Recent updates

Discover upcoming and recently added features.

New on July 1, 2019

Important: NEW DOMAIN AND PRODUCT NAME
"IBM Application Security on Cloud" has moved to a new location: https://cloud.appscan.com, and is now called "HCL AppScan on Cloud."
  • The new domain uses a different IP: 108.168.255.173, so verify that you can access it. If your organization blocks unknown IPs, make sure that the new IP is whitelisted.
  • If you use ASoC REST API in your tools or scripts, you must change the domain of all API calls from appscan.ibmcloud.com to cloud.appscan.com.
  • We have released new versions of all tools and DevOps plugins used with ASoC, and these are set to use the new domain. If you use ASoC through one of the tools or plugins, please update to the latest version to implement this change.
The change includes the following updates:
  • New Create Scan dialog box, and improved Create Scan flow.
  • New Create Presence dialog box, improved Create Presence flow, and improved AppScan Presences view.
  • New Add Users dialog box and improved Add Users flow.
  • Updated Application > Scan History view, and Scans view.
  • Option to delete all the Issues found in a scan when deleting the scan itself, if your role permits this. Issues found also in other scans are not deleted.
  • The scan configuration file for a DAST scan (.scan) can now be downloaded after the scan completes, to review and configure using AppScan Standard. The file is available to download for 60 days after the scan.
  • Scan Optimization for DAST scans is available, and active by default.
  • Settings > Domain Verification can now be performed before you start a scan.
  • API: API/V2/Account/IBMIdLogin was deprecated on June 17th and has now been removed. Please use API/V2/Account/ApiKeyLogin instead.
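A pre-migration audit for the two API changes above (the domain move and the removal of API/V2/Account/IBMIdLogin), as an added example that is not part of the original page or of any ASoC tooling. The sample script text is constructed and the function names are hypothetical.

```python
import re

OLD_HOST = "appscan.ibmcloud.com"
NEW_HOST = "cloud.appscan.com"

# Match the old host only as a whole hostname: not as a suffix of another
# name (x.appscan.ibmcloud.com) or a prefix of one (appscan.ibmcloud.com.example.net).
_OLD_HOST_RE = re.compile(r"(?<![\w.-])" + re.escape(OLD_HOST) + r"(?!\.?[\w-])", re.I)
# Match the removed login call even when the base URL lives in a separate variable.
_REMOVED_LOGIN_RE = re.compile(r"\bAccount/IBMIdLogin\b", re.I)

# Constructed sample of a script that calls the ASoC REST API.
SAMPLE_SCRIPT = """\
BASE=https://appscan.ibmcloud.com/API/V2
curl -s "$BASE/Account/IBMIdLogin" -d @creds.json
curl -s https://APPSCAN.IBMCLOUD.COM/API/V2/Account/IBMIdLogin -d @creds.json
curl -s https://cloud.appscan.com/API/V2/Account/ApiKeyLogin -d @key.json
curl -s https://appscan.ibmcloud.com.example.net/health
"""


def audit(text):
    """Return (line_no, kind, line) findings for the old host and the removed login call."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if _OLD_HOST_RE.search(line):
            findings.append((no, "old-host", line.strip()))
        if _REMOVED_LOGIN_RE.search(line):
            findings.append((no, "removed-login", line.strip()))
    return findings


def migrate_host(text):
    """Rewrite only the host; login calls are reported, not rewritten, for manual change."""
    return _OLD_HOST_RE.sub(NEW_HOST, text)


if __name__ == "__main__":
    for no, kind, line in audit(SAMPLE_SCRIPT):
        print(f"{no}: {kind}: {line}")
    print(migrate_host(SAMPLE_SCRIPT))
```

The login call is only reported because moving to ApiKeyLogin is a change of endpoint, not of host, and the page does not describe its request format.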

New on June 17, 2019

  • Improved report generation: Static Analysis HTML reports for large scans are generated up to five times faster.
  • API change: API/V2/Account/IBMIdLogin is deprecated and will be removed in the next two weeks. Please use API/V2/Account/ApiKeyLogin instead.
  • ASoC Issue ID (as shown in the UI) is now included in all reports (XML, HTML, PDF).
    Note: (XML Reports only) The <issue><item id>, an additional ID that appears in XML reports only, is not the same as the <asoc-issue-id> referred to here.
  • General improvements and bug fixes.

New on June 13, 2019

  • General bug fixes.

New on May 22, 2019

  • New language support for Perl, PL/SQL, and TSQL.
  • Apex support for the Visual Studio framework.
  • Command line interface (CLI) "dry run" option to check for validation issues prior to a full scan.
  • Support for WebLogic as a JSP compiler.
  • New Java staging capability: a new, faster method for determining which files to scan within Java projects offers more comprehensive analysis of user code.

    The new Java stager process allows for more intelligent handling of Java projects to determine which files will be analyzed and which files will be treated as dependencies. Rather than a time-consuming process of unzipping all war files, jar files, sub jar files and so on, and saving all the uncompressed files to disk before determining which files to analyze, the stager process employs a surgical approach to evaluating the Java project.

    Using the new Java stager process, examination of ear, war, jar, and jar of jar files is substantially faster than the previous process. War files with jar files in the lib are processed more completely, but may exhibit a slower IR time as a result. The findings, however, are more complete, because the process better identifies user code in jar file or class file form anywhere within the war file.
    • Findings

      Using the new Java stager process on projects that were previously analyzed may produce similar findings that appear new, as well as actual new findings given the more comprehensive analysis of war files.

    • Logging

      In addition to more robust handling of Java projects, the new stager process generates additional logging. This logging lists currently analyzed Java packages and can be useful in discovering missing Java exclusion entries.

    The logging option:
    -DSTAGE_INFO=true
    For example:
    D:\apps\app\appscan prepare -n app -DSTAGE_INFO=true
    Discovering targets...
    Target added: app
    Validating...
    Staging D:\apps\app\app.jar
    Evaluating Entry: app.jar.files/lib/tomcat-coyote-7.0.12.jar
    Java Packages To Be Analyzed For app:
            com.app.java.test
    No problems found during validation.
    Generating IRX file...
    IRX file generation successful.
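
Reading that logging programmatically, as an added example (not part of the original page or of the AppScan tooling): the parser below extracts the "Java Packages To Be Analyzed" list from -DSTAGE_INFO=true output and flags packages outside your own namespaces as candidates for exclusion entries. The two org.apache.* lines in the sample and the first-party prefix list are constructed assumptions.

```python
import re

# Constructed sample: the -DSTAGE_INFO=true output shown above, plus two
# package lines (org.apache.*) added for illustration.
SAMPLE_LOG = """\
Validating...
Staging D:\\apps\\app\\app.jar
Evaluating Entry: app.jar.files/lib/tomcat-coyote-7.0.12.jar
Java Packages To Be Analyzed For app:
        com.app.java.test
        org.apache.coyote
        org.apache.tomcat.util
No problems found during validation.
Generating IRX file...
"""

HEADER = re.compile(r"^(?P<indent>\s*)Java Packages To Be Analyzed For (?P<target>.+?):\s*$")
PACKAGE = re.compile(r"^(?P<indent>\s+)(?P<pkg>[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*)\s*$")


def parse_staged_packages(log_text):
    """Return {target: [package, ...]} parsed from STAGE_INFO output."""
    staged, current, base = {}, None, 0
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:
            current = staged.setdefault(header["target"], [])
            base = len(header["indent"])
            continue
        pkg = PACKAGE.match(line)
        # A package line is indented deeper than its header; anything else ends the list.
        if current is not None and pkg and len(pkg["indent"]) > base:
            current.append(pkg["pkg"])
        else:
            current = None
    return staged


def exclusion_candidates(staged, first_party_prefixes):
    """Per target, staged packages outside the caller's own namespaces."""
    def first_party(pkg):
        return any(pkg == p or pkg.startswith(p + ".") for p in first_party_prefixes)
    return {t: [p for p in pkgs if not first_party(p)] for t, pkgs in staged.items()}


if __name__ == "__main__":
    print(exclusion_candidates(parse_staged_packages(SAMPLE_LOG), ["com.app"]))
```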

New on May 14, 2019

  • System Requirements: A new IP address has been added to the list of IP ranges used. These must not be blocked by your firewall.

New on May 6, 2019

  • General updates and bug fixes.

New on April 10, 2019

  • APEX support
  • Visual Studio 2019 plugin and CLI support
  • JSP compile arguments can be used in appscan-config.xml.

New on April 2, 2019

  • Test Optimization
    • This new feature for DAST scans (active by default, and controlled during scan setup) speeds up scanning for those occasions when fast results are more important to you than a thorough, in-depth scan. See Test Optimization.
    • The General Information section of DAST scan reports now indicates whether or not the scan was Optimized.

New on March 28, 2019

  • System Requirements: A new IP address has been added to the list of IP ranges used. These must not be blocked by your firewall.

New on March 18, 2019

  • New Testing Status behavior (see Application Attributes):
    • When you Create a Scan, Testing Status for the application changes to "In Progress".
    • When you Reset an application (UI: Edit > Reset > Delete all… | API: Apps/Reset/Delete Issues), the application's Testing Status changes to "Not Started".
  • New API options:
    • Filters added to GET Presences API function, for example:
      GET: ..Presences/?$select=PresenceName%2C%20Id
      returns a list of all Presences and their IDs
    • Download a DAST Scan file using:
      GET ..Scans/DynamicAnalyzerScanFile/{executionId}
  • The XML Scan Report is back. To align it with AppScan Enterprise there have been changes to its content and structure, including the order of some of the main sections. The changes are detailed in technote:
    http://www.ibm.com/support/docview.wss?uid=ibm10876392
  • If a scan reveals more than 20,000 issues, ASoC now selects 20,000 representative issues, and includes only them in the Scan Results.

New on March 6, 2019

  • In Users and Roles view, the new Export User List button lets you download the list of users to your machine, as a CSV file.
  • ColdFusion support.
  • Expanded Azure DevOps (VSTS) and Team Foundation Server (TFS) support.
  • Improved include/exclude behavior for SAST scans using appscan-config.xml.

New on February 26, 2019

  • General updates and bug fixes.

New on February 20, 2019

  • Open Source Report now includes Library Version for relevant entries.
  • Personal Scans: It is now possible to create Users with permission to create Personal Scans only (not regular scans).

New on February 14, 2019

  • SAST bug fixes.

New on February 13, 2019

New on February 6, 2019

  • User Management: When creating or editing User Roles (User Management > Users & Roles > Add/Edit Role), Admins can now enable them to "View Users and Roles" without giving them Edit permissions. This gives view-only access to the User Management views.

New on January 24, 2019

  • Regulatory Compliance Reports: Two new reports are now available:
    • Payment Application Data Security Standard
    • US DISA’s Application Security and Development STIG. V4R3
Note: Two additional IP ranges will be added to System Requirements as of January 29, 2019. Please make sure they are not blocked by your firewall.

New on January 16, 2019

  • JavaScript scanner enhancements.

    Enhancements include performance improvements, automatic exclusion of third-party files, improved rules analysis, and bug fixes.

New on January 15, 2019

  • Industry Standard Reports: Four new reports are now available:
    • International Standard - ISO 27001
    • International Standard - ISO 27002
    • NIST Special Publication 800-53
    • WASC Threat Classification v2.0
  • Regulatory Compliance Reports: Four new reports are now available:
    • CANADA Freedom of Information and Protection of Privacy Act (FIPPA)
    • US Electronic Funds and Transfer Act (EFTA)
    • US Federal Information Security Mgmt. Act (FISMA)
    • US Sarbanes-Oxley Act (SOX)
  • Sample Reports: The sample reports have all been updated, and a new Open Source License sample report has been added.
  • Static Analysis Report: The bug causing Fix Groups to be omitted from Static Analysis reports has been fixed.

New on January 10, 2019

New on January 8, 2019

  • Private site scanning:
    • You can now run the AppScan Presence as a service on Linux OS as well as Windows.
    • In Windows OS the AppScan Presence is now started with EXE files.
    See Creating the AppScan Presence for details.
  • Industry Standard and Regulatory Compliance Reports can now be run for individual scans, from the Scan Reports dialog box.
  • Application Reports are now run from a dialog that opens from the Application Report button at the top of the screen. The options are unchanged.