Migrating to the current version of AppScan® Source
This topic contains migration information for changes that have gone into this version of AppScan® Source. If you are upgrading from an older version of AppScan® Source, be sure to note the changes for the version of AppScan® Source that you are upgrading and all versions leading up to this current version.
Migrating from Version 9.0.3
HCL licensing
As part of the transition from IBM to HCL, HCL introduced HCL-centric license packages for the AppScan family of products. AppScan products continued to support existing IBM licenses through version 10.0.1. As of version 10.0.2, an HCL license is required.
New licenses are available only through HCL.
To acquire and apply a new AppScan Source license, first obtain the appropriate license through the HCL FlexNet portal, then apply the license using the AppScan Source License Manager.
For additional information, see How to obtain and apply licenses for AppScan Source products.
AppScan® Source interoperability
- An AppScan® Source 10.0.0 client will not scan correctly with a pre 10.0.0 AppScan® Source database due to the difference in the contents of the database as they pertain to scan rules.
- Similarly, a pre 10.0.0 AppScan® Source client will NOT scan correctly with a 10.0.0 AppScan® Source database.
- An instance of AppScan® Enterprise configured with an instance of AppScan® Source 10.0.0 database cannot be used by 9.0.3.x versions of AppScan® Source, and vice versa
- 9.0.3x versions of AppScan®
Enterprise must be configured as follows to interoperate with AppScan®
Source 10.0.0:
set "allow.newer.source.clients=true" in \Program Files (x86)\IBM\AppScan Enterprise\Liberty\usr\servers\ase\config\asc.properties file
Migrating from Version 9.0.2
- New rule attributes may result in findings classification changes in existing scans
- Automatic lost sink generation
New rule attributes may result in findings classification changes in existing scans
After Version 9.0.2, Attribute.Likelihood.High
and
Attribute.Likelihood.Low
rule attributes were introduced. When these
attributes are used, AppScan®
Source can more
accurately determine if findings are definitive and/or suspect. As a result, if you scan
source code in AppScan®
Source Version 9.0.2 or
earlier, you may find that some findings classifications will change when the same source
code is scanned in product versions after 9.0.2. This will be most noticeable for findings
related to highly exploitable web sources - or for property or environment sources that
are less exploitable.
These rule attributes are used by default. You can disable them, as follows:
- Open <data_dir>\config\ipva.ozsettings in a text editor (where <data_dir> is the location of your
AppScan®
Source program data, as described in Installation and user data file locations). Locate the
allow_likelihood
setting in the file. This setting will look similar to:
In this setting, modify the<Setting name="allow_likelihood" value="true" default_value="true" description="Allow the processing of the Likelihood attributes to help determine trace confidence based on the source API" display_name="Allow Likelihood" type="bool" />
value
attribute. If the attribute is set totrue
, this setting will be on. If it is set tofalse
, AppScan® Source will not use these rule attributes during scans. - Save the file after you have modified this setting and start or restart AppScan® Source.
Automatic lost sink generation
After Version 9.0.2, automatic lost sink resolution was introduced for traces that end in getters/setters and methods that return boolean values. This is done by automatically inferring markup for these application programming interfaces (API). As a result, if you scan source code in AppScan® Source Version 9.0.2 or earlier, you may notice changes in findings results that contained unresolved lost sinks when the same source code is scanned in product versions after 9.0.2.
Automatic markup generation is on by default. You can disable it if you want to use other means of lost sink resolution such as custom rules, as follows:
- Open <data_dir>\config\ipva.ozsettings in a text editor (where <data_dir> is the location of your
AppScan®
Source program data, as described in Installation and user data file locations). Locate the
automatic_lost_sink_resolution
setting in the file. This setting will look similar to:
In this setting, modify the<name="automatic_lost_sink_resolution" value="true" default_value="true" description="This setting tries to perform automatic lost sink resolution by assuming taint propagation for getters, setters and APIs which return boolean with no arguments." display_name="Auto Lost Sink Resolution" type="bool" />
value
attribute. If the attribute is set totrue
, this setting will be on. If it is set tofalse
, AppScan® Source will not automatically generate markup for these methods. - Save the file after you have modified this setting and start or restart AppScan® Source.
Migrating from Version 9.0
AppScan® Enterprise Server authentication: Migration considerations for replacement of the IBM® Rational® Jazz™ user authentication component with IBM® WebSphere® Liberty
- Migrating from an Enterprise Server that only has local Jazz™ users: In this upgrade scenario, the former Jazz™ users will appear in the AppScan® Source Database as AppScan® Enterprise Server users, however, they will not be valid. These users can be removed from the Database - or they can be converted to AppScan® Source users. Contact HCL Support for information on enabling former Jazz users in AppScan® Source.
- Migrating from an Enterprise Server that was configured with LDAP: During the Enterprise Server upgrade, you have the option of configuring the Enterprise Server with LDAP again. If you do this, existing users will still work in AppScan® Source.
- Migrating from an Enterprise Server that was configured with Windows™ authentication: If your Enterprise Server was configured with Windows™ authentication, existing users will work in AppScan® Source, provided the new Enterprise Server Liberty is configured to use Windows™ authentication.
Migrating from Version 8.7
- Changes to findings classifications
- Default settings changes that will improve scan coverage
- Restoring AppScan Source predefined filters from previous versions
Changes to findings classifications
After Version 8.7, findings classifications changed. This table lists the old classifications mapped to the new classifications:
Findings classifications prior to AppScan® Source Version 8.8 | Classifications as of AppScan® Source Version 8.8 |
---|---|
Vulnerability | Definitive security finding |
Type I Exception | Suspect security finding |
Type II Exception | Scan coverage finding |
An example of these changes can be seen in the Vulnerability Matrix view.
As of Version 8.8, the view looks like this:
Default settings changes that will improve scan coverage
As of AppScan® Source Version 8.8:
- The default value of
show_informational_findings
in scan.ozsettings has changed fromtrue
tofalse
. - The default value of
wafl_globals_tracking
in ipva.ozsettings has changed fromfalse
totrue
. This setting enables AppScan® Source to find dataflow between different components of a framework-based application (for example, dataflow from a controller to a view).
The change to show_informational_findings
will result in assessments not
including findings with a severity level of Info by default.
Restoring AppScan® Source predefined filters from previous versions
In AppScan® Source Version 8.8, predefined filters were improved to provide better scan results. If you need to continue using the predefined filters from older versions of AppScan® Source (archived filters are listed in AppScan Source predefined filters (Version 8.7.x and earlier)), follow the instructions in Restoring archived predefined filters.