
5. User's Guide


5.1 Launching AppVet

To launch AppVet for operational use, start the Tomcat service using Windows Services. During AppVet development, however, it is recommended to launch AppVet from within Eclipse. To launch AppVet from Eclipse's Servers panel, select the Start the server button on the Servers panel. As AppVet starts up, you will see output generated in the Eclipse console. Note that only one instance of Tomcat can be running at a time: if Tomcat is running as a Windows Service, it will not run in Eclipse (and vice versa).

After Tomcat is started, open a browser to the AppVet URL https://<host>:<port>/appvet, where <host> and <port> are the hostname or IP address and the port number of your server. The AppVet login screen should be visible as shown in Figure 5-1.


Figure 5-1. AppVet logon screen.



5.2 App Management Interface

After logging into AppVet, the AppVet app management interface is displayed as shown in Figure 5-2.


Figure 5-2. AppVet App Management Interface.



The AppVet app management interface comprises two main panels: an apps list panel on the left and an app information panel on the right. The apps list panel displays apps that have been uploaded to the system, while the app information panel displays information about the selected app. The apps list panel displays general information about uploaded apps, including their AppVet-generated app ID, app name, current status and risk assessment, user (app owner), and the date/time when the app was uploaded to the system. The app information panel contains information about a selected app, including:

  • App name and icon
  • Version number
  • Registration and app pre-processing statuses
  • Tool service reports
  • Tool service status and risk assessments

5.2.1 Operation Buttons

The apps list panel contains operation buttons used to manage apps and their related reports. Table 5-1 describes the functions of AppVet operation buttons.


Table 5-1. Operation buttons.

Name             Description
View All         View all apps.
Upload           Upload an app file.
Download         Download report files.
Override report  Override a report for the selected app.
Delete App       Delete the selected app.
View Log         View the app processing log for the selected app.



5.2.2 Menus

AppVet provides three menus: User, Help, and Admin. The User menu is displayed as the user's first name and first letter of the last name in the top left corner as shown in Figure 5-3.


Figure 5-3. User settings.



The User menu allows users to edit their account information (via Account Settings), view apps that they have uploaded (via My Apps), or log out (via Logout).

The Help menu provides help-related information including a link to the AppVet website.

For AppVet administrators, the Admin menu provides access to the AppVet system log and user management functions.

5.2.3 Tool Status

In the app information panel, each tool service is associated with a processing status or risk assessment as shown in Figure 5-4.


Figure 5-4. Tool statuses.



A tool service status indicates the current processing status of, or the risk assessment generated by, a tool service. In general, the risk assessment generated by a tool service should conform to a standardized risk scoring system, such as the Common Vulnerability Scoring System (CVSS). AppVet requires that these assessments be mapped to one of three risk categories: PASS, WARNING, or FAIL. Table 5-2 describes these risk assessment categories and AppVet tool service statuses.


Table 5-2. Tool status and risk assessments.

Type               Tool Status  Description
Processing Status  N/A          No status information is available for the tool service.
                   PENDING      App is waiting to be submitted to the tool service.
                   SUBMITTED    App has been submitted to the tool service.
                   PROCESSING   The tool service is analyzing the app.
                   ERROR        The tool service could not analyze the app.
Risk Assessment    PASS         The tool service designates the app as low-risk.
                   WARNING      The tool service designates the app as moderate-risk.
                   FAIL         The tool service designates the app as high-risk.



Note that a risk assessment is only displayed after the tool has successfully completed processing. Further note that risk assessments generated by a tool service can be later overridden if needed. This feature is used to mitigate false positive analysis results.

5.2.4 App Status

In the apps list panel, each app is associated with a status or risk assessment as shown in Figure 5-5.


Figure 5-5. App status.



An app status indicates the current status or risk assessment of an app, which in turn is based on the statuses and risk assessments of the tool services. Table 5-3 describes the AppVet app statuses and risk assessments.


Table 5-3. App status and risk assessments.

Type               App Status   Description
Processing Status  REGISTERING  App is being registered by AppVet.
                   PENDING      App is waiting to be analyzed.
                   PROCESSING   App is being analyzed by one or more tool services.
                   ERROR        One or more tools could not analyze the app.
Risk Assessment    PASS         All tool services designate the app as low-risk.
                   WARNING      At least one tool service designates the app as moderate-risk, but no tool service designates the app as high-risk.
                   FAIL         At least one tool service designates the app as high-risk.



Note that the decision to approve or reject an app is dependent upon the policies and security requirements of the organization that owns and operates the instance of AppVet. In addition, overall risk assessments generated by AppVet are based solely on the risk assessments provided by the tools used.
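As an added example (not AppVet's own code), the following Python derives an app's status from its tool statuses in the way Tables 5-2 and 5-3 describe, applies an analyst override before aggregating, and maps a CVSS base score onto the three risk categories. The CVSS thresholds, the handling of an app with no tool entries, and the precedence among processing states are assumptions; the guide does not specify them.

```python
# Added example, not AppVet's own code: derive an app's status from its tool
# statuses per Tables 5-2 and 5-3. Thresholds and precedence are assumptions.
from typing import Dict, Optional

WAITING = {"N/A", "PENDING"}             # tool has not started on the app
IN_PROGRESS = {"SUBMITTED", "PROCESSING"}
RISK_LEVELS = {"PASS": 0, "WARNING": 1, "FAIL": 2}
ALL_STATES = WAITING | IN_PROGRESS | {"ERROR"} | set(RISK_LEVELS)


def cvss_to_category(score: float) -> str:
    """Map a CVSS base score to PASS, WARNING or FAIL.
    Thresholds are assumed for illustration: below 4.0 PASS, below 7.0
    WARNING, otherwise FAIL. Scores outside 0.0-10.0 are rejected.
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score < 4.0:
        return "PASS"
    return "WARNING" if score < 7.0 else "FAIL"


def app_status(tool_statuses: Dict[str, str],
               overrides: Optional[Dict[str, str]] = None) -> str:
    """Aggregate per-tool statuses into the app status of Table 5-3.

    `overrides` maps a tool name to an analyst's replacement risk category
    (the guide's mechanism for clearing false positives); it is honoured
    only for a tool that has finished and produced an assessment.
    """
    overrides = overrides or {}
    if not tool_statuses:              # assumed: no tools assigned yet
        return "REGISTERING"
    effective = []
    for tool, status in tool_statuses.items():
        if status not in ALL_STATES:
            raise ValueError(f"unknown tool status {status!r} for {tool}")
        if status in RISK_LEVELS and tool in overrides:
            status = overrides[tool]
            if status not in RISK_LEVELS:
                raise ValueError(f"override for {tool} is not a risk category")
        effective.append(status)
    # Assumed precedence: running analysis, then unstarted tools, then tool
    # errors; a risk verdict is given only once every tool has finished.
    if any(s in IN_PROGRESS for s in effective):
        return "PROCESSING"
    if any(s in WAITING for s in effective):
        return "PENDING"
    if "ERROR" in effective:
        return "ERROR"
    return max(effective, key=RISK_LEVELS.__getitem__)  # FAIL > WARNING > PASS
```

Because the aggregation returns the worst category among finished tools, a single FAIL from one tool marks the whole app FAIL, which is why the override step runs before aggregation.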