Fortify Static Code Analyzer (SCA) is a powerful static application security testing (SAST) tool that identifies security vulnerabilities in Java applications. This guide covers comprehensive integration, customization, and optimization.
Core Concepts
What is Fortify SCA?
- Enterprise-grade static analysis tool
- Identifies security vulnerabilities in source code
- Supports multiple programming languages including Java
- Provides detailed vulnerability analysis and remediation guidance
- Integrates with CI/CD pipelines and IDEs
Key Components:
- SourceAnalyzer: Core analysis engine
- Audit Workbench: GUI for reviewing results
- Fortify Software Security Center: Centralized management
- Build-time analysis: Integration with build tools
Setup and Installation
1. System Requirements
# Prerequisites - Java 8, 11, or 17 - Maven 3.6+ or Gradle 6+ - Fortify SCA 22.x+ - 4GB+ RAM (8GB+ recommended)
2. Environment Setup
# Set Fortify environment variables export FORTIFY_HOME=/opt/fortify/sca export PATH=$FORTIFY_HOME/bin:$PATH export JAVA_HOME=/usr/lib/jvm/java-11-openjdk # For Windows set FORTIFY_HOME=C:\Program Files\Fortify\SCA set PATH=%FORTIFY_HOME%\bin;%PATH%
Basic Usage and Scanning
1. Command Line Scanning
# Basic scan sourceanalyzer -b myapp -cp "lib/*.jar" src/**/*.java # Scan with Maven sourceanalyzer -b myapp mvn compile # Scan with Gradle sourceanalyzer -b myapp gradle compileJava # Generate report sourceanalyzer -b myapp -scan -f results.fpr
2. Maven Integration
<!-- fortify-maven-plugin --> <plugin> <groupId>com.fortify</groupId> <artifactId>fortify-maven-plugin</artifactId> <version>22.2.0</version> <configuration> <buildId>myapp</buildId> <source>1.11</source> <target>1.11</target> <maxHeap>4096m</maxHeap> </configuration> <executions> <execution> <goals> <goal>clean</goal> <goal>translate</goal> <goal>scan</goal> </goals> </execution> </executions> </plugin> <!-- Usage --> mvn fortify:clean fortify:translate fortify:scan
3. Gradle Integration
// build.gradle
plugins {
id 'com.fortify.fortify-gradle-plugin' version '22.2.0'
}
fortify {
buildId = 'myapp'
source = '11'
target = '11'
maxHeap = '4096m'
}
// Usage
./gradlew fortifyScan
Custom Rule Development
1. Custom Rule Structure
<!-- CustomRules.xml --> <RulePack xmlns="xmlns://www.fortifysoftware.com/schema/rules"> <RulePackID>B4988E23-7C47-4C61-89A4-123456789012</RulePackID> <Version>1.0</Version> <Name><![CDATA[Custom Java Rules]]></Name> <Rules version="1.0"> <!-- Custom rules go here --> </Rules> </RulePack>
2. Data Flow Rule Example
<Rule xmlns="xmlns://www.fortifysoftware.com/schema/rules" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" language="java"> <RuleID>CUSTOM-JAVA-001</RuleID> <VulnCategory>Custom Injection</VulnCategory> <DefaultSeverity>4.0</DefaultSeverity> <Description> <![CDATA[Custom SQL injection detection]]> </Description> <FunctionIdentifier> <NamespaceName>java.sql</NamespaceName> <ClassName>Statement</ClassName> <FunctionName>execute</FunctionName> <ApplyTo implements="true">true</ApplyTo> </FunctionIdentifier> <InOut> <Input source="1" /> <Return is-sanitizer="false" /> </InOut> <Conditions> <Condition type="TaintFlag" taintFlag="SQL_INJECTION" /> </Conditions> </Rule>
3. Structural Rule Example
<Rule xmlns="xmlns://www.fortifysoftware.com/schema/rules"
language="java">
<RuleID>CUSTOM-JAVA-002</RuleID>
<VulnCategory>Bad Practice</VulnCategory>
<DefaultSeverity>3.0</DefaultSeverity>
<Description>
<![CDATA[Avoid using System.exit() in application code]]>
</Description>
<Pattern>
<![CDATA[
// MethodAccess[Method/Name[matches("exit") and
// Class/Name[matches("java.lang.System")]]]
]]>
</Pattern>
</Rule>
4. Semantic Rule Example
<Rule xmlns="xmlns://www.fortifysoftware.com/schema/rules" language="java"> <RuleID>CUSTOM-JAVA-003</RuleID> <VulnCategory>Configuration</VulnCategory> <DefaultSeverity>2.0</DefaultSeverity> <Description> <![CDATA[Spring Security CSRF protection disabled]]> </Description> <Pattern format="version-2"> <![CDATA[ function: csrf class: HttpSecurity argument: 0 action: disable ]]> </Pattern> </Rule>
Java-Specific Rule Examples
1. SQL Injection Detection
<Rule xmlns="xmlns://www.fortifysoftware.com/schema/rules" language="java"> <RuleID>JAVA-SQL-INJECTION-001</RuleID> <VulnCategory>SQL Injection</VulnCategory> <DefaultSeverity>5.0</DefaultSeverity> <Description> <![CDATA[SQL injection vulnerability in JDBC]]> </Description> <FunctionIdentifier> <NamespaceName>java.sql</NamespaceName> <ClassName>Statement</ClassName> <FunctionName>execute</FunctionName> <ApplyTo implements="true">true</ApplyTo> </FunctionIdentifier> <InOut> <Input source="1" /> <Return is-sanitizer="false" /> </InOut> <Conditions> <Condition type="TaintFlag" taintFlag="SQL_INJECTION" /> </Conditions> <Recommendations> <Recommendation> <![CDATA[ Use PreparedStatement with parameterized queries instead of string concatenation. Example: String sql = "SELECT * FROM users WHERE id = ?"; PreparedStatement stmt = connection.prepareStatement(sql); stmt.setString(1, userId); ]]> </Recommendation> </Recommendations> </Rule>
2. XSS Detection
<Rule xmlns="xmlns://www.fortifysoftware.com/schema/rules" language="java"> <RuleID>JAVA-XSS-001</RuleID> <VulnCategory>Cross-Site Scripting</VulnCategory> <DefaultSeverity>4.0</DefaultSeverity> <Description> <![CDATA[XSS vulnerability in JSP output]]> </Description> <FunctionIdentifier> <NamespaceName>javax.servlet.jsp</NamespaceName> <ClassName>JspWriter</ClassName> <FunctionName>print</FunctionName> <ApplyTo implements="true">true</ApplyTo> </FunctionIdentifier> <InOut> <Input source="1" /> <Return is-sanitizer="false" /> </InOut> <Conditions> <Condition type="TaintFlag" taintFlag="XSS" /> </Conditions> <Recommendations> <Recommendation> <![CDATA[ Encode user input before output using ESAPI encoder or similar: String safeOutput = ESAPI.encoder().encodeForHTML(userInput); ]]> </Recommendation> </Recommendations> </Rule>
3. Path Traversal
<Rule xmlns="xmlns://www.fortifysoftware.com/schema/rules" language="java"> <RuleID>JAVA-PATH-TRAVERSAL-001</RuleID> <VulnCategory>Path Manipulation</VulnCategory> <DefaultSeverity>4.0</DefaultSeverity> <Description> <![CDATA[Path traversal vulnerability in file operations]]> </Description> <FunctionIdentifier> <NamespaceName>java.io</NamespaceName> <ClassName>File</ClassName> <FunctionName>File</FunctionName> </FunctionIdentifier> <InOut> <Input source="1" /> <Return is-sanitizer="false" /> </InOut> <Conditions> <Condition type="TaintFlag" taintFlag="PATH_MANIPULATION" /> </Conditions> </Rule>
4. Insecure Deserialization
<Rule xmlns="xmlns://www.fortifysoftware.com/schema/rules" language="java"> <RuleID>JAVA-DESERIALIZATION-001</RuleID> <VulnCategory>Insecure Deserialization</VulnCategory> <DefaultSeverity>4.5</DefaultSeverity> <Description> <![CDATA[Insecure deserialization detected]]> </Description> <FunctionIdentifier> <NamespaceName>java.io</NamespaceName> <ClassName>ObjectInputStream</ClassName> <FunctionName>readObject</FunctionName> </FunctionIdentifier> <InOut> <Input source="0" /> <Return is-sanitizer="false" /> </InOut> <Conditions> <Condition type="TaintFlag" taintFlag="UNTRUSTED_DESERIALIZATION" /> </Conditions> </Rule>
Spring Framework Rules
1. Spring Security Configuration
<Rule xmlns="xmlns://www.fortifysoftware.com/schema/rules" language="java"> <RuleID>SPRING-SECURITY-001</RuleID> <VulnCategory>Configuration</VulnCategory> <DefaultSeverity>3.0</DefaultSeverity> <Description> <![CDATA[Spring Security CSRF protection disabled]]> </Description> <Pattern format="version-2"> <![CDATA[ findfunction: csrf inclass: HttpSecurity with: - argument: 0 - action: disable ]]> </Pattern> <Recommendations> <Recommendation> <![CDATA[ Enable CSRF protection for state-changing operations: http.csrf().disable() // Remove this line ]]> </Recommendation> </Recommendations> </Rule>
2. Spring SQL Injection
<Rule xmlns="xmlns://www.fortifysoftware.com/schema/rules" language="java"> <RuleID>SPRING-SQL-001</RuleID> <VulnCategory>SQL Injection</VulnCategory> <DefaultSeverity>4.0</DefaultSeverity> <Description> <![CDATA[Spring JdbcTemplate with string concatenation]]> </Description> <FunctionIdentifier> <NamespaceName>org.springframework.jdbc.core</NamespaceName> <ClassName>JdbcTemplate</ClassName> <FunctionName>query</FunctionName> <ApplyTo implements="true">true</ApplyTo> </FunctionIdentifier> <InOut> <Input source="1" /> <Return is-sanitizer="false" /> </InOut> <Conditions> <Condition type="TaintFlag" taintFlag="SQL_INJECTION" /> </Conditions> </Rule>
3. Spring Validation Bypass
<Rule xmlns="xmlns://www.fortifysoftware.com/schema/rules" language="java"> <RuleID>SPRING-VALIDATION-001</RuleID> <VulnCategory>Input Validation</VulnCategory> <DefaultSeverity>3.5</DefaultSeverity> <Description> <![CDATA[Missing @Valid annotation on request body]]> </Description> <Pattern format="version-2"> <![CDATA[ findannotation: RequestBody on: parameter without: - annotation: Valid ]]> </Pattern> </Rule>
Custom Taint Sources and Sinks
1. Custom Taint Sources
<!-- CustomTaintSources.xml --> <TaintSources xmlns="xmlns://www.fortifysoftware.com/schema/rules"> <!-- Custom HTTP parameter source --> <TaintSource ruleID="CUSTOM-SOURCE-001"> <FunctionIdentifier> <NamespaceName>com.example.controller</NamespaceName> <ClassName>CustomController</ClassName> <FunctionName>getUserInput</FunctionName> </FunctionIdentifier> <Out> <Return taintFlags="CUSTOM_UNTRUSTED" /> </Out> </TaintSource> <!-- Spring MVC parameter source --> <TaintSource ruleID="SPRING-PARAM-001"> <FunctionIdentifier> <NamespaceName>org.springframework.web.bind.annotation</NamespaceName> <ClassName>RequestParam</ClassName> </FunctionIdentifier> <Out> <Return taintFlags="UNTRUSTED" /> </Out> </TaintSource> <!-- JWT token source --> <TaintSource ruleID="JWT-SOURCE-001"> <FunctionIdentifier> <NamespaceName>io.jsonwebtoken</NamespaceName> <ClassName>Jwts</ClassName> <FunctionName>parser</FunctionName> </FunctionIdentifier> <Out> <Return taintFlags="UNTRUSTED" /> </Out> </TaintSource> </TaintSources>
2. Custom Taint Sinks
<!-- CustomTaintSinks.xml --> <TaintSinks xmlns="xmlns://www.fortifysoftware.com/schema/rules"> <!-- Custom logging sink --> <TaintSink ruleID="CUSTOM-SINK-001"> <FunctionIdentifier> <NamespaceName>org.slf4j</NamespaceName> <ClassName>Logger</ClassName> <FunctionName>info</FunctionName> </FunctionIdentifier> <In> <Input source="1" sinkType="LOG_FORGING" /> </In> </TaintSink> <!-- External command execution --> <TaintSink ruleID="COMMAND-INJECTION-001"> <FunctionIdentifier> <NamespaceName>java.lang</NamespaceName> <ClassName>Runtime</ClassName> <FunctionName>exec</FunctionName> </FunctionIdentifier> <In> <Input source="1" sinkType="COMMAND_INJECTION" /> </In> </TaintSink> <!-- LDAP query sink --> <TaintSink ruleID="LDAP-INJECTION-001"> <FunctionIdentifier> <NamespaceName>javax.naming</NamespaceName> <ClassName>DirectoryServices</ClassName> <FunctionName>search</FunctionName> </FunctionIdentifier> <In> <Input source="1" sinkType="LDAP_INJECTION" /> </In> </TaintSink> </TaintSinks>
3. Custom Cleaners/Sanitizers
<!-- CustomCleaners.xml --> <Cleaners xmlns="xmlns://www.fortifysoftware.com/schema/rules"> <!-- ESAPI encoder --> <CleaningFunction ruleID="ESAPI-CLEANER-001"> <FunctionIdentifier> <NamespaceName>org.owasp.esapi</NamespaceName> <ClassName>Encoder</ClassName> <FunctionName>encodeForHTML</FunctionName> </FunctionIdentifier> <InOut> <Input source="1" /> <Return clearTaintFlags="XSS" /> </InOut> </CleaningFunction> <!-- Apache Commons StringEscapeUtils --> <CleaningFunction ruleID="COMMONS-CLEANER-001"> <FunctionIdentifier> <NamespaceName>org.apache.commons.lang3</NamespaceName> <ClassName>StringEscapeUtils</ClassName> <FunctionName>escapeHtml4</FunctionName> </FunctionIdentifier> <InOut> <Input source="1" /> <Return clearTaintFlags="XSS" /> </InOut> </CleaningFunction> <!-- Custom validation --> <CleaningFunction ruleID="CUSTOM-VALIDATION-001"> <FunctionIdentifier> <NamespaceName>com.example.validation</NamespaceName> <ClassName>InputValidator</ClassName> <FunctionName>sanitizeInput</FunctionName> </FunctionIdentifier> <InOut> <Input source="1" /> <Return clearTaintFlags="ALL" /> </InOut> </CleaningFunction> </Cleaners>
Build Integration
1. Maven Full Configuration
<!-- pom.xml -->
<project>
<build>
<plugins>
<plugin>
<groupId>com.fortify</groupId>
<artifactId>fortify-maven-plugin</artifactId>
<version>22.2.0</version>
<configuration>
<buildId>${project.artifactId}</buildId>
<source>11</source>
<target>11</target>
<maxHeap>4096m</maxHeap>
<verbose>true</verbose>
<failOnError>true</failOnError>
<quickScan>false</quickScan>
<!-- Custom rules -->
<rulePack>CustomRules.xml</rulePack>
<rulePack>CustomTaintSources.xml</rulePack>
<rulePack>CustomTaintSinks.xml</rulePack>
<!-- Scan configuration -->
<scanArgs>
<arg>-Dcom.fortify.sca.Phase0HigherOrder.Languages=java</arg>
<arg>-Dcom.fortify.sca.EnableControlFlowDataFlow=true</arg>
<arg>-Dcom.fortify.sca.Xmx=4096m</arg>
</scanArgs>
</configuration>
<executions>
<execution>
<id>fortify-scan</id>
<phase>verify</phase>
<goals>
<goal>clean</goal>
<goal>translate</goal>
<goal>scan</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</project>
2. Gradle Full Configuration
// build.gradle
plugins {
id 'java'
id 'com.fortify.fortify-gradle-plugin' version '22.2.0'
}
fortify {
buildId = project.name
source = '11'
target = '11'
maxHeap = '4096m'
verbose = true
failOnError = true
// Custom rules
rulePacks = [
'CustomRules.xml',
'CustomTaintSources.xml',
'CustomTaintSinks.xml'
]
// Scan arguments
scanArgs = [
'-Dcom.fortify.sca.Phase0HigherOrder.Languages=java',
'-Dcom.fortify.sca.EnableControlFlowDataFlow=true',
'-Dcom.fortify.sca.Xmx=4096m'
]
}
// Task dependencies
fortifyScan.dependsOn compileJava
check.dependsOn fortifyScan
3. Jenkins Pipeline
// Jenkinsfile
pipeline {
agent any
environment {
FORTIFY_HOME = '/opt/fortify/sca'
}
stages {
stage('Checkout') {
steps {
checkout scm
}
}
stage('Build') {
steps {
sh 'mvn clean compile -DskipTests'
}
}
stage('Fortify Scan') {
steps {
script {
withEnv(["PATH+FORTIFY=${env.FORTIFY_HOME}/bin"]) {
sh """
sourceanalyzer -b ${env.JOB_NAME} -clean
sourceanalyzer -b ${env.JOB_NAME} -cp \"**/*.jar\" src/main/java
sourceanalyzer -b ${env.JOB_NAME} -scan -f ${env.JOB_NAME}.fpr
"""
}
}
}
post {
always {
archiveArtifacts artifacts: "*.fpr", fingerprint: true
fortify issues: [
[file: "${env.JOB_NAME}.fpr", buildProject: env.JOB_NAME]
] } } } } }
Advanced Configuration
1. Memory Optimization
# Memory settings for large projects sourceanalyzer -b myapp -Xmx8g -Xms2g -XX:MaxPermSize=512m mvn compile # For Windows sourceanalyzer -b myapp -Xmx8g -Xms2g -XX:MaxPermSize=512m mvn compile
2. Exclusion Patterns
# Exclude test files sourceanalyzer -b myapp -exclude "**/test/**" -exclude "**/Test*.java" mvn compile # Exclude generated code sourceanalyzer -b myapp -exclude "**/generated/**" -exclude "**/target/generated-sources/**" mvn compile
3. Custom Rule Loading
# Load custom rules sourceanalyzer -b myapp -rules CustomRules.xml -rules CustomTaintSources.xml mvn compile # Multiple rule files sourceanalyzer -b myapp -rules "rules/*.xml" mvn compile
Results Analysis and Filtering
1. Report Generation
# Generate HTML report ReportGenerator -format HTML -f report.html -source results.fpr # Generate PDF report ReportGenerator -format PDF -f report.pdf -source results.fpr # Generate SARIF for CI/CD ReportGenerator -format SARIF -f results.sarif -source results.fpr # Custom template ReportGenerator -template DeveloperWorkbook.xml -f custom_report.html -source results.fpr
2. Filter Configuration
<!-- filter.xml --> <Filter xmlns="xmlns://www.fortifysoftware.com/schema/filters"> <FilterGroup name="Security Critical"> <FilterRule action="hide"> <![CDATA[ [severity]:[low] ]]> </FilterRule> <FilterRule action="hide"> <![CDATA[ [confidence]:[low] ]]> </FilterRule> </FilterGroup> <FilterGroup name="False Positives"> <FilterRule action="hide"> <![CDATA[ [folder]:[test] ]]> </FilterRule> <FilterRule action="hide"> <![CDATA[ [file]:[.*Generated.java] ]]> </FilterRule> </FilterGroup> </Filter> <!-- Apply filter --> ReportGenerator -filter filter.xml -f filtered_report.html -source results.fpr
3. Audit Workbench Configuration
# Generate AWB file sourceanalyzer -b myapp -export-build-session buildSession.awb # Import into Audit Workbench auditworkbench -import buildSession.awb
Integration with Security Center
1. SSC Upload
# Upload to Fortify Software Security Center fortifyclient upload -url http://ssc-server:8080/ssc \ -authtoken ssc-token \ -application MyApp \ -applicationVersion 1.0 \ -f results.fpr
2. Maven SSC Integration
<!-- pom.xml -->
<plugin>
<groupId>com.fortify</groupId>
<artifactId>fortify-ssc-maven-plugin</artifactId>
<version>22.2.0</version>
<configuration>
<sscUrl>http://ssc-server:8080/ssc</sscUrl>
<authToken>${ssc.auth.token}</authToken>
<applicationName>MyApp</applicationName>
<applicationVersion>${project.version}</applicationVersion>
<uploadFpr>true</uploadFpr>
</configuration>
</plugin>
3. Quality Gates
# Check quality gate status fortifyclient qualityGate -url http://ssc-server:8080/ssc \ -authtoken ssc-token \ -application MyApp \ -applicationVersion 1.0 \ -f results.fpr
Best Practices
1. Scan Optimization
# Use incremental scanning for faster results sourceanalyzer -b myapp -incremental mvn compile # Parallel analysis for multi-core systems sourceanalyzer -b myapp -Dcom.fortify.sca.Threads=4 mvn compile # Exclude dependencies for faster scanning sourceanalyzer -b myapp -exclude "**/node_modules/**" -exclude "**/bower_components/**" mvn compile
2. Rule Management
# List loaded rules sourceanalyzer -list-rules # Validate custom rules sourceanalyzer -validate-rules CustomRules.xml # Rule debugging sourceanalyzer -b myapp -Dcom.fortify.sca.trace.RuleEngine.Detailed=true mvn compile
3. Performance Tuning
# Large project settings sourceanalyzer -b myapp -Xmx16g -XX:+UseG1GC -Dcom.fortify.sca.EnableIR=true mvn compile # Memory monitoring sourceanalyzer -b myapp -Dcom.fortify.sca.ProfileMemory=true mvn compile
Troubleshooting
1. Common Issues
# Memory issues export FORTIFY_OPTS="-Xmx8g -Xms2g -XX:MaxPermSize=512m" # Classpath issues sourceanalyzer -b myapp -cp "$(mvn dependency:build-classpath -q -Dmdep.outputFile=/dev/stdout)" mvn compile # Encoding issues sourceanalyzer -b myapp -Dfile.encoding=UTF-8 mvn compile
2. Debug Mode
# Enable debug logging sourceanalyzer -b myapp -Dcom.fortify.sca.Debug=true -Dcom.fortify.sca.TraceDir=./trace mvn compile # Verbose output sourceanalyzer -b myapp -verbose mvn compile
Conclusion
Fortify SCA provides:
- Comprehensive security analysis for Java applications
- Custom rule development for organization-specific requirements
- Integration with build tools and CI/CD pipelines
- Detailed vulnerability reporting with remediation guidance
- Enterprise-grade scalability for large codebases
By implementing the configurations and rules shown above, you can create a robust static analysis pipeline that identifies security vulnerabilities early in the development lifecycle, enforces security standards, and improves overall application security posture.
Secure Java Dependency Management, Vulnerability Scanning & Software Supply Chain Protection (SBOM, SCA, CI Security & License Compliance)
https://macronepal.com/blog/github-code-scanning-in-java-complete-guide/
Explains GitHub Code Scanning for Java using tools like CodeQL to automatically analyze source code and detect security vulnerabilities directly inside CI/CD pipelines before deployment.
https://macronepal.com/blog/license-compliance-in-java-comprehensive-guide/
Explains software license compliance in Java projects, ensuring dependencies follow legal requirements (MIT, Apache, GPL, etc.) and preventing license violations in enterprise software.
https://macronepal.com/blog/container-security-for-java-uncovering-vulnerabilities-with-grype/
Explains using Grype to scan Java container images and filesystems for known CVEs in OS packages and application dependencies to improve container security.
https://macronepal.com/blog/syft-sbom-generation-in-java-comprehensive-software-bill-of-materials-for-jvm-applications/
Explains using Syft to generate SBOMs (Software Bill of Materials) for Java applications, listing all dependencies, libraries, and components for supply chain transparency.
https://macronepal.com/blog/comprehensive-dependency-analysis-generating-and-scanning-sboms-with-trivy-for-java/
Explains using Trivy to generate SBOMs and scan Java dependencies and container images for vulnerabilities, integrating security checks into CI/CD pipelines.
https://macronepal.com/blog/dependabot-for-java-in-java/
Explains GitHub Dependabot for Java projects, which automatically detects vulnerable dependencies and creates pull requests to update them securely.
https://macronepal.com/blog/parasoft-jtest-in-java-comprehensive-guide-to-code-analysis-and-testing/
Explains Parasoft Jtest, a static analysis and testing tool for Java that helps detect bugs, security issues, and code quality problems early in development.
https://macronepal.com/blog/snyk-open-source-in-java-comprehensive-dependency-vulnerability-management-2/
Explains Snyk Open Source for Java, which continuously scans dependencies for vulnerabilities and provides automated fix suggestions and monitoring.
https://macronepal.com/blog/owasp-dependency-check-in-java-complete-vulnerability-scanning-guide/
Explains OWASP Dependency-Check, which scans Java dependencies against the National Vulnerability Database (NVD) to detect known security vulnerabilities.
https://macronepal.com/blog/securing-your-dependencies-a-java-developers-guide-to-whitesource-mend-bolt/
Explains Mend (WhiteSource) Bolt for Java, a dependency management and SCA tool that provides vulnerability detection, license compliance, and security policy enforcement in enterprise environments.