Recent updates
Discover upcoming and recently added features.
Updates: AppScan on Cloud announcements, including advance notice of planned changes and scheduled maintenance that might affect your workflow, can be found on AppScan News. To be notified when there is an announcement, you can subscribe to AppScan News.
Translations: If you are reading this page in translation, please be aware that it may not include the latest additions. To see the latest version of this page, switch to the English version using the "Change Language" option at the top right of the menu bar.
New on June 13, 2022
- SAST:
- Java 17 support (includes shipping Java 17 in the SAClientUtil package)
- Replaced Tomcat 7 with Tomcat 9 for jsp precompilation
- Source code scanner improvements that may result in changes to the overall number of findings
New on June 12, 2022
- UI:
- Added 'OWASP Open API Top 10 2019' policy
- Added Critical severity to the scan card and to the single scan issues graph
- Reports:
- Added SAST open-source resolution and description columns to CSV reports
- Added Critical severity counters to security reports
New on May 29, 2022
- Plugins and APIs:
- The new AppScan Traffic Recorder (previously called the DAST Proxy) is now available on the ASoC Plugins and APIs page. See AppScan Traffic Recorder.
- Three new JetBrains plugins added: CLion, GoLand and RubyMine.
- Fix groups: Each group now displays the most relevant columns for that group by default in its Issues table.
- General bug fixes.
New on May 15, 2022
- API change: The default value of the FullyAutomatic flag for DAST scans has been changed from false to true. It remains false for SAST scans.
This means that DAST scans started from the API or from the plugins will no longer be sent to the Scan Enablement Team for review (see Scan status: Under review) unless the user explicitly sets the parameter to false. Clients that relied on the old default and still expect a manual review step must now pass FullyAutomatic=false.
For scans started through the UI, the default setting, "Allow intervention", remains unchanged.
- IAST updates:
- New supported environments: Jetty server, Quarkus (JVM mode), RESTEasy framework
- Security updates:
- New vulnerability: Unsafe reflection (CWE 470). Reference: https://cwe.mitre.org/data/definitions/470.html
- New vulnerability: Open redirect (CWE 601). Reference: https://cwe.mitre.org/data/definitions/601.html
- Improved accuracy of injection analysis algorithms (affects CWE 78: OS Command Injection)
- Eliminated potential false positives when a page is not found (affects CWE 352 (CSRF) and CWE 523 (Unprotected transport of credentials))
- Additional information added to issues of CWE 352 (CSRF) and CWE 523 (Unprotected transport of credentials)
New on May 8, 2022
- Auto Issue Correlation added: With this new feature AppScan can analyze issues found by IAST, DAST and SAST, to spot common weak links in the code ("correlations") that identify where multiple vulnerabilities can be resolved with a single remediation effort. Learn more...
- Improved Fix Group design.
- Improved user registration flow.
- General bug fixes.
New on May 5, 2022
- The JetBrains plugin now supports CodeSweep functionality. For information about using the JetBrains plugin, see the JetBrains Marketplace.
- The JetBrains plugin now supports the following additional IDEs:
- CLion
- GoLand
- RubyMine
New on May 2, 2022
- Static analysis client updated to 8.0.1945.
- Improvements to JavaScript, C, and PHP scanning engines to enhance accuracy of findings.
- Bug fixes.
New on April 6, 2022
- IAST:
- Call trace information improved for all vulnerabilities
- Sink URL is now the main issue URL
- API: The maximum number of objects returned from the Get Scans API was reduced from 200 to 100
- General bug fixes
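The Get Scans change above is the kind of API change that breaks clients silently: a client that asked for 200 objects and treated a single response as "everything" now receives 100 and drops the rest without any error. The following is an added example (not AppScan on Cloud's own client code) of a paging loop that does not depend on the server's cap. The page states only the new maximum of 100; the endpoint shape, the `offset`/`limit` parameters and the in-memory stand-in for the API are assumptions made so that it runs offline.

```python
"""Paging helper that never assumes a fixed server-side page cap.

Added example; not AppScan on Cloud's own client code. The page only
states that the Get Scans API now returns at most 100 objects per call
(previously 200). The endpoint name, the offset/limit parameters and
the in-memory fake below are assumptions used to make this runnable.
"""
from typing import Callable, Iterator

SERVER_MAX_PAGE = 100  # cap described on the page (was 200)


def make_fake_get_scans(total: int) -> Callable[[int, int], list[dict]]:
    """Constructed stand-in for the Get Scans API (not the real endpoint).

    Honors the requested limit only up to SERVER_MAX_PAGE, which is exactly
    the behaviour change that truncates clients still asking for 200.
    """
    scans = [{"Id": f"scan-{i:04d}"} for i in range(total)]  # constructed data

    def get_scans(offset: int, limit: int) -> list[dict]:
        limit = min(limit, SERVER_MAX_PAGE)
        return scans[offset:offset + limit]

    return get_scans


def naive_fetch(get_scans: Callable[[int, int], list[dict]], requested: int = 200) -> list[dict]:
    """Old-style client: one call, trusts that 'requested' means 'everything'."""
    return get_scans(0, requested)


def fetch_all_scans(get_scans: Callable[[int, int], list[dict]], page_size: int = 200) -> Iterator[dict]:
    """Robust client: keep paging until the server returns an empty page.

    Stopping on an empty page, rather than on 'fewer than page_size', keeps
    the loop correct whatever cap the server actually applies. The repeat
    check turns a broken or non-deterministic paging order into an error
    instead of an infinite loop or duplicated results.
    """
    offset = 0
    seen: set[str] = set()
    while True:
        page = get_scans(offset, page_size)
        if not page:
            return
        for scan in page:
            if scan["Id"] in seen:
                raise RuntimeError("API returned a repeated object; paging is broken")
            seen.add(scan["Id"])
            yield scan
        offset += len(page)


if __name__ == "__main__":
    api = make_fake_get_scans(250)
    print(len(naive_fetch(api)))            # 100: silently truncated
    print(len(list(fetch_all_scans(api))))  # 250: all scans retrieved
```

The extra empty-page request at the end is the price of not trusting the cap; it is cheap compared with missing scans in an inventory or compliance export.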
New on April 1, 2022
- Static analysis client updated to 8.0.1491.
- Client-only update.
- Bug fixes.
New on March 25, 2022
- Static analysis client updated to 8.0.1488.
- Support for scanning Terraform.
- Improved Java, JavaScript, and PHP analysis.
- Upgraded to the latest version of Log4j. Important: The Static Analysis Client Utility (SAClientUtil) was not and is not vulnerable to any of the Log4j issues discovered in recent months.
New on March 21, 2022
- DAST engine update: Dynamic Analysis engine updated to AppScan Standard version 10.0.7. See AppScan Standard Fix List.
New on March 13, 2022
- New AppScan Presence for private site scanning: The new Presence (V2) offers improved stability and performance, and a log that lists all authorities (host:port) that the Presence accessed. Learn more...
- Note: The legacy Presence (V1) remains supported until October 1, 2022, after which it will no longer be supported.
- Note: The new Presence (V2) does not include the DAST proxy. If you need the proxy, download and use the legacy Presence (V1).
- CSV reports: Open-source reports can now be generated as CSV (in addition to HTML and PDF).
New on February 20, 2022
- UI:
- Improved ‘Create scan’ flow for DAST scans
- Added Guided Explore and Scheduler when creating a DAST scan from a file
- Added ability to create open-source license report at application level
- Added ability to add a comment to multiple issues
- Reports:
- CWE/SANS Top 25 report ASREG in ASoC is replaced by CWE Top 25 Most Dangerous Software Weaknesses 2021
- Libraries table added to the Open-Source Report Summary
- API:
- Added ability to add a comment to multiple issues
New on February 15, 2022
- Static analysis client updated to 8.0.1480.
- General fixes and functionality improvements.
Deprecated on February 2, 2022
- API: The LastSuccessfulExecution property is deprecated and will be removed on February 13, 2022. Please use LatestExecution instead. Note that LatestExecution returns the latest execution even if it failed, so callers that need the last successful result must check the execution's status themselves.
New on January 26, 2022
- Static analysis client updated to 8.0.1473.
- Support for static analysis-only scanning.
- General fixes and functionality improvements.
New on January 25, 2022
- Scan scheduler:
- Select which days of the week a scheduled scan will run
- Add a schedule to an existing scan
- Remove the schedule from a scheduled scan
- The recurrence end date (last date that a scan is scheduled to run) is now shown in the scan entry
- New issues found in a scan execution are now shown in the scan entry and in filtered issues view
- Easily change the user interface language at any time from the page header
- Switch between data centers from the landing page header
New on January 2, 2022
IAST monitoring, Java agent (version 1.9.10200):
- Improved performance
- Support Java 17
- Support for communicating with ASE in environments where a proxy is set through Java system properties (https.proxyHost/https.proxyPort or http.proxyHost/http.proxyPort)
- New security features:
- XXE on JAXB class (CWE 611). This potentially vulnerable class is mentioned in the OWASP XXE prevention documentation: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxb-unmarshaller
- JSON XSS informational issue (CWE 79), an XSS variant of vulnerable data written to the response as JSON
New on December 28, 2021
- UI:
- Scan cards redesigned and now include a link to the issues per severity in the scan.
- Rider plugin added to the ‘Plugins & APIs’ page.
- Reports: "OWASP Top 10, 2021" added to reports and policies.
- API:
- Added ability to define the ‘Recurrence End Date’ from the post DAST scan API.
- Added support for viewing issues found for the first time in the application.
- Language property added to new SAST issues.
- General bug fixes.
New on December 17, 2021
- DAST: Added new security rule to test for the Log4j vulnerability.
New on December 15, 2021
- Static analysis client updated to 8.0.1472.
- Support for scanning RPG.
- Support for including and excluding .NET namespaces for scanning.
- Support for specifying Java parallel processing cache location in appscan-config.xml.
- Expanded .NET 5/6 analysis.
- General fixes and functionality improvements.