Recent static analysis updates

New in version 8.0.1567 (April 17, 2024)

Static analysis client updated to 8.0.1567.
Software Composition Analysis (SCA) now supports config scanning of package.json files from NPM packages.
SCA can retrieve essential package dependency information from the scan, providing users with comprehensive insights into project dependencies. Package dependencies detected by the NPM package manager scans are seamlessly integrated into the Software Bill of Materials (SBOM) report, facilitating a clearer understanding of project dependencies.
Note: Issues found during config scanning are consolidated results from other config scan only. To disable config scanning, use the -nc flag with appscan prepare.
Improvements to secrets scanner.
Improvements to Java source code scanner.
General bug fixes.

New in version 8.0.1561 (March 9, 2024)

Static analysis client updated to 8.0.1561.
General bug fixes.

New in version 8.0.1560 (March 8, 2024)

Static analysis client updated to 8.0.1560.
Static analysis support for .NET 8.
Improvements to Software Composition Analysis (SCA) support for Go Modules.
Improved accuracy for Java, JavaScript and Python languages.
General bug fixes.

New in AppScan Go! version 2.0.0 (February 14, 2024)

AppScan Go! updated to version 2.0.0
AppScan Go! steps you through configuring and running a static, SCA, or secrets scan with a refreshed and improved user interface and refined workflow. You can run a complete scan, prepare an IRX file for scanning later, or configure files for automating scans with AppScan plugins. You can also view account information within the tool.

New in version 8.0.1558 (January 19, 2024)

Static analysis client updated to 8.0.1558.
New Software Composition Analysis (SCA) support for Go Modules.
General bug fixes.

New in version 8.0.1556 (December 13, 2023)

Static analysis client updated to 8.0.1556.
Major enhancements to Intelligent Findings Analytics (IFA) for Java, our AI/ML auto-triage technology, include more precise findings and reduced false positives. Users may notice additional findings in previously scanned code due to improved analysis and prioritization.
The Static Analyzer Command Line Utility (SAClientUtil) supports updated distinct workflows for SCA and SAST. The SAClientUtil, via the appscan queue_analysis command, kicks off two scans: one static analysis scan and one SCA scan for the open source findings. Static analysis and SCA scans are separated as a result.
Automatic discovery of Git repositories. File paths for new issues are relative to the repository root.
Increased coverage for RPG language.
General bug fixes.

New in version 8.0.1546 (October 16, 2023)

Static analysis client updated to 8.0.1546.
Support for scanning cascading style sheets (CSS files).
AppScan on Cloud identifies security vulnerabilities in cascading style sheets, including cross-site scripting, injection, and validation.
Support for IBM WebSphere Application Server 9.x
The Static Analyzer Command Line Utility can be configured to leverage a WebSphere environment to use the JSP compiler included with WebSphere.
Improved accuracy for PHP scanning.
AppScan on Cloud improved verification of PHP content in HTML files.
General fixes.
The AppScan development team regularly reviews functionality and code, making tweaks and adjustments on an ongoing basis to provide optimum scanning functionality.

New in version 8.0.1542 (August 22, 2023)

Static analysis client updated to 8.0.1542.
Additional performance improvements for source code scanners.
General bug fixes.

New in version 8.0.1537 (August 16, 2023)

Static analysis client updated to 8.0.1537.
Secrets scanning is disabled by default.
Use the --enableSecrets and --secretsOnly options to scan secrets.
Improved performance for source code scanners.
General bug fixes.

New in version 8.0.1535 (July 20, 2023)

Static analysis client updated to 8.0.1535.
General bug fixes.

New in version 8.0.1533 (June 30, 2023)

Static analysis client updated to 8.0.1533.
Expanded support for secrets scanning.

New in version 8.0.1531 (June 20, 2023)

Static analysis client updated to 8.0.1531.
Support for secrets scanning.

New in AppScan Go! version 1.0.2 (May 31, 2023)

AppScan Go! updated to version 1.0.2
- Updated icons and logos
- General bug fixes

New in version 8.0.1530 (May 15, 2023)

Static analysis client updated to 8.0.1530.
New language support for Rust.
Improved accuracy for Java and Ruby.
Inline tutorials for fix groups, Jenkins plugin setup, Azure plugin setup, and CodeSweep action.
General bug fixes.

New in version 8.0.1524 (March 21, 2023)

Static analysis client updated to 8.0.1524.
General bug fixes.

New in version 8.0.1521 (February 6, 2023)

Static analysis client updated to 8.0.1521.
Improvements to Software Composition Analysis (SCA) discovery and reporting.
Improved accuracy for C, C++, and Python scans.
General bug fixes.

New in version 8.0.1517 (December 13, 2022)

Static analysis client updated to 8.0.1517.
Software Composition Analysis (SCA) scans can be run against Docker containers and images using the appscan prepare_sca and appscan.sh prepare_sca commands.
Improved accuracy for .NET, Java, and JavaScript scans.
General bug fixes.

New in AppScan Go! version 1.0.1 (November 16, 2022)

AppScan Go! updated to 1.0.1

General bug fixes.

New in version 8.0.1514 (October 31, 2022)

Static analysis client updated to 8.0.1514.
Improved accuracy for Java and Kotlin scanners.
General bug fixes.

New in version 8.0.1506 (October 3, 2022)

Static analysis client updated to 8.0.1506.
Automatic discovery of Maven and Gradle projects with AppScan Go! and CLI.
Improved accuracy for JavaScript, NodeJS, and Kotlin scanners.
Improved coverage for Java scans.
General bug fixes.

New in AppScan Go! version 0.1.10 (September 21, 2022)

AppScan Go! updated to 0.1.10

Improved support for different screen resolutions
AppScan Go! auto-update for Windows and Macintosh systems
Disk space cleanup of temp directory
Improved error handling
General bug fixes

New in version 8.0.1500 (August 16, 2022)

Static analysis client updated to 8.0.1500.
Reporting of Java packages and .NET namespaces in scan.manifest and when doing a dry-run.
Source code scanner improvements that may change the number of overall findings.
Support for additional file extensions for Groovy, JavaScript, PHP, and Ruby.
APAR fixes.
General fixes and functionality improvements.

New in version 8.0.1498 (June 13, 2022)

Static analysis client updated to 8.0.1498.
Java 17 support, including shipping Java 17 in the SAClientUtil package.
Replaced Tomcat 7 with Tomcat 9 for JSP precompilation.
Source code scanner improvements may result in changes to the overall number of findings.
General fixes and functionality improvements.

New in version 8.0.1495 (May 2, 2022)

Static analysis client updated to 8.0.1495.
Improvements to JavaScript, C, and PHP scanning engines to enhance accuracy of findings.
Bug fixes.

New in version 8.0.1491 (April 1, 2022)

Static analysis client updated to 8.0.1491.
Client-only update.
Bug fixes.

New in version 8.0.1488 (March 25, 2022)

Static analysis client updated to 8.0.1488.
Support for scanning Terraform.
Improved Java, JavaScript, and PHP analysis.
Upgraded to the latest version of Log4j.

Important: The Static Analysis Client Utility (SAClientUtil) was not and is not vulnerable to any of the Log4j issues discovered in recent months.

New in version 8.0.1480 (February 15, 2022)

Static analysis client updated to 8.0.1480.
General fixes and functionality improvements.

New in version 8.0.1473 (January 26, 2022)

Static analysis client updated to 8.0.1473.
Support for static analysis-only scanning.
General fixes and functionality improvements.

New in version 8.0.1472 (December 15, 2021)

Static analysis client updated to 8.0.1472.
Support for scanning RPG.
Support for including and excluding .NET namespaces for scanning.
Support for specifying Java parallel processing cache location in appscan-config.xml.
Expanded .NET 5/6 analysis.
General fixes and functionality improvements.

New in AppScan Go! version 0.1.8

AppScan Go! updated to version 0.1.8, including the following enhancements:

New opening page design.
Source code-only scanning support.
Ability to generate appscan-config.xml for open source-only scans.
Consolidation of targets and excludes in appscan-config.xml files.
Ability to disable automatic update of AppScan Go! on startup.
Ability to manually update AppScan Go!.
Refreshed logic for excluded files and clarified error messages.
General fixes and improvements.

New in version 8.0.1461

Static analysis client updated to 8.0.1461
Support for scanning Dart.
Support for scanning Java source code with the source code-only option.
General fixes and functionality improvements.

New in version 8.0.1448

Static analysis client updated to version 8.0.1448.
General fixes and functionality improvements.

New in version 8.0.1445

Static analysis client updated to version 8.0.1445
Support for scanning C++ with the source code-only option.
Support for scanning Objective-C++.
New get_report command for generating reports from the command line interface (CLI).

New in version 8.0.1436

Static analysis client updated to version 8.0.1436.
Support for source-code scanning for VB.NET, which is enabled by the source code-only option.

New in version 8.0.1433 (April 28, 2021)

Static analysis client updated to version 8.0.1433.
General fixes and functionality improvements.
APAR fixes.
Improvements to Java parallel processing.

New in version 8.0.1431 (April 7, 2021)

Static analysis client updated to version 8.0.1431.
New and faster source code-only scanning for C#, ASP.NET, and C.
Additional functionality for the queue_analysis CLI command for both Windows and Linux. These parameters are optional:
- Enable or disable email notification on analysis completion.
- Run the scan as a personal scan.
AppScan Go! is now supported on Mac.

New in version 8.0.1422 (February 3, 2021)

Static analysis client updated to version 8.0.1422.
General fixes and functionality improvements.
Improved performance and memory utilization around parallel processing functionality for Java applications.

New in version 8.0.1419 (December 16, 2020)

Static analysis client updated to version 8.0.1419.
New support for Infrastructure as Code (IaC) scanning.
Support for Java 11.
Support for including and excluding Java namespaces for scanning.

New in version 8.0.1410 (November 3, 2020)

New language support for Vue.js.
Upgraded Java analysis engine for faster and more accurate scans. The upgraded Java engine delivers near-incremental scanning while maintaining scan depth and accuracy. While the engine provides mostly the same results as before, some change in results is expected. See Parallel processing for Java applications to learn more about the new scanning techniques.

New in version 8.0.1408 (October 7, 2020)

New language support for ABAP.
New language support for Android-Java.
New language support for Objective-C.
New language support for ReactNative.
New language support for Xamarin.
General bug fixes and improvements.

New in version 8.0.1393 (September 15, 2020)

General bug fixes and improvements.

New in version 8.0.1387 (August 5, 2020)

Support for AngularJS 8 and 9.
Support for Ionic Framework.
New language support for TypeScript.
General bug fixes and improvements.

New in version 8.0.1383 (June 24, 2020)

New language support for Groovy.
New language support for Symfony.
General bug fixes and improvements.

New in version 8.0.1374 (May 21, 2020)

New language support for Scala.
New language support for ReactJS.
Support for Visual Studio 2017 and Visual Studio 2019 C++ projects.

New in version 8.0.1367 (April 15, 2020)

General bug fixes and improvements.

New in version 8.0.1361 (March 27, 2020)

New language support for Kotlin and Swift.
.NET analysis improvements to reduce false positives.
Improved PHP support.
General bug fixes and improvements.

New in version 8.0.1357 (March 10, 2020)

General bug fixes and improvements.

New in version 8.0.1354 (March 5, 2020)

New language support for Visual Basic.
General bug fixes and improvements.

New in version 8.0.1344 (February 10, 2020)

New language support for ASP Classic.
Improvements to NodeJS scanning:
- 37 new articles
- Refined 29 rules
- These improvements ultimately should reduce the overall number of findings.
- However, updates could cause some existing findings to appear as new findings.

New in version 8.0.1336 (December 18, 2019)

Improved Golang analysis.
General bug fixes.

New in version 8.0.1334 (December 16, 2019)

Similar to AppScan Go!, users scanning with the Command Line Interface can specify scan speed.
When generating an IRX file with CLI, users can specify third-party and/or Open Source scanning with a <configuration> attribute.
General bug fixes.

New in AppScan Go! version 0.13 (November 7, 2019)

The latest update to the AppScan on Cloud GUI, AppScan Go!, introduces the ability to specify the "Thorough" scan speed. Thorough scans deliver the most comprehensive analyses to identify the maximum number of vulnerabilities. Thorough scans also take the longest time to complete.

To take advantage of this scan speed, download and install the latest version of AppScan Go!

Note: Thorough scans are also available through the command line interface by adding -Dpreset_hint=thorough to the appscan prepare command. For example, appscan prepare -Dpreset_hint=thorough.

New in version 8.0.1330 (November 5, 2019)

New language support for Go programming language (Golang).
General bug fixes.

New in version 8.0.1324 (October 24, 2019)

PHP analysis is now achieved with a optimized scanner, thus making scans easier to leverage. For more information.
Please upgrade to version 8.x of the Static Analyzer Command Line Utility:
- Plugins automatically download the latest Static Analyzer Command Line Utility when they run.
- If you try to prepare code for scanning using Static Analyzer Command Line Utility version 7.x or earlier, you see an error message. Upgrade to the latest Static Analyzer Command Line Utility based on your operating system (Windows, Linux, Mac).
- If you are using AppScan Go!, accept and install the latest update if an update is offered.
General bug fixes.

New in version 8.0.1321 (September 9, 2019)

New user interface for configuring and running static scans.
General bug fixes.

New in version 8.0.1319 (August 7, 2019)

General bug fixes.

New in version 8.0.1313 (June 13, 2019)

General bug fixes.

New in version 8.0.1311 (May 22, 2019)

New language support for Perl, PL/SQL, and TSQL.
Apex support for the VisualStudio framework.
Command line interface (CLI) "dry run" option to check for validation issue prior to a full scan.
Support for Weblogic as a JSP compiler.
New Java staging capability: a new, faster method for determining which files to scan within Java projects offers more comprehensive analysis of user code.
The new Java stager process allows for more intelligent handling of Java projects to determine which files will be analyzed and which files will be treated as dependencies. Rather than a time-consuming process of unzipping all war files, jar files, sub jar files and so on, and saving all the uncompressed files to disk before determining which files to analyze, the stager process employs a surgical approach to evaluating the Java project.
Using the new Java stager process, examination of ear, war, jar, and jar of jar files is substantially faster than the previous process. War files with jar files in the lib are processed more completely, but may exhibit a slower IR time as such. The findings, however, are more complete as the process better identifies user code if it is in jar file or class file form anywhere within the war file.
- Findings
  Using the new Java stager process on projects that were previously analyzed may produce similar findings that appear new, as well as actual new findings given the more comprehensive analysis of war files.
- Logging
  In addition to more robust handling of Java projects, the new stager process generates additional logging. This logging lists currently analyzed Java packages and can be useful in discovering missing Java exclusion entries.
For example:
```
-DSTAGE_INFO=true
For example:
D:\apps\app\appscan prepare -n app -DSTAGE_INFO=true
Discovering targets...
Target added: app
Validating...
Staging D:\apps\app\app.jar
Evaluating Entry: app.jar.files/lib/tomcat-coyote-7.0.12.jar
Java Packages To Be Analyzed For app:
        com.app.java.test
No problems found during validation.
Generating IRX file...
IRX file generation successful.
```

New in version 8.0.1301 (April 10, 2019)

APEX support
Visual Studio 2019 plugin and CLI support
JSP compile arguments can be used in appscan-config.xml.

New in version 8.0.1296 (March 6, 2019)

ColdFusion support.
Expanded Azure DevOps (VSTS) and Team Foundation Server (TFS) support.
Improved include/exclude behavior for SAST scans using appscan-config.xml.

New in version 7.0.1290 (February 26, 2019)

General updates and bug fixes.

New in version 7.0.1283 (February 19, 2019)

SAST bug fixes.

New in version 7.0.1271 (January 16, 2019)

Javascript scanner enhancements.
Enhancements include performance improvements, automatic exclusion of third-party files, improved rules analysis, and bug fixes.

New in version 7.0.1262 (December 3, 2018)

Support for Visual Studio Team Services (VSTS) plugin.

New in version 7.0.1262 (November 29, 2018)

Enhanced JavaScript scanner for static analysis.
Support for AngularJS.

New in version 6.0.1255 (September 20, 2018)

HCL AppScan on Cloud Static Analyzer Command Line Utility is supported on 64-bit Linux only.

New in version 6.0.1245 (September 5, 2018)

HCL AppScan on Cloud supports scanning directly from your integrated development environment (IDE) or your build system using the following plugins:

Note: The Maven ASoC plugin is now live in the Maven Central Repository; it no longer needs to be installed manually.

New in version 6.0.1225 (July 2, 2018)

AppScan on Cloud IDE plugin support for policies includes these changes to security scans:

The Scan issues column replaces the Result column in the Security scans view.
When clicked, Scan issues displays all non-compliant static security issues discovered during the scan.
The Application issues column replaces the Report column.
When clicked, Application issues displays all non-compliant static security issues discovered during scans of this application..

IDE plugins for Static Analyzer are now available through the IDE marketplace for the specific plugin flavor. For more information, see Scanning in integrated development environments.

New in Version 6.0.1222 (April 17, 2018)

.NET Core support
AppScan on Cloud supports scanning of .NET Core projects through the Command Line Interface (CLI) and through the Visual Studio 2017 plugin on Windows only. For more information, see Generating an IRX for a .NET Core project.
Note: AppScan on Cloud does not support the portable .pdb format. For more information, see .NET scan results show the assembly file instead of the source file.

Visual Studio 2017 support. supports Visual Studio 2017 and .NET Core on Windows only.

New in Version 6.0.1195 (March 8, 2018)

The IDE plugins now prompt every scan for the application association, instead of only once per workspace.
PHP applications no longer encounter memory limits during IRX generation.
The Help Me Fix This button is no longer reactivated in Visual Studio after resolving a fix group.

New in Version 6.0.1187 (December 5, 2017)

AppScan on Cloud now supports Open Source only scanning through us of the -openSourceOnly option with appscan prepare
Improvements to C/C++ scanning and resulting IRX files
Edge-case stability improvements for Intelligent Code Analytics (ICA) and Intelligent Findings Analytics (IFA)

New in Version 6.0.1157 (October 20, 2017)

Improvements to Intelligent Findings Analytics
Previously, java.sql.Statement.executeBatch and InetAddress returned noisy findings. We improved Intelligent Findings Analytics (IFA) to filter out these false positive findings.

New on September 10, 2017

Previously, AppScan on Cloud associated applications based on the app_id. A recent update changed this association from app_id to guid. For the most part, the ASoC service will prompt you to reassociate applications based on this update. For the Jenkins and CLI, you must take additional steps. See more information at Security scan fails with Application with id x does not exist error.

New in Version 6.0.1157 (August 24, 2017)

Improvements to Open Source Analyzer support:
Improved performance with Open Source Analyzer and Eclipse when running multiple scans in the same session.
Improvements to C/C++ support:
Better discovery of C++ macros and compiler options.
Identification of Static Analysis issues without trace has changed:
We improved the Static Analysis engine, and with it the hash algorithm for non-trace findings has been improved. Due to this change, many static analysis findings detected after deploying this latest update will be duplicated once in the Issues tab. This change primarily affects Node.js, Ruby, and JavaScript findings but may also affect other languages.

New in Version 6.0.1142 (June 28, 2017)

Better support for C/C++, including Visual Studio 2015:
C/C++ scanning improvements include the ability to scan 64-bit projects that target the Visual Studio 2015 platform toolset.
Better logging for .NET:
Improvements to logging and stabilizations for all .NET-related projects.
Javascript improvements:
Javascript traces stabilization so that incomplete traces don't cause issues with returning results.

New in Version 6.0.1118 (June 14, 2017)

Improved support for NodeJS and Ruby:
Node.js and Ruby scans are fully integrated with the Intelligent Findings Analytics (IFA), providing dramatically faster scan times.
Improvements for Client Side Javascript:
We improved the display of trace and non-trace findings generated by the Javascript engine.

New on February 3, 2017

When using the Jenkins plug-in:
- Dynamic analysis is now supported. With this feature, you can perform analysis of an application that runs in a browser.
- Using a generated API key is now required when specifying login credentials.
Note: Connecting to Bluemix from the Jenkins plug-in is not supported.

New in Version 6.0.1054 (January 25, 2017)

Intelligent Code Analytics (ICA) is now applied during C/C++ static analysis scans.
ICA was previously introduced for Java, .NET, and PHP scans. With this technology, new application programming interfaces (API) are discovered and assessed for security impact. Through ICA, all third-party API and frameworks are reviewed and assigned the right security impact. This allows for more complete scan results.
General bug fixes

New in Version 6.0.1036 (December 21, 2016)

When using the service at HCL Cloud Marketplace, static analysis now supports logging in using a generated API key.
- When logging in from an integrated development environment, using a generated API key is now required.
- When logging in from the CLI, issue the appscan api_login command (Windows™) or the appscan.sh api_login command (Linux™ and macOS). This command is used with options that are listed in the Authentication commands (Windows™) or Authentication commands (Linux™ and macOS) topics.
General bug fixes

New on December 13, 2016

Adding static and mobile analysis to your Jenkins automation server is now supported. The HCL AppScan on Cloud Jenkins plug-in allows you to add security scan support to your Jenkins projects. The plug-in allows you to connect to HCL AppScan on Cloud on HCL Cloud Marketplace.
Note: Connecting to Bluemix from the Jenkins plug-in is not supported.
General bug fixes

New in Version 6.0.1001 (November 16, 2016)

Static analysis scans now make use of Intelligent Code Analytics (ICA). ICA automatically discovers new application programming interfaces (API) and assesses them for security impact. Through ICA, all third-party API and frameworks are reviewed and assigned the right security impact. This allows for more complete scan results.
Note: ICA is currently only applied when scanning Java, C/C++, .NET, and PHP.
General bug fixes

New in Version 6.0.971 (October 5, 2016)

The static analysis CLI, Eclipse plug-in, and Maven plug-in are now supported on macOS Versions 10.11 and higher.
General bug fixes

New in Version 6.0.934 (September 14, 2016)

Static Analysis now includes support for scanning C/C++ in Visual Studio solutions.
Note: See Microsoft Visual Studio support (Windows only)
General bug fixes

New in Version 6.0.920 (August 23, 2016)

When logging in to the service from the Static Analyzer Command Line Utility, you can now perform these actions to have the utility automatically attempt to reauthenticate to the service when the login token file expires.:
- If you are logging in from the command line interface (CLI), use the -persist option, as described in Authentication commands (Windows™) and Authentication commands (Linux™ and macOS).
- If you are logging in from an integrated development environment (IDE), select the Save credentials check box.
General bug fixes

New in Version 6.0.891 (July 20, 2016)

HCL Cloud Marketplace only: If you are connected to the AppScan on Cloud service at HCL Cloud Marketplace, static analysis scans must now be associated with an existing AppScan on Cloud application. Associating scans with an application allows you to take advantage of the reporting and trending features of the AppScan on Cloud dashboard.
To learn how to associate an application when submitting scans via the CLI, see Analysis commands (Windows™) or Analysis commands (Linux™ and macOS). To learn how to do this when submitting scans from an IDE, see Scanning in integrated development environments.
Enhanced client-side JavaScript discovery during static analysis scans.
General bug fixes

New in Version 6.0.865 (June 22, 2016)

Static Analysis now includes support for these languages:
- Client-side JavaScript
- PHP
- Ruby
General bug fixes

New in Version 6.0.839 (June 1, 2016)

Now supporting Node.js for static analysis scans.
General bug fixes

New on April 5, 2016

Scan and view vulnerabilities with Static Analyzer from the convenience of your IntelliJ IDE.