Last updated Nov 9, 2022

Security Scanner for Data Center apps

Code analysis scanners are a key part of any application security program. They help us identify common mistakes before an app hits production.

Data Center (DC) Apps Security Scanner is an internal tool that:

  • Runs code analysis tools against all Marketplace Data Center apps
  • Provides feedback to help you improve your app's security

Software composition analysis (SCA) scanner

SCA identifies the open source components in a codebase and maps that inventory to a list of currently known vulnerabilities.

DC Apps Security Scanner currently uses a third-party SCA tool.

Atlassian may change or add implementations based on features or future needs.

SCA analysis for Data Center apps

Before submitting your DC app, it's important to get SCA results.

There are multiple SCA tools you can use, including:

You can use any tool you like.

Security scanning required for app approval

Security scanning for vulnerabilities in third-party dependencies is required for all technical and annual DC app reviews. Before February 2022, it was optional.

How to submit your results

If you're submitting a technical or annual DC app review, you need to:

  1. Provide the results of a scan for vulnerabilities in third-party dependencies, produced with any tool of your choice.
  2. Make sure those results are free of critical and high-severity vulnerabilities in the third-party dependencies bundled with the app.
  3. Generate the app's dependency tree and attach it to your technical review ticket.

Regular security scanning

New security vulnerabilities in third-party dependencies can be disclosed on any day, so a scan that was clean at submission time can become stale.

In order to identify vulnerabilities earlier, we recommend:

  • Embedding software composition analysis (SCA) scanning into your app's SDLC
  • Running it in your continuous integration (CI) pipeline

We also scan Marketplace DC apps daily by running the DC Apps Security Scanner.

You can view all critical or high-severity vulnerabilities tracked in the Atlassian Marketplace Security (AMS) Jira project. The AMS Jira project is our go-to place for:

  • Vulnerability management
  • Details on:
    • Vulnerabilities
    • Statuses
    • Due dates
    • Sources
    • Severities
  • Asking or addressing questions in the issue's comments

Learn more about:

Generate a dependency tree

The DC Apps Security Scanner uses the dependency tree to check third-party dependencies for known vulnerabilities, so the tree must list transitive dependencies as well as the ones declared directly.

Generate a dependency tree file for the following package managers:

Maven

Run the following command to generate a dependency tree file for a Maven-based project (DOT format, written to maven_dependency_tree.gv):

mvn dependency:tree -DoutputType=dot -DoutputFile=maven_dependency_tree.gv

Gradle

Run the following command to generate a dependency tree file for a Gradle-based project:

gradle dependencies > gradle_dependency_tree.txt

Other

At the moment only the Maven and Gradle package managers are supported out of the box.

For any other package manager, prepare the dependency tree as a plain text file by hand, one dependency per line in the following format. Make sure transitive dependencies are included, not just the ones declared directly:

dependencyGroup:dependencyName:version
dependencyGroup:dependencyName:version
...
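The following script is an added example and is not part of this page or of the DC Apps Security Scanner. It shows the relationship between the Maven DOT output above and the hand-written format: it flattens a dependency tree (a constructed sample in the shape `mvn dependency:tree -DoutputType=dot` writes) into de-duplicated group:name:version lines, direct and transitive, and validates a hand-written list before you attach it to the review ticket. The node-label layouts it accepts, the default exclusion of test scope, and the sample project are assumptions made for the example.

```python
"""Flatten a Maven dot-format dependency tree into the plain
group:name:version list the scanner accepts for other package managers,
and validate a hand-written list before attaching it to the review ticket.
"""
import re

# Constructed sample in the shape `mvn dependency:tree -DoutputType=dot`
# writes (not real project output): nodes are quoted
# groupId:artifactId:type:version[:scope] labels, edges are `"a" -> "b" ;`.
MAVEN_DOT = '''digraph "com.example:my-dc-app:jar:1.2.0" {
    "com.example:my-dc-app:jar:1.2.0" -> "org.apache.commons:commons-lang3:jar:3.12.0:compile" ;
    "com.example:my-dc-app:jar:1.2.0" -> "com.fasterxml.jackson.core:jackson-databind:jar:2.13.4:compile" ;
    "com.fasterxml.jackson.core:jackson-databind:jar:2.13.4:compile" -> "com.fasterxml.jackson.core:jackson-core:jar:2.13.4:compile" ;
    "com.fasterxml.jackson.core:jackson-databind:jar:2.13.4:compile" -> "com.fasterxml.jackson.core:jackson-annotations:jar:2.13.4:compile" ;
    "com.example:my-dc-app:jar:1.2.0" -> "junit:junit:jar:4.13.2:test" ;
    "junit:junit:jar:4.13.2:test" -> "org.hamcrest:hamcrest-core:jar:1.3:test" ;
}
'''

EDGE = re.compile(r'"([^"]+)"\s*->\s*"([^"]+)"')
# One manual-format line: exactly three colon-separated, non-empty fields.
MANUAL_LINE = re.compile(r'^[^:\s]+:[^:\s]+:[^:\s]+$')


def parse_dot_edges(dot_text):
    """Return every (parent, child) node-label pair in the dot file."""
    return EDGE.findall(dot_text)


def node_to_gav(node):
    """Reduce a Maven node label to ('group:artifact:version', scope).

    Assumed label layouts (verbose annotations such as '(optional)' are
    dropped first): 4 fields g:a:type:version for the root module,
    5 fields g:a:type:version:scope, 6 fields g:a:type:classifier:version:scope.
    """
    parts = node.split(" ")[0].split(":")
    if len(parts) == 4:
        group, artifact, version, scope = parts[0], parts[1], parts[3], None
    elif len(parts) == 5:
        group, artifact, version, scope = parts[0], parts[1], parts[3], parts[4]
    elif len(parts) == 6:
        group, artifact, version, scope = parts[0], parts[1], parts[4], parts[5]
    else:
        raise ValueError(f"unexpected Maven node label: {node!r}")
    return f"{group}:{artifact}:{version}", scope


def flatten(dot_text, exclude_scopes=("test",)):
    """Every child node, direct or transitive, as a sorted, de-duplicated
    group:name:version list. The root module is never a child, so it is
    left out. Excluding test scope is a choice for this example: only what
    the build actually bundles in the app needs to be listed, so review
    'provided' for your own build as well.
    """
    gavs = set()
    for _parent, child in parse_dot_edges(dot_text):
        gav, scope = node_to_gav(child)
        if scope not in exclude_scopes:
            gavs.add(gav)
    return sorted(gavs)


def render_manual_file(gavs):
    """Serialize to the one-dependency-per-line format the scanner expects."""
    return "\n".join(gavs) + "\n"


def validate_manual_file(text):
    """Return (line_number, line) for every line that is not group:name:version.

    Catches the usual mistakes: a raw Maven label pasted in (too many
    fields), a missing version, or whitespace inside a field. Blank lines
    are ignored.
    """
    bad = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if not MANUAL_LINE.match(line):
            bad.append((number, raw))
    return bad


if __name__ == "__main__":
    manual = render_manual_file(flatten(MAVEN_DOT))
    print(manual, end="")
    print("invalid lines:", validate_manual_file(manual))
```

Run it against your own `maven_dependency_tree.gv` by replacing the constructed sample; `validate_manual_file` is also useful on its own for a list produced from any other package manager, since the most common defect in a hand-written file is a raw tool label with the type or scope fields still attached.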

Example scanning with Open Web Application Security Project (OWASP)

Check out the Open Web Application Security Project (OWASP) dependency-check plugins for:

Maven

The OWASP dependency-check maven plugin is, by default, tied to the verify or site phase depending on whether it's configured as a build or reporting plugin.


Gradle

The OWASP dependency-check Gradle plugin provides monitoring of a Gradle project's dependent libraries.


Scanning a .jar file

The app's .jar artifact can be scanned with the OWASP dependency-check CLI.

To generate a report, run the following command; -s names the artifact to scan and --suppression applies the Atlassian suppression file (a URL is accepted as well as a local path):

dependency-check -s app_file_name.jar --suppression https://dcapt-downloads.s3.amazonaws.com/atlassian-security-scanner-dc-apps-suppressions.xml
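The following script is an added example, not part of this page or of dependency-check. It reads a dependency-check JSON report (produced with `--format JSON`) and applies the review requirement from above: fail if any finding in a bundled dependency is high or critical. It uses a single CVSS threshold of 7.0, since CVSS v3 rates 7.0 to 8.9 as High and 9.0 and above as Critical, and CVSS v2 rates 7.0 and above as High. The report excerpt is constructed, the EXAMPLE-* names are placeholders rather than real vulnerability identifiers, and the field names are an assumption to check against the report your dependency-check version writes.

```python
"""Gate a dependency-check JSON report on the DC app review threshold:
no critical or high findings in bundled third-party dependencies.
"""
import json

# Minimum score implied by a severity label, used only when a finding
# carries no numeric score. Bands follow the CVSS v3 qualitative ratings.
LABEL_MIN_SCORE = {"CRITICAL": 9.0, "HIGH": 7.0, "MEDIUM": 4.0, "LOW": 0.1}

# Constructed report excerpt (not real scanner output). Field names are an
# assumption based on the dependency-check JSON report layout
# (dependencies[].fileName, .vulnerabilities[].name / .severity /
# .cvssv3.baseScore / .cvssv2.score); verify them against your own report.
# The EXAMPLE-* names are placeholders, not real vulnerability identifiers.
SAMPLE_REPORT = {
    "dependencies": [
        {"fileName": "libfoo-1.0.jar",
         "vulnerabilities": [
             {"name": "EXAMPLE-0001", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}},
             {"name": "EXAMPLE-0002", "severity": "MEDIUM", "cvssv3": {"baseScore": 5.3}},
         ]},
        {"fileName": "libbar-2.3.jar",
         "vulnerabilities": [
             {"name": "EXAMPLE-0003", "severity": "HIGH", "cvssv2": {"score": 7.5}},
         ]},
        {"fileName": "libbaz-0.9.jar", "vulnerabilities": []},
        {"fileName": "libqux-4.1.jar",
         "vulnerabilities": [
             {"name": "EXAMPLE-0004", "severity": "HIGH"},  # label only, no score
         ]},
    ]
}


def vuln_score(vuln):
    """Numeric score for one finding: CVSS v3 base score, else v2, else None."""
    for key, field in (("cvssv3", "baseScore"), ("cvssv2", "score")):
        value = (vuln.get(key) or {}).get(field)
        if isinstance(value, (int, float)):
            return float(value)
    return None


def blocking_findings(report, threshold=7.0):
    """(fileName, vulnerability name, score) for every finding at or above
    the threshold, highest score first. A finding with no numeric score is
    rated from its severity label so an unscored HIGH still blocks instead
    of silently passing.
    """
    findings = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            score = vuln_score(vuln)
            if score is None:
                score = LABEL_MIN_SCORE.get(str(vuln.get("severity", "")).upper())
            if score is not None and score >= threshold:
                findings.append((dep.get("fileName", "?"), vuln.get("name", "?"), score))
    return sorted(findings, key=lambda f: (-f[2], f[0], f[1]))


def review_ready(report, threshold=7.0):
    """True when the report is free of findings at or above the threshold."""
    return not blocking_findings(report, threshold)


def load_report(path):
    """Load a dependency-check JSON report from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    import sys
    report = load_report(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    for file_name, name, score in blocking_findings(report):
        print(f"{score:4.1f}  {file_name}  {name}")
    sys.exit(0 if review_ready(report) else 1)
```

The non-zero exit status makes the script usable as a CI gate, which is where the regular-scanning advice above leads. dependency-check itself can enforce the same threshold at scan time with its `--failOnCVSS 7` option; the script is for the case where the report already exists or where you want the blocking list printed in the format you attach to the review ticket. Suppressions are applied by dependency-check when it writes the report, so a finding covered by the Atlassian suppression file does not appear here.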
