Release news for hosted customers
The Release News is published every month for hosted customers.
February 2025
Contrast for hosted customers was released on February 20, 2025. For product-specific release information, see the Scan release notes and Integration release notes.
New and improved
CVE details: The improved CVE details screen now has key enhancements and helps you quickly understand the impact of CVEs on your organization. First Seen in Contrast provides insights into your exposure window, while the Organizational Impact highlights which applications and servers are affected. Key metrics like Severity, CVSS score, and EPSS help you understand the full scope of risk and prioritize remediation efforts. (PROD-2972)
Enhanced server cleanup: Contrast now offers enhanced server cleanup to remove historical routes associated with inactive servers. This is ideal for customers with ephemeral servers, in which each test run of a Contrast-instrumented application is used to represent a unique, point-in-time scan. For continuous instrumentation and long-running servers, route expiration remains the recommended approach. Enhanced server cleanup helps manage Assess results by simultaneously cleaning up outdated servers, routes, and vulnerabilities. (PROD-3060)
Automatically set arbitrary session metadata via Fingerprinting: Contrast will track and report unique builds of your application, even when session metadata has not been defined. This makes it easy for you to refine your view of important information so you can find what you need quickly while also eliminating manual configuration steps. (PROD-1745)
The minimum agent versions that support this feature are:
Java 6.11.1
.NET Framework 51.1.9
.NET Core 4.3.9
Python 9.7
Node 5.24
Server details: When a user opens the Server > Libraries tab and selects a library to view its details, they will now see the server-specific applications on the application list. (PROD-3489)
Specific record names: When attack events are reported for IP denylists or virtual patches, the specific name of the individual IP denylist or virtual patch record will be displayed instead of the generic IP denylist or Virtual Patch labels. (PROD-3547)
Bug fixes
RBAC: Items for improved RBAC (Role-based access control). (PROD-3206)
Improved performance on top five endpoints and gateway
Over 10 behind-the-scenes bug fixes and improvements
Deprecated feature
CodeSec EOL: Contrast's CodeSec offering will reach its end-of-life (EOL) on May 1, 2025. As of January 28, 2025, new users can no longer sign up for CodeSec. Existing CodeSec users will have access until the EOL date.
For any CodeSec users needing access beyond May 1:
Existing Contrast customers will continue to have access to the CLI by connecting to their instance. Customers will need to authenticate using their user credentials and can follow this documentation to do so.
Non-Contrast customers are encouraged to Try Contrast to explore our complete portfolio or contact a sales representative at info@contrastsecurity.com.
January 2025
Contrast for hosted customers was released on January 21, 2025.
New and improved
MS Teams Integration. To ensure our customers can continue using MS Teams after the January 2025 Webhook URL deprecation, as Microsoft has already shared here, we have added support for the new Power Automate integration. This will be enabled by request, and we recommend customers follow the instructions in the integration documents to prepare for the change. Once complete, please contact Support to enable this integration. Note that if you use the MS Teams integration and do not make these changes by January 31st, the integration will fail. (PROD-3092)
Mapping Assess to ADR. Contrast can associate Assess and AVM findings with ADR (Application and Detection Response) to see which vulnerabilities have corresponding ADR rules. (PROD-2619)
NEW: Wiz Integration. Added a Wiz integration that sends runtime security information about applications from Contrast to a Wiz deployment. (PROD-2694)
Guidance AI. Contrast AI provides additional information about how to fix discovered vulnerabilities with AI guidance that is specific to the frameworks and libraries used by your application. It is currently available to USA users only and is disabled by default. It can be enabled under the Organization settings section. (PROD-3064)
Jira integration. Enhancements to the Jira integration:
Added the ability to synchronize comments under the Activity tab to link the comments between the Activity tab and the Jira issue. Note that the Jira administrator must register and configure a webhook in Jira using the Comment... actions. (PROD-3118)
Added the ability to delete expired credentials. (PROD-3119)
Users can choose to mask sensitive information sent to Jira, which removes it from the Issue title and additional fields when the ticket is created. (PROD-3120)
Added the feature to show session metadata associated with the vulnerability in the Jira ticket. (PROD-3369)
RBAC. RBAC (role-based access control) administrators can deactivate users from the user grid and properties. This will deactivate the user and the user’s endpoints but keep the record of the user in Contrast with an Inactive status. (PROD-3194)
Assess Vulnerability report. The audit log record now includes details of downloading the reports from the aggregated vulnerability dashboard. Please get in touch with your account manager if you are interested in using this report. (PROD-3198)
Resource group command in CLI. A new resource group command (under the Contrast audit function) will specify the required resource groups to eliminate the manual process of generating SCA projects. (PROD-3352)
Applications in the libraries detail view. When viewing the Libraries tab under the Server section, the application list now clearly shows which applications are on the server. (PROD-3489)
December 2024
Contrast for hosted customers was released on December 10, 2024.
Advance notice regarding Contrast MS Teams Integration
On January 31st, 2025, the Microsoft Webhook-based connectors within the O365 Connectors service in Teams are transitioning to a new URL structure due to the implementation of further service hardening updates. This will impact the Contrast MS Teams Integration. As a result, we will update the MS Teams integration to support this change as part of our January release. We ask customers using the MS Teams integration to follow this guide to prepare themselves for the change. More information on our upcoming change can be found on the Microsoft Teams preview page.
New and improved
Added support for dynamic scoring when you change the status of a vulnerability to Not a Problem. (PROD-3103)
November 2024
Contrast for hosted customers was released on November 12, 2024.
New and improved
NEW: Attack event view based on a new data service that provides improved performance, better stability, expanded data retention time, and an overall better user experience. (PROD-2300, PROD-2308, PROD-2330, PROD-2654, PROD-2935)
NEW: Updated and improved view of the Audit log. (PROD-2094, PROD-3158, PROD-3083, PROD-3074, PROD-3075)
Release of role-based access control (RBAC) for all existing organizations in Preview mode. (PROD-3098, PROD-3211, PROD-3204)
New organizations will use RBAC in Enforce mode.
October 2024
Contrast for hosted customers was released on October 8, 2024.
New and improved
Improved and simplified agent deployment process with updated Agent wizards. (PROD-3079, PROD-3080, PROD-3081, and PROD-3089)
Added the ability to recommend a minimum library upgrade. This recommendation identifies the closest library version to the one you currently have that contains as few vulnerabilities as possible. (PROD-3072)
Added documentation for creating custom rule exclusions for the Contrast Scan local engine. (PROD-2824)
Added the ability to change the severity for Contrast Scan vulnerabilities. (PROD-2951)
Added the ability to filter Contrast Scan vulnerabilities by CWE. (PROD-3046)
Added Secure Code Warrior recommendations for fixing Contrast Scan vulnerabilities. (PROD-2577)
Preview: Added the ability to view role-based access control permissions for users in an organization. (PROD-2573)
This feature is available only if role-based access control is turned on for your organization. This feature is not available if you are using users and groups for access control.
Preview: Added the ability for users to view their own role-based access control permissions. (PROD-2572)
This feature is available only if role-based access control is turned on for your organization. This feature is not available if you are using users and groups for access control.
September 2024
Contrast for hosted customers was released on September 10, 2024.
New and improved
NEW: Added the ability to use the API and CLI to generate a SARIF file for Assess or SCA vulnerabilities. (PROD-3084)
Added the ability to download a Scan CSV report that contains more than 2,000 results. (PROD-3005)
You have the option of selecting individual pages of results to download.
August 2024
Contrast for hosted customers was released on August 13, 2024.
New and improved
Improved the workflow of Agent wizards (accessed from Add New) to simplify the task of adding applications to Contrast. (PROD-2812)
Added a link to the Agent Configuration Editor to Agent wizards. (PROD-2773)
PREVIEW: New Attack events page that makes it easier to view and manage attack event data. (PROD-2300).
For access to this feature, contact your Contrast representative.
NEW: Added the ability to query audit log events using the new Audit API. (PROD-2887)
The new API allows you to query the audit log for SAST, Assess, and role-based access control (RBAC) events. The new events for SAST (Contrast Scan) and RBAC include:
SAST:
Creating/Deleting projects
Running scans
Changing vulnerability status
RBAC:
Creating/Updating/Deleting users
Creating/Updating/Deleting resource groups
Creating/Updating/Deleting roles: Includes updates to built-in roles.
Creating/Updating/Deleting user access groups
PREVIEW: Report dashboard that shows aggregated data for open and closed vulnerabilities, trends for mean time to remediate vulnerabilities, and more. To access the dashboard, go to user menu > Report Dashboard. (PROD-3097)
Role-based access control (preview): Added guidance to help you select resource groups that match your selected actions when you add custom roles. (PROD-2878)
Contrast notifies you if your selected actions and resources don't match.
July 2024
Contrast for hosted customers was released on July 16, 2024.
New and improved
New! Contrast security observability: This new feature models an application’s security architecture and behavior at runtime. Use this information to better understand the underlying behavior of your applications for threat modeling, pen test support, and contextual information around vulnerabilities and attacks.
Currently, this feature supports Java applications only.
New! Generate a SARIF file with Assess and SCA findings
A new sarif CLI command lets you create a SARIF file that includes findings from Assess and SCA for a specific application. (PROD-2809)
Batch edit of Scan vulnerability status: You can now change the status for multiple Scan vulnerabilities at the same time. (PROD-2760)
Filter by last Contrast Scan: You can now create filters to view scans based on a specified time frame. (PROD-3045)
June 2024
Contrast for hosted customers was released on June 14, 2024.
New and improved
Protect for PHP. The PHP agent now supports Protect rules and features including Command Injection, SQL Injection, Path Traversal, Reflected XSS, Bot Blocking, IP Blocking, and Sensitive Data Masking. (PROD-1636)
Vulnerability tab enhancements. Added a column on the vulnerabilities tab under Scan projects that displays the specific language the vulnerability belongs to. You can also filter the results by language for the column. (PROD-2796, PROD-2798)
CSV report enhancements. CSV report can now be generated to include only specific criteria based on filter selections. (PROD-2933)
Authentication. It is strongly recommended to enable multi-factor authentication if single sign-on is not enabled for the organization. (PROD-1881)
Maven wrapper. Added CLI support for Maven wrapper. (PROD-3021)
Improved endpoint performance. Improved the performance of the /Contrast/api/ng/?/libraries/filter endpoint. (SCA-1671)
May 2024
Contrast for hosted customers was released on May 14, 2024.
New and improved
Compatibility Check. Contrast is now able to check if routing frameworks are supported after agent instrumentation. The Contrast dashboard will display details about which frameworks it finds during route discovery. Currently, the latest versions of the Java and .NET agents support this feature. (PROD-2447)
Java Agent. Added gRPC support for Java. (PROD-2546)
Java Agent. Added support for Glassfish/Payara 5 and 6 for Java. (PROD-2792)
.NET Agent. Added gRPC support for .NET. (PROD-2289)