scan (sc)
Description
Scans an application (or all applications), project, folder, or file. A valid AppScan® Source for Automation license is required for use of this command.
Important: If you are working with
an AppScan®
Source project
that has dependencies in a development environment (for example, an IBM® MobileFirst
Platform project),
ensure that you build the project in the development environment before
importing it. After importing the project, if you modify files in
it, be sure to rebuild it in the development environment before scanning
in AppScan®
Source (if
you do not do this, modifications made to files will be ignored by AppScan®
Source).
Note: When scanning folders, by default all the files in the target folder
are scanned, regardless of language. As such, the scan results can differ from
scanning applications or projects. To target specific files, create an
appscan-config.xml file to define the scan targets.
When an appscan-config.xml file is present in the target folder,
then the configuration information therein is considered automatically by the
scanning process.Syntax
scan [path][config <proj_config>][-name <assessment_name>][-scanconfig <scan_configuration_name>] [-sourcecodeonly <true>] [-enablesecrets <true>] [-secretsonly <true>] [-waitforlicense <wait_time>]path: Optional. Full path and file name (.ozasmt) that the exported assessment will be saved as.Note:- If you specify a valid directory without a file name, an assessment file (.ozasmt) will be created for you based on the application name, project name, and scan configuration used when creating the assessment.
- If you specify a valid directory with a file name that does not exist, an assessment file will be created in that location using the file name specified.
- If you specify a file that already exists, the existing file will be overwritten.
- If you specify a file name (.ozasmt) in a directory that does not exist, no assessment will be saved.
config <proj_config>: Optional. This argument is only valid for project-level assessments. If your project has a configuration file, specify it using this argument.-name <assessment_name>: Optional. Provide a name for the assessment. This name is used in AppScan® Source client products to distinguish assessments from one another (for example, in AppScan® Source for Analysis, the name would appear in the Name column of the My Assessments view).-enablesecrets <true>: Optional. Specify to scan source files with secret scanner in addition to the other relevant scanners. Valid value istrue.-scanconfig <scan_configuration_name>: Optional. Specify the name of a scan configuration to use for the scan. If a scan configuration is not specified, the default scan configuration will be used for the scan.-secretsonly <true>: Optional. Specify to scan source files only with secret scanner. Valid value istrue.-sourcecodeonly <true>: Optional. Specify to scan only source files and ignore other supported file types (.dll,.exe). Valid value istrue.-waitforlicense <wait_time>: Optional. Specify the wait time in minutes for which a scan will wait when a AppScan® Source for Automation license is not available. If a wait time is not indicated using-waitforlicense, a default value is drawn fromCLI.ozsettings. Wait time can be disabled by setting the value to 0.
Note: The
-enablesecrets,
-secretsonly, and -sourcecodeonly
options are supported only in case of folder
scans. It does not apply to application and project
scans.Examples
- To scan the default configurations of projects in all applications:
AllApplications>> ScanThe results appear as:
New Scan started . . Preparing for Vulnerability Analysis... Performing Vulnerability Analysis... Generating Findings... Preparing project for scan... . . Scanned Project: Total files: 15 Total findings: 167 Total lines: 385 vkloc: 0.44448395412925595 v-Density: 22.446439683527426 Scanned Application: Total files: 15 Total findings: 167 Total lines: 385 vkloc: 0.44448395412925595 v-Density: 22.446439683527426 Scan completed: Total files: 15 Total findings: 167 Total lines: 385 vkloc: 0.44448395412925595 v-Density: 22.446439683527426 Elapsed Time - 18 SecondsNew Scan started. Please wait... Assessment complete ------------------- Total Call Sites: 75 Total Definitive Security Findings with High Severity: 25 Total Definitive Security Findings with Medium Severity: 37 Total Definitive Security Findings with Low Severity: 9 Total Suspect Security Findings with High Severity: 20 Total Suspect Security Findings with Medium Severity: 80 Total Suspect Security Findings with Low Severity: 60 Total Scan Coverage Findings with High Severity: 50 Total Scan Coverage Findings with Medium Severity: 33 Total Scan Coverage Findings with Low Severity: 17 Total Lines: 3000 ... - To scan the debug configuration of Prj1:
AllApplications\Prj1>> SC config debug - To scan a
folder:
AllApplications>> of C:\workspace\SimpleIOT SimpleIOT>> Scan