What's New in AppScan Source
Explore these new features that have been added to AppScan® Source - and note any features and capabilities that have been deprecated in this release.
What's new in AppScan Source Version 10.0.1
Enhanced and new functionality in AppScan Source Version 10.0.1
- AppScan Source version 10.0.1 has enhanced licensing functionality including proxy support for HCL-based licenses in the user interface and allowing use of untrusted certificates to make a connection to a local license server.
- AppScan Source version 10.0.1 introduces AppScanDelta. This feature allows users to perform a diff from the command line between two assessments.
- AppScan Source supports NetCore 2.1 and 2.2.
- AppScan Source version 10.0.1 includes language support for Scala, Swift, Kotlin, and ReactJS. See System Requirements for additional information.
- AppScan Source version 10.0.1 supports the DISA STIG v4r10 report format.
Known issues in AppScan Source version 10.0.1
- If you are scanning a Visual Studio project from 2015 or earlier, the scan may fail with a message to delete discoverymanager.exe.config. Delete the specified file and try again. For more information see here.
AppScan Source interoperability
- 9.0.3x and 10.0.0 versions of AppScan Enterprise must be configured as follows to interoperate with AppScan Source 10.0.1:
set "allow.newer.source.clients=true" in \Program Files (x86)\IBM\AppScan Enterprise\Liberty\usr\servers\ase\config\asc.properties file
Capabilities nearing end-of-life or removed in AppScan Source version 10.0.1
The following capabilities are nearing end-of-life as of AppScan Source version 10.0.1. Please plan accordingly.
- IMPORTANT! Support for IBM licenses in new releases of AppScan will end in the third quarter 2020 (August/September). Subsequent new versions of AppScan products will support HCL Licenses only. For additional information on licensing, see Activating the software. You can also contact your HCL representative or HCL Support.
- SolidDB will no longer be shipped with product updates beginning in the third quarter 2020 (August/September). Existing installations will still be supported.
What's new in AppScan Source Version 10.0.0
HCL AppScan Source version 10.0.0 marks a significant advancement in the technology behind the AppScan family of products. HCL has invested in products in the DevSecOps market, laying the foundation for enhancements to our market-leading security scanning products, now and into the future.
- Enhanced and new functionality
- AppScan Source Version 10.0.0 interoperability
- Additional AppScan Source version 10.0.0 installation instructions
- Known issues in AppScan Source Version 10.0.0
- Capabilities nearing end-of-life in AppScan Source Version 10.0.0
- Functionality no longer supported in AppScan Source Version 10.0.0
Enhanced and new functionality in AppScan Source Version 10.0.0
- IBM® Security AppScan Source is now HCL AppScan Source.
In mid-2019, HCL Technologies acquired the AppScan family of products from IBM, including AppScan Enterprise, AppScan Standard, AppScan Source, and AppScan on Cloud. All AppScan products are now owned, developed, and promoted by HCL Software. All licenses, logos, naming conventions, and other intellectual and/or branding rights are owned by HCL. As such all AppScan products have been rebranded to reflect this ownership and its new phase of development and growth.
- Introducing HCL Licensing for HCL AppScan Source
As part of the transition from IBM to HCL, HCL is introducing HCL-centric license packages for the AppScan family of products. AppScan, AppScan Standard, and AppScan Source use a local FlexLM license server, authenticating via a proxy server; AppScan on Cloud uses a market-leading customer identity access management (CIAM) system from Okta.
- AppScan Source now supports the Go programming language (Golang).
- AppScan Source now supports C++ scanning in Visual Studio 2015, 2017, and 2019.
- AppScan Source now supports Oracle 19c.
- New data flow scanning functionality performs a more complete code analysis and produces more findings as a result.
- For languages for which AppScan Source has custom scanners, you may see a marked difference in findings when scanning with AppScan Source v10. In instances when scanning has been converted to custom scanning, this may mean a reduction in findings. The rules for custom scanners are evolving and being added to on a regular basis, and are easy to enhance.
- Enhanced integration with Intelligent Code Analytics (ICA) and Intelligent Findings Analytics (IFA).
When ICA/IFA is enabled, you see and can access the Excluded Findings tab. For additional information, see Intelligent Findings Analytics (IFA) in the AppScan Source documentation.
By default, IFA is enabled for all scans. When enabled, it is applied to the current scan and future scans. It cannot be applied to assessments from previous scans.
- Scanning .NET projects (ASP, WEB, Framework, Core) in AppScan Source mirrors the processing in HCL AppScan on Cloud. .NET projects must be able to be compiled before they can be scanned and must have the correct build specification in project properties.
- 15 GB is the minimum amount of space required to install AppScan Source and run basic scans. However, required disk space varies depending on the application being scanned. We recommend a minimum of 8 GB of RAM and 15-20 GB of free disk space. You may also need to increase your Windows page file requirement (see Tips to improve PC performance in Windows 10 for more information).
- For additional information on system requirements, and scanning and plugin support, see System requirements and installation prerequisites or contact HCL Support.
Additional AppScan Source version 10.0.0 installation instructions
When installing AppScan Source version 10.0.0 with the Visual Studio 2019 plugin, the installation appears to complete successfully but the Visual Studio 2019 plugin may not be installed properly.
To install the AppScan Source version 10.0.0 plugin in Visual Studio 2019:
- Ensure that HCL AppScan Source version 10.0.0 is installed on the target system. Select Microsoft Visual Studio 2019 plugin during installation.
- If a pre 10.0.0 version of AppScan Source has been installed into the target instance of Visual Studio 2019, uninstall it as follows:
  - Start the target Visual Studio 2019 instance.
  - Open to .
  - On the Installed tab, select AppScan Source Plug-in from the list.
  - Click Uninstall plug-in and follow the prompts to complete uninstallation.
- Install the HCL AppScan Source version 10.0.0 plugin into the Visual Studio 2019 instance as follows:
  - Close all Visual Studio 2019 instances.
  - Download VS2019Plugin.zip from the HCL AppScan Source release download site.
  - Extract the contents of the zip file into <AppScan Source Install Dir> (the default location is C:\Program Files (x86)\IBM\AppScanSource). Choose Yes for all options when prompted.
  - Double-click AppScanSrcPlugin.vsix from the <AppScan Source Install Dir>/bin directory.
  - In the resulting VSIX Installer dialog, select Visual Studio <Edition> 2019 and click Install.
    The edition could be Professional, Enterprise or Community based on what is installed on the machine. You can select more than one Edition to install, if available.
  - When installation is complete, close the dialog.
  - Restart Visual Studio 2019. The AppScan Source plug-in appears under Extensions.
AppScan Source Version 10.0.0 interoperability
- An AppScan Source 10.0.0 client will not scan correctly with a pre 10.0.0 AppScan Source database due to the difference in the contents of the database as they pertain to scan rules.
- Similarly, a pre 10.0.0 AppScan Source client will NOT scan correctly with a 10.0.0 AppScan Source database.
- An instance of AppScan Enterprise configured with an instance of AppScan Source 10.0.0 database cannot be used by 9.0.3.x versions of AppScan Source, and vice versa.
- 9.0.3x versions of AppScan Enterprise must be configured as follows to interoperate with AppScan Source 10.0.0:
set "allow.newer.source.clients=true" in \Program Files (x86)\IBM\AppScan Enterprise\Liberty\usr\servers\ase\config\asc.properties file
Known issues in AppScan Source Version 10.0.0
- The following languages are not supported:
  - Arxan C
  - WSDL
- On WebSphere, only default JSP compilation options are supported.
- Single file scanning is not available across all languages.
- There is no mechanism to disable precompilation of JSP files. JSP files will always be precompiled.
- Stop/Cancel scan does not work on Linux systems.
- Stop/Cancel may not work on Windows systems when using the command line interface. To work around this issue, restart AppScan Source and kill the background processes.
- When uninstalling AppScan Source version 10.0.0 from a Windows system, the uninstall process sometimes hangs. For more information, see Uninstallation of AppScan Source hangs on Windows.
- After upgrade to AppScan Source version 10.0.0, PDF reports are not generating. For more information, see AppScan Source 10.0.0 throws "java.lang.reflect.InvocationTargetException" during PDF report generation in upgrade scenario.
Capabilities nearing end-of-life in AppScan Source Version 10.0.0
- Custom findings
- Quality metrics
- Email/settings
- RSS feed
- Application attributes
Use AppScan Enterprise to store application information.
- Defect tracking system integration
Use the AppScan Issues gateway to integrate from an AppScan Enterprise level.
Functionality no longer supported in AppScan Source Version 10.0.0
- The vulnerability cache is no longer supported.
- Incremental scanning is not supported.
- Non-CPA scanning is not supported.
- As of version 9.0.3.11, AppScan Source no longer supports macOS or iOS Xcode project scanning.
Some components of AppScan Source are 32-bit. macOS 10.14 (Mojave) is the last Mac operating system version that will support 32-bit applications.
You can continue to use AppScan Source version 9.0.3.10 and earlier on Mac operating systems up to and including 10.12.