scan (sc)

Description

Scans an application (or all applications), project, folder (or all folders), or file. A valid AppScan® Source for Automation license is required for use of this command.

Important: If you are working with an AppScan® Source project that has dependencies in a development environment (for example, an IBM® MobileFirst Platform project), ensure that you build the project in the development environment before importing it. After importing the project, if you modify files in it, be sure to rebuild it in the development environment before scanning in AppScan® Source (if you do not do this, modifications made to files will be ignored by AppScan® Source).
Note: When scanning folders, by default all the files in the target folder are scanned, regardless of language. As such, the scan results can differ from scanning applications or projects. To target specific files, create an appscan-config.xml file that defines the scan targets. When an appscan-config.xml file is present in the target folder, the configuration it contains is picked up automatically by the scan.

Syntax

scan [path] [config <proj_config>] [-name <assessment_name>] [-scanconfig <scan_configuration_name>] [-sourcecodeonly <true/false>] [-enablesecrets <true/false>] [-secretsonly <true/false>] [-waitforlicense <wait_time>]
  • path: Optional. Full path and file name (.ozasmt) that the exported assessment will be saved as.
    Note:
    • If you specify a valid directory without a file name, an assessment file (.ozasmt) will be created for you based on the application name, project name, and scan configuration used when creating the assessment.
    • If you specify a valid directory with a file name that does not exist, an assessment file will be created in that location using the file name specified.
    • If you specify a file that already exists, the existing file will be overwritten.
    • If you specify a file name (.ozasmt) in a directory that does not exist, no assessment will be saved.
  • config <proj_config>: Optional. This argument is only valid for project-level assessments. If your project has a configuration file, specify it using this argument.
  • -name <assessment_name>: Optional. Provide a name for the assessment. The AppScan® Source client products use this name to distinguish assessments from one another (for example, in AppScan® Source for Analysis, the name appears in the Name column of the My Assessments view).
  • -enablesecrets <true/false>: Optional. Specify to scan source files with the secret scanner in addition to the other relevant scanners. Valid values are true and false.
    Note: -enablesecrets and -secretsonly are mutually exclusive. They cannot be true at the same time.
    Note: You can enable secrets scanning globally using the enable_secrets_scanner setting in scan.ozsettings.
  • -scanconfig <scan_configuration_name>: Optional. Specify the name of a scan configuration to use for the scan. If a scan configuration is not specified, the default scan configuration will be used for the scan.
  • -secretsonly <true/false>: Optional. Specify to scan source files with the secret scanner only. Valid values are true and false.
    Note: -enablesecrets and -secretsonly are mutually exclusive. They cannot be true at the same time.
  • -sourcecodeonly <true/false>: Optional. Specify to scan only source files and ignore other supported file types (.dll, .exe). Valid values are true and false.
  • -waitforlicense <wait_time>: Optional. Specify the wait time in minutes for which a scan will wait when an AppScan® Source for Automation license is not available. If a wait time is not indicated using -waitforlicense, a default value is drawn from CLI.ozsettings. Wait time can be disabled by setting the value to 0.
Note: The -enablesecrets, -secretsonly, and -sourcecodeonly options are supported only for folder scans. They do not apply to application and project scans.

Examples

  • To scan the default configurations of projects in all applications:
    AllApplications>> Scan

    The results appear as:

    New Scan started
    		.
    		.
    Preparing for Vulnerability Analysis...
    Performing Vulnerability Analysis...
    Generating Findings...
    Preparing project for scan...
    		.
    		.
    Scanned Project:
      Total files: 15
      Total findings: 167
      Total lines: 385
    	vkloc: 0.44448395412925595
    	v-Density: 22.446439683527426
    Scanned Application:
      Total files: 15
      Total findings: 167
      Total lines: 385
    	vkloc: 0.44448395412925595
    	v-Density: 22.446439683527426
    Scan completed:
      Total files: 15
      Total findings: 167
      Total lines: 385
    	vkloc: 0.44448395412925595
    	v-Density: 22.446439683527426
    Elapsed Time - 18 Seconds
    New Scan started. Please wait...
    Assessment complete
    -------------------
    Total Call Sites: 75
    Total Definitive Security Findings with High Severity: 25
    Total Definitive Security Findings with Medium Severity: 37
    Total Definitive Security Findings with Low Severity: 9
    Total Suspect Security Findings with High Severity: 20
    Total Suspect Security Findings with Medium Severity: 80
    Total Suspect Security Findings with Low Severity: 60
    Total Scan Coverage Findings with High Severity: 50
    Total Scan Coverage Findings with Medium Severity: 33
    Total Scan Coverage Findings with Low Severity: 17
    Total Lines: 3000
    ...
  • To scan the debug configuration of Prj1:
    AllApplications\Prj1>> SC config debug
  • To scan a folder:
    AllApplications>> of C:\workspace\SimpleIOT
    SimpleIOT>> Scan
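As an added example (not part of the AppScan® Source documentation or product), the following Python script parses the "Assessment complete" summary that the scan command prints, as shown in the first example above, and applies a build gate on the counts. The sample text is constructed from that output, and the threshold values are assumptions, not product defaults.

```python
import re

# Constructed sample: the summary block a scan prints, in the format shown
# in the Examples section of the scan command reference (counts illustrative).
SAMPLE_OUTPUT = """\
Assessment complete
-------------------
Total Call Sites: 75
Total Definitive Security Findings with High Severity: 25
Total Definitive Security Findings with Medium Severity: 37
Total Definitive Security Findings with Low Severity: 9
Total Suspect Security Findings with High Severity: 20
Total Suspect Security Findings with Medium Severity: 80
Total Suspect Security Findings with Low Severity: 60
Total Scan Coverage Findings with High Severity: 50
Total Scan Coverage Findings with Medium Severity: 33
Total Scan Coverage Findings with Low Severity: 17
Total Lines: 3000
"""

# One regex per line shape: per-classification/severity counts, and totals.
FINDING_RE = re.compile(
    r"^Total (Definitive Security|Suspect Security|Scan Coverage) Findings "
    r"with (High|Medium|Low) Severity: (\d+)$")
TOTAL_RE = re.compile(r"^Total (Call Sites|Lines): (\d+)$")

def parse_summary(text):
    """Return ({(classification, severity): count}, {total_name: value})."""
    counts, totals = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := FINDING_RE.match(line):
            counts[(m.group(1), m.group(2))] = int(m.group(3))
        elif m := TOTAL_RE.match(line):
            totals[m.group(1)] = int(m.group(2))
    if not counts:  # e.g. scan aborted before "Assessment complete"
        raise ValueError("no assessment summary found in scan output")
    return counts, totals

def gate(counts, max_definitive_high=0, max_definitive_medium=None):
    """Build gate (thresholds are assumptions): returns (passed, reasons)."""
    reasons = []
    high = counts.get(("Definitive Security", "High"), 0)
    if high > max_definitive_high:
        reasons.append(f"definitive high findings {high} > {max_definitive_high}")
    if max_definitive_medium is not None:
        medium = counts.get(("Definitive Security", "Medium"), 0)
        if medium > max_definitive_medium:
            reasons.append(f"definitive medium findings {medium} > {max_definitive_medium}")
    return (not reasons, reasons)
```

Gating on definitive findings first keeps the pipeline signal tied to confirmed issues, while suspect and scan-coverage counts remain available from the same parse for trend reporting.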