Previous updates 2023-2024
Lists features that were added in previous updates to the AppScan on Cloud service in 2023 and 2024.
New on December 17, 2024
- Static analysis client updated to 8.0.1605.
- Client-only update.
- Software Composition Analysis (SCA) file path processing adjustments.
New on December 12, 2024
New on December 11, 2024
- New IAST Java agent (1.18.1)
- Improve reporting and avoid reporting similar issues
- New IAST .NET agent (1.12.1)
- Support for .NET 9
- Support for RabbitMQ
- New issue types PasswordLeakageDB (CWE 256) and PasswordLeakageSentData (CWE 201)
- New IAST PHP agent (1.0.5)
- Use curl for communication with ASoC instead of the built-in client (requires curl to be installed on the machine running IAST)
- Support installing the agent on Ubuntu 24
- New vulnerability: Unvalidated redirect (CWE 601)
- New vulnerability: Password leakage to HTTP response (CWE 201)
- All agents
- Reduce frequency of heartbeat communication to ASoC when agent is disabled.
New on December 10, 2024
- AppScan Go! updated to version 2.2.0.
- Scan names allow special characters.
- The prefix static_ is no longer included in scan name automatically.
- Secrets scanning per scan enabled by default.
- User interface improvements.
- General bug fixes.
New on December 3, 2024
- Static analysis client updated to 8.0.1596.
- Additional support for Python Django.
- Updates to secrets scanning.
- Added new CLI command to retrieve logs.
- Updates to rules.
- General bug fixes.
New on December 01, 2024
- Software Composition Analysis (SCA):
- Integrated library and vulnerability data: Open-source library and license information is viewable on the new Library tab on the Issue information pane, offering a complete view of the impact of open-source components on your application and to better manage security risks and compliance requirements.
- Dynamic analysis (DAST):
- Predefined test policy: You can now choose a predefined test policy, which runs only the tests that are relevant to you and reduces scan time. For more information, see Test policy.
- Exclude/Exception: Configure DAST scans to ignore specific application paths and add an exception (include) to an excluded path, which helps with focused and faster scans. For more information, see Exclude paths.
- Support Retest and Continue tests when uploading a scan file and added more clarity to the test options when uploading a template file.
- Platform improvements
- Dashboard updates: Updated dashboard filters including the ability to filter the dashboard by application.
- Integrations Updates
- The ASoC Integrations page modified to include a comprehensive list of all available integrations.
New on October 29, 2024
- Static analysis client updated to 8.0.1585.
- Client-only update.
- Fixed an issue where some source code only scans were failing to generate a proper IRX.
New on October 28, 2024
- New IAST PHP agent (1.0.4)
- Support PHP 7.4 on Ubuntu
- Support communication to AppScan Enterprise
- Support insecure Cookie vulnerabilities (CWE 614, 1004)
- Support password leakage to database and to response vulnerabilities (CWE 201, 256)
- Improve stability across different environments
- Fix installation on Apache
- Bug fixes
- IAST for Kubernetes (1.0.4)
- Fix installation on Linux
- Support installing agents only on specified namespaces
New on October 23, 2024
- DAST engine update: Dynamic Analysis engine updated to AppScan Standard version 10.7.0. See AppScan Standard Fix List.
- Added support for scanning applications configured for TLS 1.3.
New on October 21, 2024
- AppScan Go! updated to version 2.1.1.
- Improvements to the UI and error handling.
- General bug fixes.
New on October 20, 2024
- Software Composition Analysis (SCA):
- When auto-close of issues is enabled, and an open source library is not found on rescan, the library is treated like other scan issues and removed from scan results.
- Runtime SCA updates.
- Dynamic analysis (DAST):
- API testing: Secure your APIs seamlessly with our new native API scan workflow, ensuring vulnerabilities are detected and fixed early in the development process. This release supports API scan workflows using Postman and manual recording. Look forward to seamless support for additional API scan workflows in future updates.
- Vulnerable Third-Party Component Detection: This new feature enhances the existing DAST capabilities by identifying the most-used client and server-side technologies and reporting their vulnerabilities.
- Platform improvements
- Dashboard updates: Added Scans, Technology and SCA cards to the Dashboard. These allow you to view scans or applications by technology and see the top five licenses in applications for SCA.
- Dark theme: You can now switch to dark theme in AppScan on Cloud.
- Application creation updates: The default Business Impact is set to medium and added to the quick application setup instead of Presence.
- Issue severity/status for an issue: You can update the Issue severity or the status for an individual issue in the issue details view.
- Removal of status "New”: The issue status “New” previously deprecated is now completely removed from ASoC.
- Applications’ names can now be up to 120 characters.
- Integrations Updates
- HCL AppScan Visual Studio extension for Visual Studio 2022
- Support to create SAST and SCA scans on HCL AppScan on Cloud from within Visual Studio 2022 IDE.
- Support for Scan Configuration options from within the IDE. You can also view information about initiated scans via the new "My Scans" tab in the Visual Studio IDE.
- HCL AppScan Jenkins plugin
- Support for Rescan of SAST and SCA Scans in HCL AppScan on Cloud
- HCL AppScan Azure plugin
- Support for Rescan of SAST and SCA Scans in HCL AppScan on Cloud.
New on September 26, 2024
- Static analysis client updated to 8.0.1583.
- Support for config scanning for NPM package lock files for Software Composition Analysis (SCA).
New on September 19, 2024
- Static analysis client updated to 8.0.1582.
- Updates to rules for IaC, PHP, Python, and more.
- General bug fixes.
New on September 15, 2024
- Integrations:
- The following plugins are deprecated and removed from the ASoC Integrations page:
- Visual Studio 2012 – 2019
- Eclipse
- Bamboo
- GoCD
- UrbanCode
- Date of Removal from ASoC Integrations Page: 15 September 2024
- Plugin/Integration Functionality Cease Date: 21 September 2024
- Action Required: Upgrade to latest versions of Available plugins
- AppScan on Cloud EU domain changes:
- The default domain for the AppScan on Cloud EU instance was changed to eu.cloud.appscan.com in July 2024. The old domain, cloud.appscan.com/eu, will be decommissioned soon, so update any bookmarks or URLs embedded in documentation or web pages to avoid disruption.
- New column in CSV report:
- The "Critical Issues" column, previously missing from security reports generated in CSV format, has been added. Check that the new column does not break any automation scripts that parse these reports, and update them as required.
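The warning about automation scripts above is worth taking literally: a script that picks the "High Issues" value by column position will silently start reading the new "Critical Issues" column once it is inserted ahead of it. The following is an added example (not HCL's code) showing the fragile positional parse beside a header-based one that tolerates a column being added or absent. The two report snippets are constructed, and every column name except "Critical Issues" is assumed for illustration; check them against a CSV exported from your own tenant.

```python
"""Header-based parsing of AppScan on Cloud CSV security reports.

Added example, not HCL's code. Column names other than "Critical Issues" are
assumed for illustration; verify them against a real export before relying on this.
"""
import csv
import io

# Constructed sample: a report exported BEFORE the "Critical Issues" column existed.
OLD_REPORT = """Application,High Issues,Medium Issues,Low Issues
Payments,4,7,12
Portal,1,3,0
"""

# Constructed sample: the same applications AFTER the "Critical Issues" column was added.
NEW_REPORT = """Application,Critical Issues,High Issues,Medium Issues,Low Issues
Payments,2,4,7,12
Portal,0,1,3,0
"""

# Severity columns the script knows how to handle (assumed names).
SEVERITIES = ("Critical Issues", "High Issues", "Medium Issues", "Low Issues")


def high_by_position(report):
    """Fragile approach: assumes 'High Issues' is always the second column.
    Once a column is inserted ahead of it, this returns the wrong number without any error."""
    rows = list(csv.reader(io.StringIO(report)))
    return {row[0]: int(row[1]) for row in rows[1:]}


def counts_by_header(report):
    """Robust approach: look columns up by name, treat a known-but-absent column as 0,
    and fail loudly on columns this script has never seen so a format change is noticed."""
    reader = csv.DictReader(io.StringIO(report))
    unknown = set(reader.fieldnames or ()) - set(SEVERITIES) - {"Application"}
    if unknown:
        raise ValueError(f"unexpected columns in report: {sorted(unknown)}")
    result = {}
    for row in reader:
        # row.get(sev) is None when the column is missing from this export.
        result[row["Application"]] = {sev: int(row.get(sev) or 0) for sev in SEVERITIES}
    return result


def total_critical(report):
    """Sum of critical issues across all applications; 0 for exports that predate the column."""
    return sum(app["Critical Issues"] for app in counts_by_header(report).values())


if __name__ == "__main__":
    print("positional, old format:", high_by_position(OLD_REPORT))
    print("positional, new format:", high_by_position(NEW_REPORT), "<- wrong, column shifted")
    print("by header, new format:", counts_by_header(NEW_REPORT))
    print("total critical:", total_critical(NEW_REPORT))
```

Running the block shows the positional parse reporting Payments at 2 high issues on the new format (it is actually reading the critical count), while the header-based parse returns 4 for both formats.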
New on September 10, 2024
- Static analysis client updated to 8.0.1580.
- Client only update.
- Support for .NET and Python config file scanning for Software Composition Analysis (SCA).
New on September 4, 2024
- Static analysis client updated to 8.0.1577.
- Updates to rules for PHP, JavaScript, Ruby, C/C++, and more.
- Support for eSQL.
- General bug fixes.
New on August 22, 2024
- New IAST Java agent (1.17.2)
- Use updated issue type for runtime SCA issues.
- Show URL in method-signature field of stack-less issues, to be shown in location field in AppScan on Cloud.
- Improved support for RabbitMQ.
- Use new issue types: PasswordLeakageDB and PasswordLeakageSentData.
- New IAST .NET agent (1.11.3)
- Use updated issue type for runtime SCA issues.
- Show URL in method-signature field of stack-less issues, to be shown in location field in AppScan on Cloud.
New on August 19, 2024
- Dashboard redesigned: Gain deeper insights into your applications and identified issues with the new dashboard. View real-time analytics using easy-to-understand charts and graphs to keep track of important metrics.
- Repository link in issue Details tab: The "Location" field in the issue Details tab includes a link to the specified file and line in the source code repository, when applicable. This enables direct access to the relevant code without switching tabs.
New on August 6, 2024
- REST API update
- Version 2 of the REST API was deprecated on July 30, 2024. It is no longer supported and will be removed soon. Use REST API V4 instead; review the technical overview for assistance in migrating to the updated API.
- IAST update
- New IAST .NET agent (1.11.2)
- Support for runtime SCA.
- Alternative installation method to NuGet, using a startup hook.
- Static Analysis (SAST):
- Static analysis client updated to 8.0.1574.
- Support for Java 21. In addition, Java 21 is included in the Static Analyzer Command Line Utility (SAClientUtil) package.
- The CLI command queue_analysis displays scan IDs for both static analysis (SAST) and Software Composition Analysis (SCA).
- Added the parameters --oso and --sao to the appscan queue_analysis command to specify open source only scanning or static analysis only scanning.
- IFA 2.0 enabled for .NET trace findings.
- Secrets scanner scans PowerShell (.ps1) files.
- When users have more than 5000 applications, scan submissions from the command line interface or AppScan Go! no longer fail.
- Updates to rules for Angular, ASP, CSS, Dart, Java source code scanner, JavaScript, JQuery, Objective-C, PHP, Python, secrets scanner, TerraForm, TypeScript, and VueJS.
- General bug fixes.
New on August 01, 2024
- Dynamic Analysis (DAST): Released a new version of the HCL AppScan Traffic Recorder (1.5.5055).
- Updated autoupdate to use AppScan on Cloud v4 REST API.
- Fixed third party vulnerabilities.
New on July 28, 2024
- Static Analysis (SAST):
- Auto fix: Curated autofix recommendations are now provided with a GenAI-summarized explanation in the AppScan on Cloud user interface. Auto fix was previously available only in the CodeSweep IDE plugin.
- GitHub Enterprise integration for SAST repository scanning: Run static analysis scans on GitHub Enterprise repositories.
- Dynamic Analysis (DAST):
- Domain management: Manage domains within your organization, including permissions to different asset groups, and domain authorization without the need to verify them. This feature is now available for Silver, Gold, Platinum, and Per-application subscriptions. To migrate from Domain verification to Domain management contact the Support team for assistance.
- Software Composition Analysis (SCA):
- SCA runtime: Building on IAST functionality, SCA can identify and manage vulnerabilities in open source components and libraries used by an application at runtime. Runtime SCA provides more accurate context into potential vulnerabilities, and thus helps prioritize issue remediation and resolution.
- Malware detection: Software Composition Analysis detects and reports open-source libraries that are suspected as malware. AppScan employs a comprehensive, advanced approach that combines automated analysis with human expertise, scanning multiple repositories and performing multi-domain analysis for a holistic security assessment. Our continuous monitoring of package updates, coupled with targeted attack detection and binary analysis, helps uncover hidden threats. Our team of experts reviews suspicious findings, ensuring accurate results.
- Method and root dependence identification: SCA method and root dependence details enhance the detection and analysis of libraries within a software project. The dependency root represents the original library that initiated the inclusion of other libraries that resulted in the inclusion of a vulnerable library, thus allowing users to understand the origin of a vulnerable package. Full dependency hierarchy and information is included in the SBOM report.
- Interactive monitoring (IAST):
- IAST for Kubernetes: AppScan supports automatic installation of IAST agents on Kubernetes clusters, providing support for Java, .Net, and Node.js applications.
- Platform updates:
- New Compliance Reports and Policies:
- Network and Information Security Directive (NIS2)
- OWASP Cloud-Native Application Security Top 10
- Automated comment propagation: Automatically propagates the latest comments along with issue status from the same issue in another application to the current app. This ensures that both the status and comments are consistently updated, providing a complete and synchronized issue record across all applications.
- Integrations:
- Renamed the Plugins and APIs page to Integrations to provide a clearer and more intuitive representation of the diverse third-party integrations and customizations available within AppScan on Cloud.
- Added Jira Cloud plugin and AppScan on Cloud CLI.
- Removed AppScan automation framework.
New on July 21, 2024
- New IAST Java agent (1.17.1)
- Support RabbitMQ as a source and sink.
- Support vulnerabilities of type Privacy.DataLeakage, reported when a password is written unencrypted to the database or response.
- Support vulnerabilities of type AppDOS.Flood, reported when a Vert.x app does not set limits to the request body.
- Merge repeated reports on insecure and HTTP-only cookies when the source is similar.
- New IAST .NET agent (1.11.1)
- Reduce agent dependencies to avoid application conflicts.
New on July 10, 2024
- DAST engine update: Dynamic Analysis engine updated to AppScan Standard version 10.6.0. See AppScan Standard Fix List.
New on June 20, 2024
- AppScan Go! updated to version 2.1.0.
- Added the ability to scan SCM repositories in AppScan Go! with a URL.
- AppScan Go! now auto-recommends the scan mode, either bytecode/compiled or source code.
- Bug fixes
New on May 29, 2024
- Static analysis client updated to 8.0.1570.
- Client-only update.
- Retrieving key for IRX encryption fixed.
New on May 29, 2024
- Static Analysis:
- SAST scans can now be configured and scheduled to pull source code directly from a public GitHub repository. See Scan a GitHub repository.
- While triaging SAST findings, users can view the relevant source code directly on GitHub.com.
- Findings can now be filtered by filename or path, making triaging more efficient by focusing on specific areas of the codebase.
- Dynamic Analysis:
- The Domain verification wizard is enhanced to allow users to test the connection after placing the file in the root folder. Domains pending verification for more than 30 days will be deleted. Domains remain in a pending state until the verification file is detected in the root folder, or the email verification is confirmed.
- Compliance Reports and Policies:
- Two new industry-standard reports were added:
- OWASP API Security Top 10 2023
- CWE Top 25 Most Dangerous Software Weaknesses 2023
- The following reports were updated:
- [US] DISA's Application Security and Development STIG, Version 5 Release 3
- The Payment Card Industry Data Security Standard (PCI DSS) - Version 4
- AppScan on Cloud service status page:
- This page provides real-time information on the operational status of the AppScan on Cloud service and planned maintenance. It is now accessible from the AppScan on Cloud portal.
- You can access this page from the following locations:
- Within the AppScan on Cloud portal, the AppScan Resources page is accessible under the Support menu at the top of each page. A link to the service status page is at the bottom of the AppScan Resources page.
- AppScan on Cloud documentation: The link to the status page is included on the Getting started page under the Product Resources section.
- You can bookmark the URL directly: AppScan on Cloud Service Status page.
New on May 28, 2024
- Static analysis client updated to 8.0.1569.
- Support for Makefile/GNUMakefile.
- Improvements to rules.
- General bug fixes.
New on May 16, 2024
- New IAST Java agent (1.16.2)
- Support for Vertx version 3.x.
- API endpoint discovery for Vertx.
- New IAST .NET agent (1.10.1)
- Update dependencies
- Alternative deployment of the .NET core agent during runtime without need for build (Beta).
New on April 17, 2024
- Static analysis client updated to 8.0.1567.
- Software Composition Analysis (SCA) now supports config scanning of package.json files from NPM packages. SCA can retrieve essential package dependency information from the scan, providing users with comprehensive insights into project dependencies. Package dependencies detected by the NPM package manager scans are integrated into the Software Bill of Materials (SBOM) report, facilitating a clearer understanding of project dependencies. Note: Issues found during config scanning are consolidated only with results from other config scans. To disable config scanning, use the -nc flag with appscan prepare.
- Improvements to secrets scanner.
- Improvements to Java source code scanner.
- General bug fixes.
New on April 14, 2024
- User experience (UX) improvements:
- The Create scan dialog box has been redesigned to streamline workflow for DAST scanning.
- The Settings page has been redesigned with improved organization, and now requires confirmation of changes to page settings.
- The Correlation groups page has been redesigned for greater ease-of-use.
- A date filter has been added to the Fix groups page. View fix groups according to a date range and/or according to time-related properties associated with component issues.
- A share option has been added to the Issue details pane. Copy a link or issue ID to share issue details quickly and efficiently via text or email.
New on March 27, 2024
- DAST engine update: Dynamic Analysis engine updated to AppScan Standard version 10.5.0. See AppScan Standard Fix List.
New on March 25, 2024
- New IAST Java agent (1.16.1)
- Improved support for customers using the Vertx framework.
- Support components discovery and more accurate stack report for IAST Total.
- New IAST PHP agent (1.0.1)
- Support PHP 8.3 on Ubuntu.
- Support environment variables from server config files.
New on March 9, 2024
- Static analysis client updated to 8.0.1561.
- General bug fixes.
New on March 8, 2024
- Static analysis client updated to 8.0.1560.
- Static analysis support for .NET 8.
- Improvements to Software Composition Analysis (SCA) support for Go Modules.
- Improved accuracy for Java, JavaScript and Python languages.
- General bug fixes.
New on February 21, 2024
- New IAST Java agent (version 1.16.0):
- Added support for the VertX framework.
- New IAST .NET agent (version 1.10.0):
- Added support for .NET 8.
- Enhanced support for IAST Total on .NET.
- Optimization.
New on February 18, 2024
- REST API update: Version 4 of our REST API is available now. Please review the technical overview for assistance in migrating to the updated API.
- Default issues view: By default, ASoC displays non-compliant issues only at the application level.
- Fix groups filtering: ASoC supports filtering fix groups by vulnerability and policy, in addition to existing filters. With additional filtering capabilities, you can pinpoint issues and optimize fixes for faster remediation.
- Issue properties tab: New Properties tab on the Issue details pane lists expanded issue details, including how and when the issue was found, type, status, severity, scanner, and location, and including issue ID.
- Auto-close of issues: ASoC auto-closes issues when they do not appear in rescans, thus reducing the manual effort of closing issues.
- 2k scan limit: When auto-cleanup is not enabled at the organization level, ASoC enforces the 2k scan limit.
New on February 14, 2024
- AppScan Go! updated to version 2.0.0. AppScan Go! steps you through configuring and running a static, SCA, or secrets scan with a refreshed and improved user interface and refined workflow. You can run a complete scan, prepare an IRX file for scanning later, or configure files for automating scans with AppScan plugins. You can also view account information within the tool.
New on January 19, 2024
- Static analysis client updated to 8.0.1558.
- New Software Composition Analysis (SCA) support for Go Modules.
- General bug fixes.
New on January 15, 2024
- Software Composition Analysis (SCA):
- Software Bill of Materials (SBOM) report: New support for Software Bill of Materials (SBOM) reports. Generate an SPDX industry-standard report of open source libraries in your application
- Open source library search: SCA users can search for open source libraries in applications to which they have access through asset groups. The ability to locate all instances of a library increases the speed and confidence with which users can remediate library-related issues and concerns.
- Open source library details: Library search results include license details of libraries found in applications. Details include license information that enables you to evaluate the legal risks and benefits of a particular library.
- Static analysis (SAST):
- Source code view: The Issue details pane includes the ability to access source code in the local directory structure or, if the scan was created in GitHub, to view the code in the GitHub repository.
- C++ scanner: Improved source code-only scanning for C++.
- Enhanced DAST scanning with IAST Total: IAST Total provides enhanced automatic configuration, quicker scan and remediation processes, detailed call stack information for detected vulnerabilities, and deeper insight into the application backend. For more information, see IAST Total.
- User experience (UX) improvements:
- Asset groups: The new delete asset group flow simplifies the process of deleting an asset group. Users with the delete asset group permission (default roles like Administrator and Manager, as well as custom roles) can delete an asset group along with its associated applications, including scans and findings, facilitating the removal of unnecessary applications. Users can also opt to move the applications to another asset group, either with or without their members.
- Fix groups: Comments field added to security report for fix groups, allowing for better inclusion and tracking of notes and comments.
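The SBOM report and the library license details above (and the dependency root information described under New on July 28, 2024) are most useful when consumed by a script rather than read by hand. The following is an added example (not HCL's code) that loads an SPDX SBOM, lists libraries whose license needs a legal decision, and walks the dependency relationships back from a vulnerable library to the direct dependency that pulled it in. It assumes the report is SPDX 2.x JSON using the standard `packages` and `relationships` structures; the sample document is constructed, and the root-finding follows the page's description of a dependency root rather than any documented report field.

```python
"""Consume an SPDX SBOM: license review list and dependency-root lookup.

Added example, not HCL's code. Assumes SPDX 2.x JSON with standard `packages`
and `relationships` (DESCRIBES / DEPENDS_ON); the sample below is constructed.
"""
import json
from collections import deque

# Constructed sample SBOM (not a real export). An app depends directly on
# web-framework and legacy-crypto; xml-utils arrives only via web-framework -> json-parser.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "payments-service",
    "packages": [
        {"SPDXID": "SPDXRef-App", "name": "payments-service", "versionInfo": "1.4.0",
         "licenseConcluded": "NOASSERTION"},
        {"SPDXID": "SPDXRef-Pkg-web", "name": "web-framework", "versionInfo": "5.2.1",
         "licenseConcluded": "Apache-2.0"},
        {"SPDXID": "SPDXRef-Pkg-json", "name": "json-parser", "versionInfo": "2.0.3",
         "licenseConcluded": "MIT"},
        {"SPDXID": "SPDXRef-Pkg-xml", "name": "xml-utils", "versionInfo": "0.9.9",
         "licenseConcluded": "GPL-3.0-only"},
        {"SPDXID": "SPDXRef-Pkg-crypto", "name": "legacy-crypto", "versionInfo": "1.0.0",
         "licenseConcluded": "NOASSERTION"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-App",
         "relationshipType": "DESCRIBES"},
        {"spdxElementId": "SPDXRef-App", "relatedSpdxElement": "SPDXRef-Pkg-web",
         "relationshipType": "DEPENDS_ON"},
        {"spdxElementId": "SPDXRef-App", "relatedSpdxElement": "SPDXRef-Pkg-crypto",
         "relationshipType": "DEPENDS_ON"},
        {"spdxElementId": "SPDXRef-Pkg-web", "relatedSpdxElement": "SPDXRef-Pkg-json",
         "relationshipType": "DEPENDS_ON"},
        {"spdxElementId": "SPDXRef-Pkg-json", "relatedSpdxElement": "SPDXRef-Pkg-xml",
         "relationshipType": "DEPENDS_ON"},
    ],
})

# Licenses that typically need a legal decision before shipping (assumed policy; tune it).
REVIEW_LICENSES = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only", "NOASSERTION"}


def load_sbom(text):
    """Return (packages by SPDXID, DEPENDS_ON adjacency, SPDXID of the described app)."""
    doc = json.loads(text)
    packages = {p["SPDXID"]: p for p in doc.get("packages", [])}
    depends = {}
    described = None
    for rel in doc.get("relationships", []):
        if rel["relationshipType"] == "DEPENDS_ON":
            depends.setdefault(rel["spdxElementId"], []).append(rel["relatedSpdxElement"])
        elif rel["relationshipType"] == "DESCRIBES" and rel["spdxElementId"] == doc["SPDXID"]:
            described = rel["relatedSpdxElement"]
    return packages, depends, described


def libraries_needing_review(text):
    """(name, version, license) for every library, excluding the app itself, whose license is in REVIEW_LICENSES."""
    packages, _, app = load_sbom(text)
    return sorted(
        (p["name"], p["versionInfo"], p.get("licenseConcluded", "NOASSERTION"))
        for sid, p in packages.items()
        if sid != app and p.get("licenseConcluded", "NOASSERTION") in REVIEW_LICENSES
    )


def dependency_path(text, target_name):
    """Breadth-first search from the described app to the package named target_name.
    Returns the chain of package names (shortest path), or [] if unreachable."""
    packages, depends, app = load_sbom(text)
    if app is None or app not in packages:
        return []
    queue, seen = deque([[app]]), {app}
    while queue:
        path = queue.popleft()
        if packages[path[-1]]["name"] == target_name:
            return [packages[sid]["name"] for sid in path]
        for nxt in depends.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return []


def dependency_root(text, target_name):
    """The direct dependency through which target_name is pulled in (a direct dependency is its own root)."""
    path = dependency_path(text, target_name)
    return path[1] if len(path) > 1 else None


if __name__ == "__main__":
    print("needs license review:", libraries_needing_review(SAMPLE_SPDX))
    print("path to xml-utils:", " -> ".join(dependency_path(SAMPLE_SPDX, "xml-utils")))
    print("root of xml-utils:", dependency_root(SAMPLE_SPDX, "xml-utils"))
```

In the sample, the GPL-licensed xml-utils is flagged for review and traced to web-framework as its root, which is the package you would upgrade or replace; a direct dependency such as legacy-crypto reports itself as the root.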
New on December 13, 2023
- Static analysis client updated to 8.0.1556.
- Major enhancements to Intelligent Findings Analytics (IFA) for Java, our AI/ML auto-triage technology, include more precise findings and reduced false positives. Users may notice additional findings in previously scanned code due to improved analysis and prioritization.
- The Static Analyzer Command Line Utility (SAClientUtil) supports updated distinct workflows for SCA and SAST. The SAClientUtil, via the appscan queue_analysis command, kicks off two scans: one static analysis scan and one SCA scan for the open source findings. Static analysis and SCA scans are separated as a result.
- Automatic discovery of Git repositories. File paths for new issues are relative to the repository root.
- Increased coverage for RPG language.
- General bug fixes.
New on December 04, 2023
- DAST engine update: Dynamic Analysis engine updated to AppScan Standard version 10.4.0. See AppScan Standard Fix List.
New on December 3, 2023
- IAST now supports PHP:
- PHP agent (version 1.0.0) is supported in addition to Java, Node.js and .NET.
- User experience (UX) improvements:
- Source code tab on Issues detail pane: View source code associated with issues in the AppScan on Cloud interface for faster remediation.
- Asset groups: The new interface simplifies the process of creating Asset groups and ensures that a default contact is set. The default contact cannot be cleared, although it can be modified.
- Fix groups: Additional functionality in the Fix groups interface allows for more robust triaging and management of issues sorted into fix groups.
- New Regulatory Compliance report: [SA] Protection of Personal Information Act (PoPIA), 2013.
- Updated Regulatory Compliance reports:
- [US] The Federal Risk and Authorization Management Program (FedRAMP), Revision 5.
- [US] DISA's Application Security and Development STIG, V5R2
- [US] Federal Information Security Modernization Act (FISMA), 2014.
- AWS integration added to the Plugins & APIs page:
- The AWS CodeBuild and CodePipeline plugin enables effortless execution of Dynamic Application Security Testing (DAST) scans through AppScan on Cloud, ensuring seamless integration into your DevOps cycle.
New on November 1, 2023
- New IAST Java agent (version 1.15.1):
- New methods to specify a proxy to the agent for accessing ASoC:
- Environment variables: IAST_PROXY_HOST and IAST_PROXY_PORT.
- Custom Java properties: Iast.proxyHost and Iast.proxyPort.
- This is in addition to the existing method of defining a proxy through the standard Java properties https.proxyHost and https.proxyPort.
New on October 29, 2023
- Software Composition Analysis (SCA) and static analysis are now distinct workflows within AppScan on Cloud. This separation of static and open-source scanning technologies allows for greater flexibility in testing strategies. You can scan only open-source libraries using SCA and work with issues in an SCA-specific single scan view, or run both static and open-source scanning on files, as your organization needs.
- Send tests to login and logout pages as part of dynamic analysis. The DAST wizard test options allow you to specify whether to send tests to login and logout pages.
- Updated user interface for creating and managing asset groups. Asset groups are a useful means for managing user access to data. With this updated user interface, you can easily define and manage asset groups, and thus better manage which team members work with specific data.
New on October 16, 2023
- Static analysis client updated to 8.0.1546.
- Support for scanning cascading style sheets (CSS files). AppScan on Cloud identifies security vulnerabilities in cascading style sheets, including cross-site scripting, injection, and validation.
- Support for IBM WebSphere Application Server 9.x. The Static Analyzer Command Line Utility can be configured to leverage a WebSphere environment to use the JSP compiler included with WebSphere.
- Improved accuracy for PHP scanning. AppScan on Cloud improved verification of PHP content in HTML files.
- General fixes. The AppScan development team regularly reviews functionality and code, making tweaks and adjustments on an ongoing basis to provide optimum scanning functionality.
New on September 28, 2023
- New IAST Java agent (version 1.14.3):
- Corrected the message displayed when the user sets incorrect proxy settings.
- Updated the IAST log to include both date and time.
- IAST Java agent (version 1.14.2) previously released:
- "Detected APIs", a new issue type is used instead of the "Miscellaneous" issue type for the issues that report the full list of the application's APIs.
- Improved deployment process: Setting the BC_SB environment variable is no longer needed in Java versions 9 and later.
- Additional framework support for Java: Spring 6.
- OWASP testing: Improved logging for demo purposes. For more information, see OWASP Benchmark with IAST agent.
New on September 10, 2023
- DAST:
- Support for incremental scanning that significantly shortens the DAST rescans by identifying new areas and changes in the application and focusing the scan on them.
- An update: As described in New on September 5, 2023, only AppScan Standard results uploaded to AppScan on Cloud via AppScan Connect will include vulnerable component results. Currently, DAST scanning on ASoC does not support this capability.
- SAST: AppScan on Cloud allows upload of archive files for scanning without first generating an IRX file. This saves the user time by offloading the preparation of the files to ASoC.
- ServiceNow plugin: Issues can now be triaged in ServiceNow by importing vulnerability data from AppScan on Cloud (DAST or SAST findings) into the ServiceNow Vulnerability Response platform by using the ServiceNow plugin.
- User experience (UX) improvements:
- Single scan view: Now includes the option to display Active Issues, in addition to Total Issues, and New Issues. Active issues are issues whose status is "New (deprecated)", "Open", "In progress", or "Reopened". In addition, improvements were made to the "Issues by severity" graph.
- You can now assign up to three unique presences and restrict the application's scanning exclusively to those presences.
New on September 5, 2023
- Correction to New on July 31, 2023: DAST engine update: Dynamic Analysis engine updated to AppScan Standard version 10.3.0 on July 31, 2023. See AppScan Standard Fix List. Note:
- Although the identification of third-party components is a new feature in AppScan Standard 10.3.0, it is not supported for scans run in ASoC.
- The July 31, 2023, release stated that scans initiated via "scan" or "scant" files from AppScan Standard include detection of vulnerable components. However, this support will be disabled in the upcoming deployment.
- Scan results imported to ASoC from AppScan Standard via AppScan Connect will still include vulnerable components detected by AppScan Standard.
New on August 22, 2023
- Static analysis client updated to 8.0.1542.
- Additional performance improvements for source code scanners.
- General bug fixes.
New on August 16, 2023
- Static analysis client updated to 8.0.1537.
- Secrets scanning is disabled by default. Use the --enableSecrets and --secretsOnly options to scan secrets.
- Improved performance for source code scanners.
- General bug fixes.
New on July 31, 2023
- DAST engine update: Dynamic Analysis engine updated to AppScan Standard version 10.3.0. See AppScan Standard Fix List.
- Attention: Refer to New on September 5, 2023, for the latest information on third-party component support in ASoC. The following note is no longer valid. Only scan results uploaded to ASoC via AppScan Connect will include vulnerable components if they are detected.
- Note: Although identifying third-party components is a new feature in AppScan Standard 10.3.0, it is not supported in ASoC. However, scans or templates imported from AppScan Standard (if the option is selected in AppScan Standard) will include third-party components.
New on July 20, 2023
- Static analysis client updated to 8.0.1535.
- General bug fixes.
New on July 16, 2023
- Updated Create and Edit Application dialogs.
- Create application: The new quick setup lets you create the application by assigning a name and asset group only. You can add additional parameters later using Edit application.
- Users with permission can now create a new asset group from within the Create and Edit application dialogs.
- Plugins: Added VS 2022 plugin.
- Open-source issues now include library Location.
- Industry Standard Report "NIST Special Publication 800-53" updated to version 5.
New on June 30, 2023
- Static analysis client updated to 8.0.1533.
- Expanded support for secrets scanning.
New on June 20, 2023
- Static analysis client updated to 8.0.1531.
- Support for secrets scanning.
New on June 11, 2023
- DAST:
- Scan configuration wizard now supports adding additional domains to the scan.
- Dashboard: ‘Applications with most active issues’ graph replaces the 'Common issue types’ graph.
- Option to select Staging or Production environment has been removed due to the addition of the new configuration options like automatic form fill. For details, see Why can I no longer specify the environment to be Staging or Production?
- API:
- Create scan API: DAST number of threads now supports up to 20 threads.
- Open-source information is now displayed with more consolidated and accurate data, on a library level and not on a file level.
New on May 31, 2023
- AppScan Go! updated to version 1.0.2
- Updated icons and logos
- General bug fixes
New on May 18, 2023
- New IAST Java agent (version 1.12.10501):
- Performance improvements
- Added new vulnerabilities:
- Sensitive API Requires Logging (CWE 778; OWASP Top 10 2021 A09:2021 Security Logging and Monitoring Failures). Supported for applications using log4j.
- Regex injection (CWE 624).
- API detection: A new issue reports all detected APIs in an application. Supported for Spring applications.
New on May 15, 2023
- Static analysis client updated to 8.0.1530.
- New language support for Rust.
- Improved accuracy for Java and Ruby.
- Inline tutorials for fix groups, Jenkins plugin setup, Azure plugin setup, and CodeSweep action.
- General bug fixes.
New on April 23, 2023
- When you delete a scan, SCA libraries that belong only to that scan are now also deleted, as issues are.
- SAST/SCA: Improved data flow display in Issue details pane.
- Subscriptions page: Added ‘AppScan for You’ service details.
New on April 18, 2023
- New IAST .NET agent (version 1.7.3)
New on March 29, 2023
- DAST engine update: Dynamic Analysis engine updated to AppScan Standard version 10.2.0. See AppScan Standard Fix List.
New on March 26, 2023
- Audit trail page added (Organization > Audit trail).
- CVSS scoring for DAST issues is now based on v3.1. The CVSS version can be added as a column in the Issues view; see CVSS. Note that because CVSS thresholds vary between versions, the same issue can receive different CVSS scores in scans run before and after this update.
- API: Added support for Postman collections (Scans/FileUpload and Scans/DynamicAnalysisWithFiles).
New on March 21, 2023
- Static analysis client updated to 8.0.1524.
- General bug fixes.
New on March 13, 2023
- New IAST .NET agent (v 1.7.2): Bug fixes
New on March 5, 2023
- New IAST .NET agent (v 1.7.1):
- Bug fixes and performance improvements
- Support for WebSockets in .NET core
- New vulnerability types: Missing "Content-Security-Policy" header (CWE 1032), Missing "Referrer policy" Security Header (CWE 200)
- Basic support for customers that use System.Net.WebClient
New on February 19, 2023
- Issue status “New” is deprecated and new issues found are now classified as “Open”. Issues marked "New" in previous scans are not affected unless also found in the new scan (see Issue status).
- When creating a DAST scan, the default Environment ("ScanType" in the API) has been changed from production to staging (see Creating a DAST scan).
Attention: If you are scanning a live production environment it is important that you change this setting when creating your scan.
- New regulatory compliance policy and report: [US] California Consumer Privacy Act (CCPA) - AB-375.
- Scan statistics are now shown to administrators graphically in the organization’s ‘Scans and Sessions’ view.
- ‘Automatic cleanup’ configuration added to organization and application settings (see Cleanup).
- Correlation data added to Correlation groups view.
- Roles API: ‘IsAssignable’ added to the role model, to indicate that the user can invite users with this role or change the role of another user to this role.
New on February 6, 2023
- Static analysis client updated to 8.0.1521.
- Improvements to Software Composition Analysis (SCA) discovery and reporting.
- Improved accuracy for C, C++, and Python scans.
- General bug fixes.
New on January 23, 2023
- Added "Last Found" to the Date filter for issues.
- Issue status "New" deprecated: UI now has an announcement that from February issues that would have been marked “New” will instead be marked “Open”. Existing “New” issues will not be changed, unless they are found in a new scan, in which case they will be set to “Open”. You will be able to change the status of a “New” issue to any other status, but will not be able to set an issue’s status to “New”. See Issue status.
New on January 16, 2023
- IAST Java agent (version 1.12.10400): Various fixes and enhancements.
New on January 15, 2023
- New "Last found" column in the Issues list shows the most recent date that the issue was found.
Note: This applies only to issues found in scans run after this update. For older scans the "Last found" field will be empty.