Static analysis client support

This topics describes the supported operating systems and the types projects that can be scanned by AppScan 360° when you perform static analysis.

Operating system support

HCL AppScan 360° clients are supported on the following operating systems:
  • Windows: HCL AppScan 360° is supported on 64-bit systems and runs in 64-bit mode.
  • macOS: HCL AppScan 360° is supported on 64-bit systems and runs in 64-bit mode.
    Note: The HCL AppScan 360° version 1.6.0 FIPS-compliant package does NOT support macOS. Downloading a macOS client (Static Analyzer Command Line Utility or AppScan Go!) from a 1.6.0 FIPS-compliant service results in an error.
  • Linux: HCL AppScan 360° is supported on 64-bit systems only.

Command Line Utility support

Application server support

The Command Line Utility includes Apache Tomcat Version 7 application server .jar files that are used for basic JavaServer Page compilation. To achieve better compatibility, you can configure the CLI to use your own application server (supported application servers include Apache Tomcat versions 7 and higher, WebSphere® Application Server Versions 7, 8.0, and 8.5.x, and Oracle Weblogic Server version 10.3 and 12.x).

Command Line Utility and version compatibility

Your Static Analyzer Command Line Utility version is automatically checked when you:

  • Issue the appscan prepare command on Windows or the appscan.sh prepare command on Linux and macOS.
  • Use the Run Static Analysis action in an integrated development environment that has the static analysis plug-in installed.
  • Use the prepare option to generate an IRX file for a Maven project.
  • Upload an IRX file by using the appscan queue_analysis command on Windows or the appscan.sh queue_analysis command on Linux and macOS.
  • Upload an IRX file to the service.
When you perform any of the prepare or Run Static Analysis actions, you may receive a message indicating that a new version of the Command Line Utility is available. In this case, you can proceed without upgrading the Command Line Utility - or you can upgrade the Command Line Utility to take advantage of new features and capabilities.
Important: AppScan Go! requires the Static Analyzer Command Line Utility (SAClientUtil). AppScan 360° users must use the versions of the Static Analyzer Command Line Utility and AppScan Go! included with the AppScan 360° installation. AppScan on Cloud users must use the versions downloaded from the AppScan on Cloud service. They are not interchangeable.

When you perform any of the above actions using a version of the Command Line Utility that is no longer supported, a message will indicate that the Command Line Utility must be updated. In this case, download and set up the latest Command Line Utility

Plugin support

JetBrains support

You can choose to install a plug-in to a supported JetBrains IDE from its user interface. JetBrains versions 2021.1 and later are supported.

To acquire and install the plug-in, locate the plug-in at the JetBrains Plugins Repository. Or, in the JetBrains IDE, go to File > Settings, select Plugins and click Browse repositories.... Search for HCL AppScan.

Microsoft Visual Studio support

You can choose to install a plug-in to Visual Studio so you can scan .NET (C#, ASP.NET, VB.NET) solutions, projects, and websites from its user interface. Visual Studio must be installed on your system before you can install the Visual Studio plug-in.

To acquire and install the Visual Studio plug-in, locate the plug-in at the Visual Studio marketplace. Or, in Visual Studio, go to Tools > Extensions and Updates. Select Online and search for AppScan.

AppScan 360° supports the following Visual Studio versions:
.NET (C#, ASP.NET, VB.NET) C++
Visual Studio 2015 X X
Visual Studio 2017 X X
Visual Studio 2019 X X
Visual Studio 2022 X
Note: AppScan 360° supports C++14 language standard mode (/std:c++14) for Visual Studio 2015, 2017, and 2019. AppScan 360° supports C++17 language standard mode (/std:c++17) for Visual Studio 2017 and 2019.
For the supported languages, AppScan 360° enables scanning of Visual Studio projects both interactively through an IDE plugin and in your automation using the AppScan CLI. The following integrations are available:
Visual Studio Plugin Command Line Interface (CLI)
Visual Studio 2015 X
Visual Studio 2017 X
Visual Studio 2019 X
Visual Studio 2022 X X
Note: The Visual Studio plug-in is not supported on macOS or Linux.

Jenkins support

The AppScan 360° Jenkins plug-in allows you to add dynamic and static analysis build steps to your Jenkins build projects. You can install the plug-in to Jenkins Versions 2.222.4 or higher. From the plug-in, you can connect to the AppScan 360° service on Cloud Marketplace.

Visual Studio Team Services/Team Foundation Server (Azure DevOps) support

The Visual Studio Team Services/Team Foundation Server (Azure DevOps) plugin allows you to scan static and dynamic VSTS and TFS projects. HCL AppScan 360° supports TFS version 2018 update 2 and newer. To learn more about the plugin, see, Installing and using the Azure DevOps Services plugin.

AppScan Go! support

AppScan Go! is supported on Windows, Linux, and Mac.

REST APIs

Communication through REST APIs can be scripted for ease of integration with DevOps tools. DevOps plugins for use with the AppScan 360° Static Analysis will be available in the future.
Language Upload source code Upload source code + build artifacts Upload IRX (generate IRX locally)
C/C++ To scan file types listed as "source code-only" in the language support table.1 To scan byte code file types listed under default content in the language support table.
Java and Java web content N/A

  • .jar

    Customize scan target and dependencies using config file.

  • .class

    Archive directory structure containing the class files,

  • .war
    Note: Tomcat is the default JSP compiler.

  • .ear

  • .jar and .class, when all dependencies cannot be included in the archive
  • .war, if JSP compile requires a webserver other than Tomcat
.NET To scan file types listed as "source code-only" in the language support table.1 To scan byte code file types listed under default content in the language support table.
Others

Always. appscan-config is not needed.

Archive must contain the entire directory structure of the target code to be scanned.
  1. Source code-only option performs a scan on the source code without resolving dependencies. Set the source code-only option in a configuration file as follows: 
    <?xml version="1.0" encoding="UTF-8"?>
<Configuration sourceCodeOnly="true">
  <Targets>
   <Target path=./SimpleIOT" />
  </Targets>
</Configuration>