Home
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Scanning for security vulnerabilities
To scan source code for security vulnerabilities, follow the steps in these topics.
Software Composition Analysis (SCA) testing
Software Composition Analysis (SCA) locates and analyzes open source and third-party packages used by your code. SCA, sometimes refered to as open source testing, aggregates information from a variety of sources, constantly monitoring for new vulnerabilities in an automated process that keeps our information up-to-date daily. Sources include the most popular security vulnerability databases (NVD, Github advisory, Microsoft MSRC), and a wide range of lesser-known security advisories and open source project issue trackers.

Welcome
Welcome to the documentation for HCL AppScan on Cloud.
Getting started
Security is about protecting your valuable assets. Some of the most important assets your organization owns are in the form of information, such as intellectual property, strategic plans, and customer data. Protecting this information is critical for your organization to continue to operate, be competitive, and meet regulatory requirements.
Navigation
This section describes the items on the main ASoC menu bar, and links to more detailed information.
Administration
Define users, applications, policies, and configure DevOps integrations.
DAST
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
IAST
Using an agent installed on your application, ASoC identifies security vulnerabilities in your app during runtime, by monitoring all interactions, both legitimate and malicious. The process is "passive", in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
- System requirements for static analysis
  This section describes the supported operating systems and the types of files, locations, and projects that can be scanned by ASoC when you perform static analysis.
- Scanning for security vulnerabilities
  To scan source code for security vulnerabilities, follow the steps in these topics.
  - Configure a scan in AppScan on Cloud
  - Configuring a scan using AppScan Go!
    Use AppScan Go! to configure a static scan. You can then run the scan in the cloud or use a plugin to automate scanning.
  - Generating an IRX file using the command-line interface (CLI)
    To be able to initiate an analysis of your files, you must generate an IRX file that you submit to the cloud. If you want to use the CLI, follow these instructions for creating that file.
  - Generating in IRX file using a plugin or IDE
  - Software Composition Analysis (SCA) testing
    Software Composition Analysis (SCA) locates and analyzes open source and third-party packages used by your code. SCA, sometimes refered to as open source testing, aggregates information from a variety of sources, constantly monitoring for new vulnerabilities in an automated process that keeps our information up-to-date daily. Sources include the most popular security vulnerability databases (NVD, Github advisory, Microsoft MSRC), and a wide range of lesser-known security advisories and open source project issue trackers.
  - Static analysis integrations
  - Submitting HCL AppScan Source assessments to the Cloud for analysis
    If you have a subscription to HCL AppScan on Cloud, you can submit AppScan Source assessments for analysis there. Assessments from AppScan Source Versions 9.0 or higher are supported - and the number of scans that you can submit depends on your AppScan on Cloud subscription.
  - Static analysis scan results
    This topic describes the features available in static analysis scan results.
- Sample apps and scripts
  Use these sample applications to practice scanning with ASoC.
- Troubleshooting static analysis
  If you experience problems with static analysis, you can perform these troubleshooting tasks to determine the corrective action to take.
Results
The Scan History tab of your application displays your scan results (including scan statistics) and rescan options.
Troubleshooting
If you experience problems with this service, you can perform these troubleshooting tasks to determine the corrective action to take.
FAQ & Reference
Frequently asked questions, information about integrating ASoC into the product lifecycle (SDLC), and ASoC API documentation.

Software Composition Analysis (SCA) testing

Software Composition Analysis (SCA) locates and analyzes open source and third-party packages used by your code. SCA, sometimes refered to as open source testing, aggregates information from a variety of sources, constantly monitoring for new vulnerabilities in an automated process that keeps our information up-to-date daily. Sources include the most popular security vulnerability databases (NVD, Github advisory, Microsoft MSRC), and a wide range of lesser-known security advisories and open source project issue trackers.

SCA requires a specific ASoC Open Source Analyzer subscription. When you have a valid subscription, open source testing is generated by itself or is automatically included in Static analysis scans when Static analysis entitlements also exist. It does the following:

Locates open source packages in your code. To ensure that ASoC collects only data for open source testing, use the -openSourceOnly option with appscan prepare (not available from Eclipse).
Identifies open source packages known to be vulnerable.
Suggests remediation for the vulnerable packages.

Results are included in Static Analysis or Open Source reports and in your ASoC portal.

Note: When you use the -oso or -openSourceOnly option with appscan prepare, you may encounter the message, "The prepare operation only found opensource file types, must include other scan file types."

Supported source files types, by extension, are .c, .cc, .cpp, .dll, .ear, .egg, .go, .h, .hpp, .jar, .java, .js, .php, .py, .war.

For additional information, see Static analysis.