What's new in HCL AppScan® Enterprise
This section describes new AppScan Enterprise product features and enhancements in this release, as well as deprecations and anticipated changes, where relevant.
New in HCL AppScan® Enterprise 10.8.0
- Downloads update:
- Starting with AppScan Enterprise 10.8.0, downloads are available only through the My HCLSoftware (MHS) portal.
- Licensing update:
- My HCLSoftware (MHS) portal has replaced the FlexNet Operations (FNO) portal for licensing management.
- FNO is now decommissioned and will no longer be supported.
- End of Support (EOS): AppScan versions 10.6.0 and earlier will reach EOS by June 2025. Upgrade to the latest version to maintain support and access new features.
- Video tutorial for setting up the license:
- New SCA scanner:
- A new SCA scanner has been introduced on the monitor page. This scanner supports SCA XML files generated from AppScan on Cloud.
- Custom script scans:
- AppScan Enterprise now supports custom Java scripts via AppScan Standard.
- These scripts enable dynamic behavior by executing custom code for each HTTP request and response.
- Postman collection URL support for scans:
- Scans can now be created and executed using a Postman collection URL from AppScan Standard. When the Postman collection is updated, rescanning will automatically fetch the latest contents from the URL, ensuring the most recent API changes are included in the scan.
- Custom scripts can now be executed before sending a request or after receiving a response, allowing fine-tuned control over scan behavior.
- Activity log REST API:
- A new activity log REST API (GET
/activitylog/{dateRange}) is now available in the
activitylogsection of the AppScan Enterprise REST APIs page. You can retrieve activity details within a specified date range.
- A new activity log REST API (GET
/activitylog/{dateRange}) is now available in the
- Improved CWE mapping in security reports:
- Security reports generated from the monitor tab, including DAST security reports, now display multiple CWE details alongside the primary CWE for each issue type.
- This enhancement provides a broader security perspective, helping you assess vulnerabilities more effectively.
- CVSS vector display in API response:
- The API GET/issues/{issueId}/application/{appId} now returns the CVSS vector for reported issues, enhancing risk assessment and prioritization.
- Accessibility enhancements:
- AppScan Enterprise now includes enhancements aligned with Web Content Accessibility Guidelines (WCAG), improving user accessibility.
IAST agent updates
IAST agents have been upgraded to newer versions:
- Java: 1.19.0
- .NET: 1.13.0
- Node.js: 1.11.0
APAR fix list
The following Authorized Program Analysis Reports (APARs) were fixed:
| APAR No. | Description |
|---|---|
| KB0118668 | Resolved an issue where the "Scans trend by application" section in the dashboard report from the Monitor view displayed a disordered report. |
| KB0118669 | Fixed an occasional internal server error occurring during AppScan Source login to AppScan Enterprise. |
| KB0117778 | Fixed an issue where the checkbox and warning text were not visible on the license server window in the configuration wizard for non-English operating systems. |
| KB0119182 | Fixed an issue where the AppScan Enterprise dashboard functionality didn't work correctly for non-English languages. |
| KB0119107 | Fixed an issue where URLs weren't populated when uploading some encrypted traffic files for a content scan. |
Fixes and security updates
New security rules in this release include:- attAppMetricsDataExposed - Application Metrics endpoint exposed
- attWordPressPluginXSSCVE20237246 - WordPress Plugin Cross-Site Scripting CVE20237246
- attAtlassianConfluenceBrokenAccessCVE202322515 - Atlassian Confluence Broken Access CVE 2023 22515
- SriValidation - Validation for SRI integrity check
- CSP Rules - Reworked CSP evaluation, resulting in detection of 17 new Content-Security-Policy issues
- Vulnerable component database updated to version 1.6
This release's complete list of fixes, updates, and RFEs is listed here.
Changed in this release
- WebSphere® Application Server (WAS) Liberty Core upgraded to version 24.0.0.11
- jQuery upgraded to version 1.14.0
- ASRA updates: Omnia package has been renamed to ASRA, and ArticleService package has been renamed to ASRAService.
- Java 17 upgrade: After upgrading to AppScan Enterprise 10.7.0 or later, which includes the Java 17 upgrade, secure communication between AppScan Enterprise and the SQL Server requires importing the SQL Server Signer certificate. This step is necessary to avoid connection issues due to SSL/TLS validation. For detailed instructions on how to import the certificate into AppScan Enterprise, refer to the KB article on importing the SQL Server Signer Certificate.
Removed in this release
- Integration with IBM Security SiteProtector.
- Integration with IBM Security QRadar.
- Removal of module license details in the Administration section, including enabled modules, number of licensed pages, and number of scanned Pages.
Upcoming changes
- No major upcoming changes have been announced for this release.