HCL AppScan Source
  • HCL® AppScan® Source V9.0.3.14 documentation
    HCL® AppScan® Source delivers maximum value to every user in your organization who plays a role in software security. Whether a security analyst, quality assurance professional, developer, or executive, the AppScan Source products deliver the functionality, flexibility, and power you need - right to your desktop.

    • Overview

      Learn general information about the product.

    • Installing

      Learn how to install the product.

    • Configuring

      Learn how to configure the product.

    • Administering

      Learn how to administer the product.

    • Developing

      Learn how to develop by using the product.

      • Scanning source code and managing assessments

        This section explains how to scan your source code and manage assessments.

      • Triage and analysis

        Grouping similar findings allows security analysts or IT auditors to segment and triage source code problems. This section explains how to triage AppScan® Source assessments and analyze results.

      • AppScan Source trace

        With AppScan® Source trace, you can verify input validation and encoding that meets your software security policies. You can look at the findings that produce input/output traces and mark methods as validation and encoding routines, sources or sinks, callbacks, or taint propagators.

        • AppScan Source trace scan results

          Scan results may include traces identified by AppScan® Source trace. The icon in the Trace column indicates the existence of a trace of the call graph.

        • Input/output tracing

          An input/output trace is generated when AppScan® Source for Analysis can track the data from a known source to a sink or lost sink.

        • Using the Trace view

        • Validation and encoding scope

          From the Trace view, you can specify custom validation and encoding routines that, once stored in the AppScan® Source Security Knowledgebase, mark data as checked instead of tainted. With the Custom Rules Wizard, you define these routines based on their scope.

        • Creating custom rules from an AppScan Source trace

          You can create custom rules from the Trace view that allow you to filter out findings with traces that are taint propagators, not susceptible to taint, or sinks. You can also mark methods in the trace as validation/encoding routines (or indicate that they are not validation/encoding routines).

        • Code examples for tracing

          This section provides code examples which illustrate tracking tainted data from a source to a sink - and how to create a validation and encoding routine.

          • Example 1: From source to sink

          • Example 2: Modified from source to sink

            Example 2 is a modification of the Example 1 code. It enhances Example 1 by adding a validation routine, called getVulnerableSource, and an encoding routine called in writeToVulnerableSink.

          • Example 3: Different source and sink files

          • Example 4: Validation in depth

            When you scan the Example 4 code, the first scan includes three AppScan® Source traces with a root at the corresponding trace routines. Assume the selection of the FileInputStream.read method in trace1 and the addition of the validate routine. The section following the sample source code describes the effects of each scope for the validation routine.

      • AppScan Source for Analysis and defect tracking

        AppScan® Source for Analysis integrates with defect tracking systems (IBM® Rational Team Concert™) to deliver confirmed software vulnerabilities directly to the developer desktop. A defect submitted to a defect tracking system contains a textual description of the bug and a file that contains only the findings submitted with the defect.

      • Finding reports and audit reports

        Security analysts and risk managers can access reports of select findings or a series of audit reports that measure compliance with software security best practices and regulatory requirements. This section explains how to create reports of aggregate finding data.

      • Creating custom reports

        In the Report Editor, you create report templates used to generate custom reports.

    • Extending product function

      Learn how to extend the product.

    • Reference

      Review reference information for the product.

    • Glossary

      Learn common product terminology.

    • HCL AppScan Source for Development (Eclipse Plug-In)

      With AppScan® Source for Development, you can work in your existing development environment and perform security vulnerability analysis on Java and IBM® MobileFirst Platform projects. Security analysis lets you pinpoint vulnerabilities in the source code and eliminate them entirely with AppScan Source Security Knowledgebase remediation assistance.

Code examples for tracing

This section provides code examples which illustrate tracking tainted data from a source to a sink - and how to create a validation and encoding routine.

  • Example 1: From source to sink
  • Example 2: Modified from source to sink
    • Example 2: Creating a Validation/Encoding Routine from the Trace view
    • Example 2: Creating a Validation/Encoding Routine from the Custom Rules Wizard
  • Example 3: Different source and sink files
  • Example 4: Validation in depth
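The following Java class is an added illustration of the source-to-sink shape that Examples 1 and 2 describe; it is not the documentation's own Example 1-4 code. The method names getVulnerableSource and writeToVulnerableSink are borrowed from the Example 2 description, while validate, encodeForShell, the stdin source and the Runtime.exec sink are assumptions chosen here to make the trace concrete.

```java
// Added example, not the HCL AppScan Source documentation's own Example 1-4 code.
// Assumed names: validate, encodeForShell, unchecked, checked; assumed source
// (standard input) and sink (a shell command run through Runtime.exec).
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.regex.Pattern;

public class TraceExample {

    // SOURCE: a string read from outside the program is tainted. Standard
    // input is used here; a file read or an HTTP request parameter is traced
    // the same way.
    static String getVulnerableSource() throws IOException {
        BufferedReader in = new BufferedReader(new InputStreamReader(System.in));
        String line = in.readLine();
        return line == null ? "" : line;
    }

    // SINK: the string is spliced into a shell command line. If tainted data
    // reaches this call with no validation or encoding routine on the path,
    // the scanner can report an input/output trace from readLine() to exec().
    static void writeToVulnerableSink(String data) throws IOException {
        Runtime.getRuntime().exec(new String[] {"/bin/sh", "-c", "echo " + data});
    }

    // VALIDATION ROUTINE: allow-list check that rejects anything outside a
    // small character set. Marking this method as a validation routine in the
    // Security Knowledgebase makes its return value count as checked data.
    private static final Pattern SAFE = Pattern.compile("[A-Za-z0-9_.-]{1,64}");

    static String validate(String input) {
        if (input == null || !SAFE.matcher(input).matches()) {
            throw new IllegalArgumentException("input failed validation");
        }
        return input;
    }

    // ENCODING ROUTINE: wraps the value in single quotes and escapes any
    // embedded single quote, so the shell treats it as one literal word.
    static String encodeForShell(String input) {
        return "'" + input.replace("'", "'\\''") + "'";
    }

    // Example 1 shape: source flows straight into the sink (trace expected).
    static void unchecked() throws IOException {
        writeToVulnerableSink(getVulnerableSource());
    }

    // Example 2 shape: the same flow with validation at the source and
    // encoding before the sink. Once both methods are marked as
    // validation/encoding routines, the data reaching exec() is checked.
    static void checked() throws IOException {
        String value = validate(getVulnerableSource());
        writeToVulnerableSink(encodeForShell(value));
    }

    public static void main(String[] args) throws IOException {
        checked();
    }
}
```

Compile with `javac TraceExample.java` and run with `echo hello | java TraceExample`; an input such as `hello; rm -rf /` is rejected by validate before it can reach the sink. Keeping validation and encoding in separate, single-purpose methods matters for the tool as well as for the reader: each one can be selected in the Trace view and marked with the scope you intend, rather than being buried inside the sink call.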
© Copyright HCL Technologies Limited 2001, 2019