Scan an application with advanced options

2023/6/12

While the default scanning options will work for scanning most applications, Lucent Sky AVM provides advanced scan options to fine-tune the analysis and remediation behaviors. This article describes the scan options available and when to use them.

In this article, you will learn how to:

  • Scan a specific project inside the source code archive or directory.
  • Scan with a custom set of weakness policies.
  • Scan with a custom set of vectors.

At the end, you will be able to scan a specific project, and scan with a custom set of weakness policies or vectors.

Scan a specific project inside the source code archive or directory

Lucent Sky AVM can automatically detect the project inside a source code archive or directory. However, if the archive or directory contains multiple potential project files (such as multiple .*proj, build.xml, or pom.xml files), Lucent Sky AVM might not select the correct one. By specifying the relative path of the project file inside the source code archive or directory, you let Lucent Sky AVM identify the project correctly and use it as the entry point of the scan. To learn more about how to choose the correct project file, view the following article in the Lucent Sky Knowledge Base:
Prepare an application for scanning

Scan with a custom set of weakness policies

The built-in rule package includes a set of policies that determine which weaknesses are identified and which are also remediated. This behavior can be changed by specifying a custom set of weakness policies. There are two types of policies: security standard (such as OWASP Top 10) and CWE (such as CWE-79). Combining the two types of weakness policies in one scan is not supported.

Security standard weakness policy

Use security standard weakness policies to identify and remediate weaknesses included in these security standards. Each security standard weakness policy has two parts, the security standard and the corresponding behavior. Available security standards are CWE Top 25 (CWETop25), OWASP ASVS (OWASPASVS), OWASP Top 10 combined list (OWASPTop10), OWASP Top 10 individual lists (OWASPTop102004, OWASPTop102007, OWASPTop102010, OWASPTop102013, OWASPTop102017, OWASPTop102021, OWASPMobileTop102014, and OWASPMobileTop102016), PCI DSS (PCIDSS3 for v3.2.1 and PCIDSS4 for v4.0), and SANS Top 25 (SANSTop25). Available behaviors are identify and remediate (2) and only identify (1). To enable multiple security standards, separate them by semicolons.

If a weakness is included in multiple enabled security standard weakness policies with different behaviors, identify and remediate (2) prevails. Weaknesses not included in any of the enabled security standard weakness policies are set to ignore. For example, OWASPTop10,1;PCIDSS4,2 sets the weaknesses in OWASP Top 10 to identify, the weaknesses in PCI DSS v4.0 to identify and remediate, and all other weaknesses to ignore.

CWE weakness policy

Use CWE weakness policies to explicitly set the behavior of certain weaknesses. Each CWE weakness policy has two parts, the CWE ID and the corresponding behavior. Available behaviors are identify and remediate (2), only identify (1), and ignore (0). To specify multiple CWE weakness policies, separate them by semicolons. Weaknesses not specified retain their default behaviors.

For example, CWE79,0;CWE501,2 sets CWE-79 to ignore, CWE-501 to identify and remediate, and lets all other CWE weaknesses retain their default behaviors.
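To make the two policy formats above concrete, here is an added example (not part of the article or of Lucent Sky AVM itself) that parses a policy string and resolves the effective behavior of each CWE according to the stated rules: behaviors 0/1/2, "identify and remediate (2) prevails" across security standards, unlisted weaknesses set to ignore in security standard mode but left at their default in CWE mode, and no mixing of the two types. The STANDARD_CWES membership table is a constructed, hypothetical stand-in for the real rule package coverage.

```python
import re

# Behaviors as the article defines them: 0 = ignore, 1 = only identify,
# 2 = identify and remediate.
IGNORE, IDENTIFY, REMEDIATE = 0, 1, 2
CWE_NAME = re.compile(r"CWE\d+")

# Constructed, hypothetical table of the CWE IDs each standard covers.
STANDARD_CWES = {"OWASPTop10": {79, 89, 352}, "PCIDSS4": {89, 798}}

def parse_policies(spec):
    """Split 'Name,behavior;Name,behavior' into (name, behavior) pairs.

    Enforces the article's rules: behaviors are 0..2, security standards
    accept only 1 or 2, and the two policy types cannot be mixed.
    """
    pairs = []
    for item in filter(None, spec.split(";")):
        name, sep, behavior = item.partition(",")
        name, behavior = name.strip(), behavior.strip()
        if not sep or behavior not in ("0", "1", "2"):
            raise ValueError(f"malformed policy {item!r}")
        if not CWE_NAME.fullmatch(name):
            if name not in STANDARD_CWES:
                raise ValueError(f"unknown security standard {name!r}")
            if behavior == "0":
                raise ValueError("security standards allow behaviors 1 and 2 only")
        pairs.append((name, int(behavior)))
    if len({bool(CWE_NAME.fullmatch(n)) for n, _ in pairs}) > 1:
        raise ValueError("mixing security standard and CWE policies is not supported")
    return pairs

def effective_behavior(spec, cwe_ids):
    """Return {cwe_id: behavior} for each CWE in cwe_ids under policy spec.

    Standards: the highest behavior among enabled standards containing the
    CWE wins (2 prevails), and a CWE in no enabled standard is IGNORE.
    CWE policies: listed CWEs get their behavior, others default (None here).
    """
    pairs = parse_policies(spec)
    cwe_mode = bool(pairs) and CWE_NAME.fullmatch(pairs[0][0]) is not None
    result = {}
    for cwe in cwe_ids:
        if cwe_mode:
            hits = [b for n, b in pairs if int(n[3:]) == cwe]
            result[cwe] = hits[-1] if hits else None  # last entry wins if repeated
        else:
            hits = [b for n, b in pairs if cwe in STANDARD_CWES[n]]
            result[cwe] = max(hits) if hits else IGNORE
    return result
```

Running the two policy strings from the article through effective_behavior shows CWE-89 resolving to 2 because PCI DSS v4.0 outranks the OWASP Top 10 entry, while CWE-501 drops to ignore in standard mode and stays at its default in CWE mode.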

Scan with a custom set of vectors

Vectors are data that Lucent Sky AVM considers to be in a different trust sphere than the one the application operates in, such as user input of a web form or the content of an external file. Lucent Sky AVM has a set of vectors enabled by default, but each organization and each application might have its own definition of what data should be considered untrusted. For example, if the database of an application is considered within the same trust sphere as the application itself, the database vector can be disabled when scanning the application to reduce false positives.

The following vectors are available:

  • Client - user input through client-side logic, such as JavaScript, that does not interact with server-side logic.
  • Database - data from a database or a data source commonly classified as a database, such as XML files.
  • Dependency - dependencies used by the application, such as packages from public package repositories and other common open source libraries.
  • Exception - information of an exception message or stack trace.
  • File System - file name, metadata, or content from a file on the local file system or a network share.
  • MVC Entry Point - user input through an MVC controller or an MVVM view model.
  • None - data without a vector, such as a hard-coded password in the source code.
  • Public Method - the parameters of a public method. Parameters of public methods are not directly externally influenced in most circumstances.
  • Private Method - the parameters of a private or protected method. Parameters of private and protected methods are not directly externally influenced in most circumstances.
  • Untrusted - data from a source marked as untrusted in a custom rule. This vector is reserved for use by custom rule packages.
  • User Input - user input from a non-web source, such as command line arguments or text inputs on a GUI.
  • Web Request - content of a web request.
  • Web Service - data from an external web service.

Vectors in italic are disabled by default.

Scan with scan arguments

Scan arguments provide precise control over the scan process and are powerful tools to fine-tune how an application is built, analyzed, and remediated. Because they are powerful, misusing scan arguments can cause serious problems. Use a scan argument only when it is suggested as the solution to a scan error or when Lucent Sky support advises you to use one.

Scan arguments are name-value pairs separated by semicolons, for example FirstArgument,foo;SecondArgument,bar. The names of scan arguments are not case-sensitive, but their values might be.