ForgeRock Code Scanning policy
The purpose of this article is to provide details of the Code Scanning Policy that applies to ForgeRock software.
5 readers recommend this article
Code scanning policy details
ForgeRock take the quality and security of our codebase very seriously. To that end, prior to each release we scan our codebase using industry recognized tools to detect issues and strive to ensure our code meets the high standards expected from us by our customers.
The nature of the issues discovered by automated code scanning reports vary from the occasional real security or quality issue to ‘false positives’ that are flagged by the automatic scanners that lack context. The engineering team review the report and ensure that all Very High / High issues are understood and, to the extent they represent actual issues, are addressed in accordance within our standard development processes. Issues that fall into the aforementioned categories are typically resolved before the actual release. Medium / Low issues are processed similarly; but many will fall into categories where they do not present security issues, but are an integral part of the product. Therefore only Medium / Low issues that actually present as a problem are flagged for resolution in a future maintenance release of the product.
ForgeRock products are often customized by our customers and some customers choose to run similar code quality scans against both their custom code and our codebase. If a customer code quality report contains issues that contain ForgeRock code; ForgeRock may reasonably cooperate with the customer to investigate provided the customer discloses the entire detailed report to ForgeRock. Customers should raise a ticket in the support system with the following priority levels in accordance with the support policies.
| Code Quality Severity Level | Corresponding ForgeRock ticket priority |
|---|---|
| Very High / High | P2 |
| Medium | P3 |
| Low / Very Low / Informational | P4 |
For any P2 tickets; ForgeRock will assess and look to resolve the issue, if required, in the normal manner of support. For P3 and P4 tickets they will be assessed and any required resolution shall be prioritized based on its severity. If as a result of the assessment ForgeRock decides that there is a real issue, the resolution to said issue will be flagged for inclusion in a future release.
As discussed previously, often P3 / P4 issues are false positives and therefore ForgeRock reserves the right to limit the number of P3 / P4 issues that we will review through our standard support channel.
Note
To expedite the process around managing your code scanning report, if you determine the contents of your code scanning report will result in greater than 3 tickets then please open a single ticket with the priority matching that of your highest level of severity and attach the report to the ticket. ForgeRock support will make an assessment based on the number of incidents in the report as to whether we can proceed via support tickets or a paid for review exercise will be required.
ForgeRock periodically run code quality reports on our codebase and ensure all issues are resolved based on the severity. If a customer requests that ForgeRock provide a detailed response on each issue found in their code quality report or we decide the number of issues in the code scanning report that require analysis is excessive; the code scanning task will become a paid for exercise. The entry level price is $25,000, the actual price charged will depend on the size and complexity of the report provided. Any customer looking to purchase this service should contact their account representative or contact sales@forgerock.com.