Release news for hosted customers

The Release News is published monthly for hosted customers.

Contrast for hosted customers was released on June 17, 2025. For product-specific release information, see Scan release notes and Integration release notes.

New and improved

  • ANNOUNCING Contrast's Northstar Release. Contrast’s new user experience is the industry’s first platform to unite developers, security, and operations teams. Contrast’s enhanced workflow experience is essential for immediate threat detection, providing a real-time view of attacks and critical vulnerabilities, from development to production and how they relate to one another.

    At the core of the platform is the Contrast Graph, which powers its most advanced capabilities. The Graph builds a real-time Digital Twin of an organization’s application and API environment, mapping live attack paths, correlating runtime behavior, and exposing how vulnerabilities, threats, and assets are connected. This deep, dynamic context eliminates the guesswork that plagues traditional tools, enabling accurate and automated prioritization and remediation, so teams can focus on real risks and act with confidence.

    Contrast Northstar is currently only available to hosted customers and is only offered in English.

    This includes the following new features:

    • Contrast Northstar issue permissions managed through Access Control. This introduces granular access control for Northstar issues, allowing organizations to define specific permissions for viewing and managing incidents. New Manage Issues actions are available in custom roles, ensuring users can only interact with issues for applications they are authorized to view. (PROD-3402)

    • Optimized All Applications access for Contrast Northstar. This release optimizes data retrieval for users across all applications, particularly within Contrast Northstar. Previously, even with full access, the system would still process and filter by individual application IDs, leading to unnecessary lookups. Now, the system intelligently recognizes users with complete access, streamlining data fetching for Contrast Northstar issue and application list data and significantly improving performance. (PROD-3630)

  • ANNOUNCING Deployment Hub. Deployment Hub is your command center for getting up and running on day one. Assign and manage tasks across teams, get help with in-app videos and documentation, and manage progress. With step-by-step guidance, even complex environments can be set up quickly and confidently. (PROD-3062)

  • Security risks in Java applications using an R2DBC connector. This release improves the Java Agent's ability to detect and report SQL Injection vulnerabilities and other security risks in Java applications that use Spring Data, H2, MariaDB, PostgreSQL, MySQL, Oracle, or MS SQL Server through the R2DBC connector. Previously, the agent lacked support for this configuration, leading to false negatives. Now the agent reports these vulnerabilities for R2DBC-based data access, addressing reported customer issues and improving overall protection. (RFE-342, JAVA-8984)

  • Enhanced CVE scoring with CNA fallback. CVE scoring is improved by introducing a fallback mechanism that uses CNA (CVE Numbering Authority) scores when NVD (National Vulnerability Database) scores are unavailable. Users will now have timely vulnerability severity information, ensuring informed remediation decisions. Once NVD scores become available, they automatically override the CNA values for consistency. (PROD-3469, RFE-329)

  • Set minimum route coverage policy. Users can now set a policy for the percentage of route coverage and set which applications this minimum coverage policy applies to. Contrast will create a bug ticket for the developer when route coverage falls below the threshold to help users of Contrast improve their route coverage. (AS-6)

  • Route coverage download enhancement. This release enhances the route coverage download process by making it asynchronous. Previously, large downloads could cause 504 gateway timeout errors due to memory issues. Now, users can efficiently download route coverage for even the largest applications without interruption, with clear feedback and progress tracking for a smoother experience. (AS-4)
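The CNA-fallback rule described in the CVE scoring item above, worked through as an added example (this is not Contrast's code, and the record layout is a constructed, simplified shape rather than the real Contrast or NVD API). The `cna_metrics` entries borrow the CVE JSON 5.x `cvssV3_1` / `baseScore` layout; the `nvd_metrics` key and the CVE identifiers are invented for the example. The point it shows is that the severity carries its provenance, so a CNA-derived rating is visibly provisional and is replaced only once an NVD score appears on a later refresh:

```python
"""Severity-source resolution with CNA fallback and NVD override.

Added example (not Contrast's code). Models the rule from the release note:
use the CNA's CVSS score when NVD has not yet scored the CVE, and replace it
with the NVD score once one is published. Record layout is constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Severity:
    score: float   # CVSS v3.x base score, 0.0 to 10.0
    source: str    # "NVD" or "CNA": where the score came from

    @property
    def rating(self) -> str:
        return cvss_rating(self.score)


def cvss_rating(score: float) -> str:
    """CVSS v3.x qualitative severity rating scale."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def _base_score(metrics: list) -> Optional[float]:
    """Return the first CVSS v3.x base score in a list of metric objects.

    Each entry may carry a cvssV3_1 or cvssV3_0 block with a baseScore, as in
    CVE JSON 5.x records; anything else (e.g. a v2-only block) is skipped.
    """
    for metric in metrics:
        for key in ("cvssV3_1", "cvssV3_0"):
            block = metric.get(key)
            if block and "baseScore" in block:
                return float(block["baseScore"])
    return None


def resolve_severity(record: dict) -> Optional[Severity]:
    """NVD score if present, else CNA score, else no severity yet."""
    nvd = _base_score(record.get("nvd_metrics", []))
    if nvd is not None:
        return Severity(nvd, "NVD")
    cna = _base_score(record.get("cna_metrics", []))
    if cna is not None:
        return Severity(cna, "CNA")
    return None


def refresh(stored: Optional[Severity], record: dict) -> tuple[Optional[Severity], bool]:
    """Re-resolve on a feed refresh; returns (severity, changed).

    A CNA-derived severity is kept until the feed carries an NVD score, at
    which point the NVD value replaces it (the override in the release note).
    """
    fresh = resolve_severity(record)
    if fresh is None:
        return stored, False          # feed has nothing newer; keep what we had
    return fresh, fresh != stored


# Constructed records (CVE ids are placeholders, not real CVEs).
CNA_ONLY = {
    "id": "CVE-EXAMPLE-0001",
    "cna_metrics": [{"cvssV3_1": {"baseScore": 8.1, "baseSeverity": "HIGH"}}],
    "nvd_metrics": [],
}
NVD_PUBLISHED = {
    "id": "CVE-EXAMPLE-0001",
    "cna_metrics": CNA_ONLY["cna_metrics"],
    "nvd_metrics": [{"cvssV3_1": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}],
}
UNSCORED = {"id": "CVE-EXAMPLE-0002", "cna_metrics": [], "nvd_metrics": []}


if __name__ == "__main__":
    sev = resolve_severity(CNA_ONLY)
    print("day 0 :", sev, sev.rating)             # CNA 8.1, High
    sev, changed = refresh(sev, NVD_PUBLISHED)
    print("later :", sev, sev.rating, changed)    # NVD 9.8, Critical, True
    print("unscored:", resolve_severity(UNSCORED))  # None
```

In a triage pipeline the `source` field is what you would surface in the UI or export, so reviewers can tell a provisional CNA rating from a finalised NVD one and re-check prioritisation when the `changed` flag flips.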

Preview

  • Contrast AI SmartFix. SmartFix significantly reduces the time and effort developers spend on vulnerability remediation, allowing them to focus more on feature development. Leveraging Contrast's unique runtime context (including full data flow, stack traces, HTTP requests and more) and AI, SmartFix automatically generates fixes for critical and high-impact vulnerabilities identified by Contrast Assess. It integrates with your organization's approved, self-managed LLM to analyze code and create a pull request with the proposed fix in your GitHub repository, complete with optional security unit tests to validate the solution.

    Contrast AI SmartFix is a limited release feature for June and is available by request until general availability.

Bug fixes

  • SARIF output and GitHub Advanced Security. This release addresses issues with SARIF file generation, ensuring successful uploads to GitHub Advanced Security (GHAS) even when the underlying data may be incomplete. Previously, missing information caused errors during the upload process. Now, the system produces a more robust SARIF file, thereby improving compatibility and user experience with GHAS. (SCA-1867)

  • Libraries tab permissions. This release addresses an issue where the static libraries filter under the Libraries tab failed to correctly apply user permissions. Previously, users could inadvertently view all static SCA projects regardless of their assigned access rights. This fix ensures that the static libraries filter now properly enforces permissions, displaying only authorized projects to users. (SCA-1994)

Contrast for hosted customers was released on May 20, 2025. For product-specific release information, see Scan release notes and Integration release notes.

New and improved

  • CLI for .NET projects. Removed the requirement for the --legacy flag when running an audit against .NET projects. This will display results under the Projects tab rather than the Applications tab. (RFE-247)

  • (Correction) Application pacing algorithm enhancement. Contrast now provides an enhanced pacing algorithm to fine-tune the way Contrast performs strategic analysis of your code. These settings are available when Assess is enabled under Server configuration. Use the settings to select a pacing algorithm level that balances the pacing algorithm with application performance impact, based on the server environment. (AS-8)

  • Improved date range options. Enabled more date range options for the ATTR (Average Time To Remediate) graph. (AS-7)

Bug fixes

  • Fixed a defect so that sensitive data is masked consistently across the Overview, Details, and Request tabs. Previously, data was masked in only some of these tabs, and switching to another tab would show the unmasked values. (PHP-1207)

Deprecated feature

CodeSec EOL: Contrast's CodeSec offering will reach its end-of-life (EOL) on May 1, 2025. As of January 28, 2025, new users can no longer sign up for CodeSec. Existing CodeSec users will have access until the EOL date.

For any CodeSec users needing access beyond May 1:

  • Existing Contrast customers will continue to have access to the CLI by connecting to their instance. Customers will need to authenticate using their user credentials and can follow this documentation to do so.

  • Non-Contrast customers are encouraged to Try Contrast to explore our complete portfolio or contact a sales representative at info@contrastsecurity.com.

Contrast for hosted customers was released on April 15, 2025. For product-specific release information, see Scan release notes and Integration release notes.

New and improved

  • New logo: Contrast has updated the logo on the login page, logout page, error pages, and the banner for the Contrast web interface.

  • Enhanced route coverage monitoring with First Seen timestamp. We've added a First Seen column to the Route Coverage tab for applications to help identify when Contrast first sees a specific route. (PROD-3457)

  • Improved SARIF output. We've improved the format and content of the SARIF file that you can export with Assess (IAST) and SCA details. These improvements ensure better compatibility with VSCode integration and GitHub issues. (SCA-1953)

  • Improvements for Contrast Security Observability. We've improved the display and performance of the data in the Observability tab. (ADR-193)

Bug fixes

  • Fixed an issue that caused an interruption with a Jira connection following a maintenance window. (PROD-3513)

Contrast for hosted customers was released on March 18, 2025. For product-specific release information, see Scan release notes and Integration release notes.

New and improved

  • Incident management with ADR. New and improved features for ADR.

    • Attack event mapping to MITRE ATT&CK tactics. This enrichment provides defenders with greater visibility into threat actor activity. It can be combined with mappings from other elements of the security stack, like EDR or WAF, to improve precision and provide greater context during extended multi-stage attack campaigns. These mappings can also create detection coverage heat maps that identify threat detection gaps and inform future use case development. View the Attack events tab in Contrast, use filters, select the desired attack event, and then view the mapped MITRE tactics. This feature is available in SaaS deployments of ADR. (ADR-5)

    • Improved event prioritization with categorized severity definitions. Updated attack event severity levels enabling teams to prioritize triage and response efforts. This enhancement ensures critical events are addressed promptly and streamlines your security workflow. This feature is available in SaaS deployments of ADR. (ADR-4)

  • Improved Operator framework currency. We've updated the Agent Operator to be fully compatible with .NET 8. By leveraging the latest .NET framework, we minimize potential security vulnerabilities associated with outdated technologies. (PROD-3333)

  • More robust agent authentication with multiple user agent keys. We've added user key support for multiple users and teams within an application. This allows Organization Admins to create more precise, narrowly scoped keys for better access control. Additionally, it facilitates improved key rotation processes, ensuring that application downtime is eliminated. (PROD-3155)

  • Enhanced server monitoring with First Seen timestamp. We've added a First Seen column to the Servers tab in Contrast, to help identify server onboarding times and quickly detect anomalies. (PROD-3458)

  • Server SBOM generation and CycloneDX/SPDX format updates. The SBOM export has updated the CycloneDX format from version 1.4 to 1.6, and we have added support for SPDX 3.0. We also added the ability to generate SBOMs at the server level and the application level. (PROD-3356)

  • Contrast Security Observability now reports Security controls with detailed attributes (Java applications only). To provide a more complete picture of application behavior, we've added Security control as a new Action Type. This means that actions taken by security controls are now reported in the same format as other Observe mode action types. Each security control action includes the following attributes:

    • Type

    • API

    • Regex (if type regex)

    • Rules (“All Rules” or comma-delimited list of selected rules)

    • Name (if available)

      (PROD-2372)

  • Improved Helm Chart Deployment. To enhance security and deployment consistency, we've updated our Helm charts to adhere to namespace management best practices. We now recommend and support deploying to pre-existing, designated namespaces. (RFE-222)

  • Enhanced filtering option within the Vulnerabilities tab. We've added the ability to filter Vulnerabilities by the Protected in <environment> column. Now you can quickly see which vulnerabilities are being monitored, blocked, or not covered by Contrast ADR. (PROD-3359)

  • New feature to export attack event data. To support issue triage, we've added the ability to export attack event data. This allows you to download the attack event data to identify possible issues and share data if needed. (ADR-90)
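The ATT&CK tactic mapping in the ADR incident management item above is what makes a cross-source detection coverage heat map possible. The following is an added example of that aggregation (not Contrast's code or export format): it takes detection records from several sources, each already mapped to one or more ATT&CK Enterprise tactics, and reports per-tactic coverage by source, tactics covered by only one source, and tactics with no detection at all. The tactic IDs and names are the real ATT&CK Enterprise tactics; the `SAMPLE_DETECTIONS` records, their field names, sources and rule names are constructed for the example.

```python
"""Detection coverage heat map by MITRE ATT&CK tactic across sources.

Added example, not Contrast's code. Input records are constructed; the field
names (source, rule, tactics) are this example's own, not an ADR export schema.
"""
from collections import Counter

# ATT&CK Enterprise tactics in kill-chain order (IDs are ATT&CK's own).
ENTERPRISE_TACTICS = {
    "TA0043": "Reconnaissance",
    "TA0042": "Resource Development",
    "TA0001": "Initial Access",
    "TA0002": "Execution",
    "TA0003": "Persistence",
    "TA0004": "Privilege Escalation",
    "TA0005": "Defense Evasion",
    "TA0006": "Credential Access",
    "TA0007": "Discovery",
    "TA0008": "Lateral Movement",
    "TA0009": "Collection",
    "TA0011": "Command and Control",
    "TA0010": "Exfiltration",
    "TA0040": "Impact",
}

# Constructed detections: application-layer (ADR), WAF and EDR rules, each
# already mapped to the tactic(s) it evidences.
SAMPLE_DETECTIONS = [
    {"source": "ADR", "rule": "sql-injection",        "tactics": ["TA0001"]},
    {"source": "ADR", "rule": "command-injection",    "tactics": ["TA0002"]},
    {"source": "ADR", "rule": "path-traversal",       "tactics": ["TA0007"]},
    {"source": "WAF", "rule": "sqli-signature",       "tactics": ["TA0001"]},
    {"source": "WAF", "rule": "scanner-user-agent",   "tactics": ["TA0043"]},
    {"source": "EDR", "rule": "lsass-memory-read",    "tactics": ["TA0006"]},
    {"source": "EDR", "rule": "new-service-install",  "tactics": ["TA0003", "TA0004"]},
]


def coverage_by_tactic(detections) -> dict:
    """Map every tactic to a Counter of {source: number of detections}.

    Every known tactic is present, even with an empty Counter, so gaps are
    visible; an unknown tactic id is a mapping error and is rejected loudly.
    """
    coverage = {tid: Counter() for tid in ENTERPRISE_TACTICS}
    for det in detections:
        for tid in det["tactics"]:
            if tid not in ENTERPRISE_TACTICS:
                raise ValueError(f"unknown ATT&CK tactic {tid!r} in rule {det['rule']!r}")
            coverage[tid][det["source"]] += 1
    return coverage


def detection_gaps(detections) -> list:
    """Tactic ids with no detection from any source, in kill-chain order."""
    coverage = coverage_by_tactic(detections)
    return [tid for tid in ENTERPRISE_TACTICS if not coverage[tid]]


def single_source_tactics(detections) -> list:
    """Tactics seen by exactly one source: covered, but with no corroboration."""
    coverage = coverage_by_tactic(detections)
    return [tid for tid, by_src in coverage.items() if len(by_src) == 1]


def render_heat_map(detections) -> str:
    """Text heat map: one row per tactic, one column per source, gaps flagged."""
    coverage = coverage_by_tactic(detections)
    sources = sorted({det["source"] for det in detections})
    header = f"{'tactic':<8}{'name':<22}" + "".join(f"{s:>6}" for s in sources) + "  total"
    rows = [header]
    for tid, name in ENTERPRISE_TACTICS.items():
        counts = [coverage[tid].get(s, 0) for s in sources]
        total = sum(counts)
        flag = "  GAP" if total == 0 else ""
        rows.append(f"{tid:<8}{name:<22}" + "".join(f"{c:>6}" for c in counts) + f"{total:>7}{flag}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_heat_map(SAMPLE_DETECTIONS))
    print("gaps:", ", ".join(detection_gaps(SAMPLE_DETECTIONS)))
    print("single-source:", ", ".join(single_source_tactics(SAMPLE_DETECTIONS)))
```

Feeding the exported attack event data into `SAMPLE_DETECTIONS`'s place, alongside the EDR and WAF rule inventories, turns the heat map into the gap list the release note describes; the `GAP` rows are the candidate use cases for the next round of detection engineering.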

Contrast for hosted customers was released on February 20, 2025. For product-specific release information, see the Scan release notes and Integration release notes.

New and improved

  • CVE details: The improved CVE details screen now has key enhancements and helps you quickly understand the impact of CVEs on your organization. First Seen in Contrast provides insights into your exposure window, while the Organizational Impact highlights which applications and servers are affected. Key metrics like Severity, CVSS score, and EPSS help you understand the full scope of risk and prioritize remediation efforts. (PROD-2972)

  • Enhanced server cleanup: Contrast now offers enhanced server cleanup to remove historical routes associated with inactive servers. This is ideal for customers with ephemeral servers, in which each test run of a Contrast-instrumented application is used to represent a unique, point-in-time scan. For continuous instrumentation and long-running servers, route expiration remains the recommended approach. Enhanced server cleanup helps manage Assess results by simultaneously cleaning up outdated servers, routes, and vulnerabilities. (PROD-3060)

  • Automatically set arbitrary session metadata via Fingerprinting: Contrast will track and report unique builds of your application, even when session metadata has not been defined. This makes it easy for you to refine your view of important information so you can find what you need quickly while also eliminating manual configuration steps. (PROD-1745)

    The minimum agent versions that support this feature are:

    • Java 6.11.1

    • .NET Framework 51.1.9

    • .NET Core 4.3.9

    • Python 9.7

    • Node 5.24

  • Server details: When a user opens the Server > Libraries tab and selects a library to view its details, they will now see the server-specific applications on the application list. (PROD-3489)

  • Specific record names: When attack events are reported for IP denylists or virtual patches, the specific name of the individual IP denylist or virtual patch record will be displayed instead of the generic IP denylist or Virtual Patch labels. (PROD-3547)

  • Copy a role: You can copy an existing role, change its settings, and add it as a new role. Copying a role is useful if you need several roles with the same or similar settings or use a specific role as a template. Note that this is for users of role-based access control. (PROD-3276)

Bug fixes

  • RBAC: Items for improved RBAC (Role-based access control). (PROD-3206)

    • Improved performance on top five endpoints and gateway

    • Over 10 behind-the-scenes bug fixes and improvements

Contrast for hosted customers was released on January 21, 2025.

New and improved

  • MS Teams Integration. To ensure our customers can continue using MS Teams after the January 2025 Webhook URL deprecation, as Microsoft has already shared here, we have added support for the new Power Automate integration. This will be enabled by request, and we recommend customers follow the instructions in the integration documents to prepare for the change. Once complete, please contact Support to enable this integration. Note that if you use the MS Teams integration and do not make these changes by January 31st, the integration will fail. (PROD-3092)

  • Mapping Assess to ADR. Contrast can associate Assess and AVM findings with ADR (Application and Detection Response) to see which vulnerabilities have corresponding ADR rules. (PROD-2619)

  • NEW: Wiz Integration. Addition of a Wiz integration to send runtime security information regarding applications from Contrast to a Wiz deployment. (PROD-2694)

  • Guidance AI. Contrast AI provides additional information about how to fix discovered vulnerabilities, with AI guidance that is specific to the frameworks and libraries used by your application. It is currently available to USA users only and is disabled by default; it can be enabled under the Organization settings section. (PROD-3064)

  • Jira integration. Enhancements to the Jira integration:

  • RBAC. RBAC administrators (Role-based access control) can deactivate users from the user grid and properties. This will deactivate the user and the user’s endpoints but keep the record of the user in Contrast with an Inactive status. (PROD-3194)

  • Assess Vulnerability report. The audit log record now includes details of downloading the reports from the aggregated vulnerability dashboard. Please get in touch with your account manager if you are interested in using this report. (PROD-3198)

  • Resource group command in CLI. A new resource group command (under the Contrast audit function) specifies the required resource groups, eliminating the manual process of generating SCA projects. (PROD-3352)

  • Applications in the libraries detail view. When viewing the Libraries tab under the Server section, the application list now clearly shows which applications are on the server. (PROD-3489)

Archive

Contrast for hosted customers was released on December 10, 2024.

Advance notice regarding Contrast MS Teams Integration
  • On January 31st, 2025, the Microsoft Webhook-based connectors within the O365 Connectors service in Teams are transitioning to a new URL structure due to the implementation of further service hardening updates. This will impact the Contrast MS Teams Integration. As a result, we will update the MS Teams integration to support this change as part of our January release. We ask customers using the MS Teams integration to follow this guide to prepare themselves for the change. More information on our upcoming change can be found on the Microsoft Teams preview page.

New and improved
  • Added support for dynamic scoring when you change the status of a vulnerability to Not a Problem. (PROD-3103)

Contrast for hosted customers was released on November 12, 2024.

New and improved
  • NEW: Attack event view based on a new data service that provides improved performance, better stability, expanded data retention time, and an overall better user experience. (PROD-2300, PROD-2308, PROD-2330, PROD-2654, PROD-2935)

  • NEW: Updated and improved view of the Audit log. (PROD-2094, PROD-3158, PROD-3083, PROD-3074, PROD-3075)

  • Release of role-based access control (RBAC) for all existing organizations in Preview mode. (PROD-3098, PROD-3211, PROD-3204)

    New organizations will use RBAC in Enforce mode.

Contrast for hosted customers was released on October 8, 2024.

New and improved
  • Improved and simplified agent deployment process with updated Agent wizards. (PROD-3079, PROD-3080, PROD-3081, and PROD-3089)

  • Added the ability to recommend a minimum library upgrade. This recommendation identifies the closest library version to the one you currently have that contains as few vulnerabilities as possible. (PROD-3072)

  • Added documentation for creating custom rule exclusions for the Contrast Scan local engine. (PROD-2824)

  • Added the ability to change the severity for Contrast Scan vulnerabilities. (PROD-2951)

  • Added the ability to filter Contrast Scan vulnerabilities by CWE. (PROD-3046)

  • Added Secure Code Warrior recommendations for fixing Contrast Scan vulnerabilities. (PROD-2577)

  • Preview: Added the ability to view role-based access control permissions for users in an organization. (PROD-2573)

    This feature is available only if role-based access control is turned on for your organization. This feature is not available if you are using users and groups for access control.

  • Preview: Added the ability for users to view their own role-based access control permissions. (PROD-2572)

    This feature is available only if role-based access control is turned on for your organization. This feature is not available if you are using users and groups for access control.

Contrast for hosted customers was released on September 10, 2024.

New and improved
  • NEW: Added the ability to use the API and CLI to generate a SARIF file for Assess or SCA vulnerabilities. (PROD-3084)

  • Added the ability to download a Scan CSV report that contains more than 2,000 results. (PROD-3005)

    You have the option of selecting individual pages of results to download.

Contrast for hosted customers was released on August 13, 2024.

New and improved
  • Improved the workflow of Agent wizards (accessed from Add New) to simplify the task of adding applications to Contrast. (PROD-2812)

  • Added a link to the Agent Configuration Editor to Agent wizards. (PROD-2773)

  • PREVIEW: New Attack events page that makes it easier to view and manage attack event data. (PROD-2300)

    For access to this feature, contact your Contrast representative.

  • NEW: Added the ability to query audit log events using the new Audit API. (PROD-2887)

    The new API allows you to query the audit log for SAST, Assess, and role-based access control (RBAC) events. The new events for SAST (Contrast Scan) and RBAC include:

    • SAST

      • Creating/Deleting projects

      • Running scans

      • Changing vulnerability status

    • RBAC:

      • Creating/Updating/Deleting users

      • Creating/Updating/Deleting resource groups

      • Creating/Updating/Deleting roles: Includes updates to built-in roles.

      • Creating/Updating/Deleting user access groups

  • PREVIEW: Report dashboard that shows aggregated data for open and closed vulnerabilities, trends for meantime to remediate vulnerabilities, and more. To access the dashboard, go to user menu > Report Dashboard. (PROD-3097)

  • Role-based access control (preview): Added guidance to help you select resource groups that match your selected actions when you add custom roles. (PROD-2878)

    Contrast notifies you if your selected actions and resources don't match.

Contrast for hosted customers was released on July 16, 2024.

New and improved
  • New! Contrast security observability: This new feature models an application’s security architecture and behavior at runtime. Use this information to better understand the underlying behavior of your applications for threat modeling, pen test support, and contextual information around vulnerabilities and attacks.

    Currently, this feature supports Java applications only.

  • New! Generate a SARIF file with Assess and SCA findings

    A new sarif CLI command lets you create a SARIF file that includes findings from Assess and SCA for a specific application. (PROD-2809)

  • Batch edit of Scan vulnerability status: You can now change the status for multiple Scan vulnerabilities at the same time. (PROD-2760)

  • Filter by last Contrast Scan: You can now create filters to view scans based on a specified time frame. (PROD-3045)

Contrast for hosted customers was released on June 14, 2024.

New and improved
  • Protect for PHP. The PHP agent now supports Protect rules and features including Command Injection, SQL Injection, Path Traversal, Reflected XSS, Bot Blocking, IP Blocking, and Sensitive Data Masking. (PROD-1636)

  • Vulnerability tab enhancements. Added a column on the vulnerabilities tab under Scan projects that displays the specific language the vulnerability belongs to. You can also filter the results by language for the column. (PROD-2796, PROD-2798)

  • CSV report enhancements. CSV report can now be generated to include only specific criteria based on filter selections. (PROD-2933)

  • Authentication. It is strongly recommended to enable multi-factor authentication if single sign-on is not enabled for the organization. (PROD-1881)

  • Maven wrapper. Added CLI support for Maven wrapper. (PROD-3021)

  • Improved endpoint performance. Improved the performance of the /Contrast/api/ng/?/libraries/filter endpoint. (SCA-1671)

Contrast for hosted customers was released on May 14, 2024.

New and improved
  • Compatibility Check. Contrast is now able to check if routing frameworks are supported after agent instrumentation. The Contrast dashboard will display details about which frameworks it finds during route discovery. Currently, the latest versions of the Java and .NET agents support this feature. (PROD-2447)

  • Java Agent. Added gRPC support for Java. (PROD-2546)

  • Java Agent. Added support for Glassfish/Payara 5 and 6 for Java. (PROD-2792)

  • .NET Agent. Added gRPC support for .NET. (PROD-2289)

Release date: June 17, 2025

New and improved:

  • The Contrast Visual Studio Code IDE plugin has been updated to support Scan. This assists in retrieving SAST (Static Application Security Testing) and IAST (Interactive Application Security Testing) vulnerabilities in the IDE. (PROD-3102)

  • Our Azure Boards integration now adds an optional prefix for application names to ticket titles. This new checkbox in the configuration settings allows users to easily identify which application a vulnerability ticket belongs to at a glance, especially when managing numerous applications within Azure DevOps. (INT-1277)

  • The Azure Boards integration now enables users to automatically populate custom fields within ADO tickets created by Contrast. Users can now configure preset values for custom fields, eliminating the need for manual input during both auto-creation and manual sending of tickets, streamlining their workflow. (INT-1278)

  • Real-time streaming of new Incident objects to Splunk now complements the existing Event data. A new application on the Splunk marketplace will parse this incident data into the Common Information Model (CIM), enabling triage incidents alongside other events for comprehensive risk analysis of their application infrastructure. (PROD-3521)

  • The Contrast Security plugin is now fully compatible with IntelliJ IDEA versions up to 2025.1, alongside a wide range of other JetBrains IDEs. This update resolves all API deprecation issues, guaranteeing seamless functionality across the latest development environments. (INT-1270)

Release date: May 20, 2025

New and improved:

  • Gradle Plugin 3.0.0

    • Plugin released to the Gradle Plugin Portal.

    • Added Assess support for the Gradle plugin: the verify goal checks that none of the vulnerabilities found by Contrast Assess during integration testing violate the project's security policy, and fails the build when violations are detected.

      (JAVA-8252)

  • Contrast Java SDK 3.4.3 (JAVA-9200)

    • Added tags to Server Model.

      (JAVA-9200)

Bug fixes:

  • Maven Plugin 2.13.3

    • Fixed an issue where the Maven plugin failed to download the agent when the target folder was cleaned or did not exist.

      (JAVA-8975)

Release date: April 15, 2025

New and improved:

  • Revised and improved the Contrast Azure Pipelines extension. (PROD-3504)

  • Updated the Contrast Azure Boards integration to include options for excluding sensitive data in tickets, bi-directional integration, managing credentials in Contrast configurations, and sending Contrast session metadata to tickets. (PROD-3144, PROD-3143, PROD-3114, and PROD-3370)

  • Updated the Java agent to support Maven 3.9.9 and the Gradle plugin. (PROD-2855)

  • Added a link to the Contrast AI guidance in the How to Fix information sent to Jira tickets. (PROD-3431)

  • Added a link to the Contrast AI guidance in the How to Fix information sent to Azure Boards tickets. (PROD-3576)

Bug fixes:

  • Fixed an issue that caused an interruption with a Jira connection following a maintenance window. (PROD-3513)

Release date: March 18, 2025

New and improved:

  • Contrast ADR has a new API-based integration with Splunk to provide timely actionable attack exploit events across your entire application portfolio. (PROD-3269)

Release date: February 20, 2025

New and improved:

Release date: January 21, 2025

New and improved:

  • NEW: Addition of a Wiz integration to send runtime security information regarding applications from Contrast to a Wiz deployment. (PROD-2694)

  • To ensure our customers can continue using MS Teams after the January 2025 Webhook URL deprecation, as Microsoft has already shared here, we have added support for the new Power Automate integration. This will be enabled by request, and we recommend customers follow the instructions in the integration documents to prepare for the change. Once complete, please contact Support to enable this integration. Note that if you use the MS Teams integration and do not make these changes by January 31st, the integration will fail. (PROD-3092)

  • Added the ability to synchronize comments under the Activity tab to link the comments between the Activity tab and the Jira issue. Note that the Jira administrator must register and configure a webhook in Jira using the Comment... actions. (PROD-3118)

  • Added the ability to delete expired credentials. (PROD-3119)

  • Users can select the ability to mask sensitive information being sent to Jira. Remove sensitive information from the Issue title and additional fields when creating the ticket. (PROD-3120)

  • Support for the Japanese language was added to the MS Teams Integration. (PROD-3261)

  • Added the feature to show session metadata associated with the vulnerability in the Jira ticket. (PROD-3369)

Bug fixes:

  • Fixed a bug that would cause bi-directional status updates to stop working between the Contrast vulnerability record and the Jira ticket. (PROD-3117)

Release date: December 10, 2024

Advance notice regarding Contrast MS Teams Integration

  • On January 31st, 2025, the Microsoft Webhook-based connectors within the O365 Connectors service in Teams are transitioning to a new URL structure due to the implementation of further service hardening updates. This will impact the Contrast MS Teams Integration. As a result, we will update the MS Teams integration to support this change as part of our January release. We ask customers using the MS Teams integration to follow this guide to prepare themselves for the change. More information on our upcoming change can be found on the Microsoft Teams preview page.

Release date: August 29, 2024

These updates apply to the source code scan engine which you can use with the Scan local engine and a hosted deployment of Contrast.

New and improved:

  • Made a significant number of improvements across languages to reduce false positives.

  • Improved parsing of Natural source code to reduce false positives and improve scan performance.

  • Improved parsing of COBOL source code to reduce false positives and improve scan performance.

  • Updated the supported version of Kotlin to 1.6.0.

  • Added support for scanning of Java 16 and 17 files.

  • Improved support for Vue.JS.

Bug fixes:

  • Fixed a bug that caused the source code scan engine to fail for all scans.

Release date: April 15, 2025

New and improved:

  • Added new options to only fail a scan on a branch if it would introduce new vulnerabilities.

Bug fixes:

  • Multiple fixes to improve Scan local engine behavior and performance.

Checksum:

  • MD5 checksum: fa99a209ba3662a198df735fa4c795eb

  • SHA1 checksum: 1c78f9570e20c18b01c4b609904f4bdf9cfe8eff

  • SHA256 checksum: e4316485cba75bf032cfcd4537d1c9281bf8813bac03d84004e55b5bf415ec99

Note

How to generate a checksum

  • MD5: Use the following command:

    curl -L -H 'Accept: application/vnd.github.v3.raw' -s https://$CONTRAST_GITHUB_PAT@maven.pkg.github.com/Contrast-Security-Inc/sast-local-scan-runner/com.contrastsecurity.sast-local-scan-runner/X.X.XX/sast-local-scan-runner-X.X.XX.jar.md5 -o sastXX.md5
  • SHA: Use the following command:

    curl -L -H 'Accept: application/vnd.github.v3.raw' -s https://$CONTRAST_GITHUB_PAT@maven.pkg.github.com/Contrast-Security-Inc/sast-local-scan-runner/com.contrastsecurity.sast-local-scan-runner/X.X.XX/sast-local-scan-runner-X.X.XX.jar.sha1 -o sastXX.sha

For both types of checksums, replace X.X.XX with the version of the engine you are downloading and validating with a checksum. For example, for the 1.1.0 version of the engine, replace X.X.XX with 1.1.0, and in the output file name (sastXX.sha or sastXX.md5) replace XX with a value that represents the current version, such as 10.
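The checksum note above (and the identical notes in the older releases below) fetches the .md5 or .sha1 file but does not show the comparison against the jar you downloaded. The following script is an added example, not part of Contrast's documentation: it reads the fetched digest, rejects a checksum file that is really a saved error page (curl -s without -f writes the 401/404 body to the output file), and compares it with the local jar. It assumes md5sum and sha1sum from coreutils are on PATH, and that the Maven registry serves the digest as a bare hex string.

```shell
#!/bin/sh
# Added example for verifying a Scan local engine download against the
# fetched .md5 / .sha1 file. Not part of Contrast's own tooling.
# Assumptions: md5sum/sha1sum (coreutils) on PATH; the checksum file holds
# either a bare hex digest or the "digest  filename" layout.

# verify_checksum JAR CHECKSUM_FILE ALGO
# ALGO is md5 or sha1. Returns 0 on match, 1 on mismatch or unusable input.
verify_checksum() {
    jar=$1; sumfile=$2; algo=$3
    case "$algo" in
        md5)  tool=md5sum;  hexlen=32 ;;
        sha1) tool=sha1sum; hexlen=40 ;;
        *) echo "unsupported algorithm: $algo" >&2; return 1 ;;
    esac
    [ -f "$jar" ] || { echo "missing jar: $jar" >&2; return 1; }
    [ -f "$sumfile" ] || { echo "missing checksum file: $sumfile" >&2; return 1; }

    # First whitespace-separated field of the first line, lower-cased; this
    # tolerates a trailing newline and the "digest  filename" layout.
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")

    # A failed curl -s (no -f) saves the server's error page as the checksum
    # file; reject anything that is not a digest of the expected length so a
    # bad download can never "verify".
    if ! printf '%s' "$expected" | grep -Eq "^[0-9a-f]{$hexlen}$"; then
        echo "checksum file does not contain a $algo digest: $sumfile" >&2
        return 1
    fi

    actual=$("$tool" "$jar" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $algo of $(basename "$jar") matches"
        return 0
    fi
    echo "MISMATCH: expected $expected, got $actual" >&2
    return 1
}

# Self-check on constructed data (no real engine download involved):
# a good .sha file must verify, a saved error page must be rejected.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed stand-in for sast-local-scan-runner.jar\n' > "$tmp/engine.jar"
    sha1sum "$tmp/engine.jar" | awk '{print $1}' > "$tmp/engine.sha"
    printf '<html>401 Unauthorized</html>\n' > "$tmp/bad.sha"
    if verify_checksum "$tmp/engine.jar" "$tmp/engine.sha" sha1; then good=0; else good=1; fi
    if verify_checksum "$tmp/engine.jar" "$tmp/bad.sha" sha1; then bad=0; else bad=1; fi
    rm -rf "$tmp"
    [ "$good" -eq 0 ] && [ "$bad" -ne 0 ]
}
```

Run it as `verify_checksum sast-local-scan-runner-X.X.XX.jar sastXX.sha sha1` after the curl commands above; a non-zero exit status lets a pipeline stop before jarsigner or the scan runs.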

Application signing verification

To verify that Contrast created and signed the Scan local engine that you downloaded, use this command:

jarsigner -verify -verbose -certs sast-local-scan-runner-0.0.XX.jar

Replace XX with the version of the Scan local engine that you want to verify.

Release date: March 18, 2025

New and improved:

  • Added these rules:

  • Updated Log4j libraries throughout codebase.

  • Added the ability to identify and upload total lines of code and files scanned.

Bug fixes:

  • Fixed a stack overflow error resulting from PHP scans under specific circumstances.

  • Fixed an issue where the engine failed to parse some C# extension methods properly.

Application signing verification

To verify that Contrast created and signed the Scan local engine that you downloaded, use this command:

jarsigner -verify -verbose -certs sast-local-scan-runner-0.0.XX.jar

Replace XX with the version of the Scan local engine that you want to verify.

Release date: November 26, 2024

New and improved:

  • Added a new --metadata option for the Scan local engine that lets you specify metadata when you create a scan project.

  • Added optional support for Rust and Terraform using the Semgrep open source engine.

    If you want to scan code in these languages and send the results to the Contrast web interface, you must download the Semgrep engine. If the Scan local engine identifies the presence of either of these languages, it sends the relevant files to Semgrep and combines the SARIF results with the file that Contrast creates.

    Scan languages with the Semgrep engine provides additional details about this feature.

Application signing verification

To verify that Contrast created and signed the Scan local engine that you downloaded, use this command:

jarsigner -verify -verbose -certs sast-local-scan-runner-0.0.XX.jar

Replace XX with the version of the Scan local engine that you want to verify.

Release date: October 8, 2024

New and improved:

  • The --memory option now works with the binary scan engine.

    Recommendation: Keep your memory allocation for the binary scan engine at 12GB or higher. A lower memory allocation can adversely affect the binary scan engine's performance and accuracy.

  • To reduce noise and potential false positives, .h files are no longer implicitly scanned for the C, C++, or Objective-C languages.

    If, during the course of scanning these languages, the source code calls a .h file, then that file is scanned as part of the overall code analysis.

Checksum:

  • MD5 checksum: fa99a209ba3662a198df735fa4c795eb

  • SHA1 checksum: 1c78f9570e20c18b01c4b609904f4bdf9cfe8eff

  • SHA256 checksum: e4316485cba75bf032cfcd4537d1c9281bf8813bac03d84004e55b5bf415ec99

Note

How to generate a checksum

  • MD5: Use the following command:

    curl -L -H 'Accept: application/vnd.github.v3.raw' -s https://$CONTRAST_GITHUB_PAT@maven.pkg.github.com/Contrast-Security-Inc/sast-local-scan-runner/com.contrastsecurity.sast-local-scan-runner/X.X.XX/sast-local-scan-runner-X.X.XX.jar.md5 -o sastXX.md5
  • SHA: Use the following command:

    curl -L -H 'Accept: application/vnd.github.v3.raw' -s https://$CONTRAST_GITHUB_PAT@maven.pkg.github.com/Contrast-Security-Inc/sast-local-scan-runner/com.contrastsecurity.sast-local-scan-runner/X.X.XX/sast-local-scan-runner-X.X.XX.jar.sha1 -o sastXX.sha

For both types of checksums, replace X.X.XX with the version of the engine you are downloading and validating with a checksum. For example, for the 1.1.0 version of the engine, replace X.X.XX with 1.1.0, and in the output file name (sastXX.sha or sastXX.md5) replace XX with a value that represents the current version, such as 10.

Application signing verification

To verify that Contrast created and signed the Scan local engine that you downloaded, use this command:

jarsigner -verify -verbose -certs sast-local-scan-runner-0.0.XX.jar

Replace XX with the version of the Scan local engine that you want to verify.

Release date: August 29, 2024

New and improved:

  • Added a --level command option that provides better logging from the multi-language scan engine. To turn on logging for a specific log level, use one of these values: ERROR, WARN, INFO, DEBUG, or TRACE.

    Use this option only when the Contrast Support team instructs you to do so, rather than with all scans.

  • Changed the maximum log size to 20MB before creating a new log file.

Bug fixes:

  • Due to a bug that caused the source code scan engine to fail, all customers should upgrade their local scanner to version 1.1.2 to resume operations.

    All previous versions are now considered end of life.

    To help you understand the Contrast version control policy, Scan local engine releases and versions describes the policy that applies to all future releases.

Checksum:

  • MD5 checksum: 7be87ce1ab990c45e91c7060e5300ce2

  • SHA1 checksum: e55d9fa9323dc93bc29d4f68e927763c6e5fb12b

  • SHA256 checksum: ef8c84c1ad4549ab4e22a638dbf5d5d4d5700f6209ddcabfe66a20639880e0be

Note

How to generate a checksum

  • MD5: Use the following command:

    curl -L -H 'Accept: application/vnd.github.v3.raw' -s https://$CONTRAST_GITHUB_PAT@maven.pkg.github.com/Contrast-Security-Inc/sast-local-scan-runner/com.contrastsecurity.sast-local-scan-runner/X.X.XX/sast-local-scan-runner-X.X.XX.jar.md5 -o sastXX.md5
  • SHA: Use the following command:

    curl -L -H 'Accept: application/vnd.github.v3.raw' -s https://$CONTRAST_GITHUB_PAT@maven.pkg.github.com/Contrast-Security-Inc/sast-local-scan-runner/com.contrastsecurity.sast-local-scan-runner/X.X.XX/sast-local-scan-runner-X.X.XX.jar.sha1 -o sastXX.sha

For both types of checksums, replace X.X.XX with the version of the engine you are downloading and validating with a checksum. For example, for the 1.1.0 version of the engine, replace X.X.XX with 1.1.0, and in the output file name (sastXX.sha or sastXX.md5) replace XX with a value that represents the current version, such as 10.

Application signing verification

To verify that Contrast created and signed the Scan local engine that you downloaded, use this command:

jarsigner -verify -verbose -certs sast-local-scan-runner-0.0.XX.jar

Replace XX with the version of the Scan local engine that you want to verify.

Release date: June 14, 2024

New and improved:

  • The Scan local engine now creates a unique output folder for each scan. The folder location is .contrast-scan/<CURRENT_TIMESTAMP>, where <CURRENT_TIMESTAMP> is the date and time when the scan ran.

Bug fixes:

  • Updated configuration for C/C++ languages to avoid duplication of results.

    In previous versions of the Scan local engine, scans analyzed .h and .c files using C++ and C rules. This behavior generated duplicate vulnerabilities. The latest version of the scan engine no longer generates duplicate vulnerabilities. If you had this issue previously, when you run the new version of the scan engine, it will change the status of the duplicates to Remediated.

Important

The new multi-language source code scan engine is now version 1.1.1. Versions 1.0.0, 1.0.1, 1.0.2, 1.0.5, and 1.0.6 are considered internal test and beta versions of the multi-language scan engine and are not available for download by Contrast customers.

Checksum:

  • MD5 checksum: 4ad02dbb651afd65aa34540b74070460

  • SHA1 checksum: 31fe66afb757422aab0cb9f59fc4f1d858146bce

  • SHA256 checksum: 3f7fe7b9940c78b98721fdd865a058e0e3b61b65e45cd905615b91a828128ff7

Note

How to generate a checksum

  • MD5: Use the following command:

    curl -L -H 'Accept: application/vnd.github.v3.raw' -s https://$CONTRAST_GITHUB_PAT@maven.pkg.github.com/Contrast-Security-Inc/sast-local-scan-runner/com.contrastsecurity.sast-local-scan-runner/X.X.XX/sast-local-scan-runner-X.X.XX.jar.md5 -o sastXX.md5
  • SHA: Use the following command:

    curl -L -H 'Accept: application/vnd.github.v3.raw' -s https://$CONTRAST_GITHUB_PAT@maven.pkg.github.com/Contrast-Security-Inc/sast-local-scan-runner/com.contrastsecurity.sast-local-scan-runner/X.X.XX/sast-local-scan-runner-X.X.XX.jar.sha1 -o sastXX.sha

For both types of checksums, replace X.X.XX with the version of the engine you are downloading and validating with a checksum. For example, for the 1.1.0 version of the engine, replace X.X.XX with 1.1.0, and in the output file name (sastXX.sha or sastXX.md5) replace XX with a value that represents the current version, such as 10.

Application signing verification

To verify that Contrast created and signed the Scan local engine that you downloaded, use this command:

jarsigner -verify -verbose -certs sast-local-scan-runner-0.0.XX.jar

Replace XX with the version of the Scan local engine that you want to verify.

Release date: April 30, 2024

New and improved:

  • Added these exclusions to the Java binary scanner: com.azure, org.apache, and com.nimbusds.

  • Added a --severity parameter for the Scan local engine that lets you get a build fail status. The specified value is the minimum severity level that returns a build fail status code, which you can use to gate builds in pipelines.

    For example, if you specify --severity high, a finding of that severity or higher returns a build fail status code.

  • Added support for multi-branch scanning when using the GitHub action for the Scan local engine.

  • You can now download the Scan local engine with a reusable script.

Bug fixes:

  • Improved the Scan architecture to allow scanning of larger source code repos and faster processing of a large amount of findings.

Important

The new multi-language source code scan engine is now version 1.1.0. Versions 1.0.0, 1.0.1, 1.0.2, 1.0.5, and 1.0.6 are considered internal test and beta versions of the multi-language scan engine and are not available for download by Contrast customers.

Checksum:

  • MD5 checksum: 4ad02dbb651afd65aa34540b74070460

  • SHA1 checksum: 31fe66afb757422aab0cb9f59fc4f1d858146bce

  • SHA256 checksum: 3f7fe7b9940c78b98721fdd865a058e0e3b61b65e45cd905615b91a828128ff7

Note

How to generate a checksum

  • MD5: Use the following command:

    curl -L -H 'Accept: application/vnd.github.v3.raw' -s https://$CONTRAST_GITHUB_PAT@maven.pkg.github.com/Contrast-Security-Inc/sast-local-scan-runner/com.contrastsecurity.sast-local-scan-runner/X.X.XX/sast-local-scan-runner-X.X.XX.jar.md5 -o sastXX.md5
  • SHA: Use the following command:

    curl -L -H 'Accept: application/vnd.github.v3.raw' -s https://$CONTRAST_GITHUB_PAT@maven.pkg.github.com/Contrast-Security-Inc/sast-local-scan-runner/com.contrastsecurity.sast-local-scan-runner/X.X.XX/sast-local-scan-runner-X.X.XX.jar.sha1 -o sastXX.sha

For both types of checksums, replace X.X.XX with the version of the engine you are downloading and validating with a checksum. For example, for the 1.1.0 version of the engine, replace X.X.XX with 1.1.0, and in the output file name (sastXX.sha or sastXX.md5) replace XX with a value that represents the current version, such as 10.

Application signing verification

To verify that Contrast created and signed the Scan local engine that you downloaded, use this command:

jarsigner -verify -verbose -certs sast-local-scan-runner-0.0.XX.jar

Replace XX with the version of the Scan local engine that you want to verify.

Release date: March 15, 2024

Note

This version of the Scan local engine is available by request only. Contrast is not publishing checksum information at this time.

To request access to this version of the Scan local engine, follow your normal Contrast support process.

Contrast plans to make the new Scan local engine generally available in the near future.

New and improved:

  • Added a --timeout CLI option that lets you control the maximum time the multi-language source code scan engine scans the specified source code.

    The value for this option is a number of minutes. The option applies to each language separately. For example, if you set the value to 120 minutes and your repo contains four languages, the scan can potentially take up to eight hours (120 minutes x 4 languages).

    This feature is only available for the Contrast local scan engine.

  • Added support for file and folder exclusions.

    To use this feature, add a file named .contrast-scan.json to the root folder of the source code you are going to scan. Exclude files and folders describes how to use this feature.

    This feature is only available for the Contrast local scan engine and is only supported for multi-language source code scans.

    The file format for the JSON file is:

    // File name  ".contrast-scan.json"
    {
      "excludes": [
        "**/MavenWrapperDownloader.java",
        "**/*.js"
      ]
    }
  • Scans automatically fail if the multi-language source code scan engine doesn't find any technologies in the submitted code.

Bug fixes:

  • Fixed a bug that could cause a race condition, resulting in slow performance.

  • Fixed a bug that caused incorrect date formats to be generated in the SARIF output, which caused errors when using the SARIF output in GitHub.

Important

The new multi-language source code scan engine is now version 1.0.9. Versions 1.0.0, 1.0.1, 1.0.2, 1.0.5, and 1.0.6 are considered internal test and beta versions of the multi-language scan engine and are not available for download by Contrast customers.

Application signing verification

To verify that Contrast created and signed the local scan engine that you downloaded, use this command:

jarsigner -verify -verbose -certs sast-local-scan-runner-0.0.XX.jar

Replace XX with the version of the local scan engine that you want to verify.

Release date: February 15, 2024

Note

This version of the local scan engine is available by request only. Contrast is not publishing checksum information at this time.

To request access to this version of the local scan engine, follow your normal Contrast support process.

Contrast plans to make the new local scan engine generally available in the near future.

New and improved:

  • Added support for scanning in the repo for Github customers.

    Starting with 1.0.8, Scan supports a new Github action that supports main branch scanning in a Github repo. This feature supports failing builds based on the presence of a specified vulnerability severity (or higher). Learn more at Use Contrast Scan with GitHub repositories.

  • Increased the minimum memory requirement for the multi-language scan engine to 8 GB and the timeout setting to 60 minutes. This does not replace the minimum memory requirement of 12 GB when scanning .JAR and .WAR files using the Java binary scanner. We continue to recommend that all users of the local scan engine ensure that 12 GB of memory is available when running scans.

Bug fixes:

  • Addressed a number of issues that prevented some languages from being correctly identified by the multi-language source code scan engine when scanned by the local scan engine. All languages supported by the multi-language source code scan engine should now be correctly identified and scanned.

Important

The new multi-language source code scan engine is now version 1.0.8. Versions 1.0.0, 1.0.1, 1.0.2, 1.0.5, and 1.0.6 are considered internal test and beta versions of the multi-language scan engine and are not available for download by Contrast customers.

Application signing verification

To verify that Contrast created and signed the local scan engine that you downloaded, use this command:

jarsigner -verify -verbose -certs sast-local-scan-runner-0.0.XX.jar

Replace XX with the version of the local scan engine that you want to verify.

Release date: January 25, 2024

Note

This version of the local scan engine is available by request only. Contrast is not publishing checksum information at this time.

To request access to this version of the local scan engine, follow your normal Contrast support process.

Contrast plans to make the new local scan engine generally available in the near future.

New and improved:

  • Increased the memory that the multi-language source code scan engine uses to 2G to better support larger code bases. The minimum memory requirement when using the local scan engine is still 12GB.

  • Added a --memory parameter to the CLI that you can use to override the allocated memory for the multi-language source code scan engine.

  • Added additional logging to capture the parameters used when invoking the local scan engine. This logging captures the entire invocation command for the local scan engine (for example, -r, -p and so forth) for use when troubleshooting errors.

Important

The new multi-language source code scan engine is now version 1.0.7. Versions 1.0.0, 1.0.1, 1.0.2, 1.0.5, and 1.0.6 are considered internal test and beta versions of the multi-language scan engine and are not available for download by Contrast customers.

Bug fixes:

  • Addressed an issue when scanning .NET applications that resulted in source code being incorrectly identified.

  • Addressed an issue that caused the multi-language scan engine to ignore ABAP code when presented in a code artifact.

Application signing verification

To verify that Contrast created and signed the local scan engine that you downloaded, use this command:

jarsigner -verify -verbose -certs sast-local-scan-runner-0.0.XX.jar

Replace XX with the version of the local scan engine that you want to verify.

Release date: December 14, 2023

Note

This version of the local scan engine is available by request only. Contrast is not publishing checksum information at this time.

To request access to this version of the local scan engine, follow your normal Contrast support process.

Contrast plans to make the new local scan engine generally available in the near future.

Bug fixes:

  • Fixed a bug that prevented VB.NET and Scala source code from being correctly identified and scanned by the multi-language engine.

Important

The new multi-language source code scan engine is now version 1.0.4. Versions 1.0.0, 1.0.1, and 1.0.2 are considered internal test and beta versions of the multi-language scan engine and are not available for download for Contrast customers.

Application signing verification

To verify that Contrast created and signed the local scan engine that you downloaded, use this command:

jarsigner -verify -verbose -certs sast-local-scan-runner-0.0.XX.jar

Replace XX with the version of the local scan engine that you want to verify.

Release date: November 2023

Note

Local Scan Engine 1.0.3 is currently on restricted release. As a result, we are not providing checksum information at this time.

To get access to this version, open a support ticket to request it. We apologize for this inconvenience and are working hard to address this issue as soon as possible.

New and improved:

November 29, 2023

  • Fixed an issue in role-based access control authentication that could trigger a 403 error when you try to assign a project to an empty resource group or when a user has access to multiple resource groups and they do not specify one.

    If role-based access control is turned on, the -r <ResourceGroupName> option in the Contrast CLI is now mandatory when you create a scan project.

November 8, 2023

  • The Contrast local scan engine now supports the ability to scan source code for over 25 languages. For a complete list of supported languages, see Contrast Scan supported languages.

  • The local scan engine can now run natively under Windows environments running a suitable JVM.

  • Fixed an issue where using spaces in the path for an artifact to be scanned caused a fatal scan error.

  • Removed an unneeded log from the local scan engine, reducing overall disk space utilization when scanning Java binary files (JAR or WAR files).

  • Fixed an issue that caused the local scan engine to fail when running under Alpine Linux.

Important

The new multi-language source code scan engine is now version 1.0.3. Versions 1.0.0, 1.0.1, and 1.0.2 are considered internal test and beta versions of the multi-language scan engine and are not available for download for Contrast customers.

Application signing verification

To verify that Contrast created and signed the local scan engine that you downloaded, use this command:

jarsigner -verify -verbose -certs sast-local-scan-runner-0.0.XX.jar

Replace XX with the version of the local scan engine that you want to verify.

Release date: July 24, 2023

Bug fixes:

  • Fixed a bug that prevented the local scanner from reporting all vulnerabilities found across multiple JAR files. Only the last JAR file scanned in the ZIP file was reported.

Checksum:

  • MD5 checksum: f57f9174d0643832f9e38b95998fe280

  • SHA checksum: 8b2f5680111c5a4e5999a3449ee871bb822d27f6

Note

How to generate a checksum

  • MD5: Use the following command:

    curl -L -H 'Accept: application/vnd.github.v3.raw' -s https://$CONTRAST_GITHUB_PAT@maven.pkg.github.com/Contrast-Security-Inc/sast-local-scan-runner/com.contrastsecurity.sast-local-scan-runner/X.X.XX/sast-local-scan-runner-X.X.XX.jar.md5 -o sastXX.md5
  • SHA: Use the following command:

    curl -L -H 'Accept: application/vnd.github.v3.raw' -s https://$CONTRAST_GITHUB_PAT@maven.pkg.github.com/Contrast-Security-Inc/sast-local-scan-runner/com.contrastsecurity.sast-local-scan-runner/X.X.XX/sast-local-scan-runner-X.X.XX.jar.sha1 -o sastXX.sha

For both types of checksums, replace X.X.XX with the version of the engine you are downloading and validating with a checksum. For example, for the 0.0.60 version of the engine, replace X.X.XX with 0.0.60, and in the output file name (sastXX.sha or sastXX.md5) replace XX with a value that represents the current version, such as 60.

Application signing verification

To verify that Contrast created and signed the local scan engine that you downloaded, use this command:

jarsigner -verify -verbose -certs sast-local-scan-runner-0.0.XX.jar

Replace XX with the version of the local scan engine that you want to verify.

Release date: May 22, 2023

New and improved:

  • Added the ability to specify a resource group as a parameter in the local scan engine when you scan a project for the first time.

    To use this feature, your organization must have role-based access control enabled and you require sufficient permissions to create a new project (Manage Project Role or higher).

    Specify the resource group name using the -r parameter.

Checksum:

  • MD5 checksum: 0fa38c5c9e46e3b2c6bdb2d2ed3baa20

  • SHA checksum: 76fe00f7d70d45176904a2b62a9d1083f0731a03

Note

How to generate a checksum

  • MD5: Use the following command:

    curl -L -H 'Accept: application/vnd.github.v3.raw' -s https://$CONTRAST_GITHUB_PAT@maven.pkg.github.com/Contrast-Security-Inc/sast-local-scan-runner/com.contrastsecurity.sast-local-scan-runner/X.X.XX/sast-local-scan-runner-X.X.XX.jar.md5 -o sastXX.md5
  • SHA: Use the following command:

    curl -L -H 'Accept: application/vnd.github.v3.raw' -s https://$CONTRAST_GITHUB_PAT@maven.pkg.github.com/Contrast-Security-Inc/sast-local-scan-runner/com.contrastsecurity.sast-local-scan-runner/X.X.XX/sast-local-scan-runner-X.X.XX.jar.sha1 -o sastXX.sha

For both types of checksums, replace X.X.XX with the version of the engine you are downloading and validating with a checksum. For example, for the 0.0.60 version of the engine, replace X.X.XX with 0.0.60, and in the output file name (sastXX.sha or sastXX.md5) replace XX with a value that represents the current version, such as 60.

Application signing verification

To verify that Contrast created and signed the local scan engine that you downloaded, use this command:

jarsigner -verify -verbose -certs sast-local-scan-runner-0.0.XX.jar

Replace XX with the version of the local scan engine that you want to verify.

Release date: April 6, 2023

New and improved:

  • Support for multi-JAR scanning

    This release adds the ability to scan multiple JAR files as one artifact. You can add multiple JAR files to a ZIP file and scan it as a single artifact.

    To scan a multi-JAR ZIP file, package the JAR files at the top level in a ZIP file and scan it using the Scan local engine, as normal. For example:

    multiple-jar-artifact.zip
    -> artifact1.jar
    -> artifact2.jar
    -> artifact3.jar

    Once completed, the Contrast web interface displays the scan as a single project under the Scans tab.

Bug fixes:

Releases 0.0.57 through 0.0.59 contained internal bug fixes that had no effect on the Scan behavior or performance.

Release date: June 17, 2025

New and improved:

  • You can now view and filter on OWASP-related risks when you view the vulnerabilities for a Scan project.

Release date: May 20, 2025

New and improved:

  • Added the ability to archive multiple scan projects at the same time.

  • Added the ability to exclude files and folders from scans you run in the Contrast web interface.

  • Added the ability to configure dynamic scoring for scan projects at the organization level.

Release date: April 15, 2025

New and improved:

  • Added a Created time column to the Scan project list that shows the date and time when you created a scan project.

    This feature applies to new scans only.

  • Added a new tab on the Scan project page that shows the files and rules that were excluded based on file exclusions and policies.

    This tab is available only for scans with the Contrast Scan local engine.

  • When you upload a code artifact to be scanned, the Contrast web interface now shows a warning that navigating away before the upload completes cancels the upload.

  • Added support to configure notifications for failed scans in the Contrast web interface.

Release date: March 18, 2025

New and improved:

  • Added the ability to see the total number of lines of code scanned during a particular scan.

  • Added the ability to see the total number of files scanned during a particular scan.

  • Added the ability to see the version of the local scanner used during a scan.

Release date: February 20, 2025

New and improved:

  • Adjusted the default sorting of projects.

    By default, projects are now automatically sorted by last scan date in ascending order (the newest project is at the top, the oldest is at the bottom).

  • Added a 90 day option to the Last Scan filter on the Scan project page.

  • For organizations with role-based access control enabled, the Scan project page now shows the resource groups with which the project is associated.

    The displayed resource groups are based on the role for the logged-in user. Different users could see different resource groups. For example, a standard user could see different resource groups than a user with administrator permissions.

  • Added a Branch tab to the Scan project page.

    This tab is visible only when you run scans using the branch command with the Scan local engine.

Release date: January 21, 2025

New and improved:

  • Added more details about the source of a vulnerability.

    Where relevant, the vulnerability overview displays the source file name, line number and code snippet as well as the sink file name, line number and code snippet.

  • Added more details about the reason for a scan failure.

    In the Scan history, you can hover over a scan fail message to see a tool tip that displays information on the reason for a scan failure.

Release date: December 10, 2024

New and improved:

  • Added support for dynamic scoring when you change the status of a vulnerability to Not a Problem.

Bug fixes:

  • Fixed an issue that prevented the display of metadata values as tags for a scan project.

Release date: November 26, 2024

New and improved:

  • Added support for metadata for scan projects.

    Metadata consists of a key-value pair that is displayed on the Scan project page. You have the option of restricting scan project creation when required metadata is missing.

    Currently, this feature is available for new scan projects only.

  • For enhanced clarity, the Scan vulnerability list now shows the names of source files and line numbers.

Bug fixes:

  • Fixed a bug that prevented the Language column on the Scan project page from correctly reflecting in-scope languages when you selected other filters.

  • Fixed a bug that caused a scan to appear as though it failed due to overly large code snippets being present in the vulnerability overview.

Release date: October 8, 2024 (updated October 17, 2024)

New and improved:

  • When you download a CSV file that contains more than 2,000 vulnerabilities, you are now prompted to select individual pages of results that each contain up to 2,000 vulnerabilities. For example, if a report contains 5,400 vulnerabilities, when you download it, you have the option of selecting Page 1, Page 2, or Page 3. You download each page individually and can combine them afterwards.

    Selecting multiple pages is not supported.

  • Increased the number of vulnerabilities included in the Attestation report from 100 to 3,000.

  • Increased the number of vulnerabilities included in the General Vulnerability report to 3,000.

  • Added a new column to the Vulnerabilities tab that shows the CWE for the vulnerability. This column has a filter you can use to refine the view.

  • Added the ability for a user with the View, edit, and delete project action (role-based access control) or Organization Admin (organization users and groups access control) to change the severity of a detected vulnerability.

    To change the severity of a vulnerability, select the current severity and select an option from the dropdown (for example, select High and change it to Critical or Medium).

    If more than one vulnerability of the same type exists, you have the option of changing the severity for the selected vulnerability only or the severity of all matching vulnerabilities. Future scans do not override this severity change.

  • Added a Secure Code Warrior Guidelines tab to an individual vulnerability. This tab uses the associated CWE for a particular vulnerability to provide Secure Code warrior guidelines and training video information. The purpose of this information is to provide additional context on the vulnerability and ways to resolve it.

    Where possible, the guidelines reflect the language of the vulnerability. If no guidelines exist for that language, the tab displays generic guidelines. If no guidelines or information exists for a specific CWE, the tab is not available.

Release date: September 10, 2024

New and improved:

  • Fixed an issue where a vulnerability whose status had been changed to Not a Problem could change to Remediated if subsequent scans didn't discover the vulnerability. Now, the status of Not a Problem never changes.

    To have vulnerabilities assessed again, change the status to Confirmed or Suspicious.

  • You can now change the status of a single vulnerability and apply that change to all vulnerabilities of the same type.

Release date: August 29, 2024

New and improved:

  • Added the ability to create tags for Scan projects.

    Add tags to Scan projects describes how to use this feature.

  • NEW: General Vulnerability report: a PDF report based on the CSV report.

    This report includes the first 3,000 open vulnerabilities in the project based on severity and status.

  • Added the ability to change the status for all vulnerabilities of the same type simultaneously.

    If you update the status of a large number of vulnerabilities (1,000 or more) at one time, this change can take several minutes to complete. Contrast displays a message in the web interface when this action is done.

  • Added the ability to use the last Contrast Scan date to filter and sort scan projects.

Release date: July 16, 2024

Bug fixes:

  • Fixed an issue that prevented some how-to-fix information from displaying correctly for VB.NET and ABAP vulnerabilities.

Release date: June 11, 2024

New and improved:

  • Added the ability to see the language associated with a detected vulnerability.

    To see content in the new Language column, run a new scan in the project. The Contrast web interface doesn't display the language for older scans.

    If you are using the Scan local engine, you must use version 1.1.1. Using an earlier version of the local scan engine results in the Contrast web interface displaying Composite as the language. If you see this and you are using the Scan local engine, upgrade to version 1.1.1.

  • Added the ability to filter views based on the language associated with a detected vulnerability.

Bug fixes:

  • Fixed a bug that prevented the How-to-fix information from being properly displayed in the Web interface.

  • Fixed an issue that caused C++ and C# vulnerabilities to be counted twice.

    As a result of this change, the system remediation workflow marks duplicate vulnerabilities as remediated for C++. For C#, these vulnerabilities remain open.

Release date: May 14, 2024

Bug fixes:

  • Due to performance issues when generating the Scan attestation report, the report is now limited to generating 100 open vulnerabilities, by severity and status. Larger reports will be supported in the future.

  • Addressed an issue with file uploads to Contrast where files over 500 MB could cause out of memory (OOM) errors, especially when you used the Scan CLI commands. This fix does not increase the file upload size beyond 1 GB but provides a consistent user experience between uploads to the Contrast web interface and with the CLI. If you have repos that are larger than 1 GB, consider using the Contrast Scan local engine.

Release date: April 25, 2024

New and improved:

  • Enhanced the CSV report to include code snippets for each vulnerability.

  • Changed the CSV report so that you can see the file name and line number from the path for each vulnerability.

  • Changed the CSV report to exclude vulnerabilities with a Remediated or Not a Problem status.

  • Added the ability to supply a filter to the API call when generating a CSV report programmatically.

  • To aid in timely generation of the CSV report and address performance issues, the CSV report is now limited to the first 2,000 open entries based on severity and status.

  • Added pagination to the API when generating a CSV report so it can exceed the 2,000 line limit.

Bug fixes:

  • Improved the Scan architecture to allow scanning of larger source code repos and faster processing of a large amount of findings.

Release date: March 2024

Bug fixes:

  • Fixed a bug that could cause a race condition, resulting in slow performance in the Contrast web interface.

  • Fixed a bug in the Contrast web interface that resulted in an error when specifying an underscore (_) as part of a search parameter when searching projects.

Release date: January 2024

New and improved:

  • January 25, 2024

    New and improved:

    • On the Scan project page in the Contrast web interface, you can view the languages that the multi-language source code scan engine detected.

    • Added the ability to search for scan projects based on detected languages.

    Bug fixes:

    • Fixed a bug in the CLI that suggested a scan had failed when it invoked the multi-language source code scan engine.

    • Fixed a bug in the CLI that prevented the list of found vulnerabilities from being displayed in the CLI output once a scan completes.

    • Addressed an issue when scanning .NET applications that resulted in source code being incorrectly identified.

    • Addressed an issue that caused the multi-language scan engine to ignore ABAP code when presented in a code artifact.

Release date: December 2023

New and improved:

  • December 14, 2023

    • NEW: You can now generate an Attestation report for your scan projects from a scan project page and from the vulnerability tab on the scan project page.

    • Removed the ability for a user to change a vulnerability status to Fixed. The Scan engine determines this status based on whether a vulnerability is still seen in the source code in subsequent scans.

    • Fixed a bug that prevented VB.NET and Scala source code from being correctly identified and scanned by the multi-language engine.

Release date: November 2023

New and improved:

  • November 28, 2023

    • If role-based access control is turned on, creating a scan project now requires that you specify a resource group. The Create your scan project screen has a dropdown that displays a list of the resource groups assigned to the user who is creating the project. If users have a single resource group assigned to their role, this resource group is the default selection.

      In addition, users need a role that includes the Create project action.

      Create a scan project describes this new requirement.

  • November 8, 2023

    • NEW: Contrast Scan now provides two types of scans: Java binary for Java files, and source code for most other languages and technologies.

      When you select a source code scan, upload a ZIP file that contains the source code you want to scan.

    • NEW: Source code scanning is expanded to include over 25 additional languages and technologies, as listed in Scan supported languages and technologies. To use the expanded source code scanner, select the Source code option when you create a new project.

    • For hosted customers: Contrast Scan now supports multi-language detection for source code scanning. When you upload a ZIP file, the scan engine determines which languages are present in the ZIP file and scans each file. Contrast displays the results in a single scan project.

    • Removed the need to select a language when you create a scan project. Scan can now determine the type of code artifact you are uploading. Scan continues to support single JAR and WAR files as well as ZIP files that contain multiple JAR files or source code.

    • Added two fields to the CSV file you can download:

      • Language: Identifies the language for a specific vulnerability.

      • Comment: Shows the last comment made for a vulnerability.

      The CSV file populates these fields after you run a new scan for an existing project.

Release date: June 2023

New and improved:

  • June 30, 2023

    • Added the ability to add a comment for a vulnerability status without changing the current status. The Activity tab for a specific vulnerability lets you add comments.

  • June 12, 2023

    • Added the ability to see who created a project by displaying the project creator's name at the top of the Scans page and the Scan details page.

    • Added the ability to see who ran a specific scan for a project.

      The Scan history in the Scans page has a new Name column that shows the name of the individual who ran a specific scan. The Summary section of the Scan details page also shows who ran the scan.

    Note

    Both of these features apply to new projects and new scans. Existing projects or scans do not display the new information.

Release date: May 2023

New and improved:

  • Added support for multi-JAR scanning in the Java binary scanner.

    You can now include multiple JAR files in a single ZIP file when you use the hosted Java binary scanner (using the Contrast CLI or the Contrast web interface).

    The maximum upload size limit for a ZIP file is 1 GB.

Release date: April 2023

New and improved:

  • Added a vulnerability activity tab that shows information on status changes made to vulnerabilities within a project.

    To view this tab, select the Vulnerabilities tab for the selected scan project and then select a specific vulnerability.

  • Added the requirement to add comments when you change the status of a vulnerability in a project.

  • Added the ability to delete a project and all associated data in the Contrast web interface for users with a Manage all projects role.