Maintaining a secure Marketplace is a collective effort shared by Atlassian and our Marketplace Partners. We fulfill this obligation by validating that all third-party apps meet security requirements.
We’ve launched a new capability that scans Data Center apps listed on the Marketplace to ensure that their codebase does not include any malware or malicious aspects. This will help us monitor and detect security vulnerabilities and improve the overall security posture of our ecosystem.
Our malware scanning for Data Center apps on the Marketplace runs the following scanners:
VirusTotal is a third-party service that uses multiple antivirus engines and website scanners to detect viruses, worms, trojans, and other kinds of malicious content. We use it to analyze the JAR files from Data Center apps.
YARA rules are custom rules that flag suspicious patterns, function calls, and other potential threats for manual review by our team.
ClamAV is a free, open-source, cross-platform antivirus engine designed to detect malware, viruses, trojans, and other malicious threats.
This list may expand in the future as we continue to integrate and roll out new scanners.
All newly uploaded apps (apps uploaded to the Marketplace for the first time) and incremental versions of apps that support the latest, previous, and current LTS (Long-Term Support) versions of a Data Center product will be scanned within 24 hours of release. This ensures that any vulnerabilities in new apps or updated versions are promptly detected.
Our team will investigate all findings internally to ascertain the authenticity and severity of detected threats and to ensure the security of the Marketplace for customers.
In cases of confirmed malware or other malicious activity, Data Center apps may be removed from the Marketplace, or blocked from listing if they haven’t been published.
No action is required unless you are contacted by our team. Low-severity issues identified by our scanner will be reported via the AMS project in ecosystem.atlassian.net, with relevant actions to remediate the issues.
Apps cannot opt out of the Malware Scanning process at this time.
Scanning is designed to be non-intrusive (unless otherwise mentioned). In the event the scanning somehow disrupts app functionality, please submit a request for support on our service desk.