HCL AppScan Source
  • HCL® AppScan® Source V9.0.3.14 documentation
  • Security AppScan Source -- MacOS

    HCL® AppScan® Source delivers maximum value to every user in your organization who plays a role in software security. Whether a security analyst, quality assurance professional, developer, or executive, the AppScan Source products deliver the functionality, flexibility, and power you need - right to your desktop.

    • Overview

      Learn general information about the product.

    • Installing

      Learn how to install the product.

    • Configuring

      Learn how to configure the product.

    • Administering

      Learn how to administer the product.

    • Developing

      Learn how to develop by using the product.

      • Scanning source code and managing assessments

        This section explains how to scan your source code and manage assessments.

      • Triage and analysis

        Grouping similar findings allows security analysts or IT auditors to segment and triage source code problems. This section explains how to triage AppScan® Source assessments and analyze results.

        • Displaying findings

          The Findings view, or any view with findings, displays a findings tree (a hierarchical grouping of assessment criteria) and a findings table for each scan. The item that is selected in the findings tree determines the findings that are presented in the table.

        • The AppScan Source triage process

          The triage process includes manipulating findings through bundles, filters, and exclusions - and comparing assessment results.

        • Triage with filters

          AppScan® Source for Analysis reports on all potential security vulnerabilities and may produce many thousands of findings for a medium to large code base. When you scan, you may find that the findings list contains items that are not important to you. To remove certain findings from the Findings view, you can choose a predefined filter or you can create your own filter. A filter specifies the criteria that determine which findings to remove from view.

        • Triage with exclusions

          After a scan, you may decide that some findings are irrelevant to your current work, and you do not want them visible in the findings table when you triage the scan results. These exclusions (or excluded findings) no longer appear in the Findings view and the assessment metrics update immediately with the changed results. Filter and bundle exclusions added to a configuration only take effect on subsequent scans.

        • Triage with bundles

          Bundles (a grouping mechanism for findings) allow you to import a snapshot of findings from AppScan® Source for Analysis to AppScan Source for Development. Once findings are in bundles, you can use AppScan Source for Development to open the project that contains the bundle, import the bundle, or open a saved bundle file (file_name.ozbdl).

        • Modifying findings

          Modified findings are findings that have changed vulnerability types, classifications, or severities - or that have annotations. The Modified Findings view displays these findings for the current application (the application that is active as a result of opening an assessment for it). In the My Assessments view (available only in AppScan® Source for Analysis), the Modified column indicates if a finding has changed in the current assessment.

          • Making modifications from a findings table

            You may want to modify findings via a findings table if you will be making the same changes to multiple files. If you will be modifying an individual finding, use a findings table or the Finding Detail view.

            • Changing the vulnerability type

              Vulnerability types can be changed for individual findings or a group of findings.

            • Promoting finding classifications

              A finding with a classification of suspect security finding or scan coverage finding can be promoted to a definitive finding.

            • Modifying severity

              Selecting a new severity level changes the severity for each selected finding. For example, AppScan® Source might report that an API is of medium severity, but your corporate policy identifies it as more severe. You can modify the severity to meet your requirements, but note that the modification is not reflected in AppScan Source remediation assistance.

            • Annotating findings

              Notes can be used as reminders for you to take further action on a finding - or to convey information about the finding to someone else. You can add a note to a single finding or to a group of findings.

          • Modifying findings in the Finding Detail view

          • Removing finding modifications

            If you have modified findings, you can remove the modifications (revert back to original values) using the methods described in this topic.

        • Comparing findings

          Assessments are compared using the Diff Assessments action. When two assessments are compared, the differences between the two are displayed in the Assessment Diff view. This view displays new, fixed/missing, and common findings.

        • Custom findings

          To augment your analysis results, you can create custom findings. These are user-created findings that AppScan® Source for Analysis adds to the currently open assessment or selected application. Custom findings impact assessment metrics and can be included in reports. Once created, a custom finding is automatically included in future scans of the application.

        • Resolving security issues and viewing remediation assistance

          AppScan® Source alerts you to security errors or common design flaws and assists in the resolution process. The AppScan Source Security Knowledgebase - and internal or external code editors - help with this process.

        • Supported annotations and attributes

          Some annotations or attributes that are used to decorate code are processed during scans. When a supported annotation or attribute is found in your code during a scan, the information is used to mark the decorated method as a tainted callback. A method marked as a tainted callback is treated as if all of its arguments have tainted data. This results in more findings with traces. Supported annotations and attributes are listed in this help topic.

      • AppScan Source trace

        With AppScan® Source trace, you can verify input validation and encoding that meets your software security policies. You can look at the findings that produce input/output traces and mark methods as validation and encoding routines, sources or sinks, callbacks, or taint propagators.

      • AppScan Source for Analysis and defect tracking

        AppScan® Source for Analysis integrates with defect tracking systems (IBM® Rational Team Concert™) to deliver confirmed software vulnerabilities directly to the developer desktop. A defect submitted to a defect tracking system contains a textual description of the bug and a file that contains only the findings submitted with the defect.

      • Finding reports and audit reports

        Security analysts and risk managers can access reports of select findings or a series of audit reports that measure compliance with software security best practices and regulatory requirements. This section explains how to create reports of aggregate finding data.

      • Creating custom reports

        In the Report Editor, you create report templates used to generate custom reports.

    • Extending product function

      Learn how to extend the product.

    • Reference

      Review reference information for the product.

    • Glossary

      Learn common product terminology.

    • HCL AppScan Source for Development (Eclipse Plug-In)

      With AppScan® Source for Development, you can work in your existing development environment and perform security vulnerability analysis on Java and IBM® MobileFirst Platform projects. Security analysis lets you pinpoint vulnerabilities in the source code and eliminate them entirely with AppScan Source Security Knowledgebase remediation assistance.

Making modifications from a findings table

You may want to modify findings via a findings table if you will be making the same changes to multiple files. If you will be modifying an individual finding, use a findings table or the Finding Detail view.

  • Changing the vulnerability type
  • Promoting finding classifications
  • Modifying severity
  • Supported annotations and attributes