Last updated Dec 2, 2021

Security Scanner for Data Center apps

What is Security Scanner?

Code analysis scanners are an important part of any application security program because they provide a relatively cheap way to help developers identify common mistakes before they hit production. Security Scanner is an internal tool that runs code analysis tools against all marketplace Data Center apps and provides feedback to developers to help them improve the security of their applications.

Software composition analysis (SCA) scanner

SCA identifies all the open source in a codebase and maps that inventory to a list of currently known vulnerabilities.

Security Scanner currently uses a third-party SCA tool. It is not tied to a single SCA tool, however, and Atlassian may change or add implementations based on features or future needs.

How to get SCA results locally

Before starting the Data Center App Approval Process, it is valuable to get SCA results for your app. There are multiple SCA tools available on the market: Snyk, Veracode, Checkmarx and many more. There is no requirement to use a specific tool, so you can select any tool you like.

How to get a dependency tree for Security Scanner analysis

Even if your app is not listed on the Atlassian Marketplace, there is still a way to get Security Scanner results. Create a dependency tree file for your app and attach it to your DCHELP ticket. Follow instructions below depending on the package manager used.

Generate a dependency tree file for the Maven package manager

Run the following command to generate a dependency tree file for a Maven-based project:

mvn dependency:tree -DoutputType=dot -DoutputFile=maven_dependency_tree.gv

Generate a dependency tree file for the Gradle package manager

Run the following command to generate a dependency tree file for a Gradle-based project:

gradle dependencies > gradle_dependency_tree.txt

Generate a dependency tree file for other package managers

At the moment only the Maven and Gradle package managers are supported out of the box. For any other package manager, prepare the dependency tree text file manually in the following format, one dependency per line (make sure transitive dependencies are included in the list):

dependencyGroup:dependencyName:version
dependencyGroup:dependencyName:version
...
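The manual format above is a flat list: one `group:name:version` line per artifact, with transitive dependencies listed alongside direct ones, since a vulnerable library pulled in indirectly is just as exposed as one declared in your own build file. The script below is an added example, not part of Security Scanner or any Atlassian tool. It shows what such a list looks like by flattening a Maven dependency graph (the DOT format written by `mvn dependency:tree -DoutputType=dot`, in which every node is labelled `groupId:artifactId:type[:classifier]:version[:scope]`) into that format, de-duplicated and without the root project, and it validates each line of a manual list before you attach it to a ticket. The embedded `SAMPLE_DOT` graph and the artifact names in it are constructed for the example; the Maven and Gradle outputs themselves are accepted as-is and do not need this conversion.

```python
"""Flatten a Maven dependency graph into the plain group:name:version list
described for unsupported package managers, and validate such a list.

Example code added for this page; not part of Atlassian's Security Scanner.
Assumes the DOT format written by `mvn dependency:tree -DoutputType=dot`,
where every node is "groupId:artifactId:type[:classifier]:version[:scope]".
"""
import re
import sys
from typing import Dict, List

# Constructed sample of a maven_dependency_tree.gv file (not from the page).
SAMPLE_DOT = (
    'digraph "com.example:myapp:jar:1.0.0" {\n'
    '\t"com.example:myapp:jar:1.0.0" -> "org.apache.commons:commons-lang3:jar:3.12.0:compile" ;\n'
    '\t"com.example:myapp:jar:1.0.0" -> "com.fasterxml.jackson.core:jackson-databind:jar:2.12.3:compile" ;\n'
    '\t"com.fasterxml.jackson.core:jackson-databind:jar:2.12.3:compile" -> '
    '"com.fasterxml.jackson.core:jackson-core:jar:2.12.3:compile" ;\n'
    '\t"com.example:myapp:jar:1.0.0" -> "junit:junit:jar:4.13.2:test" ;\n'
    '\t"junit:junit:jar:4.13.2:test" -> "org.hamcrest:hamcrest-core:jar:1.3:test" ;\n'
    '}\n'
)

# One DOT edge: "source" -> "target" ;
EDGE_RE = re.compile(r'"([^"]+)"\s*->\s*"([^"]+)"')

# Maven's standard dependency scopes, which appear as the trailing field.
MAVEN_SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}

# A manual-format line: exactly three non-empty fields, no whitespace.
GAV_LINE_RE = re.compile(r"^[^:\s]+:[^:\s]+:[^:\s]+$")


def coordinate_to_gav(coord: str) -> str:
    """Reduce a Maven node label to group:name:version.

    Handles the optional classifier and scope fields, so
    "org.foo:bar:jar:linux:2.0:runtime" becomes "org.foo:bar:2.0".
    """
    parts = coord.split(":")
    if len(parts) < 4:
        raise ValueError(f"not a Maven coordinate: {coord!r}")
    group, artifact, rest = parts[0], parts[1], parts[2:]
    # Drop a trailing scope if present; what remains ends with the version.
    if rest[-1] in MAVEN_SCOPES:
        rest = rest[:-1]
    return f"{group}:{artifact}:{rest[-1]}"


def flatten_dot_tree(dot_text: str) -> List[str]:
    """Return every dependency reachable from the root, direct and transitive,
    as a de-duplicated group:name:version list in first-seen order.

    Edge targets are the dependencies; the root project only ever appears as
    an edge source, so it is left out automatically.
    """
    seen: Dict[str, None] = {}
    for _source, target in EDGE_RE.findall(dot_text):
        seen.setdefault(coordinate_to_gav(target), None)
    return list(seen)


def invalid_manual_lines(lines: List[str]) -> List[str]:
    """Return the non-blank lines that do not match group:name:version."""
    return [ln.strip() for ln in lines
            if ln.strip() and not GAV_LINE_RE.match(ln.strip())]


if __name__ == "__main__":
    # Usage: python flatten_deps.py [maven_dependency_tree.gv] > dependency_tree.txt
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_DOT
    flat = flatten_dot_tree(text)
    bad = invalid_manual_lines(flat)
    if bad:
        sys.exit(f"malformed entries: {bad}")
    print("\n".join(flat))
```

Run without arguments it prints the five artifacts of the constructed sample, including `hamcrest-core`, which is only reachable through `junit`; that is the kind of transitive entry a hand-written list most often misses. For a package manager that cannot produce a graph, write the list by hand and pass it through `invalid_manual_lines` to catch stray scopes, spaces or missing versions before submitting it.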
