Module 1 - Scanning and monitoring source code

This module takes you through onboarding a Java application from its source code.

Scanning & monitoring application source code

What is software composition analysis (SCA)?

Software composition analysis (SCA) is tooling for managing the open source components in an application. It generates a report listing every open source component in the application, including both direct and indirect (transitive) dependencies. With an SCA tool, development teams can quickly track and analyze the open source components introduced into a project.
Although convenient and widely used, open source components have traditionally been difficult to track. As a result, developers have relied on manual processes such as emails and spreadsheets to keep an inventory of them. These manual processes threaten to undo the convenience that open source provides, and they deliver only an incomplete picture. A more desirable approach is to use an SCA tool that provides immediate insight into each component.
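To make that report concrete, here is a small Python model of what an SCA tool does (an added example, not Snyk's code and not part of this module): it resolves the direct and transitive dependencies of a constructed Java dependency graph, matches each component against a constructed advisory list, and records the path by which each vulnerable component entered the application. All coordinates, versions and advisory IDs below are constructed for illustration.

```python
from collections import deque
# Constructed dependency graph for a hypothetical Java app: "group:artifact@version"
# -> the coordinates it pulls in. A real SCA tool builds this from pom.xml/build.gradle.
GRAPH = {
    "org.example:web-framework@1.4.0": ["org.example:json-parser@2.1.0", "org.example:http-client@5.2.0"],
    "org.example:json-parser@2.1.0": ["org.example:logging@1.8.0"],
    "org.example:http-client@5.2.0": [],
    "org.example:logging@1.8.0": [],
    "org.example:file-utils@3.0.0": [],
}
DIRECT = ["org.example:web-framework@1.4.0", "org.example:file-utils@3.0.0"]

# Constructed advisories (not real CVEs): the first version that contains the fix.
ADVISORIES = [
    {"id": "EXAMPLE-001", "component": "org.example:json-parser", "fixed_in": "2.3.0", "severity": "high"},
    {"id": "EXAMPLE-002", "component": "org.example:logging", "fixed_in": "1.9.1", "severity": "critical"},
    {"id": "EXAMPLE-003", "component": "org.example:file-utils", "fixed_in": "3.1.0", "severity": "medium"},
]

def parse_version(v):
    """Compare dotted numeric versions as tuples so 1.10.0 sorts after 1.9.1."""
    return tuple(int(part) for part in v.split("."))

def resolve(direct, graph):
    """Breadth-first walk from the direct dependencies, recording the shortest
    path by which every component (direct or transitive) reaches the app."""
    paths = {}
    queue = deque((dep, [dep]) for dep in direct)
    while queue:
        node, path = queue.popleft()
        if node in paths:  # already reached by an equal or shorter path
            continue
        paths[node] = path
        for child in graph.get(node, []):
            queue.append((child, path + [child]))
    return paths

def sca_report(direct, graph, advisories):
    """Match every resolved component against the advisories. An indirect finding
    is fixed by upgrading (or overriding) the direct dependency that introduced it."""
    findings = []
    for coord, path in resolve(direct, graph).items():
        name, version = coord.rsplit("@", 1)
        for adv in advisories:
            if adv["component"] == name and parse_version(version) < parse_version(adv["fixed_in"]):
                findings.append({"id": adv["id"], "severity": adv["severity"], "component": coord,
                                 "kind": "direct" if len(path) == 1 else "indirect",
                                 "introduced_by": path[0], "path": " > ".join(path),
                                 "fixed_in": adv["fixed_in"]})
    return findings
```

Running `sca_report(DIRECT, GRAPH, ADVISORIES)` yields one direct finding (file-utils) and two indirect ones, the deepest being logging, reached only through web-framework and json-parser; that chain is what a manual spreadsheet inventory typically misses.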

Why use an SCA tool?

Open source components are major building blocks in software development across virtually every vertical. Regardless of the size of your organization, SCA helps identify open source components in the applications that are critical to your business. SCA tools enable developers to:
  1. Understand the dependencies used in their applications.
  2. Enforce security & compliance policies throughout the Software Development Life Cycle (SDLC).
  3. Proactively fix potential vulnerabilities at the source.
  4. Improve team efficiency and company security posture.

Learning objective

In this module, we will shift security left and learn how to use Snyk for Bitbucket Cloud to automatically detect open source vulnerabilities and fix issues throughout your development process. Before we dive in, let's take a moment to review some key concepts.
We'll take you through a sequence in which you acquaint yourself with the code repository for a deliberately vulnerable application named java-goof. We'll direct you to import the repository into your Atlassian Bitbucket environment and then integrate it with Snyk. The sequence establishes the initial conditions you and your team will have when you first bring Snyk into your environment.