When incremental analysis is enabled, analysis data is cached by AppScan® Source. When you then re-scan your project or application, AppScan Source uses this data to determine the code changes, and only the portions of the code that are impacted by your changes are analyzed again. The end result is a full analysis of your code, but in a fraction of the time.
About this task
Incremental analysis is supported on Windows and Linux against unarchived Java class files. When it is enabled, incremental analysis is performed on AppScan Source projects or applications, or on Eclipse projects or workspaces. After you enable incremental analysis, the first scan that you run on your project, application, or workspace is always a full scan (the vulnerability analysis cache is only updated during a full scan). This allows AppScan Source to cache data for subsequent scans. The scans of your project, application, or workspace thereafter are incremental scans, so long as the vulnerability analysis cache has not been cleared and the number of changed files does not exceed a threshold setting that you can determine.
To enable and use incremental analysis, follow these steps:
Procedure
- Open <data_dir>\config\scan.ozsettings in a text editor (where <data_dir> is the location of your AppScan Source program data, as described in Installation and user data file locations). Locate the incremental_analysis setting in the file. This setting will look similar to:
  <Setting
    name="incremental_analysis"
    read_only="false"
    default_value="false"
    description="Attempt to scan only changed files, instead of re-scanning everything."
    type="bool"
    value="false"
    display_name="Incremental Analysis"
    hidden="true"
  />
  In this setting, modify the value attribute. If the attribute is set to true, this setting is on. If it is set to false, AppScan Source will not perform incremental analysis when scanning.
- In <data_dir>\config\scan.ozsettings, locate the percentage_of_files_changed setting:
  <Setting
    name="percentage_of_files_changed"
    read_only="false"
    default_value="50"
    description="In incremental scanning, if percentage of files being changed since last scan exceeds the threshold, full scan will be initiated. The percentage ranges from 0 to 100. Default threshold is 50, which represents 50%."
    type="int"
    value="50"
    display_name="Percentage of files being changed"
    hidden="true"
  />
  This setting allows you to specify the percentage of files that need to be changed before a full scan is initiated. By default, this threshold percentage is 50%, which means that, if you re-scan after 50% or more of the files in your project, application, or workspace have changed, a full scan will be initiated instead of an incremental analysis scan. In this setting, change the value attribute, as desired, to your preferred threshold percentage.
- Save <data_dir>\config\scan.ozsettings after you have modified all relevant settings, and then start or restart your AppScan Source product that supports incremental analysis. For example, restart AppScan Source for Analysis, the AppScan Source for Development Eclipse plug-in, or the AppScan Source command line interface (CLI), or restart the AppScan Source for Automation service.
- Now, when you re-scan Java applications or projects with the same scan configuration, incremental analysis will be performed if the number of changed files does not exceed the threshold and if the vulnerability analysis cache has not been cleared.
- Clearing the vulnerability analysis cache: If there are problems with incremental scanning, or if you want to perform a full analysis scan when incremental analysis is enabled, clear the vulnerability cache before scanning again:
  - AppScan Source for Analysis:
    - Open the Properties view for your AppScan Source project. If you are scanning an application, open the Properties view for any child project (deleting the cache for a project also deletes the cache for its application).
    - In the Overview tab, click Clear cache.
  - AppScan Source for Development Eclipse plug-in: Delete <data_dir>\temp\<workspace>\<project>, where:
    - <data_dir> is the location of your AppScan Source program data, as described in Installation and user data file locations.
    - <workspace> is the name of the Eclipse workspace in which you are scanning. To delete the cache for your entire workspace, delete the entire <data_dir>\temp\<workspace> directory.
    - <project> is the name of the Eclipse project that you are scanning. To delete the cache for the project, delete the <data_dir>\temp\<workspace>\<project> directory.
  - The AppScan Source command line interface (CLI): Use the clearcache command, as described in the HCL® AppScan Source Utilities User Guide.
  - AppScan Source for Automation: Use the -clearcache argument of the ScanApplication command, as described in ScanApplication.
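As an added example (not part of the AppScan Source product or of this documentation), the following Python reads the two settings from a scan.ozsettings-style fragment and applies the threshold rule from the procedure above; the <Settings> root element, the behaviour at exactly the threshold, and the sample values are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two <Setting> elements shown above, wrapped in a
# <Settings> root that is an assumption (the real file holds many more settings).
SAMPLE_OZSETTINGS = """<Settings>
  <Setting name="incremental_analysis" read_only="false" default_value="false"
    description="Attempt to scan only changed files." type="bool" value="true"
    display_name="Incremental Analysis" hidden="true" />
  <Setting name="percentage_of_files_changed" read_only="false" default_value="50"
    description="Changed-file threshold for a full scan." type="int" value="50"
    display_name="Percentage of files being changed" hidden="true" />
</Settings>"""


def parse_incremental_settings(xml_text):
    """Return (enabled, threshold_percent) from the two settings, rejecting
    values the setting descriptions do not allow (bool: true/false;
    threshold: 0..100) so a mis-edited file is caught before scanning."""
    root = ET.fromstring(xml_text)
    values = {s.get("name"): s.get("value") for s in root.iter("Setting")}
    raw_enabled = values.get("incremental_analysis", "false").strip().lower()
    if raw_enabled not in ("true", "false"):
        raise ValueError(f"incremental_analysis must be true/false, got {raw_enabled!r}")
    threshold = int(values.get("percentage_of_files_changed", "50"))
    if not 0 <= threshold <= 100:
        raise ValueError(f"percentage_of_files_changed out of range: {threshold}")
    return raw_enabled == "true", threshold


def scan_mode(enabled, threshold, changed_files, total_files, cache_present=True):
    """Return 'full' or 'incremental' for the next scan. A full scan happens
    when the feature is off, when the vulnerability analysis cache is absent
    (first scan, or cleared), or when the share of changed files reaches the
    threshold. Treating exactly-at-threshold as full follows the prose
    ("50% or more"); the setting text says "exceeds", so this is an assumption."""
    if not enabled or not cache_present or total_files <= 0:
        return "full"
    changed_pct = 100.0 * changed_files / total_files
    return "full" if changed_pct >= threshold else "incremental"


if __name__ == "__main__":
    enabled, threshold = parse_incremental_settings(SAMPLE_OZSETTINGS)
    for changed in (10, 49, 50, 80):
        print(f"{changed} of 100 files changed ->", scan_mode(enabled, threshold, changed, 100))
```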
Results
After scanning in AppScan Source for Analysis, you can use the Assessment Diff feature to compare assessments before and after your code changes.
Tip:
- To force a full analysis scan, disable incremental analysis or clear the vulnerability analysis cache.
- When performing incremental analysis, you should run a full analysis scan after making any of these modifications:
  - Security rule changes or changes to custom rules that are applicable to the project or application.
  - Scan configuration changes.
  - Changes to .ozsettings files that affect scans.
  - Changes to the application or project properties. For example, any changes that you make in the AppScan Source for Analysis Properties view for All Applications or a selected application or project.
  - Adding a new project to an application or deleting an existing project.
  - Excluding files from scans. For example, in AppScan Source for Analysis, you can choose to exclude a file from scanning by right-clicking it in the Explorer view and choosing Exclude from Scans.
- Current information about incremental analysis can be found at Incremental scan for java.
Note:
- After an incremental scan, findings markers in the editor may no longer be in the correct location.
- Remediated findings that do not have a trace may appear in incremental scan results.
- You cannot have more than one AppScan Source product or component open at the same time during incremental scans. In addition, another user cannot scan the same application or project that you are scanning at the same time and on the same machine.
- When performing incremental scans on EAR or WAR files, if the file contains additional WAR or JAR files, unarchive those files before performing the incremental scan to see complete findings.