appscan_config file template and settings

When you prepare the configuration file, use this template:

<Configuration attributes="true/false">
    <Targets>
        <Target outputs-only="true/false" path="scan_target_path">
            <CustomBuildInfo build_info="info"/>
            <Include>string_pattern</Include>
            <Exclude>string_pattern</Exclude>
        </Target>
    </Targets>
</Configuration>
Within the template you can further customize the scan to handle:
  • configuration attributes
  • scan targets
  • custom build info
  • include and exclude strings

appscan_config file configuration attributes

Use the optional configuration attributes to specify third-party and/or Open Source scanning:
  • thirdParty="<true or false>"
    Enables scanning of third-party artifacts. Default: false.
  • openSourceOnly="<true or false>"
    Disables security scanning and runs only open source analysis. Default: false.
  • staticAnalysisOnly="<true or false>"
    Disables Open Source scanning and runs static analysis only. Default: false.
  • sourceCodeOnly="<true or false>"
    Scans only source files and ignores other supported file types: .NET (.dll, .exe, .sln), C (.sln). Default: false.

appscan_config file <Target> element attributes

Use the Targets element to indicate which targets to scan when you scan with the CLI.

  • outputs-only
    Used only when you want to scan a directory and force the Command Line Utility to find only the build output files (such as .jar, .war, and .class files). By default, this attribute is set to false, which means that the Command Line Utility examines the directory to determine whether it is itself a target (such as an application server or an Eclipse workspace), or whether it contains items such as build scripts, Maven .pom files, and make files.

    If you want the scan target to be treated as a simple directory, and have only the output files located, specify outputs-only="true" in the Target element.

    Examples:
    If you specify <Target outputs-only="false" path="C:\Tomcat">, the Command Line Utility assumes that the target is your Tomcat application server and searches for its deployed .war files.
    However, if you specify <Target outputs-only="true" path="C:\Tomcat">, the Command Line Utility treats that location as a plain directory and locates all build output files inside it.

  • path
    Specify the path to a scan target or a directory of scan targets (<scan_target_path>). When a directory is specified, all of its subdirectories are included in the scan.

    Examples:
    If you specify <Target outputs-only="false" path="C:\WebSphere\AppServer85\profiles\AppSrv01">, the Command Line Utility locates all deployed .ear files in the AppSrv01 profile.
    If you specify <Target outputs-only="false" path="C:\WebSphere\AppServer85">, the Command Line Utility locates all deployed .ear files in all profiles.

appscan_config file <Target> sub-elements

There are three optional <Target> sub-elements:
  • CustomBuildInfo

    Specify build information depending on the target language. For some languages, more than one attribute can be set. For example, you may set <CustomBuildInfo build_info_1="info_1" build_info_2="info_2" build_info_3="info_3"/>, depending on the target language.

    For additional information on using CustomBuildInfo, see the table below.

  • Include
    Specify file patterns (<string_pattern>) to include when you scan. Include behavior depends on the target type, as outlined in the Target include and exclude behavior section. To specify multiple include patterns, add each pattern in its own <Include></Include> tag. For example,
    <Include>string_pattern_1</Include>
    <Include>string_pattern_2</Include>
    Note: If you specify include and exclude patterns that conflict, the exclude patterns take precedence.
  • Exclude

    Specify file patterns to exclude when you scan. Exclude behavior depends on the target type, as outlined in the Target include and exclude behavior section. To specify multiple exclude patterns, add each pattern in its own <Exclude></Exclude> tag.
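The following added example (not HCL's code, and not part of the original documentation) reads a complete appscan_config file built from the template above, checks the <Configuration> and <Target> attributes against the descriptions on this page, and applies the include/exclude precedence rule to a list of file names. SAMPLE_CONFIG is a constructed file; the lint rules and the shell-style pattern matching in select_files are assumptions drawn from the text, not the CLI's own behaviour.

```python
"""Parse an appscan_config file and sanity-check it against the element
and attribute descriptions in this page.

Added example, not HCL's code.  The checks are assumptions drawn from
the descriptions above, and SAMPLE_CONFIG is a constructed file, not a
real project."""
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample: one application-server target with build info and
# include/exclude patterns, and one plain build-output directory.
SAMPLE_CONFIG = r"""<Configuration thirdParty="false" staticAnalysisOnly="true">
    <Targets>
        <Target outputs-only="false" path="C:\WebSphere\AppServer85\profiles\AppSrv01">
            <CustomBuildInfo jdk_path="C:\Java\jdk17"
                             package_includes="com.hcl.example;com.hcl.sample"/>
            <Include>*.ear</Include>
            <Include>*.war</Include>
            <Exclude>*test*</Exclude>
        </Target>
        <Target outputs-only="true" path="/opt/builds/out">
            <Include>*.jar</Include>
        </Target>
    </Targets>
</Configuration>
"""

# The four optional <Configuration> attributes documented on this page.
CONFIG_FLAGS = ("thirdParty", "openSourceOnly", "staticAnalysisOnly", "sourceCodeOnly")


def _bool(value, default=False):
    """The attributes are documented as "true" or "false"; reject anything else."""
    if value is None:
        return default
    if value.lower() not in ("true", "false"):
        raise ValueError(f"expected true or false, got {value!r}")
    return value.lower() == "true"


def parse_config(xml_text):
    """Return a dict with the configuration flags, unknown attributes and targets."""
    root = ET.fromstring(xml_text)
    if root.tag != "Configuration":
        raise ValueError("root element must be <Configuration>")
    result = {
        "flags": {name: _bool(root.get(name)) for name in CONFIG_FLAGS},
        "unknown": sorted(set(root.attrib) - set(CONFIG_FLAGS)),
        "targets": [],
    }
    for target in root.iter("Target"):
        if target.get("path") is None:
            raise ValueError("<Target> requires a path attribute")
        build_info = target.find("CustomBuildInfo")
        result["targets"].append({
            "path": target.get("path"),
            "outputs_only": _bool(target.get("outputs-only")),
            "build_info": dict(build_info.attrib) if build_info is not None else {},
            "include": [(e.text or "").strip() for e in target.findall("Include")],
            "exclude": [(e.text or "").strip() for e in target.findall("Exclude")],
        })
    return result


def lint(config):
    """Warnings about settings that contradict each other (assumed from the descriptions)."""
    warnings = []
    if config["unknown"]:
        warnings.append(f"undocumented <Configuration> attributes: {config['unknown']}")
    flags = config["flags"]
    # openSourceOnly disables security scanning and staticAnalysisOnly disables
    # open-source scanning; both set to true would leave nothing to run.
    if flags["openSourceOnly"] and flags["staticAnalysisOnly"]:
        warnings.append("openSourceOnly and staticAnalysisOnly are both true")
    for target in config["targets"]:
        if not target["path"]:
            warnings.append("<Target> has an empty path")
    return warnings


def select_files(target, candidates):
    """Apply the Include patterns, then the Exclude patterns; Exclude wins on
    conflict, as the Note above states.  Assumption: shell-style name matching
    stands in for the CLI's own target-type-dependent pattern handling."""
    chosen = []
    for name in candidates:
        included = not target["include"] or any(
            fnmatch.fnmatch(name, p) for p in target["include"])
        excluded = any(fnmatch.fnmatch(name, p) for p in target["exclude"])
        if included and not excluded:
            chosen.append(name)
    return chosen


if __name__ == "__main__":
    config = parse_config(SAMPLE_CONFIG)
    print(config["flags"], lint(config))
    print(select_files(config["targets"][0], ["app.ear", "ui.war", "ui-test.war", "notes.txt"]))
```

Run it on your own file by replacing SAMPLE_CONFIG with the file contents; a non-empty list from lint() is worth resolving before the CLI is invoked, because the conflicting flags above simply leave nothing for the scan to do.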

Table 1. <CustomBuildInfo> attributes

Java
    Syntax: <CustomBuildInfo additional_classpath="dependency_path" jdk_path="JDK_path" jsp_compiler="JSP_compiler_path" package_includes="namespaces" package_excludes="namespaces"/>
  • additional_classpath
    Specify more class paths. On Windows, separate multiple class paths with a semicolon. On Linux, separate multiple class paths with a colon.
  • jdk_path
    The path to your JDK installation.
  • jsp_compiler
    The path to your JSP compiler. For example:
    jsp_compiler="C:\Tomcat"
    jsp_compiler="C:\Program Files (x86)\IBM\WebSphere\AppServer"
    jsp_compiler="C:\Oracle"
  • package_includes
    Override the existing third-party exclusions and scan only those classes that are from the given namespace(s). Use semicolons to delimit the namespaces list. For example:
    package_includes="com.hcl.example;com.hcl.sample"
  • package_excludes
    Append the specified namespaces to the existing list of third-party exclusions. Use semicolons to delimit the namespaces list.
  • irx_minor_cache_home
    Set the Java parallel processing cache location. The value should point to the location used for the cache. For example:
    <CustomBuildInfo irx_minor_cache_home="X:/mycache"/>

JSP (under provided Tomcat)
    Syntax: <CustomBuildInfo jsp_compiler_args="-ARGUMENTS"/>
  • jsp_compiler_args
    Specify JSP compiler command line arguments to set or override the JSP compiler.

.NET (Windows only)
    Syntax: <CustomBuildInfo references="assembly_references" configuration="build_configuration"/>
  • references
    Add assembly references. Separate multiple references with a semicolon.
  • configuration
    Include a build configuration for Visual Studio solution discovery.
  • package_includes
    Override the existing third-party exclusions and scan only those classes that are from the given namespace(s). Use semicolons to delimit the namespaces list. For example:
    package_includes="com.hcl.example;com.hcl.sample"
  • package_excludes
    Append the specified namespaces to the existing list of third-party exclusions. Use semicolons to delimit the namespaces list.

C/C++ (Windows only)
    Syntax: <CustomBuildInfo configuration="build_configuration" include_paths="include_directories" macros="macros" compiler_opts="compiler_options"/>
  • configuration
    Include a build configuration.
  • include_paths
    Specify include paths. Separate multiple include paths with a semicolon.
  • macros
    Include macros. Separate multiple macros with a semicolon.
  • compiler_opts
    Specify compiler options. Separate multiple options with a semicolon.

Note: The values that are set by these attributes are inherited by subtargets. For example, if your target is an EAR file that includes WAR and JAR subtargets, the WAR and JAR are assumed to have the same values that are set for the EAR file by these attributes.
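The following added example (not HCL's tool, and not part of the original documentation) builds a <CustomBuildInfo> element from Python values using the attribute names in Table 1. It applies the separator rules the table gives: the additional_classpath separator depends on the platform (semicolon on Windows, colon on Linux), while the other list-valued attributes are always semicolon-delimited. The language keys, the platform argument and the sample values are this example's own.

```python
"""Generate a <CustomBuildInfo> element from Python values, using only the
attribute names documented in Table 1.

Added example, not HCL's code.  The language keys and the platform
argument are this example's own conventions."""
import xml.etree.ElementTree as ET

# Attribute names documented in Table 1, keyed by target language.
BUILD_INFO_ATTRS = {
    "java": {"additional_classpath", "jdk_path", "jsp_compiler",
             "package_includes", "package_excludes", "irx_minor_cache_home"},
    "jsp": {"jsp_compiler_args"},
    "dotnet": {"references", "configuration", "package_includes", "package_excludes"},
    "cpp": {"configuration", "include_paths", "macros", "compiler_opts"},
}

# List-valued attributes that Table 1 says are semicolon-delimited on every platform.
SEMICOLON_LISTS = {"package_includes", "package_excludes", "references",
                   "include_paths", "macros", "compiler_opts"}


def build_info_element(language, values, platform="windows"):
    """Return an ElementTree element; list values are joined with the documented separator."""
    allowed = BUILD_INFO_ATTRS[language]
    unknown = set(values) - allowed
    if unknown:
        raise ValueError(f"not documented for {language}: {sorted(unknown)}")
    attrib = {}
    for name, value in values.items():
        if isinstance(value, (list, tuple)):
            if name == "additional_classpath":
                # Table 1: semicolon on Windows, colon on Linux.
                sep = ";" if platform == "windows" else ":"
            elif name in SEMICOLON_LISTS:
                sep = ";"
            else:
                raise ValueError(f"{name} takes a single value")
            value = sep.join(value)
        attrib[name] = value
    return ET.Element("CustomBuildInfo", attrib)


def build_info_xml(language, values, platform="windows"):
    """Serialise the element as it would appear inside a <Target>."""
    return ET.tostring(build_info_element(language, values, platform), encoding="unicode")


if __name__ == "__main__":
    # Constructed sample values, not a real project.
    print(build_info_xml("java", {
        "additional_classpath": [r"C:\lib\a.jar", r"C:\lib\b.jar"],
        "package_includes": ["com.hcl.example", "com.hcl.sample"],
    }))
    print(build_info_xml("java", {"additional_classpath": ["/opt/lib/a.jar", "/opt/lib/b.jar"]},
                         platform="linux"))
```

Because the element is generated per target, a misspelt attribute (for example compiler_ops instead of compiler_opts) is rejected at generation time rather than silently ignored in the file.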