HCL AppScan on Cloud (ASoC) is a SaaS solution for application security testing. It consolidates the HCL security testing capabilities into a single service with a uniform experience across technologies, and it can scan web, mobile, and desktop applications using dynamic and static techniques.
The HCL AppScan on Cloud (ASoC) plug-in integrates HCL Accelerate with an HCL AppScan on Cloud server. The plug-in uses the ASoC REST interface to read scan data from the ASoC server and displays it as a graphical view in the HCL Accelerate portfolio.
The following table describes the changes made in each plug-in version.
Version | Description |
---|---|
3.0.19 | Older versions of the ASoC plug-in did not report critical issues. The issue is fixed. |
3.0.16 | Segregated static scan and dynamic scan data. |
3.0.12 | |
3.0.11 | Fix for changed API. |
3.0.9 | Reduced vulnerabilities. |
3.0.5 | Auto-generated user access key related changes. |
3.0.1 | Added policy support. |
2.0.1 | Note: This is a breaking change, because the request method of the plug-in endpoint changes from POST to GET. |
1.0.24 | Proxy support added. |
1.0.23 | Removed IBM related keywords. |
1.0.18 | Bug fixes. |
To use the HCL AppScan on Cloud (ASoC) plug-in, load the plug-in and create an instance before you configure the integration. You can define the configuration properties either in the user interface or in the JSON file of a value stream.
The ASoC plug-in supports an endpoint integration and a scheduled event integration.
Use the endpoint integration to sync or import scan data into HCL Accelerate's application vulnerabilities metrics on demand by calling the plug-in's API endpoint (HTTP GET for plug-in version 2.0.1 or later, HTTP POST for version 2.0.0 or earlier).
The endpoint integration is listed in the following table.
Name | Path | Request Method |
---|---|---|
ASoC Scan | asocScan | GET (version 2.0.1 or later); POST (version 2.0.0 or earlier) |
The following image shows the endpoint after the integration is defined in Accelerate:
Notes
The following two features are available from version 2.0.1 or later of the plug-in. The first request starts an ASoC scan through the ASoC REST API and records the build URL in the scan comment; the second registers an ASoC webhook so that ASoC calls the plug-in endpoint, passing the scan execution ID, whenever a scan execution completes.
Start a scan (replace the placeholders; keep the bearer token out of shell history and build logs):
curl --location --request POST 'https://cloud.appscan.com/api/v2/Scans/MobileAnalyzer' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Bearer bearer-token-goes-here' \
--data-urlencode 'ApplicationFileId=file-id-goes-here' \
--data-urlencode 'ScanName=scan-name-goes-here' \
--data-urlencode 'AppId=ASoC-AppId-goes-here' \
--data-urlencode 'Execute=true' \
--data-urlencode 'Comment=https://build-url-goes-here'
Register a webhook that calls the plug-in endpoint when a scan execution completes:
curl --location --request POST 'https://cloud.appscan.com/api/V2/Webhooks' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Bearer bearer-token-value-goes-here' \
--data-urlencode 'PresenceId=presence-id-goes-here' \
--data-urlencode 'Uri=plugin-endpoint-goes-here?ScanExecutionId={SubjectId}' \
--data-urlencode 'Event=ScanExecutionCompleted' \
--data-urlencode 'Global=true'
The following example shows how to call the plug-in endpoint without a webhook, for example from curl, Postman, or a step in the CI/CD pipeline.
Send an HTTP GET (version 2.0.1 or later) or HTTP POST (version 2.0.0 or earlier) request to your endpoint.
Sample endpoint:
https:///pluginEndpoint//asocScan
The payload for the POST request is shown below.
{"scanId":"", "buildUrl": ""}
Name | Description | Required |
---|---|---|
scanId | The ID of the scan that was run in ASoC. This field is mandatory for the scan results to be rendered in Insights. | Yes |
buildUrl | The build URL from the CI/CD tool, such as Jenkins or HCL Launch. This optional field links the ASoC scan results with the build in HCL Accelerate. | No |
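The following is an added example, not code from the HCL documentation or from the plug-in itself. It shows the "non webhook" flow end to end from a pipeline step: start a scan with the same request as the first curl above, poll until the scan execution has finished, and then call the plug-in's asocScan endpoint with scanId and buildUrl, using GET for plug-in 2.0.1 or later and the POST payload above for 2.0.0 or earlier. HTTP is done through an injected transport callable so the module runs offline; the real transport is only used when you pass it in. Assumptions not stated on this page: the scan ID is returned in an "Id" field, scan state is read from "LatestExecution.Status" of GET /Scans/{id} with "Ready" meaning finished, the GET form of the plug-in endpoint takes the same parameter names as the POST payload, and whatever authentication your Accelerate instance requires on the plug-in endpoint has to be added to the headers yourself.

```python
import json
import re
import urllib.parse
import urllib.request

ASOC_API = "https://cloud.appscan.com/api/v2"   # same base as the curl examples above
# ASoC identifiers are GUIDs (assumption); checked before they are put into any URL
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def urllib_transport(method, url, headers, body=None, timeout=30):
    """Real HTTP transport. urllib verifies the TLS certificate by default and the
    timeout keeps a stalled ASoC call from hanging the pipeline."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8")


def _check_status(status, what):
    if status not in (200, 201):
        raise RuntimeError(f"{what} failed with HTTP {status}")


def start_scan(transport, token, app_id, file_id, scan_name, build_url):
    """POST /Scans/MobileAnalyzer with the form body from the curl example.
    The scan ID is read from the "Id" field of the reply (assumed field name).
    The token travels only in the Authorization header, never in the URL."""
    form = urllib.parse.urlencode({
        "ApplicationFileId": file_id,
        "ScanName": scan_name,
        "AppId": app_id,
        "Execute": "true",
        "Comment": build_url,
    }).encode()
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/x-www-form-urlencoded"}
    status, text = transport("POST", f"{ASOC_API}/Scans/MobileAnalyzer", headers, form)
    _check_status(status, "start_scan")
    scan_id = json.loads(text)["Id"]
    if not GUID_RE.match(scan_id):
        raise ValueError(f"unexpected scan id from ASoC: {scan_id!r}")
    return scan_id


def scan_finished(transport, token, scan_id):
    """One poll of GET /Scans/{id}; LatestExecution.Status == "Ready" is taken as
    finished (assumed field names). Call it in a loop with your own delay."""
    status, text = transport("GET", f"{ASOC_API}/Scans/{scan_id}",
                             {"Authorization": f"Bearer {token}"})
    _check_status(status, "scan_finished")
    return json.loads(text).get("LatestExecution", {}).get("Status") == "Ready"


def notify_accelerate(transport, endpoint, scan_id, build_url, plugin_version):
    """Call the plug-in's asocScan endpoint: GET with query parameters for plug-in
    2.0.1 or later, POST with the JSON payload from this page for 2.0.0 or earlier.
    Inputs are validated first so that a malformed CI variable cannot smuggle extra
    query parameters or a non-URL into the integration."""
    if not GUID_RE.match(scan_id):
        raise ValueError("scanId must be an ASoC GUID")
    parsed = urllib.parse.urlsplit(build_url)
    if build_url and (parsed.scheme != "https" or not parsed.netloc):
        raise ValueError("buildUrl must be an absolute https URL")
    params = {"scanId": scan_id}
    if build_url:
        params["buildUrl"] = build_url
    if tuple(int(x) for x in plugin_version.split(".")) >= (2, 0, 1):
        status, _ = transport("GET", f"{endpoint}?{urllib.parse.urlencode(params)}", {})
    else:
        status, _ = transport("POST", endpoint, {"Content-Type": "application/json"},
                              json.dumps(params).encode())
    _check_status(status, "notify_accelerate")
    return True
```

In a pipeline you would call start_scan with urllib_transport and a token read from a masked CI secret, loop on scan_finished with a sleep between polls, and finally notify_accelerate with the job URL; the version switch mirrors the POST to GET change introduced in plug-in 2.0.1.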
You can use the HCL AppScan on Cloud plug-in's scheduled event integration to sync or import scan data into HCL Accelerate's application vulnerabilities metrics automatically at a fixed interval. Currently, the plug-in syncs scan data from HCL AppScan on Cloud to HCL Accelerate every 5 minutes.
The following image shows the Scheduled Event after the integration is defined in HCL Accelerate:
There are two methods to integrate the plug-in: through the user interface, or through the JSON file of a value stream.
The tables in the Configuration properties topic describe the properties used to define the integration.
To install the plug-in, perform the following steps:
To integrate the plug-in, perform the following steps:
The JSON file contains the information for creating a value stream. Within the JSON file there is a section for integrations. In this section the plug-in properties can be defined.
The following image shows the ASoC scan results in the Insights section of Accelerate after the successful plug-in integration.
The HCL AppScan on Cloud (ASoC) account used to generate the API key must have access to the project that is being integrated with HCL Accelerate. Use a key scoped to that project rather than an administrative account, because the key secret is stored in the integration configuration.
The following tables describe the properties used to configure the integration. Each table contains the field name when using the user interface and the property name when using a JSON file. Some properties might not be displayed in the user interface; to see all properties, enable the Show Hidden Properties field.
Name | Description | Required | Property Name |
---|---|---|---|
NA | The version of the plug-in that you want to use. To view available versions, click the Version History tab. If a value is not specified, the version named latest is used. | No | image |
Integration Name | The name assigned to the integration. | Yes | name |
Logging Level | The level of Log4j messages to display in the log file. Valid values are: all, debug, info, warn, error, fatal, off, and trace. | No | loggingLevel |
NA | List of plug-in configuration properties used to connect and communicate with the HCL AppScan on Cloud server. Enclose the properties within braces. | Yes | properties |
NA | The name of the tenant. | Yes | tenant_id |
NA | Unique identifier assigned to the plug-in. The value for the HCL AppScan on Cloud plug-in is ucv-ext-asoc. | Yes | type |
Name | Type | Description | Required | Property Name |
---|---|---|---|---|
Key ID | String | The key ID used to authenticate with the HCL AppScan on Cloud (ASoC) server. | Yes | keyId |
URL | String | The URL of the HCL AppScan on Cloud (ASoC) server. | Yes | asocUrl |
Key Secret | Secure | The key secret used to authenticate with the HCL AppScan on Cloud (ASoC) server. | Yes | keySecret |
HCL Accelerate Access Key | Secure | The user access key used to authenticate with the HCL Accelerate server. | Yes | ucvAccessKey |
ASoC Applications | Array | Comma-separated list of application names in ASoC, for example: App1, App2. | No | applications |
Run as a Scheduled Event | Boolean | Set this property to "true" to run the integration as a scheduled event. | No | isScheduledEvent |
The following sample can be used as a template to define the integration within the JSON file for a value stream. Copy and paste the template into the integrations section of the JSON file and make the appropriate changes. Note that the properties table above gives the plug-in identifier as ucv-ext-asoc while this template uses asocPlugin; use the type value that your HCL Accelerate instance shows for the plug-in.
"integrations": [
  {
    "type": "asocPlugin",
    "tenant_id": "",
    "name": "",
    "properties": {
      "ucvAccessKey": "",
      "keyId": "",
      "keySecret": "",
      "isScheduledEvent": "false",
      "asocUrl": "",
      "applications": ""
    }
  }
]
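The following is an added example, not part of the HCL documentation: a small pre-commit style check for the integrations entry of a value-stream JSON file, derived from the property tables above. It parses the file (so a syntax slip such as a missing comma fails fast), reports required keys that are missing or empty, checks that isScheduledEvent is the string "true" or "false", insists on https for asocUrl so the key secret is not sent in clear, and normalises the comma-separated applications string into a list. The sample document is constructed here for illustration.

```python
import json

# Required keys, taken from the two property tables above
REQUIRED_TOP = ("type", "tenant_id", "name", "properties")
REQUIRED_PROPS = ("keyId", "asocUrl", "keySecret", "ucvAccessKey")

# Constructed sample with three deliberate mistakes: empty keySecret, a non-boolean
# isScheduledEvent, and a plain-http asocUrl.
SAMPLE = """
{"integrations": [{
  "type": "asocPlugin",
  "tenant_id": "tenant-1",
  "name": "asoc-prod",
  "properties": {
    "ucvAccessKey": "replace-me",
    "keyId": "key-id",
    "keySecret": "",
    "isScheduledEvent": "maybe",
    "asocUrl": "http://cloud.appscan.com",
    "applications": "App1, App2,, App3"
  }
}]}
"""


def applications_list(value):
    """'App1, App2' -> ['App1', 'App2']; whitespace is trimmed and empty items dropped."""
    return [a.strip() for a in (value or "").split(",") if a.strip()]


def check_integration(entry):
    """Return a list of human-readable problems for one integrations entry."""
    problems = []
    for key in REQUIRED_TOP:
        if entry.get(key) in ("", None):
            problems.append(f"missing top-level field: {key}")
    props = entry.get("properties") or {}
    for key in REQUIRED_PROPS:
        if not props.get(key):
            problems.append(f"missing property: {key}")
    if props.get("isScheduledEvent", "false") not in ("true", "false"):
        problems.append('isScheduledEvent must be the string "true" or "false"')
    url = props.get("asocUrl", "")
    if url and not url.startswith("https://"):
        problems.append("asocUrl must use https so the key secret is not sent in clear")
    return problems


def check_value_stream(text):
    """Parse a value-stream JSON document and check every integrations entry.
    A malformed document raises json.JSONDecodeError (a ValueError)."""
    doc = json.loads(text)
    return {e.get("name") or f"#{i}": check_integration(e)
            for i, e in enumerate(doc.get("integrations", []))}


if __name__ == "__main__":
    for name, problems in check_value_stream(SAMPLE).items():
        print(name, problems or "ok")
    print(applications_list("App1, App2,, App3"))
```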
Uploaded: 10-Mar-2023 14:34
docker pull hclcr.io/accelerate/ucv-ext-asoc:3.0.19
Uploaded: 15-Dec-2022 14:08
docker pull hclcr.io/accelerate/ucv-ext-asoc:3.0.16
Uploaded: 13-Sep-2022 06:17
docker pull hclcr.io/accelerate/ucv-ext-asoc:3.0.12
Uploaded: 07-Jul-2022 04:37
docker pull hclcr.io/accelerate/ucv-ext-asoc:3.0.11
Uploaded: 24-May-2022 05:47
docker pull hclcr.io/accelerate/ucv-ext-asoc:3.0.9
Uploaded: 28-Jan-2022 16:57
docker pull hclcr.io/accelerate/ucv-ext-asoc:3.0.5
Uploaded: 25-Aug-2021 08:38
docker pull hclcr.io/accelerate/ucv-ext-asoc:3.0.1
Uploaded: 03-Aug-2021 08:48
docker pull hclcr.io/accelerate/ucv-ext-asoc:2.0.1
Uploaded: 02-Jul-2021 07:22
docker pull hclcr.io/accelerate/ucv-ext-asoc:1.0.24
Uploaded: 03-May-2021 13:40
docker pull hclcr.io/accelerate/ucv-ext-asoc:1.0.23
Uploaded: 08-Feb-2021 07:31
docker pull hclcr.io/accelerate/ucv-ext-asoc:1.0.18