When you click Start a DynamicDS Scan, the DynamicDS Scan Configuration page opens for you to provide the parameters of the DynamicDS scan. To access this configuration page at any other time, click Scan Configuration in the In Progress section of the left navigation menu. If you have scanned an application before, Veracode automatically populates its parameters from the previous scan. Provide input for all the required fields, denoted by a red asterisk (*), and for any other relevant fields.
- Scan Name
- The scan name is automatically entitled with the current date. You can change it to a name of your choosing.
- Scan Mode
- The appropriate scan mode depends on the type of application. Advanced mode, previously called single-page application mode, provides improved coverage of scans of single-page applications (such as ones that use Angular 1.x, jQuery, Backbone, or HTML5), and produces quicker results on large, content-heavy websites (such as corporate websites, blogs, and eCommerce applications).
- Some advanced options for configuring coverage are not available with advanced mode.
- To use advanced mode with forms-based
authentication, you must provide login and logout scripts, which enable
Veracode to stay logged in throughout the scan. Note: You cannot enable Vulnerability rescans the first time you perform a scan after changing the scan mode. You can enable them when configuring any subsequent scans.
- Enter a starting URL for your scan, including any custom ports. Select the
checkbox if you want to include both the http:// and https:// address in the scan.
The scan starts at this page and then searches the entire web site. Choose a URL
that enables the scan to crawl all the pages on the site. Keep in mind:
- You must precede URLs by: http:// or https://.
- You must enter a final slash (/) after directory names.
- Acceptable formats are: full hostname (http://www. example.com/) or hostname and directory (http://example.com/dir/).
- Do not use wildcards in the target URL.
- You are allowed to use wildcards in the Allowed Hosts and Exclude URLs fields to include or exclude multiple pages or portions of a site all at once. For example, http://*.example.com includes all subdomains such as http://a.example.com, but does not include http://a.b.example.com.
- Directory Restrictions
- This field allows you to control the scope of the scan. From the dropdown menu,
select one of the following options:
- Directory and Subdirectories - This default setting restricts the scan to the links in the URL directory and subdirectories. For example, if you request http://app.foo.com/bar/, the scan will not crawl links on www.foo.com or under the path http://app.foo.com/baz/.
- No Restrictions - This option means the scan crawls all the links in every directory under the target URL.
- Directory Only - This option restricts the scan to only the links in the URL directory. For example, if you request http://www.foo.com/bar/, Veracode scans all links in that directory but not in its subdirectory http://www.foo.com/bar/baz/.
Dynamic Scan Options
- Allowed Hosts
- Veracode prepopulates the first host in this section based on the target URL and directory restrictions you entered above. As an option, you can enter additional hosts if you want the DynamicDS scan to scan links on other hosts of the target URL. For example, if you request a scan hosted at http://www.example.com, you may want to also scan the secure site at https://www.example.com. If your web application spans multiple hosts (for example, https://www.example.com, https://www1.example.com, and https://www2.example.com), specify all hosts to ensure that Veracode is able to crawl and attack the entire application. Select the checkbox if you want to include both the http:// and https:// address in the scan. If you want to restrict the scan of an allowed host to either the directory only or to the directory and its subdirectories, select the appropriate option from the dropdown menu below the host name field. Click Add Another to provide additional allowed hosts.
- Exclude URLs
- If you want to exclude any portions of your application from the scan, select Exclude the following URLs and enter the full URL to exclude. Select the checkbox if you want to exclude both the http:// and https:// address from the scan. Click Add Another to provide additional URLs to exclude. You might want to exclude certain directories, web services, or specific pages.
Optional Application Information
Select a lifecycle stage from the dropdown menu to indicate at which part of the development cycle the application is in, and provide the launch or release date.
Provide a valid IT contact in case Veracode encounters accessibility issues the scan.
If you want to scan for just the Shellshock vulnerability, select the Shellshock Scan
checkbox. Provide any special instructions for Veracode in this field. Use this field to
directly inform Veracode scan engineers if there is something you want Veracode to do or
to know before starting the scan, without having to contact Veracode Support to convey
this information. Please note that the scan is delayed until Veracode can acknowledge
and review these instructions.
Once you have entered the basic configuration, click Save and Continue.