Previous updates 2021-2022

• Support for tracking taint for customers using the com.fasterxml.jackson library for JSON.
• Support for tracking taint for customers using the org.glassfish.jersey framework.
• Internal optimizations.

• Update Apache commons-text from 1.9 to 1.10.0 to mitigate a known CVE (CVE-2022-42889).
• Update Apache httpClient to apache HttpClient5 to mitigate a vulnerability in the old httpClient.
• Support for tracking taint for customers using the org.owasp.encoder.Encode library.
• Improved support for tracking taint for customers using the Gson library, including support for Gson htmlSafe feature.

• Static analysis client updated to 8.0.1514.
• Improved accuracy for Java and Kotlin scanners.
• General bug fixes.

• Performance improvements.
• New configuration option to hide passwords, see here.

As previously announced, for scanning private sites, AppScan Presence v1 is now replaced by AppScan Presence v2, released in March 2022. For private site scanning you now must have v2 Presence installed. See AppScan Presence.

• Now supports TOTP (time-based one time password). See DAST scans.
• Single scan view now includes explore data counters (number of cookies, headers etc. found).

• SARIF format option added to the Export Issues dialog.
• Single scan view now includes list of languages found, and (if subscription includes SCA) counters for open source libraries and licenses found.

• Support for tracking data sent over WebSockets.
• Extended support for Spring REST API: Support for REST path variables as sources.
• Support for tracking taint for customers using the Gson library.
• When using Java 9 and higher, a flag (BC_SB) must be set in the java properties to properly track taint. Users are now alerted if this flag is not set.

• Applications view: Filter by Risk rating, Asset group, Business impact, Business unit, Testing status, Max severity. Select start and end dates.
• Scans view: Filter by Technology and Status (unchanged).
• All issues view: Filter by Severity, Status, Scan technology, Enables policies, Issue type. Select start and end dates.
• Scan issues view: Filter by Severity, Status, First found, Enabled policies. Select start and end dates.

• New Preferences section in the Scan > Configuration tab shows how Notification email (Send / Don't send) and Scan enablement (Allow / Don't allow) are configured for the scan.
• The updated Rescan dialog lets you change these two settings when rescanning.

Note that while automatic API scanning using an imported Postman Collection file is supported in AppScan Standard 10.0.8, uploading a Postman Collection scan to ASoC is not currently supported.

• You can now change the severity level of an issue, or of multiple issues together (see Edit issue severity).
• New indication for scans that are “Completed” but with less than 100% visited pages and/or 100% tested elements. New “Partial scans” filter to view/hide these scans (see Partial scans).
• Administrators: In role assignment, the “Create scan” and “Rescan” permissions are now separated, so users can be given permission to do one, or the other, or both.

• Support for JBoss EAP (Enterprise Application Platform) versions 6,7
• Improved report readability:
  • Print array/map content
  • Dynamic generation of exploit example based on current user input
• Improved XSS algorithm

• Added 'OWASP Open API Top 10 2019' policy
• Added Critical severity to the scan card and to the single scan issues graph

• Added SAST open-source resolution and description columns to CSV reports
• Added Critical severity counters to security reports

• The new HCL AppScan Traffic Recorder (previously called the DAST Proxy) is now available on the ASoC Plugins and APIs page. See HCL AppScan Traffic Recorder.
• Three new JetBrains plugins added: CLion, GoLand and RubyMine.

This means that DAST scans started from the API, or from the plugins, will not be sent to the Scan Enablement Team for review (see Scan status: Under review) unless the user specifically sets the parameter to false.

For scans started through the UI, the default setting - “Allow intervention” - remains unchanged.

• New supported environments: Jetty server, Quarkus (JVM Node), Resteasy framework
• Security updates:
  • New vulnerability: Unsafe reflection (CWE 470). Reference: https://cwe.mitre.org/data/definitions/470.html
  • New vulnerability: Open redirect (CWE 601). Reference: https://cwe.mitre.org/data/definitions/601.html
  • Improved accuracy of injection analysis algorithms - affects CWE 78: OS Command Injection)
  • Eliminate potential False positives when page not found - affects CWE 352 (CSRF) and 523 (Unprotected transport of credentials)
  • Additional information added to issues of CWE 352 (CSRF) and CWE 523 (Unprotected transport of credentials)

• CLion
• GoLand
• RubyMine

• Call trace information improved for all vulnerabilities
• Sink URL is now the main issue URL

• Note: The legacy Presence (V1) is still supported, but will not be supported after October 1, 2022.
• Note: The new Presence (V2) does not include the DAST proxy. If you need this, you can download and use the legacy Presence (V1).

• Improved ‘Create scan’ flow for DAST scans
• Added Guided Explore and Scheduler when creating a DAST scan from a file
• Added ability to create open-source license report at application level
• Added ability to add a comment to multiple issues

• CWE/SANS Top 25 report ASREG in ASoC is replaced by CWE Top 25 Most Dangerous Software Weaknesses 2021
• Libraries table added to the Open-Source Report Summary

• Added ability to add a comment to multiple issues

• Select which days of the week a scheduled scan will run
• Add a schedule to an existing scan
• Remove the schedule from a scheduled scan
• The recurrence end date (last date that a scan is scheduled to run) is now shown in the scan entry

• XXE on JaxB class (CWE 661). This potentially vulnerable class is mentioned in this OWASP XXE documentation: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxb-unmarshaller
• JSON XSS informational issue (CWE 79), an XSS variant of vulnerable data written to the response as JSON

• Scan cards redesigned and now include a link to the issues per severity in the scan.
• Rider plugin added to the ‘Plugins & APIs’ page.

• Added ability to define the ‘Recurrence End Date’ from the post DAST scan API.
• Added support for viewing issues found for the first time in the application.
• Language property added to new SAST issues.

• Schedule scans: You can now schedule a DAST scan to run later, with or without repetition (Create scan > Schedule step). You can edit a configured schedule (Scan actions menu > Edit schedule). New icons indicate “Scheduled” and “Repeat” status of scans.
• IAST: Added ability to update IAST Agent configuration.
• Automatic log out: Users are now logged out if there is no activity for 30 minutes.
• Business units can now be merged (Admins only: Organization > Settings).
• Single scan view: Columns are now clickable and lead to a filtered list in the issues tab.

• Support for scan scheduling (with additional settings).
• Support for merging two business units, and ability to add a limit to the number of business units allowed in the organization.

• Administrators only: New Settings view added (Organization > Settings), to create and manage business units.
• IAST: When deleting an agent, the UI now offers you the option to delete agent configuration only, or the agent configuration and also the issues found by the agent.
• New scan status added: “Initializing” (before scan actually starts).

• Pause execution when memory consumption (threshold) is too high
• New Config file parameter to specify names of apps to be monitored
• Memory and GC debug flags
• Reduced memory consumption
• New security features:
  • Improved CSRF rule (less FP)
  • Improved coverage of Insecure Login rule
• Fixed: XSS bug on Spring

• Pause execution when memory consumption (threshold) is too high
• Filter issues from being reported based on header/cookie name
• Performance improvements
• Issue Information tab for IAST issues:
  • New Additional Info section
  • Exploit Example included for many more issues
• New security features:
  • Path traversal algorithm
  • Improved coverage of Insecure Login rule
• Fixed: Bug when issues are sent to ASoC/ASE

• Pause execution when memory consumption (threshold) is too high
• Filter issues from being reported based on header/cookie name
• Issue Information tab for IAST issues:
  • New Additional Info section
  • Exploit Example included for many more issues
• New security features:
  • Path traversal algorithm
  • Improved coverage of Insecure Login rule
• Fixed: Handle Communication EPIPE error

• Sessions are now displayed in Scans view
• Scan report can be created
• If you manually stopped an IAST session, you can now restart it from the UI even if the agent is disconnected, and monitoring will begin automatically when the agent is connected. Previously this was possible only through the API.

• New single scan page:
  • Gives you access to detailed data about the scan, with three tabs: Overview, Issues, Configuration, and the scan log pane (see Single scan view.
  • Shows real-time status of running scans.
  • Scan log can now be viewed while scan runs.
  • New indicator for scans that were handled by an enabler from the scan support team to review their configuration.
• Scan wizard additions:
  • Choose to explore automatically, or with guidance (see About dynamic analysis (DAST), and Explore with guidance).
  • Upload a manual explore or multistep file
  • Configure the request-rate limit.
• API:
  • Create a scan with multiple files.
  • Choose between automatic explore and explore with guidance.
  • Added automatic timeout
  • The number of issues new to the application is now included in the scan results.

• Now supports uploading a CONFIG file.
• Monitoring will now reflect changes you make to the CONFIG file on your local server.
• Issue Information tab for IAST issues:
  • New Additional info section.
  • Exploit example included for many more issues.
• Security rule updates:
  • path traversal advanced algorithm
  • Deserialization - Xtream, xmlDecode
  • Reduce FP on escapeHtml
• Fixes and memory improvements for wildfly server.

• New “Ask an expert” feature added
• Export to CSV/JSON added to applications and issues pages
• Create Scan: Added Timeout and Number of threads configuration
• Fix group ID {“Group ID”) added to issue panel
• IAST: Additional info added to issue panel
• Column configurations and filters are now saved between sessions
• Sample Applications CSV: Description and Tags columns removed
• New plugin: Github

• Added ability to add comments to ScanExecution
• DAST configuration: Added ability to configure Number of threads and Communication timeout

• Node.js agent (version 1.1.0) now supported in addition to Java and .NET
• .NET agent (version 1.2.2):
  • Now supports .NET 4.6.2
  • Library updates
  • Support setting host and token through environment variables and through Web.config file
• Java agent (version 1.8.10000:
  • Performance improvements
  • Support 32-bit JRE environments
  • Support more Java environments for auto-attach
  • New rules to detect spring sanitization (reduce Spring FP)
• Change env var names to IAST_HOST and IAST_ACCESS_TOKEN
• Report attCookieNotSecureSSL instead of SessionManagement.Cookies
• Simplified reports
• Bug fixes

• Various Java libraries updated to newer versions
• Proxy Server now supports TLS connections
• You can now start a Recording Proxy with a range of ports rather than a specific port (the lowest available port in the range will be used)
• You can now set the port for the Proxy Server in Settings.json
• Fixed a bug importing JKS certificates to the Proxy Server

• Accept invitation to join an organization from the "Choose an Organization" dialog
• Added Cipher Suite information to issue details

• Scan ID added to ScanExecution model
• Export data in CSV format

• IAST: Additional info table added.
• Fix groups table added to the CSV format of the security report.

• Enable or disable email notification on analysis completion.
• Run the scan as a personal scan.

• Collapsible menu bar with a new order and several new menu items.
• Navigate between all views with breadcrumbs.
• Applications page: The create application wizard flow has been updated.
• Single application page: A new dashboard gives you a graphic overview of the status of your application with risk rating and compliance status, scan status, issues by severity, most common issue types found, and more.
• Policies:
  • Improved Policies page now shows a list of policies, and the applications associated with each policy, rather than the reverse.
  • Many new predefined policies are now available to associate with your applications.
  • Baseline policy is now set directly from the application page, rather than the Policies page.
• Create scan wizard: Improved flow, and for DAST scans there is now a separate path for creating scans with an uploaded file.
• Email and personal scan preferences are now set on the new Summary page.
• Select which columns to display in tables, adjust width and change column order.
• Share pages with other authorized users by simply sending them the link (ID) to the specific page.

• New and updated content for many issues.
• How to fix: Advisory and Fix Recommendation sections have been consolidated into a comprehensive “How to fix” tab.
• For many issues custom “How to fix” content for specific code languages is available.
• Share issues with other authorized users by simply sending them the link (ID) to the specific issue in the application.

• New applications are now assigned Business Impact “Medium” by default, but existing applications with the previous default of “Undefined” will not be changed. “Undefined” can still be assigned to an application manually.
• If an application contains a completed scan, even though there are no active issues, the Risk rating is now set to "Low" (previously it was set to "Unknown").

• Support for Tomcat 10
• Improved taint tracking
• Revised OS Commanding detection rules