Application Scan Tab

The application Scan tab provides various statuses related to your selected application and lets you configure and schedule future scans.

[Screenshot: asset application Scan tab]
  1. Scan Configuration

    Click on Scan Configuration to configure your scan. Here you can select a scan profile if desired (Default, SCA only, Mobile, Web, or Desktop Application), enable or disable directed remediation, exclude particular languages or files, and/or upload a configuration file (Maven, Gradle, NuGet, NPM, Composer, Yarn, or Bower).

    [Screenshot: application scan configuration dialog]
  2. Scan Schedule

    Refer to Scheduling an Application Scan for guidance on this.

  3. Start Pre-Scan

    Start Pre-Scan is only available for applications that have never been scanned before. Once an application has been scanned once, this option is removed for that particular application.

    To run a pre-scan (which will determine the license requirements) click on Start Pre-Scan. A green banner is displayed for success, but if there is an error, you will see a red banner.

    [Screenshot: pre-scan started banner]

    Pre-scan typically completes in under 30 minutes and does not consume any licenses. It does not verify or display any vulnerabilities, but rather it is a lightweight scan intended for the following purposes:

    • to validate scan configurations and codebase access, including the ability to check out code.

    • to check for scan errors and missing dependencies.

    • to count the lines of code and determine the file size, to determine the type of license required for a full scan.

    • to provide a list of files scanned to allow you to exclude files that should not be included in the full scan.
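The sizing part of a pre-scan (lines of code, file size, and the per-extension breakdown that the Extensions Scanned field reports) can be estimated locally before a license is committed. The following is an added example written for this page, not the product's own code; it walks a directory, applies exclusion globs of the kind the scan configuration accepts, and returns the same three measures. The sample tree, glob syntax and field names are assumptions.

```python
import fnmatch
import os
import tempfile
from collections import defaultdict


def _excluded(rel_path, globs):
    """True if the path (relative to the scan root) matches any exclusion glob."""
    rel_path = rel_path.replace(os.sep, "/")
    base = os.path.basename(rel_path)
    return any(fnmatch.fnmatch(rel_path, g) or fnmatch.fnmatch(base, g) for g in globs)


def prescan_inventory(root, exclude_globs=()):
    """Return lines of code, total bytes and a per-extension table for `root`,
    skipping anything matched by `exclude_globs` (assumed exclusion syntax)."""
    per_ext = defaultdict(lambda: {"files": 0, "lines": 0, "bytes": 0})
    total_lines = total_bytes = 0
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune excluded directories so they are never descended into.
        dirnames[:] = [d for d in dirnames
                       if not _excluded(os.path.relpath(os.path.join(dirpath, d), root), exclude_globs)]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if _excluded(os.path.relpath(path, root), exclude_globs):
                continue
            ext = os.path.splitext(name)[1].lower() or "(none)"
            size = os.path.getsize(path)
            with open(path, "rb") as fh:
                lines = sum(1 for _ in fh)  # newline-delimited line count
            per_ext[ext]["files"] += 1
            per_ext[ext]["lines"] += lines
            per_ext[ext]["bytes"] += size
            total_lines += lines
            total_bytes += size
    return {"lines_of_code": total_lines, "file_size": total_bytes,
            "extensions": dict(per_ext)}


def build_sample_tree():
    """Constructed sample codebase (not real project data) for a demonstration run."""
    root = tempfile.mkdtemp(prefix="prescan_")
    files = {
        "src/app.py": "import os\n\ndef main():\n    pass\n",
        "src/util.js": "function f() {}\nexport default f;\n",
        "vendor/lib.min.js": "x\n" * 100,   # bundled dependency a scan might exclude
        "README.md": "# demo\n",
    }
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    return root
```

Comparing `prescan_inventory(root)` with `prescan_inventory(root, ("vendor/*", "*.md"))` shows how much of the counted size comes from files that could be excluded before the full scan.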

  4. Scan Now

    Clicking on Scan Now assigns an appropriate license to this application if necessary and begins the scan. If an appropriate license is not available, the request will be rejected and you will see a red banner.

    A Full Scan may take up to 24 hours to complete, depending on your application’s complexity, and the process will consume one license. This is a deep scan intended for the following purposes:

    • to perform full static or binary analysis of your application.

    • to perform Software Composition Analysis and identify open-source and third-party libraries used in your application, with the version, license information and CVEs if available.

    • to verify and display security vulnerabilities found in your application.

  5. Scan status fields:

    5a. Scan Status: This shows the status of the current scan. This may be Complete, Scan Running, Failed, or WHS Updating Configuration (scans are paused for some kinds of maintenance).

    5b. Scan Schedule: This displays the scanning schedule for the selected application.

    5c. Next Scan Scheduled: The date on which the next scan is scheduled to begin.

    5d. WhiteHat Asset Size: The relative size of the asset being scanned, according to Black Duck’s terminology.

    5e. Code Sent to WhiteHat (%): The percentage of the code scanned that was sent to Black Duck as 'code snippets' to verify potential vulnerabilities.

    5f. Last Completed Scan: Most recent date on which a scan was completed.

    5g. Last Scan Request By: Provides the name of the user that requested the last scan.

    5h. Lines of Code Scanned: Number of lines of code covered in the most recent scan.

    5i. Average Lines of Code Scanned: Number of lines of code scanned on average overall.

    5j. Last Scanned File Size: File size of the asset in the most recent scan.

    5k. Average Scanned File Size: Average file size scanned overall.

    5l. Potential Vulnerabilities - Scanner Found: The number of possible vulnerabilities identified by the scan.

    5m. Open Vulnerabilities - Verified: The number of verified vulnerabilities currently open for this asset.

    5n. Extensions Scanned: This table provides a list of the file types and the count for each file type scanned.

  6. Scan Log

    The Scan Log table at the bottom of this screen essentially provides an application scan history for the user. It records the following:

    1. Scan Completed Date, which notes the completion date and timestamp for every scan performed on the selected application.

    2. The File Size that was scanned.

    3. The number of Lines of Code Scanned.

    4. The Codebase Metadata. When View is clicked, the following information displays:

      • The scanned repository Name.

      • The URL to the scanned repository.

      • The Revision sha which notes the exact revision of the codebase that was scanned.

      If no codebase metadata exists, the View link will not appear next to that particular scan.

Video Tutorial - SAST Scan Tab