SCM Integration

Static Reviewer provides a native Software Configuration Management (SCM) Integration with the following platforms:

  • GIT

  • SubVersion (SVN)

  • Concurrent Versions System (CVS)

  • IBM Rational Team Concert (RTC)

  • Micro Focus PVCS

Other SCM platforms can be used in Static Reviewer as well, directly from inside the tool, through the ALM Integration feature.

Alternatively, when our DevOps plugins are used, the DevOps platform provides the SCM integration, and Static Reviewer or Security Reviewer Software Composition Analysis integrates with it through standard DevOps pipelines.

ALM Process

The ALM feature guarantees the integration between Static Reviewer and:

  • Package Managers: Anaconda, Ant, Cargo, Cocoapods, PHP Composer, Docker, GOdep, GOmod, Gradle, Maven, NPM, NuGet, PackRat, pip, RubyGEM, sbt, Swift Package Manager

  • Software Configuration Management: GIT, SubVersion, CVS, Microsoft TFS, IBM RTC, Micro Focus PVCS, Nexus, CA Harvest

  • Build Managers: Ant, Maven, Gradle

  • Third-party tools: 7Zip, wget, etc.

ALM is an executable process whose purpose is to retrieve the source code, together with all necessary dependencies, and produce a zip file to be analyzed by Static Reviewer.

The process must start by retrieving the source and may end by zipping it. Static Reviewer needs a zip file when the analysis is launched from Team Reviewer, whereas it needs a folder with the unzipped source code and dependencies when the analysis is launched from the command line.

To describe the process, you must use the following Simplified BPEL Executable Processes XML:

The PROCESS section gives the process a description (DES).

The APPLICATION section associates the process with an Application Name, an Application Version and a Working SubDirectory.

The EXECUTABLES section lists all executables involved in the process, each with a Name, a Description, an Executable path (optional, useful on Windows only), the needed Environment Variables (EnvVar, EnvironmentVariables), the Command involving the executable and a Note. Further, a Progressive number indicates the order of execution (1 means it will be executed first), and a Condition determines whether the command runs:

--: no condition. The command will be executed anyway.

OnFailure: the command will be executed only if the previous executable failed.

OnFailureExit: the command will be executed only if the previous executable failed. Once the command has terminated, the process will exit.

OnSuccess: the command will be executed only if the previous executable terminated successfully.

Static Reviewer transforms this simplified XML into the BPEL Executable Processes format and executes it.
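As an added example (not the product's own code or schema), here is a small Python interpreter for the Progressive and Condition rules above: it sorts steps by Progressive, applies the four Condition values, and layers per-step EnvVar entries onto the environment. The XML element and attribute layout, the sample commands, and the injectable `runner` hook are assumptions for illustration; with the default runner, each Command is executed without a shell.

```python
import os
import shlex
import subprocess
import xml.etree.ElementTree as ET

# Constructed sample process: clone, retry on failure, abort if both fail,
# then fetch dependencies and zip. Element/attribute names are assumed.
SAMPLE_XML = """<PROCESS DES="Fetch and zip (constructed sample)">
  <APPLICATION Name="demo-app" Version="1.0" WorkingSubDirectory="demo"/>
  <EXECUTABLES>
    <EXECUTABLE Progressive="1" Name="clone" Condition="--"
      Command="git clone https://example.invalid/demo.git src">
      <EnvVar Name="GIT_TERMINAL_PROMPT" Value="0"/>
    </EXECUTABLE>
    <EXECUTABLE Progressive="2" Name="retry" Condition="OnFailure"
      Command="git clone --depth 1 https://example.invalid/demo.git src"/>
    <EXECUTABLE Progressive="3" Name="abort" Condition="OnFailureExit"
      Command="echo clone failed twice"/>
    <EXECUTABLE Progressive="4" Name="deps" Condition="OnSuccess"
      Command="mvn -q -f src/pom.xml dependency:copy-dependencies"/>
    <EXECUTABLE Progressive="5" Name="zip" Condition="OnSuccess"
      Command="7z a demo.zip src"/>
  </EXECUTABLES>
</PROCESS>"""

def default_runner(command, env):
    """Run one Command without a shell, so config text is never shell-parsed."""
    return subprocess.run(shlex.split(command), env=env).returncode == 0

def run_process(xml_text, runner=default_runner):
    """Execute the EXECUTABLE steps in Progressive order, honouring Condition.
    Returns (names of steps actually run, overall success)."""
    root = ET.fromstring(xml_text)
    steps = sorted(root.iter("EXECUTABLE"), key=lambda e: int(e.get("Progressive")))
    executed, prev_ok = [], True  # nothing has failed before the first step
    for step in steps:
        cond = step.get("Condition", "--")
        if cond == "OnSuccess" and not prev_ok:
            continue  # skipped steps leave the previous result untouched (assumption)
        if cond in ("OnFailure", "OnFailureExit") and prev_ok:
            continue
        env = dict(os.environ)  # per-step Environment Variables on top of the caller's
        for var in step.findall("EnvVar"):
            env[var.get("Name")] = var.get("Value")
        executed.append(step.get("Name"))
        prev_ok = runner(step.get("Command"), env)
        if cond == "OnFailureExit":
            return executed, False  # the process exits once the handler has run
    return executed, prev_ok
```

Passing a custom `runner` (as the tests below do) lets you dry-run a process definition and check which steps would fire before letting it touch a real repository.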

Any other task type beyond SCM can be configured in the ALM workflow, including:

COPYRIGHT (C) 2015-2024 SECURITY REVIEWER SRL. ALL RIGHTS RESERVED.