Security Scanner for Data Center apps

Code analysis scanners are a key part of any application security program. They help us identify common mistakes before an app hits production.

Data Center (DC) Apps Security Scanner is an internal tool that:

• Runs code analysis tools against all Marketplace Data Center apps
• Provides feedback to help you improve your app's security

As part of the new Security requirements for Data Center apps the partners are required to perform vulnerability scans, including software composition analysis (SCA) and static application security testing (SAST), on every new version release before publishing them on the Marketplace

Static Application Security Testing (SAST) Scans

Static Application Security Testing (SAST) is essential for identifying security vulnerabilities in the source code during the development phase. Below is a list of recommended tools for SAST scanning:

Open-Source/Commercial Tools

-Semgrep Community Edition / Semgrep Code

-SonarQube

-Snyk Code

-Checkmarx

-Veracode

Software composition analysis (SCA) scanner

SCA identifies all the open source in a codebase. It maps that inventory to a list of currently known vulnerabilities.

DC Apps Security Scanner currently uses a third-party SCA tool.

Atlassian may change or add implementations based on features or future needs.

SCA analysis for Data Center apps

Before submitting your DC app, it's important to get SCA results.

There are multiple SCA tools you can use, including:

• OWASP dependency-check
• Snyk
• Veracode
• grype
• Chechmarx

You can use any tool you like.

Security scanning required for app approval

How to submit your results

If you're submitting a technical or annual DC app review, you need to:

1. Provide the results for security scanning for third-party dependencies vulnerabilities with any tool of your choice.
   • See example scanning with OWASP dependency-check
2. Provide results that are free of critical and high-severity security vulnerabilities in third-party dependencies bundled with the app.
3. Generate and attach the dependency tree of the app to your technical review ticket.
   • Based on the dependency tree and app package file we may sanity check
   • During a sanity check, if any additional critical or high-severity security vulnerabilities are found, we apply the Security Bug Fix Policy for Marketplace Apps.

Regular security scanning

New security vulnerabilities in third-party apps can be found any day.

In order to identify vulnerabilities earlier, we recommend:

• Embedding software composition analysis (SCA) scanning into app SDLC
• Continuous integration systems

We also scan Marketplace DC apps daily by running the DC Apps Security Scanner.

You can view all critical or high-severity vulnerabilities tracked in the Atlassian Marketplace Security (AMS) Jira project. The AMS Jira project is our go-to place for:

• Vulnerability management
• Details on:
  • Vulnerabilities
  • Statuses
  • Due dates
  • Sources
  • Severities
• Asking or addressing questions in the issue's comments

Learn more about:

• Marketplace vulnerability management
• Our Security Bug Fix Policy

Generate a dependency tree

Dependency tree is used by DC Apps Security Scanner for third-party dependencies vulnerabilities check.

Generate a dependency tree file for the following package managers:

Maven

Run the following command to generate a dependency tree file for maven based project:

1
2
mvn dependency:tree -DoutputType=dot -DoutputFile=maven_dependency_tree.gv

Gradle

Run the following command to generate a dependency tree file for gradle based project:

1
2
gradle dependencies > gradle_dependency_tree.txt

Other

At the moment only maven and gradle package managers are supported from the box.

For any other package manager prepare dependency tree text file manually in the format (make sure transitive dependencies are included in the list):

1
2
depencendyGroup:dependencyName:version
depencendyGroup:dependencyName:version
...

Example scanning with Open Web Application Security Project (OWASP)

Check out the Open Web Application Security Project (OWASP) dependency-check plugins for:

Maven

The OWASP dependency-check maven plugin is, by default, tied to the verify or site phase depending on whether it's configured as a build or reporting plugin.

Important

• Do not forget to skip provided dependencies.
  • Set the skipProvidedScope property to true. See an example on the official page.
• OWASP dependency-check has some known false positives.
  • Use this suppression file url to suppress Atlassian known false positives.
  • Check the maven plugin configuration property, suppressionFiles.

Gradle

The OWASP dependency-check gradle plugin provides monitoring of the gradle projects dependent libraries.

Important

• OWASP dependency-check has some known false positives.
  • Use this suppression file url to suppress Atlassian known false positives.
  • See gradle plugin configuration property, suppressionFile.

Scanning a .jar file

App .jar artifact can be scanned with the OWASP dependency-check CLI.

To generate a report, run the command:

1
2
dependency-check -s app_file_name.jar --suppression https://dcapt-downloads.s3.amazonaws.com/atlassian-security-scanner-dc-apps-suppressions.xml