Code analysis scanners are an important part of any application security program because they provide a relatively cheap way to help developers identify common mistakes before they hit production. Security Scanner is an internal tool that runs code analysis tools against all marketplace Data Center apps and provides feedback to developers to help them improve the security of their applications.
Software Composition Analysis (SCA) identifies all the open source components in a codebase and maps that inventory to a list of currently known vulnerabilities.
Security Scanner currently uses a third-party SCA tool. It is not tied to a single SCA tool, however, and Atlassian may change or add implementations based on features or future needs.
Before starting the Data Center App Approval Process, it is valuable to get SCA results. There are multiple SCA tools available on the market: Snyk, Veracode, Checkmarx and many more. There is no requirement to use a specific tool, so you can select any tool you like.
Even if your app is not listed on the Atlassian Marketplace, there is still a way to get Security Scanner results. Create a dependency tree file for your app and attach it to your DCHELP ticket. Follow the instructions below for the package manager you use.
Run the following command to generate a dependency tree file for a Maven-based project:
mvn dependency:tree -DoutputType=dot -DoutputFile=maven_dependency_tree.gv
Run the following command to generate a dependency tree file for a Gradle-based project:
gradle dependencies > gradle_dependency_tree.txt
At the moment only the Maven and Gradle package managers are supported out of the box. For any other package manager, prepare a dependency tree text file manually in the following format, one dependency per line (make sure transitive dependencies are included in the list):
dependencyGroup:dependencyName:version
dependencyGroup:dependencyName:version
...
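As an added example (not part of this page or of Security Scanner), the following Python flattens the output of either command above into the manual one-coordinate-per-line format, keeping transitive dependencies and using Gradle's resolved (`->`) versions; both sample outputs are constructed, and Security Scanner's own parsing is not documented here.

```python
import re

# Constructed sample of `gradle dependencies` output (not taken from a real build).
GRADLE_SAMPLE = """\
compileClasspath - Compile classpath for source set 'main'.
+--- org.apache.commons:commons-lang3:3.12.0
+--- com.google.guava:guava:30.1-jre -> 31.0.1-jre
\\--- com.example:lib:1.0
     +--- org.slf4j:slf4j-api:1.7.30
     \\--- com.google.guava:guava:31.0.1-jre (*)
"""

# Constructed sample of `mvn dependency:tree -DoutputType=dot` output.
MAVEN_SAMPLE = """\
digraph "com.example:app:jar:1.0" {
 "com.example:app:jar:1.0" -> "org.slf4j:slf4j-api:jar:1.7.30:compile" ;
 "com.example:app:jar:1.0" -> "com.example:lib:jar:tests:1.0:test" ;
 "org.slf4j:slf4j-api:jar:1.7.30:compile" -> "junit:junit:jar:4.13.2:test" ;
}
"""

# group:name[:declared] optionally followed by " -> resolved" (Gradle conflict resolution).
GRADLE_LINE = re.compile(r"--- ([^:\s]+):([^:\s]+)(?::(\S+))?(?: -> (\S+))?")
MAVEN_NODE = re.compile(r'"([^"]+)"')
MAVEN_ROOT = re.compile(r'digraph "([^"]+)"')
MAVEN_SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}


def gradle_coordinates(text):
    """Flatten a Gradle tree to sorted, unique group:name:version, using the resolved version."""
    coords = set()
    for line in text.splitlines():
        m = GRADLE_LINE.search(line)
        if not m or "(n)" in line:  # "(n)" marks an unresolved entry with no usable version
            continue
        group, name, declared, resolved = m.groups()
        version = resolved or declared
        if version:
            coords.add(f"{group}:{name}:{version}")
    return sorted(coords)


def maven_coordinates(text):
    """Flatten Maven dot output; nodes are group:artifact:type[:classifier]:version[:scope]."""
    root = MAVEN_ROOT.search(text)
    root_node = root.group(1) if root else None  # the app itself is not a dependency
    coords = set()
    for node in MAVEN_NODE.findall(text):
        parts = node.split(":")
        if node == root_node or len(parts) < 4:
            continue
        if parts[-1] in MAVEN_SCOPES:
            parts = parts[:-1]  # drop scope so the version is always the last field
        coords.add(f"{parts[0]}:{parts[1]}:{parts[-1]}")
    return sorted(coords)
```

Write the returned lines to a text file and attach it to the DCHELP ticket as described above.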