Demo of the susceptibility analysis feature in Fortify Software Security Center (version 20.2) for open source scanning with Sonatype and Fortify.
Fortify can now determine whether you've invoked a function or method and whether an uncontrolled user input can reach that function or method.
The way that we collect methods and function signatures is based on the requests that we receive for Sonatype indications of known components. So as you request that Sonatype scan various open source components, we understand that any of those particular known vulnerabilities that have had updates, meaning that they have been patched, we'll generate a signature for that function or method so that we can see that the function that is actually in your own custom code and that you are utilizing that vulnerable component of the dependency…not just that you have the dependency on your class path but you've actually used it in a way that makes you susceptible to this particular vulnerability.
The combination of Fortify and Sonatype means you can truly help prioritize your open source Issues.