5. User's Guide
5.1 Launching AppVet
To launch AppVet for operational use, start the Tomcat service using
Windows Services. During AppVet development, however, it is recommended
to launch AppVet from within Eclipse. To launch AppVet from Eclipse's
Servers panel, select the Start the server button on the Servers panel.
As AppVet starts up, you will see output generated in the Eclipse
console. Note that only one instance of Tomcat can be running at a time.
If Tomcat is running as a Windows Service, it will not run in Eclipse
(and vice versa).
After Tomcat is started, open a browser to the AppVet URL
is the hostname or IP address and port number of your server. The AppVet
login screen should be visible as shown in Figure 5-1.
Figure 5-1. AppVet logon screen.
5.2 App Management Interface
After logging into AppVet, the AppVet app management interface is
displayed as shown in Figure 5-2.
Figure 5-2. AppVet App Management Interface.
The AppVet app management interface comprises two main panels: an apps
list panel on the left and an app information panel on the right. The
apps list panel displays apps that have been uploaded to the system,
while the app information panel displays information about the selected
app. The apps list panel displays general information about uploaded
apps including their AppVet-generated app ID, app name, current status
and risk assessment, user (app owner), and the date/time when the app
was uploaded to the system. The app info panel contains information
about a selected app:
- App name and icon
- Version number
- Registration and app pre-processing statuses
- Tool service reports
- Tool service status and risk assessments
5.2.1 Operation Buttons
The apps list panel contains operation buttons used to manage apps and
their related reports. Table 5-1 describes the functions of AppVet
Table 5-1. Operation buttons.
||View all apps.
||Upload app file.
||Download report files.
||Override a report for the selected app.
||Delete the selected app.
||View app processing log for the selected app.
AppVet provides three menus:
menu is displayed as the user's first name and first letter
of the last name in the top left corner as shown in Figure 5-3.
Figure 5-3. User settings.
menu allows users to edit their account information (via
Account Settings), view apps that they have uploaded (via My Apps), or
log out (via Logout).
menu provides help-related information including a link to
the AppVet website.
For AppVet administrators, the
menu provides access to the AppVet system log and user
In the app information panel, each tool service is associated with a
processing status or risk assessment as shown in Figure 5-4.
Figure 5-4. Tool statuses.
A tool service status indicates the current processing status
of, or the risk assessment generated by, a tool service. In general, the
risk assessment generated by a tool service should conform to a
standardized risk scoring system, such as the Common Vulnerability
Scoring System (CVSS). AppVet requires that these assessments be mapped
to one of three risk categories:
. Table 5-2 describes these risk assessment categories and AppVet tool
Table 5-2. Tool status and risk assessments.
||No status information is available for the tool service.
||App is waiting to be submitted to the tool service.
||App has been submitted to the tool service.
||The tool service is analyzing the app.
||The tool service could not analyze the app.
||The tool service designates the app as low-risk.
||The tool service designates the app as moderate-risk.
||The tool service designates the app as high-risk.
Note that a risk assessment is only displayed after the tool
has successfully completed processing. Further note that risk
assessments generated by a tool service can be later overridden if
needed. This feature is used to mitigate false positive analysis
5.2.4 App Status
In the apps list panel, each app is associated with a status or risk
assessment as shown in Figure 5-5.
Figure 5-5. App status.
An app status indicates the current status or risk assessment
of an app which, in turn, is based on the statuses and risk assessments
of the tool services. Table 5-3 describes the AppVet app statuses and
Table 5-3. App status and risk assessments.
||App is being registered by AppVet.
||App is waiting to be analyzed.
||App is being analyzed by one or more tool services.
||One or more tools could not analyze the app.
||All tool services designate the app as low-risk.
||At least one tool service designates the app as moderate-risk, but no tool service designates the app as high-risk.
||At least one tool service designates the app as high-risk.
Note that the decision to approve or reject an app is dependent upon the
policies and security requirements of the organization that owns and
operates the instance of AppVet. In addition, overall risk assessments
generated by AppVet are based solely on the risk assessments provided by
the tools used.
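
The roll-up that Table 5-3 describes, together with the mapping of CVSS scores to three risk categories required of tool services, as an added Python example (not AppVet's own code). The status labels, the CVSS cut-offs, and the rule that an unfinished or failed tool outranks any risk category are assumptions; the page does not state them.

```python
# Added example, not AppVet code. Status labels, CVSS cut-offs and the
# precedence of unfinished/failed tools over risk categories are assumptions.
from enum import Enum

class Status(Enum):
    NA = "n/a"                # no status information available
    PENDING = "pending"       # waiting to be submitted to the tool
    SUBMITTED = "submitted"   # submitted to the tool
    PROCESSING = "processing" # tool is analyzing the app
    ERROR = "error"           # tool could not analyze the app
    LOW = "low"
    MODERATE = "moderate"
    HIGH = "high"

RISK_ORDER = [Status.LOW, Status.MODERATE, Status.HIGH]
NOT_STARTED = {Status.NA, Status.PENDING}
IN_FLIGHT = {Status.SUBMITTED, Status.PROCESSING}

def cvss_to_category(score):
    """Map a CVSS base score (0.0-10.0) to one of the three risk categories."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 7.0:
        return Status.HIGH      # CVSS v3 High and Critical
    if score >= 4.0:
        return Status.MODERATE  # CVSS v3 Medium
    return Status.LOW           # CVSS v3 None and Low

def app_status(tool_statuses):
    """Roll tool service statuses up into one app status (Table 5-3)."""
    statuses = set(tool_statuses.values())
    if not statuses or statuses <= NOT_STARTED:
        return Status.PENDING       # app is waiting to be analyzed
    if statuses & (IN_FLIGHT | NOT_STARTED):
        return Status.PROCESSING    # at least one tool has not finished
    if Status.ERROR in statuses:
        return Status.ERROR         # one or more tools could not analyze it
    # Every tool finished with a risk category: the worst one wins.
    return max(statuses, key=RISK_ORDER.index)

# Constructed sample: tool names and scores are made up for illustration.
SAMPLE = {"tool_a": cvss_to_category(2.1), "tool_b": cvss_to_category(5.3)}
```

Putting the error check ahead of the risk categories keeps a failed tool from being hidden behind a low-risk result from the tools that did finish.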