What's new in HCL AppScan® Enterprise

This section describes new AppScan Enterprise product features and enhancements in this release, as well as deprecations and anticipated changes, where relevant.

New in HCL AppScan® Enterprise 10.6.0

  • AppScan Enterprise now displays the CVSS vector for your issues
    • The Issue attributes window within the Monitor page now displays the Common Vulnerability Scoring System (CVSS 3.1) vector string along with CVSS version and score.
    • The CVSS 3.1 vector string is also included in the security report generated from the Monitor page.
  • Enhanced CWE mapping
    • AppScan now maps multiple CWEs to issues in the Monitor tab. Every issue now has a primary CWE and may also have additional CWEs that are relevant to it, giving a wider perspective on the issue.
  • Dashboard now enables deeper analytics capability
    • The Monitor page dashboard has been upgraded with additional filters for more in-depth analytics on your issues.
  • New login page
    • A new login page has been implemented to improve the user experience.
  • Added new industry-standard test policy:
    • OWASP Cloud-Native Application Security Top 10
  • Added new Regulatory Compliance report:
    • Network & Information Security Directive (NIS2)

APAR fix list

The following Authorized Program Analysis Reports (APARs) were fixed:

APAR No.    Description
KB0109261   Unable to submit defects to RTC from the Scan tab.
KB0113413   DTS server application: creating an issue from the ASE console results in errors.
KB0113281   A scan starting after the configured blackout period reports an "Unknown time zone" error in some cases.
KB0110975   AppScan Enterprise should handle the "Use settings from an imported file" setting correctly.
KB0112780   The "folderitems" REST API does not return the error code after a failure.

Fixes and security updates

New security rules in this release include:
  • attWPHelperLitePluginXSSCVE20230448 - Detection for CVE-2023-0448
  • WordPressWBPUPluginXSSCVE202328665 - Detection for CVE-2023-28665
  • WordPressLWPPluginXSSCVE202323492 - Detection for CVE-2023-23492
  • attNoSQLInjection - Improved support for NoSQL vulnerabilities (demonstrated in crAPI)
  • attCactiRemoteCommandExecutionCVE202246169 - Cacti detection for CVE-2022-46169
  • Vulnerable component database updated to version 1.4

The complete list of fixes, updates, and RFEs for this release is available here.

Changed in this release

  • The Web Service Test Policy is now deprecated. While it remains functional, its use is discouraged as it will be removed in a future release.
  • WebSphere® Application Server (WAS) Liberty Core updated to version 24.0.0.4.
  • The jQuery library has been upgraded from version 1.8.0 to version 3.7.1.

Upcoming changes