
Scan release notes

Scan engine and Scan local engine

Release date: June 14, 2024

New and improved:

  • The Scan local engine now creates a unique output folder for each scan. The format of the folder name is: output<Date/TIME of Scan>.

Important

The new multi-language source code scan engine is now version 1.1.1. Versions 1.0.0, 1.0.1, 1.0.2, 1.0.5, and 1.0.6 are considered internal test and beta versions of the multi-language scan engine and are not available for download by Contrast customers.

Checksum:

  • MD5 checksum: 4ad02dbb651afd65aa34540b74070460

  • SHA1 checksum: 31fe66afb757422aab0cb9f59fc4f1d858146bce

  • SHA256 checksum: 3f7fe7b9940c78b98721fdd865a058e0e3b61b65e45cd905615b91a828128ff7

Note

How to retrieve the published checksums

Contrast publishes a checksum file next to each engine JAR in the GitHub Packages Maven registry. Download the file for the exact version you are installing, compute the digest of the JAR you downloaded, and compare it with the downloaded checksum file and with the values listed above before you run the engine.

  • MD5: Use the following command:

    curl -L -H 'Accept: application/vnd.github.v3.raw' -s https://$CONTRAST_GITHUB_PAT@maven.pkg.github.com/Contrast-Security-Inc/sast-local-scan-runner/com.contrastsecurity.sast-local-scan-runner/X.X.XX/sast-local-scan-runner-X.X.XX.jar.md5 -o sastXX.md5
  • SHA-1: Use the following command:

    curl -L -H 'Accept: application/vnd.github.v3.raw' -s https://$CONTRAST_GITHUB_PAT@maven.pkg.github.com/Contrast-Security-Inc/sast-local-scan-runner/com.contrastsecurity.sast-local-scan-runner/X.X.XX/sast-local-scan-runner-X.X.XX.jar.sha1 -o sastXX.sha

For both commands, replace X.X.XX with the version of the engine you are downloading and validating. For example, for version 1.1.1 of the engine, replace X.X.XX with 1.1.1, and replace XX in the output file name (sastXX.md5 or sastXX.sha) with a short tag for that version, such as 11.

Two caveats. The commands place $CONTRAST_GITHUB_PAT in the URL, where it ends up in shell history and process listings; passing the token with curl's -u option instead avoids that. MD5 and SHA-1 detect a corrupted download but are not collision-resistant, so compare the SHA-256 value above where one is published, and treat the jarsigner check below as the test of authenticity: a checksum served from the same registry as the JAR says nothing about who built it.

Application signing verification

To verify that Contrast created and signed the Scan local engine that you downloaded, use this command:

jarsigner -verify -verbose -certs sast-local-scan-runner-X.X.XX.jar

Replace X.X.XX with the version of the Scan local engine that you want to verify (for example, 1.1.1). The output must contain the line "jar verified." and the certificate details printed by -certs must identify Contrast as the signer. If the output reports "jar is unsigned." or an invalid certificate chain, do not run the file.
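The checksum retrieval and jarsigner steps above, which the release entries below repeat for each version, are the whole supply-chain check for the engine JAR. The script that follows is an added example, not Contrast's own tooling, that does the local half of that work in one place: it computes the SHA-256 of the JAR you downloaded, compares it with the value copied from the release notes, and only then runs the jarsigner command and checks its output rather than its exit status. The file name, the expected digest and the sample file used in the usage note are illustrative.

```shell
#!/bin/sh
# Added example, not part of Contrast's documentation or tooling: verify a
# downloaded Scan local engine JAR against the SHA-256 from the release notes,
# then check the JAR signature with jarsigner. The file name and digest are
# passed as arguments; nothing here is specific to a particular release.

# Print the SHA-256 hex digest of a file, using whichever tool is installed
# (sha256sum on most Linux systems, shasum on macOS and the BSDs).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Compare a file's SHA-256 with the expected value (case-insensitive).
# Returns 0 on match and 1 on mismatch, so it can gate the next step.
verify_sha256() {
  file="$1"
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "OK: $file sha256=$actual"
    return 0
  fi
  echo "MISMATCH: $file expected=$expected actual=$actual" >&2
  return 1
}

# Run the jarsigner command from the release notes and require the
# "jar verified." line in its output. The exit status alone is not a reliable
# signal: an unsigned JAR prints "jar is unsigned." and can still exit 0
# unless -strict is given, so the output is checked explicitly. The full
# -verbose -certs output is echoed so the signer's certificate subject can be
# read and confirmed to be Contrast, not merely "some valid certificate".
verify_signature() {
  out=$(jarsigner -verify -verbose -certs "$1" 2>&1) || {
    printf '%s\n' "$out" >&2
    return 1
  }
  printf '%s\n' "$out"
  printf '%s\n' "$out" | grep -q '^jar verified\.' || {
    echo "SIGNATURE CHECK FAILED: $1" >&2
    return 1
  }
  return 0
}

# Usage: sh verify-engine.sh <engine.jar> <sha256-from-release-notes>
# Checksum first, so jarsigner never opens an artifact that does not match.
if [ "$#" -ge 2 ]; then
  verify_sha256 "$1" "$2" && verify_signature "$1"
fi
```

Run it as `sh verify-engine.sh sast-local-scan-runner-1.1.1.jar <sha256 from the release notes>` (the script name is hypothetical). The digest is compared before jarsigner is invoked so that a tampered or truncated download is rejected without ever being parsed, and the signature step requires the "jar verified." line because jarsigner reports an unsigned JAR as a warning rather than a failure.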

Release date: April 30, 2024

New and improved:

  • Added these exclusions to the Java binary scanner: com.azure, org.apache, and com.nimbusds.

  • Added a --severity parameter to the Scan local engine that lets you get a build-fail status. The specified value is the minimum severity that returns a build-fail status code, which you can use to gate builds in pipelines.

    For example, if you specify --severity high, a finding of that severity or higher returns a build fail status code.

  • Added support for multi-branch scanning when using the GitHub action for the Scan local engine.

  • You can now download the Scan local engine with a reusable script.

Bug fixes:

  • Improved the Scan architecture to allow scanning of larger source code repos and faster processing of a large amount of findings.

Important

The new multi-language source code scan engine is now version 1.1.0. Versions 1.0.0, 1.0.1, 1.0.2, 1.0.5, and 1.0.6 are considered internal test and beta versions of the multi-language scan engine and are not available for download by Contrast customers.

Checksum:

  • MD5 checksum: 4ad02dbb651afd65aa34540b74070460

  • SHA1 checksum: 31fe66afb757422aab0cb9f59fc4f1d858146bce

  • SHA256 checksum: 3f7fe7b9940c78b98721fdd865a058e0e3b61b65e45cd905615b91a828128ff7

Note

How to retrieve the published checksums

  • MD5: Use the following command:

    curl -L -H 'Accept: application/vnd.github.v3.raw' -s https://$CONTRAST_GITHUB_PAT@maven.pkg.github.com/Contrast-Security-Inc/sast-local-scan-runner/com.contrastsecurity.sast-local-scan-runner/X.X.XX/sast-local-scan-runner-X.X.XX.jar.md5 -o sastXX.md5
  • SHA-1: Use the following command:

    curl -L -H 'Accept: application/vnd.github.v3.raw' -s https://$CONTRAST_GITHUB_PAT@maven.pkg.github.com/Contrast-Security-Inc/sast-local-scan-runner/com.contrastsecurity.sast-local-scan-runner/X.X.XX/sast-local-scan-runner-X.X.XX.jar.sha1 -o sastXX.sha

For both commands, replace X.X.XX with the version of the engine you are downloading and validating. For example, for version 1.1.0 of the engine, replace X.X.XX with 1.1.0, and replace XX in the output file name (sastXX.md5 or sastXX.sha) with a short tag for that version, such as 10. Compute the digest of the JAR you downloaded and compare it with the downloaded checksum file and the values listed above; prefer the SHA-256 value, since MD5 and SHA-1 only detect a corrupted download.

Application signing verification

To verify that Contrast created and signed the Scan local engine that you downloaded, use this command:

jarsigner -verify -verbose -certs sast-local-scan-runner-X.X.XX.jar

Replace X.X.XX with the version of the Scan local engine that you want to verify (for example, 1.1.0). The output must contain the line "jar verified." and the certificate details must identify Contrast as the signer.

Release date: March 15, 2024

Note

This version of the Scan local engine is available by request only. Contrast is not publishing checksum information at this time.

To request access to this version of the Scan local engine, follow your normal Contrast support process.

Contrast plans to make the new Scan local engine generally available in the near future.

New and improved:

  • Added a --timeout CLI option that lets you control the maximum time the multi-language source code scan engine scans the specified source code.

    The value for this option is a number of minutes and applies to each language separately. For example, if you set the value to 120 minutes and your repo contains four languages, the scan can take up to eight hours (120 minutes x 4 languages).

    This feature is available only for the Contrast local scan engine.

  • Added support for file and folder exclusions.

    To use this feature, add a file named .contrast-scan.json to the root folder of the source code you are going to scan. Exclude files and folders describes how to use this feature.

    This feature is only available for the Contrast local scan engine and is only supported for multi-language source code scans.

    The file is a plain JSON document named .contrast-scan.json with this format:

    {
      "excludes": [
        "**/MavenWrapperDownloader.java",
        "**/*.js"
      ]
    }
  • Scans automatically fail if the multi-language source code scan engine doesn't find any technologies in the submitted code.

Bug fixes:

  • Fixed a bug that could cause a race condition, resulting in slow performance.

  • Fixed a bug that caused incorrect date formats to be generated in the SARIF output. The incorrect formats caused errors when using the SARIF output in GitHub.

Important

The new multi-language source code scan engine is now version 1.0.9. Versions 1.0.0, 1.0.1, 1.0.2, 1.0.5, and 1.0.6 are considered internal test and beta versions of the multi-language scan engine and are not available for download by Contrast customers.

Application signing verification

To verify that Contrast created and signed the local scan engine that you downloaded, use this command:

jarsigner -verify -verbose -certs sast-local-scan-runner-X.X.XX.jar

Replace X.X.XX with the version of the local scan engine that you want to verify (for example, 1.0.9). The output must contain the line "jar verified." and the certificate details must identify Contrast as the signer.

Release date: February 15, 2024

Note

This version of the local scan engine is available by request only. Contrast is not publishing checksum information at this time.

To request access to this version of the local scan engine, follow your normal Contrast support process.

Contrast plans to make the new local scan engine generally available in the near future.

New and improved:

  • Added support for scanning in the repo for Github customers.

    Starting with 1.0.8, Scan supports a new GitHub action that supports main branch scanning in a GitHub repo. This feature supports failing builds based on the presence of a specified vulnerability severity (or higher). Learn more at Use Contrast Scan with GitHub repositories.

  • Increased the minimum memory requirement for the multi-language scan engine to 8 GB and the timeout setting to 60 minutes. This does not replace the minimum memory requirement of 12 GB when scanning JAR and WAR files using the Java binary scanner. We continue to recommend that all users of the local scan engine ensure that 12 GB of memory is available when running scans.

Bug fixes:

  • Addressed a number of issues that prevented some languages from being correctly identified by the multi-language source code scan engine when scanned by the local scan engine. All languages supported by the multi-language source code scan engine are now correctly identified and scanned.

Important

The new multi-language source code scan engine is now version 1.0.8. Versions 1.0.0, 1.0.1, 1.0.2, 1.0.5, and 1.0.6 are considered internal test and beta versions of the multi-language scan engine and are not available for download by Contrast customers.

Application signing verification

To verify that Contrast created and signed the local scan engine that you downloaded, use this command:

jarsigner -verify -verbose -certs sast-local-scan-runner-X.X.XX.jar

Replace X.X.XX with the version of the local scan engine that you want to verify (for example, 1.0.8). The output must contain the line "jar verified." and the certificate details must identify Contrast as the signer.

Release date: January 25, 2024

Note

This version of the local scan engine is available by request only. Contrast is not publishing checksum information at this time.

To request access to this version of the local scan engine, follow your normal Contrast support process.

Contrast plans to make the new local scan engine generally available in the near future.

New and improved:

  • Increased the memory that the multi-language source code scan engine uses to 2 GB to better support larger code bases. The minimum memory requirement when using the local scan engine is still 12 GB.

  • Added a --memory parameter to the CLI that you can use to override the allocated memory for the multi-language source code scan engine.

  • Added additional logging to capture the parameters used when invoking the local scan engine. This logging captures the entire invocation command for the local scan engine (for example, -r, -p and so forth) for use when troubleshooting errors.

Important

The new multi-language source code scan engine is now version 1.0.7. Versions 1.0.0, 1.0.1, 1.0.2, 1.0.5, and 1.0.6 are considered internal test and beta versions of the multi-language scan engine and are not available for download by Contrast customers.

Bug fixes:

  • Addressed an issue when scanning .NET applications that resulted in source code being incorrectly identified.

  • Addressed an issue that caused the multi-language scan engine to ignore ABAP code when presented in a code artifact.

Application signing verification

To verify that Contrast created and signed the local scan engine that you downloaded, use this command:

jarsigner -verify -verbose -certs sast-local-scan-runner-X.X.XX.jar

Replace X.X.XX with the version of the local scan engine that you want to verify (for example, 1.0.7). The output must contain the line "jar verified." and the certificate details must identify Contrast as the signer.

Release date: December 14, 2023

Note

This version of the local scan engine is available by request only. Contrast is not publishing checksum information at this time.

To request access to this version of the local scan engine, follow your normal Contrast support process.

Contrast plans to make the new local scan engine generally available in the near future.

Bug fixes:

  • Fixed a bug that prevented VB.NET and Scala source code from being correctly identified and scanned by the multi-language engine.

Important

The new multi-language source code scan engine is now version 1.0.4. Versions 1.0.0, 1.0.1, and 1.0.2 are considered internal test and beta versions of the multi-language scan engine and are not available for download by Contrast customers.

Application signing verification

To verify that Contrast created and signed the local scan engine that you downloaded, use this command:

jarsigner -verify -verbose -certs sast-local-scan-runner-X.X.XX.jar

Replace X.X.XX with the version of the local scan engine that you want to verify (for example, 1.0.4). The output must contain the line "jar verified." and the certificate details must identify Contrast as the signer.

Release date: November 2023

Note

Local Scan Engine 1.0.3 is currently on restricted release. As a result, we are not providing checksum information at this time.

To get access to this version, open a support ticket to request it. We apologize for this inconvenience and are working hard to address this issue as soon as possible.

New and improved:

November 29, 2023

  • Fixed an issue in role-based access control authentication that could trigger a 403 error when you try to assign a project to an empty resource group or when a user has access to multiple resource groups and they do not specify one.

    If role-based access control is turned on, the -r <ResourceGroupName> option in the Contrast CLI is now mandatory when you create a scan project.

November 8, 2023

  • The Contrast local scan engine now supports the ability to scan source code for over 25 languages. For a complete list of supported languages, see Contrast Scan supported languages.

  • The local scan engine can now run natively under Windows environments running a suitable JVM.

  • Fixed an issue where using spaces in the path for an artifact to be scanned caused a fatal scan error.

  • Removed an unneeded log from the local scan engine, reducing overall disk space utilization when scanning Java binary files (JAR or WAR files).

  • Fixed an issue that caused the local scan engine to fail when running under Alpine Linux.

Important

The new multi-language source code scan engine is now version 1.0.3. Versions 1.0.0, 1.0.1, and 1.0.2 are considered internal test and beta versions of the multi-language scan engine and are not available for download by Contrast customers.

Application signing verification

To verify that Contrast created and signed the local scan engine that you downloaded, use this command:

jarsigner -verify -verbose -certs sast-local-scan-runner-X.X.XX.jar

Replace X.X.XX with the version of the local scan engine that you want to verify (for example, 1.0.3). The output must contain the line "jar verified." and the certificate details must identify Contrast as the signer.

Release date: July 24, 2023

Bug fixes:

  • Fixed a bug that prevented the local scanner from reporting all vulnerabilities found across multiple JAR files. Only the last JAR file scanned in the ZIP file was reported.

Checksum:

  • MD5 checksum: f57f9174d0643832f9e38b95998fe280

  • SHA-1 checksum: 8b2f5680111c5a4e5999a3449ee871bb822d27f6

Note

How to retrieve the published checksums

  • MD5: Use the following command:

    curl -L -H 'Accept: application/vnd.github.v3.raw' -s https://$CONTRAST_GITHUB_PAT@maven.pkg.github.com/Contrast-Security-Inc/sast-local-scan-runner/com.contrastsecurity.sast-local-scan-runner/X.X.XX/sast-local-scan-runner-X.X.XX.jar.md5 -o sastXX.md5
  • SHA-1: Use the following command:

    curl -L -H 'Accept: application/vnd.github.v3.raw' -s https://$CONTRAST_GITHUB_PAT@maven.pkg.github.com/Contrast-Security-Inc/sast-local-scan-runner/com.contrastsecurity.sast-local-scan-runner/X.X.XX/sast-local-scan-runner-X.X.XX.jar.sha1 -o sastXX.sha

For both commands, replace X.X.XX with the version of the engine you are downloading and validating. For example, for version 0.0.60 of the engine, replace X.X.XX with 0.0.60, and replace XX in the output file name (sastXX.md5 or sastXX.sha) with a short tag for that version, such as 60. MD5 and SHA-1 only detect a corrupted download; the jarsigner check below is what establishes that Contrast signed the file.

Application signing verification

To verify that Contrast created and signed the local scan engine that you downloaded, use this command:

jarsigner -verify -verbose -certs sast-local-scan-runner-0.0.XX.jar 

Replace XX with the version of the local scan engine that you want to verify.

Release date: May 22, 2023

New and improved:

  • Added the ability to specify a resource group as a parameter in the local scan engine when you scan a project for the first time.

    To use this feature, your organization must have role-based access control enabled and you require sufficient permissions to create a new project (Manage Project Role or higher).

    Specify the resource group name using the -r parameter.

Checksum:

  • MD5 checksum: 0fa38c5c9e46e3b2c6bdb2d2ed3baa20

  • SHA-1 checksum: 76fe00f7d70d45176904a2b62a9d1083f0731a03

Note

How to retrieve the published checksums

  • MD5: Use the following command:

    curl -L -H 'Accept: application/vnd.github.v3.raw' -s https://$CONTRAST_GITHUB_PAT@maven.pkg.github.com/Contrast-Security-Inc/sast-local-scan-runner/com.contrastsecurity.sast-local-scan-runner/X.X.XX/sast-local-scan-runner-X.X.XX.jar.md5 -o sastXX.md5
  • SHA-1: Use the following command:

    curl -L -H 'Accept: application/vnd.github.v3.raw' -s https://$CONTRAST_GITHUB_PAT@maven.pkg.github.com/Contrast-Security-Inc/sast-local-scan-runner/com.contrastsecurity.sast-local-scan-runner/X.X.XX/sast-local-scan-runner-X.X.XX.jar.sha1 -o sastXX.sha

For both commands, replace X.X.XX with the version of the engine you are downloading and validating. For example, for version 0.0.60 of the engine, replace X.X.XX with 0.0.60, and replace XX in the output file name (sastXX.md5 or sastXX.sha) with a short tag for that version, such as 60. MD5 and SHA-1 only detect a corrupted download; the jarsigner check below is what establishes that Contrast signed the file.

Application signing verification

To verify that Contrast created and signed the local scan engine that you downloaded, use this command:

jarsigner -verify -verbose -certs sast-local-scan-runner-0.0.XX.jar 

Replace XX with the version of the local scan engine that you want to verify.

Release date: April 6, 2023

New and improved:

  • Support for multi-JAR scanning

    This release adds the ability to scan multiple JAR files as one artifact. You can add multiple JAR files to a ZIP file and scan it as a single artifact.

    To scan a multi-JAR ZIP file, package the JAR files at the top level in a ZIP file and scan it using the Scan local engine, as normal. For example:

    multiple-jar-artifact.zip 
    -> artifact1.jar 
    -> artifact2.jar 
    -> artifact3.jar

    Once completed, the Contrast web interface displays the scan as a single project under the Scans tab.

Bug fixes:

Releases 0.0.57 through 0.0.59 contained internal bug fixes that had no effect on the Scan behavior or performance.

Scan web interface

Release date: June 11, 2024

New and improved:

  • Added the ability to see the language associated with a detected vulnerability.

    To see content in the new Language column, run a new scan in the project. The Contrast web interface doesn't display the language for older scans.

    If you are using the Scan local engine, you must use version 1.1.1. Using an earlier version of the local scan engine results in the Contrast web interface displaying Composite as the language. If you see this and you are using the Scan local engine, upgrade to version 1.1.1.

  • Added the ability to filter views based on the language associated with a detected vulnerability.

Bug fixes:

  • Fixed a bug that prevented the How-to-fix information from being properly displayed in the Web interface.

  • Fixed an issue that caused C++ and C# vulnerabilities to be counted twice.

    As a result of this change, the system remediation workflow marks duplicate vulnerabilities as remediated for C++. For C#, these vulnerabilities remain open.

Release date: May 14, 2024

Bug fixes:

  • Due to performance issues when generating the Scan attestation report, the report is now limited to generating 100 open vulnerabilities, by severity and status. Larger reports will be supported in the future.

  • Addressed an issue with file uploads to Contrast where files over 500 MB could cause out-of-memory (OOM) errors, especially when you used the Scan CLI commands. This fix does not increase the file upload size limit beyond 1 GB but provides a consistent experience between uploads through the Contrast web interface and through the CLI. If you have repos that are larger than 1 GB, consider using the Contrast Scan local engine.

Release date: April 25, 2024

New and improved:

  • Enhanced the CSV report to include code snippets for each vulnerability.

  • Changed the CSV report so that you can see the file name and line number from the path for each vulnerability.

  • Changed the CSV report to exclude vulnerabilities with a Remediated and Not a problem status.

  • Added the ability to supply a filter to the API call when generating a CSV report programmatically.

  • To aid in timely generation of the CSV report and address performance issues, the CSV report is now limited to the first 2,000 open entries based on severity and status.

  • Added pagination to the API when generating a CSV report so it can exceed the 2,000 line limit.

Bug fixes:

  • Improved the Scan architecture to allow scanning of larger source code repos and faster processing of a large amount of findings.

Release date: March 2024

Bug fixes:

  • Fixed a bug that could cause a race condition, resulting in slow performance in the Contrast web interface.

  • Fixed a bug in the Contrast web interface that resulted in an error when specifying an underscore (_) as part of a search parameter when searching projects.

Release date: February 15, 2024

New and improved:

  • Added a detected language column on the vulnerabilities tab for a scan project. This value identifies the language associated with the vulnerability.

  • On the vulnerabilities tab for a scan project, added the ability to filter the view by detected language.

  • This release includes an automated Jira integration supporting SAST.

    When you configure this Jira integration, you can automatically push notifications about vulnerabilities to a Jira project. To configure this integration, specify a single Jira project and one or more severity levels. Learn more in Jira Cloud.

    Support for multiple Jira projects is planned for a future release.

Bug fixes:

  • Addressed a number of issues preventing some languages from being correctly identified by the multi-language source code scan engine.

Release date: January 2024

New and improved:

  • January 25, 2024

    New and improved:

    • On the Scan project page in the Contrast web interface, you can view the languages that the multi-language source code scan engine detected.

    • Added the ability to search for scan projects based on detected languages.

    Bug fixes:

    • Fixed a bug in the CLI that suggested a scan had failed when it invoked the multi-language source code scan engine.

    • Fixed a bug in the CLI that prevented the list of found vulnerabilities from being displayed in the CLI output once a scan completes.

    • Addressed an issue when scanning .NET applications that resulted in source code being incorrectly identified.

    • Addressed an issue that caused the multi-language scan engine to ignore ABAP code when presented in a code artifact.

Release date: December 2023

New and improved:

  • December 14, 2023

    • NEW: You can now generate an Attestation report for your scan projects from a scan project page and from the vulnerability tab on the scan project page.

    • Removed the ability for a user to change a vulnerability status to Fixed. The Scan engine determines this status based on whether a vulnerability is still seen in the source code in subsequent scans.

    • Fixed a bug that prevented VB.NET and Scala source code from being correctly identified and scanned by the multi-language engine.

Release date: November 2023

New and improved:

  • November 28, 2023

    • If role-based access control is turned on, creating a scan project now requires that you specify a resource group. The Create your scan project screen has a dropdown that displays a list of the resource groups assigned to the user who is creating the project. If users have a single resource group assigned to their role, this resource group is the default selection.

      In addition, users need a role that includes the Create project action.

      Create a scan project describes this new requirement.

  • November 8, 2023

    • NEW: Contrast Scan now provides two types of scans: Java binary for Java files, and source code for most other languages and technologies.

      When you select a source code scan, upload a ZIP file that contains the source code you want to scan.

    • NEW: Source code scanning is expanded to include over 25 additional languages and technologies, as listed in Scan supported languages and technologies. To use the expanded source code scanner, select the Source code option when you create a new project.

    • For hosted customers: Contrast Scan now supports multi-language detection for source code scanning. When you upload a ZIP file, the scan engine determines which languages are present in the ZIP file and scans each file. Contrast displays the results in a single scan project.

    • Removed the need to select a language when you create a scan project. Scan can now determine the type of code artifact you are uploading. Scan continues to support single JAR and WAR files as well as ZIP files that contain multiple JAR files or source code.

    • Added two fields to the CSV file you can download:

      • Language: Identifies the language for a specific vulnerability.

      • Comment: Shows the last comment made for a vulnerability.

      The CSV file populates these fields after you run a new scan for an existing project.

Release date: June 2023

New and improved

  • June 30, 2023

    • Added the ability to add a comment for a vulnerability status without changing the current status. The Activity tab for a specific vulnerability lets you add comments.

  • June 12, 2023

    • Added the ability to see who created a project by displaying the project creator's name at the top of the Scans page and the Scan details page.

    • Added the ability to see who ran a specific scan for a project.

      The Scan history in the Scans page has a new Name column that shows the name of the individual who ran a specific scan. The Summary section of the Scan details page also shows who ran the scan.

    Note

    Both of these features apply to new projects and new scans. Existing projects or scans do not display the new information.

Release date: May 2023

New and improved:

  • Added support for multi-JAR scanning in the Java binary scanner.

    You can now include multiple JAR files in a single ZIP file when you use the hosted Java binary scanner (using the Contrast CLI or the Contrast web interface).

    The maximum upload size limit for a ZIP file is 1 GB.

Release date: April 2023

New and improved:

  • Added a vulnerability activity tab that shows information on status changes made to vulnerabilities within a project.

    To view this tab, select the Vulnerabilities tab for the selected scan project and then select a specific vulnerability.

  • Added the requirement to add comments when you change the status of a vulnerability in a project.

  • Added the ability to delete a project and all associated data in the Contrast web interface for users with a Manage all projects role.