In addition to the Maven plugin, the Ant task, wsclient, and fortify annotations should be open sourced as well and published to an artifact repository (i.e. Maven Central, bintray, etc).
Hi guys, for the Maven plugin you can find the source itself within the SCA install. It's tucked away in:
<SCA install dir>\Samples\advanced\maven-plugin
Similarly the source for the wsclient comes with the SSC bundle under:
I will follow up with our Product Manager as to whether there are any plans to release the source for any of the other pieces mentioned by Steve and also whether there are plans to publish these to an external repository.
One of the issues a lot of users have is that they end up making customizations to the Maven plugin and there's no way to provide those changes upstream so others can benefit.
For users just getting started with Fortify, it would be ideal if not only the plugin was open sourced, but the official binary was available in Maven Central.
On a slightly unrelated general security tip, be careful when building your projects with open source compiled jars. :-). A nice addition to your fortify SLC 🙂