System requirements for AppScan 360° Static Analysis
This section describes required operating systems and supporting technology for downloading and deploying AppScan 360° Static Analysis. Additional information on setting up required components can be found here.
The deployment consists of the following components:
- The AppScan 360° SAST gateway: the main entry point for a scan.
- The workflow-manager: manages scan progress.
- The scan-manager: fetches scan artifacts and details, and gathers troubleshooting information.
- The preparer service: prepares source code and builds artifacts for analysis.
- The analyzer service: evaluates the IRX to identify vulnerabilities.
- The ASCP Adapter: the interface to AppScan Central Platform for monitoring scan status and progress, and for working with results and logs.
- RabbitMQ: the message broker whose queues carry scan requests between the services.
System requirements and prerequisites
bash script and thus requires a Linux environment.
AppScan 360° Static Analysis agents are deployed locally or in the cloud.
Downloading AppScan 360° SAST
- Red Hat Enterprise Linux (RHEL) 7.9 or newer, or Ubuntu
- Docker or containerd runtime
- kubectl
- Helm
- HCL Harbor
  - HCL ID with access to the FlexNet operations portal.
  - HCL Harbor account with read access and access to the AppScan 360° SAST project area.
- Archive installation
  - HCL ID with access to the FlexNet operations portal.
Cluster setup
- CA certificate and private key to enable TLS
- The latest available version of an ingress controller (for example, NGINX)
- KEDA version 2.9.4
- cert-manager version 1.11.0
- kubectl for communicating with the cluster
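The TLS prerequisite above (a CA certificate and private key, cert-manager, and an ingress controller) fits together as shown in the following added example. It is not from the HCL documentation or the product's Helm chart: the Secret, issuer and ingress names, the `appscan` namespace, the hostname, and the assumption that the gateway is exposed by a Kubernetes Service named `gateway` on port 443 are all illustrative. The `cert-manager.io/v1` API and the `ca` issuer type are available in cert-manager 1.11.0.

```yaml
# Added example, not part of the HCL documentation. All names, the namespace,
# the hostname and the backend service/port are assumptions for illustration.
#
# Step 1: store the CA certificate and private key from the prerequisites as a
# TLS secret in the namespace cert-manager runs in. Use a deployment-specific
# (intermediate) CA here, not an organisation root key.
apiVersion: v1
kind: Secret
metadata:
  name: appscan-ca-secret
  namespace: cert-manager
type: kubernetes.io/tls
data:
  tls.crt: "<base64-encoded CA certificate>"   # placeholder
  tls.key: "<base64-encoded CA private key>"   # placeholder
---
# Step 2: a ClusterIssuer that signs serving certificates with that CA.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: appscan-ca-issuer
spec:
  ca:
    secretName: appscan-ca-secret
---
# Step 3: the ingress in front of the gateway. The annotation makes
# cert-manager issue (and renew) the certificate into the secret named under
# tls; the NGINX annotation forces plaintext requests onto TLS.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: appscan-sast-gateway
  namespace: appscan
  annotations:
    cert-manager.io/cluster-issuer: appscan-ca-issuer
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - sast.example.internal
      secretName: appscan-sast-tls
  rules:
    - host: sast.example.internal
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: gateway      # assumption: Service fronting the gateway component
                port:
                  number: 443
```

After applying these, `kubectl -n appscan get certificate` should show the `appscan-sast-tls` certificate as Ready; clients that trust the CA in `appscan-ca-secret` can then verify the gateway. Because the CA private key lives in a cluster Secret, restrict read access to the `cert-manager` namespace with RBAC and rotate the key on the same schedule as the rest of the deployment's secrets.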
Cloud Deployment to AKS (Azure)
AppScan 360° SAST containers can be deployed on a Kubernetes environment provided by various cloud providers configured as follows:
Static Analyzer Command Line Utility
The Static Analyzer Command Line Utility (SAClientUtil) is used to generate an IRX that can be scanned in AppScan 360°. The appscan.sh prepare command is supported for use with AppScan 360° Static Analysis.
SAClientUtil is updated regularly for a variety of reasons, including:
- New language support
- Updated language support (for example, new file types associated with supported languages)
- New features
- Fixes
Because language and file-type support ships with the utility, keep the client that produces the IRX current so the analyzer receives artifacts it can evaluate.
Resource requirements
Containers
For each container at rest, based on a reference system with RHEL 7.9, 16GB RAM, 24 vCPU, and 512GB disk space, the following resources are required:

Service | Instances (min/max) | CPU (min/max) | RAM (min/max) | Disk space
---|---|---|---|---
prepare service | 1/10 | 4/6 | 16GB/16GB |
analyze service | 1/10 | 4/6 | 32GB/32GB |
Workflow manager | 1/1 | 2/4 | 6GB/6GB |
Scan Manager | 1/1 | 1/2 | 4GB/4GB |
ASCP Adapter | 1/3 | 2/4 | 6GB/6GB |
Gateway | 1/1 | 1/2 | 4GB/4GB |
Scan data (shared) | | | | 200GB
Logs (shared) | | | | 10GB
The RAM allocated to the preparer and analyzer services can be increased based on the memory requirement of an individual scan. The disk space for scan data and logs can be increased as needed.
By default, azurefile storage is used as the storage class for PVCs. If a custom storage class such as longhorn is to be used, ensure that ~250GB of disk space is provided for the pod PVCs as well as the log PVC. Resource requirements are highly variable based on specific scanning needs, configurations, application demands, and so on. See Configuring concurrent scans for additional information.
Autoscaling
The preparer, analyzer, and ASCP Adapter services can be scaled up and down automatically. When monitoring detects concurrent scan requests in the RabbitMQ message queues for any of the preparer, analyzer, or ASCP Adapter services, additional pods for that service are started in parallel, up to the maximum in the table below (ten by default for preparer and analyzer, three for the ASCP Adapter), to work through the requests in the queue.

Service | Instances (min/max)
---|---
preparer | 1/10
analyzer | 1/10
ascp-adapter | 1/3
workflow-manager | 1/1
scan-manager | 1/1
gateway | 1/1
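The queue-driven scaling described above is what the KEDA 2.9.4 prerequisite is for. The following added example shows how a KEDA ScaledObject expresses the analyzer's 1/10 range against a RabbitMQ queue; it is illustrative and not the product's own chart or configuration. The `appscan` namespace, the Deployment name `analyzer`, the queue name, the Secret and TriggerAuthentication names, and the AMQP URL are assumptions; only the 1/10 bounds and the KEDA version come from this page.

```yaml
# Added example, not part of the HCL documentation or the product's Helm chart.
# Namespace, Deployment and queue names, secret names and the AMQP URL are
# assumptions; the 1/10 replica range comes from the table above.
#
# Credentials for the scaler, kept out of the ScaledObject. Use a dedicated
# RabbitMQ user for KEDA rather than the application's own credentials.
apiVersion: v1
kind: Secret
metadata:
  name: rabbitmq-scaler-auth
  namespace: appscan
type: Opaque
stringData:
  host: amqp://keda-scaler:CHANGEME@rabbitmq.appscan.svc:5672/   # placeholder credentials
---
# TriggerAuthentication maps the secret key onto the scaler's "host" parameter.
apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: rabbitmq-trigger-auth
  namespace: appscan
spec:
  secretTargetRef:
    - parameter: host
      name: rabbitmq-scaler-auth
      key: host
---
# The ScaledObject takes ownership of the analyzer Deployment's replica count
# and drives it from the depth of the analyzer queue.
apiVersion: keda.sh/v1alpha1
kind: ScaledObject
metadata:
  name: analyzer-scaler
  namespace: appscan
spec:
  scaleTargetRef:
    name: analyzer            # assumption: Deployment running the analyzer service
  minReplicaCount: 1          # min from the autoscaling table
  maxReplicaCount: 10         # max (default) from the autoscaling table
  pollingInterval: 30         # seconds between queue-depth checks
  cooldownPeriod: 300         # seconds of empty queue before scaling back to min
  triggers:
    - type: rabbitmq
      metadata:
        protocol: amqp
        queueName: analyzer   # assumption: queue named after the service
        mode: QueueLength     # scale on queued messages (the only mode for amqp)
        value: "1"            # target one queued scan request per analyzer pod
      authenticationRef:
        name: rabbitmq-trigger-auth
```

The same pattern applies to the preparer (1/10) and ASCP Adapter (1/3) with their own ScaledObjects. Two points to check before relying on it: with a target of one queued request per pod and 32GB RAM per analyzer from the resource table, ten analyzers need 320GB of schedulable memory, so pods beyond what the nodes can hold will sit Pending rather than scale; and once the ScaledObject exists, editing the Deployment's `replicas` by hand has no lasting effect, since KEDA reconciles it.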
Storage
The deployment uses persistent storage for:
- Scan cache
- Scan data
- Logs
By default, AppScan 360° SAST uses the azurefile storage provider when deployed in Azure, unless configured to use another storage provider. The storage provider class name, size, and other properties can be customized using configuration parameters.