Acunetix 360 On-Premises Changelog

Acunetix 360 On-Premises 2.1 – 19th August 2021

NEW FEATURES

  • Added support for creating Teams and Roles.
  • Added SCIM 2.0 API support for improved SSO integration which supports user and group synchronization with popular Identity Providers.
  • Added IBM ALM (Jazz Team Server).

IMPROVEMENTS

  • Improved access control by introducing new more granular permissions
  • Improved role assignment for website groups while inviting new members
  • Improved the performance of issues/allissues API endpoint.
  • Added alternate email address field (if available) to the account/me API endpoint.
  • Added email and SMS filter to the notification.
  • Added an option to fail GitLab CI/CD build for only confirmed vulnerabilities.
  • Added Organization field to GitHub issue tracking integration.
  • Added an option to fail Azure Pipelines build for only confirmed vulnerabilities.
  • Prettified the outputs printed by Azure Pipelines, GitLab, and UrbanCode deploy CI/CD integrations.
  • Added support for committing changes on the tag editors with the TAB key.
  • Updated YouTrack issue tracker integration to use the new API.
  • Improved Splunk integration by sending the issue updates without requiring a new scan.
  • Improved the performance of the Technology Dashboard.
  • Improved the performance of the scans/report endpoint.
  • Updated the look and feel of emails sent.
  • Added Known Issues information to issues while sending to Kenna.
  • Improved the performance of PCI scan reports.
  • Added links to CVE IDs on reports.
  • Issue notes are added to reports which are exported.
  • Added an option to trigger user-defined notifications even for cases in which a user who configured the notification did not launch the scan.
  • Improved the statusCode and errorMessage returned from members/deleteinvitation API endpoint on cases when the invitation is missing.
  • Changed roles/update API endpoint response status code from 201 to 200 to better comply with REST best practices.
  • Added “Override Version Vulnerability Severities” option to Scan Policy > Attacking settings.
  • Improved the error message displayed when a Website Group cannot be deleted due to it being referenced by a notification.
  • Extended the range of digits that can be entered for HOTP and TOTP configuration.
  • Improved data validation for email addresses.
  • Added the Web Storage Exclusion to Ignored Parameters in the Scan Policy.

 

Deprecated APIs

  • The following APIs have been deprecated:
Deprecated APIs What to use instead
/api/1.0/teammembers/new Renamed to /api/1.0/members/newinvitation
/api/1.0/teammembers/list Renamed to /api/1.0/members/list

The request model has not changed, but the UserListApiResult response model has been replaced with MemberApiModelListApiResult.
/api/1.0/teammembers/get Renamed to /api/1.0/members/get

The request model has not changed but UserApiModel response model has been replaced with MemberApiModel
/api/1.0/teammembers/getbyemail Renamed to /api/1.0/members/getbyemail

The request model has not changed but UserApiModel response model has been replaced with MemberApiModel
/api/1.0/teammembers/update Renamed to /api/1.0/members/update

The request model has changed slightly; the response model is different.
/api/1.0/teammembers/delete Renamed to /api/1.0/members/delete 

Only the endpoint is changed; request and response are the same.
/api/1.0/teammembers/gettimezones Renamed to /api/1.0/members/gettimezones 

Only the endpoint is changed; request and response are the same
/api/1.0/teammembers/getapitoken Renamed to /api/1.0/members/getapitoken 

Only the endpoint is changed; request and response are the same

FIXES

  • Fixed an unhandled error that occurs while deleting scans.
  • Fixed an issue where the check state is reset when the search keyword is modified on the Report Policy Editor security checklist.
  • Fixed an issue where multiple Common Weakness Enumeration values were being sent to Kenna Integration.
  • Fixed the incorrect API documentation of roles/listpermissions endpoint.
  • Fixed an issue where form authentication may fail because of credentials being modified when the scan profile is updated.
  • Fixed missing state field on the member API endpoint.
  • Fixed the incorrect email displayed on the audit log when a failed login attempt is logged.
  • Fixed a bug where a team with the same name tried to be provisioned when SCIM integration is used with SSO providers.
  • Fixed the team member APIs by adding the missing CreatedAt field.
  • Fixed an issue where some users with the default View Reports rule cannot see the global dashboard page.
  • Fixed a memory leak happens while generating PDF reports.
  • Fixed a bug preventing sending PDF and HTML reports via notifications.
  • Fixed a NullReferenceException thrown while calling the scans/new API endpoint.
  • Fixed an error occurs when a website that has tagged issue is deleted.
  • Fixed a page loading issue on the authentication verifier.
  • Fixed the clipped user interface elements on the New User Mapping page when the page widths get narrow.
  • Fixed an issue where the Exclude Authentication Page checkbox does not get updated.
  • Fixed the overlapping logo on reports.
  • Fixed an issue where incremental scans started from CI/CD integrations are using the default profile if there are no scans performed to that website previously.
  • Fixed the Not Found error displayed while testing notifications for Azure Boards integration.
  • Fixed the empty PCI report issue.
  • Fixed random HTTP 500 error thrown from scans/report API endpoint.
  • Fixed missing agent groups when queried using agentgroups/list API endpoint.
  • Fixed an issue where old VDB results are displayed on the known issues tab.
  • Fixed a NullReferenceException.
  • Fixed connection timeout issues.
  • Fixed an issue where an exception was thrown if the agent Helper Service is set to use a different port on Linux machines.
  • Fixed an issue where the issues of a custom security check are incorrectly listed under a different vulnerability on reports.
  • Fixed a scan stuck issue.
  • Fixed scans failing on some systems while scanning TLS 1.3 websites.
  • Fixed an issue where incorrect scan profiles and policies were used while performing group scans.
  • Fixed an issue where the State field of an issue is converted to a numeric value when the state of a revived issue is set to some other state through API.
  • Fixed an issue where an incorrect Affected Version value is reported for an out-of-date vulnerability.
  • Fixed an issue where editing a scheduled scan displays incorrect scan policy, report policy, and agent data.
  • Fixed an issue where a custom vulnerability profile data of a report policy is not retrieved correctly when called from vulnerability/template API endpoint.
  • Fixed the missing LastLoginDate field by adding it back to member API call responses.
  • Fixed pipeline script in Jenkins where two installed scripts do not work together.
  • Fixed notification grouping for persons that are outside of the organization.
  • Fixed integration links under the Continous Integration System in the New Integration page.
  • Fixed the Linux Auto Updater Version Checking.
  • Fixed SSO login conditions.
  • Fixed a bug that prevents editing report policies.
  • Fixed a bug that the SSO email field appears although the Alternate Email is not selected.
  • Fixed a bug that prevents some users from tagging issues.

Update to the new version

If you want to update the latest version of Acunetix 360 On-Premises, see Updating Acunetix 360 On-Premises.

Acunetix 360 On-Premises 2.0.2 – 28th June 2021

NEW FEATURES

  • Added GitHub Actions CI/CD integration.
  • Added Authentication Profile feature to be able to define shared authentication once and utilize them on many scans without explicitly configuring Form Authentication for websites utilizing the same authentication procedure.
  • Added UrbanCode Deploy
  • Added Azure Pipeline Extensions
  • Added the ability to tag issues
  • Added a new Scope option for Scan Groups of Websites while configuring notifications to be able to better scope notifications for web applications/APIs under a website.
  • Added State filter to notifications which you can use issue states like Fixed, Revived, New, etc. as filtering options.
  • Added Choose Scan Profile while scheduling from API
  • Added TLS 1.3 Support

IMPROVEMENTS

  • Removed the scan report selection from notification events that do not produce any reports.
  • Added account-based option to display authentication credentials on API responses.
  • Improved time zone calculations to handle new time zones.
  • Improved configuration validation error messages for Privileged Access Management integrations.
  • Added an option to specify a scan profile while scheduling scans through API.
  • Added support for Form Authentication Custom Scripts for cases when a Privileged Access Management integration is used.
  • Added support for 11 digit phone numbers while inviting a new member.
  • Added an option to ServiceNow integration to specify if the incident should be set to Closed when the vulnerability is fixed.
  • The Category selection for ServiceNow integration is editable.
  • Added a field to specify the user’s Single Sign-On email address while creating a new team member using the API.
  • Improved configuration options for Jenkins.
  • Added the option to fail Jenkins build for only confirmed vulnerabilities
  • The login process redirects the Single Sign-On users to their providers
  • Added NIST, DISA STIG, and ASVS classifications to Report Policy
  • Added support for importing links from multiple RAML files from a ZIP file (include directive support).
  • Improved Azure AD Single Sign-On in-app help text.
  • Removed the Current Password field for admin users (logged in with Single Sign-On) while editing a member.
  • Added “Maximum URL Rewrite Signature” Scan Policy Crawling option.
  • Improved access control by introducing new more granular permissions
  • Improved role assignment for website groups while inviting new members
  • Added IgnoreSslCertificateErrors option to Docker agent.
  • Improved GitLab CI/CD script failure conditions.

FIXES

  • Adding a title to the API field in the edit team member page
  • Fixed an issue that occurs with updating scan profile
  • Fixed an issue with Imported Links getting updated to Null while using Update ScanProfiles API
  • Fixed the validation problem
  • Fixed some bugs for the Sitemap
  • Fixed an issue that getting an error which caused by connection problem with authentication verification hub on scheduled scan
  • Fixed the problem of not being able to delete the scan with a profile
  • Fixed the forgot password issue for Single Sign-On
  • Fixed an issue where the Launch button does not get enabled on the New Scan page after you enable the IAST scanning and download the sensor files.
  • Fixed an issue where a notification that is sent to an external email address was not displayed on the audit logs.
  • Fixed an issue where starting a PCI scan via using API could not start the scan.
  • Fixed an issue where a new notification created via API does not add the specified integration(s) to the new notification.
  • Fixed an issue where a team member was not created in API if the auto-generated password is enabled.
  • Fixed an issue where the custom value of FormAuthPageLoadTimeout was being overridden by its default value.
  • Fixed validation error messages on the Email Settings page.
  • Fixed some of the swagger API validation errors reported for the REST API
  • Fixed an agent scan stuck issue while archiving
  • Fixed a retest problem where some issues could not be retested
  • Fixed an agent auto-update issue
  • Fixed an issue with the GitLab integration script where builds were not failing when they were supposed to fail
  • Fixed an issue where the “Add Attachment Report” section was missing while adding a new notification
  • Fixed a mismatching type issue on /scanprofiles/list API response model
  • Fixed an issue where a failed scan sends an excessive amount of email notifications
  • Fixed an issue where Exclude Authentication Page configuration resets when another scan is performed
  • Fixed agent auto-update issues
  • Fixed an unhandled ArgumentNullException which causes some authenticated scans to fail
  • Fixed an error that occurs while trying to mark an issue as false positive
  • Fixed an internal server error that happens while using the /api/1.0/scanprofiles/update API endpoint for some profiles
  • Fixed an issue where a deleted issue tracker integration was still keeping the old issues IDs referenced
  • Fixed an issue where the helper NHS service is unexpectedly terminated on environments with multiple agents running

Acunetix 360 On-Premises 2.0 – 1st April 2021

NEW FEATURES

IMPROVEMENTS

  • Improved the visual elements of the dashboard
  • Improved the performance of the Technology Dashboard
  • Added the ability to create new SSO users via API
  • Added the ability to get a team member’s last login timestamp via API
  • Added the Website URL filter to the Scheduled Scans page
  • Improved the performance of the Sitemap
  • Updated the Name Id Policy value for SAML as the email
  • Added the ability to delete the Website Groups with ID API Endpoint
  • Added the Next Execution Time tooltip to the scheduled scan
  • Added the Scan Profile Name information to the Scan Task Groups in the Website Dashboard
  • Added the ability to save the Privileged Access Management integrations without testing
  • Fixed the scan failed errors
  • Added the title fields for Vulnerability List items
  • The delete button is disabled for system notifications on the Notifications page
  • Added the ability to assign scans to internal agents via scheduling
  • Removed all (encrypted and cleartext) authentication credentials on the API responses
  • Minor revision changes will also trigger agent auto-updates
  • The downloaded agent log file is named agentlogs.zip
  • Improved the stabilization of the agent state transitions

FIXES

  • Added Script Engine Type to the Authentication Verifier
  • Fixed the request agent logs bug
  • Fixed handling authentication tokens while executing the form authentication
  • Fixed the issue where the wrong vulnerability database version was displayed in the agent info
  • Fixed the scan session null error
  • Fixed the bug in the scan policy optimizer wizard tree
  • Fixed the issue where users cannot create a custom script in a three-legged OAuth2 Authentication
  • Notification events require appropriate permission
  • Added Scan Profiles, Scans, and Scheduled Scans’ links while deleting the scan policy
  • Fixed XSS for Jira and Pivotal Tracker integrations
  • Fixed the responsiveness of the ServiceNow category selection drop-down
  • Fixed an issue about a scan that is not matching with the agent which is in the selected agent group
  • Fixed the scan policy cloning bug
  • Fixed an issue where the View Scan Reports and Manage Issues (Restricted) options under the Scan Permission are not saved while creating new members
  • Fixed the text problem in the information of the Technologies Dashboard User Interface
  • Fixed an issue where users cannot save an empty Excluded URL field
  • Fixed an issue where scan policy and report policy drop-down appear blank while editing the scheduled group scan
  • Fixed a bug that occurs while deleting the scan profile
  • Fixed the form authentication fields encryption
  • Fixed the loading problem of default scan profile selection
  • Fixed the Pre-Request Script Error on Scheduling Scan
  • Fixed Exclude Addressed Issues on the Export Report
  • Fixed usage report page style problem

Acunetix 360 On-Premises 1.9.4 – 15th February 2021

IMPROVEMENTS

  • Added the option to provision a new member with SSO in the New Team Member addition screen.
  • SSO Email requirement is not necessary for SSO-enabled accounts without enforcement
  • Renewed PCI Compliance Report template 
  • Added scan profile and scan profile URL to scan report.
  • Added the option to add a customized header text on the Account Settings page
  • Improved issue severity sorting. Issues will be sorted as Critical, High, Medium, Low, Best Practice, Information Alerts on all screens.
  • Redesigned Scan Time Window
  • Improved design of important information, such as email and name, in dialogs
  • Updated descriptions on edit and signup web pages
  • Changed “Enable Limitless Scan” option under the General Settings to “Allow scanning without a duration limit”
  • Redesigned Basic Authentication Form
  • Added advanced script feature for the Azure Pipelines integration
  • Updated related RegEx to let users using parentheses with the website name and profile name
  • Added silent mode installation for Web Application
  • Added phone number confirmation countdown timer. 
  • Added the document link for Linux Agent installation on the New Agent page.
  • Improved the speed of page loading on the Custom Script screen
  • Improved the agent stability to prevent scans from being stuck
  • Added the possibility to add non-registered emails in notifications
  • Added SANS Top 25 report
  • The Target URL will be displayed instead of the website URL in the scan reports

FIXES

  • Fixed JSON Serialization problem in the scan profile
  • Fixed typos in Acunetix 360 Rest API Endpoint explanation
  • Fixed the validation message on the password change page
  • Fixed the validation message for admin password on the password change page
  • Fixed the Bugzilla operating system field’s name 
  • Fixed warning message for the Website Groups Update API
  • Fixed undeleted scan files (which belong to completed scans) issue
  • Disable status error fixed for Linux Agent 
  • Resolved Chromium’s auto select certificate problem. So, the problem of not being authenticated with the client certificate was solved.
  • Fixed empty exported XML issue in F5 BIG-IP ASM Rules Report
  • Fixed the HashiCorp Vault More Information link
  • Fixed an issue where “Password Transmitted over HTTP” issues were reported for HTTPS requests.

Acunetix 360 On-Premises 1.9.3 – 7th January 2021

NEW FEATURES

  • Added the Stop the Scan if the Build fails option in GitLab CI/CD
  • Added the Fail the Build if one of the selected scan severity is detected option in GitLab CI/CD
  • Upgraded the scanning engine to version 5.9.1.27722.

NEW SECURITY CHECKS

  • Added Oracle WebLogic Server Remote Code Execution (CVE-2020-14882)
  • Added Oracle WebLogic Server Authentication Bypass (CVE-2020-14883)

IMPROVEMENTS

  • Added the Scan Group selection combo box to Trend Matrix Report
  • Added WASC Threat Classification Report
  • Added the Export Unconfirmed option in the report generation screen
  • Added the info box to Custom Scripts window for the Form Authentication 
  • Added URL Rewrite Rules while a file is being imported
  • Added Uniqueness Controls on the new integration wizard
  • Added validations of new integration wizard
  • Added Swagger JSON link to API document’s index
  • Added the Exclude Authentication Pages checkbox when the Form Authentication option is enabled
  • Improved the performance of the Discovery Page
  • Improved the performance of generating reports that contain a large number of vulnerabilities
  • Improved the custom script’s performance 
  • Improved the website preview image resolution on the Verify Login & Logout screen
  • Refactored the Report Policy Migrator 
  • Disabled auto-complete in the login page inputs.
  • Changed the data protection policy link 
  • Changed the issue email template’s website URL 
  • Admin users can now set the maximum number of websites a member can add
  • Excluded usage tracker list can now be added from the new scan page

FIXES

  • Fixed a bug when scheduled scan with an imported file is edited by a different user
  • Fixed a bug in the Custom Cookie process
  • Fixed imported file bug on scan profile saving
  • Added minimum agent selection control for Agent Group
  • Fixed Agents Scanning tooltip 
  • Fixed the auto-scaling problem that occurred while using a cloud provider in Acunetix 360 On-Premises
  • Fixed the First Seen Date parameter in the Kenna integration
  • Fixed Burp XML file import problem. Users can import Burp XML file
  • Fixed report validation export problem. Users will not get an empty file
  • Fixed the error related to exporting for customers who have many websites.
  • The websites belonging to the filtered website group can be exported.
  • Users can now add a new URL Rewrite Rule without losing the existing ones

Acunetix 360 On-Premises 1.9.2 – 28th October 2020

IMPROVEMENTS

  • Added a ‘Generate optimized CSS code path’ feature to the Authentication Verifier
  • Improved the Minimum Security Level area on the Reporting page
  • Added a detailed issue template option to the template field in the ServiceNow integration
  • HIPAA will be displayed instead of OWASP in the scan summary
  • Added the scan folder path change option for internal agents

FIXES

  • Fixed the issue where the IP addresses of websites listed on the Discovered Website page were ignored
  • Fixed the issue where SAML files failed to download on MAC devices
  • Fixed the problem that occurred during verification of the form authentication API endpoint where it returned the same result after the first request
  • Fixed the problem that occurred while configuring email notifications
  • Fixed the problem that occurred while canceling stalled scans
  • Fixed the connection problem that occurred while using a proxy in internal agents
  • Fixed the autoscale problem in internal agents

Acunetix 360 On-Premises 1.9.1 – 1st October 2020

NEW FEATURES

  • Added support for alternate email for SSO login
  • Added Form authentication Hashicorp Vault integration
  • Added technologies chart to the global dashboard and website dashboard pages
  • Added test credential API endpoint for scan profiles
  • Added Form Auth Custom Scripting feature to the New Scan page
  • Redesigned the login page
  • Redesigned the SSO help text area in the SSO settings page
  • Added an API endpoint for the Updating Issue States
  • Added Travis CI integration
  • Jira integration now supports custom Resolved statuses
  • Kenna integration now supports Asset Application Identifier
  • Agents can now be installed using Linux and a Linux Agent button has been added to the Configure New Agent page
  • Upgraded the scanning engine to version 5.9.027701.

NEW SECURITY CHECKS

  • Added Out-of-date security checks for the Liferay portal
  • Added Version Disclosure and Out-of-date security checks for Jolokia
  • Added Nested XSS security checks
  • Added an ASP.NET Razor SSTI security check
  • Added a Java Pebble SSTI security check
  • Added a Thymeleaf SSTI security check
  • Added Version Disclosure and Out-of-date security checks for Grafana

IMPROVEMENTS

  • Added an Issue Update API swagger model improvement
  • New password criterion of a minimum of 15 characters has been imposed on admin and top-level users
  • Improvements have been made to the Form Authentication Test Script screen

FIXES

  • Fixed the problem of slow Vulnerable Websites per period report on the reporting
  • Fixed the file uploading problem on Imported Links
  • Fixed the Knowledge Base Report’s exporting problem
  • Fixed the Yukon time zone problem.
  • Fixed the Imported Links problem.
  • Fixed the problem where the wrong time zone was displaying in Report Templates
  • Moved the Scan Profile Test Credentials API post method fields to the body element
  • Fixed a database file error in the Report Policy Editor
  • Fixed the issue where report policy user changes were not applied when reset.
  • Fixed the Vulnerability Detail page responsiveness problem
  • Fixed the Sitemap Tree View responsiveness problem
  • Fixed the highlighted code focus problem
  • Added help text to the HashiCorp Vault integration page
  • Fixed the bug that occurred when another team member updated the shared profile
  • Fixed a bug that occurred when non-admin users updated profiles
  • The Report policy Editor CVSS scores fields now accept empty values
  • Fixed a server error that occurred while saving a cloned Scan Policy
  • Fixed the problem that occurred when reconfirming the Verify Login and Logout settings