Static analysis language support

The types of files that can be scanned by AppScan 360° when you perform static analysis.

Language support

| Language | Supported file types | Frameworks and library support | Autofix¹ | Operating system support |
|---|---|---|---|---|
| .NET (C#, ASP.NET, VB.NET) | Default: Visual Studio solutions, .NET assemblies | ASP .NET MVC; .NET Core | Yes | Windows |
| .NET (C#, ASP.NET, VB.NET) | Source code-only: .aspx, .ascx, .cs, .vb, .vbs | ASP .NET MVC | Yes | All supported operating systems |
| ABAP | .abap | | No | All supported operating systems |
| Android | .java, .kt | | Yes | All supported operating systems |
| Angular | .ts, .tsx | | Yes | All supported operating systems |
| AngularJS | .js | | No | All supported operating systems |
| APEX | .cls, .page | | Yes | All supported operating systems |
| ASP Classic | .asp, .asa, .inc | | Yes | All supported operating systems |
| C/C++ | Default: Visual Studio solutions. Note: See "Microsoft Visual Studio support" for important additional information. | | Yes | Windows |
| C/C++ | Source code-only: .c, .cpp, .c+, .cc, .cxx, .C, .h, .h++, .hh, .hxx, .hpp, .H, .ii, .ixx, .ipp, .inl, .mm, .txx, .tpp, .tpl, Makefile, GNUMakefile | | Yes | All supported operating systems |
| Cascading style sheets | .css | | No | All supported operating systems |
| COBOL | .cob, .cbl, .ws, .sqb | | Yes | All supported operating systems |
| ColdFusion | .cfc, .cfm | | Yes | All supported operating systems |
| Dart | .dart | | Yes | All supported operating systems |
| eSQL | .esql | | Yes | All supported operating systems |
| Go | .go | | Yes | All supported operating systems |
| Groovy | .groovy, .gsp, .gvy, .gy, .gsh | | Yes | All supported operating systems |
| HTML | htm, html, rhtml, xhtml, cshtml, vbhtml | | Yes | All supported operating systems |
| Infrastructure as Code (IaC) | .bat, .ps1², .sh, .yaml, .yml, Dockerfile | Docker; Kubernetes | Yes | All supported operating systems |
| Infrastructure as Code (IaC) | Terraform: .tf, .tf.json | AWS; Google Cloud; Azure | Yes | All supported operating systems |
| Java and Java web content | .class, .jar, .war, .ear | Enterprise JavaBeans™ (EJB) 2; JavaServer Faces (JSF) 2; Jax - RS (1.0 and 1.1); Jax - WS (2.2); Spring MVC (2.5, 3, and 4); SpringBoot (using the Spring v3 annotations) | Yes | All supported operating systems |
| Java and Java web content | Source code-only: .java, .jsp, .jspx, .jspf | | Yes | All supported operating systems |
| JavaScript | .asp, .aspx, .asa, .hbs, .htm, .html, .inc, .js, .jsf, .jsp, .jspx, .jspi, .mjs, .php*, .rhtml, .rjs, .svg, .ts, .tsx, .wlapp, .xhtml | Ionic; JQuery; MooTools | Yes | All supported operating systems |
| Kotlin | .kt | | Yes | All supported operating systems |
| NodeJS | .js | | Yes | All supported operating systems |
| Objective-C/Objective-C++ | .m, .mm | | Yes | All supported operating systems |
| Perl | .cgi, .pl, .pm, .t | | No | All supported operating systems |
| PHP | .ctp, .php, .php*, .phtm, .phps, .htaccess, .html, .inc, .module, .xml, .yaml, .yml | Symfony | Yes | All supported operating systems |
| PL/SQL | .arc, .dbf, .lst, .pck, .pkb, .pks, .plb, .pls, .rdo, .sf, .sp, .spb, .sps, .sql, .tst | | No | All supported operating systems |
| Python | .py, .pyt, .pyw | Django; Flask | Yes | All supported operating systems |
| ReactJS | .js | | No | All supported operating systems |
| ReactNative | .js | | No | All supported operating systems |
| RPG | .rpg, .rpgl, .rpgle, .sqlrpgle | | No | All supported operating systems |
| Ruby | .gem, .rb, .rhtml, .rjs | | Yes | All supported operating systems |
| Rust | .rs, .json, .json5, .toml | | No | All supported operating systems |
| Scala | .scala, .sc | | Yes | All supported operating systems |
| Swift | .plist, .swift | | Yes | All supported operating systems |
| TSQL | .arc, .dbf, .lst, .rdo, .sql | | No | All supported operating systems |
| TypeScript | .ts, .tsx | | Yes | All supported operating systems |
| Visual Basic | .bas, .cls, .frm | | Yes | All supported operating systems |
| Vue.js | .vue | | No | All supported operating systems |
| Xamarin | .cs | | Yes | All supported operating systems |

  1. Autofix is available for certain findings.
  2. PowerShell files (.ps1) are scanned only if secrets scanning is enabled, and are scanned only for secrets.
Note: Additional file extensions can be added in SAClientUtil/config/file_extensions.xml.

You can scan all supported languages from the static analysis command line interface (CLI). In addition, you can scan .NET projects in Visual Studio.

File upload types by language for AppScan 360° Static Analysis

Common user workflows for AppScan 360° Static Analysis include:
  • Upload source code and build artifacts
  • Generate IRX locally and upload IRX
Based on the language being scanned, the following table lists the file upload types for these workflows:
Important: The filename must contain ASCII characters only.
Language Upload source code Upload source code + build artifacts Upload IRX (generate IRX locally)
C/C++ To scan file types listed as "source code-only" in the language support table. To scan byte code file types listed under default content in the language support table.
Java and Java web content N/A
  • .jar

    Customize scan target and dependencies using config file.

  • .class

    Archive directory structure containing the class files,

  • .war
    Note: Tomcat is the default JSP compiler.
  • .ear

  • .jar and .class, when all dependencies cannot be included in the archive
  • .war, if JSP compile requires a webserver other than Tomcat
.NET To scan file types listed as "source code-only" in the language support table. To scan byte code file types listed under default content in the language support table.
Others

Always. appscan-config is not needed.

Archive must contain the entire directory structure of the target code to be scanned.