Troubleshooting static analysis scans

Troubleshooting scans in AppScan 360° looks a little different than in AppScan on Cloud. Follow guidance here to troubleshoot SAST scanning issues in AppScan 360°.

Troubleshooting scans is performed first by the user, then, if a resolution is not reached, escalated to an administrator. The general path for troubleshooting is as follows:
  1. User reviews error messages.
  2. User reviews common error cases.
  3. If the issue persists, user downloads scan logs and escalates to an administrator.
  4. Administrator investigates user supplied information.
  5. If the issue persists, administrator escalates to HCL support.

User: Review error messages

From the AppScan Central Platform, go to the scan page for the failed scan. Either:
  • Select Applications > (application) > View all scans > (scan name), or,
  • Select Scans > (scan name)
Review error messages displayed on the scan page. Common error cases are discussed below.
Important: Make note of the scan ID and execution ID:
  • The scan ID is part of the URL. Look for the character string after /scans/. For example, in the following URL, the scan ID is 6ecf4111-adf9-47a8-852b-625ff4c954ef:
    < ASCP service URL>/70f7db22-1bea-4f55-babc-5668f1f723f4/scans/6ecf4111-adf9-47a8-852b-625ff4c954ef/scanOverview
  • The execution ID is listed on the Overview tab, under Scan details.

User: Review common error cases

The most common errors are:

Open source

Error: Scan failed. Your subscription does not allow for Open Source scans. 
Please contact your sales representative for information regarding activating “Open Source” scanning. 
If you need further assistance, please reach out to our Technical Support team

You tried to scan open source files. AppScan 360° does not support open source scanning.

If you uploaded a ZIP file for scanning, review the contents of the ZIP file.

  • If the ZIP contains only open source files, upload a ZIP containing non-open source files and try the scan again.
  • If the ZIP file contains an appscan-config.xml configuration file, review properties listed in the file. AppScan 360° does not support the openSourceOnly property. If openSourceOnly="true" is listed, remove this property and try the scan again.
    Note: Review supported properties for appscan-config.xml here.
If you uploaded an IRX:
  1. Rerun appscan prepare, confirming the target files are not open source files and the openSourceOnly parameter is not used.
    Note: Review supported parameters for appscan prepare here.
  2. If the issue persists, download scan logs and escalate to an administrator.

No IPVA/Corrupted IRX

Error: We are unable to complete the scan successfully. The scan failed since the IRX was not created properly. 
It could possibly be due to an incorrect configuration or missing dependencies. 
If you need additional assistance, please reach out to our Technical Support team.

Something went wrong during the IRX generation step of the scan.

If you uploaded an IRX:

  • If you have access to the location from which appscan prepare was run, check for errors in the logs.zip file created during that process.
  • Look in the SAClientUtil/logs/client.log file for errors.
  • For deeper IRX investigation, escalate to an administrator.

If you uploaded a ZIP, download scan log and escalate to an administrator.

Unknown error

Error. An unknown error occurred.

There are a few possibilities. Download the scan log and escalate to a scan administrator for further investigation.

User: Download scan log to escalate to an administrator

To download the scan log:
  • From the ASCP user interface:
    1. On the scan page (Applications > Application > View all scans > (scan name) or Scans > (scan name)), copy the Execution ID listed under Scan details.
    2. On the upper right of the scan page, select Manage scan > Download log.

      AppScan 360° downloads a ZIP file to your local system. Note the location of the download.

    3. Extract the contents of the ZIP file.
  • From a command line:

    Download the contents of the directory associated with the scan from <fileStorageRoot>/SaaSWorkingDirectory/SaaSStorage/Scans/<scanID>/<ExecutionID}/.

Scan administrator: Investigate user-supplied information

Access scan logs

To access scan logs:

  1. Download the contents of the directory associated with the scan from <fileStorageRoot>/SaaSWorkingDirectory/SaaSStorage/Scans/<scanID>/<ExecutionID}/.
  2. Extract and investigate logs for errors.
  3. Resolve any errors, and try the scan again.

Investigate an IRX with a no IPVA/corrupted IRX error

  1. Download the contents of the directory associated with the scan from <fileStorageRoot>/SaaSWorkingDirectory/SaaSStorage/Scans/<scanID>/<ExecutionID}/.
  2. Copy the downloaded files to a local system.
  3. Using 7-ZIP or a similar tool, right click the IRX file and click Open archive.

  4. Double-click internal.scan to open it.

  5. Check the .log file in the root as well as the logs in the logs folder for any errors.
  6. Resolve any errors, and try the scan again.

Investigating an IRX with an open source error

Note: AppScan 360° does not support open source scanning.
If the scan failed with the error Your subscription does not allow for Open Source scans. and you uploaded an IRX for scanning, check for errors in the IRX file:
  1. Download the contents of the directory associated with the scan from <fileStorageRoot>/SaaSWorkingDirectory/SaaSStorage/Scans/<scanID>/<ExecutionID}/.
  2. Using 7-ZIP or a similar tool, right click the IRX file and click Open archive.

  3. Open the scan.manifest file for examination.
    If Total Languages Found = 1 and the only entry in the Language section is Open Source, then the IRX file was generated for open source scanning only, or you pointed to a location containing only open source files:
    • Confirm that the target location contains non-open source files.

      AppScan 360° does not support open source scanning.

    • Confirm that you are not using an unsupported property or parameter in the appscan prepare command or in the appscan-config.xml file. If openSourceOnly="true" is listed, remove this property.

      AppScan 360° does not support the openSourceOnly property in either appscan prepare or appscan-config.xml.

  4. Try the scan again.

Investigating other error cases

Open Source File Types

Problems found during validation. 
The prepare operation found only open source files types. To run opensource only, use the -oso flag. 
To run security and opensource, include additional supported file types.

You tried to run an open source-only scan, or tried to run a third-party scan, but the scan needs additional configuration.

AppScan 360° does not support open source-only scans.

Verify scan configuration:
  • Confirm that you are not using an unsupported parameter in the appscan prepare command. If openSourceOnly="true" or -oso is listed, remove this parameter.

    AppScan 360° does not support the openSourceOnly or -oso parameter in appscan prepare.

  • If you uploaded an IRX and intended to run a scan on a location with only third-party libraries, enable third-party scanning. Either:
    1. Add the third-party flag to appscan prepare to pick up third-party libraries and try the scan again.

      The command should look like: appscan prepare -tp.

    2. Add thirdParty="true" to appscan-config.xml and try the scan again.

      An example can be found at Configuring IRX file generation with the CLI

  • If you uploaded a ZIP and intended to run a scan on a location with only third-party libraries, enable third-party scanning:
    • If you want to scan third-party code, add thirdParty="true" to appscan-config.xml and try the scan again.

No Known File Types

No known scan file types were found during discovery. 
Please specify a location that contains .class, .jar, .war, .ear, .dll, .exe, PHP, Ruby, NPM packages, or JavaScript files.

You tried to scan a location that does not contain any scannable files.

Verify that the files in the target location are valid files types. Check the list of supported file types at Static analysis language support.

If you used appscan-config.xml, check that the target path is a valid location.

No Scannable Files

Problems found during validation. 
No scannable files found. If you are trying to scan third party code, generate the IRX file using the --thirdParty option. If you are trying to scan for open source, generate the IRX using the -oso option. For a list of supported file types, refer to https://help.hcl-software.com/appscan/ASoC/src_language_support.html#src_language_support__table_ylp_rn5_jw.
  • If you intended to run a scan on a location with only third-party libraries, you must enable third-party scanning. Either:
    1. Add the third-party flag to appscan prepare to pick up third-party libraries and try the scan again.

      The command should look like appscan prepare -tp.

    2. Add thirdParty="true" to appscan-config.xml and try the scan again.

      An example can be found at Configuring IRX file generation with the CLI

  • If you intended to run a data flow analysis scan, confirm that the target scan location contains the correct compiled file types for Java, .NET, or C/C++, and try the scan again.

  • If you intended to run a source code-only scan, confirm the target location contains correct source code file types, and try the scan again.
  • If you did not intend to run a source-code only scan, remove the –sco flag from the appscan prepare command, or from appscan-config.xml, and try the scan again.

Scan administrator: Working with HCL support

If, after applying the troubleshooting guidance presented here, you’re still unsure of what caused the scan failure, contact HCL Customer Support for additional assistance. Be ready to provide support with the following information:
  • Execution ID
  • Scan ID
  • Preparer pod ID, if applicable
  • Analyzer pod ID, if applicable
  • Any error reported on the scan page in AppScan 360° or in service.log.
  • The log ZIP file.
  • Details about the application/project being scanned.
  • Details about steps taken to troubleshoot and/or resolve the issue.
Note: Backup any important information and scan details off the pod to a secure location. Data on the pod is cleaned up by default after 10 days.