Jump to main content
Welcome to the documentation for HCL® AppScan® Source.
Introduction to HCL® AppScan® Source
HCL® AppScan® Source delivers maximum value to every user in your organization who plays a role in software security. Whether a security analyst, quality assurance professional, developer, or executive, the AppScan Source products deliver the functionality, flexibility, and power you need - right to your desktop.
HCL® AppScan® Source Version 10.4.0 Readme and Release Notes®
Important concepts
Before you begin to use or administer AppScan® Source, you should become familiar with fundamental AppScan Source concepts. This section defines basic AppScan Source terminology and concepts. Subsequent chapters repeat these definitions to help you understand their context in AppScan Source for Analysis.
Introduction to HCL® AppScan® Source for Analysis
This section describes how AppScan® Source for Analysis fits into the total AppScan Source solution and provides a basis for understanding the software assurance workflow.
Logging in to AppScan® Enterprise Server from AppScan® Source products
Most AppScan® Source products and components require a connection to an AppScan Enterprise Server. The server provides centralized user management capabilities and a mechanism for sharing assessments. All user management occurs in AppScan Enterprise.
United States government regulation compliance
Compliance with United States government security and information technology regulations help to remove sales impediments and roadblocks. It also provides a proof point to prospects worldwide that HCL® is working to make their products the most secure in the industry. This topic lists the standards and guidelines that AppScan® Source supports.
AppScan® Source and accessibility
Accessibility affects users with physical disabilities, such as restricted mobility or limited vision. Accessibility issues can impede the ability to use software products successfully. This topic outlines known AppScan® Source accessibility issues and their workarounds.
What's New
Explore these new features that have been added to AppScan® Source - and note any features and capabilities that have been deprecated in this release.
Learn how to install, upgrade, and activate HCL® AppScan® Source.
System requirements and installation prerequisites
AppScan® Source deployment models
This section describes three different deployment models and the components that comprise each model.
Sample installation scenarios
When installing AppScan® Source, it is important to follow the correct installation workflow. These topics guide you through the workflow involved in some sample installation scenarios.
Upgrading AppScan® Source
Advanced installation and activation topics
This section describes advanced installation options and activation procedures.
AppScan® Source silent installers
The AppScan® Source custom installation wizard is used for creating silent installers.
Activating the software
Removing AppScan® Source from your system
You can remove AppScan® Source from the Windows™ Control Panel or with a Linux™ uninstall script. The AppScan Source uninstall does not remove or back up an installed Oracle database. Deleting the AppScan Source user from an Oracle instance is a manual database administrative task.
Learn how to configure applications and projects, and set attributes and properties in HCL® AppScan® Source.
Configuring applications and projects
Before you scan, you must configure applications and projects. This section explains the Application Discovery Assistant, New Application Wizard, and the New Project Wizard. You will learn how to configure attributes for AppScan® Source for Analysis. In addition, this section teaches you how to add existing applications and projects for scanning - and how to add files to projects.
Preferences are personal choices about the appearance and operation of AppScan® Source for Analysis.
Learn how to administer user accounts and permissions, audit user activity, and manage integrations in HCL® AppScan® Source.
Administering AppScan® Source
This section explains user management, permissions, application and project registration, and port configuration.
Auditing user activity
AppScan® Source offers a convenient location for auditing user activity. The Audit view logs events such as authentication to the AppScan Enterprise Server, the creation of new users, and the creation of new rules in the database.
Logging in to AppScan® Enterprise Server from AppScan® Source products
Most AppScan® Source products and components require a connection to an AppScan Enterprise Server. The server provides centralized user management capabilities and a mechanism for sharing assessments. All user management occurs in AppScan Enterprise.
LDAP integration
To add an AppScan® Source user that will be authenticated via LDAP, you must have configured the AppScan Enterprise Server user repository to use an LDAP repository.
Registering applications and projects for publishing to AppScan® Source
AppScan® Source application and project files
AppScan® Source applications and projects have corresponding files that maintain configuration information required for scanning, as well as triage customization. It is recommended that these files reside in the same directory as the source code, since configuration information (dependencies, compiler options, and so forth) required to build the projects is very similar to that required for AppScan Source to scan them successfully. Best practice includes managing these files with your source control system.
Port configuration
This section explains how to scan your source code and manage assessments in HCL® AppScan® Source.
Scanning workspaces, projects, and files
You can scan an Eclipse workspace, project, or file. This includes scanning Java™ (including Android), JavaServer Pages (JSP), and IBM® MobileFirst Platform projects.
Managing My Assessments
The My Assessments view contains a list of assessments (the currently-opened assessment, along with any assessments that you have saved). In this view, you can open, delete, save, rename, or compare assessments. When a scan completes or you open a saved assessment, the assessment appears in the My Assessments view. My Assessments displays a table of open or saved assessments, and identifies a published or modified assessment. Removing an assessment from this view (without saving or publishing it) permanently deletes that assessment.
Submitting AppScan® Source assessments to the Cloud for analysis
If you have a subscription to HCL AppScan on Cloud at HCL Cloud Marketplace, you can submit AppScan® Source assessments for analysis there. Assessments from AppScan Source Versions 9.0 or higher are supported - and the number of scans that you can submit depends on your AppScan on Cloud subscription.
Publishing assessments
AppScan® Source offers two publishing options. You can publish assessments to the AppScan Source Database, for the purpose of storing and sharing assessments. Or, if your AppScan Enterprise Server has been installed with the Enterprise Console option, you can publish assessments to it. The AppScan Enterprise Console offers a variety of tools for working with your assessments - such as reporting features, issue management, trend analysis, and dashboards.
Opening and saving assessments
AppScan® Source scans source code for vulnerabilities and produces findings. Findings are the vulnerabilities identified during a scan, and the result of a scan is an assessment. You can open a saved assessment from AppScan Source for Development or AppScan Source for Analysis. After you scan, you can save the assessment to a file. Then you can open the assessment again at any time. Assessments are saved as filename.ozasmt.
Removing assessments from My Assessments
When assessments are removed from the My Assessments view, they are not removed from your local file system. If an assessment is removed from the view, it can be added back with the Open Assessment action.
Defining variables
When saving assessments or bundles, or publishing assessments, AppScan® Source for Analysis may suggest that you create a variable to replace absolute paths (without variables, AppScan Source for Analysis writes absolute paths to the assessment file to reference items such as source files). When you configure variables for absolute paths, you facilitate the sharing of assessments on multiple computers. It is recommended that you use variables when sharing assessments.
Triage and analysis
Grouping similar findings allows security analysts or IT auditors to segment and triage source code problems. This section explains how to triage AppScan® Source assessments and analyze results.
Displaying findings
The Findings view, or any view with findings, displays a findings tree (a hierarchical grouping of assessment criteria) and a findings table for each scan. The item that is selected in the findings tree determines the findings that are presented in the table.
The AppScan® Source triage process
The triage process includes manipulating findings through bundles, filters, and exclusions - and comparing assessment results.
Sample triage
This example describes an AppScan® Source triage workflow used by a security analyst. Triage workflow may vary according to your business needs.
Triage with filters
AppScan® Source for Analysis reports on all potential security vulnerabilities and may produce many thousands of findings for a medium to large code base. When you scan, you may find that the findings list contains items that are not important to you. To remove certain findings from the Findings view, you can choose a predefined filter or you can create your own filter. A filter specifies the criteria that determine which findings to remove from view.
Triage with exclusions
After a scan, you may decide that some findings are irrelevant to your current work, and you do not want them visible in the findings table when you triage the scan results. These exclusions (or excluded findings) no longer appear in the Findings view and the assessment metrics update immediately with the changed results. Filter and bundle exclusions added to a configuration only take effect on subsequent scans.
Working with bundles
Bundles (a grouping mechanism for findings) allow you to import a snapshot of findings from AppScan® Source for Analysis to AppScan Source for Development. Once findings are in bundles, you can use AppScan Source for Development to open the project that contains the bundle, import the bundle, or open a saved bundle file (file_name.ozbdl).
Working with static analysis fix groups
Fix groups are a new approach to managing, triaging, and resolving issues found in static analysis scans. After running a static scan, AppScan® Source organizes issues into fix groups based on vulnerability type and the required remediation task.
Modifying findings
Modified findings are findings that have changed vulnerability types, classifications, or severities - or that have annotations. The Modified Findings view displays these findings for the current application (the application that is active as a result of opening an assessment for it). In the My Assessments view (available only in AppScan® Source for Analysis), the Modified column indicates if a finding has changed in the current assessment.
Comparing findings
Use the Diff Assessments action or the AppScanDelta utility to compare assessments. When two assessments are compared, the differences between the two are displayed in the Assessment Diff view or in an .ozasmt file. The results summarize new, fixed/missing, and common findings.
Custom findings
To augment your analysis results, you can create custom findings. These are user-created findings that AppScan® Source for Analysis adds to the currently-open assessment or selected application. Custom findings impact assessment metrics and can be included in reports. Once created, a custom finding is automatically included in future scans of the application.
Resolving security issues and viewing remediation assistance
AppScan® Source alerts you to security errors or common design flaws and assists in the resolution process. The AppScan Source Security Knowledgebase - and internal or external code editors - help with this process.
Supported annotations and attributes
Some annotations or attributes that are used to decorate code are processed during scans. When a supported annotation or attribute is found in your code during a scan, the information is used to mark the decorated method as a tainted callback. A method marked as a tainted callback is treated as if all of its arguments have tainted data. This results in more findings with traces. Supported annotations and attributes are listed in this help topic.
AppScan® Source trace
With AppScan® Source trace, you can verify input validation and encoding that meets your software security policies. You can look at the findings that produce input/output traces and mark methods as validation and encoding routines, sources or sinks, callbacks, or taint propagators.
Security analysts and risk managers can access reports of select findings or a series of audit reports that measure compliance with software security best practices and regulatory requirements. This section explains how to create reports of aggregate finding data.
Creating findings reports
AppScan® Source reports
Creating custom reports
In the Report Editor, you create report templates used to generate custom reports.
Exporting findings
Export finds in CSV or SARIF format from the findings list of a scan.
Extending product function
Learn how to extend the product to meet specific development requirements.
Customizing the vulnerability database and pattern rules
This section describes how to customize the database and integrate customized vulnerabilities and other routines into scans.
Extending the application server import framework
AppScan® Source allows you to import Java™ applications from Apache Tomcat and WebSphere® Application Server Liberty profile. You can import Java applications from other application servers by extending the application server import framework, as explained in this topic.
HCL® AppScan® Source for Development (Eclipse Plug-in)
With AppScan® Source for Development, you can work in your existing development environment and perform security vulnerability analysis on Java and IBM® MobileFirst Platform projects. Security analysis lets you pinpoint vulnerabilities in the source code and eliminate them entirely with AppScan Source Security Knowledgebase remediation assistance.
Review reference information for HCL® AppScan® Source, including using utilities, plug-ins, and APIs.
The Ounce/Make build utility
Ounce/Make is a tool that automates the importing of configuration information into AppScan® Source from build environments that use makefile. Ounce/Make eliminates the need to import configuration information from makefiles manually; this the recommended method of configuring these projects.
AppScan® Source command line interface (CLI)
The CLI is an interface to core AppScan® Source functionality.
The Ounce/Ant build tool
This section describes how to use Ounce/Ant, an AppScan® Source build utility that integrates AppScan Source and Apache Ant. Integrating Ounce/Ant with your Ant environment helps you automate builds and code assessments.
AppScan® Source Data Access API
The Data Access API provides access to AppScan® Source-generated assessment results, including findings and finding details. It also provides access to assessment metrics such as analysis date and time, lines of code, V-density, and number of findings.
Learn common product terminology.
Troubleshooting and support
Self-help information, resources, and tools to help you troubleshoot issues while using HCL® AppScan® Source.
Troubleshooting process overview
Troubleshooting is the process of finding and eliminating the cause of a problem. Whenever you have a problem with your software, the troubleshooting process begins as soon as you ask yourself what happened?
Contacting HCL® Software Support
If the self-help resources have not provided a resolution to your problem, you can contact HCL® Software Support. HCL Software Support provides assistance in resolving product issues.