Advanced Topics
This page highlights some advanced topics related to AppSec Kit. For more basic information, see the Getting Started with AppSec page.
AppSec Kit Configuration
This section describes the configuration options and their default values. The AppSec Kit has the AppSecConfiguration
class. An instance of this class can be set to configure the AppSecService
like so:
AppSecConfiguration configuration = new AppSecConfiguration();
configuration.setAutoScanInterval(Duration.ofDays(2));
AppSecService.getInstance().setConfiguration(appSecConfiguration);
You can set or override the following configuration values in the AppSecConfiguration
:
appSecRoute
-
The route of the AppSec Kit user interface.
dataFilePath
-
The path of the data file for storing information about the vulnerabilities.
bomFilePath
-
The path of the SBOM (Software Bill Of Materials) file used as a source of Maven dependencies.
bomNpmFilePath
-
The path of the SBOM (Software Bill Of Materials) file used as a source of npm dependencies.
taskExecutor
-
The executor used to run asynchronous tasks during the vulnerability scanning.
autoScanInterval
-
The duration of the interval between automatic scanning for vulnerabilities.
osvApiRatePerSecond
-
The rate per second for the OSV (Open Source Vulnerability) API calls.
includeNpmDevDependencies
-
The boolean value to decide if the npm development dependencies should be included during vulnerability scanning.
automaticallyActivatePush
-
The boolean value to decide if the server push should be automatically activated in the application.
AppSec Kit Route
You can configure the route of the AppSec Kit user interface. The default value is vaadin-appsec-kit
.
Path of Data File
In the Vulnerability Details View
, you can add analysis of the vulnerability. When this analysis is saved with the vulnerability information, it’s stored in a data file in JSON format. Its default path is the application’s root and the file name is appsec-data.json
. The path can also be configured with the vaadin.appsec.data
system property.
Path of Maven SBOM File
Your application’s Maven dependencies in the Dependencies View are populated from the Maven SBOM file. It should contain the dependencies in CycloneDX JSON schema format. Its default path is /resources
; the file name is bom.json
. The path can also be configured with the vaadin.appsec.bom
system property.
Path of npm SBOM File
Your application’s npm dependencies in the Dependencies View are populated from the npm SBOM file. It should contain the dependencies in CycloneDX JSON schema format. Its default path is /resources
; the file name is bom-npm.json
. The path can also be configured with the vaadin.appsec.bom-npm
system property.
Task Executor
You can set a custom executor for the background and scheduled jobs run by the AppSec Kit. For example, scheduled jobs are run when an automatic or manual vulnerability scan happens. The default task executor is a single-thread executor.
Auto Scan Interval
You can configure the duration of the interval between automatic scanning for vulnerabilities. The default interval is 1 day.
OSV Rate per Second
You can configure the rate per second value for the OSV API (Open Source Vulnerability) calls. The default value is 25.
npm Development Dependencies
If applicable, you can configure if the npm development dependencies should be included during vulnerability scanning. The default value is true
.
Automatically Activate Push
You can configure whether the server push should be automatically activated if needed. When enabled, which is the default, AppSec Kit automatically activates PushMode#AUTOMATIC
if neither push nor polling is active for a UI where AppSec Kit is used. When disabled, no automatic changes are made to the application’s push configuration.