What's new in HCL AppScan® Enterprise
This section describes new AppScan Enterprise product features and enhancements in this release, as well as deprecations and anticipated changes, where relevant.
New in HCL AppScan® Enterprise 10.2.0
- Issue severity and CVSS score are now based on CVSS 3.1 scoring. Any new scans will be based on CVSS 3.1 scoring. Scan findings prior to the upgrade will be preserved using CVSS 2.0 scoring until rescan. For more information, see the CVSS 3.1 Specification. Ensure that AppScan Standard and AppScan Enterprise are on the same version, 10.2.0, for the integrations to work as expected.
- Read-only users can now comment on issues if the global option is enabled.
- Granular access control to restrict modification of the issue status.
- Mandate comment on the status change of an issue.
- New API to report findings of the scan. API: /issues/(jobID)
- Activity Log is updated with multi-level filtering and other improvements.
- Updated regulatory compliance report template: [US] California Consumer Privacy Act (CCPA) - AB-375.
APAR fix list
The following Authorized Program Analysis Reports (APARs) were fixed:
APAR No. | Description |
---|---|
KB0068965 | Severity headers missing (critical, high, low, informational) in a report sent by alert set in AppScan Enterprise |
KB0074147 | False Positives may result when Retesting Security Issues that contain multiple positive attack variants |
KB0075778 | AppScan Enterprise and AppScan Source integration is not working when a short name is configured as an AppScan Source hostname in AppScan Enterprise |
KB0082136 | TcpSourcePort and SourceInterfaceIP options are missing in AppScan Enterprise |
KB0084932 | AppScan Enterprise is not logging in user access changes into activity log report in some instances |
KB0087169 | AppScan Source fails to publish assessments to AppScan Enterprise in non-English locales |
KB0090230 | Creating DAST scan through AppScan Enterprise swagger using a custom template causes problems |
KB0093324 | Change of severity (Med to Low) from AppScan Source is not reflected in AppScan Enterprise after publishing or importing through the monitor tab |
KB0094173 | Discrepancy found in results displayed in AppScan Enterprise and Standard in some scans |
KB0095164 | post /issueimport/{appId}/{scannerId} API should work irrespective of the params order specified |
KB0095837 | When starting an ADAC job, user security permission is not checked |
KB0095868 | The job owner of the job created by the Standard user is being changed to the Admin, after being edited by Administrator in ADAC |
KB0095919 | Scan Job is running for a Standard user even after the Job owner has been changed to Administrator |
KB0098572 | Log Retention is converted into Hexadecimal value instead of Decimal value |
KB0099738 | LDAP user search does not display full list of users |
KB0102486 | Export of a multistep sequence recorded using an external browser fails |
KB0102819 | When doing a full scan via ADAC with Page Limit enabled, the scan does not find anything in the explore phase |
Fixes and security updates
New security rules in this release include:
- MaxLengthVuln - Search for "maxlength" attributes with a very large constraint
- LeakedSecretTokens - Search for secret tokens in the response
- SecurityRule_AbstractContentSecurityPolicyRule - New abstract CSP rule added (containing common detection and mutation)
- attNoHttpsRedirection - Check for HTTPS redirection when HTTP scheme is used
- attText4Shell - Added new rule for Text4Shell Vulnerability (CVE-2022-42889)
- attGraphqlIntrospectionMutation - Check if introspection is enabled in GraphQL API
The complete list of fixes, updates, and RFEs in this release is listed here.
Changed in this release
The default scan templates are upgraded. If you use the upgraded templates, verify that your automation scripts reflect the XPath modifications. For better scan coverage and results, use the latest templates.
Removed in this release
None
Upcoming changes
The following will be removed in a future release:
- The CVSS attribute field on issues will be removed and replaced with a non-editable CVSS vector string.
- Create Job using template from AppScan Source/AppScan Standard will be removed from the Scans tab. The results from AppScan Source/Standard can be imported using the Monitor tab.
- The Web Services, The Vital Few, and Developer Essentials test policies will be removed as similar results can now be achieved using other policies. For information, see Predefined Test Policies.
- The embedded Internet Explorer browser will be removed in a future version.
- QRadar integration support.