Product changes when you upgrade from a previous version

Learn about changes that might affect your scans or report data when you upgrade from a previous version. Make sure that you read all the topics so that you understand the upgrade process.

Upgrading to 10.0.5

From AppScan Enterprise V10.0.5 and later, the AppScan Enterprise IAST feature requires a valid License to be functional. Hence, the functionality of the IAST agents depends on the following licensing scenarios:
  • If you do not subscribe to (or install) IAST license while upgrading to AppScan Enterprise V10.0.5 and later, then all the deployed IAST agents are disabled irrespective of their predefined status.
  • If you have deployed more number of IAST agents than the number of IAST licenses purchased in AppScan Enterprise V10.0.5 and later versions you are upgrading, then the extra IAST agents are Disabled due to insufficient licenses.

Upgrading from 10.0.2 to 10.0.3

For customers who use AppScan Enterprise IAST Communication Service and/or AppScan Source Database Service.
  • When you are upgrading from AppScan Enterprise V10.0.2 to AppScan Enterprise V10.0.3 version, it is recommended that you must manually stop two services - AppScan Enterprise IAST Communication Service and AppScan Source Database Service - by running the batch file shutdown.bat that is provided for each of these respective services in the AppScan Enterprise V10.0.2 installation directory.

    For each of these services the batch file is available in the AppScan Enterprise installation directory.

    Assuming the default installation directory is chosen, following would be the location:
    • shutdown.bat to stop IAST service is available at C:\Program Files (x86)\IBM\AppScan Enterprise\IASTService.
    • shutdown.bat to stop AppScan Source Database Service is available at C:\Program Files (x86)\IBM\AppScan Enterprise\AppScanDBService.
Upgrading from 9.0.3
  • Custom error pages are no longer set globally, they are only set on the content scan job. On upgrade, each content scan job, *.scant job, and AppScan Dynamic Analysis Client scan will move the global custom error pages to the individual job.
  • Existing content scan jobs in the Folder Explorer view, including QuickScan jobs that are not created in the AppScan Dynamic Analysis Client, will have a new check box enabled on the Explore Options page that enables filtering of similar pages based on structure (DOM). If an existing content scan job:
    • had a redundant path limit set to 5, that option is disabled and DOM-based filtering is turned on
    • had a redundant path limit set to a different value, that option is kept enabled and DOM-based filtering is not turned on
    • had a similar content limit set to 5, with HTML structure enabled, that option is turned off and DOM-based filtering is turned on
    • had a similar content limit set to a different value, or it compares Text and HTML structure, that option is kept enabled and DOM-based filtering is not turned on
  • Issue types are changed periodically in the security rules. If you have a scan with old issue types that no longer exist after a security rules update, the issues with those issue types will disappear after the update, and new issues will be found with the new issue types. Those issues will have to be triaged again.
Upgrading from 9.0.2.1
  • On the Restore AppScan Server Settings screen of the configuration wizard, an additional option has been added that preserves custom scanner *.jar files that might have been added to the <install-dir>\HCL\AppScan Enterprise\Liberty\usr\servers\<instance_name>\lib\scanners.
Upgrading from 9.0.2
  • In previous releases, imported issues were cumulative. In v9.0.2.1, you can remove issues that were previously found in an application but are not included in subsequent imports. In scanner profiles from v9.0.1, the Remove Orphaned Issues check box is disabled in v9.0.2.1 to respect previous behavior (can be overridden by clearing the check box).
  • When you add a new issue attribute name to a scanner profile, the Use Imported Values check box is enabled by default. Keep the Use Imported Values check box enabled if you want to update an existing issue attribute with values contained in the imported file. If you clear the check box, AppScan Enterprise will retain the value previously used. If you select the Unique check box, you cannot clear the Use Imported Values check box.
  • There were changes to the REST APIs.
  • There is a new Overdue formula available. If you created an Overdue attribute in a previous version of AppScan Enterprise, v9.0.3 appends "_1" to the name and then creates a new Overdue attribute for the formula to use.

Upgrading from 9.0.1

  • There is a New issue status. Upon upgrade, the New issue column is available for display in the Portfolio tab in the Monitor view. Formulas are updated to include issues with a New status. Upgrade does not affect the status of issues that were discovered in previous versions.
  • A new Dashboard tab displays the charts that were displayed in the Portfolio tab in v9.0.1. The new dashboard includes trend charts for Security Risk Rating, Testing Status, Applications with Open Issues, and Open Issues.
    Note:

    Possible naming conflicts between v9.0.1 application attribute customizations and new v9.0.2 dashboard trend charts

    The Open Issues and Applications with Open Issues charts rely on a new application attribute called "Open Issues" that is defined as a formula. However, if you previously created an application attribute called "Open Issues" of any type other than formula, the upgrade does not attempt to resolve the conflict between your attribute and the one that version 9.0.2 needs for the new charts.

    The new charts will not display as intended after upgrade, and you must resolve this problem manually. Rename your "Open Issues" attribute to something else if you want to preserve its values. Update all formulas where you referenced your "Open Issues" attribute to reflect the new name. Then, rerun the configuration wizard to create the "Open Issues" formula attribute that the new charts require.

  • A new approach to create scans consistent with AppScan Standard, for both the security team who creates the templates and for the developers who create the scans. See Overview of scan configuration differences in v9.0.2 and higher and in previous versions.
    • The new method is accessed from both the Monitor and Scans views.
    • Existing scan templates from v9.0.1.1 are kept after upgrade, and the old method of QuickScan template creation still exists.
    • To take advantage of this new method, during upgrade you must run the Default Settings Wizard after the Configuration Wizard to install the templates for v9.0.2.
    • To avoid any template name conflicts in the Templates directory in the Folder Explorer, (v9.0.2) is appended to the template name.
    • If you install a new instance of AppScan Enterprise, you can still access the templates from v9.0.1.1. When you create a new content scan or template from the Scans view, select Create using previously saved settings file and go to <install-dir>\AppScan Enterprise\Initializations\ASE\DefaultTemplates\Job\Version 9.0.1.1 to select the *.xml file.
  • The embedded version of Liberty is now v8.5.5.4. During configuration, you can choose to restore previous AppScan Server customized settings on the Liberty Server. See Restore AppScan Server settings.

For further details on what's new and changed since v9.0.1.1, read this whitepaper.

Upgrading from 9.0

  • AppScan Enterprise v9.0.1 includes an architecture redesign to reduce the installation footprint and to remove IBM Rational Jazz Team Server (Jazz Team Server) as the user authentication component. With the removal of Jazz Team Server, the Apache Tomcat and WebSphere Application Server deployment servers are no longer supported in v9.0.1. They are replaced with IBM WebSphere Application Server Liberty Core v8.5.5.2. See Replacing Jazz Team Server with WebSphere Liberty - Frequently asked questions.
  • For new instances of v9.0.1, the risk rating formula has changed. If you are upgrading from v9.0, the risk rating formula remains the same, and your risk ratings remain consistent. However, you can use the new formula IF(businessimpact = 0, 0, IF(testingstatus > 0, 0, businessimpact * rr_maxseverity)) by replacing the old formula in the application profile template in AppScan Enterprise.
  • Issue management through application view: In v9.0, issue management privileges were set on the folder that contained a scan. In v9.0.1, issue management is set on the application. Upon upgrade from 9.0, if a scan is already associated with an application, users who used to have issue management privileges on the folder will now have basic permissions on the application so they can continue managing these issues. There is the potential of giving them access to scans they previously were not allowed to access. For example,
    v9.0 v9.0.1 Result
    Folder A: (Bob has an Issue Manager role)
    • Scan X
    • Scan Y
    Folder B: (Mary has an Issue Manager role)
    • Scan A
    • Scan B
    Application 1 is associated with these scan jobs:
    • Scan X
    • Scan B
    Mary now has basic access permissions to Scan B so that she can continue to do her job but she also has access to Scan X, which she didn't have in v9.0.
    To restrict a user's permissions to managing issues on specific applications, remove them from the Basic Access on the applications they are not allowed to access. In the example above, remove Mary's Basic Access permissions on Scan X. To find the application that contains Scan X, go to the Scans view and flatten the hierarchy to show only jobs. Find Scan X and click the link for the application name it is associated with. On the Application tab, click View details and in the Users section of the dialog, remove Mary's Basic Access permissions.