Open source software composition analysis (OpenText Core Application Security only)

OpenText Core Application Security (Fortify on Demand) customers can use the --open-source-scan (-oss) option with the package command to include the additional files required for open source software composition analysis by OpenText Core SCA. By default, the OpenText ScanCentral SAST client uses the Debricked CLI to automatically generate the lock files required for open source composition analysis. Using the Debricked CLI gives you the most up-to-date Debricked artifact generation. The OpenText ScanCentral SAST client installs the Debricked CLI if it is not yet installed and checks online for a newer version.

The OpenText ScanCentral SAST client installs the Debricked CLI in one of the following locations:

  • Default location:

    • On a Windows system: %LOCALAPPDATA%\Fortify\scancentral-<version>\debricked\

    • On a Linux system: <userhome>/.fortify/scancentral-<version>/debricked/

  • Custom location specified by the debricked_cli_dir property in the <client_install_dir>/Core/config/client.properties file

If you want to use the Debricked CLI without the automatic installation, you can manually place the Debricked CLI in either location. See the Debricked CLI documentation for instructions on how to download the latest releases. To avoid automatic updates of the Debricked CLI, include the --skip-debricked-update (-sdu) option in your OpenText ScanCentral SAST client package command.
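The following script is an added example and is not part of the OpenText documentation or the ScanCentral SAST client. It implements the lookup order described above as a pre-flight check: a debricked_cli_dir property in <client_install_dir>/Core/config/client.properties takes precedence, otherwise the per-OS default directory is used. It then reports whether a Debricked CLI executable is actually present there, which matters when you package with --skip-debricked-update (-sdu) and have placed the CLI manually. The function names, the operating-system argument, the property parsing rules (last uncommented line wins, blanks trimmed) and the executable name debricked / debricked.exe are assumptions of this example; the version string X.Y.Z is a placeholder.

```shell
#!/bin/sh
# Added example (not OpenText code): resolve the directory the ScanCentral SAST
# client will use for the Debricked CLI, then check that a CLI binary is there.

# Usage: resolve_debricked_dir <os: windows|linux> <client_install_dir> <version> <base>
#   <base> is %LOCALAPPDATA% on Windows or the user's home directory on Linux.
# Prints the directory that will be used, following the documented precedence.
resolve_debricked_dir() {
  os="$1"; install_dir="$2"; version="$3"; base="$4"
  props="$install_dir/Core/config/client.properties"

  if [ -f "$props" ]; then
    # Custom location: last uncommented debricked_cli_dir=... line wins (assumed
    # parsing rule); surrounding blanks are trimmed.
    custom=$(grep -E '^[[:space:]]*debricked_cli_dir[[:space:]]*=' "$props" \
      | tail -n 1 | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
    if [ -n "$custom" ]; then
      printf '%s\n' "$custom"
      return 0
    fi
  fi

  # Default locations as documented for each platform.
  case "$os" in
    windows) printf '%s\n' "$base\\Fortify\\scancentral-$version\\debricked\\" ;;
    *)       printf '%s\n' "$base/.fortify/scancentral-$version/debricked/" ;;
  esac
}

# Usage: debricked_present <dir>
# Returns 0 if a Debricked CLI executable (assumed name) is in <dir>, 1 otherwise.
# With -sdu the client will not download one, so a missing binary means the
# -oss package step cannot generate lock files.
debricked_present() {
  dir="$1"
  [ -x "$dir/debricked" ] || [ -f "$dir/debricked.exe" ]
}

# Demo against a constructed client install layout in a temporary directory.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/Core/config"
  printf 'debricked_cli_dir = /opt/tools/debricked\n' > "$tmp/Core/config/client.properties"
  echo "custom location:  $(resolve_debricked_dir linux "$tmp" X.Y.Z /home/ci)"
  rm "$tmp/Core/config/client.properties"
  d=$(resolve_debricked_dir linux "$tmp" X.Y.Z /home/ci)
  echo "default location: $d"
  if debricked_present "$d"; then
    echo "Debricked CLI found in $d"
  else
    echo "No Debricked CLI in $d; place it there before packaging with -sdu"
  fi
  rm -rf "$tmp"
}

demo
```

Run the script before a packaging job to confirm which Debricked CLI the client will pick up; if it reports no binary in the resolved directory and you are using -sdu, download the release from the Debricked CLI documentation and place it there first.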

If you want to prepare the files yourself using the Debricked CLI directly, and you don't want the OpenText ScanCentral SAST client to overwrite the prepared files, use the --debricked-no-resolve (-dnr) option in your OpenText ScanCentral SAST client package command.