Home
Configuring
Learn how to configure the product.
Configuring applications and projects
Before you scan, you must configure applications and projects. This section explains the Application Discovery Assistant, New Application Wizard, and the New Project Wizard. You will learn how to configure attributes for AppScan® Source for Analysis. In addition, this section teaches you how to add existing applications and projects for scanning - and how to add files to projects.
Creating a new project for an application
After you add an application, you add projects to it.
Choosing between source code and build output scanning
When creating a new project, you have the option of choosing source code-only scanning or build output (bytecode) scanning, depending on the project.

Configuring
Learn how to configure the product.
- Configuring applications and projects
  Before you scan, you must configure applications and projects. This section explains the Application Discovery Assistant, New Application Wizard, and the New Project Wizard. You will learn how to configure attributes for AppScan® Source for Analysis. In addition, this section teaches you how to add existing applications and projects for scanning - and how to add files to projects.
  - AppScan® Source application and project files
    AppScan® Source applications and projects have corresponding files that maintain configuration information required for scanning, as well as triage customization. It is recommended that these files reside in the same directory as the source code, since configuration information (dependencies, compiler options, and so forth) required to build the projects is very similar to that required for AppScan Source to scan them successfully. Best practice includes managing these files with your source control system.
  - Configuring applications
    You can use the New Application Wizard or the Application Discovery Assistant to create applications. The Application Discovery Assistant automates application setup for you, whereas the New Application Wizard allows you to add applications, guiding you through the configuration process. The wizard helps you manually create a project or add existing projects to an application. This section describes these two methods for adding application and basic configuration tasks.
  - Configuring your development environment for Eclipse and Rational® Application Developer for WebSphere® Software (RAD) projects
    Before you import an Eclipse or Rational® Application Developer for WebSphere® Software (RAD) project, you must properly configure the development environment. Although Eclipse is the basis for each project type, AppScan® Source distinguishes between the different versions.
  - Creating a new project for an application
    After you add an application, you add projects to it.
    - Choosing between source code and build output scanning
      When creating a new project, you have the option of choosing source code-only scanning or build output (bytecode) scanning, depending on the project.
    - Adding an existing project
      You can add AppScan® Source projects (.ppf files) previously created with AppScan Source for Analysis to AppScan Source applications. You can also add Eclipse project files (.epf), projects created by any of the supported build integration tools (for example, Ounce/Maven or Ounce/Ant), or project files created with Microsoft™ Visual C/C++ (.vcproj or.vcxproj), VB.NET (.vbproj), or C# (.csproj).
    - Adding multiple projects
      When you add multiple projects to an application, you can drag and drop them to the Explorer View - or you can browse a directory for projects and import some or all projects to the current application.
    - Adding a new Android Java project
      The New Project Wizard helps you manually create an Android Java project and add it to an application.
    - Adding a new Apex project
      The New Project Wizard helps you manually create an Apex project and add it to an application.
    - Adding a new ASP project
      The Project Configuration Wizard helps you manually create an ASP project and add it to an application.
    - Adding a new C/C++ project
      The New Project Wizard helps you manually create a C/C++ project and add it to an application. We strongly recommend direct import of Visual Studio solutions and projects, and subsequent import of makefile configurations using the Ounce/Make tool. While manual configuration is possible, it requires users to have significant and detailed knowledge of their compiler environment.
    - Adding a new C/C++/Objective-C source code-only project
      The New Project Wizard helps you manually create an C/C++/Objective C source code-only project and add it to an application.
    - Adding a new COBOL project
      The Project Configuration Wizard helps you manually create a COBOL project and add it to an application.
    - Adding a new ColdFusion project
      The Project Configuration Wizard helps you manually create a ColdFusion project and add it to an application.
    - Adding a new Dart project
      The New Project Wizard helps you manually create a Dart project and add it to an application.
    - Adding a new Go project
      The New Project Wizard helps you manually create a Go project and add it to an application.
    - Adding a new Groovy project
      The New Project Wizard helps you manually create a Groovy project and add it to an application.
    - Adding a new IBM RPG project
      The New Project Wizard helps you manually create a IBM RPG project and add it to an application.
    - Adding a new IaC project
      The New Project Wizard helps you manually create an Infrastructure as Code (IaC) project and add it to an application.
    - Adding a new Ionic project
      The New Project Wizard helps you manually create an Ionic project and add it to an application.
    - Adding a new Java™ or JavaServer Page (JSP) project
      When you add a new Java™ project to the application, you specify the project name, browse to the working directory, and then specify the source roots and project dependencies.
    - Adding a new or Java source code-only project
      The Project Configuration Wizard helps you manually create a Java source code-only project and add it to an application.
    - Adding a new JavaScript™ project
      The Project Configuration Wizard helps you manually create a JavaScript™ project and add it to an application.
    - Adding a new Kotlin project
      The New Project Wizard helps you manually create a Kotlin project and add it to an application.
    - Adding a new .NET source code-only project
      The New Project Wizard helps you manually create a .NET project and add it to an application.
    - Adding a new .NET Assembly project
      The New Project Wizard helps you create a .NET Assembly project. A .NET Assembly project can be used to scan compiled .NET assembly files, when source files may not be available or buildable. .NET Assembly projects consist of a working directory and list of sources, which may be directories or individual assembly files.
    - Adding a new pattern-based project
      The New Project Wizard helps you manually create a pattern-based project and add it to an application.
    - Adding a new PHP project
      When you add a new PHP: Hypertext Preprocessor (PHP) project to the application, you specify the project name, browse to the working directory, and then specify the source roots and project dependencies. The project dependencies can also be set in the Project Dependencies tab of the project properties after the project has been created.
    - Adding a new PL/SQL project
      The New Project Wizard helps you manually create a PL/SQL project and add it to an application.
    - Adding a new Python project
      The New Project Wizard helps you manually create a Python project and add it to an application.
    - Adding a new React Native project
      The New Project Wizard helps you manually create an React Native project and add it to an application.
    - Adding a new Ruby project
      The New Project Wizard helps you manually create a Ruby project and add it to an application.
    - Adding a new SAP ABAP project
      The New Project Wizard helps you manually create an SAP ABAP project and add it to an application.
    - Adding a new Scala project
      The New Project Wizard helps you manually create a Scala project and add it to an application.
    - Adding a new Swift project
      The New Project Wizard helps you manually create a Swift project and add it to an application.
    - Adding a new T-SQL project
      The New Project Wizard helps you manually create a T-SQL project and add it to an application.
    - Adding a new Terraform project
      The New Project Wizard helps you manually create a Terraform project and add it to an application.
    - Adding a new TypeScript project
      The New Project Wizard helps you manually create a TypeScript project and add it to an application.
    - Adding a new Visual Basic project
      The New Project Wizard helps you manually create a Visual Basic project and add it to an application.
    - Adding a new Vue.js project
      The New Project Wizard helps you manually create an Vue.js project and add it to an application.
    - Adding a new Xamarin project
      The New Project Wizard helps you manually create an Xamarin project and add it to an application.
  - Creating containers using the Docker image
  - Copying projects
    AppScan® Source for Analysis allows you to copy all project types except .NET projects. Modifications to the project do not affect the duplicated project; after you copy a project, there is no connection between the original project and the copied project. When you copy an imported project, you create an AppScan Source project file (.ppf) with all configuration information.
  - Modifying application and project properties
    When you select an application or project in the Explorer view, the current properties appear in the Properties view, where you can make modifications.
  - Global attributes
    Global attributes must be defined before they can be associated with individual applications. Global attributes are defined in the Properties view by selecting All Applications in the Explorer view.
  - Application attributes
    Application attributes apply to the currently-selected application and depend on previously created global attributes.
  - Removing applications and projects
    You can remove applications and projects from AppScan® Source for Analysis if they are not registered.
  - Explorer view
    The Explorer view contains a Quick Start section at the top - and an explorer section at the bottom which contains one node, All Applications. The Quick Start section contains several useful links that launch common actions. The explorer section consists of a tree pane that provides a hierarchical view of your resources: applications, projects, directories, and project files, with All Applications as its root. You navigate these resources much like a file browser. As you navigate the view, the selection state of the tree determines the available tabs in the Properties view.
- Preferences
  Preferences are personal choices about the appearance and operation of AppScan® Source for Analysis.

Choosing between source code and build output scanning

When creating a new project, you have the option of choosing source code-only scanning or build output (bytecode) scanning, depending on the project.

Understanding the different methods of scanning is critical to the success of your project. Each has specific uses, requirements, and results differ.

Source code-only scanning

Early in the software development lifecycle, source code-only scanning of uncompiled code can be a helpful tool to head off issues and confirm programmatic approach before the project is too far along.

Generally performed by developers, and requiring access to source files, source code-only scans are fast but not necessarily as accurate as scans of compiled code. Results of source code-only scans pinpoint vulnerabilities in specific lines of code; they do not show trace data.

Build output scanning

When accuracy is preferred over speed of a scan, build output scanning can help you understand not just where in an application a vulnerability exists, but also the impact of that vulnerability. Build output scanning is sometimes referred to as "dataflow" scanning.

Build output scans require access to the fully built application. Scan results display "traces" showing the flow of tainted data through the application, from the point it enters the application to the point at which the data is used (called the "sink"). The trace shows the line of code and the tainted variable at each point in the trace; its appearance is similar to an exception stack trace.

Build output scanning may have additional requirements, depending on the project type:

Application dependencies should be available for the most complete and accurate results.
For Java and .NET bytecode is required, so the application needs to be built before running the scan.
For C/C++, a Visual Studio solution is required.