Release news for on-premises customers

Performance improvements in vulnerability search. (TS-23239)

Addition of application name in audit log entries when a new exclusion is created. (TS-24005)

A dot character is now allowed in Contrast Server usernames. (TS-24558)

For on-premises installations of Contrast running behind a load balancer, the ability has been added to use Tomcat’s RemoteIPValve logging component to allow client IP addresses (i.e. the server running a Contrast Agent) to be logged in the access_log instead of the IP address of the load balancer. (TS-24643)

Fixed broken access control. (COMP-315)

Node Agent (v4.32.0) - several updates to outdated dependencies. (COMP-341)

Resolved issue where detail was missing from Response Without X-Content-Type-Options Header detected vulnerabilities in the overview. (TS-22390)

Fixed the mismatch between the count of vulnerabilities pending review in notifications versus the actual number pending review. (TS-23268)

Removed extraneous warning messages in on-premises Contrast Server logs when starting the server. (TS-3916)

Fixed issues with session metadata not being displayed in merged applications where large numbers of routes and vulnerabilities caused a backend query to time out. (TS-24734)

Fixed issue where the Number of allowed vulnerabilities field in Jenkins Job Outcome Policy configuration would not allow a zero value. (TS-25102)

Incorrect cookies reported in some attack events. (TS-25130)

Unmerging applications would sometimes result in a 500 - Internal Server Error. (TS-25477)

Improved visibility of Protect and Assess servers and licenses in use. The Contrast web interface dashboard now reflects the complete, accurate and latest enablement, licensing, and agent configuration for Protect and Assess. (PROD-2186)

Patched Apache HTTP server vulnerabilities. (COMP-300)

VM Options revisited in On-Premises installs to better manage garbage collection per Java 11 best practices. (TS-24107)

On-Premises installations using the embedded database now correctly support customization of database server options via the my_extra.cnf file. (TS-23316)

Better handling of agent user names containing whitespace characters. (TS-24379)

Improved auto-verification feature. Implemented session-based auto verification and added an End Session endpoint. Users will be able to see vulnerabilities are closed out in a convenient way and will see the Autoverified with Session Based Autoverification status. (PROD-1737)

Resolved unauthorized access vulnerability. (COMP-296)

Resolved issue around locked accounts for SSO users. (COMP-297)

Removed defunct Usage Survey from Activity Digest email messages. (TS-23049)

Added Message Queue Support for Java (Kafka). (PROD-2151)

The Contrast .NET Core agent now supports Azure ServiceBus Triggers in Assess for Azure Functions. (PROD-2158)

Compliance reports now include the latest standard for PCI DSS v4. (PROD-2387)

Created an entry in the Contrast Hub for the Software Bill of Materials (SBOM) of the latest EOP release. (PROD-2450)

Customer IP restrictions applied in Contrast during Impersonation workflow. (COMP-244)

Organization administrators can no longer edit a SuperAdmin’s user settings if the SuperAdmin is a member of their organization. (COMP-226)

Fixed “Internal Server Failure” when opening the Overview tab of some NodeJS application vulnerabilities. (TS-23973)

CSV file export from the Route Coverage tab will now honor the currently configured view when filtering by session - so the export will only include routes matching the chosen set of session_metadata. (TS-23027)

Fixed display of virtual patch names where the name showed up as “rule.name.null”. (TS-23799)

Fixed the inability to assign licenses to organizations (403 response code) when the license file contained only Assess instances. (TS-23045)

Fixed error when uninstalling on-premises Contrast instances on Linux. (TS-23044)

The Contrast PHP Agent now supports applications written with the Symfony framework. (PROD-1552)

The Contrast dashboard’s summary elements now link directly to the data they are summarizing. Navigating between the dashboard and its underlying data is simpler and more direct than ever. Beta version. (PROD-1911)

Route Coverage CSV file export via the API can now include an agentSessionId to allow the export of routes that match a given set of session_metadata. (TS-22425)

Try out the new Projects experience to run SCA on non-instrumented applications by installing v2 of the CLI from npm.

Contrast EOP packaged with an updated version of JRE - jdk-v11.0.16+8. (COMP-291)

SuperAdmins can be removed from an organization by Organization Administrators. (COMP-238)

When on the latest version of a library - display “up to date” instead of the version number. (SCA-608)

Under some circumstances, if a library had an associated CVE that was subsequently removed, the removal did not take effect in on-premises Contrast installations. (SCA-683)

Attacks performed against a module of a merged application would show up in the application overview but the target of the corresponding hyperlink only showed attacks against the parent. (TS-20125)

Protect licensing update. Contrast Security will no longer place a cap on Protect licenses and will alert users if they have gone over their purchased amount. The Superadmin will now have to go into the License summary on the Organizations page to allocate licenses. No customer action is required. (PROD-1499)

The Software Bill of materials (SBOM) report now meets the minimum requirements for the National Telecommunications and Information Administration (NTIA). Information now includes supplier details and component relationships. (PROD-2194)

Ability to configure the on-premises instance to ensure super admin access even if an LDAP configuration is misconfigured.  (TS-18955)

Upgraded JRE bundle (openjdk11) to v11.0.17 (Oracle’s recommended security baseline for JDK 11). (COMP-291)

Session Metadata filtering in the Route coverage grid will now correctly filter exercised routes to only show those associated with the filter. (TS-22269)

Host validation would bypass any proxy configuration (on-premises instances only) when configuring webhook integration.  The proxy is now correctly honored. (TS-22403)

Fix to the issue where changes to associated applications for an existing Azure DevOps integration changes were not being saved. (TS-22091)

Fix to the issue where JIRA integrations did not correctly display “options-with-child” fields. (TS-21666)

Contrast now enables users to filter the applications list by the “Score” field. (PROD-1910)

Fix to occasional 403 when opening a vulnerability in the case where a user is a member of more than one organization. (TS-21471)

Fix to ensure that active attacks have an “end”.  This issue caused searches to produce no results if an old attack didn’t “end” within the search window. (TS-21406)

Fix to regression that caused bugtracker integrations not to be marked unavailable if an auto-create fails. (TS-21611)

Added support for the Chi framework in the Go agent for Contrast Assess. (PROD-2312)

Added contrast learn command to Contrast CLI, which launches Contrast’s Secure Code Learning Hub. (PROD-2306)

Improved handling of tags in the vulnerability list to address readability when the number of tags would otherwise cause the vulnerability name to be obscured. (TS-19594)

Authentication and Authorization added to API Playground. (COMP-261)

Contrast CLI patched for arbitrary command injection. (COMP-249)

Ability to lock or unlock users in Contrast On-Premises installations when SSO is in use. (TS-21171)

Added support for Go 1.19 in the Go agent. (PROD-2299)

New Contrast CLI with improved SCA (including SBOM) and scan features. (PROD-2275)

Enabled setting up exclusions for message queues. (PROD-2089)

Added message queue support for JMS MQ. JMS 2.0, which includes IBM MQ 9.2.x and Spring JMS 2.4. Reach out to your customer service representative to enable it in your environment. (PROD-1846)

Added support for .NET 7 for the .NET Core agent. (PROD-1819)

Implemented session metadata filters on Route and Vulnerability grids to view vulnerabilities and route information for a specific branch, build, committer, repository, or any custom session metadata a user selects. (PROD-1698)

Implemented the ability to create exclusions based on input and URL to suppress events from security analysis in the Ruby and Python agents (NET and Java already support this). This leads to better performance and accuracy. (PROD-1034,PROD-1035)

Added feature flag to enable BIRT reporting (TS-20400_enable_birt-reporting) - can be disabled (set false) to address potential security concerns in Contrast on-premises. (TS-20400)

Internal Server Error when saving application exclusions. (TS-20557)

Route Coverage Exclude icon available for users without the necessary permissions leading to a 403 when clicked. (TS-19873)

The .NET Framework and .NET Core agent installers now include Agent Explorer, a separate GUI application that provides high-level information about locally running .NET and .NET Framework agents. Use Agent Explorer to see high-level information such as:

New Contrast GitHub Action for SCA that can automatically check open source dependencies on pull requests. (PROD-2126)

Added a new event for the Generic Webhook integration called VULNERABILITY_DELETE that gets triggered whenever a user deletes a vulnerability via API or UI. The support article can be found here. (PROD-2124)

Contrast SuperAdmin on-premises (EOP) users can now configure proxy settings via JVM arguments during EOP startup. (PROD-1841)

Added the ability to set secrets for the Generic Webhook integration. The support article can be found here. (PROD-1840)

For hosted (SaaS) customers, a flag is now available at the organization level to enable and disable Impersonation access. This feature can be modified via the System Administrator or Organization Administrator API. Impersonation is turned off by default. (PROD-1807)

New APIs were created as of the 3.9.7 and 3.9.8 releases for users to more easily identify application vulnerability and route coverage data associated with a given session. Recall a session requires session metadata to be set.

Ultimately, to return vulnerabilities or route data by session, a user needs the agentSessionId. Th IDs can be returned by using the first call or the second call. The first call returns all sessions that correspond to the given session metadata values. Note the user must append the metadata label and values as shown below:

% curl -X POST
'https://apptwo.contrastsecurity.com/Contrast/api/ng/organizations/3c3a73d6-78a0-46c7-944a-b07b94d557f1/applications/2a0b1763-9314-4b55-a946-031d2741d628/agent-sessions/filter' \
     -HAccept:application/json \
     -H "Content-Type: application/json" \
     -HAuthorization:REDACTED \
     -HAPI-Key:REDACTED \
     -d '{"metadata": [
         {"label": "branchName", "values": ["test-branch"]},
         {"label": "committer", "values": ["Some Dev", "Another Dev"]}
        ]}'

The second call returns the most recent session. It requires no filters. See below:

curl
'https://apptwo.contrastsecurity.com/Contrast/api/ng/organizations/3c3a73d6-78a0-46c7-944a-b07b94d557f1/applications/2a0b1763-9314-4b55-a946-031d2741d628/agent-sessions/latest' \
                -HAccept:application/json \
                -HAuthorization:REDACTED \
                -HAPI-Key:REDACTED

Using the agentSessionId, the user can filter the route or vulnerability calls to return data only for that session. These APIs enable easier access to session-based data, which in turn allows users to gate builds or conduct other analyses based on data specific to that build. (PROD-1698)

The PHP agent now supports PHP 8.1. (PROD-1657)

Users will now be able to view a dependency tree for merged applications to help locate how vulnerable libraries were introduced for the merged application. (PROD-953)

Users can now search libraries by CVE number while using the library search bar. (PROD-765)

The performance of the Send Vulnerability window, which is part of the Jira integration, has been improved with a type-ahead solution for the Reporter field and Default Assignee selection. (CUST-3292)

Change to the method of string concatenation for feature keys (for example vulnerability_uuid) to prevent heap exhaustion experienced by on-premises customers. (TS-19909)

Additional style options available when creating custom footers in on-premise installations to provide more control over sizing. (TS-19891)

Add entry to audit log when severity of a vulnerability is changed in the vulnerabilities grid - previously only logged when changed via the Policy Management options. (TS-19129)

“How to fix” for Clickjacking vulnerability updated for clarity. (TS-18828)

Fix to on-premises installer to carry over existing JRE and Memory settings when upgrading. (TS-19726)

Fix to prevent Protect from being re-enabled if config setting to enable is subsequently removed from the agent configuration file. (TS-17755)

For library remediation, users without Administrator permissions will now require Administrator approval when closing vulnerabilities. (PROD-1939)

Library results can now be filtered by environment to easily find any vulnerable libraries in Production. (PROD-1884)

A flag is now available at the organization level to enable and disable Impersonation access. This feature can be modified via the System Administrator or Organization Administrator API. Impersonation is turned off by default. (PROD-1807)

Library export now contains policy violation indications in the CSV/XML file. (PROD-1771)

Created a diagnostic tool in the Go agent to help users easily gather and send diagnostics information when submitting a troubleshooting ticket. (PROD-1765)

Added filters to select vulnerability burndown data across any custom time range up to 12 months to help users view data trends for a set of applications, including details about vulnerabilities and remediations over time. (PROD-1700)

The PHP agent now supports Drupal versions 8 and 9 for Assess and SCA. (PROD-1527)

Added a new data visualization module to help users view important data on the number of vulnerabilities closed versus the number of vulnerabilities open over time. This module can be feature flagged ON upon request. Please note that the vulnerability status reflected in the UI will be the same as the data in Contrast, so please ensure that vulnerability management practices (such as manual vulnerability closure or a 2-way bugtracker integration) or auto-verification policies have been adopted. (PROD-897)

Improved de-duplication for .NET libraries. (OSS-2156)

API Endpoint / api/ng/<ORGID>/orgtraces/filter?status=CONFIRMED returning a 400 status code. (TS-18720)

Deletion of merged applications sometimes results in a failure. (TS-18490)

Missing navigation between vulnerabilities (for example “< 3 of 29 >“). (TS-13528)

“Error executing request” when bulk deleting vulnerabilities in some cases. (TS-17928)

Incorrect vulnerability count when filtering by environment. (TS-14346)

Some Node library details not populated due to a timeout retrieving data from back end. (OSS-3158)

.NET libraries not included in export. (OSS-3153)

Enhanced logging available for organization audits on system or super admin level activity.

Parent applications now show which vulnerabilities and routes are associated with which child application with a filter in the respective grid. This will enable easier triage and analysis of vulnerability and route data associated with child applications.

New diagnostics tool for .NET that allows you to easily gather and send information from your yaml configuration or environment variables to receive faster support.

Users now have increased visibility into vulnerability, library, and route details for children of a merged application. Vulnerability and Route Coverage grids add an application filter. (TS-12586, TS-12587, TS-12588)

Improvements to performance of Application Vulnerabilities tab when vulnerabilities have many sessions with metadata. (TS-17228)

Resolved an issue where multifactor-authentication could be bypassed. (TS-17065)

Resolved IDOR where any user can check the progress of a job if job ID is guessed/known. (TS-17303)

Creating new users failed with “Invalid Form” errors when LDAP or AD is in use, due to a regression.  (TS-18612)

When a server dropped offline, users were notified hourly as opposed to just once. (TS-18094)

Closing all open vulnerabilities results in the inability to subsequently display them due to a missing drop down option. (TS-17883)

“Send to Bugtracker” does not work for child applications not configured in connection. (TS-17715)

Contrast can now create Jira tickets in an optional epic when Contrast is auto-creating tickets.

Vulnerability statuses are now reported in the correct sequence when route-based auto verification is enabled.

The Contrast .NET Azure Site Extension now supports Azure Functions.

Developers can now access Contrast API documentation from https://api.contrastsecurity.com.

The Contrast GitHub Action for Scan is now available as a starter workflow.

Removed logging of LDAP configuration (sensitive information). (TS-17304)

Added stricter validation to user first/last name. (TS-17357)

Updated authorization check for several APIs to check for org-level authorization. (TS-17462)

Updated X-XSS-Protection response header value. (TS-17305)

Updated dependency Okio to 3.1.0. (TS-16064)

Updating users failed with "Invalid Form" errors due to special characters. (TS-17494)

Jira integration won't save when assignee field is configured for a user. (TS-17716)

Attack events are slow to load on some applications. (TS-17565)

Contrast web interface freezes experienced when selecting libraries from search results. (TS-17405)

Allow URL exclusions to accept more than three escaping slashes \. (TS-17064)

EOP installer on Windows fails when setting non-default database directory. (TS-16954)

/route/filter endpoint not returning expected results for session_metadata. (TS-16610)

Add Security Control form not allowing some valid API signatures. (TS-15919)

Vulnerabilities not accurately filtered by environments in the Contrast web interface. (TS-15470)

"New Server" notifications were sent for applications not configured in the notifications system. (TS-1415)

The Server tab is slow to load when there is excessive tagging in the Contrast web interface. (TS-17442)

Totals in Attack overview are incorrect in the Contrast web interface. (TS-16058)

The Contrast GitHub action for Scan can now scan .NET and Javascript projects automatically on every code push or pull request.

The standalone_app_name setting is no longer required to install the Java agent.

Contrast now checks for any new or updated CVEs every 30 minutes.

SBOM reports now support SPDX format.

A cleaner view of route coverage in the web interface shows fewer servers and no longer displays deleted servers in the list of servers.

Updated dependency Okio. (TS-16476)

Resolved session fixation issues. (TS-16447, TS-16684).

Application dashboard's vulnerability tab fails to open. (SUP-3764, SUP-3787)

Inconsistency in the number of vulnerabilities between application's overview and vulnerability pages. (SUP-3776)

Error licensing an application with large amounts of vulnerability instances. (SUP-3799)

Receiving 400 bad response errors using the Contrast Python SDK. (SUP-3721)

Intermittent 403 errors when logging into Contrast (on-premises). (SUP-3696)

New vulnerability notifications not being sent in some hosted (SaaS) environments. (SUP-3813)

On-premises Contrast service crashing due to open file limits. (TS-16887)

Route deletion appears to function for users with limited permissions. (SUP-3742)

Microsoft Teams integration not filtering properly by environment. (SUP-3730)

Score not showing for unlicensed applications. (SUP-3675)

API documentation not available with on-premises WAR deployments. (SUP-3575)

On-premises Windows users can upgrade to the 3.9.3 version Contrast which also includes embedded MySQL 8.

You can now configure whether library data should be retained when server clean up runs. On server clean up, if you want to retain the library data, opt in.

When using the endpoint that allows an exclusion by route ID, or the one that excludes by filtering for multiple routes, you no longer have to close a vulnerability during route exclusions.

Added a new Assess rule to identify JNDI Injection vulnerability. This gives Assess even more complete coverage to detect Log4j vulnerabilities.

Triage and analysis of parent and child apps is now easier and more efficient:

CVSS is used to report the severity of CVEs. CVSS 3.1 is the latest standard. Contrast is now compatible with CVSS 3.1. Contact support to request CVSS 3 scoring be enabled and this will immediately update all CVEs.

Updated various out-of-date Bouncy Castle crypto libraries. (TS-11188)

Excluded routes shown in API response with quickFilter parameter. (SUP-3739)

Java agent fails to start if the server is deleted and re-enabled. (SUP-3703)

Unable to send vulnerability to Jira project with a create screen without assignee. (SUP-3553)

Jira configurations with application importance showing up for non-applicable applications. (SUP-3603)

YAML file bundled with .NET Framework agent from Windows on-premises has bad linefeeds. (SUP-3689)

Servers and Applications filter in the web interface does not sort alphabetically with merged apps. (SUP-3449)

API endpoint discovered could sometimes be less than exercised. (SUP-3439)

Renamed server name does not show up In vulnerability filter. (SUP-3048)

Contrast now has a PHP agent.

Go agent users can now configure the agent to report directly to Contrast, removing the need to install the Contrast service. In addition to simplifying installation and maintenance of the Contrast agent, this allows support for vulnerability detection for gRPC APIs written with the google.golang.org/grpc module.

The Java agent added a new Protect rule, Class Loader Manipulation, to provide additional hardening against exploits like Spring4Shell and others.

When a LDAP or Active Directory identity store is unavailable due to connectivity issues, SuperAdmin users whose accounts reside in the local Contrast database will now be able to log onto the system.

Contrast Serverless now has a native Jira integration so that you can can more consistently remediate vulnerabilities across development teams.

Now when you run a report, you can more easily see which vulnerabilities align with the latest OWASP API compliance standards. Additionally, the compliance policy and security standard for the OWASP Top 10 2021 is now visible in the attestation report generator.

Jira integration fails to load when fields are left empty. (TS-15606)

Excluding all routes for an application in the Contrast web interface removes the ability re-add them. (TS-15299)

Security standards and attestation reports failing to generate. (TS-15680)

Some vulnerabilities failing to load in the Contrast web interface due to 500 error codes. (TS-13242)

Exporting libraries from one application in the Contrast web interface would result and exporting all libraries. (OSS-2632)

Unable to render application page in Contrast web interface after enabling compliance policies. (TS-13677)

Two-way integration with Jira not syncing status changes from Jira. (INT-1136)

Updated various out-of-date libraries including: common-compress, aws-java-sdk-s3, xmlsec, jQuery, bootstrap, tomcat, Spring and more.

Updated authentication error message to be more vague.

Removed Elastic Search Library and usage.

Replaced MySQL Connector.

You can now create a full SBOM report for merged applications.

Contrast now supports GraphQL APIs when instrumenting your .NET Core application.

Contrast Verify is a GitHub action that makes sure no new vulnerabilities are introduced with a pull request. It checks against a Job Outcome Policy or an open-vulnerability threshold that you define through an input parameter. Available on the GitHub Marketplace.

Upgraded common-compress library. (TS-14042)

Upgraded mysql-connector-java library. (TS-13173)

Upgraded aws-java-sdk-s3 library. (TS-13174)

Removed unauthorized user system message. (TS-12979)

Upgraded Tomcat to 9.0.55 for on-premises. (TS-12930)

ContrastHub upgrades to jQuery, jQuery-UI, and bootstrap libraries (TS-11370)

When the New Asset notification was enabled for specific applications, notifications were being sent for newly onboarded apps outside of that scope. (TS-14150)

When making API calls with an API-Only user, the Last Login timestamp for that user was not being populated. (TS-13290)

If the global search field is left populated and specific navigation occurs, the “X” to clear the search field will no longer work. (TS-13519)

A new tool to make installing and configuring agents easier is here in Beta. The Contrast agent configuration editor helps you create a YAML configuration file from scratch, by checking YAML and recommending the proper settings based on agent type. You can also upload, edit and validate existing YAML or download new files for local use. Learn more.

The workflow for installing the .NET Core agent from the Contrast web interface has been updated to clarify language and allow for use of custom fields.

Only the .NET Framework and .NET Core agent for IIS installers will be available for download from Contrast. For all other agents, please refer to each agents' instructions to learn how to install them with their respective package managers.

Upgraded aws-java-sdk-s3 in Contrast Hub to remediate CVE-2020-28491 in the sub-dependency jackson-dataformat-cbor 2.6.7. (TS-13174)

Upgraded jquery, jquery-ui, and Bootstrap libraries on Contrast Hub to avoid reflected XSS vulnerabilities. (TS-11370)

Upgraded commons-compress.jar. (TS-11190)

Disabled ability to write to a server’s agent log file without restriction. (TS-10262)

Deprecation of TLS 1.0 on Community Edition and hosted (SaaS) servers. (PROD-341, PROD-1591)

The reflected XSS rule is incorrectly classified as Critical instead of Moderate. (PROD-1350)

When authenticating a request to Jira, a 401 error is returned. (SUP-3374)

When hovering over a server in the servers tab, the container may be shown as "unknown". (TS-11544)

When an organization has a compliance policy enabled, the Application page fails to load. (TS-12607)

Using the quick_filter parameter to filter vulnerabilities returned by the Contrast Python SDK results in a 500 error. (INT-1049)

When exporting a subset of vulnerabilities to CSV, an incorrect selection of findings are included in the resultant file. (TS-13567, TS-13635)

When filtering vulnerabilities in an application by environment, vulnerabilities tied to deleted servers are shown incorrectly. (TS-13203)

Rules have been updated for Node.js exclusions.

Ruby, Python and Go installation process has been simplified in the Contrast web interface. Find the latest agent versions in their respective package managers.

Improved performance for the Contrast Node.js agent with more efficient native functions and dead-zoning.

Vulnerability option "Send to bugtracker" fails to open dialog. (TS-12455)

Cannot edit groups incorrectly throws error "Group name is already taken." (TS-12428)

Application page fails to load when organization has compliance policies set. (TS-12718)

Server activity graph is not being populated. (TS-12572)

Vulnerability tab is not accurately filtering by environment. (TS-12542)

Edit user page could time-out when user is associated with a large amount of applications. (TS-12456)

Attestation reports sometimes fail to generate. (TS-11769)

Protect licenses not applied automatically to servers after automatic server cleanup. (TS-11375)

Server page loads and searches taking inordinate amount of time with large server counts. (TS-10249)

The .NET Core agent now discovers and reports trust boundary violation vulnerability types. This new rule is of medium severity.

Contrast now offers a default configuration more optimized for performance. For the default, medium severity hard-coded password and hard-coded cryptographic key rules are turned off. You can still enable all rules for more comprehensive security testing when needed.

The Contrast Node.js agent now supports applications running Node 16 LTS.

The web interface for adding a Java agent is now improved, making it easier to get and install the Java agent.

In our September (3.8.8) release we announced the move to eight designated IP addresses. We are happy to announce those changes are live, but we are extending support for our previous IP addresses while customers update to our new certificate authority, GlobalSign. A certificate authority update may be required to fully implement the fixed IP solution. Please reach out to support@contrastsecurity.com if you have any questions.

Java: 3.8.9.22387 | 3.8.9.22663

.NET Framework: 21.10.1

.NET Core: 2.0.2

Node.js: 3.11.10 | 3.11.11 | 3.11.12 | 4.3.0 | 4.4.1

Python: 4.13.0

Ruby: 4.12.0

Go: 2.0.0

Security library upgrades. (TS-11185, TS-11190, TS-11191, TS-11189)

Limited brute-force login issue. (TS-11142)

Attestation reports fail to generate or include custom code vulnerabilities. (TS-12126)

Resetting application may fail in the Contrast web interface when there are active agents. (TS-11553)

Vulnerability merge button not selectable. (TS-11571)

Users experiencing poor performance in vulnerabilities page with large number of items. (TS-10374, TS-9839)

YAML download failing for Java agent when application metadata is preset. (TS-10132)

URL count remains zero even when application is exercised. (TS-11939)

Selecting vulnerability count on an archived application generates a 403 error. (TS-10767)

You can now download a Software Bill of Materials (SBOM) for your applications from the reports menu.

You can now scan Java applications and automate scanning in a CI pipeline directly from the CLI.

Just like the .NET Framework agent, the .NET Core agent now also discovers and reports stored XSS vulnerability types in instrumented applications.

If your Contrast instance is on-premises in an airgap environment, or if you prefer alternate access to documentation, you can now access a versioned PDF of Contrast Documentation from the Release News (above).

Added support for Go 1.17.

Beginning September 17th, organization administrators using a hosted instance of Contrast must add the eight designated IP addresses, otherwise agent and user traffic will be interrupted until the required IP addresses are allowed.

By October 31st all traffic will be going to these address and you will no longer need to allowlist the Amazon IP space.

The move to bundling MySQL 8 with the Contrast on-premises installer is being further tested to improve transition quality. Previously this was announced as part of 3.8.8. It is being delayed to a future release.

Java: 3.8.8.22125

.NET Framework: 21.9.2

.NET Core: 2.0.1

Node.js: 4.2.0

Python: 4.12.0

Ruby: 4.11.0

Go: 1.10.0 | 1.11.0

Failed login attempts that occur in rapid succession are not counted. (COMP-60)

Teamserver is utilizing outdated and vulnerable libraries: spring-web-5.2.9.release.jar and velocity-engine-core-2.0.jar. (COMP-54)

Including the Apache Tomcat version number in error messages provides potential attackers with this information. (COMP-53)

The application is vulnerable to user enumeration during the login process. (COMP-38)

Changing master to primary impacts downstream integrations causing breaking changes. (Changes were reverted back to master).

The buildNumbers filter is not included in the filter list causing the filter to fail. (TS-11484, 6618)

Using a version picker custom field when logging tickets from Contrast in Jira results in error message. (INT-853)

ServerEnvironment filter causes a 500 error. (INT-805)

Error saving settings, when updating sampling for server in Contrast web interface. (TS-10765)

Rules defaulted to ON cause performance degradation. (TS-7939)

Attempting to select Attacks causes a 504 error when there is a large number of attacks. (TS-10691)