Incremental analysis for Java

When incremental analysis is enabled, analysis data is cached by AppScan® Source. When you then re-scan your project or application, AppScan Source uses this data to determine the code changes and only the portions of the code that are impacted by your changes are analyzed again. The end result is a full analysis of your code - but in a fraction of the time.

About this task

Incremental analysis is supported on Windows and Linux against unarchived Java class files. When it is enabled, incremental analysis is performed on AppScan Source projects or applications - or on Eclipse projects or workspaces. After you enable incremental analysis, the first scan that you run on your project, application, or workspace is always a full scan (the vulnerability analysis cache is only updated during a full scan). This allows AppScan Source to cache data for subsequent scans. The scans of your project, application, or workspace thereafter are incremental scans - so long as the vulnerability analysis cache has not been cleared, and so long as the number of changed files does not exceed a threshold setting that you can determine.

To enable and use incremental analysis, follow these steps:

Procedure

  1. Open <data_dir>\config\scan.ozsettings in a text editor (where <data_dir> is the location of your AppScan Source program data, as described in Installation and user data file locations). Locate the incremental_analysis setting in the file. This setting will look similar to:
    <Setting
      name="incremental_analysis"
      read_only="false"
      default_value="false"
      description="Attempt to scan only changed files,
        instead of re-scanning everything."
      type="bool"
      value="false"
      display_name="Incremental Analysis"
      hidden="true"
    />

    In this setting, modify the value attribute. If the attribute is set to true, this setting will be on. If it is set to false, AppScan Source will not perform incremental analysis when scanning.

  2. In <data_dir>\config\scan.ozsettings, locate the percentage_of_files_changed setting:
    <Setting
      name="percentage_of_files_changed"
      read_only="false"
      default_value="50"
      description="In incremental scanning, if percentage of files
        being changed since last scan exceeds the threshold, full
        scan will be initiated. The percentage ranges from 0 to 100.
        Default threshold is 50, which represents 50%."
      type="int"
      value="50"
      display_name="Percentage of files being changed"
      hidden="true"
    />

    This setting allows you to specify the percentage of files that need to be changed before a full scan is initiated. By default, this threshold percentage is 50% - which means that, if you re-scan after 50% or more of the files in your project, application, or workspace have changed, a full scan will be initiated instead of an incremental analysis scan. In this setting, change the value attribute, as desired, to your preferred threshold percentage.

  3. Save <data_dir>\config\scan.ozsettings after you have modified all relevant settings and then start or restart your AppScan Source product that supports incremental analysis. For example, restart AppScan Source for Analysis, the AppScan Source for Development Eclipse plug-in, or the AppScan Source command line interface (CLI) - or restart the AppScan Source for Automation service.
  4. Now, when you re-scan Java applications or projects with the same scan configuration, incremental analysis will be performed if the number of changed files does not exceed the threshold and if the vulnerability analysis cache has not been cleared.
  5. Clearing the vulnerability analysis cache: If there are problems with incremental scanning, or if you want to perform a full analysis scan when incremental analysis is enabled, clear the vulnerability cache before scanning again:
    • AppScan Source for Analysis:
      1. Open the Properties view for your AppScan Source project. If you are scanning an application, open the properties view for any child project (deleting the cache for a project will also delete the cache for its application).
      2. In the Overview tab, click Clear cache.
    • AppScan Source for Development Eclipse plug-in: Delete <data_dir>\temp\<workspace>\<project>, where:
      • <data_dir> is the location of your AppScan Source program data, as described in Installation and user data file locations.
      • <workspace> is the name of the Eclipse workspace in which you are scanning. To delete the cache for your entire workspace, delete the entire <data_dir>\temp\<workspace> directory.
      • <project> is the name of the Eclipse project that you are scanning. To delete the cache for the project, delete the <data_dir>\temp\<workspace>\<project> directory.
    • The AppScan Source command line interface (CLI): Use the clearcache command, as described in the HCL® AppScan Source Utilities User Guide.
    • AppScan Source for Automation: Use the ScanApplication command -clearcache argument, as described in ScanApplication.
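Steps 1 and 2 above edit two attributes by hand; the script below is an added example (not HCL's code) that applies the same two edits programmatically and refuses values the settings' declared types do not allow, such as a non-boolean for incremental_analysis or a percentage outside 0 to 100. It assumes each option is a <Setting name=... type=... value=.../> element; the page does not show the file's root element, so the constructed SAMPLE uses a <Settings> wrapper purely for illustration.

```python
# Added example: safely toggle incremental-analysis options in scan.ozsettings.
# Assumes one <Setting .../> element per option (root element name is assumed).
import xml.etree.ElementTree as ET

# Constructed sample mirroring the two settings quoted in the procedure.
SAMPLE = """<Settings>
  <Setting name="incremental_analysis" read_only="false" default_value="false"
           type="bool" value="false" display_name="Incremental Analysis" hidden="true"/>
  <Setting name="percentage_of_files_changed" read_only="false" default_value="50"
           type="int" value="50" display_name="Percentage of files being changed" hidden="true"/>
</Settings>"""

def set_setting(xml_text: str, name: str, new_value: str) -> str:
    """Return xml_text with the named <Setting>'s value attribute replaced.

    The value is checked against the setting's declared type so a typo
    (value="yes", or a threshold of 150) is rejected before the file is
    written and the scanner is handed a setting it cannot interpret.
    """
    root = ET.fromstring(xml_text)
    setting = next((s for s in root.iter("Setting") if s.get("name") == name), None)
    if setting is None:
        raise KeyError(f"no <Setting name={name!r}> in file")
    if setting.get("read_only") == "true":
        raise PermissionError(f"{name} is marked read_only")
    kind = setting.get("type")
    if kind == "bool" and new_value not in ("true", "false"):
        raise ValueError(f"{name}: bool settings take 'true' or 'false'")
    if kind == "int":
        n = int(new_value)  # ValueError on non-numeric input
        # The threshold is documented as ranging from 0 to 100.
        if name == "percentage_of_files_changed" and not 0 <= n <= 100:
            raise ValueError("percentage_of_files_changed must be 0..100")
    setting.set("value", new_value)
    # ElementTree drops any XML declaration and comments: diff before overwriting.
    return ET.tostring(root, encoding="unicode")

def get_setting(xml_text: str, name: str) -> str:
    """Read back the value attribute of the named <Setting>."""
    root = ET.fromstring(xml_text)
    return next(s.get("value") for s in root.iter("Setting") if s.get("name") == name)

def enable_incremental(xml_text: str, threshold: int) -> str:
    """Apply steps 1 and 2 of the procedure in one pass."""
    text = set_setting(xml_text, "incremental_analysis", "true")
    return set_setting(text, "percentage_of_files_changed", str(threshold))
```

Remember that the first scan after changing these values is still a full scan (step 3 restart, then the cache is built), so verify the edit took effect by checking the second scan's duration rather than the first.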

Results

After scanning in AppScan Source for Analysis, you can use the Assessment Diff feature to compare assessments before and after your code changes.

Tip:
  • To force a full analysis scan, disable incremental analysis or clear the vulnerability analysis cache.
  • When performing incremental analysis, you should run a full analysis scan after making any of these modifications:
    • Security rule changes or changes to custom rules that are applicable to the project or application.
    • Scan configuration changes.
    • Changes to .ozsettings files that affect scans.
    • Changes to the application or project properties. For example, any changes that you make in the AppScan Source for Analysis Properties view for All Applications or a selected application or project.
    • Adding a new project to an application or deleting an existing project.
    • Excluding files from scans. For example, in AppScan Source for Analysis, you can choose to exclude a file from scanning by right-clicking it in the Explorer view and choosing Exclude from Scans.
  • Current information about incremental analysis can be found at Incremental scan for java.
Note:
  • After an incremental scan, findings markers in the editor may no longer be in the correct location.
  • Remediated findings that do not have a trace may appear in incremental scan results.
  • You cannot have more than one AppScan Source product or component open at the same time during incremental scans. In addition, another user cannot scan the same application or project that you are scanning, at the same time and on the same machine.
  • When performing incremental scans on EAR or WAR files, if the file contains additional WAR or JAR files, unarchive those files before performing the incremental scan to see complete findings.