Considerations for scanning application code

Before you use HCL OneTest Server to scan application code for security vulnerabilities, review the following considerations and complete the required tasks.

Before you can run a scan of the application code on HCL OneTest Server, you must have completed the following tasks:
  • Created a file with the following characteristics:
    • The file is in YAML format.
    • The file is named .codesweep.
  • Committed the following assets or resources to the remote repository:
    • The .codesweep file.
    • The application code, which can be either in the root directory or in a folder under the root directory.
      Note: The default root directory is the directory that contains the .codesweep file.
You can specify the following information in the .codesweep file:
  • The name of the asset that is displayed as the test asset on the Execution page of HCL OneTest Server. Specify the name at the first level of the file as the value of the name attribute.
  • Optionally, the names of the folders that contain the application code.

    By default, if no files or folders are specified under the folders attribute, all files and folders in the root directory are scanned.

    You can specify the files or folders to scan by using any of the following options:
    • Specify the files or folders by using an XML file that is in the same format as the HCL AppScan IRX file.
    • Specify the files or folders in the .codesweep file under the includes or excludes attributes under the folders attribute.
      • Optionally, you can specify the names of the files or folders to include in the scan. Specify them as the value of the includes attribute under the folders attribute.
      • Optionally, you can specify the names of the files or folders that contain application code that does not need to be scanned. Specify them as the value of the excludes attribute under the folders attribute.
      Note: You cannot use wildcard characters to indicate the files or folders anywhere in the .codesweep file.
  • Optionally, you can specify the rules that are to be ignored in the scan. You can specify the rules by using any of the following options:
    • Specify a file, which is a copy of ~/appscan/custom_scanners_service_ignore.json that is created by the CodeSweep plugin for Visual Studio. With this method, you can reuse the preferences that you have configured in your development environment.
    • Specify a list of rules. Each rule is defined by a name and a language identifier.
  • Optionally, you can specify the criteria for the verdict of the scan: the maximum number of security errors of each severity that is allowed for a pass verdict.
For example, consider the following details:
  • The name of the asset that is displayed on the Execution page: mycode
  • The folder that contains the code to be scanned: use_code
  • The folder that contains the code to be excluded from the scan: do_not_use_code
  • The verdict attribute, with the maximum number of security errors of each severity that is allowed for a pass verdict:
    • max-high: 0
    • max-medium: 10
    • max-low: 100
The contents of the .codesweep file are as follows:
name: mycode
folders: # default=./ , Optional
    configuration: configuration.xml # XML Configuration file, Optional
    includes: # list of folders to include, Optional
        - use_code
    excludes: # list of folders to exclude, Optional
        - do_not_use_code
ignore: # Ignore rules, Optional
    file: custom_scanners_service_ignore.json # JSON file created by the CodeSweep plugin, Optional
    rules: #list of rules to ignore, Optional
        - name: com.ouncelabs.languagelite.nodejs.Rules.NodeJS_PrivateDataExposedviaHTTPURL # Name, Required
          language: NodeJS # Language, Required
        - name: com.ouncelabs.languagelite.nodejs.Rules.NodeJS_PrivateDataExposedviaHTTP # Name, Required
          language: NodeJS # Language, Required
verdict: # PASS verdict, Optional
    max-high: 0 # default=0, Optional
    max-medium: 10 # default=0 , Optional
    max-low: 100 # default=-1 (no limit), Optional
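The following Python script is an added example, not code from HCL OneTest Server or from this documentation. It reads the example .codesweep file shown above, checks it against the rules stated on this page (a top-level name attribute, no wildcard characters, every ignore rule with both a name and a language, integer verdict limits), and applies the verdict thresholds the way the comments in the example describe them: a count above its max-* limit fails the scan, and -1 means no limit. The small parser is an assumption that covers only the YAML subset used by the example file (a real tool would use PyYAML), and treating `*` and `?` as the wildcard characters is also an assumption.

```python
"""Added example: check a .codesweep file and compute its pass/fail verdict.

Assumptions (not from the HCL documentation): the parser below handles only the
YAML subset used in the documented example (nested mappings, lists of scalars,
lists of small mappings, '#' comments); wildcards are taken to be '*' and '?'.
The verdict defaults come from the comments in the documented example file.
"""

VERDICT_DEFAULTS = {"max-high": 0, "max-medium": 0, "max-low": -1}  # -1 = no limit
WILDCARDS = "*?"  # assumption

# The example .codesweep file from the page, embedded here as sample input.
EXAMPLE_CODESWEEP = """\
name: mycode
folders: # default=./ , Optional
    configuration: configuration.xml # XML Configuration file, Optional
    includes: # list of folders to include, Optional
        - use_code
    excludes: # list of folders to exclude, Optional
        - do_not_use_code
ignore: # Ignore rules, Optional
    file: custom_scanners_service_ignore.json
    rules: #list of rules to ignore, Optional
        - name: com.ouncelabs.languagelite.nodejs.Rules.NodeJS_PrivateDataExposedviaHTTPURL
          language: NodeJS
        - name: com.ouncelabs.languagelite.nodejs.Rules.NodeJS_PrivateDataExposedviaHTTP
          language: NodeJS
verdict: # PASS verdict, Optional
    max-high: 0 # default=0, Optional
    max-medium: 10 # default=0 , Optional
    max-low: 100 # default=-1 (no limit), Optional
"""


def _scalar(text):
    """Integers become int; everything else stays a string."""
    try:
        return int(text)
    except ValueError:
        return text


def parse_codesweep(text):
    """Parse the .codesweep YAML subset into nested dicts and lists."""
    lines = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].rstrip()  # drop comments and trailing spaces
        if body.strip():
            lines.append([len(body) - len(body.lstrip(" ")), body.strip()])
    value, _ = _parse_block(lines, 0, lines[0][0])
    return value


def _parse_block(lines, i, indent):
    if lines[i][1].startswith("- "):
        return _parse_list(lines, i, indent)
    return _parse_mapping(lines, i, indent)


def _parse_mapping(lines, i, indent):
    result = {}
    while i < len(lines) and lines[i][0] == indent and not lines[i][1].startswith("- "):
        key, _, rest = lines[i][1].partition(":")
        i += 1
        nested = i < len(lines) and (
            lines[i][0] > indent or (lines[i][0] == indent and lines[i][1].startswith("- "))
        )
        if rest.strip():
            result[key.strip()] = _scalar(rest.strip())
        elif nested:
            result[key.strip()], i = _parse_block(lines, i, lines[i][0])
        else:
            result[key.strip()] = None
    return result, i


def _parse_list(lines, i, indent):
    result = []
    while i < len(lines) and lines[i][0] == indent and lines[i][1].startswith("- "):
        item = lines[i][1][2:].strip()
        if ":" in item:
            # "- name: x" opens an inline mapping whose remaining keys sit two
            # columns deeper than the dash; rewrite the line and parse it as such.
            lines[i] = [indent + 2, item]
            value, i = _parse_mapping(lines, i, indent + 2)
            result.append(value)
        else:
            result.append(_scalar(item))
            i += 1
    return result, i


def _strings(node):
    """Yield every string scalar in the parsed tree."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for child in node.values():
            yield from _strings(child)
    elif isinstance(node, list):
        for child in node:
            yield from _strings(child)


def validate(config):
    """Return the problems found; an empty list means the documented rules hold."""
    problems = []
    if not isinstance(config.get("name"), str):
        problems.append("top-level 'name' attribute is required")
    for rule in (config.get("ignore") or {}).get("rules") or []:
        if not isinstance(rule, dict) or "name" not in rule or "language" not in rule:
            problems.append(f"ignore rule needs both name and language: {rule!r}")
    for key, limit in (config.get("verdict") or {}).items():
        if key not in VERDICT_DEFAULTS or not isinstance(limit, int):
            problems.append(f"verdict attribute {key}: {limit!r} is not a valid limit")
    for value in _strings(config):
        if any(ch in value for ch in WILDCARDS):
            problems.append(f"wildcards are not allowed: {value!r}")
    return problems


def verdict(config, high, medium, low):
    """PASS unless a severity count exceeds its limit; a limit of -1 is never exceeded."""
    limits = {**VERDICT_DEFAULTS, **(config.get("verdict") or {})}
    counts = {"max-high": high, "max-medium": medium, "max-low": low}
    failed = [k for k, n in counts.items() if limits[k] != -1 and n > limits[k]]
    return ("PASS" if not failed else "FAIL", failed)
```

Running `verdict(parse_codesweep(EXAMPLE_CODESWEEP), 0, 10, 100)` returns a pass, because every count is at or below its limit; one more medium-severity finding turns it into a failure on max-medium. With no verdict section at all, the defaults let any number of low-severity findings through while a single high or medium finding fails the scan.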
To configure a run that scans the code, see Configuring a run to scan the application code.
Restriction: You cannot run the test assets on a remote Docker host.