Recent updates

Discover upcoming and recently added features.

Updates: AppScan on Cloud announcements, including advance notice of planned changes and scheduled maintenance that might affect your workflow, can be found on AppScan News. To be notified when there is an announcement, you can subscribe to AppScan News.
Translations: If you are reading this page in translation, please be aware that it may not include the latest additions. To see the latest version of this page, switch to the English version, using the "Change Language" option at the top right of the menu bar.

New on February 6, 2023

  • Static analysis client updated to 8.0.1521.
  • Improvements to Software Composition Analysis (SCA) discovery and reporting.
  • Improved accuracy for C, C++, and Python scans.
  • General bug fixes.

New on January 23, 2023

  • Added "Last Found" to the Date filter for issues.
  • Issue status "New" deprecated: The UI now has an announcement that, from February, issues that would have been marked “New” will instead be marked “Open”. Existing “New” issues will not be changed, unless they are found in a new scan, in which case they will be set to “Open”. You will be able to change the status of a “New” issue to any other status, but will not be able to set an issue’s status to “New”. See Issue status.

New on January 16, 2023

  • IAST Java agent (version 1.12.10400): Various fixes and enhancements.

New on January 15, 2023

  • New "Last found" column in the Issues list shows the most recent date that the issue was found.
    Note: This will apply only to issues found in scans run after this update. For older scans the "Last found" field will be empty.

New on December 21, 2022

New on December 18, 2022

  • IAST:
    • Support for tracking taint for customers using the com.fasterxml.jackson library for JSON.
    • Support for tracking taint for customers using the org.glassfish.jersey framework.
    • Internal optimizations.

New on December 13, 2022

  • Static analysis client updated to 8.0.1517.
  • Software Composition Analysis (SCA) scans can be run against Docker containers and images using the appscan prepare_sca and appscan.sh prepare_sca commands.
  • Improved accuracy for .NET, Java, and JavaScript scans.
  • General bug fixes.

New on November 28, 2022

  • DAST scan scheduling: Added the option to schedule a repeating monthly scan on the same day of the week each month.

New on November 20, 2022

New on November 16, 2022

AppScan Go! updated to 1.0.1
  • General bug fixes.

New on November 13, 2022

  • DAST: Upload an AppScan Standard LOGIN file for your DAST scan
  • SCA (Software Composition Analysis): Added to SAST in the scan wizard, and SCA Library view added at Application level

New on October 31, 2022

  • IAST Java agent (version 1.12.10200):
    • Update Apache commons-text from 1.9 to 1.10.0 to mitigate a known CVE (CVE-2022-42889).
    • Update Apache httpClient to Apache HttpClient5 to mitigate a vulnerability in the old httpClient.
    • Support for tracking taint for customers using the org.owasp.encoder.Encode library.
    • Improved support for tracking taint for customers using the Gson library, including support for Gson htmlSafe feature.
  • SAST:
    • Static analysis client updated to 8.0.1514.
    • Improved accuracy for Java and Kotlin scanners.
    • General bug fixes.

New on October 25, 2022

  • IAST .Net agent (version 1.6.0):
    • Performance improvements.
    • New configuration option to hide passwords, see here.

New on October 3, 2022

  • Static analysis client updated to 8.0.1506.
  • Automatic discovery of Maven and Gradle projects with AppScan Go! and CLI.
  • Improved accuracy for JavaScript, NodeJS, and Kotlin scanners.
  • Improved coverage for Java scans.
  • General bug fixes.

New on October 2, 2022

  • AppScan Presence v1 is no longer supported

    As previously announced, for scanning private sites, AppScan Presence v1 is now replaced by AppScan Presence v2, released in March 2022. For private site scanning you now must have v2 Presence installed. See AppScan Presence.

New on September 21, 2022

AppScan Go! updated to 0.1.10
  • Improved support for different screen resolutions
  • AppScan Go! auto-update for Windows and Macintosh systems
  • Disk space cleanup of temp directory
  • Improved error handling
  • General bug fixes

New on September 18, 2022

  • DAST:
    • Now supports TOTP (time-based one time password). See DAST scans.
    • Single scan view now includes explore data counters (number of cookies, headers etc. found).
  • SAST/SCA:
    • SARIF format option added to the Export Issues dialog.
    • Single scan view now includes list of languages found, and (if subscription includes SCA) counters for open source libraries and licenses found.
  • Community plugins link added on the Plugins and APIs page.
  • Organization Settings: Data Center information added to the Main Settings section.
  • Single fix group page: Security report added to the issues grid.

New on September 14, 2022

  • The AppScan Traffic Recorder now requires a secure (SSL) connection. If you have been using it with an insecure connection, the next time you use it you will be prompted to configure a secure one before you can continue. See Traffic Recorder connection.

New on September 13, 2022

  • IAST:
    • Support for tracking data sent over WebSockets.
    • Extended support for Spring REST API: Support for REST path variables as sources.
    • Support for tracking taint for customers using the Gson library.
    • When using Java 9 and higher, a flag (BC_SB) must be set in the Java properties to properly track taint. Users are now alerted if this flag is not set.

New on August 16, 2022

  • Static analysis client updated to 8.0.1500.
  • Reporting of Java packages and .NET namespaces in scan.manifest and when doing a dry-run.
  • Source code scanner improvements that may change the number of overall findings.
  • Support for additional file extensions for Groovy, JavaScript, PHP, and Ruby.
  • APAR fixes.
  • General fixes and functionality improvements.

New on August 9, 2022

  • DAST engine update: Dynamic Analysis engine updated to AppScan Standard version 10.0.8.28196. See AppScan Standard Fix List.

New on July 26, 2022

  • Comprehensive filtering for all lists:
    • Applications view: Filter by Risk rating, Asset group, Business impact, Business unit, Testing status, Max severity. Select start and end dates.
    • Scans view: Filter by Technology and Status (unchanged).
    • All issues view: Filter by Severity, Status, Scan technology, Enabled policies, Issue type. Select start and end dates.
    • Scan issues view: Filter by Severity, Status, First found, Enabled policies. Select start and end dates.
    Important: With this update the “Quick filters” have been removed from all lists. By default the quick filters showed only non-compliant issues. All issues are now shown by default, including issues of Informational severity and issues marked as Noise. Therefore, until you apply filters, your lists may show more items than they did before the update.
  • DAST and SAST scans:
    • New Preferences section in the Scan > Configuration tab shows how Notification email (Send / Don't send) and Scan enablement (Allow / Don't allow) are configured for the scan.
    • The updated Rescan dialog lets you change these two settings when rescanning.
  • DAST scans: New Extract log icon in scan view lets you open the Execution log in a separate window that can remain open even when you browse away from the scan page.

New on July 19, 2022

  • DAST engine update: Dynamic Analysis engine updated to AppScan Standard version 10.0.8. See AppScan Standard Fix List.

    Note that while automatic API scanning using an imported Postman Collection file is supported in AppScan Standard 10.0.8, uploading a Postman Collection scan to ASoC is not currently supported.

New on July 5, 2022

  • UI:
    • You can now change the severity level of an issue, or of multiple issues together (see Edit issue severity).
    • New indication for scans that are “Completed” but with less than 100% visited pages and/or 100% tested elements. New “Partial scans” filter to view/hide these scans (see Partial scans).
    • Administrators: In role assignment, the “Create scan” and “Rescan” permissions are now separated, so users can be given permission to do one, or the other, or both.

New on June 28, 2022

  • IAST Java agent (version 1.11.10100):
    • Support for JBoss EAP (Enterprise Application Platform) versions 6,7
    • Improved report readability:
      • Print array/map content
      • Dynamic generation of exploit example based on current user input
    • Improved XSS algorithm

New on June 13, 2022

  • Static analysis client updated to 8.0.1498.
  • Java 17 support, including shipping Java 17 in the SAClientUtil package.
  • Replaced Tomcat 7 with Tomcat 9 for JSP precompilation.
  • Source code scanner improvements may result in changes to the overall number of findings.
  • General fixes and functionality improvements.

New on June 12, 2022

  • UI:
    • Added 'OWASP Open API Top 10 2019' policy
    • Added Critical severity to the scan card and to the single scan issues graph
  • Reports:
    • Added SAST open-source resolution and description columns to CSV reports
    • Added Critical severity counters to security reports

New on May 29, 2022

  • Plugins and APIs:
    • The new AppScan Traffic Recorder (previously called the DAST Proxy) is now available on the ASoC Plugins and APIs page. See AppScan Traffic Recorder.
    • Three new JetBrains plugins added: CLion, GoLand and RubyMine.
  • Fix groups: Each group now displays the most relevant columns for that group by default in its Issues table.
  • General bug fixes.

New on May 15, 2022

  • API change: The default value of the FullyAutomatic flag for DAST scans has been changed from false to true. It remains false for SAST scans.

    This means that DAST scans started from the API, or from the plugins, will not be sent to the Scan Enablement Team for review (see Scan status: Under review) unless the user specifically sets the parameter to false.

    For scans started through the UI, the default setting - “Allow intervention” - remains unchanged.

  • IAST Java agent (version 1.10.10101):
    • New supported environments: Jetty server, Quarkus (JVM Node), Resteasy framework
    • Security updates:
      • New vulnerability: Unsafe reflection (CWE 470). Reference: https://cwe.mitre.org/data/definitions/470.html
      • New vulnerability: Open redirect (CWE 601). Reference: https://cwe.mitre.org/data/definitions/601.html
      • Improved accuracy of injection analysis algorithms - affects CWE 78 (OS Command Injection)
      • Eliminated potential false positives when page not found - affects CWE 352 (CSRF) and CWE 523 (Unprotected transport of credentials)
      • Additional information added to issues of CWE 352 (CSRF) and CWE 523 (Unprotected transport of credentials)

New on May 8, 2022

  • Auto Issue Correlation added: With this new feature AppScan can analyze issues found by IAST, DAST and SAST, to spot common weak links in the code ("correlations") that identify where multiple vulnerabilities can be resolved with a single remediation effort. Learn more...
  • Improved Fix Group design.
  • Improved user registration flow.
  • General bug fixes.

New on May 5, 2022

  • The JetBrains plugin now supports CodeSweep functionality. For information about using the JetBrains plugin, see the JetBrains Marketplace.
  • The JetBrains plugin now supports the following additional IDEs:
    • CLion
    • GoLand
    • RubyMine

New on May 2, 2022

  • Static analysis client updated to 8.0.1495.
  • Improvements to JavaScript, C, and PHP scanning engines to enhance accuracy of findings.
  • Bug fixes.

New on April 6, 2022

  • IAST:
    • Call trace information improved for all vulnerabilities
    • Sink URL is now the main issue URL
  • API: The maximum number of objects returned from the Get Scans API was reduced from 200 to 100
  • General bug fixes

New on April 1, 2022

  • Static analysis client updated to 8.0.1491.
  • Client-only update.
  • Bug fixes.

New on March 25, 2022

  • Static analysis client updated to 8.0.1488.
  • Support for scanning Terraform.
  • Improved Java, JavaScript, and PHP analysis.
  • Upgraded to the latest version of Log4j.
    Important: The Static Analysis Client Utility (SAClientUtil) was not and is not vulnerable to any of the Log4j issues discovered in recent months.

New on March 21, 2022

New on March 13, 2022

  • New AppScan Presence for private site scanning: The new Presence (V2) offers improved stability and performance, and a log that lists all authorities (host:port) that the Presence accessed. Learn more...
    • Note: The legacy Presence (V1) is still supported, but will not be supported after October 1, 2022.
    • Note: The new Presence (V2) does not include the DAST proxy. If you need this, you can download and use the legacy Presence (V1).
  • CSV reports: Open-source reports can now be generated as CSV (in addition to HTML and PDF).

New on February 20, 2022

  • UI:
    • Improved ‘Create scan’ flow for DAST scans
    • Added Guided Explore and Scheduler when creating a DAST scan from a file
    • Added ability to create open-source license report at application level
    • Added ability to add a comment to multiple issues
  • Reports:
    • CWE/SANS Top 25 report ASREG in ASoC is replaced by CWE Top 25 Most Dangerous Software Weaknesses 2021
    • Libraries table added to the Open-Source Report Summary
  • API:
    • Added ability to add a comment to multiple issues

New on February 15, 2022

  • Static analysis client updated to 8.0.1480.
  • General fixes and functionality improvements.

Deprecated on February 2, 2022

  • API: The LastSuccessfulExecution property is deprecated and will be removed on February 13, 2022. Please use LatestExecution instead. This returns the latest execution even if it failed.

New on January 26, 2022

  • Static analysis client updated to 8.0.1473.
  • Support for static analysis-only scanning.
  • General fixes and functionality improvements.

New on January 25, 2022

  • Scan scheduler:
    • Select which days of the week a scheduled scan will run
    • Add a schedule to an existing scan
    • Remove the schedule from a scheduled scan
    • The recurrence end date (last date that a scan is scheduled to run) is now shown in the scan entry
  • New issues found in a scan execution are now shown in the scan entry and in filtered issues view
  • Easily change the user interface language at any time from the page header
  • Switch between data centers from the landing page header

New on January 2, 2022

IAST monitoring, Java agent (version 1.9.10200):

New on December 28, 2021

  • UI:
    • Scan cards redesigned and now include a link to the issues per severity in the scan.
    • Rider plugin added to the ‘Plugins & APIs’ page.
  • Reports: "OWASP Top 10, 2021" added to reports and policies.
  • API:
    • Added ability to define the ‘Recurrence End Date’ from the post DAST scan API.
    • Added support for viewing issues found for the first time in the application.
    • Language property added to new SAST issues.
  • General bug fixes.

New on December 17, 2021

  • DAST: Added new security rule to test for the Log4j vulnerability.

New on December 15, 2021

Previous updates