Important concepts

Before you begin to use or administer AppScan® Source, you should become familiar with its fundamental concepts. This section defines basic AppScan® Source terminology. Subsequent chapters repeat these definitions so that you can understand them in the context of AppScan® Source for Analysis.

AppScan® Source for Analysis scans source code for vulnerabilities and produces findings. A finding is a vulnerability identified during a scan; the complete result of a scan is an assessment. A bundle is a named collection of individual findings and is stored with an application.

Applications, their attributes, and projects are created and organized in AppScan® Source for Analysis:

  • Applications: An application contains one or more projects and their related attributes.
  • Projects: A project consists of a set of files (including source code) and their related information (such as configuration data). A project is always part of an application.
  • Attributes: An attribute is a characteristic of an application that helps organize the scan results into meaningful groupings, such as by department or project leader. You define attributes in AppScan® Source for Analysis.

The principal activity of AppScan® Source for Analysis is to scan source code and analyze vulnerabilities. For each vulnerability it finds, an assessment records the following information:

  • Severity: High, medium, or low, indicating the level of risk
  • Vulnerability Type: Vulnerability category, such as SQL Injection or Buffer Overflow
  • File: Code file in which the finding exists
  • API/Source: The vulnerable call, showing the API and the arguments passed to it
  • Method: Function or method from which the vulnerable call is made
  • Location: Line and column number in the code file that contains the vulnerable API
  • Classification: Security finding or scan coverage finding. For more information, see Classifications.