Configuring a scan using an archive file

AppScan on Cloud supports uploading archive files of code for scanning without first generating an IRX file. This saves the user time by offloading the preparation of the files to ASoC.

File upload types by language for AppScan on Cloud

Common user workflows for ASoC include:
  • Upload source code and build artifacts
  • Generate IRX locally and upload IRX
Based on the language being scanned, the following table lists the file upload types for the these workflows:
Important: The filename must contain ASCII characters only.
Language Upload source code Upload source code + build artifacts Upload IRX (generate IRX locally)
C/C++ To scan file types listed as "source code-only" in the language support table. To scan byte code file types listed under default content in the language support table.
Java and Java web content N/A

  • .jar

    Customize scan target and dependencies using config file.

  • .class

    Archive directory structure containing the class files,

  • .war
    Note: Tomcat is the default JSP compiler.

  • .ear

  • .jar and .class, when all dependencies cannot be included in the archive
  • .war, if JSP compile requires a webserver other than Tomcat
.NET To scan file types listed as "source code-only" in the language support table.1 To scan byte code file types listed under default content in the language support table.
Others

Always. appscan-config is not needed.

Archive must contain the entire directory structure of the target code to be scanned.

Language-specific behaviors

Java

When scanning Java code archive files, the default behavior is for ASoC to perform data flow analysis (DFA) and scan byteccode only. Default functionality does not scan source code.

To scan source code only from Java code archive files, and not scan bytecode, specify sourceCodeOnly=true in appscan-config.xml.

C/C++ and .NET

When scanning C/C++ and .NET archive files, the default behavior is for ASoC to scan source code only. Binaries in the file are ignored.
Note: .NET assemblies are not supported.

Other languages

When scanning archive files for other languages, the default behavior is for ASoC to scan source code only.

Limitations of archive file scanning

Please note the following limitations of archive file scanning:
  • .NET assemblies are not supported
  • Visual Studio solution files (.sln) are not supported
  • Ruby .gem files are not supported
  • When preparing to scan code from a Linux system, take care not to use Windows reserved names when creating archive files. For example, .aux, .com, .nul, and so on. Our analysis runs on Windows and thus cannot process such filenames.