
Summary: this page lists:

  • Impacts of changes made to CAST AIP 8.3.29 on Quality Model results post upgrade
  • Other impacts of changes made in CAST AIP 8.3.29

All changes in results related to extensions are now listed in the extension documentation and will not appear in this page.

Impacts of changes made in CAST AIP 8.3.29 on Quality Model results post upgrade

JEE

Avoid unreferenced Classes - 7832

This rule has been deactivated in 8.3.29 - i.e. it will no longer be triggered during analyses. This change may impact your analysis results on upgrading to 8.3.29.

Avoid unreferenced classes when methods of that class are called

This rule has been deactivated in 8.3.29 - i.e. it will no longer be triggered during analyses. This change may impact your analysis results on upgrading to 8.3.29.

Mainframe

Avoid Programs with lines of more than 80 characters - 5138

False positive violations were reported for lines of 80 or fewer characters because of a bug in the analyzer: code formatting incorrectly added extra lines to the source code. The issue is now fixed. This change may impact your analysis results on upgrading to 8.3.29.

Avoid "SELECT *" queries - 7344

False positive violations of the rule were detected in code resembling "*** SELECT ***". The issue is now fixed. This change may impact your analysis results on upgrading to 8.3.29.

Using SEARCH ALL only with sorted data - 5056

False positive violations of the rule were detected. The issue is now fixed. This change may impact your analysis results on upgrading to 8.3.29.

Avoid unchecked return code (SQLCODE) after EXEC SQL query - 7690

False positive violations of the rule were detected. The issue is now fixed. This change may impact your analysis results on upgrading to 8.3.29.

Never truncate data in MOVE statements - 7688

False positive violations of the rule were detected. The issue is now fixed. This change may impact your analysis results on upgrading to 8.3.29.

User Input Security

Avoid deserialization injection - 8524 - new rule

A new rule has been implemented for both JEE and .NET technologies called "Avoid deserialization injection - 8524". The following frameworks are supported:

  • JEE:
    • java.io.ObjectInputStream
    • com.esotericsoftware.kryo.Kryo
    • java.beans.XMLDecoder
  • .NET:
    • System.Xml.Serialization.XmlSerializer

Your existing analysis results may be impacted by the addition of this new rule.
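The following is an added example, not CAST code and not taken from this page, showing the pattern the new rule flags for java.io.ObjectInputStream beside a hardened form. It assumes Java 9 or later (java.io.ObjectInputFilter, JEP 290); the Order DTO, the Gadget stand-in and the byte arrays are constructed for the example, and the filter limits (maxdepth, maxrefs, maxbytes) are illustrative values. In a servlet the untrusted bytes would typically arrive via ServletRequest.getInputStream().

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class DeserializationDemo {

    /** The one DTO this endpoint legitimately accepts (constructed for the example). Primitive fields only. */
    static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final int id;
        final long amountCents;
        Order(int id, long amountCents) { this.id = id; this.amountCents = amountCents; }
    }

    /** Stand-in for a gadget class: its readObject runs while the stream is being read, before the
     *  caller can inspect or cast the result. The side effect is a flag here; in a real attack chain
     *  it would be arbitrary code. */
    static final class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static volatile boolean fired = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            fired = true;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Pattern rule 8524 flags: bytes from an untrusted source handed to ObjectInputStream.readObject()
     *  with no restriction on which classes the stream may instantiate. */
    static Object readUnsafe(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return ois.readObject();
        }
    }

    /** Hardened: an allow-list filter. Only Order may be instantiated, "!*" rejects every other class,
     *  and the limits bound nesting depth, reference count and stream size. The filter is consulted
     *  before any of a class's data is read, so a rejected class's readObject never runs. */
    static Object readFiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                Order.class.getName() + ";maxdepth=4;maxrefs=32;maxbytes=4096;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Order(42, 1999L));
        byte[] hostile = serialize(new Gadget());   // constructed stand-in for attacker-supplied bytes

        Order order = (Order) readFiltered(expected);
        System.out.println("filtered read accepted Order id=" + order.id);

        Gadget.fired = false;
        readUnsafe(hostile);
        System.out.println("unfiltered read executed Gadget.readObject: " + Gadget.fired);

        Gadget.fired = false;
        try {
            readFiltered(hostile);
        } catch (InvalidClassException e) {
            System.out.println("filtered read rejected the stream (" + e.getMessage()
                    + "); Gadget.readObject executed: " + Gadget.fired);
        }
    }
}
```

The filter is set per stream here; a process-wide default can be installed with the jdk.serialFilter system property instead. java.beans.XMLDecoder has no equivalent filter mechanism, so for that API the only safe option is to never feed it untrusted input.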

Avoid weak cryptographic algorithm - 8414

The following cryptographic algorithms are now considered dangerous by the quality rule "Avoid weak cryptographic algorithm":

  • RC2
  • PBEWithMD5AndDES

This change may impact your analysis results on upgrading to 8.3.29.
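The following is an added example, not CAST code and not taken from this page. It shows the JCE usage that rule 8414 now reports, a password-based cipher named PBEWithMD5AndDES, beside a replacement built from PBKDF2-HMAC-SHA256 and AES-GCM. The key derivation parameters (iteration count, salt size, key length) and the sample plaintext are assumptions chosen for the example, not values from the page.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class PasswordCryptoDemo {

    /** Legacy pattern rule 8414 now flags: MD5-based key derivation feeding single DES (56-bit key).
     *  Using "RC2" as the transformation name is reported the same way. Kept here only as the "before". */
    static byte[] encryptLegacy(char[] password, byte[] salt8, byte[] plaintext) throws Exception {
        SecretKey key = SecretKeyFactory.getInstance("PBEWithMD5AndDES")
                .generateSecret(new PBEKeySpec(password));
        Cipher cipher = Cipher.getInstance("PBEWithMD5AndDES");
        cipher.init(Cipher.ENCRYPT_MODE, key, new PBEParameterSpec(salt8, 1000)); // this scheme requires an 8-byte salt
        return cipher.doFinal(plaintext);
    }

    // Assumed parameters for the hardened variant.
    static final int PBKDF2_ITERATIONS = 600_000;   // OWASP 2023 guidance for PBKDF2-HMAC-SHA256
    static final int SALT_BYTES = 16;
    static final int GCM_IV_BYTES = 12;
    static final int GCM_TAG_BITS = 128;

    static SecretKey deriveKey(char[] password, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, 256);
        byte[] keyBytes = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return new SecretKeySpec(keyBytes, "AES");
    }

    /** Output layout: iv (12 bytes) || ciphertext || GCM tag. A fresh random IV per message is mandatory for GCM. */
    static byte[] encrypt(char[] password, byte[] salt, byte[] plaintext) throws Exception {
        byte[] iv = new byte[GCM_IV_BYTES];
        new SecureRandom().nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] decrypt(char[] password, byte[] salt, byte[] blob) throws Exception {
        byte[] iv = Arrays.copyOfRange(blob, 0, GCM_IV_BYTES);
        byte[] ct = Arrays.copyOfRange(blob, GCM_IV_BYTES, blob.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(GCM_TAG_BITS, iv));
        return cipher.doFinal(ct);   // AEADBadTagException if the blob was modified in any way
    }

    public static void main(String[] args) throws Exception {
        char[] password = "correct horse battery staple".toCharArray();   // constructed sample secret
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        byte[] message = "constructed sample plaintext".getBytes(StandardCharsets.UTF_8);

        byte[] blob = encrypt(password, salt, message);
        System.out.println("round trip ok: " + Arrays.equals(message, decrypt(password, salt, blob)));

        blob[blob.length - 1] ^= 0x01;   // flip one bit of the tag
        try {
            decrypt(password, salt, blob);
        } catch (AEADBadTagException e) {
            System.out.println("tampered blob rejected");
        }
    }
}
```

The salt must be stored alongside the ciphertext (it is not secret) and the password array should be cleared after use. PBEWithMD5AndDES also authenticates nothing, so a caller cannot detect tampering at all; the GCM tag check in decrypt is what closes that gap.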

Avoid resource injection - 8442

The rule "Avoid resource injection - 8442" has been updated to take into account violations of type "Avoid Connection String Parameter Pollution" for both JEE and .NET technologies. This change may impact your analysis results on upgrading to 8.3.29.
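The following is an added example, not CAST code and not taken from this page, illustrating the Connection String Parameter Pollution pattern that rule 8442 now covers on the JEE side, beside a hardened form. The base URL, database allow-list, property names and the hostile input are assumptions constructed for the example.

```java
import java.util.Properties;
import java.util.Set;

public class ConnectionStringDemo {

    /** Pattern rule 8442 now flags: caller-controlled text is concatenated into the JDBC URL, so a
     *  database name such as "orders?sslmode=disable&user=postgres" smuggles in parameters the code
     *  never meant to expose. The same shape appears in .NET with string-built SqlConnection strings. */
    static String buildUrlUnsafe(String host, String database, String user) {
        return "jdbc:postgresql://" + host + "/" + database + "?user=" + user;
    }

    // Assumed deployment constants; nothing below comes from the page.
    private static final String BASE_URL = "jdbc:postgresql://db.internal:5432/";
    private static final Set<String> TENANT_DATABASES = Set.of("orders", "billing");

    /** Hardened: the only caller-influenced part of the URL is the database name, and it must be one of
     *  a fixed set of known names. Any other value, including one carrying '?', '&' or ';', is rejected. */
    static String buildUrlSafe(String database) {
        if (database == null || !TENANT_DATABASES.contains(database)) {
            throw new IllegalArgumentException("unknown database");   // do not echo the input
        }
        return BASE_URL + database;
    }

    /** Credentials and driver options travel in Properties, never in the URL string.
     *  sslmode=verify-full is the PostgreSQL JDBC setting that enforces TLS with host-name verification. */
    static Properties connectionProperties(String user, char[] password) {
        Properties props = new Properties();
        props.setProperty("user", user);
        props.setProperty("password", new String(password));
        props.setProperty("sslmode", "verify-full");
        return props;
    }

    public static void main(String[] args) {
        String tenantInput = "orders?sslmode=disable&user=postgres";   // constructed hostile input

        System.out.println("unsafe URL: " + buildUrlUnsafe("db.internal", tenantInput, "app"));
        try {
            buildUrlSafe(tenantInput);
        } catch (IllegalArgumentException e) {
            System.out.println("safe builder rejected the input: " + e.getMessage());
        }
        System.out.println("safe URL:   " + buildUrlSafe("orders"));
        // Usage: DriverManager.getConnection(buildUrlSafe("orders"), connectionProperties("app", pw))
    }
}
```

Where the set of databases is not fixed, the same idea applies with a strict allow-list regular expression on the name; the point is that no delimiter the driver interprets can ever reach the URL from a caller.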

Avoid file path manipulation vulnerabilities - 7752

Previously some methods were incorrectly tagged as targets for the rule "Avoid file path manipulation vulnerabilities - 7752", causing false positive violations. This issue has been fixed. This change may impact your analysis results on upgrading to 8.3.29.

Avoid log forging vulnerabilities - 8044

Methods such as "logError" or "logWarning" are now recognized and are automatically assigned as targets for the quality rule "Avoid log forging vulnerabilities - 8044". This change may impact your analysis results on upgrading to 8.3.29.
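The following is an added example, not CAST code and not taken from this page, showing what log forging looks like through a logging wrapper named logError (a method name the rule now recognizes as a target) and how to neutralize it. The wrapper, the message format, the sanitizing regular expression and the forged username are all constructed for the example.

```java
import java.util.regex.Pattern;

public class LogForgingDemo {

    /** Application-level logging wrapper; with 8.3.29 a method named like this is treated as a sink
     *  of rule 8044, so user input reaching it unsanitized is reported. Writes to stdout for the demo. */
    static void logError(String message) {
        System.out.println("ERROR " + message);
    }

    /** Vulnerable: the user-controlled value is embedded unchanged, so a name containing a line break
     *  produces a second, attacker-authored log line. */
    static String failedLoginUnsafe(String username) {
        return "login failed for user '" + username + "'";
    }

    // CR, LF and every other ASCII control character, plus the Unicode line/paragraph separators
    // (NEL, LS, PS) that some log viewers also render as line breaks.
    private static final Pattern LINE_BREAKING = Pattern.compile("[\\p{Cntrl}\\u0085\\u2028\\u2029]");
    private static final int MAX_LOGGED_LENGTH = 128;   // assumed cap, keeps one entry from flooding the log

    /** Replace anything that could start a new line with '_' and cap the length, so one call is one line. */
    static String sanitizeForLog(String input) {
        if (input == null) {
            return "null";
        }
        String cleaned = LINE_BREAKING.matcher(input).replaceAll("_");
        if (cleaned.length() > MAX_LOGGED_LENGTH) {
            cleaned = cleaned.substring(0, MAX_LOGGED_LENGTH) + "...(truncated)";
        }
        return cleaned;
    }

    static String failedLoginSafe(String username) {
        return "login failed for user '" + sanitizeForLog(username) + "'";
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled username: a real name, a newline, then a fabricated entry
        // that would read as a successful admin login in the log.
        String forged = "alice\nINFO  login succeeded for user 'admin'";

        logError(failedLoginUnsafe(forged));   // the wrapper emits two lines
        logError(failedLoginSafe(forged));     // the wrapper emits one line, the newline shown as '_'
    }
}
```

Encoding the value (for example as JSON) is an alternative to replacement and preserves the original bytes for forensics; whichever is chosen, it has to happen before the value reaches the wrapper, because the rule's sink is the wrapper call itself.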

Other impacts of changes made in CAST AIP 8.3.29

User Input Security

javax.servlet.ServletRequest.getInputStream method

The method javax.servlet.ServletRequest.getInputStream is now considered an entry point (user input source) for User Input Security. This change may impact your analysis results on upgrading to 8.3.29.

System.Web.HttpRequest.PhysicalApplicationPath property

The property System.Web.HttpRequest.PhysicalApplicationPath was previously incorrectly assigned as a user input. This issue has now been fixed. This change may impact your analysis results on upgrading to 8.3.29.
