Properties view: selected project

In this mode of the Properties view, you configure parameters for the selected project. Project attributes depend on previously created global attributes. Properties vary according to the selected project.

Selected project Overview tab

The Overview tab displays:

  • Project Name. The project can be renamed by entering a new name in the field.
  • Project File name and path
  • Project Type
  • Configuration: This section displays the target configuration. For .NET and C++Objective-C projects, this section displays the target configuration that has been saved in the Project Dependencies tab. For all other project types, this section displays Default.
  • Filter option: Select Filter findings contained in external sources to filter out any findings discovered in files that are not source files of the scanned project. This option reduces noise for projects where findings are reported in compiler-generated or temporary files, such as ASP.NET.
  • Scan for secrets: Select Enable scanning for secrets to invoke secrets scanning for source code only scan along with other relevant scanners. When invoked, the engine checks for hardcoded passwords, credit card numbers, and Social Security numbers (SSN) when those secrets are detected in the code being scanned.
  • Vulnerability analysis cache options: If you are refining your assessment of a code base by scanning iteratively and adding custom rules, and then re-scanning without changing the source code, you can dramatically reduce scan time by setting the project properties to use a vulnerability analysis cache. To do this, select the Enable Vulnerability Analysis cache check box in the project properties. The first time you scan the project after selecting this check box, a vulnerability analysis cache will be created. For every subsequent scan of the project, the vulnerability analysis cache will be used and scan time will be reduced.

    To clear the vulnerability analysis cache, click Clear cache. The next time you scan the project, a full scan will take place and a new vulnerability analysis cache will be created. You may want to clear the cache if:

    • Source code in the project has changed since the last scan.
    • You have made project configuration changes, such as adding or deleting source files.
    • You have changed code configuration options. For example, you may want to clear the cache if you are scanning Java and the class path has changed - or if you are scanning C or C++ and you have changed the include path or preprocessor definitions.
    Note: You can also clear the vulnerability analysis cache by selecting the Clear cache check box when creating custom rules in the Custom Rules Wizard.
  • String Analysis: String analysis monitors string manipulation in Java or Microsoft .NET projects. It provides the automatic detection of sanitizer and validator routines. With this detection, false positives and negatives can be reduced. Select the Enable String Analysis to find validator/sanitizer functions check box to enable string analysis. The Apply imported rules to Global Scope check box determines if the discovered sanitizer or validator routines should be applied to a single project or on a global level (to all projects).
    Note: The application of string analysis can slow a scan. It is therefore recommended that it should only be applied after code changes and then disabled for subsequent scans. In addition, the discovered routines should be viewed as suggestions and reviewed by auditors. These routines can be viewed in the Custom Rules view.
  • File Encoding: The character encoding of files in your project must be set so that AppScan® Source can read the files properly (and, for example, display them correctly in the source view).
    Note: The default file encoding for AppScan® Source projects is ISO-8859-1. The default file encoding can be changed in the General preference page.

Filters

This tab allows you to specify existing filters for the selected project, and how you want the filters applied (a filter can be applied directly - or its inverse can be applied). See Triage and analysis for information about filters - and Applying filters globally for details about applying them globally.

Pattern Rules and Rule Sets

When you select a project in the Explorer view, the Pattern Rules and Rule Sets tab in the Properties view allows you to add pattern rules and rule sets that will be applied when scanning the project. Using pattern-based scanning, you search for text patterns that you want to appear as findings. Individual rules and rule sets can be applied to both applications and projects. See Customizing with pattern-based rules to learn about pattern-based analysis and Applying pattern rules and rule sets to learn how to apply rules and rule sets in the Properties view.

File Extensions

Use this tab to configure or add valid file extensions for the project - and to exclude files from scans and specify extensions as web files.

The File Extensions section lists the extensions that have been set globally in the Project file extensions preference page for the current project type (you can choose file extensions for a different project type using the File Extension Set menu). To exclude an extension from scans of the current project, select it in the list and click Exclude Extension. This causes the extension to be listed in the Excluded Extensions section of the tab.

To add an additional extension for the project, select Add Extension in the Additional Extensions section, and then enter the file extension and indicate if files with the extension should be scanned, considered as a web file, or excluded.

Table 1. File extension settings
Setting Description Usage examples
Scan or Assess Include files with the indicated extension in full analysis.
  • If a .xxx extension is created for Java projects and marked as Scan or Assess, files with that extension will be compiled and scanned.
  • A file can be part of a project but not marked as Scan or Assess if it should not be compiled and scanned (such as header files in C++). These files would be included in the project and searched during pattern-based analysis.
Web File Mark files with the indicated extension for JSP compilation. This setting allows AppScan® Source to separate web sources from non-web sources. If a .yyy extension is created for Java projects and marked as a Web File, files with that extension will be arranged as web sources in the projects. When AppScan® Source prepares for analysis, these files will be precompiled into classes to be analyzed.
Exclude Do not create source files in the project for files with the indicated extension. Files with this extension will not be scanned. Create a .zzz extension for files that are necessary to your projects for compilation, but do not need to be included in analysis.

Sources

Specify the sources to include in the scan.

  • Working Directory: The location of the AppScan® Source project file (ppf) and the base for all relative paths.
  • Add Source Root and Remove Source Root: The Sources tab displays the properties established for the project from the Project Configuration Wizard or defined in the imported ppf.

    Remove Source Root is available only when the Source Root icon is selected. It is used to remove the source code root directory.

  • Find Source Roots (Java projects only): Allow AppScan® Source for Analysis to find all valid source roots automatically.
  • Project folders and files are listed under the Source Root icon. Files and folders that are excluded from scanning have a red file icon (if an excluded file is right-clicked, its menu has Exclude disabled and Include enabled). To exclude an included file or folder, right-click it and choose Exclude in the menu. To include an excluded file or folder, right-click it and choose Include in the menu.

JavaServer Page (JSP) Project Dependencies

The JSP Project Dependencies tab displays the properties established for the specified JSP project.

  • Contains web (JSP) content: Identifies if the project is a web application that contains JavaServer Pages.
  • Web context root: A WAR file or a directory that contains the WEB-INF directory. The web context root must be the root of a valid web application.
  • JSP Compiler: Out-of-the-box, Tomcat 9 is the default JSP compiler setting (the default JSP compiler can be changed in the Java and JSP preference page). To learn about the compilers that are supported by AppScan® Source, see System requirements and installation prerequisites.

    Apache Tomcat Versions 8 and 9 are included in the installation of AppScan® Source. If the Tomcat 8 and Tomcat 9 preference pages are not configured, AppScan® Source will compile JSP files using the supplied Tomcat JSP compiler that is currently marked as default. If you want to employ an external supported Tomcat compiler, use the Tomcat preference pages to point to your local Tomcat installation.

    If you are using Oracle WebLogic Server or WebSphere® Application Server, you must configure the applicable preference page to point to your local installation of the application server so that it can be used for JSP compilation during analysis. If you have not already completed this configuration, you will be prompted by a message to do so when you select the JSP compiler. If you click Yes in the message, you will be taken to the appropriate preference page. If you click No, a warning link will display next to the JSP compiler selection (following the link will open the preference page).

Project Dependencies

The Project Dependencies tab displays project properties. Configuration settings on this tab vary by language, for example:

  • Options allow you to select any additional required compiler parameters.
  • JDK settings are specific to Java.
  • Preprocessor definitions are specific to C/C++ code. When specifying preprocessor definitions, do not include the compiler's -D option (for example, specify a=definition1 instead of -Da=definition1). When specifying multiple definitions, use a semicolon-delimited list.
  • The target configuration is available only for .NET and C++Objective-C projects.
Note: In the Project Dependencies tab for an Objective-C project, only the Target Configuration can be edited. All other sections in the tab are read-only.

Compilation

  • Options: Additional required compiler parameters for the project configuration.
  • Use JDK: Identify the JDK used for the project compilation, as configured in Preferences. See Preferences.

    Java projects may refer to a local Java Development Kit (JDK) location. When projects move to the server, the JDK path may no longer be valid. To transfer local projects to the server, you must identify the default JDK path for each project that specifies a named JDK.

    Note: Out-of-the-box, the default compiler for JSP projects is Tomcat 9, which requires Java Version 1.8 or higher. If Tomcat 8 is kept as default, using an earlier JDK will result in compilation errors during scans.
  • Validate: Validate assures that project dependencies are correctly configured. It checks Java projects for configuration conflicts between sources and the class path and for compilation errors. A conflict exists if a class in a class path is duplicated in a source root. (If a conflict exists, modify the class path to remove the conflicting class.)

    After checking for conflicts, Validate determines if the project compiles and reports any compilation errors.

Optimizations

  • Precompiled classes: Use precompiled Java or JSP class files instead of compiling during the scan. When selected, this option disables the source stage options.
  • Stage sources files to minimize effects of compile errors: Controls whether AppScan® Source copies the sources to the staging directory.

    Correct for packages not matching the directory requires Java Compile to open each source file.

    Clean staging area between scans increases performance between scans.

Precompile Tab (ASP.NET only)

Precompilation is accomplished by making an HTTP request to a special page (by default, precompile.axd ) in the website. This page is processed by a special HTTP handler specified in the web.config. This handler compiles the entire site, including client.aspx files, to the Temporary ASP.NET Files directory in the .NET framework directory, where they are all then scanned.

To scan ASP.NET 1.1, you must instrument the website such that the website compiles and builds debug information. Subsequently, the fact that a website compiles and builds debug information is, in and of itself, a security vulnerability. You can safely ignore this vulnerability as the scan requires it. However, ensure that your deployed application is not compiled with debug=true in the web.config.

To precompile an ASP.NET 1.1 website, add this element as a child to the <system.web> element in your web.config file:

<httpHandlers><add verb="*" path="precompile.axd"
type="System.Web.Handlers.BatchHandler"/></httpHandlers>

You should also set debug=true in the compilation element. For example:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
	<system.web>
		<httpHandlers><add verb="*" path="precompile.axd"
		type="System.Web.Handlers.BatchHandler"/>
		</httpHandlers>
			<compilation
				defaultLanguage="c#"
				debug="true"
			/>
...

This element specifies to the website that the page, precompile.axd will be handled by the special .Net System.Web.Handlers.BatchHandler class. This class precompiles the contents of the website to the Temporary ASP.NET Files directory.

  • Website: Request target to precompile the site. The default location is precompile.axd. Precompile.axd is a virtual file and maps to the file specified in the web.config file.
  • Output directory: The directory targeted by the precompilation. AppScan® Source finds the precompilation output in this directory.
  • Precompile the ASP.NET website: AppScan® Source automatically precompiles and scans the precompiled output during a scan.
  • Stop scan if precompile fails: Selecting Precompile the ASP.NET website and Stop scan if precompile fails, stops a scan if precompilation fails. Otherwise, the scan continues only on the website's primary output.
  • Compile Now: Test to see that the precompilation, based on the current settings, succeeds before scanning. Compilation output displays in the Precompile Output pane.
  • Additional Assemblies: For any .NET project type, specify additional assemblies to scan.
  • Project References: List the directories in which to search for referenced assemblies in .NET assembly projects and existing .NET projects.