raphg
2 Posts

Pinned topic Appscan source and ASP.Net 2

‏2011-08-11T12:45:44Z |
Hi everyone,

I'm quite new to Appscan source (Appscan Source Edition for Security 8.0.0.1.60), so sorry if I post a silly question!

I would like to create a .NET2 project type (.aspx, ... files) but I don't have this choice available in the wizard
... also I didn't find any information on building such a project in the documentation (it only speaks about ASP or .NET Assembly)

Did I miss something in the installation process or so?
Thanks for your help.
Updated on 2011-08-12T17:39:33Z at 2011-08-12T17:39:33Z by SystemAdmin
  • SystemAdmin
    49 Posts

    Re: Appscan source and ASP.Net 2

    ‏2011-08-11T17:20:27Z  
    At a high level, there are three ways to scan .NET code.

    1) Import the .sln file
    2) Create a new, empty Application, then add Projects to it one at a time.
    3) Scan the .NET assemblies.

    Here is a small how-to:

    1) In AppScan Source for Security, go to the File menu-->Add Existing Application menu item
    Browse to the .sln file you want to scan, open it, and scan it.

    2) Create a new, empty Application, then add Projects to it one at a time.
    In AppScan Source for Security, go to File menu-->Add Application menu item-->New Application...
    Give your new Application a name and working directory where the temporary files and Application configuration file (application_name.paf) will be stored. Then click Finish.
    In the Configuration Perspective, in the "Explorer" view, right-click on the Application and choose "Add Projects" or "Add Multiple Projects" (which is the same, but recursively searches a directory), then add all the .csproj and .vbproj files you want to scan.
    You should now have an Application containing only the Projects you want to scan.

    3) Scan the .NET assemblies.
    Compile the entire application in Debug mode.
    This should generate .dll and .exe files and their associated .pdb ("Project De-Bug" information) files.
    Copy the .exe, .dll, and the .pdb files only for the projects you want to scan into a new folder. You must have all these files in a single, flat folder (no subfolders).
    In AppScan Source for Security, go to File menu-->Add Application menu item-->New Application...
    Give your new Application a name and working directory where the temporary files and Application configuration file (application_name.paf) will be stored. Then click Next.
    Create a new Project with the type of ".NET Assembly Project" and give it a name and working directory. Then click Next.
    The "Source root" for this type of project is the folder containing the .NET assemblies which you created in step 3.
    When you run a scan, the first time you try to click on a Trace, AppScan Source for Security or Developer might ask you to direct it to the source code file, but you should only need to do this once.
    These different options are documented in detail in the Security_User_Guide.pdf

    /eh
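
Added example, not part of the original post and not IBM's code: a PowerShell sketch of the file-staging part of option 3, copying Debug build output into one flat folder and reporting assemblies that have no matching .pdb or that share a file name with different content. The paths and the `bin\Debug` output pattern are assumptions; adjust them to the solution being scanned.

```powershell
# Added example: stage Debug build output into the single flat folder that a
# ".NET Assembly Project" uses as its source root, and report gaps.
# All three parameter defaults are hypothetical; change them for your layout.
param(
    [string]$SolutionRoot     = 'C:\src\MyWebApp',
    [string]$StageDir         = 'C:\scan\MyWebApp-assemblies',
    # Regex matched against each file's full path. Web projects often build
    # straight into bin\, in which case use '\\bin\\' instead.
    [string]$OutputDirPattern = '\\bin\\Debug\\'
)

New-Item -ItemType Directory -Path $StageDir -Force | Out-Null

# Find every .dll/.exe that sits in a Debug output folder.
$assemblies = Get-ChildItem -Path $SolutionRoot -Recurse -File -Include *.dll, *.exe |
    Where-Object { $_.FullName -match $OutputDirPattern }

$missingPdb = @()
$conflicts  = @()

foreach ($group in ($assemblies | Group-Object Name)) {
    # The same referenced DLL is normally copied into several output folders.
    # That is fine when the copies are identical; a flat folder cannot hold
    # two different files with one name, so flag that case and skip it.
    $hashes = $group.Group | Get-FileHash -Algorithm SHA256 |
        Select-Object -ExpandProperty Hash -Unique
    if (@($hashes).Count -gt 1) {
        $conflicts += $group.Name
        continue
    }

    $asm = $group.Group[0]
    Copy-Item -LiteralPath $asm.FullName -Destination $StageDir -Force

    # The .pdb is expected next to the assembly, with the same base name.
    $pdb = [System.IO.Path]::ChangeExtension($asm.FullName, '.pdb')
    if (Test-Path -LiteralPath $pdb) {
        Copy-Item -LiteralPath $pdb -Destination $StageDir -Force
    } else {
        $missingPdb += $asm.Name
    }
}

if ($conflicts)  { Write-Warning "Same name, different content (not staged): $($conflicts -join ', ')" }
if ($missingPdb) { Write-Warning "No .pdb found next to: $($missingPdb -join ', ')" }
Write-Output "Staged $(@(Get-ChildItem -Path $StageDir -File).Count) files in $StageDir"
```

Point the "Source root" of the .NET Assembly Project at the staging folder once the warnings have been reviewed.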
  • raphg
    2 Posts

    Re: Appscan source and ASP.Net 2

    ‏2011-08-12T08:57:41Z  
    Thanks for the quick response!

    I did find the third option.
    It worked fine with a previous version of Appscan source (6.0.x) but I wasn't asked (or maybe didn't notice) to direct to the source code.
    I installed the 8.0 version and then here (with exactly the same project) I have more difficulties to analyze as the process stops because of 'missing referenced assembly files'
    (With v6 version, I had warnings (mainly about missing some Pdb files) during the scan but it went to the end)
    I will go further in that direction ...

    For the two other options, I didn't notice I had to do it from the import option.
    However, I'm afraid (as I expected) that I'll have to wait until I have Visual Studio installed as I get "unable to create VisualStudio.DTE.9.0 process ..." messagebox if I click on a project in the explorer pane.
    Am I right or is there a way to compile without installing the product? (I thought that Visual Studio was only necessary for the developer's plug-in).

    Thanks again
  • SystemAdmin
    49 Posts

    Re: Appscan source and ASP.Net 2

    ‏2011-08-12T17:39:33Z  
    Hi there!

    Visual Studio is necessary to import an .sln / .csproj / .vbproj file. This is because we use Visual Studio to parse that file format. I recommend that you install the same version of Visual Studio as was used to develop the application (if you install a version of Visual Studio which is newer than the .sln you want to scan, you'll have to go through Microsoft's "conversion" process, which sometimes works but isn't always easy or convenient).
    To be honest, I don't know if Visual Studio needs to be installed in order to scan a .NET Assembly Project. One of my co-workers says it is, the other says it isn't, and they are both pretty confident in their answers. All of my Windows computers have Visual Studio on them already so I can't run a quick test for you.

    If you find you are able to scan a .NET Assembly Project without Visual Studio, please let me know! :)

    /eh