Code analysis scanners are an important part of any application security program because they provide a relatively cheap way to help developers identify common mistakes before they reach production. DC Apps Security Scanner is an internal tool that runs code analysis tools against all marketplace Data Center apps and provides feedback to developers to help them improve the security of their applications.
Software Composition Analysis (SCA) identifies all the open source in a codebase and maps that inventory to a list of currently known vulnerabilities.
DC Apps Security Scanner currently uses a third-party SCA tool; however, it is not tied to a single SCA tool, and Atlassian may change or add implementations based on features or future needs.
Before starting the Data Center App Approval Process, it is important to obtain SCA results. There are multiple SCA tools available on the market: OWASP dependency-check, Snyk, Veracode, grype, Checkmarx and many more. There is no requirement to use a specific tool, so you can select any tool you like.
Security scanning for third-party dependency vulnerabilities is required for all DC app initial and annual reviews starting from February 2022. Before February 2022 security scanning is optional.
Regular security scanning will be enabled in Q2 2022.
New security vulnerabilities in third-party apps can be found on any day. We encourage embedding SCA scanning into the app SDLC and continuous integration systems in order to identify vulnerabilities earlier. As an additional check, we will run DC Apps Security Scanner on a daily basis to scan marketplace DC apps. All newly detected critical- and high-severity vulnerabilities will be tracked in the Atlassian Marketplace Security Jira project.
Atlassian Marketplace Security is our one-stop-shop for vulnerability management, where partners can go to review all their vulnerabilities, statuses, due dates, sources, and severities. All issues in AMS describe the vulnerability in detail, and all questions about an issue can be addressed in the comments of the issue. Learn more about AMS, and review our Security Bug Fix Policy for Marketplace Apps.
DC Apps Security Scanner uses the app's dependency tree to check third-party dependencies for known vulnerabilities.
Run the following command to generate a dependency tree file for a Maven-based project:
mvn dependency:tree -DoutputType=dot -DoutputFile=maven_dependency_tree.gv
Run the following command to generate a dependency tree file for a Gradle-based project:
gradle dependencies > gradle_dependency_tree.txt
At the moment only the Maven and Gradle package managers are supported out of the box. For any other package manager, prepare the dependency tree text file manually in the following format, one dependency per line (make sure transitive dependencies are included in the list):
dependencyGroup:dependencyName:version
dependencyGroup:dependencyName:version
...
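The flat group:name:version format above is easy to get wrong by hand, especially the requirement that transitive dependencies appear too. The following Python script is an added example, not part of this page or of DC Apps Security Scanner: it flattens the dot graph that `mvn dependency:tree -DoutputType=dot` writes (the dot sample embedded in the script is constructed, not taken from a real app) into the manual format, walking every edge so transitive dependencies are included, and it also checks a hand-written list for lines that do not match the expected shape. The `skip_scopes` parameter and the default of dropping provided-scope entries are this example's own choice, mirroring the advice given below for dependency-check; pass an empty tuple to keep every scope.

```python
import re
from collections import OrderedDict

# Constructed sample of `mvn dependency:tree -DoutputType=dot` output; it is not
# taken from any real marketplace app. Node labels follow Maven's
# groupId:artifactId:type[:classifier]:version[:scope] convention.
SAMPLE_DOT = """digraph "com.example:demo-app:jar:1.0.0" {
    "com.example:demo-app:jar:1.0.0" -> "org.apache.commons:commons-lang3:jar:3.12.0:compile" ;
    "com.example:demo-app:jar:1.0.0" -> "com.fasterxml.jackson.core:jackson-databind:jar:2.13.0:compile" ;
    "com.fasterxml.jackson.core:jackson-databind:jar:2.13.0:compile" -> "com.fasterxml.jackson.core:jackson-core:jar:2.13.0:compile" ;
    "com.example:demo-app:jar:1.0.0" -> "javax.servlet:javax.servlet-api:jar:3.1.0:provided" ;
}
"""

ROOT_RE = re.compile(r'digraph\s+"([^"]+)"')
EDGE_RE = re.compile(r'"([^"]+)"\s*->\s*"([^"]+)"')
# One entry of the manual format: group:name:version with no spaces or extra colons.
MANUAL_LINE_RE = re.compile(r'^[^\s:]+:[^\s:]+:[^\s:]+$')


def parse_node(label):
    """Split a Maven dot node label into (group, name, version, scope)."""
    parts = label.split(":")
    if len(parts) == 4:          # root artifact: group:name:type:version, no scope
        return parts[0], parts[1], parts[3], None
    if len(parts) == 5:          # group:name:type:version:scope
        return parts[0], parts[1], parts[3], parts[4]
    if len(parts) == 6:          # group:name:type:classifier:version:scope
        return parts[0], parts[1], parts[4], parts[5]
    raise ValueError(f"unexpected node label: {label!r}")


def flatten_maven_dot(dot_text, skip_scopes=("provided",)):
    """Return every dependency in the graph (transitive ones included) as
    group:name:version strings, without the root artifact and without the
    scopes listed in skip_scopes. Duplicates collapse; first-seen order is kept."""
    root_match = ROOT_RE.search(dot_text)
    root = root_match.group(1) if root_match else None
    seen = OrderedDict()
    for src, dst in EDGE_RE.findall(dot_text):
        # Both ends of an edge are dependencies unless one is the root, so
        # transitive nodes are picked up even when they only appear as sources.
        for label in (src, dst):
            if label == root:
                continue
            group, name, version, scope = parse_node(label)
            if scope in skip_scopes:
                continue
            seen.setdefault(f"{group}:{name}:{version}", None)
    return list(seen)


def malformed_manual_lines(text):
    """Return (line_number, line) pairs that do not match group:name:version.
    Blank lines are ignored."""
    bad = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if not MANUAL_LINE_RE.match(line):
            bad.append((number, line))
    return bad


if __name__ == "__main__":
    flat = flatten_maven_dot(SAMPLE_DOT)
    print("\n".join(flat))
    # A deliberately broken entry to show what the validator reports.
    problems = malformed_manual_lines("\n".join(flat) + "\norg.example:missing-version\n")
    print("malformed:", problems)
```

Run the script against a real `maven_dependency_tree.gv` by reading the file into `flatten_maven_dot`, then feed the resulting lines to `malformed_manual_lines` before submitting a manually maintained list for any other package manager.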
The OWASP dependency-check Maven plugin is, by default, bound to the verify or site phase, depending on whether it is configured as a build or reporting plugin.
Important 1: Do not forget to skip provided dependencies by setting the skipProvidedScope property to true (an example is present on the official page).
Important 2: OWASP dependency-check has some known false positives. Use this suppression file URL to suppress Atlassian known false positives. See the Maven plugin configuration property: suppressionFiles.
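The two "Important" points above combined into one pom.xml plugin block, as an added example that is not taken from this page or from the official dependency-check documentation: provided-scope dependencies are skipped, the Atlassian suppression file referenced later on this page is applied, and the build fails on findings at CVSS 7 or above, which covers the high and critical severities tracked in AMS. The plugin version is a placeholder to pin to a current release, and the failBuildOnCVSS threshold is this example's choice.

```xml
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>X.Y.Z</version> <!-- placeholder: pin to a current release -->
      <configuration>
        <!-- provided-scope dependencies are supplied by the host at runtime
             and are not bundled into the app artifact -->
        <skipProvidedScope>true</skipProvidedScope>
        <!-- Atlassian's known false positives for DC apps -->
        <suppressionFiles>
          <suppressionFile>https://dcapt-downloads.s3.amazonaws.com/atlassian-security-scanner-dc-apps-suppressions.xml</suppressionFile>
        </suppressionFiles>
        <!-- fail the build on high (7.0+) and critical findings -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
      </configuration>
      <executions>
        <execution>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

With this configuration `mvn verify` runs the check goal in the verify phase, so a vulnerable dependency stops the build before the artifact is packaged for release.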
The OWASP dependency-check Gradle plugin provides monitoring of a Gradle project's dependent libraries.
Important: OWASP dependency-check has some known false positives. Use this suppression file URL to suppress Atlassian known false positives. See the Gradle plugin configuration property: suppressionFile.
The app .jar artifact can also be scanned with the OWASP dependency-check CLI. Run the following command to generate a report:
dependency-check -s app_file_name.jar --suppression https://dcapt-downloads.s3.amazonaws.com/atlassian-security-scanner-dc-apps-suppressions.xml