Release Notes

Contrast 3.4.3 - August 2017

Set optimal standards for user accounts in the refreshed Security page, and create Protect policies before onboarding to any applications. Once you do, we'll give you complimentary guidance on using your applications so you see the results you want.


  • Login and check out compliance violations without errors.
  • Removed (fake) option to set Node security controls for specific rules.
  • Virtual patches display names in Attack Events and show up in the right applications.
  • Link to Ruby Agent configuration is active.
  • Servers with no UUID value are gone from the Production database for SaaS.
  • Menu options for Node applications are restored.
  • Password validation works on the registration page.
  • XML errors are things of the past.
  • Trace processing accepts trace events.
  • IP Blacklist page is back.
  • Protect events render again.


  • We no longer support instrumentation through the .NET Profiling API and now only use Duplex technology: a patented mechanism that allows us to coexist peacefully with your other favorite .NET agents.

  • Use the revamped Security page to manage password policy, session timeouts, two-step verification and IP restrictions. You can also access an audit log, where you can search for past activity in your organization by keyword and date.

  • Admins can now set Protect policies before licensing and onboarding any application. Go to the Protect Rules page to quickly configure rules for any environment.

  • Specify the application language(s) when you're creating virtual patches and Log Enhancers.

  • We'll give you some guidance on using your applications so you see results and recognize them on your servers.

  • Change the severity for an entire vulnerability type with the click of a confirmation button.

Agent Updates

  • Java Agent Summary: We added several rule accuracy improvements for Assess and Protect along with the ability to more easily deploy custom rules and better support for library detection in GlassFish. We also fixed a bug in the data flow engine that would prevent vulnerabilities from being reported in certain conditions.

  • .NET Agent Summary: We now report potential security controls and provide more reliable initialization. We also improved stability of IIS-Express instrumentation as well as Assess and Protect accuracy.

  • Node.js Agent Summary: We added more useful logging for application clustering, and support automatically adding applications to existing groups. We fixed an issue that was preventing URLs from showing up in application activity - and, yes, it’s really fixed this time.

  • Ruby Agent Summary: We've added logic for reporting the application build number, the initial SSRF rule implementation, and the ability to set or override configuration values with command line options. As we enter the final month before our general availability with Contrast version 3.4.4, our September work will be focused on increasing performance and preparing for advanced Protect rules and Assess features.

Contrast 3.4.2 - July 2017

With new agent reports for virtual patch, IP blacklist and BotBlocker events - not to mention more powerful Advanced filters - the Attacks page is more lethal than ever before. Just choose a language to start creating your own.


  • Linked the latest Release News in the User menu.
  • API documentation is ready for (re)launch.
  • Environment information is back in the Application Overview page.
  • Cookie value conforms to RFC 6265.
  • Add a payload and retest updates to your WebHook integration without leaving the page.
  • Dashboard and Library Stats show your correct Library count and grade.
  • Edit servers in bulk without enabling Syslog.
  • Deflated number of Not Seen applications in Organization Statistics.
  • No more editing other users' comments on vulnerabilities.
  • SuperAdmins can login on the first try, save and view groups, and even assign licenses to an organization.
  • Update your expired password without the added shame of page errors.
  • See the full stacktrace from .NET applications and create Security Controls in Vulnerability Details.
  • Syslog values are stored correctly in the database.
  • Send bugs to JIRA locally.
  • Application Importance, Attackers and Severity filters are revived in the Attacks page.


  • We’re making it easier to add applications to the appropriate access groups by letting Admins determine the group by name during application onboarding.

  • For our Protect users, agents now send virtual patch, IP blacklist and BotBlocker events to the Attack Events record. We also added some new Advanced filters to help you make sure that you don’t get swamped by all those bad bots.

  • We extended our exclusions technology to .NET Assess rules to help you make Contrast even more accurate within your environment.

  • Choose the right application language(s) for you when creating a virtual patch or Log Enhancer.

  • Get better visualization of vulnerability details - and more improvements to come!

Agent Updates

  • Java Agent Summary: We introduced a new CVE Shield for CVE-2017-9791, added adaptive optimization techniques to improve performance over time, improved support for various libraries and frameworks, and introduced memory usage improvements. We also fixed a few false positives and one false negative.

  • .NET Agent Summary: We improved our XXE detection in Assess mode, and added support for Assess exclusions. We also added experimental support for CLR2 under Duplex mode (which supports both Assess and Protect).

  • Node.js Agent Summary: We improved error handling when the agent is given an invalid URL for the Contrast interface, and made the autocompletion prevention missing rule less permissive. We also found a few bugs in setting apiKey arguments in the command line, reporting URL activity, and applications loading the requirejs module, but those are long gone.

  • Ruby Agent Summary: We've officially entered beta! After the confetti cleared, we updated the library and class usage code to more accurately reflect usage in the inventory reports, and implemented the Padding Oracle Protect rule. You'll also be seeing foundation work for NoSQL injection rules in MongoDB and an initial set of eight property-based Assess rules very soon.

Contrast 3.4.1 - June 2017

New application compliance policies, environment-specific defaults for servers, and a vulnerability standards filter for Vulnerability Trend reports make it easier to set your sights high and keep them there.


  • Added some stickiness to New and Total Views in Vulnerability Trend, so it's there when you come back.
  • Debugged some bugtracker integrations (and made an ironic tee to prove it).
  • Cleared the way to create Rule Exclusions from Attack Events.
  • Sorted out mail configurations in our interface.
  • Updated security standards for one-time migration.
  • Got the Applications page back up and running - load, search, add tags and export licensed (and only licensed) applications without any errors.
  • Re-empowered you (yeah, that's a word) to select Application Access Groups when adding users or poking around Organization Settings.
  • Stopped inserting vulnerabilities twice in logs.


  • Tired of surprises? Set environment-specific defaults for servers before they even come online!
  • Contrast supports x509 client certificate authentication through a Trusted HTTPS proxy.
  • Protect log events now have the application name embedded in them for easier identification with other events. If only those phone numbers from last night were so easy...
  • You should know if your IP Blacklists, Virtual Patches or BotBlockers are working. So, we're going to show you in Attack Events and record them in all your logs.
  • Watch out for noncompliant applications with new compliance policies based on rules or security standards like DISA STIG, PCI DSS or OWASP Top-10. Show them who's boss!
  • Put away the rose-colored glasses, and sort your applications by security standards with our new vulnerability standards filter in the Vulnerability Trend report.
  • A new user default for access control groups helps your roles avoid a nasty collision. (Unless, you know, you want to...)

Agent Updates

  • Java Agent Summary: We added accuracy improvements, performance enhancements, and better support for applications using javax.jws annotations and older versions of Struts 1 and JSTL. We also refactored key parts of our data flow engine to prepare for a few enhancements.

  • .NET Agent Summary: We added IIS Express support and looked into CLR2 support under Duplex instrumentation. We also added Protect bot blocking and body parsing to detect attacks in API applications, and got rid of a few bugs for overall accuracy and reliability.

  • Node.js Agent Summary: While we were nearly one-hundred percent focused on Protect, we fixed a bug that kept libraries from reporting when an applications started from a non-app-root directory.

Contrast 3.4.0 - May 2017

Our new Visual Studio Team Services and improved JIRA integrations make it even easier to keep track of your bugs. (We fixed a few of our own bugs while we were in the area, too.) Of course, you have to check out Protection coverage for applications on your way over. We'll help you stay on track!


  • Weeded out duplicate information in application security PDF report.
  • Let you change Protection policy for all rules, all at once.
  • Fixed agent directory permissions during EOP upgrade.
  • Superadmin can export trace XML for vulnerabilities in Production.
  • Straightened out new asset and new vulnerability notifications.
  • Navigate to Notes for .Net servers without fear of 403s.
  • Syslog features - like validation support for IPV6 - are up and running.
  • Disabled editing of Protection policies for child applications.
  • Save new integrations and send vulnerabilities with JIRA no matter what's in your fields.
  • Delete a licensed application and still keep the license in the organization. Win, win.
  • No more group interference when you update organization roles. You do you.
  • Restored module filter for vulnerabilities in merged applications.
  • Got rid of duplicate vulnerabilities displaying in Applications page.
  • Addressed application permissions for Access Group members.


  • With User Attribution, Contrast enriches attack data with user information so you can put a (user)name to the face...err...IP address.
  • Created a brand new integration to export vulnerabilities from Contrast directly into Visual Studio Team Services or Team Foundation Server.
  • Select two-way integration in your JIRA configuration to automatically update the status of a vulnerability (or vulnerabilities - we won’t judge) in Contrast when you close the corresponding ticket.
  • Security controls for Node are here! If you know your data is secure, go ahead and add those Input Validator or Sanitizer APIs into Contrast.
  • Use the new filter in the Vulnerability Trend chart to search for applications that are out of compliance.
  • Need to Blacklist a range of IPs? Just add them to the newly extended fields for Attacks, Events and IP management.
  • Look for the new Protection coverage for applications in Organization Statistics, Attack Monitor and, of course, the Applications page.
  • Find any empty servers and focus on libraries by language with new Advanced filters.
  • Looking to move to a distributed setup of Contrast? Use ZooKeeper!

Agent Updates

  • Java Agent Summary: We made improvements to heap usage as well as the accuracy of Assess and Protect Rules. We also added better support for applications running in Pivotal Cloud Foundry.
  • .NET Agent Summary: We added Protect Virtual Patches, Protect Path-Traversal and .NET 4.7 Support. We even improved reliability of Duplex instrumentation. You can also specify the agent environment as a configuration setting as well as control the instrumentation mode used by the agent in Contrast.
  • Node.js Agent Summary: We support level 1 rule creation as well as runtime enabling and disabling of Security Controls and Assess rules. We also send server environment information to Contrast. Library reporting errors have been a bit too verbose, so they'll be better from now on.