Open Source testing locates and analyzes Open Source packages in your code. It requires a specific Application Security on Cloud Open Source Analyzer subscription. When you have a valid subscription, Open Source testing is run as a separate scan or is automatically included in Static analysis scans when Static analysis entitlements also exist. It does the following:
- Locates Open Source packages in your code. To ensure that Application Security on Cloud collects only data for Open Source testing, use the -openSourceOnly option with appscan prepare (this option is available only through the CLI, not through plugins).
- Identifies Open Source packages that are known to be vulnerable
- Suggests remediation for the vulnerable packages
Results are included in Static Analysis or Open Source reports and in your Application Security on Cloud portal.
Note: When you use the -oso or -openSourceOnly option with appscan prepare, you may encounter the message "The prepare operation only found opensource file types, must include other scan file types". Supported binary file types, by extension, are:
- .jar
- .war
- .ear
- .aar
- .dll
- .exe
- .tar
- .gz
- .egg
- .whl
- .rpm
- .drpm
- .bz2
- .tgz
- .deb
- .udeb
- .gzip
- .gem
- .swf
- .swc
- .so
- .ko
- .a
- .ar
- .dmg
- .msi
- .air
- .apk
Supported source file types, by extension, are:
- .c
- .cc
- .cp
- .cpp
- .cxx
- .c++
- .go
- .goc
- .h
- .hh
- .pch
- .h++
- .m
- .mm
- .c#
- .cs
- .csharp
- .js
- .php
- .py
- .rb
- .swift
- .java
- .clj
- .cljx
- .cljs
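As an added example (not part of this documentation and not IBM's tooling), the following POSIX shell pre-flight check applies the two extension lists above to a project tree before you run appscan prepare -oso, so you can tell in advance whether prepare would only find opensource file types. Treating every file outside these lists as a non-scan file is an assumption, because the page does not enumerate the opensource file types themselves.

```shell
#!/bin/sh
# Added example, not IBM's tooling: a pre-flight check run before
# `appscan prepare -oso`. It counts files in a tree whose extension is in the
# supported binary or source lists above, so you can tell in advance whether
# prepare would only find opensource file types and nothing else to scan.
# Assumption: a file with no listed extension (package.json, pom.xml, ...) is
# not a scan file type; the set of opensource manifest files is not documented here.

BINARY_EXTS="jar war ear aar dll exe tar gz egg whl rpm drpm bz2 tgz deb udeb gzip gem swf swc so ko a ar dmg msi air apk"
SOURCE_EXTS="c cc cp cpp cxx c++ go goc h hh pch h++ m mm c# cs csharp js php py rb swift java clj cljx cljs"

# classify_file PATH -> prints binary | source | other (last extension, case-insensitive)
classify_file() {
  name=$(basename "$1")
  case "$name" in
    *.*) ext=$(printf '%s' "${name##*.}" | tr 'A-Z' 'a-z') ;;
    *)   echo other; return 0 ;;
  esac
  for e in $BINARY_EXTS; do [ "$e" = "$ext" ] && { echo binary; return 0; }; done
  for e in $SOURCE_EXTS; do [ "$e" = "$ext" ] && { echo source; return 0; }; done
  echo other
}

# count_scan_files DIR -> prints "<binary> <source> <other>"; exit status 1 when
# no binary or source file was found (prepare would have nothing to scan)
count_scan_files() {
  b=0; s=0; o=0
  while IFS= read -r f; do
    [ -n "$f" ] || continue
    case $(classify_file "$f") in
      binary) b=$((b + 1)) ;;
      source) s=$((s + 1)) ;;
      *)      o=$((o + 1)) ;;
    esac
  done <<EOF
$(find "$1" -type f)
EOF
  echo "$b $s $o"
  [ $((b + s)) -gt 0 ]
}

# Usage: sh precheck.sh <project-dir>
if [ -n "$1" ]; then
  if counts=$(count_scan_files "$1"); then
    echo "ok: $counts files (binary source other); run: appscan prepare -oso"
  else
    echo "warning: no supported scan file types under $1; prepare would only find opensource file types"
  fi
fi
```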