• Have questions about this item?

  • Contact us

Description

SourceAndLibScanner provides a command-line interface that enables you to combine both your Fortify Static Code Analyzer and Sonatype scan of your Java application into a single command. With this utility, you can integrate a single command into the build process of an application that you want to scan on a one-time or continuous basis. You can also upload the analysis results to Micro Focus Fortify Software Security Center. With SourceAndLibScanner, you can: 

  • Scan your code with Fortify Static Code Analyzer and Sonatype, and then upload Fortify and Sonatype results to Fortify Software Security Center 
  • Scan your code with Fortify Static Code Analyzer and Sonatype, then upload the Fortify results to Fortify Software Security Center and the Sonatype results to an on-premises Lifecycle product (Nexus IQ Server) 
  • Perform Fortify Static Code Analyzer scans of your code OR perform Sonatype scans of your third- party components

The scanning options are: 

  • Use Fortify Static Code Analyzer to scan your code for vulnerabilities with either the automatic build integration packager or native Fortify Static Code Analyzer commands 
  • Use Sonatype to scan for open source component vulnerabilities using your locally deployed Nexus IQ Server


Minimum Requirements

Documentation is included with sourceandlibscanner download.

Suggested apps

Suggested for you are based on app category, product compatibility, popularity, rating and newness. Some apps may not show based on entitlements. Learn more about entitlements.

Releases

Release
Size
Date
SourceAndLibScanner 21.1.2
54.8 MB
  |  
Jan 24, 2022
More info Less info
Product compatibility
Fortify Static Code Analyzer
Version 21.1 · 21.2
Version 22.1 · 22.2
Version 23.1
Fortify Software Security Center
Version 21.1 · 21.2
Version 22.1 · 22.2
Version 23.1
Release notes

Security update:

  • Updated Log4J to version 2.17.1
Languages
English
Files
SourceAndLibScanner 20.2.2
53.9 MB
  |  
Jan 24, 2022
More info Less info
Product compatibility
Fortify Static Code Analyzer
Version 20.20
Fortify Software Security Center
Version 20.20
Version 21.1 · 21.2
Version 22.1 · 22.2
Version 23.1
Release notes

Security update:

  • Updated Log4J to version 2.17.1
Languages
English
Files
SourceAndLibScanner 20.1.2
44.5 MB
  |  
Jan 24, 2022
More info Less info
Product compatibility
Fortify Static Code Analyzer
Version 20.10 · 20.20
Fortify Software Security Center
Version 20.10 · 20.20
Version 21.1 · 21.2
Version 22.1 · 22.2
Version 23.1
Release notes

Security patch release:

  • Updated Log4J to 2.17.1
Languages
English
Files

Prior releases

Release
Size
Date
SourceAndLibScanner 21.1.1
54.8 MB
  |  
Dec 17, 2021
More info Less info
Product compatibility
Fortify Static Code Analyzer
Version 23.1
Version 22.2 · 22.1
Version 21.2 · 21.1
Fortify Software Security Center
Version 23.1
Version 22.2 · 22.1
Version 21.2 · 21.1
Release notes

Security update:

  • Updated Log4J to version 2.16.0
Languages
English
Files
SourceAndLibScanner 21.1.0
54.6 MB
  |  
Sep 8, 2021
More info Less info
Product compatibility
Fortify Static Code Analyzer
Version 21.1
Fortify Software Security Center
Version 21.1
Release notes

Requirements:

  • Java 11
  • See product compatibility section

New features:

  • Support for Micro Focus Fortify Static Code Analyzer 21.1.x and Sonatype Nexus IQ Server 121

Bug fixes:

  • Fixes an issue where in certain cases the semantic rule was not getting generated
  • Fixes an issue where all Sonatype findings were showing as critical in SSC instead of following the threat level defined in IQ Server
Languages
English
Files
SourceAndLibScanner 20.2.1
53.7 MB
  |  
Feb 15, 2021
More info Less info
Product compatibility
Fortify
Version 23.1
Version 22.2 · 22.1
Version 21.2 · 21.1
Version 20.10
Release notes

Feature to send call flow information from SSC to Sonatype IQ Server

Languages
English
Files
SourceAndLibScanner 20.2.0
45.4 MB
  |  
Nov 17, 2020
More info Less info
Product compatibility
Fortify Software Security Center
Version 20.20
Release notes

Susceptibility analysis (tech preview) - Fortify is pleased to announce a new feature co-developed with Sonatype to determine whether a CVE is relevant to code that you write. In the first release, you are required to download the source code of the dependency and add it to the overall scan so that we can see private function / method calls.

Note: You will need SSC 20.2 to see the new "Open Source" tab where susceptibility analysis results are displayed.

Additional Language Support - In addition to Java, you can now scan JavaScript/TypeScript, C#, VB.NET, Go, Ruby, PHP, and Python.

Please see the included documentation inside the download zip for more details

Languages
English
Files
SourceAndLibScanner 20.1.1
44.2 MB
  |  
Nov 6, 2020
More info Less info
Product compatibility
Fortify Software Security Center
Version 23.1
Version 22.2 · 22.1
Version 21.2 · 21.1
Version 20.10 · 20.20
Fortify Static Code Analyzer
Version 23.1
Version 22.2 · 22.1
Version 21.2 · 21.1
Version 20.10 · 20.20
Release notes

New fail-on-policy-warnings options has been added. See description below or documentation included with download zip for details.

Sourcelibscanner can return a non-zero exit code, because you have the fail-on-policy-warnings option set, or because of IQ Server configuration options, for example, to fail upon policy violation in IQ. This is to maintain consistency of behavior between SourceAndLibScanner and native Sonatype CLI tools. For Example – IQ Server –potential configuration: If critical issues are found, scan is marked as “failed”, though the scan itself was completed successfully and the issues are available to be retrieved.

Languages
English
Files
SourceAndLibScanner 20.1
43.0 MB
  |  
May 4, 2020
More info Less info
Product compatibility
Fortify Software Security Center
Version 23.1
Version 22.2 · 22.1
Version 21.2 · 21.1
Version 20.20 · 20.10
Version 19.10 · 19.20
Fortify Static Code Analyzer
Version 20.20 · 20.10
Version 19.22
Release notes

First release for Fortify's SourceAndLibScanner

Languages
English
Files

Unsubscribe from notifications

You are receiving release updates for this item because you have subscribed to the following products:
If you unsubscribe, you will no longer receive any notifications for these products.
Tip: to update your subscription preferences, go to Manage Subscriptions from your Dashboard, uncheck the products you no longer want to receive notifications for, and click 'Save'.
Unsubscribe Cancel

Marketplace Terms of Service

In order to continue, you must accept the updated Marketplace Terms of Service
Since you are downloading an app from the OpenText Marketplace, you need to accept the updated Marketplace Terms of Service before you can continue. Use the link to review the Marketplace Terms of Service. Once complete check the, "I accept the Marketplace Terms of Service" box below and click accept to continue your download.


Accept Cancel
Your download has begun...

Your download has begun

Related content and resources

Your browser is not supported!

Please upgrade to one of the following broswers: Internet Explorer 11 (or greater) or the latest version of Chrome or Firefox

release-rel-2024-10-1-6270 | Sun Oct 6 21:16:47 PDT 2024