Home
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Scanning libraries and third-party code for security vulnerabilities
To scan open source libraries and third-party code for security vulnerabilities, follow the steps in these topics.
Generating an IRX file using the command-line interface (CLI)
To initiate an analysis of your files, you must generate an IRX file to submit for scanning. To use the CLI to generate the IRX file, follow these instructions.
CLI command reference (Windows)
Windows-specific commands for performing static analysis using a small client command line interface (CLI) that you download and extract to your local disk.
Authentication commands
Use authentication commands to log in to the ASoC service.

Getting started
Welcome to the documentation for HCL AppScan on Cloud, where you can find information about how to install, maintain, and use this service.
Navigation
This section describes the items on the main AppScan on Cloud menu bar, with links to more detailed information.
Administration
Define users, applications, policies, and configure DevOps integrations.
Dynamic analysis
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
Interactive monitoring
Using an agent installed on your application, ASoC identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
- About Software Composition Analysis
  Software Composition Analysis (SCA) locates and analyzes open source and third-party packages used by your code.
- System requirements for SCA
  The types of files that can be scanned by ASoC when you perform open source testing.
- Scanning libraries and third-party code for security vulnerabilities
  To scan open source libraries and third-party code for security vulnerabilities, follow the steps in these topics.
  - Configure an open source scan in AppScan on Cloud
  - Configuring a scan using AppScan Go!
    AppScan Go! steps you through configuring and running a static scan. You run the scan in the cloud or use a plugin to automate scanning.
  - Generating an IRX file using the command-line interface (CLI)
    To initiate an analysis of your files, you must generate an IRX file to submit for scanning. To use the CLI to generate the IRX file, follow these instructions.
    - Setting up the Static Analyzer Command Line Utility for use with SCA
      For Software Composition Analysis, download a small Command Line Utility. When you extract the utility to your local disk, you can use its command line interface (CLI) to perform security analysis.
    - Configuring IRX file generation with the CLI
      Use a configuration file for IRX file generation, wherein you can specify individual targets, or include or exclude targets. In addition, you can use the configuration file to specify additional information that would help to generate a complete IRX file.
    - CLI command reference (Windows)
      Windows-specific commands for performing static analysis using a small client command line interface (CLI) that you download and extract to your local disk.
      - Analysis commands
        Analysis commands are used for submitting scan requests for analysis - or for working with scan requests that are already submitted. Using the commands, you can also receive information about scans. This information can be useful for automation scripts.
      - Authentication commands
        Use authentication commands to log in to the ASoC service.
      - Configuration commands
        Use configuration commands to prepare your files for scanning.
      - Global commands
        Use global commands to display CLI help and Static Analyzer Command Line Utility version information.
      - Command help
        Use the command help for retrieving a list of available commands or for retrieving information about an individual command.
      - Report commands
        Use report commands to generate scan reports.
      - Results commands
        Use results commands to retrieve scan results from the analysis service.
    - CLI command reference (Linux and macOS)
      Linux-specific commands for performing static analysis using a small client command line interface (CLI) that you download and extract to your local disk.
  - Generating in IRX file using a plugin or IDE
- SCA scan results
  Features available in SCA scan results.
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
Troubleshooting
If you experience problems with this service, you can perform these troubleshooting tasks to determine the corrective action to take.
FAQ & Reference
Frequently asked questions, information about integrating ASoC into the product lifecycle (SDLC), and ASoC API documentation.

Authentication commands (Windows™)

Use authentication commands to log in to the ASoC service.

appscan api_login

`appscan api_login`

Syntax:

appscan api_login -P <key_secret> -u <key_id>  -persist

Description:

Required options:

-P: Specify -P <key_secret>, where <key_secret> is the Key Secret that was created when you generated an API key.
-u: Specify -u <key_id>, where <key_id> is the Key Id that was created when you generated an API key.

Optional flags/settings:

-persist: Automatically attempt to reauthenticate to the service when the login token file expires.

Tip: For all commands, options can be used in any order.

Important: The api_login command is used for logging in from the CLI to the ASoC service on Cloud Marketplace only.