Scan release notes

Made a significant number of improvements across languages to reduce false positives.

Improved parsing of Natural source code to reduce false positives and improve scan performance.

Improved parsing of COBOL source code to reduce false positives and improve scan performance.

Updated the supported version of Kotlin to 1.6.0.

Added support for scanning of Java 16 and 17 files.

Improved support for Vue.JS.

Fixed a bug that caused the source code scan engine to fail for all scans.

Added new options to only fail a scan on a branch if it would introduce new vulnerabilities.

Multiple fixes to improve Scan local engine behavior and performance.

MD5 checksum: fa99a209ba3662a198df735fa4c795eb

SHA1 checksum: 1c78f9570e20c18b01c4b609904f4bdf9cfe8eff

SHA256 checksum: e4316485cba75bf032cfcd4537d1c9281bf8813bac03d84004e55b5bf415ec99

Added these rules:

Updated Log4j libraries throughout codebase.

Added the ability to identify and upload total lines of code and files scanned.

Fixed a stack overflow error resulting from PHP scans under specific circumstances.

Fixed an issue where the engine failed to parse some C# extension methods properly.

Added a new --metadata option for the Scan local engine that lets you specify metadata when you create a scan project.

Added optional support for Rust and Terraform using the Semgrep open source engine.

If you want to scan code in these languages and send the results to the Contrast web interface, you must download the Semgrep engine. If the Scan local engine identifies the presence of either of these languages, it sends the relevant files to Semgrep and combines the SARIF results with the file that Contrast creates.

Scan languages with the Semgrep engine provides additional details about this feature.

The --memory option now works with the binary scan engine.

Recommendation: Keep your memory allocation for the binary scan engine at 12GB or higher. A lower memory allocation can adversely affect the binary scan engine's performance and accuracy.

To reduce noise and potential false positives, .h files are no longer implicitly scanned for C, C++, or ObjectiveC languages.

If, during the course of scanning these languages, the source code calls a .h file, then that file is scanned as part of the overall code analysis.

MD5 checksum: fa99a209ba3662a198df735fa4c795eb

SHA1 checksum: 1c78f9570e20c18b01c4b609904f4bdf9cfe8eff

SHA256 checksum: e4316485cba75bf032cfcd4537d1c9281bf8813bac03d84004e55b5bf415ec99

Added a --level command option that provides better logging from the multi-language scan engine. To turn on logging for a specific log level, use one of these values: ERROR, WARN, INFO, DEBUG, or TRACE.

Use this option only when the Contrast Support team instructs you to do so rather than using it with all scans

Changed the maximum log size to 20MB before creating a new log file.

Due to a bug that caused the source code scan engine to fail, all customers should upgrade their local scanner to version 1.1.2 to resume operations.

All previous versions are now considered end of life.

To help you understand the Contrast version control policy, Scan local engine releases and versions describes the policy that applies to all future releases.

MD5 checksum: 7be87ce1ab990c45e91c7060e5300ce2

SHA1 checksum: e55d9fa9323dc93bc29d4f68e927763c6e5fb12b

SHA256 checksum: ef8c84c1ad4549ab4e22a638dbf5d5d4d5700f6209ddcabfe66a20639880e0be

The Scan local engine now creates a unique output folder for each scan. The location of the folder name is: .contrast-scan/<CURRENT_TIMESTAMP>. where <CURRENT_TIMESTAMP> is the date and time when the scan ran.

Updated configuration for C/C++ languages to avoid duplication of results.

In previous versions of the Scan local engine, scans analyzed .h and .c files using C++ and C rules. This behavior generated duplicate vulnerabilities. The latest version of the scan engine no longer generates duplicate vulnerabilities. If you had this issue previously, when you run the new version of the scan engine, it will change the status of the duplicates to Remediated.

MD5 checksum: 4ad02dbb651afd65aa34540b74070460

SHA1 checksum: 31fe66afb757422aab0cb9f59fc4f1d858146bce

SHA256 checksum: 3f7fe7b9940c78b98721fdd865a058e0e3b61b65e45cd905615b91a828128ff7

Added these exclusions to the Java binary scanner: com.azure, org.apache, and com.nimbusds.

Added a --severity parameter for the Scan local engine to let you get a build fail status. The specified values is the minimum level of severity that returns a build fail status code that you can use to gate builds in pipelines.

For example, if you specify --severity high, a finding of that severity or higher returns a build fail status code.

Added support for multi-branch scanning when using the GitHub action for the Scan local engine.

You can now download the Scan local engine with a reusable script.

Improved the Scan architecture to allow scanning of larger source code repos and faster processing of a large amount of findings.

MD5 checksum: 4ad02dbb651afd65aa34540b74070460

SHA1 checksum: 31fe66afb757422aab0cb9f59fc4f1d858146bce

SHA256 checksum: 3f7fe7b9940c78b98721fdd865a058e0e3b61b65e45cd905615b91a828128ff7

Added a --timeout CLI option that lets you control the maximum time the multi-language source code scan engine scans the specified source code.

The value for this option is a specified number of minutes. This option applies to each language. For example, if you set the value of this option to 120 minutes and your repo contains four languages, potentially, the scan can take up to eight hours (120 minutes x 4 languages).

This feature is only available for the Contrast local scan engine only.

Added support for file and folder exclusions.

To use this feature, add a file named .contrast-scan.json to the root folder of the source code you are going to scan. Exclude files and folders describes how to use this feature.

This feature is only available for the Contrast local scan engine and is only supported for multi-language source code scans.

The file format for the JSON file is:

// File name  ".contrast-scan.json"
{
  "excludes": [
    "**/MavenWrapperDownloader.java",
    "**/*.js"
  ]
}

Scans automatically fail if the multi-language source code scan engine doesn't find any technologies in the submitted code.

Fixed a bug that could cause a race condition, resulting in slow performance.

Fixed a bug that caused incorrect date formats to be generated in the SARIF output. The incorrect formats caused which caused errors when using the SARIF output in Github.

Added support for scanning in the repo for Github customers.

Starting with 1.0.8, Scan supports a new Github action that supports main branch scanning in a Github repo. This feature supports failing builds based on the presence of a specified vulnerability severity (or higher). Learn more at Use Contrast Scan with GitHub repositories.

Increased the minimum memory requirement for the multi-language scan engine to 8 GB and the timeout setting to 60 minutes.  This does not replace the minimum memory requirement of 12 GB when scanning .JAR and .WAR files using the Java binary scanner.  We continue to recommend that all users of the local scan engine should ensure that 12 GB of memory is available when running scans.

Addressed a number of issues that prevented some languages from being correctly identified by the multi-language source code scan engine when scanned by the local scan engine. All languages identified by the mult- language source code scan engine should now correctly identify and be scanned.

Increased the memory that the multi-language source code scan engine uses to 2G to better support larger code bases. The minimum memory requirement when using the local scan engine is still 12GB.

Added a --memory parameter to the CLI that you can use to override the allocated memory for the multi-language source code scan engine.

Added additional logging to capture the parameters used when invoking the local scan engine. This logging captures the entire invocation command for the local scan engine (for example, -r, -p and so forth) for use when troubleshooting errors.

Addressed an issue when scanning .NET applications that resulted in source code being  incorrectly identified

Addressed an issue that caused the multi-language scan engine to ignore ABAP code when presented in a code artifact

Fixed a bug that prevented VB.NET and Scala source code from being correctly identified and scanned by the multi-language engine.

Fixed an issue in role-based access control authentication that could trigger a 403 error when you try to assign a project to an empty resource group or when a user has access to multiple resource groups and they do not specify one.

If role-based access control is turned on, the -r <ResourceGroupName> option in the Contrast CLI is now mandatory when you create a scan project.

The Contrast local scan engine now supports the ability to scan source code for over 25 languages. For a complete list of supported languages, see Contrast Scan supported languages.

The local scan engine can now run natively under Windows environments running a suitable JVM.

Fixed an issue where using spaces in the path for an artifact to be scanned caused a fatal scan error.

Removed an unneeded log from the local scan engine, reducing overall disk space utilization when scanning Java binary files (JAR or WAR files).

Fixed an issue that caused the local scan engine to fail when running under Alpine Linux.

Fixed a bug that prevented the local scanner from reporting all vulnerabilities found across multiple JAR files. Only the last JAR file scanned in the ZIP file was reported.

MD5 checksum: f57f9174d0643832f9e38b95998fe280

SHA checksum: 8b2f5680111c5a4e5999a3449ee871bb822d27f6

Added the ability to specify a resource group as a parameter in the local scan engine when you scan a project for the first time.

To use this feature, your organization must have role-based access control enabled and you require sufficient permissions to create a new project (Manage Project Role or higher).

Specify the resource group name using the -r parameter.

MD5 checksum: 0fa38c5c9e46e3b2c6bdb2d2ed3baa20

SHA checksum: 76fe00f7d70d45176904a2b62a9d1083f0731a03

Support for multi-JAR scanning

This release adds the ability to scan multiple JAR files as one artifact. You can add multiple JAR files to a ZIP file and scan it as a single artifact.

To scan a multi-JAR ZIP file, package the JAR files at the top level in a ZIP file and scan it using the Scan local engine, as normal. For example:

multiple-jar-artifact.zip 
-> artifact1.jar 
-> artifact2.jar 
-> artifact3.jar

Once completed, the Contrast web interface displays the scan as a single project under the Scans tab.

Added the ability to archive multiple scan projects at the same time.

Added the ability to exclude files and folders with scan you run in the Contrast web interface.

Added the ability to configure dynamic scoring for scan projects at the organization level.

Added a Created time column to the Scan project list that shows the date and time when you created a scan project.

This feature applies to new scans only.

Added a new tab on the Scan project page that shows files and rule that were excluded based on file exclusions and policies.

This tab is available only for scans with the Contrast Scan local engine.

The Contrast web interface now shows a warning message when you upload a code artifact to be scanned that navigating away before the upload completes cancels the upload operation.

Added support to configure notifications for failed scans in the Contrast web interface.

Added the ability to see the total number of lines of code scanned during a particular scan.

Added the ability to see the total number of files scanned during a particular scan.

Added the ability to see the version of the local scanner used during a scan.

Adjusted the default sorting of projects.

By default, projects are now automatically sorted by last scan date in ascending order (the newest project is at the top, the oldest is at the bottom).

Added a 90 day option to the Last Scan filter on the Scan project page.

For organizations with role-based access control enabled, the Scan project page now shows the resource groups with which the project is associated.

The displayed resource groups are based on the role for the logged-in user. Different users could see different resource groups. For example, a standard user could see different resource groups than a user with administrator permissions.

Added a Branch tab to the Scan project page.

This tab is visible only when you run scans using the branch command with the Scan local engine.

Added more details about the source of a vulnerability.

Where relevant, the vulnerability overview displays the source file name, line number and code snippet as well as the sink file name, line number and code snippet.

Added more details for the reason a scan failure.

In the Scan history, you can hover over a scan fail message to see a tool tip that displays information on the reason for a scan failure.