SourceAndLibScanner provides a command-line interface that enables you to combine both your Fortify Static Code Analyzer and Sonatype scan of your Java application into a single command. With this utility, you can integrate a single command into the build process of an application that you want to scan on a one-time or continuous basis. You can also upload the analysis results to Micro Focus Fortify Software Security Center. With SourceAndLibScanner, you can:
The scanning options are:
Documentation is included with sourceandlibscanner download.
Suggested for you are based on app category, product compatibility, popularity, rating and newness. Some apps may not show based on entitlements. Learn more about entitlements.
Susceptibility analysis (tech preview) - Fortify is pleased to announce a new feature co-developed with Sonatype to determine whether a CVE is relevant to code that you write. In the first release, you are required to download the source code of the dependency and add it to the overall scan so that we can see private function / method calls.
Note: You will need SSC 20.2 to see the new "Open Source" tab where susceptibility analysis results are displayed.
Please see the included documentation inside the download zip for more details
New fail-on-policy-warnings options has been added. See description below or documentation included with download zip for details.
Sourcelibscanner can return a non-zero exit code, because you have the fail-on-policy-warnings option set, or because of IQ Server configuration options, for example, to fail upon policy violation in IQ. This is to maintain consistency of behavior between SourceAndLibScanner and native Sonatype CLI tools. For Example – IQ Server –potential configuration: If critical issues are found, scan is marked as “failed”, though the scan itself was completed successfully and the issues are available to be retrieved.
First release for Fortify's SourceAndLibScanner
Please upgrade to one of the following broswers: Internet Explorer 11 (or greater) or the latest version of Chrome or Firefox