Home
Extending product function
Learn how to extend the product to meet specific development requirements.
HCL® AppScan® Source for Development (Eclipse Plug-in)
With AppScan® Source for Development, you can work in your existing development environment and perform security vulnerability analysis on Java and IBM® MobileFirst Platform projects. Security analysis lets you pinpoint vulnerabilities in the source code and eliminate them entirely with AppScan Source Security Knowledgebase remediation assistance.
Views and windows
AppScan® Source for Development views and windows provide alternative presentations of findings, support code editing, and allow you to navigate the information in your workbench. A view might appear by itself, or stacked with other views in a tabbed notebook. You can change the layout of a perspective or window layout by opening and closing views and by docking them in different positions in the Workbench window.
Assessment Summary view
The Assessment Summary view, a bar chart graphical view of the open assessment, displays information for select findings.

Welcome
Welcome to the documentation for HCL® AppScan® Source.
What's New
Explore these new features that have been added to AppScan® Source - and note any features and capabilities that have been deprecated in this release.
Installing
Learn how to install, upgrade, and activate HCL® AppScan® Source.
Configuring
Learn how to configure applications, folders, and projects, and set attributes and properties in HCL® AppScan® Source.
Administering
Learn how to administer user accounts and permissions, audit user activity, and manage integrations in HCL® AppScan® Source.
Scanning
This section explains how to scan your source code and manage assessments in HCL® AppScan® Source.
Triage and analysis
Grouping similar findings allows security analysts or IT auditors to segment and triage source code problems. This section explains how to triage AppScan® Source assessments and analyze results.
Reporting
Security analysts and risk managers can access reports of select findings or a series of audit reports that measure compliance with software security best practices and regulatory requirements. This section explains how to create reports of aggregate finding data.
Extending product function
Learn how to extend the product to meet specific development requirements.
- Customizing the vulnerability database and pattern rules
  This section describes how to customize the database and integrate customized vulnerabilities and other routines into scans.
- Extending the application server import framework
  AppScan® Source allows you to import Java™ applications from Apache Tomcat and WebSphere® Application Server Liberty profile. You can import Java applications from other application servers by extending the application server import framework, as explained in this topic.
- HCL® AppScan® Source for Development (Eclipse Plug-in)
  With AppScan® Source for Development, you can work in your existing development environment and perform security vulnerability analysis on Java and IBM® MobileFirst Platform projects. Security analysis lets you pinpoint vulnerabilities in the source code and eliminate them entirely with AppScan Source Security Knowledgebase remediation assistance.
  - HCL® MobileFirst Platform Application Scanning
    AppScan® Source for Development is also delivered as MobileFirst Platform Application Scanning. With MobileFirst Platform Application Scanning, you can work in your existing development environment and perform security vulnerability analysis on IBM® MobileFirst Platform projects. Security analysis lets you pinpoint vulnerabilities in the source code and eliminate them entirely with AppScan Source Security Knowledgebase remediation assistance.
  - Glossary
  - AppScan® Source for Development server mode and local mode
    The AppScan® Source for Development plug-ins can be used with or without an AppScan Enterprise Server. In server mode, you connect to the server to run scans and access shared data, just as in previous product versions. In the new local mode, AppScan Source for Development runs without ever connecting to an AppScan Enterprise Server - and you cannot access shared items such as filters, scan configurations, and custom rules.
  - Creating variables
    To open an assessment or bundle previously created in AppScan® Source for Analysis that relies on a path variable, you should create a matching variable in your development environment. Creating a variable ensures that the data is available across multiple computers. To share assessment data you must define the appropriate variables.
  - Configuring scans
    Depending on the type of project that you are scanning and the type of scanning that you want to conduct, you may need to configure your scan before running it. Projects can be configured to, for example, use an different JDK or JSP compiler than those set by default.
  - General preferences
    General preferences allow you to tailor some of the AppScan® Source for Development default settings to fit your personal preferences.
  - General preferences
    General preferences allow you to tailor some of the AppScan® Source for Development default settings to fit your personal preferences.
  - Scanning workspaces, projects, and files
    You can scan an Eclipse workspace, project, or file. This includes scanning Java™ (including Android), JavaServer Pages (JSP), and IBM® MobileFirst Platform projects.
  - Opening and saving assessments
    AppScan® Source scans source code for vulnerabilities and produces findings. Findings are the vulnerabilities identified during a scan, and the result of a scan is an assessment. You can open a saved assessment from AppScan Source for Development or AppScan Source for Analysis. After you scan, you can save the assessment to a file. Then you can open the assessment again at any time. Assessments are saved as filename.ozasmt.
  - Customizing the findings table
    In all views with findings, except the Assessment Diff view in AppScan® Source for Analysis, you can customize the findings table by identifying only the columns and the column order that you wish to see. Each view may have different settings or you can apply the options to all views. To customize the column order, follow the steps in this task topic.
  - Saving selected findings to an assessment
  - Searching for findings
    In multiple views that contain findings, you can search specific findings. The search criterion includes bundles, code, files, projects, or vulnerability types. The search results appear in the Search Results view.
  - Modifying findings
    Modified findings are findings that have changed vulnerability types, classifications, or severities - or that have annotations. The Modified Findings view displays these findings for the current application (the application that is active as a result of opening an assessment for it). In the My Assessments view (available only in AppScan® Source for Analysis), the Modified column indicates if a finding has changed in the current assessment.
  - Resolving security issues and viewing remediation assistance
    AppScan® Source alerts you to security errors or common design flaws and assists in the resolution process. The AppScan Source Security Knowledgebase - and internal or external code editors - help with this process.
  - Triage with exclusions
    After a scan, you may decide that some findings are irrelevant to your current work, and you do not want them visible in the findings table when you triage the scan results. These exclusions (or excluded findings) no longer appear in the Findings view and the assessment metrics update immediately with the changed results. Filter and bundle exclusions added to a configuration only take effect on subsequent scans.
  - Creating and managing filters
    AppScan® Source offers multiple methods for creating and using filters. The main view for filter creation, the Filter Editor view, provides a robust set of rules which can be manually set and then saved to a filter. The Filter Editor view also provides a mechanism for managing filters that you have created - allowing you to easily modify or remove them. Alternately, you can filter the findings table using views that offer graphical representations of the findings - and then save those filters in the Filter Editor view. When you create a filter, the other views update to reflect the filter properties.
  - Supported annotations and attributes
    Some annotations or attributes that are used to decorate code are processed during scans. When a supported annotation or attribute is found in your code during a scan, the information is used to mark the decorated method as a tainted callback. A method marked as a tainted callback is treated as if all of its arguments have tainted data. This results in more findings with traces. Supported annotations and attributes are listed in this help topic.
  - Working with bundles
    Bundles (a grouping mechanism for findings) allow you to import a snapshot of findings from AppScan® Source for Analysis to AppScan Source for Development. Once findings are in bundles, you can use AppScan Source for Development to open the project that contains the bundle, import the bundle, or open a saved bundle file (file_name.ozbdl).
  - AppScan® Source trace
    With AppScan® Source trace, you can verify input validation and encoding that meets your software security policies. You can look at the findings that produce input/output traces and mark methods as validation and encoding routines, sources or sinks, callbacks, or taint propagators.
  - Views and windows
    AppScan® Source for Development views and windows provide alternative presentations of findings, support code editing, and allow you to navigate the information in your workbench. A view might appear by itself, or stacked with other views in a tabbed notebook. You can change the layout of a perspective or window layout by opening and closing views and by docking them in different positions in the Workbench window.
    - Assessment Summary view
      The Assessment Summary view, a bar chart graphical view of the open assessment, displays information for select findings.
    - Vulnerability Matrix view
      The Vulnerability Matrix view displays the aggregate number of findings for all applications included in the scan. Modifications to findings update the matrix.
    - Filter Editor view
      The Filter Editor view provides a more granular manipulation of the currently selected filter than other AppScan® Source views. This view consists of all criteria on which you can filter.
    - Findings table
    - Findings view
      The Findings view contains data for findings in an assessment. The findings can be grouped by parameters listed in this topic.
    - Excluded Findings view
      The Excluded Findings view contains only excluded findings. An excluded finding is a finding that you omit from scans. In this view, you can search for specific findings. The columns in this view are identical to those in the Findings view.
    - Modified Findings view
      The Modified Findings view contains all changed findings of the current application. Modified findings are findings with altered vulnerability type, severity, classification, or notes. Lost findings (findings not in the currently open assessment) appear in green italics and cannot be modified.
    - Resolved Findings view
      The Resolved Findings view identifies findings that are in bundles but not in the current assessment. A finding is identified as a fixed/missing finding because it was resolved, removed, or the source file was not scanned.
    - Search Results view
      When you search findings, the results appear in the Search Results view.
    - Custom Findings view
      The Custom Findings view displays the user-defined or custom findings that exist in the currently opened assessment. In this view, you can create, delete, and modify custom findings for the current assessment. When a custom finding is created in the Custom Findings view, the new finding is added to the current assessment, and the assessment metrics update.
    - Report view
      The Report view allows you to organize the results of a scan according to a variety of audit reports that measure compliance with software security best practices and regulatory requirements.
    - Finding Detail view
      When you select a finding, the Finding Detail view displays and allows you to modify its properties. With this view, you can modify an individual finding.
    - Metrics view
      The Metrics view presents statistics on a per-assessment basis and includes lines of code scanned, total number of findings, V-Density, and V/KLoC.
    - Bundles view
      The Bundles view lists all bundles that are associated with your AppScan® Source for Development workspace/application (including any projects that it contains)(any bundles other than the Excluded Bundle must first have been created in AppScan Source for Analysis).
    - How to Fix view
      The AppScan® Source Security Knowledgebase provides context-specific intelligence for each vulnerability. The Knowledgebase tells you what the vulnerability is, why it is insecure, how to fix it, and how to avoid it in the future. Once you scan source code, the Knowledgebase provides the specific information needed to eliminate the risk from your mission-critical applications. Knowledgebase remediation advice appears in the How to Fix view. Once you scan, the Knowledgebase provides the specific information needed to eliminate the risk from your mission-critical applications.
    - Trace view
      AppScan® Source performs input/output analysis and identifies and displays these vulnerabilities. An icon appears in the findings list to identify the row that contains an AppScan Source trace graph.
    - Sources and Sinks view
      The Sources and Sinks view provides the ability to view findings based on a trace of input and output.
    - Eclipse editors and AppScan® Source
      Editors display the source code for the current project. When you navigate to an error in the Findings View, Problems View, or Bundles View, the corresponding line of code is underlined in the editor. Hover help appears in the left scroll bar. Problem markers, which indicate the location of code vulnerabilities, appear in the right scroll bar.
    - Problems view
      The Problems View displays code problems, errors, and warnings. When you double-click the icon for a problem, error, or warning, the Java™ Editor opens with the problem code underlined.
  - Installation and user data file locations
    When you install AppScan® Source, user data and configuration files are stored outside of the installation directory.
  - CWE support
    The Common Weakness Enumeration (CWE) is an industry standard list that provides common names for publicly known software weaknesses. This topic lists the CWE IDs that are supported in the current version of AppScan® Source.
  - Intelligent Findings Analytics (IFA)
    Learn about auto-triage and analysis of findings from AppScan® Source.
Reference
Review reference information for HCL® AppScan® Source, including using utilities, plug-ins, and APIs.
Troubleshooting and support
Self-help information, resources, and tools to help you troubleshoot issues while using HCL® AppScan® Source.

Assessment Summary view

The Assessment Summary view, a bar chart graphical view of the open assessment, displays information for select findings.

Note: In AppScan® Source for Development (Visual Studio plug-in), this view is part of the Edit Filters window.

You can view by a chart property:

Vulnerability Type: Vulnerability type, such as Validation.Encoding or Injection.SQL.
API: API name in which the vulnerability occurs.
Project: Findings by project if more than one project exists. This option is not available when the assessment is generated by scanning folders.
File: Individual file in which the vulnerabilities appear.

Click the chart to drill down to findings details and begin triage.

Tip: Hovering over a graph bar in the Assessment Summary view provides the exact number of findings represented by the bar.