Using the Static Analyzer Command Line Utility

The Static Analyzer Command Line Utility (SAClientUtil) is used to generate an IRX file that can be scanned in AppScan on Cloud or AppScan 360°. The appscan.sh prepare command is supported for use with AppScan 360° Static Analysis.

What is an IRX file?

An IRX file is a secure, encrypted zip archive that contains the information necessary to run a full static analysis of your program. By default it is encrypted at rest when it is created (see the -ne option below for the unencrypted form required by AppScan 360° SAST), and it is protected in transit to the cloud by SSL/TLS.

Internally, an IRX archive contains these files and artifacts:

  • A proprietary, obfuscated representation of your deployable program artifacts, built from your source code or build output (for example, Java bytecode or .NET MSIL). To learn which languages are supported for static analysis scans, see System requirements for static analysis.
  • Any runtime script files that are deployed with your program and can be analyzed for security vulnerabilities (for example, .js (JavaScript) or .rb (Ruby) files).
  • Static Analyzer configuration files that describe the application or project hierarchy and relationships or dependencies of your program. This allows for accurate and complete security analysis across project boundaries within your application.
  • Static Analyzer log files generated during the creation of the archive (for diagnostics and support).

Generating IRX files

Use appscan.sh prepare (or the equivalent Windows launcher script with the same arguments) to generate an IRX file.

Syntax:

appscan.sh prepare -c <configuration_file> -d <save_path> -jdk <jdk_path> -l <log_path> -n <file_name> -v,--verbose -X,--debug

Description:

Generate an IRX file.

Note: When you scan code or generate an IRX file, you might receive a message about updating to the latest Static Analyzer Command Line Utility. The message will provide guidance for updating or declining to update.

Optional flags/settings:

  • -acceptssl: Accept the use of an untrusted certificate.
    Note: This setting can be used with all SAClientUtil commands.
  • -c: Specify -c <configuration_file>, where <configuration_file> is a scan configuration file that defines the targets and settings for the scan.

  • -d: Specify -d <save_path>, where <save_path> is the directory that you want to save the IRX file to.

  • -dr, --dryrun: Specify -dr or --dryrun to discover and validate scan targets, but not generate an .irx file.

  • -jdk: Specify -jdk <jdk_path> to indicate the path to the JDK installation to use in place of the default JDK 11. If you also use a configuration file (-c <configuration_file>) that sets the jdk_path attribute, the value in the configuration file takes precedence.

  • -l: Specify -l <log_path>, where <log_path> is the directory that you want to save the log files to.

  • -n: Specify -n <file_name>, where <file_name> is the IRX file name. You can specify the file name with or without the .irx file extension. If you specify it without the extension, it is automatically added for you when the file is generated.

  • -ne: Specify -ne to prepare the IRX file unencrypted.
    Note: When using AppScan 360° SAST, the IRX file must be unencrypted.
  • -s: Specify -s <value> to indicate scan speed and depth, where <value> is either simple, balanced, deep, or thorough.
    • A simple scan performs a surface-level analysis of your files to identify the most pressing issues for remediation. It takes the least amount of time to complete.
    • A balanced scan provides a medium level of detail on the analysis and identification of security issues, and takes a bit more time to complete than the 'Simple' scan.

    • A deep scan performs a more complete analysis of your files to identify vulnerabilities, and usually takes longer to complete.

    • A thorough scan performs a comprehensive analysis to identify the most comprehensive list of vulnerabilities and will take the longest time to complete.

      Note: Scan speed does not necessarily correlate to relative number of vulnerabilities found in the code. For example, thorough analysis may rule out false positives that might be reported in a simple scan and therefore report fewer vulnerabilities.
      Note: This optional parameter is case-sensitive. When no scan speed is specified, the Client Utility performs a deep scan as a default.
  • -sco, --sourceCodeOnly: Specify -sco or --sourceCodeOnly to scan only source code files. This setting disables scanning other supported file types, such as .dll, .exe, .jar, .war, .sln, and others.

    Source code-only scans are useful when you only have access to the source code, you want to run a faster scan, or you prefer speed over depth of scan. Choose alternate scan options if you only have access to the build outputs, or if you prefer depth of scan over speed.

    Note: See Static analysis language support for a list of included source code-only file types.
  • -t, --thirdParty: By default, third-party Java and .NET code is not scanned during IRX file generation. You can modify third-party code exclusion settings by following the instructions in Managing third-party Java and .NET exclusions. To include third-party code, specify the -t or --thirdParty option when you issue the prepare command.

    If you are a developer of third-party code that would normally be excluded in a scan, you should use the setting to include the third-party code.

  • -v,--verbose: Specify -v or --verbose to display more informational output during IRX file generation.

  • -X,--debug: Specify -X or --debug to run the entire command in debug mode. When run in debug mode, more log files are generated for troubleshooting.

Tip: For all commands, options can be used in any order.

Examples:

To generate an unencrypted IRX file that uses the configuration file c:\my_config_files\my_config.xml and saves the IRX file as c:\my_irx_files\my_scan.irx, issue this command (-d takes the directory and -n the file name; -ne takes no value):

appscan.sh prepare -c c:\my_config_files\my_config.xml -d c:\my_irx_files -n my_scan.irx -ne
Note: When using AppScan 360° Static Analysis, the IRX file must be unencrypted.
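As an added example (not code from the AppScan documentation or from SAClientUtil itself), the following POSIX sh wrapper assembles a prepare invocation for use in a CI job: it rejects a scan speed that is not one of the four documented case-sensitive values, normalizes the .irx extension, checks an optional -jdk path, adds -ne only when the target is AppScan 360°, and performs a -dr dry run before the real prepare. The function names, the cloud/360 target selector and the APPSCAN_BIN variable are this example's own assumptions; the flags it emits are the ones documented above.

```shell
#!/bin/sh
# Added example, not from the AppScan documentation or SAClientUtil itself:
# a POSIX sh wrapper that builds and validates an `appscan.sh prepare`
# argument list before the utility is invoked (for example from a CI job).
# Function names, the cloud/360 target selector and APPSCAN_BIN are this
# example's own assumptions; the flags themselves are the documented ones.

# -s is case-sensitive (the documentation notes this), so "Deep" is rejected.
valid_speed() {
  case "$1" in
    simple|balanced|deep|thorough) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the prepare arguments, one per line, so the caller can rebuild "$@"
# without re-splitting paths that contain spaces.
#   build_prepare_args <config.xml> <save_dir> <irx_name> <speed> <target> [jdk_path]
#   <target> is "cloud" (encrypted IRX, the default behaviour) or "360"
#   (adds -ne, because AppScan 360° SAST requires an unencrypted IRX).
build_prepare_args() {
  config=$1; save_dir=$2; name=$3; speed=$4; target=$5; jdk=${6:-}
  if ! valid_speed "$speed"; then
    echo "invalid scan speed '$speed': use simple, balanced, deep or thorough (case-sensitive)" >&2
    return 1
  fi
  case "$target" in
    cloud|360) ;;
    *) echo "unknown target '$target': use cloud or 360" >&2; return 1 ;;
  esac
  if [ -n "$jdk" ] && [ ! -d "$jdk" ]; then
    echo "JDK path '$jdk' is not a directory" >&2
    return 1
  fi
  # The utility appends .irx itself when it is missing; normalising here keeps
  # the name predictable for later steps that upload or archive the file.
  case "$name" in *.irx) ;; *) name="$name.irx" ;; esac
  printf '%s\n' prepare -c "$config" -d "$save_dir" -n "$name" -s "$speed"
  [ -n "$jdk" ] && printf '%s\n' -jdk "$jdk"
  [ "$target" = "360" ] && printf '%s\n' -ne
  return 0
}

# Run a dry run (-dr discovers and validates targets without writing an .irx)
# and, only if that succeeds, the real prepare. APPSCAN_BIN points at
# appscan.sh; when it is unset or not on PATH the commands are only printed,
# so the wrapper is still usable on a machine without SAClientUtil.
run_prepare() {
  bin=${APPSCAN_BIN:-appscan.sh}
  args=$(build_prepare_args "$@") || return 1
  # Rebuild the positional parameters from the newline-separated list.
  oldifs=$IFS; IFS='
'
  set -f; set -- $args; set +f; IFS=$oldifs
  if command -v "$bin" >/dev/null 2>&1; then
    "$bin" "$@" -dr && "$bin" "$@"
  else
    echo "would run: $bin $* -dr"
    echo "would run: $bin $*"
  fi
}

# usage: APPSCAN_BIN=/opt/SAClientUtil/bin/appscan.sh \
#   run_prepare ./my_config.xml ./irx_out my_scan deep 360
```

Because the argument list is printed one item per line and re-split on newlines only, a save directory such as "C:\Build Output" survives intact; the wrapper deliberately keeps the dry run and the real run as separate invocations, since -dr suppresses IRX generation.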