What's new in HCL AppScan® Enterprise
New in HCL AppScan® Enterprise 10.1.0
This section describes new product features and enhancements in this release, as well
as deprecations and anticipated changes, where relevant.
- New template for scanning a GraphQL web API. For more information, see Creating a scan using the GraphQL template.
- Reworked action-based web crawler: AppScan’s action-based web crawler has
undergone a thorough overhaul, and now offers:
- Improved memory consumption, together with
- Similar or better coverage
In the unlikely event of any reduced coverage for your application, please contact Support.
- SQL authentication is now supported for connecting to SQL Server Database.
- Encryption of sensitive information in login or scan files.
- Import DAST issues from one AppScan Enterprise instance to another.
- IAST Improvements:
- .Net core support
- WebSocket support for java agent
- AppScan Enterprise web console is now supported with HTTP2. TLS 1.2 must be enabled on the client and server for HTTP/2.
APAR fix list
The following Authorized Program Analysis Reports (APARs) were fixed:
| APAR No. | Description |
|---|---|
| KB0074640 | Edit User Group does not have a License Option |
| KB0078311 | Assessment published to AppScan Enterprise results in "Suspended (Failed to run import script)" status in scan tab |
| KB0089195 | Optimize SP - ap_App_Formula_Update |
| KB0089387 | Wrong User-Agent is shown in the traffic data in scan result |
| KB0089535 | Recording a login for a content scan job using a browser plug-in displays an incorrect message for browsers other than Internet Explorer |
| KB0090266 | Scans created using ASE REST API might fail while running the scan if the template used to create scans contains non-ASCII characters |
| KB0091555 | AppScan Enterprise configuration wizard fails when a carat symbol (^) is used in the bindDN password |
| KB0092139 | When filtering by "Scan Name" in the Monitor view, there is a difference in the number of issues shown and listed. |
| KB0092639 | Retest and traffic logs are created with scan start time instead of the reset start time |
| KB0092666 | CRWAE1701E The scan is shutting down because it includes domains that are not permitted for security testing. |
| KB0095393 | Test Only scans still running the Explore phase |
| KB0095992 | Scan jobs are suspended with the error message "The INSERT statement conflicted with the FOREIGN KEY constraint message" |
| KB0097121 | Documentation enhancements for the AppScan Enterprise "keylogin" REST API |
| KB0099075 | Encoding in some of the languages is not handled properly in some of the REST APIs |
| KB0099087 | Unable to import applications into AppScan Enterprise's monitor tab using CSV files |
| KB0099538 | SQL server with an instance name, is not configured properly for IAST and DBService when it contains '\' character |
| KB0099643 | Error messages for REST API calls are not returned as per the requested response type "no-html-encoding" |
Fixes and security updates
New security rules in this release include:- attWebminFileManagerRCECVE20220824 - Added detection of Webmin RCE in file manager (CVE-2022-0824)
- attNoHttpsRedirection - Added a check for HTTPS redirection when HTTP scheme is used
The complete list of fixes, updates, and RFEs in this release is listed here.
Removed in this release
- Internet Explorer (IE) browser support for v10.0 and v11.0.
- Import of issues from Mobile Analyzer report.
Upcoming changes
The following will be removed in a future release:
- The Web Services, The Vital Few, and Developer Essentials test policies will be removed as similar results can now be achieved using other policies. For information, see Predefined Test Policies.
- CVSS 2.0 scoring will be dropped and replaced with CVSS 3.1.
- Ability to edit CVSS ratings on an issue.