Migrating to the current version of AppScan® Source

This topic contains migration information for changes that have gone into this version of AppScan® Source. If you are upgrading from an older version of AppScan® Source, be sure to note the changes for the version of AppScan® Source that you are upgrading from and for every version between it and this current version.

Migrating from Version 9.0.3

HCL licensing

As part of the transition from IBM to HCL, HCL introduced HCL-centric license packages for the AppScan family of products. AppScan products continued to support existing IBM licenses through version 10.0.1. As of version 10.0.2, an HCL license is required.

New licenses are available only through HCL.

To acquire and apply a new AppScan Source license, first obtain the appropriate license through the HCL FlexNet portal, then apply the license using the AppScan Source License Manager.

For additional information, see How to obtain and apply licenses for AppScan Source products.

AppScan® Source interoperability

HCL® AppScan® Source 10.0.0 requires an AppScan® Source 10.0.0 database:
  • An AppScan® Source 10.0.0 client will not scan correctly with a pre-10.0.0 AppScan® Source database, because the scan rules stored in the database differ between the versions.
  • Similarly, a pre-10.0.0 AppScan® Source client will NOT scan correctly with a 10.0.0 AppScan® Source database.
AppScan® Source 10.0.0 will interoperate with 9.0.3.x versions of AppScan® Enterprise:
  • An instance of AppScan® Enterprise configured with an AppScan® Source 10.0.0 database cannot be used by 9.0.3.x versions of AppScan® Source, and vice versa.
  • 9.0.3.x versions of AppScan® Enterprise must be configured as follows to interoperate with AppScan® Source 10.0.0: set
    allow.newer.source.clients=true
    in the file \Program Files (x86)\IBM\AppScan Enterprise\Liberty\usr\servers\ase\config\asc.properties.

Migrating from Version 9.0.2

Note: As of version 9.0.3.11, AppScan® Source no longer supports macOS or iOS Xcode scanning.

New rule attributes may result in findings classification changes in existing scans

After Version 9.0.2, the Attribute.Likelihood.High and Attribute.Likelihood.Low rule attributes were introduced. When these attributes are used, AppScan® Source can more accurately determine whether findings are definitive or suspect. As a result, if you scan source code in AppScan® Source Version 9.0.2 or earlier, you may find that some findings classifications change when the same source code is scanned in product versions after 9.0.2. This will be most noticeable for findings related to highly exploitable web sources, and for property or environment sources that are less exploitable.

These rule attributes are used by default. You can disable them, as follows:

  1. Open <data_dir>\config\ipva.ozsettings in a text editor (where <data_dir> is the location of your AppScan® Source program data, as described in Installation and user data file locations). Locate the allow_likelihood setting in the file. This setting will look similar to:
    <Setting
      name="allow_likelihood"
      value="true"
      default_value="true"
      description="Allow the processing of the Likelihood 
        attributes to help determine trace confidence based 
        on the source API"
      display_name="Allow Likelihood"
      type="bool"
    />
    In this setting, modify the value attribute. If the attribute is set to true, this setting will be on. If it is set to false, AppScan® Source will not use these rule attributes during scans.
  2. Save the file after you have modified this setting and start or restart AppScan® Source.

Automatic lost sink generation

After Version 9.0.2, automatic lost sink resolution was introduced for traces that end in getters/setters and methods that return boolean values. This is done by automatically inferring markup for these application programming interfaces (API). As a result, if you scan source code in AppScan® Source Version 9.0.2 or earlier, you may notice changes in findings results that contained unresolved lost sinks when the same source code is scanned in product versions after 9.0.2.

Automatic markup generation is on by default. You can disable it if you want to use other means of lost sink resolution such as custom rules, as follows:

  1. Open <data_dir>\config\ipva.ozsettings in a text editor (where <data_dir> is the location of your AppScan® Source program data, as described in Installation and user data file locations). Locate the automatic_lost_sink_resolution setting in the file. This setting will look similar to:
    <Setting
      name="automatic_lost_sink_resolution"
      value="true"
      default_value="true"
      description="This setting tries to perform automatic 
        lost sink resolution by assuming taint propagation 
        for getters, setters and APIs which return boolean 
        with no arguments."
      display_name="Auto Lost Sink Resolution"
      type="bool"
    />
    In this setting, modify the value attribute. If the attribute is set to true, this setting will be on. If it is set to false, AppScan® Source will not automatically generate markup for these methods.
  2. Save the file after you have modified this setting and start or restart AppScan® Source.
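Both procedures above flip the value attribute of one <Setting> element in ipva.ozsettings by hand. The following Python script, an added example that is not HCL's documentation or tooling, makes the same change programmatically so it can be scripted when you want to rescan a codebase with and without these attributes and compare the findings. It edits only the value attribute and leaves default_value alone, refuses to touch a setting that is absent, duplicated or not of type bool, and keeps a backup. Only the <Setting .../> element shape is taken from the notes above; the <Settings> root element and the file content in SAMPLE are constructed assumptions.

```python
"""Toggle a boolean <Setting> in an AppScan Source .ozsettings file.

Added example, not HCL tooling. It assumes the file is XML containing
<Setting name=... value=... default_value=... type="bool" .../> elements, as
quoted in the migration notes; the <Settings> root element is an assumption.
"""
import shutil
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

XML_DECL = '<?xml version="1.0" encoding="UTF-8"?>\n'

# Constructed sample mirroring the two settings quoted in the notes. Real files
# carry many more settings; the <Settings> root is assumed, not from the product.
SAMPLE = XML_DECL + """<Settings>
  <Setting name="allow_likelihood" value="true" default_value="true"
    description="Allow the processing of the Likelihood attributes to help determine trace confidence based on the source API"
    display_name="Allow Likelihood" type="bool" />
  <Setting name="automatic_lost_sink_resolution" value="true" default_value="true"
    description="This setting tries to perform automatic lost sink resolution by assuming taint propagation for getters, setters and APIs which return boolean with no arguments."
    display_name="Auto Lost Sink Resolution" type="bool" />
</Settings>
"""


def _find_setting(root: ET.Element, name: str) -> ET.Element:
    """Return the single <Setting> named `name`; refuse absence or duplicates."""
    matches = [s for s in root.iter("Setting") if s.get("name") == name]
    if len(matches) != 1:
        raise KeyError(f"expected exactly one Setting named {name!r}, found {len(matches)}")
    return matches[0]


def setting_attrs(xml_text: str, name: str) -> dict:
    """Attributes of the named setting, e.g. to read value and default_value."""
    return dict(_find_setting(ET.fromstring(xml_text), name).attrib)


def set_bool_setting(xml_text: str, name: str, enabled: bool) -> tuple:
    """Return (new_xml, previous_value) with only the `value` attribute changed.

    `default_value` is deliberately left alone: it records the shipped default
    and is how you later tell a customised setting from an untouched one.
    Non-bool settings are rejected so a typo cannot write "false" into an
    integer or path setting.
    """
    root = ET.fromstring(xml_text)
    setting = _find_setting(root, name)
    if setting.get("type") != "bool":
        raise ValueError(f"{name} has type {setting.get('type')!r}, not bool")
    previous = setting.get("value")
    setting.set("value", "true" if enabled else "false")
    # ElementTree reflows attribute layout; the product reads XML, not whitespace.
    return XML_DECL + ET.tostring(root, encoding="unicode"), previous


def set_bool_setting_in_file(path: Path, name: str, enabled: bool) -> str:
    """Back up the file, rewrite it, and return the previous value."""
    text = path.read_text(encoding="utf-8")
    new_text, previous = set_bool_setting(text, name, enabled)
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    path.write_text(new_text, encoding="utf-8")
    return previous


if __name__ == "__main__":
    # Demo on a temporary copy of SAMPLE. For real use point `target` at
    # <data_dir>\config\ipva.ozsettings and restart AppScan Source afterwards.
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "ipva.ozsettings"
        target.write_text(SAMPLE, encoding="utf-8")
        for name in ("allow_likelihood", "automatic_lost_sink_resolution"):
            was = set_bool_setting_in_file(target, name, enabled=False)
            now = setting_attrs(target.read_text(encoding="utf-8"), name)["value"]
            print(f"{name}: {was} -> {now}")
```

As with the manual procedure, AppScan® Source reads the file at startup, so start or restart the product after running the script. The same helper applies to any other bool setting in an .ozsettings file, such as show_informational_findings in scan.ozsettings.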

Migrating from Version 9.0

AppScan® Enterprise Server authentication: Migration considerations for replacement of the IBM® Rational® Jazz user authentication component with IBM® WebSphere® Liberty

  • Migrating from an Enterprise Server that only has local Jazz users: In this upgrade scenario, the former Jazz users will appear in the AppScan® Source Database as AppScan® Enterprise Server users; however, they will not be valid. These users can be removed from the Database, or they can be converted to AppScan® Source users. Contact HCL Support for information on enabling former Jazz users in AppScan® Source.
  • Migrating from an Enterprise Server that was configured with LDAP: During the Enterprise Server upgrade, you have the option of configuring the Enterprise Server with LDAP again. If you do this, existing users will still work in AppScan® Source.
  • Migrating from an Enterprise Server that was configured with Windows authentication: If your Enterprise Server was configured with Windows authentication, existing users will work in AppScan® Source, provided the new Enterprise Server Liberty is configured to use Windows authentication.

Migrating from Version 8.7

Changes to findings classifications

After Version 8.7, findings classifications changed. This table lists the old classifications mapped to the new classifications:

Table 1. Findings classification changes

  Classification prior to Version 8.8    Classification as of Version 8.8
  -----------------------------------    --------------------------------
  Vulnerability                          Definitive security finding
  Type I Exception                       Suspect security finding
  Type II Exception                      Scan coverage finding

An example of these changes can be seen in the Vulnerability Matrix view.

Figure: Vulnerability Matrix view in versions of AppScan Source prior to Version 8.8

As of Version 8.8, the view looks like this:

Figure: Vulnerability Matrix view in AppScan Source Version 8.8

Default settings changes that will improve scan coverage

As of AppScan® Source Version 8.8:

  • The default value of show_informational_findings in scan.ozsettings has changed from true to false.
  • The default value of wafl_globals_tracking in ipva.ozsettings has changed from false to true. This setting enables AppScan® Source to find dataflow between different components of a framework-based application (for example, dataflow from a controller to a view).

The change to show_informational_findings will result in assessments not including findings with a severity level of Info by default.

Note: If you have scan configurations that were created prior to Version 8.8 that did not explicitly set values for these settings, the scan configurations will now use their new default values.

Restoring AppScan® Source predefined filters from previous versions

In AppScan® Source Version 8.8, predefined filters were improved to provide better scan results. If you need to continue using the predefined filters from older versions of AppScan® Source (archived filters are listed in AppScan Source predefined filters (Version 8.7.x and earlier)), follow the instructions in Restoring archived predefined filters.