Scan release notes
Scan engine and local Scan engine
Release date: November 2023
Note
Local Scan Engine 1.0.3 is currently on restricted release. As a result, we are not providing checksum information at this time.
To get access to this version, open a support ticket to request it. We apologize for this inconvenience and are working hard to address this issue as soon as possible.
New and improved:
November 29, 2023
Fixed an issue in role-based access control authentication that could trigger a 403 error when you try to assign a project to an empty resource group or when a user has access to multiple resource groups and they do not specify one.
If role-based access control is turned on, the -r <ResourceGroupName> option in the Contrast CLI is now mandatory when you create a scan project.
November 8, 2023
The Contrast local scan engine now supports the ability to scan source code for over 25 languages. For a complete list of supported languages, see Contrast Scan supported languages.
The local scan engine can now run natively under Windows environments running a suitable JVM.
Fixed an issue where using spaces in the path for an artifact to be scanned caused a fatal scan error.
Removed an unneeded log from the local scan engine, reducing overall disk space utilization when scanning Java binary files (JAR or WAR files).
Fixed an issue that caused the local scan engine to fail when running under Alpine Linux.
Important
The new multi-language source code scan engine is now version 1.0.3. Versions 1.0.0, 1.0.1, and 1.0.2 are considered internal test and beta versions of the multi-language scan engine and are not available for download for Contrast customers.
Application signing verification
To verify that Contrast created and signed the local scan engine that you downloaded, use this command:
jarsigner -verify -verbose -certs sast-local-scan-runner-0.0.XX.jar
Replace XX with the version of the local scan engine that you want to verify.
Release date: July 24, 2023
Bug fixes:
Fixed a bug that prevented the local scanner from reporting all vulnerabilities found across multiple JAR files. Only the last JAR file scanned in the ZIP file was reported.
Checksum:
MD5 checksum: f57f9174d0643832f9e38b95998fe280
SHA checksum: 8b2f5680111c5a4e5999a3449ee871bb822d27f6
Note
How to generate a checksum
MD5: Use the following command:
curl -L -H 'Accept: application/vnd.github.v3.raw' -s https://$CONTRAST_GITHUB_PAT@maven.pkg.github.com/Contrast-Security-Inc/sast-local-scan-runner/com.contrastsecurity.sast-local-scan-runner/X.X.XX/sast-local-scan-runner-X.X.XX.jar.md5 -o sastXX.md5
SHA: Use the following command:
curl -L -H 'Accept: application/vnd.github.v3.raw' -s https://$CONTRAST_GITHUB_PAT@maven.pkg.github.com/Contrast-Security-Inc/sast-local-scan-runner/com.contrastsecurity.sast-local-scan-runner/X.X.XX/sast-local-scan-runner-X.X.XX.jar.sha1 -o sastXX.sha
For both types of checksums, replace X.X.XX with the version of the engine you are downloading and validating with a checksum. For example, for the 0.0.60 version of the engine, replace X.X.XX with 0.0.60, and in the output file name (sastXX.md5 or sastXX.sha) replace XX with a value that represents the current version, such as 60.
Application signing verification
To verify that Contrast created and signed the local scan engine that you downloaded, use this command:
jarsigner -verify -verbose -certs sast-local-scan-runner-0.0.XX.jar
Replace XX with the version of the local scan engine that you want to verify.
Release date: May 22, 2023
New and improved:
Added the ability to specify a resource group as a parameter in the local scan engine when you scan a project for the first time.
To use this feature, your organization must have role-based access control enabled and you require sufficient permissions to create a new project (Manage Project Role or higher).
Specify the resource group name using the -r parameter.
Checksum:
MD5 checksum: 0fa38c5c9e46e3b2c6bdb2d2ed3baa20
SHA checksum: 76fe00f7d70d45176904a2b62a9d1083f0731a03
Note
How to generate a checksum
MD5: Use the following command:
curl -L -H 'Accept: application/vnd.github.v3.raw' -s https://$CONTRAST_GITHUB_PAT@maven.pkg.github.com/Contrast-Security-Inc/sast-local-scan-runner/com.contrastsecurity.sast-local-scan-runner/X.X.XX/sast-local-scan-runner-X.X.XX.jar.md5 -o sastXX.md5
SHA: Use the following command:
curl -L -H 'Accept: application/vnd.github.v3.raw' -s https://$CONTRAST_GITHUB_PAT@maven.pkg.github.com/Contrast-Security-Inc/sast-local-scan-runner/com.contrastsecurity.sast-local-scan-runner/X.X.XX/sast-local-scan-runner-X.X.XX.jar.sha1 -o sastXX.sha
For both types of checksums, replace X.X.XX with the version of the engine you are downloading and validating with a checksum. For example, for the 0.0.60 version of the engine, replace X.X.XX with 0.0.60, and in the output file name (sastXX.md5 or sastXX.sha) replace XX with a value that represents the current version, such as 60.
Application signing verification
To verify that Contrast created and signed the local scan engine that you downloaded, use this command:
jarsigner -verify -verbose -certs sast-local-scan-runner-0.0.XX.jar
Replace XX with the version of the local scan engine that you want to verify.
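The checksum download commands and the jarsigner command above are the two halves of one integrity check: the published digest proves the JAR you hold is the JAR that was published, and the signature proves Contrast produced it. The script below is an added example, not Contrast's own tooling. It assumes the JAR and the two checksum files (sastXX.md5 and sastXX.sha) have already been fetched with the curl commands above, that each checksum file carries the hex digest as its first whitespace-separated token (the Maven checksum-file convention), and that jarsigner from a JDK is on the PATH. The script name verify-scan-engine.sh and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not Contrast's tooling): verify a downloaded local scan
# engine JAR against the published MD5 and SHA-1 checksum files, then
# confirm the JAR signature with jarsigner.
# Assumption: checksum files hold the hex digest as their first token.

# Hex digest of a file: coreutils md5sum/sha1sum if present, else OpenSSL.
digest_file() {  # $1 = algorithm (md5|sha1), $2 = file
    if command -v "$1sum" >/dev/null 2>&1; then
        "$1sum" "$2" | awk '{print tolower($1)}'
    else
        openssl dgst -"$1" -r "$2" | awk '{print tolower($1)}'
    fi
}

# Expected digest from a checksum file; tolerates a trailing filename,
# surrounding whitespace and upper-case hex.
expected_digest() {  # $1 = checksum file
    awk 'NF { print tolower($1); exit }' "$1"
}

# Compare one algorithm; prints a verdict and returns 0 only on a match.
check_one() {  # $1 = algorithm, $2 = jar, $3 = checksum file
    want=$(expected_digest "$3")
    got=$(digest_file "$1" "$2")
    if [ -n "$want" ] && [ "$want" = "$got" ]; then
        echo "OK   $1 $2"
        return 0
    fi
    echo "FAIL $1 $2: expected '$want', got '$got'" >&2
    return 1
}

# Both digests must match; an empty checksum file counts as a failure.
verify_checksums() {  # $1 = jar, $2 = .md5 file, $3 = .sha file
    status=0
    check_one md5  "$1" "$2" || status=1
    check_one sha1 "$1" "$3" || status=1
    return "$status"
}

# Signature check. jarsigner exits non-zero for a bad signature but reports
# an unsigned JAR with a warning, so also require the "jar verified." line.
verify_signature() {  # $1 = jar
    out=$(jarsigner -verify -verbose -certs "$1") || return 1
    printf '%s\n' "$out" | grep -q 'jar verified\.'
}

# Usage: sh verify-scan-engine.sh sast-local-scan-runner-0.0.60.jar sast60.md5 sast60.sha
if [ "$#" -eq 3 ]; then
    verify_checksums "$1" "$2" "$3" && verify_signature "$1"
fi
```

Run it with the JAR and both checksum files as arguments; a non-zero exit means at least one digest or the signature did not verify. Checking both digests rather than only MD5 matters because MD5 collisions are practical, and requiring the literal "jar verified." line guards against treating an unsigned JAR as verified.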
Release date: April 6, 2023
New and improved:
Support for multi-JAR scanning
This release adds the ability to scan multiple JAR files as one artifact. You can add multiple JAR files to a ZIP file and scan it as a single artifact.
To scan a multi-JAR ZIP file, package the JAR files at the top level in a ZIP file and scan it using the Scan local engine, as normal. For example:
multiple-jar-artifact.zip -> artifact1.jar -> artifact2.jar -> artifact3.jar
Once completed, the Contrast web interface displays the scan as a single project under the Scans tab.
Bug fixes:
Releases 0.0.57 through 0.0.59 contained internal bug fixes that had no effect on the Scan behavior or performance.
Scan web interface
Release date: November 2023
New and improved:
November 28, 2023
If role-based access control is turned on, creating a scan project now requires that you specify a resource group. The Create your scan project screen has a dropdown that displays a list of the resource groups assigned to the user who is creating the project. If users have a single resource group assigned to their role, this resource group is the default selection.
In addition, users need a role that includes the Create project action.
Create a scan project describes this new requirement.
November 8, 2023
NEW: Contrast Scan now provides two types of scans: Java binary for Java files, and source code for most other languages and technologies.
When you select a source code scan, upload a ZIP file that contains the source code you want to scan.
NEW: Source code scanning is expanded to include over 25 additional languages and technologies, as listed in Scan supported languages and technologies. To use the expanded source code scanner, select the Source code option when you create a new project.
For hosted customers: Contrast Scan now supports multi-language detection for source code scanning. When you upload a ZIP file, the scan engine determines which languages are present in the ZIP file and scans each file. Contrast displays the results in a single scan project.
Removed the need to select a language when you create a scan project. Scan can now determine the type of code artifact you are uploading. Scan continues to support single JAR and WAR files as well as ZIP files that contain multiple JAR files or source code.
Added two fields to the CSV file you can download:
Language: Identifies the language for a specific vulnerability.
Comment: Shows the last comment made for a vulnerability.
The CSV file populates these fields after you run a new scan for an existing project.
Release date: June 2023
New and improved:
June 30, 2023
Added the ability to add a comment for a vulnerability status without changing the current status. The Activity tab for a specific vulnerability lets you add comments.
June 12, 2023
Added the ability to see who created a project by displaying the project creator's name at the top of the Scans page and the Scan details page.
Added the ability to see who ran a specific scan for a project.
The Scan history in the Scans page has a new Name column that shows the name of the individual who ran a specific scan. The Summary section of the Scan details page also shows who ran the scan.
Note
Both of these features apply to new projects and new scans. Existing projects or scans do not display the new information.
Release date: May 2023
New and improved:
Added support for multi-JAR scanning in the Java binary scanner.
You can now include multiple JAR files in a single ZIP file when you use the hosted Java binary scanner (using the Contrast CLI or the Contrast web interface).
The maximum upload size limit for a ZIP file is 1 GB.
Release date: April 2023
New and improved:
Added a vulnerability activity tab that shows information on status changes made to vulnerabilities within a project.
To view this tab, select the Vulnerabilities tab for a selected scan project and then select a specific vulnerability.
Added the requirement to add comments when you change the status of a vulnerability in a project.
Added the ability to delete a project and all associated data in the Contrast web interface for users with a Manage all projects role.