For static analysis, you download a small Client Utility. When you extract the utility to your local disk, you can use its command line interface (CLI) to perform security analysis.
About this task
When you use static analysis, you scan source code to generate a file that is uploaded to the cloud. The file, an encrypted IRX (.irx) file, is scanned using trace analysis to find security vulnerabilities. When the IRX file is generated for compiled languages, application byte code files are converted into an Intermediate Representation of the code. When an IRX file is generated for scripting languages, source files are included in the encrypted IRX file.
When you use the Eclipse, IntelliJ IDEA, or Visual Studio plug-ins, IRX file generation and upload happens automatically from the IDE when you use static analysis actions.
Tip: After you change the PATH, issue appscan version (Windows) or appscan.sh version (Linux and macOS) at a command prompt. If the Static Analyzer Client Utility version, home, and other information are returned, the PATH is set correctly.
What to do next
If you are running the Client Utility on a computer that is behind a proxy, use one of these methods to specify the proxy so that the Client Utility can connect to the cloud:
- Client Utility CLI and supported integrated development environments (IDEs): Set this global or system environment variable so that the proxy is automatically recognized:
  - Windows: APPSCAN_OPTS=-Dhttps.proxyHost=<proxy> -Dhttps.proxyPort=<port>
  - Linux and macOS: APPSCAN_OPTS="-Dhttps.proxyHost=<proxy> -Dhttps.proxyPort=<port>"
  Where <proxy> is the host name of the proxy server and <port> is the port number that the proxy server is using.
  Or, each time that you use the CLI or IDE (launched from a command prompt or terminal), you can set the Client Utility to use the proxy by issuing a command:
  - Windows: set "APPSCAN_OPTS=-Dhttps.proxyHost=<proxy> -Dhttps.proxyPort=<port>"
  - Linux and macOS: export APPSCAN_OPTS="-Dhttps.proxyHost=<proxy> -Dhttps.proxyPort=<port>"
- Maven: If you added the static analysis plug-in to Maven, you can add the property to the MAVEN_OPTS environment variable globally or you can add the property to each command.
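As an added example (not part of the product documentation), the POSIX shell script below builds the two Java system properties that the Client Utility reads from APPSCAN_OPTS out of a conventional proxy URL of the form [scheme://]host:port (the shape commonly found in an https_proxy variable), rejects a missing host, a missing or non-numeric port, or a port outside 1-65535, exports APPSCAN_OPTS, appends the same properties to MAVEN_OPTS for the Maven plug-in, and wraps the PATH check from the tip above. The function names, the sample proxy host, and the assumption that the proxy URL carries no credentials or IPv6 brackets are mine.

```shell
#!/bin/sh
# Added example: derive the proxy properties for the AppScan Client Utility
# from a proxy URL. Assumption (not from the documentation): the URL is
# [scheme://]host:port with no user:password@ part and no IPv6 brackets.

# Print "-Dhttps.proxyHost=<host> -Dhttps.proxyPort=<port>" for a proxy URL.
# Returns 1 and prints nothing when the URL cannot be parsed safely.
appscan_proxy_opts() {
    url=$1
    hostport=${url#*://}        # drop an optional scheme
    hostport=${hostport%%/*}    # drop any trailing path or slash
    host=${hostport%:*}
    port=${hostport##*:}
    # port must be present and purely numeric
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    # host must be non-empty; if no colon was present host == port
    [ -n "$host" ] && [ "$host" != "$port" ] || return 1
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    printf '%s' "-Dhttps.proxyHost=$host -Dhttps.proxyPort=$port"
}

# Export APPSCAN_OPTS for the CLI and IDE plug-ins and add the same
# properties to MAVEN_OPTS for the static analysis Maven plug-in.
appscan_configure_proxy() {
    opts=$(appscan_proxy_opts "$1") || return 1
    export APPSCAN_OPTS="$opts"
    export MAVEN_OPTS="${MAVEN_OPTS:+$MAVEN_OPTS }$opts"
}

# The PATH check described in the tip: succeed only if the Client Utility
# launcher (appscan.sh on Linux/macOS, appscan on Windows shells) is found.
appscan_on_path() {
    command -v appscan.sh >/dev/null 2>&1 || command -v appscan >/dev/null 2>&1
}

# Usage (constructed sample proxy; run "appscan.sh version" afterwards):
#   appscan_configure_proxy "${https_proxy:-http://proxy.example.com:3128}" \
#       && appscan_on_path && appscan.sh version
```

Because the value is exported rather than written into a shell profile, it applies only to the current terminal session, which matches the "each time that you use the CLI" method above; put the export in a profile to make it global.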