Home
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
System requirements for SCA
The types of files that can be scanned by ASoC when you perform open source testing.

Getting started
Welcome to the documentation for HCL AppScan on Cloud, where you can find information about how to install, maintain, and use this service.
Navigation
This section describes the items on the main AppScan on Cloud menu bar, with links to more detailed information.
Administration
Define users, applications, policies, and configure DevOps integrations.
Dynamic analysis
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
Interactive monitoring
Using an agent installed on your application, ASoC identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
- About Software Composition Analysis
  Software Composition Analysis (SCA) identifies and examines open-source packages within your codebase to detect potential security vulnerabilities. SCA can analyze both individual source code files and package manager artifacts, such as configuration files, and lockfiles, to determine the open-source packages your project depends on.
- System requirements for SCA
  The types of files that can be scanned by ASoC when you perform open source testing.
- Scanning libraries and third-party code for security vulnerabilities
  To scan open source libraries and third-party code for security vulnerabilities, follow the steps in these topics.
- SCA scan results
  Features available in SCA scan results.
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
Troubleshooting
If you experience problems with this service, you can perform these troubleshooting tasks to determine the corrective action to take.
FAQ & Reference
Frequently asked questions, information about integrating ASoC into the product lifecycle (SDLC), and ASoC API documentation.

System requirements for SCA

The types of files that can be scanned by ASoC when you perform open source testing.

Language support

AppScan on Cloud strives to support as many open source packages as possible; we update CVE data daily. However, license information may not always be available for less common packages.

Note: For some package managers, you must be able to build the project before testing it with ASoC. Some dependencies are only resolved when the project is built.

Table 1.
Language and version	Supported source/binary file types	Package/Build manager and version	Package/Build manager supported config files
.NET	`.dll` `.exe` `.lib`	Nuget	The project is already built and all build outputs include `projects.assets.json` or `packages.lock.json`. OR .NET CLI and Nuget installed with the ability to `build` successfully and the project includes the build file `*.csproj`.
		Paket	The project is already built and all build outputs include packet.lock. OR .NET and Paket is installed with the ability to `install` and `restore` successfully, and the project includes the config files `paket.dependencies` and `paket.references`.
		.NET Framework 3.5, 4.6.2, 4.7.2, 4.8, 4.8.1 .NET 5, 6, 7, 8	For .NET only, SCA can analyze the configuration file before build, but the results will include only direct libraries and will be less accurate.
Java	`.jar`
JavaScript NodeJS	`.js`	NPM (version 5.0.0/2017 and newer)	Create the poject after building. The project must include `package.json` and `package-lock.json` . OR NPM CLI is installed with the ability to run `npm install` and project includes the config file `package.json`.
Python (version 3.3 and newer)	`.py` `.whl` Note: When scanning `.py` and `.whl` files, the project should be built as a virtual environment (`verv`).	Pip (version 3.4 and newer)	Python and Pip installed `setup.py` `requirements.txt`
Python (version 3.3 and newer)		Poetry (all versions)	Create the project after building with the configuration files `pyproject.toml` and `poetry.lock`. OR Python and Poetry are installed with the ability to `poetry.lock` successfully, and project includes the config file `pyproject.toml`.
GO	`.go`	Go Modules (GO version 1.15 and later)	GO and GO CLI installed, and the project includes the config file `go.mod`.
PHP	`.php`
C	`.c` `.cc` `.dll`
C++	`.cpp` `.hpp` `.dll`