What's new in HCL AppScan® Enterprise
This section describes new AppScan Enterprise product features and enhancements in this release, as well as deprecations and anticipated changes, where relevant.
New in HCL AppScan® Enterprise 10.9.1
- IAST enhancements:
  - Introduces new PHP IAST agents, extending support to Windows, Ubuntu, and Red Hat servers.
- API scanning enhancements: This release enhances API scanning capabilities with added support for OpenAPI specifications and improved scanning for Postman collections. The following new REST API endpoints are now available:
  - POST /jobs/{jobId}/dastconfig/postman/url/add: Adds a Postman collection URL, including associated environment and global variable URLs, to a DAST scan configuration.
  - POST /jobs/{jobId}/dastconfig/openapi/add: Adds an OpenAPI Description file to a DAST scan configuration.
  - POST /jobs/{jobId}/dastconfig/openapi/url/add: Adds an OpenAPI Description to a DAST scan configuration using a URL.
- Updated security standards and compliance reports on the Monitor tab:
  - The ‘CWE Top 25 Most Dangerous Software Weaknesses’ report has been updated to the 2024 edition from the 2023 version.
  - The ‘[US] DISA's Application Security and Development STIG’ regulatory compliance report is now V6R3, updated from V6R1.
- WebSocket scan support:
  - Support for the WebSocket protocol that uses JSON or XML messages for data exchange.
- Enhanced CWE reporting:
  - For a more comprehensive vulnerability assessment, key security reports on the Monitor tab now display multiple CWEs alongside the primary one.
APAR fix list
The following Authorized Program Analysis Reports (APARs) were fixed:
| APAR No. | Description |
|---|---|
| KB0119487 | Resolved a discrepancy in the issue count for scans imported from AppScan Standard, where multiple issues shared the same 'Item Id'. |
| KB0120978 | Fixed an issue where Excel reports failed to generate if the content exceeded the cell character limit. |
| KB0120294 | Corrected an issue where scan results uploaded from AppScan Standard did not display in the associated application when using non-English language settings. |
Fixes and security updates
New security rules in this release include:
- attWordpressGalleryPluginPathTraversalCVE20233279 - WordPress Gallery Plugin Path Traversal CVE-2023-3279
- attWordPressBackupMigrationplugincve20235737 - WordPress Backup and Migration plugin Broken Access CVE-2023-5737
- attMobileMouseRCECVE202331902 - Mobile Mouse Remote Command Execution CVE-2023-31902
- attOpenWireApacheServerRCECVE202346604 - OpenWire Apache Server RCE for CVE-2023-46604
- attApacheHugeGraphRCECVE202427348 - Apache HugeGraph RCE CVE-2024-27348
- attApacheOFBizRCECVE202438856 - Apache OFBiz RCE for CVE-2024-38856
- attCactiRCECVE202425641 - Cacti RCE CVE-2024-25641
- attLMSBlindSqlInjectionTimeoutCVE20248529 - WordPress Learnpress Plugin SQL Injection CVE-2024-8529
- attWordPressUltimateExporterRCECVE202456278 - WordPress Ultimate Exporter RCE for CVE-2024-56278
- JwtWeakSecretKey - Detects weak JWT secret keys

The Vulnerable Component Database has been updated to version 1.7.
Additionally, the following security rules have been updated:
- LiferayPortalJSONWSRCEIssue - Liferay Portal JSONWS remote code execution: Added an ADNS variant.
- attConfluenceRemoteCommandExecutionCVE202126084 - Confluence Server Webwork OGNL injection (CVE-2021-26084): Added two TWS variants (Wget and Curl).
- attBlindSqlInjectionTWSMSSQL - Blind SQL Injection Out-Of-Band for MS-SQL: Added 4 TWS variants (curl + wget, string + numeric).
- WeakJWTExpiration - Fixed JWT detection regex.
- attJWTWeakSignature - Fixed JWT detection regex.

The complete list of fixes, updates, and RFEs for this release is listed here.
Changed in this release
- The Underscore.js library has been upgraded to version 1.13.7.
- The Chromium browser engine has been upgraded to version 138.0.7204.96 to incorporate the latest security fixes.
- A comprehensive VPAT assessment has been completed to document compliance with accessibility standards like WCAG, Section 508, and EN 301 549. For more information, see Accessibility features for AppScan Enterprise.
Removed in this release
- No items were removed in this release.
Upcoming changes
- AppScan versions 10.6.0 and earlier will reach End of Support (EOS) by June 2025. It is recommended to upgrade to the latest version available before then.
- Support for Microsoft® Windows® 10 and Microsoft® Windows® Server 2019 will be removed in a future version of AppScan as these operating systems have reached the end of their main support period.
- Support for Microsoft® Windows® Server 2025 is planned for an upcoming release.
- In an upcoming release, a single, unified REST API will replace the current endpoints for OpenAPI configuration (.../openapi/url/add and .../openapi/add). The new API also adds support for authorization and additional parameters.