What's New in AppScan® Source
Explore these new features that have been added to AppScan® Source - and note any features and capabilities that have been deprecated in this release.
- What's new in AppScan Source version 10.2.0
- What's new in AppScan Source version 10.1.0
- What's new in AppScan Source version 10.0.8
- What's new in AppScan Source version 10.0.7
- What's new in AppScan Source version 10.0.6
- What's new in AppScan Source version 10.0.5
- What's new in AppScan Source version 10.0.4
- What's new in AppScan Source version 10.0.3
- What's new in AppScan Source version 10.0.2
- What's new in AppScan Source version 10.0.1
- What's new in AppScan Source version 10.0.0
What's new in AppScan® Source version 10.2.0
Enhanced and new functionality in AppScan® Source version 10.2.0
- AppScan® Source enables you to configure license inactivity time in the license config file.
- AppScan® Source CLI now allows for source code only scanning when scanning folders.
- The Project file extensions preferences page now lists available language/project types in a drop-down list instead of on tabs.
- AppScan® Source supports Red Hat Linux 8.6.
- AppScan® Source supports .NET 7.
Additional AppScan® Source and AppScan® Enterprise interoperability information
- AppScan® Enterprise version 10.2.0 has upgraded support for CVSS 3.1. As an AppScan® Source user, if you upgrade to AppScan® Enterprise version 10.2.0, there might be discrepancies in severity values due to the nature of the CVSS 3.1 specification. Learn more here.
Fixes and security updates in AppScan® Source version 10.2.0
Fixes and security updates are listed here.
Known issues in AppScan® Source version 10.2.0
- When running AppScan® Source on Windows 2016 and using a non-English locale, AppScan® Source cannot publish assessments to AppScan® Enterprise.
- When scanning a folder with C# files, folder scan uses the Xamarin scanner. This can result in a high number of false positives when the user is not also using Xamarin.
What's new in AppScan® Source version 10.1.0
Enhanced and new functionality in AppScan® Source version 10.1.0
- AppScan® Source supports Red Hat Enterprise Linux 8.3.
- The HCL® AppScan® Source for Development (Eclipse Plug-in) is now supported on Eclipse IDE 2022-06.
- AppScan® Source supports Java 17, and includes it in the installation package.
- AppScan® Source supports Tomcat 9, and includes it in the installation package.
- AppScan® Source now allows for scanning folders without creating .PAF or .PPF files.
- Expanded support for Ruby, Groovy, JavaScript, and PHP scanning. Find system requirements information here.
Additional AppScan® Source and AppScan® Enterprise interoperability information
AppScan® Source version 10.1.0 supports AppScan® Enterprise Server version 10.1.0. AppScan® Source version 10.0.8 and earlier do not support AppScan® Enterprise Server version 10.1.0. Upgrade both products to ensure proper interoperability.
Fixes and security updates in AppScan® Source version 10.1.0
Fixes and security updates are listed here.
Capabilities nearing end-of-life or removed as of AppScan® Source version 10.1.0
- The following reports and report filters have been removed:
  - CWE SANS Top 25 2011 report
  - OWASP Top 10 2013 report
  - CWE SANS Top 25 2011 report filter
  - OWASP Top 25 2010 report filter
  - OWASP Top 25 2013 report filter
- Defect tracking system integration is no longer supported.
- Sending findings by email is no longer supported.
- Quality metrics are no longer supported.
- Tomcat 7 is no longer included in the AppScan® Source installation package.
- AppScan® Source will be dropping support for SolidDB and OracleDB in future releases.
What's new in AppScan® Source version 10.0.8
Enhanced and new functionality in AppScan® Source version 10.0.8
- The AppScan® Source command line interface (CLI) has been containerized, thus allowing the application and security scanning to be more efficient and more robust. Once installed and configured, a testing environment can be created on-demand, and quickly, and scans can be run concurrently. For additional information on containerization, see this document at HCL Support.
- AppScan® Source supports configuring license information through the command line.
- AppScan® Source supports Terraform.
- Support for the following reports:
- Support for the following report filters:
Fixes and security updates in AppScan® Source version 10.0.8
Fixes and security updates are listed here.
Known issues in AppScan® Source version 10.0.8
- When using the Eclipse plugin, AppScan® Source for Development must be configured with Java 8.
What's new in AppScan® Source version 10.0.7
HCL® AppScan® Source version 10.0.7 is the seventh fix pack release since the release of HCL® AppScan® Source major version 10.0.0.
Enhanced and new functionality in AppScan® Source version 10.0.7
- As of version 10.0.7, AppScan® Source has an updated installation path, replacing IBM with HCL. However, upgrading from version 10.0.6 or earlier will retain the original install path that uses IBM in the path.
- AppScan® Source supports IBM RPG projects.
- AppScan® Source supports .NET 5/6.
- AppScan® Source supports the OWASP Top 10 2021 report.
- Enabling Common Access Card (CAC) authentication no longer requires manual update of the java.security file.
Fixes and security updates in AppScan® Source version 10.0.7
Fixes and security updates are listed here.
Known issues in AppScan® Source version 10.0.7
- On Windows, when upgrading to AppScan® Source version 10.0.7 from AppScan® Source versions 9.0.3.x or 10.0.0, you must first perform an interim upgrade to an AppScan® Source version between 10.0.1 and 10.0.6.
  Important: Do not uninstall then reinstall. To maintain databases, you must upgrade in two steps.
- AppScan® Source configured with Oracle database requires a strong password using 16 or more characters.
Capabilities nearing end-of-life or removed in AppScan® Source version 10.0.7
- Support for SolidDB/Oracle will be removed in a future version of AppScan® Source. Please make plans now to migrate data from SolidDB/Oracle to AppScan® Enterprise Server, whether manually or through the database migration utility.
What's new in AppScan® Source version 10.0.6
Enhanced and new functionality in AppScan® Source version 10.0.6
- As it does in AppScan® Source for Analysis, the Findings view in the Visual Studio plug-in now displays findings by fix group by default.
- The algorithm used for assessment comparisons in AppScan® Source for Analysis has been updated. Assessment comparison results from the AppScan® Source for Analysis client will be consistent with the AppScanDelta command; however, there could be some differences in comparison results from previous versions of AppScan® Source.
- As part of the algorithm update, you can now choose to save assessments for new and/or resolved findings from the Assessments Diff view in AppScan® Source for Analysis.
- AppScan® Source supports source code-only scanning for C/C++, .NET, and Java.
- AppScan® Source has added advisory information to industry standard reports to assist with findings remediation.
- AppScan® Source supports CAC authentication with Subject Alternative Name - Multi-Domain (SAN) certificates.
- AppScan® Source supports the Dart programming language.
- Support for Stop/Cancel scan on Linux systems.
Fixes and security updates in AppScan® Source version 10.0.6
Fixes and security updates are listed here.
Known issues in AppScan® Source version 10.0.6
- Scans for Objective-C projects fail if you run the scan using an Objective-C .paf/.ppf file created with AppScan® Source version 10.0.5 or older. Reconfigure Objective-C projects in AppScan® Source version 10.0.6 and try again.
Capabilities nearing end-of-life or removed in AppScan® Source version 10.0.6
- AppScan® Source ceased supporting single file scanning as of version 10.0.0.
What's new in AppScan® Source version 10.0.5
Enhanced and new functionality in AppScan® Source version 10.0.5
- The KBArticle server has been replaced with AppScan Security Info Server. The content and interface of AppScan Security Info Server have been updated to better serve users, but it serves the same purpose as the KBArticle server in prior AppScan® Source versions: assisting users with mitigating and resolving application security findings.
- AppScan® Source has added advisory information to reports to assist with findings remediation.
- Remediation Assistance view has been renamed How to fix.
- AppScan® Source has added support for the DISA STIG v5r1 report format. This new report lists the vulnerability categories specified in the Application Security Checklist Version 5, Release 1. Wherever possible, AppScan® Source generates pertinent results to help the reviewer determine whether an application is in compliance with the STIG's requirements.
- Support for the HCL Common Local License Server 2.0 on both Windows and Linux.
- AppScan® Source supports generating findings reports where the findings are grouped by fix groups.
Additional AppScan® Source version 10.0.5 and AppScan® Enterprise version 10.0.5 interoperability information
- Speed of publishing to AppScan® Enterprise or importing issues to AppScan® Enterprise from the Monitor tab can now be balanced according to desired user responsiveness using a new property in the asc.properties file in AppScan® Enterprise. See the AppScan® Enterprise documentation for details on using the issue.import.batch.interval property.
Known issues in AppScan® Source version 10.0.5
- The locale set for AppScan Source should match the system locale to avoid garbled characters in the console output.
- There are some rendering issues in the How to fix view on Linux. In addition, external reference links do not open from the How to fix view on Linux; open the article in an external browser to render correctly and to access the external links.
- How to fix information is not included in reports when reports are generated using the ounceauto command, as the automation server fails to start the AppScan Security Info server. To work around this issue, start AppScan® Source for Analysis or the command line interface (CLI client) prior to generating a report using ounceauto; the AppScan Security Info server is started automatically by AppScan® Source for Analysis and by the CLI client.
What's new in AppScan® Source version 10.0.4
Enhanced and new functionality in AppScan® Source version 10.0.4
- As of version 10.0.4, AppScan® Source supports the following operating systems:
  - Windows Server 2019
  - Red Hat Linux versions 7.8 and 7.9
  For additional information see System requirements and installation prerequisites.
- As of version 10.0.4, AppScan® Source supports the following languages and language versions:
  - Java versions 9, 10, and 11:
    - AdoptOpenJDK 11 is the default
    - Any alternate JDKs specified must be 64-bit
  - .NET Core 3.1
  - Infrastructure as Code (IaC)
  For additional information, see System requirements and installation prerequisites.
Known issues in AppScan® Source version 10.0.4
- Bundles created in AppScan® Source version 9.3.14 or earlier and marked as excluded in the Properties view will not exclude the findings after upgrading to AppScan® Source version 10.0.0 and higher. The bundle should be recreated in AppScan® Source version 10.0.0 or higher.
- Performing a scan on all applications in an AppScan® Source for Analysis client may populate the Findings view without populating fix groups. Perform the scan on individual applications to avoid this result and display findings in fix groups appropriately.
- Publishing assessments to AppScan® Enterprise fails in non-English locales if the assessment file name contains native characters. Remove the native characters from the file name and republish.
What's new in AppScan® Source version 10.0.3
Enhanced and new functionality in AppScan® Source version 10.0.3
- As of version 10.0.3, AppScan® Source adds support for the following languages:
  - Android Java
  - Ionic
  - Objective C
  - React Native
  - SAP ABAP
  - Vue.js
  - Xamarin
  For additional information, see System requirements.
- Fix group support for static analysis.
Fix groups are a new approach to managing, triaging, and resolving issues found in static analysis scans. After running a static scan, AppScan® Source organizes issues into fix groups based on vulnerability type and the required remediation task. For additional information, see Working with static analysis fix groups.
- As part of fix group support, a tech preview of a companion report is visible in the Select Findings Report dialog box. The report currently displays high-level information on fix group type only. In a future release, additional depth will be added to the report functionality, including best fix locations for fix groups.
Known issues in AppScan® Source version 10.0.3
- The CLI command details intermittently reports an error. However, the functionality of the command is not affected.
  ERROR [main] (PrexisLogger.java:263) - Exception javax.xml.stream.XMLStreamException: Element type "Site" must be followed by either attribute specifications, ">" or "/>".
- When opening assessments published to the AppScan® Source database to view fix group information, NULL may be displayed in place of fix group type or fix group id. Save the assessment to a local file system, then open it using the Open Assessment command to view fix group information for published static analysis assessments.
Additional AppScan Source version 10.0.3 installation and interoperability information
- If you upgrade AppScan® Source or perform a repair install of AppScan® Source version 10.0.3, when the previous installation was configured with a database, you must start the AppScan Source DB service manually.
What's new in AppScan® Source version 10.0.2
Enhanced and new functionality in AppScan® Source version 10.0.2
- As of AppScan® Source version 10.0.2, an HCL license is required. See How to obtain and apply licenses for AppScan Source products for additional information.
- AppScan® Source for Analysis version 10.0.2 does not require a database connection to perform scans. Integration with AppScan Enterprise for sharing scan configurations and results is configured in AppScan® Enterprise. Disconnected functionality is described in more detail here.
- AppScan® Source introduces support for the following languages: Angular 8, Angular 9, Groovy, Symfony, and TypeScript. See System requirements for complete information.
Additional AppScan® Source version 10.0.2 installation and interoperability information
- When installing AppScan® Source version 10.0.2 to a clean system, there is no database to install, and therefore no database configuration to perform. Configure integration with AppScan Enterprise to store and retrieve shared information.
- When installing AppScan® Source version 10.0.2 to a clean system for use in connected mode, AppScan® Enterprise version 10.0.2 is required. Older versions of AppScan® Enterprise are not supported. In addition, AppScan Enterprise Server must be installed with both User Administration and Enterprise Console.
- When upgrading to AppScan® Source version 10.0.2 from a previous version, any previously installed database is fully supported, including configuration functionality.
- If you perform a repair install of AppScan® Source version 10.0.2, when the previous installation was configured with a database, you must start the AppScan Source DB service manually.
- If you upgrade AppScan® Source where only automation server or client components are installed and later perform a repair installation, update the following properties in ounce.ozsettings:
  name=core_provider value=1
  name=connect_mode value=false
- Silent installer response files created prior to version 10.0.2 are not supported. New silent installer response files must be created for use with AppScan® Source version 10.0.2.
Capabilities nearing end-of-life or removed in AppScan® Source version 10.0.2
- AppScan Source no longer supports IBM licenses and they can no longer be configured in the license manager. See How to obtain and apply licenses for AppScan Source products for additional information.
- AppScan® Source version 10.0.2 no longer supports Visual Studio 2010.
- SolidDB no longer ships with AppScan® Source and is not installed as part of the solution. Existing installations of SolidDB continue to be supported.
- The Audit Log option under the Admin menu is no longer available.
What's new in AppScan® Source version 10.0.1
Enhanced and new functionality in AppScan® Source version 10.0.1
- AppScan® Source version 10.0.1 has enhanced licensing functionality including proxy support for HCL-based licenses in the user interface and allowing use of untrusted certificates to make a connection to a local license server.
- AppScan® Source version 10.0.1 introduces AppScanDelta. This feature allows users to perform a diff from the command line between two assessments.
- AppScan® Source supports .NET Core 2.1 and 2.2.
- AppScan® Source version 10.0.1 includes language support for Scala, Swift, Kotlin, and ReactJS. See System Requirements for additional information.
- AppScan® Source version 10.0.1 supports the DISA STIG v4r10 report format.
Known issues in AppScan® Source version 10.0.1
- If you are scanning a Visual Studio project from 2015 or earlier, the scan may fail with a message to delete discoverymanager.exe.config. Delete the specified file and try again. For more information see here.
AppScan® Source interoperability
- 9.0.3.x and 10.0.0 versions of AppScan® Enterprise must be configured as follows to interoperate with AppScan® Source 10.0.1:
  set "allow.newer.source.clients=true" in the \Program Files (x86)\IBM\AppScan Enterprise\Liberty\usr\servers\ase\config\asc.properties file
Capabilities nearing end-of-life or removed in AppScan® Source version 10.0.1
The following capabilities are nearing end-of-life as of AppScan® Source version 10.0.1. Please plan accordingly.
- IMPORTANT! Support for IBM licenses in new releases of AppScan® will end in the third quarter 2020 (August/September). Subsequent new versions of AppScan® products will support HCL Licenses only. For additional information on licensing, see Activating the software. You can also contact your HCL representative or HCL Support.
- SolidDB will no longer be shipped with product updates beginning in the third quarter 2020 (August/September). Existing installations will still be supported.
What's new in AppScan® Source version 10.0.0
HCL® AppScan® Source version 10.0.0 marks a significant advancement in the technology behind the AppScan® family of products. HCL has invested in products in the DevSecOps market, laying the foundation for enhancements to our market-leading security scanning products, now and into the future.
- Enhanced and new functionality
- AppScan Source version 10.0.0 interoperability
- Additional AppScan Source version 10.0.0 installation instructions
- Known issues in AppScan® Source version 10.0.0
- Capabilities nearing end-of-life in AppScan Source version 10.0.0
- Functionality no longer supported in AppScan® Source version 10.0.0
Enhanced and new functionality in AppScan® Source version 10.0.0
- IBM® Security AppScan® Source is now HCL® AppScan® Source.
  In mid-2019, HCL Technologies acquired the AppScan® family of products from IBM, including AppScan® Enterprise, AppScan® Standard, AppScan® Source, and AppScan® on Cloud. All AppScan® products are now owned, developed, and promoted by HCL Software. All licenses, logos, naming conventions, and other intellectual and/or branding rights are owned by HCL. As such, all AppScan® products have been rebranded to reflect this ownership and its new phase of development and growth.
- Introducing HCL Licensing for HCL® AppScan® Source
  As part of the transition from IBM to HCL, HCL is introducing HCL-centric license packages for the AppScan® family of products. AppScan®, AppScan® Standard, and AppScan® Source use a local FlexLM license server, authenticating via a proxy server; AppScan® on Cloud uses a market-leading customer identity access management (CAIM) system from Okta.
- AppScan® Source now supports the Go programming language (Golang).
- AppScan® Source now supports C++ scanning in Visual Studio 2015, 2017, and 2019.
- AppScan® Source now supports Oracle 19c.
- New data flow scanning functionality performs a more complete code analysis and produces more findings as a result.
- For languages for which AppScan® Source has custom scanners, you may see a marked difference in findings when scanning with AppScan® Source v10. In instances when scanning has been converted to custom scanning, this may mean a reduction in findings. The rules for custom scanners are evolving and being added to on a regular basis, and are easy to enhance.
- Enhanced integration with Intelligent Code Analytics (ICA) and Intelligent Findings Analytics (IFA).
  When ICA/IFA is enabled, you see and can access the Excluded Findings tab. For additional information, see Intelligent Findings Analytics (IFA) in the AppScan® Source documentation.
By default, IFA is enabled for all scans. When enabled, it is applied to the current scan and future scans. It cannot be applied to assessments from previous scans.
- Scanning .NET projects (ASP, WEB, Framework, Core) in AppScan® Source mirrors the processing in HCL AppScan on Cloud. .NET projects must be able to be compiled before they can be scanned and must have the correct build specification in project properties.
- 15 GB is the minimum amount of space required to install AppScan® Source and run basic scans. However, required disk space varies depending on the application being scanned. We recommend a minimum of 8 GB of RAM and 15-20 GB of free disk space. You may also need to increase your Windows page file requirement (see Tips to improve PC performance in Windows 10 for more information).
- For additional information on system requirements, and scanning and plug-in support, see System requirements and installation prerequisites or contact HCL Support.
Additional AppScan® Source version 10.0.0 installation instructions
When installing AppScan® Source version 10.0.0 with the Visual Studio 2019 plug-in, the installation appears to complete successfully, but the Visual Studio 2019 plug-in may not be installed properly. To install the AppScan® Source version 10.0.0 plug-in in Visual Studio 2019:
- Ensure that HCL® AppScan® Source version 10.0.0 is installed on the target system. Select Microsoft Visual Studio 2019 plug-in during installation.
- If a pre-10.0.0 version of AppScan® Source has been installed into the target instance of Visual Studio 2019, uninstall it as follows:
  - Start the target Visual Studio 2019 instance.
  - Open to .
  - On the Installed tab, select AppScan Source Plug-in from the list.
  - Click Uninstall plug-in and follow the prompts to complete uninstallation.
- Install the HCL® AppScan® Source version 10.0.0 plug-in into the Visual Studio 2019 instance as follows:
  - Close all Visual Studio 2019 instances.
  - Download VS2019Plugin.zip from the HCL® AppScan® Source release download site.
  - Extract the contents of the zip file into <AppScan Source Install Dir> (the default location is C:\Program Files (x86)\IBM\AppScanSource). Choose Yes for all options when prompted.
  - Double-click AppScanSrcPlugin.vsix from the <AppScan Source Install Dir>/bin directory.
  - In the resulting VSIX Installer dialog, select Visual Studio <Edition> 2019 and click Install.
The edition could be Professional, Enterprise or Community based on what is installed on the machine. You can select more than one Edition to install, if available.
  - When installation is complete, close the dialog.
  - Restart Visual Studio 2019. The AppScan Source plug-in appears under Extensions.
AppScan® Source version 10.0.0 interoperability
- An AppScan® Source 10.0.0 client will not scan correctly with a pre-10.0.0 AppScan® Source database due to the difference in the contents of the database as they pertain to scan rules.
- Similarly, a pre-10.0.0 AppScan® Source client will NOT scan correctly with a 10.0.0 AppScan® Source database.
- An instance of AppScan® Enterprise configured with an instance of the AppScan® Source 10.0.0 database cannot be used by 9.0.3.x versions of AppScan® Source, and vice versa.
- 9.0.3.x versions of AppScan® Enterprise must be configured as follows to interoperate with AppScan® Source 10.0.0:
  set "allow.newer.source.clients=true" in the \Program Files (x86)\IBM\AppScan Enterprise\Liberty\usr\servers\ase\config\asc.properties file
Known issues in AppScan® Source version 10.0.0
- The following languages are not supported:
  - Arxan C
  - WSDL
- On WebSphere, only default JSP compilation options are supported.
- Single file scanning is not available across all languages.
- There is no mechanism to disable precompilation of JSP files. JSP files will always be precompiled.
- Stop/Cancel scan does not work on Linux systems.
- Stop/Cancel may not work on Windows systems when using the command line interface. To work around this issue, restart AppScan® Source and kill the background processes.
- When uninstalling AppScan® Source version 10.0.0 from a Windows system, the uninstall process sometimes hangs. For more information, see Uninstallation of AppScan Source hangs on Windows.
- After upgrade to AppScan® Source version 10.0.0, PDF reports are not generating. For more information, see AppScan Source 10.0.0 throws "java.lang.reflect.InvocationTargetException" during PDF report generation in upgrade scenario.
Capabilities nearing end-of-life in AppScan® Source version 10.0.0
- Custom findings
- Quality metrics
- Email/settings
- RSS feed
- Application attributes
  Use AppScan Enterprise to store application information.
- Defect tracking system integration
  Use the AppScan® Issues gateway to integrate at the AppScan Enterprise level.
Functionality no longer supported in AppScan® Source version 10.0.0
- The vulnerability cache is no longer supported.
- Incremental scanning is not supported.
- Non-CPA scanning is not supported.
- As of version 9.0.3.11, AppScan® Source no longer supports macOS or iOS Xcode project scanning.
  Some components of AppScan® Source are 32-bit. macOS 10.14 (Mojave) is the last Mac operating system version that will support 32-bit applications.
  You can continue to use AppScan® Source version 9.0.3.10 and earlier on Mac operating systems up to and including 10.12.