Scanning in integrated development environments

How to scan source code using the static analysis plug-in after it has been installed to the Eclipse or Visual Studio integrated development environments (IDE). In Eclipse, you can scan Java projects; in Visual Studio, you can scan .NET (C#, ASP.NET, VB.NET).

Before you begin

By default, third-party code is not included when scanning Java and .NET. You can modify third-party code exclusion settings by following the instructions in Managing third-party Java and .NET exclusions.
  • To include third-party code when scanning in Eclipse or Visual Studio, use one of these methods:
    • Set this global or system environment variable before starting the IDE:
      APPSCAN_OPTS=-DthirdParty
    • Alternatively, issue this command in the shell each time before starting the IDE:
      set APPSCAN_OPTS=-DthirdParty
  • Alternatively, when scanning in Eclipse, modify your eclipse.ini file before you start Eclipse so that the -vmargs section includes -DthirdParty.

If you are a developer of third-party code that would normally be excluded in a scan, you should use the setting to include the third-party code.

In addition, you can specify scan speed using -Dscan_speed=<speed> with APPSCAN_OPTS. For example, to set scan speed to balanced:
  • Windows:
    set APPSCAN_OPTS=-Dscan_speed=balanced
  • Linux and Mac:
    export APPSCAN_OPTS="-Dscan_speed=balanced"
The default scan speed is deep.
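The two settings described above are plain JVM system properties, so they are easy to get wrong in the environment variable or to place on the wrong side of -vmargs in eclipse.ini (everything after that line goes to the JVM; anything before it does not). The following helper, which is an added example and not part of the product documentation, composes the APPSCAN_OPTS value from the two documented options and adds -DthirdParty to an eclipse.ini idempotently. The sample eclipse.ini content is constructed for illustration, and only the speeds named on this page (deep, balanced) are accepted.

```python
"""Helpers for the plug-in settings described above (added example, not
product code): compose APPSCAN_OPTS and add -DthirdParty to eclipse.ini."""

from typing import Optional

# Speeds named in the documentation: "deep" is the default, "balanced" the example given.
DOCUMENTED_SPEEDS = ("deep", "balanced")


def build_appscan_opts(include_third_party: bool = False,
                       scan_speed: Optional[str] = None) -> str:
    """Return the APPSCAN_OPTS value for the requested settings.

    Only the two -D options described on the page are emitted; an unknown
    scan speed is rejected rather than silently passed to the plug-in.
    """
    opts = []
    if include_third_party:
        opts.append("-DthirdParty")
    if scan_speed is not None:
        if scan_speed not in DOCUMENTED_SPEEDS:
            raise ValueError(
                f"unknown scan speed {scan_speed!r}; documented values: {DOCUMENTED_SPEEDS}")
        opts.append(f"-Dscan_speed={scan_speed}")
    return " ".join(opts)


def shell_command(opts: str, windows: bool) -> str:
    """Return the command that sets APPSCAN_OPTS for the current shell."""
    if windows:
        return f"set APPSCAN_OPTS={opts}"
    return f'export APPSCAN_OPTS="{opts}"'


def ensure_vmarg(ini_text: str, vmarg: str = "-DthirdParty") -> str:
    """Return eclipse.ini content with `vmarg` present in the -vmargs section.

    eclipse.ini holds one argument per line; everything after the -vmargs
    line is passed to the JVM, so the flag must come after it. The edit is
    idempotent: an already-present flag is not duplicated, and a file without
    a -vmargs section gets one appended at the end.
    """
    lines = [line.strip() for line in ini_text.splitlines()]
    try:
        vm_index = lines.index("-vmargs")
    except ValueError:
        lines.append("-vmargs")
        vm_index = len(lines) - 1
    jvm_args = lines[vm_index + 1:]
    if vmarg not in jvm_args:
        lines.append(vmarg)
    return "\n".join(lines) + "\n"


# Constructed sample eclipse.ini content, not taken from any real installation.
SAMPLE_INI = """-startup
plugins/org.eclipse.equinox.launcher.jar
-vmargs
-Xms256m
-Xmx2048m
"""

if __name__ == "__main__":
    opts = build_appscan_opts(include_third_party=True, scan_speed="balanced")
    print(shell_command(opts, windows=True))
    print(shell_command(opts, windows=False))
    print(ensure_vmarg(SAMPLE_INI))
```

Run ensure_vmarg on the real eclipse.ini content and write the result back only after reviewing the diff; a -DthirdParty line that already sits before -vmargs is left where it is and a correctly placed copy is added after -vmargs, since only the latter reaches the JVM.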

Procedure

To scan source code and open assessments or reports:
  1. Ensure that the plug-in is installed to the IDE. During installation, if the IDE was open, restart it.
  2. Select the item that you want to scan:
    • In Eclipse, select the project or projects that you want to scan. To scan an entire Eclipse workspace, select all projects.
    • In Visual Studio, select the solutions, projects, or websites that you want to scan.
  3. Right-click the selection and select Security Analysis > Run Static Analysis.
    The Login dialog box opens if you are not already logged in to the service.
    Note: When you scan code or generate an IRX file, you might receive a message about updating to the latest Static Analyzer Command Line Utility. See Command Line Utility (CLI) support.
  4. In the Login dialog box, type in your service credentials:
    When you generate an API key in the AppScan on Cloud service, you receive a Key Id and Key Secret. Enter these values in the ID and Secret fields. If you have not yet generated an API key, follow the link in the dialog box for creating one.
    When you log in to the service, an encrypted key file is created. This token file is then referred to by other actions when they interact with the ASoC service.
  5. After launching the scan, AppScan on Cloud prompts you with a dialog box to choose the application to associate with the scan. Static analysis scans in your IDE must be associated with an existing AppScan on Cloud application.
  6. In the same dialog box, use the Personal scan checkbox to indicate whether the scan is a personal scan.
  7. The My Scans view opens after the scan is submitted.
  8. When the scan is complete, a notification opens with links to open Scan issues. In addition, the My Scans view is updated to include the scan. The view lists the scan name, status, time started and ended, and number and severity of vulnerabilities found.
    1. Scan issues: Select the link in the notification to open the result, or double-click the icon in the Scan issues column in the view (in Visual Studio, the result can also be opened from the system tray). This opens an interactive assessment that lists all non-compliant security issues discovered during the scan, grouped by fix group. A fix group represents the most common node that the grouped findings flow through. Typically, implementing a fix for a fix group achieves the greatest effect for the least work. A fix group can also be considered a logical grouping point at which related findings can be reviewed at the same time. Note that a fix group may not be the exact place at which a fix should be placed: future refactoring, code practices, and other factors might preclude using the fix group location for a fix.

      In the assessment:

      • Each fix group displays the recommended fix location, a link that opens the source of that fix location, the vulnerability, and the number of occurrences of the vulnerability that will be fixed if the source code is corrected.
      • If you select the vulnerability, a description of it opens (usually with examples and recommendations).
      • If you select the Details button, the fix group opens to all findings that will be fixed if the source code is corrected. In the detailed view, if you select the source location, it opens in the source editor. Selecting the trace icon opens a trace that displays the flow of data through the application.
  9. To open non-compliant issues for any application:
    Note: Non-compliant issues are those that fall outside the policies specified for the application in AppScan on Cloud.
    1. Select View > Security Analysis > Application Issues.
    2. If prompted, enter your service credentials.
    3. Select the application from the drop-down list in the resulting dialog box and click OK.

Results

Important: Rescanning is not supported in integrated development environments.