Product changes when you upgrade from a previous version

Learn about changes that might affect your scans or report data when you upgrade from a previous version. Make sure that you read all the topics so that you understand the upgrade process.

Upgrading from 9.0.3
  • Custom error pages are no longer set globally; they are set only on the content scan job. On upgrade, each content scan job, *.scant job, and AppScan Dynamic Analysis Client scan moves the global custom error pages to the individual job.
  • Existing content scan jobs in the Folder Explorer view, including QuickScan jobs that are not created in the AppScan Dynamic Analysis Client, will have a new check box enabled on the Explore Options page that enables filtering of similar pages based on structure (DOM). If an existing content scan job:
    • had a redundant path limit set to 5, that option is disabled and DOM-based filtering is turned on
    • had a redundant path limit set to a different value, that option is kept enabled and DOM-based filtering is not turned on
    • had a similar content limit set to 5, with HTML structure enabled, that option is turned off and DOM-based filtering is turned on
    • had a similar content limit set to a different value, or it compares Text and HTML structure, that option is kept enabled and DOM-based filtering is not turned on
  • Issue types are changed periodically in the security rules. If you have a scan with old issue types that no longer exist after a security rules update, the issues with those issue types will disappear after the update, and new issues will be found with the new issue types. Those issues will have to be triaged again.
Upgrading from
  • On the Restore AppScan Server Settings screen of the configuration wizard, an additional option has been added that preserves custom scanner *.jar files that might have been added to the <install-dir>\HCL\AppScan Enterprise\Liberty\usr\servers\<instance_name>\lib\scanners directory.
Upgrading from 9.0.2
  • In previous releases, imported issues were cumulative. In v9.0.2.1, you can remove issues that were previously found in an application but are not included in subsequent imports. In scanner profiles from v9.0.1, the Remove Orphaned Issues check box is disabled in v9.0.2.1 to respect previous behavior (can be overridden by clearing the check box).
  • When you add a new issue attribute name to a scanner profile, the Use Imported Values check box is enabled by default. Keep the Use Imported Values check box enabled if you want to update an existing issue attribute with values contained in the imported file. If you clear the check box, AppScan Enterprise will retain the value previously used. If you select the Unique check box, you cannot clear the Use Imported Values check box.
  • There were changes to the REST APIs.

Upgrading from 9.0.1

  • There is a New issue status. Upon upgrade, the New issue column is available for display in the Portfolio tab in the Monitor view. Formulas are updated to include issues with a New status. Upgrade does not affect the status of issues that were discovered in previous versions.
  • A new Dashboard tab displays the charts that were displayed in the Portfolio tab in v9.0.1. The new dashboard includes trend charts for Security Risk Rating, Testing Status, Applications with Open Issues, and Open Issues.

    Possible naming conflicts between v9.0.1 application attribute customizations and new v9.0.2 dashboard trend charts

    The Open Issues and Applications with Open Issues charts rely on a new application attribute called "Open Issues" that is defined as a formula. However, if you previously created an application attribute called "Open Issues" of any type other than formula, the upgrade does not attempt to resolve the conflict between your attribute and the one that version 9.0.2 needs for the new charts.

    The new charts will not display as intended after upgrade, and you must resolve this problem manually. Rename your "Open Issues" attribute to something else if you want to preserve its values. Update all formulas where you referenced your "Open Issues" attribute to reflect the new name. Then, rerun the configuration wizard to create the "Open Issues" formula attribute that the new charts require.

  • A new approach to create scans consistent with AppScan Standard, for both the security team who creates the templates and for the developers who create the scans. See Overview of scan configuration differences in v9.0.2 and higher and in previous versions.
    • The new method is accessed from both the Monitor and Scans views.
    • Existing scan templates from v9.0.1.1 are kept after upgrade, and the old method of QuickScan template creation still exists.
    • To take advantage of this new method, during upgrade you must run the Default Settings Wizard after the Configuration Wizard to install the templates for v9.0.2.
    • To avoid any template name conflicts in the Templates directory in the Folder Explorer, (v9.0.2) is appended to the template name.
    • If you install a new instance of AppScan Enterprise, you can still access the templates from v9.0.1.1. When you create a new content scan or template from the Scans view, select Create using previously saved settings file and go to <install-dir>\AppScan Enterprise\Initializations\ASE\DefaultTemplates\Job\Version to select the *.xml file.
  • The embedded version of Liberty is now v8.5.5.4. During configuration, you can choose to restore previous AppScan Server customized settings on the Liberty Server. See Restore AppScan Server settings.

For further details on what's new and changed since v9.0.1.1, read this whitepaper.

Upgrading from 9.0

  • AppScan Enterprise v9.0.1 includes an architecture redesign to reduce the installation footprint and to remove IBM Rational Jazz Team Server (Jazz Team Server) as the user authentication component. With the removal of Jazz Team Server, the Apache Tomcat and WebSphere Application Server deployment servers are no longer supported in v9.0.1. They are replaced with IBM WebSphere Application Server Liberty Core v8.5.5.2. See Replacing Jazz Team Server with WebSphere Liberty - Frequently asked questions.
  • For new instances of v9.0.1, the risk rating formula has changed. If you are upgrading from v9.0, the risk rating formula remains the same, and your risk ratings remain consistent. However, you can use the new formula IF(businessimpact = 0, 0, IF(testingstatus > 0, 0, businessimpact * rr_maxseverity)) by replacing the old formula in the application profile template in AppScan Enterprise.
  • Issue management through application view: In v9.0, issue management privileges were set on the folder that contained a scan. In v9.0.1, issue management is set on the application. Upon upgrade from 9.0, if a scan is already associated with an application, users who used to have issue management privileges on the folder now have basic permissions on the application so they can continue managing these issues. This can give them access to scans they were previously not allowed to access. For example:
    • v9.0: Folder A (Bob has an Issue Manager role) contains Scan X and Scan Y. Folder B (Mary has an Issue Manager role) contains Scan A and Scan B.
    • v9.0.1: Application 1 is associated with these scan jobs: Scan X and Scan B.
    • Result: Mary now has basic access permissions to Scan B so that she can continue to do her job, but she also has access to Scan X, which she didn't have in v9.0.
    To restrict a user's permissions to managing issues on specific applications, remove them from the Basic Access on the applications they are not allowed to access. In the example above, remove Mary's Basic Access permissions on Scan X. To find the application that contains Scan X, go to the Scans view and flatten the hierarchy to show only jobs. Find Scan X and click the link for the application name it is associated with. On the Application tab, click View details and in the Users section of the dialog, remove Mary's Basic Access permissions.
Upgrading from 8.8
  • Server Groups are no longer defined by URLs. Any existing URL definitions will be removed from existing Server Groups. Check the WFCfgWiz.log for details.
  • HTTPS has replaced HTTP as the scheme required for login and REST Services.
  • Some reports have been removed because they no longer fit the product direction. Read the Deprecated features topic.
Upgrading from 8.7
  • Common scan engine between AppScan Standard and AppScan Enterprise: A new common scan engine provides a more standardized scan job option configuration. As such, some reports are no longer available in AppScan Enterprise:
    • Correlated Security Issues (AppScan DE) report
    • Image Catalog report
    • Metadata Catalog report
    • Missing Alt Text report
    • Missing Titles report
    • Multimedia Content report
    • Server Side Image Maps report
    • Third Party Links report
    • Web Applications report
    • Web Beacons report
    • Website Technologies report
  • Load balancing option removed: Load balancing on starting URLs and domains is no longer available with the new standardized scan job option configuration. Upon upgrade, jobs that had load balancing set will use the new common engine to run without the load balancing option.
  • User licensing: The service account license type has been removed. Upon database upgrade, the Configuration Wizard will set the service account license type to the same license type as the Default User (one of floating user scanning, floating user reporting, authorized user scanning, or authorized user reporting).
  • Enabling FIPS 140-2 compliance on the Enterprise Console: Name and behavioral changes to incorporate NIST compliance have been made to the General Settings page where this is enabled on the Administration tab. The "Enable enhanced security" check box has been renamed "Disable Manual Explorer Plugin", and upon upgrade, the check box keeps the value it had before upgrade. If you were FIPS compliant, then this check box remains selected; otherwise, it remains cleared. If your organization is a US federal agency and must comply with FIPS 140-2 or NIST SP800-131a, enable the check box to make the Enterprise Console compliant with those security standards.
  • Case-sensitivity has moved from the domain to the job level. Set it on the job's What to Scan page.
  • Deprecated reports: The OWASP Top 10 2010 report has been replaced with the 2013 version in v8.8. However, if you have report packs and dashboards that used the 2010 report, the data will not be lost. New instances of AppScan Enterprise 8.8 will only use the 2013 report.
  • Login attempts algorithm changes: Prior to version 8.8, the scan would attempt to log in three times before suspending. Now the scan attempts for 90 seconds before suspending.
Upgrading from 8.6
Note: Upgrading to 8.7 includes a one-time database optimization step that requires additional time and could extend the overall upgrade process.
  • The previously used method for protecting data 'at rest' (physical media) has been deprecated and will be removed as part of the upgrade process. Read Data protection through encryption before you begin upgrading.
  • Additional disk space is required during the upgrade process on the database server, roughly equal to the size of the existing AppScan Enterprise database. This space will be used temporarily during upgrade and returned after upgrade is completed.
  • Scans now use a local (embedded) database file, so it is important to allocate sufficient disk space on Agent Server machines. For more information about how the local database file works during scanning, see the Dynamic Analysis Scanner section in the Installing all required components on one computer topic.
  • Enabling FIPS 140-2 compliance: Products that support FIPS 140-2 standards can be set into a mode where the product uses only FIPS 140-2 approved algorithms and methods.
  • Folder items that were in a suspended state before upgrade are in the "Ready" state after upgrade. An icon identifies these items so that you can decide whether further investigation or action is required.
  • XRule filters on report packs: XRule filters were removed from report packs. Any reports that contain XRules will contain more data after the report pack is rerun.
Upgrading from
  • Aligning default scan job options with AppScan Standard: Existing jobs and templates that were created in versions before 8.6 are not automatically updated to use job options that have new default values. Only new jobs and templates use the new default values.
  • Installer/config wizard workflow: During installation of v8.6, you can choose to install a brand new Jazz Team Server or use an existing one.
Upgrading from
  • User Licenses: During upgrade, the License Server is queried to determine which user license type you hold the most licenses for, and the license type of all users (excluding the Service Account and Product Administrator) is changed to that type. If you must change the license type for any of your users, go to Administration > Users and Groups and change them there.
  • Finding variants: When you import an assessment file from AppScan Source, if the findings differ only by the trace, AppScan Enterprise rolls up those findings into a single issue with multiple variants.
  • Changes to service account: Service account impersonation is no longer supported. Any jobs that use that service account will suspend. Edit the job properties with a valid username and password and rerun the job.

Upgrading from

Version 8.5 and 8.6 use the Rational License Server. It is critical that you read and understand Product and user licenses before you install the current version.