Previous updates 2023-2024

• Improve reporting and avoid reporting similar issues

• Support for .NET 9
• Support rabbit MQ
• New issue types PasswordLeakageDB (CWE 256) and PasswordLeakageSentData (CWE 201)

• Use Curl for communication with ASoC instead of built in client (requires Curl installed on the machine running IAST)
• Support installing the agent on Ubuntu 24
• New vulnerability: Unvalidated redirect (CWE 601)
• New vulnerability: Password leakage to HTTP response (CWE 256)

• Reduce frequency of heartbeat communication to ASoC when agent is disabled.

• Integrated library and vulnerability data: Open-source library and license information is viewable on the new Library tab on the Issue information pane, offering a complete view of the impact of open-source components on your application and to better manage security risks and compliance requirements.

• Predefined test policy: You can now choose a pre-defined test policy, which would run only relevant tests that are important to you and reduce scan time. For more information, see Test policy.
• Exclude/Exception: Configure DAST scans to ignore specific application paths and add an exception (include) to an excluded path, which helps with focused and faster scans. For more information, see Exclude paths.
• Support Retest and Continue tests when uploading a scan file and added more clarity to the test options when uploading a template file.

• Dashboard updates: Updated dashboard filters including the ability to filter the dashboard by application.

• The ASoC Integrations page modified to include a comprehensive list of all available integrations.

• Support PHP 7.4 on Ubuntu
• Support communication to AppScan Enterprise
• Support insecure Cookie vulnerabilities (CWE 614, 1004)
• Support password leakage to database and to response vulnerabilities (CWE 201, 256)
• Improve stability across different environments
• Fix installation on Apache
• Bug fixes

• Fix installation on Linux
• Support installing agents only on specified namespaces

• When auto-close of issues is enabled, and an open source library is not found on rescan, the library is treated like other scan issues and removed from scan results.
• Runtime SCA updates.

• API testing: Secure your APIs seamlessly with our new native API scan workflow, ensuring vulnerabilities are detected and fixed early in the development process. This release supports API scan workflows using Postman and manual recording. Look forward to seamless support for additional API scan workflows in future updates.
• Vulnerable Third-Party Component Detection: This new feature enhances the existing DAST capabilities by identifying the most-used client and server-side technologies and reporting their vulnerabilities.

• Dashboard updates: Added Scans, Technology and SCA cards to the Dashboard. These allow you to view scans or applications by technology and see the top five licenses in applications for SCA.
• Dark theme: You can now switch to dark theme in AppScan on Cloud.
• Application creation updates: The default Business Impact is set to medium and added to the quick application setup instead of Presence.
• Issue severity/status for an issue: You can update the Issue severity or the status for an individual issue in the issue details view.
• Removal of status "New”: The issue status “New” previously deprecated is now completely removed from ASoC.
• Applications’ names can now be up to 120 characters.

• HCL AppScan Visual Studio extension for Visual Studio 2022
  • Support to create SAST and SCA scans on HCL AppScan on Cloud from within Visual Studio 2022 IDE.
  • Support for Scan Configuration options from within the IDE. You can also view information about initiated scans via the new "My Scans" tab in the Visual Studio IDE.
• HCL AppScan Jenkins plugin
  • Support for Rescan of SAST and SCA Scans in HCL AppScan on Cloud
• HCL AppScan Azure plugin
  • Support for Rescan of SAST and SCA Scans in HCL AppScan on Cloud.

• Use updated issue type for runtime SCA issues.
• Show URL in method-signature field of stack-less issues, to be shown in location field in AppScan on Cloud.
• Improved support for RabbitMQ.
• Use new issue types: PasswordLeakageDB and PasswordLeakageSentData.

• Use updated issue type for runtime SCA issues.
• Show URL in method-signature field of stack-less issues, to be shown in location field in AppScan on Cloud.

• Version 2 of REST API was deprecated on July 30,2024, it is no longer supported and will be removed soon. Please use REST API V4 instead. Review the technical overview for assistance in migrating to the updated API.

• New IAST .NET agent (1.11.2)
  • Support for runtime SCA.
  • Alternative installation method to NuGet, using a startup hook.

• Static analysis client updated to 8.0.1574.
• Support for Java 21. In addition, Java 21 is included in the Static Analyzer Command Line Utility (SAClientUtil) package.
• CLI command queue_analysis displays scan IDs for both static analysis (SAST) and Software Composition Analysis (SCA).
• Added the parameters --oso and --sao to the appscan queue_analysis command to specify open source only scanning or static analysis only scanning.
• IFA 2.0 enabled for .NET trace findings.
• Secrets scanner scans PowerShell (.ps1) files.
• When users have more than 5000 applications, scan submissions from the command line interface or AppScan Go! no longer fail.
• Updates to rules for Angular, ASP, CSS, Dart, Java source code scanner, JavaScript, JQuery, Objective-C, PHP, Python, secrets scanner, TerraForm, TypeScript, and VueJS.
• General bug fixes.

• Updated autoupdate to use AppScan on Cloud v4 REST API.
• Fixed third party vulnerabilities.

• Auto fix: Curated autofix recommendations are now provided with a GenAI-summarized explanation in the AppScan on Cloud user interface. Auto fix previously was available only in CodeSweep IDE plugin.
• GitHub Enterprise integration for SAST repository scanning: Run static analysis scans on GitHub Enterprise repositories.

• Domain management: Manage domains within your organization, including permissions to different asset groups, and domain authorization without the need to verify them. This feature is now available for Silver, Gold, Platinum, and Per-application subscriptions. To migrate from Domain verification to Domain management contact the Support team for assistance.

• SCA runtime: Building on IAST functionality, SCA can identify and manage vulnerabilities in open source components and libraries used by an application at runtime. Runtime SCA provides more accurate context into potential vulnerabilities, and thus helps prioritize issue remediation and resolution.
• Malware detection: Software Composition Analysis detects and reports open-source libraries that are suspected as malware. AppScan employs a comprehensive, advanced approach that combines automated analysis with human expertise, scanning multiple repositories and performing multi-domain analysis for a holistic security assessment. Our continuous monitoring of package updates, coupled with targeted attack detection and binary analysis, helps uncover hidden threats. Our team of experts reviews suspicious findings, ensuring accurate results.
• Method and root dependence identification: SCA method and root dependence details enhance the detection and analysis of libraries within a software project. The dependency root represents the original library that initiated the inclusion of other libraries that resulted in the inclusion of a vulnerable library, thus allowing users to understand the origin of a vulnerable package. Full dependency hierarchy and information is included in the SBOM report.

• IAST for Kubernetes: AppScan supports automatic installation of IAST agents on Kubernetes clusters, providing support for Java, .Net, and Node.js applications.

• New Compliance Reports and Policies:
  • Network and Information Security Directive (NIS2)
  • OWASP Cloud-Native Application Security Top 10
• Automated comment propagation: Automatically propagates the latest comments along with issue status from the same issue in another application to the current app. This ensures that both the status and comments are consistently updated, providing a complete and synchronized issue record across all applications.

• Renamed the Plugins and APIs page to Integrations to provide a clearer and more intuitive representation of the diverse third-party integrations and customizations available within AppScan on Cloud.
• Added Jira Cloud plugin and AppScan on Cloud CLI.
• Removed AppScan automation framework.

• Support RabbitMQ as a source and sink.
• Support vulnerabilities of type Privacy.DataLeakage, reported when a password is written unencrypted to the database or response.
• Support vulnerabilities of type AppDOS.Flood, reported when a Vert.x app does not set limits to the request body.
• Merge repeated reports on insecure and HTTP-only cookies when the source is similar.

• Reduce agent dependencies to avoid application conflicts.

• SAST scans can now be configured and scheduled to pull source code directly from a public GitHub repository. See Scan a GitHub repository.
• While triaging SAST findings, users can view the relevant source code directly on GitHub.com.
• Findings can now be filtered by filename or path, making triaging more efficient by focusing on specific areas of the codebase.

• The Domain verification wizard is enhanced to allow users to test the connection after placing the file in the root folder. Domains pending verification for more than 30 days will be deleted. Domains remain in a pending state until the verification file is detected in the root folder, or the email verification is confirmed.

• Two new industry-standard reports were added:
  • OWASP API Security Top 10 2023
  • CWE Top 25 Most Dangerous Software Weaknesses 2023
• The following reports were updated:
  • [US] DISA's Application Security and Development STIG, Version 5 Release 3
  • The Payment Card Industry Data Security Standard (PCI DSS) - Version 4

• This page provides real-time information on the operational status of the AppScan on Cloud service and planned maintenance. It is now accessible from the AppScan on Cloud portal.
• You can access this page from the following locations:
  • Within the AppScan on Cloud portal, the AppScan Resources page is accessible under the Support menu at the top of each page. A link to the service status page is at the bottom of the AppScan Resources page.
  • AppScan on Cloud documentation: The link to the status page is included on the Getting started page under the Product Resources section.
  • You can bookmark the URL directly: AppScan on Cloud Service Status page.

• Support for Vertx version 3.x.
• API endpoint discovery for Vertx.

• Update dependencies
• Alternative deployment of the .NET core agent during runtime without need for build (Beta).

• The Create scan dialog box has been redesigned to streamline workflow for DAST scanning.
• The Settings page has been redesigned with improved organization, and now requires confirmation of changes to page settings.
• The Correlation groups page has been redesigned for greater ease-of-use.

• Improved support for customers using the Vertx framework.
• Support components discovery and more accurate stack report for IAST Total.

• Support PHP 8.3 on Ubuntu.
• Support environment variables from server config files.

Static analysis client updated to 8.0.1561.

• Added support for the VertX framework.

• Added support for .NET 8.
• Enhanced support for IAST Total on .NET.
• Optimization.

AppScan Go! steps you through configuring and running a static, SCA, or secrets scan with a refreshed and improved user interface and refined workflow. You can run a complete scan, prepare an IRX file for scanning later, or configure files for automating scans with AppScan plugins. You can also view account information within the tool.

This separation of static and open-source scanning technologies allows for greater flexibility in testing strategies. You can scan only open-source libraries using SCA and work with issues in an SCA-specific single scan view or run both static and open-source scanning on files, as your organization needs.

The DAST wizard test options allow you to specify whether to send tests to login and logout pages.

Asset groups are a useful means for managing user access to data. With this updated user interface, you can easily define and manage asset groups, and thus better manage which team members work with specific data.

AppScan on Cloud identifies security vulnerabilities in cascading style sheets, including cross-site scripting, injection, and validation.

The Static Analyzer Command Line Utility can be configured to leverage a WebSphere environment to use the JSP compiler included with WebSphere.

AppScan on Cloud improved verification of PHP content in HTML files.

The AppScan development team regularly reviews functionality and code, making tweaks and adjustments on an ongoing basis to provide optimum scanning functionality.

• Corrected the message displayed when the user sets incorrect proxy settings.
• Updated the IAST log to include both date and time.

• "Detected APIs", a new issue type is used instead of the "Miscellaneous" issue type for the issues that report the full list of the application's APIs.
• Improved deployment process: Setting of BC_SB environment variable is no longer needed in Java versions 9 and later.
• Additional framework support for Java: Spring 6.
• OWASP testing: Improved logging for demo purposes. For more information, see OWASP Benchmark with IAST agent.

• Support for incremental scanning that significantly shortens the DAST rescans by identifying new areas and changes in the application and focusing the scan on them.

• An update: As described in New on September 5, 2023, only AppScan Standard results uploaded to AppScan on Cloud via AppScan Connect will include vulnerable component results. Currently, DAST scanning on ASoC does not support this capability.

• Single scan view: Now includes the option to display Active Issues, in addition to Total Issues, and New Issues. Active issues are issues whose status is "New (deprecated)", "Open", "In progress", or "Reopened". In addition, improvements were made to the "Issues by severity" graph.
• You can now assign up to three unique presences and restrict the application's scanning exclusively to those presences.

Use the --enableSecrets and --secretsOnly options to scan secrets.

• Create application: The new quick setup lets you create the application by assigning a name and asset group only. You can add additional parameters later using Edit application.
• Users with permission can now create a new asset group from within the Create and Edit application dialogs.

• Scan configuration wizard now supports adding additional domains to the scan.
• Dashboard: ‘Applications with most active issues’ graph replaces the 'Common issue types’ graph.
• Option to select Staging or Production environment has been removed due to the addition of the new configuration options like automatic form fill. For details, see Why can I no longer specify the environment to be Staging or Production?

• Create scan API: DAST number of threads now supports up to 20 threads.
• Open-source information is now displayed with more consolidated and accurate data, on a library level and not on a file level.

• Updated icons and logos
• General bug fixes

• Performance improvements
• Added new vulnerabilities:
  • Sensitive API Requires Logging – CWE 778, (A09:2021 –Security Logging and monitoring in OWASP top10 2021 list). Supported for applications using log4j.
  • Regex injection (CWE 624).
• API detection: A new issue reports all detected APIs in an application. Supported for Spring applications.

• Bug fixes and performance improvements
• Support for WebSockets in .NET core
• New vulnerability types: Missing "Content-Security-Policy" header (CWE 1032), Missing "Referrer policy" Security Header (CWE 200)
• Basic support for customers that use System.Net.WebClient