Best practices for Java scanning
When scanning Java projects in AppScan on Cloud, if you use Maven or Gradle for your builds (and most Java apps use one of these), you should use the respective ASoC Maven or Gradle plug-in.
However, if you are not using one of those tools, we recommend using
appscan-config.xml to limit the scan to just your code, and to
provide a classpath so all dependencies are found.
The major steps for setting up limited scanning using appscan-config.xml
are:
- Perform a dry run of the IRGen process and examine results to identify packages to include and exclude.
- Configure
appscan-config.xmlto include and exclude packages accordingly. - Perform another dry run to confirm the correct packages are to be scanned.
- If all is well, run
appscan prepareto generate the IRX file.
Perform a dry run and examine results
- The packages that would be included in the scan.
- The package names for any dependencies that couldn't be found.
appscan prepare -dr on the target directory.
For example:- On Windows:
appscan.bat prepare -dr
- On Linux:
appscan.sh prepare -dr
Validating classes...
100%
Validation complete.
__
The following packages/namespaces will be analyzed:
com.ibm.security
__
The following problems were found:
Missing required reference com.ibm.security.appscan.*
Missing required reference javax.servlet.*
Missing required reference javax.servlet.http.*
Missing required reference javax.ws.rs.*
Missing required reference javax.ws.rs.core.*
Missing required reference org.apache.commons.codec.binary.*
Missing required reference org.apache.commons.lang.*
Missing required reference org.apache.wink.json4j.*Configure appscan-config.xml
After performing a dry run and evaluating results, configure
appscan-config.xml:
- If there are package names that should not be scanned (for example, third-party
dependencies or internal dependencies from other teams) there are two ways to scope the
scan to just the intended code:
- In
appscan-config.xml, specifypackage_includesattribute to whitelist the scan to just the packages to analyze. The value is a semi-colon delimited list of one or more package names.For example:package_includes="com.hcl.appscan.client;com.hcl.appscan.server" - In
appscan-config.xml, use<Exclude>tags to exclude third party files and/or directories. The contents of the<Exclude>tag are a pattern and the*character can be used as a wild card.For example,<Exclude>myDependency-.jar</Exclude>Note: Either or both of these approaches can be used.
- In
- After specifying the scope of the scan, review the list of missing packages and
identify the
.jarfiles that contain those packages. Use theadditional_classpathattribute in theappscan-config.xmlto specify the locations of each missing.jarfile. The value of theadditional_classpathattribute is a delimited list of the path to each .jar file. On Linux/Mac, the delimiter is the colon character ( : ) and on Windows it’s the semi-colon character ( ; ).For example:additional_classpath=”C:\myDependencies\lib\xyz.jar;C:\myDependencies\lib\sample.jar”/
appscan-config.xml includes the modification noted
above. appscan-config.xml should be placed
in the directory where the appscan prepare command will be run. Any
relative paths in appscan-config.xml should be relative to that
directory. Learn more about appscan-config.xml
here.<Configuration>
<Targets>
<Target path="./myApp">
<CustomBuildInfo package_includes=”com.hcl.appscan.client;com.hcl.appscan.server” additional_classpath=”C:\myDependencies\lib\xyz.jar;C:\myDependencies\lib\sample.jar”/>
<Exclude>myDependency-.jar</Exclude>*
<Exclude>abc.jar</Exclude>
</Target>
</Targets>
</Configuration>After saving appscan-config.xml to the appropriate location, run
appscan prepare -dr again to confirm that the list of packages to
be analyzed is as expected, and that there are no missing references. Assuming all looks
good, use appscan prepare to generate the IRX file