HCL AppScan extension for Visual Studio 2022

HCL AppScan Visual Studio 2022 extension enables you to scan your source code and eliminate vulnerabilities early in the development life cycle.

Prerequisites

Before installing the extension, ensure the target system meets these requirements:

Windows: AMD64
Java Runtime (JRE) 8 or higher.
Microsoft Visual Studio Enterprise/Community/Professional 2022 (17.6) version or above.

Installation

To install the HCL AppScan for Visual Studio 2022 extension:

Click the Download Extension link on this page.
Alternatively, you can also download the extension from within Visual Studio IDE via Extensions->Manage Extension. Search for HCL AppScan and select Download.
Double-click on installer.
Restart Visual Studio 2022 to activate the extension.
Once you install the HCL AppScan extension, HCL AppScan option is available on the View menu in Visual Studio 2022 (View->HCL AppScan).

What's new in HCL AppScan extension for Visual Studio 2022

HCL AppScan extension supports scanning for vulnerabilities in 35+ languages.
Issues can be marked as noise or remediated using the fix recommendations.
Auto-fix is available across language rules.
Single or multiple rules across languages can be enabled or disabled from the new Language rules panel in Visual Studio 2022.
Support for vulnerable code highlight option for issues identified in a scan.
Connect to HCL AppScan on Cloud to ensure issues that have been set to “Noise” in AppScan on Cloud are not shown in CodeSweep.

Extension configuration

Below settings are available for HCL AppScan Visual Studio extension under Tools->Options->HCL AppScan

ASoC Configuration

You can connect HCL AppScan Visual Studio extension to HCL AppScan on Cloud. To configure connection details: 1. Go to Tools->Options->HCL AppScan->ASoC. 2. Provide the API Key ID and API Key Secret. If you don’t have a Key ID/Secret, create one by following the steps [here](https://help.hcltechsw.com/appscan/ASoC/appseccloud_generate_api_key_cm.html). 4. Click OK to save the credentials.”

Once connected, issues that have been set to “Noise” in AppScan on Cloud are not shown in CodeSweep.

To remove the connection to AppScan on Cloud, remove the keyID and keySecret credentials and restart Visual Studio.

Manage Telemetry

We are collecting telemetry data [rules ignored, rules info viewed, file types scanned] to give you a better user experience with our future releases. No information about specific issues is captured or stored. In case you want to opt out, please disable this option by navigating to Tools->Options->HCL AppScan->General->Manage Telemetry and choose "Disable".

Manage Vulnerable Code Highlight

This settings enables you to choose the code highlight option for issues identified in a scan.

Select the Don't highlight option if you don't want to highlight the vulnerable code in the editor on file save.
Select the Highlight all issues option if you want to highlight all the security issues in the file immediately after the file save.
Select the Highlight when selected option if you want to highlight the issue only when it is clicked in the findings table.
By default Highlight When Selected option will be selected.

Extension features

CodeSweep Findings table

Severity - Issue Severity
Issue Type - Click to open rule information in the How To Fix tab of AppScan Details tool window.
Location - Line number where the issue is located. Click to navigate to that line location in the IDE pane.
Auto fix - If available for the vulnerability, choose Select Auto fix from the drop-down menu.
Mark as noise - Indicates it should be ignored. To unmark an issue as noise, click on Clear Status.

CodeSweep Findings operations

Mark issue as noise

Marking an issue as “noise” indicates it should be ignored now and in the future; it will not be reported in future scans of the file. Issues marked as noise are strike through and greyed out until the next save of the corresponding file or an editor restart, whichever happens first. To mark an issue as noise, click Mark as noise.

CodeSweep_MarkAsNoise

Unmark Issue as Noise

Unmarking an issue as noise ensures that the issue considered in future scans. You can clear the noise status only for issues marked as noise in the current session, provided the file has not been saved since being labelled as noise. To unmark an issue as noise, click Clear status.

CodeSweep_ClearStatus

CodeSweep Rules Panel

This view displays applicable rules grouped by supported programming languages. Within every group, the rules are ordered based on severity.

CodeSweep Rules operation

1. Disable Rule

Disabling a rule means it will not be considered for future scans. Once disabled, the rule name is annotated with the “Rule Disabled” label and the severity icon changes to note the disabled status. Once a rule is disabled, issues listed for a rule are no longer displayed. To disable a rule, either:

Select a single or multiple rules or single or multiple languages and click Disable.
Right-click on rule and select Disable.

CodeSweep_DisableRule

2. Enable Rule

Enabling a rule means that it will be considered for future scans. Enabling a rule will not display any issues belonging to that rule reported earlier in the same session; they are listed after you save a file which has issues corresponding to that rule. To enable a rule, either:

Select a single or multiple rules or single or multiple languages and click Enable.
Right-click on rule and select Enable.

CodeSweep_EnableRule

3. Rule Info

The AppScan Rule Info pane in Visual Studio displays relevant information both enabled and disabled rules. To view the advisory and remediation information for a rule, either:

Select a rule and click Info.
Double-click on the rule.
Right-click a rule and select Info.

CodeSweep_RuleInfo

Troubleshooting

Unable to see HCL AppScan windows in the IDE. Go to View->HCL AppScan and click on CodeSweep Findings and CodeSweep Rules windows.
Error encountered: "Compatible version of Java 8 or 11 could not be found". Close the IDE, install JRE 8 or 11 and restart the IDE. Once these steps are completed, HCL AppScan CodeSweep integration will be available in Visual Studio IDE.
If rules are not displayed in "CodeSweep language rules" view, close the view and reopen it from View->HCL AppScan->CodeSweep Language Rules.
When the IDE is reopened "How To Fix" tab will be blank until a rule info is clicked to display the corresponding advisory information.

Known issues

Issues encountered in visual display of UI elements in HCL AppScan Extension in Dark theme are known bugs and will be fixed in upcoming releases.

Report feedback

Use the CodeSweep slack channel to report feedback or ask general questions about the extension.

HCL AppScan

HCL Software