Last updated Dec 31, 2025

Software Composition Analysis for Data Center apps

As part of our recent publication of the Security Requirements for Data Center apps, which require developers to perform SCA scans, and our ongoing commitment to building trust with customers, Atlassian will be introducing a new Software Composition Analysis (SCA) scanning capability for Data Center apps. Its main objective is to proactively identify and address risks associated with third-party dependencies, thereby maintaining the safety and integrity of apps listed on the Atlassian Marketplace.

What is SCA scanning for Data Center apps?

Software Composition Analysis (SCA) is a security process that scans an application's third-party dependencies, libraries, and open-source components to identify known vulnerabilities. The SCA scanning process ensures that vulnerabilities in bundled dependencies are detected and addressed before they can impact customers. This approach aligns with Atlassian's broader security strategy to provide comprehensive coverage across all layers of application security.

FAQ

Does the SCA Scanner scan all versions of a Data Center App?

The SCA scanner scans the latest version of each app every 24 hours. All newly uploaded apps (apps uploaded to the Marketplace for the first time) and incremental versions of the apps that support the latest, previous, and current LTS (Long-Term Support) of Data Center products will be scanned within 24 hours of release. This ensures that any vulnerabilities in new apps or updated versions are promptly detected.

How will we get notified about the scan results?

When the SCA scanner detects vulnerabilities in the third-party dependencies used by an app, the app's developers will be notified through AMS (Atlassian Marketplace Security) tickets. These tickets are subject to the resolution timeframes set out in our Security Bug Fix Policy, ensuring that vulnerabilities are addressed promptly.

How can we ensure that our app is free from vulnerabilities in third-party dependencies?

  1. Download and install Grype as follows: curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin

  2. Confirm installation and update DB: grype db update

  3. If you have the asset as a JAR file, skip this step. If you have an OBR file, unzip it and extract the main JAR file.

  4. Scan the JAR file as follows: grype <jar-file-name>.jar
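As an added example (not Atlassian's own tooling), a small Python wrapper that automates steps 3 and 4 above: it pulls the plugin JAR out of an OBR archive, runs Grype with JSON output, and lists findings at or above a chosen severity so a build can fail before upload. It assumes grype is on PATH, that an OBR is a zip archive with the main JAR at its root and bundled dependencies under dependencies/ (an assumption about the OBR layout), and that Grype's JSON report carries the matches/vulnerability/artifact fields referenced in the comments.

```python
"""Automates the Grype steps above: unpack an OBR, scan the main JAR, gate on severity."""
import json
import subprocess
import sys
import zipfile
from pathlib import Path

# Grype severity labels, ordered so a threshold can be applied.
SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def extract_main_jar(obr_path: str, dest_dir: str) -> Path:
    """Extract the plugin JAR from an OBR (a zip archive).

    Assumption: the main JAR sits at the archive root, while bundled
    dependencies live under 'dependencies/' and are skipped here.
    """
    with zipfile.ZipFile(obr_path) as obr:
        jars = [n for n in obr.namelist() if n.endswith(".jar") and "/" not in n]
        if len(jars) != 1:
            raise ValueError(f"expected one top-level JAR in the OBR, found {jars}")
        return Path(obr.extract(jars[0], dest_dir))


def summarize(grype_json: str, min_severity: str = "High") -> list:
    """Parse 'grype -o json' output and return (package, version, id,
    severity, fixed_in) for every match at or above min_severity."""
    threshold = SEVERITY_RANK[min_severity]
    findings = []
    for m in json.loads(grype_json).get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        if SEVERITY_RANK.get(vuln.get("severity"), 0) >= threshold:
            fixed = ",".join(vuln.get("fix", {}).get("versions", [])) or "none"
            findings.append((art["name"], art["version"], vuln["id"],
                             vuln["severity"], fixed))
    return findings


def scan(asset: str, workdir: str = "sca-work", min_severity: str = "High") -> list:
    """Steps 3-4 from the page: resolve the JAR, run grype, filter the report."""
    path = Path(asset)
    if path.suffix.lower() == ".obr":
        path = extract_main_jar(asset, workdir)
    out = subprocess.run(["grype", str(path), "-o", "json"],
                         capture_output=True, text=True, check=True)
    return summarize(out.stdout, min_severity)


if __name__ == "__main__":
    # Usage: python sca_gate.py <plugin.jar|plugin.obr>; exit 1 if High+ findings exist.
    rows = scan(sys.argv[1])
    for row in rows:
        print("%s %s: %s (%s) fixed in %s" % row)
    sys.exit(1 if rows else 0)
```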

What should we do if a False Positive is identified during the SCA scan of my Data Center App?

Please comment on the finding, or submit a support request through our service desk so that our SMEs can review it and we can resolve your query as soon as possible.

What tools are being used by Atlassian for performing SCA scans?

Atlassian uses Grype to perform SCA scans on Marketplace Data Center apps.

What is the difference between SAST and SCA scanners?

SAST (Static Application Security Testing) and SCA (Software Composition Analysis) are both important for ensuring application security, but they focus on different aspects. SAST scans your custom codebase to identify vulnerabilities, such as insecure coding patterns, logic flaws, or potential exploits at the source code level. It analyzes the proprietary code written by developers. On the other hand, SCA focuses on third-party dependencies, libraries, and open-source components used in the application. It identifies known vulnerabilities in these components by mapping them against public vulnerability databases (e.g., CVE).

Can apps opt out of the scanning process?

Apps cannot opt out of scanning at this time.

How do we contact Atlassian for support with the scanning?

Partners can contact Atlassian by submitting their request through our service desk.
