
AppScan Source for Analysis integrates with IBM Rational Team Concert to deliver confirmed software vulnerabilities directly to the developer desktop. Defect submission to a defect tracking system contains a textual description of the bug and a file that contains only the findings submitted with the defect.

Before you submit a finding to a defect tracking system or mail the defect to a developer, you may need to configure the defect tracking system preferences (see “Enabling defect tracking with preferences” on page 55).

Enabling defect tracking with preferences

Defect Tracking System preferences allow you to enable the submission of findings to a defect tracking system - and determine how defects are submitted.

The General tab in the Defect Tracking System preference page is used to enable or disable the Defect Tracking System integration feature in AppScan Source. If the Enable Defect Tracking System Integration checkbox is selected, the Submit Defect context menu action will be available for assessment findings.

To learn about the preferences that can be set for supported defect tracking systems, refer to these help topics:

- “Rational Team Concert preferences” on page 55

Rational Team Concert preferences

The Rational Team Concert preference tab allows you to configure a connection to a Rational Team Concert server and also to configure the values of work item attributes.

Once you have entered your connection information and successfully logged in, you can then choose to connect to one or more project areas. Each project area can have its own configuration of attribute preset values.

Note: When you connect to Rational Team Concert (by configuring preferences or submitting defects), you may be prompted to accept an SSL certificate. See “Rational Team Concert SSL certificates” on page 56 for more information.

To configure the attribute values for a given project area, select the project area and choose Configure. In the configuration dialog box, you can set attribute values to either hardcoded values or in some cases to variables that refer to a selected finding. For example, the use of {Finding.fileName} in an attribute value will be replaced with the actual source code file name for a finding during submission.

Content Assist (<Ctrl>+<Space>) is provided for attribute values that support these variables. Teams are encouraged to share these configurations using the Import and Export buttons that are available on the main Rational Team Concert preference page.
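The variable substitution described above (a preset attribute value such as {Finding.fileName} being replaced with data from the selected finding at submission time) can be modelled with a small expander. The code below is an added example written for this page, not AppScan Source's own implementation. Only fileName is a variable named on the page; the other finding keys, the preset attribute names and the strict/lenient behaviour on unknown variables are assumptions of the example:

```python
import re
from typing import Dict, Iterable, List

# Constructed finding record for this example. Only "fileName" is a variable named on
# the page ({Finding.fileName}); the other keys are hypothetical and are not a claim
# about which variables AppScan Source actually provides.
SAMPLE_FINDING: Dict[str, str] = {
    "fileName": "C:\\TestApps\\java\\JavaAny\\src\\JavaAny.java",
    "name": "JavaAny.test_DataInput",
    "severity": "Low",
}

# Matches {Finding.<identifier>} and captures the identifier.
_VAR_RE = re.compile(r"\{Finding\.([A-Za-z_][A-Za-z0-9_]*)\}")


def expand_attribute(template: str, finding: Dict[str, str], strict: bool = True) -> str:
    """Replace each {Finding.<key>} in template with finding[key].

    With strict=True an unknown variable raises KeyError, so a typo in a shared
    preset fails when the preset is applied instead of silently creating a work
    item whose attribute still contains the literal placeholder. With
    strict=False unknown variables are left untouched.
    """
    def replace(match: "re.Match[str]") -> str:
        key = match.group(1)
        if key in finding:
            return finding[key]
        if strict:
            raise KeyError(f"unknown finding variable: {match.group(0)}")
        return match.group(0)

    return _VAR_RE.sub(replace, template)


def expand_preset(preset: Dict[str, str], finding: Dict[str, str]) -> Dict[str, str]:
    """Expand every attribute value in a project-area preset for one finding."""
    return {attr: expand_attribute(value, finding) for attr, value in preset.items()}


def unresolved_variables(preset: Dict[str, str], known_keys: Iterable[str]) -> Dict[str, List[str]]:
    """Report, per attribute, the variables a preset uses that no finding provides.

    Useful as a check before exporting a preset for the team or after importing
    one, since the variable set is fixed but the preset values are free text.
    """
    known = set(known_keys)
    problems: Dict[str, List[str]] = {}
    for attr, value in preset.items():
        missing = [k for k in _VAR_RE.findall(value) if k not in known]
        if missing:
            problems[attr] = missing
    return problems


if __name__ == "__main__":
    # Constructed preset: attribute names are illustrative, not RTC's actual schema.
    preset = {
        "Summary": "AppScan Source: {Finding.name} in {Finding.fileName}",
        "Severity": "{Finding.severity}",
        "Filed Against": "Security",   # hardcoded value, no variables
    }
    print(unresolved_variables(preset, SAMPLE_FINDING))
    for attr, value in expand_preset(preset, SAMPLE_FINDING).items():
        print(f"{attr}: {value}")
```

Running unresolved_variables over a preset before it is exported gives the team a quick sanity check that every variable in the shared configuration resolves, which is the failure most likely to surface only at submission time otherwise.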

Integrating Rational Team Concert and AppScan Source for Analysis

Rational Team Concert integration with AppScan Source for Analysis does not require that an additional Rational Team Concert client be installed on your computer.

To configure a connection to Rational Team Concert, go to the Rational Team Concert tab in the Defect Tracking System preferences - or you can submit a defect and you will be prompted at that point to log in and configure your connection.

Rational Team Concert preferences also allow you to configure the preset field values that will be used during defect submission. This lets you set values that you want to use for every defect and also to modify the default values that ship with AppScan Source.

Note: When you connect to Rational Team Concert (by configuring preferences or submitting defects), you may be prompted to accept an SSL certificate. See “Rational Team Concert SSL certificates” on page 56 for more information.

Submitting defects to Rational Team Concert

You can submit bundles with one or more findings to Rational Team Concert - or you can submit individual findings. The first time you submit a finding from AppScan Source for Analysis to Rational Team Concert, you must log in with your username and password. If you want to configure the preset field values that will be used during submission, you can do so in the Rational Team Concert preferences.

About this task

When you submit a bundle to Rational Team Concert, the work item number is associated with the specific findings in the bundle, rather than the bundle itself.

This ensures that you can manipulate the bundle further while preserving the association of specific findings to work item numbers.

Procedure

1. Select the finding or findings in the table, or open the bundle. (If you open the bundle, select the bundle findings to submit.)

2. Right-click the selection and choose Submit Defect > Dispatch to Rational Team Concert from the menu.

3. The submission dialog box will then guide you through the process, including login, if necessary, and filling in required attributes.

Note: When you connect to Rational Team Concert (by configuring preferences or submitting defects), you may be prompted to accept an SSL certificate. See “Rational Team Concert SSL certificates” on page 56 for more information.

Results

A bundle will be automatically added to the submitted work item that can then be opened at a later time by a user of AppScan Source for Analysis or AppScan Source for Development.

Rational Team Concert SSL certificates

When a Rational Team Concert server is installed, it should be configured to use a valid SSL certificate. If this is not done, you will receive an untrusted connection message when logging in to the server (while configuring preferences or submitting defects). This topic outlines Rational Team Concert SSL certificate considerations.

SSL certificate storage location

Certificates that have been permanently accepted are stored in <user_home>/.jazzcerts (where <user_home> is your operating system home directory; for example, on Windows, the directory might be C:\Documents and Settings\Administrator\). Removing <user_home>/.jazzcerts deletes all stored certificates for AppScan Source and Rational Team Concert clients.

SSL certificate sharing with Rational Team Concert clients

AppScan Source shares its certificate store with Rational Team Concert clients. If you permanently accept a certificate using a Rational Team Concert client, it will be reused by AppScan Source (you will not be prompted in AppScan Source to accept a certificate). Similarly, if you permanently accept a certificate in AppScan Source, it will be reused by Rational Team Concert clients.

Working with submitted defects

When you submit more than a few findings as separate defects, the process runs in the background while you continue the triage process. After the defect submission, a defect ID received from the defect system is attached to the relevant findings and remains with that finding. To work with a defect that has been submitted to your defect tracking system, follow the steps in this topic.

Procedure

1. Open your defect tracking system and locate the defect.

2. Save the attachment as an AppScan Source bundle (.ozbdl) file. You can open this file in AppScan Source for Analysis.

Submitting bundles to defect tracking and by email

The findings in bundles can be submitted to your corporate defect tracking system - or sent by email. Once you place findings in a bundle, you can submit these findings as bugs for developer remediation.

Procedure

1. Open the bundle.

2. Click the Submit bundle to defect tracking toolbar button down arrow and then select your defect tracking system.

Note: Depending on your defect tracking system, you may want to modify Defect Tracking System preferences before submitting the bundle.

Alternatively, on the Bundle toolbar, click Email Bundle to send the bundle to others (email preferences must be configured beforehand).

3. Complete the configuration dialog boxes that open. These vary depending on the defect tracking system that you have chosen - and are described in the AppScan Source for Analysis and defect tracking section of the help.

Tracking defects through email (sending findings by email)

About this task

If you have configured email preferences, you can email findings or bundles directly to developers to advise them of potential defects found after a scan. The email includes an attachment that contains the findings - and text that describes the findings.

Note: Some Simple Mail Transfer Protocol (SMTP) relays only deliver mail to specific domains. In this case, if you send from mydomain.com, only recipients in mydomain.com can receive the email through AppScan Source for Analysis.

To email findings from a findings table:

Procedure

1. Select the finding or findings in the table, or open a bundle. If you open a bundle, select the bundle findings to mail.

2. Right-click the selection and choose Email Findings from the menu.

3. The email will include a bundle attachment that contains the findings. In the Attachment File Name dialog box, specify a name for the finding bundle. For example, specifying my_finding in the Attachment File Name field causes a bundle with file name my_finding.ozbdl to be attached to the email. Click OK to open the Email Findings dialog box.

4. By default, the Mail To field in the Email Findings dialog box will populate with the To Address that is specified in the email preferences - however, it can easily be changed when preparing the email. In this dialog box, review the contents of the email and then click OK to send the email.

Results

Example email contents:

1 findings:

Name: JavaAny.test_DataInput

Type: Vulnerability.Validation.Required

Severity: Low

Classification: Suspect

File Name: C:\TestApps\java\JavaAny\src\JavaAny.java

Line / Col: 275 / 0

Context: di . java.io.DataInput.readFully ( ba )

Notes: Check into this vulnerability and report back ASAP.

Tip: You can email individual findings or bundles from the Finding Detail view.

You can also email bundles by clicking Email Bundle on the Bundle toolbar.
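The email body shown under "Example email contents" above is a simple labelled-field format that a receiving team may want to turn back into structured records (for example, to route findings by severity before anyone opens the attached bundle). The parser below is an added example written for this page, not code from AppScan Source; it assumes only the labels visible in that example (Name, Type, Severity, Classification, File Name, Line / Col, Context, Notes) and the "N findings:" header. It goes slightly beyond the page's one-finding sample: it accepts several "Label: value" pairs on one line, treats unlabelled lines as continuation of the previous field, and checks the declared count against what it parsed. The sample email body is constructed:

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the body of an "Email Findings" message laid out like the
# "Example email contents" above (the field labels are those shown there).
SAMPLE_EMAIL_BODY = """\
1 findings:

Name: JavaAny.test_DataInput
Type: Vulnerability.Validation.Required
Severity: Low
Classification: Suspect
File Name: C:\\TestApps\\java\\JavaAny\\src\\JavaAny.java
Line / Col: 275 / 0
Context: di . java.io.DataInput.readFully ( ba )
Notes: Check into this vulnerability and report back ASAP.
"""

FIELD_LABELS = ("Name", "Type", "Severity", "Classification",
                "File Name", "Line / Col", "Context", "Notes")
# A label is recognised only at the start of a line or after whitespace, so that
# label-like text inside a value (a path, a note) does not start a new field.
_LABEL_RE = re.compile(
    r"(?:^|(?<=\s))(" + "|".join(re.escape(l) for l in FIELD_LABELS) + r"):\s*")
_HEADER_RE = re.compile(r"^(\d+) findings?:$")
_LINE_COL_RE = re.compile(r"^(\d+)\s*/\s*(\d+)$")


@dataclass
class Finding:
    name: str
    type: str = ""
    severity: str = ""
    classification: str = ""
    file_name: str = ""
    line: Optional[int] = None
    col: Optional[int] = None
    context: str = ""
    notes: str = ""


def _to_finding(rec: Dict[str, str]) -> Finding:
    """Convert one raw label->value record into a Finding, parsing Line / Col."""
    f = Finding(name=rec["Name"])
    f.type = rec.get("Type", "")
    f.severity = rec.get("Severity", "")
    f.classification = rec.get("Classification", "")
    f.file_name = rec.get("File Name", "")
    f.context = rec.get("Context", "")
    f.notes = rec.get("Notes", "")
    if "Line / Col" in rec:
        m = _LINE_COL_RE.match(rec["Line / Col"])
        if not m:
            raise ValueError(f"unparseable Line / Col value: {rec['Line / Col']!r}")
        f.line, f.col = int(m.group(1)), int(m.group(2))
    return f


def parse_findings_email(body: str) -> List[Finding]:
    """Parse the text of an emailed findings report into Finding records.

    Each "Name:" starts a new finding. Several "Label: value" pairs may share a
    line, and a line with no label continues the previous field (a long note).
    The count in the "N findings:" header is checked against what was parsed.
    """
    records: List[Dict[str, str]] = []
    declared: Optional[int] = None
    last_label: Optional[str] = None
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = _HEADER_RE.match(line)
        if header and declared is None:
            declared = int(header.group(1))
            continue
        matches = list(_LABEL_RE.finditer(line))
        if not matches:
            if not records or last_label is None:
                raise ValueError(f"text outside any finding: {line!r}")
            records[-1][last_label] += " " + line
            continue
        for i, m in enumerate(matches):
            label = m.group(1)
            end = matches[i + 1].start() if i + 1 < len(matches) else len(line)
            value = line[m.end():end].strip()
            if label == "Name":
                records.append({})
            elif not records:
                raise ValueError(f"field {label!r} appears before any Name:")
            records[-1][label] = value
            last_label = label
    if declared is not None and declared != len(records):
        raise ValueError(f"header declares {declared} findings, parsed {len(records)}")
    return [_to_finding(r) for r in records]


if __name__ == "__main__":
    for f in parse_findings_email(SAMPLE_EMAIL_BODY):
        print(f"{f.severity:5} {f.classification:8} {f.file_name}:{f.line} {f.name}")
```

The parser fails loudly on a count mismatch or an unparseable Line / Col rather than returning a partial list, which is the right default when the output feeds triage: a silently dropped finding is worse than a rejected email.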