Release news for hosted customers

Incident management with ADR. New and improved features for ADR.

Improved Operator framework currency. We've updated the Agent Operator to be fully compatible with .NET 8. By leveraging the latest .NET framework, we minimize potential security vulnerabilities associated with outdated technologies. (PROD-3333)

More robust agent authentication with multiple user agent keys. We've added user key support for multiple users and teams within an application. This allows Organization Admins to create more precise, narrowly scoped keys for better access control. Additionally, it facilitates improved key rotation processes, ensuring that application downtime is eliminated. (PROD-3155)

Enhanced server monitoring with First Seen timestamp. We've added a First Seen column to the Servers tab in Contrast, to help identify server onboarding times and quickly detect anomalies. (PROD-3458)

Server SBOM Generation & CycloneDX/SPDX Format Updates The SBOM export has updated the CycloneDX format from version 1.4 to 1.6, and we have added support for SPDX 3.0. We also added the ability to generate SBOMs at the server level and the application level. (PROD-3356)

Contrast Security Observability now reports Security controls with detailed attributes. (This feature is supported for Java applications only) To provide a more complete picture of application behavior, we've added Security control as a new Action Type. This change means that actions taken by security controls will now be reported in a consistent format with other Observe mode action types. Each security control action will include the following attributes:

Improved Helm Chart Deployment. To enhance security and deployment consistency, we've updated our Helm charts to adhere to namespace management best practices. We now recommend and support deploying to pre-existing, designated namespaces. (RFE-222)

Enhanced filtering option within the Vulnerabilities tab. We've added the ability to filter Vulnerabilities by the Protected in <environment> column. Now you can quickly see which vulnerabilities are being monitored, blocked, or not covered by Contrast ADR. (PROD-3359)

New feature to export attack event data. To support issue triage, we've added the ability to export attack event data. This allows you to download the attack event data to identify possible issues and share data if needed. (ADR-90)

Existing Contrast customers will continue to have access to the CLI by connecting to their instance. Customers will need to authenticate using their user credentials and can follow this documentation to do so.

Non-Contrast customers are encouraged to Try Contrast to explore our complete portfolio or contact a sales representative at info@contrastsecurity.com.

CVE details: The improved CVE details screen now has key enhancements and helps you quickly understand the impact of CVEs on your organization. First Seen in Contrast provides insights into your exposure window, while the Organizational Impact highlights which applications and servers are affected. Key metrics like Severity, CVSS score, and EPSS help you understand the full scope of risk and prioritize remediation efforts. (PROD-2972)

Enhanced server cleanup: Contrast now offers enhanced server cleanup to remove historical routes associated with inactive servers. This is ideal for customers with ephemeral servers, in which each test run of a Contrast-instrumented application is used to represent a unique, point-in-time scan. For continuous instrumentation and long-running servers, route expiration remains the recommended approach. Enhanced server cleanup helps manage Assess results by simultaneously cleaning up outdated servers, routes, and vulnerabilities. (PROD-3060)

Automatically set arbitrary session metadata via Fingerprinting: Contrast will track and report unique builds of your application, even when session metadata has not been defined. This makes it easy for you to refine your view of important information so you can find what you need quickly while also eliminating manual configuration steps. (PROD-1745)

The minimum agent versions that support this feature are:

Server details: When a user opens the Server > Libraries tab and selects a library to view its details, they will now see the server-specific applications on the application list. (PROD-3489)

Specific record names: When attack events are reported for IP denylists or virtual patches, the specific name of the individual IP denylist or virtual patch record will be displayed instead of the generic IP denylist or Virtual Patch labels. (PROD-3547)

Copy a role: You can copy an existing role, change its settings, and add it as a new role. Copying a role is useful if you need several roles with the same or similar settings or use a specific role as a template. Note that this is for users of role-based access control. (PROD-3276)

RBAC: Items for improved RBAC (Role-based access control). (PROD-3206)

Existing Contrast customers will continue to have access to the CLI by connecting to their instance. Customers will need to authenticate using their user credentials and can follow this documentation to do so.

Non-Contrast customers are encouraged to Try Contrast to explore our complete portfolio or contact a sales representative at info@contrastsecurity.com.

MS Teams Integration. To ensure our customers can continue using MS Teams after the January 2025 Webhook URL deprecation, as Microsoft has already shared here, we have added support for the new power automate integration. This will be enabled by request, and we recommend customers follow the instructions in the integration documents to prepare for the change. Once complete, please contact Support to enable this integration. Note, that if you use the MS Teams integration and do not make these changes by January 31st, the integration will fail. (PROD-3092)

Mapping Assess to ADR. Contrast can associate Assess and AVM findings with ADR (Application and Detection Response) to see which vulnerabilities have corresponding ADR rules. (PROD-2619)

NEW: Wiz Integration. Addition of a Wiz integration to send runtime security information regarding applications from Contrast to a Wiz deployment. (PROD-2694)

Guidance AI. Contrast AI provides additional information about how to fix discovered vulnerabilities with AI guidance that is specific to the frameworks and libraries used by your application. Available to USA users only now and is disabled by default. It can be enabled under the Organization settings section. (PROD-3064)

Jira integration. Enhancements to the Jira integration:

RBAC. RBAC administrators (Role-based access control) can deactivate users from the user grid and properties. This will deactivate the user and the user’s endpoints but keep the record of the user in Contrast with an Inactive status. (PROD-3194)

Assess Vulnerability report. The audit log record now includes details of downloading the reports from the aggregated vulnerability dashboard. Please get in touch with your account manager if you are interested in using this report. (PROD-3198).

Resource group command in CLI. A new resource group command (under the Contrast audit function will specify the required resource groups to eliminate the manual process of generating SCA projects. (PROD-3352)

Applications in the libraries detail view. When viewing the Libraries tab under the Server section, the application list now clearly shows which applications are on the server. (PROD-3489)

On January 31st, 2025, the Microsoft Webhook-based connectors within the O365 Connectors service in Teams are transitioning to a new URL structure due to the implementation of further service hardening updates. This will impact the Contrast MS Teams Integration. As a result, we will update the MS Teams integration to support this change as part of our January release. We ask customers using the MS Teams integration to follow this guide to prepare themselves for the change. More information on our upcoming change can be found on the Microsoft Teams preview page.

Added support for dynamic scoring when you change the status of a vulnerability to Not a Problem. (PROD-3103)

NEW: Attack event view based on a new data service that provides improved performance, better stability, expanded data retention time, and an overall better user experience. (PROD-2300, PROD-2308, PROD-2330, PROD-2654, PROD-2935)

NEW: Updated and improved view of the Audit log. (PROD-2094, PROD-3158, PROD-3083, PROD-3074, PROD-3075)

Release of role-based access control (RBAC) for all existing organizations in Preview mode. (PROD-3098, PROD-3211, PROD-3204)

New organizations will use RBAC in Enforce mode.

Improved and simplified agent deployment process with updated Agent wizards. (PROD-3079, PROD-3080, PROD-3081, and PROD-3089)

Added the ability to recommend a minimum library upgrade. This recommendation identifies the closest library version to the one you currently have that contains as few vulnerabilities as possible. (PROD-3072)

Added documentation for creating custom rule exclusions for the Contrast Scan local engine. (PROD-2824)

Added the ability to change the severity for Contrast Scan vulnerabilities. (PROD-2951)

Added the ability to filter Contrast Scan vulnerabilities by CWE. (PROD-3046)

Added Secure Code Warrior recommendations for fixing Contrast Scan vulnerabilities. (PROD-2577)

Preview: Added the ability to view role-based access control permissions for users in an organization. (PROD-2573)

This feature is available only if role-based access control is turned on for your organization. This feature is not available if you are using user and groups for access control.

Preview: Added the ability for users to view their own role-based access control permissions. (PROD-2572)

This feature is available only if role-based access control is turned on for your organization. This feature is not available if you are using user and groups for access control.

NEW: Added the ability to use the API and CLI to generate a SARIF file for Assess or SCA vulnerabilities. (PROD-3084)

Added the ability to download a Scan CSV report that contains more than 2,000 results. (PROD-3005)

You have the option of selecting individual pages of results to download.

Improved the workflow of Agent wizards (accessed from Add New) to simplify the task of adding applications to Contrast. (PROD-2812)

Added a link to the Agent Configuration Editor to Agent wizards. (PROD-2773)

PREVIEW: New Attack events page that makes it easier to view and manage attack event data. (PROD-2300).

For access to this feature, contact your Contrast representative.

NEW: Added the ability to query audit log events using the new Audit API. (PROD-2887)

The new API allows you to query the audit log for SAST, Assess, and role-based access control (RBAC) events. The new events for SAST (Contrast Scan) and RBAC include:

PREVIEW: Report dashboard that shows aggregated data for open and closed vulnerabilities, trends for meantime to remediate vulnerabilities, and more. To access the dashboard, go to user menu > Report Dashboard. (PROD-3097)

Role-based access control (preview): Added guidance to help you select resource groups that match your selected actions when you add custom roles. (PROD-2878)

Contrast notifies you if your selected actions and resources don't match.

New! Contrast security observability: This new feature models an application’s security architecture and behavior at runtime. Use this information to better understand the underlying behavior of your applications for threat modeling, pen test support, and contextual information around vulnerabilities and attacks.

Currently, this feature supports Java applications only.

New! Generate a SARIF file with Assess and SCA findings

A new sarif CLI command lets you create a SARIF file that includes findings from Assess and SCA for a specific application. (PROD-2809)

Batch edit of Scan vulnerability status: You can now change the status for multiple Scan vulnerabilities at the same time. (PROD-2760)

Filter by last Contrast Scan: You can now create filters to view scans based on a specified time frame. (PROD-3045)

Protect for PHP. The PHP agent now supports Protect rules and features including Command Injection, SQL Injection, Path Traversal, Reflected XSS, Bot Blocking, IP Blocking, and Sensitive Data Masking. (PROD-1636)

Vulnerability tab enhancements. Added a column on the vulnerabilities tab under Scan projects that displays the specific language the vulnerability belongs to. You can also filter the results by language for the column. (PROD-2796, PROD-2798)

CSV report enhancements. CSV report can now be generated to include only specific criteria based on filter selections. (PROD-2933)

Authentication. It is strongly recommended to enable multi-factor authentication if single sign-on is not enabled for the organization. (PROD-1881)

Maven wrapper. Added CLI support for Maven wrapper. (PROD-3021)

Improved endpoint performance. Improved the performance of the /Contrast/api/ng/?/libraries/filter endpoint. (SCA-1671)

Compatibility Check. Contrast is now able to check if routing frameworks are supported after agent instrumentation. The Contrast dashboard will display details about which frameworks it finds during route discovery. Currently, the latest versions of the Java and .NET agents support this feature. (PROD-2447)

Java Agent. Added gRPC support for Java. (PROD-2546)

Java Agent. Added support for Glassfish/Payara 5 and 6 for Java. (PROD-2792)

.NET Agent. Added gRPC support for DOTNET.  (PROD-2289)