Considerations to scan an application code
When you want to use HCL OneTest™ Server to run a scan of the application code for security vulnerabilities, you must read the considerations that you must take into account and complete certain tasks.
Before you can run a scan of the application code on HCL OneTest™ Server, you must have completed
the following tasks:
- Created a file that has the following characteristics:
- The format of the file must be yaml.
- The name must be .codesweep.
- Committed the following assets or resources to the remote repository:
- The .codesweep file.
- The application code can either be in the root directory or another
folder in the root directory.Note: The default root directory is the directory that contains the .codesweep file.
You can specify the following information in the .codesweep file:
- The name of the asset that must be displayed as the test asset in the Execution page of HCL OneTest™ Server. The name must be specified at the first level in the file as the value of the name attribute.
- Optionally, the name of folders that contain the application code.
All files and folders in the root directory are scanned as the default action, if no files or folders are specified under the folders attribute.
You can specify the files or folders to scan by using any of the following options:- Specify the files or folders by using an XML file that is in the same format as the HCL AppScan IRX file.
- Specify the files or folders in the .codesweep
file under the includes or
excludes attributes under the
folders attribute.
- Optionally, you can specify the name of files or folders that must be included in the scan. You must specify the files or folders as the value of the includes attribute under the folders attribute.
- Optionally, you can specify the name of files or folders that contain the application code that need not be scanned. You must specify the files or folders as the value of the excludes attribute under the folders attribute.
Note: You cannot use wildcard characters to indicate the files or folders anywhere in the .codesweep file.
- Optionally, you can specify the rules that are to be ignored in the scan. You
can specify the rules by using any of the following options:
- Specify a file, which is a copy of ~/appscan/custom_scanners_service_ignore.json that is created by the CodeSweep plugin for Visual Studio. With this method, you can reuse the preferences that you have configured in your development environment.
- Specify a list of rules. Each rule is defined by a name and a language identifier.
- Optionally, you can specify the criteria for attributes and their values that specify the verdict of the scan and the range for the security errors in the code.
For example, you can consider the following details:
The contents of the .codesweep file is as
follows:
Where... | Is... |
---|---|
The name of the asset that is to be displayed on the Execution page | mycode |
The folder that contains the code to be scanned | use_code |
The folder that contains the code that is to be excluded in the scan | do_not_use_code |
The value of the attribute Verdict | |
The range for the security errors is classified as follows:
|
The conditions for a pass verdict are as follows:
|
name: mycode
folders: # default=./ , Optional
configuration: configuration.xml # XML Configuration file, Optional
includes: # list of folders to include, Optional
- use_code
excludes: # list of folders to exclude, Optional
- do_not_use_code
ignore: # Ignore rules, Optional
file: custom_scanners_service_ignore.json # json file coming from visual code, Optional
rules: #list of rules to ignore, Optional
- name: com.ouncelabs.languagelite.nodejs.Rules.NodeJS_PrivateDataExposedviaHTTPURL # Name, Required
language: NodeJS # Language, Required
- name: com.ouncelabs.languagelite.nodejs.Rules.NodeJS_PrivateDataExposedviaHTTP # Name, Required
language: NodeJS # Language, Required
verdict: # PASS verdict, Optional
max-high: 0 # default=0, Optional
max-medium: 10 # default=0 , Optional
max-low: 100 # default=-1 (no limit), Optional
You can continue to configure a run of a scan of the code, see Configuring a run to scan the application code.
Restriction: You cannot run the test assets
on a remote Docker host.