Feature Improvements
Technology support changes
Please see Technology coverage changes in CAST AIP 8.3.x for more detailed discussion of this subject.
Installation and deployment
Renamed WAR files
Continuing with the dashboard re-naming modifications made in CAST AIP 8.3.2 (see Release Notes - 8.3.2), the WAR files have now been renamed as follows:
Previous name | New name |
---|---|
CAST-AAD.war | CAST-Health.war |
CAST-AED.war | CAST-Engineering.war |
CAST-AAD-AED.war | CAST-Health-Engineering.war |
Please ensure that you take note of this and modify any WAR deployment routines you may have.
SAML authentication mode
The following CAST AIP web applications now support user authentication over SAML:
- CAST AIC Portal
- Health Dashboard
- Engineering Dashboard
- CAST-RestAPI
Supported Platforms
Windows Server 2016 is now supported for use with CAST AIP, CAST Delivery Manager Tool and CAST dashboards.
Windows Server 2016 is only supported by CAST when installed in Desktop Experience mode (i.e. with a GUI).
Upgrade - removal of the CAST Update Tool (CUT)
The CAST Update Tool (CUT.exe) and its command line counterpart (CUT-CLI.exe) have been removed from the CAST AIP setup and are no longer installed. All upgrade actions are to be performed with CAST Server Manager or the upgrade batch file.
CastGlobalSettings.ini
The CastGlobalSettings.ini file has been cleaned up to remove references to an obsolete environment variable "%ALLUSERSPROFILE%\Application Data\". This has been replaced with the variable "%PROGRAMDATA%". There is no impact to end users.
Engineering Dashboard
Risk Model colour
The colour used for the Risk Model view and tile has changed from red to yellow:
Critical Violation icon
The Critical Violation toggle icon has been redesigned - there is no change to the behaviour of this toggle icon.
Change Language option
Improvements have been made to the Change Language option:
- To view a new language in the Change Language option, it is now only necessary to define a new locale folder and a translation file. The dashboard will automatically detect the locale and offer the language.
- Language change is specific to the browser. Therefore if the browser cache is emptied, the language will reset to whatever the default is.
- The ability to set a default language has been added to the ced.json file.
Health Dashboard
New columns for drill down from tiles
The columns displayed when drilling down from Health Measure tiles, Top Critical Rules and Technologies Overview tiles have been redesigned:
It is now also possible to force the "% Compliance" column to display "% Failed". See Health Dashboard json configuration options in the app-navigation.json section.
Change Language option
The top user menu now has an additional drop down menu item called "Change Language". This allows a user to change the language of the text items in the dashboard, providing an administrator has configured the language:
- To view a new language in the Change Language option, it is only necessary to define a new locale folder and a translation file. The dashboard will automatically detect the locale and offer the language.
- Language change is specific to the browser. Therefore if the browser cache is emptied, the language will reset to whatever the default is.
- The ability to set a default language is managed in the cmp.json file.
User Input Security (dataflow)
Improvements to the User Input Security feature have been added in this release.
Security for Java extension
A new extension called Security for Java is available for download and installation - this extension automatically generates JEE specific bytecode (also known as "CASTIL") for the User Input Security feature. It provides more accurate results than the bytecode that was previously generated by the analyzer and CAST highly recommends that this extension is used if you are intending to perform User Input Security checks as part of your source code analysis.
Automatic Blackboxing
The User Input Security feature will now automatically generate blackbox methods on the fly during the analysis process for all methods which do not have a body, i.e. all code that is deemed to be "external" to the application boundary. This includes the majority of assemblies for which no source code can be found (framework assemblies, third-party JARs/assemblies, internal frameworks without source code etc.). It is still possible to manually create blackbox methods if necessary.
Improved Common Weakness Enumeration support
The following CWE are now supported:
- Trust Boundary Violation (CWE-501)
- Sensitive Cookie in HTTPS Session Without 'Secure' Attribute (CWE-614)
- Use of Hard-coded Credentials (Java, C#, VB.NET languages) (CWE-798)
CAST Management Studio
CLI
PurgeVersion
A new option called PurgeVersion has been added to enable you to automate the deletion of a Version whose extracted source code has already been deleted, i.e. the version is present in the "Delivery without source code" section of the CAST Management Studio GUI. See Automating CAST Management Studio tasks for more information.
CAST Delivery Manager Tool
New Package Alerts tab
The CAST Delivery Manager Tool now has a new tab called Package Alerts that is present for some package types:
This tab contains three panels:
- Packaging alerts > was previously available in the Package Content tab. An ignore button has been added enabling you to ignore an alert (the ignored alert will be listed in the new panel Any alert to ignore?).
- Any alert to ignore? > this is a new panel not previously available. It lists all alerts that have been manually ignored from the Packaging Alerts tab.
- Any manual remediations to apply for alerts? > was previously available in the Package Configuration tab.
CAST Architecture Checker
Checking links to objects outside the application boundary
Architecture Checker can report violations between two Layers even when objects inside the targeted Layer not only are external, but also belong to a module external to the Application being checked. The only constraint is that the objects inside the Layer from which the Dependency towards the targeted Layer is issued, must belong to a module internal to the Application. For example, it is possible to check for links which reach objects belonging to a .NET assembly outside of the Application boundary, provided these links start from objects in a module which is internal to the Application (even though these latter objects can be external).
CLI
The CAST Architecture Checker now has a CLI mode that can be used to run a check model action (equivalent to the same action in the GUI). See Automating CAST Architecture Checker tasks for more information.
CAST Transaction Configuration Center
Change to the way non-contributing End Points are handled
To avoid having empty transactions, if a transaction has non-contributing End Points then their DET value is considered as a contribution to the transaction. In previous releases of CAST AIP some of these End Points had a DET value of 0, and as a consequence these transactions were considered as empty.
To avoid this situation, starting from CAST AIP 8.3.3, where transactions ONLY have non-contributing End Points, the minimum DET of the transaction is set to 1. The impact of this is that after upgrade to CAST AIP 8.3.3, some of the transactions which were empty before may now become valid. This can happen with the predefined list of End Points delivered in CAST AIP, when the following End Points are reached and they are the only ones reached by the transaction:
CAST System Views
Two previously undocumented CAST System Views (CSV) for the Dashboard Service schema have now been documented. Please see CAST System Views - Dashboard Service for more information:
- CSV_OBJECTS_STATUSES
- CSV_VIOLATION_STATUSES
In addition, both CAST System Views listed above contained column names that had typographical errors. These typographical errors have been fixed by adding new columns spelt correctly. The existing column names containing the spelling errors will remain and are now deprecated. Please update any scripts or queries that use the existing column names:
- CSV_OBJECTS_STATUSES
  - SNAPHOT_ID replaced by SNAPSHOT_ID
  - OBEJCT_TECHNO_TYPE_ID replaced by OBJECT_TECHNO_TYPE_ID
- CSV_VIOLATION_STATUSES
  - SNAPHOT_ID replaced by SNAPSHOT_ID
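One way to find and rewrite the deprecated column names in existing query scripts, as an added example that is not part of the CAST documentation or tooling. It assumes the script text only queries the two views listed above; `migrate_sql`, the sample query and the `MY_SNAPHOT_ID_BAK` column are hypothetical and constructed for illustration.

```python
import re

# Deprecated -> corrected column names, taken from the list above.
RENAMES = {
    "SNAPHOT_ID": "SNAPSHOT_ID",
    "OBEJCT_TECHNO_TYPE_ID": "OBJECT_TECHNO_TYPE_ID",
}

# Match a deprecated name only as a whole identifier, so that longer
# names which merely contain it (e.g. MY_SNAPHOT_ID_BAK) are left alone.
_PATTERN = re.compile(
    r"(?<![A-Za-z0-9_$])(" + "|".join(RENAMES) + r")(?![A-Za-z0-9_$])",
    re.IGNORECASE,
)


def _fix(match):
    old = match.group(1)
    new = RENAMES[old.upper()]
    # Keep the script's own casing convention for all-lowercase names.
    return new.lower() if old.islower() else new


def migrate_sql(text):
    """Return (rewritten_text, findings); findings are (line_no, old, new)."""
    findings = []
    out_lines = []
    for line_no, line in enumerate(text.splitlines(keepends=True), start=1):
        for m in _PATTERN.finditer(line):
            findings.append((line_no, m.group(1), _fix(m)))
        out_lines.append(_PATTERN.sub(_fix, line))
    return "".join(out_lines), findings


# Constructed sample query (hypothetical, not from CAST documentation).
SAMPLE = (
    "SELECT s.SNAPHOT_ID, s.obejct_techno_type_id\n"
    "FROM CSV_OBJECTS_STATUSES s\n"
    "JOIN CSV_VIOLATION_STATUSES v ON v.SNAPHOT_ID = s.SNAPHOT_ID\n"
    "WHERE s.MY_SNAPHOT_ID_BAK IS NULL;\n"
)

if __name__ == "__main__":
    fixed, hits = migrate_sql(SAMPLE)
    for line_no, old, new in hits:
        print(f"line {line_no}: {old} -> {new}")
    print(fixed)
```

Review the reported findings before replacing a script, since a name inside a string literal or comment is rewritten as well.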
Resolved Issues
The following table lists all bugs fixed in CAST AIP 8.3.3.
Call ID | Technology | Component/s | Features | Situation | Symptoms | Internal ID |
---|---|---|---|---|---|---|
10112 | | CMS Snapshot/Analysis | | When attempting to run a .NET analysis when CAST AIP is installed on a remote network drive. | The analysis fails with the error: "Internal exception occurred during processing listener ManageDmtProjectAction::Process on instance CAST_DotNet_Job_NewAnalyze #2 : unknown exception". | SCRAIP-31270 |
10131 | | Delivery Manager Tool | | Attempting to extract and package a small schema using the standalone Oracle extractor. | The extraction process runs for many hours and does not complete. | SCRAIP-31279 |
10251 | | Delivery Manager Tool | | When using the CAST Delivery Manager Tool to remediate items following an initial packaging action. | The "Edit" button in the right click menu for a "Remediation Item" is shown twice. | SCRAIP-31277 |
10273 | | Application Engineering Dashboard (AED) | | When looking at the source code of an object that is violating a Quality Rule in the CAST Application Engineering Dashboard. | The source code does not correspond to the object that is in violation. | SCRAIP-31269 |
10287 | | CMS Application - Reference Pattern Search String | | When attempting to run a UA analysis including a Reference Pattern search string. | The Reference Pattern search string step takes a very long time to complete. | SCRAIP-30729 |
10364 | | CMS Application | | When attempting to run an analysis with a large number of Execution Units. | The analysis fails at the User Input Security step due to the command line used to process the analysis containing more than 32,000 characters. | SCRAIP-31271 |
10426 | | CMS Snapshot/Analysis | | When opening the DLM and checking for Dynamic links to be validated/ignored. | Link bookmarks are not visible for Powerbuilder technology. However, the bookmarks are present in the Analysis Service schema. | SCRAIP-31274 |
10464 | | CAST Engineering Dashboard | | Having deleted the Architecture Models from the Application and from the View, and then generated a new snapshot. | Quality Rules associated to the Architecture Models are still visible in the snapshot results. | SCRAIP-31264 |
10594; 10595 | | CMS Snapshot/Analysis - Run Copy Paste Metrics Calculation | | When looking at the results of the Quality Rules "Avoid Artifacts with high Commented-out Code Lines/Code Lines ratio" and "Avoid Too Many Copy Pasted Artifacts" for versions Vn and Vn+1. | Violation counts for these Quality Rules are inconsistent even though the source code has not changed between versions Vn and Vn+1. | SCRAIP-29524 |
10648 | | Delivery Manager Tool | | When using the CAST Delivery Manager Tool to create remediation items for alerts that have been generated during an initial packaging action as follows: "Add remediation" option (right click on alert), not adding anything in the "Value" column and then cancelling the new remediation. | Remediation is created and causes the alert to be resolved even though it is not correctly defined. | SCRAIP-31261 |
10695 | | CMS Snapshot/Analysis | | When looking at the logs of a PowerBuilder analysis. | The logs contain syntax error warnings for syntax where global structures are located inside global objects. | SCRAIP-31260 |
10746 | | CMS Snapshot/Analysis | | When attempting to run a VB analysis. | The analysis fails with the fatal error 'An exception occurred while processing analysis in VB6 technology' and 'Error occurred while processing analysis'. | SCRAIP-29795 |
11005 | | Application Analytics Dashboard (AAD) | | When comparing the number of deleted Transactions in the legacy CAST Engineering Dashboard and in the CAST Application Analytics Dashboard (Health Dashboard) with those listed in the CAST Transaction Configuration Center. | The transaction is shown as "deleted" in the legacy CAST Engineering Dashboard and in the CAST Application Analytics Dashboard (Health Dashboard) whereas the transaction is not visible at all under the Evolution node in the CAST Transaction Configuration Center (the TCC reports the correct information). | SCRAIP-31220 |
11239 | | CMS Snapshot/Analysis - Generate Modules | | When attempting to generate a snapshot. | The "generate modules" step takes a very long time or never finishes at all. | SCRAIP-31253 |
11245 | | CMS Snapshot/Analysis - Run Analyzer | | When opening the DLM and checking for Dynamic links to be validated/ignored. | Link bookmarks are not visible for Powerbuilder technology. However, the bookmarks are present in the Analysis Service schema. | SCRAIP-31254 |
11297 | | | | When using the Extension Downloader CLI. | When using the 'list all' command at the command line, rather than returning a list of all extensions available on the remote server, the command lists only the extensions that have not yet been downloaded. The 'list all' option behaves identically to the 'list available' CLI option. | SCRAIP-31255 |
11665 | | Setup | | When attempting to use the CSSBackup.exe tool in CAST AIP 8.3.1 after installing 8.3.1 over CAST AIP 8.3.0. | The backup fails with error "Missing translation for id cast.java.runtime.createProcessIOException. Missing translation: cast.java.runtime.createProcessIOException. A fatal exception occurred while executing pg_dump : null. Error: 2001". | SCRAIP-31341 |
11700 | | AI Center Portal | | When using the CAST Delivery Manager Tool and using the "save password to server" option in a package. | When working on the same package on a different workstation the password has to be manually re-entered - i.e. the "save password to server" option is not working. | SCRAIP-31295 |
11728 | | CMS Snapshot/Analysis - Run Analyzer | | When looking at the results of the Quality Rule "Never truncate data in MOVE statements" (7688). | There is a false violation of the Quality Rule for a variable that cannot be resolved. | SCRAIP-31247 |
11905 | | Application Analytics Dashboard (AAD) | | The CAST Health and Engineering Dashboards contain an older version of jQuery. | The older version of jQuery is a security risk. | SCRAIP-31425 |
11966 | | AI Center Portal - Download Delivery Manager Tool | | When downloading the CAST Delivery Manager Tool from the AIC Portal. | An error message is displayed "Unable to create shortcut" and the shortcut to the DMT is not created. | SCRAIP-31105 |
11971 | | CMS Snapshot/Analysis - Run Analyzer | | When attempting to run a .NET analysis. | The analysis completes, however, the log contains a warning: "Warning MODULMSG ; Job execution DOTNET.0003:Unknown exception System.AggregateException: One or more errors occurred." and "System.InvalidOperationException: Sequence contains more than one element". The issue occurs when a folder containing more than one *.wsdl file is encountered. | SCRAIP-31506 |
| | | | | When attempting to generate a snapshot. | The process hangs at the "Compute snapshot" step for many hours. | SCRAIP-31587 |