Fortify for Sonatype

Supported Products:

Fortify Static Code Analyzer

Fortify Static Code Analyzer is power by Sonatype, boosting your secure coding capabilities. Sonatype matches open source component names against issues noted in the National Vulnerability Database (NVD). It uses artificial intelligence and machine learning along with human curation to ingest and identify security vulnerabilities from other open source projects, GitHub commits, advisory websites, the NVD, and a number of other vulnerability sources.


Fortify Software Security Center

The Sonatype Nexus Lifecycle Integration contains the parser plugin for Software Security Center and an integration service that can integrate results from Sonatype's Nexus Lifecycle alongside findings from Fortify Static Code Analyzer (SCA), providing a consolidated view of application vulnerabilities.

Fortify on Demand

The Sonatype integration allows you to simultaneously run SAST and SCA analysis within Fortify on Demand. It supprts Java, .NET, JavaScript and Python giving you integrated results delivered on one platform for remediation, reporting and analytics. It also examines fingerprints of over 65 million components and detect 70% more vulnerabilities than the NVD database alone.

Fortify on Demand - Open Source Scanning with Sonatype


SourceAndLibScanner provides a command-line interface that enables you to combine both your Fortify Static Code Analyzer and Sonatype scan of your Java application into a single command. With this utility, you can integrate a single command into the build process of an application that you want to scan on a one-time or continuous basis. You also can upload the analysis results to Micro Focus Fortify Software Security Center.

With SourceAndLibScanner, you can:

  • Scan your code with Fortify Static Code Analyzer and Sonatype, and then upload Fortify and Sonatype results to Fortify Software Security Center
  • Scan your code with Fortify Static Code Analyzer and Sonatype, then upload the Fortify results to Fortify Software Security Center and the Sonatype results to an on-premises Lifecycle product (Nexus IQ Server)
  • Perform Fortify Static Code Analyzer scans of your code OR perform Sonatype scans of your third- party components

The scanning options are:

  • Use Fortify Static Code Analyzer to scan your code for vulnerabilities with either the automatic build integration packager or native Fortify Static Code Analyzer commands
  • Use Sonatype to scan for open source component vulnerabilities using open source component scan service that Sonatype created specifically for Fortify customers or your locally deployed Nexus IQ Server
General Resources:
Fortify SourceAndLibScanner (to combine Fortify Static Code Analyzer and Sonatype scans)

About Sonatype

Sonatype’s integrated open source governance platform (Nexus) helps more than 1,000 organizations and 10 million software developers simultaneously accelerate innovation and improve application security. More about Sonatype.

release-rel-2021-1-3-hotfix-5713 | Thu Jan 21 09:20:43 PST 2021
Thu Jan 21 09:20:43 PST 2021