Known issues and workarounds

These are known issues and their workarounds.

Table 1. Known issues and workarounds

Issue: When using the proxy with TLS, only TLS 1.0 is accepted.
Workaround: To enable TLS 1.1 or 1.2, change one line in app.js. Search for this line:

var commandArgs = ['-jar', dastProxyJar, '-mcm', 'start', portFlag, port, '-sdcftf', recordingDir];

and change it to this:

var commandArgs = ['-Dcom.ibm.jsse2.overrideDefaultTLS=true', '-jar', dastProxyJar, '-mcm', 'start', portFlag, port, '-sdcftf', recordingDir];
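The edited line places the JVM system property ahead of -jar, which matters: the JVM only reads -D options that appear before -jar, and anything after it is passed to the proxy application as a program argument. The following Node.js helper is an added example, not code from app.js or from HCL; it builds the same argument list with any -D options placed first and includes a check that confirms the ordering. The function names buildProxyArgs and jvmOptionsPrecedeJar, and the sample values used for the jar, port flag, port and recording directory, are assumptions.

```javascript
'use strict';

// Added example (not from app.js): build the java command line used to
// launch the DAST proxy so that JVM system properties (-D...) always
// precede -jar. Options placed after -jar are handed to the application
// and would silently have no effect on the JVM's TLS configuration.
// The -D property below is the one named in the workaround; it makes the
// IBM JSSE2 provider accept TLS 1.1 and 1.2 instead of only TLS 1.0.
const DEFAULT_JVM_OPTIONS = ['-Dcom.ibm.jsse2.overrideDefaultTLS=true'];

function buildProxyArgs({ dastProxyJar, portFlag, port, recordingDir, jvmOptions = DEFAULT_JVM_OPTIONS }) {
  // Only JVM system properties belong in front of -jar; refuse anything else.
  const notProperty = jvmOptions.find((o) => !o.startsWith('-D'));
  if (notProperty) throw new Error(`not a JVM system property: ${notProperty}`);
  return [
    ...jvmOptions,
    '-jar', dastProxyJar,
    '-mcm', 'start', portFlag, String(port),
    '-sdcftf', recordingDir,
  ];
}

// Returns true only when -jar is present and every -D option appears before it.
function jvmOptionsPrecedeJar(args) {
  const jarIdx = args.indexOf('-jar');
  if (jarIdx === -1) return false;
  return args.every((a, i) => !a.startsWith('-D') || i < jarIdx);
}

// Usage (assumed values; commented out so the example runs without a JDK
// or the proxy jar installed):
// const { spawn } = require('child_process');
// const args = buildProxyArgs({
//   dastProxyJar: 'DASTProxy.jar', portFlag: '-p', port: 8080, recordingDir: 'C:\\recordings',
// });
// if (!jvmOptionsPrecedeJar(args)) throw new Error('JVM options must precede -jar');
// spawn('java', args, { stdio: 'inherit' });
```

The ordering check is worth keeping in any launcher script that is edited by hand: a property placed after -jar produces no error at start-up, and the proxy simply keeps accepting only TLS 1.0.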

Issue: When you export Security Test Policies from the AppScan Enterprise Administration page, the .policy file does not contain the test details.
Workaround: Install AppScan Standard and export the .policy file for the desired Security Test Policy from there.

Issue: When the AppScan Enterprise UI language is set to any language other than English, the following issues might be observed:
  • In the Scan tab, the How to Fix menu is displayed in English.
  • In the report generated from the Scan tab, the heading is printed as Advisories and Fix Recommendation instead of the new heading name How to Fix.
  • In the Monitor or Scan page, the check box label that you must select to generate the Security report is displayed as Advisories and Fix Recommendation instead of the new name How to Fix.
  • When the UI language is set to Español (Spanish), the Reference API link and the How to Fix report content are printed in English.
  • In the Security Report generated in PDF format from the Scan tab, the Risk and External References headers are printed in English.
  • In the Monitor page for a tested application that has security vulnerabilities, when you click the issue number, the How to Fix link is displayed in English.
  • When you select a different language and export issues from the Monitor tab, the IssueType name is displayed in English.
  • On switching to a different language, the How to Fix content for a different programming language in the Scans tab is displayed in the previous language.
Workaround: A change in the language settings does not affect the UI functionality in any way; only this information is displayed in English. It is therefore recommended to continue using the functionality until these issues are addressed in a subsequent release.

Issue: The last step of the instruction text is truncated and not visible when you choose the Node.js agent type in the IAST page opened in Google Chrome or Mozilla Firefox with the page zoom set to 100%.
Workaround: Open the IAST page in Internet Explorer, or adjust the zoom percentage in the browser you are using until the truncated instruction text is visible.

Issue: When upgrading to v10.0.5, the Advisory service port is not retained if a non-default port was previously set; the port changes to the default port, 9444.
Workaround: Change the port manually after the upgrade.

Issue: When AppScan Enterprise is configured with the Local License Server and has IAST licenses, creating an IAST agent may display the error message CRWAS2308E License checkout failed for the IAST agent you are creating. Verify whether the IAST service is running and the license server is configured properly.
Workaround: Launch Windows Services and restart the IAST Communication Service.

Issue: When How to Fix has been configured to a port that is already in use, the UI does not show an appropriate error message when you try to access the Issue details and open the How to Fix link.
Workaround: Rerun the Configuration Wizard and point How to Fix to a different port.

Issue: When a user uploads a User Defined Tests (UDT) file in the ASE UI, the error message Error connecting to the Advisory service server is displayed. The UDT file imports successfully into AppScan Enterprise, but the How To Fix information for the UDT issueTypeIds is not shown in the UI or in reports.
Workaround: To see the How To Fix XML information for UDT issueTypeIds:
  1. Navigate to the <ASE install Dir>\AppScan Enterprise\CustomAdvisory\advisories\archives folder and extract the zip file for the corresponding UDT IssueTypeName (for example, UserDefined_UDT1.zip).
  2. The How To Fix/Advisory information XML file (for example, UserDefined_UDT1.xml) is then available in the <ASE install Dir>\AppScan Enterprise\CustomAdvisory\advisories\archives\Advisories\en-US folder.

Issue: In some cases, duplicate entries are added to the configuration file while upgrading to 10.0.4.
Workaround: For information about resolving this issue, refer to the Technical Note https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0090236.

Issue: During the security rules update by the Configuration Wizard in AppScan Enterprise, an error message may be displayed stating An error occurred while extracting the content of the security rules update. Refer to the log for more details. Contact HCL Support.
Workaround: Run the Configuration Wizard using the same service account that you used to configure the AppScan Enterprise instance.

Issue: When you edit a folder from the Scans page without changing the folder's permissions and click Save, an entry is written to the ActivityLog table with the action marked as 3. Action 3 indicates that the folder was edited.
Workaround: If you have not edited the folder permissions, click Cancel to exit the page.

Issue: The domain name is not excluded from the traffic file (.exd format) generated by the Postman or SoapUI tool through the ADAC client integration using the API POST /jobs/{jobId}/dastconfig/updatetraffic/{action}.
Workaround: Use a .dast, .config, or .har file to exclude a domain's traffic from the traffic file.

Issue: Scan jobs fail after the user permissions of the AppScan Enterprise service account are changed in Windows.
Workaround: Add the service account user to the Windows Administrators group on both the AppScan Enterprise Server and the Scanner machines.

Issue: The HCL scanner license is not checked in immediately when the AppScan Agent service process is killed through the Task Manager; it takes around 15 minutes for the licenses to be released.
Workaround: Stop and start the Agent through Services to release the licenses.

Issue: If users are not logged out before the AppScan Enterprise Server is shut down, the open sessions can prevent the licenses from being checked back in to the pool. These left-over licenses are checked back in only after 2 hours.
Workaround: Users should log out before the AppScan Enterprise Server is shut down.

Issue: An error message is displayed while upgrading from 9.0.3.12 to 10.0.3.
Workaround: When upgrading from AppScan Enterprise v9.0.3.12 to v10.0.3, if the WFWEO.dll failed to register error message is displayed, uninstall v10.0.3 (the same error message may also appear during uninstallation). After you uninstall AppScan Enterprise v10.0.3, reinstall AppScan Enterprise v10.0.3 pointing to the existing database.

Issue: During installation of AppScan Enterprise, the installation of Visual C++ 2015 fails if a higher version of the Microsoft Visual C++ Redistributable (2017) is already installed, because the installer attempts to install the Visual C++ 2015 Redistributable without checking whether a newer version already exists on the system.
Workaround: Uninstall the Visual C++ 2017 RC Redistributable, install AppScan Enterprise, and then reinstall the Visual C++ 2017 Redistributable.

Issue: When trying to perform a QuickScan, the Manual Explore tool browser does not launch the application, or the browser freezes intermittently.
Workaround: Record the traffic manually through the Manual Explore tool or the Activity Recorder, update the traffic, and run the QuickScan.

Issue: The Knowledge Center (KC) is updated with all the changes, but the product inline help is not updated in this release.
Workaround: NA

Issue: If the extended log file is large (beyond 2 GB), downloading the log file from the Scan tab summary report sometimes results in a 0 KB zip file.
Workaround: In such cases, copy the file from the Logs directory on the AppScan Enterprise Agent server.

Issue: Removal of OWASP 2013 and support for the OWASP 2017 report: all report packs and report pack templates created before 9.0.3.9 contain the OWASP 2013 report.
Workaround: If required, manually remove the OWASP 2013 report from the report pack and add the new OWASP 2017 report.

Issue: When you edit a scan in the Dynamic Analysis Configuration Client, ensure that the scan you are editing is not running in AppScan Enterprise; otherwise updating the scan might suspend the job.
Workaround: On the Job Properties page of the Client, clear the Run job as soon as possible check box and then click Update Job.

Issue: Rendering Dojo functionality.
Workaround: Use Microsoft Silverlight with Internet Explorer 8.0 to render Dojo functionality properly.

Issue: When a scan job has only the recorded login (no Manual Explore or Starting URLs), the scan does not crawl below that page.
Workaround: Add at least one URL to the Manual Explore or Starting URL section of the What to Scan page.

Issue: If you upgrade a database from a pre-8.8 version and then click any existing job, the scan log is empty.
Workaround: Run your jobs again to generate a new scan log.

Issue: When editing the Edit Application Profile Template page in Internet Explorer 8 or 9, changes are not saved.
Workaround: Navigate away from the field you are editing, return to the page, and save your changes. Alternatively, upgrade the browser to Internet Explorer 11 or Firefox 24.

Issue: JavaScript Analyzer (JSA) is turned off by default on scans, including upgraded scans.
Workaround: Enable JSA on the Security page of your content scan job.

Issue: There is a risk of performance degradation and false negative results when a firewall is deployed between the Agents and the website being scanned.
Workaround: AppScan Enterprise Server sends security tests that some firewall products could flag as suspicious network activity; take this into account when placing a firewall in that path.

Issue: If user-defined normalization rules result in an empty URL string, there is a risk that the scan does not end.
Workaround: When defining normalization rules in the Job Properties, ensure that they result in a valid URL.

Issue: If Issue Management has been performed on the reports, the Report Pack Summary report is out of synchronization with the report data.
Workaround: Re-run the Report Pack to synchronize the numbers after the Issue Management tasks are completed.

Issue: Deleted reports are not immediately removed from the dashboard.
Workaround: Re-run the dashboard for the change to take effect.

Issue: Connectivity issues and/or performance degradation may occur when using the Manual Explore functionality in Internet Explorer.
Workaround: When using Manual Explore in Internet Explorer, enable the Internet/Advanced option Use HTTP 1.1 through proxy connections.

Issue: When sorting lists, the collation order may not work as expected for Danish, Japanese, and Chinese.
Workaround: .NET and SQL collations are used, as are locale-specific collations, but the product does not comply with ICU.

Issue: Running the Configuration Wizard of ASE 9.0.3.12 (after the upgrade security rules steps) gives the following error message:

Unable to start Liberty server. Details: TRAS0038E: The system could not delete file \IBM\AppScan Enterprise\Liberty\usr\servers\ase\logs\trace.log

This error occurs only when ASE is being upgraded from a 9.0.3.x version to 9.0.3.12 with the Liberty trace log enabled (that is, debug logging enabled from the Admin tab of the UI).

Solution:

  • Before upgrading to 9.0.3.12, check in the existing ASE UI (Admin tab > General settings > Log settings > Edit) whether logging is enabled. If it is, disable the log from the Admin tab.
  • Navigate to <ASE installation directory>\HCL\AppScan Enterprise\Liberty\usr\servers\ase\logs\
  • Delete all the log files whose names start with trace in that directory.
  • Perform the ASE upgrade. The issue should not be encountered again.
  • If the issue is encountered while running the Configuration Wizard, close the Configuration Wizard.
    • Go to <ASE installation directory>\HCL\AppScan Enterprise\Liberty\usr\servers\ase\logs\
    • Delete all the log files whose names start with trace in that directory.
    • Run the Configuration Wizard from the beginning. This should resolve the issue.

Issue: ADAC job blackout does not work for jobs created before 9.0.3.11 until an edit-and-save is performed on the job.

Root cause: The starting URL was not being updated in the ASE database for an ADAC job. Because blackout reads the domain from the ASE database, blackout did not work for ADAC jobs. Since the starting URL is stored within the dast.config file, existing jobs have to be manually edited and saved for the URL to be stored in the ASE database.

Workaround:
  1. Edit an ADAC job (created before 9.0.3.11).
  2. Perform an update of the job.
  3. Blackout should then work as configured (similarly to a Content Scan job).

Issue: Searching by StartingURL with the REST API GET /jobs/search works only for scan jobs created in or after the 9.0.3.11 release.
Workaround: NA