Recent updates

Discover upcoming and recently added features.

Updates: AppScan on Cloud announcements, including advance notice of planned changes and scheduled maintenance that might affect your workflow, can be found on AppScan News. To be notified when there is an announcement, you can subscribe to AppScan News.
Translations: If you are reading this page in translation, please be aware that it may not include the latest additions. To see the latest version of this page, switch to the English version, using the "Change Language" option at the top right of the menu bar.

New on June 13, 2022

  • SAST:
    • Java 17 support (includes shipping Java 17 in the SAClientUtil package)
    • Replaced Tomcat 7 with Tomcat 9 for JSP precompilation
    • Source code scanner improvements that may result in changes to the overall number of findings

New on June 12, 2022

  • UI:
    • Added 'OWASP Open API Top 10 2019' policy
    • Added Critical severity to the scan card and to the single scan issues graph
  • Reports:
    • Added SAST open-source resolution and description columns to CSV reports
    • Added Critical severity counters to security reports

New on May 29, 2022

  • Plugins and APIs:
    • The new AppScan Traffic Recorder (previously called the DAST Proxy) is now available on the ASoC Plugins and APIs page. See AppScan Traffic Recorder.
    • Three new JetBrains plugins added: CLion, GoLand and RubyMine.
  • Fix groups: Each group now displays the most relevant columns for that group by default in its Issues table.
  • General bug fixes.

New on May 15, 2022

  • API change: The default value of the FullyAutomatic flag for DAST scans has been changed from false to true. It remains false for SAST scans.

    This means that DAST scans started from the API, or from the plugins, will not be sent to the Scan Enablement Team for review (see Scan status: Under review) unless the user specifically sets the parameter to false.

    For scans started through the UI, the default setting - “Allow intervention” - remains unchanged.

  • IAST updates:
    • New supported environments: Jetty server, Quarkus (JVM Node), Resteasy framework
    • Security updates:
      • New vulnerability: Unsafe reflection (CWE 470). Reference: https://cwe.mitre.org/data/definitions/470.html
      • New vulnerability: Open redirect (CWE 601). Reference: https://cwe.mitre.org/data/definitions/601.html
      • Improved accuracy of injection analysis algorithms - affects CWE 78 (OS Command Injection)
      • Eliminated potential false positives when a page is not found - affects CWE 352 (CSRF) and CWE 523 (Unprotected transport of credentials)
      • Additional information added to issues of CWE 352 (CSRF) and CWE 523 (Unprotected transport of credentials)

New on May 8, 2022

  • Auto Issue Correlation added: With this new feature, AppScan can analyze issues found by IAST, DAST and SAST to spot common weak links in the code ("correlations") that identify where multiple vulnerabilities can be resolved with a single remediation effort.
  • Improved Fix Group design.
  • Improved user registration flow.
  • General bug fixes.

New on May 5, 2022

  • The JetBrains plugin now supports CodeSweep functionality. For information about using the JetBrains plugin, see the JetBrains Marketplace.
  • The JetBrains plugin now supports the following additional IDEs:
    • CLion
    • GoLand
    • RubyMine

New on May 2, 2022

  • Static analysis client updated to 8.0.1945.
  • Improvements to JavaScript, C, and PHP scanning engines to enhance accuracy of findings.
  • Bug fixes.

New on April 6, 2022

  • IAST:
    • Call trace information improved for all vulnerabilities
    • Sink URL is now the main issue URL
  • API: The maximum number of objects returned from the Get Scans API was reduced from 200 to 100
  • General bug fixes

New on April 1, 2022

  • Static analysis client updated to 8.0.1491.
  • Client-only update.
  • Bug fixes.

New on March 25, 2022

  • Static analysis client updated to 8.0.1488.
  • Support for scanning Terraform.
  • Improved Java, JavaScript, and PHP analysis.
  • Upgraded to the latest version of Log4j.
    Important: The Static Analysis Client Utility (SAClientUtil) was not and is not vulnerable to any of the Log4j issues discovered in recent months.

New on March 21, 2022

New on March 13, 2022

  • New AppScan Presence for private site scanning: The new Presence (V2) offers improved stability and performance, and a log that lists all authorities (host:port) that the Presence accessed.
    • Note: The legacy Presence (V1) is still supported, but will not be supported after October 1, 2022.
    • Note: The new Presence (V2) does not include the DAST proxy. If you need this, you can download and use the legacy Presence (V1).
  • CSV reports: Open-source reports can now be generated as CSV (in addition to HTML and PDF).

New on February 20, 2022

  • UI:
    • Improved ‘Create scan’ flow for DAST scans
    • Added Guided Explore and Scheduler when creating a DAST scan from a file
    • Added ability to create open-source license report at application level
    • Added ability to add a comment to multiple issues
  • Reports:
    • CWE/SANS Top 25 report ASREG in ASoC is replaced by CWE Top 25 Most Dangerous Software Weaknesses 2021
    • Libraries table added to the Open-Source Report Summary
  • API:
    • Added ability to add a comment to multiple issues

New on February 15, 2022

  • Static analysis client updated to 8.0.1480.
  • General fixes and functionality improvements.

Deprecated on February 2, 2022

  • API: The LastSuccessfulExecution property is deprecated and will be removed on February 13, 2022. Please use LatestExecution instead. This returns the latest execution even if it failed.

New on January 26, 2022

  • Static analysis client updated to 8.0.1473.
  • Support for static analysis-only scanning.
  • General fixes and functionality improvements.

New on January 25, 2022

  • Scan scheduler:
    • Select which days of the week a scheduled scan will run
    • Add a schedule to an existing scan
    • Remove the schedule from a scheduled scan
    • The recurrence end date (last date that a scan is scheduled to run) is now shown in the scan entry
  • New issues found in a scan execution are now shown in the scan entry and in filtered issues view
  • Easily change the user interface language at any time from the page header
  • Switch between data centers from the landing page header

New on January 2, 2022

IAST monitoring, Java agent (version 1.9.10200):

New on December 28, 2021

  • UI:
    • Scan cards redesigned and now include a link to the issues per severity in the scan.
    • Rider plugin added to the ‘Plugins & APIs’ page.
  • Reports: "OWASP Top 10, 2021" added to reports and policies.
  • API:
    • Added ability to define the ‘Recurrence End Date’ from the post DAST scan API.
    • Added support for viewing issues found for the first time in the application.
    • Language property added to new SAST issues.
  • General bug fixes.

New on December 17, 2021

  • DAST: Added new security rule to test for the Log4j vulnerability.

New on December 15, 2021

Previous updates