Hello Developer Community!
With this post, we’d like to provide more details about Atlassian Security Scanner and our plans for using it to check Marketplace apps for security vulnerabilities.
Security Scanner is our internal tool for auditing third-party dependencies in Data Center apps. If an app contains a dependency with a critical or high security vulnerability, the tool will detect it and report it through an issue in the Atlassian Marketplace Security (AMS) project.
We’ve considered the feedback we received from you after the previous announcements about the introduction of security scanning, so now we’re going to address the most popular questions and concerns.
Here’s what we’re going to cover:
- Why do we use an internal tool and don’t share access to it?
- What does Security Scanner actually check?
- How often does security scanning occur?
- How does Security Scanner work?
- What do you need to do if you receive an AMS ticket?
- Will security scanning help with app preparation for Platform 7?
Quick overview of our communication timeline
This post is based on our previous announcements about the changes to the Data Center app approval process. So let’s quickly recap on what we already communicated to you and when.
- November 2021: We announced that starting from February 2022, we’d require all apps submitted for approval to be free from critical- and high-severity vulnerabilities in third-party dependencies. We also mentioned that starting from April 2022, we’d track detected vulnerabilities in the Atlassian Marketplace Security Jira project.
- April 2022: We notified you that we had to revise the previously shared plan due to the global situation. Although we postponed vulnerability detection and tracking, we kept the requirement for the submitted apps to be free from critical- and high-severity vulnerabilities in third-party dependencies.
- June 2023: We got back on track and announced that we were proceeding with introducing our internal tool to scan your apps for third-party dependency vulnerabilities.
Why do we use an internal tool and don’t share access to it?
Atlassian Security Scanner is a complementary solution to catch the most obvious security issues in case no security processes are established on the app partner’s side. At the same time, security scanning of the app codebase is the responsibility of the app developer, since the app developer has full access to the code and knows the app’s architecture and business logic.
As an additional check for vulnerabilities in third-party dependencies of Data Center apps, the security scanning check allows Atlassian either to ensure that an app is safe to go to the Marketplace or to provide a valid reason why it isn’t and what needs to be fixed.
As of today, we still don’t plan to allow external access to Security Scanner for two reasons:
- First, we eliminate the risk of having app data or functionality compromised by malicious actors who could use our tool to look for exploitable weaknesses.
- Second, our solution isn’t meant to replace the security checks you run on your side with a tool you trust. Rather, it provides assistance with a security audit in case those checks aren’t done.
What does Security Scanner actually check?
During the first-time and annual app review, Security Scanner checks a third-party dependency tree that you submit to us. On a daily basis, the tool also checks the app’s .jar files. If the dependency tree or .jar file contains a critical- or high-severity vulnerability, Security Scanner will detect it. This vulnerability will be described in a Jira ticket in the Atlassian Marketplace Security (AMS) project. Only you and an entitled representative of Atlassian Support will have permission to view and manage this ticket.
How often does security scanning occur?
Security scanning runs as soon as you submit your app to us for the first time and continues on a daily basis for each app on the Marketplace. Nowadays, daily scanning for security vulnerabilities is essential because of the nature of modern cyber threats.
How does Security Scanner work?
A .jar file with the third-party dependencies in your app is sent to Security Scanner. Using software composition analysis, the tool checks them for vulnerabilities with critical or high severity. The severity of vulnerabilities is defined based on the criteria we describe in the Security Bug Fix Policy.
If Security Scanner doesn’t find any vulnerability, the app is safe to be on the Marketplace.
In the case where a vulnerability is detected, a Jira ticket about this vulnerability will be created in the Atlassian Marketplace Security (AMS) project, and you’ll receive an automated email notification about the ticket.
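As an added illustration of the kind of check software composition analysis performs (this is example code, not Atlassian’s Security Scanner and not code from this post), the script below opens a Data Center app .jar, reads the Maven coordinates of every dependency bundled inside it, and matches them against an advisory list. The META-INF/lib bundling location is assumed from the usual Atlassian plugin layout, and both the advisory entries and the sample jar are constructed placeholders rather than real vulnerabilities.

```python
import io
import zipfile

# Constructed placeholder advisories keyed by Maven coordinates (not real CVEs).
KNOWN_VULNERABLE = {
    ("org.example", "example-json", "1.0.0"): ("PLACEHOLDER-ADV-001", "critical"),
}

def parse_pom_properties(text):
    """Parse a Maven pom.properties file into (groupId, artifactId, version)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props.get("groupId"), props.get("artifactId"), props.get("version")

def bundled_dependencies(app_jar_bytes):
    """Return Maven coordinates of every jar bundled under META-INF/lib/ (assumed layout)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(app_jar_bytes)) as app:
        for name in app.namelist():
            if not (name.startswith("META-INF/lib/") and name.endswith(".jar")):
                continue
            with zipfile.ZipFile(io.BytesIO(app.read(name))) as dep:
                for inner in dep.namelist():
                    if inner.startswith("META-INF/maven/") and inner.endswith("pom.properties"):
                        coords = parse_pom_properties(dep.read(inner).decode())
                        if all(coords):
                            found.append(coords)
    return found

def scan(app_jar_bytes, advisories=KNOWN_VULNERABLE):
    """Report bundled dependencies that match a critical- or high-severity advisory."""
    return [(c, advisories[c]) for c in bundled_dependencies(app_jar_bytes)
            if c in advisories and advisories[c][1] in ("critical", "high")]

def build_sample_app_jar():
    """Constructed plugin jar bundling two dependencies, one matching the placeholder advisory."""
    def dep_jar(group, artifact, version):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                       f"groupId={group}\nartifactId={artifact}\nversion={version}\n")
        return buf.getvalue()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/lib/example-json-1.0.0.jar", dep_jar("org.example", "example-json", "1.0.0"))
        z.writestr("META-INF/lib/example-util-2.3.1.jar", dep_jar("org.example", "example-util", "2.3.1"))
    return buf.getvalue()
```

Running `scan(build_sample_app_jar())` flags only the dependency that matches a critical or high advisory, which is the same decision the post describes before a ticket is raised.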
What do you need to do if you receive an AMS ticket?
If a vulnerability is detected in your app, you’ll receive an email notification about it with the link to the AMS Jira ticket describing the security issue.
The ticket will be assigned to the primary contact from the app’s list of contacts. The other contacts will be added as the ticket participants. Permission to view and work on the ticket will be shared only between the ticket participants and an entitled support engineer from Atlassian.
You work on an AMS ticket in the same way as you work on other Jira tickets. Check the description of the vulnerability and proceed with working on a fix.
According to our Security Bug Fix Policy, critical- and high-severity vulnerabilities must be fixed within 12 weeks from the day they were reported or triaged.
When the fix is ready, upload the new version of your app to the Marketplace. The next day, Security Scanner will do the check again, and if the app has no security issues, the AMS ticket will be closed automatically.
For more details on how to prepare your app for Security Scanner, check the following documents:
Will security scanning help with app preparation for Platform 7?
With the upgrade to Platform 7, Atlassian is removing support for a number of third-party libraries. This means that you might need to review the dependencies on these libraries in your apps and bundle new libraries if needed.
Our Security Scanner will help you identify risky third-party dependencies in time and will report detected vulnerabilities for fixing.
Prepare your Data Center app for Platform 7
How to contact us?
You’re welcome to leave your questions and feedback under this post.
If you’ve already received an AMS ticket, we recommend asking questions about a detected vulnerability in the ticket comments. The entitled representative of our Data Center Review team will respond and keep in touch with you.
You can also contact Atlassian Support directly.