Last updated Mar 21, 2022


Security Scanner for Data Center apps

What is DC Apps Security Scanner?

Code analysis scanners are an important part of any application security program because they provide a relatively cheap way to help developers identify common mistakes before they hit production. DC Apps Security Scanner is an internal tool that runs code analysis tools against all marketplace Data Center apps and provides feedback to developers to help them improve the security of their applications.

Software composition analysis (SCA) scanner

SCA identifies all the open source in a codebase and maps that inventory to a list of currently known vulnerabilities.

DC Apps Security Scanner currently uses a third-party SCA tool; however, it is not tied to a single SCA tool, and Atlassian may change or add implementations based on features or future needs.

SCA analysis for DC Apps

Before starting the Data Center App Approval Process, it is important to obtain SCA results. There are multiple SCA tools available on the market: OWASP dependency-check, Snyk, Veracode, grype, Checkmarx and many more. There is no requirement to use a specific tool, so you can select any tool you like.

Security scanning in DC App Approval Process

Security scanning for third-party dependency vulnerabilities is required for all DC app initial and annual reviews starting from February 2022. Before February 2022, security scanning is optional.

  1. All initial and annual DC app reviews have to provide the results of security scanning for third-party dependency vulnerabilities, produced with any tool of your choice. Example scanning with OWASP dependency-check is described below.
  2. The security scanning report should be free of critical- and high-severity security vulnerabilities in the third-party dependencies bundled with the app.
  3. The app's dependency tree needs to be generated and attached to the DCHELP ticket during the review process. Based on the dependency tree and the app package file, we perform a sanity check for third-party dependency vulnerabilities with DC Apps Security Scanner.
  4. If the DC Apps Security Scanner sanity check finds any additional critical- and/or high-severity security vulnerabilities, we apply the Security Bug Fix Policy for Marketplace Apps. For more details, see Regular security scanning.

Regular security scanning

Regular security scanning will be enabled in Q2 2022.

New security vulnerabilities in third-party dependencies can be found on any day. We encourage embedding SCA scanning into the app SDLC and continuous integration systems in order to identify vulnerabilities earlier. As an additional check, we will run DC Apps Security Scanner on a daily basis to scan marketplace DC apps. All newly detected critical- and high-severity vulnerabilities will be tracked in the Atlassian Marketplace Security Jira project.

Atlassian Marketplace Security (AMS) is our one-stop shop for vulnerability management, where partners can review all their vulnerabilities, statuses, due dates, sources, and severities. Every issue in AMS describes the vulnerability in detail, and any questions about an issue can be raised in the comments of that issue. Learn more about AMS, and review our Security Bug Fix Policy for Marketplace Apps.

How to get a dependency tree for DC Apps Security Scanner analysis

The dependency tree is used by DC Apps Security Scanner to check third-party dependencies for vulnerabilities.

Generate a dependency tree file for the Maven package manager

Run the following command to generate a dependency tree file for a Maven-based project:

mvn dependency:tree -DoutputType=dot -DoutputFile=maven_dependency_tree.gv

Generate a dependency tree file for the Gradle package manager

Run the following command to generate a dependency tree file for a Gradle-based project:

gradle dependencies > gradle_dependency_tree.txt

Generate a dependency tree file for other package managers

At the moment only the Maven and Gradle package managers are supported out of the box. For any other package manager, prepare the dependency tree text file manually in the following format (make sure transitive dependencies are included in the list):

dependencyGroup:dependencyName:version
dependencyGroup:dependencyName:version
...
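The Maven and Gradle commands above produce tree-shaped output, while the manual format is a flat list. The following added example (not part of this page or of the DC Apps Security Scanner) converts either tree into the flat `group:name:version` lines, keeping transitive dependencies, resolving Gradle's `requested -> resolved` conflicts and dropping the app's own root node from Maven output; the sample inputs are constructed, and the `skip_scopes` parameter is this example's own addition.

```python
"""Flatten a Gradle `dependencies` report or a Maven `dependency:tree` dot file
into group:name:version lines. Added example; samples below are constructed."""
import re

MAVEN_SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}
FLAT = re.compile(r"^[\w.\-]+:[\w.\-]+:[\w.\-+]+$")  # one accepted output line
GRADLE_NODE = re.compile(r"^[\s|+\\-]*-{3}\s+(\S.*?)\s*(\(\*\)|\(c\)|\(n\))?$")

def parse_gradle(text):
    """Keep the resolved side of `requested -> resolved`; `(*)` only marks a
    subtree already printed, `(c)`/`(n)` are constraints or unresolved entries."""
    found = set()
    for line in text.splitlines():
        m = GRADLE_NODE.match(line)
        if not m or m.group(2) in ("(c)", "(n)") or m.group(1).startswith("project "):
            continue
        coord = m.group(1)
        if " -> " in coord:
            left, right = coord.split(" -> ", 1)
            # `g:n:1.0 -> 1.2` gives a bare version; `g:n:1.0 -> g:m:2.0` a new module
            coord = right if right.count(":") >= 2 else ":".join(left.split(":")[:2] + [right])
        if FLAT.match(coord):
            found.add(coord)
    return sorted(found)

def parse_maven_dot(text, skip_scopes=frozenset()):
    """Dot nodes read group:artifact:packaging[:classifier]:version:scope; the
    root node (the app itself) has no scope and is left out of the list."""
    root = re.search(r'digraph\s+"([^"]+)"', text)
    found = set()
    for node in re.findall(r'"([^"]+)"', text):
        parts = node.split(":")
        scope = parts[-1] if parts[-1] in MAVEN_SCOPES else None
        if len(parts) < 4 or scope in skip_scopes or (root and node == root.group(1)):
            continue
        version = parts[-2] if scope else parts[-1]
        found.add(f"{parts[0]}:{parts[1]}:{version}")
    return sorted(found)

GRADLE_SAMPLE = """\
+--- org.apache.commons:commons-lang3:3.12.0
+--- com.fasterxml.jackson.core:jackson-databind:2.12.0 -> 2.13.2
|    \\--- com.fasterxml.jackson.core:jackson-core:2.13.2
+--- project :common
\\--- org.slf4j:slf4j-api:1.7.36 (*)
"""
MAVEN_SAMPLE = """\
digraph "com.example:app:jar:1.0" {
 "com.example:app:jar:1.0" -> "org.apache.commons:commons-lang3:jar:3.12.0:compile" ;
 "com.example:app:jar:1.0" -> "javax.servlet:javax.servlet-api:jar:3.1.0:provided" ;
}
"""
```

Pass `skip_scopes={"provided"}` to `parse_maven_dot` to leave out artifacts the host product supplies rather than the app bundle.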

Example scanning with OWASP Dependency-Check

OWASP dependency-check Maven plugin

The OWASP dependency-check Maven plugin is, by default, bound to the verify or site phase, depending on whether it is configured as a build or a reporting plugin.

Important 1: Do not forget to skip provided dependencies by setting the skipProvidedScope property to true (an example is present on the official page).

Important 2: OWASP dependency-check has some known false positives. Use the suppression file URL (shown in the CLI example below) to suppress the false positives known to Atlassian. See the Maven plugin configuration property: suppressionFiles.

OWASP dependency-check Gradle plugin

The OWASP dependency-check Gradle plugin monitors the libraries a Gradle project depends on.

Important: OWASP dependency-check has some known false positives. Use the suppression file URL (shown in the CLI example below) to suppress the false positives known to Atlassian. See the Gradle plugin configuration property: suppressionFile.

Scanning .jar file with OWASP dependency-check CLI

The app's .jar artifact can be scanned with the OWASP dependency-check CLI. Run the following command to generate a report:

dependency-check -s app_file_name.jar --suppression https://dcapt-downloads.s3.amazonaws.com/atlassian-security-scanner-dc-apps-suppressions.xml
