Home
Developing
Learn how to develop by using the product.
AppScan® Source for Analysis and defect tracking
AppScan® Source for Analysis integrates with defect tracking systemsIBM® Rational Team Concert™ to deliver confirmed software vulnerabilities directly to the developer desktop. Defect submission to a defect tracking system contains a textual description of the bug and a file that contains only the findings submitted with the defect.
Tracking defects through email (sending findings by email)

Developing
Learn how to develop by using the product.
- Scanning source code and managing assessments
  This section explains how to scan your source code and manage assessments.
- Triage and analysis
  Grouping similar findings allows security analysts or IT auditors to segment and triage source code problems. This section explains how to triage AppScan® Source assessments and analyze results.
- AppScan® Source trace
  With AppScan® Source trace, you can verify input validation and encoding that meets your software security policies. You can look at the findings that produce input/output traces and mark methods as validation and encoding routines, sources or sinks, callbacks, or taint propagators.
- AppScan® Source for Analysis and defect tracking
  AppScan® Source for Analysis integrates with defect tracking systemsIBM® Rational Team Concert™ to deliver confirmed software vulnerabilities directly to the developer desktop. Defect submission to a defect tracking system contains a textual description of the bug and a file that contains only the findings submitted with the defect.
  - Enabling defect tracking with preferences
    Defect Tracking System preferences allow you to enable the submission of findings to a defect tracking system - and determine how defects are submitted.
  - Integrating HP Quality Center and AppScan® Source for Analysis
    The HP Quality Center integration with AppScan® Source for Analysis requires a Quality Center client installation on the local computer. The Quality Center client application is downloaded and installed on the local computer the first time you log in to Quality Center through the Quality Center browser-based client interface.
  - Integrating Rational® ClearQuest® and AppScan® Source for Analysis
    The Rational® ClearQuest® integration with AppScan® Source for Analysis requires a Rational ClearQuest client installation on the local computer. This installation includes the CQPerl executable, and you must configure the location of the executable in the AppScan Source for Analysis Rational ClearQuest preferences.
  - Integrating Rational Team Concert™ and AppScan® Source for Analysis
    Rational Team Concert™ integration with AppScan® Source for Analysis does not require that an additional Rational Team Concert client be installed on your computer.
  - Integrating Microsoft™ Team Foundation Server and AppScan® Source for Analysis
    The Team Foundation Server integration with AppScan® Source for Analysis requires a Microsoft™ Visual Studio Team Explorer client installation on the local computer.
  - Working with submitted defects
    When you submit more than a few findings as separate defects, the process runs in the background while you continue the triage process. After the defect submission, a defect ID received from the defect system is attached to the relevant findings and remains with that finding. To work with a defect that has been submitted to your defect tracking system, follow the steps in this topic.
  - Submitting bundles to defect tracking and by email
    The findings in bundles can be submitted to your corporate defect tracking system - or sent by email. Once you place findings in a bundle, you can submit these findings as bugs for developer remediation.
  - Tracking defects through email (sending findings by email)
- Findings reports and audit reports
  Security analysts and risk managers can access reports of select findings or a series of audit reports that measure compliance with software security best practices and regulatory requirements. This section explains how to create reports of aggregate finding data.
- Creating custom reports
  In the Report Editor, you create report templates used to generate custom reports.

Tracking defects through email (sending findings by email)

About this task

If you have configured email preferences, you can email findings or bundles directly to developers to advise them of potential defects found after a scan. The email includes an attachment that contains the findings - and text that describes the findings.

Note: Some Simple Mail Transfer Protocol (SMTP) relays only deliver mail to specific domains. In this case, if you send from mydomain.com, only recipients in mydomain.com can receive the email through AppScan® Source for Analysis.

To email findings from a findings table:

Procedure

Select the finding or findings in the table, or open a bundle. If you open a bundle, select the bundle findings to mail.
Right-click the selection and choose Email Findings from the menu.
The email will include a bundle attachment that contains the findings. In the Attachment File Name dialog box, specify a name for the finding bundle. For example, specifying my_finding in the Attachment File Name field causes a bundle with file name my_finding.ozbdl to be attached to the email.
Click OK to open the Email Findings dialog box.
By default, the Mail To field in the Email Findings dialog box will populate with the To Address that is specified in the email preferences - however, it can easily be changed when preparing the email. In this dialog box, review the contents of the email and then click OK to send the email.

Results

Example email contents:

1 findings:
Name: JavaAny.test_DataInput
Type: Vulnerability.Validation.Required
Severity: Low
Classification: Suspect
File Name: C:\TestApps\java\JavaAny\src\JavaAny.java
Line / Col: 275 / 0
Context: di . java.io.DataInput.readFully ( ba )
Notes: Check into this vulnerability and report back ASAP.

Tip: You can email individual findings or bundles from the Finding Detail view. You can also email bundles by clicking Email Bundle on the Bundle toolbar.