What's new

This section describes new AppScan Standard product features and enhancements in this release, as well as deprecations and anticipated changes, where relevant.

Attention: A new version, HCL AppScan Standard 10.8.1, is available. This update includes fixes for the zero-day vulnerability CVE-2025-2783, along with other improvements. It is recommended to upgrade to this version. For more information, see the Fix list. Refer to the 10.8.0 documentation, as there are no new documentation updates for 10.8.1.

New in HCL AppScan Standard 10.8.0

  • Auto-update: AppScan can now apply new updates automatically once you configure an API key to connect with My HCLSoftware (MHS). For more information, see Auto-updates.
  • Custom scripts: Add dynamic behavior to your DAST scan with AppScan’s built-in JavaScript runtime. AppScan can run custom scripts before a request is sent or after a response is received during the scan. The script will be executed for each HTTP request and response.
  • Redesigned the Regular Expression dialog across scan configuration to improve usability.
  • Restored the option to access the AppScan SSL certificate section through Tools > Options > Recording proxy.
  • When a scan is configured for a Postman collection using a URL, rescanning will now fetch the updated Postman contents from that URL.
  • When using the Change Host/Scheme/Port option, issues marked as Noise now remain as Noise and do not reappear in the scan results.
  • Enhanced automatic login detection in the DAST engine.

Fixes and security updates

New security rules in this release include:

  • attAppMetricsDataExposed - Application Metrics endpoint exposed
  • attWordPressPluginXSSCVE20237246 - WordPress Plugin Cross-Site Scripting CVE-2023-7246
  • attAtlassianConfluenceBrokenAccessCVE202322515 - Atlassian Confluence Broken Access CVE-2023-22515
  • SriValidation - Validation for SRI integrity check
  • CSP Rules - Reworked CSP evaluation, resulting in detection of 17 new Content-Security-Policy issues
  • Vulnerable component database updated to version 1.6

For a complete list of fixes, new and updated security rules, and RFEs in this release, see AppScan Standard Fix List.

Changed in this release

Upcoming change

  • AppScan Standard versions 10.6.0 and earlier will reach End of Support (EOS) by June 2025. It is recommended that you upgrade to the latest version available before then.
  • The Web API Wizard (OpenAPI) extension will be removed in a future version of AppScan.