scan (sc)

Description

Scans an application (or all applications), project, folder, or file. A valid AppScan® Source for Automation license is required for use of this command.

Important: If you are working with an AppScan® Source project that has dependencies in a development environment (for example, an IBM® MobileFirst Platform project), ensure that you build the project in the development environment before importing it. After importing the project, if you modify files in it, be sure to rebuild it in the development environment before scanning in AppScan® Source (if you do not do this, modifications made to files will be ignored by AppScan® Source).
Note: When scanning fodlers, by default all the files in the target folder are scanned, regardless of language. As such, the scan results can differ from scanning applications or projects. To target specific files, create an appscan-config.xml file to define the scan targets. When an appscan-config.xml file is present in the target folder, then the configuration information therein is considered automatically by the scanning process.

Syntax

scan [path][config <proj_config>][-name <assessment_name>]
[-scanconfig <scan_configuration_name>] [-sourcecodeonly <true/false>]
  • path: Optional. Full path and file name (.ozasmt) that the exported assessment will be saved as.
    Note:
    • If you specify a valid directory without a file name, an assessment file (.ozasmt) will be created for you based on the application name, project name, and scan configuration used when creating the assessment.
    • If you specify a valid directory with a file name that does not exist, an assessment file will be created in that location using the file name specified.
    • If you specify a file that already exists, the existing file will be overwritten.
    • If you specify a file name (.ozasmt) in a directory that does not exist, no assessment will be saved.
  • config <proj_config>: Optional. This argument is only valid for project-level assessments. If your project has a configuration file, specify it using this argument.
  • -name <assessment_name>: Optional. Provide a name for the assessment. This name is used in AppScan® Source client products to distinguish assessments from one another (for example, in AppScan® Source for Analysis, the name would appear in the Name column of the My Assessments view).
  • -scanconfig <scan_configuration_name>: Optional. Specify the name of a scan configuration to use for the scan. If a scan configuration is not specified, the default scan configuration will be used for the scan.
  • -sourcecodeonly <true/false>: Optional. Specify to scan only source files and ignore other supported file types (.dll, .exe). Valid values are true and false.
    Note:
    • The -sourcecodeonly option is supported only in case of folder scans. It does not apply to application and project scans.
    • When -sourcecodeonly is true and appscan-config.xml is also provided, the parameter specified at the command line has precedence.

Examples

  • To scan the default configurations of projects in all applications:
    AllApplications>> Scan

    The results appear as:

    New Scan started
    		.
    		.
    Preparing for Vulnerability Analysis...
    Performing Vulnerability Analysis...
    Generating Findings...
    Preparing project for scan...
    		.
    		.
    Scanned Project:
      Total files: 15
      Total findings: 167
      Total lines: 385
    	vkloc: 0.44448395412925595
    	v-Density: 22.446439683527426
    Scanned Application:
      Total files: 15
      Total findings: 167
      Total lines: 385
    	vkloc: 0.44448395412925595
    	v-Density: 22.446439683527426
    Scan completed:
      Total files: 15
      Total findings: 167
      Total lines: 385
    	vkloc: 0.44448395412925595
    	v-Density: 22.446439683527426
    Elapsed Time - 18 Seconds
    New Scan started. Please wait...
    Assessment complete
    -------------------
    Total Call Sites: 75
    Total Definitive Security Findings with High Severity: 25
    Total Definitive Security Findings with Medium Severity: 37
    Total Definitive Security Findings with Low Severity: 9
    Total Suspect Security Findings with High Severity: 20
    Total Suspect Security Findings with Medium Severity: 80
    Total Suspect Security Findings with Low Severity: 60
    Total Scan Coverage Findings with High Severity: 50
    Total Scan Coverage Findings with Medium Severity: 33
    Total Scan Coverage Findings with Low Severity: 17
    Total Lines: 3000
    ...
  • To scan the debug configuration of Prj1:
    AllApplications\Prj1>> SC config debug
  • To scan a folder:
    AllApplications>> of C:\workspace\SimpleIOT
    SimpleIOT>> Scan