Description

HCL AppScan on Cloud (ASoC) is an application security offering that allows you to scan on-prem, web, and mobile applications for security vulnerabilities. The plugin allows you to run all supported types of scans and manage ASoC presences. Presences allow you to run scans on apps that are not connected to the internet or that require a proxy server to make a connection.
HCL Launch can process the output of the ASoC plugin and treat the build accordingly.
If your build was deployed successfully to a lower-level environment but failed the Dynamic ASoC scan with high severity issues, HCL Launch will automatically roll back to the last deployed version and mark the build with a status indicating there are problems. If ASoC identifies lesser severity issues in your build, HCL Launch will attach a deployment warning to it but leave it installed on the target machines. And if ASoC spots no major issues, HCL Launch will give that version an app status that signifies it has passed all AppScan scans. In other words, HCL Launch creates environment gates that can prevent deployments to Prod or other high-level environments if the build does not pass AppScan approval.
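The gate behaviour described above, written out as a small JavaScript decision function. This is an added example, not code from the plugin or from HCL Launch; it assumes the scan step exports its issue counts as string output properties named `highIssueCount`, `mediumIssueCount`, `lowIssueCount` and `informationalIssueCount` (the page states only that such counts are set, not their names). Unreadable counts fail closed, which is the check a practitioner wants in a gate.

```javascript
// Added example: environment-gate decision over ASoC scan issue counts.
// Output property names are assumptions; the page does not list them.
const SEVERITIES = ["high", "medium", "low", "informational"];

// Step output properties arrive as strings. Parse each count into a
// non-negative integer; return null if any is missing or malformed so the
// caller can fail closed rather than treat a bad value as zero issues.
function parseIssueCounts(props) {
  const counts = {};
  for (const sev of SEVERITIES) {
    const raw = props[sev + "IssueCount"];
    if (raw === undefined || raw === null) return null;
    const n = Number(String(raw).trim());
    if (!Number.isInteger(n) || n < 0) return null;
    counts[sev] = n;
  }
  return counts;
}

// Mirrors the three outcomes described on this page:
//   any high-severity issue -> "rollback" (revert to last deployed version)
//   only lesser issues      -> "warn"     (stays deployed, flagged)
//   no issues at all        -> "pass"     (AppScan-approved status)
// Whether informational findings should warn is a policy choice; here any
// non-high finding warns. Unparseable counts also roll back (fail closed).
function gateDecision(props) {
  const counts = parseIssueCounts(props);
  if (counts === null) return "rollback";
  if (counts.high > 0) return "rollback";
  if (counts.medium + counts.low + counts.informational > 0) return "warn";
  return "pass";
}

// Constructed sample output properties from four hypothetical scans.
const SAMPLES = {
  blocked: { highIssueCount: "2", mediumIssueCount: "5",
             lowIssueCount: "1", informationalIssueCount: "0" },
  flagged: { highIssueCount: "0", mediumIssueCount: "3",
             lowIssueCount: "0", informationalIssueCount: "4" },
  clean:   { highIssueCount: "0", mediumIssueCount: "0",
             lowIssueCount: "0", informationalIssueCount: "0" },
  broken:  { highIssueCount: "0", mediumIssueCount: "n/a",
             lowIssueCount: "0", informationalIssueCount: "0" },
};

for (const [name, props] of Object.entries(SAMPLES)) {
  console.log(name + ": " + gateDecision(props));
}
```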
See Installing plugins in HCL Launch for installing and removing plugins.
The following table describes the changes made in each plugin version.
| Version | Description |
|---|---|
| 12 | Updated to the new ASoC domain cloud.appscan.com. |
| 11 | Set high, medium, low, and informational issue count output properties on the dynamic scan. |
| 9 | Remove the old deprecated projectLocation and workspaceScheme fields from the Start iOS Scan step (ipaFileLocation already replaced them). |
| 8 | Add testPolicy to the Start Dynamic Analyzer ASoC Scan step. Migrate the Start iOS Analyzer ASoC Scan step from working with the IPAX generator to working with an .ipa file. |
| 7 | Add the step Start iOS Analyzer ASoC Scan. |
| 6 | Rename the step "Start Mobile Analyzer Scan" to Start Android Mobile Analyzer ASoC Scan. |
| 5 | Rename the plugin from Application Security Testing (Smartcloud Exchange) to IBM Application Security on Cloud and add support for running DAST (Domain Verification not supported) and SAST scans. |
| 4 | Upgrade to http-builder-0.7.2-uc.jar, and change the portal domain from appscan.bluemix.net to appscan.ibmcloud.com. |
| 3 | Change the portal domain from appscan.ibmcloud.com to appscan.bluemix.net (and add the hidden experimental feature PSS). |
| 2 | Migrate internal logic to work with the cloud V2 APIs. |
| 1 | Initial release of the plugin. |
HCL Launch AppScan Enterprise – Process Steps
HCL Launch has a free installable plugin for AppScan on Cloud. This plugin includes steps to do each of the following on the AppScan server:
- Create ASoC Presence
- Delete ASoC Presence
- Start ASoC Presence
- Start Android Mobile Analyzer ASoC Scan
- Start Dynamic Analyzer ASoC Scan
- Start Static Analyzer ASoC Scan
- Start iOS Analyzer ASoC Scan
- Stop ASoC Presence
Each HCL Launch plugin step must be configured with the ASoC Application ID, Key ID, and Key Secret.
The static analyzer step also requires an IRX file field, which points to either the IRX file to be uploaded for scanning, or the directory that contains the files or other locations to scan. The field accepts scan configuration files, Eclipse workspaces, and .jar, .war, and .ear files. In addition to the Application ID, Key ID, and Key Secret, the dynamic analyzer step requires the URL of the location to scan. If the page requires a login, the application login credentials must also be provided.