
Chapter 7. AppScan Source for Analysis and defect tracking

AppScan Source for Analysis integrates with defect tracking systems to deliver confirmed software vulnerabilities directly to the developer desktop. A defect submitted to a defect tracking system contains a textual description of the bug and a file that contains only the findings submitted with that defect.

You can track your software vulnerability defects with AppScan Source for Analysis's integration with various defect tracking systems, including IBM Rational ClearQuest, IBM Rational Team Concert, HP Quality Center, and Microsoft Team Foundation Server.

Before you submit a finding to a defect tracking system or mail the defect to a developer, you may need to configure the defect tracking system preferences (see “Enabling defect tracking with preferences” on page 85).

Enabling defect tracking with preferences

Defect Tracking System preferences allow you to enable the submission of findings to a defect tracking system - and determine how defects are submitted.

The General tab in the Defect Tracking System preference page is used to enable or disable the Defect Tracking System integration feature in AppScan Source. If the Enable Defect Tracking System Integration check box is selected, the Submit Defect context menu action is available for assessment findings. The General tab also provides discrete control over which defect tracking systems are available when submitting defects.

To learn about the preferences that can be set for supported defect tracking systems, refer to these help topics:

v “Rational ClearQuest preferences” on page 86

v “Quality Center preferences” on page 87

v “Rational Team Concert preferences” on page 89

v “Team Foundation Server preferences” on page 90

Rational ClearQuest preferences

To be able to complete Rational ClearQuest preferences, your Rational ClearQuest administrator must provide you with the required Rational ClearQuest settings.

The settings are specific to your Rational ClearQuest environment.

Note: When integrating with Rational ClearQuest Version 8.0, the Rational ClearQuest schema must contain the fields that are available in the DefectTracking predefined schema.

Database set

A collection of one or more defect databases.

Default value: Connection Name on Linux; Database Set on Windows.

Database name

Name of the database to which to submit defects.

Database user name

Default Rational ClearQuest database user name.

Location of CQPerl executable

Location of the Rational ClearQuest CQPerl executable on the local computer. The provided default location maps to the default Rational ClearQuest installation location.

Entity for defect records

Entity (database object) configured by the Rational ClearQuest installation for use for defect objects.

The default entity is Defect.

Description field on record

Name of the record field that receives the defect description. The default is Description.

Headline field on record

Name of the record field that receives the defect headline. The default is Headline.

Single defect per finding

Submit a group of findings as a single defect or as multiple defects. You can change the submission method when you create the defect.

Quality Center preferences

You must first enable HP Quality Center as a General Defect Tracking System preference and then set the individual preferences on the Quality Center tab.

Server URL

The Quality Center Server URL - for example, http://<hostname>:<port>/qcbin/ or https://<hostname>:<port>/qcbin/. Use the https form where the server supports it: over plain http, the user name, password, and submitted findings cross the network in cleartext.

User Name (Optional)

A user name to log in to Quality Center.

Password (Optional)

If you entered a user name, enter the password for it.

Domain

The Quality Center domain to which to connect.

Project

The Quality Center project to which to connect.

Auto-login

When true, AppScan Source does not prompt for login information when submitting findings, and logs in with the default credentials specified in the Preferences. When false, you must log in each time you submit a finding to Quality Center.

Auto-submit

When true, the dialog box that is used for submitting new defects does not appear when submitting findings. AppScan Source for Analysis uses the Default Defect Properties specified in the Preferences. When false, a prompt appears requesting that you enter defect information (Severity, Priority, Defect Type, Status, and so forth) when submitting findings.

Resubmit previously-submitted findings

Findings submitted to Quality Center are tagged with Quality Center defect information (Defect ID, submitting user, and submission date). By default, AppScan Source does not resubmit the same finding more than once, so you can dispatch a batch of findings to Quality Center and only the findings that have not yet been submitted are entered in the Quality Center database. When selected (true), previously submitted findings can be resubmitted to Quality Center.

Submit each finding as an individual bug

When submitting multiple findings in a single operation, you can either submit all findings as a single Quality Center defect or as a separate Quality Center defect for each individual AppScan Source finding. Selecting this check box sets the flag to true, creating a separate Quality Center defect for each individual finding. Setting the flag to false creates one Quality Center defect for all findings submitted as part of a bulk submission.

Auto Generate Bug Summary

When true, AppScan Source automatically generates a defect summary for the submission in Quality Center. The summary indicates the number of findings included in the defect and the type of findings included, such as Validation.Required.

When false, the Summary field appears for you to complete when submitting the defect in the dialog box that opens when you create a new defect.
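The three preferences above (Resubmit previously-submitted findings, Submit each finding as an individual bug, and Auto Generate Bug Summary) interact during one bulk submission. The following model, added here as an example and not code from AppScan Source, shows the order in which they apply: already-tagged findings are dropped first, then the batch is split or kept whole, then a summary is generated or required. The Finding fields, the defect ID format, the summary wording, and the sample findings are constructed for the example; only the preference semantics come from the page.

```python
"""Model of the Quality Center submission preferences described above.

Added example, not AppScan Source code. The Finding fields, the defect ID
format and the summary wording are assumptions; only the preference
semantics (resubmit, one bug per finding, auto-generated summary) come
from the page.
"""
from dataclasses import dataclass, field
from itertools import count
from typing import List, Optional


@dataclass
class Finding:
    finding_id: str
    vuln_type: str            # e.g. "Validation.Required"
    file_name: str
    line: int
    # Tag written back when the finding is submitted: defect ID, user, date.
    qc_defect_id: Optional[str] = None
    qc_submitted_by: Optional[str] = None
    qc_submitted_on: Optional[str] = None

    @property
    def already_submitted(self) -> bool:
        return self.qc_defect_id is not None


@dataclass
class QcPrefs:
    resubmit_previously_submitted: bool = False   # page default: false
    individual_bug_per_finding: bool = False      # false = one defect per bulk submit
    auto_generate_summary: bool = True


@dataclass
class Defect:
    defect_id: str
    summary: str
    findings: List[Finding] = field(default_factory=list)


def auto_summary(findings: List[Finding]) -> str:
    """Count and vulnerability types, as the auto-generated summary reports."""
    types = ", ".join(sorted({f.vuln_type for f in findings}))
    return f"{len(findings)} AppScan Source finding(s): {types}"


class QcSubmitter:
    """Stand-in for the Quality Center connection; records created defects."""

    def __init__(self, prefs: QcPrefs, user: str, today: str):
        self.prefs, self.user, self.today = prefs, user, today
        self._ids = count(1)
        self.created: List[Defect] = []

    def _create(self, findings: List[Finding], summary: Optional[str]) -> Defect:
        defect = Defect(f"QC-{next(self._ids)}", summary or auto_summary(findings), list(findings))
        for f in findings:  # tag each finding so a later run can skip it
            f.qc_defect_id, f.qc_submitted_by, f.qc_submitted_on = defect.defect_id, self.user, self.today
        self.created.append(defect)
        return defect

    def submit(self, findings: List[Finding], summary: Optional[str] = None) -> List[Defect]:
        """Apply the three preferences to one bulk submission; return the defects created."""
        if not self.prefs.resubmit_previously_submitted:
            findings = [f for f in findings if not f.already_submitted]
        if not findings:
            return []  # everything was already in Quality Center
        if not self.prefs.auto_generate_summary and summary is None:
            raise ValueError("Summary is required when Auto Generate Bug Summary is false")
        if self.prefs.individual_bug_per_finding:
            return [self._create([f], summary) for f in findings]
        return [self._create(findings, summary)]


if __name__ == "__main__":
    # Constructed sample findings, not real scan output.
    batch = [Finding("F1", "Validation.Required", "Login.java", 42),
             Finding("F2", "Validation.Required", "Search.java", 7)]
    qc = QcSubmitter(QcPrefs(), user="alice", today="2024-01-01")
    print([d.summary for d in qc.submit(batch)])
    print(qc.submit(batch))   # second run: nothing new to submit
```

With the defaults, running the same batch twice creates one defect the first time and nothing the second time; the tag written onto each finding is what makes the second run a no-op, so a finding whose tag is lost (for example, by reimporting the assessment) will be submitted again.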

Auto Load Bug Fields

Default setting is true. When the check box is selected, AppScan Source automatically loads defect field definitions from the Quality Center database, based on the current user and group settings in Quality Center. When false, AppScan Source does not display defect fields from Quality Center in the dialog box that opens when you create a new defect.

Default Defect Properties

To set default values for the different Quality Center defect attributes, click Default Defect Properties on the Quality Center preference tab. The default values either pre-populate the New Defect dialog box at submission time, or they are sent to Quality Center silently if the Auto-submit preference is selected.

Note: Defect properties and their available values are pulled dynamically from Quality Center each time the Defect Properties dialog box appears if Auto Load Bug Fields is selected. Therefore, any new fields and values added to the Quality Center database automatically appear in AppScan Source for Analysis. Valid server, login, and connection information is required to open and populate the Defect Properties dialog box with Quality Center information.

Customizing Quality Center defect fields

Through a configuration file, you can customize the fields and interactions between these fields in the New Defect dialog box. You can find an example configuration file in <data_dir>\config\qc.dts (where <data_dir> is the location of your AppScan Source program data, as described in “Installation and user data file locations” on page 286), which contains sample customizations and additional documentation. These customizations allow you to model your Quality Center Workflow script logic directly in the New Defect dialog box.

Available customizations include:

v Displaying custom fields, missing fields, or both

v Forcing fields to always display (overriding Quality Center settings)

v Updating the required state of fields based on the selection of other fields

v Dynamically updating list box options for a field based on the list box selection in another field

Rational Team Concert preferences

The Rational Team Concert preference tab allows you to configure a connection to a Rational Team Concert server and also to configure the values of work item attributes.

Once you have entered your connection information and successfully logged in, you can then choose to connect to one or more project areas. Each project area can have its own configuration of attribute preset values.

Note: When you connect to Rational Team Concert (by configuring preferences or submitting defects), you may be prompted to accept an SSL certificate. Accept it only after checking that it is the certificate your Rational Team Concert administrator expects (for example, by comparing its fingerprint); accepting an unexpected certificate lets a man-in-the-middle read the credentials and findings you submit. See “Rational Team Concert SSL certificates” on page 89 for more information.

To configure the attribute values for a given project area, select the project area and choose Configure. In the configuration dialog box, you can set attribute values to either hardcoded values or in some cases to variables that refer to a selected finding. For example, the use of {Finding.fileName} in an attribute value will be replaced with the actual source code file name for a finding during submission.

Content Assist (<Ctrl>+<Space>) is provided for attribute values that support these variables. Teams are encouraged to share these configurations using the Import and Export buttons that are available on the main Rational Team Concert preference page.

Team Foundation Server preferences

The Team Foundation Server preference tab allows you to configure a connection to a Microsoft Team Foundation Server and to configure the values of work item fields.

Once you have entered your connection information and successfully logged in, you can then choose to connect to one or more projects.

Note: When configuring the login to Team Foundation Server 2010, the Server URL must contain the Team Project Collection you want to connect to. For example, http://myserver:8080/tfs/DefaultCollection.

Each project can have its own configuration of field preset values.

To configure the field values for a given project, select the project and choose Configure. In the configuration dialog box, you can set field values to either hardcoded values or in some cases to variables that refer to a selected finding. For example, the use of {Finding.fileName} in a field value will be replaced with the actual source code file name for a finding during submission. Content Assist (<Ctrl>+<Space>) is provided for fields that support these variables.
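Both the Rational Team Concert and the Team Foundation Server configuration dialogs accept {Finding.fileName} in a preset value and replace it at submission time. The block below, added here as an example and not code from AppScan Source, shows how such presets are expanded into concrete work item fields. Only {Finding.fileName} is documented on the page; the other attribute names (lineNumber, vulnerabilityType, severity), the list offered by Content Assist, and the decision to reject an unknown variable rather than submit it literally are assumptions made for the example. The sample finding and presets are constructed.

```python
"""Expansion of {Finding.<attribute>} variables in work item field presets.

Added example, not AppScan Source code. Only {Finding.fileName} is
documented; the remaining attribute names and the strict handling of
unknown variables are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Matches {Finding.<attribute>}; anything else in the preset is left verbatim.
VARIABLE = re.compile(r"\{Finding\.([A-Za-z_][A-Za-z0-9_]*)\}")


@dataclass(frozen=True)
class FindingFields:
    fileName: str
    lineNumber: int
    vulnerabilityType: str
    severity: str


# Attribute names this model offers through Content Assist (assumed list).
SUPPORTED: List[str] = ["fileName", "lineNumber", "vulnerabilityType", "severity"]


def content_assist(prefix: str = "") -> List[str]:
    """Variables completing `prefix`, as <Ctrl>+<Space> would list them."""
    return [f"{{Finding.{name}}}" for name in SUPPORTED if name.startswith(prefix)]


def expand(preset: str, finding: FindingFields) -> str:
    """Replace every {Finding.x} in one preset value with the finding's attribute."""
    def substitute(match: "re.Match") -> str:
        name = match.group(1)
        if name not in SUPPORTED:
            # A typo such as {Finding.filename} would otherwise reach the
            # tracker as literal text; fail early instead.
            raise KeyError(f"unknown variable {{Finding.{name}}} in preset {preset!r}")
        return str(getattr(finding, name))
    return VARIABLE.sub(substitute, preset)


def expand_presets(presets: Dict[str, str], finding: FindingFields) -> Dict[str, str]:
    """Expand every preset value of a project configuration for one finding."""
    return {field_name: expand(value, finding) for field_name, value in presets.items()}


if __name__ == "__main__":
    # Constructed sample finding and preset values.
    finding = FindingFields("src/Login.java", 42, "Validation.Required", "High")
    presets = {
        "Summary": "AppScan: {Finding.vulnerabilityType} in {Finding.fileName}:{Finding.lineNumber}",
        "Severity": "{Finding.severity}",
        "Owner": "appsec-team",          # hardcoded value, no variable
    }
    for name, value in expand_presets(presets, finding).items():
        print(f"{name}: {value}")
```

Values that contain no variable pass through unchanged, which is how a hardcoded preset such as a fixed owner or category is represented.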

Teams are encouraged to share these configurations using the Import and Export buttons that are available on the main Team Foundation Server preference page.