Product changes when you upgrade from a previous version
Learn about changes that might affect your scans or report data when you upgrade from a previous version. Make sure that you read all the topics so that you understand the upgrade process.
- Custom error pages are no longer set globally; they are set only on the content scan job. On upgrade, each content scan job, *.scant job, and AppScan Dynamic Analysis Client scan will move the global custom error pages to the individual job.
- Existing content scan jobs in the Folder Explorer view, including QuickScan jobs that are not created in the AppScan Dynamic Analysis Client, will have a new check box enabled on the Explore Options page that enables filtering of similar pages based on structure (DOM). If an existing content scan job:
  - had a redundant path limit set to 5, that option is disabled and DOM-based filtering is turned on
  - had a redundant path limit set to a different value, that option is kept enabled and DOM-based filtering is not turned on
  - had a similar content limit set to 5, with HTML structure enabled, that option is turned off and DOM-based filtering is turned on
  - had a similar content limit set to a different value, or it compares Text and HTML structure, that option is kept enabled and DOM-based filtering is not turned on
- Issue types are changed periodically in the security rules. If you have a scan with old issue types that no longer exist after a security rules update, the issues with those issue types will disappear after the update, and new issues will be found with the new issue types. Those issues will have to be triaged again.
- On the Restore AppScan Server Settings screen of the configuration wizard, an additional option has been added that preserves custom scanner *.jar files that might have been added to the <install-dir>\HCL\AppScan Enterprise\Liberty\usr\servers\<instance_name>\lib\scanners directory.
- In previous releases, imported issues were cumulative. In v9.0.2.1, you can remove issues that were previously found in an application but are not included in subsequent imports. In scanner profiles from v9.0.1, the Remove Orphaned Issues check box is disabled in v9.0.2.1 to respect previous behavior (can be overridden by clearing the check box).
- When you add a new issue attribute name to a scanner profile, the Use Imported Values check box is enabled by default. Keep the Use Imported Values check box enabled if you want to update an existing issue attribute with values contained in the imported file. If you clear the check box, AppScan Enterprise will retain the value previously used. If you select the Unique check box, you cannot clear the Use Imported Values check box.
- There were changes to the REST APIs.
Upgrading from 9.0.1
- There is a New issue status. Upon upgrade, the New issue column is available for display in the Portfolio tab in the Monitor view. Formulas are updated to include issues with a New status. Upgrade does not affect the status of issues that were discovered in previous versions.
- A new Dashboard tab displays the charts that were displayed in the Portfolio tab in v9.0.1. The new dashboard includes trend charts for Security Risk Rating, Testing Status, Applications with Open Issues, and Open Issues.
  Note: Possible naming conflicts between v9.0.1 application attribute customizations and new v9.0.2 dashboard trend charts
  The Open Issues and Applications with Open Issues charts rely on a new application attribute called "Open Issues" that is defined as a formula. However, if you previously created an application attribute called "Open Issues" of any type other than formula, the upgrade does not attempt to resolve the conflict between your attribute and the one that version 9.0.2 needs for the new charts.
  The new charts will not display as intended after upgrade, and you must resolve this problem manually. Rename your "Open Issues" attribute to something else if you want to preserve its values. Update all formulas where you referenced your "Open Issues" attribute to reflect the new name. Then, rerun the configuration wizard to create the "Open Issues" formula attribute that the new charts require.
- A new approach to create scans consistent with AppScan Standard, for both the security team who creates the templates and for the developers who create the scans. See Overview of scan configuration differences in v9.0.2 and higher and in previous versions.
  - The new method is accessed from both the Monitor and Scans views.
  - Existing scan templates from v9.0.1.1 are kept after upgrade, and the old method of QuickScan template creation still exists.
  - To take advantage of this new method, during upgrade you must run the Default Settings Wizard after the Configuration Wizard to install the templates for v9.0.2.
  - To avoid any template name conflicts in the Templates directory in the Folder Explorer, (v9.0.2) is appended to the template name.
  - If you install a new instance of AppScan Enterprise, you can still access the templates from v9.0.1.1. When you create a new content scan or template from the Scans view, select Create using previously saved settings file and go to <install-dir>\AppScan Enterprise\Initializations\ASE\DefaultTemplates\Job\Version 9.0.1.1 to select the *.xml file.
- The embedded version of Liberty is now v8.5.5.4. During configuration, you can choose to restore previous AppScan Server customized settings on the Liberty Server. See Restore AppScan Server settings.
For further details on what's new and changed since v9.0.1.1, read this whitepaper.
Upgrading from 9.0
- AppScan Enterprise v9.0.1 includes an architecture redesign to reduce the installation footprint and to remove IBM Rational Jazz Team Server (Jazz Team Server) as the user authentication component. With the removal of Jazz Team Server, the Apache Tomcat and WebSphere Application Server deployment servers are no longer supported in v9.0.1. They are replaced with IBM WebSphere Application Server Liberty Core v8.5.5.2. See Replacing Jazz Team Server with WebSphere Liberty - Frequently asked questions.
- For new instances of v9.0.1, the risk rating formula has changed. If you are upgrading from v9.0, the risk rating formula remains the same, and your risk ratings remain consistent. However, you can use the new formula by replacing the old formula in the application profile template in AppScan Enterprise:
  IF(businessimpact = 0, 0, IF(testingstatus > 0, 0, businessimpact * rr_maxseverity))
- Issue management through application view: In v9.0, issue management privileges were set on the folder that contained a scan. In v9.0.1, issue management is set on the application. Upon upgrade from 9.0, if a scan is already associated with an application, users who used to have issue management privileges on the folder will now have basic permissions on the application so they can continue managing these issues. There is the potential of giving them access to scans they previously were not allowed to access. For example:
  v9.0: Folder A (Bob has an Issue Manager role) contains Scan X, Scan Y, Scan A, and Scan B.
  v9.0.1: Application 1 is associated with these scan jobs: Scan X and Scan B.
  Result: Mary now has basic access permissions to Scan B so that she can continue to do her job, but she also has access to Scan X, which she didn't have in v9.0.
  To restrict a user's permissions to managing issues on specific applications, remove them from the Basic Access on the applications they are not allowed to access. In the example above, remove Mary's Basic Access permissions on Scan X. To find the application that contains Scan X, go to the Scans view and flatten the hierarchy to show only jobs. Find Scan X and click the link for the application name it is associated with. On the Application tab, click View details and in the Users section of the dialog, remove Mary's Basic Access permissions.
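To audit this migration before users notice it, it helps to compute which scans each former folder-level Issue Manager can newly reach through the Basic Access grant on applications. The following is an added example, not AppScan Enterprise code or its data model; the folder, application, and user layout is constructed sample data that mirrors the Folder A / Application 1 case above, and the "visible before" sets are assumptions standing in for what each user could actually see in v9.0.

```python
"""Added example (not HCL AppScan Enterprise code): model the v9.0 -> v9.0.1
issue-management permission migration and report the scans each user gains
access to as a side effect. All names below are constructed sample data."""

# v9.0 model (constructed): Issue Manager role is granted per folder.
FOLDERS_V90 = {
    "Folder A": {"scans": ["Scan X", "Scan Y", "Scan A", "Scan B"],
                 "issue_managers": ["Mary"]},
    "Folder B": {"scans": ["Scan C"], "issue_managers": ["Bob"]},
}

# v9.0.1 model (constructed): scans are associated with applications.
APPLICATIONS_V901 = {
    "Application 1": ["Scan X", "Scan B"],
    "Application 2": ["Scan C"],
}

# Assumption: which scans each user could actually open in v9.0.
VISIBLE_V90 = {"Mary": {"Scan B", "Scan A"}, "Bob": {"Scan C"}}


def migrate_basic_access(folders, applications):
    """Reproduce the upgrade rule from the text: every user who held Issue
    Manager on a folder gets Basic Access on each application that is
    associated with at least one scan from that folder.
    Returns {user: set(application names)}."""
    grants = {}
    for folder in folders.values():
        folder_scans = set(folder["scans"])
        for app, app_scans in applications.items():
            if folder_scans & set(app_scans):
                for user in folder["issue_managers"]:
                    grants.setdefault(user, set()).add(app)
    return grants


def newly_reachable_scans(grants, applications, visible_before):
    """For each user, the scans reachable via Basic Access after upgrade that
    were not visible to them before. Returns {user: set(scan names)}; users
    with no unexpected gain are omitted."""
    report = {}
    for user, apps in grants.items():
        reachable_after = set()
        for app in apps:
            reachable_after.update(applications[app])
        gained = reachable_after - visible_before.get(user, set())
        if gained:
            report[user] = gained
    return report


def remediation_plan(grants, applications, visible_before):
    """Map each over-granted user to the applications whose Basic Access should
    be reviewed (the mitigation the text describes: remove Basic Access on the
    applications the user is not allowed to see)."""
    plan = {}
    for user, scans in newly_reachable_scans(grants, applications, visible_before).items():
        apps = {app for app, app_scans in applications.items() if scans & set(app_scans)}
        plan[user] = apps
    return plan


if __name__ == "__main__":
    grants = migrate_basic_access(FOLDERS_V90, APPLICATIONS_V901)
    for user, scans in newly_reachable_scans(grants, APPLICATIONS_V901, VISIBLE_V90).items():
        print(f"{user} newly reaches {sorted(scans)}; review Basic Access on "
              f"{sorted(remediation_plan(grants, APPLICATIONS_V901, VISIBLE_V90)[user])}")
```

With the constructed data, Mary is granted Basic Access on Application 1 and thereby reaches Scan X, which she could not see before, while Bob gains nothing unexpected; the report lists only Mary and points at Application 1 as the place to review her Basic Access.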
- Server Groups are no longer defined by URLs. Any existing URL definitions will be removed from existing Server Groups. Check the WFCfgWiz.log for details.
- HTTPS has replaced HTTP as the scheme required for login and REST Services.
- Some reports have been removed because they no longer fit the product direction. Read the Deprecated features topic.
- Common scan engine between AppScan Standard and AppScan Enterprise: A new common scan engine provides a more standardized scan job option configuration. As such, some reports are no longer available in AppScan Enterprise:
  - Correlated Security Issues (AppScan DE) report
  - Image Catalog report
  - Metadata Catalog report
  - Missing Alt Text report
  - Missing Titles report
  - Multimedia Content report
  - Server Side Image Maps report
  - Third Party Links report
  - Web Applications report
  - Web Beacons report
  - Website Technologies report
- Load balancing option removed: Load balancing on starting URLs and domains is no longer available with the new standardized scan job option configuration. Upon upgrade, jobs that had load balancing set will use the new common engine to run without the load balancing option.
- User licensing: The service account license type has been removed. Upon database upgrade, the Configuration Wizard will set the service account license type to the same license type as the Default User (one of floating user scanning, floating user reporting, authorized user scanning, or authorized user reporting).
- Enabling FIPS 140-2 compliance on the Enterprise Console: Name and behavioral changes to incorporate NIST compliance have been made to the General Settings page where this is enabled on the Administration tab. The "Enable enhanced security" check box has been renamed "Disable Manual Explorer Plugin", and upon upgrade, the check box keeps the value it had before upgrade. If you were FIPS compliant, then this check box remains selected; otherwise, it remains cleared. If your organization is a US federal agency and must comply with FIPS 140-2 or NIST SP800-131a, enable the check box to make the Enterprise Console compliant with those security standards.
- Case-sensitivity has moved from the domain to the job level. Set it on the job's What to Scan page.
- Deprecated reports: The OWASP Top 10 2010 report has been replaced with the 2013 version in v8.8. However, if you have report packs and dashboards that used the 2010 report, the data will not be lost. New instances of AppScan Enterprise 8.8 will only use the 2013 report.
- Login attempts algorithm changes: Prior to version 8.8, the scan would attempt to log in three times before suspending. Now the scan attempts for 90 seconds before suspending.
- The previously used method for protecting data 'at rest' (physical media) has been deprecated and will be removed as part of the upgrade process. Read Data protection through encryption before you begin upgrading.
- A new method is available, Transparent Data Encryption (TDE), which is built into Microsoft™ SQL Server 2008 Enterprise Edition and higher. See Enabling Transparent Data Encryption on SQL Server databases for details on encryption and how to enable TDE. To improve database upgrade performance, enable TDE after the database upgrade has completed.
- For Microsoft SQL Server 2008 Standard Edition and higher, other third party encryption methods are also available, including MS Windows™ Encrypting File System. See Encrypting, backing up, and restoring a SQL Server database with EFS.
- Additional disk space is required during the upgrade process on the database server, roughly equal to the size of the existing AppScan Enterprise database. This space will be used temporarily during upgrade and returned after upgrade is completed.
- Scans will now use a local (embedded) database file. It is important to have sufficient disk space allocated to Agent Server machines. For more information about how the local database file works during scanning, see the Dynamic Analysis Scanner section in the Installing all required components on one computer topic.
- Enabling FIPS 140-2 compliance: Products that support FIPS 140-2 standards can be set into a mode where the product uses only FIPS 140-2 approved algorithms and methods.
- Previous folder items that were suspended are now "Ready" after upgrade. Any folder items that were in a suspended state before upgrade are now in a ready state. An icon will identify these items so that you can decide whether further investigation or actions are required.
- XRule filters on report packs: XRule filters were removed from report packs. Any reports that contain XRules will contain more data after the report pack is rerun.
- Aligning default scan job options with AppScan Standard: Existing jobs and templates that are created in versions before 8.6 do not automatically update to use new job options that have new default values. Only new job/templates use new default values.
- Installer/config wizard workflow: During installation of v8.6, you can choose to install a brand new Jazz Team Server or use an existing one.
- User Licenses: During upgrade, the License Server is queried to determine which user license you have the most licenses for, and the license type for all users (excluding the Service Account and Product Administrator) is changed to that license type. If you must change the license type for any of your users, go to and change them there.
- Finding variants: When you import an assessment file from AppScan Source, if the findings differ only by the trace, AppScan Enterprise rolls up those findings into a single issue with multiple variants.
- Changes to service account: Service account impersonation is no longer supported. Any jobs that use that service account will suspend. Edit the job properties with a proper username/password and re-run the job.
Upgrading from 8.0.0.0
Version 8.5 and 8.6 use the Rational License Server. It is critical that you read and understand Product and user licenses before you install the current version.