What's new

This section describes new product features and enhancements in this release, as well as deprecations and anticipated changes, where relevant.

New in HCL AppScan Standard version 10.0.5

  • How to fix:
    • New and improved Advisory and Fix Recommendation content for many issues, consolidated into the new How to Fix tab
    • New and detailed code-specific "How to Fix" content for many code languages
  • Non-standard headers: Can now be excluded from testing, like parameters and cookies (Configuration dialog box > Parameters and Cookies tab)
  • Compliance report upgrade: DISA STIG V5R1
  • Security testing:
    • Improved XSS analysis through browser-based validation for some rules
    • New application tests:
      • Referrer policy – Detect a misconfigured or insecure Referrer-Policy header (one that leaks full URLs to cross-origin destinations)
      • Host header injection – Test whether the application uses the request's Host header value dynamically (for example in generated links or redirect targets)
      • CORS arbitrary origin – Test whether the CORS policy reflects an arbitrary Origin header value in Access-Control-Allow-Origin
    • New infrastructure tests:
      • CVE-2020-5398 - Detect Reflected File Download on Spring Framework
      • CVE-2020-7246 - Remote Command Execution on qdPM
      • CVE-2020-9006 - Popup Builder WordPress plugin SQL injection
      • CVE-2020-11022/11023 - Detect XSS in jQuery before version 3.5.0
      • CVE-2020-17530 - Apache Struts 2 forced OGNL double evaluation (S2-061)
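The three new application tests above are black-box checks: send a request that carries an attacker-controlled header and look at how the response is built. The following is an added example written for this page, not HCL AppScan's own test code, showing one way to implement each check. It drives a `send(method, path, headers)` callable so that an in-process fake server (the constructed `vulnerable_app` and `hardened_app` below; `attacker.example`, `shop.example` and `app.example` are made-up names) stands in for the target and the probes run offline.

```python
"""Added example (not AppScan's code): offline versions of the referrer-policy,
CORS-arbitrary-origin and Host-header-injection checks, run against two
constructed fake servers.  All host and origin names are made up."""

from dataclasses import dataclass

ATTACKER_ORIGIN = "https://attacker.example"   # constructed attacker origin
ATTACKER_HOST = "attacker.example"


@dataclass
class Response:
    status: int
    headers: dict
    body: str = ""

    def header(self, name):
        """Case-insensitive lookup: header names are not case-sensitive in HTTP."""
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


# Policy tokens browsers recognise.  The LEAKY ones send the full URL
# (path and query) to cross-origin destinations.
SAFE_REFERRER = {"no-referrer", "same-origin", "origin", "strict-origin",
                 "strict-origin-when-cross-origin", "origin-when-cross-origin"}
LEAKY_REFERRER = {"unsafe-url", "no-referrer-when-downgrade"}
KNOWN_REFERRER = SAFE_REFERRER | LEAKY_REFERRER


def check_referrer_policy(resp):
    """None if safe, else a finding.  The header may be a comma-separated
    fallback list; the last token the browser recognises is the effective one."""
    raw = resp.header("Referrer-Policy")
    if raw is None:
        return "Referrer-Policy header missing"
    tokens = [t.strip().lower() for t in raw.split(",") if t.strip()]
    effective = next((t for t in reversed(tokens) if t in KNOWN_REFERRER), None)
    if effective is None:
        return f"Referrer-Policy has no recognised value: {raw!r}"
    if effective in LEAKY_REFERRER:
        return f"Referrer-Policy {effective!r} leaks full URLs cross-origin"
    return None


def check_cors(send, path="/api/me"):
    """Send an arbitrary Origin and see whether the allow-origin is built from it."""
    resp = send("GET", path, {"Origin": ATTACKER_ORIGIN})
    acao = resp.header("Access-Control-Allow-Origin")
    creds = (resp.header("Access-Control-Allow-Credentials") or "").lower() == "true"
    if acao == ATTACKER_ORIGIN:   # reflection: any site can read the response
        return ("high: Origin reflected in Access-Control-Allow-Origin with credentials"
                if creds else "medium: Origin reflected in Access-Control-Allow-Origin")
    if acao == "*" and creds:     # browsers reject this pair, but the intent is wrong
        return "low: wildcard Allow-Origin combined with Allow-Credentials"
    return None


def check_host_header(send, path="/login"):
    """Replace Host (and X-Forwarded-Host) with an attacker value and look for it
    in the redirect target or body, where it would poison links or caches."""
    for hdr in ("Host", "X-Forwarded-Host"):
        resp = send("GET", path, {hdr: ATTACKER_HOST})
        loc = resp.header("Location") or ""
        if ATTACKER_HOST in loc:
            return f"{hdr} value used in Location redirect: {loc}"
        if ATTACKER_HOST in resp.body:
            return f"{hdr} value reflected in response body"
    return None


def vulnerable_app(method, path, headers):
    """Constructed target that trusts request headers: echoes Origin, builds URLs from Host."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "shop.example")
    out = {"Referrer-Policy": "unsafe-url"}
    if "Origin" in headers:
        out["Access-Control-Allow-Origin"] = headers["Origin"]   # the bug
        out["Access-Control-Allow-Credentials"] = "true"
    if path == "/login":
        return Response(302, {**out, "Location": f"https://{host}/account"})
    return Response(200, out, body=f'<a href="https://{host}/reset">reset</a>')


ALLOWED_ORIGINS = {"https://app.example"}   # constructed allow-list
CANONICAL_HOST = "shop.example"


def hardened_app(method, path, headers):
    """Constructed target: allow-listed origins, pinned canonical host, strict policy."""
    out = {"Referrer-Policy": "strict-origin-when-cross-origin", "Vary": "Origin"}
    if headers.get("Origin") in ALLOWED_ORIGINS:
        out["Access-Control-Allow-Origin"] = headers["Origin"]
        out["Access-Control-Allow-Credentials"] = "true"
    if path == "/login":
        return Response(302, {**out, "Location": f"https://{CANONICAL_HOST}/account"})
    return Response(200, out, body=f'<a href="https://{CANONICAL_HOST}/reset">reset</a>')


def scan(send):
    """Run all three probes against one target; returns {check: finding or None}."""
    return {"referrer_policy": check_referrer_policy(send("GET", "/", {})),
            "cors": check_cors(send),
            "host_header": check_host_header(send)}


if __name__ == "__main__":
    for name, app in (("vulnerable", vulnerable_app), ("hardened", hardened_app)):
        print(name, scan(app))
```

Against a live target, `send` would wrap an HTTP client and set the raw `Host` header explicitly; the rest of the logic is unchanged. Note that the CORS probe grades reflection with `Access-Control-Allow-Credentials: true` higher than reflection alone, since only the former lets an arbitrary origin read authenticated responses, and that `Vary: Origin` on the hardened server keeps a shared cache from serving one origin's allow-origin header to another.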

Fixes and security updates

  • Fixes and security updates are listed here.

Removed in this release

  • Malware detection
  • X-Force categorization in Advisories and Issue Details
  • .NET, J2EE, and PHP-specific information is no longer included in reports, but new code-specific information for many languages, including these three, is available in the UI
  • Ability to edit Advisories and Fix Recommendations

Upcoming changes

  • XML report format will change in the next release
  • The following will be removed in a future release:
    • Scan Expert
    • These test policies: Web Services, The Vital Few, Developer Essentials; similar results can now be achieved using other policies (see FAQ)
    • Tasks view