Known issues and workarounds
These are known issues and their workarounds.
Issue | Workaround |
---|---|
If there are more than 500 issues in each category when you "Group by" issues based on IssueType, Severity, Scanner, or Status, the additional issues are not displayed and you are advised to use a filter instead. Filters are also limited to displaying up to 100 values of each column type. | Remove the "Group by" option, then sort the data based on the column type that you want to use to display the results. |
Components view details cannot be exported or imported from AppScan Enterprise or AppScan Standard. However, the vulnerable components can be exported or imported as issues. | N/A |
Security Reports (XLS, Excel, XML, or PDF) do not display any component details. | N/A |
Running the configuration wizard is the only way to update the CVE records. New CVEs that are introduced after AppScan Enterprise has been installed are not identified for vulnerable components. | N/A |
In the Activity log, the Date Filter displays data for one day more than the specified date range. | N/A |
Overdue calculation is not done for issues that do not have CVSS 3.1 attributes. | N/A |
For all issues that were scanned in version 10.1.0 or earlier and associated with an application, the CVSS Version = 2.0 filter might display both CVSS 2.0 and 3.1 issues. | You can sort the issues based on the CVSS Version column, which lists all the CVSS 2.0 issues first. |
The IAST .NET agent might fail to install as a NuGet package in some .NET Framework applications, with the error "Unable to resolve dependency 'MonoModReorg.RuntimeDetour'". | Before installing the IAST agent, install the NuGet: |
Unable to import user groups or to save user properties with correct values when LDAP is configured for ASE and the scanner and server are installed on the same machine. | Rerun the configuration wizard, selecting all the applicable components (User Administration/Enterprise Console/IAST) in the Server components window that you selected previously during server configuration, along with the Dynamic Analysis scanner. |
IAST issue with severity as 'Information' displays the CVSS version as 2.0 instead of 3.1. | Ignore the version displayed and consider the version as 3.1 since IAST is an AppScan Enterprise scanner. |
Scan status alerts are not sent to the configured email address. | Restart the alert service. |
When you upgrade from 10.0.8 to 10.1.0, the IAST Java WAR agent deployment or connectivity fails and the agent does not interact with AppScan Enterprise. | Disable and then enable the agent again. |
Re-importing issues with the AppScan Mobile Analyzer and AppScan Mobile Analyzer iOS scanner profiles results in an error. | Refresh the Monitor tab. |
Retest of an issue may report the status of the issue as 'Fixed' even when the issue is not actually fixed. | If your site requires authentication, you must set login at the scan level for Retest to report the correct re-testing status. |
Retest of the issue type "Remote Command Execution on Spring MVC (CVE-2022-22965)" may report the status of the issue as 'Fixed' instead of 'Reopened' even when the issue is not actually fixed. | It is recommended to run a full scan of the application to confirm whether this issue type is fixed. |
In the Monitor tab, the issue details are not displayed when you click an issue. Instead, the error message "CRWAS9999E An unknown error has occurred." is displayed. This issue occurs if the text content of the issue details is large. | Navigate to <ASE install Dir>\AppScan Enterprise\Liberty\usr\servers\<server instance>, add the line -Xss1024m to jvm.options, and restart the 'HCL AppScan Enterprise Server' service. |
Agent service shows 'Check License' status. | Restart 'HCL AppScan Agent Service' on the scanner machine. |
For DAST proxy, In-session is not detected automatically when traffic is recorded by using the Firefox browser. | Add In-session manually by selecting the main page URL and clicking the In-session button, or, before recording traffic, turn off any Firefox plugin that creates a lot of traffic, for example, Clockify. |
Removal of OWASP 2017 and support for OWASP 2021 report: All report pack and report pack templates created prior to 10.0.7 will have OWASP 2017 report. | If required, users must manually remove OWASP Top 10 2017 and add OWASP Top 10 2021 to the report pack for all existing scans and run the report pack. |
On the IAST agent page, you might encounter the following UI glitches: | |
When you click the Generate key button from the Actions dropdown, there is no response. | Refresh the page and try again. |
In the generate key popup, when you click the Generate button, there is no response. | Do not click multiple times. Wait for about a minute; if there is still no response, close the popup and try again. |
When you regenerate the key for the Node.js agent, the package size may increase. | This can be ignored, as the agent works in the majority of cases. |
The downloaded Node.js agent does not have the appropriate agent key. | Regenerate the agent key and download the agent again. |
For SAST issues, when an imported job is run in the Scans tab, it now generates user-friendly names for common issues. The Monitor tab continues to use the older format of the ID, for consistency with previous releases, and will be updated in future with the user-friendly name. Due to this, if you use the same application to import source data directly into the Monitor tab, and link the same application to a Source import job run in the Scans tab, you may notice some issues classified under different issue types (such as SQL Injection, Cross Site Scripting). | If you import multiple SAST issues to AppScan Enterprise, it is recommended to use the same mechanism for all of them: either import all scans in the Monitor tab, or run all jobs as import job in the Scans tab and link to the application. There is no impact to functionality; this issue affects the display only. |
The Japanese version of the Payment Card Industry Data Security Standard (PCI) report omits compliance details. | For more information about this issue, refer to this defect article: https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0094517 |
When the AppScan Enterprise UI language is set to any language other than English, the following issues might be observed: | Changes to the language settings do not affect the UI functionality in any manner, except that this information is available in English. Hence, it is recommended to continue using the functionality until these issues are addressed in subsequent releases. |
When a user has configured How to Fix on a port that is already in use, the UI does not show an appropriate error message when the user tries to access the Issue details and follow the How to Fix link. | Rerun the Configuration Wizard, pointing How to Fix to a different port. |
When a user uploads a User Defined Tests file in the ASE UI, the error message "Error connecting to the Advisory service server" is shown. | The UDT file imports successfully into AppScan Enterprise, but the user does not see the UDT issueTypeIds 'How To Fix' information in the UI or in reports. To see the XML 'How To Fix' information for UDT issueTypeIds: |
When you edit a folder from the Scans page without making any changes to the folder's permissions and click the Save button, an entry is made in the ActivityLog table with the action marked as 3. Action 3 indicates that the folder was edited. | If you have not edited the folder permissions, click the Cancel button to exit the page. |
The domain name is not excluded from the traffic file generated by the Postman or SoapUI tool through the ADAC client integration (file with .exd format) using the API POST /jobs/{jobId}/dastconfig/updatetraffic/{action}. | You must use a .dast, .config, or .har file to exclude a domain's traffic from the traffic file. |
Scan jobs fail after the user permissions of the AppScan Enterprise service account are changed in Windows. | You must add the service account user to the Windows Administrators group on both the AppScan Enterprise Server and Scanner machines. |
HCL scanner license check-in does not happen immediately when the AppScan Agent service process is killed through Task Manager; it takes around 15 minutes for the licenses to be released. | It is recommended to stop and start the Agent through Services to release the licenses. |
If users are not logged out before the AppScan Enterprise Server is shutdown, the open sessions can lead to the licenses not being checked in back to the pool. These licenses that get left over will be checked in back only after 2 hours. | The users should log out before the AppScan Enterprise Server is shut down. |
During installation of AppScan Enterprise, the installation of Visual C++ 2015 fails if a higher version of the Microsoft Visual C++ Redistributable (2017) is already installed, because the installer attempts to install the Visual C++ 2015 Redistributable without checking whether newer versions already exist on the system. | Uninstall the Visual C++ 2017 RC Redistributable, install AppScan Enterprise, and then reinstall the Visual C++ 2017 Redistributable. |
The product inline help is available in all languages; however, the related links are available only in Japanese, French, Chinese Simplified, and Chinese Traditional. | N/A |
If the extended log file size is large (greater than 2GB), sometimes the download log file operation from Scan tab summary report might result in a 0KB zip file. | In such instances, copy the file from the Logs directory in the AppScan Enterprise Agent server. |
When you edit a scan in the Dynamic Analysis Configuration Client, ensure that the scan you are editing is not running in AppScan Enterprise; otherwise it might suspend the job when you update the scan. | On the Job Properties page of the Client, clear the Run job as soon as possible check box and then click Update Job. |
When a scan job has only the recorded login (no Manual Explore or Starting URLs), the scan will not crawl below that page. | Add at least one URL to the Manual Explore or starting URL of the What to Scan page. |
There is a risk of performance degradation and false negative results when the firewall is deployed between the Agents and the website being scanned. | AppScan Enterprise Server sends security tests that some firewall products could flag as suspicious network activity. |
If the user-defined normalization rules result in an empty URL string, there is a risk of the scan not ending. | When normalization rules are defined within the Job Properties, it is important to ensure that they result in a valid URL. |
If Issue Management has been done on the reports, the Report Pack Summary report will be out of synchronization with the report data. | The Report Pack must be rerun to synchronize the numbers when Issue Management tasks are completed. |
Deleted reports are not immediately removed from the dashboard. | The dashboard must be rerun for the change to take effect. |
When sorting lists, the collation order may not work as expected for the Japanese and Chinese languages. | .NET and SQL collations are used, as are locale-specific collations, but the product does not comply with ICU. |
ADAC job blackout does not work for jobs created before 9.0.3.11 until an edit and save is performed on the job. Root cause: the starting URL was not being updated in the ASE database for an ADAC job. Because blackout reads the domain from the ASE database, blackout did not work for ADAC jobs. Since the starting URL is stored within the dast.config file, existing jobs must be manually edited and saved for the URL to be stored in the ASE database. | |
After running a scan in AppScan Standard and exporting the results as a legacy XML file for use in AppScan Enterprise, the XML file was run as an Imported Job and then associated with an application in AppScan Enterprise. However, the generated security report does not include Visited URLs, despite their availability in the original AppScan Standard report. | N/A |
AppScan Activity Recorder (AAR) encrypted files can be imported using the AppScan Enterprise REST APIs, but in Content Scan jobs they are not supported when uploaded directly through the AppScan Dynamic Analysis Client (ADAC) user interface. | Method 1: Use the AppScan REST APIs for encrypted file import: use the AppScan REST APIs (POST /jobs/{jobId}/dastconfig/updatetraffic/{action}) to import encrypted files. This method bypasses the user interface limitations and enables successful imports into AppScan ADAC, allowing scans to function correctly. Method 2: Consider alternative recording methods: for scenarios where encrypted login sequences are necessary, consider using ADAC recording instead of AAR when running ADAC jobs. ADAC recording might offer more flexibility without the encryption-related limitations seen with AAR uploads. |
In AppScan Enterprise version 10.4.0, security reports generated in PDF, HTML, or XML formats display the same generic cause for each Vulnerable Component issue, regardless of the specific Common Vulnerabilities and Exposures (CVE) ID associated with it. | N/A |