Previous updates 2021-2022
Lists features that were added in previous updates to the AppScan on Cloud service between 2021 and 2022.
New on December 21, 2022
- DAST: Released a new version of the HCL AppScan Traffic Recorder (1.2.5035): Updated third party dependencies.
New on December 18, 2022
- New IAST Java agent (version 1.12.10300):
- Support for tracking taint for customers using the com.fasterxml.jackson library for JSON.
- Support for tracking taint for customers using the org.glassfish.jersey framework.
- Internal optimizations.
New on December 13, 2022
- Static analysis client updated to 8.0.1517.
- Software Composition Analysis (SCA) scans can be run against Docker containers and images using the appscan prepare_sca and appscan.sh prepare_sca commands.
- Improved accuracy for .NET, Java, and JavaScript scans.
- General bug fixes.
New on November 28, 2022
- DAST scan scheduling: Added the option to schedule a repeating monthly scan on the same day of the week each month.
New on November 20, 2022
- DAST engine update: Dynamic Analysis engine updated to AppScan Standard version 10.1.0. See AppScan Standard Fix List.
New on November 16, 2022
- General bug fixes.
New on November 13, 2022
- DAST: Upload an AppScan Standard LOGIN file for your DAST scan
- SCA (Software Composition Analysis): Added to SAST in the scan wizard, and SCA Library view added at Application level
New on October 31, 2022
- IAST Java agent (version 1.12.10200):
- Update Apache commons-text from 1.9 to 1.10.0 to mitigate a known CVE (CVE-2022-42889).
- Update Apache httpClient to apache HttpClient5 to mitigate a vulnerability in the old httpClient.
- Support for tracking taint for customers using the org.owasp.encoder.Encode library.
- Improved support for tracking taint for customers using the Gson library, including support for Gson htmlSafe feature.
- SAST:
- Static analysis client updated to 8.0.1514.
- Improved accuracy for Java and Kotlin scanners.
- General bug fixes.
New on October 25, 2022
- IAST .Net agent (version 1.6.0):
- Performance improvements.
- New configuration option to hide passwords, see here.
New on October 3, 2022
- Static analysis client updated to 8.0.1506.
- Automatic discovery of Maven and Gradle projects with AppScan Go! and CLI.
- Improved accuracy for JavaScript, NodeJS, and Kotlin scanners.
- Improved coverage for Java scans.
- General bug fixes.
New on October 2, 2022
- AppScan Presence v1 is no longer supported
As previously announced, for scanning private sites, AppScan Presence v1 is now replaced by AppScan Presence v2, released in March 2022. For private site scanning you now must have v2 Presence installed. See AppScan Presence.
New on September 21, 2022
- Improved support for different screen resolutions
- AppScan Go! auto-update for Windows and Macintosh systems
- Disk space cleanup of temp directory
- Improved error handling
- General bug fixes
New on September 18, 2022
- DAST:
- Now supports TOTP (time-based one time password). See DAST scans.
- Single scan view now includes explore data counters (number of cookies, headers etc. found).
- SAST/SCA:
- SARIF format option added to the Export Issues dialog.
- Single scan view now includes list of languages found, and (if subscription includes SCA) counters for open source libraries and licenses found.
- Community plugins link added on the Plugins and APIs page.
- Organization Settings: Data Center information added to the Main Settings section.
- Single fix group page: Security report added to the issues grid.
New on September 14, 2022
- The HCL AppScan Traffic Recorder now requires a secure (SSL) connection. If you have been using it with an insecure connection you will be prompted to configure a secure one, before you can continue, the next time you use it. See Traffic Recorder connection.
New on September 13, 2022
- IAST:
- Support for tracking data sent over WebSockets.
- Extended support for Spring REST API: Support for REST path variables as sources.
- Support for tracking taint for customers using the Gson library.
- When using Java 9 and higher, a flag (BC_SB) must be set in the java properties to properly track taint. Users are now alerted if this flag is not set.
New on August 16, 2022
- Static analysis client updated to 8.0.1500.
- Reporting of Java packages and .NET namespaces in scan.manifest and when doing a dry-run.
- Source code scanner improvements that may change the number of overall findings.
- Support for additional file extensions for Groovy, JavaScript, PHP, and Ruby.
- APAR fixes.
- General fixes and functionality improvements.
New on August 9, 2022
- DAST engine update: Dynamic Analysis engine updated to AppScan Standard version 10.0.8.28196. See AppScan Standard Fix List.
New on July 26, 2022
- Comprehensive filtering for all lists:
- Applications view: Filter by Risk rating, Asset group, Business impact, Business unit, Testing status, Max severity. Select start and end dates.
- Scans view: Filter by Technology and Status (unchanged).
- All issues view: Filter by Severity, Status, Scan technology, Enables policies, Issue type. Select start and end dates.
- Scan issues view: Filter by Severity, Status, First found, Enabled policies. Select start and end dates.
- DAST and SAST scans:
- New Preferences section in the Scan > Configuration tab shows how Notification email (Send / Don't send) and Scan enablement (Allow / Don't allow) are configured for the scan.
- The updated Rescan dialog lets you change these two settings when rescanning.
- DAST scans: New Extract log icon in scan view lets you open the Execution log in a separate window that can remain open even when you browse away from the scan page.
New on July 19, 2022
- DAST engine update: Dynamic Analysis engine updated to AppScan Standard version 10.0.8. See AppScan Standard Fix List.
Note that while automatic API scanning using an imported Postman Collection file is supported in AppScan Standard 10.0.8, uploading a Postman Collection scan to ASoC is not currently supported.
New on July 5, 2022
- UI:
- You can now change the severity level of an issue, or of multiple issues together (see Edit issue severity).
- New indication for scans that are “Completed” but with less than 100% visited pages and/or 100% tested elements. New “Partial scans” filter to view/hide these scans (see Partial scans).
- Administrators: In role assignment, the “Create scan” and “Rescan” permissions are now separated, so users can be given permission to do one, or the other, or both.
New on June 28, 2022
- IAST Java agent (version 1.11.10100):
- Support for JBoss EAP (Enterprise Application Platform) versions 6 and 7
- Improved report readability:
- Print array/map content
- Dynamic generation of exploit example based on current user input
- Improved XSS algorithm
New on June 13, 2022
- Static analysis client updated to 8.0.1498.
- Java 17 support, including shipping Java 17 in the SAClientUtil package.
- Replaced Tomcat 7 with Tomcat 9 for JSP precompilation.
- Source code scanner improvements may result in changes to the overall number of findings.
- General fixes and functionality improvements.
New on June 12, 2022
- UI:
- Added 'OWASP Open API Top 10 2019' policy
- Added Critical severity to the scan card and to the single scan issues graph
- Reports:
- Added SAST open-source resolution and description columns to CSV reports
- Added Critical severity counters to security reports
New on May 29, 2022
- Plugins and APIs:
- The new HCL AppScan Traffic Recorder (previously called the DAST Proxy) is now available on the ASoC Plugins and APIs page. See HCL AppScan Traffic Recorder.
- Three new JetBrains plugins added: CLion, GoLand and RubyMine.
- Fix groups: Each group now displays the most relevant columns for that group by default in its Issues table.
- General bug fixes.
New on May 15, 2022
- API change: The default value of the FullyAutomatic flag for DAST scans has been changed from false to true. It remains false for SAST scans.
This means that DAST scans started from the API, or from the plugins, will not be sent to the Scan Enablement Team for review (see Scan status: Under review) unless the user specifically sets the parameter to false.
For scans started through the UI, the default setting - “Allow intervention” - remains unchanged.
- IAST Java agent (version 1.10.10101):
- New supported environments: Jetty server, Quarkus (JVM Node), Resteasy framework
- Security updates:
- New vulnerability: Unsafe reflection (CWE 470). Reference: https://cwe.mitre.org/data/definitions/470.html
- New vulnerability: Open redirect (CWE 601). Reference: https://cwe.mitre.org/data/definitions/601.html
- Improved accuracy of injection analysis algorithms (affects CWE 78: OS Command Injection)
- Eliminate potential false positives when a page is not found (affects CWE 352 (CSRF) and CWE 523 (Unprotected transport of credentials))
- Additional information added to issues of CWE 352 (CSRF) and CWE 523 (Unprotected transport of credentials)
New on May 8, 2022
- Auto Issue Correlation added: With this new feature AppScan can analyze issues found by IAST, DAST and SAST, to spot common weak links in the code ("correlations") that identify where multiple vulnerabilities can be resolved with a single remediation effort. Learn more...
- Improved Fix Group design.
- Improved user registration flow.
- General bug fixes.
New on May 5, 2022
- The JetBrains plugin now supports CodeSweep functionality. For information about using the JetBrains plugin, see the JetBrains Marketplace.
- The JetBrains plugin now supports the following additional IDEs:
- CLion
- GoLand
- RubyMine
New on May 2, 2022
- Static analysis client updated to 8.0.1495.
- Improvements to JavaScript, C, and PHP scanning engines to enhance accuracy of findings.
- Bug fixes.
New on April 6, 2022
- IAST:
- Call trace information improved for all vulnerabilities
- Sink URL is now the main issue URL
- API: The maximum number of objects returned from the Get Scans API was reduced from 200 to 100
- General bug fixes
New on April 1, 2022
- Static analysis client updated to 8.0.1491.
- Client-only update.
- Bug fixes.
New on March 25, 2022
- Static analysis client updated to 8.0.1488.
- Support for scanning Terraform.
- Improved Java, JavaScript, and PHP analysis.
- Upgraded to the latest version of Log4j. Important: The Static Analysis Client Utility (SAClientUtil) was not and is not vulnerable to any of the Log4j issues discovered in recent months.
New on March 21, 2022
- DAST engine update: Dynamic Analysis engine updated to AppScan Standard version 10.0.7. See AppScan Standard Fix List.
New on March 13, 2022
- New AppScan Presence for private site scanning: The new Presence (V2) offers improved stability and performance, and a log that lists all authorities (host:port) that the Presence accessed. Learn more...
- Note: The legacy Presence (V1) is still supported, but will not be supported after October 1, 2022.
- Note: The new Presence (V2) does not include the DAST proxy. If you need this, you can download and use the legacy Presence (V1).
- CSV reports: Open-source reports can now be generated as CSV (in addition to HTML and PDF).
New on February 20, 2022
- UI:
- Improved ‘Create scan’ flow for DAST scans
- Added Guided Explore and Scheduler when creating a DAST scan from a file
- Added ability to create open-source license report at application level
- Added ability to add a comment to multiple issues
- Reports:
- CWE/SANS Top 25 report ASREG in ASoC is replaced by CWE Top 25 Most Dangerous Software Weaknesses 2021
- Libraries table added to the Open-Source Report Summary
- API:
- Added ability to add a comment to multiple issues
New on February 15, 2022
- Static analysis client updated to 8.0.1480.
- General fixes and functionality improvements.
Deprecated on February 2, 2022
- API: The LastSuccessfulExecution property is deprecated and will be removed on February 13, 2022. Please use LatestExecution instead. This returns the latest execution even if it failed.
New on January 26, 2022
- Static analysis client updated to 8.0.1473.
- Support for static analysis-only scanning.
- General fixes and functionality improvements.
New on January 25, 2022
- Scan scheduler:
- Select which days of the week a scheduled scan will run
- Add a schedule to an existing scan
- Remove the schedule from a scheduled scan
- The recurrence end date (last date that a scan is scheduled to run) is now shown in the scan entry
- New issues found in a scan execution are now shown in the scan entry and in filtered issues view
- Easily change the user interface language at any time from the page header
- Switch between data centers from the landing page header
New on January 2, 2022
- Improved performance
- Support Java 17
- Support communication with ASE in environment with proxy set through Java properties (https.proxyHost/https.proxyPort or http.proxyHost/http.proxyPort)
- New security features:
- XXE on JaxB class (CWE 661). This potentially vulnerable class is mentioned in this OWASP XXE documentation: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxb-unmarshaller
- JSON XSS informational issue (CWE 79), an XSS variant of vulnerable data written to the response as JSON
New on December 28, 2021
- UI:
- Scan cards redesigned and now include a link to the issues per severity in the scan.
- Rider plugin added to the ‘Plugins & APIs’ page.
- Reports: "OWASP Top 10, 2021" added to reports and policies.
- API:
- Added ability to define the ‘Recurrence End Date’ from the post DAST scan API.
- Added support for viewing issues found for the first time in the application.
- Language property added to new SAST issues.
- General bug fixes.
New on December 17, 2021
- DAST: Added new security rule to test for the Log4j vulnerability.
New on December 15, 2021
- Static analysis client updated to 8.0.1472.
- Support for scanning RPG.
- Support for including and excluding .NET namespaces for scanning.
- Support for specifying Java parallel processing cache location in appscan-config.xml.
- Expanded .NET 5/6 analysis.
- General fixes and functionality improvements.
New on November 23, 2021
- UI:
- Schedule scans: You can now schedule a DAST scan to run later, with or without repetition (Create scan > Schedule step). You can edit a configured schedule (Scan actions menu > Edit schedule). New icons indicate “Scheduled” and “Repeat” status of scans.
- IAST: Added ability to update IAST Agent configuration.
- Automatic log out: Users are now logged out if there is no activity for 30 minutes.
- Business units can now be merged (Admins only: Organization > Settings).
- Single scan view: Columns are now clickable and lead to a filtered list in the issues tab.
- API:
- Support for scan scheduling (with additional settings).
- Support for merging two business units, and ability to add a limit to the number of business units allowed in the organization.
New on November 16, 2021
- DAST engine update: Dynamic Analysis engine updated to AppScan Standard version 10.0.6. See AppScan Standard Fix List.
New on October 24, 2021
- UI:
- Administrators only: New Settings view added (Organization > Settings), to create and manage business units.
- IAST: When deleting an agent, the UI now offers you the option to delete agent configuration only, or the agent configuration and also the issues found by the agent.
- New scan status added: “Initializing” (before scan actually starts).
- API: SAST and IAST issues set as Fixed will not be reopened if found again.
New on October 18, 2021
- Java agent (version 1.9.10100):
- Pause execution when memory consumption (threshold) is too high
- New Config file parameter to specify names of apps to be monitored
- Memory and GC debug flags
- Reduced memory consumption
- New security features:
- Improved CSRF rule (less FP)
- Improved coverage of Insecure Login rule
- Fixed: XSS bug on Spring
- .NET agent (version 1.3.1):
- Pause execution when memory consumption (threshold) is too high
- Filter issues from being reported based on header/cookie name
- Performance improvements
- Issue Information tab for IAST issues:
- New Additional Info section
- Exploit Example included for many more issues
- New security features:
- Path traversal algorithm
- Improved coverage of Insecure Login rule
- Fixed: Bug when issues are sent to ASoC/ASE
- Node.js agent (version 1.2.1):
- Pause execution when memory consumption (threshold) is too high
- Filter issues from being reported based on header/cookie name
- Issue Information tab for IAST issues:
- New Additional Info section
- Exploit Example included for many more issues
- New security features:
- Path traversal algorithm
- Improved coverage of Insecure Login rule
- Fixed: Handle Communication EPIPE error
New on October 12, 2021
- New opening page design.
- Source code-only scanning support.
- Ability to generate appscan-config.xml for open source-only scans.
- Consolidation of targets and excludes in appscan-config.xml files.
- Ability to disable automatic update of AppScan Go! on startup.
- Ability to manually update AppScan Go!.
- Refreshed logic for excluded files and clarified error messages.
- General fixes and improvements.
New on October 10, 2021
- Single scan view: "Manage Execution" options button added
- DAST: When creating a scan, you can now choose whether the scan will be fully automatic or assisted by the scan enablement team if needed
- SAST: Single scan view added, as for DAST scans
- IAST:
- Sessions are now displayed in Scans view
- Scan report can be created
- If you manually stopped an IAST session, you can now restart it from the UI even if the agent is disconnected, and monitoring will begin automatically when the agent is connected. Previously this was possible only through the API.
New on September 30, 2021
New on September 12, 2021
- DAST scans: You can now upload multiple DAST.CONFIG files for a single scan (see Explore with guidance).
New on August 4, 2021
- Static analysis client updated to version 8.0.1448.
- General fixes and functionality improvements.
New on August 2, 2021
- DAST scanning:
- New single scan page:
- Gives you access to detailed data about the scan, with three tabs: Overview, Issues, Configuration, and the scan log pane (see Single scan view).
- Shows real-time status of running scans.
- Scan log can now be viewed while scan runs.
- New indicator for scans that were handled by an enabler from the scan support team to review their configuration.
- Scan wizard additions:
- Choose to explore automatically, or with guidance (see About dynamic analysis (DAST), and Explore with guidance).
- Upload a manual explore or multistep file
- Configure the request-rate limit.
- API:
- Create a scan with multiple files.
- Choose between automatic explore and explore with guidance.
- Added automatic timeout
- The number of issues new to the application is now included in the scan results.
- IAST monitoring, Java agent (version 1.8.10110):
- Now supports uploading a CONFIG file.
- Monitoring will now reflect changes you make to the CONFIG file on your local server.
- Issue Information tab for IAST issues:
- New Additional info section.
- Exploit example included for many more issues.
- Security rule updates:
- path traversal advanced algorithm
- Deserialization - Xtream, xmlDecode
- Reduce FP on escapeHtml
- Fixes and memory improvements for wildfly server.
- Export icon: Lets you export applications, scans, single application scans, fix groups, fix group issues, single scan issues, users, asset groups.
- List of domains is now visible to all users.
New on July 13, 2021
- DAST engine update: Dynamic Analysis engine updated to AppScan Standard version 10.0.5. See AppScan Standard Fix List.
New on June 29, 2021
- Static analysis client updated to version 8.0.1445
- Support for scanning C++ with the source code-only option.
- Support for scanning Objective-C++.
- New get_report command for generating reports from the command line interface (CLI).
New on June 23, 2021
- UI:
- New “Ask an expert” feature added
- Export to CSV/JSON added to applications and issues pages
- Create Scan: Added Timeout and Number of threads configuration
- Fix group ID (“Group ID”) added to issue panel
- IAST: Additional info added to issue panel
- Column configurations and filters are now saved between sessions
- Sample Applications CSV: Description and Tags columns removed
- New plugin: Github
- API:
- Added ability to add comments to ScanExecution
- DAST configuration: Added ability to configure Number of threads and Communication timeout
- General bug fixes
New on May 27, 2021
- IAST scanning:
- Node.js agent (version 1.1.0) now supported in addition to Java and .NET
- .NET agent (version 1.2.2):
- Now supports .NET 4.6.2
- Library updates
- Support setting host and token through environment variables and through Web.config file
- Java agent (version 1.8.10000):
- Performance improvements
- Support 32-bit JRE environments
- Support more Java environments for auto-attach
- New rules to detect spring sanitization (reduce Spring FP)
- Change env var names to IAST_HOST and IAST_ACCESS_TOKEN
- Report attCookieNotSecureSSL instead of SessionManagement.Cookies
- Simplified reports
- Bug fixes
New on May 26, 2021
- Static analysis client updated to version 8.0.1436.
- Support for source-code scanning for VB.NET, which is enabled by the source code-only option.
New on May 23, 2021
- Asset groups: New design, and ability to add a user as contact person for the group
- IAST: JavaScript Agent added
- Reports: DISA report upgraded to version 5, release 1
New on May 11, 2021
- DAST automation updates:
- Various Java libraries updated to newer versions
- Proxy Server now supports TLS connections
- You can now start a Recording Proxy with a range of ports rather than a specific port (the lowest available port in the range will be used)
- You can now set the port for the Proxy Server in Settings.json
- Fixed a bug importing JKS certificates to the Proxy Server
New on April 28, 2021
- Static analysis client updated to version 8.0.1433.
- General fixes and functionality improvements.
- APAR fixes.
- Improvements to Java parallel processing.
New on April 27, 2021
- UI:
- Accept invitation to join an organization from the "Choose an Organization" dialog
- Added Cipher Suite information to issue details
- Reports: Cipher Suite information added
- API:
- Scan ID added to ScanExecution model
- Export data in CSV format
- Invitations to new users are now valid for 30 days.
New on April 12, 2021
- UI: Applications can now be imported using a CSV file.
- Reports:
- IAST: Additional info table added.
- Fix groups table added to the CSV format of the security report.
New on April 7, 2021
- Static analysis client updated to version 8.0.1431.
- New and faster source code-only scanning for C#, ASP.NET, and C.
- Additional functionality for the queue_analysis CLI command for both Windows and Linux. These parameters are optional:
- Enable or disable email notification on analysis completion.
- Run the scan as a personal scan.
- AppScan Go! is now supported on Mac.
New on March 21, 2021
- Improved and updated user interface including the following changes:
- Collapsible menu bar with a new order and several new menu items.
- Navigate between all views with breadcrumbs.
- Applications page: The create application wizard flow has been updated.
- Single application page: A new dashboard gives you a graphic overview of the status of your application with risk rating and compliance status, scan status, issues by severity, most common issue types found, and more.
- Policies:
- Improved Policies page now shows a list of policies, and the applications associated with each policy, rather than the reverse.
- Many new predefined policies are now available to associate with your applications.
- Baseline policy is now set directly from the application page, rather than the Policies page.
- Create scan wizard: Improved flow, and for DAST scans there is now a separate path for creating scans with an uploaded file.
- Email and personal scan preferences are now set on the new Summary page.
- Select which columns to display in tables, adjust width and change column order.
- Share pages with other authorized users by simply sending them the link (ID) to the specific page.
- Issues: Improved content and functionality
- New and updated content for many issues.
- How to fix: Advisory and Fix Recommendation sections have been consolidated into a comprehensive “How to fix” tab.
- For many issues custom “How to fix” content for specific code languages is available.
- Share issues with other authorized users by simply sending them the link (ID) to the specific issue in the application.
- Reports include the new “How to fix” content.
- API: You can now upload your own configuration for IAST monitoring.
New on March 4, 2021
- AppScan Go! version 0.1.7 for Mac is now available, in addition to the Linux and Windows versions.
New on February 22, 2021
- DAST engine update: Dynamic Analysis engine updated to AppScan Standard version 10.0.4. See AppScan Standard Fix List.
New on February 21, 2021
- API: IAST agent can now be downloaded (with or without key) using the API (in addition to the UI).
New on February 3, 2021
- Static analysis client updated to version 8.0.1422.
- General fixes and functionality improvements.
- Improved performance and memory utilization around parallel processing functionality for Java applications.
New on January 31, 2021
- UI: Updated calculation of an application’s “Risk rating":
- New applications are now assigned Business Impact “Medium” by default, but existing applications with the previous default of “Undefined” will not be changed. “Undefined” can still be assigned to an application manually.
- If an application contains a completed scan, even though there are no active issues, the Risk rating is now set to "Low" (previously it was set to "Unknown").
- API and UI: Scan files now download faster.
New on January 26, 2021
- IAST:
- Support for Tomcat 10
- Improved taint tracking
- Revised OS Commanding detection rules