Description

SourceAndLibScanner provides a command-line interface that enables you to combine both your Fortify Static Code Analyzer and Sonatype scan of your Java application into a single command. With this utility, you can integrate a single command into the build process of an application that you want to scan on a one-time or continuous basis. You can also upload the analysis results to Micro Focus Fortify Software Security Center. With SourceAndLibScanner, you can: 

  • Scan your code with Fortify Static Code Analyzer and Sonatype, and then upload Fortify and Sonatype results to Fortify Software Security Center 
  • Scan your code with Fortify Static Code Analyzer and Sonatype, then upload the Fortify results to Fortify Software Security Center and the Sonatype results to an on-premises Lifecycle product (Nexus IQ Server) 
  • Perform Fortify Static Code Analyzer scans of your code OR perform Sonatype scans of your third- party components

The scanning options are: 

  • Use Fortify Static Code Analyzer to scan your code for vulnerabilities with either the automatic build integration packager or native Fortify Static Code Analyzer commands 
  • Use Sonatype to scan for open source component vulnerabilities using open source component scan service that Sonatype created specifically for Fortify customers or your locally deployed Nexus IQ Server


Minimum Requirements

Documentation is included with sourceandlibscanner download.

Suggested apps

Suggested for you are based on app category, product compatibility, popularity, rating and newness. Some apps may not show based on entitlements. Learn more about entitlements.

Releases

Release
Size
Date
SourceAndLibScanner 21.1.0
54.6 MB
  |  
Sep 8, 2021
More info Less info
Product compatibility
Release notes

Requirements:

  • Java 11
  • See product compatibility section

New features:

  • Support for Micro Focus Fortify Static Code Analyzer 21.1.x and Sonatype Nexus IQ Server 121

Bug fixes:

  • Fixes an issue where in certain cases the semantic rule was not getting generated
  • Fixes an issue where all Sonatype findings were showing as critical in SSC instead of following the threat level defined in IQ Server
Languages
English
SourceAndLibScanner 20.2.1
53.7 MB
  |  
Feb 15, 2021
More info Less info
Product compatibility
Version 20.10
Release notes

Feature to send call flow information from SSC to Sonatype IQ Server

Languages
English
SourceAndLibScanner 20.2.0
45.4 MB
  |  
Nov 17, 2020
More info Less info
Product compatibility
Release notes

Susceptibility analysis (tech preview) - Fortify is pleased to announce a new feature co-developed with Sonatype to determine whether a CVE is relevant to code that you write. In the first release, you are required to download the source code of the dependency and add it to the overall scan so that we can see private function / method calls.

Note: You will need SSC 20.2 to see the new "Open Source" tab where susceptibility analysis results are displayed.

Additional Language Support - In addition to Java, you can now scan JavaScript/TypeScript, C#, VB.NET, Go, Ruby, PHP, and Python.

Please see the included documentation inside the download zip for more details

Languages
English
SourceAndLibScanner 20.1.1
44.2 MB
  |  
Nov 6, 2020
More info Less info
Product compatibility
Version 21.1
Version 20.10 · 20.20
Version 21.1
Version 20.10 · 20.20
Release notes

New fail-on-policy-warnings options has been added. See description below or documentation included with download zip for details.

Sourcelibscanner can return a non-zero exit code, because you have the fail-on-policy-warnings option set, or because of IQ Server configuration options, for example, to fail upon policy violation in IQ. This is to maintain consistency of behavior between SourceAndLibScanner and native Sonatype CLI tools. For Example – IQ Server –potential configuration: If critical issues are found, scan is marked as “failed”, though the scan itself was completed successfully and the issues are available to be retrieved.

Languages
English
SourceAndLibScanner 20.1
43.0 MB
  |  
May 4, 2020
More info Less info
Product compatibility
Version 21.1
Version 20.20 · 20.10
Version 19.10 · 19.20
Version 20.20 · 20.10
Version 19.22
Release notes

First release for Fortify's SourceAndLibScanner

Languages
English

Unsubscribe from notifications

You are receiving release updates for this item because you have subscribed to the following products:
If you unsubscribe, you will no longer receive any notifications for these products.
Tip: to update your subscription preferences, go to Manage Subscriptions from your Dashboard, uncheck the products you no longer want to receive notifications for, and click 'Save'.

Marketplace Terms of Service

In order to continue, you must accept the updated Marketplace Terms of Service
Since you are downloading an app from the Micro Focus Marketplace, you need to accept the updated Marketplace Terms of Service before you can continue. Use the link to review the Marketplace Terms of Service. Once complete check the, "I accept the Marketplace Terms of Service" box below and click accept to continue your download.


Your download has begun...

Your download has begun

Related content and resources

Your browser is not supported!

Please upgrade to one of the following broswers: Internet Explorer 11 (or greater) or the latest version of Chrome or Firefox

release-rel-2021-10-2-4543 | Thu Oct 21 03:26:53 PDT 2021