Scan Configuration view

The Scan Configuration view allows you to create configurations that you can use when launching scans. You can also use the view to set a default scan configuration. In a scan configuration, you can specify which source rules to use during a scan, along with numerous other scan settings. The settings in a scan configuration often lead to better scan results, and saving them makes scanning easier and more time-efficient.

The Scan Configuration view has these main sections:

Scan configuration management

Use this section to select, add, remove, save, and share scan configurations - and to set scan configurations as default.

  • To create a new scan configuration, click New. After completing the scan configuration settings, click Save to save the changes. To set the scan configuration as default, click Select as Default after saving it. To learn how the default scan configuration is used, refer to Scanning.
  • To work with an existing scan configuration, select it from the list:
    • If you modify the scan configuration settings, click Save to save the changes (unwanted changes can be discarded by switching to a different scan configuration and then clicking Discard).
    • To remove the selected scan configuration, click Delete.
    • To duplicate the scan configuration, click Duplicate. This will cause a new scan configuration to be created based on the original scan configuration's settings.
    • To set the scan configuration as default, click Select as Default. To learn how the default scan configuration is used, refer to Scanning.
    • To share the scan configuration with others, click Share. This will save the scan configuration to AppScan® Enterprise. To reload filters from AppScan Enterprise, click Refresh.
      Note: To share scan configurations - or modify or delete a shared scan configuration - you must have Manage Shared Configurations permission. To learn about setting permissions, see the HCL AppScan Source Installation and Administration Guide.
    Note: AppScan Source provides built-in scan configurations. These cannot be modified or removed. Selecting them in the list will allow you to duplicate them or view their settings.

General tab

Basic Information

This section allows you to name scan configurations and provide descriptions for them.

Filters

In this section, you can choose one or more filters to apply to the scan whenever the scan configuration is used. When selecting a filter, you can choose a predefined AppScan Source filter, a shared filter, or one that you have created. See Scan configurations for more details.

Taint-Flow Analysis tab

Taint-Flow Analysis

Enable and set the scope of taint-flow analysis.

Scan Rules

Use this section to determine which source rules will be in effect for the scan.

A source is an input to the program, such as a file, servlet request, console input, or socket. By excluding some source rules, you can speed up scanning and avoid detecting vulnerabilities arising from inputs that are not of interest.

Rules are tagged with rule properties to indicate that they are related to a particular vulnerability, mechanism, attribute, or technology. These properties are grouped into rule sets, which correspond to a common set of related rules. You can limit the source rules included in the scan by specifying either rule sets or individual rule properties.

  • Select one or more vulnerability types (organized by type in rule sets) to include in the scan:
    • Everything: If this is selected, vulnerabilities arising from all supported sources of input will be detected.
    • User Input: If this is selected, vulnerabilities arising from end user input will be detected.
    • Web Applications: If this is selected, vulnerabilities arising from web application risk will be detected.
    • Error Handling and Logging: If this is selected, vulnerabilities arising from error handling and logging mechanisms will be detected.
    • Environment: If this is selected, vulnerabilities arising from configuration files, system environment files, and property files will be detected.
    • External Systems: If this is selected, vulnerabilities arising from external entities will be detected.
    • Data Store: If this is selected, vulnerabilities arising from data stores (such as databases and caching) will be detected.
    • Unusual Things: If this is selected, vulnerabilities arising from routines that are not normally part of a production application will be detected.
    • File System: If this is selected, vulnerabilities arising from file systems will be detected.
    • Sensitive Data: If this is selected, vulnerabilities arising from sensitive data will be detected.

    Hover text describes each rule set in this section.

  • Select individual scan rule properties to include in the scan: Click Discard selected rule sets and let me select individual rule properties. This opens the Select Rule Properties dialog box, which allows you to choose individual rule properties. If you complete this dialog box, any rule sets that were selected are discarded. Scan rules that have the selected rule properties will be used for the scan.
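The following is an added illustration, not code from AppScan Source or this guide, of how limiting source rules by rule set or by individual rule property affects taint-flow results. It models a handful of hypothetical source rules (each tagged with rule properties), the rule sets that group those properties, and two sink calls, then runs a toy taint-flow analysis over a constructed Java-like snippet. The call names, property tags, sink list and sample code are all assumptions made for the example; the point it shows is that selecting only the rule sets of interest removes findings that arise from inputs you do not care about, and that choosing individual rule properties discards any selected rule sets, as the dialog box described above does.

```python
import re
from dataclasses import dataclass

# Hypothetical source rules: call -> rule properties it is tagged with (constructed for this example).
SOURCE_RULES = {
    "request.getParameter": {"User Input", "Web Applications"},
    "System.getenv": {"Environment"},
    "Files.readString": {"File System"},
    "socket.read": {"External Systems"},
}

# Rule sets group rule properties; "Everything" enables every property (constructed).
RULE_SETS = {
    "Everything": set().union(*SOURCE_RULES.values()),
    "User Input": {"User Input"},
    "Web Applications": {"Web Applications"},
    "Environment": {"Environment"},
    "External Systems": {"External Systems"},
    "File System": {"File System"},
}

# Hypothetical sink calls and the vulnerability type reported when tainted data reaches them.
SINKS = {"stmt.execute": "SQL Injection", "Runtime.exec": "Command Injection"}

# Constructed sample input; line numbers in findings refer to this snippet.
SAMPLE_JAVA = """
String id = request.getParameter("id");
String table = System.getenv("REPORT_TABLE");
String q1 = "SELECT * FROM users WHERE id = " + id;
String q2 = "SELECT * FROM " + table;
stmt.execute(q1);
stmt.execute(q2);
String cfg = Files.readString(path);
log.info(cfg);
"""


@dataclass(frozen=True)
class Finding:
    line: int          # line of the sink call
    sink: str
    vuln: str
    source: str        # source rule whose data reached the sink
    source_line: int   # line where that source was read


ASSIGN_RE = re.compile(r"^(?:\w+\s+)?(\w+)\s*=\s*(.+);$")
CALL_RE = re.compile(r"([A-Za-z_][\w.]*)\s*\(")
IDENT_RE = re.compile(r"\b[A-Za-z_]\w*\b")
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')


def enabled_properties(rule_sets=None, rule_properties=None):
    """Rule properties in effect: individual properties win and discard any rule sets;
    otherwise the union of the selected rule sets (default: Everything)."""
    if rule_properties is not None:
        return set(rule_properties)
    props = set()
    for name in rule_sets or ["Everything"]:
        props |= RULE_SETS[name]
    return props


def scan(source, rule_sets=None, rule_properties=None):
    """Toy taint-flow analysis: only source rules tagged with an enabled property introduce taint."""
    props = enabled_properties(rule_sets, rule_properties)
    active_sources = {call for call, tags in SOURCE_RULES.items() if tags & props}
    taint = {}        # variable -> set of (source_call, line) labels
    findings = []
    for lineno, raw in enumerate(source.strip().splitlines(), 1):
        line = raw.strip()
        m = ASSIGN_RE.match(line)
        dst, expr = (m.group(1), m.group(2)) if m else (None, line)
        expr = STRING_RE.sub('""', expr)          # drop string literals so their words are not read as variables
        calls = CALL_RE.findall(expr)
        idents = IDENT_RE.findall(expr)
        # Report tainted identifiers flowing into any sink call on this line.
        for call in calls:
            if call in SINKS:
                for ident in idents:
                    for src_call, src_line in sorted(taint.get(ident, ())):
                        findings.append(Finding(lineno, call, SINKS[call], src_call, src_line))
        # Propagate taint through the assignment: active sources add labels, tainted operands carry theirs.
        if dst is not None:
            labels = {(call, lineno) for call in calls if call in active_sources}
            for ident in idents:
                labels |= taint.get(ident, set())
            if labels:
                taint[dst] = labels
            else:
                taint.pop(dst, None)              # overwritten with clean data
    return findings


if __name__ == "__main__":
    for selection in (None, ["User Input"], ["Environment"], ["File System"]):
        label = selection or ["Everything"]
        print(label, [(f.line, f.vuln, f.source) for f in scan(SAMPLE_JAVA, rule_sets=selection)])
    print("properties override rule sets:",
          [f.line for f in scan(SAMPLE_JAVA, rule_sets=["User Input"], rule_properties=["Environment"])])
```

With Everything selected the sample yields two SQL Injection findings (lines 5 and 6); selecting only User Input keeps the one fed by request.getParameter, selecting only Environment keeps the one fed by System.getenv, and selecting File System alone reports nothing because the file contents never reach a sink. Passing individual rule properties discards the rule sets, exactly as the dialog box does.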

Advanced Settings

This section is intended for advanced users only. It contains a variety of settings that can improve scan results. Hover text describes each setting in this section.

Pattern Analysis tab

Pattern Analysis

Use this section to enable pattern-based scanning when the scan configuration is used. Pattern-based scanning is an analysis of your source code based on customized search criteria.

Pattern Rule Sets and Pattern Rules

Use these sections to add rules and rule sets to use during pattern analysis. See Customizing with pattern-based rules and Scan configurations for more information.