Technology support changes
The following syntax is now supported:
- CALL TRANSACTION...WITH AUTHORITY-CHECK USING
Procedure Call Depth
The default value of the Procedure Call Depth option (which limits the number of intermediate values the Inference Engine will resolve in order to determine the type of the object being searched for) has been changed from 3000 to 300 for all Applications newly onboarded with ≥ 8.3.18. This change has been made to reduce .NET analysis time. For Applications upgraded from a previous release of AIP to ≥ 8.3.18, the previous value of this option is retained so that analysis results are not affected.
CAST Transaction Configuration Center
Specific usage of Excluded Items
Data functions/transactions contributing to values in the AFP section
Data functions / transaction functions will still contribute to values in the AFP section in the following situations:
- The setup configuration rule that matched these objects is no longer present
- The setup configuration rule has changed and no longer matches the objects
This is because these Data functions / Transactions have already been calibrated (i.e. merged / deleted / ignored), and a Compute action will not remove such items from the values in the AFP section, to avoid losing the specific calibration that has been applied. Therefore, if you need to prevent these objects from contributing to values in the AFP section, you can:
- Create an excluded-item rule to exclude these items
- Run the Compute action
- Disable or remove the excluded-item rule you created
Change in behavior with regard to loss of transaction IDs
In previous releases of CAST AIP, Added/Deleted objects would be visible in the following situation:
If an entry point of a valid transaction was missing in more than two consecutive snapshots, the transaction ID was lost. As a consequence, when the missing entry-point object re-appeared in a subsequent snapshot, CAST AIP was not able to recover the transaction ID and associated a new transaction ID with the entry point. If the intermediary snapshots were then deleted, CAST AIP recorded an Added/Deleted pair for the transaction, because it saw a transaction with a new ID and the previous ID was no longer present in the snapshot.
The behaviour of CAST AIP in this situation has been changed: the previous transaction ID is now re-used when the missing entry-point object re-appears in a subsequent snapshot. As a result, when the intermediary snapshots are deleted, the transaction is seen as Unchanged (if there are no changes in the transaction's details) or Modified (if there are changes in the transaction's details).
User Input Security related
Support of org.owasp.encoder library
Methods from the org.owasp.encoder library have been added to the list of libraries that are automatically taken into account for Sanitization. The full list of libraries automatically taken into account for Sanitization is available in User Input Security - predefined methods.
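As an added illustration (not code from the CAST documentation or from the OWASP Encoder project), the following Java servlet fragment shows the pattern the User Input Security analysis now recognises: a request parameter that reaches the HTML response unmodified is a reflected XSS flow, while the same parameter passed through org.owasp.encoder.Encode.forHtml or Encode.forJavaScript is treated as sanitised. The class and method names other than the org.owasp.encoder and servlet APIs (GreetingServlet, renderUnsafe, renderSafe, renderJsSafe) are assumed for the example; it needs the org.owasp.encoder:encoder artifact and a servlet API on the classpath.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.encoder.Encode;

// Hypothetical servlet used only to illustrate the sanitization pattern.
public class GreetingServlet extends HttpServlet {

    // Vulnerable: the "name" parameter flows unmodified into HTML element content.
    // This is the kind of flow the analysis reports as reflected cross-site scripting.
    static String renderUnsafe(String name) {
        return "<p>Hello, " + name + "</p>";
    }

    // Sanitised for the HTML element-content context: Encode.forHtml is now a
    // recognised sanitizer, so this flow is no longer reported. forHtml is only
    // correct for element content and quoted attribute values.
    static String renderSafe(String name) {
        return "<p>Hello, " + Encode.forHtml(name) + "</p>";
    }

    // Sanitised for a different output context: a value embedded inside a
    // JavaScript string literal needs forJavaScript, not forHtml. Using the wrong
    // encoder for the context still leaves an injectable flow even though the
    // analyser sees a sanitizer call.
    static String renderJsSafe(String name) {
        return "<script>var user = '" + Encode.forJavaScript(name) + "';</script>";
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String name = req.getParameter("name");
        if (name == null) {
            name = "";
        }
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println(renderSafe(name));
        out.println(renderJsSafe(name));
    }

    // Stand-alone demonstration with constructed attack payloads.
    public static void main(String[] args) {
        String htmlPayload = "<img src=x onerror=alert(1)>";
        String jsPayload = "'; alert(1); //";
        System.out.println(renderUnsafe(htmlPayload));   // markup reaches the page intact
        System.out.println(renderSafe(htmlPayload));     // angle brackets are entity-encoded
        System.out.println(renderJsSafe(jsPayload));     // quote and separators are escaped
    }
}
```

The point for reviewers of analysis results is that recognising org.owasp.encoder as a sanitizer removes findings for flows that pass through any of its methods; whether the chosen method matches the output context (HTML body, attribute, JavaScript, CSS, URL component) is still something to check by hand.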
Update to the rule Avoid hard-coded credentials (8222) for .NET
The rule Avoid hard-coded credentials (8222) has been updated to detect hard-coded credentials passed to the PasswordDeriveBytes class. See also Changes in results post upgrade - 8.3.18.
Improvements to CAST-DatabaseExtractionRenamingTool.exe
The CAST-DatabaseExtractionRenamingTool.exe tool that is used to mitigate the impact on analysis results when databases or schemas move from one Server to another or from one Instance to another has been enhanced to support renaming for database extractions performed on Microsoft SQL Server and Sybase ASE. You can find out more about this tool here: Dealing with databases or schemas that move from one Server to another or from one Instance to another.