Open source testing

Open source testing locates and analyzes open source packages in your code.

Open source testing requires a specific HCL AppScan on Cloud Open Source Analyzer subscription. With a valid subscription, open source testing runs on its own or is automatically included in Static analysis scans when Static analysis entitlements also exist. It does the following:
  1. Locates open source packages in your code. To ensure that Application Security on Cloud collects only data for open source testing, use the -openSourceOnly option with appscan prepare (not available from Eclipse).
  2. Identifies open source packages known to be vulnerable.
  3. Suggests remediation for the vulnerable packages.
Results are included in Static Analysis or Open Source reports and in your AppScan on Cloud portal.
Note: When you use the -oso or -openSourceOnly option with appscan prepare, you may encounter the message, "The prepare operation only found opensource file types, must include other scan file types."

Supported binary file types, by extension, are .jar, .war, .ear, .aar, .dll, .exe, .tar, .gz, .egg, .whl, .rpm, .drpm, .bz2, .tgz, .deb, .udeb, .gzip, .gem, .swf, .swc, .so, .ko, .a, .ar, .dmg, .msi, .air, and .apk.

Supported source file types, by extension, are .c, .cc, .cp, .cpp, .cxx, .c++, .goc, .h, .hh, .pch, .h++, .m, .mm, .c#, .cs, .csharp, .js, .py, .rb, .swift, .java, .clj, .cljx, and .cljs.

Open source scanning has known issues with the following file types: .go and .php.
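Before running appscan prepare with -oso or -openSourceOnly, it is useful to know whether a project tree actually contains files the open source analyzer inspects, and which files fall into the known-issue types. The following Python script is an added example and is not part of AppScan on Cloud or this page: it walks a directory, classifies each file against the binary and source extension lists above, counts the known-issue types separately, and reports whether anything scannable was found. The sample project it builds in a temporary directory is constructed for the demonstration; the script does not invoke the appscan CLI.

```python
import os
import tempfile
from collections import Counter

# Extension lists as given on this page: binary and source types the open
# source analyzer inspects, plus the two types listed as having known issues.
BINARY_EXTS = {".jar", ".war", ".ear", ".aar", ".dll", ".exe", ".tar", ".gz",
               ".egg", ".whl", ".rpm", ".drpm", ".bz2", ".tgz", ".deb", ".udeb",
               ".gzip", ".gem", ".swf", ".swc", ".so", ".ko", ".a", ".ar",
               ".dmg", ".msi", ".air", ".apk"}
SOURCE_EXTS = {".c", ".cc", ".cp", ".cpp", ".cxx", ".c++", ".goc", ".h", ".hh",
               ".pch", ".h++", ".m", ".mm", ".c#", ".cs", ".csharp", ".js",
               ".py", ".rb", ".swift", ".java", ".clj", ".cljx", ".cljs"}
KNOWN_ISSUE_EXTS = {".go", ".php"}


def classify(path):
    """Return 'binary', 'source', 'known-issue' or 'other' for one file name.

    Only the last extension is considered, so an archive such as
    dist/bundle.tar.gz is matched on '.gz'. Matching is case-insensitive.
    """
    ext = os.path.splitext(path)[1].lower()
    if ext in BINARY_EXTS:
        return "binary"
    if ext in SOURCE_EXTS:
        return "source"
    if ext in KNOWN_ISSUE_EXTS:
        return "known-issue"
    return "other"


def inventory(root):
    """Walk root; return per-category counts and the known-issue files."""
    counts = Counter()
    known_issue = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            category = classify(name)
            counts[category] += 1
            if category == "known-issue":
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                known_issue.append(rel.replace(os.sep, "/"))
    return counts, sorted(known_issue)


def has_scannable_input(counts):
    """True when the tree holds at least one binary or source file the
    analyzer inspects; False means a prepare run has nothing to pick up."""
    return counts["binary"] + counts["source"] > 0


def build_sample_tree(root):
    """Constructed sample project (hypothetical names; contents are empty,
    since only the file names matter for this inventory)."""
    files = ["app.jar", "lib/helper.py", "lib/native.so", "vendor/server.go",
             "web/index.php", "README.md", "dist/bundle.tar.gz"]
    for rel in files:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    return files


def demo():
    """Build the sample tree, inventory it, and return the plain results."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        counts, issues = inventory(root)
        return dict(counts), issues


if __name__ == "__main__":
    counts, issues = demo()
    for category in ("binary", "source", "known-issue", "other"):
        print(f"{category:12s} {counts.get(category, 0)}")
    print("known-issue files:", ", ".join(issues) or "none")
    print("scannable input present:", has_scannable_input(Counter(counts)))
```

Run it against a real checkout by replacing the demo call with inventory on the project directory. If has_scannable_input is False, there is nothing for the analyzer to examine, and any .go or .php files it lists should be treated as possibly missed by the scan rather than as covered.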

For additional information, see Static (SAST) scanning.