What's New in AppScan Source

What's New in AppScan Source Version 9.0.3.14

Enhanced and new functionality in AppScan Source Version 9.0.3.14

  • IBM AppScan Source is now HCL AppScan Source

    In mid-2019, HCL Technologies acquired the AppScan family of products from IBM, including AppScan Enterprise, AppScan Standard, AppScan Source, and AppScan on Cloud. All AppScan products are now owned, developed, and promoted by HCL Software. All licenses, logos, naming conventions, and other intellectual and/or branding rights are owned by HCL. As such all AppScan products have been rebranded to reflect this ownership and its new phase of development and growth.

  • Introducing HCL Licensing for HCL AppScan Source

    As part of the transition from IBM to HCL, HCL is introducing HCL-centric license packages for the AppScan family of products. AppScan Enterprise, AppScan Standard, and AppScan Source use a local FlexLM license server, authenticating via a proxy server; AppScan on Cloud uses a market-leading customer identity and access management (CIAM) system from Okta.

    Note:

    AppScan products will continue to support existing IBM licenses until further notice.

  • AppScan Source now supports Apex scanning
  • AppScan Source now supports Eclipse 4.13
  • AppScan Source now supports Ruby scanning
  • AppScan Source now supports Visual Studio 2017 plugin
  • AppScan Source now supports Visual Studio 2019 plugin

    For additional information on system requirements, and scanning and plugin support, see HCL AppScan Source system requirements or contact HCL Support.

Capabilities nearing end-of-life in AppScan Source Version 9.0.3.14

The following capabilities are nearing end-of-life as of AppScan Source version 9.0.3.14. Please plan accordingly.

What's New in AppScan Source Version 9.0.3.11

Enhanced and new scanning support

  • As part of JavaScript support, AppScan Source supports AngularJS and Node.js.
  • AppScan Source now supports Java Runtime Environment version 8.
  • AppScan Source now supports Windows 2016.

Capabilities and features no longer supported in AppScan Source version 9.0.3.11

  • As of version 9.0.3.11, AppScan Source no longer supports macOS or iOS Xcode project scanning.

    AppScan Source is a 32-bit application. macOS 10.14 (Mojave) is the last Mac operating system version that will support 32-bit applications.

    You can continue to use AppScan Source version 9.0.3.10 and earlier on Mac operating systems up to and including 10.12.

What's New in AppScan Source Version 9.0.3.9

Enhanced and new scanning support

  • .NET support now includes both .NET Framework and .NET Core (C#, ASP.NET, VB.NET) for Visual Studio 2017 and earlier.
  • Applying the AppScan Source for Development Visual Studio plug-in to Visual Studio 2017 is now supported.
    Note: AppScan Source for Development does not support C/C++ scanning for Visual Studio 2017.

What's New in AppScan Source Version 9.0.3.7

Enhanced and new scanning support

  • Red Hat Enterprise Linux (RHEL) Versions 7.3 and 7.4 are now supported operating systems.
  • Applying the AppScan Source for Development Visual Studio plug-in to Visual Studio 2015 is now supported.

What's New in AppScan Source Version 9.0.3.6

Enhanced and new scanning support

  • Xcode 8.1 and 8.2 for Objective-C (for iOS applications only) are now supported compilers on macOS. Support for these versions of Xcode is retroactive to AppScan Source Version 9.0.3.5.

What's New in AppScan Source Version 9.0.3.5

Enhanced and new scanning support

  • macOS Version 10.12 is now a supported operating system. Support for macOS Version 10.12 is retroactive to AppScan Source Version 9.0.3.4.
  • Xcode 8.0, 8.1, and 8.2 for Objective-C (for iOS applications only) are now supported compilers on macOS.

Incremental scan support for Java source and bytecode allows for more efficient and faster re-scans

As of Version 9.0.3.5, you can enable Java incremental scan support on Windows and Linux. When incremental analysis is enabled, AppScan Source caches analysis data. When you then re-scan your project or application, AppScan Source uses this data to determine the code changes, and only the portions of the code that are impacted by your changes are analyzed again. The end result is a full analysis of your code in a fraction of the time.

This feature is supported when using HCL AppScan Source for Analysis, the AppScan Source for Development Eclipse plug-in, HCL AppScan Source for Automation, or the HCL AppScan Source command line interface (CLI).

What's New in AppScan Source Version 9.0.3.4

Enhanced and new scanning support

PHP Version 7.0 can now be scanned on Windows and Linux in HCL AppScan Source for Analysis, HCL AppScan Source for Automation, and the HCL AppScan Source command line interface (CLI).

Publishing assessments to AppScan Enterprise Console is now supported when authenticating by Common Access Card (CAC)

If you are using CAC authentication to connect to the AppScan Enterprise Server, you can now publish assessments to the AppScan Enterprise Console from the AppScan Source user interface, AppScan Source command line interface (CLI), and AppScan Source for Automation.

Payment Card Industry Data Security Standard (PCI DSS) Version 3.2 report support

AppScan Source now supports the Payment Card Industry Data Security Standard (PCI DSS) Version 3.2 report.

AppScan Source for Analysis product documentation

As of Version 9.0.3.4, when you use the Help > Help Contents menu item in AppScan Source for Analysis, online help for AppScan Source at IBM Knowledge Center opens (for Version 9.0.3.4, the help opens to the HCL AppScan Source V9.0.3.4 documentation). Similarly, when you follow links from the AppScan Source for Analysis Welcome view, they are opened at IBM Knowledge Center.

AppScan Source for Analysis also offers context-sensitive help for many views, preference pages, and dialog boxes. The keyboard shortcut for context-sensitive help is F1 on Windows, Shift+F1 on Linux, and command+F1 on macOS. This context-sensitive help also opens to AppScan Source at IBM Knowledge Center as of Version 9.0.3.4.

If you are using the product without an internet connection, help is available locally as follows:

  • The HCL AppScan Source Readme and Release Notes are available in the readme.html file that is located in your AppScan Source installation directory.
  • Javadoc for some AppScan Source for Analysis features is located in the doc/Javadoc or doc\Javadoc directory of your AppScan Source installation directory. As of Version 9.0.3.4, Javadoc for these features is available:
    • Javadoc for the application server import framework API classes and methods is available in doc/Javadoc/appserverimporter or doc\Javadoc\appserverimporter.
    • Javadoc for the Framework for Frameworks API classes and methods is available in doc/Javadoc/frameworks or doc\Javadoc\frameworks.

    In these folders, open the index.html file.

Ability to use scan configurations in AppScan Source for Analysis to remove findings for any exclude filters

Exclude filters contain rules for which vulnerability types, application programming interfaces (API), files, directories, projects, or trace rules are removed from findings. If you include multiple exclude filters in a scan configuration, it is possible that they may conflict with each other and affect the findings. For example, given these two filters:

  • Filter 1 removes all findings of vulnerability type Validation.EncodingRequired. It is not inverted and so these findings are excluded from the assessment.
  • Filter 2 removes all findings of vulnerability type Validation.Required. It is not inverted and so these findings are excluded from the assessment.

If both of these filters are applied using a scan configuration, they will rule each other out by default, because by default a finding is excluded only when every exclude filter in the configuration excludes it. Filter 1 excludes Validation.EncodingRequired findings but includes Validation.Required findings. Filter 2 excludes Validation.Required findings but includes Validation.EncodingRequired findings. The end result is that all Validation.EncodingRequired and Validation.Required findings are included.

As of Version 9.0.3.4, you can remove the findings for any exclude filter specified by selecting Match any non-inverted exclude filters when creating a scan configuration. This check box is in the Filters Information section of the Scan Configuration view General tab. Given the above example, if this check box is selected, all Validation.EncodingRequired and Validation.Required findings will be excluded from the assessment.
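To make the two combination rules concrete, here is an added example (not AppScan Source's own code) that models the two filters above over a constructed set of findings. Only vulnerability-type rules are modelled; inverted filters and file, API, directory and project rules are left out, and the third vulnerability type and the file names are constructed.

```python
# Added example, not AppScan Source code: a small model of how non-inverted
# exclude filters combine in a scan configuration. Only vulnerability-type
# rules are modelled; inverted filters and file/API/project rules are not.
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Finding:
    vuln_type: str   # e.g. "Validation.EncodingRequired"
    location: str    # constructed file name, for readability only


@dataclass(frozen=True)
class ExcludeFilter:
    name: str
    vuln_types: frozenset  # vulnerability types this non-inverted filter removes

    def excludes(self, finding: Finding) -> bool:
        return finding.vuln_type in self.vuln_types


def apply_exclude_filters(findings: Iterable[Finding],
                          filters: List[ExcludeFilter],
                          match_any: bool = False) -> List[Finding]:
    """Return the findings that remain in the assessment.

    match_any=False models the default behaviour: a finding is removed only
    when every exclude filter removes it, so two filters that each target a
    different vulnerability type cancel each other out.
    match_any=True models the 'Match any non-inverted exclude filters'
    check box: a finding is removed as soon as one filter matches it.
    """
    kept = []
    for finding in findings:
        verdicts = [flt.excludes(finding) for flt in filters]
        if not verdicts:            # no filters configured: keep everything
            kept.append(finding)
            continue
        removed = any(verdicts) if match_any else all(verdicts)
        if not removed:
            kept.append(finding)
    return kept


# Constructed sample assessment and the two filters from the text.
SAMPLE_FINDINGS = [
    Finding("Validation.EncodingRequired", "Login.jsp"),
    Finding("Validation.Required", "Account.java"),
    Finding("Constructed.OtherType", "Report.java"),  # constructed type name
]
FILTER_1 = ExcludeFilter("Filter 1", frozenset({"Validation.EncodingRequired"}))
FILTER_2 = ExcludeFilter("Filter 2", frozenset({"Validation.Required"}))


def remaining_types(match_any: bool) -> List[str]:
    """Vulnerability types left after applying both filters."""
    kept = apply_exclude_filters(SAMPLE_FINDINGS, [FILTER_1, FILTER_2], match_any)
    return [f.vuln_type for f in kept]


if __name__ == "__main__":
    print("default  :", remaining_types(match_any=False))
    print("match any:", remaining_types(match_any=True))
```

With the default rule both Validation findings survive; with the check box selected only the constructed third type survives.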

Improved handling of libraries when scanning WAR and EAR files in AppScan Source for Automation and the AppScan Source command line interface (CLI)

When scanning WAR files, these settings are now available:

  • -include_all_lib_jars: Use this setting to include all libraries in the WAR file during the scan.
  • -include_lib_jars: Use this setting to specify the libraries in the WAR file that you want to include during the scan.

When importing an EAR file, a project is automatically created for storing shared libraries. If there are no shared libraries, the project will be created, but it will be empty. The -no_ear_project setting is now available and, when used, no project will be created for the EAR file.

Submitting AppScan Source assessments to the Cloud for analysis

If you have a subscription to HCL AppScan on Cloud at HCL Cloud Marketplace, you can submit AppScan Source assessments for analysis there. Assessments from AppScan Source Versions 9.0 or higher are supported, and the number of scans that you can submit depends on your AppScan on Cloud subscription. See http://help.hcl-software.com/appscan/ASoC/src_managing_assessments_cloud.html for more information.

What's New in AppScan Source Version 9.0.3.3

New platform and integration solution support

As of AppScan Source Version 9.0.3.3:

  • Microsoft Windows 10 is now a supported operating system. This includes Windows 10 Education, Enterprise, and Pro editions.
  • If you are connecting to an AppScan Enterprise Server Version 9.0.3.1 or higher, the HCL AppScan Source Database can be installed to an Oracle 12c database.
    Important: If you have an existing installation of AppScan Source that utilizes an Oracle 11g database, and you want to upgrade to Oracle 12c, you must upgrade AppScan Source before upgrading the Oracle database.
  • Tomcat 8 is now included in the installation of AppScan Source.
  • Visual Studio 2015 solution and project files can now be scanned in AppScan Source for Analysis, AppScan Source for Automation, and the AppScan Source command line interface. If you have .sln or .vcproj files that have been created in Visual Studio 2015, these files can be imported and scanned when using AppScan Source for Analysis, AppScan Source for Automation, or the AppScan Source command line interface on Windows.
    Important:
    • Applying the AppScan Source for Development Visual Studio plug-in to Visual Studio 2015 is not supported.
    • Managed C++ projects are supported. Unmanaged C++ projects are supported if they are built with a Platform Toolset from Visual Studio 2015 or earlier (Platform Toolset V140 or earlier).
  • Xcode 7.3 for Objective-C (for iOS applications only) is now a supported compiler on macOS (support for Xcode 7.3 is retroactive to AppScan Source Version 9.0.3.2).

Enhanced and new scanning support

  • PHP Versions 5.5 and 5.6 can now be scanned on Windows and Linux in HCL AppScan Source for Analysis, HCL AppScan Source for Automation, and the HCL AppScan Source command line interface (CLI).
  • When using AppScan Source to scan Java™, @ValidatorMethod, @CallbackMethod, and @SuppressSecurityTrace method-level annotations are now supported.

New installation file name for Windows

On Windows, the installation file name has changed from setup.exe to AppScanSrc_Installer.exe.

Common Access Card (CAC) support on Windows

The Common Access Card (http://www.cac.mil) is the standard identification for active duty uniformed service personnel, Selected Reserve, DoD civilian employees, and eligible contractor personnel in the United States. It is used to enable physical access to buildings and controlled spaces, and provides access to DoD computer networks and systems. The CAC can be used for access into computers and networks that are equipped with various smart card readers. When it is inserted into the reader, the device asks the user for a PIN.

If you are running AppScan Source on Windows and connecting to an AppScan Enterprise Server Version 9.0.3.1 iFix-001 or higher that is enabled for Common Access Card (CAC) authentication, AppScan Source now supports CAC authentication.

DISA Application Security and Development STIG V3R10 report support

AppScan Source now supports the Defense Information Systems Agency (DISA) Application Security and Development Security Technical Implementation Guide (STIG) V3R10 report.

What's New in AppScan Source Version 9.0.3.2

AppScan Source and AppScan Enterprise version compatibility

Some versions of AppScan Source no longer require that AppScan Source and AppScan Enterprise version and release levels match when connecting to the AppScan Enterprise Server or when publishing to the AppScan Enterprise Console. See How to enable connections and publish assessments for different versions of AppScan Source and AppScan Enterprise to learn which versions of AppScan Source and AppScan Enterprise are compatible.

This change is retroactive to some previous versions of AppScan Source, as described in the above linked document.

What's New in AppScan Source Version 9.0.3.1

New integration solution support

As of AppScan Source Version 9.0.3.1:

  • Tomcat 8 is now supported for compiling Java and JSP.
    Note: Operating system support is dependent on the operating system supported by individual compilers.
  • Xcode 7.0, 7.1, and 7.2 for Objective-C (for iOS applications only) are now supported compilers on macOS.

Scanning WAR and EAR files in AppScan Source for Automation and the AppScan Source command line interface (CLI)

The openapplication (oa) command in the CLI can now be used to open WAR and EAR files. In addition, these files can be scanned in AppScan Source for Automation using the ScanApplication command.

What's New in AppScan Source Version 9.0.3

New platform and integration solution support

As of AppScan Source Version 9.0.3, these operating systems are supported:

  • Red Hat Enterprise Linux Version 6 Updates 6 and 7
  • OS X Version 10.11. Support for OS X Version 10.11 is retroactive to AppScan Source Version 9.0.2.

In addition:

  • Xcode 6.3 and 6.4 for Objective-C (for iOS applications only) are now supported compilers on OS X (support for Xcode 6.3 and 6.4 is retroactive to AppScan Source Version 9.0.2). Note that some limitations exist for Xcode 6.3 and 6.4 support. Please see Scan failures when using the "nullability" or "noescape" language enhancements in Xcode 6.3 or higher for details. These limitations do not apply to AppScan Source Version 9.0.3.1 and higher.
  • The AppScan Source for Development Eclipse plug-in now integrates with IBM MobileFirst Platform Foundation Version 7.1. You can now scan IBM MobileFirst Platform Version 7.1 projects, applications, environments, and HTML files in AppScan Source products.
  • Rational® Application Developer for WebSphere® Software (RAD) Version 9.1.1 project files and workspaces can be scanned - and the AppScan Source for Development (Eclipse plug-in) can be applied to RAD Version 9.1.1.
  • Eclipse Version 4.5 project files and workspaces (Java and IBM MobileFirst Platform only) can be scanned - and the AppScan Source for Development (Eclipse plug-in) can be applied to Eclipse Version 4.5.
  • IBM® WebSphere Application Server Version 8.5.5 is now supported for compiling Java and JSP.
    Note: Operating system support is dependent on the operating system supported by individual compilers.

Scan configuration enhancements

The Scan Configuration view has been redesigned and now offers these key features:

  • The ability to specify filters.
  • Setting the type of analysis to perform during a scan. This includes taint-flow analysis and pattern-based analysis.

AppScan Source now includes these built-in scan configurations: Web preview scan, Web quick scan, Web balanced scan, and Web deep scan.

New rule attributes allow you to identify high severity definitive security findings more accurately

This release of AppScan Source introduces the Attribute.Likelihood.High and Attribute.Likelihood.Low attributes. These attributes have been added to the built-in rules and can also be used when creating custom rules.

In AppScan Source, likelihood represents the probability or chance that a security finding can be exploited. AppScan Source takes the definition of likelihood that is presented at https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology#Step_2:_Factors_for_Estimating_Likelihood, and refines it by determining likelihood based on trace properties. Given a set of trace properties - for example, Source API name, Source API type, Source Technology, or Source Mechanism - AppScan Source determines the likelihood that a trace can or will be exploited using a specific vulnerability in the future.

Likelihood is tied to the source element of a trace. A source is an input to the program, such as a file, servlet request, console input, or socket. For most input sources, the data returned is unbounded in terms of content and length. When an input is unchecked, it is considered a source of taint.

Likelihood examples include:

  • Given a trace with an HTTP source (for example, Request.getQueryString) and a cross-site scripting sink (for example, Response.write), a high likelihood is determined, thereby raising the confidence of the finding.
  • Given a trace with a system property source (for example, getProperty) and a cross-site scripting sink (for example, Response.write), a low likelihood is determined, thereby lowering the confidence of the finding.

Likelihood is used to identify high priority actionable findings that must be acted on or fixed immediately. It is tied to highly-exploitable sources of taint and can provide you with a more fine-grained approach for classifying findings. Likelihood is stored as an attribute that is tied to a source of taint, in the AppScan Source vulnerability database. The feature is available out-of-the-box.

We have conducted extensive research in order to determine the likelihood factor for sources. Using the Custom Rules Wizard, you can add likelihood information to new sources of taint that you add to your rule base. This will improve the classification of findings generated from a scan and, in turn, improve the efficiency of your overall triage workflow.

In the Custom Rules Wizard, there are two values (High and Low) that you can set for the Likelihood property. A value of High means that the source is very susceptible to taint. In other words, the barrier to taint entering the system is very low, making it easy for attackers to submit malicious data either manually or in an automated fashion. A value of Low means that the barrier to entering malicious data through this source is very high. This could mean that in order for taint to be introduced to the source, an attacker would have to have insider knowledge of the system and have permissions to operate on the victim's network.

Note: As a result of these rule attributes, if you have generated assessments in previous versions of AppScan Source, you may find that findings classifications for the same source have changed when it is scanned in Version 9.0.3. For more information, and to learn how to disable these rule attributes, see the migration considerations regarding these changes.

Automatic lost sink resolution allows for better scan results

AppScan Source now tries to resolve lost sinks in traces by automatically inferring markup for lost sink methods such as getters, setters, and methods that return boolean values. This allows for a more thorough analysis of your code and improved lost sink resolution.

Note: As a result of this feature, if you have generated assessments in previous versions of AppScan Source, you may notice a change in findings results for lost sinks that were not resolved. For more information, and to learn how to disable automatic markup generation, see the migration considerations regarding these changes.

Enhanced and new scanning support

  • PHP Version 5.4 can now be scanned on Windows and Linux in HCL AppScan Source for Analysis, HCL AppScan Source for Automation, and the HCL AppScan Source command line interface (CLI).
  • AppScan Source now includes built-in support for the Spring MVC 4 framework.
  • Java scanning optimizations:
    • When scanning JavaServer Pages, you now have the option of scanning precompiled class files instead of compiling them during a scan. To scan precompiled class files in the AppScan Source for Development Eclipse plug-in, configure your project for security scanning (select Security Analysis > Configure Scan > Configure Projects for Security) and select the Precompiled classes check box. To scan precompiled class files in HCL AppScan Source for Analysis, select the Precompiled classes check box in one of these locations:
      • The Project Dependencies tab in the project properties.
      • The Java Project Dependencies page when creating a new project or application.
    • When scanning Java, AppScan Source will now scan Java files and Java byte code with missing dependencies or compilation errors. If there are missing dependencies or compilation errors, information about them will be written to a log file. With this information, you can then add the dependencies to your project properties, re-scan, and achieve full coverage for scan results.
  • As of AppScan Source Version 9.0.3, header locations and configuration options are determined more accurately when Xcode projects are imported and scanned. This change introduces the use of xcodebuild -dry-run to obtain every file's build configuration, so there may be a pause at the beginning of scans while AppScan Source determines file configurations before proceeding.