Scan release notes

Added a --timeout CLI option that lets you control the maximum time the multi-language source code scan engine scans the specified source code.

The value for this option is a specified number of minutes. This option applies to each language. For example, if you set the value of this option to 120 minutes and your repo contains four languages, potentially, the scan can take up to eight hours (120 minutes x 4 languages).

This feature is only available for the Contrast local scan engine only.

Added support for file and folder exclusions.

To use this feature, add a file named .contrast-scan.json to the root folder of the source code you are going to scan. Exclude files and folders describes how to use this feature.

This feature is only available for the Contrast local scan engine and is only supported for multi-language source code scans.

The file format for the JSON file is:

// File name  ".contrast-scan.json"
{
  "excludes": [
    "**/MavenWrapperDownloader.java",
    "**/*.js"
  ]
}

Scans automatically fail if the multi-language source code scan engine doesn't find any technologies in the submitted code.

Fixed a bug that could cause a race condition, resulting in slow performance.

Fixed a bug that caused incorrect date formats to be generated in the SARIF output. The incorrect formats caused which caused errors when using the SARIF output in Github.

Added support for scanning in the repo for Github customers.

Starting with 1.0.8, Scan supports a new Github action that supports main branch scanning in a Github repo. This feature supports failing builds based on the presence of a specified vulnerability severity (or higher). Learn more at Use Contrast Scan with GitHub repositories.

Increased the minimum memory requirement for the multi-language scan engine to 8 GB and the timeout setting to 60 minutes.  This does not replace the minimum memory requirement of 12 GB when scanning .JAR and .WAR files using the Java binary scanner.  We continue to recommend that all users of the local scan engine should ensure that 12 GB of memory is available when running scans.

Addressed a number of issues that prevented some languages from being correctly identified by the multi-language source code scan engine when scanned by the local scan engine. All languages identified by the mult- language source code scan engine should now correctly identify and be scanned.

Increased the memory that the multi-language source code scan engine uses to 2G to better support larger code bases. The minimum memory requirement when using the local scan engine is still 12GB.

Added a --memory parameter to the CLI that you can use to override the allocated memory for the multi-language source code scan engine.

Added additional logging to capture the parameters used when invoking the local scan engine. This logging captures the entire invocation command for the local scan engine (for example, -r, -p and so forth) for use when troubleshooting errors.

Addressed an issue when scanning .NET applications that resulted in source code being  incorrectly identified

Addressed an issue that caused the multi-language scan engine to ignore ABAP code when presented in a code artifact

Fixed a bug that prevented VB.NET and Scala source code from being correctly identified and scanned by the multi-language engine.

Fixed an issue in role-based access control authentication that could trigger a 403 error when you try to assign a project to an empty resource group or when a user has access to multiple resource groups and they do not specify one.

If role-based access control is turned on, the -r <ResourceGroupName> option in the Contrast CLI is now mandatory when you create a scan project.

The Contrast local scan engine now supports the ability to scan source code for over 25 languages. For a complete list of supported languages, see Contrast Scan supported languages.

The local scan engine can now run natively under Windows environments running a suitable JVM.

Fixed an issue where using spaces in the path for an artifact to be scanned caused a fatal scan error.

Removed an unneeded log from the local scan engine, reducing overall disk space utilization when scanning Java binary files (JAR or WAR files).

Fixed an issue that caused the local scan engine to fail when running under Alpine Linux.

Fixed a bug that prevented the local scanner from reporting all vulnerabilities found across multiple JAR files. Only the last JAR file scanned in the ZIP file was reported.

MD5 checksum: f57f9174d0643832f9e38b95998fe280

SHA checksum: 8b2f5680111c5a4e5999a3449ee871bb822d27f6

Added the ability to specify a resource group as a parameter in the local scan engine when you scan a project for the first time.

To use this feature, your organization must have role-based access control enabled and you require sufficient permissions to create a new project (Manage Project Role or higher).

Specify the resource group name using the -r parameter.

MD5 checksum: 0fa38c5c9e46e3b2c6bdb2d2ed3baa20

SHA checksum: 76fe00f7d70d45176904a2b62a9d1083f0731a03

Support for multi-JAR scanning

This release adds the ability to scan multiple JAR files as one artifact. You can add multiple JAR files to a ZIP file and scan it as a single artifact.

To scan a multi-JAR ZIP file, package the JAR files at the top level in a ZIP file and scan it using the Scan local engine, as normal. For example:

multiple-jar-artifact.zip 
-> artifact1.jar 
-> artifact2.jar 
-> artifact3.jar

Once completed, the Contrast web interface displays the scan as a single project under the Scans tab.

Enhanced the CSV report to include code snippets for each vulnerability.

Changed the CSV report so that you can see the file name and line number from the path for each vulnerability.

Changed the CSV report to exclude vulnerabilities with a Remediated and Not a problem status.

Added the ability to supply a filter to the API call when generating a CSV report programmatically.

Added pagination to the API when generating a CSV report so it can exceed the 5,000 line limit.

Improved the Scan architecture to allow scanning of larger source code repos and faster processing of a large amount of findings.

Fixed a bug that could cause a race condition, resulting in slow performance in the Contrast web interface.

Fixed a bug in the Contrast web interface that resulted in an error when specifying an underscore (_) as part of a search parameter when searching projects.

Added a detected language column on the vulnerabilities tab for a scan project. This value identifies the language associated with the vulnerability.

On the vulnerabilities tab for a scan project, added the ability to filter the view by detected language.

This release includes an automated Jira integration supporting SAST.

When you configure this Jira integration, you can automatically push notifications about vulnerabilities to a Jira project. To configure this integration, specify a single Jira project and one or more severity levels. Learn more in Jira Cloud.

Support for multiple Jira projects is planned for a future release.

Addressed a number of issues preventing some languages from being correctly identified by the multi-language source code scan engine.

January 25, 2024

New and improved;

Bug fixes:

December 14, 2023

November 28, 2023

November 8, 2023

June 30, 2023

June 12, 2023

Added support for multi-JAR scanning in the Java binary scanner.

You can now include multiple JAR files in a single ZIP file when you use the hosted Java binary scanner (using the Contrast CLI or the Contrast web interface).

The maximum upload size limit for a ZIP file is 1 GB.

Added a vulnerability activity tab that shows information on status changes made to vulnerabilities within a project.

To view this tab, select the Vulnerabilities tab for selected scan project and then, select a specific vulnerability

Added the requirement to add comments when you change the status of a vulnerability in a project.

Added the ability to delete a project and all associated data in the Contrast web interface for users with a Manage all projects role.