HCL® AppScan® Source Version 10.7.0 Readme and Release Notes
October, 2024
Please read this entire document carefully before you install the product or any of its components.
This document lists important issues and topics concerning AppScan® Source:
- AppScan Source licensing
- IMPORTANT: New installation file name for Windows
- AppScan Source for Analysis product documentation
- Known limitations and workarounds:
- General
- Stop Scan no longer available
- After upgrading AppScan Source, findings from excluded bundles may appear in scan results
- IPv6 limitations
- Use precompiled classes when a scan of an Eclipse workspace fails due to missing classes or libraries
- Silent installation is not supported on Turkish locales
- UTF-8 character set is required for Oracle databases
- Line numbers in JSP files
- Ounce/Maven
- AppScan Source for Analysis
- Upgrading AppScan Source without ending all AppScan Source java processes may cause the How to Fix view to fail
- AppScan Source for Analysis and AppScan Source for Development (Eclipse plug-in) component prerequisite on Linux
- Intermittent shutdown of AppScan Source for Analysis on Linux
- Caching may occur when switching national languages
- Multibyte characters in the installation path of AppScan Source for Analysis are not supported
- Linux - Error launching AppScan Source for Analysis after configuring AppScan Source daemons to run as user other than 'ounce' during installation
- Removing AppScan Source for Analysis as a non-administrative user
- To create PDF reports, it may be necessary to install system fonts for some non-English languages
- Modifying custom rules and plug-in use
- Assessment Summary view chart style selection is no longer supported
- AppScan Source command line interface (CLI)
- AppScan Source for Development (Eclipse plug-in)
- Upgrading AppScan Source without ending all AppScan Source java processes may cause the How to Fix view to fail
- After applying AppScan Source for Development to Eclipse, you are not prompted to choose a workspace after the initial Eclipse relaunch
- Upgrading the AppScan Source for Development (Eclipse plug-in)
- AppScan Source for Analysis and AppScan Source for Development (Eclipse plug-in) component prerequisite on Linux
- AppScan Source for Development plug-in for Eclipse and Eclipse-based products: multiple prompts for AppScan Source installation directory
- Shared/Global filters in AppScan Source for Development do not consistently display
- Modifying custom rules and plug-in use
- Assessment Summary view chart style selection is no longer supported
- AppScan Source for Development (Visual Studio plug-in)
- Upgrading AppScan Source without ending all AppScan Source java processes may cause the How to Fix view to fail
- Delay when copying large numbers of findings in large assessments
- AppScan Source About dialog box in Microsoft Visual Studio is truncated
- Shared/Global filters in AppScan Source for Development do not consistently display
- Assessment Summary view chart style selection is no longer supported
- Scanning solution files that were created in a version of Microsoft Visual Studio that is not installed
- Microsoft Windows
- Scanning Windows C/C++ applications
- Uninstallation of AppScan Source hangs on Windows
- Installation of AppScan Source interrupted by Windows Defender
- Upgrading AppScan Source without ending all AppScan Source java processes may cause the How to Fix view to fail
- Errors when AppScan Source configuration files contain special characters
- Library id and progid forms of #import are not supported
- Referenced assemblies must be in the same directory as the assembly being scanned or registered in the Global Assembly Cache (GAC)
- .NET Assembly projects assembled with .NET Core
- Visual Basic 6 scan requires full function declaration
- Dialog box and message truncations when running in non-English locales
- AppScan Source for Development (Visual Studio plug-in) limitations
- Linux
- Nodelocked licenses and Red Hat Enterprise Linux 7.4
- Uninstalling AppScan Source on Red Hat Enterprise Linux 7.x
- Upgrading AppScan Source without ending all AppScan Source java processes may cause the How to Fix view to fail
- SELinux prevents installation, product activation, and running
- Linux Mozilla requirement for Remediation Assistance view
- AppScan Source for Analysis and AppScan Source for Development (Eclipse plug-in) component prerequisite on Linux
- Intermittent shutdown of AppScan Source for Analysis on Linux
- Linux - Error launching AppScan Source for Analysis after configuring AppScan Source daemons to run as user other than 'ounce' during installation
- Scanning source code compiled with older versions of gcc, such as 2.95.4, produces errors
- macOS
- General
- Additional information
- AppScan® Source version 10.7.0
- AppScan® Source version 10.6.0
- AppScan® Source version 10.5.0
- AppScan® Source version 10.4.0
- AppScan® Source version 10.3.0
- AppScan® Source version 10.2.0
- AppScan® Source version 10.1.0
- AppScan® Source version 10.0.8
- AppScan® Source version 10.0.7
- AppScan® Source version 10.0.6
- AppScan® Source version 10.0.5
- AppScan® Source version 10.0.4
- AppScan® Source version 10.0.3
- AppScan® Source version 10.0.2
- AppScan® Source version 10.0.1
- AppScan® Source version 10.0.0
- Enhanced and new functionality in AppScan Source version 10.0.0
- AppScan Source version 10.0.0 interoperability
- Additional AppScan Source version 10.0.0 installation instructions
- Known issues in AppScan Source version 10.0.0
- Capabilities and features no longer supported in AppScan Source version 10.0.0
- Documentation
- Obtaining Technical Support
AppScan® Source licensing
AppScan® Source provides a License Manager utility that is used for loading and updating license information on your client machine. This utility allows you to view your current license status - or you can use the utility to activate the product by importing a nodelocked license file or by using a floating license on a license server. Nodelocked licenses are tied to individual machines - while floating licenses can be checked out for use on different client machines.
The License Manager utility can be opened from the product installation wizard after installation is complete - or you can launch it from the Windows™ Start menu.
AppScan® Source licenses are obtained from the HCL® License & Delivery Portal. For detailed information about obtaining licenses and license activation, see How to obtain and apply licenses for AppScan Source products and Activating the software in the help.
IMPORTANT: New installation file name for Windows
In previous releases, the Windows installation file was named setup.exe. The installation file is now named AppScanSrc_Installer.exe.
AppScan® Source for Analysis product documentation
When you use the AppScan® Source for Analysis, online help for AppScan® Source at HCL Software Product Documentation opens. Similarly, when you follow links from the AppScan® Source for Analysis Welcome view, they open at HCL Software Product Documentation.
menu item in AppScan® Source for Analysis also offers context-sensitive help for many views, preference pages, and dialog boxes. The keyboard shortcut for context-sensitive help is F1 on Windows and Shift+F1 on Linux. This context-sensitive help also opens to AppScan® Source at HCL Software Product Documentation.
If you are using the product without an internet connection, help is available locally as follows:
- Javadoc for some AppScan® Source for Analysis features is located in the doc/Javadoc or doc\Javadoc directory of your AppScan® Source installation directory. As of Version 9.0.3.4, Javadoc for these features is available:
  - Javadoc for the application server import framework API classes and methods is available in doc/Javadoc/appserverimporter or doc\Javadoc\appserverimporter.
  - Javadoc for the Framework for Frameworks API classes and methods is available in doc/Javadoc/frameworks or doc\Javadoc\frameworks.
In these folders, open the index.html file.
General
Stop Scan no longer available
AppScan® Source no longer allows you to interrupt a scan and return the current results. The scan must complete to see results.
After upgrading AppScan® Source, findings from excluded bundles may appear in scan results
After AppScan® Source is upgraded, the properties of some findings can change, which can result in this known limitation.
IPv6 limitations
AppScan® Source is enabled for Internet Protocol Version 6 (IPv6), with these exceptions:
- Inputting IPv6 numerical addresses is not supported and a host name must be entered instead. Inputting IPv4 numerical addresses is supported.
Use precompiled classes when a scan of an Eclipse workspace fails due to missing classes or libraries
If you successfully import an Eclipse workspace, but find that scanning it fails due to missing classes or libraries, it is recommended that you use the option to scan with precompiled classes. To do this, select that option in the project properties and browse to the bin directory of the Eclipse project.
Silent installation is not supported on Turkish locales
If you create a custom silent installation, it will not succeed when running on any Turkish language locale (for example, tr and tr_TR).
UTF-8 character set is required for Oracle databases
If you are connecting the AppScan® Enterprise Server to an Oracle database, you must set the character set to UTF-8 when creating the database (this is typically not the default character set).
Line numbers in JSP files
Line numbers for the .java file that was generated from the .jsp file display along with the JSP file name.
Ounce/Maven
The ounce:report mojo does not work for existing assessment XML files, only new scans.
AppScan® Source for Analysis
Upgrading AppScan® Source without ending all AppScan® Source java processes may cause the How to Fix view to fail
If you perform a product upgrade when an AppScan® Source java process is still running, the How to Fix view may display an error similar to one of these after the upgrade:
This page can't be displayed
- Make sure the web address http://<my_host_and_port> is correct.
- Look for the page with your search engine.
- Refresh the page in a few minutes.
or
Error executing query and transform
Before upgrading an AppScan® Source installation that includes the AppScan® Source for Analysis, AppScan® Source for Development (Eclipse plug-in), or AppScan® Source for Development (Visual Studio plug-in) components, ensure that there are no AppScan® Source java processes running.
AppScan® Source for Analysis and AppScan® Source for Development (Eclipse plug-in) component prerequisite on Linux™
On Linux™, Eclipse requires the installation of a third-party component in order to render browser-based content. Without this component, AppScan® Source for Analysis and the AppScan® Source for Development (Eclipse plug-in) may exhibit symptoms such as a hang after login or a failure during product use.
Intermittent shutdown of AppScan® Source for Analysis on Linux™
To prevent an unexpected shutdown, upgrade Pango. The Pango upgrade may require an upgrade of glib.
Caching may occur when switching national languages
The AppScan® Source for Analysis user interface can be displayed in different national languages by switching the language in the preferences and restarting the workbench. It is common Eclipse behavior for strings to be cached and to display in the previous language that was used - and AppScan® Source for Analysis is affected by this behavior. If you switch the national language that is displayed and then restart the workbench, cached strings will be refreshed when you activate the user interface element that the string describes (for example, if a button label has been cached, clicking the button will cause the string to refresh to the new language).
Multibyte characters in the installation path of AppScan® Source for Analysis are not supported
All versions of AppScan® Source for Analysis will fail during installation with an Invalid Directory error if the installation path contains multibyte characters.
Linux™ - Error launching AppScan® Source for Analysis after configuring AppScan® Source daemons to run as user other than 'ounce' during installation
The AppScan® Source for Analysis installer allows you to configure the AppScan® Source daemon processes to run as the default user named 'ounce' or as an existing user.
Workaround: If you do not choose the default user, you must create an eclipse.ini file in the AppScan® Source installation directory (for example, /opt/hcl/appscansource) that consists of this line:
-configuration @user.home/.ounceconfig
Removing AppScan® Source for Analysis as a non-administrative user
AppScan® Source for Analysis on Windows™ requires administrator access to create Add or Remove Programs entries. If you installed AppScan® Source for Analysis as a non-administrator user, to remove AppScan® Source for Analysis, go to <install_dir>\Uninstall_AppScan and run AppScan_Uninstaller.exe (where <install_dir> is the location of your AppScan® Source installation).
To create PDF reports, it may be necessary to install system fonts for some non-English languages
For these languages, you may need to install the indicated fonts to be able to create PDF reports:
- Japanese: MS Gothic or VL Gothic
- Korean: Gulim
- Simplified Chinese: SimSun-18030 or MingLiU
- Traditional Chinese: SimSun-18030 or MingLiU
Modifying custom rules and plug-in use
If you create a custom rule in AppScan® Source for Analysis and are logged in to an AppScan® Source for Development plug-in, to see the changes, you must restart the IDE.
Assessment Summary view chart style selection is no longer supported
In the Assessment Summary view, you can no longer choose the style of chart to display. The bar chart is the only chart style available.
AppScan® Source for Development (Eclipse plug-in)
Upgrading AppScan® Source without ending all AppScan® Source java processes may cause the How to Fix view to fail
If you perform a product upgrade when an AppScan® Source java process is still running, the How to Fix view may display an error similar to one of these after the upgrade:
This page can't be displayed
- Make sure the web address http://<my_host_and_port> is correct.
- Look for the page with your search engine.
- Refresh the page in a few minutes.
or
Error executing query and transform
Before upgrading an AppScan® Source installation that includes the AppScan® Source for Analysis, AppScan® Source for Development (Eclipse plug-in), or AppScan® Source for Development (Visual Studio plug-in) components, ensure that there are no AppScan® Source java processes running.
After applying AppScan® Source for Development to Eclipse, you are not prompted to choose a workspace after the initial Eclipse relaunch
After applying AppScan® Source for Development to Eclipse, you are prompted to restart the workbench. After restarting, you are prompted to choose a workspace. However, when you restart Eclipse again - or close it and start it - you are not prompted to choose a workspace.
This problem is related to https://bugs.eclipse.org/bugs/show_bug.cgi?id=409552.
You can work around this problem using one of these methods:
- Use the -clean option when starting Eclipse.
- Exit Eclipse and then, in your Eclipse installation directory, delete the configuration\org.eclipse.osgi\.manager directory before starting Eclipse again.
If you do not resolve the problem, you can ensure that you are using the correct workspace by using the action.
Upgrading the AppScan® Source for Development (Eclipse plug-in)
It is recommended that you uninstall AppScan® Source for Development from your Eclipse IDE before upgrading to a more recent version of AppScan® Source for Development or AppScan® Source.
AppScan® Source for Analysis and AppScan® Source for Development (Eclipse plug-in) component prerequisite on Linux™
On Linux™, Eclipse requires the installation of a third-party component in order to render browser-based content. Without this component, AppScan® Source for Analysis and the AppScan® Source for Development (Eclipse plug-in) may exhibit symptoms such as a hang after login or a failure during product use.
AppScan® Source for Development plug-in for Eclipse and Eclipse-based products: multiple prompts for AppScan® Source installation directory
When you use the AppScan® Source for Development Plug-in for Eclipse and Eclipse-based products for the first time, you are prompted by a dialog box to specify the path to your AppScan® Source installation directory. If you specify the installation directory and click OK but then receive the same dialog again, click Cancel, restart the workbench, and then continue with normal product use. Failure to restart the workbench upon receiving multiple prompts for the installation directory can cause scans to fail.
Shared/Global filters in AppScan® Source for Development do not consistently display
The Filtering module in AppScan® Source for Development allows you to open saved assessments and perform filtering actions without having to log in and authenticate to the AppScan® Enterprise Server. Because shared filters are stored in the AppScan® Source Database (which requires login and authentication to access), they are not available in the plug-ins if you have not yet logged your current plug-in session into AppScan® Source.
Workaround: Perform a scan (or any other action that requires login) before accessing the filtering module in the plug-in. Once you log in, shared filters will be available.
Modifying custom rules and plug-in use
If you create a custom rule in AppScan® Source for Analysis and are logged in to an AppScan® Source for Development plug-in, to see the changes, you must restart the IDE.
Assessment Summary view chart style selection is no longer supported
In the Assessment Summary view, you can no longer choose the style of chart to display. The bar chart is the only chart style available.
AppScan® Source for Development (Visual Studio plug-in)
Upgrading AppScan® Source without ending all AppScan® Source java processes may cause the How to Fix view to fail
If you perform a product upgrade when an AppScan® Source java process is still running, the How to Fix view may display an error similar to one of these after the upgrade:
This page can't be displayed
- Make sure the web address http://<my_host_and_port> is correct.
- Look for the page with your search engine.
- Refresh the page in a few minutes.
or
Error executing query and transform
Before upgrading an AppScan® Source installation that includes the AppScan® Source for Analysis, AppScan® Source for Development (Eclipse plug-in), or AppScan® Source for Development (Visual Studio plug-in) components, ensure that there are no AppScan® Source java processes running.
Delay when copying large numbers of findings in large assessments
When you multiselect and copy multiple findings in an assessment that contains a large number of findings, you may experience a several second delay before the copy action is added to the clipboard. Ensure that the copy action completes before attempting to paste what was copied.
Scanning solution files that were created in a version of Microsoft™ Visual Studio that is not installed
If you attempt to scan a solution file that was created in a version of Visual Studio that is not installed on your system, AppScan® Source will attempt to locate a compatible version of Visual Studio on your system and use it for scanning.
AppScan® Source About dialog box in Microsoft™ Visual Studio is truncated
With certain national languages, the About dialog box for the AppScan® Source for Development (Visual Studio plug-in) appears truncated. To address this, adjust the screen resolution and/or the font size for best viewing.
Shared/Global filters in AppScan® Source for Development do not consistently display
The Filtering module in AppScan® Source for Development allows you to open saved assessments and perform filtering actions without having to log in and authenticate to the AppScan® Enterprise Server. Because shared filters are stored in the AppScan® Source Database (which requires login and authentication to access), they are not available in the plug-ins if you have not yet logged your current plug-in session into AppScan® Source.
Workaround: Perform a scan (or any other action that requires login) before accessing the filtering module in the plug-in. Once you log in, shared filters will be available.
Assessment Summary view chart style selection is no longer supported
In the Assessment Summary view, you can no longer choose the style of chart to display. The bar chart is the only chart style available.
AppScan® Source command line interface (CLI)
Issuing the publishassessase or pase command results in HttpAuthenticator warnings
If you are using the CLI to publish to an AppScan® Enterprise Console that has only Windows authentication enabled, you may see warnings similar to these when issuing the publishassessase or pase command:
WARN [main] (HttpAuthenticator.java:207) - NEGOTIATE authentication error: org.ietf.jgss.GSSException, major code: 2, minor code: 0
major string: Unsupported mechanism
minor string: No factory available to create name for mechanism x.x.x.x.x.x.x
Assessment successfully published to: https://<ase_hostname>/ase
These warnings will not affect the publication of your assessments and can be ignored.
Microsoft™ Windows™
Scanning Windows C/C++ applications
Windows C/C++ applications are now scanned as 64-bit.
C/C++ applications that aren't 64-bit safe may experience scanning errors.
Uninstallation of AppScan® Source hangs on Windows
When both server and client feature sets of AppScan® Source v10.0.0 are installed on a Windows system, uninstall hangs when the process tries to delete JRE files from <InstallDir>\engine.
When this occurs, kill the process and finish the uninstall manually.
To end the uninstall process and finish the uninstall:
- First try to close the installer dialog manually by clicking on the x in the top right corner.
- If manually closing the dialog is unsuccessful:
  - Open Windows Task Manager.
  - On the Details tab, find the AppScanSrc_Uninstaller.exe process.
  - Right-click on the process and select End task.
- From Windows Explorer, delete the installation directory. By default, the installation directory for AppScan® Source version 10.0.6 and earlier is C:\Program Files (x86)\IBM\AppScanSource.
- Delete the data directory. By default, the data directory for AppScan® Source version 10.0.6 and earlier is C:\ProgramData\IBM\AppScanSource.
Installation of AppScan® Source interrupted by Windows Defender
When installing AppScan® Source on older versions of Windows, Windows Defender may interrupt the installation process with a warning pop-up. Click through the pop-up to continue install. For additional information, see https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.
Upgrading AppScan® Source without ending all AppScan® Source java processes may cause the How to Fix view to fail
If you perform a product upgrade when an AppScan® Source java process is still running, the How to Fix view may display an error similar to one of these after the upgrade:
This page can't be displayed
- Make sure the web address http://<my_host_and_port> is correct.
- Look for the page with your search engine.
- Refresh the page in a few minutes.
or
Error executing query and transform
Before upgrading an AppScan® Source installation that includes the AppScan® Source for Analysis, AppScan® Source for Development (Eclipse plug-in), or AppScan® Source for Development (Visual Studio plug-in) components, ensure that there are no AppScan® Source java processes running.
Errors when AppScan® Source configuration files contain special characters
On Windows™, some special characters (for example, Ç, à, ∾, ¥, §, Æ) in the filenames of configuration files (.ppf, .paf, and .osc) may result in errors.
Library id and progid forms of #import are not supported
The Microsoft™ Visual C++ #import preprocessor directive has several forms. AppScan® Source does not support the two forms that use a library id or a progid. Files containing these forms will not be scanned and an error message appears in the Console.
Referenced assemblies must be in the same directory as the assembly being scanned or registered in the Global Assembly Cache (GAC)
AppScan® Source can only produce a complete scan of a .NET application when all referenced or dependent assemblies are in the same folder as the assembly being scanned, or registered in the GAC. If your assembly references types defined in assemblies in other places on disk, you may see errors such as this:
Skipping file <assembly_name> due to error: Failed (0x80004005) in <type> call
Referenced assembly <referenced assembly name> was not found.
To fix these errors, copy the referenced assembly to the same directory as the assembly being scanned - or register it in the GAC (for example, with the .NET SDK's gacutil /i <assembly>). Note that an assembly resolved from the GAC is whatever version is registered there, so check that it matches the version your project was built against before trusting the scan as complete.
.NET Assembly projects assembled with .NET Core
AppScan® Source does not support .NET Assembly projects containing assembly files generated with .NET Core. .NET Core projects can be scanned in the same way as .NET solutions files. See Adding an existing application with user interface actions for additional information.
Visual Basic 6 scan requires full function declaration
#If, #ElseIf, and #End If blocks must contain the full declaration of a function. For example:
#If NATIVEBINDING Then
Public Function TemplateFromRule(ByVal Rule As OrgMan.Rule) As AcDir.Template
    Dim oOp As OrgMan.Operation
#Else
Public Function TemplateFromRule(ByVal Rule As Object) As AcDir.Template
    Dim oOp As Object
#End If
    ' Each conditional branch above carries the complete Function header;
    ' the scanner cannot resolve a declaration split across #If blocks.
    If Rule Is Nothing Then Exit Function
    Set oOp = Rule.Operation
    If oOp Is Nothing Then Exit Function
    Set TemplateFromRule = BuildTemplate(oOp.Command, Rule.Field, Rule.Value)
End Function
Dialog box and message truncations when running in non-English locales
In AppScan® Source, some dialog boxes and messages can be re-sized even though typical Microsoft™ Windows™ controls that indicate the ability to resize are not present. If you are running an AppScan® Source product graphical user interface on a non-English locale and dialog box and messages contain truncated strings, you may be able to resize the dialog box or message to read the entire contents of the dialog box or message.
AppScan® Source for Development (Visual Studio plug-in) limitations
Any limitations that apply to the AppScan® Source for Development (Visual Studio plug-in) are also specific to Windows. Please see AppScan Source for Development (Visual Studio plug-in).
Linux™
Nodelocked licenses and Red Hat Enterprise Linux 7.4
IBM-originating nodelocked licenses may not work correctly with Red Hat Enterprise Linux 7.4. Move to HCL-originating nodelocked licenses. Contact HCL Support for additional information.
Uninstalling AppScan Source on Red Hat Enterprise Linux 7.x
On Red Hat Enterprise Linux 7.x, you must restart your system after uninstalling AppScan Source version 9.0.3.x to stop running all AppScan Source processes.
Upgrading AppScan® Source without ending all AppScan® Source java processes may cause the How to Fix view to fail
If you perform a product upgrade when an AppScan® Source java process is still running, the How to Fix view may display an error similar to one of these after the upgrade:
This page can't be displayed
- Make sure the web address http://<my_host_and_port> is correct.
- Look for the page with your search engine.
- Refresh the page in a few minutes.
or
Error executing query and transform
Before upgrading an AppScan® Source installation that includes the AppScan® Source for Analysis, AppScan® Source for Development (Eclipse plug-in), or AppScan® Source for Development (Visual Studio plug-in) components, ensure that there are no AppScan® Source java processes running.
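The pre-upgrade check above is stated for every component but the release notes do not show how to perform it. The following Linux shell script is an added example, not part of the release notes or the product: it reads ps output and lists java processes whose command line references the AppScan® Source installation directory. The path /opt/hcl/appscansource is the example default used elsewhere in this document; adjust it to your installation. Because the daemons run as user 'ounce' by default, the check looks at every user's processes rather than only your own.

```shell
#!/bin/sh
# Added example (not from the release notes): find AppScan Source java
# processes that must be stopped before upgrading. The install path is an
# assumption; pass your own as the first argument.

# appscan_java_procs INSTALL_DIR
#   Reads `ps -eo user,pid,args` output on stdin and prints "user pid" for
#   each java process whose command line mentions INSTALL_DIR. The first
#   line of ps output is the column header and is skipped.
appscan_java_procs() {
    awk -v dir="$1" '
        NR > 1 && $3 ~ /(^|\/)java$/ && index($0, dir) > 0 { print $1, $2 }
    '
}

# count_appscan_java_procs INSTALL_DIR
#   Same input; prints the number of matching processes (0 when none).
count_appscan_java_procs() {
    appscan_java_procs "$1" | wc -l | tr -d ' '
}

# Usage: check_appscan_java.sh [INSTALL_DIR]
if [ $# -ge 1 ]; then
    install_dir=$1
    n=$(ps -eo user,pid,args | count_appscan_java_procs "$install_dir")
    if [ "$n" -gt 0 ]; then
        echo "Stop these AppScan Source java processes before upgrading:"
        ps -eo user,pid,args | appscan_java_procs "$install_dir"
        exit 1
    fi
    echo "No AppScan Source java processes are running under $install_dir."
fi
```

Run it as sh check_appscan_java.sh /opt/hcl/appscansource; a non-zero exit means processes are still running. Stop the daemons through their normal service scripts rather than killing the java processes directly, and re-run the check before starting the upgrade.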
Linux™ Mozilla requirement for Remediation Assistance view
The Remediation Assistance view on Linux™ requires Mozilla linked against GTK2 or higher. Install Mozilla linked against GTK2 or higher. After acquiring Mozilla, unpack it and set the environment variable MOZILLA_FIVE_HOME to point to it. For example, if you untar the archive to /usr/local and use the bash shell, add export MOZILLA_FIVE_HOME=/usr/local/mozilla to your ~/.bashrc.
SELinux prevents installation, product activation, and running
Security Enhanced Linux™ (SELinux) is a Linux™ kernel feature that provides mandatory access control through the Linux™ Security Modules framework of the kernel. It is enabled by default on Red Hat Enterprise Linux 5 and later.
- Installation: Installation of AppScan® Source is not possible with SELinux in Enforcing mode. SELinux must be changed to Permissive mode. To run SELinux in Permissive mode, issue /usr/bin/system-config-selinux or, if running GNOME, select it from the menu. You will be prompted for your root password. Select Status in the left pane if it is not already selected. In the right pane, change the Current Enforcing Mode drop-down to Permissive. After setting SELinux to Permissive, run the AppScan® Source installation as normal. Change the SELinux setting back to Enforcing after the installation is complete; Permissive mode logs denials but does not block them, so the system is unprotected while it is in effect.
- Product activation: The AppScan® Source License Manager cannot be used in Enforcing mode. SELinux must be changed to Permissive mode. To run SELinux in Permissive mode, issue /usr/bin/system-config-selinux or, if running GNOME, select it from the menu. You will be prompted for your root password. Select Status in the left pane if it is not already selected. In the right pane, change the Current Enforcing Mode drop-down to Permissive. After setting SELinux to Permissive, run the License Manager. Change the SELinux setting back to Enforcing after product activation is complete.
- Running: The JRE and JDKs that are shipped with AppScan® Source will not operate with SELinux in Enforcing mode. However, it is not necessary to disable Enforcing mode, because the files that trigger SELinux denials can be given permission to operate. This is done with the chcon command: chcon -t textrel_shlib_t <filename>. All of the shared object files (.so) under the <installdir>/jre and <installdir>/JDKS directories need to have this command issued against them. This can be performed in a batch fashion using the find command with the -exec parameter. For example:
cd /opt/ibm/appscansource/jre
sudo find . -name "*.so" -exec chcon -t textrel_shlib_t {} \; -print
cd ../JDKS
sudo find . -name "*.so" -exec chcon -t textrel_shlib_t {} \; -print
The textrel_shlib_t type only allows text relocations (the execmod permission) for the labeled libraries, which is much narrower than running the whole system in Permissive mode. Note that chcon changes the label on the file only; a restorecon run or a full filesystem relabel resets the files to the policy default and the denials return. To make the labels persistent, record an equivalent rule with semanage fcontext and apply it with restorecon.
AppScan® Source for Analysis and AppScan® Source for Development (Eclipse plug-in) component prerequisite on Linux™
On Linux™, Eclipse requires the installation of a third-party component in order to render browser-based content. Without this component, AppScan® Source for Analysis and the AppScan® Source for Development (Eclipse plug-in) may exhibit symptoms such as a hang after login or a failure during product use.
Intermittent shutdown of AppScan® Source for Analysis on Linux™
To prevent an unexpected shutdown, upgrade Pango. The Pango upgrade may require an upgrade of glib.
Linux™ - Error launching AppScan® Source for Analysis after configuring AppScan® Source daemons to run as user other than 'ounce' during installation
The AppScan® Source for Analysis installer allows you to configure the AppScan® Source daemon processes to run as the default user named 'ounce' or as an existing user.
Workaround: If you do not choose the default user, you must create an eclipse.ini file in the AppScan® Source installation directory (for example, /opt/hcl/appscansource) that consists of this line:
-configuration @user.home/.ounceconfig
Scanning source code compiled with older versions of gcc, such as 2.95.4, produces errors
For example, an error such as the following may appear:
Skipping file: file.cpp due to error: "/home/file.cpp", line 97: error: namespace "std" has no member "string"
std::string mystring;
Workaround: Add the --ignore_std option to the compiler options for the project. This option enables a gcc compatibility feature that makes the std namespace a synonym for the global namespace. In AppScan® Source for Analysis, add this option on the Project Dependencies tab of the Properties View for the project. Alternatively, if you use Ounce/Make to create the project file, modify the compiler_options attribute of the GlobalProjectOptions element in the Ounce/Make properties file.
macOS
Deprecation of macOS support
As of version 9.0.3.11, AppScan® Source no longer supports macOS or iOS Xcode project scanning.
Additional information
Enhanced and new functionality in AppScan® Source version 10.7.0
- Download AppScan® Source from the FlexNet Operations Portal (FNO) or My HCL Software (MHS). In future releases, the new MHS portal replaces FNO.
- AppScan® Source Findings view and reports have a new column for additional CWEs associated with the primary CWE.
- AppScan® Source supports Red Hat Enterprise Linux versions 9.0 and 9.4.
- AppScan® Source supports ESQL.
- AppScan® Source supports scanning PowerShell (.ps1) files within Infrastructure-as-Code projects.
- AppScan® Source supports Java 21.
- Updates to rules for Angular, ASP, CSS, Dart, Java source code scanner, JavaScript, JQuery, Objective-C, PHP, Python, secrets scanner, TerraForm, TypeScript, and VueJS.
- AppScan® Source Data Access API classpath updated.
Fixes and security updates in AppScan® Source version 10.7.0
Fixes and security updates are listed here.
Changed in AppScan® Source version 10.7.0
HCLSoftware products are undergoing changes in license acquisition and management. For more information, see Licensing Changes Announcement.
Upcoming changes in AppScan® Source version 10.7.0
- AppScan® Source versions 10.6.0 and earlier will reach end-of-support (EOS) by June, 2025.
Enhanced and new functionality in AppScan® Source version 10.6.0
- AppScan® Source supports Windows Server 2022.
- AppScan® Source supports WebSphere Application Server 9.0.
- AppScan® Source supports .NET 8.
- Support for DISA Application and Security Development STIG V5R3.
- AppScan® Source for Analysis user interface improvements for scanning folders:
- Support for excluding findings in assessments generated using folder scanning.
- Support for retaining options under base folder properties for scanning an individual file or a collection of files in a folder or subfolder.
- AppScan® Source for Development (Eclipse Plug-in) supports Eclipse IDE 2022-09 to 2024-03.
- Extended support for C/C++ source-code-only scans by supporting scans for Makefile and GNUMakefile.
- AppScan® Source supports folder scanning with ounceauto.
- AppScan® Source supports enabling secrets scanning globally through the scan.ozsettings file.
- Improved accuracy for Java, JavaScript, and Python languages, and for secrets scanning.
Fixes and security updates in AppScan® Source version 10.6.0
Fixes and security updates are listed here.
Known issues in AppScan® Source version 10.6.0
- Required Draw2d jar for AppScan® Source Eclipse Plug-in is not available in Eclipse IDE for "Java Developers." To work around this issue, download this jar manually and copy it to the eclipse\plugins folder before installing the plugin.
Capabilities nearing end-of-life or removed as of AppScan® Source version 10.6.0
- Starting with version 10.7.0, the licensing procedure is changing. This change does not impact existing usage. Stay tuned for more details and updates from HCL® AppScan®.
- The DISA Application and Security Development STIG V4R10 report is no longer supported.
Enhanced and new functionality in AppScan® Source version 10.5.0
- AppScan® Source for Analysis client supports scanning of folders through the user interface.
- Support for scanning cascading style sheets (CSS).
- AppScan® Source Visual Studio Plugin supports Visual Studio 2022.
- Extended support for IaC, RPG and VB.NET by supporting new file extensions:
- IaC: .conf, .curl, .ini, .properties, tf.json
- RPG: .rpgl, .sqlrpgle
- VB.NET: .vbs
- Improved accuracy for PHP scanning.
- Support for OWASP API Security Top 10 - 2023 report.
- AppScan® Source supports including GitHub repository information in assessment files and publishing it to AppScan® Enterprise. This feature can be enabled through the scan.ozsettings file.
- New property added in the license config file for using local SSL certificates (use_local_ssl_cert).
Additional AppScan® Source upgrade information
- Close all Visual Studio 2022 instances.
- Download VS2022Plugin.zip from the HCL Software Download and License Management Portal.
- Extract the contents of the zip file into the default installation directory. The default location is C:\Program Files\HCL\AppScanSource.
- Double-click AppScanSourcePlugin2022.vsix from the <default_installation_directory>/bin directory.
- In the resulting VSIX Installer dialog, select Visual Studio <Edition> 2022 and click Install. The edition could be Professional, Enterprise, or Community based on what is installed on the system. You can select more than one edition to install, if available.
- When installation is complete, close the dialog box.
- Restart Visual Studio 2022. AppScan® Source plug-in appears under Extensions.
Fixes and security updates in AppScan® Source version 10.5.0
Fixes and security updates are listed here.
Known issues in AppScan® Source version 10.5.0
- CAC authentication is not working with TLS 1.2 in the AppScan® Source Eclipse plugin. To work around this issue, add the following to the eclipse.ini file under -vmargs:
--add-exports=java.base/sun.security.internal.spec=ALL-UNNAMED
- The right-click option for scanning an individual file or a collection of files in a folder or subfolder is not retaining options under base folder properties.
- Renaming a folder set up for scanning at the file system level could lead to unexpected results. To work around this issue, remove the folder using the remove folder option, rename it, then add it again.
- When assessments are generated using folder scanning, the filters to exclude findings in Findings view and include findings in Excluded Findings view are not working.
Capabilities nearing end-of-life or removed as of AppScan® Source version 10.5.0
- Microsoft Visual Studio 2013 will reach end-of-service (EOS) on April 9, 2024. HCL® AppScan® Source will not support Microsoft Visual Studio 2013 after the EOS date.
Enhanced and new functionality in AppScan® Source version 10.4.0
- AppScan® Source supports Windows 11.
- AppScan® Source supports Red Hat Enterprise Linux 8.8.
- AppScan® Source supports initiating a scan with a wait time in case of license unavailability using either the command line interface (CLI) scan command, or the ounceauto ScanApplication command. When an AppScan® Source for Automation license is not available, a scan waits for a period of time configured in CLI.ozsettings or with a value passed with the -waitforlicense argument in the scan command. Disable the wait time feature by setting its value to zero.
- AppScan® Source supports secrets-only scanning, either with a secrets-only project, or using the -secretsonly parameter with the scan CLI command for folder scanning. Secrets-only scanning checks for hardcoded passwords, credit card numbers, and Social Security numbers (SSN) when those secrets are detected in the code being scanned.
- AppScan® Source allows you to enable or disable secrets scanning for source code-only scans by editing application or project properties, or using the -enablesecrets parameter with the scan CLI command for folder scanning. You can also enable secrets scanning at project creation. Secrets scanning checks for hardcoded passwords, credit card numbers, and Social Security numbers (SSN) when those secrets are detected in the code being scanned, along with the other relevant scanners.
- AppScan® Source supports automating scans using GitHub Action or GitLab CI/CD and an AppScan® Source command line interface (CLI) container.
Fixes and security updates in AppScan® Source version 10.4.0
Fixes and security updates are listed here.
Capabilities nearing end-of-life or removed as of AppScan® Source version 10.4.0
- RSS feed is no longer supported.
Enhanced and new functionality in AppScan® Source version 10.3.0
- AppScan® Source supports exporting scan findings to CSV and SARIF file formats using either the command line interface (CLI), the Tools menu, or using the ounceauto command.
- The HCL® AppScan® Source for Development (Eclipse Plug-in) supports Eclipse IDE 2022-09.
- AppScan® Source supports Rust.
- Version 10.3.0 of AppScan® Source has enhanced support for Java and Ruby scanning.
- AppScan® Source supports secrets scanning.
- AppScan® Source command line interface (CLI) support for comparing two assessment files.
- AppScan® Source supports running a command line interface (CLI) container in a Podman environment.
- The Data Access API requires JDK 11 or above.
- AppScan® Source supports automating scans using Jenkins or Azure and an AppScan® Source command line interface (CLI) container.
Fixes and security updates in AppScan® Source version 10.3.0
Fixes and security updates are listed here.
Known issues in AppScan® Source version 10.3.0
- By default, AppScan® Source compiles Java projects using Java 11. If your project is not compatible with Java 11 and you want to configure scanning to use a different Java compiler version, follow the steps provided here.
- When using the AppScan® Source command line interface (CLI) to scan a folder that contains AndroidManifest.xml, scanning fails with the error, An error occurred copying files to the staging directory. To work around this issue, either:
- Use appscan-config.xml to configure the scan.
- Delete (or move) AndroidManifest.xml from the target folder and/or subfolders.
Capabilities nearing end-of-life or removed as of AppScan® Source version 10.3.0
- The HCL® AppScan® Source for Development (RAD plug-in) is no longer supported.
- The HCL® AppScan® Source for Development (Eclipse Plug-in) is no longer supported on Eclipse IDE 4.13 (2019-09).
Enhanced and new functionality in AppScan® Source version 10.2.0
- AppScan® Source enables you to configure license inactivity time in the license config file.
- AppScan® Source CLI now allows for source code only scanning when scanning folders.
- Project file extensions preferences now lists available language/project types in a drop-down list instead of on tabs.
- AppScan® Source supports Red Hat Linux 8.6.
- AppScan® Source supports .NET 7.
Additional AppScan® Source and AppScan® Enterprise interoperability information
- AppScan® Enterprise version 10.2.0 has upgraded support for CVSS 3.1. As an AppScan® Source user, if you upgrade to AppScan® Enterprise version 10.2.0, there might be discrepancies in severity values due to the nature of the CVSS 3.1 specification. Learn more here.
Fixes and security updates in AppScan® Source version 10.2.0
Fixes and security updates are listed here.
Known issues in AppScan® Source version 10.2.0
- When running AppScan® Source on Windows 2016 and using a non-English locale, AppScan® Source cannot publish assessment to AppScan® Enterprise.
- When scanning a folder with C# files, folder scan uses the Xamarin scanner. This can result in a high number of false positives when the user is not also using Xamarin.
Enhanced and new functionality in AppScan® Source version 10.1.0
- AppScan® Source supports Red Hat Enterprise Linux 8.3.
- The HCL® AppScan® Source for Development (Eclipse Plug-in) is now supported on Eclipse IDE 2022-06.
- AppScan® Source supports Java 17, and includes it in the installation package.
- AppScan® Source supports Tomcat 9, and includes it in the installation package.
- AppScan® Source now allows for scanning folders without creating .PAF or .PPF files.
- Expanded support for Ruby, Groovy, JavaScript, and PHP scanning. Find system requirements information here.
Additional AppScan® Source and AppScan® Enterprise interoperability information
AppScan® Source version 10.1.0 supports AppScan® Enterprise Server version 10.1.0. AppScan® Source version 10.0.8 and earlier does not support AppScan® Enterprise Server version 10.1.0. Upgrade both products to ensure proper interoperability.
Fixes and security updates in AppScan® Source version 10.1.0
Fixes and security updates are listed here.
Capabilities nearing end-of-life or removed as of AppScan® Source version 10.1.0
- The following reports and report filters have been removed:
- CWE SANS Top 25 2011 report
- OWASP Top 10 2013 report
- CWE SANS Top 25 2011 report filter
- OWASP Top 25 2010 report filter
- OWASP Top 25 2013 report filter
- Defect tracking system integration is no longer supported.
- Sending findings by email is no longer supported.
- Quality metrics are no longer supported.
- Tomcat 7 is no longer included in the AppScan® Source installation package.
- AppScan® Source will be dropping support for SolidDB and OracleDB in future releases.
Enhanced and new functionality in AppScan® Source version 10.0.8
- The AppScan® Source command line interface (CLI) has been containerized, allowing application and security scanning to be more efficient and more robust. Once installed and configured, a testing environment can be created quickly and on demand, and scans can be run concurrently. For additional information on containerization, see this document at HCL Support.
- AppScan® Source supports configuring license information through the command line.
- AppScan® Source supports Terraform.
- Support for the following reports:
- Support for the following report filters:
Fixes and security updates in AppScan® Source version 10.0.8
Fixes and security updates are listed here.
Known issues in AppScan® Source version 10.0.8
- When using the Eclipse plugin, AppScan® Source for Development must be configured with Java 8.
Enhanced and new functionality in AppScan® Source version 10.0.7
- As of version 10.0.7, AppScan® Source has an updated installation path, replacing IBM with HCL. However, upgrading from version 10.0.6 or earlier will retain the original install path that uses IBM in the path.
- AppScan® Source supports IBM RPG projects.
- AppScan® Source supports .NET 5/6.
- AppScan® Source supports the OWASP Top 10 2021 report.
- Enabling Common Access Card (CAC) authentication no longer requires manual update of the java.security file.
Fixes and security updates in AppScan® Source version 10.0.7
Fixes and security updates are listed here.
Known issues in AppScan® Source version 10.0.7
- On Windows, when upgrading to AppScan® Source version 10.0.7 from AppScan® Source versions 9.0.3.x or 10.0.0, you must first perform an interim upgrade to an AppScan® Source version between 10.0.1 and 10.0.6. Important: Do not uninstall then reinstall. To maintain databases, you must upgrade in two steps.
- AppScan® Source configured with Oracle database requires a strong password using 16 or more characters.
Capabilities nearing end-of-life or removed in AppScan® Source version 10.0.7
- Support for SolidDB/Oracle will be removed in a future version of AppScan® Source. Please make plans now to migrate data from SolidDB/Oracle to AppScan® Enterprise Server, whether manually or through the database migration utility.
Enhanced and new functionality in AppScan® Source version 10.0.6
- As it does in AppScan® Source for Analysis, the Findings view in the Visual Studio plug-in now displays findings by fix group by default.
- The algorithm used for assessment comparisons in AppScan® Source for Analysis has been updated. Assessment comparison results from the AppScan® Source for Analysis client will be consistent with the AppScanDelta command; however, there could be some difference in comparison results from previous versions of AppScan® Source.
- As part of the algorithm update, you can now choose to save assessments for new and/or resolved findings from the Assessments Diff view in AppScan® Source for Analysis.
- AppScan® Source support for source code-only scanning for C/C++, .Net, and Java.
- AppScan® Source has added advisory information to industry standard reports to assist with findings remediation.
- AppScan® Source supports CAC authentication with Subject Alternative Name - Multi-Domain (SAN) certificates.
- AppScan® Source supports Dart programming language.
- Support for Stop/Cancel scan on Linux systems.
Known issues in AppScan® Source version 10.0.6
- Scans for Objective-C projects fail if you run the scan using an Objective-C .paf/.ppf file created with AppScan® Source version 10.0.5 or older. Reconfigure Objective-C projects in AppScan® Source version 10.0.6 and try again.
Fixes and security updates in AppScan® Source version 10.0.6
- Fixes and security updates are listed here.
Capabilities nearing end-of-life or removed in AppScan® Source version 10.0.6
- AppScan® Source ceased supporting single file scanning as of version 10.0.0.
Enhanced and new functionality in AppScan® Source version 10.0.5
- The KBArticle server has been replaced with AppScan Security Info Server. The content and interface of AppScan Security Info Server have been updated to better serve users, but it serves the same purpose as the KBArticle server in prior AppScan® Source versions: assisting users with mitigating and resolving application security findings.
- AppScan® Source has added advisory information to reports to assist with findings remediation.
- Remediation Assistance view has been renamed How to fix.
- AppScan® Source has added support for the DISA STIG v5r1 report format. This new report lists the vulnerability categories specified in the Application Security Checklist Version 5, Release 1. Wherever possible, AppScan® Source generates pertinent results to help the reviewer determine whether an application is in compliance with the STIG's requirements.
- Support for the HCL Common Local License Server 2.0 on both Windows and Linux.
- AppScan® Source supports generating findings reports where the findings are grouped by fix groups.
Additional AppScan® Source version 10.0.5 and AppScan® Enterprise version 10.0.5 interoperability information
- Speed of publishing to AppScan® Enterprise or importing issues to AppScan® Enterprise from the Monitor tab can now be balanced according to desired user responsiveness using a new property in the asc.properties file in AppScan® Enterprise. See the AppScan® Enterprise documentation for details on using the issue.import.batch.interval property.
Known issues in AppScan® Source version 10.0.5
- The locale set for AppScan Source should match the system locale to avoid garbled characters in the console output.
- There are some rendering issues in the How to fix view on Linux. In addition, external reference links do not open from the How to fix view on Linux; open the article in an external browser to render correctly and to access the external links.
- How to fix information is not included in reports when reports are generated using the ounceauto command, as the automation server fails to start AppScan Security Info server. To work around this issue, start AppScan® Source for Analysis or the command line interface (CLI client) prior to generating a report using ounceauto; the AppScan Security Info server is started automatically by AppScan® Source for Analysis and by the CLI client.
Enhanced and new functionality in AppScan® Source version 10.0.4
- As of version 10.0.4, AppScan® Source supports the following operating systems:
- Windows Server 2019
- Red Hat Linux versions 7.8 and 7.9
For additional information see System requirements and installation prerequisites.
- As of version 10.0.4, AppScan® Source supports the following languages and language versions:
- Java versions 9, 10, and 11:
- AdoptOpenJDK 11 is the default
- Any alternate JDKs specified must be 64-bit
- .NET Core 3.1
- Infrastructure as Code (IaC)
For additional information, see System requirements and installation prerequisites.
Known issues in AppScan® Source version 10.0.4
- Bundles created in AppScan® Source version 9.3.14 or earlier and marked as excluded in the Properties view will not exclude the findings after upgrading to AppScan® Source version 10.0.0 and higher. The bundle should be recreated in AppScan® Source version 10.0.0 or higher.
- Performing a scan on all applications in an AppScan® Source for Analysis client may populate the Findings view without populating fix groups. Perform the scan on individual applications to avoid this result and display findings in fix groups appropriately.
- Publishing assessments to AppScan® Enterprise fails in non-English locales if the assessment file name contains native characters. Remove the native characters from the file name and republish.
Enhanced and new functionality in AppScan® Source version 10.0.3
- As of version 10.0.3, AppScan® Source adds support for the following languages:
- Android Java
- Ionic
- Objective C
- React Native
- SAP ABAP
- Vue.js
- Xamarin
For additional information, see System requirements.
- Fix group support for static analysis.
Fix groups are a new approach to managing, triaging, and resolving issues found in static analysis scans. After running a static scan, AppScan® Source organizes issues into fix groups based on vulnerability type and the required remediation task. For additional information, see Working with static analysis fix groups.
- As part of fix group support, a tech preview of a companion report is visible in the Select Findings Report dialog box. The report currently displays high-level information on fix group type only. In a future release, additional depth will be added to the report functionality, including best fix locations for fix groups.
Known issues in AppScan® Source version 10.0.3
- The CLI command details intermittently reports the following error. However, the functionality of the command is not affected.
ERROR [main] (PrexisLogger.java:263) - Exception javax.xml.stream.XMLStreamException: Element type "Site" must be followed by either attribute specifications, ">" or "/>".
- When opening assessments published to the AppScan® Source database to view fix group information, NULL may be displayed in place of fix group type or fix group id. Save the assessment to a local file system then open it using the Open Assessment command to view fix group information for published static analysis assessments.
Additional AppScan Source version 10.0.3 installation and interoperability information
- If you upgrade AppScan® Source or perform a repair install of AppScan® Source version 10.0.3, when the previous installation was configured with a database, you must start the AppScan Source DB service manually.
Enhanced and new functionality in AppScan® Source version 10.0.2
- As of AppScan® Source version 10.0.2, an HCL license is required. See How to obtain and apply licenses for AppScan Source products for additional information.
- AppScan® Source for Analysis version 10.0.2 does not require a database connection to perform scans. Integration with AppScan Enterprise for sharing scan configurations and results is configured in AppScan® Enterprise. Disconnected functionality is described in more detail here.
- AppScan® Source introduces support for the following languages: Angular 8, Angular 9, Groovy, Symfony, and TypeScript. See System requirements for complete information.
Additional AppScan® Source version 10.0.2 installation and interoperability information
- When installing AppScan® Source version 10.0.2 to a clean system, there is no database to install, and therefore no database configuration to perform. Configure integration with AppScan Enterprise to store and retrieve shared information.
- When installing AppScan® Source version 10.0.2 to a clean system for use in connected mode, AppScan® Enterprise version 10.0.2 is required. Older versions of AppScan® Enterprise are not supported. In addition, AppScan Enterprise Server must be installed with both User Administration and Enterprise Console.
- When upgrading to AppScan® Source version 10.0.2 from a previous version, any previously installed database is fully supported, including configuration functionality.
- If you perform a repair install of AppScan® Source version 10.0.2, when the previous installation was configured with a database, you must start the AppScan Source DB service manually.
- If you upgrade AppScan® Source where only automation server or client components are installed and later perform a repair installation, update the following properties in ounce.ozsettings:
name=core_provider value=1
name=connect_mode value=false
- Silent installer response files created prior to version 10.0.2 are not supported. New silent installer response files must be created for use with AppScan® Source version 10.0.2.
Capabilities nearing end-of-life or removed in AppScan® Source version 10.0.2
- AppScan Source no longer supports IBM licenses and they can no longer be configured in the license manager. See How to obtain and apply licenses for AppScan Source products for additional information.
- AppScan® Source version 10.0.2 no longer supports Visual Studio 2010.
- SolidDB no longer ships with AppScan® Source and is not installed as part of the solution. Existing installations of SolidDB continue to be supported.
- The Audit Log option under the Admin menu is no longer available.
Enhanced and new functionality in AppScan® Source version 10.0.1
- AppScan® Source version 10.0.1 has enhanced licensing functionality including proxy support for HCL-based licenses in the user interface and allowing use of untrusted certificates to make a connection to a local license server.
- AppScan® Source version 10.0.1 introduces AppScanDelta. This feature allows users to perform a diff from the command line between two assessments.
- AppScan® Source supports NetCore 2.1 and 2.2.
- AppScan® Source version 10.0.1 includes language support for Scala, Swift, Kotlin, and ReactJS. See System Requirements for additional information.
- AppScan® Source version 10.0.1 supports the DISA STIG v4r10 report format.
Known issues in AppScan® Source version 10.0.1
- If you are scanning a Visual Studio project from 2015 or earlier, the scan may fail with a message to delete discoverymanager.exe.config. Delete the specified file and try again. For more information see here.
AppScan® Source interoperability
- 9.0.3x and 10.0.0 versions of AppScan® Enterprise must be configured as follows to interoperate with AppScan® Source 10.0.1:
set "allow.newer.source.clients=true" in the \Program Files (x86)\IBM\AppScan Enterprise\Liberty\usr\servers\ase\config\asc.properties file
Capabilities nearing end-of-life or removed in AppScan® Source version 10.0.1
The following capabilities are nearing end-of-life as of AppScan® Source version 10.0.1. Please plan accordingly.
- IMPORTANT! Support for IBM licenses in new releases of AppScan® will end in the third quarter 2020 (August/September). Subsequent new versions of AppScan® products will support HCL Licenses only. For additional information on licensing, see Activating the software. You can also contact your HCL representative or HCL Support.
- SolidDB will no longer be shipped with product updates beginning in the third quarter 2020 (August/September). Existing installations will still be supported.
Enhanced and new functionality in AppScan® Source version 10.0.0
- IBM® Security AppScan® Source is now HCL® AppScan® Source. In mid-2019, HCL Technologies acquired the AppScan® family of products from IBM, including AppScan® Enterprise, AppScan® Standard, AppScan® Source, and AppScan® on Cloud. All AppScan® products are now owned, developed, and promoted by HCL Software. All licenses, logos, naming conventions, and other intellectual and/or branding rights are owned by HCL. As such, all AppScan® products have been rebranded to reflect this ownership and its new phase of development and growth.
- Introducing HCL Licensing for HCL® AppScan® Source. As part of the transition from IBM to HCL, HCL is introducing HCL-centric license packages for the AppScan® family of products. AppScan®, AppScan® Standard, and AppScan® Source use a local FlexLM license server, authenticating via a proxy server; AppScan® on Cloud uses a market-leading customer identity access management (CIAM) system from Okta.
- AppScan® Source now supports the Go programming language (Golang).
- AppScan® Source now supports C++ scanning in Visual Studio 2015, 2017, and 2019.
- AppScan® Source now supports Oracle 19c.
- New data flow scanning functionality performs a more complete code analysis and more findings as a result.
- For languages for which AppScan® Source has custom scanners, you may see a marked difference in findings when scanning with AppScan® Source v10. In instances when scanning has been converted to custom scanning, this may mean a reduction in findings. The rules for custom scanners are evolving and being added to on a regular basis, and are easy to enhance.
- Enhanced integration with Intelligent Code Analytics (ICA) and Intelligent Findings Analytics (IFA). When ICA/IFA is enabled, you see and can access the Excluded Findings tab. For additional information, see Intelligent Findings Analytics (IFA) in the AppScan® Source documentation.
By default, IFA is enabled for all scans. When enabled, it is applied to the current scan and future scans. It cannot be applied to assessments from previous scans.
- Scanning .NET projects (ASP, WEB, Framework, Core) in AppScan® Source mirrors the processing in HCL AppScan on Cloud. .NET projects must be able to be compiled before they can be scanned and must have the correct build specification in project properties.
- 15 GB is the minimum amount of space required to install AppScan® Source and run basic scans. However, required disk space varies depending on the application being scanned. We recommend a minimum of 8 GB of RAM and 15-20 GB of free disk space. You may also need to increase your Windows page file requirement (see Tips to improve PC performance in Windows 10 for more information).
- For additional information on system requirements, and scanning and plug-in support, see System requirements and installation prerequisites or contact HCL Support.
AppScan® Source version 10.0.0 interoperability
- An AppScan® Source 10.0.0 client will not scan correctly with a pre-10.0.0 AppScan® Source database due to the difference in the contents of the database as they pertain to scan rules.
- Similarly, a pre-10.0.0 AppScan® Source client will NOT scan correctly with a 10.0.0 AppScan® Source database.
- An instance of AppScan® Enterprise configured with an instance of AppScan® Source 10.0.0 database cannot be used by 9.0.3.x versions of AppScan® Source, and vice versa.
- 9.0.3.x versions of AppScan® Enterprise must be configured as follows to interoperate with AppScan® Source 10.0.0:
set "allow.newer.source.clients=true" in the \Program Files (x86)\IBM\AppScan Enterprise\Liberty\usr\servers\ase\config\asc.properties file
Additional AppScan® Source version 10.0.0 installation instructions
When installing AppScan® Source version 10.0.0 with the Visual Studio 2019 plug-in, the installation appears to complete successfully but the Visual Studio 2019 plug-in may not be installed properly. To install the AppScan® Source version 10.0.0 plug-in in Visual Studio 2019:
- Ensure that HCL® AppScan® Source version 10.0.0 is installed on the target system. Select Microsoft Visual Studio 2019 plug-in during installation.
- If a pre-10.0.0 version of AppScan® Source has been installed into the target instance of Visual Studio 2019, uninstall it as follows:
- Start the target Visual Studio 2019 instance.
- Open to .
- On the Installed tab, select AppScan Source Plug-in from the list.
- Click Uninstall plug-in and follow prompts to complete uninstallation.
- Install the HCL® AppScan® Source version 10.0.0 plug-in into the Visual Studio 2019 instance as follows:
- Close all Visual Studio 2019 instances.
- Download VS2019Plugin.zip from the HCL® AppScan® Source release download site.
- Extract the contents of the zip file into <AppScan Source Install Dir> (the default location is C:\Program Files (x86)\IBM\AppScanSource). Choose Yes for all options when prompted.
- Double-click AppScanSrcPlugin.vsix from the <AppScan Source Install Dir>/bin directory.
- In the resulting VSIX Installer dialog, select Visual Studio <Edition> 2019 and click Install.
The edition can be Professional, Enterprise or Community, depending on what is installed on the machine. You can select more than one edition to install, if available.
- When installation is complete, close the dialog.
- Restart Visual Studio 2019. AppScan Source plug-in appears under Extensions.
Known issues in AppScan® Source version 10.0.0
- The following languages are not supported:
- Arxan C
- WSDL
- On WebSphere, only default JSP compilation options are supported.
- Single file scanning is not available across all languages.
- There is no mechanism to disable precompilation of JSP files. JSP files will always be precompiled.
- Stop/Cancel scan does not work on Linux systems.
- Stop/Cancel may not work on Windows systems when using the command line interface. To work around this issue, restart AppScan® Source and kill the background processes.
- When uninstalling AppScan® Source version 10.0.0 from a Windows system, the uninstall process sometimes hangs. For more information, see Uninstallation of AppScan Source hangs on Windows.
- After upgrade to AppScan® Source version 10.0.0, PDF reports are not generating. For more information, see AppScan Source 10.0.0 throws "java.lang.reflect.InvocationTargetException" during PDF report generation in upgrade scenario.
Capabilities nearing end-of-life in AppScan® Source version 10.0.0
- Custom findings
- Quality metrics
- Email/settings
- RSS feed
- Application attributes
Use AppScan Enterprise to store application information.
- Defect tracking system integration
Use the AppScan® Issues gateway to integrate at the AppScan Enterprise level.
Capabilities and features no longer supported in AppScan® Source version 10.0.0
- The vulnerability cache is no longer supported.
- Incremental scanning is not supported.
- Non-CPA scanning is not supported.
- As of version 9.0.3.11, AppScan® Source no longer supports macOS or iOS Xcode project scanning.
Some components of AppScan® Source are 32-bit. macOS 10.14 (Mojave) is the last Mac operating system version that will support 32-bit applications.
You can continue to use AppScan® Source version 9.0.3.10 and earlier on Mac operating systems up to and including 10.12.
Documentation
Information about AppScan® Source documentation can be found at https://support.hcltechsw.com/csm.
Obtaining Technical Support
Information about obtaining technical support for this product is available at https://support.hcltechsw.com/csm.
The product website is located at https://www.hcl-software.com/appscan.
Copyright
(C) Copyright HCL Technologies Limited® and its licensors 2024. All Rights Reserved.
HCL®, HCL Technologies Limited, HCL Software, the HCL® logo, hcl.com®, hcltech.com, and AppScan® are trademarks or registered trademarks of HCL Technologies Limited, registered in many jurisdictions worldwide. Rational®, WebSphere® and ClearQuest® are trademarks or registered trademarks of IBM Corp. Other product and service names might be trademarks of HCL® or other companies. A current list of HCL® trademarks is available on the web at Copyright and trademark information at http://www.hcltech.com/disclaimer. Linux™ is a registered trademark of Linus Torvalds in the United States, other countries, or both. Microsoft™, Windows™, Windows NT™ and the Windows™ logo are trademarks of Microsoft™ Corporation in the United States, other countries or both. Unix is a registered trademark of The Open Group in the United States and other countries. Java™ and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
This program includes: Jacorb 2.3.0, Copyright 1997-2006 The JacORB project; and XOM1.0d22, Copyright 2003 Elliotte Rusty Harold, each of which is available under the Gnu Library General Public License (LGPL), a copy of which is available in the Notices file that accompanied this program.