Target audience:

CAST AI Administrator

Summary: this page lists:

  • impacts of changes made in CAST AIP 8.2.3 on Quality Model results
  • other impacts of changes made in CAST AIP 8.2.3
  • miscellaneous result changes

The changes listed assume that an upgrade from CAST AIP 8.2.2 to CAST AIP 8.2.3 has taken place.

Introduction

Each CAST AIP release provides new features which improve the value of the platform and justify an upgrade. However, there are a number of changes or improvements which can impact the measurement results/grades:

  • New or improved Quality Rules to perform deeper analysis
  • Updates to the Assessment Model, e.g. changes to rule weights, severity or thresholds. This can be mitigated by using the "Preserve assessment model" option during the upgrade.
  • Improvements of the language analysis, e.g. more fine-grained detection of objects or links
  • Extended automatic discovery of files included in the analysis
  • Bug fixes to improve the precision of results
  • And, unfortunately, a new release may also introduce new bugs which may impact the results until they are discovered and removed

Below is a list of changes made to the current release of CAST AIP that are known to cause impacts to results. You can also consult Case Study - Measurement changes after upgrade for selected customer applications which provides a more detailed analysis based on a few sample applications.

Analyzing the root causes of impacts to measurement results/grades

The following is a general description of the steps that should be taken in order to compare pre and post upgrade results:

  • Step 1: Take a snapshot (including a source code analysis) with the previous release of CAST AIP before upgrading to the new release of CAST AIP
    • Check the list of applications to be analyzed, the list of files per application and list of SQL objects from the Analysis Service.
  • Step 2: Compare the source code in version 1 (before upgrade) with the source code in the new version 2 (after upgrade)
    • Compare the list of analyzed files, list of files per application and list of SQL objects between the two Analysis Services
  • Step 3: Compare the results of the application analysis and snapshot post upgrade. This can be done by comparing the snapshots available in the Dashboard Service to find the differences in:
    • Quality rules
    • Violations
    • Grades at Business Criteria level
    • Function Points
    • Transactions
    • Lines of code

  • Step 4: Compare the data functions and transactions across the source Analysis Service and the target Analysis Service post upgrade.
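One way to triage the per-rule violation differences found in Step 3 against the impacts this page lists, as an added example (not CAST code). The rule IDs and expected directions come from the sections below; the dictionary input shape, the sample counts and rule ID 9999 are constructed assumptions.

```python
# Expected direction of the violation-count change per Quality Rule ID,
# as stated on this page for the 8.2.2 -> 8.2.3 upgrade.
# "any" is used where the page only says results "may differ".
EXPECTED = {
    8030: "down",  # Cobol: lowercase "pic x(01)" false violations removed
    7902: "any",   # T-SQL: queries covered by indexes, subqueries handled better
    7914: "down",  # false positives removed
    3616: "down",  # false positives removed
    8086: "down",  # Brushes classes excluded from scope
    7424: "up",    # JEE/SQL: false negatives fixed
}

# Constructed sample data: {rule_id: violation_count} per snapshot.
# Rule 9999 is a made-up ID standing for "a rule this page does not mention".
SAMPLE_PRE = {8030: 120, 7424: 4, 7914: 300, 8086: 7, 9999: 10}
SAMPLE_POST = {8030: 95, 7424: 19, 7914: 310, 8086: 7, 9999: 14, 7902: 3}


def triage(pre, post):
    """Return {rule_id: (before, after, status)} for every rule seen.

    status is one of:
      unchanged        - same count in both snapshots
      explained        - change matches the direction documented on this page
      investigate      - change is undocumented or opposite to the documented one
      rule-set-changed - rule exists in only one snapshot (a missing rule is
                         not the same as zero violations; check the
                         Assessment Model before comparing counts)
    """
    report = {}
    for rule_id in sorted(set(pre) | set(post)):
        before, after = pre.get(rule_id), post.get(rule_id)
        if before is None or after is None:
            status = "rule-set-changed"
        elif before == after:
            status = "unchanged"
        else:
            moved = "up" if after > before else "down"
            expected = EXPECTED.get(rule_id)
            status = "explained" if expected in ("any", moved) else "investigate"
        report[rule_id] = (before, after, status)
    return report


if __name__ == "__main__":
    for rule_id, (before, after, status) in triage(SAMPLE_PRE, SAMPLE_POST).items():
        print(f"{rule_id}: {before} -> {after}  [{status}]")
```
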

Impacts of changes made in CAST AIP 8.2.3 on Quality Model results post upgrade

Mainframe Cobol

Check alphanumeric data before moving it into numeric data - 8030

A bug has been detected which caused false violations of the Quality Rule "Check alphanumeric data before moving it into numeric data - 8030". The Quality Rule was falsely violated when the syntax "pic x(01)" was used with "x" written in lowercase. This bug has now been fixed (the Quality Rule will correctly interpret the use of lowercase "x") and after an upgrade to CAST AIP 8.2.3 and the generation of a post upgrade snapshot, results may differ for this Quality Rule - you may see fewer violations.

Microsoft SQL Server - T-SQL

Multiple Quality Rules/Metrics

A bug has been detected which caused false violations of multiple Quality Rules. The Quality Rules were falsely violated when indexes covering the queries exist. This bug has now been fixed (subqueries are handled better) and after an upgrade to CAST AIP 8.2.3 and the generation of a post upgrade snapshot, results may differ for the Quality Rules/Metrics listed below (non-exhaustive list):

  • Avoid SQL queries that no index can support - 7902
  • Number of database access without check
  • Number of SQL queries in loops
  • Number of Subqueries

Multi-techno

Avoid direct access to Database Tables - 7914 and Data Access must be based on Stored Procedure Calls - 3616

A bug has been introduced which has caused a large increase in violations (false positives) for the following two Quality Rules:

  • Avoid direct access to Database Tables - 7914
  • Data Access must be based on Stored Procedure Calls - 3616

This bug has now been fixed and after an upgrade to CAST AIP 8.2.3 and the generation of a post upgrade snapshot, results may differ for these Quality Rules - you may see fewer violations but the accuracy is improved.

Avoid types that own disposable fields and are not disposable - 8086

A bug has been detected which caused Brushes classes to wrongly violate the Quality Rule "Avoid types that own disposable fields and are not disposable - 8086". This bug has now been fixed (Brushes are now excluded from the scope of this Quality Rule) and after an upgrade to CAST AIP 8.2.3 and the generation of a post upgrade snapshot, results may differ for this Quality Rule - you may see fewer violations.

Multiple User Input Security related Quality Rules

A bug has been detected which is causing the value for the Total (Total Checks) in the CAST Application Engineering Dashboard to be incorrectly reported (the value is too high), for the following Quality Rules:

  • Avoid cross-site scripting DOM vulnerabilities ( CWE-79 ) - 7740
  • Avoid LDAP injection vulnerabilities ( CWE-90 ) - 7746
  • Avoid OS command injection vulnerabilities ( CWE-78 ) - 7748

This bug has now been fixed and after an upgrade to CAST AIP 8.2.3 and the generation of a post upgrade snapshot, the Total (Total Checks) value will now be reported correctly (the value will decrease).

JEE/SQL

Avoid using SQL queries inside a loop - 7424

A bug has been discovered which has resulted in false negatives (i.e. violations are expected but not found) for the Quality Rule "Avoid using SQL queries inside a loop - 7424" when the analysis involves JEE (the class SimpleJdbcTemplate from the Spring Framework 3.0) and SQL. This bug is due to two factors:

  • The Spring Framework 3.0 environment profile does not have the parametrized method update for org.springframework.jdbc.core.simple.SimpleJdbcTemplate.update. So, the Inference Engine is not able to identify the SQL queries.
  • The query is defined in a static field and so, the method write is not considered as a SQL Artifact which is the scope of this Quality Rule.

The bug has now been fixed and after an upgrade to CAST AIP 8.2.3 and the generation of a post upgrade snapshot, results may differ for this Quality Rule, i.e. there will be an increased number of violations (improved accuracy).

The fix also brings improved accuracy as follows:

  • additional client/server links between Java methods using the simpleJDBC API and SQL components (these were not previously detected)
  • increased Function Point count (higher DET/RET values for existing transactions, and increased numbers of transactions, which were not detected previously)

Other impacts of changes made in CAST AIP 8.2.3

Multi-techno

Metrics Assistant

A bug has been discovered which has been causing results from the Metrics Assistant to be deleted in specific circumstances:

  1. An Application analysis is executed and the Metrics Assistant saves results to the Analysis Service schema.
  2. A subsequent analysis of the same Application is executed and the results of the Metrics Assistant are unchanged - however, the Metrics Assistant deletes the existing results instead of leaving them in place.
  3. A subsequent analysis of the same Application is executed and the Metrics Assistant can once again save results to the Analysis Service schema.

This bug has now been fixed and after an upgrade to CAST AIP 8.2.3 and the generation of a post upgrade snapshot, results may differ.

User Defined Modules

A bug has been discovered which has been causing "external objects" to be incorrectly included in User Defined Modules that use an "Explicit Content" filter (i.e. a filter based on an SQL query). This bug has now been fixed and after an upgrade to CAST AIP 8.2.3 and the generation of a post upgrade snapshot, results may differ as follows:

  • The number of objects in the User Defined Module may decrease and therefore anything that is calculated on the basis of the User Defined Module can change:
    • The number of Quality Rule violations may decrease and therefore grades may slightly increase.
    • Quality Measure values may decrease (for example, Lines of Code, Backfired Function Points, Automated Function Points)

.NET / Metrics Assistant / Total Cyclomatic Complexity

A bug has been discovered in CAST AIP 8.x which meant that the Metrics Assistant (when processing .NET source code) did not take into account as many objects as it did in CAST AIP 7.3.x. This bug will have resulted in a difference in the Total Cyclomatic Complexity value (Total CC) reported by the CAST Engineering Dashboard (lower in CAST AIP 8.x than in CAST AIP 7.3.x). The bug has now been fixed and after an upgrade to CAST AIP 8.2.3 and the generation of a post upgrade snapshot, results may differ for the Total CC value (higher than previously).

Improvements made to Oracle PL/SQL syntax support

The following syntax is now supported by CAST AIP. After an upgrade to CAST AIP 8.2.3 and the generation of a post upgrade snapshot, results may therefore differ:

  • PIVOT/UNPIVOT
  • LISTAGG

ABAP

Improvements made to ABAP syntax support

The following syntax (which is permitted in ABAP source code) is now supported by CAST AIP. After an upgrade to CAST AIP 8.2.3 and the generation of a post upgrade snapshot, results may therefore differ:

  • "ENVIRONMENT TIME FORMAT" or "ENVIRONMENT FORMAT" (options for WRITE statements)
  • "EXEC SQL" with comments between EXEC and SQL, for example:
        EXEC "comment
        SQL
        SELECT ev1.vkonto ....
        ENDEXEC.
  • ~ character now supported in SORT clauses, for example:
        SORT if_ex_ibssi_receive_to_dwn~bapimtcs_buffer BY tabname objkey.
  • Preprocessing when ":" is inside parentheses, for example:
        cucomd->reset(:
        cl_iuicmd_cucomd_impl=>gc_premise_node ),
        cl_iuicmd_cucomd_impl=>gc_buag_node ).
  • A full expression in the FROM clause is now supported:
        LOOP AT p_xyt_doc_item ASSIGNING <lfs_doc_items1> FROM l_i_index1 + 1.
  • When an integer is present in a FROM clause, for example:
        DELETE gi_pp_nr FROM 2
  • When a macro is called with another macro name as a parameter, for example:
        define macro_execute.
          &1 1.
        end-of-definition.
        define lmacro_def_itab.
          types &1.
        end-of-definition.
        macro_execute lmacro_def_itab.

Improvements made to link resolution through generic transactions

Link resolution has been improved for the following generic transactions:

  • START_REPORT: a link is now created from the initial transaction to the program that is passed to the generic transaction via the parameter.

  • SE16: a link is now created from the initial transaction to the database table that is passed to the generic transaction via the parameter.

Therefore, after an upgrade to CAST AIP 8.2.3 and the generation of a post upgrade snapshot, results may differ: improved link resolution (more accuracy), increased number of transactional Function Points, Quality Rule differences etc.

JEE

XML/.properties files

A bug has been identified in the JEE analyzer in CAST AIP 8.x that is causing fewer objects to be saved to the CAST Analysis Service database than in CAST AIP 7.3.x. This bug is seen when an XML (or .properties) file is provided twice as the input of the JEE analyzer. Two objects are created, which then leads to a duplicated guid that induces the removal of the object when it is saved to the CAST Analysis Service database. This bug has now been fixed and after an upgrade to CAST AIP 8.2.3 and the generation of a post upgrade snapshot, results may therefore differ: increased number of objects (more accuracy), increased number of transactional Function Points, Quality Rule differences etc.

JPA @NamedQueries

A bug has been identified in the JEE analyzer that is causing JPA @NamedQueries that are embedded in container annotations, e.g.: @NamedQueries({..}) not to be detected by the analyzer (see example code below). This bug has now been fixed and after an upgrade to CAST AIP 8.2.3 and the generation of a post upgrade snapshot, results may therefore differ: increased number of objects (more accuracy), increased number of transactional Function Points, Quality Rule differences etc.

Example code:

@NamedQueries({
    @NamedQuery(name="FirstOne", ..),
    @NamedQuery(name="SecondOne"...)
})
class MyClass

Struts config files defined in web.xml rather than through a naming convention

A bug has been identified in the JEE analyzer that is causing only some Struts config files (and no child Struts files) to be saved to the Analysis Service database where the Struts config files are defined in the web.xml rather than through a naming convention. This bug has now been fixed and after an upgrade to CAST AIP 8.2.3 and the generation of a post upgrade snapshot, results may therefore differ: increased number of objects (more accuracy), increased number of transactional Function Points, Quality Rule differences etc.

Struts

A bug has been identified in the JEE analyzer that is causing links between JavaScript client side functions and Struts action mapping to be missed during an analysis. This bug has now been fixed and after an upgrade to CAST AIP 8.2.3 and the generation of a post upgrade snapshot, results may therefore differ to give greater accuracy: increased number of transactional Function Points, Quality Rule differences etc.

JavaScript files included in JSP files with scriptlets

A bug has been identified in the JEE analyzer that is causing JavaScript method calls inside JavaScript files that are included in JSP files using the scriptlet "<%=..%>" to not be detected by the analyzer. This bug has now been fixed and after an upgrade to CAST AIP 8.2.3 and the generation of a post upgrade snapshot, results may therefore differ to give greater accuracy: increased number of transactional Function Points, Quality Rule differences, improved link resolution.

Miscellaneous result changes

Function Points (Transaction Configuration Center) - DET (Data Element Types) values when upgrading from 7.3.x

When upgrading from CAST AIP 7.3.x, an automatic process will remove any datafunction/transaction whose maintable/form is out of the scope of the application. However, due to an unfixed bug (SCRAIP-23812), any of these items that has any kind of calibration flag set against it (e.g. ignored) will not be removed and will incorrectly remain part of the datafunction/transaction list. This fact, in combination with the difference in the way in which DET (Data Element Types) are handled in AIP 7.3.x and AIP 8.x (from AIP 8.0 onwards the DET value is initialized as 0 at the beginning of the Function Point computation), will cause these items to have their DET value set to 0, while previously (i.e. in AIP 7.3.x) they kept their DET value as 5. In addition, their Function Point values will still be computed even when the DET is set to 0.

 
