Plug-in Documentation

HCL AppScan on Cloud (ASoC)

 

Overview

The AppScan on Cloud plug-in allows for integration with the IBM Application Security on Cloud server. This plug-in uses the Application Security on Cloud REST interface to interact with the IBM Application Security on Cloud application. Data is gathered from the IBM Application Security on Cloud server and displayed as a graphical view in the UrbanCode Velocity portfolio.

Compatibility

Must be running UrbanCode Velocity version 1.2.1 and later to use this plug-in.

Versions

There is no install process for this plug-in. The AppScan On Cloud plug-in is identified to UrbanCode Velocity as a value stream integration. UrbanCode Velocity plug-in images are located in DockerHub and the UrbanCode Velolcity code accesses the version that you select. To view available versions, see the UrbanCode DockerHub.

History

Version 1.0.17

  • Added Build URL to link ASoC scan results in VSM.

Version 1.0.16

  • Bug fixes.

Version 1.0.14

  • Name field in Insights mapped to the scan name in ASoC.

Version 1.0.13

  • Bug fixes.

Version 1.0.9

  • Update plugin version from 0.x.x to 1.x.x format.

Version 0.0.4

  • Initial release

Usage

To use the AppScan On Cloud plug-in you must complete the following:

  1. Define the integration
  2. Send an HTTP Post to request the new endpoint.

Define integration

The value stream map contains the properties, you will use to define the plug-in integration. Basically, the plug-in integration is defined with a value stream within the UrbanCode Velocity user interface. Defining the integration includes defining configuration properties that connect the UrbanCode Velocity server to the Application Security On Cloud server.

To define the integration, the basic flow includes:

  1. Download the value stream map. The value stream map is a JSON file used to define integrations.
  2. Edit the JSON file to include the plug-in configuration properties.
  3. Save and upload the JSON file. This replaces the current JSON file with the new content.
  4. View the new integration on the Integration user interface page.

Send HTTP Post

To gather data, send an HTTP POST request to your endpoint:


https:///pluginEndpoint//asocScan

The payload for this POST is {"scanId":"", "buildUrl": ""}.

  1. scanId – The scan id from the scan ran in ASoC. It is a mandatory field to render the scan results in Insights
  2. buildUrl – The build URL from Jenkins or any other CI/CD tool. It is an optional field which links the ASoC scan results with VSM

Integration type

The AppScan On Cloud plug-in supports endpoint integration which are listed in the following table.

Endpoints
Name Path Method
ASoC Scan asocScan Post

Integration

From the user interface Value Steam page, click Upload to upload the value stream map which is a JSON file.

The JSON file contains the information for creating a value stream and integrating with the Application Security on Cloud server. The following table describes the information for the creating a UrbanCode Velocity value stream map.

Value stream map information
Name Description Required
image The version of the plug-in that you want to use. To view available versions, see the UrbanCode DockerHub. If a value is not specified, the latest version is used. No
name An assigned name to the value stream. Yes
properties List of configuration properties used to connect and communicate with the Application Security on Cloud server. Enclose the properties within braces. Yes
tenant_id The name of the tenant. Yes
type Unique identifier assigned to the plug-in. The value for the Application Security On Cloud plug-in is asocPlugin Yes

Configuration Properties

The configuration properties which are included in the properties field are unique to the Application Security On Cloud plug-in and define the connection and communication to the Application Security On Cloud server.

Configuration properties
Name Type Description Required Project Name
Key ID String The key ID to authenticate with the Application Security On Cloud server. Yes keyId
URL String The URL of the Application Security on Cloud server. Yes asocUrl
Key Secret Secure The key secret to authenticate with the Application Security On Cloud server. Yes keySecret
UrbanCode Velocity User Access Key Secure The user access key to authenticate with the UrbanCode Velocity server. Yes ucvAccessKey

Example

The following example can be used as as template to include the AppScan On Cloud plug-in integration into the JSON file. Copy and paste the template into the JSON file and make the appropriate changes.


"integrations": [
  {
    "type": "asocPlugin",
    "tenant_id": "",
    "name": "",
    "properties":{
      "ucvAccessKey": "",
      "keyId" : "",
      "keySecret":""
    }
 }
]