HCL AppScan Source product documentation

HCL® AppScan® Source for Development (Eclipse Plug-in)

    With AppScan® Source for Development, you can work in your existing development environment and perform security vulnerability analysis on Java and IBM® MobileFirst Platform projects. Security analysis lets you pinpoint vulnerabilities in the source code and eliminate them entirely with AppScan Source Security Knowledgebase remediation assistance.

Modifying findings

Modified findings are findings that have changed vulnerability types, classifications, or severities - or that have annotations. The Modified Findings view displays these findings for the current application (the application that is active as a result of opening an assessment for it). In the My Assessments view (available only in AppScan® Source for Analysis), the Modified column indicates if a finding has changed in the current assessment.


Making modifications from a findings table

Modify findings from a findings table when you want to apply the same change to several findings at once. To modify an individual finding, use either a findings table or the Finding Detail view.

  • Changing the vulnerability type
    Vulnerability types can be changed for individual findings or for a group of findings.
  • Promoting finding classifications
    A finding with a classification of suspect security finding or scan coverage finding can be promoted to a definitive finding.
  • Modifying severity
    Selecting a new severity level changes the severity of each selected finding. For example, AppScan Source might report that an API is of medium severity, but your corporate policy identifies it as more severe. You can modify the severity to meet your requirements; note, however, that the AppScan Source remediation assistance for the finding does not reflect the modified severity.
  • Annotating findings
    Notes can be used as reminders to take further action on a finding, or to convey information about the finding to someone else. You can add a note to a single finding or to a group of findings.