Fortify Static Code Analyzer is powered by Sonatype, boosting your secure coding capabilities. Sonatype matches open source component names against issues noted in the National Vulnerability Database (NVD). It uses artificial intelligence and machine learning along with human curation to ingest and identify security vulnerabilities from other open source projects, GitHub commits, advisory websites, the NVD, and a number of other vulnerability sources.
The Sonatype Nexus Lifecycle Integration contains the parser plugin for Software Security Center and an integration service that can integrate results from Sonatype's Nexus Lifecycle alongside findings from Fortify Static Code Analyzer (SCA), providing a consolidated view of application vulnerabilities.
The Sonatype integration allows you to simultaneously run SAST and SCA analysis within Fortify on Demand. It supports Java, .NET, JavaScript, and Python, giving you integrated results delivered on one platform for remediation, reporting, and analytics. It also examines fingerprints of over 65 million components and detects 70% more vulnerabilities than the NVD database alone.
SourceAndLibScanner provides a command-line interface that enables you to combine both your Fortify Static Code Analyzer scan and your Sonatype scan of a Java application into a single command. With this utility, you can integrate that single command into the build process of an application that you want to scan on a one-time or continuous basis. You can also upload the analysis results to Micro Focus Fortify Software Security Center.
With SourceAndLibScanner, you can:
The scanning options are:
Sonatype’s integrated open source governance platform (Nexus) helps more than 1,000 organizations and 10 million software developers simultaneously accelerate innovation and improve application security. More about Sonatype.