What's new in HCL AppScan 360°
Explore new features that have been added to HCL AppScan 360°, and note any features and capabilities that have been deprecated in this release.
New in HCL AppScan 360° version 1.3.0
June 2024
- HCL AppScan 360° significantly increases security coverage with the addition of dynamic analysis (DAST) scanning. See Dynamic Analysis (DAST).
Our market-leading DAST technology enables organizations to scan running applications and APIs for vulnerabilities before they are deployed to the web. Incremental scanning and test optimization allow companies to balance the speed and depth of scans based on the needs of the development lifecycle.
- AppScan Central Platform updates:
- A date filter has been added to the Fix groups page. View fix groups according to a date range and/or according to time-related properties associated with component issues.
- A share option has been added to the Issue details pane. Copy a link or issue ID to share issue details quickly and efficiently via text or email.
- User experience (UX) improvements:
- The Settings page has been redesigned with improved organization, and now requires confirmation of changes to page settings.
- The following AppScan plugins support AppScan 360° version 1.3:
- Azure: DAST, SAST
- Jenkins: DAST, SAST
- Visual Studio 2022: SAST
New in HCL AppScan 360° version 1.2.0
April 2024
- AppScan 360° has a new, simplified installation process. Installation of AppScan Central Platform includes installation of the static analysis agent in a single procedure. AppScan Remediation Advisories are installed separately so that you always have the most up-to-date cause, risk, and remediation content.
- Default issues view: By default, AppScan 360° displays non-compliant issues only at the application level.
- Fix groups filtering: AppScan 360° supports filtering fix groups by vulnerability and policy, in addition to existing filters. With additional filtering capabilities, you can pinpoint issues and optimize fixes for faster remediation.
- Issue properties tab: New Properties tab on the Issue details pane lists expanded issue details, including how and when the issue was found, type, status, severity, scanner, and location, and including issue ID.
- Auto-close of issues: AppScan 360° auto-closes issues when they do not appear in rescans, thus reducing the manual effort of closing issues.
- 2k scan limit: When auto-cleanup is not enabled at the organization level, AppScan 360° enforces the 2,000 (2k) scan limit.
- User experience (UX) improvements:
- Asset groups: The new delete asset group flow simplifies the process of deleting an asset group. Users with the delete asset group permission (default roles like Administrator and Manager, as well as custom roles) can delete an asset group along with its associated applications, including scans and findings, facilitating the removal of unnecessary applications. Users can also opt to move the applications to another asset group, either with or without their members.
- Fix groups: Comments field added to security report for fix groups, allowing for better inclusion and tracking of notes and comments.
- AppScan 360° Static Analysis scanning updates:
- Major enhancements to Intelligent Findings Analytics (IFA) for Java, our AI/ML auto-triage technology, include more precise findings and reduced false positives. Users may notice additional findings in previously scanned code due to improved analysis and prioritization.
- Automatic discovery of Git repositories. File paths for new issues are relative to the repository root.
- Increased coverage for RPG language.
- AppScan Go! updated to version 2.0.0: AppScan Go! steps you through configuring and running a static or secrets scan with a refreshed and improved user interface and refined workflow. You can run a complete scan, prepare an IRX file for scanning later, or configure files for automating scans with AppScan plugins. You can also view account information within the tool.
- Static analysis support for .NET 8.
- Improved accuracy for Java, JavaScript and Python languages.
New in HCL AppScan 360° version 1.1.0
December 2023
- Single scan view now includes the option to display Active Issues, in addition to Total Issues and New Issues. Active issues are issues whose status is "New", "Open", "In progress", or "Reopened". In addition, improvements were made to the "Issues by severity" graph.
- Enhanced deployment script:
- Deploy in any Kubernetes environment.
- Accepts the AppScan Central Platform server’s hostname (FQDN) as part of the ‘--server’ option.
- Storage class name (‘--storage-class’) must be provided during the deployment.
- The default AppScan 360° Static Analysis ingress hostname for the ‘--ingress-host’ option is changed from ‘sast.appscan.com’ to ‘sast.example.com’.
- Introduced probes to monitor the health of AppScan 360° Static Analysis components.
- Enhanced Management API to produce additional details of each microservice, version info, and its availability with readiness probes.
- Updated out-of-the-box configuration based on typical resource usage.
- Updated base images.
- Various fixes to improve API integration with AppScan Central Platform, serviceability, and performance.
- Static analysis client updated to 8.0.1546.
- Support for scanning cascading style sheets (CSS files): AppScan 360° identifies security vulnerabilities in cascading style sheets, including cross-site scripting-, injection-, and validation-related vulnerabilities.
- Support for IBM WebSphere Application Server 9.x: The Static Analyzer Command Line Utility can be configured to leverage a WebSphere environment to use the JSP compiler included with WebSphere.
- Improved accuracy for PHP scanning: AppScan 360° improved verification of PHP content in HTML files.
- Support for secrets scanning: Secrets scanning is disabled by default. Use the ‘--enableSecrets’ and ‘--secretsOnly’ options to scan for secrets.
- Improved performance for source code scanners.
- Command line and plugins now allow upload of archive files for scanning without first generating an IRX file.
- General fixes.
- PRB0123164 - Fix groups tab displays file name instead of library name for open source component.
- PRB0123969 - SAST scan shows empty line number when "Line" column is added in Dashboard.
- PRB0123727 - Several CSV issues reported by customers.