Publishing assessments to the AppScan Enterprise Console

If your AppScan® Enterprise Server has been installed with the Enterprise Console option, you can publish assessments to it. The Enterprise Console offers a variety of tools for working with your assessments - such as reporting features, issue management, trend analysis, and dashboards.

About this task

Before you can publish assessments to the Enterprise Console, you must configure server settings in the AppScan Enterprise Console preference page. For information about setting preferences, see AppScan Enterprise Console preferences.

Note: For some versions of AppScan Source and AppScan Enterprise, the version and release level of the two products must match in order to publish from AppScan Source to the AppScan Enterprise Console. See How to enable connections and publish assessments for different versions of AppScan Source and AppScan Enterprise to learn which versions of AppScan Source and AppScan Enterprise are compatible when publishing assessments.
Restriction: When you scan multiple applications or projects, a parent node containing assessments for each scanned item is created in the My Assessments view. The individual child assessments cannot be managed in this case (for example, the child assessments cannot be removed or published individually). When multiple applications or projects are scanned at the same time, you can only manage the assessments as a group (the parent node).

Procedure

  1. Use one of these methods to publish one or more assessments to the Enterprise Console:
    1. Select one or more assessments in the My Assessments view and then click Publish Assessment to AppScan Enterprise Console.
    2. Right-click the assessment (or a selection of assessments) in the My Assessments view and select the Publish Assessment to AppScan Enterprise Console menu item.
    3. When an assessment is open, choose File > Publish Assessment to AppScan Enterprise Console from the main menu.
  2. In the Publish to AppScan Enterprise Console dialog box:
    1. Specify an AppScan Enterprise Console application to associate the assessment with. This is required when connected to AppScan Enterprise Server Version 9.0.3 and higher (unless you disable the requirement, as described here). Associating an application is optional when connected to earlier versions of AppScan Enterprise Server. If you are connected to an earlier version of AppScan Enterprise Server, by default, the application is set to the last application that was specified for publishing. If no applications have previously been specified when publishing, no application will be used by default. To specify an application:
      1. Click the Application field Select button.
      2. The Select Application dialog box opens, displaying all applications that already exist in the AppScan Enterprise Console. To view an application's attributes in the AppScan Enterprise Console, click View Profile next to it.
      3. Select the application to associate the scan with - or create a new application for this purpose by clicking Create new application. Clicking this link will open the AppScan Enterprise Console and allow you to create a new application. Once the new application's attributes have been saved, the Select Application dialog box will automatically refresh to include it for selection (if it does not automatically include the new application, click Refresh).
        Tip: In the Select Application dialog box, you can use the filter field to narrow down the list of applications. As you type, the filter is automatically applied to the list of applications. The asterisk (*) and question mark (?) characters can be used as wildcards. An asterisk matches any group of zero or more characters, while a question mark matches any single character.
      4. Click OK after you have selected the application.
    2. Required: In the Name field, specify a name that the assessment will be saved as in the AppScan Enterprise Console.
    3. Optional: When connected to AppScan Enterprise Server versions prior to Version 9.0.3: Use the Folder field to set the location to publish to. By default, the location is set to the last location that was used for publishing. If no assessments have previously been published, your default AppScan Enterprise Console folder is selected (note that this is the default folder for the user ID that is specified in the AppScan Enterprise Console preference page). To choose a different folder to publish to, click the Folder field Select button and then choose the folder that you want (only folders that you have permission to publish to are available). If the folder that you want to publish to is not available, click Refresh to update the folder tree with any changes that have been made on the server.
  3. Click Publish.

Results

When saving an assessment, AppScan Source for Analysis writes absolute paths to the assessment file to reference items such as source files. These absolute paths may cause difficulty in sharing the file on another computer that has a different directory structure. To be able to create portable assessment files, you should create a variable (see Defining variables or Defining variables when publishing and saving).

After the assessment has been published, a link to AppScan Enterprise (Enterprise Console) will be provided in an information message. Clicking the link will open the portal page in your default external web browser.

Tip: If publishing fails, check that the Enterprise Console server is running and that you are able to access its control center URL in a browser (use the same Enterprise Console URL that you have specified in the AppScan Enterprise Console preference page).
Note:
  • Large assessments may take longer to appear at the portal. If you receive no error messages after publishing and the report does not appear at the portal, check with your administrator.
  • Any attempts to publish an assessment that has the same name as one that is currently being processed by the Enterprise Console will fail. In addition, if you publish the commonly-named assessment after the first one has been processed, the second assessment will overwrite the first one (the Enterprise Console can provide a trending analysis for commonly-named reports if it has been configured to do so ahead-of-time). To determine if an assessment has finished processing, access the Enterprise Console control center in a web browser and then navigate to the appropriate user folder and check the status of the report.
  • AppScan Source does not support publishing to an Enterprise Console instance that has been configured to use proxy settings. Attempting to publish to an instance that uses proxy settings will result in an error.
Important:

When you upgrade to AppScan Source Version 9.0.3.4, you will notice these changes:

  • When you publish an assessment to AppScan Enterprise Console, you must now associate the assessment with an application in AppScan Enterprise (if you are running AppScan Enterprise Server Version 9.0.3 and higher). As a result, automation scripts may fail if they do not include application association. In AppScan Enterprise Server, application association is required if you want to take advantage of AppScan Enterprise Server application security risk management features. See http://help.hcl-software.com/appscan/Enterprise/9.0.3/topics/c_overview.html.
  • In addition, you must remove the port from the AppScan Enterprise URL.
    1. In AppScan Source for Analysis, click Edit > Preferences.
    2. In the AppScan Enterprise Console settings, remove the port from the Enterprise Console URL field.
  • After you publish your assessment, it will only be available in the AppScan Enterprise Monitor view (in previous releases, the assessment was available in the AppScan Enterprise Scans view). Migrating to this view is described in http://help.hcl-software.com/appscan/Enterprise/9.0.3/topics/t_workflow_for_applications.html.

This is the result of a changed communication protocol between AppScan Source and AppScan Enterprise Server that is required for publishing to AppScan Enterprise Server when using Common Access Card (CAC) authentication.

If you do not want to publish assessments to AppScan Enterprise Server when CAC authentication is enabled - or if you do not want to take advantage of Enterprise Server application security risk management features - you can revert to the previous communication protocol as follows:

  1. Open <data_dir>\config\ounce.ozsettings (where <data_dir> is the location of your AppScan Source program data, as described in Installation and user data file locations)).
  2. In this file, locate this setting:
    <Setting 
    		name="force_ase902_assessment_publish"
    		value="false"
    		default_value="false"
    		description="Use ASE 9.0.2-style assessment publish"
    		display_name="Use ASE 9.0.2-style assessment publish"
    		type="boolean"
    		read_only="true"
    		hidden="true"
    />
  3. In the setting, change value="false" to value="true" and then save the file.
  4. Restart the AppScan Source product that you will publish assessments from.

When this setting is set to value="true":

  • If you associate an assessment with an application in AppScan Enterprise when publishing, the assessment will be available in the Monitor and Scans views.
  • If you do not associate an assessment with an application when publishing, the assessment will be available in the Scans view.
  • You will not be able to publish assessments to AppScan Enterprise Server when CAC authentication is enabled.

For further information, see Publishing from AppScan Source version 9.0.3.4 and higher to AppScan Enterprise requires application.