Home
Extending product function
Learn how to extend the product.
Customizing the vulnerability database and pattern rules
This section describes how to customize the database and integrate customized vulnerabilities and other routines into scans.
Extending the AppScan® Source Security Knowledgebase
This section describes how to customize the database and integrate customized vulnerabilities and other routines into scans. Custom rules tailor the AppScan® Source Security Knowledgebase (or vulnerability database) to your specific security standards and apply those standards consistently across your enterprise.
Creating custom rules
In the Custom Rules view, you can open the Custom Rules Wizard, a tool that guides you through the creation of custom database records. Once you create custom rules, you view them in the Custom Rules view. The table displays the signature, language, and the purpose.

Extending product function
Learn how to extend the product.
- Customizing the vulnerability database and pattern rules
  This section describes how to customize the database and integrate customized vulnerabilities and other routines into scans.
  - Extending the AppScan® Source Security Knowledgebase
    This section describes how to customize the database and integrate customized vulnerabilities and other routines into scans. Custom rules tailor the AppScan® Source Security Knowledgebase (or vulnerability database) to your specific security standards and apply those standards consistently across your enterprise.
    - Creating custom rules
      In the Custom Rules view, you can open the Custom Rules Wizard, a tool that guides you through the creation of custom database records. Once you create custom rules, you view them in the Custom Rules view. The table displays the signature, language, and the purpose.
    - Using the Custom Rules wizard
      The Custom Rules Wizard helps you add methods to the AppScan® Source Security Knowledgebase. The scope of most custom rules is global (applies to all projects). Custom no-trace findings, sources, sinks, and taint propagators are always global. Custom validation/encoding routines are not global.
    - Likelihood rule attributes
      The Attribute.Likelihood.High and Attribute.Likelihood.Low attributes are part of the built-in rules and can be used when creating custom rules.
    - Custom Rules view
      In the Custom Rules view, you create custom rules with the Custom Rules Wizard. Add, view, or delete existing rules.
  - Customizing input/output tracing through AppScan® Source trace
    Some applications (particularly web applications) require input/output tracing to identify security vulnerabilities related to SQL injection, command injection, and cross-site scripting. Through AppScan® Source trace, you can specify a validation routine that, if used, eliminates the reporting of any vulnerability. All other outputs are marked as vulnerabilities if input has not been validated.
  - Customizing with pattern-based rules
    AppScan® Source pattern-based scanning is an analysis of your source code based on customized search criteria. Pattern-based scanning is similar to grep (grep searches one or more files for a given character string or pattern). Auditors or security analysts performing triage might use pattern-based scanning to search for specific patterns in specific applications or in a project. Once you define a pattern as a vulnerability type, a scan of your source code identifies the pattern as a vulnerability. When AppScan Source finds a match, the item appears in the findings table. The out-of-the-box AppScan Source rule library includes predefined rules and rule sets (collections of rules).
- Extending the application server import framework
  AppScan® Source allows you to import Java™ applications from Apache Tomcat and WebSphere® Application Server Liberty profile. You can import Java applications from other application servers by extending the application server import framework, as explained in this topic.
- HCL® AppScan® Source for Development (Eclipse Plug-in)
  With AppScan® Source for Development, you can work in your existing development environment and perform security vulnerability analysis on Java and IBM® MobileFirst Platform projects. Security analysis lets you pinpoint vulnerabilities in the source code and eliminate them entirely with AppScan Source Security Knowledgebase remediation assistance.

Creating custom rules

In the Custom Rules view, you can open the Custom Rules Wizard, a tool that guides you through the creation of custom database records. Once you create custom rules, you view them in the Custom Rules view. The table displays the signature, language, and the purpose.

Project-specific validation and encoding routines only appear in the Custom Rules view if the project to which the rules apply exists in an application under All Applications in the Explorer view.

Signature: The signature is the fully-qualified function name. For example, the Java™ signature includes arguments and return types, such as com.test.vulnerable.VulnClass.vulnerable(java.lang.string;int):int.
Language: C/C++, Java™, Visual Basic, Classic ASP, or .NET
Purpose: The custom record type or types on the given method, such as a Validation.EncodingRequired routine, sink, or source.

Tip: If you are refining your assessment of a code base by scanning iteratively and adding custom rules, and then re-scanning without changing the source code, you can dramatically reduce scan time by setting the project properties to use a vulnerability analysis cache. To do this, select the Enable Vulnerability Analysis cache check box in the project properties. To learn how to set project properties, see the instructions for using the Selected project Overview tab.