What's New in AppScan Source
Explore these new features that have been added to AppScan® Source - and note any features and capabilities that have been deprecated in this release.
- What's New in AppScan Source Version 9.0.3.14
- What's New in AppScan Source Version 9.0.3.11
- What's New in AppScan Source Version 9.0.3.10
- What's New in AppScan Source Version 9.0.3.9
- What's New in AppScan Source Version 9.0.3.7
- What's New in AppScan Source Version 9.0.3.6
- What's New in AppScan Source Version 9.0.3.5
- What's New in AppScan Source Version 9.0.3.4
- What's New in AppScan Source Version 9.0.3.3
- What's New in AppScan Source Version 9.0.3.2
- What's New in AppScan Source Version 9.0.3.1
- What's New in AppScan Source Version 9.0.3
What's New in AppScan Source Version 9.0.3.14
Enhanced and new functionality in AppScan Source Version 9.0.3.14
- IBM AppScan Source is now HCL AppScan Source
In mid-2019, HCL Technologies acquired the AppScan family of products from IBM, including AppScan Enterprise, AppScan Standard, AppScan Source, and AppScan on Cloud. All AppScan products are now owned, developed, and promoted by HCL Software. All licenses, logos, naming conventions, and other intellectual and/or branding rights are owned by HCL. As such all AppScan products have been rebranded to reflect this ownership and its new phase of development and growth.
- Introducing HCL Licensing for HCL AppScan Source
As part of the transition from IBM to HCL, HCL is introducing HCL-centric license packages for the AppScan family of products. AppScan Enterprise, AppScan Standard, and AppScan Source use a local FlexLM license server, authenticating via a proxy server; AppScan on Cloud uses a market-leading customer identity access management (CIAM) system from Okta.
Note: AppScan products will continue to support existing IBM licenses until further notice.
- AppScan Source now supports Apex scanning
- AppScan Source now supports Eclipse 4.13
- AppScan Source now supports Ruby scanning
- AppScan Source now supports Visual Studio 2017 plugin
- AppScan Source now supports Visual Studio 2019 plugin
For additional information on system requirements, and scanning and plugin support, see HCL AppScan Source system requirements or contact HCL Support.
Capabilities nearing end-of-life in AppScan Source Version 9.0.3.14
- Custom findings
- Quality metrics
- Email/settings
- RSS feed
- Application attributes
Use AppScan Enterprise to store application information.
- Defect tracking system integration
Use the AppScan Issues gateway to integrate from an AppScan Enterprise level.
What's New in AppScan Source Version 9.0.3.11
- Enhanced and new scanning support
- Capabilities and features that are no longer supported in AppScan Source Version 9.0.3.11
Enhanced and new scanning support
- As part of JavaScript support, AppScan Source supports AngularJS and Node.js.
- AppScan Source now supports Java Runtime Environment version 8.
- AppScan Source now supports Windows 2016.
Capabilities and features no longer supported in AppScan Source version 9.0.3.11
- As of version 9.0.3.11, AppScan Source no longer supports macOS or iOS Xcode project scanning.
AppScan Source is a 32-bit application. MacOS 10.14 (Mojave) is the last Mac operating system version that will support 32-bit applications.
You can continue to use AppScan Source version 9.0.3.10 and earlier on Mac operating systems up to and including 10.12.
What's New in AppScan Source Version 9.0.3.10
Enhanced and new scanning support
- AppScan Source now supports the Windows 10 Fall Creators update.
- Scanning Python applications is now supported.
- AppScan Source now supports the RAD v9.5 plugin on all operating systems.
Reporting enhancements
- AppScan Source for Analysis now generates the Open Web Application Security Project (OWASP) Top 10 2013 and 2017 reports.
What's New in AppScan Source Version 9.0.3.9
Enhanced and new scanning support
- .NET support now includes both .NET Framework and .NET Core (C#, ASP.NET, VB.NET) for Visual Studio 2017 and earlier.
- Applying the AppScan Source for Development Visual Studio plug-in to Visual Studio 2017 is now supported.
What's New in AppScan Source Version 9.0.3.7
Enhanced and new scanning support
- Red Hat Enterprise Linux (RHEL) Versions 7.3 and 7.4 are now supported operating systems.
- Applying the AppScan Source for Development Visual Studio plug-in to Visual Studio 2015 is now supported.
What's New in AppScan Source Version 9.0.3.6
Enhanced and new scanning support
- Xcode 8.1 and 8.2 for Objective-C (for iOS applications only) are now supported compilers on macOS. Support for these versions of Xcode is retroactive to AppScan Source Version 9.0.3.5.
What's New in AppScan Source Version 9.0.3.5
- Enhanced and new scanning support
- Incremental scan support for Java source and bytecode allows for more efficient and faster re-scans
Enhanced and new scanning support
- macOS Version 10.12 is now a supported operating system. Support for macOS Version 10.12 is retroactive to AppScan Source Version 9.0.3.4.
- Xcode 8.0, 8.1, and 8.2 for Objective-C (for iOS applications only) are now supported compilers on macOS.
Incremental scan support for Java source and bytecode allows for more efficient and faster re-scans
As of Version 9.0.3.5, you can enable Java incremental scan support on Windows and Linux. When incremental analysis is enabled, analysis data is cached by AppScan Source. When you then re-scan your project or application, AppScan Source uses this data to determine the code changes and only the portions of the code that are impacted by your changes are analyzed again. The end result is a full analysis of your code - but in a fraction of the time.
This feature is supported when using HCL AppScan Source for Analysis, the AppScan Source for Development Eclipse plug-in, HCL AppScan Source for Automation, or the HCL AppScan Source command line interface (CLI).
What's New in AppScan Source Version 9.0.3.4
- Enhanced and new scanning support
- Publishing assessments to AppScan Enterprise Console is now supported when authenticating by Common Access Card (CAC)
- Payment Card Industry Data Security Standard (PCI DSS) Version 3.2 report support
- AppScan Source for Analysis product documentation
- Ability to use scan configurations in AppScan Source for Analysis to remove findings for any exclude filters
- Improved handling of libraries when scanning WAR and EAR files in AppScan Source for Automation and the AppScan Source command line interface (CLI)
- Submitting AppScan Source assessments to the Cloud for analysis
Enhanced and new scanning support
PHP Version 7.0 can now be scanned on Windows and Linux in HCL AppScan Source for Analysis, HCL AppScan Source for Automation, and the HCL AppScan Source command line interface (CLI).
Publishing assessments to AppScan Enterprise Console is now supported when authenticating by Common Access Card (CAC)
If you are using CAC authentication to connect to the AppScan Enterprise Server, you can now publish assessments to the AppScan Enterprise Console from the AppScan Source user interface, AppScan Source command line interface (CLI), and AppScan Source for Automation.
Payment Card Industry Data Security Standard (PCI DSS) Version 3.2 report support
AppScan Source now supports the Payment Card Industry Data Security Standard (PCI DSS) Version 3.2 report.
AppScan Source for Analysis product documentation
As of Version 9.0.3.4, when you open online help from AppScan Source for Analysis, the AppScan Source help at IBM Knowledge Center opens (for Version 9.0.3.4, the help opens to the HCL AppScan Source V9.0.3.4 documentation). Similarly, when you follow links from the AppScan Source for Analysis Welcome view, they are opened at IBM Knowledge Center.
The menu item in AppScan Source for Analysis also offers context-sensitive help for many views, preference pages, and dialog boxes. The keyboard shortcut for context-sensitive help is F1 on Windows, Shift+F1 on Linux, and command+F1 on macOS. This context-sensitive help also opens to AppScan Source at IBM Knowledge Center as of Version 9.0.3.4.
If you are using the product without an internet connection, help is available locally as follows:
- The HCL AppScan Source Readme and Release Notes are available in the readme.html file that is located in your AppScan Source installation directory.
- Javadoc for some AppScan Source for Analysis features is located in the doc/Javadoc or doc\Javadoc directory of your AppScan Source installation directory. As of Version 9.0.3.4, Javadoc for these features is available:
- Javadoc for the application server import framework API classes and methods is available in doc/Javadoc/appserverimporter or doc\Javadoc\appserverimporter.
- Javadoc for the Framework for Frameworks API classes and methods is available in doc/Javadoc/frameworks or doc\Javadoc\frameworks.
In these folders, open the index.html file.
Ability to use scan configurations in AppScan Source for Analysis to remove findings for any exclude filters
Exclude filters contain rules for which vulnerability types, application programming interfaces (API), files, directories, projects, or trace rules are removed from findings. If you include multiple exclude filters in a scan configuration, it is possible that they may conflict with each other and affect the findings. For example, given these two filters:
- Filter 1 removes all findings of vulnerability type Validation.EncodingRequired. It is not inverted and so these findings are excluded from the assessment.
- Filter 2 removes all findings of vulnerability type Validation.Required. It is not inverted and so these findings are excluded from the assessment.
If both of these filters are applied using a scan configuration, they will rule each other out by default. Filter 1 will exclude Validation.EncodingRequired findings - but it will include Validation.Required findings. Filter 2 will exclude Validation.Required findings - but it will include Validation.EncodingRequired findings. The end result will be that all Validation.EncodingRequired and Validation.Required findings are included.
As of Version 9.0.3.4, you can remove the findings for any exclude filter specified by selecting Match any non-inverted exclude filters when creating a scan configuration. This check box is in the Filters Information section of the Scan Configuration view General tab. Given the above example, if this check box is selected, all Validation.EncodingRequired and Validation.Required findings will be excluded from the assessment.
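The following is an added model of the two combination behaviours described above; it is not AppScan Source code. The Finding and ExcludeFilter classes, the file paths, and the third vulnerability type (Injection.SQL) are assumptions used to make the difference between the default behaviour and the Match any non-inverted exclude filters check box visible on sample data.

```python
"""Constructed model of how a scan configuration combines exclude filters.

Added illustration, not AppScan Source code. Two combination modes:
  default   - a finding is removed only if every exclude filter removes it,
              so filters that target different types cancel each other out;
  match_any - the "Match any non-inverted exclude filters" check box:
              a finding is removed as soon as one filter removes it.
Only non-inverted exclude filters are modelled.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Finding:
    vuln_type: str
    path: str


@dataclass(frozen=True)
class ExcludeFilter:
    """Rules naming vulnerability types and/or files to remove from findings."""
    name: str
    vuln_types: frozenset = frozenset()
    paths: frozenset = frozenset()

    def removes(self, finding: Finding) -> bool:
        return finding.vuln_type in self.vuln_types or finding.path in self.paths


def apply_exclude_filters(findings: Iterable[Finding],
                          filters: List[ExcludeFilter],
                          match_any: bool = False) -> List[Finding]:
    """Return the findings that survive the combined exclude filters."""
    kept = []
    for finding in findings:
        verdicts = [flt.removes(finding) for flt in filters]
        if match_any:
            excluded = any(verdicts)                     # one filter is enough
        else:
            excluded = bool(verdicts) and all(verdicts)  # all filters must agree
        if not excluded:
            kept.append(finding)
    return kept


# Constructed sample assessment: the two types from the page plus one unrelated type.
SAMPLE_FINDINGS = [
    Finding("Validation.EncodingRequired", "src/Search.java"),
    Finding("Validation.Required", "src/Login.java"),
    Finding("Injection.SQL", "src/Orders.java"),
]
FILTER_1 = ExcludeFilter("Filter 1", vuln_types=frozenset({"Validation.EncodingRequired"}))
FILTER_2 = ExcludeFilter("Filter 2", vuln_types=frozenset({"Validation.Required"}))


def remaining_types(filters: List[ExcludeFilter], match_any: bool) -> List[str]:
    """Vulnerability types left in the assessment, in original order."""
    return [f.vuln_type for f in apply_exclude_filters(SAMPLE_FINDINGS, filters, match_any)]


if __name__ == "__main__":
    print("default, both filters:  ", remaining_types([FILTER_1, FILTER_2], False))
    print("match any, both filters:", remaining_types([FILTER_1, FILTER_2], True))
    print("default, Filter 1 only: ", remaining_types([FILTER_1], False))
```

With a single filter both modes give the same result; the check box only changes the outcome once two or more non-inverted filters target different findings.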
Improved handling of libraries when scanning WAR and EAR files in AppScan Source for Automation and the AppScan Source command line interface (CLI)
When scanning WAR files, these settings are now available:
- -include_all_lib_jars: Use this setting to include all libraries in the WAR file during the scan.
- -include_lib_jars: Use this setting to specify the libraries in the WAR file that you want to include during the scan.
When importing an EAR file, a project is automatically created for storing shared libraries. If there are no shared libraries, the project will be created, but it will be empty. The -no_ear_project setting is now available and, when used, no project will be created for the EAR file.
Submitting AppScan Source assessments to the Cloud for analysis
If you have a subscription to HCL AppScan on Cloud at HCL Cloud Marketplace, you can submit AppScan Source assessments for analysis there. Assessments from AppScan Source Versions 9.0 or higher are supported - and the number of scans that you can submit depends on your AppScan on Cloud subscription. See http://help.hcl-software.com/appscan/ASoC/src_managing_assessments_cloud.html for more information.
What's New in AppScan Source Version 9.0.3.3
- New platform and integration solution support
- Enhanced and new scanning support
- New installation file name for Windows
- Common Access Card (CAC) support on Windows
- DISA Application Security and Development STIG V3R10 report support
New platform and integration solution support
As of AppScan Source Version 9.0.3.3:
- Microsoft Windows 10 is now a supported operating system. This includes Windows 10 Education, Enterprise, and Pro editions. Note:
- On Windows 10, the AppScan Source installer (AppScanSrc_Installer.exe file) must be run in Windows 7 compatibility mode. On Windows 10, you must also set the AppScan_Uninstaller.exe file to run in Windows 7 compatibility mode before uninstalling AppScan Source. This file is located in <install_dir>\Uninstall_AppScan\AppScan_Uninstaller.exe (where <install_dir> is the location of your AppScan Source installation, as described in Installation and user data file locations). See Installation of AppScan Source results in "Installer User interface Mode Not Supported" for more information.
- If you are connecting to an AppScan Enterprise Server Version 9.0.3.1 or higher, the HCL AppScan Source Database can be installed to an Oracle 12c database. Important: If you have an existing installation of AppScan Source that utilizes an Oracle 11g database, and you want to upgrade to Oracle 12c, you must upgrade AppScan Source before upgrading the Oracle database.
- Tomcat 8 is now included in the installation of AppScan Source.
- Visual Studio 2015 solution and project files can now be scanned in AppScan Source for Analysis, AppScan Source for Automation, and the AppScan Source command line interface. If you have .sln or .vcproj files that have been created in Visual Studio 2015, these files can be imported and scanned when using AppScan Source for Analysis, AppScan Source for Automation, or the AppScan Source command line interface on Windows. Important:
- Applying the AppScan Source for Development Visual Studio plug-in to Visual Studio 2015 is not supported.
- Managed C++ projects are supported. Unmanaged C++ projects are supported if they are built with a Platform Toolset from Visual Studio 2015 or earlier (Platform Toolset V140 or earlier).
- Xcode 7.3 for Objective-C (for iOS applications only) is now a supported compiler on macOS (support for Xcode 7.3 is retroactive to AppScan Source Version 9.0.3.2).
Enhanced and new scanning support
- PHP Versions 5.5 and 5.6 can now be scanned on Windows and Linux in HCL AppScan Source for Analysis, HCL AppScan Source for Automation, and the HCL AppScan Source command line interface (CLI).
- When using AppScan Source to scan Java™, the @ValidatorMethod, @CallbackMethod, and @SuppressSecurityTrace method-level annotations are now supported.
New installation file name for Windows
On Windows, the installation file name has changed from setup.exe to AppScanSrc_Installer.exe.
Common Access Card (CAC) support on Windows
The Common Access Card (http://www.cac.mil) is the standard identification for active duty uniformed service personnel, Selected Reserve, DoD civilian employees, and eligible contractor personnel in the United States. It is used to enable physical access to buildings and controlled spaces, and provides access to DoD computer networks and systems. The CAC can be used for access into computers and networks that are equipped with various smart card readers. When it is inserted into the reader, the device asks the user for a PIN.
If you are running AppScan Source on Windows and connecting to an AppScan Enterprise Server Version 9.0.3.1 iFix-001 or higher that is enabled for Common Access Card (CAC) authentication, AppScan Source now supports CAC authentication.
DISA Application Security and Development STIG V3R10 report support
AppScan Source now supports the Defense Information Systems Agency (DISA) Application Security and Development Security Technical Implementation Guide (STIG) V3R10 report.
What's New in AppScan Source Version 9.0.3.2
AppScan Source and AppScan Enterprise version compatibility
Some versions of AppScan Source no longer require that AppScan Source and AppScan Enterprise version and release levels match when connecting to the AppScan Enterprise Server or when publishing to the AppScan Enterprise Console. See How to enable connections and publish assessments for different versions of AppScan Source and AppScan Enterprise to learn which versions of AppScan Source and AppScan Enterprise are compatible.
This change is retroactive to some previous versions of AppScan Source, as described in the above linked document.
What's New in AppScan Source Version 9.0.3.1
- New integration solution support
- Scanning WAR and EAR files in AppScan Source for Automation and the AppScan Source command line interface (CLI)
New integration solution support
As of AppScan Source Version 9.0.3.1:
- Tomcat 8 is now supported for compiling Java and JSP. Note: Operating system support is dependent on the operating system supported by individual compilers.
- Xcode 7.0, 7.1, and 7.2 for Objective-C (for iOS applications only) are now supported compilers on macOS.
Scanning WAR and EAR files in AppScan Source for Automation and the AppScan Source command line interface (CLI)
The openapplication (oa) command in the CLI can now be used to open WAR and EAR files. In addition, these files can be scanned in AppScan Source for Automation using the ScanApplication command.
What's New in AppScan Source Version 9.0.3
- New platform and integration solution support
- Scan configuration enhancements
- New rule attributes allow you to identify high severity definitive security findings more accurately
- Automatic lost sink resolution allows for better scan results
- Enhanced and new scanning support
New platform and integration solution support
As of AppScan Source Version 9.0.3, these operating systems are supported:
- Red Hat Enterprise Linux Version 6 Updates 6 and 7
- OS X Version 10.11. Support for OS X Version 10.11 is retroactive to AppScan Source Version 9.0.2.
In addition:
- Xcode 6.3 and 6.4 for Objective-C (for iOS applications only) are now supported compilers on OS X (support for Xcode 6.3 and 6.4 is retroactive to AppScan Source Version 9.0.2). Note that some limitations exist for Xcode 6.3 and 6.4 support. Please see Scan failures when using the "nullability" or "noescape" language enhancements in Xcode 6.3 or higher for details. These limitations do not apply to AppScan Source Version 9.0.3.1 and higher.
- The AppScan Source for Development Eclipse plug-in now integrates with IBM MobileFirst Platform Foundation Version 7.1. You can now scan IBM MobileFirst Platform Version 7.1 projects, applications, environments, and HTML files in AppScan Source products.
- Rational® Application Developer for WebSphere® Software (RAD) Version 9.1.1 project files and workspaces can be scanned - and the AppScan Source for Development (Eclipse plug-in) can be applied to RAD Version 9.1.1.
- Eclipse Version 4.5 project files and workspaces (Java and IBM MobileFirst Platform only) can be scanned - and the AppScan Source for Development (Eclipse plug-in) can be applied to Eclipse Version 4.5.
- IBM® WebSphere Application Server Version 8.5.5 is now supported for compiling Java and JSP. Note: Operating system support is dependent on the operating system supported by individual compilers.
Scan configuration enhancements
The Scan Configuration view has been redesigned and now offers these key features:
- The ability to specify filters.
- Setting the type of analysis to perform during a scan. This includes taint-flow analysis and pattern-based analysis.
AppScan Source now includes these built-in scan configurations: Web preview scan, Web quick scan, Web balanced scan, and Web deep scan.
New rule attributes allow you to identify high severity definitive security findings more accurately
This release of AppScan Source introduces the Attribute.Likelihood.High and Attribute.Likelihood.Low attributes. These attributes have been added to the built-in rules and can also be used when creating custom rules.
In AppScan Source, likelihood represents the probability or chance that a security finding can be exploited. AppScan Source takes the definition of likelihood that is presented at https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology#Step_2:_Factors_for_Estimating_Likelihood, and refines it by determining likelihood based on trace properties. Given a set of trace properties - for example, Source API name, Source API type, Source Technology, or Source Mechanism - AppScan Source determines the likelihood that a trace can or will be exploited using a specific vulnerability in the future.
Likelihood is tied to the source element of a trace. A source is an input to the program, such as a file, servlet request, console input, or socket. For most input sources, the data returned is unbounded in terms of content and length. When an input is unchecked, it is considered a source of taint.
Likelihood examples include:
- Given a trace with an HTTP source (for example, Request.getQueryString) and a cross-site scripting sink (for example, Response.write), a high likelihood is determined, thereby raising the confidence of the finding.
- Given a trace with a system property source (for example, getProperty) and a cross-site scripting sink (for example, Response.write), a low likelihood is determined, thereby lowering the confidence of the finding.
Likelihood is used to identify high priority actionable findings that must be acted on or fixed immediately. It is tied to highly-exploitable sources of taint and can provide you with a more fine-grained approach for classifying findings. Likelihood is stored as an attribute that is tied to a source of taint, in the AppScan Source vulnerability database. The feature is available out-of-the-box.
We have conducted extensive research in order to determine the likelihood factor for sources. Using the Custom Rules Wizard, you can add likelihood information to new sources of taint that you add to your rule base. This will improve the classification of findings generated from a scan and, in turn, improve the efficiency of your overall triage workflow.
In the Custom Rules Wizard, there are two values (High and Low) that you can set for the Likelihood property. A value of High means that the source is very susceptible to taint. In other words, the barrier to taint entering the system is very low, making it easy for attackers to submit malicious data either manually or in an automated fashion. A value of Low means that the barrier to entering malicious data through this source is very high. This could mean that in order for taint to be introduced to the source, an attacker would have to have insider knowledge of the system and have permissions to operate on the victim's network.
Automatic lost sink resolution allows for better scan results
AppScan Source now tries to resolve lost sinks in traces by automatically inferring markup for lost sink methods such as getters, setters, and methods that return boolean values. This allows for a more thorough analysis of your code and improved lost sink resolution.
Enhanced and new scanning support
- PHP Version 5.4 can now be scanned on Windows and Linux in HCL AppScan Source for Analysis, HCL AppScan Source for Automation, and the HCL AppScan Source command line interface (CLI).
- AppScan Source now includes built-in support for the Spring MVC 4 framework.
- Java scanning optimizations:
- When scanning JavaServer Pages, you now have the option of scanning precompiled class files instead of compiling them during a scan. To scan precompiled class files in the AppScan Source for Development Eclipse plug-in, configure your project for security scanning (select ) and select the Precompiled classes check box. To scan precompiled class files in HCL AppScan Source for Analysis, select the Precompiled classes check box in one of these locations:
- The Project Dependencies tab in the project properties.
- The Java Project Dependencies page when creating a new project or application.
- When scanning Java, AppScan Source will now scan Java files and Java byte code with missing dependencies or compilation errors. If there are missing dependencies or compilation errors, information about them will be written to a log file. With this information, you can then add the dependencies to your project properties, re-scan, and achieve full coverage for scan results.
- As of AppScan Source Version 9.0.3, header locations and configuration options are determined more accurately when Xcode projects are imported and scanned. This change introduces the use of xcodebuild -dry-run to obtain every file's build configuration, so there may be a pause at the beginning of scans while AppScan Source determines file configurations before proceeding.