What's new in HCL AppScan® Enterprise

This section describes new AppScan Enterprise product features and enhancements in this release, as well as deprecations and anticipated changes, where relevant.

New in HCL AppScan® Enterprise 10.2.0

  • Issue severity and CVSS score are now based on CVSS 3.1 scoring. All new scans use CVSS 3.1 scoring. Scan findings from before the upgrade keep their CVSS 2.0 scores until they are rescanned. For more information, see the CVSS 3.1 Specification. Ensure that AppScan Standard and AppScan Enterprise are on the same version, 10.2.0, for the integrations to work as expected.
  • Read-only users can now comment on issues if the global option is enabled.
  • Granular access control to restrict modification of the issue status.
  • A comment can be made mandatory when the status of an issue is changed.
  • New API to report the findings of a scan: /issues/(jobID)
  • Activity Log is updated with multi-level filtering and other improvements.
  • Updated regulatory compliance report template: [US] California Consumer Privacy Act (CCPA) - AB-375.

APAR fix list

The following Authorized Program Analysis Reports (APARs) were fixed:

APAR No. Description
KB0068965 Severity headers missing (critical, high, low, informational) in a report sent by alert set in AppScan Enterprise
KB0074147 False Positives may result when Retesting Security Issues that contain multiple positive attack variants
KB0075778 AppScan Enterprise and AppScan Source integration is not working when a short name is configured as an AppScan Source hostname in AppScan Enterprise
KB0082136 TcpSourcePort and SourceInterfaceIP options are missing in AppScan Enterprise
KB0084932 AppScan Enterprise is not logging in user access changes into activity log report in some instances
KB0087169 AppScan Source fails to publish assessments to AppScan Enterprise in non-English locales
KB0090230 Creating DAST scan through AppScan Enterprise swagger using a custom template causes problems
KB0093324 Change of severity (Med to Low) from AppScan Source is not reflected in AppScan Enterprise after publishing or importing through the monitor tab
KB0094173 Discrepancy found in results displayed in AppScan Enterprise and Standard in some scans
KB0095164 post /issueimport/{appId}/{scannerId} API should work irrespective of the params order specified
KB0095837 When starting an ADAC job, user security permission is not checked
KB0095868 The job owner of the job created by the Standard user is being changed to the Admin, after being edited by Administrator in ADAC
KB0095919 Scan Job is running for a Standard user even after the Job owner has been changed to Administrator
KB0098572 Log Retention is converted into Hexadecimal value instead of Decimal value
KB0099738 LDAP user search does not display full list of users
KB0102486 Export of a multistep sequence recorded using an external browser fails
KB0102819 When doing a full scan via ADAC with Page Limit enabled, the scan does not find anything in the explore phase

Fixes and security updates

New security rules in this release include:
  • MaxLengthVuln - Search for "maxlength" attributes with a very large constraint
  • LeakedSecretTokens - Search for secret tokens in the response
  • SecurityRule_AbstractContentSecurityPolicyRule - New abstract CSP rule added (containing common detection and mutation)
  • attNoHttpsRedirection - Check for HTTPS redirection when HTTP scheme is used
  • attText4Shell - Added new rule for Text4Shell Vulnerability (CVE-2022-42889)
  • attGraphqlIntrospectionMutation - Check if introspection is enabled in GraphQL API
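To make concrete what three of these rules look for (MaxLengthVuln, attNoHttpsRedirection and attGraphqlIntrospectionMutation), here is an added example of the corresponding passive checks run over a captured response. It is not AppScan's rule implementation: the responses are constructed samples, and the threshold for a "very large" maxlength is an assumption, since the page does not state the value the scanner uses.

```python
"""Passive response checks modelled on three of the new rules above.

Added example, not AppScan code. The HTTP responses fed to it are constructed
samples; MAXLENGTH_LIMIT is an assumed threshold.
"""
import json
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: what counts as a "very large" maxlength constraint.
MAXLENGTH_LIMIT = 10000


def check_https_redirection(request_url, status, headers):
    """attNoHttpsRedirection: a request over http:// should be answered with a
    3xx redirect whose Location is https://. Returns a finding or None."""
    if urlparse(request_url).scheme != "http":
        return None
    location = headers.get("Location", "")
    if 300 <= status < 400 and urlparse(location).scheme == "https":
        return None
    return f"{request_url}: served over HTTP with no redirect to HTTPS (status {status})"


class _MaxLengthCollector(HTMLParser):
    """Collects (tag, maxlength) pairs whose maxlength exceeds the limit.
    handle_starttag also receives self-closing tags such as <input ... />."""

    def __init__(self):
        super().__init__()
        self.oversized = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() == "maxlength" and value and value.isdigit():
                if int(value) > MAXLENGTH_LIMIT:
                    self.oversized.append((tag, int(value)))


def check_maxlength(html):
    """MaxLengthVuln: return [(tag, value), ...] for oversized maxlength attributes."""
    collector = _MaxLengthCollector()
    collector.feed(html)
    return collector.oversized


def check_graphql_introspection(body):
    """attGraphqlIntrospectionMutation: True when a JSON body answers an
    introspection query, i.e. carries data.__schema. Non-JSON bodies are False."""
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return (
        isinstance(data, dict)
        and isinstance(data.get("data"), dict)
        and "__schema" in data["data"]
    )


def audit_response(request_url, status, headers, body):
    """Run all three checks over one response and return a list of finding strings."""
    findings = []
    redirect_finding = check_https_redirection(request_url, status, headers)
    if redirect_finding:
        findings.append(redirect_finding)
    for tag, value in check_maxlength(body):
        findings.append(f"<{tag}> has maxlength={value}, above assumed limit {MAXLENGTH_LIMIT}")
    if check_graphql_introspection(body):
        findings.append("GraphQL introspection is enabled (response contains __schema)")
    return findings


if __name__ == "__main__":
    # Constructed sample: an HTTP page that is not redirected and has an oversized textarea.
    sample_html = '<form><input name="q" maxlength="50"><textarea maxlength="1000000"></textarea></form>'
    for f in audit_response("http://example.test/search", 200, {"Content-Type": "text/html"}, sample_html):
        print("finding:", f)
    # Constructed sample: a GraphQL endpoint that answers introspection.
    sample_graphql = '{"data": {"__schema": {"types": []}}}'
    for f in audit_response("https://example.test/graphql", 200, {}, sample_graphql):
        print("finding:", f)
```

The remediation side of each finding is the mirror of the check: redirect HTTP to HTTPS at the edge (and add HSTS), keep maxlength values in line with what the server actually accepts, and disable introspection on production GraphQL endpoints.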

The complete list of fixes, updates, and RFEs in this release is listed here.

Changed in this release

The default scan templates have been upgraded. If your automation scripts use the upgraded templates, verify that they reflect the XPath modifications. For better scan coverage and results, use the latest templates.

Removed in this release

None

Upcoming changes

The following will be removed in a future release:

  • The CVSS attribute field on issues will be removed and replaced with a non-editable CVSS vector string.
  • Create Job using template from AppScan Source/AppScan Standard will be removed from the Scans tab. The results from AppScan Source/Standard can be imported using the Monitor tab.
  • The Web Services, The Vital Few, and Developer Essentials test policies will be removed as similar results can now be achieved using other policies. For information, see Predefined Test Policies.
  • The embedded Internet Explorer browser will be removed in a future version.
  • QRadar integration support.