Scan mode

Scan mode describes whether AppScan on Cloud will scan build outputs (.dll, .jar, and so on) or source code files in projects for specific languages.

Specify scan mode in AppScan Go! or by using the source code-only option in command line utility (CLI). By default, Static Analyzer does not analyze the source code for compiled languages (Java, .NET, and C/C++). For these languages, users have the option of specifying scan mode. For all other languages, scanning is of source code-only.

Understanding the different methods of scanning is critical to the success of your project. Each has specific uses, requirements, and results differ.

Source code-only scanning

Early in the software development lifecycle, source code-only scanning of uncompiled code can be a helpful tool to head off issues and confirm programmatic approach before the project is too far along.

Generally performed by developers, and requiring access to source files, source code-only scans are fast but not necessarily as accurate as scans of compiled code. Results of source code-only scans pinpoint vulnerabilities in specific lines of code; they do not show trace data.

You can specify source code-only scanning for certain languages.

Bytecode/compiled (build output scanning)

When accuracy is preferred over speed of a scan, scanning build outputs can help you understand not just where in an application a vulnerability exists, but also the impact of that vulnerability. Scanning build outputs is sometimes referred to as "dataflow" scanning.

Build output scans require access to the fully built application. Scan results display "traces" showing the flow of tainted data through the application, from the point it enters the application to the point at which the data is used (called the "sink"). The trace shows the line of code and the tainted variable at each point in the trace; its appearance is similar to an exception stack trace.

Build output scanning may have additional requirements, depending on the project type:
  • Application dependencies should be available for the most complete and accurate results.
  • For Java and .NET bytecode is required, so the application needs to be built before running the scan.
  • For C/C++, a Visual Studio solution is required.