About scanning using an archive file
AppScan on Cloud supports uploading archive files of code for scanning without first generating an IRX file. This saves the user time by offloading the preparation of the files to ASoC.
File upload types by language for AppScan on Cloud
- Upload source code and build artifacts
- Generate IRX locally and upload IRX
Language | Upload source code | Upload source code + build artifacts | Upload IRX (generate IRX locally) |
---|---|---|---|
C/C++ | To scan file types listed as "source code-only" in the language support table. | To scan byte code file types listed under default content in the language support table. | |
Java and Java web content | N/A | | |
.NET | To scan file types listed as "source code-only" in the language support table.¹ | To scan byte code file types listed under default content in the language support table. | |
Others | Always. appscan-config is not needed. Archive must contain the entire directory structure of the target code to be scanned. | | |
Language-specific behaviors
Java
When scanning Java code archive files, the default behavior is for ASoC to perform data flow analysis (DFA) and scan bytecode only. Default functionality does not scan source code.
To scan source code only from Java code archive files, and not scan bytecode, specify sourceCodeOnly=true in appscan-config.xml.
C/C++ and .NET
Other languages
When scanning archive files for other languages, the default behavior is for ASoC to scan source code only.
Limitations of archive file scanning
- .NET assemblies are not supported
- Visual Studio solution files (.sln) are not supported
- Ruby .gem files are not supported
- When preparing to scan code from a Linux system, take care not to use Windows reserved names (for example, .aux, .com, .nul, and so on) when creating archive files. Our analysis runs on Windows and thus cannot process such filenames.
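
A pre-upload check for the limitations listed above, as an added example (not part of the original documentation or of AppScan): it audits a ZIP archive built on Linux for entry names that Windows reserves and for the unsupported .sln and .gem files. The function names are hypothetical, the archive is assumed to be a ZIP, and the reserved device-name set (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9) comes from Microsoft's file-naming rules rather than from this page, whose own three examples are matched literally.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Device names Microsoft documents as reserved in Windows file names (any extension).
RESERVED = {"con", "prn", "aux", "nul"} | {
    f"{dev}{n}" for dev in ("com", "lpt") for n in range(1, 10)}
# The names this page gives as examples, matched literally.
PAGE_EXAMPLES = {".aux", ".com", ".nul"}
# File types the page lists as unsupported in an uploaded archive.
UNSUPPORTED = {".sln": "Visual Studio solution file", ".gem": "Ruby .gem file"}


def is_reserved(component):
    """True if one path component is a Windows reserved name."""
    lowered = component.lower()
    stem = lowered.split(".", 1)[0].rstrip(" ")  # "aux.c" -> "aux"
    return lowered in PAGE_EXAMPLES or stem in RESERVED


def audit_archive(zf):
    """Return (entry, reason) pairs for entries the page says cannot be processed."""
    findings = []
    for entry in zf.namelist():
        path = PurePosixPath(entry)
        bad = next((p for p in path.parts if is_reserved(p)), None)
        if bad is not None:
            findings.append((entry, f"Windows reserved name '{bad}'"))
        if path.suffix.lower() in UNSUPPORTED:
            findings.append((entry, UNSUPPORTED[path.suffix.lower()]))
    return findings


def audit_sample():
    """Build a constructed archive in memory and audit it."""
    names = ["com/example/App.java", "src/aux.c", "src/auxiliary.c",
             "docs/NUL", "logs/.aux", "win/app.sln", "vendor/rake-13.0.gem"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, "constructed sample content\n")
    with zipfile.ZipFile(buf) as zf:
        return audit_archive(zf)


if __name__ == "__main__":
    for entry, reason in audit_sample():
        print(f"{entry}: {reason}")
```

A Java package directory named com is not flagged, because only COM1 through COM9 are device names. .NET assemblies are not checked here, since a file extension alone does not identify them.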