To proactively identify and address unresolved security risks in DC Marketplace apps, Atlassian continuously scans not just the latest app versions, but also those compatible with the current and previous Long Term Support (LTS) versions of Atlassian Data Center products. This initiative not only safeguards the Atlassian ecosystem and its customers but also sets a high standard for security in the software industry.
| Targeted Version | Description |
|---|---|
| Latest | Most recent Data Center version of the app available on the Atlassian Marketplace |
| Current LTS | Latest app version that is compatible with the latest available LTS version of the Atlassian Data Center product offering |
| Previous LTS | Latest app version that supports the LTS version immediately preceding the current LTS version of the Atlassian Data Center product offering |

This approach ensures that vulnerabilities in older, yet supported, app versions are detected and addressed, not just those in the latest releases.
App version scans utilize a multi-layered security approach:
Findings are filed as tickets in the Atlassian Marketplace Security (AMS) Jira project, categorized by scanner type and severity. In addition, we will differentiate findings associated with different Targeted versions via the App Product Compatibility field. There are three possible values for the field:

- latestAppVersion - Finding is associated with the latest semantic version of the app available on the Atlassian Marketplace
- currentLTS - Finding is associated with the latest app version that supports the current LTS version of the associated Atlassian Data Center product offering
- previousLTS - Finding is associated with the latest app version that supports the previous LTS version of the associated Atlassian Data Center product offering

| Targeted Version | Value in App Product Compatibility field in AMS |
|---|---|
| Latest | latestAppVersion |
| Current LTS | currentLTS |
| Previous LTS | previousLTS |

We continuously try to optimize our processes. If you feel that there's a mistake in the version(s) of your app being scanned, please reach out to our support executive by transitioning the AMS finding with the associated version to Atlassian Input Requested, and we will take a look.
The logic to identify the Current and Previous LTS Versions is as below:
For example, if you want these values for Jira, you can head over to the LTS releases page and check the latest available LTS version (11.3 at the time of writing), which is the current LTS version, and the LTS version immediately preceding it (10.3 at the time of writing), which is the previous LTS version.
All existing AMS findings associated with the previously identified current LTS version will be marked Patched, and new tickets will be created with the previousLTS value in the App Product Compatibility field. All existing AMS findings associated with the previously identified previous LTS version will automatically be marked as Patched.
Apps cannot opt out at this time.
App version scans are designed to be non-intrusive (unless otherwise mentioned). In the event the scanning somehow disrupts app functionality, please submit a request for support on our service desk.