Home
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Scanning libraries and third-party code for security vulnerabilities
To scan open source libraries and third-party code for security vulnerabilities, follow the steps in these topics.
Runtime Software Composition Analysis
Identify and manage vulnerabilities in open source components and libraries used by an application at runtime.

Getting started
Welcome to the documentation for HCL AppScan on Cloud, where you can find information about how to install, maintain, and use this service.
Navigation
This section describes the items on the main AppScan on Cloud menu bar, with links to more detailed information.
Administration
Define users, applications, policies, and configure DevOps integrations.
Dynamic analysis
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
Interactive monitoring
Using an agent installed on your application, ASoC identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
- About Software Composition Analysis
  Software Composition Analysis (SCA) locates and analyzes open source and third-party packages used by your code.
- System requirements for SCA
  The types of files that can be scanned by ASoC when you perform open source testing.
- Scanning libraries and third-party code for security vulnerabilities
  To scan open source libraries and third-party code for security vulnerabilities, follow the steps in these topics.
  - Configure an open source scan in AppScan on Cloud
  - Configuring a scan using AppScan Go!
    AppScan Go! steps you through configuring and running a static scan. You run the scan in the cloud or use a plugin to automate scanning.
  - Generating an IRX file using the command-line interface (CLI)
    To initiate an analysis of your files, you must generate an IRX file to submit for scanning. To use the CLI to generate the IRX file, follow these instructions.
  - Generating in IRX file using a plugin or IDE
  - Runtime Software Composition Analysis
    Identify and manage vulnerabilities in open source components and libraries used by an application at runtime.
- SCA scan results
  Features available in SCA scan results.
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
Troubleshooting
If you experience problems with this service, you can perform these troubleshooting tasks to determine the corrective action to take.
FAQ & Reference
Frequently asked questions, information about integrating ASoC into the product lifecycle (SDLC), and ASoC API documentation.

Runtime Software Composition Analysis

Identify and manage vulnerabilities in open source components and libraries used by an application at runtime.

Software Composition Analysis (SCA) is a powerful tool for locating and analyzing open source and third-party packages used by your code. However, as applications become ever more complex, with more and more libraries and packages in use, results of SCA scanning can be unwieldy. Runtime SCA allows organizations to understand not just what libraries and packages are referenced in code, but what libraries and packages are actually used by the application at runtime.

Runtime Software Composition Analysis (SCA) identifies and manages vulnerabilities in the open-source components and libraries that are used within software applications during execution. Unlike traditional SCA, which analyzes dependencies statically (that is, by examining code and libraries during the build process), runtime SCA continuously monitors applications as they run to detect any use of libraries during runtime.

Runtime SCA provides more accurate context into potential vulnerabilities, and thus helps prioritization issue remediation and resolution.

Runtime SCA can be applied to applications in production or in lower testing environments

To take advantage of runtime Software Composition Analysis:

Deploy an IAST agent.
ASoC supports Java and .NET agents for use with runtime SCA.
Enable SCA runtime-specific environment variables, IAST_RUNTIME_SCA or IAST_SCA_PROD, in the IAST configuration file.
Test your application by running functional tests, a dynamic scan, or exploring the application manually.
The IAST agent monitors and reports on every third party library being loaded in runtime.
Create and run a SCA scan.
Libraries identified by IAST during runtime and by the SCA scan are correlated and shown in a correlation group. For example: