New Member

Why do I need Sonatype to scan when I already use SCA?

Is Fortify on-premise and Sonatype integration coming, to determine if a known vulnerability is exploitable during static analysis?

1 Reply

Micro Focus Contributor

Hi Dave,

The static analysis capability as implemented by Fortify SCA is great for finding weaknesses in your own code. However, in many modern business applications, some 80-90% of the effective code in production comes from open source libraries, pulled in through mechanisms such as Maven, NuGet, etc. These libraries may contain vulnerabilities too. In fact, this is an item in the OWASP Top 10: "Using Components with Known Vulnerabilities". Traditional static analysis is not effective in detecting those.

"Composition analysis" functionality works better to detect vulnerable components. This compares detected libraries with databases of known vulnerable components. Fortify doesn't have this functionality built-in natively, but Sonatype does.

In the spirit of "holistic appsec" as outlined by Dylan in the video, we want customers to be able to do static analysis, composition analysis (and more) within the Fortify platform. Therefore, we have established a partnership with Sonatype. This consists of both technical integrations (getting Sonatype results into SSC, running Sonatype and Fortify scans with one command) as well as commercials (obtaining the relevant licenses all through Micro Focus Fortify). All this already exists now, as of 20.1! Today's "What's New" presentation at 17:00 CEST will also cover this.

Determining whether a vulnerability in a component is exploitable in the context of your application is something we have on our roadmap (naming it "susceptibility analysis"), but that's not available yet.

Kind regards,

Frans van Buul
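To make the "composition analysis" step in the reply above concrete, here is a small added example of the core matching logic. It is not Fortify or Sonatype code: it parses a constructed Maven-style resolved dependency list (the format of `mvn dependency:list` output) and compares each coordinate against a constructed advisory table with affected version ranges. The group/artifact names, advisory identifiers and version ranges are all made up for illustration. Note what the match does and does not tell you: it says a known-vulnerable component is present, not that the vulnerable code is reachable or exploitable in your application, which is the "susceptibility analysis" the reply describes as roadmap only.

```python
"""Toy software-composition-analysis matcher (added example, not Fortify/Sonatype code).

Reads a Maven-style resolved dependency list and matches each
group:artifact:version against an advisory table of known-vulnerable
components with [introduced, fixed) version ranges.
"""
import re

# Constructed sample input in `mvn dependency:list` output style
# (group:artifact:packaging:version:scope). Names are hypothetical.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.example:http-client:jar:4.5.2:compile
[INFO]    org.example:yaml-parser:jar:1.33:compile
[INFO]    org.example:logging-core:jar:2.17.1:compile
"""

# Constructed advisory database. Ranges are half-open: introduced <= v < fixed.
# Advisory identifiers are hypothetical placeholders, not real CVEs.
ADVISORIES = [
    {"ga": "org.example:http-client", "introduced": "4.0.0", "fixed": "4.5.3",
     "id": "EXAMPLE-2020-0001", "severity": "high"},
    {"ga": "org.example:yaml-parser", "introduced": "1.0", "fixed": "1.31",
     "id": "EXAMPLE-2021-0002", "severity": "critical"},
    {"ga": "org.example:logging-core", "introduced": "2.0", "fixed": "2.17.1",
     "id": "EXAMPLE-2021-0003", "severity": "critical"},
]

# One resolved coordinate per line: [INFO]    group:artifact:packaging:version:scope
DEP_LINE = re.compile(
    r"^\[INFO\]\s+(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+)"
    r":[\w\-]+:(?P<version>[\w.\-]+):\w+\s*$"
)


def version_key(version):
    """Comparison key that orders numeric segments numerically (1.10 > 1.9).

    Numeric segments sort before non-numeric ones (e.g. 'rc1'); comparing
    '4.5' with '4.5.2' treats the shorter version as the lower one.
    """
    parts = []
    for segment in re.split(r"[.\-]", version):
        parts.append((0, int(segment)) if segment.isdigit() else (1, segment))
    return tuple(parts)


def parse_dependency_list(text):
    """Return [(group:artifact, version), ...] from dependency:list output."""
    deps = []
    for line in text.splitlines():
        m = DEP_LINE.match(line)
        if m:
            deps.append((f"{m['group']}:{m['artifact']}", m["version"]))
    return deps


def is_affected(version, introduced, fixed):
    """True if introduced <= version < fixed; the fixed version itself is clean."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def find_vulnerable_components(text, advisories=ADVISORIES):
    """Match every detected component against the advisory table.

    A finding means a known-vulnerable component is present in the
    dependency graph; it says nothing about whether the vulnerable code
    path is reachable from the application.
    """
    findings = []
    for ga, version in parse_dependency_list(text):
        for adv in advisories:
            if adv["ga"] == ga and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": f"{ga}:{version}",
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "fixed_in": adv["fixed"],
                })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_components(SAMPLE_DEPENDENCY_LIST):
        print(f"{f['severity'].upper():8} {f['component']}  {f['advisory']}  fix: upgrade to {f['fixed_in']}")
```

On the constructed input only `http-client:4.5.2` is reported: `logging-core:2.17.1` sits exactly on its fixed version and `yaml-parser:1.33` is past its range, which is why the half-open range and a numeric-aware version comparison matter; a plain string comparison would wrongly place 1.10 below 1.9. A real tool would additionally walk transitive dependencies and pull advisories from a maintained feed rather than an inline table.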

