Previous updates 2016-2018

Lists features that were added in previous updates to the AppScan on Cloud service between 2016 and 2018.

New on December 30, 2018

  • Updated Security Scan Report: The Security Scan report is now generated on request rather than at the time of the scan. As with the other reports, issues whose status has changed (such as to “Fixed”) now appear in the report with their current status. (Does not apply to scans run before October 2017.)
  • New Open Source License Report for Static Analysis scans (Open Source subscription required): Generate a report for a scan listing all Open Source libraries found in your code. (Applies only to scans run after December 30, 2018.)
  • Personal Scans can now be promoted from the user interface (in addition to the API, as before): Issues in the Personal Scan are merged with the issues in the application, and a message indicates how many issues were "New" (issues not previously found in the application), "Merged" (issues found in both the Personal Scan and in the application), and "Reopened" (issues found in the Personal Scan that were marked as Fixed in the application and are now reopened).
  • Additional Industry Standard Report: OWASP Top 10 Mobile 2016.
  • Scan History view now shows the name of the user who created each scan.

New on December 3, 2018

  • Support for Visual Studio Team Services (VSTS) plugin.

New on November 29, 2018

  • Enhanced JavaScript scanner for static analysis.
  • Support for AngularJS.

New on November 19, 2018

  • New Dynamic Analysis engine
  • The list of IPs used for Private Site Scanning has been updated in System Requirements.

New on November 7, 2018

  • Additional lists are now divided into pages (10 per page by default, configurable): Asset Group list, Asset Group Users list (Grant User Access), Asset Group Applications list (Move Applications), Users list.
  • For dynamic scanning: Mouse-click on the Info icon next to a scan now shows scan ID and Starting URL.
  • Starting URL field now verifies the URL as you type it.
  • For private site scanning: AppScan Presence status is now displayed during the scan.

New on October 28, 2018

  • For Private Site Scanning, with Windows OS, the AppScan Presence can now be run as a service.

New on October 17, 2018

  • My Scans tab list is now divided into pages (five per page by default, configurable).
  • Fixed a defect in Private Site Scanning with a PAC file.

New on October 9, 2018

  • Mobile Analysis now supports iOS versions between 7 and 12 inclusive, and all versions of Swift up to and including 4.2.
  • Dynamic Analysis now supports sites that require HTTP authentication.
  • Private Site Scanning now supports proxy auto-config (PAC) files.
  • Redesigned landing page.
  • Fixed a defect where promoting a personal scan did not work properly if there were more than 200 issues.
  • Added a missing fix recommendation for SAST in the application report.
  • General bug fixes.

New on September 20, 2018

HCL AppScan on Cloud Static Analyzer Command Line Utility is supported on 64-bit Linux only.

New on September 5, 2018

Application Security on Cloud supports scanning directly from your integrated development environment (IDE) or your build system using the following plugins:
  • Eclipse
  • IntelliJ
  • Visual Studio
  • Jenkins
  • Gradle
  • Maven
Note: The Maven ASoC plugin is now live in the Maven Central Repository; it no longer needs to be installed manually.

New on August 29, 2018

  • Language support: Application Security on Cloud now supports Python scanning.
Dynamic Analysis Engine updates:
  • Added a check for the latest Apache Struts 2 vulnerability, CVE-2018-11776, to discover this critical remote code execution flaw. Available in Dynamic and Open Source Analysis.
  • Added Dynamic Analysis checks for ‘XML External Entity File Disclosure on JSON’ and ‘Older TLS Version is Supported’.
  • Improved existing ‘Apache Struts 2 Remote Command Execution’ check with new variants to improve coverage and accuracy.

New on August 14, 2018

  • Dynamic Analysis engine update, with general improvements and bug fixes.

New on August 7, 2018

  • Personal scans are now indicated as such in the list of scans for the application.

New on August 1, 2018

  • Language support: AppScan on Cloud now supports COBOL scanning.
  • Static Analyzer reporting improvements: Application Security on Cloud has improved fix group categorization, as seen in both reports and the assessment viewer.
  • Pipeline support: The Jenkins plugin has been updated to include support for Jenkins Pipeline.

New on July 10, 2018

  • New Dynamic Analysis engine, with advanced Automatic Explore capabilities, improves speed and testing coverage.

New on July 2, 2018

AppScan on Cloud IDE plugin support for policies includes these changes to security scans:
  • The Scan issues column replaces the Result column in the Security scans view.

    When clicked, Scan issues displays all non-compliant static security issues discovered during the scan.

  • The Application issues column replaces the Report column.

    When clicked, Application issues displays all non-compliant static security issues discovered during scans of this application.

IDE plugins for Static Analyzer are now available through the IDE marketplace for the specific plugin flavor. For more information, see Scanning in integrated development environments.

New on June 27, 2018

  • Subscription management: The new Subscriptions view (Main menu > My Subscriptions) shows the status of all your organization's subscriptions, including the number of applications or scans left, and the start and end dates.
  • New Policy Filters in the UI let you easily filter Issues based on either associated or unassociated Policies. For example, you can create a Policy to include only High Severity Issues found after a certain date, and then filter the Issues to create a Regulatory Compliance Report for those issues only.
  • API: New report APIs let you create: Issues Report, Security Report, and Regulation Reports for selected issues, and with a defined scope.

New on May 30, 2018

  • Mobile Analysis now supports Android versions up to 8.0.

New on May 9, 2018

  • New policy functionality:
    • Create custom policies through the user interface.
    • Quickly enable or disable associated policies using the new Policy tab in the Application view.
  • Error when trying to import a CSV file using Issue Management > Import Issues has been fixed.

New on April 25, 2018

  • New predefined HIPAA policy identifies issues that fail to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). See Policies.

New on April 17, 2018

  • In the Advisory tab for an Issue, some of the links to external reference sites were broken. These have been fixed.
  • The new Compliant column header in the Application table lets you sort issues as Compliant or Not Compliant with the application's associated policies.
  • AppScan on Cloud supports scanning of .NET Core projects through the Command Line Interface (CLI) and through the Visual Studio 2017 plugin on Windows only. For more information, see Generating an IRX for a .NET Core project.
    Note: AppScan on Cloud does not support the portable .pdb format. For more information, see .NET scan results show the assembly file instead of the source file.

New on March 18, 2018


You can now associate one or more policies with an application, allowing you to evaluate the application's compliance with those policies and focus remediation efforts on related vulnerabilities. Policies are applied through the user interface.

Subsequently, impact of policies on a scan and compliance with policies by an application can be highlighted in reports. A new Application Report function is available at the application level. From this function, you can run security and issues reports, as well as the following new compliance reports:
  • CWE/SANS top 25 report
  • EU General Data Protection Regulation (GDPR) report
  • OWASP Top 10 2017 report
  • PCI compliance report
Note: Policies currently are available only on the web and are not compatible with Static Analyzer tools (IDE, CLI, and Jenkins).

New on March 8, 2018

  • The IDE plugins now prompt for the application association on every scan, instead of only once per workspace.
  • PHP applications no longer encounter memory limits during IRX generation.
  • The Help Me Fix This button is no longer reactivated in Visual Studio after resolving a fix group.

New on March 5, 2018

  • When an AppScan Standard configuration was used to run an ASoC scan, tests were sent to domains that had been specifically excluded from the scan. This bug is now fixed.
DEPRECATION NOTICE: Some Issue Properties columns will be removed on March 19, 2018

When working with scan results, six Issue Properties are displayed by default: Status, Location, CVSS, Issue Type, Severity, and Scan Name. Columns for additional properties can be added (or removed) using the Column Selection drop-down list. To streamline the UI, the following column options will be removed on March 19, 2018:

Access Complexity, Access Vector, Application Name, Authentication, Availability Impact, Classification, Confidentiality Impact, Description, Discovery Method, Exploitability, Fix Recommendation, Friendly ID, Integrity Impact, Is Third Party, Nessus Plugin ID, Project Name, Protocol, Remediation Level, Report Confidence, Severity Value, Steps to Reproduce, Summary, WhiteHatSecVulnId

As of March 19, 2018 these properties will no longer appear as options in the Column Selection drop-down list, and if selected in a previous scan, will no longer be displayed in the scan results.

New on February 26, 2018

  • The Application Report, which previously downloaded as an HTML file, now downloads as a PDF file.
  • The data included in reports by default is now: Table of Contents, Summary, and Details. The other four categories (Discussion, History, Advisory, and Fix Recommendation) can be selected for inclusion when generating the report.

New on January 30, 2018

  • For scans created in a language other than English, Issue severity was shown correctly in reports but incorrectly shown as "Undetermined" in the online UI. This is now fixed.
  • Incorrect message when rescanning after 30 days is now fixed.

New on January 8, 2018

  • Reset Application Data: Added as a new option in Edit Application, this function permanently deletes all scans and issues from an app while retaining its name and configuration.
  • Dynamic Analysis new behavior: If you load a scan file you are given the option to Full Scan or Test Only:
    • Full Scan: Ignores all results saved in the scan and runs a new scan with the same configuration (previously the scan would preserve existing results and continue the scan till completion)
    • Test Only: Ignores any Test stage results and runs a new Test stage using the Explore stage results in the file (previously the Test stage would preserve existing Test stage results and continue till completion)
    Note that in both cases any Manual Explore data and Multi-Step Operations saved in the file are included in the new scan.

New on December 31, 2017

  • New Dynamic Analysis agent.

New on December 26, 2017

  • When generating a report, you can now:
    • Include Details and Discussion (Comments) metadata.
    • Include all issues found by clicking Report without selecting any issues. If you do select issues, the report will, as previously, contain only those issues.

New on December 13, 2017

  • You can now add Comments to Issues Found in your app. Comments are displayed as a new column in Application view and Issues view.
    Note: Existing users will first need to add the Comments column as one of the displayed columns in the Issues Found tab.
  • Users who are members of more than one organization now have a drop-down list next to their name in User Management, to select which organization’s dashboard to display.

New on December 5, 2017

  • AppScan on Cloud now supports Open Source only scanning through use of the -openSourceOnly option with appscan prepare.
  • Improvements to C/C++ scanning and resulting IRX files
  • Edge-case stability improvements for Intelligent Code Analytics (ICA) and Intelligent Findings Analytics (IFA)

New on November 22, 2017

  • Policies: You can now define and use "policies", using the REST API, to show only issues found after a certain date or of a specified minimum severity. See Policies.
  • DAST and Android engines updated with new version that includes bug fixes and improved performance.

New on November 14, 2017

  • New History tab in Issues view shows the Audit Trail for the selected Issue. Note that the trail starts only from the time of this update.
  • DAST and Mobile engines updated with new version that includes bug fixes and improved performance.

New on October 23, 2017

  • You can now use the API to delete issues, scans or application chart data without deleting the application.
  • New Discussion tab in Issues view lets you add your own Comments to Issues in your application.

New on October 20, 2017

  • Improvements to Intelligent Findings Analytics

    Previously, java.sql.Statement.executeBatch and InetAddress returned noisy findings. We improved Intelligent Findings Analytics (IFA) to filter out these false positive findings.

New on October 10, 2017

  • "Update Issue Status" has been added to the permissions you can control.
  • Paging is now available for apps as well as issues.

New on October 3, 2017

  • Mobile Analysis now supports iOS 11.
  • New issue type in Android and iOS scans: Credential Leakage.
  • The main toolbar now shows which organization the user is currently logged into, next to the Username.

New on September 10, 2017

  • User roles
  • The AppID that is generated automatically has changed from an integer to a GUID. This is transparent to users since the new ID is returned automatically, and the APIs for submitting scans are backwards compatible.

New on August 24, 2017

  • Improvements to Open Source Analyzer support:

    Improved performance with Open Source Analyzer and Eclipse when running multiple scans in the same session.

  • Improvements to C/C++ support:

    Better discovery of C++ macros and compiler options.

  • Identification of Static Analysis issues without trace has changed:

    We improved the Static Analysis engine and, with it, the hash algorithm for non-trace findings. Due to this change, many static analysis findings detected after deploying this latest update will be duplicated once in the Issues tab. This change primarily affects Node.js, Ruby, and JavaScript findings but may also affect other languages.

New on August 14, 2017

  • Removed: The ability to create Application Profile Templates, with customized attributes, has been removed.

New on July 24, 2017

  • Additional iOS support: ASoC now supports scanning iOS mobile apps up to version 10.3.
  • New IP range: One of the IP ranges used by ASoC has changed. See Which IPs does ASoC use?
  • New UI functionality: The new check box at the top of the scan results table lets you Select All scans, and the new Delete button there deletes all scans whose check box is selected. See Results

New on June 22, 2017

  • AppScan on Cloud now supports scanning iOS apps that require entitlements.
  • Better support for C/C++, including Visual Studio 2015:

    C/C++ scanning improvements include the ability to scan 64-bit projects that target the Visual Studio 2015 platform toolset.

  • Better logging for .NET:

    Improvements to logging and stabilizations for all .NET-related projects.

  • JavaScript improvements:

    Stabilized JavaScript traces so that incomplete traces don't cause issues with returning results.

New on June 15, 2017

  • Scan queue: If you try to start a scan when the maximum number of concurrent scans for your subscription is already running, the scan is now added to a queue and will start automatically as soon as possible.
  • OWASP Top 10 Risks in Mobile Analysis reports now follow "Mobile Top 10 2016".
  • Improved support for NodeJS and Ruby:

    Node.js and Ruby scans are fully integrated with the Intelligent Findings Analytics (IFA), providing dramatically faster scan times.

  • Improvements for Client Side JavaScript:

    We improved the display of trace and non-trace findings generated by the JavaScript engine.

New on March 26, 2017

  • Application Security on Cloud now supports Open Source testing:
    1. Locates Open Source packages in your code
    2. Identifies Open Source packages that are known to be vulnerable
    3. Suggests alternatives to the vulnerable packages
    Results appear in Static Analysis reports and in your Application Security on Cloud portal.
    Note: Open Source testing requires an additional subscription. Once the subscription is active, Open Source testing is automatically included in Static analysis scans.
  • The AppScan Presence now includes an optional Proxy Server for incorporating scanning (of web apps only) as part of your functional testing.

New on February 3, 2017

  • When using the Jenkins plug-in:
    • Dynamic analysis is now supported. With this feature, you can perform analysis of an application that runs in a browser.
    • Using a generated API key is now required when specifying login credentials.
    Note: Connecting to Bluemix from the Jenkins plug-in is not supported.

New on January 25, 2017

  • Intelligent Code Analytics (ICA) is now applied during C/C++ static analysis scans.

    ICA was previously introduced for Java, .NET, and PHP scans. With this technology, new application programming interfaces (APIs) are discovered and assessed for security impact. Through ICA, all third-party APIs and frameworks are reviewed and assigned the right security impact. This allows for more complete scan results.

New on December 21, 2016

New on December 14, 2016

New on December 13, 2016

New on November 16, 2016

  • Static analysis scans now make use of Intelligent Code Analytics (ICA). ICA automatically discovers new application programming interfaces (APIs) and assesses them for security impact. Through ICA, all third-party APIs and frameworks are reviewed and assigned the right security impact. This allows for more complete scan results.
    Note: ICA is currently only applied when scanning Java, C/C++, .NET, and PHP.

New on October 19, 2016

  • Changes in the User Management pages:
    • The "Manage Users" button on the Users & Roles page was removed. The Administration link from the banner to IBM Cloud Marketplace is now also available from the Main menu.
    • The "Invite Users" link on the banner to IBM Cloud Marketplace is also available from the Main menu > User Management > Users & Roles.

New on October 12, 2016

  • Create an application profile template. (This functionality was later removed.)
  • Customize the risk rating formula. (This functionality was later removed.)
  • Determine risk with customized formulas. (This functionality was later removed.)

New on October 5, 2016

  • The static analysis CLI, Eclipse plug-in, and Maven plug-in are now supported on macOS Versions 10.11 and higher.

New on September 28, 2016

  • Import a list of apps to help build your application inventory
  • View issue details, advisories, and fix recommendations
  • Dynamic analysis now supports scans using your own AppScan Standard configuration (SCAN or SCANT file).

New on September 14, 2016

  • Scanning iOS mobile apps now supports iOS 10.
  • Static Analysis now includes support for scanning C/C++ in Visual Studio solutions.
    Note: See Microsoft Visual Studio support (Windows only)

New on September 7, 2016

  • Scanning iOS mobile apps no longer requires the use of the IPAX Generator to create and upload an IPAX file. You can now create and upload an IPA file.

New on August 23, 2016

New on August 3, 2016

  • New Users capabilities. User management helps you restrict access to sensitive apps by assigning them to asset groups and then adding specific users to those groups.
  • New user management REST APIs.
  • Support for filters and statistics on scans (completed successfully, in progress, or failed).

New on July 20, 2016

  • Support for selecting issue columns in an application
  • HCL Cloud Marketplace only: If you are connected to the AppScan on Cloud service at HCL Cloud Marketplace, static analysis scans must now be associated with an existing AppScan on Cloud application. Associating scans with an application allows you to take advantage of the reporting and trending features of the AppScan on Cloud dashboard.

    To learn how to associate an application when submitting scans via the CLI, see Analysis commands (Windows) or Analysis commands (Linux and macOS). To learn how to do this when submitting scans from an IDE, see Scanning in integrated development environments.

  • Enhanced client-side JavaScript discovery during static analysis scans.

New on July 11, 2016

New on June 29, 2016

  • Support for scanning Android mobile apps that require login

New on June 22, 2016

  • Request help from an expert. You can buy Consulting Services Engagement Units as add-ons to your subscription. During your subscription, you can use these Engagement Units to request and receive any combination of OnDemand Consulting services, depending on how many units these services require.
  • Static Analysis now includes support for these languages:
    • Client-side JavaScript
    • PHP
    • Ruby
  • Detect information leakage in both iOS and Android mobile apps

New on June 8, 2016

  • New My Scans page contains a flat list of scans, regardless of the app they belong to
  • You can now select a specific Test Set when scanning with Dynamic Analysis
  • Support for scanning additional verified domains with Dynamic Analysis

New on June 1, 2016

  • Now supporting Node.js for static analysis scans.

New on April 5, 2016

  • Build an inventory of your application assets to understand what you need to protect
  • Classify and rank your applications by business impact to find out what is most important to protect
  • Organize your Analyzer scans by application to get a complete assessment
  • Obtain a security rating for each application to rank your assets by risk
  • Prioritize vulnerabilities and manage their resolution
  • View a dashboard to understand your application security posture and see whether you are making progress
  • Scan Android apps on an Android 6 emulator with Mobile Analyzer to find more vulnerabilities
  • Scan and view vulnerabilities with Static Analyzer from the convenience of your IntelliJ IDE.