Scanning in integrated development environments
This topic describes how to scan source code with the static analysis plug-in after it is installed in the Eclipse or Visual Studio integrated development environment (IDE). In Eclipse, you can scan Java projects; in Visual Studio, you can scan .NET projects (C#, ASP.NET, VB.NET).
Before you begin
- To include third-party code when scanning in Eclipse or Visual Studio, use one of these methods:
  - Set this global or system environment variable before starting the IDE:
    APPSCAN_OPTS=-DthirdParty
  - Each time that you use the IDE, issue this command before starting the IDE:
    set APPSCAN_OPTS=-DthirdParty
  - Alternately, when scanning in Eclipse, modify your eclipse.ini file before you start Eclipse so that the -vmargs section includes -DthirdParty.
  A variable that you set in a terminal applies only to an IDE started from that terminal; an IDE started from a desktop shortcut or launcher sees only the global or system variable.
If you develop third-party code that would normally be excluded from a scan, use this setting so that the scan includes it.
In addition, you can specify the scan speed with APPSCAN_OPTS by using -Dscan_speed=<speed>. For example, to set the scan speed to balanced:
- Windows:
  set APPSCAN_OPTS=-Dscan_speed=balanced
- Linux and Mac:
  export APPSCAN_OPTS="-Dscan_speed=balanced"
The value deep is also accepted.
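The following shell script is an added example for Linux and Mac, not part of the AppScan documentation or product. It composes the APPSCAN_OPTS value from a scan speed and the third-party switch, adds a VM argument to eclipse.ini idempotently in the way the eclipse.ini method above describes, and exports the variable before launching Eclipse so that the IDE process inherits it. The function names, the ECLIPSE_BIN override and the default /opt/eclipse/eclipse path are assumptions; the accepted speed values are limited to the two the page mentions; and passing both properties in one APPSCAN_OPTS value is assumed to work because the plug-in hands the variable's contents to the JVM as -D system properties.

```shell
#!/bin/sh
# Added example, not AppScan's own code. Function names, ECLIPSE_BIN and the
# default Eclipse path are assumptions; speed values are the two named on the page.

# Compose the APPSCAN_OPTS value.
#   $1 = scan speed (balanced or deep)
#   $2 = "yes" to include third-party code, anything else to exclude it
# Combining -DthirdParty and -Dscan_speed in one value is assumed to be
# accepted, since the contents are passed through as JVM system properties.
build_appscan_opts() {
    speed="$1"
    third_party="$2"
    case "$speed" in
        balanced|deep) ;;
        *) printf 'unknown scan speed: %s\n' "$speed" >&2; return 1 ;;
    esac
    opts="-Dscan_speed=$speed"
    if [ "$third_party" = "yes" ]; then
        opts="-DthirdParty $opts"
    fi
    printf '%s\n' "$opts"
}

# Append a VM argument to eclipse.ini unless it is already present.
# eclipse.ini requires -vmargs to be the last launcher option and passes every
# following line to the JVM, so appending at the end of the file keeps the
# argument inside the -vmargs section. A missing -vmargs line is added first.
eclipse_ini_add_vmarg() {
    ini="$1"
    arg="$2"
    if grep -qxF -- "$arg" "$ini"; then
        return 0                      # already configured; keep the file unchanged
    fi
    grep -qx -- '-vmargs' "$ini" || printf '%s\n' '-vmargs' >> "$ini"
    printf '%s\n' "$arg" >> "$ini"
}

# Export the composed value and start Eclipse in the same environment, so the
# IDE (and the scans it launches) inherit APPSCAN_OPTS. ECLIPSE_BIN is a
# hypothetical override for the Eclipse executable path.
launch_eclipse_with_opts() {
    APPSCAN_OPTS="$(build_appscan_opts "$1" "$2")" || return 1
    export APPSCAN_OPTS
    exec "${ECLIPSE_BIN:-/opt/eclipse/eclipse}"
}

# Usage (uncomment to run):
#   launch_eclipse_with_opts balanced yes
#   eclipse_ini_add_vmarg "$HOME/eclipse/eclipse.ini" -DthirdParty
```

Run `launch_eclipse_with_opts` from the terminal each time you want the options applied, or use `eclipse_ini_add_vmarg` once to make -DthirdParty permanent for Eclipse regardless of how it is started.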
Procedure
To scan source code and open assessments or reports:
- Ensure that the plug-in is installed to the IDE. During installation, if the IDE was open, restart it.
- Select the item that you want to scan:
  - In Eclipse, select the project or projects that you want to scan. To scan an entire Eclipse workspace, select all projects.
  - In Visual Studio, select the solutions, projects, or websites that you want to scan.
- Right-click the selection and select .
  The Login dialog box opens if you are not already logged in to the service.
  Note: When you scan code or generate an IRX file, you might receive a message about updating to the latest Static Analyzer Command Line Utility. See Command Line Utility (CLI) support.
- In the Login dialog box, type your service credentials:
  When you generate an API key in the AppScan on Cloud service, you receive a Key Id and Key Secret. Enter these values in the ID and Secret fields. If you have not yet generated an API key, follow the link in the dialog box for creating one. When you log in to the service, an encrypted key file is created. Other actions then refer to this token file when they interact with the ASoC service.
- After launching the scan, AppScan on Cloud prompts you with a dialog box to choose the application to associate with the scan. Static analysis scans in your IDE must be associated with an existing AppScan on Cloud application.
- In the same dialog box, use the Personal scan checkbox to indicate whether the scan is a personal scan.
- The My Scans view opens after the scan is submitted.
- When the scan is complete, a notification opens with links to open Scan issues. In addition, the My Scans view is updated to include the scan. The view lists the scan name, status, time started and ended, and the number and severity of vulnerabilities found.
- To open non-compliant issues for any application:
Note: Non-compliant issues are those that fall outside the policies specified for the application in AppScan on Cloud.
- Select .
- If prompted, enter your service credentials.
- Select the application from the drop-down list in the resulting dialog box and click OK.
Results
Important: Rescanning is not supported in integrated development environments.