Recent updates

• Java 17 support (includes shipping Java 17 in the SAClientUtil package)
• Replaced Tomcat 7 with Tomcat 9 for jsp precompilation
• Source code scanner improvements that may result in changes to the overall number of findings

• Added 'OWASP Open API Top 10 2019' policy
• Added Critical severity to the scan card and to the single scan issues graph

• Added SAST open-source resolution and description columns to CSV reports
• Added Critical severity counters to security reports

• The new AppScan Traffic Recorder (previously called the DAST Proxy) is now available on the ASoC Plugins and APIs page. See AppScan Traffic Recorder.
• Three new JetBrains plugins added: CLion, GoLand and RubyMine.

This means that DAST scans started from the API, or from the plugins, will not be sent to the Scan Enablement Team for review (see Scan status: Under review) unless the user specifically sets the parameter to false.

For scans started through the UI, the default setting - “Allow intervention” - remains unchanged.

• New supported environments: Jetty server, Quarkus (JVM Node), Resteasy framework
• Security updates:
  • New vulnerability: Unsafe reflection (CWE 470). Reference: https://cwe.mitre.org/data/definitions/470.html
  • New vulnerability: Open redirect (CWE 601). Reference: https://cwe.mitre.org/data/definitions/601.html
  • Improved accuracy of injection analysis algorithms - affects CWE 78: OS Command Injection)
  • Eliminate potential False positives when page not found - affects CWE 352 (CSRF) and 523 (Unprotected transport of credentials)
  • Additional information added to issues of CWE 352 (CSRF) and CWE 523 (Unprotected transport of credentials)

• CLion
• GoLand
• RubyMine

• Call trace information improved for all vulnerabilities
• Sink URL is now the main issue URL

• Note: The legacy Presence (V1) is still supported, but will not be supported after October 1, 2022.
• Note: The new Presence (V2) does not include the DAST proxy. If you need this, you can download and use the legacy Presence (V1).

• Improved ‘Create scan’ flow for DAST scans
• Added Guided Explore and Scheduler when creating a DAST scan from a file
• Added ability to create open-source license report at application level
• Added ability to add a comment to multiple issues

• CWE/SANS Top 25 report ASREG in ASoC is replaced by CWE Top 25 Most Dangerous Software Weaknesses 2021
• Libraries table added to the Open-Source Report Summary

• Added ability to add a comment to multiple issues

• Select which days of the week a scheduled scan will run
• Add a schedule to an existing scan
• Remove the schedule from a scheduled scan
• The recurrence end date (last date that a scan is scheduled to run) is now shown in the scan entry

• XXE on JaxB class (CWE 661). This potentially vulnerable class is mentioned in this OWASP XXE documentation: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxb-unmarshaller
• JSON XSS informational issue (CWE 79), an XSS variant of vulnerable data written to the response as JSON

• Scan cards redesigned and now include a link to the issues per severity in the scan.
• Rider plugin added to the ‘Plugins & APIs’ page.

• Added ability to define the ‘Recurrence End Date’ from the post DAST scan API.
• Added support for viewing issues found for the first time in the application.
• Language property added to new SAST issues.