IBM Support

Ability to post AppScan Enterprise job results asynchronously to the configured endpoint URL

Question/Answer


Question

How does AppScan Enterprise post the scan job status asynchronously to the endpoint URL?

Answer

Note 1: Currently, this capability is available only for Content Scan jobs. It will be enhanced further for jobs created through ADAC or AppScan Standard.

Note 2: This capability is available only for new content scan jobs created through the REST API.

In a DevOps environment, an automation framework (for example, Urban Code Deployment) creates and initiates a scan job. AppScan Enterprise performs the scan and, once the scan is completed, posts the scan job status to the integration/automation framework. The framework does not need to wait in a loop or poll AppScan Enterprise periodically for the scan status.

The scan management REST API in AppScan Enterprise, “/services/folders/<folderId>/folderitems?templateid=<id>” (https://www.ibm.com/support/knowledgecenter/SSW2NF_9.0.3/com.ibm.ase.help.doc/topics/t_create_job_based_templates.html), creates a content scan job. This API has been modified to accept an additional, optional parameter, “payload”. The payload is structured JSON containing these details:

 


• Endpoint URL (the URL to which AppScan Enterprise posts the data. The endpoint must be able to read the HTTP PUT data to retrieve the scan job status)
• Username (optional; required only if the endpoint URL expects it)
• Password (encrypted or unencrypted; optional; required only if the endpoint URL expects it)
• Placeholders for job details such as the job completion code (status) and job name.

Ex:
{
  "endpointURL": "http(s)://www.endpoint.com",
  "username": "admin",
  "password": "admin",
  "application": "AppScan Application",
  "applicationProcess": "Run Scan",
  "description": "Initiatied asynchronously by the completion of $fiid.",
  "environment": "Dev",
  "properties": {
    "fiid": "$fiid",
    "completionCode": "$completionCode",
    "jobName": "$jobName"
  },
  "versions": [{
    "component": "ComponentName",
    "version": "1.0.0"
  }]
}

Flow:
- The integration framework creates a job by invoking the AppScan Enterprise REST API. An additional configuration parameter (payload) in JSON format is passed to this API.
- The framework starts the scan job by calling the REST API.
- The framework does not wait for the job to complete to get the status.
- Once the job is completed in AppScan Enterprise, the job status is posted (HTTP PUT) to the endpoint URL. This callback carries the payload data.
- The payload data is updated with job information such as the job name and job completion code.

The sample callback data looks like this:
{
  "application":"AppScan Application",
  "applicationProcess":"Run Scan",
  "description":"Initiatied asynchronously by the completion of 99.",
  "environment":"Dev",
  "properties":{
    "fiid":"99",
    "completionCode":"SUCCESS",
    "jobName":"webhook-2"
  },
  "versions":{
    "component":"ComponentName",
    "version":"1.0.0"
  }
}

 

The supported job completion codes are SUCCESS, FATALERROR, SUSPENDED, and CANCELLED.

 

Note 3: The endpoint URL should start with “http://” or “https://”
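
An added example (not IBM's code and not part of the original technote): a minimal Python receiver for the HTTP PUT callback described above, which validates the body against the sample callback format and the supported completion codes before handing it on. The listener address, the 64 KB size cap and the rejection of unsubstituted placeholders are assumptions; the page does not say how the username and password are presented to the endpoint, so authentication is left out.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Completion codes listed on the page.
SUPPORTED_CODES = {"SUCCESS", "FATALERROR", "SUSPENDED", "CANCELLED"}
MAX_BODY = 64 * 1024  # assumed size cap, not an AppScan Enterprise limit


def parse_callback(body: bytes) -> dict:
    """Validate a callback body; return fiid, jobName and completionCode."""
    if len(body) > MAX_BODY:
        raise ValueError("body too large")
    try:
        doc = json.loads(body.decode("utf-8"))
    except (ValueError, RecursionError) as exc:
        raise ValueError("body is not valid JSON") from exc
    props = doc.get("properties") if isinstance(doc, dict) else None
    if not isinstance(props, dict):
        raise ValueError("missing properties object")
    job = {}
    for key in ("fiid", "jobName", "completionCode"):
        value = props.get(key)
        # "$fiid" etc. arriving verbatim means no substitution took place.
        if not isinstance(value, str) or value in ("", "$" + key):
            raise ValueError(f"missing or unsubstituted {key}")
        job[key] = value
    if job["completionCode"] not in SUPPORTED_CODES:
        raise ValueError("unsupported completionCode")
    return job


class CallbackHandler(BaseHTTPRequestHandler):
    def do_PUT(self):
        length = self.headers.get("Content-Length", "")
        if not length.isdecimal() or int(length) > MAX_BODY:
            self.send_error(400)
            return
        try:
            job = parse_callback(self.rfile.read(int(length)))
        except ValueError:
            self.send_error(400)
            return
        # Hypothetical hand-off point for the pipeline; here it only logs.
        self.log_message("job %r (%r): %s", job["jobName"], job["fiid"], job["completionCode"])
        self.send_response(204)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), CallbackHandler).serve_forever()  # constructed address
```

The completion code reports job status only; expose the receiver through an https:// endpoint URL so the callback cannot be altered in transit.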

Document information

More support for: IBM Security AppScan Enterprise

Component: REST API

Software version: 9.0.3.8

Operating system(s): Windows

Reference #: 2015122

Modified date: 04 July 2018