Troubleshooting static analysis scans
Troubleshooting scans in AppScan 360° differs slightly from troubleshooting in AppScan on Cloud. Follow the guidance here to troubleshoot SAST scanning issues in AppScan 360°.
- User reviews error messages.
- User reviews common error cases.
- If the issue persists, user downloads scan logs and escalates to an administrator.
- Administrator investigates user-supplied information.
- If the issue persists, administrator escalates to HCL support.
User: Review error messages
- Select , or,
- Select
- The scan ID is part of the URL. Look for the character string after /scans/. For example, in the following URL, the scan ID is 6ecf4111-adf9-47a8-852b-625ff4c954ef:
  <ASCP service URL>/70f7db22-1bea-4f55-babc-5668f1f723f4/scans/6ecf4111-adf9-47a8-852b-625ff4c954ef/scanOverview
- The execution ID is listed on the Overview tab, under Scan details.
User: Review common error cases
Open source
Error: Scan failed. Your subscription does not allow for Open Source scans.
Please contact your sales representative for information regarding activating “Open Source” scanning.
If you need further assistance, please reach out to our Technical Support team
You tried to scan open source files. AppScan 360° does not support open source scanning.
If you uploaded a ZIP file for scanning, review the contents of the ZIP file.
- If the ZIP contains only open source files, upload a ZIP containing non-open source files and try the scan again.
- If the ZIP file contains an appscan-config.xml configuration file, review properties listed in the file. AppScan 360° does not support the openSourceOnly property. If openSourceOnly="true" is listed, remove this property and try the scan again.
- Rerun appscan prepare, confirming the target files are not open source files and the openSourceOnly parameter is not used.
- If the issue persists, download scan logs and escalate to an administrator.
No IPVA/Corrupted IRX
Error: We are unable to complete the scan successfully. The scan failed since the IRX was not created properly.
It could possibly be due to an incorrect configuration or missing dependencies.
If you need additional assistance, please reach out to our Technical Support team.
Something went wrong during the IRX generation step of the scan.
If you uploaded an IRX:
- If you have access to the location from which appscan prepare was run, check for errors in the logs.zip file created during that process.
- Look in the SAClientUtil/logs/client.log file for errors.
- For deeper IRX investigation, escalate to an administrator.
If you uploaded a ZIP, download the scan log and escalate to an administrator.
Unknown error
Error. An unknown error occurred.
There are a few possibilities. Download the scan log and escalate to a scan administrator for further investigation.
User: Download scan log to escalate to an administrator
- From the ASCP user interface:
  - On the scan page ( or ), copy the Execution ID listed under Scan details.
  - On the upper right of the scan page, select . AppScan 360° downloads a ZIP file to your local system. Note the location of the download.
  - Extract the contents of the ZIP file.
- From a command line:
  Download the contents of the directory associated with the scan from <fileStorageRoot>/SaaSWorkingDirectory/SaaSStorage/Scans/<scanID>/<ExecutionID>/.
Scan administrator: Investigate user-supplied information
Access scan logs
To access scan logs:
- Download the contents of the directory associated with the scan from <fileStorageRoot>/SaaSWorkingDirectory/SaaSStorage/Scans/<scanID>/<ExecutionID>/.
- Extract and investigate logs for errors.
- Resolve any errors, and try the scan again.
Investigate an IRX with a no IPVA/corrupted IRX error
- Download the contents of the directory associated with the scan from <fileStorageRoot>/SaaSWorkingDirectory/SaaSStorage/Scans/<scanID>/<ExecutionID>/.
- Copy the downloaded files to a local system.
- Using 7-Zip or a similar tool, right-click the IRX file and click Open archive.
- Double-click internal.scan to open it.
- Check the .log file in the root as well as the logs in the logs folder for any errors.
- Resolve any errors, and try the scan again.
Investigating an IRX with an open source error
If the error is "Your subscription does not allow for Open Source scans." and you uploaded an IRX for scanning, check for errors in the IRX file:
- Download the contents of the directory associated with the scan from <fileStorageRoot>/SaaSWorkingDirectory/SaaSStorage/Scans/<scanID>/<ExecutionID>/.
- Using 7-Zip or a similar tool, right-click the IRX file and click Open archive.
- Open the scan.manifest file for examination. If Total Languages Found = 1 and the only entry in the Language section is Open Source, then the IRX file was generated for open source scanning only, or you pointed to a location containing only open source files:
  - Confirm that the target location contains non-open source files. AppScan 360° does not support open source scanning.
  - Confirm that you are not using an unsupported property or parameter in the appscan prepare command or in the appscan-config.xml file. If openSourceOnly="true" is listed, remove this property. AppScan 360° does not support the openSourceOnly property in either appscan prepare or appscan-config.xml.
- Try the scan again.
Investigating other error cases
Open Source File Types
Problems found during validation.
The prepare operation found only open source files types. To run opensource only, use the -oso flag.
To run security and opensource, include additional supported file types.
You tried to run an open source-only scan, or tried to run a third-party scan, but the scan needs additional configuration.
AppScan 360° does not support open source-only scans.
- Confirm that you are not using an unsupported parameter in the appscan prepare command. If openSourceOnly="true" or -oso is listed, remove this parameter. AppScan 360° does not support the openSourceOnly or -oso parameter in appscan prepare.
- If you uploaded an IRX and intended to run a scan on a location with only third-party libraries, enable third-party scanning. Either:
  - Add the third-party flag to appscan prepare to pick up third-party libraries and try the scan again. The command should look like: appscan prepare -tp.
  - Add thirdParty="true" to appscan-config.xml and try the scan again. An example can be found at Configuring IRX file generation with the CLI.
- If you uploaded a ZIP and intended to run a scan on a location with only third-party libraries, enable third-party scanning:
  - If you want to scan third-party code, add thirdParty="true" to appscan-config.xml and try the scan again.
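A pre-upload check for the ZIP cases above (the openSourceOnly property from the Open source case and the thirdParty property from the Open Source File Types case), given here as an added example and not as HCL tooling. The sample XML is constructed; the element names Configuration and Targets and the functions config_flags, review_zip and sample_zip are assumptions, and the script looks for the two attributes on any element.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CONFIG_NAME = "appscan-config.xml"
WATCHED = ("openSourceOnly", "thirdParty")  # the two properties this page discusses

def config_flags(source):
    """Map each appscan-config.xml inside the ZIP to the watched attributes it sets."""
    found = {}
    with zipfile.ZipFile(source) as zf:
        for info in zf.infolist():
            if info.filename.rsplit("/", 1)[-1] != CONFIG_NAME:
                continue
            data = zf.read(info)
            if b"<!DOCTYPE" in data:  # a config file has no reason to carry a DTD
                raise ValueError(f"{info.filename}: DTD not expected in a config file")
            flags = {}
            # Assumption: the attribute may sit on any element, so walk them all.
            for elem in ET.fromstring(data).iter():
                for attr in WATCHED:
                    if attr in elem.attrib:
                        flags[attr] = elem.attrib[attr].strip().lower()
            found[info.filename] = flags
    return found

def review_zip(source):
    """Return findings for a ZIP (path or file object) about to be uploaded for scanning."""
    findings = []
    for path, flags in config_flags(source).items():
        if flags.get("openSourceOnly") == "true":
            findings.append(f'{path}: remove openSourceOnly="true" (unsupported)')
        if flags.get("thirdParty") != "true":
            findings.append(f'{path}: thirdParty="true" not set (needed for third-party-only targets)')
    return findings

def sample_zip(config_xml):
    """Build a constructed in-memory ZIP holding one config file and one dummy target."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app/appscan-config.xml", config_xml)
        zf.writestr("app/lib/demo.jar", b"constructed placeholder")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    bad = '<Configuration openSourceOnly="true"><Targets/></Configuration>'  # constructed
    for line in review_zip(sample_zip(bad)):
        print(line)
```

The thirdParty finding is informational: it matters only when the target location holds nothing but third-party libraries.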
No Known File Types
No known scan file types were found during discovery.
Please specify a location that contains .class, .jar, .war, .ear, .dll, .exe, PHP, Ruby, NPM packages, or JavaScript files.
You tried to scan a location that does not contain any scannable files.
Verify that the files in the target location are valid file types. Check the list of supported file types at Static analysis language support.
If you used appscan-config.xml, check that the target path is a valid location.
No Scannable Files
Problems found during validation.
No scannable files found. If you are trying to scan third party code, generate the IRX file using the --thirdParty option. If you are trying to scan for open source, generate the IRX using the -oso option. For a list of supported file types, refer to https://help.hcl-software.com/appscan/ASoC/src_language_support.html#src_language_support__table_ylp_rn5_jw.
- If you intended to run a scan on a location with only third-party libraries, you must enable third-party scanning. Either:
  - Add the third-party flag to appscan prepare to pick up third-party libraries and try the scan again. The command should look like appscan prepare -tp.
  - Add thirdParty="true" to appscan-config.xml and try the scan again. An example can be found at Configuring IRX file generation with the CLI.
- If you intended to run a data flow analysis scan, confirm that the target scan location contains the correct compiled file types for Java, .NET, or C/C++, and try the scan again.
- If you intended to run a source code-only scan, confirm the target location contains correct source code file types, and try the scan again.
- If you did not intend to run a source code-only scan, remove the -sco flag from the appscan prepare command, or from appscan-config.xml, and try the scan again.
Scan administrator: Working with HCL support
- Execution ID
- Scan ID
- Preparer pod ID, if applicable
- Analyzer pod ID, if applicable
- Any error reported on the scan page in AppScan 360° or in service.log.
- The log ZIP file.
- Details about the application/project being scanned.
- Details about steps taken to troubleshoot and/or resolve the issue.