Welcome
Welcome to the documentation for HCL® AppScan® Source.
HCL® AppScan® Source delivers maximum value to every user in your organization who plays a role in software security. Whether a security analyst, quality assurance professional, developer, or executive, the AppScan Source products deliver the functionality, flexibility, and power you need - right to your desktop.
What's New in AppScan® Source
Explore these new features that have been added to AppScan® Source - and note any features and capabilities that have been deprecated in this release.
HCL® AppScan® Source Version 10.0.2 Readme and Release Notes
Migrating to the current version of AppScan® Source
This topic contains migration information for changes that have gone into this version of AppScan® Source. If you are upgrading from an older version of AppScan Source, be sure to note the changes for the version of AppScan Source that you are upgrading and all versions leading up to this current version.
Important concepts
Before you begin to use or administer AppScan® Source, you should become familiar with fundamental AppScan Source concepts. This section defines basic AppScan Source terminology and concepts. Subsequent chapters repeat these definitions to help you understand their context in AppScan Source for Analysis.
AppScan® Source deployment models
This section describes three different deployment models and the components that comprise each model.
Introduction to HCL® AppScan® Source for Analysis
This section describes how AppScan® Source for Analysis fits into the total AppScan Source solution and provides a basis for understanding the software assurance workflow.
Logging in to AppScan® Enterprise Server from AppScan® Source products
Most AppScan® Source products and components require a connection to an AppScan Enterprise Server. The server provides centralized user management capabilities and a mechanism for sharing assessments. All user management occurs in AppScan Enterprise.
United States government regulation compliance
Compliance with United States government security and information technology regulations helps to remove sales impediments and roadblocks. It also provides a proof point to prospects worldwide that HCL® is working to make its products the most secure in the industry. This topic lists the standards and guidelines that AppScan® Source supports.
AppScan® Source and accessibility
Accessibility affects users with physical disabilities, such as restricted mobility or limited vision. Accessibility issues can impede the ability to use software products successfully. This topic outlines known AppScan® Source accessibility issues and their workarounds.
Notices
Copyright
Learn how to install the product.
System requirements and installation prerequisites
Sample installation scenarios
When installing AppScan® Source, it is important to follow the correct installation workflow. These topics guide you through the workflow involved in some sample installation scenarios.
Upgrading AppScan® Source
Advanced installation and activation topics
This section describes advanced installation options and activation procedures.
AppScan® Source silent installers
The AppScan® Source custom installation wizard is used for creating silent installers.
Activating the software
Removing AppScan® Source from your system
You can remove AppScan® Source from the Windows™ Control Panel or with a Linux™ uninstall script. The AppScan Source uninstall does not remove or back up an installed Oracle database. Deleting the AppScan Source user from an Oracle instance is a manual database administrative task.
Learn how to configure the product.
Configuring applications and projects
Before you scan, you must configure applications and projects. This section explains the Application Discovery Assistant, New Application Wizard, and the New Project Wizard. You will learn how to configure attributes for AppScan® Source for Analysis. In addition, this section teaches you how to add existing applications and projects for scanning - and how to add files to projects.
Preferences
Preferences are personal choices about the appearance and operation of AppScan® Source for Analysis.
Learn how to administer the product.
Administering AppScan® Source
This section explains user management, permissions, application and project registration, and port configuration.
Auditing user activity
AppScan® Source offers a convenient location for auditing user activity. The Audit view logs events such as authentication to the AppScan Enterprise Server, the creation of new users, and the creation of new rules in the database.
LDAP integration
To add an AppScan® Source user that will be authenticated via LDAP, you must have configured the AppScan Enterprise Server user repository to use an LDAP repository.
Registering applications and projects for publishing to AppScan® Source
AppScan® Source application and project files
AppScan® Source applications and projects have corresponding files that maintain configuration information required for scanning, as well as triage customization. It is recommended that these files reside in the same directory as the source code, since configuration information (dependencies, compiler options, and so forth) required to build the projects is very similar to that required for AppScan Source to scan them successfully. Best practice includes managing these files with your source control system.
Port configuration
Learn how to develop by using the product.
Scanning source code and managing assessments
This section explains how to scan your source code and manage assessments.
Triage and analysis
Grouping similar findings allows security analysts or IT auditors to segment and triage source code problems. This section explains how to triage AppScan® Source assessments and analyze results.
AppScan® Source trace
With AppScan® Source trace, you can verify input validation and encoding that meets your software security policies. You can look at the findings that produce input/output traces and mark methods as validation and encoding routines, sources or sinks, callbacks, or taint propagators.
AppScan® Source for Analysis and defect tracking
AppScan® Source for Analysis integrates with defect tracking systems such as IBM® Rational Team Concert™ to deliver confirmed software vulnerabilities directly to the developer desktop. A defect submitted to a defect tracking system contains a textual description of the bug and a file that contains only the findings submitted with the defect.
Findings reports and audit reports
Security analysts and risk managers can access reports of select findings or a series of audit reports that measure compliance with software security best practices and regulatory requirements. This section explains how to create reports of aggregate finding data.
Creating custom reports
In the Report Editor, you create report templates used to generate custom reports.
Learn how to extend the product.
Customizing the vulnerability database and pattern rules
This section describes how to customize the database and integrate customized vulnerabilities and other routines into scans.
Extending the application server import framework
AppScan® Source allows you to import Java™ applications from Apache Tomcat and WebSphere® Application Server Liberty profile. You can import Java applications from other application servers by extending the application server import framework, as explained in this topic.
HCL® AppScan® Source for Development (Eclipse Plug-in)
With AppScan® Source for Development, you can work in your existing development environment and perform security vulnerability analysis on Java and IBM® MobileFirst Platform projects. Security analysis lets you pinpoint vulnerabilities in the source code and eliminate them entirely with AppScan Source Security Knowledgebase remediation assistance.
Review reference information for the product.
The Ounce/Make build utility
Ounce/Make is a tool that automates the importing of configuration information into AppScan® Source from build environments that use makefiles. Ounce/Make eliminates the need to import configuration information from makefiles manually.
AppScan® Source command line interface (CLI)
The CLI is an interface to core AppScan® Source functionality.
The Ounce/Ant build tool
This section describes how to use Ounce/Ant, an AppScan® Source build utility that integrates AppScan Source and Apache Ant. Integrating Ounce/Ant with your Ant environment helps you automate builds and code assessments.
AppScan® Source Data Access API
The Data Access API provides access to AppScan® Source-generated assessment results, including findings and finding details. It also provides access to assessment metrics such as analysis date and time, lines of code, V-density, and number of findings.
Ounce/Maven plug-in
This section describes the Ounce/Maven plug-in, which uses Maven, an Apache build tool, to integrate AppScan® Source into the Maven workflow.
AppScan® Source for Automation
The Automation Server (ounceautod) allows you to automate key aspects of the AppScan® Source workflow and integrate security with build environments during the software development life cycle (SDLC). The Automation Server allows you to queue requests to scan and publish assessments, and generate reports on the security of application code.
Framework for Frameworks handling APIs
AppScan® Source provides a set of Java™ APIs that allow you to add support for frameworks that are used in your applications. The classes and methods offered in these APIs allow you to account for frameworks for which built-in support is not provided.
AppScan® Source client component error messages
AppScan® Source for Analysis samples
AppScan® Source for Analysis includes sample applications that you can use to familiarize yourself with the product.
The AppScan® Source for Analysis work environment
To get the most out of AppScan® Source, you should understand the basic concepts behind the AppScan Source for Analysis working environment and how to use the options that best fit your workflow.
Views and windows
AppScan® Source for Development views and windows provide alternative presentations of findings, support code editing, and allow you to navigate the information in your workbench. A view might appear by itself, or stacked with other views in a tabbed notebook. You can change the layout of a perspective or window by opening and closing views and by docking them in different positions in the Workbench window.
CWE support
The Common Weakness Enumeration (CWE) is an industry standard list that provides common names for publicly known software weaknesses. This topic lists the CWE IDs that are supported in the current version of AppScan® Source.
Glossary
Learn common product terminology.
There are a number of self-help information resources and tools to help you troubleshoot problems.
Troubleshooting process overview
Troubleshooting is the process of finding and eliminating the cause of a problem. Whenever you have a problem with your IBM® software, the troubleshooting process begins as soon as you ask yourself, "What happened?"
Contacting HCL® Software Support
If the self-help resources have not provided a resolution to your problem, you can contact HCL® Software Support. HCL Software Support provides assistance in resolving product issues.