IBM Support

How to set up Maven and AppScan Source Integration

White paper


Abstract

This document provides the steps to set up and use the Apache Maven and IBM Security AppScan Source integration.

Content

The examples shown are based on the following environment:


  • AppScan Source 9.0
  • Maven 3.2.1
  • Java 8
  • Windows 7 Professional
  • Notepad++

Table of Contents


Prerequisites

Configuring AppScan Source for Automation

Testing the AppScan Source for Automation Configuration

Using the Maven - AppScan Source Integration

Updated Maven Plugin Features

Installing the Updated Maven Plugin

Attachments


Prerequisites

  • AppScan Source for Automation installed
  • Maven installed and configured


Configuring AppScan Source for Automation

The Maven integration relies on AppScan Source for Automation. The first step is to confirm that the automation server is set correctly in the ounceautod.ozsettings file and that an automation token has been created.

Setting the Automation Server

  1. Open ounceautod.ozsettings in a text editor:
    C:\ProgramData\IBM\AppScanSource\config\ounceautod.ozsettings on Windows
    /var/opt/ibm/appscansource/config/ounceautod.ozsettings on Linux
  2. Search for name="ounceautod_server_hostname"
  3. Set the value attribute to the host name or IP address of the AppScan Enterprise server used for authentication
  4. Save the changes
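As an added example (not IBM's code and not part of the original document), the following Python script performs steps 1 to 4 above programmatically, refuses values that do not look like a host name or IP address, and reads the value back to confirm the change. It assumes the ozsettings file is well-formed XML in which each setting is an element carrying name="..." and value="..." attributes (the two attributes the steps above refer to; the element's tag name is not assumed), and it writes a .bak copy before touching the file.

```python
"""Set ounceautod_server_hostname in ounceautod.ozsettings and verify it.

Added example, not IBM's code. Assumption: the file is well-formed XML and
each setting is an element with name="..." and value="..." attributes (the
element's tag name is not assumed; any element with a matching name is used).
"""
import re
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

SETTING_NAME = "ounceautod_server_hostname"
# Paths given in the document for each platform.
SETTINGS_FILE = {
    "windows": Path(r"C:\ProgramData\IBM\AppScanSource\config\ounceautod.ozsettings"),
    "linux": Path("/var/opt/ibm/appscansource/config/ounceautod.ozsettings"),
}
# Host name or IPv4 literal only: refuse whitespace, quotes and other
# characters that have no business inside this attribute.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,253}$")


def get_setting(xml_text: str, name: str):
    """Return the value attribute of the setting called `name`, or None."""
    for el in ET.fromstring(xml_text).iter():
        if el.get("name") == name:
            return el.get("value")
    return None


def set_setting(xml_text: str, name: str, value: str) -> str:
    """Return xml_text with exactly one setting's value attribute replaced."""
    if not HOST_RE.match(value):
        raise ValueError(f"refusing to write suspicious host value {value!r}")
    root = ET.fromstring(xml_text)
    matches = [el for el in root.iter() if el.get("name") == name]
    if len(matches) != 1:
        raise ValueError(f"expected one setting named {name!r}, found {len(matches)}")
    matches[0].set("value", value)
    return ET.tostring(root, encoding="unicode")


def update_settings_file(path: Path, hostname: str):
    """Back up the file, rewrite the host name, and return the value read back."""
    original = path.read_text(encoding="utf-8")
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    path.write_text(set_setting(original, SETTING_NAME, hostname), encoding="utf-8")
    return get_setting(path.read_text(encoding="utf-8"), SETTING_NAME)


# Constructed sample content for demonstration; it is not the real file.
SAMPLE_SETTINGS = """<Settings>
  <Setting name="ounceautod_server_hostname" value="localhost"/>
  <Setting name="ounceautod_some_other_setting" value="42"/>
</Settings>
"""

if __name__ == "__main__":
    updated = set_setting(SAMPLE_SETTINGS, SETTING_NAME, "ase.example.com")
    print(get_setting(updated, SETTING_NAME))  # ase.example.com
```

Run update_settings_file(SETTINGS_FILE["windows"], "your-ase-host") from an elevated prompt to edit the real file. ElementTree discards XML comments and the XML declaration when it serialises, so if the real file carries comments you want to keep, the .bak copy preserves them, or edit the value in a text editor as the steps describe.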

Creating an Automation Token

Windows

  1. Open a command prompt
  2. Navigate to C:\Program Files (x86)\IBM\AppScan Source\bin
  3. Run the following command:
    ounceautod -u username -p password --persist

    Note: Replace username and password with the actual credentials.

  4. Confirm C:\ProgramData\IBM\AppScanSource\config\ounceautod.token exists


Once the above changes have been made, the AppScan Source Automation service needs to be restarted. To restart the service, run the following commands:

    net stop AppScanSourceAutomation
    net start AppScanSourceAutomation


Testing the AppScan Source for Automation Configuration

In the previous section AppScan Source for Automation was configured, but before moving on to the Maven integration the configuration should be tested. To test it, scan the SimpleIOT sample application provided with AppScan Source using the ounceauto command, as follows:

  1. Open a command prompt
  2. Navigate to C:\Program Files (x86)\IBM\AppScan Source\bin
  3. Run the following command:
    ounceauto ScanApplication -application_file C:\ProgramData\IBM\AppScanSource\samples\simpleIOT\SimpleIOT.paf

  4. Open C:\ProgramData\IBM\AppScanSource\logs\cli_output_1.log in Notepad++
  5. Confirm the scan completed without any errors

In the event the scan does not complete successfully, the following technotes cover common errors and issues:
http://www.ibm.com/support/docview.wss?&uid=swg21673744
http://www.ibm.com/support/docview.wss?&uid=swg21669416


Using the Maven - AppScan Source Integration

Now that the ounceauto ScanApplication command has been confirmed to complete successfully, a Maven command using the ounce Maven plugin can be executed. The SimpleIOT sample application is attached in Maven format. Follow these steps:

  1. Add C:\Program Files (x86)\IBM\AppScan Source\bin to the system path
  2. Unzip SimpleIOT-Maven.zip
  3. Open a command prompt
  4. Navigate to the directory containing the pom.xml for the project
  5. Run the following command:
    mvn ounce:application ounce:project ounce:scan -Dounce.wait=true

The above command should be run against a project that compiles successfully. The ounce:application goal creates an AppScan Source application file. The ounce:project goal creates an AppScan Source project file, which contains the settings needed to compile the source code, such as the path to the JDK and the dependencies. The ounce:scan goal scans the AppScan Source application file, which references the project file(s). The ounce.wait property is a boolean that determines whether the Maven command waits for the scan to complete. To review the scan output, open the output log in Notepad++. The output log for the Maven command is located in the C:\ProgramData\IBM\AppScanSource\logs directory and is named cli_output_<requestID>.log, where the requestID is reported in the output of the Maven command. In the example run referred to above, the request ID was 12, so the log file would be cli_output_12.log.
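As an added example (not IBM's code and not the plugin's own), the following Python wrapper runs the Maven command from step 5, picks the request ID out of the Maven output, opens the matching cli_output_<requestID>.log and lists the lines that look like errors, which is what steps 4 and 5 of the previous section do by hand. The exact wording the plugin uses to report the request ID is not reproduced in this document, so REQUEST_ID_RE is an assumption to be adjusted against real output, and the error-line filter is a triage heuristic rather than a verdict on the scan.

```python
"""Run the ounce Maven goals, find the request ID, and triage the scan log.

Added example, not IBM's or the plugin's own code. Assumptions (the exact
wording of the real plugin output is not reproduced in the document):
  - the request ID appears in the Maven output on a line containing the
    word "requestID" followed by an integer; REQUEST_ID_RE encodes that;
  - problems in cli_output_<requestID>.log show up as lines containing
    "error" or "exception" (case-insensitive), which is a triage heuristic.
"""
import re
import shutil
import subprocess
from pathlib import Path

LOG_DIR = Path(r"C:\ProgramData\IBM\AppScanSource\logs")  # path given in the document
MAVEN_ARGS = ["ounce:application", "ounce:project", "ounce:scan", "-Dounce.wait=true"]
REQUEST_ID_RE = re.compile(r"request\s*id\D{0,5}(\d+)", re.IGNORECASE)  # assumption
ERROR_RE = re.compile(r"\b(error|exception)\b", re.IGNORECASE)         # heuristic


def parse_request_id(maven_output: str):
    """Return the request ID printed by the Maven command, or None if absent."""
    m = REQUEST_ID_RE.search(maven_output)
    return int(m.group(1)) if m else None


def log_path_for(request_id: int, log_dir: Path = LOG_DIR) -> Path:
    """cli_output_<requestID>.log, as named in the document."""
    return log_dir / f"cli_output_{request_id}.log"


def find_log_errors(log_text: str) -> list:
    """Return the log lines that look like errors (triage, not a verdict)."""
    return [line.strip() for line in log_text.splitlines() if ERROR_RE.search(line)]


def run_scan(project_dir: Path, log_dir: Path = LOG_DIR):
    """Run mvn in project_dir (the directory holding pom.xml); return (id, errors)."""
    mvn = shutil.which("mvn")  # resolves mvn.cmd on Windows through PATHEXT
    if mvn is None:
        raise RuntimeError("mvn not found on PATH")
    proc = subprocess.run([mvn, *MAVEN_ARGS], cwd=project_dir,
                          capture_output=True, text=True, check=False)
    if proc.returncode != 0:
        raise RuntimeError(f"mvn exited {proc.returncode}:\n{proc.stdout}\n{proc.stderr}")
    request_id = parse_request_id(proc.stdout)
    if request_id is None:
        raise RuntimeError("request ID not found in Maven output; adjust REQUEST_ID_RE")
    log_text = log_path_for(request_id, log_dir).read_text(encoding="utf-8", errors="replace")
    return request_id, find_log_errors(log_text)


# Constructed sample output and log lines; they mimic, not reproduce, real ones.
SAMPLE_MAVEN_OUTPUT = """[INFO] --- ounce-maven-plugin:scan (default-cli) ---
[INFO] Scan submitted, requestID: 12
[INFO] BUILD SUCCESS
"""
SAMPLE_LOG = """Scanning application SimpleIOT
Error: Unable to connect to the AppScan Enterprise server
Scan finished with 1 error(s)
"""

if __name__ == "__main__":
    rid = parse_request_id(SAMPLE_MAVEN_OUTPUT)
    print(log_path_for(rid).name)  # cli_output_12.log
    for line in find_log_errors(SAMPLE_LOG):
        print("  ", line)
```

Call run_scan(Path(r"C:\path\to\SimpleIOT-Maven")) from a prompt where mvn and the AppScan Source bin directory are on the PATH; an empty error list means the log contained nothing the heuristic flagged, not that the scan is guaranteed clean.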




Updated Maven Plugin Features

mvn ounce:help
    Displays help information on ounce-maven-plugin. Call
    mvn ounce:help -Ddetail=true -Dgoal=<goal-name>
    to display parameter details.




Installing the Updated Maven Plugin

To install the updated plugin into the local Maven repository, follow the steps below:

  1. Download the attached ounce-maven-plugin-<version>.jar

  2. Open a command prompt

  3. Run:
    mvn org.apache.maven.plugins:maven-install-plugin:2.5.1:install-file \
    -Dfile=C:\download\location\ounce-maven-plugin-<version>.jar \
    -DgroupId=org.codehaus.mojo \
    -DartifactId=ounce-maven-plugin \
    -Dversion=<version> \
    -Dpackaging=maven-plugin \
    -DlocalRepositoryPath=C:\Users\<username>\.m2\repository \
    -DpomFile=C:\download\location\pom.xml

    Note: The trailing \ is a line continuation for a Unix shell. In a Windows command prompt, use ^ as the continuation character or enter the command on a single line.

  4. Once BUILD SUCCESS is displayed, go to C:\Users\<username>\.m2\repository\org\codehaus\mojo\ounce-maven-plugin\<version> to confirm the plugin has been installed.

  5. Enjoy the new functionality
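As an added example (not IBM's code and not part of the original document), the following Python script does two checks a practitioner would want around steps 1 to 4 above: it records a SHA-256 digest of the downloaded jar and confirms, by reading the plugin descriptor inside the jar, that it really is a Maven plugin with the ounce goal prefix and the goals this document uses, and it computes where install-file will place the jar in the local repository. It assumes the standard Maven plugin descriptor layout (META-INF/maven/plugin.xml with a goalPrefix element and mojos/mojo/goal entries) and the default local repository layout shown in step 4; the sample jar it builds is constructed for the demonstration and is not the real plugin.

```python
"""Inspect a downloaded ounce-maven-plugin jar and locate it after install-file.

Added example, not IBM's code. Assumptions: the jar is a standard Maven
plugin and therefore carries META-INF/maven/plugin.xml with a <goalPrefix>
element and <mojos><mojo><goal> entries (the standard plugin descriptor
layout); the local repository follows Maven's default layout, which is
what the path in step 4 of the document shows.
"""
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

DESCRIPTOR = "META-INF/maven/plugin.xml"
EXPECTED_GOALS = ("application", "project", "scan", "help")  # goals named in the document


def sha256_of(data: bytes) -> str:
    """Digest to record next to the jar so a later download can be compared to it."""
    return hashlib.sha256(data).hexdigest()


def plugin_descriptor(jar_bytes: bytes):
    """Return (goalPrefix, sorted goals) from the plugin descriptor inside the jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        xml = jar.read(DESCRIPTOR)  # KeyError here means it is not a Maven plugin jar
    root = ET.fromstring(xml)
    prefix = root.findtext("goalPrefix")
    goals = sorted(m.findtext("goal") for m in root.iter("mojo"))
    return prefix, goals


def check_plugin(jar_bytes: bytes, expected_goals=EXPECTED_GOALS) -> bool:
    """True when the jar declares the ounce prefix and every goal we rely on."""
    prefix, goals = plugin_descriptor(jar_bytes)
    return prefix == "ounce" and set(expected_goals) <= set(goals)


def installed_plugin_path(repo, group_id: str, artifact_id: str, version: str) -> Path:
    """Where install-file puts the jar: <repo>/<group as directories>/<artifact>/<version>/."""
    return (Path(repo).joinpath(*group_id.split("."))
            / artifact_id / version / f"{artifact_id}-{version}.jar")


def build_sample_jar() -> bytes:
    """Constructed stand-in for the real jar: only a descriptor, no classes."""
    descriptor = """<plugin>
  <goalPrefix>ounce</goalPrefix>
  <mojos>
    <mojo><goal>application</goal></mojo>
    <mojo><goal>project</goal></mojo>
    <mojo><goal>scan</goal></mojo>
    <mojo><goal>help</goal></mojo>
  </mojos>
</plugin>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(DESCRIPTOR, descriptor)
    return buf.getvalue()


if __name__ == "__main__":
    # For the real download: data = Path(r"C:\download\location\ounce-maven-plugin-<version>.jar").read_bytes()
    data = build_sample_jar()
    print("sha256:", sha256_of(data))
    print("descriptor:", plugin_descriptor(data))
    print("looks like the ounce plugin:", check_plugin(data))
    print(installed_plugin_path(Path.home() / ".m2" / "repository",
                                "org.codehaus.mojo", "ounce-maven-plugin", "<version>"))
```

After step 4, installed_plugin_path(...).exists() is the programmatic form of the directory check, and comparing sha256_of on the installed jar with the digest recorded at download time confirms the same bytes were installed.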


For the most up-to-date information, see the IBM AppScan Source Maven Plug-in page on GitHub:

https://github.com/AppSecDev/ounce-maven-plugin


Attachments

DISCLAIMER:
All source code and/or binaries attached to this document are referred to here as "the Program". IBM is not providing program services of any kind for the Program. IBM is providing the Program on an "AS IS" basis without warranty of any kind. IBM WILL NOT BE LIABLE FOR ANY ACTUAL, DIRECT, SPECIAL, INCIDENTAL, OR INDIRECT DAMAGES OR FOR ANY ECONOMIC CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), EVEN IF IBM, OR ITS RESELLER, HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Document information

More support for: IBM Security AppScan Source
Integration with Maven/Ant/Make

Software version: 9.0, 9.0.0.1, 9.0.1, 9.0.2, 9.0.3, 9.0.3.1, 9.0.3.2, 9.0.3.3, 9.0.3.4, 9.0.3.5, 9.0.3.6

Operating system(s): Linux, OS X, Windows

Reference #: 7042209

Modified date: 30 January 2018