HCL AppScan Source Version 9.0.3.14 Readme and Release Notes
December 2019
Please read this document carefully. This document lists important issues and topics concerning AppScan® Source. It is recommended that you read the entire document before you install the product or any of its components.
You can find information on the following topics in this file:
- AppScan Source licensing
- IMPORTANT: New installation file name for Windows
- Changes when publishing to AppScan Enterprise from AppScan Source Version 9.0.3.7
- Changes when publishing to AppScan Enterprise Server from AppScan Source Version 9.0.3.4 and higher
- IMPORTANT: Custom installation files that include AppScan Source for Automation must be recreated after installing AppScan Source Version 9.0.3.3 or higher
- AppScan Source for Analysis product documentation
- Known limitations and workarounds:
- General
- Publishing to AppScan Enterprise Version 9.0.3.6 or earlier from AppScan Source Version 9.0.3.7 or later
- After upgrading AppScan Source, findings from excluded bundles may appear in scan results
- For AppScan Source Version 8.5 and above, there is a known limitation when comparing assessments that were generated by different versions of AppScan Source
- Comparing assessments that are generated using different versions of the iOS SDK
- Compilation errors when using Tomcat 7 with a JDK earlier than Java Version 1.6
- IPv6 limitations
- Use precompiled classes when a scan of an Eclipse workspace fails due to missing classes or libraries
- Process VM Limit (per_proc_VM_limit) setting deprecation
- Migration of LDAP user accounts to AppScan Source Version 8.5 or above
- Silent installation is not supported on Turkish locales
- UTF-8 character set is required for Oracle databases
- JavaScript trace support is only available for .js and .html files
- Line numbers in JSP files
- Ounce/Maven
- AppScan Source for Analysis
- Upgrading AppScan Source without ending all AppScan Source java processes may cause the Remediation Assistance view to fail
- AppScan Source for Analysis and AppScan Source for Development (Eclipse plug-in) component prerequisite on Linux
- The libstdc++.so.5 GCC library may be required for Red Hat Enterprise Linux Versions 5 and 6
- Intermittent shutdown of AppScan Source for Analysis on Linux
- Caching may occur when switching national languages
- Multibyte characters in the installation path of AppScan Source for Analysis are not supported
- Linux - Error launching AppScan Source for Analysis after configuring AppScan Source daemons to run as user other than 'ounce' during installation
- Removing AppScan Source for Analysis as a non-administrative user
- To create PDF reports, it may be necessary to install system fonts for some non-English languages
- Modifying custom rules and plug-in use
- Assessment Summary view chart style selection is no longer supported
- Submission of defects to ClearQuest from a non-English machine may fail
- Password required to submit findings to Rational ClearQuest on Linux
- Scanning JSP Projects with IBM WebSphere Application Server on Linux
- AppScan Source command line interface (CLI)
- AppScan Source for Development (Eclipse plug-in)
- Upgrading AppScan Source without ending all AppScan Source java processes may cause the Remediation Assistance view to fail
- After applying AppScan Source for Development to Eclipse, you are not prompted to choose a workspace after the initial Eclipse relaunch
- Attempts to run AppScan Source for Development (Eclipse plug-in) result in Unable to link native library shared-win32-x64.dll error
- Installing the AppScan Source for Development Eclipse plug-in no longer includes the option to install the plug-in prerequisites
- Using 64-bit Eclipse on macOS: Warning: [options] bootstrap class path not set in conjunction with -source 1.6
- On Microsoft Windows 7, component review panel may be blank when applying the AppScan Source for Development Plug-in to Eclipse or Eclipse-based products
- Upgrading the AppScan Source for Development (Eclipse plug-in)
- AppScan Source for Analysis and AppScan Source for Development (Eclipse plug-in) component prerequisite on Linux
- The libstdc++.so.5 GCC library may be required for Red Hat Enterprise Linux Versions 5 and 6
- AppScan Source for Development plug-in for Eclipse and Eclipse-based products: multiple prompts for AppScan Source installation directory
- Shared/Global filters in AppScan Source for Development do not consistently display
- Configuring Eclipse or Rational Application Developer for WebSphere Software (RAD) environments
- Modifying custom rules and plug-in use
- Assessment Summary view chart style selection is no longer supported
- Rational Application Developer for WebSphere Software (RAD) Plug-in on Windows 7 must run as administrator
- AppScan Source for Development (Visual Studio plug-in)
- Upgrading AppScan Source without ending all AppScan Source java processes may cause the Remediation Assistance view to fail
- Delay when copying large numbers of findings in large assessments
- AppScan Source About dialog box in Microsoft Visual Studio is truncated
- Compatibility error when installing AppScan Source for Development to Visual Studio 2012
- When using AppScan Source for Development (Visual Studio plug-in) on Windows 7, findings cannot be modified multiple times
- Shared/Global filters in AppScan Source for Development do not consistently display
- Assessment Summary view chart style selection is no longer supported
- Scanning solution files that were created in a version of Microsoft Visual Studio that is not installed
- Microsoft Windows
- Upgrading AppScan Source without ending all AppScan Source java processes may cause the Remediation Assistance view to fail
- On Windows 7, you must run as administrator to scan an asp.net website, if the website is included via http reference, such as under the local web server root
- On Microsoft Windows 7, component review panel may be blank when applying the AppScan Source for Development Plug-in to Eclipse or Eclipse-based products
- Errors when AppScan Source configuration files contain special characters
- Ounce/Ant -java.lang.NoClassDefFoundError when using Ant Version 1.8.1 on Microsoft Windows 7 64-bit
- Publishing to AppScan Enterprise Server hosted on Windows 2008 fails with a 401 Authentication Denied error
- Library id and progid forms of #import are not supported
- Referenced assemblies must be in the same directory as the assembly being scanned or registered in the Global Assembly Cache (GAC)
- Visual Basic 6 scan requires full function declaration
- Dialog box and message truncations when running in non-English locales
- Rational Application Developer for WebSphere Software (RAD) Plug-in on Windows 7 must run as administrator
- AppScan Source for Development (Visual Studio plug-in) limitations
- Linux
- Nodelocked licenses and Red Hat Enterprise Linux 7.4
- Uninstalling AppScan Source on Red Hat Enterprise Linux 7.x
- Upgrading AppScan Source without ending all AppScan Source java processes may cause the Remediation Assistance view to fail
- SELinux prevents installation, product activation, and running
- IBM Rational Application Development and Remediation Assistance view
- Linux Mozilla requirement for Remediation Assistance view
- Scanning JSP Projects with IBM WebSphere Application Server on Linux
- AppScan Source for Analysis and AppScan Source for Development (Eclipse plug-in) component prerequisite on Linux
- The libstdc++.so.5 GCC library may be required for Red Hat Enterprise Linux Versions 5 and 6
- Intermittent shutdown of AppScan Source for Analysis on Linux
- Linux - Error launching AppScan Source for Analysis after configuring AppScan Source daemons to run as user other than 'ounce' during installation
- Scanning source code compiled with older versions of gcc, such as 2.95.4, produces errors
- Password required to submit findings to Rational ClearQuest on Linux
- macOS
- Deprecation of macOS support
- Upgrading AppScan Source without ending all AppScan Source java processes may cause the Remediation Assistance view to fail
- Comparing assessments that are generated using different versions of the iOS SDK
- In AppScan Source Version 9.0.3.4 and earlier, scanning IBM MobileFirst iOS applications using Xcode 7 results in an error
- Xcode project import changes
- Preparing Xcode projects that have dependencies for scanning
- Using 64-bit Eclipse on macOS: Warning: [options] bootstrap class path not set in conjunction with -source 1.6
- On macOS, manual steps are required to operate in FIPS 140-2 mode
- Silent installation of fix packs is not supported on macOS
- Objective-C language support limitation
- General
- Additional information
AppScan Source licensing
AppScan Source provides a License Manager utility that is used for loading and updating license information on your client machine. This utility allows you to view your current license status - or you can use the utility to activate the product by importing a nodelocked license file or by using a floating license on a license server. Nodelocked licenses are tied to individual machines - while floating licenses can be checked out for use on different client machines.
The License Manager utility can be opened from the product installation wizard after installation is complete - or you can launch it from the Windows™ Start menu.
AppScan Source licenses are obtained from the HCL® License Key Center. For detailed information about obtaining licenses and license activation, see How to obtain and apply licenses for AppScan Source products and Activating the software in the help.
IMPORTANT: New installation file name for Windows
In previous releases, the Windows installation file was named setup.exe. The installation file is now named AppScanSrc_Installer.exe.
Changes when publishing to AppScan Enterprise Server from AppScan Source Version 9.0.3.4 and higher
When you upgrade to AppScan Source Version 9.0.3.4, you will notice these changes:
- When you publish an assessment to AppScan Enterprise Console, you must now associate the assessment with an application in AppScan Enterprise (if you are running AppScan Enterprise Server Version 9.0.3 and higher). As a result, automation scripts may fail if they do not include application association. In AppScan Enterprise Server, application association is required if you want to take advantage of AppScan Enterprise Server application security risk management features. See http://help.hcl-software.com/appscan/Enterprise/9.0.3/topics/c_overview.html.
- In addition, you must remove the port from the AppScan Enterprise URL.
- In AppScan Source for Analysis, click .
- In the AppScan Enterprise Console settings, remove the port from the Enterprise Console URL field.
- After you publish your assessment, it will only be available in the AppScan Enterprise Monitor view (in previous releases, the assessment was available in the AppScan Enterprise Scans view). Migrating to this view is described in http://help.hcl-software.com/appscan/Enterprise/9.0.3/topics/t_workflow_for_applications.html.
This is the result of a changed communication protocol between AppScan Source and AppScan Enterprise Server that is required for publishing to AppScan Enterprise Server when using Common Access Card (CAC) authentication.
If you do not want to publish assessments to AppScan Enterprise Server when CAC authentication is enabled - or if you do not want to take advantage of Enterprise Server application security risk management features - you can revert to the previous communication protocol as follows:
- Open <data_dir>\config\ounce.ozsettings (where <data_dir> is the location of your AppScan Source program data, as described in Installation and user data file locations).
- In this file, locate this setting:
<Setting name="force_ase902_assessment_publish" value="false" default_value="false" description="Use ASE 9.0.2-style assessment publish" display_name="Use ASE 9.0.2-style assessment publish" type="boolean" read_only="true" hidden="true" />
- In the setting, change value="false" to value="true" and then save the file.
- Restart the AppScan Source product that you will publish assessments from.
When this setting is set to value="true":
- If you associate an assessment with an application in AppScan Enterprise when publishing, the assessment will be available in the Monitor and Scans views.
- If you do not associate an assessment with an application when publishing, the assessment will be available in the Scans view.
- You will not be able to publish assessments to AppScan Enterprise Server when CAC authentication is enabled.
For further information, see Publishing from AppScan Source version 9.0.3.4 and higher to AppScan Enterprise requires application.
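The setting change described above is a one-attribute edit in an XML file, and the same edit applies to the other boolean publish switch in ounce.ozsettings (allow_publish_to_old_ase, covered later in this readme), which the readme says must not be enabled together with force_ase902_assessment_publish. The following script is an added example, not HCL's own code: it flips the value attribute of a named boolean <Setting> while leaving every other attribute untouched, and refuses to write a file in which both publish switches are true. It assumes the <Setting> lines sit under some XML root element; the <Settings> root in the constructed sample is an assumption, as the readme only shows the individual <Setting> lines.

```python
"""Flip a boolean <Setting> in an AppScan Source ounce.ozsettings file.

Added example for this readme, not HCL's own code. Assumptions: the file is
well-formed XML, and the <Setting .../> lines sit under some root element (a
hypothetical <Settings> root is used for the constructed sample below; the
readme only shows the individual <Setting> lines).
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the two publish switches quoted in this readme, at their
# default value="false".
SAMPLE_OZSETTINGS = """<Settings>
  <Setting name="force_ase902_assessment_publish" value="false" default_value="false" description="Use ASE 9.0.2-style assessment publish" display_name="Use ASE 9.0.2-style assessment publish" type="boolean" read_only="true" hidden="true" />
  <Setting name="allow_publish_to_old_ase" value="false" default_value="false" description="Use this setting when Source for Analysis is at 9.0.3.7 level but ASE is still at older version." display_name="Publishing from AppScan Source 9.0.3.7 to older version of ASE. " type="boolean" read_only="true" hidden="true" />
</Settings>
"""

# The readme says these two switches cannot be used in combination.
PUBLISH_SWITCHES = ("force_ase902_assessment_publish", "allow_publish_to_old_ase")


def _find_setting(root: ET.Element, name: str) -> ET.Element:
    for elem in root.iter("Setting"):
        if elem.get("name") == name:
            return elem
    raise KeyError(f'no <Setting name="{name}"> found')


def get_setting_value(xml_text: str, name: str) -> str:
    """Return the value="..." attribute of the named setting."""
    return _find_setting(ET.fromstring(xml_text), name).get("value")


def set_boolean_setting(xml_text: str, name: str, enabled: bool) -> str:
    """Return the XML text with the named boolean setting set to true/false.

    Only the value attribute changes; every other attribute (default_value,
    description, read_only, hidden, ...) is left exactly as it was.
    """
    root = ET.fromstring(xml_text)
    setting = _find_setting(root, name)
    if setting.get("type") != "boolean":
        raise ValueError(f"{name} is type={setting.get('type')!r}, not boolean")
    setting.set("value", "true" if enabled else "false")
    return ET.tostring(root, encoding="unicode")


def enabled_publish_switches(xml_text: str) -> list:
    """Names of the mutually exclusive publish switches currently set to true."""
    root = ET.fromstring(xml_text)
    return [n for n in PUBLISH_SWITCHES if _find_setting(root, n).get("value") == "true"]


def publish_switches_consistent(xml_text: str) -> bool:
    """True unless both publish switches are enabled at once."""
    return len(enabled_publish_switches(xml_text)) <= 1


if __name__ == "__main__":
    # Usage: python toggle_ozsetting.py <path-to-ounce.ozsettings> <name> true|false
    # With no arguments, the script runs against the constructed sample instead.
    if len(sys.argv) == 4:
        path, name, flag = sys.argv[1:]
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    else:
        path, name, flag, text = None, "allow_publish_to_old_ase", "true", SAMPLE_OZSETTINGS
    updated = set_boolean_setting(text, name, flag.lower() == "true")
    if not publish_switches_consistent(updated):
        sys.exit("refusing to write: both publish switches would be enabled")
    if path:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(updated)
    print(f"{name} -> {get_setting_value(updated, name)}")
```

Run it with no arguments to see the effect on the sample, or pass the path to your ounce.ozsettings, the setting name and true or false; as the readme says, restart the AppScan Source product you publish from after the edit.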
Changes when publishing to AppScan Enterprise from AppScan Source Version 9.0.3.7
To publish to AppScan Enterprise from AppScan Source Version 9.0.3.7, you must upgrade to AppScan Enterprise Version 9.0.3.7 first, or publishing will fail with the message CRWSA1653E Error: Scanner AppScan Source has not been configured on the server.
To work around this issue, see Publishing to AppScan Enterprise Version 9.0.3.6 or earlier from AppScan Source Version 9.0.3.7 or later. Undo this change when AppScan Enterprise is upgraded to Version 9.0.3.7.
For more information on publishing to AppScan Enterprise, see Publishing assessments to the AppScan Enterprise Console.
IMPORTANT: Custom installation files that include AppScan Source for Automation must be recreated after installing AppScan Source Version 9.0.3.3 or higher
In August, 2016, these fixes for AppScan Source Version 9.0.3.3 were made available at IBM Fix Central:
- AppScanSource-9.0.3.3-Windows-PSIRT7-iFix
- AppScanSource-9.0.3.3-MacOSX-PSIRT7-iFix
- AppScanSource-9.0.3.3-Linux-PSIRT7-iFix
The fix that is applied by these PSIRT7 updates requires you to recreate existing AppScan Source custom or silent installation properties files - only if those installation files are used to install AppScan Source for Automation. If you have existing custom or silent installation properties files that do not include the installation of AppScan Source for Automation, you are unaffected by this change.
If you have affected AppScan Source custom or silent installation properties files that were created with an AppScan Source version that is lower than the above fix version (PSIRT7), you will need to create them again after installing the PSIRT7 fix or subsequent fixes. Once you recreate your custom installation files, you will not need to do so again after applying future updates.
Examples:
- If you have custom or silent installation files that were created with AppScan Source Version 9.0.3.3 or lower, you will need to recreate those files after installing the above fixes or any version of or fix for AppScan Source that was released after the above fixes.
- If you have custom or silent installation files that were created with AppScan Source Version 9.0.3.3 PSIRT7 or higher, you do not need to recreate those files when applying future updates.
- If you have custom or silent installation files that were created with AppScan Source Version 9.0.3.4 or higher, you do not need to recreate those files when applying future updates.
If you attempt to use an outdated silent or custom installation file, the installation of AppScan Source for Automation will appear to succeed, however the HCL AppScan Source for Automation service will fail to start.
To learn what version of AppScan Source you have installed, locate the AppScan Source data directory (described in Installation and user data file locations) and open config/install.properties or config\install.properties. In this file, locate the install.version and install.build properties. For PSIRT7, these values are install.version=9.0.3.3 and install.build=177.
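Whether a set of custom or silent installation files has to be recreated comes down to comparing the install.version and install.build of the installation that produced them against the PSIRT7 level above. The following script is an added example, not HCL's own code: it parses install.properties and applies that comparison numerically, so that a version such as 9.0.3.14 is correctly treated as newer than 9.0.3.3 (a plain string comparison would get this wrong). The two property names and the PSIRT7 values come from this readme; the rest of the constructed sample file is an assumption.

```python
"""Check whether an AppScan Source installation is at or past the 9.0.3.3
PSIRT7 level by reading config/install.properties.

Added example for this readme, not HCL's own code. The only facts taken from
the readme are the two property names and the PSIRT7 values
(install.version=9.0.3.3, install.build=177); the surrounding file layout in
the constructed sample is an assumption.
"""
import sys

# PSIRT7 level from the readme: version 9.0.3.3, build 177.
PSIRT7_VERSION = (9, 0, 3, 3)
PSIRT7_BUILD = 177

# Constructed sample of config/install.properties (only the two keys the
# readme names are real; the comment line is made up).
SAMPLE_INSTALL_PROPERTIES = """# constructed sample, not a real install.properties
install.version=9.0.3.3
install.build=177
"""


def parse_properties(text: str) -> dict:
    """Minimal key=value parser for a Java-style .properties file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def version_tuple(version: str) -> tuple:
    """'9.0.3.3' -> (9, 0, 3, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def at_or_after_psirt7(properties_text: str) -> bool:
    """True if install.version/install.build are at or beyond the PSIRT7 level."""
    props = parse_properties(properties_text)
    installed = (version_tuple(props["install.version"]), int(props["install.build"]))
    return installed >= (PSIRT7_VERSION, PSIRT7_BUILD)


def automation_install_files_need_recreating(created_with_properties: str) -> bool:
    """Apply the readme's rule: custom or silent installation files that include
    AppScan Source for Automation must be recreated if they were created with a
    build earlier than PSIRT7. `created_with_properties` is the install.properties
    content of the installation that produced those files."""
    return not at_or_after_psirt7(created_with_properties)


if __name__ == "__main__":
    # Usage: python check_psirt7.py [<data_dir>/config/install.properties]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_INSTALL_PROPERTIES
    props = parse_properties(text)
    print(f"installed: {props.get('install.version')} build {props.get('install.build')}")
    print("at or after PSIRT7:", at_or_after_psirt7(text))
```

Point the script at the install.properties of the installation your custom files were generated from; if the result is false and those files install AppScan Source for Automation, recreate them.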
AppScan Source for Analysis product documentation
As of Version 9.0.3.4, when you use the AppScan Source for Analysis, online help for AppScan Source at IBM Knowledge Center opens (for Version 9.0.3.4, the help opens to the HCL AppScan Source V9.0.3.4 documentation). Similarly, when you follow links from the AppScan Source for Analysis Welcome view, they are opened at IBM Knowledge Center.
menu item in AppScan Source for Analysis also offers context-sensitive help for many views, preference pages, and dialog boxes. The keyboard shortcut for context-sensitive help is F1 on Windows, Shift+F1 on Linux, and command+F1 on macOS. This context-sensitive help also opens to AppScan Source at IBM Knowledge Center as of Version 9.0.3.4.
If you are using the product without an internet connection, help is available locally as follows:
- The HCL AppScan Source Readme and Release Notes are available in the readme.html file that is located in your AppScan Source installation directory.
- Javadoc for some AppScan Source for Analysis features is located in the doc/Javadoc or doc\Javadoc directory of your AppScan Source installation directory. As of Version 9.0.3.4, Javadoc for these features is available:
- Javadoc for the application server import framework API classes and methods is available in doc/Javadoc/appserverimporter or doc\Javadoc\appserverimporter.
- Javadoc for the Framework for Frameworks API classes and methods is available in doc/Javadoc/frameworks or doc\Javadoc\frameworks.
In these folders, open the index.html file.
General
After upgrading AppScan Source, findings from excluded bundles may appear in scan results
After AppScan Source is upgraded, the properties of some findings can change, which can result in this known limitation.
Publishing to AppScan Enterprise Version 9.0.3.6 or earlier from AppScan Source Version 9.0.3.7 or later
Open <data_dir>\config\ounce.ozsettings, where <data_dir> is the location of your AppScan Source program data as described in Installation and user data file locations, and set the allow_publish_to_old_ase setting to true:
<Setting name="allow_publish_to_old_ase" value="false" default_value="false" description="Use this setting when Source for Analysis is at 9.0.3.7 level but ASE is still at older version." display_name="Publishing from AppScan Source 9.0.3.7 to older version of ASE. " type="boolean" read_only="true" hidden="true" />
Setting the allow_publish_to_old_ase configuration value to true allows publishing from AppScan Source Version 9.0.3.7 to AppScan Enterprise Versions 9.0.3.4 to 9.0.3.6. force_ase902_assessment_publish is still applicable if users want to publish to pre-9.0.3.4 versions of AppScan Enterprise (as described in Changes when publishing to AppScan Enterprise Server from AppScan Source Version 9.0.3.4 and higher), but it cannot be used in combination with the new configuration switch mentioned above.
For AppScan Source Version 8.5 and above, there is a known limitation when comparing assessments that were generated by different versions of AppScan Source
When using the Diff Assessments action to compare two assessments that were generated by different versions of AppScan Source, some findings may appear as Fixed/Missing, even though they match. After AppScan Source is upgraded, the properties of some findings can change, which can result in this known limitation.
This limitation only exists in AppScan Source Version 8.5 and above.
Comparing assessments that are generated using different versions of the iOS SDK
If you generate an assessment using one version of the iOS SDK and then use AppScan Source for Analysis to compare it to an assessment of the same code that was generated using a different version of the iOS SDK, identical findings in the assessment will appear to be different. This is a result of internal differences in iOS SDK versions.
Compilation errors when using Tomcat 7 with a JDK earlier than Java™ Version 1.6
Out-of-the-box, the default compiler for JSP projects is Tomcat 7, which requires Java Version 1.6 or higher. If Tomcat 7 is kept as default, selecting an earlier JDK will result in compilation errors such as this during scans:
bad class file: <AppScan Source>\tc70\servlet-api.jar(javax/servlet/ServletContext.class)
class file has wrong version 50.0, should be 49.0
To resolve these compilation errors, ensure that you are using JDK 1.6 or higher - or choose a different version of the Tomcat JSP compiler.
IPv6 limitations
AppScan Source is enabled for Internet Protocol Version 6 (IPv6), with these exceptions:
- Inputting IPv6 numerical addresses is not supported and a host name must be entered instead. Inputting IPv4 numerical addresses is supported.
- IPv6 is not supported when connecting to Rational Team Concert™.
Use precompiled classes when a scan of an Eclipse workspace fails due to missing classes or libraries
If you successfully import an Eclipse workspace, but find that scanning it fails due to missing classes or libraries, it is recommended that you use the option to scan with precompiled classes. To do this, select that option in the project properties and browse to the bin directory of the Eclipse project.
Process VM Limit (per_proc_VM_limit) setting deprecation
As of AppScan Source Version 8.7, this setting is deprecated. It is no longer available in the Scan Configuration view - and it is marked as deprecated in <data_dir>\config\memory.ozsettings.
Migration of LDAP user accounts to AppScan Source Version 8.5 or above
If you are upgrading Rational® AppScan Source Edition for Core to AppScan Source Version 8.5 or above, LDAP-authenticated user accounts will be migrated to user accounts in the AppScan Source user repository that are not LDAP-authenticated. These user accounts will have a blank password. It is strongly advised that these user accounts be given passwords as soon as possible.
Silent installation is not supported on Turkish locales
If you create a custom silent installation, it will not succeed when running on any Turkish language locale (for example, tr and tr_TR).
UTF-8 character set is required for Oracle databases
If you are connecting the AppScan Enterprise Server to an Oracle database, you must set the character set to UTF-8 when creating the database (this is typically not the default character set).
JavaScript™ trace support is only available for .js and .html files
Other JavaScript file types can be scanned, however, trace information is only provided for .js and .html files.
Line numbers in JSP files
Line numbers for the .java file that was generated from the .jsp file display along with the JSP file name.
Ounce/Maven
The ounce:report mojo does not work for existing assessment XML files, only new scans.
AppScan Source for Analysis
Upgrading AppScan Source without ending all AppScan Source java processes may cause the Remediation Assistance view to fail
If you perform a product upgrade when an AppScan Source java process is still running, the Remediation Assistance view may display an error similar to these after the upgrade:
This page can't be displayed
- Make sure the web address http://<my_host_and_port> is correct.
- Look for the page with your search engine.
- Refresh the page in a few minutes.
or
Error executing query and transform
Before upgrading an AppScan Source installation that includes the AppScan Source for Analysis, AppScan Source for Development (Eclipse plug-in), or AppScan Source for Development (Visual Studio plug-in) components, ensure that there are no AppScan Source java processes running.
AppScan Source for Analysis and AppScan Source for Development (Eclipse plug-in) component prerequisite on Linux™
On Linux, Eclipse requires the installation of a third-party component in order to render browser-based content. Without this component, AppScan Source for Analysis and the AppScan Source for Development (Eclipse plug-in) may exhibit symptoms such as a hang after login or a fail during product use. See the HCL AppScan Source Installation and Administration Guide to learn how to enable browser-based content for these products.
The libstdc++.so.5 GCC library may be required for Red Hat Enterprise Linux Versions 5 and 6
If you need to install Mozilla XULRunner to enable browser-based content on Linux for AppScan Source for Analysis or AppScan Source for Development (Eclipse plug-in) (as described in the product documentation), libstdc++.so.5 is required. In many cases, this library will already be on your machine. If it is not on your machine, you will receive an error message that includes text similar to:
libstdc++.so.5: cannot open shared object file: No such file or directory.
For libstdc++.so.5: If you are a member of the Red Hat network and have up2date, run this command as root to install libstdc++.so.5:
up2date --install compat-libstdc++-33
If you are not a member of the Red Hat network or do not have up2date, you will need to obtain a copy of the compat-libstdc++ RPM from an RPM archive site or obtain libstdc++.so.5 from another source. After it has been installed and placed on your LD_LIBRARY_PATH, you will be able to run the AppScan Source setup binary.
Intermittent shutdown of AppScan Source for Analysis on Linux
To prevent an unexpected shutdown, upgrade Pango. The Pango upgrade may require an upgrade of glib.
Caching may occur when switching national languages
The AppScan Source for Analysis user interface can be displayed in different national languages by switching the language in the preferences and restarting the workbench. It is common Eclipse behavior for strings to be cached and to display in the previous language that was used - and AppScan Source for Analysis is affected by this behavior. If you switch the national language that is displayed and then restart the workbench, cached strings will be refreshed when you activate the user interface element that the string describes (for example, if a button label has been cached, clicking the button will cause the string to refresh to the new language).
Multibyte characters in the installation path of AppScan Source for Analysis are not supported
All versions of AppScan Source for Analysis will fail during installation with an Invalid Directory error if the installation path contains multibyte characters.
Linux - Error launching AppScan Source for Analysis after configuring AppScan Source daemons to run as user other than 'ounce' during installation
The AppScan Source for Analysis installer allows you to configure the AppScan Source daemon processes to run as the default user named 'ounce' or as an existing user.
Workaround: If you do not choose the default user, you must create an eclipse.ini file in the AppScan Source installation directory (for example, /opt/ibm/appscansource) that consists of this line:
-configuration @user.home/.ounceconfig
Removing AppScan Source for Analysis as a non-administrative user
AppScan Source for Analysis on Windows requires administrator access to create Add or Remove Programs entries. If you installed AppScan Source for Analysis as a non-administrator user, to remove AppScan Source for Analysis, go to <install_dir>\Uninstall_AppScan and run AppScan_Uninstaller.exe (where <install_dir> is the location of your AppScan Source installation).
To create PDF reports, it may be necessary to install system fonts for some non-English languages
For these languages, you may need to install the indicated fonts to be able to create PDF reports:
- Japanese: MS Gothic or VL Gothic
- Korean: Gulim
- Simplified Chinese: SimSun-18030 or MingLiU
- Traditional Chinese: SimSun-18030 or MingLiU
Modifying custom rules and plug-in use
If you create a custom rule in AppScan Source for Analysis and are logged in to an AppScan Source for Development plug-in, to see the changes, you must restart the IDE.
Assessment Summary view chart style selection is no longer supported
In the Assessment Summary view, you can no longer choose the style of chart to display. The bar chart is the only chart style available.
Submission of defects to ClearQuest® from a non-English machine may fail
The submission of defects to Rational ClearQuest may fail with code page-related error messages if your Rational ClearQuest server's configured code page does not support characters from the locale in which AppScan Source is running.
Password required to submit findings to Rational ClearQuest on Linux
When you submit findings to Rational ClearQuest, you cannot log in to Rational ClearQuest if the password is blank.
Workaround: Use the Rational ClearQuest User Administration tool to change the password to be equal to or greater than one character.
Scanning JSP Projects with IBM® WebSphere® Application Server on Linux
By default, the WebSphere Application Server JSP compiler is only available to administrator (root) users on Linux machines. To run the WebSphere Application Server JSP compiler as a user other than root, your administrator needs to create an additional WebSphere Application Server profile for you according to instructions at IBM Knowledge Center. When creating the profile, the administrator will need to know the login user ID. The administrator will then need to provide you with the new profile name and the path to the profile (for example, profile01 at /opt/IBM/WebSphere7/AppServer/profiles/profile01).
After the profile has been created, you will need to customize the WebSphere JSP Compiler command line used by AppScan Source by following these directions:
- Launch AppScan Source for Analysis.
- Launch from the main workbench menu.
- In the Preferences dialog box, select the entry for the version of WebSphere Application Server that you are running.
- In the WebSphere Application Server installation directory field, enter or browse for the local directory in which the application server is installed.
- Select the Enable Advanced Configuration Options check box.
- Edit the entry in the WebSphere JSP Compiler Command Line field:
  - Replace %JSP_COMPILER_INSTALL_DIR%/bin with <path_to_profile_directory>/bin, where <path_to_profile_directory> is the path to the new profile, as provided by your administrator. For example, replace %JSP_COMPILER_INSTALL_DIR%/bin with /opt/IBM/WebSphere7/AppServer/profiles/profile01/bin.
  - Insert -profileName <new_profile> (where <new_profile> is the new profile name, as provided by your administrator) before the -response.file entry.
  For example, if the original entry was this:
  %CMD_EXE% %CMD_ARGS% '%FILE(%%JSP_COMPILER_INSTALL_DIR%/bin/JspBatchCompiler%BAT%%)%' -response.file ...
  It should be changed to this:
  %CMD_EXE% %CMD_ARGS% '%FILE(%/opt/IBM/WebSphere7/AppServer/profiles/profile01/bin/JspBatchCompiler%BAT%%)%' -profileName profile01 -response.file ...
- Click OK to save the changes to the preferences.
AppScan Source for Development (Eclipse plug-in)
Upgrading AppScan Source without ending all AppScan Source java processes may cause the Remediation Assistance view to fail
If you perform a product upgrade when an AppScan Source java process is still running, the Remediation Assistance view may display an error similar to these after the upgrade:
This page can't be displayed
- Make sure the web address http://<my_host_and_port> is correct.
- Look for the page with your search engine.
- Refresh the page in a few minutes.
or
Error executing query and transform
Before upgrading an AppScan Source installation that includes the AppScan Source for Analysis, AppScan Source for Development (Eclipse plug-in), or AppScan Source for Development (Visual Studio plug-in) components, ensure that there are no AppScan Source java processes running.
After applying AppScan Source for Development to Eclipse, you are not prompted to choose a workspace after the initial Eclipse relaunch
After applying AppScan Source for Development to Eclipse, you are prompted to restart the workbench. After restarting, you are prompted to choose a workspace. However, when you restart Eclipse again - or close it and start it - you are not prompted to choose a workspace.
This problem is related to https://bugs.eclipse.org/bugs/show_bug.cgi?id=409552.
You can work around this problem using one of these methods:
- Use the -clean option when starting Eclipse.
- Exit Eclipse and then, in your Eclipse installation directory, delete the configuration\org.eclipse.osgi\.manager directory before starting Eclipse again.
If you do not resolve the problem, you can ensure that you are using the correct workspace by using the action.
Attempts to run AppScan Source for Development (Eclipse plug-in) result in Unable to link native library shared-win32-x64.dll error
Attempts to run some actions in AppScan Source for Development (Eclipse plug-in) (for example, launching a scan or starting actions that require a login) can result in this error message (or one that is similar to it):
Unable to link native library shared-win32-x64.dll.
You may need to install an appropriate Microsoft Visual C++
2010 Redistributable Package for your system.
When running on a 64-bit Java Runtime Environment, this typically indicates that the 64-bit Microsoft™ Visual C++ runtime library is unavailable. To resolve this problem, install the Microsoft Visual C++ 2010 Redistributable Package, available at http://www.microsoft.com/en-ca/download/details.aspx?id=14632.
Installing the AppScan Source for Development Eclipse plug-in no longer includes the option to install the plug-in prerequisites
In Version 9.0, the options to install the prerequisites for the Eclipse plug-in (Graphical Editing Framework (GEF) and Draw2d) are no longer available. Most versions of Eclipse that are supported by AppScan Source for Development include these features. If yours does not, install these components into your Eclipse environment using the appropriate eclipse.org update site before installing the AppScan Source for Development Eclipse plug-in.
Using 64-bit Eclipse on macOS: Warning: [options] bootstrap class path not set in conjunction with -source 1.6
This message can occur when scanning from a 64-bit Eclipse IDE using the AppScan Source for Development Eclipse plug-in when the contents of the class path and the default JDK in Eclipse do not match.
To work around this issue:
- 1. Choose from the main menu.
- 2. If your workspace contains more than one project, the Choose Projects dialog box will open. In this dialog box, select the project to configure and then click OK.
- 3. Set the JDK to use for scanning this project to IBM JDK 1.7.
Click OK to close the dialog box and re-scan the application.
On Microsoft Windows 7, component review panel may be blank when applying the AppScan Source for Development Plug-in to Eclipse or Eclipse-based products
In some cases (for example, if you use a .bat file to launch Eclipse), when you use the Software Updates feature to apply the AppScan Source for Development plug-in to Eclipse, the page that allows you to review installation components will appear blank even when components are going to be installed. If you click Finish on this panel, the installation will complete provided there are no other issues.
Upgrading the AppScan Source for Development (Eclipse plug-in)
It is recommended that you uninstall AppScan Source for Development from your Eclipse IDE before upgrading to a more recent version of AppScan Source for Development or AppScan Source.
AppScan Source for Analysis and AppScan Source for Development (Eclipse plug-in) component prerequisite on Linux
On Linux, Eclipse requires the installation of a third-party component in order to render browser-based content. Without this component, AppScan Source for Analysis and the AppScan Source for Development (Eclipse plug-in) may exhibit symptoms such as a hang after login or a failure during product use. See the HCL AppScan Source Installation and Administration Guide to learn how to enable browser-based content for these products.
The libstdc++.so.5 GCC library may be required for Red Hat Enterprise Linux Versions 5 and 6
If you need to install Mozilla XULRunner to enable browser-based content on Linux for AppScan Source for Analysis or AppScan Source for Development (Eclipse plug-in) (as described in the product documentation), libstdc++.so.5 is required. In many cases, this library will already be on your machine. If it is not on your machine, you will receive an error message that includes text similar to:
libstdc++.so.5: cannot open shared object file: No such file or directory.
For libstdc++.so.5: If you are a member of the Red Hat network and have up2date, run this command as root to install libstdc++.so.5:
up2date --install compat-libstdc++-33
If you are not a member of the Red Hat network or do not have up2date, you will need to obtain a copy of the compat-libstdc++ RPM from an RPM archive site or obtain libstdc++.so.5 from another source. After it has been installed and placed on your LD_LIBRARY_PATH, you will be able to run the AppScan Source setup binary.
AppScan Source for Development plug-in for Eclipse and Eclipse-based products: multiple prompts for AppScan Source installation directory
When you use the AppScan Source for Development Plug-in for Eclipse and Eclipse-based products for the first time, you are prompted by a dialog box to specify the path to your AppScan Source installation directory. If you specify the installation directory and click OK but then receive the same dialog again, click Cancel, restart the workbench, and then continue with normal product use. Failure to restart the workbench upon receiving multiple prompts for the installation directory can cause scans to fail.
Shared/Global filters in AppScan Source for Development do not consistently display
The Filtering module in AppScan Source for Development allows you to open saved assessments and perform filtering actions without having to log in and authenticate to the AppScan Enterprise Server. Because shared filters are stored in the AppScan Source Database (which requires login and authentication to access), they are not available in the plug-ins if you have not yet logged your current plug-in session into AppScan Source.
Workaround: Perform a scan (or any other action that requires login) before accessing the filtering module in the plug-in. Once you log in, shared filters will be available.
Configuring Eclipse or Rational Application Developer for WebSphere Software (RAD) environments
AppScan Source supports importing projects from external Eclipse environments (see the Supported Project Files sections in the HCL AppScan Source Installation and Administration Guide (to learn more about this guide, see Documentation)). Before you import an Eclipse or RAD project, you may need to create an Eclipse importer configuration for it in your AppScan Source for Analysis preferences and install the AppScan Source for Development plug-ins into the environment.
Modifying custom rules and plug-in use
If you create a custom rule in AppScan Source for Analysis and are logged in to an AppScan Source for Development plug-in, to see the changes, you must restart the IDE.
Assessment Summary view chart style selection is no longer supported
In the Assessment Summary view, you can no longer choose the style of chart to display. The bar chart is the only chart style available.
Rational Application Developer for WebSphere Software (RAD) Plug-in on Windows 7 must run as administrator
If the installation location or shared resources directory for RAD is in a directory in the path C:\Program Files, then you must run RAD as administrator. To run as administrator, right-click the program shortcut and click Run as administrator. On Windows 7, the Program Files directory is virtualized in order to allow users who are not running as the administrator to have write access to this protected directory. However, the virtualization workaround is not compatible with RAD.
If you selected an installation location or shared resources directory in the path C:\Program Files and do not want to require running RAD as administrator, then complete one of these tasks:
- If you selected an installation location in a directory in the path C:\Program Files, then reinstall RAD (and any other programs sharing the same installation location) and select an installation location that is not in the path C:\Program Files.
- If you selected a shared resources directory in the path C:\Program Files, then reinstall RAD and all Rational Software Development Platform products (regardless of their installation location) and select shared resources directory and installation locations that are not in the path C:\Program Files.
For more information on running RAD on Windows 7, refer to Running version 7.0.0.2 or later Rational Software Development Platform products on Microsoft Windows Vista.
AppScan Source for Development (Visual Studio plug-in)
Upgrading AppScan Source without ending all AppScan Source java processes may cause the Remediation Assistance view to fail
If you perform a product upgrade when an AppScan Source java process is still running, the Remediation Assistance view may display an error similar to these after the upgrade:
This page can't be displayed
- Make sure the web address http://<my_host_and_port> is correct.
- Look for the page with your search engine.
- Refresh the page in a few minutes.
or
Error executing query and transform
Before upgrading an AppScan Source installation that includes the AppScan Source for Analysis, AppScan Source for Development (Eclipse plug-in), or AppScan Source for Development (Visual Studio plug-in) components, ensure that there are no AppScan Source java processes running.
Delay when copying large numbers of findings in large assessments
When you multiselect and copy multiple findings in an assessment that contains a large number of findings, you may experience a several second delay before the copy action is added to the clipboard. Ensure that the copy action completes before attempting to paste what was copied.
Scanning solution files that were created in a version of Microsoft Visual Studio that is not installed
If you attempt to scan a solution file that was created in a version of Visual Studio that is not installed on your system, AppScan Source will attempt to locate a compatible version of Visual Studio on your system and use it for scanning.
AppScan Source About dialog box in Microsoft Visual Studio is truncated
With certain national languages, the About dialog box for the AppScan Source for Development (Visual Studio plug-in) appears truncated. To address this, adjust the screen resolution and/or the font size for best viewing.
Compatibility error when installing AppScan Source for Development to Visual Studio 2012
If you receive an error indicating known compatibility issues when installing AppScan Source for Development for Visual Studio 2012, this is a result of a known Microsoft issue that is outlined in http://support.microsoft.com/kb/2781514. This problem occurs during the AppScan Source installation. To resolve this problem:
- Close the error message by clicking Cancel and then allow AppScan Source to complete installation (if you receive the error message multiple times, click Cancel each time).
- Install the update listed in http://support.microsoft.com/kb/2781514.
- Launch the AppScan Source installer again. The installer will automatically launch in repair mode.
- The Visual Studio 2012 install option will already be selected and greyed out. Proceed through the install panels with their default selections, clicking Next in each panel.
- Complete the installation by clicking Finish.
- When the installation completes, the AppScan Source for Development (Visual Studio plug-in) will be ready for use.
When using AppScan Source for Development (Visual Studio plug-in) on Windows 7, findings cannot be modified multiple times
This is a known issue on 64-bit Microsoft Windows 7 that affects the AppScan Source for Development plug-in when it is applied to most versions of Microsoft Visual Studio. Findings can typically be modified one or two times. However, some aspects of findings will fail to refresh after multiple modifications. These include modifying severity, setting the vulnerability type, and annotating findings.
Shared/Global filters in AppScan Source for Development do not consistently display
The Filtering module in AppScan Source for Development allows you to open saved assessments and perform filtering actions without having to log in and authenticate to the AppScan Enterprise Server. Because shared filters are stored in the AppScan Source Database (which requires login and authentication to access), they are not available in the plug-ins if you have not yet logged your current plug-in session into AppScan Source.
Workaround: Perform a scan (or any other action that requires login) before accessing the filtering module in the plug-in. Once you log in, shared filters will be available.
Assessment Summary view chart style selection is no longer supported
In the Assessment Summary view, you can no longer choose the style of chart to display. The bar chart is the only chart style available.
AppScan Source command line interface (CLI)
Publishing to AppScan Enterprise from the Command Line Interface
- Open the assessment in AppScan Source for Analysis and publish from there.
- Use the new AppScan Source scanner in the AppScan Enterprise Version 9.0.3.7 web interface to import the .ozasmt.
- For automation, use the REST API to publish.
Issuing the publishassessase or pase command results in HttpAuthenticator warnings
If you are using the CLI to publish to an AppScan Enterprise Console that has only Windows authentication enabled, you may see warnings similar to these when issuing the publishassessase or pase command:
WARN [main] (HttpAuthenticator.java:207) - NEGOTIATE authentication error: org.ietf.jgss.GSSException, major code: 2, minor code: 0
major string: Unsupported mechanism
minor string: No factory available to create name for mechanism x.x.x.x.x.x.x
Assessment successfully published to: https://<ase_hostname>/ase
These warnings will not affect the publication of your assessments and can be ignored.
Microsoft Windows
Upgrading AppScan Source without ending all AppScan Source java processes may cause the Remediation Assistance view to fail
If you perform a product upgrade when an AppScan Source java process is still running, the Remediation Assistance view may display an error similar to these after the upgrade:
This page can't be displayed
- Make sure the web address http://<my_host_and_port> is correct.
- Look for the page with your search engine.
- Refresh the page in a few minutes.
or
Error executing query and transform
Before upgrading an AppScan Source installation that includes the AppScan Source for Analysis, AppScan Source for Development (Eclipse plug-in), or AppScan Source for Development (Visual Studio plug-in) components, ensure that there are no AppScan Source java processes running.
On Windows 7, you must run as administrator to scan an ASP.NET website if the website is included via HTTP reference, such as under the local web server root
Windows 7 requires you to run as administrator when working in Visual Studio with ASP.NET projects under the local web server. AppScan Source has the same requirement. To import and scan ASP.NET projects included via HTTP reference in either AppScan Source for Analysis or the AppScan Source command line interface (CLI), you must run those executables as an administrator.
On Microsoft Windows 7, component review panel may be blank when applying the AppScan Source for Development Plug-in to Eclipse or Eclipse-based products
In some cases (for example, if you use a .bat file to launch Eclipse), when you use the Software Updates feature to apply the AppScan Source for Development plug-in to Eclipse, the page that allows you to review installation components will appear blank even when components are going to be installed. If you click Finish on this panel, the installation will complete provided there are no other issues.
Errors when AppScan Source configuration files contain special characters
On Windows, some special characters (for example, Ç, à, ∾, ¥, §, Æ) in the filenames of configuration files (.ppf, .paf, and .osc) may result in errors.
Publishing to AppScan Enterprise Server hosted on Windows 2008 fails with a 401 Authentication Denied error
When using systems based on Windows 2008 and Internet Information Services (IIS), with only Windows authentication enabled, attempts to test the connection or publish to AppScan Enterprise Server will fail. Basic authentication and anonymous authentication will also be disabled.
This occurs as a result of a Windows setting described in http://technet.microsoft.com/en-us/library/cc757582(v=ws.10).aspx.
To work around this problem:
- Open the Local Security Policy applet and select .
- Set the Network security: Do not store LAN Manager hash value on next password change entry to Disabled.
- Restart the server.
- Reset your password.
Information about these corrective actions can be found at http://social.technet.microsoft.com/Forums/en/exchangesvrdevelopment/thread/bf62848a-5ce8-49cb-b9f3-d7267dfbd53d.
This workaround assumes that Windows authentication has been configured (see http://technet.microsoft.com/en-us/library/cc757582(v=ws.10).aspx for more information).
Ounce/Ant - java.lang.NoClassDefFoundError when using Ant Version 1.8.1 on Microsoft Windows 7 64-bit
If you receive this error, locate <install_dir>\lib\xercesImpl.jar (where <install_dir> is the location of your AppScan Source installation) and complete one of these tasks:
- Copy the .jar file to the lib directory in your Ant installation.
- Set your class path to <install_dir>\lib so that the .jar file can be located by Ant.
Library id and progid forms of #import are not supported
The Microsoft Visual C++ #import preprocessor directive has several forms. AppScan Source does not support the two forms that use a library id or a progid. Files containing these forms will not be scanned and an error message appears in the Console.
Referenced assemblies must be in the same directory as the assembly being scanned or registered in the Global Assembly Cache (GAC)
AppScan Source can only produce a complete scan of a .NET application when all referenced or dependent assemblies are in the same folder as the assembly being scanned, or registered in the GAC. If your assembly references types defined in assemblies in other places on disk, you may see errors such as this:
Skipping file <assembly_name> due to error: Failed (0x80004005) in <type> call
Referenced assembly <referenced assembly name> was not found.
To fix these errors, copy the referenced assembly to the same directory as the assembly being scanned - or register it in the GAC.
Visual Basic 6 scan requires full function declaration
#if, #else if, and #end if must contain the full declaration of a function. For example:
#If NATIVEBINDING Then
Public Function TemplateFromRule(ByVal Rule As OrgMan.Rule) As AcDir.Template
    Dim oOp As OrgMan.Operation
#Else
Public Function TemplateFromRule(ByVal Rule As Object) As AcDir.Template
    Dim oOp As Object
#End If
    If Rule Is Nothing Then Exit Function
    ' Object references must be assigned with Set in Visual Basic 6
    Set oOp = Rule.Operation
    If oOp Is Nothing Then Exit Function
    TemplateFromRule = BuildTemplate(oOp.Command, Rule.Field, Rule.Value)
End Function
Dialog box and message truncations when running in non-English locales
In AppScan Source, some dialog boxes and messages can be re-sized even though typical Microsoft Windows controls that indicate the ability to resize are not present. If you are running an AppScan Source product graphical user interface on a non-English locale and dialog box and messages contain truncated strings, you may be able to resize the dialog box or message to read the entire contents of the dialog box or message.
Rational Application Developer for WebSphere Software (RAD) Plug-in on Windows 7 must run as administrator
If the installation location or shared resources directory for RAD is in a directory in the path C:\Program Files, then you must run RAD as administrator. To run as administrator, right-click the program shortcut and click Run as administrator. On Windows 7, the Program Files directory is virtualized in order to allow users who are not running as the administrator to have write access to this protected directory. However, the virtualization workaround is not compatible with RAD.
If you selected an installation location or shared resources directory in the path C:\Program Files and do not want to require running RAD as administrator, then complete one of these tasks:
- If you selected an installation location in a directory in the path C:\Program Files, then reinstall RAD (and any other programs sharing the same installation location) and select an installation location that is not in the path C:\Program Files.
- If you selected a shared resources directory in the path C:\Program Files, then reinstall RAD and all Rational Software Development Platform products (regardless of their installation location) and select shared resources directory and installation locations that are not in the path C:\Program Files.
For more information on running RAD on Windows 7, refer to Running version 7.0.0.2 or later Rational Software Development Platform products on Microsoft Windows Vista.
AppScan Source for Development (Visual Studio plug-in) limitations
Any limitations that apply to the AppScan Source for Development (Visual Studio plug-in) are also specific to Windows. Please see AppScan Source for Development (Visual Studio plug-in).
Linux
Nodelocked licenses and Red Hat Enterprise Linux 7.4
IBM-originating nodelocked licenses may not work correctly with Red Hat Enterprise Linux 7.4. Move to HCL-originating nodelocked licenses. Contact HCL Support for additional information.
Uninstalling AppScan Source on Red Hat Enterprise Linux 7.x
On Red Hat Enterprise Linux 7.x, you must restart your system after uninstalling AppScan Source version 9.0.3.x to stop running all AppScan Source processes.
Upgrading AppScan Source without ending all AppScan Source java processes may cause the Remediation Assistance view to fail
If you perform a product upgrade when an AppScan Source java process is still running, the Remediation Assistance view may display an error similar to these after the upgrade:
This page can't be displayed
- Make sure the web address http://<my_host_and_port> is correct.
- Look for the page with your search engine.
- Refresh the page in a few minutes.
or
Error executing query and transform
Before upgrading an AppScan Source installation that includes the AppScan Source for Analysis, AppScan Source for Development (Eclipse plug-in), or AppScan Source for Development (Visual Studio plug-in) components, ensure that there are no AppScan Source java processes running.
IBM Rational Application Development and Remediation Assistance view
When running RHEL 7.3 or higher and IBM Rational Application Developer 9.5 or higher, to view Remediation Assistance properly first install webkitgtk-2.4.9-el7.x86_64.rpm.
Linux Mozilla requirement for Remediation Assistance view
The Remediation Assistance view on Linux requires Mozilla linked against GTK2 or higher. Install Mozilla linked against GTK2 or higher. After acquiring Mozilla, unpack it, and add the environment variable MOZILLA_FIVE_HOME to point to it. For example, if you untar the archive to /usr/local and use the bash shell, add export MOZILLA_FIVE_HOME=/usr/local/mozilla to your ~/.bashrc.
SELinux prevents installation, product activation, and running
Security Enhanced Linux (SELinux) is a Linux feature that provides greater security and access control through the Linux Security Modules of the Linux kernel. It is included with Red Hat Enterprise 5, by default.
- Installation: Installation of AppScan Source is not possible with SELinux in Enforcing mode. SELinux must be changed to Permissive mode. To run SELinux in Permissive mode, issue /usr/bin/system-config-selinux or, if running GNOME, select . You will be prompted for your root password. Select Status in the left pane if it is not already selected. In the right pane, change the Current Enforcing Mode drop-down to Permissive. After setting SELinux to Permissive, run the AppScan Source installation as normal. You may change the SELinux setting back to Enforcing after the installation is complete.
- Product activation: The AppScan Source License Manager cannot be used in Enforcing mode. SELinux must be changed to Permissive mode. To run SELinux in Permissive mode, issue /usr/bin/system-config-selinux or, if running GNOME, select . You will be prompted for your root password. Select Status in the left pane if it is not already selected. In the right pane, change the Current Enforcing Mode drop-down to Permissive. After setting SELinux to Permissive, run the License Manager. You may change the SELinux setting back to Enforcing after product activation is complete.
- Running: The JRE and JDKs that are shipped with AppScan Source will not operate with SELinux in Enforcing mode. However, it is not necessary to disable Enforcing mode because the files that trigger SELinux may be given permission to operate. This is done using the chcon command by issuing chcon -t textrel_shlib_t <filename>. All of the shared object files (.so) under the <installdir>/jre and <installdir>/JDKS directories need to have this command issued against them. This can be performed in a batch fashion using the find command with the exec parameter. For example:
cd /opt/ibm/appscansource/jre
sudo find . -name "*.so" -exec chcon -t textrel_shlib_t {} \; -print
cd ../JDKS
sudo find . -name "*.so" -exec chcon -t textrel_shlib_t {} \; -print
AppScan Source for Analysis and AppScan Source for Development (Eclipse plug-in) component prerequisite on Linux
On Linux, Eclipse requires the installation of a third-party component in order to render browser-based content. Without this component, AppScan Source for Analysis and the AppScan Source for Development (Eclipse plug-in) may exhibit symptoms such as a hang after login or a failure during product use. See the HCL AppScan Source Installation and Administration Guide to learn how to enable browser-based content for these products.
The libstdc++.so.5 GCC library may be required for Red Hat Enterprise Linux Versions 5 and 6
If you need to install Mozilla XULRunner to enable browser-based content on Linux for AppScan Source for Analysis or AppScan Source for Development (Eclipse plug-in) (as described in the product documentation), libstdc++.so.5 is required. In many cases, this library will already be on your machine. If it is not on your machine, you will receive an error message that includes text similar to:
libstdc++.so.5: cannot open shared object file: No such file or directory.
For libstdc++.so.5: If you are a member of the Red Hat network and have up2date, run this command as root to install libstdc++.so.5:
up2date --install compat-libstdc++-33
If you are not a member of the Red Hat network or do not have up2date, you will need to obtain a copy of the compat-libstdc++ RPM from an RPM archive site or obtain libstdc++.so.5 from another source. After it has been installed and placed on your LD_LIBRARY_PATH, you will be able to run the AppScan Source setup binary.
Intermittent shutdown of AppScan Source for Analysis on Linux
To prevent an unexpected shutdown, upgrade Pango. The Pango upgrade may require an upgrade of glib.
Linux - Error launching AppScan Source for Analysis after configuring AppScan Source daemons to run as user other than 'ounce' during installation
The AppScan Source for Analysis installer allows you to configure the AppScan Source daemon processes to run as the default user named 'ounce' or as an existing user.
Workaround: If you do not choose the default user, you must create an eclipse.ini file in the AppScan Source installation directory (for example, /opt/ibm/appscansource) that consists of this line:
-configuration @user.home/.ounceconfig
Scanning source code compiled with older versions of gcc, such as 2.95.4, produces errors
For example, an error such as:
Skipping file: file.cpp due to error: "/home/file.cpp", line 97: error: namespace "std" has
no member "string"
std::string mystring;
may appear.
Workaround: Add the --ignore_std option to the compiler options for the project. This option enables a gcc compatibility feature that makes the std namespace a synonym for the global namespace. In AppScan Source for Analysis, add this option on the Project Dependencies tab of the Properties View for the project. Alternatively, if you use Ounce/Make to create the project file, modify the compiler_options attribute of the GlobalProjectOptions element in the Ounce/Make properties file.
Password required to submit findings to Rational ClearQuest on Linux
When you submit findings to Rational ClearQuest, you cannot log in to Rational ClearQuest if the password is blank.
Workaround: Use the Rational ClearQuest User Administration tool to change the password to be equal to or greater than one character.
Scanning JSP Projects with IBM WebSphere Application Server on Linux
By default, the WebSphere Application Server JSP compiler is only available to administrator (root) users on Linux machines. To run the WebSphere Application Server JSP compiler as a user other than root, your administrator needs to create an additional WebSphere Application Server profile for you according to instructions at IBM Knowledge Center. When creating the profile, the administrator will need to know the login user ID. The administrator will then need to provide you with the new profile name and the path to the profile (for example, profile01 at /opt/IBM/WebSphere7/AppServer/profiles/profile01).
After the profile has been created, you will need to customize the WebSphere JSP Compiler command line used by AppScan Source by following these directions:
- Launch AppScan Source for Analysis.
- Launch from the main workbench menu.
- In the Preferences dialog box, select or , depending on the version of WebSphere Application Server that you are running.
- In the WebSphere Application Server installation directory field, enter or browse for the local directory in which the application server is installed.
- Select the Enable Advanced Configuration Options check box.
- Edit the entry in the WebSphere JSP Compiler Command Line field:
- Replace %JSP_COMPILER_INSTALL_DIR%/bin with <path_to_profile_directory>/bin, where <path_to_profile_directory> is the path to the new profile, as provided by your administrator. For example, replace %JSP_COMPILER_INSTALL_DIR%/bin with /opt/IBM/WebSphere7/AppServer/profiles/profile01/bin.
- Insert -profileName <new_profile> (where <new_profile> is the new profile name, as provided by your administrator) before the -response.file entry.
For example, if the original entry was this:
%CMD_EXE% %CMD_ARGS% '%FILE(%%JSP_COMPILER_INSTALL_DIR%/bin/JspBatchCompiler%BAT%%)%' -response.file ...
It should be changed to this:
%CMD_EXE% %CMD_ARGS% '%FILE(%/opt/IBM/WebSphere7/AppServer/profiles/profile01/bin/JspBatchCompiler%BAT%%)%' -profileName profile01 -response.file ...
- Click OK to save the changes to the preferences.
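The two command-line edits above (the same ones given for the AppScan Source for Analysis section earlier in these notes), applied by a script so the result can be checked before it is pasted into the preferences field. This is an added example, not code from the release notes or from HCL; the only assumptions are that the field still holds the stock template shown above and that the profile path and name are the ones your administrator gave you (profile01 in the example).

```python
"""Rewrite the WebSphere JSP Compiler Command Line entry for a non-root profile.

Step 1: replace %JSP_COMPILER_INSTALL_DIR%/bin with <profile_dir>/bin.
Step 2: insert '-profileName <profile_name>' immediately before -response.file.
The function refuses entries that do not look like the stock template, so an
entry that was already customized by hand is never rewritten a second time.
"""
import re

INSTALL_DIR_TOKEN = "%JSP_COMPILER_INSTALL_DIR%/bin"
# -response.file must be a standalone argument: preceded by whitespace or the
# start of the entry and followed by whitespace or the end of the entry.
RESPONSE_FILE_RE = re.compile(r"(?<!\S)-response\.file(?=\s|$)")

# Stock entry and expected result, copied from the release notes above.
STOCK_ENTRY = (
    "%CMD_EXE% %CMD_ARGS% '%FILE(%%JSP_COMPILER_INSTALL_DIR%/bin/"
    "JspBatchCompiler%BAT%%)%' -response.file ..."
)
CUSTOMIZED_ENTRY = (
    "%CMD_EXE% %CMD_ARGS% '%FILE(%/opt/IBM/WebSphere7/AppServer/profiles/"
    "profile01/bin/JspBatchCompiler%BAT%%)%' -profileName profile01 "
    "-response.file ..."
)


def customize_jsp_compiler_command(entry: str, profile_dir: str, profile_name: str) -> str:
    """Return the entry rewritten for profile_dir/profile_name.

    Raises ValueError if the entry is not the stock template (token missing,
    -profileName already present, or no standalone -response.file argument).
    """
    if INSTALL_DIR_TOKEN not in entry:
        raise ValueError(f"entry does not contain {INSTALL_DIR_TOKEN}")
    if "-profileName" in entry:
        raise ValueError("entry already carries a -profileName option")
    if not profile_name or any(ch.isspace() for ch in profile_name):
        raise ValueError("profile name must be a single non-empty token")

    # Step 1: point the compiler at the bin directory of the new profile.
    profile_bin = profile_dir.rstrip("/") + "/bin"
    updated = entry.replace(INSTALL_DIR_TOKEN, profile_bin)

    # Step 2: insert -profileName <name> before the -response.file argument.
    match = RESPONSE_FILE_RE.search(updated)
    if match is None:
        raise ValueError("entry does not contain a standalone -response.file argument")
    return f"{updated[:match.start()]}-profileName {profile_name} {updated[match.start():]}"


def is_customizable(entry: str) -> bool:
    """True if the entry is still the stock template and can be rewritten."""
    try:
        customize_jsp_compiler_command(entry, "/placeholder/profile", "placeholder")
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    result = customize_jsp_compiler_command(
        STOCK_ENTRY, "/opt/IBM/WebSphere7/AppServer/profiles/profile01", "profile01"
    )
    print(result)
    print("matches release notes:", result == CUSTOMIZED_ENTRY)
```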
macOS
Deprecation of macOS support
As of version 9.0.3.11, AppScan Source no longer supports macOS or iOS Xcode project scanning.
Upgrading AppScan Source without ending all AppScan Source java processes may cause the Remediation Assistance view to fail
If you perform a product upgrade when an AppScan Source java process is still running, the Remediation Assistance view may display an error similar to these after the upgrade:
This page can't be displayed
- Make sure the web address http://<my_host_and_port> is correct.
- Look for the page with your search engine.
- Refresh the page in a few minutes.
or
Error executing query and transform
Before upgrading an AppScan Source installation that includes the AppScan Source for Analysis, AppScan Source for Development (Eclipse plug-in), or AppScan Source for Development (Visual Studio plug-in) components, ensure that there are no AppScan Source java processes running.
Comparing assessments that are generated using different versions of the iOS SDK
If you generate an assessment using one version of the iOS SDK and then use AppScan Source for Analysis to compare it to an assessment of the same code that was generated using a different version of the iOS SDK, identical findings in the assessment will appear to be different. This is a result of internal differences in iOS SDK versions.
In AppScan Source Version 9.0.3.4 and earlier, scanning IBM MobileFirst iOS applications using Xcode 7 results in an error
To work around this issue, edit /Users/Shared/AppScanSource/config/XCodeConfig.xml and locate this line:
<XCodeBuildDryrunCommand command="/usr/bin/xcodebuild
CODE_SIGN_IDENTITY= PROVISIONING_PROFILE= CODE_SIGNING_REQUIRED=NO -project
"%PROJECT_ROOT%" -configuration %CONFIGURATION% -destination
platform=generic/iOS -dry-run build" working_directory="/tmp"
filename="appscan_xcodebuilddryrun_temp_file"
compile_command="/usr/bin/clang"/>
In this line, change -dry-run to clean, so that the line reads:
<XCodeBuildDryrunCommand command="/usr/bin/xcodebuild
CODE_SIGN_IDENTITY= PROVISIONING_PROFILE= CODE_SIGNING_REQUIRED=NO -project
"%PROJECT_ROOT%" -configuration %CONFIGURATION% -destination
platform=generic/iOS clean build" working_directory="/tmp"
filename="appscan_xcodebuilddryrun_temp_file"
compile_command="/usr/bin/clang"/>
This issue does not affect AppScan Source Version 9.0.3.5 and later.
Xcode project import changes
As of AppScan Source Version 9.0.3, header locations and configuration options are determined more accurately when Xcode projects are imported and scanned. This change introduces the use of xcodebuild -dry-run to obtain every file's build configuration, so there may be a pause at the beginning of scans while AppScan Source determines file configurations before proceeding.
Preparing Xcode projects that have dependencies for scanning
In order to scan Xcode projects that have dependencies, the project must be built a single time in Xcode in order to create the dependencies needed by the AppScan Source scanner. For example, if you have an IBM MobileFirst Platform-generated Xcode project, in order to scan the iPhone or iPad environment, or any Xcode project beneath one of those environments, you must build the project for the iOS device in Xcode. This can be accomplished from the command line by executing:
xcodebuild -project <project_dir_name>.xcodeproj -configuration Release
Where <project_dir_name> is the Xcode project path and filename.
If the Xcode project has not been built first, the following types of errors may appear during a scan:
01/11/14 07:33:03 - Scanning /Users/smith/MobileFirst_Apps/
wl_newapps/BasicHybridApp/apps/HybridApp/iphone/native/
Classes/CDVMainViewController.m (1 of 3)
01/11/14 07:33:05 - In file included from /Users/smith/MobileFirst_Apps/
wl_newapps/BasicHybridApp/apps/HybridApp/iphone/native/Classes/
CDVMainViewController.m:14:
In file included from /Users/smith/MobileFirst_Apps/wl_newapps/
BasicHybridApp/apps/HybridApp/iphone/native/Classes/
CDVMainViewController.h:15:
/Users/smith/MobileFirst_Apps/wl_newapps/BasicHybridApp/apps/HybridApp/
iphone/native/MobileFirstSDK/include/MainViewController.h:35:9:
fatal error: 'Cordova/CDVViewController.h' file not found
#import <Cordova/CDVViewController.h>
or
2/06/14 15:19:43 - Scanning /Users/smith/MobileFirst_Apps/
xcodeapps/WLMarkupTest-1.0-iphone/Classes/
CDVMainViewController.m (1 of 3)
02/06/14 15:19:45 - In file included from /Users/smith/MobileFirst_Apps/
xcodeapps/WLMarkupTest-1.0-iphone/Classes/CDVMainViewController.m:14:
In file included from /Users/smith/MobileFirst_Apps/xcodeapps/
WLMarkupTest-1.0-iphone/Classes/CDVMainViewController.h:15:
/Users/smith/MobileFirst_Apps/xcodeapps/WLMarkupTest-1.0-iphone/
MobileFirstSDK/include/MainViewController.h:41:63: error: expected ':'
- (BOOL) execute:(CDVInvokedUrlCommand*)command CDV_DEPRECATED
(2.2, "Use direct method calls instead, this is now a no-op");
Using 64-bit Eclipse on macOS: Warning: [options] bootstrap class path not set in conjunction with -source 1.6
This message can occur when scanning from a 64-bit Eclipse IDE using the AppScan Source for Development Eclipse plug-in when the contents of the class path and the default JDK in Eclipse do not match.
To work around this issue:
1. Choose from the main menu.
2. If your workspace contains more than one project, the Choose Projects dialog box will open. In this dialog box, select the project to configure and then click OK.
3. Set the JDK to use for scanning this project to IBM JDK 1.7. Click OK to close the dialog box and re-scan the application.
On macOS, manual steps are required to operate in FIPS 140-2 mode
On Windows and Linux platforms that are supported by AppScan Source, AppScan Source supports Federal Information Processing Standard (FIPS) Publication 140-2. On macOS platforms that are supported by AppScan Source, manual steps are needed to operate in FIPS 140-2 mode. These are described in Operating AppScan Source in FIPS 140-2 mode on OS X.
Silent installation of fix packs is not supported on macOS
If you attempt to run a silent installation of an AppScan Source fix pack on macOS, the installation will abort.
Objective-C language support limitation
Not all GNU extensions are supported. For example, vectors are not supported.
Additional information
Enhanced and new functionality in AppScan Source Version 9.0.3.14
- IBM AppScan Source is now HCL AppScan Source
  In mid-2019, HCL Technologies acquired the AppScan family of products from IBM, including AppScan Enterprise, AppScan Standard, AppScan Source, and AppScan on Cloud. All AppScan products are now owned, developed, and promoted by HCL Software. All licenses, logos, naming conventions, and other intellectual and/or branding rights are owned by HCL. As such, all AppScan products have been rebranded to reflect this ownership and its new phase of development and growth.
- Introducing HCL Licensing for HCL AppScan Source
  As part of the transition from IBM to HCL, HCL is introducing HCL-centric license packages for the AppScan family of products. AppScan Enterprise, AppScan Standard, and AppScan Source use a local FlexLM license server, authenticating via a proxy server; AppScan on Cloud uses a market-leading customer identity and access management (CIAM) system from Okta.
  Note: AppScan products will continue to support existing IBM licenses until further notice.
- AppScan Source now supports Apex scanning
- AppScan Source now supports Eclipse 4.13
- AppScan Source now supports Ruby scanning
- AppScan Source now supports Visual Studio 2017 plugin
- AppScan Source now supports Visual Studio 2019 plugin
For additional information on system requirements, and scanning and plugin support, see HCL AppScan Source system requirements or contact HCL Support.
Capabilities nearing end-of-life in AppScan Source Version 9.0.3.14
- Custom findings
- Quality metrics
- Email/settings
- RSS feed
- Application attributes
  Use AppScan Enterprise to store application information.
- Defect tracking system integration
  Use the AppScan Issues gateway to integrate from an AppScan Enterprise level.
Capabilities and features no longer supported in AppScan Source version 9.0.3.14
As of version 9.0.3.11, AppScan Source no longer supports macOS or iOS Xcode project scanning.
AppScan Source is a 32-bit application. macOS 10.14 (Mojave) is the last Mac operating system version that will support 32-bit applications.
You can continue to use AppScan Source version 9.0.3.10 and earlier on Mac operating systems up to and including 10.12.
Documentation
Information about AppScan Source documentation can be found at Where to find documentation for AppScan Source.
Obtaining Technical Support
Information about obtaining technical support for this product is available at https://support.hcltech.com/csm?id=csm_index.
The product website is located at https://www.hcl-software.com/wps/portal/products/appscan.
Copyright
(C) Copyright HCL Technologies Limited and its licensors 2019. All Rights Reserved.
HCL, HCL Technologies Limited, HCL Software, the HCL logo, hcl.com®, hcltech.com, and AppScan are trademarks or registered trademarks of HCL Technologies Limited, registered in many jurisdictions worldwide. Rational, Rational Team Concert, WebSphere and ClearQuest are trademarks or registered trademarks of IBM Corp. Other product and service names might be trademarks of HCL or other companies. A current list of HCL trademarks is available on the web at Copyright and trademark information at http://www.hcltech.com/disclaimer. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Microsoft, Windows, Windows NT™ and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries or both. Unix is a registered trademark of The Open Group in the United States and other countries. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
This program includes: JacORB 2.3.0, Copyright 1997-2006 The JacORB project; and XOM 1.0d22, Copyright 2003 Elliotte Rusty Harold, each of which is available under the GNU Library General Public License (LGPL), a copy of which is available in the Notices file that accompanied this program.