Static analysis client support

This topic describes the supported operating systems and the types of projects that ASoC can scan when you perform static analysis.

Operating system support

HCL AppScan on Cloud clients are supported on the following operating systems:
  • Windows: HCL AppScan on Cloud is supported on 64-bit systems and it runs in 64-bit mode.
  • macOS: HCL AppScan on Cloud is supported on 64-bit systems running on Intel processors and runs in 64-bit mode.
  • Linux: HCL AppScan on Cloud is supported on 64-bit systems only.

Command Line Utility support

Application server support

The Command Line Utility includes Apache Tomcat Version 7 application server .jar files that are used for basic JavaServer Page compilation. To achieve better compatibility, you can configure the CLI to use your own application server. Supported application servers include Apache Tomcat versions 7 and higher, WebSphere® Application Server Versions 7, 8.0, and 8.5.x, and Oracle WebLogic Server versions 10.3 and 12.x.

Command Line Utility and cloud service version compatibility

Your Static Analyzer Command Line Utility version is automatically checked when you:

  • Issue the appscan prepare command on Windows or the appscan.sh prepare command on Linux and macOS.
  • Use the Run Static Analysis action in an integrated development environment that has the static analysis plug-in installed.
  • Use the prepare option to generate an IRX file for a Maven project.
  • Upload an IRX file by using the appscan queue_analysis command on Windows or the appscan.sh queue_analysis command on Linux and macOS.
  • Upload an IRX file to the cloud.

When you perform any of the prepare or Run Static Analysis actions, you may receive a message indicating that a new version of the Command Line Utility is available. In this case, you can proceed without upgrading the Command Line Utility - or you can upgrade the Command Line Utility to take advantage of new features and capabilities.

When you perform any of the above actions using a version of the Command Line Utility that is no longer supported, a message will indicate that the Command Line Utility must be updated. In this case, download and set up the latest Command Line Utility.

Plugin support

Gradle support

The HCL AppScan on Cloud Gradle plugin is used to automate the scanning of Java and Java web projects in Gradle. It generates an IRX file for Gradle projects that have the "java" and/or "war" plugins applied. It can optionally submit the generated IRX file to the cloud service for analysis.

To use the plugin, add the following lines to build.gradle.

Using plugins.dsl:
  • Groovy:
    plugins {
        id "com.hcl.security.appscan" version "1.0.1"
    }
  • Kotlin:
    plugins {
        id("com.hcl.security.appscan") version "1.0.1"
    }

Using the legacy plugin application:
  • Groovy:
    buildscript {
        repositories {
            maven {
                url "https://plugins.gradle.org/m2/"
            }
        }
        dependencies {
            classpath "gradle.plugin.com.hcl.security:application-security-gradle-plugin:1.0.1"
        }
    }

    apply plugin: "com.hcl.security.appscan"
  • Kotlin:
    buildscript {
        repositories {
            maven {
                url = uri("https://plugins.gradle.org/m2/")
            }
        }
        dependencies {
            classpath("gradle.plugin.com.hcl.security:application-security-gradle-plugin:1.0.1")
        }
    }

    apply(plugin = "com.hcl.security.appscan")

Maven support

The Maven ASoC plugin is now live in the Maven Central Repository; it no longer needs to be installed manually.

Use the prepare goal of the appscan-maven-plugin to generate an IRX file for all jar, war, and ear projects in your build. Use the analyze goal of the appscan-maven-plugin to generate an IRX file for all jar, war, and ear projects in your build and submit it to the ASoC service for analysis.

Eclipse support

You can choose to install a plug-in to Eclipse so you can scan Java projects from its user interface. Eclipse Versions 4.2 or higher are supported. This includes the Eclipse 3.8 release of Eclipse Version 4.2.

Eclipse must be installed on your system before you can install the Eclipse plug-in.

To acquire and install the Eclipse plug-in, locate the plug-in at the Eclipse marketplace. Or, in Eclipse, go to Help > Eclipse Marketplace, search for AppScan, then click Browse for more results.

IntelliJ IDEA support

You can choose to install a plug-in to IntelliJ IDEA so you can scan Java projects from its user interface. IntelliJ IDEA versions 15.x through 2017 are supported.

IntelliJ IDEA must be installed on your system before you can install the IntelliJ IDEA plug-in. In addition, if you are using IntelliJ 2020.2 or newer, you must also install JavaFX Runtime for Plugins to use the IntelliJ IDEA plug-in with AppScan on Cloud.

To acquire and install the IntelliJ plug-in, locate the plug-in at the JetBrains Plugins Repository. Or, in IntelliJ, go to File > Settings, select Plugins and click Browse repositories.... Search for HCL AppScan.

Note: In order to display results and reports, IntelliJ IDEA must run with an Oracle JDK. To learn how to set up IntelliJ IDEA with an Oracle JDK, consult the IntelliJ IDEA documentation.

Microsoft Visual Studio support (Windows only)

You can choose to install a plug-in to Visual Studio so you can scan .NET (C#, ASP.NET, VB.NET) and C++ solutions, projects, and websites from its user interface. Visual Studio must be installed on your system before you can install the Visual Studio plug-in.

To acquire and install the Visual Studio plug-in, locate the plug-in at the Visual Studio marketplace. Or, in Visual Studio, go to Tools > Extensions and Updates. Select Online and search for Static Analyzer.

AppScan on Cloud supports the following Visual Studio versions:

                        .NET (C#, ASP.NET, VB.NET)    C++
    Visual Studio 2012  X                             X
    Visual Studio 2013  X                             X
    Visual Studio 2015  X                             X
    Visual Studio 2017  X                             X
    Visual Studio 2019  X                             X

Note: AppScan on Cloud does not support UTF-16.

For the supported languages, AppScan on Cloud enables scanning of Visual Studio projects both interactively through an IDE plugin and in your automation using the AppScan CLI. The following integrations are available:

                        Visual Studio Plugin    Command Line Interface (CLI)
    Visual Studio 2012  X                       X
    Visual Studio 2013  X                       X
    Visual Studio 2015  X                       X
    Visual Studio 2017  X                       X
    Visual Studio 2019  X                       X

Note: The Visual Studio plug-in is not supported on macOS or Linux.

Jenkins support

The ASoC Jenkins plug-in allows you to add dynamic, static, and mobile analysis build steps to your Jenkins build projects. You can install the plug-in to Jenkins Versions 1.609.1 or higher. From the plug-in, you can connect to the ASoC service on Cloud Marketplace.

Visual Studio Team Services/Team Foundation Server (Azure DevOps) support

The Visual Studio Team Services/Team Foundation Server (Azure DevOps) plugin allows you to scan static, dynamic, or mobile VSTS and TFS projects. AppScan on Cloud supports TFS version 2018 update 2 and newer. To learn more about the plugin, see Installing and using the Azure DevOps Services plugin.

AppScan Go! support

AppScan Go! is supported on Windows, Linux, and Mac.