What's new in HCL AppScan® Enterprise

This section describes new AppScan Enterprise product features and enhancements in this release, as well as deprecations and anticipated changes, where relevant.

New in HCL AppScan® Enterprise

Note:
Versions 10.6.0 and earlier reached end of support, so we removed them from the documentation.

New in HCL AppScan® Enterprise 10.11.0

  • Broken access control: You can now more easily identify broken access control vulnerabilities by uploading traffic files for comparison. This new feature is available exclusively via the REST API endpoint: POST /jobs/{jobId}/brokenaccesscontrol/add.
  • CVSS display update: For newly reported vulnerabilities, the CVSS 4.0 vector and score are displayed. However, issue severity continues to be calculated based on CVSS 3.1 standards.
  • DAST-IFA error page detection: Error page detection in DAST-IFA now supports Azure OpenAI 5.x models.
  • IPv6 support: AppScan Enterprise now supports modern IPv6-enabled network infrastructures. For more information, refer to the knowledge base article.
  • Post-quantum encryption safety check: AppScan now flags legacy encryption protocols that do not meet post-quantum security standards, so that teams can migrate to quantum-resistant encryption before quantum computing becomes a practical threat to them.
  • OpenAPI visibility: To improve API visibility, an informational alert is now raised whenever a Swagger or OpenAPI definition file is discovered.
  • Automatic login improvements: Automatic login capabilities have been improved, including new support for the Vue.js framework.
  • New compliance report: The OWASP Top 10 2025 report has been added.
  • Activity log enhancement: The activity log has been enhanced to include details about 'Modify' actions.
  • System logging improvements: Logging has been enhanced throughout the Security Updater module, Configuration Wizard, and report generation flow to provide detailed error and flow logs for easier debugging.
  • License validation: AppScan now includes a date validity check to ensure that at least one of your license entitlements is active as of the current date, rather than only at a future date.
  • CVSS 3.1 vector enhancements: The CVSS 3.1 vector now includes Environmental metrics, in addition to the existing Base and Temporal metrics. You can view the complete CVSS 3.1 vector information on the Monitor tab (including the issue view dialog) and within generated Security, Industry Standard, and Regulatory Compliance reports. This information is also accessible via the following REST API endpoints:
    • GET /issues/{issueId}/application/{appId}
    • POST /issues/reports/securitydetails
    • POST /issues/reports/industrystandard
    • POST /issues/reports/regulatorycompliance

IAST agent updates

The IAST agents have been upgraded to the following versions:
  • Java: 1.22.1
  • .NET: 1.16.0
  • Node.js: 1.14.2
  • PHP: 1.2.2

APAR fix list

The following Authorized Program Analysis Reports (APARs) were fixed:

  • KB0127901 - Fixed an issue where request and response content appeared unformatted for issues imported from AppScan Standard.
  • KB0093026 - Resolved an issue where 'How To Fix' or advisory information for user-defined issue types was missing from security reports and the issue view dialog.
  • KB0094972 - Fixed an issue that prevented exporting issues or reports from the Monitor tab if they contained user-defined tests.
  • KB0128370 - Resolved a discrepancy where the reasoning text for the same Vulnerable Component issue differed between AppScan Enterprise and AppScan Standard reports.
  • KB0128321 - Fixed an error that occurred when using the "columns" parameter to fetch issue details for a job ID through the API.
  • KB0129448 - Resolved an issue where valid login attempts failed for the legacy /ase/services/login API.
  • KB0128692 - Fixed an issue where scan jobs stopped shortly after starting and returned an "Object reference not set to an instance of an object" error.

Fixes and security updates

New security rules in this release include:

  • attWallosRCECVE202455371 - Wallos RCE CVE-2024-55371 and CVE-2024-55372
  • attAPIOpenAPIFinding - New rule to detect OpenAPI/Swagger endpoints
  • attJSONPathPlusRCECVE20251032 - JSONPath-Plus Remote Code Execution for CVE-2025-1032
  • attNestRCECVE202554782 - Nest Framework for Node.js RCE CVE-2025-54782
  • NonQuantumResistantCiphers - "Non-Quantum-Resistant Cipher Suite[s] Detected"
  • attWordPressFunnelKitAutomationplugincve20251562 - WordPress FunnelKit Automations plugin CVE-2025-1562
  • attGetSimpleCMSRCECVE202548492 - GetSimple CMS RCE CVE-2025-48492
  • FlaskWeakSecretKey - "Flask Weak Secret Key"
  • ExpressJsWeakSecretKey - "Express.js Weak Session Secret"
  • DjangoWeakSecretKey - "Django Weak Secret Key"
  • ViewStateWeakSecretKey - "ASP.NET ViewState Weak Secret Key"
  • LaravelWeakSecretKey - "Laravel (PHP) Weak Secret Key"
  • SymfonyWeakSecretKey - "Symfony (PHP) UriSigner Weak Secret"
  • attElysiaCVE202566456 - Elysia RCE CVE-2025-66456

The Vulnerable Component Database has been updated to version 1.10.

The complete list of fixes, updates, and RFEs for this release is available here.

Changed in this release

  • The Chromium browser engine has been upgraded to version 145.0.7632.45 to incorporate the latest security fixes.
  • Accessibility: Continuous enhancements have been made to improve overall product accessibility.

Removed in this release

  • The Web Services test policy has been removed.

Upcoming changes

  • End of Support (EOS): AppScan Enterprise version 10.7.0 will reach End of Support by March 31, 2027. Upgrade to the latest available version. For more information, refer to the announcement blog post.
  • The Developer Essentials and Vital Few test policies are now obsolete and will be removed in upcoming releases. It is recommended to use the suggested alternative test policies.
  • Support for the GPT-4.x models will be dropped in a future release, as Azure OpenAI is retiring these models.
  • Support for SSL will be deprecated in a future release.
  • Support for using IP addresses in domain URLs will be removed in a future release.