ScanApplication
Description
Scan the specified application and perform other actions related to scanning.
Syntax
ounceauto ScanApplication
    -application <name of application> |
    -application_file <path to application file>
    [-name <assessment name>]
    [-scanconfig <scan_configuration_name>]
    [-save <filename>]
    [-caller <caller>]
    [-publish]
    [-clearcache]
    [-report <report type> <output format> <output location>]
    [-includeSrcBefore <n>]
    [-includeSrcAfter <n>]
    [-includeTraceDefinitive]
    [-includeTraceSuspect]
    [-includeTraceCoverage]
    [-appserver_type]
    [-include_all_lib_jars]
    [-include_lib_jars]
    [-no_ear_project]
-application <name of application> or -application_file <path to application file>: One of these is required.
- If you specify -application <name of application>, indicate the name of the application to scan.
- If you specify -application_file <path to application file>, indicate the full path and file name for one of these file types:
  - AppScan® Source application files (.paf)
  - Eclipse or Rational® Application Developer for WebSphere® Software (RAD) workspaces (.ewf). Note: .ewf files are generated when you use openapplication to open a workspace directory (by specifying its path).
  - WAR files (.war)
  - EAR files (.ear)
  - Xcode projects (.xcodeproj)
  - Xcode workspaces (.xcworkspace)
  - Windows only: Microsoft™ Visual C++ Workspace files (.dsw)
  - Windows only: Microsoft Visual Studio .NET solution files (.sln)
  Note: To learn which versions of imported files are supported by AppScan Source for Analysis, AppScan Source for Automation, and the AppScan Source command line interface, see HCL AppScan Source system requirements. At this page, select the tab for the version of AppScan Source that you are using, and then select the AppScan Source component that you are using. If AppScan Source supports opening and scanning files from other development environments, that support is listed in the Compilers and Languages section of the Supported Software tab.
-name <assessment name>: Optional. A name for the assessment.
-scanconfig <scan_configuration_name>: Optional. Specify the name of a scan configuration to use for the scan. If a scan configuration is not specified, the default scan configuration is used for the scan.
-save <filename>: Optional. Save the assessment results to this file.
-caller <caller>: Optional. Assign a caller to the operation. The caller can be the name of an actual user, but this is not required. The caller name is written to the ounceauto log file.
-publish: Optional. Publish the assessment after scanning.
-clearcache: Optional. Remove the vulnerability analysis cache and custom rules signature data before scanning. If you have Java incremental analysis enabled, the scan will be a full scan.
-report: Optional. Generate a report after the scan.
  - Required -report command options:
    <report type>: Type of report. The report types consist of Findings reports, AppScan Source reports, and custom reports. Refer to the options in GenerateReport.
    <output format>: Specify the report format. Refer to the options in GenerateReport.
    <output location>: The location to save the report.
  - Optional -report command options:
    -includeSrcBefore <n>: The number of lines of source code to include before each finding.
    -includeSrcAfter <n>: The number of lines of source code to include after each finding.
    -includeTraceDefinitive: Include trace information in the report for definitive findings (see Classifications to learn about findings classifications).
    -includeTraceSuspect: Include trace information in the report for suspect findings.
    -includeTraceCoverage: Include trace information in the report for scan coverage findings.
-appserver_type: Optional. If the application that you are opening includes JavaServer Pages (for example, a WAR or EAR file), use this setting to specify the application server to use for JSP compilation. Specify one of these, in double quotation marks:
  - Tomcat 7
  - Tomcat 8
  - WebSphere 7.0
  - WebSphere 8.0
  - WebSphere 8.5
  - WebLogic 11g
  - WebLogic 12c
  Note:
  - Before specifying an application server, ensure that it has been configured properly in the AppScan Source for Analysis preferences.
  - If -appserver_type is not used, the default JSP compiler that is currently set in AppScan Source for Analysis will be used for JSP compilation. Out of the box, Tomcat 7 is the default JSP compiler.
For WAR files:
  -include_all_lib_jars: Use this setting to include all libraries in the WAR file during the scan.
  -include_lib_jars: Use this setting to specify the libraries in the WAR file that you want to include during the scan. When using this setting, do not include library path information, and separate multiple libraries with commas.
-no_ear_project: When importing an EAR file, a project is automatically created for storing shared libraries. If there are no shared libraries, the project is still created, but it is empty. When this setting is used, no project is created for the EAR file.
Return Value
The Request ID if successful, or -1 if the request submission was unsuccessful.
Examples
- Scan the WebGoat application, publish it, and annotate the log with John Smith as the caller:
  ounceauto scanapplication -application_file C:\WebGoat\WebGoat.paf -publish -caller JohnSmith
- Scan the WebGoat application and create a Findings report in the C:\WebGoat directory. In the report, include trace information for definitive findings:
  ounceauto scanapplication -application WebGoat -report Findings html C:\WebGoat\MyReport.html -includeTraceDefinitive
- Scan a WAR file and include only some of its libraries:
  ounceauto scanapplication -application_file c:\mywar.war -include_lib_jars lib1.jar,lib2.jar