Setting up the Static Analyzer Command Line Utility

For static analysis, download a small Command Line Utility. When you extract the utility to your local disk, you can use its command line interface (CLI) to perform security analysis.

About this task

When you use static analysis, you scan source code to generate a file that is uploaded to the cloud. The file, an encrypted IRX (.irx) file, is scanned using trace analysis to find security vulnerabilities.
  • When the IRX file is generated for compiled languages, application byte code files are converted into an Intermediate Representation of the code.
  • When an IRX file is generated for scripting languages, source files are included in the encrypted IRX file.
  • When you use the Visual Studio plug-in, IRX file generation and upload happens automatically from the IDE.
Important: The Command Line Utility should not be placed in a directory that contains non-ASCII characters.
Note: To generate an IRX file using AppScan Go!, follow the instructions at Configuring a scan using AppScan Go!.

Procedure

To set up the Command Line Utility:
  1. Start the Create scan wizard.
    Important: AppScan 360° users must use the versions of the Static Analyzer Command Line Utility (SAClientUtil) and AppScan Go! included with the AppScan 360° installation. AppScan on Cloud users must use the versions downloaded from the AppScan on Cloud service. They are not interchangeable.
  2. Click Create scan under SAST.
  3. Click Upload an archive to scan.
  4. Under Generate the IRX file, select the platform on which you plan to run the Command Line Utility, and then click Download. This downloads an SAClientUtil_<version>_<os>.zip file (where <version> is the current version of the Command Line Utility and <os> is the operating system that the Command Line Utility is for).
    Note: You can reopen this welcome form later by selecting How do I create an IRX file? in the form where you select an IRX file.
  5. Extract the file to a local drive.
  6. If you plan to use the CLI for IRX file generation, uploading IRX files, or managing scans, add the location of the \bin directory of the extracted SAClientUtil_<version>_<os>.zip file to your PATH environment variable. If you do not, every command must be qualified with the full path of that \bin directory each time it is issued.
    Tip: After you change the PATH, issue appscan version (Windows) or appscan.sh version (Linux and macOS) at a command prompt. If the Static Analyzer Command Line Utility version, home, and other information are returned, the PATH is set correctly.

What to do next

If you are running the Command Line Utility on a computer that is behind a proxy, use one of these methods for specifying the proxy so that the Command Line Utility can connect to the cloud:

  • Command Line Utility CLI and supported integrated development environments (IDE): Set this global or system environment variable so that the proxy is automatically recognized:
    • Windows: APPSCAN_OPTS=-Dhttps.proxyHost=<proxy> -Dhttps.proxyPort=<port>
    • Linux and macOS: APPSCAN_OPTS="-Dhttps.proxyHost=<proxy> -Dhttps.proxyPort=<port>"

    Where <proxy> is the host name of the proxy server and <port> is the port number that the proxy server is using.

    Or, each time that you use the CLI or IDE (launched from a command prompt or terminal), you can set the Command Line Utility to use the proxy by issuing a command:

    • Windows: set "APPSCAN_OPTS=-Dhttps.proxyHost=<proxy> -Dhttps.proxyPort=<port>"
    • Linux and macOS: export APPSCAN_OPTS="-Dhttps.proxyHost=<proxy> -Dhttps.proxyPort=<port>"
  • Maven: If you added the static analysis plug-in to Maven, you can add the property to the MAVEN_OPTS environment variable globally or you can add the property to each command.
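The PATH, version-check and APPSCAN_OPTS proxy settings from the steps above, collected into an added POSIX shell helper; this is example code, not part of the SAClientUtil distribution. The variable names SACLIENT_HOME, PROXY_HOST and PROXY_PORT are assumptions for the extracted utility directory and the proxy details.

```shell
#!/bin/sh
# Added helper for the SAClientUtil setup described above; not part of the product.
# Assumed inputs: SACLIENT_HOME (the extracted SAClientUtil directory) and, optionally,
# PROXY_HOST / PROXY_PORT. Source this file (". ./saclient-env.sh") so that the
# PATH and APPSCAN_OPTS exports survive in your interactive shell.

# The utility must not live under a path that contains non-ASCII characters.
# Returns 0 when every byte of the path is printable ASCII, 1 otherwise.
path_is_ascii() {
    n=$(( $(printf '%s' "$1" | LC_ALL=C tr -d '\040-\176' | wc -c) ))
    [ "$n" -eq 0 ]
}

# Build the APPSCAN_OPTS value for a proxy host and a numeric port.
build_appscan_opts() {
    case "$2" in
        ''|*[!0-9]*) echo "proxy port must be numeric: $2" >&2; return 1 ;;
    esac
    printf '%s' "-Dhttps.proxyHost=$1 -Dhttps.proxyPort=$2"
}

# Put <home>/bin on PATH, set the proxy if requested, then verify with "appscan.sh version".
setup_saclient() {
    saclient_home=$1
    if ! path_is_ascii "$saclient_home"; then
        echo "SAClientUtil path contains non-ASCII characters: $saclient_home" >&2
        return 1
    fi
    if [ ! -x "$saclient_home/bin/appscan.sh" ]; then
        echo "appscan.sh not found or not executable in $saclient_home/bin" >&2
        return 1
    fi
    PATH="$saclient_home/bin:$PATH"
    export PATH
    if [ -n "${PROXY_HOST:-}" ] && [ -n "${PROXY_PORT:-}" ]; then
        APPSCAN_OPTS=$(build_appscan_opts "$PROXY_HOST" "$PROXY_PORT") || return 1
        export APPSCAN_OPTS
    fi
    # Prints the utility version and home when the PATH is set correctly.
    appscan.sh version
}

# Run only when SACLIENT_HOME is set, so the functions can also be sourced on their own.
if [ -n "${SACLIENT_HOME:-}" ]; then
    setup_saclient "$SACLIENT_HOME"
fi
```

On Windows the equivalent is the set "APPSCAN_OPTS=..." command shown above together with appscan version; this helper covers the Linux and macOS shell only.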
Note: To take best advantage of AppScan on Cloud functionality, the Static Analyzer Command Line Utility and all plugins must be up-to-date:
  • Static Analyzer Command Line Utility updates are available on a regular basis, and details are listed in Recent updates. Updates may include:
    • New language support
    • Updated language support (for example, new file types associated with supported languages)
    • New features
    • Fixes
  • Plugins automatically download the latest Static Analyzer Command Line Utility when they run.
  • If you try to prepare code for scanning using an outdated version of the Static Analyzer Command Line Utility, you may see a message directing you to update the utility to the latest version. Upgrade to the latest Static Analyzer Command Line Utility based on your operating system (Windows, Linux, Mac).
  • If you are using AppScan Go!, accept and install the latest update if an update is offered.