Vaadin 8 documentation. Vaadin 8 reached End of Life on February 21, 2022.

Advanced Topics

This page highlights some advanced topics related to AppSec Kit.

AppSec Kit Configuration

This section describes the configuration options and their default values. The AppSec Kit provides the AppSecConfiguration class. An instance of this class is passed to the AppSecService to configure it, like so:

import java.time.Duration;
import com.vaadin.appsec.backend.AppSecConfiguration;
import com.vaadin.appsec.backend.AppSecService;

AppSecConfiguration configuration = new AppSecConfiguration();
// Scan every two days instead of the default interval of one day
configuration.setAutoScanInterval(Duration.ofDays(2));

// Register the configuration with the singleton service
AppSecService.getInstance().setConfiguration(configuration);

You can set or override the following configuration values in the AppSecConfiguration:

  • dataFilePath is the path of the data file for storing information about the vulnerabilities;

  • bomFilePath is the path of the SBOM (Software Bill Of Materials) file used as a source of dependencies;

  • taskExecutor is the executor used to run asynchronous tasks during the vulnerability scanning;

  • autoScanInterval is the duration of the interval between automatic scanning for vulnerabilities; and

  • osvApiRatePerSecond is the rate per second for the OSV (Open Source Vulnerability) API calls.

Data File Path

In the Vulnerability Details View, you can add an analysis of the vulnerability. When this analysis is saved with the vulnerability information, it’s stored in a data file in JSON format. Its default path is the application’s root; the file name is appsec-data.json. The path can be configured by the vaadin.appsec.data system property.

SBOM File Path

An application’s Maven dependencies shown in the Dependencies View are populated from this file. The file should contain the dependencies in the CycloneDX JSON schema format. Its default location is the /resources directory; the file name is bom.json. The path can be configured by the vaadin.appsec.bom system property.

Task Executor

You can set a custom executor for the background and scheduled jobs run by the AppSec Kit. For example, scheduled jobs are run when an automatic or manual vulnerability scan happens. The default task executor is a single-thread executor.

Auto Scan Interval

You can configure the duration of the interval between automatic scanning for vulnerabilities. The default interval is 1 day.

OSV Rate Per Second

You can configure the rate per second value for the OSV (Open Source Vulnerability) API calls. The default value is 25.
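The following is an added example, not code from the AppSec Kit documentation or the kit itself, that sets every option listed above in one place: a data file kept in a dedicated directory, an explicit SBOM path, a named single-thread scheduled executor, a shorter scan interval, and a lower OSV rate. Only setAutoScanInterval appears on this page; the other setters (setDataFilePath, setBomFilePath, setTaskExecutor, setOsvApiRatePerSecond), their parameter types, the com.vaadin.appsec.backend package and the file paths are assumptions for the sake of the example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.time.Duration;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.atomic.AtomicInteger;

import com.vaadin.appsec.backend.AppSecConfiguration;
import com.vaadin.appsec.backend.AppSecService;

/**
 * Builds and applies an AppSecConfiguration covering all five options
 * described on this page. Setter names other than setAutoScanInterval and
 * the java.nio.file.Path parameter type are assumed from the property names.
 */
public final class AppSecKitSetup {

    // Constructed example paths; the kit's defaults are appsec-data.json in
    // the application root and /resources/bom.json.
    private static final Path DATA_DIR = Paths.get("/var/lib/myapp/appsec");
    private static final Path BOM_FILE = Paths.get("/opt/myapp/sbom/bom.json");

    private AppSecKitSetup() {
    }

    /** Creates the configuration without touching the service yet. */
    public static AppSecConfiguration buildConfiguration() {
        AppSecConfiguration configuration = new AppSecConfiguration();

        // Keep the analysis data file outside the deployed webapp so it
        // survives redeployments and is not part of the served content.
        configuration.setDataFilePath(DATA_DIR.resolve("appsec-data.json"));

        // Point the kit at the CycloneDX SBOM produced by the build.
        configuration.setBomFilePath(BOM_FILE);

        // One daemon thread with a recognisable name: scans stay serialized
        // (as with the default single-thread executor), the thread shows up
        // clearly in thread dumps, and it never keeps the JVM alive on exit.
        AtomicInteger counter = new AtomicInteger();
        ScheduledExecutorService executor = Executors.newSingleThreadScheduledExecutor(runnable -> {
            Thread thread = new Thread(runnable, "appsec-kit-" + counter.incrementAndGet());
            thread.setDaemon(true);
            return thread;
        });
        configuration.setTaskExecutor(executor);

        // Scan twice a day instead of the default once per day.
        configuration.setAutoScanInterval(Duration.ofHours(12));

        // Stay well under the default of 25 OSV API calls per second.
        configuration.setOsvApiRatePerSecond(10);

        return configuration;
    }

    /** Registers the configuration with the singleton AppSecService. */
    public static void apply() {
        AppSecService.getInstance().setConfiguration(buildConfiguration());
    }
}
```

Call AppSecKitSetup.apply() once during application startup, before the first automatic scan is scheduled, so that every scan already uses the custom executor, interval and rate. Because the executor threads are daemon threads, no explicit shutdown is needed for the JVM to exit, but a scan in progress at shutdown is abandoned.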