OWASP O2 Platform Blog

Showing IBM Rational AppScan Source Findings inside AppScan Standard (1st PoC)

Here is a PoC I wrote last night for an IBMer which shows a very first rough pass at loading up IBM Rational AppScan Source findings inside AppScan Standard. The demo uses AltoroJ and at the moment connects the *.jsp AppScan Standard findings into the respective AppScan Source findings.

This is what it looks like after the O2 script has been executed and the data loaded:

For reference, this is what AppScan Standard looks like without the O2 script execution (and without the injection of the AppScan Source findings):


How to replicate this?

At the moment there are a couple steps that need to be done in order to get there:

1) Start AppScan under O2 control by executing the Util – Launch AppScan Standard (O2 Version).h2 script (see Injecting O2 into IBM Rational AppScan Standard for details on how this works)

2) After AppScan loads (and the O2 .NET injection occurs), you should see an O2 menu (on top) and an O2 Scripting environment on the middle left:

3) Now drag and drop the Inside AppScan Standard- Add AltoroJ Menu.h2 script into the O2 Scripting environment, and execute it (note the addition of a new AltoroJ menu after execution)

4) The AltoroJ menu has 3 options:

 – Open AppScan Standard File,  
 – Configure Source code and
 – Map AppScan Source findings

(the sub-menu text is a bit different, but that’s what it means)

Note that these need to be opened in sequence.

5) Select ‘Open AltoroJ’ and enter the path to the *.scan file:

This will trigger the load of the saved assessment and should look like this when completed:

6) Next click on ‘Configure AltoroJ source code Mapping’ and enter the path to the source code (note that in this version of the script you need to point to the WebContent folder)

7) Test the source code mappings by clicking on a *.jsp file that exists on the file system

Note how the O2 Scripting control (middle left) was replaced with a SourceCodeViewer control that shows the content of the selected file (in the treeview above it).

Here is an example of another *.jsp file. Note that the other servlet mappings are currently not supported, but adding them is not hard since we have access to all the artifacts we need.

8) The final step is to select the menu option ‘Map AltoroJ SAST findings’ and enter the location of the AppScan Source saved findings file

9) View all Source code Findings

The last script loaded the findings in memory and added two tabs to the bottom right TabControl.

The first tab added is called ‘All SAST Findings’ and shows details of all findings loaded,

including a view to see the finding’s traces:

10) View the findings that are mapped to the *.jsp file currently selected

The other tab that was added to the TabControl is called ‘SAST Findings Mapped to Selected File’ and will only show the findings that exist for the file currently loaded:

Here is another example (note how powerful it is to see the black-box findings on the top and the source code findings on the bottom):

11) Next Steps?

There is still a LOT that needs to be done before this script is a good representation of the information that we already have available from both scans.

For example, one will need to consume the web.xml file in order to get the bean/URL mappings from it (we also need to add proper colour coding for the *.jsp file loaded on the right, like what happens on the left).

Another interesting option is to look at the WAFL (Web Application Framework Language) file created by AppScan Source and see if we can extract from it the mappings between the URLs and their controllers.
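The core of the PoC is the correlation in steps 7 to 10 (a scanned *.jsp URL resolved to a file under WebContent, then the SAST findings for that file shown next to the DAST findings) plus the web.xml idea above. Here is a stand-alone illustration of that correlation, written as an added example in Python rather than as an O2 .h2 script, and not part of the O2 Platform or AppScan code: the web.xml fragment, the context root "/AltoroJ", the src/ layout for servlet classes and all findings are constructed sample data, and only exact url-pattern matches are handled.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed web.xml fragment using the standard servlet-mapping elements (not AltoroJ's real one).
WEB_XML = """<web-app>
  <servlet><servlet-name>LoginServlet</servlet-name>
           <servlet-class>com.example.LoginServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>LoginServlet</servlet-name>
           <url-pattern>/doLogin</url-pattern></servlet-mapping>
</web-app>"""
# Constructed findings: DAST ones are keyed by URL, SAST ones by source file.
DAST = [{"url": "/AltoroJ/login.jsp?user=x", "issue": "Cross-Site Scripting"},
        {"url": "/AltoroJ/doLogin", "issue": "SQL Injection"},
        {"url": "/AltoroJ/images/logo.gif", "issue": "Directory Listing"}]
SAST = [{"file": "WebContent/login.jsp", "issue": "Reflected XSS", "line": 42},
        {"file": "src/com/example/LoginServlet.java", "issue": "SQL Injection", "line": 77}]

def servlet_mappings(web_xml_text):
    """Return {url-pattern: servlet-class} from a web.xml document (exact patterns only)."""
    root = ET.fromstring(web_xml_text)
    classes = {s.findtext("servlet-name"): s.findtext("servlet-class")
               for s in root.iter("servlet")}
    return {m.findtext("url-pattern"): classes.get(m.findtext("servlet-name"))
            for m in root.iter("servlet-mapping")}

def url_to_source(url, context_root, mappings):
    """Resolve a scanned URL to (kind, path): a *.jsp under WebContent or a servlet's .java file."""
    path = url.split("?", 1)[0]
    if context_root and path.startswith(context_root):
        path = path[len(context_root):] or "/"
    if path.endswith(".jsp"):
        rel = posixpath.normpath(path.lstrip("/"))
        if rel.startswith(".."):          # never resolve to a file outside WebContent
            return None
        return ("jsp", posixpath.join("WebContent", rel))
    cls = mappings.get(path)
    if cls:                               # assumed layout: src/<package path>/<Class>.java
        return ("servlet", "src/" + cls.replace(".", "/") + ".java")
    return None                           # static content, unmapped URL or wildcard pattern

def correlate(dast, sast, context_root, mappings):
    """Attach to each DAST URL the SAST findings that live in the artifact it resolves to."""
    by_file = {}
    for f in sast:
        by_file.setdefault(f["file"], []).append(f)
    out = {}
    for d in dast:
        art = url_to_source(d["url"], context_root, mappings)
        out[d["url"]] = by_file.get(art[1], []) if art else []
    return out
```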

November 8, 2011 - Posted by | AppScan, Java, Tools

1 Comment »

  1. […] are a number of smaller scripts I saved when working on the Showing IBM Rational AppScan Source Findings inside AppScan Standard (1st PoC) script. These are great if you are trying to get around O2's APIs and get a feel for how a […]

    Pingback by O2 Scripting Samples: Automating Rational AppScan Standard GUI and adding AppScan Standard Findings « OWASP O2 Platform Blog | November 8, 2011 | Reply
