Plug-in Documentation

HCL AppScan Enterprise (ASE)

Overview

The AppScan Enterprise plug-in provides integration with an HCL AppScan Enterprise server. This plug-in retrieves the security vulnerability report of the application and displays it as metrics in Insights.

Compatibility

You must be running UrbanCode Velocity version 1.2.1 or later to use the plug-in.

Versions

There is no install process for this plug-in. The AppScan Enterprise plug-in is identified to UrbanCode Velocity as a value stream integration. UrbanCode Velocity plug-in images are located in DockerHub, and the UrbanCode Velocity code accesses the version that you select. To view available versions, see the UrbanCode DockerHub.

History

Version 1.0.23

  • Bug fix.

Version 1.0.21

  • Added Build URL to link AppScan Enterprise scan results in VSM.

Version 1.0.20

  • Bug fix.

Version 1.0.16

  • Update plugin version from 0.x.x to 1.x.x format.

Version 0.0.13

  • Initial release

Usage

To use the AppScan Enterprise plug-in, you must define the integration, create a value stream, and upload the integration.

The value stream map contains the properties that you use to define the plug-in integration. The plug-in integration is defined with a value stream within the UrbanCode Velocity user interface. Defining the integration includes defining configuration properties that connect the UrbanCode Velocity server to the AppScan Enterprise server.

The basic flow to use the plug-in includes:

  1. Download the value stream map. The value stream map is a JSON file used to define integrations.
  2. Edit the JSON file to include the plug-in configuration properties.
  3. Save and upload the JSON file. This replaces the current JSON file with the new content.
  4. View the new integration on the Integration user interface page.

Send HTTP PUT

To gather data, send an HTTP PUT request to your endpoint:

https:///pluginEndpoint//appscan/callback

The payload for this PUT is {"application":"", "buildUrl": ""}.

  1. application – The application name from the scan that ran in AppScan Enterprise. It is a mandatory field and is needed to render the scan results in Insights.
  2. buildUrl – The build URL from Jenkins or any other CI/CD tool. It is an optional field that links the AppScan Enterprise scan results with VSM.

Integration type

The AppScan Enterprise plug-in supports the endpoint integrations that are listed in the following table.

Endpoints

| Name | Path | Method |
| --- | --- | --- |
| AppScan Callback | appscan/callback | Put |

Integration

From the user interface Value Stream page, click Upload to upload the value stream map, which is a JSON file.

The JSON file contains the information for creating a value stream and integrating with the AppScan Enterprise server. The following table describes the information for creating an UrbanCode Velocity value stream map.

Value stream map information

| Name | Description | Required |
| --- | --- | --- |
| image | The version of the plug-in that you want to use. To view available versions, see the UrbanCode DockerHub. If a value is not specified, the latest version is used. | No |
| name | An assigned name to the value stream. | Yes |
| properties | List of configuration properties used to connect and communicate with the AppScan Enterprise server. Enclose the properties within braces. | Yes |
| tenant_id | The name of the tenant. | Yes |
| type | Unique identifier assigned to the plug-in. The value for the AppScan Enterprise plug-in is appscanPlugin. | Yes |

Configuration Properties

The configuration properties, which are included in the properties field, are unique to the AppScan Enterprise plug-in and define the connection and communication to the AppScan Enterprise server.

Configuration properties

| Name | Type | Description | Required | Property Name |
| --- | --- | --- | --- | --- |
| Password | Secure | The password to authenticate with the AppScan Enterprise server. | Yes | password |
| UrbanCode Velocity User Access Key | Secure | The user access key to authenticate with the UrbanCode Velocity server. | Yes | ucvAccessKey |
| User Name | String | The user name to use to authenticate with the AppScan Enterprise server. | Yes | username |
| URL | String | The URL of the AppScan Enterprise server. Include the port number. | Yes | url |
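
The required fields and properties in the tables above, and the callback payload described under Send HTTP PUT, can be checked before the JSON file is uploaded. The following Python is an added example, not part of the plug-in or its original documentation; it validates a single integration entry (where that entry sits inside the value stream map file is not shown on this page), and the host name, port, tenant, and credential placeholders in the sample are constructed.

```python
import json
from urllib.parse import urlsplit

REQUIRED_FIELDS = ("name", "properties", "tenant_id", "type")  # "image" is optional
REQUIRED_PROPERTIES = ("password", "ucvAccessKey", "username", "url")

def validate_integration(entry):
    """Return a list of problems found in one AppScan Enterprise integration entry."""
    problems = [f"missing required field: {f}" for f in REQUIRED_FIELDS if not entry.get(f)]
    if entry.get("type") and entry["type"] != "appscanPlugin":
        problems.append("type must be appscanPlugin")
    props = entry.get("properties")
    if not isinstance(props, dict):
        if props is not None:
            problems.append("properties must be enclosed in braces (a JSON object)")
        return problems
    problems += [f"missing required property: {p}"
                 for p in REQUIRED_PROPERTIES if not props.get(p)]
    if props.get("url"):
        try:
            port = urlsplit(props["url"]).port  # None when no port is given
        except ValueError:                      # non-numeric or out-of-range port
            port = None
        if port is None:
            problems.append("url must include the port number")
    return problems

def callback_payload(application, build_url=None):
    """Build the JSON body for the appscan/callback PUT; application is mandatory."""
    if not application:
        raise ValueError("application is mandatory")
    body = {"application": application}
    if build_url:  # optional: links the scan results with VSM
        body["buildUrl"] = build_url
    return json.dumps(body)

# Constructed sample entry; every value below is a placeholder, not a real one.
SAMPLE = {
    "type": "appscanPlugin",
    "tenant_id": "<tenant-id>",
    "name": "ASE scan metrics",
    "properties": {
        "url": "https://ase.example.test:9443/ase",
        "username": "<ase-user>",
        "password": "<ase-password>",
        "ucvAccessKey": "<velocity-user-access-key>",
    },
}

if __name__ == "__main__":
    print(validate_integration(SAMPLE) or "integration entry looks complete")
    print(callback_payload("<application name>", "<build URL>"))
```

Because password and ucvAccessKey are Secure properties, keep real values out of any copy of the JSON file that is stored in source control.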