We’re excited about the new integration with the Sonatype OSS Index. The integration allows software developers, security engineers and DevOps engineers to perform source code scanning and open source component analysis in one tool rather than in multiple tools. To take advantage of this new feature, customers need to complete the steps below.
Let’s get started!
Once you’ve registered for a free Sonatype OSS Index Account, an API Token can be generated or regenerated in your Sonatype OSS Index account at: User Settings
Please Note! If your Puma Scan Professional License is part of an Organization, please contact the Organization Owner or Manager to perform this step. With Puma Scan Organizations, the Sonatype OSS Index integration is managed at the Organization level, so the Organization performs this step once to enable the integration for all of its Members. Once your Organization Owner or Manager has completed this step, continue to the “refresh your license” step below.
After you’ve created your Sonatype OSS Index account and generated an API Token, visit the Puma Scan Customer Portal to provide Puma Scan Professional with your Sonatype OSS Index Information.
Please note: If you choose to opt out of the integrations, please click the X. This will inform the Puma Scan Professional products that you don’t want to enable the Sonatype OSS Index feature.
The Integrations page is where you can opt in to the Sonatype OSS Index feature.
Once the Sonatype OSS Index integration is enabled for your account or Organization, refresh your Puma Scan Professional product licenses.
To refresh your license in Visual Studio 2017 or 2019, visit the Activate License menu item in the Puma Scan extension menu. Click the Choose New License link button and follow the dialog prompts. Once the license has been refreshed, restart Visual Studio.
The Puma Scan Professional Activate License dialog in Visual Studio.
To refresh your license in VS Code, execute the Puma Scan: Activate License command from the Command Palette, or from the ellipsis (…) menu in the upper right-hand corner of VS Code once a document is loaded.
The Puma Scan Professional Activate License dialog in VS Code.
To refresh your Puma Scan Professional Server Edition license, download a new copy of the license file from the Puma Scan Customer Portal Licenses page. Next, place the file in the appropriate location. Please note: The default license file location is %appdata%/PumaSecurity/PumaScan. However, you can select a different location, as your build pipeline may use a custom location.
To refresh your Puma Scan Professional Azure DevOps Edition license, please visit the Licenses page on the Puma Scan Customer Portal. Select the Copy License To Clipboard button next to the appropriate Azure DevOps Edition license entry.
The Copy License to Clipboard button.
Back in Azure DevOps, select the pipeline you would like to update and modify the value of the variable called PumaLicense with the value that is currently copied to your Clipboard. Once updated, save the pipeline.
The Azure DevOps Pipelines Variables tab.
Now that your products have an updated license, perform a new scan to ensure that the Sonatype OSS Index capabilities are working. Currently, Puma Scan Professional supports scanning dependencies defined in .csproj files. Support for scanning package.json files will be added in a future release.
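To make the component-analysis step concrete, here is an added example (not Puma Scan’s or Sonatype’s code) that walks the same path the scanner takes for a .csproj: collect the PackageReference entries, turn them into package-url coordinates, batch them into component-report requests for Sonatype OSS Index, and reduce the returned report to the components that carry findings. The endpoint, HTTP Basic authentication with account e-mail and API Token, the 128-coordinate batch limit and the response fields are assumed from Sonatype’s public OSS Index REST API documentation rather than taken from this page; the project file and the report below are constructed samples, and the finding identifiers in them are placeholders. As on the page, only .csproj input is handled, not package.json.

```python
"""Added example: NuGet dependency extraction and OSS Index component-report handling."""
import base64
import json
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple
from urllib.request import Request, urlopen

# Assumed from Sonatype's public OSS Index REST API documentation (not from the page).
OSS_INDEX_URL = "https://ossindex.sonatype.org/api/v3/component-report"
MAX_COORDINATES_PER_REQUEST = 128  # assumed per-request limit of the API

# Constructed sample project file (not from the page). It mixes the Version=""
# attribute, a <Version> child element and an unexpanded MSBuild property.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup>
    <TargetFramework>netcoreapp3.1</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="12.0.1" />
    <PackageReference Include="Microsoft.Data.SqlClient">
      <Version>1.0.19269.1</Version>
    </PackageReference>
    <PackageReference Include="Serilog" Version="$(SerilogVersion)" />
    <ProjectReference Include="..\\Shared\\Shared.csproj" />
  </ItemGroup>
</Project>
"""

# Constructed sample response in the assumed report shape; placeholder ids, not real findings.
SAMPLE_REPORT = [
    {"coordinates": "pkg:nuget/Example.Clean@1.0.0", "vulnerabilities": []},
    {"coordinates": "pkg:nuget/Example.Package@1.0.0",
     "vulnerabilities": [
         {"id": "EXAMPLE-0001", "title": "constructed finding A", "cvssScore": 7.5},
         {"id": "EXAMPLE-0002", "title": "constructed finding B", "cvssScore": 4.3}]},
]


def _local(tag: str) -> str:
    """Strip the XML namespace older MSBuild project files put on every element."""
    return tag.split("}")[-1]


def parse_package_references(csproj_xml: str) -> List[Tuple[str, Optional[str]]]:
    """Return (package id, version) for every PackageReference, in document order."""
    refs = []
    for el in ET.fromstring(csproj_xml).iter():
        if _local(el.tag) != "PackageReference" or not el.get("Include"):
            continue
        version = el.get("Version")
        if version is None:  # version may also be given as a child element
            for child in el:
                if _local(child.tag) == "Version":
                    version = (child.text or "").strip()
        refs.append((el.get("Include"), version))
    return refs


def to_coordinates(refs: List[Tuple[str, Optional[str]]]) -> Tuple[List[str], List[str]]:
    """Build package-url coordinates (pkg:nuget/<id>@<version>).

    A missing version or an unexpanded property such as $(SerilogVersion) cannot be
    looked up, so those package ids are returned separately for the operator to resolve.
    """
    coords, unresolved = [], []
    for name, version in refs:
        if not version or version.startswith("$("):
            unresolved.append(name)
        else:
            coords.append(f"pkg:nuget/{name}@{version}")
    return coords, unresolved


def build_report_requests(coords: List[str], email: Optional[str] = None,
                          token: Optional[str] = None) -> List[Dict]:
    """One request per batch of coordinates; authenticated when an e-mail and API Token are given."""
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    if email and token:
        cred = base64.b64encode(f"{email}:{token}".encode()).decode()
        headers["Authorization"] = f"Basic {cred}"
    return [{"url": OSS_INDEX_URL, "headers": headers,
             "json": {"coordinates": coords[i:i + MAX_COORDINATES_PER_REQUEST]}}
            for i in range(0, len(coords), MAX_COORDINATES_PER_REQUEST)]


def send(req: Dict) -> List[Dict]:
    """Perform one request (network call; not exercised in the offline demo below)."""
    r = Request(req["url"], data=json.dumps(req["json"]).encode(),
                headers=req["headers"], method="POST")
    with urlopen(r, timeout=30) as resp:
        return json.load(resp)


def summarize(report: List[Dict], min_cvss: float = 0.0) -> List[Tuple[str, float, int]]:
    """(coordinates, highest CVSS score, number of findings) for each component with
    at least one finding scoring min_cvss or higher, highest risk first."""
    rows = []
    for comp in report:
        vulns = [float(v.get("cvssScore", 0)) for v in comp.get("vulnerabilities", [])]
        vulns = [s for s in vulns if s >= min_cvss]
        if vulns:
            rows.append((comp["coordinates"], max(vulns), len(vulns)))
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    coords, unresolved = to_coordinates(parse_package_references(SAMPLE_CSPROJ))
    print("lookup:", coords, "unresolved:", unresolved)
    print("requests:", len(build_report_requests(coords, "user@example.com", "API_TOKEN")))
    for row in summarize(SAMPLE_REPORT, min_cvss=7.0):  # offline: summarize the constructed report
        print(row)
```

Run it as-is to see the offline flow; to query the real service, pass the output of build_report_requests to send with your own OSS Index e-mail and API Token. The unresolved list is worth surfacing in a pipeline: a dependency whose version comes from a property the scanner cannot expand silently drops out of the analysis otherwise.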
Puma Scan Professional End User Edition reporting vulnerabilities powered by Sonatype OSS Index.