Home
Triage and analysis
Grouping similar findings allows security analysts or IT auditors to segment and triage source code problems. This section explains how to triage AppScan® Source assessments and analyze results.
Triage with filters
AppScan® Source for Analysis reports on all potential security vulnerabilities and may produce many thousands of findings for a medium to large code base. When you scan, you may find that the findings list contains items that are not important to you. To remove certain findings from the Findings view, you can choose a predefined filter or you can create your own filter. A filter specifies the criteria that determine which findings to remove from view.
Using AppScan® Source predefined filters
AppScan® Source includes a set of predefined filters that can be selected for filtering scan results. This help topic describes these out-of-the-box filters.
Manually adding new filters after upgrading
For AppScan® Source installations configured with a SoldDB or Oracle database, manually add new reporting filters after upgrade to 10.0.8 or later.

Welcome
Welcome to the documentation for HCL® AppScan® Source.
What's New
Explore these new features that have been added to AppScan® Source - and note any features and capabilities that have been deprecated in this release.
Installing
Learn how to install, upgrade, and activate HCL® AppScan® Source.
Configuring
Learn how to configure applications and projects, and set attributes and properties in HCL® AppScan® Source.
Administering
Learn how to administer user accounts and permissions, audit user activity, and manage integrations in HCL® AppScan® Source.
Scanning
This section explains how to scan your source code and manage assessments in HCL® AppScan® Source.
Triage and analysis
Grouping similar findings allows security analysts or IT auditors to segment and triage source code problems. This section explains how to triage AppScan® Source assessments and analyze results.
- Displaying findings
  The Findings view, or any view with findings, displays a findings tree (a hierarchical grouping of assessment criteria) and a findings table for each scan. The item that is selected in the findings tree determines the findings that are presented in the table.
- The AppScan® Source triage process
  The triage process includes manipulating findings through bundles, filters, and exclusions - and comparing assessment results.
- Sample triage
  This example describes an AppScan® Source triage workflow used by a security analyst. Triage workflow may vary according to your business needs.
- Triage with filters
  AppScan® Source for Analysis reports on all potential security vulnerabilities and may produce many thousands of findings for a medium to large code base. When you scan, you may find that the findings list contains items that are not important to you. To remove certain findings from the Findings view, you can choose a predefined filter or you can create your own filter. A filter specifies the criteria that determine which findings to remove from view.
  - Using AppScan® Source predefined filters
    AppScan® Source includes a set of predefined filters that can be selected for filtering scan results. This help topic describes these out-of-the-box filters.
    - Manually adding new filters after upgrading
      For AppScan® Source installations configured with a SoldDB or Oracle database, manually add new reporting filters after upgrade to 10.0.8 or later.
    - AppScan® Source predefined filters (Version 8.7.x and earlier)
      This topic lists predefined filters that were included in AppScan® Source Version 8.7.x and earlier.
    - Restoring archived predefined filters
      Predefined filters that were provided in AppScan® Source prior to Version 8.8 can be added back to the product by following the steps in this task. Once restored on a single machine, they can be managed in the same manner as filters that you create (for example, they can be shared to multiple clients).
  - Creating and managing filters
    AppScan® Source offers multiple methods for creating and using filters. The main view for filter creation, the Filter Editor view, provides a robust set of rules which can be manually set and then saved to a filter. The Filter Editor view also provides a mechanism for managing filters that you have created - allowing you to easily modify or remove them. Alternately, you can filter the findings table using views that offer graphical representations of the findings - and then save those filters in the Filter Editor view. When you create a filter, the other views update to reflect the filter properties.
  - Applying filters
    Filters can be applied before or after scanning. To apply filters after scanning, use the Filter Editor or another view that allows you to apply filters. To apply filters before scanning, set a global filter or filter using a scan configuration. When you apply filters before scanning, you cannot show unfiltered findings or remove the filter without scanning again.
- Triage with exclusions
  After a scan, you may decide that some findings are irrelevant to your current work, and you do not want them visible in the findings table when you triage the scan results. These exclusions (or excluded findings) no longer appear in the Findings view and the assessment metrics update immediately with the changed results. Filter and bundle exclusions added to a configuration only take effect on subsequent scans.
- Working with bundles
  Bundles (a grouping mechanism for findings) allow you to import a snapshot of findings from AppScan® Source for Analysis to AppScan Source for Development. Once findings are in bundles, you can use AppScan Source for Development to open the project that contains the bundle, import the bundle, or open a saved bundle file (file_name.ozbdl).
- Working with static analysis fix groups
  Fix groups are a new approach to managing, triaging, and resolving issues found in static analysis scans. After running a static scan, AppScan® Source organizes issues into fix groups based on vulnerability type and the required remediation task.
- Modifying findings
  Modified findings are findings that have changed vulnerability types, classifications, or severities - or that have annotations. The Modified Findings view displays these findings for the current application (the application that is active as a result of opening an assessment for it). In the My Assessments view (available only in AppScan® Source for Analysis), the Modified column indicates if a finding has changed in the current assessment.
- Comparing findings
  Use the Diff Assessments action or the AppScanDelta utility to compare assessments. When two assessments are compared, the differences between the two are displayed in the Assessment Diff view or in an .ozasmt file. The results summarize new, fixed/missing, and common findings.
- Custom findings
  To augment your analysis results, you can create custom findings. These are user-created findings that AppScan® Source for Analysis adds to the currently-open assessment or selected application. Custom findings impact assessment metrics and can be included in reports. Once created, a custom finding is automatically included in future scans of the application.
- Resolving security issues and viewing remediation assistance
  AppScan® Source alerts you to security errors or common design flaws and assists in the resolution process. The AppScan Source Security Knowledgebase - and internal or external code editors - help with this process.
- Supported annotations and attributes
  Some annotations or attributes that are used to decorate code are processed during scans. When a supported annotation or attribute is found in your code during a scan, the information is used to mark the decorated method as a tainted callback. A method marked as a tainted callback is treated as if all of its arguments have tainted data. This results in more findings with traces. Supported annotations and attributes are listed in this help topic.
- AppScan® Source trace
  With AppScan® Source trace, you can verify input validation and encoding that meets your software security policies. You can look at the findings that produce input/output traces and mark methods as validation and encoding routines, sources or sinks, callbacks, or taint propagators.
Reporting
Security analysts and risk managers can access reports of select findings or a series of audit reports that measure compliance with software security best practices and regulatory requirements. This section explains how to create reports of aggregate finding data.
Extending product function
Learn how to extend the product to meet specific development requirements.
Reference
Review reference information for HCL® AppScan® Source, including using utilities, plug-ins, and APIs.
Troubleshooting and support
Self-help information, resources, and tools to help you troubleshoot issues while using HCL® AppScan® Source.

Manually adding new filters after upgrading

For AppScan® Source installations configured with a SoldDB or Oracle database, manually add new reporting filters after upgrade to 10.0.8 or later.

As part of AppScan® Source 10.0.8, the following report filters have been introduced:

OWASP Top 10 API Security 2019 filter
CWE 2021 Top 25 filter
OWASP Top 10 2017 report
OWASP Top 10 2021 report

By default, the newly added filters are available in AppScan® Source installation, except for the installations upgraded from earlier releases configured with a database (SolidDB or Oracle).

To make these filters available to certain upgraded installations of AppScan® Source, perform these steps:

Copy the report definition files from <data_dir>\IBM\AppScanSource\data\default\filters\ to <data_dir>\IBM\AppScanSource\scanner_filters\.
The relevant report definition file names are:
- CWE Top 25 2021 Vulnerabilities.off
- OWASP API Security Top 10 2019 Vulnerabilities.off
- OWASP Top 10 2017 Vulnerabilities.off
- OWASP Top 10 2021 Vulnerabilities.off
Edit the copied files:
- Change the value of XML property global from true to false.
- Change <Filter added="false" exclude_matching_findings="true" global="true" global_exclusion="false" name="CWE Top 25 2021 Vulnerabilities" version="0"> to <Filter added="false" exclude_matching_findings="true" global="false" global_exclusion="false" name="CWE Top 25 2021 Vulnerabilities" version="0">
Start AppScan® Source for Analysis client.
Open the Filters view.
The newly added filters will be available as Custom Filters local to the installation.
Optional. Mark the filter as Shared to make it available to other AppScan® Source installations connecting to the same database.