Advanced Topics
This page highlights some advanced topics related to AppSec Kit. For more basic information, see the Getting Started with AppSec page.
AppSec Kit Configuration
This section describes the configuration options and their default values. The AppSec Kit has the AppSecConfiguration class. An instance of this class can be set to configure the AppSecService like so:
Source code
Java
AppSecConfiguration configuration = new AppSecConfiguration();
configuration.setAutoScanInterval(Duration.ofDays(2));
AppSecService.getInstance().setConfiguration(appSecConfiguration);You can set or override the following configuration values in the AppSecConfiguration:
vaadinPlatformVersion-
The Vaadin platform version that the application is using.
appSecRoute-
The route of the AppSec Kit user interface.
dataFilePath-
The path of the data file for storing information about vulnerabilities.
bomFilePath-
The path of the SBOM (Software Bill Of Materials) file used as a source of Maven dependencies.
bomNpmFilePath-
The path of the SBOM file used as a source of npm dependencies.
taskExecutor-
The executor used to run asynchronous tasks during vulnerability scanning.
autoScanInterval-
The duration of the interval between automatic scanning for vulnerabilities.
osvApiRatePerSecond-
The rate per second for the OSV (Open Source Vulnerability) API calls.
includeNpmDevDependencies-
The boolean value to decide if the npm development dependencies should be included during vulnerability scanning.
automaticallyActivatePush-
The boolean value to decide if the server push should be automatically activated in the application.
Vaadin Version
The AppSec Kit requires the Vaadin platform version that is used in the application when getting the Vaadin platform BOM. First, it checks if the vaadin-core dependency is present in the application and uses the version of that dependency as the Vaadin platform version. If the vaadin-core dependency is not present then it gets the version defined in the AppSec Kit configuration through this configuration option. If this configuration option is not defined then an AppSecException is thrown. The version should be defined as a String. The default value is null.
AppSec Kit Route
You can configure the route of the AppSec Kit user interface. The default value is vaadin-appsec-kit.
Data File Path
In the Vulnerability Details View, you can add analysis of the vulnerability. When this analysis is saved with the vulnerability information, it’s stored in a data file in JSON format. Its default path is the application’s root; the file name is appsec-data.json. The path can also be configured with the vaadin.appsec.data system property.
Maven SBOM File Path
An application’s Maven dependencies in the Dependencies View are populated from the Maven SBOM file. The file should contain the dependencies in CycloneDX JSON schema format. Its default path is the /resources; the file name is bom.json. The path can also be configured with the vaadin.appsec.bom system property.
npm SBOM File Path
An application’s npm dependencies in the Dependencies View are populated from the npm SBOM file. The file should contain the dependencies in CycloneDX JSON schema format. Its default path is the /resources; the file name is bom-npm.json. The path can also be configured with the vaadin.appsec.bom-npm system property.
Task Executor
You can set a custom executor for the background, and any scheduled jobs run by the AppSec Kit. For example, scheduled jobs are run when an automatic or manual vulnerability scan happens. The default task executor is a single-thread executor.
Auto Scan Interval
You can configure the duration of the interval between automatic scanning for vulnerabilities. The default interval is 1 day.
OSV Rate per Second
You can configure the rate per second for the OSV API (Open Source Vulnerability) calls. The default value is 25.
npm Development Dependencies
If applicable, you can set whether the npm development dependencies should be included during vulnerability scanning. The default value is true.
Automatically Activate Push
You can set whether the server push should be automatically activated if needed. When enabled, which is the default, AppSec Kit automatically activates PushMode#AUTOMATIC if neither push nor polling is active for a UI where AppSec Kit is used. When disabled, no automatic changes are made to the application’s push configuration.