Welcome
Extending product function
Learn how to extend the product to meet specific development requirements.
Customizing the vulnerability database and pattern rules
This section describes how to customize the database and integrate customized vulnerabilities and other routines into scans.
Customizing with pattern-based rules
AppScan® Source pattern-based scanning is an analysis of your source code based on customized search criteria. Pattern-based scanning is similar to grep (grep searches one or more files for a given character string or pattern). Auditors or security analysts performing triage might use pattern-based scanning to search for specific patterns in specific applications or in a project. Once you define a pattern as a vulnerability type, a scan of your source code identifies the pattern as a vulnerability. When AppScan Source finds a match, the item appears in the findings table. The out-of-the-box AppScan Source rule library includes predefined rules and rule sets (collections of rules).

Welcome
Welcome to the documentation for HCL® AppScan® Source.
What's New
Explore new features added to AppScan® Source and note any features and capabilities deprecated in this release.
Installing
Learn how to install, upgrade, and activate HCL® AppScan® Source.
Configuring
Learn how to configure applications, folders, and projects, and set attributes and properties in HCL® AppScan® Source.
Administering
Learn how to administer user accounts and permissions, audit user activity, and manage integrations in HCL® AppScan® Source.
Scanning
This section explains how to scan your source code and manage assessments in HCL® AppScan® Source.
Triage and analysis
Grouping similar findings allows security analysts or IT auditors to segment and triage source code problems. This section explains how to triage AppScan® Source assessments and analyze results.
Reporting
Security analysts and risk managers can access reports of select findings or a series of audit reports that measure compliance with software security best practices and regulatory requirements. This section explains how to create reports of aggregate finding data.
Extending product function
Learn how to extend the product to meet specific development requirements.
- Customizing the vulnerability database and pattern rules
  This section describes how to customize the database and integrate customized vulnerabilities and other routines into scans.
  - Extending the AppScan® Source Security Knowledgebase
    This section describes how to customize the database and integrate customized vulnerabilities and other routines into scans. Custom rules tailor the AppScan® Source Security Knowledgebase (or vulnerability database) to your specific security standards and apply those standards consistently across your enterprise.
  - Customizing input/output tracing through AppScan® Source trace
    Some applications (particularly web applications) require input/output tracing to identify security vulnerabilities related to SQL injection, command injection, and cross-site scripting. Through AppScan® Source trace, you can specify a validation routine that, if used, eliminates the reporting of any vulnerability. All other outputs are marked as vulnerabilities if input has not been validated.
  - Customizing with pattern-based rules
    AppScan® Source pattern-based scanning is an analysis of your source code based on customized search criteria. Pattern-based scanning is similar to grep (grep searches one or more files for a given character string or pattern). Auditors or security analysts performing triage might use pattern-based scanning to search for specific patterns in specific applications or in a project. Once you define a pattern as a vulnerability type, a scan of your source code identifies the pattern as a vulnerability. When AppScan Source finds a match, the item appears in the findings table. The out-of-the-box AppScan Source rule library includes predefined rules and rule sets (collections of rules).
    - Pattern rule sets
      A pattern rule set is a collection of pattern rules. You can add new pattern rule sets or you can modify or remove existing ones. AppScan® Source provides a series of language-specific pattern rule sets that you can choose to apply to your projects or applications (for example, you may want to apply the Java pattern rule set to your Java/JSP projects).
    - Pattern rules
      AppScan® Source text rules can be Extended Global Regular Expressions Print (egrep), Global Regular Expressions (grep), or Perl regular expressions. These regular expressions (expressions that have string values that use the complete set of alphanumeric and special characters) match the rules.
    - Applying pattern rules and rule sets
      Rules and rule sets are applied at the application or project level in the Properties view or in a scan configuration. After you scan applications or projects with applied rules, or use a scan configuration that includes rules, the results of the rule search appear in the views that contain findings.
    - Pattern Rule Library view
      Pattern-based scanning is an analysis of your source code based on customized search criteria. The Pattern Rule Library view allows you to view existing pattern-based rules, by language (including the out-of-the-box AppScan® Source pattern rule library). In addition, the view allows you to add rules and patterns for pattern-based scanning.
- Extending the application server import framework
  AppScan® Source allows you to import Java™ applications from Apache Tomcat and WebSphere® Application Server Liberty profile. You can import Java applications from other application servers by extending the application server import framework, as explained in this topic.
- HCL® AppScan® Source for Development (Eclipse Plug-in)
  With AppScan® Source for Development, you can work in your existing development environment and perform security vulnerability analysis on Java projects. Security analysis lets you pinpoint vulnerabilities in the source code and eliminate them entirely with AppScan Source Security Knowledgebase remediation assistance.
Reference
Review reference information for HCL® AppScan® Source, including using utilities, plug-ins, and APIs.
Troubleshooting and support
Self-help information, resources, and tools to help you troubleshoot issues while using HCL® AppScan® Source.

Customizing with pattern-based rules

AppScan® Source pattern-based scanning is an analysis of your source code based on customized search criteria. Pattern-based scanning is similar to grep (grep searches one or more files for a given character string or pattern). Auditors or security analysts performing triage might use pattern-based scanning to search for specific patterns in specific applications or in a project. Once you define a pattern as a vulnerability type, a scan of your source code identifies the pattern as a vulnerability. When AppScan® Source finds a match, the item appears in the findings table. The out-of-the-box AppScan® Source rule library includes predefined rules and rule sets (collections of rules).

Pattern-based scanning searches for a regular expression. A regular expression, often called a pattern, is a string that describes or matches a set of strings, according to certain syntax rules. You specify a search by creating a rule. A rule is similar to a custom rule that you add to the AppScan® Source Security Knowledgebase in the Custom Rules view. When you create a rule, you define severity, classification, vulnerability type, and other criteria.

The Pattern Rule Library view allows you to create new pattern rules and rule sets, and to modify or remove existing ones. You then use the Properties view for a selected application, the Properties view for a selected project, or scan configurations to apply the pattern rules and rule sets (you can also launch the dialog box that allows you to create a new rule from these views). To learn more about applying rules and rule sets, see Applying pattern rules and rule sets.

Examples of pattern rules that can be created include:

File name pattern matches
Single rule with multiple patterns
Absence rules

Note: You must have Manage Patterns permission to be able to create pattern rules or rule sets, or to modify and remove custom rules and rule sets.