Important concepts
Before you begin to use or administer AppScan® Source, you should become familiar with fundamental AppScan® Source concepts. This section defines basic AppScan® Source terminology and concepts. Subsequent chapters repeat these definitions to help you understand their context in AppScan® Source for Analysis.
AppScan® Source for Analysis scans source code for vulnerabilities and produces findings. Findings are the vulnerabilities identified during a scan, and the result of a scan is an assessment. A bundle is a named collection of individual findings and is stored with an application.
Applications, their attributes, and projects are created and organized in AppScan® Source for Analysis:
- Applications: An application contains one or more projects and their related attributes.
- Projects: A project consists of a set of files (including source code) and their related information (such as configuration data). A project is always part of an application.
- Attributes: An attribute is a characteristic of an application that helps organize the scan results into meaningful groupings, such as by department or project leader. You define attributes in AppScan® Source for Analysis.
The principal activity of AppScan® Source for Analysis is to scan source code and analyze the vulnerabilities it finds. For each finding, an assessment reports the following:
- Severity: High, medium, or low, indicating the level of risk
- Vulnerability Type: Vulnerability category, such as SQL Injection or Buffer Overflow
- File: Code file in which the finding exists
- API/Source: The vulnerable call, showing the API and the arguments passed to it
- Method: Function or method from which the vulnerable call is made
- Location: Line and column number in the code file that contains the vulnerable API
- Classification: Security finding or scan coverage finding. For more information, see Classifications.