Home
Developing
Learn how to develop by using the product.
Scanning source code and managing assessments
This section explains how to scan your source code and manage assessments.
Scanning
You can scan an Eclipse or Rational® Application Developer for WebSphere® Software (RAD) workspace, project, or file. This includes scanning Java™ (including Android), JavaServer Pages (JSP), and IBM® MobileFirst Platform projects.
Scan considerations
This topic describes restrictions and considerations that may affect your scans.

Welcome
Welcome to the documentation for HCL® AppScan® Source.
Introduction to HCL® AppScan® Source
HCL® AppScan® Source delivers maximum value to every user in your organization who plays a role in software security. Whether a security analyst, quality assurance professional, developer, or executive, the AppScan Source products deliver the functionality, flexibility, and power you need - right to your desktop.
What's New in AppScan® Source
Explore these new features that have been added to AppScan® Source - and note any features and capabilities that have been deprecated in this release.
Installing
Learn how to install the product.
Configuring
Learn how to configure the product.
Administering
Learn how to administer the product.
Developing
Learn how to develop by using the product.
- Scanning source code and managing assessments
  This section explains how to scan your source code and manage assessments.
  - Scanning
    You can scan an Eclipse or Rational® Application Developer for WebSphere® Software (RAD) workspace, project, or file. This includes scanning Java™ (including Android), JavaServer Pages (JSP), and IBM® MobileFirst Platform projects.
    - Scan considerations
      This topic describes restrictions and considerations that may affect your scans.
    - Scan configurations
      Scan configurations are used when launching scans and can often lead to better scan results. AppScan® Source includes built-in scan configurations, which can be accessed in server mode or local mode. In addition, custom scan configurations can be created in AppScan Source for Analysis and shared to the AppScan Enterprise Server - and accessed from AppScan Source for Development in server mode.
    - Excluding a file from a scan
    - Cancelling or stopping a scan
      Although you can cancel a scan in progress, canceling a scan causes a loss of all data for that scan. Alternatively, you can stop a scan to halt it and produce an assessment with results that are found so far.
    - AppScan® Source for Analysis and AppScan® Source for Development (Eclipse plug-in) component prerequisite on Linux™
      On Linux™, Eclipse requires the installation of a third-party component in order to render browser-based content. Without this component, AppScan® Source for Analysis and the AppScan Source for Development Eclipse plug-in may exhibit symptoms such as a hang after login or a fail during product use.
  - Managing My Assessments
    The My Assessments view contains a list of assessments (the currently-opened assessment, along with any assessments that you have saved). In this view, you can open, delete, save, rename, or compare assessments. When a scan completes or you open a saved assessment, the assessment appears in the My Assessments view. My Assessments displays a table of open or saved assessments, and identifies a published or modified assessment. Removing an assessment from this view (without saving or publishing it) permanently deletes that assessment.
  - Submitting AppScan® Source assessments to the Cloud for analysis
    If you have a subscription to HCL AppScan on Cloud at HCL Cloud Marketplace, you can submit AppScan® Source assessments for analysis there. Assessments from AppScan Source Versions 9.0 or higher are supported - and the number of scans that you can submit depends on your AppScan on Cloud subscription.
  - Publishing assessments
    AppScan® Source offers two publishing options. You can publish assessments to the AppScan Source Database, for the purpose of storing and sharing assessments. Or, if your AppScan Enterprise Server has been installed with the Enterprise Console option, you can publish assessments to it. The AppScan Enterprise Console offers a variety of tools for working with your assessments - such as reporting features, issue management, trend analysis, and dashboards.
  - Opening and saving assessments
    AppScan® Source scans source code for vulnerabilities and produces findings. Findings are the vulnerabilities identified during a scan, and the result of a scan is an assessment. You can open a saved assessment from AppScan Source for Development or AppScan Source for Analysis. After you scan, you can save the assessment to a file. Then you can open the assessment again at any time. Assessments are saved as filename.ozasmt.
  - Removing assessments from My Assessments
    When assessments are removed from the My Assessments view, they are not removed from your local file system. If an assessment is removed from the view, it can be added back with the Open Assessment action.
  - Defining variables
    When saving assessments or bundles, or publishing assessments, AppScan® Source for Analysis may suggest that you create a variable to replace absolute paths (without variables, AppScan Source for Analysis writes absolute paths to the assessment file to reference items such as source files). When you configure variables for absolute paths, you facilitate the sharing of assessments on multiple computers. It is recommended that you use variables when sharing assessments.
- Triage and analysis
  Grouping similar findings allows security analysts or IT auditors to segment and triage source code problems. This section explains how to triage AppScan® Source assessments and analyze results.
- AppScan® Source trace
  With AppScan® Source trace, you can verify input validation and encoding that meets your software security policies. You can look at the findings that produce input/output traces and mark methods as validation and encoding routines, sources or sinks, callbacks, or taint propagators.
- Findings reports and audit reports
  Security analysts and risk managers can access reports of select findings or a series of audit reports that measure compliance with software security best practices and regulatory requirements. This section explains how to create reports of aggregate finding data.
- Creating custom reports
  In the Report Editor, you create report templates used to generate custom reports.
Extending product function
Learn how to extend the product.
Reference
Review reference information for the product.
Troubleshooting and support
There are a number of self-help information resources and tools to help you troubleshoot problems.

Scan considerations

This topic describes restrictions and considerations that may affect your scans.

Linux
Java

To learn about considerations that are specific to scanning IBM® MobileFirst Platform projects, see Scanning a MobileFirst Platform project.

Linux

On Linux™, Eclipse requires the installation of a third-party component in order to render browser-based content. Without this component, AppScan® Source for Development may exhibit symptoms such as a hang after login or a fail during product use. See Enabling browser-based content on Linux for AppScan Source for Development installed to Eclipse Version 3.7 or later for more information.

Java

Tip: If you are scanning Java and there are missing dependencies in your Java project, AppScan® Source will compile your Java files by synthesizing the pieces that the dependencies would have provided. In this case, you can improve the accuracy of findings by specifying missing dependencies, as follows:

After scanning, open <data_dir>\logs\StaticAnalyzer-Errors.log (where <data_dir> is the location of your AppScan® Source program data, as described in Installation and user data file locations) to see if AppScan® Source has reported missing dependencies.
Modify the project properties to include the dependencies.
Re-scan the project.