Rate this page:
Code analysis scanners are a key part of any application security program. They help us identify common mistakes before an app hits production.
Data Center (DC) Apps Security Scanner is an internal tool that:
SCA identifies all the open source in a codebase. It maps that inventory to a list of currently known vulnerabilities.
DC Apps Security Scanner currently uses a third-party SCA tool.
Atlassian may change or add implementations based on features or future needs.
Before submitting your DC app, it's important to get SCA results.
There are multiple SCA tools you can use, including:
You can use any tool you like.
Security scanning for third-party dependencies vulnerabilities is required for all technical and annual DC app reviews. Before February 2022, it was was optional.
If you're submitting a technical or annual DC app review, you need to:
New security vulnerabilities in third-party apps can be found any day.
In order to identify vulnerabilities earlier, we recommend:
We also scan Marketplace DC apps daily by running the DC Apps Security Scanner.
You can view all critical or high-severity vulnerabilities tracked in the Atlassian Marketplace Security (AMS) Jira project. The AMS Jira project is our go-to place for:
Learn more about:
Dependency tree is used by DC Apps Security Scanner for third-party dependencies vulnerabilities check.
Generate a dependency tree file for the following package managers:
Run the following command to generate a dependency tree file for maven based project:
mvn dependency:tree -DoutputType=dot -DoutputFile=maven_dependency_tree.gv
Run the following command to generate a dependency tree file for gradle based project:
gradle dependencies > gradle_dependency_tree.txt
At the moment only
gradle package managers are supported from the box.
For any other package manager prepare dependency tree text file manually in the format (make sure transitive dependencies are included in the list):
depencendyGroup:dependencyName:version depencendyGroup:dependencyName:version ...
Check out the Open Web Application Security Project (OWASP) dependency-check plugins for:
The OWASP dependency-check maven plugin is, by default,
tied to the
site phase depending on whether it's configured as a build or reporting plugin.
true. See an example on the official page.
The OWASP dependency-check gradle plugin provides monitoring of the gradle projects dependent libraries.
App .jar artifact can be scanned with the OWASP dependency-check CLI.
To generate a report, run the command:
dependency-check -s app_file_name.jar --suppression https://dcapt-downloads.s3.amazonaws.com/atlassian-security-scanner-dc-apps-suppressions.xml
Rate this page: