ScanApplication

Description

Scan the specified application and perform other actions related to scanning.

Syntax

ounceauto ScanApplication
-application <name of application>|
  -application_file <path to application file>
[-name <assessment name>]
[-scanconfig <scan_configuration_name>]
[-waitforlicense <wait_time>]
[-save <filename>]
[-caller <caller>]
[-publish]
[-clearcache]
[-report <report type> <output format> <output location>]
[-export <export type> <output location>]
[-includeSrcBefore <n>]
[-includeSrcAfter <n>]
[-includeTraceDefinitive]
[-includeTraceSuspect]
[-includeTraceCoverage]
[-includeHowToFix]
[-appserver_type]
[-include_all_lib_jars]
[-include_lib_jars]
[-no_ear_project]
  • -application <name of application> or -application_file <path to application file>: One of these is required.
    • If you specify -application <name of application>, indicate the name of the application to scan.
    • If you specify -application_file <path to application file>, indicate the full path and file name for one of these file types:
      • AppScan® Source application files (.paf).
      • Eclipse workspaces (.ewf)
        Note: .ewf files are generated when you use openapplication to open a workspace directory (by specifying its path).
      • WAR files (.war)
      • EAR files (.ear)
      • Windows only: Microsoft Visual C++ Workspace files (.dsw)
      • Windows only: Microsoft Visual Studio.NET solution files (.sln)
      Note: To learn which versions of imported files are supported by AppScan® Source for Analysis, AppScan® Source for Automation, and the AppScan® Source command line interface, see System requirements and installation prerequisites. On that page, select the tab for the version of AppScan® Source that you are using - and then select the AppScan® Source component that you are using. If AppScan® Source supports opening and scanning files from other development environments, that support is listed in the Compilers and Languages section of the Supported Software tab.
  • -name <assessment name>: Optional. A name for the assessment.
  • -scanconfig <scan_configuration_name>: Optional. Specify the name of a scan configuration to use for the scan. If a scan configuration is not specified, the default scan configuration will be used for the scan.
  • -waitforlicense <wait_time>: Optional. Specify the wait time in minutes for which a scan will wait when an AppScan® Source for Automation license is not available. If a wait time is not indicated using -waitforlicense, a default value is drawn from CLI.ozsettings. Wait time can be disabled by setting the value to 0.
  • -save <filename>: Optional. Save the assessment results to this file.
  • -caller <caller>: Optional. Assign a caller to the operation. The caller can be the name of an actual user, but this is not required. The caller name is written to the ounceauto log file.
  • -publish: Optional. Publish the assessment after scanning.
  • -clearcache: Optional. Remove the vulnerability analysis cache and custom rules signature data before scanning.
  • -report: Optional. Generate a report after the scan.
    • Required -report command options:
      • <report type>: Type of report. The report types consist of Findings reports, AppScan® Source reports, and custom reports. Refer to the options in GenerateReport.
      • <output format>: Specify the report format. Refer to the options in GenerateReport.
      • <output location>: The location to save the report.
    • Optional -report command options:
      • -includeSrcBefore <n>: The number of lines of source code to include before each finding.
      • -includeSrcAfter <n>: The number of lines of source code to include after each finding.
      • -includeTraceDefinitive: Include trace information in the report for definitive findings (see Classifications to learn about findings classifications).
      • -includeTraceSuspect: Include trace information in the report for suspect findings.
      • -includeTraceCoverage: Include trace information in the report for scan coverage findings.
  • -export: Optional. Export scan findings to a CSV or SARIF file. If used, the following command options are required.
    • <export type>: Format of the exported report, CSV or SARIF.
    • <output location>: The path and file name to which to save the report.
  • -includeHowToFix: Include advisory information for how to address and correct findings.
  • -appserver_type: Optional. If the application that you are opening includes JavaServer Pages (for example, a WAR or EAR file), use this setting to specify the application server to use for JSP compilation. Specify one of these, in double quotation marks:
    • Tomcat 8
    • Tomcat 9
    • WebSphere 7.0
    • WebSphere 8.0
    • WebSphere 8.5
    • WebLogic 11g
    • WebLogic 12c
    Note:
    • Before specifying an application server, ensure that it has been configured properly in the AppScan® Source for Analysis preferences.
    • If -appserver_type is not used, the default JSP compiler that is currently set in AppScan® Source for Analysis will be used for JSP compilation. Out-of-the-box, Tomcat 9 is the default JSP compiler.
  • For WAR files:
    • -include_all_lib_jars: Use this setting to include all libraries in the WAR file during the scan.
    • -include_lib_jars: Use this setting to specify the libraries in the WAR file that you want to include during the scan. When using the setting, do not include library path information - and separate multiple libraries with commas.
  • -no_ear_project: When importing an EAR file, a project is automatically created for storing shared libraries. If there are no shared libraries, the project will be created, but it will be empty. When this setting is used, no project will be created for the EAR file.

Return Value

The Request ID if successful, or -1 if the request submission was unsuccessful.

Examples

  • Scan the WebGoat application, publish it, and annotate the log with John Smith as the caller:
    ounceauto scanapplication -application_file C:\WebGoat\WebGoat.paf -publish -caller JohnSmith
  • Scan the WebGoat application and create a Findings report in the C:\WebGoat directory. In the report, include trace information for definitive findings:
    ounceauto scanapplication -application WebGoat -report Findings html C:\WebGoat\MyReport.html -includeTraceDefinitive
  • Scan a WAR file and include only some of its libraries:
    ounceauto scanapplication -application_file c:\mywar.war -include_lib_jars lib1.jar,lib2.jar