Description
HCL AppScan on Cloud (ASoC) is a SaaS solution for all application security testing needs. It consolidates all HCL security testing capabilities into a single service that provides a uniform experience for all technologies. HCL Security ASoC can scan web, mobile, and desktop applications using dynamic and static techniques.
Quick Info
Image | Uploaded | Pull Command |
---|---|---|
ucv-ext-asoc:3.0.16.tar | 15-Dec-2022 14:08 | docker pull hclcr.io/accelerate/ucv-ext-asoc:3.0.16 |
ucv-ext-asoc:3.0.12.tar | 13-Sep-2022 06:17 | docker pull hclcr.io/accelerate/ucv-ext-asoc:3.0.12 |
ucv-ext-asoc:3.0.11.tar | 07-Jul-2022 04:37 | docker pull hclcr.io/accelerate/ucv-ext-asoc:3.0.11 |
ucv-ext-asoc:3.0.9.tar | 24-May-2022 05:47 | docker pull hclcr.io/accelerate/ucv-ext-asoc:3.0.9 |
ucv-ext-asoc:3.0.5.tar | 28-Jan-2022 16:57 | docker pull hclcr.io/accelerate/ucv-ext-asoc:3.0.5 |
ucv-ext-asoc:3.0.1.tar | 25-Aug-2021 08:38 | docker pull hclcr.io/accelerate/ucv-ext-asoc:3.0.1 |
ucv-ext-asoc:2.0.1.tar | 03-Aug-2021 08:48 | docker pull hclcr.io/accelerate/ucv-ext-asoc:2.0.1 |
ucv-ext-asoc:1.0.24.tar | 02-Jul-2021 07:22 | docker pull hclcr.io/accelerate/ucv-ext-asoc:1.0.24 |
ucv-ext-asoc:1.0.23.tar | 03-May-2021 13:40 | docker pull hclcr.io/accelerate/ucv-ext-asoc:1.0.23 |
Summary
The HCL AppScan on Cloud (ASoC) plugin allows for integration with the HCL Application Security on Cloud server. This plugin uses the Application Security on Cloud REST interface to interact with the HCL Application Security on Cloud application. Data is gathered from the Application Security on Cloud server and displayed as a graphical view in the HCL Accelerate portfolio.
History
The following table describes the changes made in each plugin version.
Version | Description |
---|---|
3.0.5 | User Access Key Related Changes. |
2.0.1 | Syncs historic data from ASoC. Also webhook support enabled. Note: This is a breaking change as the endpoint method changes from 'POST' to 'GET'. |
1.0.24 | Proxy support added |
1.0.18 | Bug fix |
Usage
To use the HCL AppScan on Cloud plugin, the plugin must be loaded and an instance created before you can configure the plugin integration. You define configuration properties in the user interface or in a JSON file.
Integration type
The HCL AppScan on Cloud plugin supports endpoint integration which is listed in the following table.
Name | Path | Method |
---|---|---|
ASoC Scan | asocScan | GET (version 2.0.1 and above); POST (before version 2.0.1) |
The following picture shows the endpoint after the integration is defined in Accelerate:
Notes
The following two features are available from version 2.0.1 and above of the plugin:
- The plugin imports historical scan data from ASoC.
  - To sync or import the historical scan data into Accelerate, update the 'ASoC applications' field in the plugin configuration with the application names in ASoC. The plugin then pulls all scan data to date for those applications.
- The plugin supports ASoC webhooks.
  - The plugin endpoint can be defined as a webhook in ASoC. When ASoC invokes the webhook after every scan execution, the plugin runs and imports the scan data into Accelerate.
  - If the ASoC scan is invoked through the REST API, pass the build URL as the 'Comment' field, as shown in the example below. This lets the plugin import the build URL and associate the scan result with that specific build in Accelerate. If the scan is invoked from the ASoC UI, this feature is not available, but it is expected to become available in the UI soon as well.

    ```shell
    curl --location --request POST 'https://cloud.appscan.com/api/v2/Scans/MobileAnalyzer' \
      --header 'Content-Type: application/x-www-form-urlencoded' \
      --header 'Authorization: Bearer bearer-token-goes-here' \
      --data-urlencode 'ApplicationFileId=file-id-goes-here' \
      --data-urlencode 'ScanName=scan-name-goes-here' \
      --data-urlencode 'AppId=ASoC-AppId-goes-here' \
      --data-urlencode 'Execute=true' \
      --data-urlencode 'Comment=https://build-url-goes-here'
    ```

  - To use the webhook, the AppScan Presence software must be installed on the machine where Accelerate is running. Refer to this ASoC page for details: https://help.hcltechsw.com/appscan/ASoC/asp_scanning.html
  - The following is an example of creating a webhook in ASoC:

    ```shell
    curl --location --request POST 'https://cloud.appscan.com/api/V2/Webhooks' \
      --header 'Content-Type: application/x-www-form-urlencoded' \
      --header 'Authorization: Bearer bearer-token-value-goes-here' \
      --data-urlencode 'PresenceId=presence-id-goes-here' \
      --data-urlencode 'Uri=plugin-endpoint-goes-here?ScanExecutionId={SubjectId}' \
      --data-urlencode 'Event=ScanExecutionCompleted' \
      --data-urlencode 'Global=true'
    ```
The following example shows how to invoke the plugin endpoint without a webhook, for example from curl, Postman, or a step in a CI/CD pipeline.
Send an HTTP GET request (POST if using versions lower than 2.0.1) to your endpoint, such as the following sample:
https:///pluginEndpoint//asocScan
The payload for the POST is shown below:

```json
{"scanId": "", "buildUrl": ""}
```
Name | Description |
---|---|
scanId | The scan ID of the scan run in ASoC. It is a mandatory field and is needed to render the scan results in Insights. |
buildUrl | The build URL from Jenkins or any other CI/CD tool. It is an optional field which links the ASoC scan results with VSM |
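The endpoint can be reached in two shapes: ASoC's webhook call, which puts the scan execution ID in the query string through the {SubjectId} placeholder, and a direct call that carries scanId and buildUrl. The following added example (not the plugin's own code) shows the input validation a receiver of such calls should perform before trusting either field. It assumes that a direct GET passes scanId and buildUrl as query parameters with those names, that scan IDs contain only letters, digits and hyphens, and it uses a made-up host, integration ID and scan IDs.

```python
"""Validate an incoming call to the asocScan plugin endpoint (added example)."""
import json
import re
from urllib.parse import parse_qs, urlparse

# Assumption: ASoC scan IDs contain only letters, digits and hyphens (GUID-like).
SCAN_ID_RE = re.compile(r"^[A-Za-z0-9-]{1,64}$")


class EndpointError(ValueError):
    """Raised when a request cannot be mapped to a scan in ASoC."""


def validate_build_url(url):
    """buildUrl is optional, but when present it must be an absolute http(s)
    URL: Accelerate stores it and renders it as a link to the build."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise EndpointError(f"buildUrl must be an absolute http(s) URL, got {url!r}")
    return url


def parse_endpoint_request(method, url, body=None):
    """Return {'scanId': ..., 'buildUrl': ...} for a valid request, else raise.

    Webhook form: ?ScanExecutionId=<id> in the query string.
    Direct form:  scanId/buildUrl as query parameters on a GET (plugin 2.0.1+)
                  or as a JSON object in the body of a POST (earlier versions).
    """
    if method not in ("GET", "POST"):
        raise EndpointError(f"unsupported method {method}")
    # Query parameters may appear on either form; keep the first value of each.
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items() if v}
    if method == "POST":
        if body is None:
            raise EndpointError("POST request without a JSON body")
        try:
            payload = json.loads(body)
        except json.JSONDecodeError as exc:
            raise EndpointError(f"malformed JSON body: {exc.msg}") from None
        if not isinstance(payload, dict):
            raise EndpointError("JSON body must be an object")
        # Body values take precedence over query parameters of the same name.
        params.update({k: v for k, v in payload.items() if isinstance(v, str)})
    # Direct callers send scanId; the webhook definition sends ScanExecutionId.
    scan_id = (params.get("scanId") or params.get("ScanExecutionId") or "").strip()
    if not scan_id:
        raise EndpointError("scanId is mandatory")
    if not SCAN_ID_RE.match(scan_id):
        raise EndpointError(f"scanId has unexpected characters: {scan_id!r}")
    build_url = params.get("buildUrl", "").strip() or None
    if build_url is not None:
        validate_build_url(build_url)
    return {"scanId": scan_id, "buildUrl": build_url}


# Constructed sample requests: host, integration ID and scan IDs are made up.
ENDPOINT = "https://accelerate.example/pluginEndpoint/integration-1/asocScan"
SAMPLE_REQUESTS = [
    ("GET", ENDPOINT + "?ScanExecutionId=a1b2c3d4-0000-4000-8000-000000000001", None),
    ("GET", ENDPOINT + "?scanId=a1b2c3d4-0000-4000-8000-000000000002"
            "&buildUrl=https%3A%2F%2Fjenkins.example%2Fjob%2Fapp%2F42%2F", None),
    ("POST", ENDPOINT, '{"scanId": "a1b2c3d4-0000-4000-8000-000000000003", '
                       '"buildUrl": "https://jenkins.example/job/app/43/"}'),
    ("POST", ENDPOINT, '{"scanId": "", "buildUrl": ""}'),           # template left unfilled
    ("POST", ENDPOINT, '{"scanId": "a1b2c3d4-0000-4000-8000-000000000004", '
                       '"buildUrl": "job/app/44"}'),                 # relative URL rejected
]


def check_samples(requests=SAMPLE_REQUESTS):
    """Run every sample through the parser and return one result string each."""
    results = []
    for method, url, body in requests:
        try:
            results.append(f"ok {parse_endpoint_request(method, url, body)}")
        except EndpointError as exc:
            results.append(f"rejected: {exc}")
    return results


if __name__ == "__main__":
    for line in check_samples():
        print(line)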
The following picture shows the ASoC scan results in the Insights section of Accelerate.
Integration
There are two methods to integrate the plugin:
- Using the user interface
- Using a JSON file
The tables in the Configuration properties topic describe the properties used to define the integration.
Using the user interface
- From the Plugins page, click Settings > Integrations > Plugins.
- Under the Action column for the plugin, click Add Integration.
- On the Add Integration page enter values for the fields used to configure the integration and define communication.
- Click Save.
Using a JSON file
The JSON file contains the information for creating a value stream. Within the JSON file is a section for integrations. It is in this section that plugin properties can be defined.
- From a value stream page, download the value stream map. The value stream map is a JSON file used to define integrations.
- Edit the JSON file to include the plugin configuration properties.
- Save and upload the JSON file. This replaces the current JSON file with the new content.
- View the new integration on the Integrations page.
Minimum permission to integrate with HCL AppScan on Cloud (ASoC)
The HCL AppScan on Cloud (ASoC) Account used to generate the token must have access to the project which is being integrated with HCL Accelerate.
Configuration Properties
The following tables describe the properties used to configure the integration. Each table contains the field name when using the user interface and the property name when using a JSON file.
- The General Configuration Properties table describes configuration properties used by all plugin integrations.
- The HCL AppScan on Cloud Configuration Properties table describes the configuration properties that define the connection and communications with the HCL Accelerate server. When using the JSON method to integrate the plugin, these properties are coded within the properties configuration property.
Some properties might not be displayed in the user interface; to see all properties, enable the Show Hidden Properties field.
General Configuration Properties
Name | Description | Required | Property Name |
---|---|---|---|
NA | The version of the plugin that you want to use. To view available versions, click the Version History tab. If a value is not specified, the version named latest is used. | No | image |
Integration Name | An assigned name to the value stream. | Yes | name |
Logging Level | The level of Log4j messages to display in the log file. Valid values are: all, debug, info, warn, error, fatal, off, and trace. | No | loggingLevel |
NA | List of plugin configuration properties used to connect and communicate with the HCL AppScan on Cloud server. Enclose the properties within braces. | Yes | properties |
NA | The name of the tenant. | Yes | tenant_id |
NA | Unique identifier assigned to the plugin. The value for the HCL AppScan on Cloud plugin is ucv-ext-asoc. | Yes | type |
HCL AppScan on Cloud Configuration Properties
Name | Type | Description | Required | Property Name |
---|---|---|---|---|
Key ID | String | The key ID to authenticate with the Application Security on Cloud server. | Yes | keyId |
URL | String | The URL of the Application Security on Cloud server. | Yes | asocUrl |
Key Secret | Secure | The key secret to authenticate with the Application Security on Cloud server. | Yes | keySecret |
HCL Accelerate Access Key | Secure | The user access key to authenticate with the HCL Accelerate server. | Yes | ucvAccessKey |
ASoC Applications | Array | Comma-separated list of application names in ASoC, for example: App1, App2. | No | applications |
JSON code sample
The following sample code can be used as a template to define the integration within the JSON file for a value stream. Copy and paste the template into the JSON file Integration section and make the appropriate changes.
```json
"integrations": [
  {
    "type": "asocPlugin",
    "tenant_id": "",
    "name": "",
    "properties": {
      "ucvAccessKey": "",
      "keyId": "",
      "keySecret": "",
      "asocUrl": "",
      "applications": ""
    }
  }
]
```
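Because the value stream JSON is edited by hand and uploaded whole, a mistake in one integration entry is easy to miss. The following added example (not part of the plugin or of HCL Accelerate) checks an entry against the two property tables above: required fields present and non-empty, loggingLevel one of the listed Log4j levels, asocUrl using https, and the applications field accepted either as the comma-separated string the UI uses or as a JSON list. The sample document, its tenant ID and its credential values are constructed and do not work against any real service.

```python
"""Check value stream integration entries against the documented property tables
(added example). The sample document and key values below are constructed."""
import json

GENERAL_REQUIRED = ("type", "tenant_id", "name", "properties")
PLUGIN_REQUIRED = ("ucvAccessKey", "keyId", "keySecret", "asocUrl")
PLUGIN_OPTIONAL = ("applications",)
LOG_LEVELS = {"all", "debug", "info", "warn", "error", "fatal", "off", "trace"}


def normalise_applications(value):
    """The UI field is a comma-separated list ('App1, App2'); accept that, a JSON
    list, or an empty value, and return a clean list of application names."""
    if value is None or value == "":
        return []
    if isinstance(value, str):
        items = value.split(",")
    elif isinstance(value, list):
        items = value
    else:
        raise TypeError("applications must be a string or a list")
    return [str(item).strip() for item in items if str(item).strip()]


def validate_integration(entry):
    """Return a list of problems with one 'integrations' entry (empty list = OK)."""
    problems = []
    for key in GENERAL_REQUIRED:
        if not entry.get(key):  # missing, None or empty string
            problems.append(f"{key} is required and must not be empty")
    level = entry.get("loggingLevel")
    if level is not None and str(level).lower() not in LOG_LEVELS:
        problems.append(f"loggingLevel {level!r} is not a valid Log4j level")
    props = entry.get("properties")
    if not isinstance(props, dict):
        return problems  # missing properties block already reported above
    for key in PLUGIN_REQUIRED:
        if not props.get(key):
            problems.append(f"properties.{key} is required and must not be empty")
    url = props.get("asocUrl")
    if url and not str(url).lower().startswith("https://"):
        problems.append("properties.asocUrl should use https: the key secret is sent to it")
    try:
        normalise_applications(props.get("applications"))
    except TypeError as exc:
        problems.append(f"properties.applications: {exc}")
    for key in sorted(set(props) - set(PLUGIN_REQUIRED) - set(PLUGIN_OPTIONAL)):
        problems.append(f"properties.{key} is not a documented property")
    return problems


def validate_value_stream(text):
    """Parse a whole value stream JSON document; map each integration to its problems."""
    doc = json.loads(text)
    return {entry.get("name") or f"#{i}": validate_integration(entry)
            for i, entry in enumerate(doc.get("integrations", []))}


# Constructed value stream: the documentation's template left unfilled, followed
# by a filled-in entry whose tenant ID and credentials are fake placeholders.
SAMPLE_VALUE_STREAM = """{
  "integrations": [
    {
      "type": "asocPlugin", "tenant_id": "", "name": "",
      "properties": {"ucvAccessKey": "", "keyId": "", "keySecret": "",
                     "asocUrl": "", "applications": ""}
    },
    {
      "type": "asocPlugin", "tenant_id": "tenant-0001", "name": "asoc-prod",
      "loggingLevel": "info",
      "properties": {"ucvAccessKey": "FAKE-ACCELERATE-KEY", "keyId": "FAKE-KEY-ID",
                     "keySecret": "FAKE-KEY-SECRET",
                     "asocUrl": "https://cloud.appscan.com",
                     "applications": "App1, App2"}
    }
  ]
}"""

if __name__ == "__main__":
    for name, problems in validate_value_stream(SAMPLE_VALUE_STREAM).items():
        print(name, "OK" if not problems else "")
        for problem in problems:
            print("  -", problem)
```

Both keySecret and ucvAccessKey live in clear text in this file once it is filled in, so the downloaded value stream map should be handled as a credential file rather than committed alongside ordinary pipeline configuration.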