Welcome
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Static analysis troubleshooting
If you experience problems with static analysis, you can perform these troubleshooting tasks to determine the corrective action to take.
IRX upload fails due to mismatched encryption

Getting started
Welcome to the documentation for HCL AppScan on Cloud, where you can find information about how to install, maintain, and use this service.
Navigation
This section describes the items on the main AppScan on Cloud menu bar, with links to more detailed information.
Administration
Define users, applications, policies, and configure DevOps integrations.
Dynamic analysis
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
Interactive monitoring
Using an agent installed on your application, ASoC identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
- About static analysis (SAST)
- System requirements for static analysis
  Supported operating systems and the types of files, locations, and projects that can be scanned by ASoC when you perform static analysis.
- Scanning for security vulnerabilities
  To scan source code for security vulnerabilities, follow the steps in these topics.
- Sample apps and scripts
  Use these sample applications to practice scanning with ASoC.
- Static analysis troubleshooting
  If you experience problems with static analysis, you can perform these troubleshooting tasks to determine the corrective action to take.
  - Errors or warnings occur when generating a static analysis IRX file
  - .NET scan results show the assembly file instead of the source file
    When the .pdb file is in the wrong format, .NET scan results can show the assembly file instead of the source file.
  - Static analysis of ASP.NET site fails due to problems with precompilation
  - Static analysis Failed to create application 'Default' error
  - Security scan fails with Application with id x does not exist error
  - IRX file is too large to analyze
  - IRX upload fails due to mismatched encryption
  - Manual update of AppScan Go! is unsuccessful
  - Error in log on Linux at AppScan Go! installation
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.The Scans and Sessions page lists scans under the categories where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
Troubleshooting
If you experience problems with this service, you can perform these troubleshooting tasks to determine the corrective action to take.
FAQ & Reference
Frequently asked questions, information about integrating ASoC into the product lifecycle (SDLC), and ASoC API documentation.

IRX upload fails due to mismatched encryption

Symptom

When you attempt to upload an IRX file for scanning, you see this error:

Error: The .irx file was encrypted for use in a different service.

Cause

The IRX file was encrypted with the wrong public key for your current service instance.

Each AppScan service instance (AppScan on Cloud, AppScan 360°, or a private instance) uses a unique encryption key pair:

Public key: Distributed by the service to encrypt IRX files.
Private key: Held by the service to decrypt and process uploads.

Public and private keys are mathematically related and uniquely identify the user; data encrypted by one of the keys in a pair can be decrypted only by the other key in the pair. As such, an IRX file encrypted with a public key for a service can be analyzed only by the service with the matching private key. Attempting to upload a file encrypted for a different service results in the error above.

Resolution

To resolve the issue:

Check your service URL.
1. Open the server.apsettings file.
  - AppScan on Cloud, AppScan 360°, and private instances: SAClientUtil\config\server.apsettings
  - AppScan Go! and plugins: <user_home>\.appscan\<SAClientUtil>\config\server.apsettings
2. Verify that service_url exactly matches the service to which you are attempting to upload the IRX file.
  For example, if you are uploading to ASoC, service_url should be https://cloud.appscan.com or https://eu.cloud.appscan.com. If you are uploading to AppScan 360°, service_url should match the location specified during install. If you are using a private instance, service_url should match the private instance URL.
Update your public key.
- From the SAClientUtil folder, fetch the correct rsa.pub key for your selected service. Run:
```
appscan get_pubkey
```
Regenerate the IRX and try again to upload it.