Docs

Documentation versions (currently viewingVaadin 24)

Advanced Topics

Highlights advanced topics related to AppSec Kit.

This page highlights some advanced topics related to AppSec Kit. For more basic information, see the Getting Started with AppSec page.

AppSec Kit Configuration

This section describes the configuration options and their default values. The AppSec Kit has the AppSecConfiguration class. An instance of this class can be set to configure the AppSecService like so:

AppSecConfiguration configuration = new AppSecConfiguration();
configuration.setAutoScanInterval(Duration.ofDays(2));

AppSecService.getInstance().setConfiguration(appSecConfiguration);

You can set or override the following configuration values in the AppSecConfiguration:

appSecRoute

The route of the AppSec Kit user interface.

dataFilePath

The path of the data file for storing information about vulnerabilities.

bomFilePath

The path of the SBOM (Software Bill Of Materials) file used as a source of Maven dependencies.

bomNpmFilePath

The path of the SBOM file used as a source of npm dependencies.

taskExecutor

The executor used to run asynchronous tasks during vulnerability scanning.

autoScanInterval

The duration of the interval between automatic scanning for vulnerabilities.

osvApiRatePerSecond

The rate per second for the OSV (Open Source Vulnerability) API calls.

includeNpmDevDependencies

The boolean value to decide if the npm development dependencies should be included during vulnerability scanning.

automaticallyActivatePush

The boolean value to decide if the server push should be automatically activated in the application.

AppSec Kit Route

You can configure the route of the AppSec Kit user interface. The default value is vaadin-appsec-kit.

Data File Path

In the Vulnerability Details View, you can add analysis of the vulnerability. When this analysis is saved with the vulnerability information, it’s stored in a data file in JSON format. Its default path is the application’s root; the file name is appsec-data.json. The path can also be configured with the vaadin.appsec.data system property.

Maven SBOM File Path

An application’s Maven dependencies in the Dependencies View are populated from the Maven SBOM file. The file should contain the dependencies in CycloneDX JSON schema format. Its default path is the /resources; the file name is bom.json. The path can also be configured with the vaadin.appsec.bom system property.

npm SBOM File Path

An application’s npm dependencies in the Dependencies View are populated from the npm SBOM file. The file should contain the dependencies in CycloneDX JSON schema format. Its default path is the /resources; the file name is bom-npm.json. The path can also be configured with the vaadin.appsec.bom-npm system property.

Task Executor

You can set a custom executor for the background, and any scheduled jobs run by the AppSec Kit. For example, scheduled jobs are run when an automatic or manual vulnerability scan happens. The default task executor is a single-thread executor.

Auto Scan Interval

You can configure the duration of the interval between automatic scanning for vulnerabilities. The default interval is 1 day.

OSV Rate per Second

You can configure the rate per second for the OSV API (Open Source Vulnerability) calls. The default value is 25.

npm Development Dependencies

If applicable, you can set whether the npm development dependencies should be included during vulnerability scanning. The default value is true.

Automatically Activate Push

You can set whether the server push should be automatically activated if needed. When enabled, which is the default, AppSec Kit automatically activates PushMode#AUTOMATIC if neither push nor polling is active for a UI where AppSec Kit is used. When disabled, no automatic changes are made to the application’s push configuration.