HCL® AppScan® Source Version 10.10.0 Readme and Release Notes®

Stop Scan no longer available

AppScan® Source no longer allows you to interrupt a scan and return the current results. The scan must complete to see results.

After upgrading AppScan® Source, findings from excluded bundles may appear in scan results

After AppScan® Source is upgraded, the properties of some findings can change, which can result in this known limitation.

IPv6 limitations

AppScan® Source is enabled for Internet Protocol Version 6 (IPv6), with these exceptions:

• Inputting IPv6 numerical addresses is not supported and a host name must be entered instead. Inputting IPv4 numerical addresses is supported.

Use precompiled classes when a scan of an Eclipse workspace fails due to missing classes or libraries

If you successfully import an Eclipse workspace, but find that scanning it fails due to missing classes or libraries, it is recommended that you use the option to scan with precompiled classes. To do this, select that option in the project properties and browse to the bin directory of the Eclipse project.

Silent installation is not supported on Turkish locales

If you create a custom silent installation, it will not succeed when running on any Turkish language locale (for example, tr and tr_TR).

UTF-8 character set is required for Oracle databases

If you are connecting the AppScan® Enterprise Server to an Oracle database, you must set the character set to UTF-8 when creating the database (this is typically not the default character set).

Line numbers in JSP files

Line numbers for the .java file that was generated from the .jsp file display along with the JSP file name.

Ounce/Maven

ounce:report mojo does not work for existing assessment XML files, only new scans.

Upgrading AppScan® Source without ending all AppScan® Source java processes may cause the How to Fix view to fail

If you perform a product upgrade when an AppScan® Source java process is still running, the How to Fix view may display an error similar to these after the upgrade:

This page can't be displayed
     - Make sure the web address http://<my_host_and_port> is correct.
     - Look for the page with your search engine.
     - Refresh the page in a few minutes.

or

Error executing query and transform

Before upgrading an AppScan® Source installation that includes the AppScan® Source for Analysis, AppScan® Source for Development (Eclipse plug-in), or AppScan® Source for Development (Visual Studio plug-in) components, ensure that there are no AppScan® Source java processes running.

AppScan® Source for Analysis and AppScan® Source for Development (Eclipse plug-in) component prerequisite on Linux™

On Linux™, Eclipse requires the installation of a third-party component in order to render browser-based content. Without this component, AppScan® Source for Analysis and theAppScan® Source for Development (Eclipse plug-in) may exhibit symptoms such as a hang after login or a fail during product use.

Intermittent shutdown of AppScan® Source for Analysis on Linux™

To prevent an unexpected shutdown, upgrade Pango. The Pango upgrade may require an upgrade of glib.

Caching may occur when switching national languages

The AppScan® Source for Analysis user interface can be displayed in different national languages by switching the language in the preferences and restarting the workbench. It is common Eclipse behavior for strings to be cached and to display in the previous language that was used. AppScan® Source for Analysis is affected by this behavior. If you switch the national language that is displayed and then restart the workbench, cached strings will be refreshed when you activate the user interface element that the string describes (for example, if a button label has been cached, clicking the button will cause the string to refresh to the new language).

Multibyte characters in the installation path of AppScan® Source for Analysis are not supported

All versions of AppScan® Source for Analysis will fail during installation with an Invalid Directory error if the installation path contains multibyte characters.

Linux™ - Error launching AppScan® Source for Analysis after configuring AppScan® Source daemons to run as user other than 'ounce' during installation

The AppScan® Source for Analysis installer allows you to configure the AppScan® Source daemon processes to run as the default user named 'ounce' or as an existing user.

Workaround: If you do not choose the default user, you must create an eclipse.ini file in the AppScan® Source installation directory (for example, /opt/hcl/appscansource) that consists of this line:

-configuration @user.home/.ounceconfig

Removing AppScan® Source for Analysis as a non-administrative user

AppScan® Source for Analysis on Windows™ requires administrator access to create Add or Remove Programs entries. If you installed AppScan® Source for Analysis as a non-administrator user, to remove AppScan® Source for Analysis, go to <install_dir>\Uninstall_AppScan and run AppScan_Uninstaller.exe (where <install_dir> is the location of your AppScan® Source installation).

To create PDF reports, it may be necessary to install system fonts for some non-English languages

For these languages, you may need to install the indicated fonts to be able to create PDF reports:

• Japanese: MS Gothic or VL Gothic
• Korean: Gulim
• Simplified Chinese: SimSun-18030 or MingLiU
• Traditional Chinese: SimSun-18030 or MingLiU

Modifying custom rules and plug-in use

If you create a custom rule in AppScan® Source for Analysis and are logged in to an AppScan® Source for Development plug-in, to see the changes, you must restart the IDE.

Assessment Summary view chart style selection is no longer supported

In the Assessment Summary view, you can no longer choose the style of chart to display. The bar chart is the only chart style available.

Upgrading AppScan® Source without ending all AppScan® Source java processes may cause the How to Fix view to fail

If you perform a product upgrade when an AppScan® Source java process is still running, the How to Fix view may display an error similar to these after the upgrade:

This page can't be displayed
     - Make sure the web address http://<my_host_and_port> is correct.
     - Look for the page with your search engine.
     - Refresh the page in a few minutes.

or

Error executing query and transform

Before upgrading an AppScan® Source installation that includes the AppScan® Source for Analysis, AppScan® Source for Development (Eclipse plug-in), or AppScan® Source for Development (Visual Studio plug-in) components, ensure that there are no AppScan® Source java processes running.

After applying AppScan® Source for Development to Eclipse, you are not prompted to choose a workspace after the initial Eclipse relaunch

After applying AppScan® Source for Development to Eclipse, you are prompted to restart the workbench. After restarting, you are prompted to choose a workspace. However, when you restart Eclipse again you are not prompted to choose a workspace.

This problem is related to https://bugs.eclipse.org/bugs/show_bug.cgi?id=409552.

You can work around this problem using one of these methods:

• Use the -clean option when starting Eclipse.
• Exit Eclipse and then, in your Eclipse installation directory, delete the configuration\org.eclipse.osgi\.manager directory before starting Eclipse again.

If you do not resolve the problem, you can ensure that you are using the correct workspace by using the File > Switch Workspace action.

Upgrading the AppScan® Source for Development (Eclipse plug-in)

It is recommended that you uninstall AppScan® Source for Development from your Eclipse IDE before upgrading to a more recent version of AppScan® Source for Development or AppScan® Source.

AppScan® Source for Analysis and AppScan® Source for Development (Eclipse plug-in) component prerequisite on Linux™

On Linux™, Eclipse requires the installation of a third-party component in order to render browser-based content. Without this component, AppScan® Source for Analysis and theAppScan® Source for Development (Eclipse plug-in) may exhibit symptoms such as a hang after login or a fail during product use.

AppScan® Source for Development plug-in for Eclipse and Eclipse-based products: multiple prompts for AppScan® Source installation directory

When you use the AppScan® Source for Development Plug-in for Eclipse and Eclipse-based products for the first time, you are prompted by a dialog box to specify the path to your AppScan® Source installation directory. If you specify the installation directory and click OK but then receive the same dialog again, click Cancel, restart the workbench, and then continue with normal product use. Failure to restart the workbench upon receiving multiple prompts for the installation directory can cause scans to fail.

Shared/Global filters in AppScan® Source for Development do not consistently display

The Filtering module in AppScan® Source for Development allows you to open saved assessments and perform filtering actions without having to log in and authenticate to the AppScan® Enterprise Server. Because shared filters are stored in the AppScan® Source Database (which requires login and authentication to access), they are not available in the plug-ins if you have not yet logged your current plug-in session into AppScan® Source.

Workaround: Perform a scan (or any other action that requires login) before accessing the filtering module in the plug-in. Once you log in, shared filters will be available.

Modifying custom rules and plug-in use

If you create a custom rule in AppScan® Source for Analysis and are logged in to an AppScan® Source for Development plug-in, to see the changes, you must restart the IDE.

Assessment Summary view chart style selection is no longer supported

In the Assessment Summary view, you can no longer choose the style of chart to display. The bar chart is the only chart style available.

Upgrading AppScan® Source without ending all AppScan® Source java processes may cause the How to Fix view to fail

If you perform a product upgrade when an AppScan® Source java process is still running, the How to Fix view may display an error similar to these after the upgrade:

This page can't be displayed
     - Make sure the web address http://<my_host_and_port> is correct.
     - Look for the page with your search engine.
     - Refresh the page in a few minutes.

or

Error executing query and transform

Before upgrading an AppScan® Source installation that includes the AppScan® Source for Analysis, AppScan® Source for Development (Eclipse plug-in), or AppScan® Source for Development (Visual Studio plug-in) components, ensure that there are no AppScan® Source java processes running.

Delay when copying large numbers of findings in large assessments

When you multiselect and copy multiple findings in an assessment that contains a large number of findings, you may experience a several second delay before the copy action is added to the clipboard. Ensure that the copy action completes before attempting to paste what was copied.

Scanning solution files that were created in a version of Microsoft™ Visual Studio that is not installed

If you attempt to scan a solution file that was created in a version of Visual Studio that is not installed on your system, AppScan® Source will attempt to locate a compatible version of Visual Studio on your system and use it for scanning.

AppScan® Source About dialog box in Microsoft™ Visual Studio is truncated

With certain national languages, the About dialog box for the AppScan® Source for Development (Visual Studio plug-in) appears truncated. To address this, adjust the screen resolution and/or the font size for best viewing.

Shared/Global filters in AppScan® Source for Development do not consistently display

The Filtering module in AppScan® Source for Development allows you to open saved assessments and perform filtering actions without having to log in and authenticate to the AppScan® Enterprise Server. Because shared filters are stored in the AppScan® Source Database (which requires login and authentication to access), they are not available in the plug-ins if you have not yet logged your current plug-in session into AppScan® Source.

Workaround: Perform a scan (or any other action that requires login) before accessing the filtering module in the plug-in. Once you log in, shared filters will be available.

Assessment Summary view chart style selection is no longer supported

In the Assessment Summary view, you can no longer choose the style of chart to display. The bar chart is the only chart style available.

Issuing the publishassessase or pase command results in HttpAuthenticator warnings

If you are using the CLI to publish to an AppScan® Enterprise Console that has only Windows authentication enabled, you may see warnings similar to these when issuing the publishassessase or pase command:

WARN [main] (HttpAuthenticator.java:207) - NEGOTIATE authentication error: org.ietf.jgss.GSSException, major code: 2, minor code: 0
  major string: Unsupported mechanism
  minor string: No factory available to create name for mechanism x.x.x.x.x.x.x
Assessment successfully published to: https://<ase_hostname>/ase

These warnings will not affect the publication of your assessments and can be ignored.

Scanning Windows C/C++ applications

Windows C/C++ applications are now scanned as 64-bit.

C/C++ applications that aren't 64-bit safe may experience scanning errors.

Uninstallation of AppScan® Source hangs on Windows

When both server and client feature sets of AppScan Source v10.0.0 are installed on a Windows system, uninstall hangs when the process tries to delete JRE files from <InstallDir>\engine.

When this occurs, kill the process and finish the uninstall manually.

To end the uninstall process and finish the uninstall:

Installation of AppScan® Source interrupted by Windows Defender

When installing AppScan® Source on older versions of Windows, Windows Defender may interrupt the installation process with a warning pop-up. Click through the pop-up to continue install. For additional information, see https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.

Upgrading AppScan® Source without ending all AppScan® Source java processes may cause the How to Fix view to fail

If you perform a product upgrade when an AppScan® Source java process is still running, the How to Fix view may display an error similar to these after the upgrade:

This page can't be displayed
     - Make sure the web address http://<my_host_and_port> is correct.
     - Look for the page with your search engine.
     - Refresh the page in a few minutes.

or

Error executing query and transform

Before upgrading an AppScan® Source installation that includes the AppScan® Source for Analysis, AppScan® Source for Development (Eclipse plug-in), or AppScan® Source for Development (Visual Studio plug-in) components, ensure that there are no AppScan® Source java processes running.

Errors when AppScan® Source configuration files contain special characters

On Windows™, some special characters (for example, Ç, à, ∾, ¥, §, Æ) in the filenames of configuration files (.ppf, .paf, and .osc) may result in errors.

Library id and progid forms of #import are not supported

The Microsoft™ Visual C++ #import preprocessor directive has several forms. AppScan® Source does not support the two forms that use a library id or a progid. Files containing these forms will not be scanned and an error message appears in the Console.

Referenced assemblies must be in the same directory as the assembly being scanned or registered in the Global Assembly Cache (GAC)

AppScan® Source can only produce a complete scan of a .NET application when all referenced or dependent assemblies are in the same folder as the assembly being scanned, or registered in the GAC. If your assembly references types defined in assemblies in other places on disk, you may see errors such as this:

Skipping file <assembly_name> due to error: Failed (0x80004005) in <type> call
     Referenced assembly <referenced assembly name> was not found.

To fix these errors, copy the referenced assembly to the same directory as the assembly being scanned, or register it in the GAC.

.NET Assembly projects assembled with .NET Core

AppScan® Source does not support .NET Assembly projects containing assembly files generated with .NET Core. .NET Core projects can be scanned in the same way as .NET solutions files. See Adding an existing application with user interface actions for additional information.

Visual Basic 6 scan requires full function declaration

#if, #else if, and #end if must contain the full declaration of a function. For example:

#If NATIVEBINDING Then
Public Function TemplateFromRule(ByVal Rule As OrgMan.Rule) As AcDir.Template
          	Dim oOp As OrgMan.Operation
#Else
Public Function TemplateFromRule(ByVal Rule As Object) As AcDir.Template
          	Dim oOp As Object
#End If
          	If Rule Is Nothing Then Exit Function
          	oOp = Rule.Operation
          	If oOp Is Nothing Then Exit Function
          	TemplateFromRule = BuildTemplate(oOp.Command, Rule.Field, Rule.Value)
End Function

Dialog box and message truncations when running in non-English locales

In AppScan® Source, some dialog boxes and messages can be re-sized even though typical Microsoft™ Windows™ controls that indicate the ability to resize are not present. If you are running an AppScan® Source product graphical user interface on a non-English locale and dialog box and messages contain truncated strings, you may be able to resize the dialog box or message to read the entire contents of the dialog box or message.

AppScan® Source for Development (Visual Studio plug-in) limitations

Any limitations that apply to the AppScan® Source for Development (Visual Studio plug-in) are also specific to Windows. Please see AppScan Source for Development (Visual Studio plug-in).

Nodelocked licenses and Red Hat Enterprise Linux 7.4

IBM-originating nodelocked licenses may not work correctly with Red Hat Enterprise Linux 7.4. Move to HCL-originating nodelocked licenses. Contact HCL Support for additional information.

Uninstalling AppScan Source on Red Hat Enterprise Linux 7.x

On Red Hat Enterprise Linux 7.x, you must restart your system after uninstalling AppScan Source version 9.0.3.x to stop running all AppScan Source processes.

Upgrading AppScan® Source without ending all AppScan® Source java processes may cause the How to Fix view to fail

If you perform a product upgrade when an AppScan® Source java process is still running, the How to Fix view may display an error similar to these after the upgrade:

This page can't be displayed
     - Make sure the web address http://<my_host_and_port> is correct.
     - Look for the page with your search engine.
     - Refresh the page in a few minutes.

or

Error executing query and transform

Before upgrading an AppScan® Source installation that includes the AppScan® Source for Analysis, AppScan® Source for Development (Eclipse plug-in), or AppScan® Source for Development (Visual Studio plug-in) components, ensure that there are no AppScan® Source java processes running.

Linux™ Mozilla requirement for Remediation Assistance view

The Remediation Assistance view on Linux™ requires Mozilla linked against GTK2 or higher.

Install Mozilla linked against GTK2 or higher. After acquiring Mozilla, unpack it, and add the environmental variable MOZILLA_FIVE_HOME to point to it. For example, if you untar the archive to /usr/local and use the bash shell, add export MOZILLA_FIVE_HOME=/usr/local/mozilla to your ~/.bashrc.

SELinux prevents installation, product activation, and running

Security Enhanced Linux™ (SELinux) is a Linux™ feature that provides greater security and access control through the Linux™ Security Modules of the Linux™ kernel. It is included with Red Hat Enterprise 5, by default.

1. Installation: Installation of AppScan® Source is not possible with SELinux in Enforcing mode. SELinux must be changed to Permissive mode. To run SELinux in Permissive mode, issue /usr/bin/system-config-selinux or, if running GNOME, select System > Administration > SELinux Management. You will be prompted for your root password. Select Status in the left pane if it is not already selected. In the right pane, change the Current Enforcing Mode drop-down to Permissive. After setting SELinux to Permissive, run the AppScan® Source installation as normal. You may change the SELinux setting back to Enforcing after the installation is complete.
2. Product activation: The AppScan® Source license Manager cannot be used in Enforcing mode. SELinux must be changed to Permissive mode. To run SELinux in Permissive mode, issue /usr/bin/system-config-selinux or, if running GNOME, select System > Administration > SELinux Management. You will be prompted for your root password. Select Status in the left pane if it is not already selected. In the right pane, change the Current Enforcing Mode drop-down to Permissive. After setting SELinux to Permissive, run the License Manager. You may change the SELinux setting back to Enforcing after product activation is complete.
3. Running: The JRE and JDKs that are shipped with AppScan® Source will not operate with SELinux in Enforcing mode. However, it is not necessary to disable Enforcing mode because the files that trigger SELinux may be given permission to operate. This is done using the chcon command by issuing chcon -t textrel_shlib_t <filename>. All of the shared object files (.so) under the <installdir>/jre and <installdir>/JDKS directories need to have this command issued against them. This can be performed in a batch fashion using the find command with the exec parameter. For example:

   cd /opt/ibm/appscansource/jre
   sudo find . -name "*.so" -exec chcon -t textrel_shlib_t {} \; -print
   cd ../JDKS
   sudo find . -name "*.so" -exec chcon -t textrel_shlib_t {} \; -print

AppScan® Source for Analysis and AppScan® Source for Development (Eclipse plug-in) component prerequisite on Linux™

On Linux™, Eclipse requires the installation of a third-party component in order to render browser-based content. Without this component, AppScan® Source for Analysis and theAppScan® Source for Development (Eclipse plug-in) may exhibit symptoms such as a hang after login or a fail during product use.

Intermittent shutdown of AppScan® Source for Analysis on Linux™

To prevent an unexpected shutdown, upgrade Pango. The Pango upgrade may require an upgrade of glib.

Linux™ - Error launching AppScan® Source for Analysis after configuring AppScan® Source daemons to run as user other than 'ounce' during installation

The AppScan® Source for Analysis installer allows you to configure the AppScan® Source daemon processes to run as the default user named 'ounce' or as an existing user.

Workaround: If you do not choose the default user, you must create an eclipse.ini file in the AppScan® Source installation directory (for example, /opt/hcl/appscansource) that consists of this line:

-configuration @user.home/.ounceconfig

Scanning source code compiled with older versions of gcc, such as 2.95.4, produces errors

For example, an error such as:

Skipping file: file.cpp due to error: "/home/file.cpp", line 97: error: namespace "std" has
          	no member "string"
          	std::string mystring;

may appear.

Workaround: Add the --ignore_std option to the compiler options for the project. This option enables a gcc compatibility feature that makes the std namespace a synonym for the global namespace. In AppScan® Source for Analysis, add this option on the Project Dependencies tab of the Properties View for the project. Alternatively, if you use Ounce/Make to create the project file, modify the compiler_options attribute of the GlobalProjectOptions element in the Ounce/Make properties file.

Deprecation of macOS support

As of version 9.0.3.11, AppScan® Source no longer supports macOS or iOS Xcode project scanning.

Enhanced and new functionality in AppScan® Source version 10.10.0

Fixes and security updates for AppScan® Source version 10.10.0

Fixes and security updates are listed here.

Known issues in AppScan® Source version 10.10.0

Capabilities nearing end-of-life or removed as of AppScan® Source version 10.10.0

Enhanced and new functionality in AppScan® Source version 10.9.0

Fixes and security updates in AppScan® Source version 10.9.0

Fixes and security updates are listed here.

Known issues in AppScan® Source version 10.9.0

Capabilities nearing end-of-life or removed as of AppScan® Source version 10.9.0

Enhanced and new functionality in AppScan® Source version 10.8.0

Fixes and security updates in AppScan® Source version 10.8.0

Fixes and security updates are listed here.

Capabilities nearing end-of-life or removed as of AppScan® Source version 10.8.0

Enhanced and new functionality in AppScan® Source version 10.7.0

• Download AppScan® Source from the HCLSoftware Download and License Management Portal or My HCLSoftware (MHS). In future releases, the new My HCLSoftware portal replaces the HCLSoftware Download and License Management Portal.
• AppScan® Source Findings view and reports have a new column for additional CWEs associated with the primary CWE.
• AppScan® Source supports Red Hat Enterprise Linux versions 9.0 and 9.4.
• AppScan® Source supports ESQL.
• AppScan® Source support scanning PowerShell (.ps1) files within Infrastructure-as-Code projects.
• AppScan® Source supports Java 21.
• Updates to rules for Angular, ASP, CSS, Dart, Java source code scanner, JavaScript, JQuery, Objective-C, PHP, Python, secrets scanner, TerraForm, TypeScript, and VueJS.
• AppScan® Source Data Access API classpath updated.

Fixes and security updates in AppScan® Source version 10.7.0

Fixes and security updates are listed here.

Changed in AppScan® Source version 10.7.0

HCLSoftware products are undergoing changes in license acquisition and management. For more information, see Licensing Changes Announcement.

Upcoming changes in AppScan® Source version 10.7.0

Documentation

Information about AppScan® Source documentation can be found at https://help.hcl-software.com/.

Obtaining Technical Support

Information about obtaining technical support for this product is available at https://support.hcl-software.com/.

The product website is located at https://www.hcl-software.com/appscan.