Configuring project properties for security scanning

To configure a Java™ project for security scanning, follow the instructions in this topic.

Procedure

  1. Choose Security Analysis > Configure Scan > Configure Projects for Security from the main menu.
  2. If your workspace contains more than one project, the Choose Projects dialog box will open. In this dialog box, select the project to configure and then click OK.
  3. Click Configure JDKs to set the Java and JSP compiler preferences - and then identify the JDK to use for scans by selecting it in the list. By default, IBM JDK 1.8 is used. AppScan® Source also provides IBM JDK 1.7 for selection - or you can add a different JDK.
    Note: Out-of-the-box, the default compiler for JSP projects is Tomcat 7, which requires Java Version 1.6 or higher. If Tomcat 7 is kept as default, using an earlier JDK will result in compilation errors during scans.
  4. JSP Settings: Configure the necessary JSP Settings for the specified project with these options:
    Table 1. JSP settings
    Option Description
    Contains web content Select this check box if the project is a web application that contains JavaServer Pages.
    Web Context Root Manually select the Web Context Root, or click Find to locate it. The Web Context Root is a WAR file or a directory that contains the WEB-INF directory. The web context root must be the root of a valid web application.
    Use JSP Compiler Select the JSP Compiler for the project. Out-of-the-box, Tomcat 7 is the default JSP compiler setting (the default JSP compiler can be changed in the Java and JSP preference page). To learn about the compilers that are supported by AppScan Source, see HCL AppScan Source system requirements.

    Apache Tomcat Versions 7 and 8 are included in the installation of AppScan Source. If the Tomcat 7 and Tomcat 8 preference pages are not configured, AppScan Source will compile JSP files using the supplied Tomcat JSP compiler that is currently marked as default. If you want to employ an external supported Tomcat compiler, use the Tomcat preference pages to point to your local Tomcat installation.

    If you are using Oracle WebLogic Server or WebSphere® Application Server, you must configure the applicable preference page to point to your local installation of the application server so that it can be used for JSP compilation during analysis. If you have not already completed this configuration, you will be prompted by a message to do so when you select the JSP compiler. If you click Yes in the message, you will be taken to the appropriate preference page. If you click No, a warning link will display next to the JSP compiler selection (following the link will open the preference page).
  5. File Encoding: The character encoding of files in your project must be set so that AppScan Source can read the files properly (and, for example, display them correctly in the source view). The default file encoding can be set in the AppScan Source preference page.
  6. Pre-scan Compilation Optimizations:
    • Precompiled classes: Use precompiled Java or JSP class files instead of compiling during the scan. When selected, this option disables the source stage options.
    • Stage source files to minimize effects of compilation errors: Controls whether AppScan Source copies the sources to the staging directory.

      Correct for packages not matching the directory structure requires the Java compiler to open each source file.

      Clean staging area between each scan ensures that the latest version of your code is compiled before scanning. This can improve the accuracy of results, however performance may be decreased when this option is selected.