What's new

This section describes new AppScan Standard product features and enhancements in this release, as well as deprecations and anticipated changes, where relevant.

New in HCL AppScan Standard 10.2.0

  • Issue severity and CVSS scoring are now based on CVSS version 3.1. Scans run using 2.0 scoring can either have 3.1 scoring applied (this may change some issue scores and severities) or be viewed as they are.
    Note: Due to the change in CVSS version, when importing from or exporting to AppScan Enterprise, be sure that AppScan Enterprise is updated to version 10.2.0 so the integration works as expected.
  • A new Critical severity level for security issues has been added, in line with CVSS 3.1.
  • The previous Configuration dialog box has been revamped, reorganized, and integrated as a native view in the main user interface.
  • Web API scanning is now configured through the new Configuration view (see API).
  • The scan wizards have been replaced with Presets in the new Configuration view, showing you the essential options for fast setup.
  • Incremental scans are now available from the File menu (File > New > Incremental scan).
  • Updated regulatory compliance report template: [US] California Consumer Privacy Act (CCPA) - AB-375.

Fixes and security updates

New security rules in this release include:
  • MaxLengthVuln - Search for "maxlength" attributes with a very large constraint
  • LeakedSecretTokens - Search for secret tokens in the response
  • attNoHttpsRedirection - Check for HTTPS redirection when HTTP scheme is used
  • attText4Shell - Added new rule for Text4Shell Vulnerability (CVE-2022-42889)
  • attGraphqlIntrospectionMutation - Check if introspection is enabled in GraphQL API

For a complete list of fixes, security rule updates, and RFEs in this release, see the AppScan Standard Fix List.

Changed in this release

  • The option to use an external Internet Explorer browser has been removed in this version, as IE is no longer supported by Microsoft.
  • Scan data that is exported as XML, and relevant reports, now indicate which CVSS version was used to score issue severity, and the full CVSS vector string.
  • In Configuration view, Test policy and Test optimization have been combined into a single panel.
  • The ability to switch to the old user interface has been removed.
  • Configuration changes now take effect immediately, without the need to click OK.

Upcoming changes

The following will be removed in a future release:
  • The embedded Internet Explorer browser.
  • The Web Services, The Vital Few, and Developer Essentials test policies, as similar results can now be achieved using other policies.
  • The ability to export scan results as XML for versions of AppScan Enterprise earlier than 9.0.3.1.