Installing and using the HPE stuff (under Linux):

1. Mount (or open) the ISO file.
2. In its folder `Linux`, run the `HP_Fortify_SCA_and_Apps_16.10_linux_x64.run` file for installation, using the license file.
3. In the install folder (`~/HP_Fortify` by default) you get the folder `HP_Fortify_SCA_and_Apps_16.10`, in which there is a `bin` folder, in which there are the `sourceanalyzer` and `auditworkbench` executables. The first is used to do the static analysis, the second to view the results.

However, I've just opened the workbench and run the static analysis from there (`Start new Project` > `Advanced Scan`, all defaults except `J2EE webapp?` = NO).

This gives 58 criticals and 9 highs (in Quick View):

Critical:
- xss: 50 -- lots of it.
- password management: 1 -- populating the password field in `reset.php` with the previous entry (on error)
- privacy violation: 1 -- `installer.php` prints results, including errors and warnings
- sql injection: 6 -- sql injection in `installer.php`

High:
- cookie security: 1 -- not HttpOnly
- password management: 1 -- n/a
- privacy violation: 2 -- (html input autocompletion)
- weak encryption: 5 -- all about using php's `crypt(...)` function