Why do I need Sonatype to scan when I already use SCA?
Fortify on premise and Sonatype integration coming? - to determine if known vulnerability is exploitable during static analysis?
Re: Why do I need Sonatype to scan when I already use SCA?
The static analysis capability as implemented by Fortify SCA is great for finding weaknesses in your own code. However, in many modern business applications, some 80-90% of the effective code in production comes from open source libraries, pulled in through mechanisms such as Maven, Nuget, etc. These libraries may contain vulnerabilities too. In fact, this is an item in the OWASP Top-10: "Using Components With Known Vulnerabilities". Traditional static analysis is not effective in detecting those.
"Composition analysis" functionality works better to detect vulnerable components. This compares detected libraries with databases of known vulnerable components. Fortify doesn't have this functionality built-in natively, but Sonatype does.
In the spirit of "holistic appsec" as outlined by Dylan in the video, we want customers to be able to do static analysis, composition analysis (and more) within the Fortify platform. Therefore, we have established a partnership with Sonatype. This consists of both technical integrations (getting Sonatype results into SSC, running Sonatype and Fortify scans with one command) as well as commercials (obtaining that relevant licenses all through Micro Focus Fortify). All this already exists now, as of 20.1! Today's "What's new" presentation at 17:00 CEST will also cover this.
Determining whether a vulnerability in a component is exploitable in the context of your application is something we have on our roadmap (naming it "susceptibility analysis"), but that's not available yet.
Frans van Buul