APAR status
Closed as program error.
Error description
What's expected: Scanning of a Java/JSP application and Framework analysis is expected to complete successfully with findings.

What's noticed: An F4F scan of a Java/JSP app results in a java.lang.AssertionError and other error messages like:

02/19/16 17:27:07 Error(30082) from Log4jLogger.cpp(128)
java.lang.AssertionError
    at com.ibm.appscan.frameworks.analyzers.javaee.taglibs.SpringBindInfo.getBindPath(SpringBindInfo.java:73)
    at com.ibm.appscan.frameworks.analyzers.javaee.taglibs.SpringBindInfo.getFact(SpringBindInfo.java:42)
    at com.ibm.appscan.frameworks.analyzers.javaee.taglibs.TagLibraryDefs.getAllFactNumbers(TagLibraryDefs.java:85)
    at com.ibm.appscan.frameworks.analyzers.javaee.taglibs.TagLibraryDefs.<init>(TagLibraryDefs.java:62)
    at com.ibm.appscan.frameworks.analyzers.javaee.taglibs.TagLibraryDefs.make(TagLibraryDefs.java:41)
    at com.ibm.appscan.frameworks.analyzers.javaee.jsp.JasperInfo.getTagLibDefInfo(JasperInfo.java:149)
    at com.ibm.appscan.frameworks.analyzers.javaee.jsp.JSPFile.findAccessPathsInELExpressions(JSPFile.java:96)
    at com.ibm.appscan.frameworks.analyzers.javaee.jsp.JSPFile.<init>(JSPFile.java:76)
    at com.ibm.appscan.frameworks.analyzers.javaee.jsp.JSPAnalyzer.collectAllJSPFiles(JSPAnalyzer.java:96)
    at com.ibm.appscan.frameworks.analyzers.javaee.jsp.JSPAnalyzer.collectAllJSPFiles(JSPAnalyzer.java:111)
    at com.ibm.appscan.frameworks.analyzers.javaee.jsp.JSPAnalyzer.collectAllJSPFiles(JSPAnalyzer.java:111)
    at com.ibm.appscan.frameworks.analyzers.javaee.jsp.JSPAnalyzer.collectAllJSPFiles(JSPAnalyzer.java:113)
    at com.ibm.appscan.frameworks.analyzers.javaee.jsp.JSPAnalyzer.<init>(JSPAnalyzer.java:68)
    at com.ibm.appscan.frameworks.analyzers.javaee.CoreJavaEEFrameworkHandler.getFrameworkInfo(CoreJavaEEFrameworkHandler.java:53)
    at com.ibm.appscan.frameworks.java.WAFLSpecGen.getWAFLSpecForJavaEEApp(WAFLSpecGen.java:144)
    at com.ibm.appscan.frameworks.java.WAFLSpecGen.getWAFLSpecAndCHAForJavaEEApp(WAFLSpecGen.java:120)
    at com.ibm.appscan.frameworks.java.JavaFrameworkInfoGenerator.generateFrameworkInfo(JavaFrameworkInfoGenerator.java:28)
    at com.ibm.appscan.frameworks.FrameworksCLI$HandlerJarsGenerator.generateFrameworkInfo(FrameworksCLI.java:80)
    at com.ibm.appscan.frameworks.FrameworkGeneratorHarness.run(FrameworkGeneratorHarness.java:29)
    at com.ibm.appscan.frameworks.FrameworksCLI.runMain(FrameworksCLI.java:59)
    at com.ibm.appscan.frameworks.FrameworksCLI.main(FrameworksCLI.java:37)

could not handle EL expression ${(externalpayee.fromAccount.accountStatusId eq '2' and externalpayee.fromAccount.accountApprovalMethod eq '1' and externalpayee.fromAccount.cdStatus eq '3') or (externalpayee.fromAccount.accountStatusId eq '2' and externalpayee.fromAccount.accountApprovalMethod eq '1' and externalpayee.fromAccount.cdStatus eq '5')}

02/19/16 17:27:06 Debug(30082) from Log4jLogger.cpp(145)
2016-02-19 17:26:45,993 DEBUG com.ibm.appscan.frameworks.analyzers.javaee.taglibs.CForEachInfo com.ibm.appscan.frameworks.analyzers.javaee.taglibs.CForEachInfo.getFact(CForEachInfo.java:47) failed for c:forEach usage in Node: < Application, Lmyfi_002dcb_002ewar/WEB_002dINF/jsp/movemoney/feesCutoffLimitsExternal_jsp, _jspx_meth_c_005fforEach_005f0(Ljavax/servlet/jsp/tagext/JspTag;Ljavax/servlet/jsp/PageContext;)Z > Context: Everywhere

399. [Moderate] class com.ibm.wala.ipa.cha.ClassHierarchy$ClassExclusion : <Extension,Lorg/apache/portals/bridges/struts/config/AbstractConfigComponent$SetParentRule> No superclass found for <Extension,Lorg/apache/portals/bridges/struts/config/AbstractConfigComponent$SetParentRule> Superclass name Lorg/apache/commons/digester/Rule
573. [SEVERE] class com.ibm.wala.classLoader.BytecodeClass$ClassNotFoundWarning : Lantlr/ASTVisitor
574. [SEVERE] class com.ibm.wala.classLoader.BytecodeClass$ClassNotFoundWarning : Lcom/ecyrd/jspwiki/auth/authorize/GroupDatabase

Other technical info: None.
Local fix
Problem summary
Scanning a Java/JSP-based application with IBM Security AppScan Source fails with assertion errors.
Problem conclusion
The assertion errors raised during the application scan are addressed in the 9.0.3.4 release.
Temporary fix
Comments
APAR Information
APAR number
PI58023
Reported component name
SEC APPSCAN SRC
Reported component ID
5724Z3400
Reported release
903
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-02-24
Closed date
2017-01-23
Last modified date
2017-01-23
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SEC APPSCAN SRC
Fixed component ID
5724Z3400
Applicable component levels
R870 PSY
UP
R880 PSY
UP
R900 PSY
UP
R901 PSY
UP
R902 PSY
UP
R903 PSY
UP
Document Information
Modified date:
23 January 2017