Jump to main content
HCL Logo Product Documentation
Customer Support HCLSoftware U Community Forums Customer Idea Portal
HCL AppScan Source
  • Welcome
  • What's New
  • Installing
  • Configuring
  • Administering
  • Scanning
  • Triage and analysis
  • Reporting
  • Extending product function
  • Reference
  • Troubleshooting and support
  1. Home
  2. Triage and analysis

    Grouping similar findings allows security analysts or IT auditors to segment and triage source code problems. This section explains how to triage AppScan® Source assessments and analyze results.

  3. Triage with exclusions

    After a scan, you may decide that some findings are irrelevant to your current work, and you do not want them visible in the findings table when you triage the scan results. These exclusions (or excluded findings) no longer appear in the Findings view and the assessment metrics update immediately with the changed results. Filter and bundle exclusions added to a configuration only take effect on subsequent scans.

  4. Example: Specifying filter exclusions

    Filter criteria determine if the filter excludes the findings that match or do not match the filter.

  • Welcome

    Welcome to the documentation for HCL® AppScan® Source.

  • What's New

    Explore new features added to AppScan® Source and note any features and capabilities deprecated in this release.

  • Installing

    Learn how to install, upgrade, and activate HCL® AppScan® Source.

  • Configuring

    Learn how to configure applications, folders, and projects, and set attributes and properties in HCL® AppScan® Source.

  • Administering

    Learn how to administer user accounts and permissions, audit user activity, and manage integrations in HCL® AppScan® Source.

  • Scanning

    This section explains how to scan your source code and manage assessments in HCL® AppScan® Source.

  • Triage and analysis

    Grouping similar findings allows security analysts or IT auditors to segment and triage source code problems. This section explains how to triage AppScan® Source assessments and analyze results.

    • Displaying findings

      The Findings view, or any view with findings, displays a findings tree (a hierarchical grouping of assessment criteria) and a findings table for each scan. The item that is selected in the findings tree determines the findings that are presented in the table.

    • The AppScan® Source triage process

      The triage process includes manipulating findings through bundles, filters, and exclusions, and comparing assessment results.

    • Sample triage

      This example describes an AppScan® Source triage workflow used by a security analyst. Triage workflow may vary according to your business needs.

    • Triage with filters

      AppScan® Source for Analysis reports on all potential security vulnerabilities and may produce many thousands of findings for a medium to large code base. When you scan, you may find that the findings list contains items that are not important to you. To remove certain findings from the Findings view, you can choose a predefined filter or you can create your own filter. A filter specifies the criteria that determine which findings to remove from view.

    • Triage with exclusions

      After a scan, you may decide that some findings are irrelevant to your current work, and you do not want them visible in the findings table when you triage the scan results. These exclusions (or excluded findings) no longer appear in the Findings view and the assessment metrics update immediately with the changed results. Filter and bundle exclusions added to a configuration only take effect on subsequent scans.

      • The scope of exclusions

        Exclusions apply to all applications (global), individual applications, or projects.

      • Specifying exclusions

        Findings can be marked as exclusions from a findings table or the Properties view. Exclusions may consist of individual findings, filters, or bundles. Typically, exclusions created from a findings table take effect immediately. Exclusions created in the Properties view require an additional scan to take effect.

      • Marking findings as exclusions in a findings table

      • Re-including findings that have been marked as exclusions

        Excluded findings appear in the Excluded Findings view . From this view, you can re-include excluded findings.

      • Example: Specifying filter exclusions

        Filter criteria determine if the filter excludes the findings that match or do not match the filter.

        • Example: Filtering and excluding a directory

          In this example, a filter is created that only shows findings that contain Microsoft™ include files. This filter is then used to narrow down the list of findings (we will exclude all findings that match the filter).

        • Example: Filtering and excluding APIs

          A common triage scenario might occur early in the triage process when you want to prioritize your findings and there are certain findings that you want to exclude. For example, you determine that three APIs are not threats and you would like to exclude these APIs from subsequent scans.

      • Specifying bundle exclusions from the Properties view

        A bundle exclusion eliminates the findings in the bundle. You can only exclude bundles from applications.

    • Working with bundles

      Bundles (a grouping mechanism for findings) allow you to import a snapshot of findings from AppScan® Source for Analysis to AppScan Source for Development. Once findings are in bundles, you can use AppScan Source for Development to open the project that contains the bundle, import the bundle, or open a saved bundle file (file_name.ozbdl).

    • Working with static analysis fix groups

      Fix groups are a new approach to managing, triaging, and resolving issues found in static analysis scans. After running a static scan, AppScan® Source organizes issues into fix groups based on vulnerability type and the required remediation task.

    • Modifying findings

      Modified findings are findings that have changed vulnerability types, classifications, or severities, or that have annotations. The Modified Findings view displays these findings for the current application (the application that is active as a result of opening an assessment for it). In the My Assessments view (available only in AppScan® Source for Analysis), the Modified column indicates if a finding has changed in the current assessment.

    • Comparing findings

      Use the Diff Assessments action or the AppScanDelta utility to compare assessments. When two assessments are compared, the differences between the two are displayed in the Assessment Diff view or in an .ozasmt file. The results summarize new, fixed/missing, and common findings.

    • Custom findings

      To augment your analysis results, you can create custom findings. These are user-created findings that AppScan® Source for Analysis adds to the currently-open assessment or selected application. Custom findings impact assessment metrics and can be included in reports. Once created, a custom finding is automatically included in future scans of the application.

    • Resolving security issues and viewing remediation assistance

      AppScan® Source alerts you to security errors or common design flaws and assists in the resolution process. The AppScan Source Security Knowledgebaseand internal or external code editors help with this process.

    • Supported annotations and attributes

      Some annotations or attributes that are used to decorate code are processed during scans. When a supported annotation or attribute is found in your code during a scan, the information is used to mark the decorated method as a tainted callback. A method marked as a tainted callback is treated as if all of its arguments have tainted data. This results in more findings with traces. Supported annotations and attributes are listed in this help topic.

    • AppScan® Source trace

      With AppScan® Source trace, you can verify input validation and encoding that meets your software security policies. You can look at the findings that produce input/output traces and mark methods as validation and encoding routines, sources or sinks, callbacks, or taint propagators.

  • Reporting

    Security analysts and risk managers can access reports of select findings or a series of audit reports that measure compliance with software security best practices and regulatory requirements. This section explains how to create reports of aggregate finding data.

  • Extending product function

    Learn how to extend the product to meet specific development requirements.

  • Reference

    Review reference information for HCL® AppScan® Source, including using utilities, plug-ins, and APIs.

  • Troubleshooting and support

    Self-help information, resources, and tools to help you troubleshoot issues while using HCL® AppScan® Source.

Example: Specifying filter exclusions

Filter criteria determine if the filter excludes the findings that match or do not match the filter.

These examples describe how to create filters that exclude findings:

This example describe how to create filters that exclude findings:

  • Example: Filtering and excluding a directory
  • Example: Filtering and excluding APIs
  • Example: Filtering and excluding a directory
    In this example, a filter is created that only shows findings that contain Microsoft™ include files. This filter is then used to narrow down the list of findings (we will exclude all findings that match the filter).
  • Example: Filtering and excluding APIs
    A common triage scenario might occur early in the triage process when you want to prioritize your findings and there are certain findings that you want to exclude. For example, you determine that three APIs are not threats and you would like to exclude these APIs from subsequent scans.
  • Share: Email
  • Twitter
  • Disclaimer
  • Privacy
  • Terms of use
  • Cookie Preferences