Changes in results post upgrade - 8.3.42

Summary:

  • Impacts of changes made to AIP Core 8.3.42 on Quality Model results post upgrade
  • Other impacts of changes made in AIP Core 8.3.42

All changes in results related to extensions are listed in the extension documentation and will not appear in this page.

SAP/ABAP

New rules

Two new rules have been implemented in this release of AIP Core:

  • Avoid cyclic references in the definition of CDS views (S4/HANA) (8566)
  • Avoid calculated fields in WHERE-clauses and ON-clauses of CDS views (S4/HANA) (8568)

Additional violations of these new rules may be evident after upgrade to this release and the generation of a new snapshot on unchanged source code. See https://technologies.castsoftware.com/rules?sec=t_-15&ref=|| for a list of available SAP/ABAP rules.

SQL Analyzer

Change to scope of rules

Customer bug 33799 has revealed that SQL Scripts containing Data Modification Language (DML) - object type "SQL Script DML file" - were incorrectly taken into account by the following 3 quality rules:

  • Avoid having multiple artifacts inserting data on the same SQL Table (7390)
  • Avoid having multiple artifacts deleting data on the same SQL table (7392)
  • Avoid having multiple artifacts updating data on the same SQL Table (7394)

The object type "SQL Script DML file" has therefore been removed from the scope of these quality rules and as a result of this change, after upgrade to this release and the re-analysis of unchanged source code, violations on such SQL scripts are no longer reported. Therefore, a reduction in the number of violations may be seen in existing results.

.NET Analyzer

Change to the rule "DataReader must be called using CommandBehaviour.CloseConnection enumeration" (7258)

A change has been made to the rule "DataReader must be called using CommandBehaviour.CloseConnection enumeration" (7258) - previously this rule would return a violation even though the CloseConnection enumerated value was correctly used in the source code. As a result of this change, after upgrade to this release and the re-analysis of unchanged source code, a reduction in the number of violations may be seen in existing results.

User Input Security

Changes to Avoid log forging / Avoid debug forging rules

Improvements have been implemented for the following rules:

  • Avoid log forging (8044)
  • Avoid log forging through API requests (8508)
  • Avoid debug forging (8542)
  • Avoid debug forging through API requests (8544)

Previously these rules were not able to correctly identify input arguments with specific types such as int / long / float / double or other specific types like java.lang.Throwable / java.time.LocalDateTime / System.DateTime. This situation has now been resolved and these input types are now handled correctly. As a result, after upgrade to this release and the generation of a new snapshot on unchanged source code, some violations that were previously detected erroneously may no longer be detected.
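The following added example (not CAST code and not part of the original release notes) illustrates why a value bound to a numeric or date type is not a log forging vector while a String is: a long or a LocalDateTime cannot carry the CR/LF characters needed to start a new log entry. The class and method names and the sample values are constructed for illustration; how the analyzer itself models these types is not described on this page.

```java
import java.time.LocalDateTime;

// Added illustration; class, method names and sample values are hypothetical.
public class LogForgingTypes {

    // Builds a log entry by concatenation, as application code often does.
    static String entry(String message) {
        return "WARN " + message;
    }

    // Neutralises CR/LF and other control characters so one call yields one line.
    static String neutralize(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            if (c == '\r') sb.append("\\r");
            else if (c == '\n') sb.append("\\n");
            else if (Character.isISOControl(c)) sb.append('?');
            else sb.append(c);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed input: a String parameter that carries a line break.
        String name = "alice\nINFO login ok for admin";
        // Constructed input: parameters that were bound to typed values.
        long accountId = Long.parseLong("42");
        LocalDateTime when = LocalDateTime.parse("2024-01-01T12:00:00");

        String raw = entry("login failed for " + name);
        String typed = entry("login failed for account " + accountId + " at " + when);
        String safe = entry("login failed for " + neutralize(name));

        System.out.println("String, unsanitized: " + raw.lines().count() + " line(s)");
        System.out.println("long + LocalDateTime: " + typed.lines().count() + " line(s)");
        System.out.println("String, neutralized: " + safe.lines().count() + " line(s)");

        // A line break never reaches a numeric type: parsing rejects it first.
        try {
            Long.parseLong("42\nINFO login ok for admin");
        } catch (NumberFormatException e) {
            System.out.println("numeric parse rejected the crafted value");
        }
    }
}
```

When triaging results after the upgrade, findings that disappear on typed arguments match this pattern; findings on String arguments that reach a logger without neutralization remain worth reviewing.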

Support for Oracle JDBC driver methods

Support has been added for Oracle JDBC driver methods - previously, methods from this driver were not automatically sanitized and were marked as potential flaws. These methods are now supported. As a result, after upgrade to this release and the generation of a new snapshot on unchanged source code, some violations that were previously detected erroneously may no longer be detected.

Support for methods such as LogError, LogInfo

Improvements have been implemented for the following rules:

  • Avoid log forging (8044)
  • Avoid log forging through API requests (8508)
  • Avoid debug forging (8542)
  • Avoid debug forging through API requests (8544)

Methods such as LogError, LogInfo, etc. are now supported. An example of such methods can be found in APIs like "Microsoft.Extensions.Logging.LoggerExtensions". As a result, after upgrade to this release and the generation of a new snapshot on unchanged source code, some violations that were previously detected erroneously may no longer be detected.

Support for org.springframework.jms framework methods

Support has been added for org.springframework.jms framework methods - previously, methods from this framework were not automatically sanitized and were marked as potential flaws. These methods are now supported. As a result, after upgrade to this release and the generation of a new snapshot on unchanged source code, some violations that were previously detected erroneously may no longer be detected.

Support for com.google.gwt.safehtml.shared.SafeHtmlUtils methods

Support has been added for com.google.gwt.safehtml.shared.SafeHtmlUtils methods - previously, methods from this package were not automatically sanitized and were marked as potential flaws. These methods are now supported. As a result, after upgrade to this release and the generation of a new snapshot on unchanged source code, some violations that were previously detected erroneously may no longer be detected.