Running static analysis for a Gradle project
To initiate an analysis of your files, you must generate an IRX file that you submit to the cloud. The HCL AppScan on Cloud Gradle plugin is used to automate the scanning of Java and Java web projects in Gradle. It generates an IRX file for Gradle projects that have the "java" plugin and/or "war" plugins applied. It can also submit the generated IRX file to the ASoC service for analysis automatically. For information on applying the plugin and to determine the latest plugin version, see Gradle plugins.
Procedure
- At the command prompt, issue a command to change directory to the location that contains your Gradle project.
- Set the APPSCAN_OPTS environment variable to specify global options before running a scan. Use APPSCAN_OPTS to set scan speed, enable secrets scanning, enable debug logging, and more.
- Issue one of these commands:
  - To generate the IRX file only, issue appscan-prepare. This command generates an IRX file for all Java and War projects in the build. The IRX file is generated in the root project's build directory by default. You can submit the IRX file to ASoC at a later time.
  - To generate the IRX file and send it to the ASoC service for analysis, issue appscan-analyze. This command generates an IRX file and submits it to the ASoC service for analysis. This task requires an API key, secret, and application ID.
Configurable options
The following options can be set through JVM parameters on the command line, using the syntax -Doption=value, or through an appscanSettings block in the build script.

Table 1. Configurable options for Gradle plugin
Option          Default Value                              Description
irxName         The name of the root project.              The name of the generated .irx file.
irxDir          The build directory of the root project.   The location for the generated .irx file.
appId           Null. Required for appscan-analyze.        The id of the application in the ASoC service.
appscanKey      Null. Required for appscan-analyze.        The user's API key for authentication.
appscanSecret   Null. Required for appscan-analyze.        The user's API key secret for authentication.
namespaces      Null.                                      Override automatic namespace detection. Set to "" to disable namespace detection.

Example 1: Specifying options at the command line:
    gradle appscan-prepare -DirxName=MyApp

Example 2: Specifying options in the build script:
    appscanSettings {
        irxName="MyApp"
        irxDir="/myApplication/sample"
    }

Note: The appscanKey and appscanSecret options can be specified in the user's gradle.properties file. This avoids the need to specify authentication information in the build script or on the command line. For example, add the following lines to ~/.gradle/gradle.properties (create the file if it doesn't exist):
    appscanKey="2358cd02-3fs3-322c-62c9-b5cc63c61f2a"
    appscanSecret="qU939siTXgF7csk3jSig+Vza7ilWLu/Uy/ReWye5E/c="
You can generate an API key/secret here. See Generating API Keys for additional information.

Note: To override the default namespaces behavior, use the -Dnamespaces="<semi-colon delimited list of namespaces to scan>" command line option. By default, ASoC detects the namespaces of the source files in the given project and limits the classes scanned to those that exist in the same namespaces. Setting that property to an empty string ("") disables this allow list completely.

Note: If you would like to make your own modifications to the plugin, you can find the source here.
Encrypting appscanSecret using the Gradle plugin
About this task
The appscan-gradle-plugin can read the appscanSecret value from the encrypted store maintained by the gradle-credentials-plugin, so that the secret is not stored in clear text in the build script.
Procedure
- Apply the credentials plugin in your project along with the appscan-gradle-plugin:
    plugins {
        id 'nu.studer.credentials' version '2.1'
        id 'com.hcl.security.appscan' version '1.0.2'
    }
- Run the following command to encrypt your API secret:
    gradle addCredentials --key appscanSecret --value Yq9M+iFHyhRU2eEx+XobXwhX9xoW4hEXWz2fJDI8I=1
  By default, the encrypted value is stored in and retrieved from ~/.gradle/gradle.encrypted.properties. Specify a different location using the credentialsLocation property:
    gradle addCredentials --key appscanSecret --value Yq9M+iFHyhRU2eEx+XobXwhX9xoW4hEXWz2fJDI8I=1 -PcredentialsLocation=/some/directory
- Set the appscanKey value and the encrypted appscanSecret value using an appscanSettings block in the build script:
    appscanSettings {
        appscanKey="22iFHyhRU2eEx+XobXwhX9xoW4hEXWz2fJDI8I=1"
        appscanSecret=credentials.appscanSecret
        appId="95e69f47-9547-4378-ab93-f5d48ada52cc1"
    }
  You can set the ASoC appId here, as well.
- Run appscan-analyze:
    gradle appscan-analyze
  If you did not specify the appId in the build script, set it on the command line at runtime:
    gradle appscan-analyze -DappId=95e69f47-9547-4378-ab93-f5d48ada52cc1
  If you used the credentialsLocation property when encrypting the appscanSecret value, specify that property at runtime as well:
    gradle appscan-analyze -PcredentialsLocation=/some/directory