HPE recommends that you install Fortify Static Code Analyzer on a high-end processor with at least 8 GB of RAM. If your software is complex, you might require more RAM. See the HPE Security Fortify Static Code Analyzer Performance Guide for more information.

Increasing the number of processor cores and increasing memory both result in faster processing.

Software Requirements

Fortify Static Code Analyzer requires Java 8. The Fortify SCA and Applications installer installs JRE 1.8.0_144.


Platforms and Architectures

Fortify Static Code Analyzer supports the platforms and architectures listed in the following table.

| Operating System | Architecture | Platforms |
|---|---|---|
| Windows | 64-bit | Windows Server 2016 |
| | | Windows Server 2012 R2 |
| | | Windows 8.1, 10 |
| Linux | 64-bit | Red Hat Enterprise Linux 6 update 5 and later |
| | | Red Hat Enterprise Linux 7.x |
| | | Oracle Linux 6 update 5 and later |
| | | Oracle Linux 7.x |
| | | SUSE Linux Enterprise Server 12 |
| macOS | | 10.12 |
| Oracle Solaris | x86, 64-bit | 10.5 and later |
| Oracle Solaris | SPARC 64-bit | 10.5 and later |
| HP-UX | Itanium 64-bit | 11.31 |
| IBM AIX | 64-bit | 6.1, 7.2 |

Fortify Static Code Analyzer Tools (including Secure Code Plugins) support the platforms and architectures listed in the following table.

| Operating System | Architecture | Platforms |
|---|---|---|
| Windows | 64-bit | Windows 7, 8.1, 10 |
| Linux | 64-bit | Red Hat Enterprise Linux 6 update 5 and later |
| | | Red Hat Enterprise Linux 7.x |
| | | Oracle Linux 6 update 5 and later |
| | | Oracle Linux 7.x |
| | | SUSE Linux Enterprise Server 12 |
| macOS | | 10.12 |


Supported Languages

Fortify Static Code Analyzer supports the programming languages listed in the following table.

| Language | Versions |
|---|---|
| .NET | 2.0–4.7 |
| ABAP/BSP | 6 |
| ActionScript | 3.0 |
| Apex | 36 |
| ASP.NET | 2.0–4.7 |
| C# | 5, 6, 7 |
| C/C++ | See "Compilers" on the next page |
| Classic ASP (with VBScript) | 2.0, 3.0 |
| COBOL | IBM Enterprise COBOL for z/OS 3.4.1 with CICS, IMS, DB2 embedded SQL, and IBM MQ |
| ColdFusion | 8, 9, 10 |
| HTML | 5 and earlier |
| Java (including Android) | 5.0, 6, 7, 8, 9 |
| JavaScript | ECMAScript 2015 |
| JSP | 1.2, 2.1 |
| MXML (Flex) | 4 |
| Objective-C/C++ | See "Compilers" on the next page |
| PHP | 5.3, 5.4, 5.5, 5.6, 7.0, 7.1 |
| PL/SQL | 8.1.6 |
| Python | 2.6, 2.7 |
| Ruby | 1.9.3 |
| Scala | 2.11, 2.12 |
| Swift | 3.0.2, 3.1 |
| T-SQL | SQL Server 2005, 2008, 2012 |
| VB.NET | 11, 14, 15 |
| VBScript | 2.0, 5.0 |
| Visual Basic | 6 |
| XML | 1.0 |

Build Tools

Fortify Static Code Analyzer supports the build tools listed in the following table.

| Build Tool | Versions | Notes |
|---|---|---|
| Ant | 1.9.6 | |
| Gradle | 2.13 | The Fortify Static Code Analyzer Gradle build integration supports the following language/platform combinations: Java/Windows, Linux, and macOS; C/Linux; C++/Linux |
| Jenkins | 1.6 | |
| Maven | 3.0.5, 3.3.x | |
| MSBuild | 4.x, 12.0, 14.0, 15.0 | |
| Xcodebuild | 8.0, 8.1, 8.2, 8.3 | |

Compilers

Fortify Static Code Analyzer supports the compilers listed in the following table.

| Compiler | Versions | Platform |
|---|---|---|
| gcc | GNU gcc 4.9, 5.x | Windows, Linux, macOS, Solaris, IBM AIX |
| gcc | GNU gcc 4.2.5 and later | HP-UX |
| g++ | GNU g++ 4.9, 5.x | Windows, Linux, macOS, Solaris, IBM AIX |
| g++ | GNU g++ 4.2.5 and later | HP-UX |
| Intel C++ Compiler | icc 8.0 | Linux |
| Oracle javac | 7, 8, 9 | Windows, Linux, macOS, Solaris, HP-UX, IBM AIX |
| Oracle Solaris Studio | 12 | Solaris |
| cl | 2013, 2015, 2017 | Windows |
| Apple LLVM (Clang) | 8.0, 8.1, 8.2, 8.3 | macOS |
| Swiftc | 3.0.2, 3.1 | macOS |

Secure Code Plugins

The following table lists the supported integrated development environments (IDE) for the Secure Code Plugins.

| Plugin | IDE and Version |
|---|---|
| Eclipse (Complete and Remediation) | Eclipse 4.6, 4.7 |
| IntelliJ IDEA Analysis | IntelliJ IDEA 15, 2016.x, 2017.x |
| | Android Studio 2.3.x |
| IntelliJ IDEA Remediation | IntelliJ IDEA 15, 2016.x, 2017.x |
| | Android Studio 2.3.x |
| | WebStorm 2017.x |
| JDeveloper Remediation Extension | JDeveloper 12c |
| Security Assistant (for Java code only) | Eclipse 4.6, 4.7 |
| Visual Studio Package | Visual Studio 2013 Premium, Professional, and Ultimate |
| | Visual Studio 2015 Community, Professional, and Enterprise |
| | Visual Studio 2017 Community, Professional, and Enterprise |
| | Note: Fortify Static Code Analyzer is not compatible with Visual Studio Express. |


Single Sign-On (SSO)

The Eclipse Complete plugin and the Visual Studio Package support the following SSO methods to connect with Fortify Software Security Center:

• SPNEGO/Kerberos SSO
• PKI SSO (X.509)

Service Integrations for Fortify Static Code Analyzer Tools

The following table lists the supported service integrations for Audit Workbench and the Secure Code Plugins.

| Service | Versions | Supported Tools |
|---|---|---|
| Bugzilla | 5.0 | Audit Workbench, Eclipse Plugin, Visual Studio Package |
| HPE Application Lifecycle Management (ALM)/Quality Center Enterprise (QC) | 12.50 | Audit Workbench, Eclipse Plugin |
| Team Foundation Server (TFS) | 2013 | Visual Studio Package |
| | 2015, 2017 | Audit Workbench, Eclipse Plugin, Visual Studio Package |
| Visual Studio Team Services (VSTS). Note: Only basic user password authentication is supported. | n/a | Audit Workbench, Eclipse Plugin |
| JIRA | 7.1, 7.4 | Audit Workbench, Eclipse Plugin |
| Fortify Software Security Center Bugtracker | 17.20 | Audit Workbench, Eclipse Plugin, Visual Studio Package |

Security Content

Fortify Secure Coding Rulepacks are backward compatible with all supported Fortify Software versions. This ensures that Rulepack updates do not break any working Fortify Software installation.

Fortify CloudScan Requirements

Fortify CloudScan has three major components: a CloudScan Controller, CloudScan clients, and CloudScan sensors. This section describes the requirements for each component.


CloudScan Controller Hardware Requirements

HPE recommends that you install the CloudScan Controller on a high-end 64-bit processor running at 2 GHz with at least 8 GB of RAM.

CloudScan Controller Disk Space Requirements

To estimate the amount of disk space required on the machine that runs the CloudScan Controller, use the following equation:

<Number_Jobs_Per_Day> x (<Average_MBS_Size> + <Average_FPR_Size> + <Average_SCA_Log_Size>) x <Number_Days_Data_is_Persisted>

By default, data is persisted for seven days.

CloudScan Controller Platforms and Architectures

The CloudScan Controller supports the platforms and architectures listed in the following table.

| Operating System | Architectures | Versions |
|---|---|---|
| Windows | 64-bit | Server 2016 |
| | | Server 2012 R2 |
| Linux | 64-bit | Red Hat Enterprise Linux 6 update 5 and later |
| | | Red Hat Enterprise Linux 7.x |
| | | Oracle Linux 6 update 5 and later |
| | | Oracle Linux 7.x |
| | | SUSE Linux Enterprise Server 12 |

CloudScan Client and Sensor Hardware Requirements

CloudScan clients and sensors run on any machine that supports Fortify Static Code Analyzer. Because CloudScan clients and sensors are installed on build machines running Fortify Static Code Analyzer, the hardware requirements are met.

See "Fortify Static Code Analyzer Requirements" on page 12 for hardware, software, and platform and architecture requirements.


CloudScan Sensor Disk Space Requirements

To estimate the amount of disk space required on the machine that runs a CloudScan sensor, use the following equation:

<Number_of_Scans> x (<Average_MBS_Size> + <Average_FPR_Size> + <Average_SCA_Log_Size>) x <Number_Days_Data_is_Persisted>

By default, data is persisted for seven days.

Fortify Runtime Requirements

Fortify Runtime is delivered as separate install images for Fortify Runtime Application Protection, ArcSight Application View, and Fortify WebInspect Agent.

Platforms and Architectures

Fortify Runtime supports 32-bit and 64-bit applications written in Java 5, 6, 7, and 8.

Java Runtime Environments

Fortify Runtime supports the Java runtime environments listed in the following table.

| JRE | Major Versions |
|---|---|
| IBM J9 | 5 (SR10 and later) |
| | 6 (SR6 and later) |
| Oracle HotSpot | 5, 6, 7, 8 |
| Oracle JRockit | 5, 6 (R27.6 and later) |

Note: Runtime for Java is supported on Unix, Linux, and Windows.

Java Application Servers

Fortify Runtime supports the Java application servers listed in the following table.

| Application Server | Versions |
|---|---|
| Apache Tomcat | 6.0, 7.0, 8.0 |
| IBM WebSphere | 7.0, 8.0, 8.5, 8.5.5 |
| Oracle WebLogic | 10.0, 10.3, 11g, 11gR1, 12c |
| Red Hat JBoss Enterprise Application Platform | 5.1.2, 5.2.0, 6.0.1, 6.1.1, 6.2.0, 6.30, 6.40 |
| Jetty | 9.3 |
| WildFly | 10.1 |

.NET Frameworks

Fortify Runtime supports .NET Framework versions 2.0, 3.0, 3.5, 4.0, 4.5, and 4.5.1.

Cloud Platforms

Fortify Runtime supports the cloud platforms listed in the following table.

| Cloud Platform | Service |
|---|---|
| Amazon Web Services | Virtual machines without a sandboxed environment |
| Microsoft Azure | Virtual machines and cloud services |

Note: Microsoft Azure platform as a service (PaaS) is not supported.

IIS for Windows Server

Fortify Runtime supports Internet Information Services (IIS) versions 6.0, 7.0, 7.5, 8 and 8.5.

Cipher Suites for Runtime Agent

Runtime Agent supports the following cipher suites for communicating with an external syslog server:

• TLS_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_RSA_WITH_AES_128_CBC_SHA
• TLS_RSA_WITH_AES_128_CBC_SHA256
• TLS_RSA_WITH_AES_256_CBC_SHA
• TLS_RSA_WITH_AES_256_CBC_SHA256

To run Runtime Agent on a Windows 2003 machine with IIS 6.0, you must install the Advanced Encryption Standard (AES) cipher suites in the Schannel.dll module for Windows Server 2003. Download the hotfix from Microsoft support (https://support.microsoft.com/en-us/kb/948963).


Fortify WebInspect Requirements

Before you install Fortify WebInspect, make sure that your system meets the requirements described in this section.

Running as Administrator

Fortify WebInspect requires administrative privileges for proper operation of all features. Refer to the Windows operating system documentation for instructions on changing the privilege level to run Fortify WebInspect as an administrator.

Hardware Requirements

HPE recommends that you install Fortify WebInspect on a system that conforms to the supported components listed in the following table. Beta or pre-release versions of operating systems, service packs, and required third-party components are not supported.

| Component | Requirement | Notes |
|---|---|---|
| Processor | 2.5 GHz quad-core or faster | Recommended |
| | 2.0 GHz dual-core | Minimum |
| RAM | 8+ GB (2 GB per core) | Recommended |
| | 4 GB | Minimum |
| Hard disk | 100+ GB | Recommended |
| | 40 GB | Minimum |
| Display | 1980 x 1080 | Recommended |
| | 1280 x 1024 | Minimum |

Important: If you are running a Fortify WebInspect sensor with SQL Express, HPE recommends that you use at least a 4-core CPU and a 64-bit operating system with at least 8 GB of RAM.

Software Requirements

Fortify WebInspect runs on and works with the software packages listed in the following table.

Note: Fortify WebInspect is available in both 32-bit and 64-bit installation versions.

| Package | Versions | Notes |
|---|---|---|
| Windows | Windows 10 | Recommended |
| | Windows 7 with SP1 | |
| | Windows 8 or 8.1 | |
| | Windows Server 2012, 2012 R2 | |
| | Windows Server 2016 | |
| .NET | .NET Framework 4.6.1 | |
| SQL Server | SQL Server 2012 with SP2 | Recommended. No scan database limit |
| | SQL Server 2008 R2 with SP2 | |
| | SQL Server 2012 with SP1 | No scan database limit |
| | SQL Server 2014 with SP1 | No scan database limit |
| | SQL Server 2016 | No scan database limit |
| SQL Server Express | SQL Server 2014 Express with SP1 | Recommended. 10 GB scan database limit |
| | SQL Server 2012 Express with SP1 or SP2 | 10 GB scan database limit |
| | SQL Server 2016 Express | 10 GB scan database limit |
| Browser | Internet Explorer 11 | Recommended |
| | Internet Explorer 10 | |
| Portable Document Format | Adobe Acrobat Reader 11 | Recommended |
| | Adobe Acrobat Reader 8.1.2 | Minimum |

Notes on SQL Server Editions

When using the Express edition of SQL Server:

• Scan data must not exceed the database size limit. If you require a larger database or you need to share your scan data, use the full version of SQL Server.
• During the installation you might want to enable “Hide advanced installation options.” Accept all default settings. Fortify WebInspect requires that the default instance is named SQLEXPRESS.

When using the full edition of SQL Server:

• You can install the full version of SQL Server on the local host or nearby (co-located). You can configure this option in the Fortify WebInspect Application Settings (Edit > Application Settings > Database).

Ports and Protocols

This section describes the ports and protocols Fortify WebInspect uses to make required and optional connections.

Required Connections

The following table lists the ports and protocols Fortify WebInspect uses to make required connections.

| Direction | Endpoint | URL or Details | Port | Protocol | Notes |
|---|---|---|---|---|---|
| Fortify WebInspect to target host | Target host | Scan target host | Any | HTTP | Fortify WebInspect must connect to the web application or web service to be scanned. |
| Fortify WebInspect to SQL database | MS SQL Express or MS SQL Standard/Enterprise | SQLEXPRESS service on localhost or SQL TCP service locally installed or remote host | 1433 | SQL TCP | Used for maintaining the scan data and generating reports within the Fortify WebInspect application. |
| Fortify WebInspect to Certificate Revocation List (CRL) | Verisign CRL | http://crl.verisign.com/pca3.crl or http://csc3-2004-crl.verisign.com/CSC3-2004.crl | 80 | HTTP | Offline installations of Fortify WebInspect or Fortify WebInspect Enterprise require you to manually download and apply the CRL from Verisign. Fortify WebInspect products prompt for these lists from Windows and their absence can cause problems with the application. A one-time download is sufficient, but HPE recommends regularly repeating this CRL download process as part of regular maintenance. |

Optional Connections

The following table lists the ports and protocols Fortify WebInspect uses to make optional connections.

| Direction | Endpoint | URL or Details | Port | Protocol | Notes |
| --- | --- | --- | --- | --- | --- |
| Fortify WebInspect to HPE License activation server | Remote HPE Licensing Service | https://licenseservice.fortify.hpe.com | 443 | HTTPS over SSL | For one-time activation of a Fortify WebInspect Named User license. You may optionally use the following: an offline activation process instead of using this direct connection; upstream proxy with authentication instead of a direct connection. |
| Fortify WebInspect to SmartUpdate server | Remote SmartUpdate service | https://smartupdate.fortify.hpe.com | 443 | HTTPS over SSL | Used to automatically update the Fortify WebInspect product. SmartUpdate is automatic when opening the product UI, but can be disabled and run manually. Can optionally use upstream proxy with authentication instead of a direct connection. |
| Fortify WebInspect to HPE Support Channel server | Remote HPE Support Channel service | https://supportchannel.fortify.hpe.com | 443 | HTTPS over SSL | Used to retrieve product marketing messages and to upload Fortify WebInspect data or product suggestions to HPE Security Fortify Support. Message check is automatic when opening the product UI, but can be disabled and run manually. Can optionally use upstream proxy with authentication instead of a direct connection. |
| Fortify WebInspect to HPE Telemetry server | Remote HPE Telemetry and performance reporting service | https://telemetry.fortify.com (Note: Accessing this URL in a browser does not display any content.) | 443 | HTTPS over SSL | The Telemetry service provides an automated process for collecting and sending Fortify WebInspect usage information to HPE. HPE software developers use this information to help improve the product. |
| Fortify WebInspect to License and Infrastructure Manager (LIM) | HPE LIM (Local Licensing Service) | Lease Concurrent User license | 443 | Web services over SSL | Required for Fortify WebInspect client to lease and use a Concurrent User license maintained in a LIM license pool. You can detach the client license from LIM after activation to avoid a constant connection. |
| Fortify WebInspect API listener | Local machine API, or network IP address | http://localhost:8083/webinspect/api | 8083 or user-specified | HTTP | Use to activate a Fortify WebInspect API Windows Service. This opens a listening port on your machine, which you can use locally or remotely to generate scans and retrieve the results programmatically. This API can be SSL enabled, and supports Basic or Windows authentication. |
| Fortify WebInspect to Fortify WebInspect Enterprise | Fortify WebInspect Enterprise server | User-specified Fortify WebInspect server | 443 or user-specified | HTTP or HTTPS over SSL | The Enterprise Server menu connects Fortify WebInspect as a client to the enterprise security solution to transfer findings and user role and permissions management. |
| Fortify WebInspect sensor service to Fortify WebInspect Enterprise | Fortify WebInspect Enterprise server | User-specified Fortify WebInspect server | 443 or user-specified | HTTP or HTTPS over SSL | Separate from the Fortify WebInspect UI, you can configure the local installation as a remote scan engine for use by the enterprise security solution community. This is done through a Windows Service. This constitutes a different product from Fortify WebInspect desktop and is recommended to be run on its own, non-user-focused machine. |
| Browser to Fortify WebInspect | localhost | Manual Step-Mode Scan | Dynamic, 8081, or user-specified | HTTP or HTTPS over SSL | Fortify WebInspect serves as a web proxy to the browser, enabling manual testing of the target web server through Fortify WebInspect. |
| Fortify WebInspect to Quality Center Enterprise (ALM) | QC server | User-specified ALM server | Server-specified | HTTP or HTTPS over SSL | Permits submission of findings as defects to the ALM bug tracker application. |


Connections for Tools

The following table lists the ports and protocols that the Fortify WebInspect tools use to make connections.

| Tool | Direction | Endpoint | Port | Protocol | Notes |
| --- | --- | --- | --- | --- | --- |
| Web Proxy | To target host | localhost | 8080 or user-specified | HTTP or HTTPS over SSL | Intercepts and displays web traffic |
| Web Form Editor | To target host | localhost | Dynamic, 8100, or user-specified | HTTP or HTTPS over SSL | Intercepts web traffic and captures submitted forms |
| Login or Workflow Macro Recorders | To target host | localhost | Dynamic, 8081, or user-specified | HTTP or HTTPS over SSL | Records browser sessions for replay during scan |
| Web Discovery | Fortify WebInspect machine to targeted IP range | Target host network range | User-specified range | HTTP and HTTPS over SSL | Scanner for identifying rogue web applications hosted among the targeted scanned IP and port ranges. Use to provide targets to Fortify WebInspect (manually) |

Fortify WebInspect Agent

For system requirements, see "Fortify Runtime Requirements" on page 19.

WebInspect Software Development Kit (SDK)

The WebInspect SDK requires the following software:

• Visual Studio 2013 or 2015

• .NET Framework 4.6.1

Important: Visual Studio Express versions do not support third-party extensions. Therefore, these versions do not meet the software requirements for using the WebInspect SDK.

Software Integrations for Fortify WebInspect

The following table lists products that you can integrate with Fortify WebInspect.

| Product | Versions |
| --- | --- |
| Fortify WebInspect Enterprise | 17.20 |
| HPE Application Lifecycle Management (ALM). Note: You must also install the ALM Connectivity tool to connect Fortify WebInspect to ALM. | 11.5, 12.01, 12.21, 12.53 |
| Fortify Software Security Center | 17.20 |
| HPE Unified Functional Testing | 11.5 |

Fortify WebInspect Enterprise Requirements

Before you install Fortify WebInspect Enterprise, make sure that your systems meet the requirements described in this section.

Note: Product versions that are not specifically listed in this document are not supported.

Fortify WebInspect Enterprise Installation and Upgrade Requirements

You can upgrade directly from Fortify WebInspect Enterprise 17.10 to Fortify WebInspect Enterprise 17.20. You cannot upgrade directly from any other versions of Fortify WebInspect Enterprise. For detailed information about upgrades, see the HPE Security Fortify WebInspect Enterprise Installation and Implementation Guide.

Integration with Fortify Software Security Center is optional. If you are integrating Fortify WebInspect Enterprise with Fortify Software Security Center, then you must install and run Fortify Software Security Center 17.20 before you install a new instance of Fortify WebInspect Enterprise or upgrade from Fortify WebInspect Enterprise 17.10. You can install Fortify Software Security Center and Fortify WebInspect Enterprise on the same or different machines. Using separate machines might improve performance.

Integrations for Fortify WebInspect Enterprise

You can integrate Fortify WebInspect Enterprise with the following components:

• Fortify WebInspect sensors 17.20

• Fortify WebInspect Agent 17.12

Fortify WebInspect Enterprise Database

HPE recommends that you configure the database server on a separate machine from either Fortify Software Security Center or Fortify WebInspect Enterprise.

The Fortify WebInspect Enterprise Server SQL database requires case-insensitive collation.


Important: This is opposite the requirement for Fortify Software Security Center databases as described in "Fortify Software Security Center Database" on page 9.

Hardware Requirements

The following table lists the hardware requirements for the Fortify WebInspect Enterprise server.

| Component | Requirement | Notes |
| --- | --- | --- |
| Processor | 3.0 GHz quad-core or faster | Recommended |
| Processor | 2.5 GHz dual-core | Minimum |
| RAM | 8+ GB (2 GB per core) | Recommended |
| RAM | 4 GB | Minimum |
| Hard disk | 100+ GB | Recommended |
| Hard disk | 20+ GB if using a local database | |
| Hard disk | 5 GB if using a remote database | |
| Display | 1920 x 1080 | Recommended |
| Display | 1280 x 1024 | Minimum |

Software Requirements

Fortify WebInspect Enterprise server runs on and works with the software packages listed in the following table.

| Package | Versions | Notes |
| --- | --- | --- |
| Windows | Windows Server 2012 R2 | Recommended |
| Windows | Windows Server 2012 | |
| Windows | Windows Server 2016 | |
| .NET | .NET Framework 4.6.1 | |
| Platform | IIS 8.5 | Recommended |
| Platform | IIS 7.5 | |
| Platform | IIS 8.0 | |
| Platform | IIS 10 | |
| SQL Server | SQL Server 2014 with SP1 | Recommended. No scan database limit |
| SQL Server | SQL Server 2012 with SP1 or SP2 | No scan database limit |
| SQL Server | SQL Server 2016 | No scan database limit |
| Browser | Internet Explorer 11 | Recommended |
| Browser | Mozilla Firefox 51.0 or 56.0 [1] | Recommended |
| Browser | Mozilla Firefox [1] 47.0 | |
| Plugins for Enterprise Servers | For Fortify Software Security Center: Adobe Flash Player | |
| Plugins for Enterprise Servers | For Fortify WebInspect Enterprise: Silverlight 5.0 or 5.1 | |

[1] You cannot perform a Guided Scan or create reports using the Mozilla Firefox browser. This browser no longer supports the .NET Framework Assistant plugin.

Fortify WebInspect Enterprise Administrative Console Requirements

This section describes the hardware and software requirements for the Fortify WebInspect Enterprise Administrative Console.

You do not need to install the Fortify WebInspect Enterprise Administrative Console on the same machine as the Web Console of the Fortify WebInspect Enterprise server. The two consoles have different system requirements. In addition, you can install multiple Administrative Consoles on different machines connected to the same Fortify WebInspect Enterprise server.

Hardware Requirements

The following table lists the hardware requirements for Fortify WebInspect Enterprise Administrative Console.

| Component | Requirement | Notes |
| --- | --- | --- |
| Processor | 2.5 GHz dual-core | Minimum |
| RAM | 4 GB | Minimum |
| Hard disk | 2 GB | |
| Display | 1980 x 1080 | Recommended |
| Display | 1280 x 1024 | Minimum |

Software Requirements

The Fortify WebInspect Enterprise Administrative Console runs on and works with the software packages listed in the following table.

Note: The Fortify WebInspect Enterprise Administrative Console is available in both 32-bit and 64-bit installation versions.

| Package | Versions | Notes |
| --- | --- | --- |
| Windows | Windows 10 | Recommended |
| Windows | Windows 7 with SP1 | |
| Windows | Windows 8 or 8.1 | |
| Windows | Windows Server 2016 | |
| Windows | Windows Server 2012 or 2012 R2 | |
| .NET | .NET Framework 4.6.1 | |

Ports and Protocols

This section describes the ports and protocols Fortify WebInspect Enterprise uses to make required and optional connections.


Required Connections

The following table lists the ports and protocols Fortify WebInspect Enterprise uses to make required connections.

| Direction | Endpoint | URL or Details | Port | Protocol | Notes |
| --- | --- | --- | --- | --- | --- |
| Fortify WebInspect Enterprise Manager server to SQL database | MS SQL Standard/Enterprise | SQL TCP service on locally installed or remote host | 1433 or user-specified | SQL TCP | Used to maintain the scan data and full Enterprise environment. Custom configurations of MS SQL are permitted, including port changes and encrypted communication. |
| Fortify WebInspect Enterprise Manager machine to Fortify Software Security Center server | Fortify Software Security Center server | User-specified Fortify Software Security Center server | 8180 or user-specified | HTTP or HTTPS over SSL | As a modular add-on, Fortify WebInspect Enterprise requires a connection to its core Fortify Software Security Center server. Note: This connection is required only if you integrate Fortify WebInspect Enterprise with Fortify Software Security Center. |
| Sensor machines to Fortify WebInspect Enterprise Manager server | Fortify WebInspect Enterprise server | User-specified Fortify WebInspect Enterprise server | 443 or user-specified | HTTPS over SSL | Communication is two-way HTTP traffic, initiated in-bound by the Fortify WebInspect sensor machine. |
| Browser users to Fortify WebInspect Enterprise server UI | Fortify WebInspect Enterprise server | User-specified Fortify WebInspect Enterprise server | 443 or user-specified | HTTPS over SSL | You can configure Fortify WebInspect Enterprise not to use SSL, but tests indicate that it might affect the usability of the product. |
| Browser user to Fortify Software Security Center UI | Fortify Software Security Center server | User-specified Fortify Software Security Center server | 8180 or user-specified | HTTP or HTTPS over SSL | You can configure the Fortify Software Security Center server on any available port during installation. |
| Fortify WebInspect Enterprise Manager machine to SmartUpdate server | SmartUpdate | https://smartupdate.fortify.hpe.com | 443 | HTTPS over SSL | Used to acquire updates for the product as well as all connected clients (Fortify WebInspect sensors and Fortify WebInspect desktop). The administrator manually runs SmartUpdate, however HPE recommends that you set up an automated schedule. New client releases are held in reserve until the Fortify WebInspect Enterprise administrator marks them as Approved, at which time they are automatically distributed from the Fortify WebInspect Enterprise Manager server. Can support the use of an upstream proxy with authentication instead of a direct Internet connection. |

Optional Connections

The following table lists the ports and protocols Fortify WebInspect Enterprise uses to make optional connections.

| Direction | Endpoint | URL or Details | Port | Protocol | Notes |
| --- | --- | --- | --- | --- | --- |
| Fortify WebInspect desktop machines to Fortify WebInspect Enterprise Manager server | Fortify WebInspect Enterprise server | User-specified Fortify WebInspect Enterprise server | 443 or user-specified | HTTPS over SSL | Communication is two-way HTTP traffic, initiated in-bound by the Fortify WebInspect desktop machine. |
| Fortify WebInspect Enterprise Manager machine to HPE License activation server | HPE Licensing Service | https://licenseservice.fortify.hpe.com | 443 | HTTPS over SSL | For one-time activation of the Fortify WebInspect Enterprise server license as well as periodic checks during an update. You may optionally use the following: an offline activation process instead of using this direct connection; upstream proxy with authentication instead of a direct Internet connection. |
| Fortify WebInspect Enterprise Manager machine to mail server | User’s mail server | Email alerts | 25 or user-specified | SMTP | Used for SMTP alerts for administration team. To enable mobile TXT alerts, you can use an SMTP-to-SMS gateway address. |
| Fortify WebInspect Enterprise Manager machine to SNMP Community | User’s SNMP Community | SNMP alerts | 162 or user-specified | SNMP | Used for SNMP alerts for administration team. |

Connections for Tools

The following table lists the ports and protocols that the Fortify WebInspect tools use to make connections.

| Tool | Direction | Endpoint | Port | Protocol | Notes |
| --- | --- | --- | --- | --- | --- |
| Web Proxy | To target web application | localhost | 8080 or user-specified | HTTP or HTTPS over SSL | Intercepts and displays web traffic |
| Web Form Editor | To target web application | localhost | Dynamic, 8100, or user-specified | HTTP or HTTPS over SSL | Intercepts web traffic and captures submitted forms |
| Login or Workflow Macro Recorders | To target web application | localhost | Dynamic, 8081, or user-specified | HTTP or HTTPS over SSL | Records browser sessions for replay during scan |
| Web Discovery | To targeted IP range | localhost | User-specified range | HTTP and HTTPS over SSL | Scanner for identifying rogue web applications hosted among the targeted scanned IP and port ranges. Use to provide targets to Fortify WebInspect (manually) |

Fortify WebInspect Enterprise Sensor

A Fortify WebInspect Enterprise sensor is a Fortify WebInspect sensor that runs scans on behalf of Fortify WebInspect Enterprise. See "Fortify WebInspect Requirements" on page 21 for more information.

To run a scan from Fortify WebInspect Enterprise, you must have at least one instance of Fortify WebInspect connected and configured as a sensor.

Fortify WebInspect Enterprise Notes and Limitations

• You can connect any instance of Fortify Software Security Center to only one instance of Fortify WebInspect Enterprise, and you can connect any instance of Fortify WebInspect Enterprise to only one instance of Fortify Software Security Center.

• For a Fortify WebInspect Enterprise environment to support Internet Protocol version 6 (IPv6), you must deploy the IPv6 protocol on each Fortify WebInspect Enterprise Administrative Console, each Fortify WebInspect Enterprise sensor, and the Fortify WebInspect Enterprise server.

License Infrastructure Manager Requirements

This section describes the hardware and software requirements for License Infrastructure Manager (LIM).

Hardware Requirements

HPE recommends that you install the LIM on a system that conforms to the supported components listed in the following table. Beta or pre-release versions of operating systems, service packs, and required third-party components are not supported.

| Component | Requirement | Notes |
| --- | --- | --- |
| Processor | 2.5 GHz single-core or faster | Recommended |
| Processor | 1.5 GHz single-core | Minimum |
| RAM | 2+ GB | Recommended |
| RAM | 1 GB | Minimum |
| Hard disk | 50+ GB | Recommended |
| Hard disk | 20 GB | Minimum |
| Display | 1280 x 1024 | Recommended |
| Display | 1024 x 768 | Minimum |


Software Requirements

LIM runs on and works with the software packages listed in the following table.

| Package | Versions | Notes |
| --- | --- | --- |
| Windows Server | Windows Server 2012 or 2012 R2 | |
| Windows Server | Windows Server 2008 R2 with SP1 | |
| Windows Server | Windows Server 2008 with SP2 | |
| Internet Information Services (IIS) | Version 7 or later | |
| .NET Framework | 4.6.1 | |
| Browser | Internet Explorer 11 | Recommended |
| Browser | Mozilla Firefox 51.0 | Recommended |
| Browser | Mozilla Firefox 44.0 or 47.0 | |

Version Compatibility Matrix

This section provides compatibility information for Fortify Software components.

Fortify Software Component Compatibility

Fortify Software version 17.20 works with the component versions listed in the following table.

| Component | Versions |
| --- | --- |
| Fortify Software Security Center | 17.20 |
| Fortify Static Code Analyzer Tools (Audit Workbench, Secure Code Plugins, and Custom Rules Editor) | 17.20 |
| Fortify Runtime | 17.12 |
| Fortify WebInspect Agent | 17.12 |
| Fortify WebInspect | 17.20 |
| Fortify WebInspect Enterprise | 17.20 |


FPR File Compatibility

Earlier versions of Fortify Software products cannot open and read FPR files generated by later versions of Fortify Software products. For example, Audit Workbench 4.40 cannot read 17.20 FPR files. However, later versions of Fortify Software products can open and read FPR files generated by earlier versions of Fortify Software products. For example, Audit Workbench version 17.20 can open and read version 4.40 FPR files.

FPR version numbers are determined as follows:

• The FPR version is the same as the version of the analyzer that initially generated it. For example, an FPR generated by Fortify Software version 17.20 also has the version number 17.20.

• The FPR version is the same as the version of the Fortify Software Security Center or Fortify Static Code Analyzer Tool used to modify or audit the FPR.

• If you merge two FPRs, the resulting FPR has the version of the more recently generated FPR. For example, if you merge a version 4.40 FPR with a version 17.20 FPR, the resulting FPR has the version number 17.20.

You can only open 17.20 FPR files with Fortify Software Security Center or Fortify Static Code Analyzer Tools version 17.20 or later.

Caution Regarding Uploading FPRs to Fortify Software Security Center

Fortify Software Security Center keeps a project file that contains the latest scan results and audit information for each application. Audit Workbench and the Secure Code Plugins also use this project file for collaborative auditing.

Each time you upload an FPR to Fortify Software Security Center, it is merged with the existing project file. If the FPR has a later version number than the existing project file, the existing project file version changes to match the FPR. For Audit Workbench and the Secure Code Plugins to work with the updated FPR, they must be at least the same version as the FPR. For example, Audit Workbench 4.40 cannot open and read a 17.20 FPR.
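The FPR version rules and the upload caution above can be checked before an upload. The following is an added example, not code from Fortify or from this document: the function names and the tool inventory are hypothetical, and it assumes that the "more recently generated" FPR in a merge is the one with the later version number, as in the 4.40 and 17.20 example.

```python
# Added example: models the FPR version rules and the upload caution from this
# section. Function names and the tool inventory are hypothetical; nothing here
# reads or writes real FPR files.


def parse_version(text):
    """Turn '17.20' into (17, 20) so versions compare numerically.

    Raw string comparison would rank '4.40' above '17.20'.
    """
    return tuple(int(part) for part in text.strip().split("."))


def later(a, b):
    """Return whichever version string is numerically later."""
    return a if parse_version(a) >= parse_version(b) else b


def can_open(tool_version, fpr_version):
    """A tool opens FPRs of its own version or earlier, never later ones."""
    return parse_version(tool_version) >= parse_version(fpr_version)


def version_after_audit(fpr_version, tool_version):
    """Auditing or modifying an FPR stamps it with the tool's version."""
    if not can_open(tool_version, fpr_version):
        raise ValueError(
            f"tool {tool_version} cannot open a {fpr_version} FPR")
    return tool_version


def version_after_merge(fpr_a, fpr_b):
    """Merged FPR takes the version of the more recently generated FPR.

    Assumption: the more recently generated FPR is the one with the later
    version number, as in the 4.40 + 17.20 example on the page.
    """
    return later(fpr_a, fpr_b)


def project_version_after_upload(project_version, fpr_version):
    """Uploading merges the FPR into the project file; a later FPR version
    raises the project file to that version, an earlier one leaves it alone."""
    return later(project_version, fpr_version)


def tools_locked_out(project_version, fpr_version, tools):
    """Names of tools that can open the project file now but not after upload.

    `tools` maps a label (for example an auditor's workstation) to the
    version of Audit Workbench or Secure Code Plugin installed there.
    """
    new_version = project_version_after_upload(project_version, fpr_version)
    return sorted(
        name for name, version in tools.items()
        if can_open(version, project_version)
        and not can_open(version, new_version)
    )


# Constructed inventory for illustration.
SAMPLE_TOOLS = {
    "auditor-a Audit Workbench": "4.40",
    "auditor-b Audit Workbench": "17.10",
    "build-server Secure Code Plugin": "17.20",
}

if __name__ == "__main__":
    # Uploading a 17.20 FPR into a 4.40 project file locks out older clients.
    print(tools_locked_out("4.40", "17.20", SAMPLE_TOOLS))
```

Running the check against the real inventory of auditing clients before the first upload from an upgraded analyzer shows which collaborators must upgrade first.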

Fortify Software Security Center Support for Runtime Configuration Bundle and Template

Fortify Software Security Center 17.20 supports Runtime Configuration Bundle and Template 17.12.

Virtual Machine Support

You can run Fortify software products in an approved operating system in virtual machine environments. You must provide dedicated CPU and memory resources that meet the minimum hardware requirements. If you find issues that cannot be reproduced on the native environments with sufficient processing, memory, and disk resources, you need to work with the provider of the virtual environment to get them resolved.


Note: Running Fortify software products in a VM environment with shared CPU and memory resources is not supported.

Technologies and Features no Longer Supported in this Release

The following technologies and features are no longer supported in Fortify Software:

• JIRA 6.4

• MacOS X 10.11

• MacOS X Apple LLVM (clang) compiler version 7.x

• Swift compiler version 2.2

• Team Foundation Server 2012

• Visual Studio 2012 Premium, Professional, and Ultimate

• Scanning plugin for Xcode IDE 7.x is only available on demand from HPE Security Fortify Support

Technologies and Features to Lose Support in the Next Release

Customers who are currently using Fortify Runtime are encouraged to upgrade to Fortify Application Defender, a Runtime Application Self Protection (RASP) solution that helps mitigate risk from homegrown or third-party applications. In the next release, you will no longer be able to manage Fortify Runtime from Fortify Software Security Center. In addition, all sales of the standalone Fortify Runtime product require pre-approval from Product Management. Fortify Application Defender provides visibility into application abuse while protecting software vulnerabilities from exploits in real time. Application Defender is available as a SAAS offering or it can be installed on-premises. For more information, see https://software.microfocus.com/software/application-defender.

The following technologies and features are scheduled for deprecation in the next Fortify Software release:

• Apache Tomcat 8.0 (Fortify Software Security Center)

• Fortify Remediation Extension for JDeveloper

• IBM DB2

• IBM WebSphere (Fortify Software Security Center)

• IntelliJ IDEA 15 (Secure Code Plugins)

• JIRA 7.1

• Oracle Database 12c Release 1 (Fortify Software Security Center)

• Oracle Linux 6 update 5 and later, Oracle Linux 7.x

• Oracle WebLogic (Fortify Software Security Center)

• Swift compiler version 3.0.2 (Fortify Static Code Analyzer)


Acquiring Fortify SoftwareFortify Software is available as an electronic download. The following table lists the available packagesand describes their contents.

File Name Description

HPE_Security_Fortify_17.20_Windows.iso (For Windows operating systems) Disc image of theentire Fortify Software product line. After downloading,you must either mount the ISO image or burn it to aDVD before installation.

HPE_Security_Fortify_17.20_Windows.iso.sig

(For Windows operating systems) Signature file for theFortify Software product line ISO

HPE_Security_Fortify_17.20_Linux_Unix_Mac.iso

(For Linux, Unix, and Mac operating systems) Disc imageof the entire Fortify Software product line. Afterdownloading, you must either mount the ISO image orburn it to a DVD before installation.

HPE_Security_Fortify_17.20_Linux_Unix_Mac.iso.sig

(For Linux, Unix, and Mac operating systems) Signaturefile for the Fortify Software product line ISO

HPE_Security_Fortify_SSC_Server_17.20.zip

Fortify Software Security Center

HPE_Security_Fortify_SSC_Server_17.20.zip.sig

Signature file for Fortify Software Security Center

HPE_Security_Fortify_CloudScan_Controller_17.20.zip

Fortify CloudScan Controller

HPE_Security_Fortify_CloudScan_Controller_17.20.zip.sig

Signature file for Fortify CloudScan Controller

HPE_Security_Fortify_Runtime_17.12.zip Fortify Runtime

HPE_Security_Fortify_Runtime_17.12.zip.sig

Signature file for Fortify Runtime

HPE_Security_Fortify_SCA_and_Apps_17.20_Windows.zip

Fortify SCA and Applications package for Windows

This package includes the following components:

l Fortify Static Code Analyzer

l Audit Workbench

l CustomRules Editor

l Process Designer

l Fortify Plugin for Eclipse

SystemRequirements

HPE Security Fortify Software (17.20) Page 38 of 44

Page 39: HPE Security Fortify Software System Requirements...Contents Preface 6 ContactingHPE SecurityFortifySupport 6 ForMoreInformation 6 AbouttheDocumentationSet 6 Introduction 7 SoftwareDelivery

File Name Description

l Fortify Analysis Plugin for IntelliJ and Android Studio

l Fortify Package for Visual Studio

l Scan Wizard

l Sample applications

Note:

l Security content (Rulepacks and externalmetadata) can be downloaded during theinstallation.

l Fortify Remediation Extension for JDeveloper,Fortify Remediation Plugin for Eclipse, FortifySecurity Assistant Plugin for Eclipse, FortifyRemediation Plugin for IntelliJ and AndroidStudio, and Fortify Jenkins Plugin are included aspart of the HPE_Security_Fortify_17.20_Windows disc image.

HPE_Security_Fortify_SCA_and_Apps_17.20_Windows.zip.sig

Signature files for the Fortify SCA and Applicationspackage for Windows

HPE_Security_Fortify_SCA_and_Apps_17.20_Mac.tar.gz

Fortify SCA and Applications package for macOS

This package includes the following components:

l Fortify Static Code Analyzer

l Audit Workbench

l CustomRules Editor

l Process Designer

l Fortify Plugin for Eclipse

l Fortify Analysis Plugin for IntelliJ and Android Studio

l Fortify Scan Wizard

l Sample applications

Note:

l Security content (Rulepacks and externalmetadata) can be downloaded during theinstallation.

l Fortify Remediation Extension for JDeveloper,Fortify Remediation Plugin for Eclipse, FortifySecurity Assistant Plugin for Eclipse, FortifyRemediation Plugin for IntelliJ and AndroidStudio, and Fortify Jenkins Plugin are included aspart of the HPE_Security_Fortify_17.20_Linux_Unix_Mac disk image.

SystemRequirements

HPE Security Fortify Software (17.20) Page 39 of 44

Page 40: HPE Security Fortify Software System Requirements...Contents Preface 6 ContactingHPE SecurityFortifySupport 6 ForMoreInformation 6 AbouttheDocumentationSet 6 Introduction 7 SoftwareDelivery

File Name Description

HPE_Security_Fortify_SCA_and_Apps_17.20_Linux.tar.gz

Fortify SCA and Applications package for Linux

The package includes the following components:

l Fortify Static Code Analyzer

l Audit Workbench

l CustomRules Editor

l Process Designer

l Fortify Plugin for Eclipse

l Fortify Analysis Plugin for IntelliJ and Android Studio

l Fortify Scan Wizard

l Sample applications

Note:

l Security content (Rulepacks and externalmetadata) can be downloaded during theinstallation.

l Fortify Remediation Extension for JDeveloper,Fortify Remediation Plugin for Eclipse, FortifySecurity Assistant Plugin for Eclipse, FortifyRemediation Plugin for IntelliJ and AndroidStudio, and Fortify Jenkins Plugin are included aspart of the HPE_Security_Fortify_17.20_Linux_Unix_Mac disk image.

HPE_Security_Fortify_SCA_and_Apps_17.20_Linux.tar.gz.sig

Signature file for Fortify Static Code Analyzer for Linux

HPE_Security_Fortify_SCA_17.20_HPUX.tar.gz

Fortify Static Code Analyzer for HP-UX

HPE_Security_Fortify_SCA_17.20_HPUX.tar.gz.sig

Signature file for Fortify Static Code Analyzer forHP-UX

HPE_Security_Fortify_SCA_17.20_Solaris.tar.gz

Fortify Static Code Analyzer for Solaris

HPE_Security_Fortify_SCA_17.20_Solaris.tar.gz.sig

Signature file for Fortify Static Code Analyzer for Solaris

HPE_Security_Fortify_SCA_17.20_AIX.tar.gz

Fortify Static Code Analyzer for AIX

HPE_Security_Fortify_SCA_17.20_AIX.tar.gz.sig

Signature file for Fortify Static Code Analyzer for AIX

HPE_Security_Fortify_Scan_Wizard_17.20_Windows.zip

Fortify Scan Wizard for Windows

SystemRequirements

HPE Security Fortify Software (17.20) Page 40 of 44

Page 41: HPE Security Fortify Software System Requirements...Contents Preface 6 ContactingHPE SecurityFortifySupport 6 ForMoreInformation 6 AbouttheDocumentationSet 6 Introduction 7 SoftwareDelivery

File Name Description

HPE_Security_Fortify_Scan_Wizard_17.20_Windows.zip.sig

Signature file for Fortify Scan Wizard for Windows

HPE_Security_Fortify_Scan_Wizard_17.20_MacOSX.tar.gz

Fortify Scan Wizard for macOS

HPE_Security_Fortify_Scan_Wizard_17.20_MacOSX.tar.gz.sig

Signature file for Fortify Scan Wizard for macOS

HPE_Security_Fortify_Scan_Wizard_17.20_Linux.tar.gz

Fortify Scan Wizard for Linux

HPE_Security_Fortify_Scan_Wizard_17.20_Linux.tar.gz.sig

Signature file for Fortify Scan Wizard for Linux

WebInspect_32_17.20.zip

Fortify WebInspect 32-bit version package

This package includes product documentation (PDF)

WebInspect_64_17.20.zip

Fortify WebInspect 64-bit version package

This package includes product documentation (PDF)

WebInspect_Agent_17.12.zip

Fortify WebInspect Agent package

HPSecurityToolkit_17.20.zip

HPE Security Toolkit package for use with Fortify WebInspect Enterprise

WI_Enterprise_17.20.zip

Fortify WebInspect Enterprise package

The package includes the following components:

• Fortify WebInspect Enterprise server

• Fortify WebInspect Enterprise Administrative Console

• Product documentation (PDF)

Downloading Fortify Software

To download Fortify software:

1. Open a browser window and go to https://h22244.www2.hpe.com/mysoftware.

2. Sign in with your HPE Passport credentials.

3. Click Manage Entitlements.

4. In the search bar, enter your Order Number, and then click Search.

5. Click Download Software.

6. Find the product name and version for the software you want to download, and then click Select.

If you encounter any difficulties with the download process, click Contact Us / Self Help for more information.

Note: If your organization requires that you verify the download, you must also download the like-named signature file. For example, if you download the HPE_Security_Fortify_SCA_and_Apps_17.20_Windows.zip file, you must also download the associated signature file HPE_Security_Fortify_SCA_and_Apps_17.20_Windows.sig.

About Verifying Software Downloads

This topic describes how to verify the digital signature of the signed file that you downloaded from the HPE Security Software Support site. Verification ensures that the downloaded package has not been altered since it was signed and posted to the site. Before proceeding with verification, download the Fortify Software product files and their associated signature (*.sig) files. You are not required to verify the package to use the software, but your organization might require it for security reasons.

Preparing Your System for Digital Signature Verification

To prepare your system for electronic media verification:

1. Navigate to the GnuPG site (http://www.gnupg.org).

2. Download and install GnuPG Privacy Guard version 1.4.x or 2.0.x.

3. Generate a private key, as follows:

a. Run the following command (on a Windows system, run the command without the $ prompt):

$ gpg --gen-key

b. When prompted for key type, select DSA and Elgamal.

c. When prompted for a key size, select 2048.

d. When prompted for the length of time the key should be valid, select key does not expire.

e. Answer the user identification questions and provide a passphrase to protect your private key.

4. Download the HPE-GPG public keys (compressed tar file) from the following location:

https://h20392.www2.hpe.com/portal/swdepot/displayProductInfo.do?productNumber=HPLinuxCodeSigning

5. Extract the public keys using WinZip.

6. Import each downloaded key with GnuPG, as follows:

• Run gpg --import <Path_to_Key>/<File_Name_of_Key>

Verifying Software Downloads

To verify that the signature file matches the downloaded software package:

1. Navigate to the directory where you stored the downloaded package and signature file.

2. Run the following command:

gpg --verify <Signature_File_Name> <Downloaded_File_Name>

3. Examine the output to make sure that you receive verification that the software you downloaded is signed by Micro Focus Group Limited and is unaltered. Your output should include something similar to the following:

gpg: Signature made Fri, Oct 06, 2017 10:37:56 PM PDT using RSA key ID AA71A9CF
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 3 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: next trustdb check due at 2025-12-07
gpg: Good signature from "Micro Focus Group Limited RSA-2048-12"

Note: A warning message might be displayed because the public key is not known to the system. You can ignore this warning or set up your environment to trust these public keys.
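The check in steps 2 and 3 can be scripted. This is an added example, not part of the HPE documentation: rather than reading the human-readable output, it parses gpg's `--status-fd` lines and accepts the download only when the valid signature comes from a key whose full fingerprint was pinned in advance. The function names, the sample status lines and the fingerprint are constructed placeholders; take the real fingerprint from the vendor's published keys.

```shell
#!/bin/sh
# Added example (not vendor code): accept a download only when gpg's
# machine-readable status output shows a valid signature from a pinned key.

# check_gpg_status EXPECTED_FPR
# Reads `gpg --status-fd` lines on stdin. Returns 0 only if a VALIDSIG line
# carries EXPECTED_FPR (as signing-key or primary-key fingerprint) and no
# line reports a bad, unverifiable, expired or revoked signature.
check_gpg_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    # Require a full 40-hex-digit fingerprint; a short key ID is not accepted.
    [ "${#want}" -eq 40 ] || return 2
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)$/ { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_download SIG_FILE DATA_FILE EXPECTED_FPR
# Runs gpg itself; the vendor public keys must already be imported.
verify_download() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_gpg_status "$3"
}

# Constructed sample status lines (placeholder fingerprint, not a real vendor key).
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
sample_good_status() {
    cat <<EOF
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer
[GNUPG:] VALIDSIG $SAMPLE_FPR 2017-10-07 1507354676 0 4 0 1 8 00 $SAMPLE_FPR
[GNUPG:] TRUST_UNDEFINED
EOF
}
sample_bad_status() {
    echo '[GNUPG:] BADSIG 89ABCDEF01234567 Constructed Signer'
}

# Usage: sh verify.sh <signature file> <downloaded file> <expected fingerprint>
if [ "$#" -eq 3 ]; then verify_download "$@"; fi
```

The `TRUST_UNDEFINED` line in the sample is the status form of the unknown-key warning that the note mentions; because the script compares the fingerprint directly, its result does not depend on the local trust database.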

Assistive Technologies (Section 508)

In accordance with section 508 of the Rehabilitation Act, Audit Workbench has been engineered to work with the JAWS screen reading software package from Freedom Scientific. JAWS provides text-to-speech support for use by the visually impaired. With JAWS, labels, text boxes, and other textual components can be read aloud, providing greater access to these technologies.

Fortify Software Security Center works well with the ChromeVox screen reader.

Send Documentation Feedback

If you have comments about this document, you can contact the documentation team by email. If an email client is configured on this computer, click the link above and an email window opens with the following information in the subject line:

Feedback on System Requirements (HPE Security Fortify Software 17.20)

Just add your feedback to the email and click send.

If no email client is available, copy the information above to a new message in a web mail client, and send your feedback to [email protected].

We appreciate your feedback!
