Home
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Scanning libraries and third-party code for security vulnerabilities
To scan open source libraries and third-party code for security vulnerabilities, follow the steps in these topics.
Generating in IRX file using a plugin or IDE
Scanning in integrated development environments
How to scan source code using the static analysis plug-in after it has been installed to the Eclipse or Visual Studio integrated development environments (IDE). In Eclipse, you can scan Java projects; in Visual Studio, you can scan .NET (C#, ASP.NET, VB.NET).
Managing third-party Java and .NET exclusions
By default, third-party Java and .NET code is not scanned during IRX file generation. You can manage the third-party code that is excluded by following the instructions in this topic.

Getting started
Welcome to the documentation for HCL AppScan on Cloud, where you can find information about how to install, maintain, and use this service.
Navigation
This section describes the items on the main AppScan on Cloud menu bar, with links to more detailed information.
Administration
Define users, applications, policies, and configure DevOps integrations.
Dynamic analysis
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
Interactive monitoring
Using an agent installed on your application, ASoC identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
- About Software Composition Analysis
  Software Composition Analysis (SCA) locates and analyzes open source and third-party packages used by your code.
- System requirements for SCA
  The types of files that can be scanned by ASoC when you perform open source testing.
- Scanning libraries and third-party code for security vulnerabilities
  To scan open source libraries and third-party code for security vulnerabilities, follow the steps in these topics.
  - Configure an open source scan in AppScan on Cloud
  - Configuring a scan using AppScan Go!
    AppScan Go! steps you through configuring and running a static scan. You run the scan in the cloud or use a plugin to automate scanning.
  - Generating an IRX file using the command-line interface (CLI)
    To initiate an analysis of your files, you must generate an IRX file to submit for scanning. To use the CLI to generate the IRX file, follow these instructions.
  - Generating in IRX file using a plugin or IDE
    - Scanning in integrated development environments
      How to scan source code using the static analysis plug-in after it has been installed to the Eclipse or Visual Studio integrated development environments (IDE). In Eclipse, you can scan Java projects; in Visual Studio, you can scan .NET (C#, ASP.NET, VB.NET).
      - Generating an IRX for a .NET Core project
        Scanning of .NET Core projects is supported through the Command Line Interface (CLI) and through the Visual Studio 2017 and Visual Studio 2019 plugins on Windows only.
      - Supported .NET source code attributes
        When using static analysis to scan .NET, [ValidatorMethod], [CallbackMethod], and [SuppressSecurityTrace] method-level attributes are supported. When these attributes are used, [ValidatorMethod()], [CallbackMethod()], and [SuppressSecurityTrace()] are also accepted.
      - Supported Java source code annotations
        When using static analysis to scan Java™, @ValidatorMethod, @CallbackMethod, and @SuppressSecurityTrace method-level annotations are supported.
      - Managing third-party Java and .NET exclusions
        By default, third-party Java and .NET code is not scanned during IRX file generation. You can manage the third-party code that is excluded by following the instructions in this topic.
      - Parallel processing for Java applications
- SCA scan results
  Features available in SCA scan results.
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
Troubleshooting
If you experience problems with this service, you can perform these troubleshooting tasks to determine the corrective action to take.
FAQ & Reference
Frequently asked questions, information about integrating ASoC into the product lifecycle (SDLC), and ASoC API documentation.

Managing third-party Java and .NET exclusions

By default, third-party Java and .NET code is not scanned during IRX file generation. You can manage the third-party code that is excluded by following the instructions in this topic.

About this task

When you generate an IRX file for your code, third-party code is excluded so that your assessment does not include information and findings about code that you are not interested in analyzing. To modify what is excluded, follow the steps in this topic. If, instead, you want to include third-party code when scanning, see these topics:

Procedure

Locate the config directory of the extracted SAClientUtil_<version>_<os>.zip file (where <version> is the current version of the Command Line Utility).
In this directory, locate the dot_net.exclusions (.NET) or java.exclusions (Java) file.

Note: Other .exclusions files in this directory are experimental and modifying them will not affect third-party exclusions.

Open the file in a text editor, where you will see that it is XML in this format:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Exclusions>
  <packages>
    <package name="package_name"/>
  </packages>
  ...
</Exclusions>

Edit the file to add packages to exclude.
Note:
- Package names that are specified will match all packages with the same prefix (they will be treated as though they are followed by a wildcard). For example, if you add <package name="com.mycompany.common"/> as an exclusion, <package name="com.mycompany.common.action1"/> and <package name="com.mycompany.common.action2"/> will be excluded.
- Only entries that are added to the <packages> container affect third-party exclusions. Adding classes and methods will not affect exclusions.
Save the file and then generate an IRX file for your source code.

What to do next

If you modify exclusion files, you should follow these best practices:

Keep a back-up of modified exclusion files. In particular, remember that, if you upgrade to a new version of the Static Analyzer Command Line Utility, you will be downloading versions of the exclusion files without your updates. When updating the Command Line Utility, keep a copy of your modified exclusion files and then copy them over to the new Command Line Utility.
Keep modifications in a single block of XML entries so that you can easily copy and paste them if you need to.