Previous updates 2019-2020

Lists features that were added in previous updates to the AppScan on Cloud service between 2019 and 2020.

New on December 16, 2020

New on December 7, 2020

  • DAST engine update: Dynamic Analysis engine updated to AppScan Standard version 10.0.3. See AppScan Standard Fix List
  • Plugins & APIs page: HackEDU added

New on November 30, 2020

  • CSV file changes: The column headers used in CSV files when importing issues to ASoC have been changed to bring them in line with the ASoC UI:
    • Renamed:
      • Status > Issue Status
      • Severity Value > Severity
      • Source File > File Name
    • Added: External Id and CVSS
    • Removed: Protocol
    Note: CWE and Scan Technology values are not currently supported.

New on November 9, 2020

  • Mobile Scanning now supports iOS versions up to 14.1.

New on November 3, 2020

  • New language support for Vue.js.
  • Upgraded Java analysis engine for faster and more accurate scans. The upgraded Java engine delivers near-incremental scanning while maintaining scan depth and accuracy. While the engine provides mostly the same results as before, some change in results is expected. See Parallel processing for Java applications to learn more about the new scanning techniques.

New on November 2, 2020

  • Downloadable logs added for SAST and DAST demo scans.
  • Graph in landing page updated now includes APIs.
  • APAR fixed: Users of expired subscriptions in grace period cannot generate scan report.

New on October 19, 2020

  • Reports: Test Policy added back to the DAST scan report.
  • API: Added two new values for policies: Created by, and Number of associated applications.

New on October 11, 2020

  • The translated versions of the documentation have been updated.

New on October 7, 2020

New on October 6, 2020

  • UI: The title bar now includes a link to the new Plugins and APIs page
  • API: Administrators can now update organization details (put /api/V2/Account/TenantInfo)
  • Reports: If PDF report creation fails you now receive an HTML report
  • APAR fixes:
    • Creating a 'NIST Special Publication 800-53' app report instead creates a 'Sarbanes-Oxley Act (SOX)' report
    • Open source security issues not shown as non-compliant although included in application policy

New on September 21, 2020

  • As previously announced, all Personal scans more than 30 days old have been deleted. Going forward the current behavior will continue: Every Personal scan will be deleted when it is 30 days old, unless it is promoted within that time. For details, see Personal scans.

New on September 15, 2020

  • General bug fixes and improvements.

New on September 14, 2020

  • IAST monitoring now supports .NET Framework.
  • SAST: Added ability to download logs (Actions > Log File).
  • CSV Reports: Dates are now shown in ISO 8601 format.
  • Bug fixes:
    • Application Data is now (as expected) included in Reports only when the Metadata > Coverage checkbox is selected in the UI, or the Coverage flag used in the REST API.
    • PRB0067750: Optimization Level changes when scan job is transferred for scanning agent, is fixed.

New on September 9, 2020

New on September 6, 2020

  • IP Ranges: In System Requirements the list of IP ranges used by ASoC for Mobile scans has been updated, but this does not represent any change in practice. We changed this range: to this more standard notation:, but the two ranges are in fact identical.

New on August 24, 2020

  • Updated Sample DAST scan results and report
  • General bug fixes and improvements

New on August 5, 2020

  • Support for AngularJS 8 and 9.
  • Support for Ionic Framework.
  • New language support for TypeScript.
  • General bug fixes and improvements.

New on August 4, 2020

  • Mobile: Android 10 is now supported
  • DAST: Scan logs can now be downloaded from the UI
  • SAST: Updated the uniqueness (hash) calculation for SAST findings to reduce duplicates; existing findings will be transitioned automatically to the new hash version
  • API:
    • Implemented an API function that returns the number of issues per Status
    • Domains API added
    • Swagger functions now include the possible error response codes
  • Reports: Parameters, comments, Java Scripts, Cookies and Filtered URLs were added to the Application Data section in the DAST scan report

New on July 19, 2020

  • Exported Users CSV file now includes Inviter name column.
  • Fix Group ID is now included in CSV Reports (it was already included in other formats).
  • API: New “InformationalIssues” field added to the application, showing the number of Active Informational issues it contains.
    Note: Since all Applications include this new field, the ‘Last Updated’ field in the UI has changed to the time of this change.

New on July 12, 2020

  • User interface:
    • Scans “Under Review” can now be deleted
    • Swagger can now be opened automatically from the UI Settings page if the user is logged in
  • API: DAST Scan Log download is now available
  • Documentation: The online Help menubar now includes a "Change Language" drop-down list that lets you switch easily between languages on any page.

New on June 28, 2020

  • IAST:
    • IAST technology is now referred to as “IAST Monitoring Session” or "IAST Session" rather than “IAST Scan”
    • Simplified the wizard for starting an IAST Session
    • Agent download now always includes the agent key
  • Reports: DISA report updated to R4V10
  • API:
    • Improved error notification
    • Last few characters of FlexNet LicenseKey are now exposed on GetTenantInfo

New on June 24, 2020

New on June 22, 2020

  • iOS: StackTrace of insecure connection is added to the Scan Report.

New on June 10, 2020

  • IAST: Additional security rules (server and x-powered-by header detection, password leakage), bug fixes and performance enhancements.

New on June 7, 2020

  • Reports: Users can now create CSV format application reports and filtered issues reports.

New on May 25, 2020

  • Execution date and time added to scan details, so that duration represents Scan Execution time, excluding any queue or pending time.
  • Quick filter on the Fix Groups tab changed to ‘Non-Compliant’ (instead of ‘Active Status’).
  • Link to IAST documentation added to Create IAST Scan dialog.
  • New API added for getting count of issues by severity.
  • Webhooks added to the API, to receive notifications about events that occur in AppScan On Cloud. Two event types are supported: completion of scan execution and change in application counters or status. For more details see Webhooks.
  • Improved filtering of duplicate issues for SAST scans: The Hash algorithm used to uniquely identify SAST Issues has been improved to reduce duplicate Issues. New Issues will be stored with the new internal hash. However the hash value of existing Issues will not be changed.
  • Reports: Fix Groups ID added to the Fix Group sections on the report.
Advance Notice: See Personal Scans: Important Change

New on May 21, 2020

New on May 10, 2020

  • Rename scans: You can now rename scans in the UI. Previously found Issues remain listed under the old scan name, but new and repeat issues will be listed with the new name.
  • Reports:
    • Changed SAST Custom Advisory structure.
    • Unified cover page for all reports.
    • DAST XML report: The order of the "URL Group" and "Entity Group" sections in DAST XML reports has been changed. Other versions of the report are not affected.
  • Dashboard: Improved performance.
  • Scan History: Improved loading, especially when there are many scans in the list.
  • General bug fixes.
Advance Notice: See Personal Scans: Important Change

New on April 22, 2020

  • Scan Reports:
    • SAST Fix Group name and content now match those shown in the UI and Application Reports.
    • SAST Scan Reports now include Custom Advisories, as in Application Reports.
    • Cover page updated and TOC added, to match Application Reports.
    • Discussion and History check boxes added to the Metadata options.
  • User Interface: Search capability added in "Users & Roles" and "Asset Groups".
  • Improved performance and bug fixes.

New on April 15, 2020

  • General bug fixes and improvements.

New on April 7, 2020

  • Documentation: The localized versions of the documentation (French, Japanese, Simplified Chinese, and Traditional Chinese) have been updated.

New on April 6, 2020

  • User interface improvements:
    • You can now sort the Issues and AppScan Presences columns in the All Issues tab by clicking the column header.
    • Added an auto-complete to the URL field when creating a Dynamic Scan.
  • General improvements and bug fixes

New on April 3, 2020

New on March 27, 2020

  • New language support for Kotlin and Swift.
  • .NET analysis improvements to reduce false positives.
  • Improved PHP support.
  • General bug fixes and improvements.

New on March 25, 2020

  • IAST Scans: Our latest scan technology uses an agent deployed on the web server of the tested application to monitor traffic sent during runtime, and report vulnerabilities it finds. Unlike other ASoC scans, an IAST scan doesn't generate its own traffic, but monitors your system tests, or traffic sent during a DAST Scan. So you can have ongoing identification of runtime issues without the need to send dedicated test requests. See About interactive monitoring (IAST).
  • Test Optimization for DAST Scans: The DAST scan setup wizard has a new Test Optimization slider that lets you control the extent of tradeoff between issue coverage and scan speed. Test Optimization selectively sends tests most likely to discover significant issues in your application, so during product development you can take advantage of faster scans with a relatively small loss of thoroughness. You can choose between four optimization levels, for various needs such as initial testing, DevSecOps, pre-release, compliance and more. The fastest option includes a Test stage up to 10 times faster than a non-optimized scan, with approximately 70% of the vulnerability coverage. See Test optimization.
  • Test Policy for DAST Scans: The AppScan Standard Default Test Policy is now applied to all DAST scans configured using the wizard. You can apply a different Test Policy by configuring the scan in AppScan Standard, or through the API.
  • General improvements and bug fixes.

New on March 17, 2020

  • Improved support for SSL (HTTPS) using self-signed root certificates
  • General improvements and bug fixes

New on March 10, 2020

  • General bug fixes and improvements.

New on March 5, 2020

New on February 26, 2020

  • Enhanced details and guidance for SAST issues.
  • New DAST engine with stability bug fixes.
  • General improvements and bug fixes.

New on February 18, 2020

  • General improvements and bug fixes.

New on February 10, 2020

  • New language support for ASP Classic.
  • Improvements to NodeJS scanning:
    • 37 new articles
    • Refined 29 rules
    • These improvements ultimately should reduce the overall number of findings.
    • However, updates could cause some existing findings to appear as new findings.

New on February 5, 2020

  • General improvements and bug fixes

New on February 2, 2020

  • Dynamic Analysis engine updated to AppScan Standard version iFix001. See Fix List here.

New on January 21, 2020

  • DAST Proxy now supports DAST.CONFIG file encryption
  • ASoC now supports scanning encrypted DAST.CONFIG files
  • Changes to Proxy Server CLI commands and REST API commands.

New on January 19, 2020

  • In the Application > All Issues tab:
    • The default listing now shows only non-compliant issues (New, Open, In-Progress, Reopened)
    • New filter display
    • SAST scans: A Fix Group link is added to each Issue in the All Issues list, to open the Fix Group tab for that Issue
  • Security Reports:
    • You can now generate a report even when there are no issues, or all issues are compliant
    • SAST scans: “Issues by Fix Group” section added to the Application Security Report
  • General improvements and bug fixes

New on January 12, 2020

  • Mobile Analysis now supports iOS versions up to 13.3.

New on January 1, 2020

New on December 19, 2019

  • Improved Golang analysis.
  • General bug fixes.

New on December 17, 2019

  • For SAST Fix Groups you can now:
    • Change status per Issue
    • Add notes per Fix Group
    • Filter Issues by compliance to a specific Policy or Policies

New on December 16, 2019

New on December 5, 2019

  • Dynamic Analysis engine updated to AppScan Standard version See Fix List here.

New on November 18, 2019

  • New CIAM (Customer Identity Access Management) system: Users are now required to create an HCL Software ID to use the product. Existing ASoC users can continue to log in with their IBMid until December 18, 2019, but are encouraged to create an HCL Software ID as soon as possible, to ensure your workflow is uninterrupted. This can be done per organization, or per user. Once you have created your HCL Software ID, you simply log in and continue to work with ASoC as usual. For details, see Creating an AppScan on Cloud account.
  • A new function was added to ASoC REST API:

    GET /api/v2/Issues/{scope}/{scopeId}

    This function returns issues for the given scope (Application, Scan or Scan Execution). It accepts the regular odata parametes (filter and paging) and it also has a parameter that determines if and which policies should be applied to filter issues. This new function is replaces all the following functions (that are now marked as Obsolete):

    GET /api/V2/Issues/Count

    GET /api/v2/Apps/{id}/NonCompliantCount

    GET /api/v2/Apps/{id}/NonCompliantIssues

    GET /api/v2/Apps/{id}/Issues

    GET /api/v2/Apps/{id}/IssuesAsPage

    GET /api/v2/Apps/{id}/IssuesCount

    GET /api/v2/Scans/Executions/{executionId}/Issues

    GET /api/v2/Scans/{scanId}/Executions/{executionId}/Issues

    GET /api/v2/Scans/{scanId}/NonCompliantIssues

    GET /api/v2/Scans/{scanId}/NonCompliantCount

    GET /api/v2/Scans/{scanId}/Issues

New on November 7, 2019

  • The latest update to the AppScan on Cloud GUI, AppScan Go!, introduces the ability to specify the "Thorough" scan speed. Thorough scans deliver the most comprehensive analyses to identify the maximum number of vulnerabilities. Thorough scans also take the longest time to complete.

    To take advantage of this scan speed, download and install the latest version of AppScan Go!

    Note: Thorough scans are also available through the command line interface by adding -Dpreset_hint=thorough to the appscan prepare command. For example, appscan prepare -Dpreset_hint=thorough.

New on November 5, 2019

  • General bug fixes.

New on October 30, 2019

  • Fix groups are now shown in the UI: Issues found in Static Analysis are assigned to fix groups, where all issues in the group share a common fix point, API, or Open Source. For details, see Fix Groups.
    Note: The new Fix Groups tab in Application view appears only if you have run a Static Analysis scan. The tab is populated only with issues found in new scans. Scans run before the feature was added will not be assigned to fix groups.
  • Dynamic Analysis engine updated to AppScan Standard version See Fix List here.
  • Your Organization ID is added to your Subscriptions page, to use when raising support requests.

New on October 24, 2019

  • PHP analysis is now achieved with a optimized scanner, thus making scans easier to leverage. For more information.
  • Please upgrade to version 8.x of the Static Analyzer Command Line Utility:
    • Plugins automatically download the latest Static Analyzer Command Line Utility when they run.
    • If you try to prepare code for scanning using Static Analyzer Command Line Utility version 7.x or earlier, you see an error message. Upgrade to the latest Static Analyzer Command Line Utility based on your operating system (Windows, Linux, Mac).
    • If you are using AppScan Go!, accept and install the latest update if an update is offered.
  • General bug fixes.

New on September 25, 2019

  • New “Fix Groups” API for Issues found in Static Analysis. Each Issue now belongs to a “Fix Group”, that is shown in Scan Reports. You can use the API to:
    • List or update the Issues in a Fix Group, at Application or Scan level.
    • Set the Status (New, Open, Noise, etc.) for all Issues in a Fix Group to:
      • StickyStatus=True: Applied automatically to any additional Issues in that Fix Group found in future scans), or
      • StickyStatus=False: If a new Issue from this Fix Group is found, its status remains New and the group status changes to Mixed.
    Currently this feature is available only through the API, but it will soon be added to the UI. See!/FixGroups
  • Dynamic Analysis: You can now configure a scan and save it to run later.
  • A performance issue when displaying the status of multiple running scans has been fixed.
  • General bug fixes.

New on September 9, 2019

New on August 6, 2019

  • Improved DAST engine:
    • Identifies new cookies created by JavaScript; Improved URL filters; Improved coverage
    • Improved Cross-Site Scripting analysis: Better detection of DOM-Based Cross-Site Scripting
    • Improved Server/application-down detection: The server/application-down heartbeat now tests the full Starting URL for the scan rather than just its root path, improving scan accuracy.
  • General bug fixes.

New on July 31, 2019

  • Scan reports can now be downloaded in CSV format, in addition to the other formats.
  • DAST Scans can now be Paused and Resumed.
  • A new IP range has been added to the list of IP ranges used by ASoC. Please make sure not is not blocked by your firewall (see the IP List in the new System Requirements tab in the user interface).

New on July 18, 2019

  • DAST scans: You can now upload to ASoC a login sequence recorded using the AppScan Activity Recorder (a Chrome extension).
  • Android: Now supports Network Security Configuration (Android API Level 24 and later): Identifies lack of certificate pinning, and other security vulnerabilities, through the NSC configuration file.

New on July 9, 2019

  • New wizards simplify setting up all scan types when you click New Scan.
  • Domain verification can now be done before you create a scan (Menu > Settings > Domain Verification).
  • DAST scan file can now be downloaded from ASoC, to open in AppScan Standard for advanced review.
  • When deleting a scan, you can choose to remove from the application all issues that were found only in that scan.

New on July 1, 2019

"IBM Application Security on Cloud" has moved to a new location:, and is now called "HCL AppScan on Cloud."
  • The new domain uses a different IP:, so verify that you can access it. If your organization blocks unknown IPs, make sure that the new IP is whitelisted.
  • If you use ASoC REST API in your tools or scripts, you must change the domain of all API calls from to
  • We have released new versions of all tools and DevOps plugins used with ASoC, and these are set to use the new domain. If you use ASoC through one of the tools or plugins, please update to the latest version to implement this change.
The change includes the following updates:
  • New Create Scan dialog box, and improved Create Scan flow.
  • New Create Presence dialog box, improved Create Presence flow, and improved AppScan Presences view.
  • New Add Users dialog box and improved Add Users flow.
  • You can set the User Role when inviting new users.
  • Updated Application > Scan History view, and Scans view.
  • Option to delete all the Issues found in a scan when deleting the scan itself, if your role permits this. Issues found also in other scans are not deleted.
  • The scan configuration file for a DAST scan (.scan) can now be downloaded after scan completes, to review and configure using AppScan Standard. The file is available to download for 60 days after the scan.
  • Scan Optimization for DAST scans is available, and active by default.
  • Settings > Domain Verification can now be performed before you start a scan.
  • API: API/V2/Account/IBMIdLogin was deprecated on June 17th and has now been removed. Please use API/V2/Account/ApiKeyLogin instead.

New on June 17, 2019

  • Improved report generation: In the case of Static Analysis HTML reports for large scans, up to five times faster.
  • API change: API/V2/Account/IBMIdLogin is deprecated and will be removed in the next two weeks. Please use API/V2/Account/ApiKeyLogin instead.
  • ASoC Issue ID (as shown in the UI), is now included in all reports (XML, HTML, PDF).
    Note: (XML Reports only) The <issue><item id>, an additional ID that appears in XML reports only, is not the same as the <asoc-issue-id> referred to here.
  • General improvements and bug fixes.

New on June 13, 2019

  • General bug fixes.

New on May 22, 2019

  • New language support for Perl, PL/SQL, and TSQL.
  • Apex support for the VisualStudio framework.
  • Command line interface (CLI) "dry run" option to check for validation issue prior to a full scan.
  • Support for Weblogic as a JSP compiler.
  • New Java staging capability: a new, faster method for determining which files to scan within Java projects offers more comprehensive analysis of user code.

    The new Java stager process allows for more intelligent handling of Java projects to determine which files will be analyzed and which files will be treated as dependencies. Rather than a time-consuming process of unzipping all war files, jar files, sub jar files and so on, and saving all the uncompressed files to disk before determining which files to analyze, the stager process employs a surgical approach to evaluating the Java project.

    Using the new Java stager process, examination of ear, war, jar, and jar of jar files is substantially faster than the previous process. War files with jar files in the lib are processed more completely, but may exhibit a slower IR time as such. The findings, however, are more complete as the process better identifies user code if it is in jar file or class file form anywhere within the war file.
    • Findings

      Using the new Java stager process on projects that were previously analyzed may produce similar findings that appear new, as well as actual new findings given the more comprehensive analysis of war files.

    • Logging

      In addition to more robust handling of Java projects, the new stager process generates additional logging. This logging lists currently analyzed Java packages and can be useful in discovering missing Java exclusion entries.

    For example:
    For example:
    D:\apps\app\appscan prepare -n app -DSTAGE_INFO=true
    Discovering targets...
    Target added: app
    Staging D:\apps\app\app.jar
    Evaluating Entry: app.jar.files/lib/tomcat-coyote-7.0.12.jar
    Java Packages To Be Analyzed For app:
    No problems found during validation.
    Generating IRX file...
    IRX file generation successful.

New on May 14, 2019

  • System Requirements: A new IP address has been added to the list of IP ranges used. These must not be blocked by your firewall.

New on May 6, 2019

  • General updates and bug fixes.

New on April 10, 2019

  • APEX support
  • Visual Studio 2019 plugin and CLI support
  • JSP compile arguments can be used in appscan-config.xml.

New on April 2, 2019

  • Test Optimization
    • This new feature for DAST scans (active by default, and controlled during scan setup) speeds up scanning for those occasions when fast results are more important to you than a thorough, in-depth scan. See Test Optimization.
    • The General Information section of DAST scan reports now indicates whether or not the scan was Optimized.

New on March 28, 2019

  • System Requirements: A new IP address has been added to the list of IP ranges used. These must not be blocked by your firewall.

New on March 18, 2019

  • New Testing Status behavior (see Application Attributes):
    • When you Create a Scan, Testing Status for the application changes to "In Progress".
    • When you Reset an application (UI: Edit > Reset > Delete all… | API: Apps/Reset/Delete Issues), the application's Testing Status changes to "Not Started".
  • New API options:
    • Filters added to GET Presences API function, for example:GET: ..Presences/?$select=PresenceName%2C%20Idreturns a list of all Presences and their IDs
    • Download a DAST Scan file using:GET ..Scans/DynamicAnalyzerScanFile/{executionId}
  • The XML Scan Report is back. To align it with AppScan Enterprise there have been changes to its content and structure, including the order of some of the main sections. The changes are detailed in technote:
  • If a scan reveals more than 20,000 issues, ASoC now selects 20,000 representative issues, and includes only them in the Scan Results.

New on March 6, 2019

  • In Users and Roles view, the new Export User List button lets you download the list of users to your machine, as a CVS file.
  • ColdFusion support.
  • Expanded Azure DevOps (VSTS) and Team Foundation Server (TFS) support.
  • Improved include/exclude behavior for SAST scans using appscan-config.xml.

New on February 26, 2019

  • General updates and bug fixes.

New on February 20, 2019

  • Open Source Report now includes Library Version for relevant entries.
  • Personal Scans: It is now possible to create Users with permission to create Personal Scans only (not regular scans).

New on February 14, 2019

  • SAST bug fixes.

New on February 13, 2019

New on February 6, 2019

  • User Management: When creating or editing User Roles (User Management > Users & Roles > Add/Edit Role), Admins can now enable them to "View Users and Roles" without giving them Edit permissions. This gives view-only access to the User Management views.

New on January 24, 2019

  • Regulatory Compliance Reports: Two new reports are now available:
    • Payment Application Data Security Standard
    • US DISA’s Application Security and Development STIG. V4R3
Note: Two additional IP ranges will be added to System Requirements as of January 29, 2019. Please make sure they are not blocked by your firewall.

New on January 16, 2019

  • Javascript scanner enhancements.

    Enhancements include performance improvements, automatic exclusion of third-party files, improved rules analysis, and bug fixes.

New on January 15, 2019

  • Industry Standard Reports: Four new reports are now available:
    • International Standard - ISO 27001
    • International Standard - ISO 27002
    • NIST Special Publication 800-53
    • WASC Threat Classification v2.0
  • Regulatory Compliance Reports: Four new reports are now available:
    • CANADA Freedom of Information and Protection of Privacy Act (FIPPA)
    • US Electronic Funds and Transfer Act (EFTA)
    • US Federal Information Security Mgmt. Act (FISMA)
    • US Sarbanes-Oxley Act (SOX)
  • Sample Reports: The sample reports have all been updated, and a new Open Source License sample report has been added.
  • Static Analysis Report: The bug causing Fix Groups to be omitted from Static Analysis reports has been fixed.

New on January 10, 2019

  • iOS version 12.1 is now supported for scanning iOS mobile apps.

New on January 8, 2019

  • Private site scanning:
    • You can now run the AppScan Presence as a service on Linux OS as well as Windows.
    • In Windows OS the AppScan Presence is now started with EXE files.
  • Industry Standard and Regulatory Compliance Reports can now be run for individual scans, from the Scan Reports dialog box.
  • Application Reports are now run from a dialog that opens from the Application Report button at the top of the screen. The options are unchanged.