Open source testing

Open source testing locates and analyzes open source packages in your code. Our Software Composition Analysis (SCA) aggregates information from a variety of sources, constantly monitoring for new vulnerabilities in an automated process that keeps our information up-to-date daily. Sources include the most popular security vulnerability databases (NVD, GitHub Advisory, Microsoft MSRC) and a wide range of lesser-known security advisories and open source project issue trackers.

Open source testing requires a specific HCL AppScan on Cloud Open Source Analyzer subscription. When you have a valid subscription, open source testing can be run on its own, or it is automatically included in Static analysis scans when Static analysis entitlements also exist. It does the following:
  1. Locates open source packages in your code. To ensure that Application Security on Cloud collects only data for open source testing, use the -openSourceOnly option with appscan prepare (not available from Eclipse).
  2. Identifies open source packages known to be vulnerable.
  3. Suggests remediation for the vulnerable packages.
Results are included in Static Analysis or Open Source reports and in your AppScan on Cloud portal.
Note: When you use the -oso or -openSourceOnly option with appscan prepare, you may encounter the message, "The prepare operation only found opensource file types, must include other scan file types."

Supported source file types, by extension, are .c, .cc, .cpp, .dll, .ear, .egg, .go, .h, .hpp, .jar, .java, .js, .php, .py, .war.

There are known issues with open source scanning for some file types: .go and .php.
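As an added example (not part of the HCL AppScan product or its documentation), the POSIX shell pre-flight below inventories a project directory against the extension list above and flags the file types this page names as having known issues, so you know before running appscan prepare whether the tree contains anything the open source scan will pick up. The extension lists come from this page; the function names and the directory argument are assumptions for illustration, and the script prints the prepare command rather than invoking appscan itself.

```shell
#!/bin/sh
# Pre-flight inventory for an AppScan on Cloud open source scan.
# Added example, not HCL AppScan code. It does not run appscan; it only
# reports which files under a directory match the supported extension list.

# Extension lists taken from the documentation above.
SUPPORTED_EXT="c cc cpp dll ear egg go h hpp jar java js php py war"
KNOWN_ISSUE_EXT="go php"

# count_supported DIR -> number of regular files under DIR with a supported extension
count_supported() {
  dir="$1"
  n=0
  for ext in $SUPPORTED_EXT; do
    c=$(find "$dir" -type f -name "*.$ext" | wc -l | tr -d ' ')
    n=$((n + c))
  done
  echo "$n"
}

# list_known_issue DIR -> space-separated known-issue extensions actually present under DIR
list_known_issue() {
  dir="$1"
  out=""
  for ext in $KNOWN_ISSUE_EXT; do
    if [ -n "$(find "$dir" -type f -name "*.$ext" | head -n 1)" ]; then
      out="$out .$ext"
    fi
  done
  echo "$out" | sed 's/^ //'
}

# preflight DIR -> prints a summary and the next command; returns 1 when there is nothing to scan
preflight() {
  dir="$1"
  total=$(count_supported "$dir")
  issues=$(list_known_issue "$dir")
  echo "supported files found under $dir: $total"
  if [ -n "$issues" ]; then
    echo "note: file types with known open source scanning issues are present: $issues"
  fi
  if [ "$total" -eq 0 ]; then
    echo "nothing to scan: no supported file types under $dir"
    return 1
  fi
  echo "next: run 'appscan prepare -openSourceOnly' from the project directory"
  return 0
}

# Usage (assumed project path): preflight ./my-project
```

Run `preflight <project-dir>` before preparing the IRX; a zero count is the situation in which the prepare step has nothing open source to collect, and the known-issue note tells you when results for .go or .php files need extra scrutiny.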

For additional information, see Static (SAST) scanning.