Current known vulnerabilities
CAST takes security seriously, as such this section provides detailed information about all known security vulnerabilities that are present in AIP Core. If you think you may have found a vulnerability that is not listed in this page, please contact us.
Vulnerability reference | Currently impacted CAST AIP software/versions | Fixed in | Description/Notes |
|---|---|---|---|
CVE-2014-0160 | Zorba 1.4 | Not fixed | There is currently no standalone patch available for Heartbleed vulnerable DLLs present in the third-party Zorba 1.4. |
Current known issues
This section lists all current known issues in AIP Core. There are 32 issues in the list.
| Component(S) | Situation | Symptoms | Workaround | Known since | Internal ID |
|---|---|---|---|---|---|
| Upgrading a PeopleSoft or Siebel application to 8.3.6 | Objects of type SRC (Target Source File) will be dropped and recreated during post-upgrade consistency snapshot. This is due to a change of the internal identifier (GUID) of these objects. The change was necessary to fix a mismatch between violations and their associated source files (SCRAIP-33138). | At the time of 8.3.6 shipping, the exact impact of dropping / recreating SRC objects was still under investigation. Please contact Technical Support in case you need to know more about this issue or in case you would like a workaround. | 8.3.5 | AIPCORE-115 | |
| Using CAST Server Manager to upgrade using Assessment Model option "default AM". Look at logs under %TEMP%\CAST\CAST\8.3\Servman | The log file contains this warning message: "WRN: :- Cannot find: CAST 8.3.3 Assessment Model" | 8.3.3 | AIPCORE-353 | ||
| Analyzing an application made of 2 (or more) technologies. E.g. C++ and PHP And source code of different technologies shares a common parent folder. E.g.: -- C:\Sources\CPP -- C:\Sources\PHP Note: For each folder in the source code path, AIP creates a "Directory" object. Directory objects have specific types, such as "C++ Directory" or "UA Directory" (PHP is analyzed with the Universal Analyzer, UA). | Following quality rules can report less violations than expected: -- .NET: Consistent File full name and directory structure (DIAG_SCOPE_ASPBEST008) -- .NET: Index pages and global.asa location in the root directory (DIAG_SCOPE_ASPBEST009) -- C++: Count of Objects likely to use structures (DIAG_CPP_ANA_USING_STR_TOTAL) In Enlighten and in Development view of CAST Engineering Dashboard (CED): Only a single Directory object is created for the parent folder. The type of the Directory object for the parent folder depends on the analysis order of the technologies. The Directory object takes the type of the first technology analyzed within the application. Expected are as many Directory objects as there are different technologies underneath the parent folder, each having the type of the respective technology. For the example given in "Situation", 3 Directory objects are created: -- A "C++ Directory" for "Sources" folder (if C++ is analyzed before PHP, otherwise it will be a "UA Directory") -- A "C++ Directory" for "CPP" folder -- A "UA Directory" for "PHP" folder Expected are: -- A "C++ Directory" for "Sources" folder -- A "UA Directory" for "Sources" folder -- A "C++ Directory" for "CPP" folder -- A "UA Directory" for "PHP" folder | 8.2.5 | SCRAIP-28587 | ||
| When analyzing an application containing T-SQL code that includes tables with indexes. | Results for all Quality Rules related to table indexes are incomplete (some violations are missing) and metrics related to table indexes (for example Line number where no index is used in a WHERE clause) are below their real value. | 8.2.3 | SCRAIP-24977 | ||
| Application Engineering Dashboard (AED) | Analyzing a JEE application and a module is shared between several analysis units of the application and shared modules are in violations, | The information displayed for quality rule "Avoid cyclical calls and inheritances between packages" are inconsistent. For instance: * The grades is shown as evolving while no violation is added * The number of object in violation is inconsistant with the number of failed checks Violations are not counted consistently, resulting in the issues listed above. | None. | 8.2.0 | SCRAIP-21928 |
| During a quality analysis of .ABAP, PowerBuilder, C++, C#, VB.NET or JEE | Violationof rule 'Avoid Classes with a High Lack of Cohesion' is raised for classes without any member variable (function container) | None. The standard "cohesion" metric is defined to be 1 for this kind of class, which are not really recommended in an object oriented environment. This will mark them as in violation, even though this can be considered as a valid programming pattern in some context. | 8.2.0 | SCRAIP-22438 | |
| when you load the CED page "Investigation - Application Drilldown" multiple times without having results displayed | Depending on application size, it can takes time to display results, then if you try to reload the page, it will duplicate a dashboard job that is going to insert data in the database. As a result, you will have duplicated information in the page for "number of violated rules", "number of objects with violations", "number of violations" | Do not reload the page until the page display results | 8.2.0 | SCRAIP-21320 | |
| Any analysis where the Module configuration does not use the "Full content module" option. | The execution report, available in CMS at the end of the snapshot procedure, indicate one extra module, compared to what is configured and displayed elsewhere in the product (Modules tab in CMS, Dashboard) | None. This is a pure display bug, without any consequence on the results. | 8.1.0 | SCRAIP-18678 | |
| Transaction Configuration Center (TCC) | With the .NET technology, you can create a dependency link either directly between two projects, or between one project and an assembly that was generated by another project. In the second case, if you have several copies of the same DLL (possibly with different versions), you should always reference the same file in all projects. If several versions of the file (even identical but in different paths) are selected, they will conflict with each other. | Some objects and links may be missing from the analysis results (and therefore transactions may also be missing and the Function Point count may be incorrect), with no message about unresolved calls even when looking at the log in debug mode. | If you are in this situation, you can, before packaging the application with the Delivery Manager Tool, change the project files to manually ensure only one file is referenced. You can do this in Visual Studio, or manually in the .csproj files. Alternatively, if you reference an assembly that is built by another project in your delivery, you can also replace all assembly references to it with a project reference, which will bring more benefits. | 8.0.0 | SCRAIP-14745 |
| Running the first analysis of an application just after upgrade from a version older that 8.0.0 | CMS verification view shows an error similar to "[Object ID] :Code xxx does not correspond to an active type". It comes from the facts that some object types linked to the legacy VB.NET analyzer (version 7.3 and older) don't have an exact matching type in recent versions. They are left in the configuration as is, but are considered invalid. This will happen most often for an application which uses C# or VB.NET, but these type be used (by mistake) in any application. | The objects indicated in the error (module definition, AU definition) must be edited in CMS, removing the legacy type, and making them use the new types as applicable. | 8.0.0 | SCRAIP-13699 | |
| CMS Snapshot/Analysis - Generate Modules | Re-analysis of an application, where the execution split has been changed. That is, grouping of analysis units in execution units has been updated, in order to work around memory issues, or for any other reason. | In the Dashboard, some modules appear empty, or some objects are marked as deleted even though they exist in the code. When checking the module content in CAST Management Studio, the objects still appear. Workaround: There is no easy workaround for that problem. The data used to compute final results of the analysis have been corrupted by the execution units reorganization. Please get in touch with CAST Support, they will help you fix the problem. | 7.3.7 | SCRAIP-18323 | |
| CAST Dashboard | When upgrading from CAST AIP 7.0.x to CAST AIP 7.3.x and looking at the dates listed for the current and previous snapshots in the CAST Engineering Dashboard. | A discrepancy is displayed regarding the dates if the snapshot that was generated at the end of the CAST migration process is deleted and re-generated. In this situation the current snapshot date is displayed correctly, but the previous snapshot date is incorrect and refers to an older snapshot. | 7.3.4 | SCRAIP-7119 | |
| Using Cast Management Studio or the Delivery Manager Tool on Windows 8 or 10, with a High Resolution Display | Many text fields are not correctly displayed, the text is too big and partially visible. | Change the display scaling factor back to 100%. CMS/DMT do not correctly handle the recent UI scaling introduced by Windows for High DPI screens. In Windows 10, right click on the Desktop Background, select "Display settings". In that window, move the "Change the size of text (...)" slider to 100%, even if it is not the recommended value. | 7.3.0 | SCRAIP-21477 | |
| CAST Update Tool (CUT) | Migrating from 7.2 to 7.3 using CAST Update Tool (CUT). And having a delivery folder shared among mutiple Mangement Bases (MB). And having all MBs of the delivery folder ticked in CUT for update. | CUT displays incorrectly a "Confirmation" dialog box. The dialog box reads: "You must select all MBs that manage applications within a delivery folder. Refer to the documentation. Database(s) missing in folder <delivery folder>: <empty list> And <n> MBs not listed in the connection profiles. Do you want to continue? <OK> / <Cancel> | Note: If ALL MBs have been ticked, the message is incorrectly displayed and can be safely ignored and you can proceed by clicking "OK". Migration will succeed. However, if there are MBs that have not been ticked, you MUST NOT proceed but make sure that you select all MBs first. | 7.3.0 | SCRAIP-2666 |
| The violations on diag 'Avoid having SQL code in Triggers named pre-record' disappear when there is no squirrel package in the version. | Missing violations on the diag 'Avoid having SQL code in Triggers named pre-record'. | 7.3.0 | SCRAIP-3057 | ||
| CAST Management Studio (CMS) | - Duplicate a csproj under a folder with a lot of .NET sources in DMT, create a package containing duplicated projects Analyze in one way duplicated projects | Performance issue occurs in merging phase of analyzer | Remove duplicated sources to restore performances | 7.3.0 | SCRAIP-2902 |
| CMS Snapshot/Analysis - Compute Snapshot | Two Applications (A and B) exist in the CAST Management Studio and objects in Application A have links to objects in Application B. To identify and save these links, a custom dependency is created between the two Applications. | When the "Take a snapshot of each Application" option is run for the first time after defining the dependency, no links between the two Applications are identified. | Re-run the "Take a snapshot of each Application" option to obtain the links between the two Applications. | 7.3.0 | SCRAIP-1539 |
| When using the CAST AIC Portal | When you rename an Application in the CAST AIC Portal, the name change is not reflected when subsequently using the Delivery Manager Tool (the Application name has not been updated). | 7.2.3 | SCRAIP-14968 | ||
| CAST Dashboard | Occurs on CAST Engineering Dashboard, Investigation - Quality Model Drilldown view when selecting a Distribution. | Depending from which Business Criteria, list of objects selected for the distribution will be not the same if some objects exists without any violations. If distribution is selected through Heath Factor indicator, then list of objects are sorted by PRI and so only objects with violations are listed If distribution is selected through TQI or Rules Compliance indicator, then list of objects are sorted by name and contained all objects even those with no violations There is no impact on the grade that is similar everywhere. | 7.2.0 | SCRAIP-13652 | |
| CMS Snapshot/Analysis | When generating a snapshot in the CAST Management Studio on one machine and having the CAST Storage Service installed on a different machine and each machine is showing different time (or is configured to a different time zone). | The capture date/time of the snapshot is not consistent between the CAST Management Studio and the CAST Storage Service. | 7.2.0 | SCRAIP-949 | |
| When using the CAST Delivery Manager Tool to create a remediation item. | On cancelling the remediation creation window, the remediation is added anyway. | 7.1.0 | SCRAIP-14971 | ||
| When changing the path to the Deployment folder in the CAST Management Studio. | The help explanation displayed in the dialog box is truncated. | 7.1.0 | SCRAIP-14970 | ||
| CAST Management Studio (CMS) | When synchronizing an Assessment Model on a Dashboard Service after some documentation update | The synchronization fails with "Invalid language symbol 'English' in metric ID <x> | Remove the 'English' translation of the default 'English' text for the indicators with External ID <x>. | 7.1.0 | SCRAIP-13532 |
| When using the CAST Management Studio and editing an Analysis Unit that enables you to include or exclude source files/folders (C/C++ for example). | If you add an exclusion/inclusion and then click the Cancel button, a blank entry is added to the list of exclusion and inclusions. | 7.1.0 | SCRAIP-14969 | ||
| - Running analysis of an Application with Castms command line : CAST-MS-cli.exe RunAnalysis -connectionProfile myConnectString -deliveryUnit myDU -system mySystem -appli myApplication - And there is no application "myApplication" in the Delivery Unit. | All applications are analyzed instead of only the one defined in the command line (myApplication). | Make sure the application defined in command line exists in the Delivery Unit portfolio. | 7.0.9 | SCRAIP-14981 | |
| CAST Dashboard | When selecting a Business Criteria in the Investigation view and when working with Internet Explorer 7 or 8. | Selecting a Business Criteria will sometimes cause a different Business Criteria to be selected and updated. | Sort the Business Criterion column using the column header. | 7.0.7 | SCRAIP-13777 |
| New User Defined Table types added after an initial analysis/snapshot are missing from the Analysis Service if they are not called by another SQL object. | You take a snapshot for a database that may contain User Defined Table types. You then add a new User Defined Table type and execute a second snapshot. You check in CAST Enlighten to see if this User Defined Table type exists or not. The object is missing. You then add a new procedure that calls this User Defined Table type and then execute a third snapshot. When you check with Enlighten, the object now exists. If the User Defined Table type exists in the application before the first analysis/snapshot, it will be saved ; if not, it is saved in your Analysis Service only when it is referenced by another SQL object (eg. : by a stored procedure). | 7.0.7 | SCRAIP-14768 | ||
| - Analysing a JSP or ASP application. - In a JSP or ASP file, the last Script tag used specifies a different script language than the previous tags. | - All Script tags used in the file are considered as being of the same language as the last Script tag found in the file. - This can result in a syntax error during analysis when analyzing scripts using different Script Languages in the same file. | Modify the last Script tag in the file: Text replacement : Add at the end of the last tag used in the file the Script language different that the one used for this tag Example: - previous tag in the page are in JavaScript, - the last tag in the page is in vbScript - Text Replacement : <tag in vbScript><script text="text/javascript"></script> | 6.4.1 | SCRAIP-14707 | |
| Having an object in one database (e.g. a procedure in database A) accessing an object in another database (e.g. a table in database B) and the following conditions are met: - Both databases have been previously analyzed and therefore exist already in the KB. - The two databases are analyzed by different jobs. - The option 'Auto register called databases' is OFF in the job analyzing database A. | Missing link between objects in different database when both databases exist in the KB and are analyzed separately In the job log the following informational message is contained. The job finishes successfully. Information: Skipped Ref. procedure 'my_proc' -> table 'my_db..my_table' because 'my_db..my_table' is in a foreign database that not registered. In Enlighten, there is no link between my_proc and my_db..my_table. | Either set option 'Auto register called databases' to ON in the job analyzing database A, or analyze both databases in one single job. | 6.4.1 | SCRAIP-14769 | |
| Characters that are specified in a JavaScript file in the form '%nnn' lead to a syntax error. For example, the following line in a JavaScript file produces a syntax error during analysis: MM_openBrWindow ('http://static.com/images/offerterms.html', %20'thepopup','width=450,height=500,scrollbars=yes,menubar=yes'); Please note the '%20' notation that is used for the space character. | 6.4.1 | SCRAIP-15001 | |||
| The Metrics Assistant wizard does not allow the use of functions and procedures defined in 'Object types' | 6.4.1 | SCRAIP-14984 | |||
| When different languages (java, js, html ...) are present on one single line of code, the computed 'number of lines of code' is wrong. | 6.4.1 | SCRAIP-14998 |
