Welcome
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Scanning libraries and third-party code for security vulnerabilities
To scan open source libraries and third-party code for security vulnerabilities, follow the steps in these topics.
Configure an open source scan in AppScan 360°

Getting started
Welcome to the documentation for HCL AppScan 360°, where you can find information about how to install, maintain, and use this service.
Installation
Learn about AppScan 360° architecture and how to install the product.
Navigation
This section describes the items on the main AppScan 360° menu bar, with links to more detailed information.
Administration
Define users, applications, policies, and configure DevOps integrations.
Dynamic analysis
HCL AppScan 360° performs security scans for web-applications for production, staging and development environments.
Interactive monitoring
Using an agent installed on your application, AppScan 360° identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
- About Software Composition Analysis
  Software Composition Analysis (SCA) identifies and examines open-source packages within your codebase to detect potential security vulnerabilities. SCA can analyze both individual source code files and package manager artifacts, such as configuration files, and lockfiles, to determine the open-source packages your project depends on.
- System requirements for SCA
  The types of files that can be scanned by AppScan 360° when you perform open source testing.
- Scanning libraries and third-party code for security vulnerabilities
  To scan open source libraries and third-party code for security vulnerabilities, follow the steps in these topics.
  - Configure an open source scan in AppScan 360°
    - Scan status
    - Personal scans
      A personal scan is a way of evaluating the relative security of an application in development without affecting overall application scan data (issues, for example), or compliance.
  - Configuring a scan using AppScan Go!
    AppScan Go! steps you through configuring and running a static scan. Run the scan in the service or use a plugin to automate scanning.
  - Generating an IRX file using the command-line interface (CLI)
    To initiate an analysis of your files, you must generate an IRX file to submit for scanning. To use the CLI to generate the IRX file, follow these instructions.
  - Generating in IRX file using a plugin or IDE
  - Runtime Software Composition Analysis
    Identify and manage vulnerabilities in open source components and libraries used by an application at runtime.
- SCA scan results
  Features available in SCA scan results.
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.The Scans and Sessions page lists scans under the categories where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
Reference
Some frequently asked questions, and information about integrating AppScan 360° into the product lifecycle (SDLC).

Configure an open source scan in AppScan 360°

Procedure

To scan your application:

Download and set up either:
- A supported plugin.
  Complete information about supported plugins is listed on the Integrations documentation page.
- AppScan Go!, the client utility graphical user interface.
- The Static Analyzer Command Line Utility, as described in Using the Static Analyzer Command Line Utility.
Scan or generate an IRX file for your application, or identify source code files to scan.
1. To generate an IRX file by using the CLI, follow the instructions in Generating an IRX file by using the command line interface (CLI). You can scan all supported languages from the CLI.
  
  Note: To scan open source only, use the -oso command with appscan prepare.
2. To generate an IRX file using AppScan Go!, follow the instructions in Configuring a scan using AppScan Go!.
3. To scan a source code file, identify the appropriate .zip, .war, .jar, or .ear file.
  
  Note: Source code files that are not .war, .jar, or .ear files must be compressed into a .zip file. If a .zip includes .git metadata (a GitHub repository), AppScan 360° supports one repository (.git file) per scan.
Note: When you scan code or generate an IRX file, you might receive a message about updating to the latest Static Analyzer Command Line Utility. See Command Line Utility (CLI) support.
If you have not yet done so: Create an application for your scans.
Use the Create scan wizard to start configuring your scan. Start the wizard from Application > Application > Scans > Create scan > SCA Software Composition Analysis > Create scan.
Upload file tab: Drag-and-drop the .irx file to scan into the dialog box, or click the box to browse for the file.
Click Review and Scan to proceed to the summary dialog.
Edit the default name that was given to the scan. Optional.
Click Scan Now.