Configuration commands (Linux and macOS)

Use configuration commands to prepare your files for scanning.

appscan.sh prepare

Syntax:

appscan.sh prepare -c <configuration_file> -d <save_path> -dr, --dryrun -es, --enableSecrets -jdk <jdk_path> -l <log_path> -n <file_name> -oso, --openSourceOnly -s <value> -sao -sco, --sourceCodeOnly -so, --secretsOnly -t, --thirdParty -v, --verbose -X, --debug

Description:

Generate an IRX file.

Note: When you scan code or generate an IRX file, you might receive a message about updating to the latest Static Analyzer Command Line Utility. See Command Line Utility (CLI) support.

Optional flags/settings:

  • -c: Specify -c <configuration_file>, where <configuration_file> is the scan configuration file that controls how the scan is prepared.
  • -d: Specify -d <save_path>, where <save_path> is the directory that you want to save the IRX file to.
  • -dr, --dryrun: Specify -dr or --dryrun to discover and validate scan targets, but not generate an .irx file.
  • -es, --enableSecrets: Specify -es or --enableSecrets to enable scanning for secrets. Secrets scanning is disabled by default.
  • -jdk: Specify -jdk <jdk_path> to indicate the path to your JDK installation to be used in lieu of the default JDK 17. If using a config file (-c <configuration_file>) and the jdk_path attribute is used, the value specified in the config file takes precedence.
  • -l: Specify -l <log_path>, where <log_path> is the directory that you want to save the log files to.
  • -n: Specify -n <file_name>, where <file_name> is the IRX file name. You can specify the file name with or without the .irx file extension. If you specify it without the extension, it is automatically added for you when the file is generated.
  • -oso, --openSourceOnly: Specify -oso or --openSourceOnly to look only for known vulnerabilities in SCA packages. When -oso or --openSourceOnly is specified, AppScan on Cloud does not perform static analysis on the package.
    Note: When a user has an Open Source license, SCA analysis is part of a static scan by default. This option limits analysis to SCA vulnerabilities. Users must have an Open Source license to take advantage of SCA-only analysis.
  • -s: Specify -s <value> to indicate scan speed and depth, where <value> is either simple, balanced, deep, or thorough. Scan speeds specified through the command line correspond to scan speeds that can be chosen in AppScan Go!
    • A simple scan performs a surface-level analysis of your files to identify the most pressing issues for remediation. It takes the least amount of time to complete.
    • A balanced scan provides a medium level of detail on the analysis and identification of security issues, and takes a bit more time to complete than the 'Simple' scan.
    • A deep scan performs a more complete analysis of your files to identify vulnerabilities, and usually takes longer to complete.
    • A thorough scan performs a comprehensive analysis to identify the most comprehensive list of vulnerabilities and will take the longest time to complete.
      Note: Scan speed does not necessarily correlate to relative number of vulnerabilities found in the code. For example, thorough analysis may rule out false positives that might be reported in a simple scan and therefore report fewer vulnerabilities.
    Note: This optional parameter is case-sensitive. When no scan speed is specified, the Client Utility performs a deep scan as a default.
  • -sao: Specify -sao to perform static analysis only. When -sao is specified, AppScan on Cloud does not perform open source analysis on the package.
  • -sco, --sourceCodeOnly: Specify -sco or --sourceCodeOnly to scan only source code files. This setting disables scanning other supported file types, such as .dll, .exe, .jar, .war, and others.

    Source-code only scans are useful when you only have access to the source code, you want to run a faster scan, or you prefer speed over depth of scan. Choose alternate scan options if you only have access to the build outputs, or if you prefer depth of scan over speed.

    Note: See Static Analysis Language Support for a list of included source code-only file types.
  • -so, --secretsOnly: Specify -so or --secretsOnly to perform only secrets scanning on the source code; no other static analysis is run. Secrets scanning is disabled by default.
  • -t, --thirdParty: By default, third-party Java and .NET code is not scanned during IRX file generation. You can modify third-party code exclusion settings by following the instructions in Managing third-party Java and .NET exclusions. To include third-party code, specify the -t or --thirdParty option when you issue the prepare command.

    If you are a developer of third-party code that would normally be excluded in a scan, you should use the setting to include the third-party code.

  • -v,--verbose: Specify -v or --verbose to display more informational output during IRX file generation.
  • -X,--debug: Specify -X or --debug to run the entire command in debug mode. When run in debug mode, more log files are generated for troubleshooting.
Tip: For all commands, options can be used in any order.

Examples:

To generate an IRX file named my_scan.irx that uses the configuration file /root/Desktop/my_config_files/my_config.xml and is saved to /root/Desktop/my_irx_files, issue this command:

appscan.sh prepare -c /root/Desktop/my_config_files/my_config.xml -d /root/Desktop/my_irx_files -n my_scan.irx
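The following wrapper is an added example and is not part of the HCL documentation or of the Command Line Utility itself. It strings the prepare options above together the way a CI job would: it rejects a mis-cased -s value before any work is done, runs a --dryrun to validate the scan targets, then generates the IRX with secrets scanning switched on (it is off by default) and confirms that a non-empty .irx file actually exists at the path the -d and -n options imply. It assumes appscan.sh is on the PATH or is pointed to by the APPSCAN variable; the configuration file, output directory and file name passed in are hypothetical.

```sh
#!/bin/sh
# Added example wrapper (not part of the HCL documentation) around
# `appscan.sh prepare`. Assumptions: APPSCAN points at the appscan.sh from the
# extracted SAClientUtil zip (default: found on PATH); the config path, output
# directory and IRX name given on the command line are hypothetical.
APPSCAN="${APPSCAN:-appscan.sh}"

# -s values are case-sensitive; reject anything else before spending time on a scan.
validate_speed() {
  case "$1" in
    simple|balanced|deep|thorough) return 0 ;;
    *) return 1 ;;
  esac
}

# The CLI appends .irx when the extension is missing; normalise the name so we
# know which file to check for afterwards.
irx_name() {
  case "$1" in
    *.irx) printf '%s\n' "$1" ;;
    *)     printf '%s.irx\n' "$1" ;;
  esac
}

# Validate targets with --dryrun first, then generate the IRX with secrets
# scanning enabled and confirm a non-empty file exists. Prints the IRX path on
# success; distinct exit codes tell a CI job which step failed.
prepare_irx() {
  config="$1"; outdir="$2"; name="$3"; speed="${4:-deep}"
  validate_speed "$speed" || {
    echo "invalid scan speed '$speed' (use simple|balanced|deep|thorough)" >&2; return 2; }
  mkdir -p "$outdir" || return 2
  "$APPSCAN" prepare -c "$config" --dryrun || return 3
  "$APPSCAN" prepare -c "$config" -d "$outdir" -n "$name" -s "$speed" --enableSecrets || return 4
  irx="$outdir/$(irx_name "$name")"
  [ -s "$irx" ] || { echo "no IRX file produced at $irx" >&2; return 5; }
  printf '%s\n' "$irx"
}

# Usage: ./prepare_irx.sh <configuration_file> <save_path> <file_name> [speed]
if [ $# -ge 3 ]; then
  prepare_irx "$@"
fi
```

The dry run is cheap compared with a deep or thorough scan, so failing there (exit code 3) keeps a broken configuration file from burning scan time; the final existence check catches the case where the CLI exits 0 but wrote the file somewhere other than where the job expects to upload it from.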

appscan.sh prepare_sca

Syntax:

appscan.sh prepare_sca -d <save_path> -l <log_path> -n <file_name> -X, --debug -container <container> -image <image>

Description:

Generate an IRX file against a Docker image for running Software Composition Analysis (SCA). When run without parameters, this command is equivalent to running appscan.sh prepare -oso.
Important: Docker CLI tools must be installed and configured on the system to scan Docker containers and images.

Optional flags/settings:

  • -d: Specify -d <save_path>, where <save_path> is the directory that you want to save the IRX file to.
  • -l: Specify -l <log_path>, where <log_path> is the directory that you want to save the log files to.
  • -n: Specify -n <file_name>, where <file_name> is the IRX file name. You can specify the file name with or without the .irx file extension. If you specify it without the extension, it is automatically added for you when the file is generated.
  • -X,--debug: Specify -X or --debug to run the entire command in debug mode. When run in debug mode, more log files are generated for troubleshooting.
  • -container: Specify -container <container> where <container> is a Docker container to analyze. The value may be a container name, container digest, or the path to a local archive.
  • -image: Specify -image <image> where <image> is a Docker image to analyze. The value may be an image name, image digest, or the path to a local archive.
Tip: For all commands, options can be used in any order.
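The script below is an added example, not part of the HCL documentation or of the Command Line Utility. Because -image accepts an image name, an image digest or a local archive, a tag such as app:1.0 can be re-pointed at a different image between the scan and the deployment; pinning by digest makes the IRX describe one immutable image. The script resolves a tag to its repository digest with docker image inspect, and when that is empty (an image built locally and never pushed or pulled has no RepoDigests) falls back to exporting it with docker save so the scan still targets exactly the local image. It assumes the docker CLI and appscan.sh are reachable through the DOCKER and APPSCAN variables; the image names and paths used are hypothetical.

```sh
#!/bin/sh
# Added example (not part of the HCL documentation): run `appscan.sh prepare_sca`
# against an image pinned by digest, so the IRX describes one immutable image
# rather than whatever a tag points at today. Assumptions: DOCKER and APPSCAN
# resolve to the docker CLI and appscan.sh; image names and paths are hypothetical.
APPSCAN="${APPSCAN:-appscan.sh}"
DOCKER="${DOCKER:-docker}"

# Resolve a tag to its repository digest (name@sha256:...). Images built locally
# and never pushed or pulled have no RepoDigests, so this returns 1 for them.
image_digest() {
  d=$("$DOCKER" image inspect \
        --format '{{if .RepoDigests}}{{index .RepoDigests 0}}{{end}}' "$1" 2>/dev/null) || return 1
  [ -n "$d" ] || return 1
  printf '%s\n' "$d"
}

# Pick the value for -image: the digest when there is one, otherwise a tar
# archive written with `docker save` so the scan still targets exactly this
# local image (the CLI accepts a name, a digest or a local archive path).
sca_target() {
  image="$1"; workdir="$2"
  if digest=$(image_digest "$image"); then
    printf '%s\n' "$digest"
  else
    tar="$workdir/$(printf '%s' "$image" | tr '/:@' '___').tar"
    "$DOCKER" save -o "$tar" "$image" || return 1
    printf '%s\n' "$tar"
  fi
}

# Generate the SCA-only IRX and confirm it exists; prints the IRX path.
prepare_sca_irx() {
  image="$1"; outdir="$2"; name="$3"
  mkdir -p "$outdir" || return 2
  target=$(sca_target "$image" "$outdir") || return 2
  echo "scanning image target: $target" >&2
  "$APPSCAN" prepare_sca -image "$target" -d "$outdir" -n "$name" || return 3
  case "$name" in *.irx) irx="$outdir/$name" ;; *) irx="$outdir/$name.irx" ;; esac
  [ -s "$irx" ] || return 4
  printf '%s\n' "$irx"
}

# Usage: ./prepare_sca_irx.sh <image> <save_path> <file_name>
if [ $# -ge 3 ]; then
  prepare_sca_irx "$@"
fi
```

Keep the printed target (digest or archive path) with the scan record; it is what lets a finding in the SCA report be tied back to the exact image that was deployed.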

appscan.sh package

Syntax:

appscan.sh package -d <save_path> -f <assessment_file> -n <file_name>

Description:

Generate an IRX file that contains an assessment (.ozasmt) file created with HCL AppScan Source version 9.0 or later.

Note: When you scan code or generate an IRX file, you might receive a message about updating to the latest Static Analyzer Command Line Utility. See Command Line Utility (CLI) support.

Optional flags/settings:

  • -d: Specify -d <save_path>, where <save_path> is the directory that you want to save the IRX file to.
  • -f: Specify -f <assessment_file>, where <assessment_file> is the .ozasmt file that you want to package for scanning. If the <assessment_file> file is not in the current directory, use this option to specify the assessment file path and file name.
    Note: This option is only required if one or both of these statements are true:
    • You are issuing the command from a directory that contains more than one assessment file. If the directory contains only one assessment file, that file is packaged if the -f option is not used.
    • You are issuing the command from a directory that contains no assessment files. In this case, the -f option must be used to specify the path and file name of the assessment file to package.
  • -n: Specify -n <file_name>, where <file_name> is the IRX file name. You can specify the file name with or without the .irx file extension. If you specify it without the extension, it is automatically added for you when the file is generated.
Tip: For all commands, options can be used in any order.

Examples:

While in the /root/Desktop/my_irx_files directory, you can generate an IRX file that contains this assessment file, /root/Desktop/my_assessment_files/my_assessment.ozasmt, by issuing this command:

appscan.sh package -f /root/Desktop/my_assessment_files/my_assessment.ozasmt

The resulting IRX file will be saved in /root/Desktop/my_irx_files.

appscan.sh get_pubkey

Syntax:

appscan.sh get_pubkey -d <save_path>

Description:

Download the public encryption key for use on a computer that is not connected to the Internet.

If you are generating an IRX file from a computer that is connected to the Internet, this command is not required since an encryption key is automatically downloaded when you issue the prepare command. If an encryption key is already present on the computer, it is updated, if necessary, when you issue the prepare command.

However, if you are generating an IRX file from a computer that is not connected to the Internet, you can download the encryption key by using this command. You can then copy the encryption key to the computer that is not connected to the Internet for use when you generate the IRX file. To use the encryption key on that computer, you must preserve the rsa.pub file name and place the file in the config directory of the extracted SAClientUtil_<version>_<os>.zip file (where <version> is the current version of the Command Line Utility).

Note: The encryption key that is used must be current. If an IRX file is generated with an outdated encryption key, the IRX file is rejected when it is uploaded. If your computer is connected to the Internet, issue the prepare command again to automatically update the encryption key. If your computer is not connected to the Internet, you need to use the get_pubkey command.

Optional flags/settings:

  • -d: Specify -d <save_path>, where <save_path> is the directory that you want to save the encryption key to. If this option is not specified, the key is saved to the config directory of the extracted SAClientUtil_<version>_<os>.zip file.