HPE Fortify Static Code Analyzer

The earlier you find security flaws during development, the less impact fixing them has. To be effective, source code analysis must be more than thorough and accurate. It should also give you actionable insight into the root causes of security problems, while helping you prioritize which vulnerabilities to address first.

The HPE Fortify Static Code Analyzer (SCA) in HPE Fortify Software Security Center helps you meet all of these needs. It uses HP Fortify’s award-winning static analysis to provide the most far-reaching vulnerability detection in source code available today. It delivers key functionality required for an effective Software Security Assurance (SSA) program.

With HPE Fortify SCA you can pinpoint root causes of security vulnerabilities in source code, receive prioritized results sorted by severity of risk, and get guidance on how to fix vulnerabilities in line-of-code detail. As a result you can ensure your software is trustworthy, reduce the costs of finding and fixing application vulnerabilities, and establish the foundation for secure coding best practices.


HPE Fortify SCA provides root-cause vulnerability detection through the most comprehensive set of secure coding rules available and supports the widest array of languages, platforms, build environments (Integrated Development Environments, or IDEs) and software component APIs.

With HPE Fortify SCA you can:

— conduct static analysis to pinpoint root causes of security vulnerabilities in source code;

— detect more than 480 types of software security vulnerabilities across 20 development languages—the most in the industry;

— receive prioritized results sorted by severity of risk and guidance on how to fix vulnerabilities in line-of-code detail;

— ensure compliance with application security mandates.

Hardware Requirements

HPE Fortify Software recommends that you install HPE Fortify Static Code Analyzer (SCA) on a high-end processor with at least 1Gb of RAM.

HPE Fortify SCA supports the following platforms and architectures:

| Operating system | Architecture | Version |
|---|---|---|
| Linux | x86: 32-bit & 64-bit | Fedora Core 7; Red Hat® ES4, ES5; Novell SUSE 10; Oracle EL 5.2 |
| Windows | x86: 32-bit & 64-bit | 2003 SP1; 2008; XP; Vista Business; Vista Ultimate; Windows 7 |
| Windows | x86: 32-bit | 2000 |
| Mac OS | x86 | 10.5, 10.6 |
| Oracle Solaris | SPARC | 8, 9, 10 |
| Oracle Solaris | x86 | 10 |
| HP-UX | PA-RISC | 11.11 |
| AIX | PPC | 5.2 |
| FreeBSD | x86: 32-bit | 6.3, 7.0 |

Note: Audit Workbench and Secure Coding Plug-ins are not supported on HP-UX, IBM® AIX®, Oracle™ Solaris™, and FreeBSD.

Note: the Secure Coding Package for Microsoft Visual Studio 2003 is not supported on Windows Vista or above.

International Platforms and Architectures

HPE Fortify SCA supports double-byte and international character sets when installed on the following platforms:

| Operating system | Architecture | Version |
|---|---|---|
| Linux | x86: 32-bit | Red Hat® ES 5; Novell SUSE 10; Fedora Core 7 |
| Windows | x86: 32-bit | 2003 SP1; 2008; Vista Business; Vista Ultimate |
| Oracle Solaris | x86 | 10 |

For non-English platforms, the following are NOT supported:

— OS: Windows 2000, HP-UX, IBM AIX, Macintosh OS X, Oracle Solaris SPARC, and all 64-bit architectures;
— Application Servers: JRun, JBoss, BEA WebLogic 10;
— Database: DB2.

Note: no localized documentation is included in this release.

Languages

HPE Fortify SCA supports the following programming languages:

| Language | Version |
|---|---|
| ASP.NET, VB.NET, C# (.NET) | 1.1, 2.0, 3.0, 3.5 |
| C/C++ | See "Compilers" |
| Classic ASP (with VBScript) | 2 / 3 |
| COBOL | IBM Enterprise Cobol for z/OS 3.4.1 with IMS, DB2, CICS, MQ |
| CFML | 5, 7, 8 |
| HTML | 2 |
| Java | 1.3, 1.4, 1.5, 1.6 |
| JavaScript/AJAX | 1.7 |
| JSP | JSP 1.2 / 2.1 |
| PHP | 5 |
| PL/SQL | 8.1.6 |
| Python | 2.6 |
| T-SQL | SQL Server 2005 |
| Visual Basic | 6 |
| VBScript | 2.0 / 5.0 |
| ActionScript/MXML | 3 and 4 |
| XML | 1.0 |
| ABAP/4 | |

| Build Tools | Version |
|---|---|
| Ant | 1.5.x, 1.6.x, 1.7.x |
| Maven | 2.0.9 or later |

Compilers

HP Fortify SCA supports the following compilers:

| Compilers | Operating system |
|---|---|
| GNU gcc 2.9 – 4 | AIX, Linux, HP-UX, Mac OS, Solaris, Windows |
| GNU g++ 3 – 4 | AIX, Linux, HP-UX, Mac OS, Solaris, Windows |
| IBM javac 1.3 – 1.6 | AIX |
| Intel icc 8.0 | Linux |
| Microsoft cl 12.x – 13.x | Windows |
| Microsoft csc 7.1 – 8.x | Windows |
| Oracle cc 5.5 | Solaris |
| Oracle javac 1.3 – 1.6 | Linux, HP-UX, Mac OS, Solaris, Windows |

Integrated Development Environments

The HPE Fortify Software Security Center Plug-in for Eclipse and HPE Fortify Software Security Center Package for Visual Studio are supported on the following platforms:

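| Operating system | IDE |
|---|---|
| Linux | Eclipse 3.2, 3.3, 3.4, 3.5, 3.6 |
| Linux | RAD 7, 7.5 |
| Linux | RSA 7, 7.5 |
| Linux | JBuilder 2008 R2 |
| Linux | JDeveloper 10.1.3, 11.1.1 |
| Windows | Eclipse 3.2, 3.3, 3.4, 3.5 |
| Windows | Visual Studio 2003, 2005, 2008, 2010 |
| Windows | RAD 6, 7, 7.5 |
| Windows | RSA 7, 7.5 |
| Windows | JBuilder 2008 R2 |
| Windows | JDeveloper 10.1.3, 11.1.1 |
| Mac OS X | Eclipse 3.2, 3.3, 3.4, 3.5, 3.6 |
| Mac OS X | JBuilder 2008 R2 |
| Mac OS X | JDeveloper 10.1.3, 11.1.1 |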

Note: HPE Fortify Software Security Center does not support Eclipse 3.4+ running on a 64-bit JRE. However, HPE Fortify Software Security Center does support 32-bit Eclipse running on a 32-bit JRE on a 64-bit platform.

Third-Party Integrations

HPE Fortify Audit Workbench and Secure Code Plug-ins (SCP) support the following service integrations:

| Service | Application | Version | Supported Tool |
|---|---|---|---|
| Bug Creation | Bugzilla | 3.0 | Audit Workbench, Visual Studio SCP, Eclipse SCP |
| | HP Quality Center | 9.2, 10.0 | Audit Workbench, Eclipse SCP |
| | Microsoft Team Foundation Server | 2005, 2008, 2010 | Visual Studio SCP |

Note: HPE Quality Center integration requires that you install Audit Workbench and/or the Secure Code Plug-in for Eclipse on a Windows platform.

Note: HPE Quality Center integration requires you to install the HPQC Client-Side Add-in software.

Note: Team Foundation Server integration requires you to install the Visual Studio Team Explorer software.