Important concepts

Before you begin to use or administer AppScan® Source, you should become familiar with fundamental AppScan Source concepts. This section defines basic AppScan Source terminology and concepts. Subsequent chapters repeat these definitions to help you understand their context in AppScan Source for Analysis.

AppScan Source for Analysis scans source code for vulnerabilities and produces findings. Findings are the vulnerabilities identified during a scan, and the result of a scan is an assessment. A bundle is a named collection of individual findings and is stored with an application.

Applications, their attributes, and projects are created and organized in AppScan Source for Analysis:

  • Applications: An application contains one or more projects and their related attributes.
  • Projects: A project consists of a set of files (including source code) and their related information (such as configuration data). A project is always part of an application.
  • Attributes: An attribute is a characteristic of an application that helps organize the scan results into meaningful groupings, such as by department or project leader. You define attributes in AppScan Source for Analysis.

The principal activity of AppScan Source for Analysis is to scan source code and analyze vulnerabilities. An assessment records each finding with the following information:

  • Severity: High, medium, or low, indicating the level of risk
  • Vulnerability Type: Vulnerability category, such as SQL Injection or Buffer Overflow
  • File: Code file in which the finding exists
  • API/Source: The vulnerable call, showing the API and the arguments passed to it
  • Method: Function or method from which the vulnerable call is made
  • Location: Line and column number in the code file that contains the vulnerable API
  • Classification: Security finding or scan coverage finding. For more information, see Classifications.