Prioritizing your open source issues – Susceptibility analysis with Fortify and Sonatype

Demo of the susceptibility analysis feature in Fortify Software Security Center (version 20.2) for open source scanning with Sonatype and Fortify.

Fortify can now determine whether you've invoked a function or method and whether an uncontrolled user input can reach that function or method.

The methods and function signatures we collect are derived from the requests we receive for Sonatype indications of known components. As you request that Sonatype scan various open source components, for each known vulnerability that has had an update (meaning it has been patched) we generate a signature for the affected function or method. That lets us see whether your own custom code actually calls that vulnerable part of the dependency: not just that the dependency is on your class path, but that you have used it in a way that makes you susceptible to this particular vulnerability.

The combination of Fortify and Sonatype means you can truly prioritize your open source issues.
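To make the prioritization described above concrete, here is an added example (not Fortify or Sonatype code) of the idea in miniature: given a toy call graph of an application, the entry points that receive uncontrolled user input, and the signatures of dependency methods fixed by known vulnerability patches, it sorts each known vulnerability into one of three buckets: dependency present but the method is never invoked, invoked but no user input reaches it, and invoked with user input reachable (susceptible). All method names, the call graph and the vulnerability identifiers are constructed for illustration.

```python
from collections import deque

# Constructed sample data (hypothetical names, not real components or CVEs).
# CALL_GRAPH maps each method to the methods it calls.
CALL_GRAPH = {
    "app.Controller.handleUpload": ["app.Service.parse", "lib.Util.log"],
    "app.Service.parse": ["lib.xml.Parser.parse"],
    "app.Startup.init": ["lib.Config.load"],
    "lib.Util.log": [],
    "lib.xml.Parser.parse": [],
    "lib.Config.load": [],
}
# Entry points whose parameters carry uncontrolled user input (e.g. HTTP handlers).
TAINT_SOURCES = {"app.Controller.handleUpload"}
# Signatures of dependency methods that a known vulnerability patch changed.
# "lib.archive.Unzip.extract" is on the class path but never called by the app.
VULNERABLE_SIGNATURES = {
    "lib.xml.Parser.parse": "HYPOTHETICAL-XML-1",
    "lib.Config.load": "HYPOTHETICAL-CFG-2",
    "lib.archive.Unzip.extract": "HYPOTHETICAL-ZIP-3",
}

NOT_INVOKED = "dependency present, method never invoked"
NO_USER_INPUT = "invoked, but no uncontrolled input reaches it"
SUSCEPTIBLE = "SUSCEPTIBLE: invoked and reachable from user input"
PRIORITY = {SUSCEPTIBLE: 0, NO_USER_INPUT: 1, NOT_INVOKED: 2}


def reachable_from(graph, start):
    """Return every method transitively callable from `start` (BFS over the call graph)."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for callee in graph.get(node, []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def classify(graph, sources, vulnerable):
    """Map each vulnerable signature to its susceptibility bucket."""
    # A method is "invoked" if any method in the application call graph calls it.
    invoked = {callee for callees in graph.values() for callee in callees}
    # A method is "tainted" if some user-input entry point reaches it.
    tainted = set()
    for source in sources:
        tainted |= reachable_from(graph, source)
    result = {}
    for signature in vulnerable:
        if signature not in invoked:
            result[signature] = NOT_INVOKED
        elif signature in tainted:
            result[signature] = SUSCEPTIBLE
        else:
            result[signature] = NO_USER_INPUT
    return result


def prioritize(graph, sources, vulnerable):
    """Return (vuln_id, signature, bucket) tuples, most urgent first."""
    buckets = classify(graph, sources, vulnerable)
    rows = [(vulnerable[sig], sig, bucket) for sig, bucket in buckets.items()]
    return sorted(rows, key=lambda row: (PRIORITY[row[2]], row[0]))


if __name__ == "__main__":
    for vuln_id, signature, bucket in prioritize(CALL_GRAPH, TAINT_SOURCES, VULNERABLE_SIGNATURES):
        print(f"{vuln_id:<20} {signature:<28} {bucket}")
```

Real analyzers resolve the call graph from bytecode and track data flow through fields, collections and sanitizers rather than treating any transitive call as tainted, but the three-bucket output is the same shape of answer: the susceptible findings are the ones worth fixing first.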

The first release is for Java only.

Fortify Static Code Analyzer (SCA) is the industry-leading SAST (static application security testing) tool. This on-premises tool also powers Fortify on Demand (FoD), a complete application security as-a-service (AppSec SaaS) solution with SAST, DAST, IAST, RASP, SCA (open source security), and developer security training.

- Connect with peers and share your knowledge
- Find solutions and answers to your technical questions
- Stay informed on new releases and product enhancements
- Access downloads, demos, videos and support tips
Comments
Author

This is really cool! Congrats to Jimmy and the Fortify team for consistently delivering!

erdemgsu