Mainframe Analyzer
Improved VSAM file support
- Support introduced for VSAM commands in "SYSIN" clauses, for example:
- ALLOCATE
- ALTER
- DEFINE
- DELETE
- EXAMINE
- LISTALC
- LISTCAT
- LISTDS
- REPRO
- VERIFY
- Support introduced for If IDCAMS utility and VSAM data-set types (for Cobol and JCL) when they call indexed, relative and sequential organisation:
Entry-sequenced data set (ESDS)
- Key-sequenced data set (KSDS)
- Relative-record data set (RRDS)
New rules enabled
The following new rules have been enabled in CAST AIP 8.3.24:
8468 | Program semantic should respect the logic of flow execution |
---|---|
8470 | Avoid using STRING without overflow check |
8476 | Avoid calling unsafe C library functions from COBOL |
8478 | Avoid Buffer Overruns when using ADD, SUBTRACT, MULTIPLY, DIVIDE & COMPUTE statement inside a loop |
8480 | Avoid using PREPARE STMT statement (Dynamic SQL) with STRING containing HOST variables |
SSL connection to CAST Storage Service/PostgreSQL
CAST AIP 8.3.24 introduces support for connecting to CAST Storage Service/PostgreSQL instances using an SSL encrypted connection. Support for encrypted SSL connections requires some configuration for both the CAST Storage Service/PostgreSQL instances and CAST AIP itself. More details can be found in CAST Storage Service - SSL encrypted mode configuration.
Note that some CAST applications cannot currently connect to CAST Storage Service/PostgreSQL instances using an SSL encrypted connection:
CAST AIP (any application provided with the CAST AIP "core" setup) | ≥ 8.3.24 | |
---|---|---|
CAST Architecture Checker (standalone) | - | |
CAST Dashboards | Will be supported in future releases of this application. | |
CAST Imaging System | ||
CAST AIP Console | ||
Sherlock (CAST Support tool) |
User Input Security
Rule documentation updates
The following changes have been applied to rule documentation (no impact on analysis results):
8438 | Avoid code injection | The Reference section has been updated to change the CWE reference from 78 to 94 and 95. |
---|
Miscellaneous
Long path support
When using CAST AIP, the path of some log files and other internal files may exceed the total number of characters permitted for a path in Microsoft Windows (260 characters by default). This is especially true when enabling the User Input Security feature for .NET and JEE techologies. When a path exceeds 260 characters, the analysis (or feature) would usually crash, for example the User Input Security would crash with the errors "System.IO.PathTooLongException" or "System.InvalidOperationException".
To avoid crashes due to situations where the long path limitation is exceeded, two changes need to be made:
- Enable long path support in Microsoft Windows (Windows 10/Windows Server 2016 or above only) - see https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file#enable-long-paths-in-windows-10-version-1607-and-later for more information.
- Use CAST AIP ≥ 8.3.13 and, where appropriate:
- JEE Analyzer extension ≥ 1.0.21
- Security for Java extension ≥ 1.4.5
Change to SET_DEFINITIONS table
The table SET_DEFINITIONS (Analysis schema) has been modified: the column "setprocedure" will now accept a procedure name up to 255 characters in CAST AIP ≥ 8.3.24. Previously this column only accepted procedure names with a maximum of 30 characters. Note that if extensions are to be compatible with older releases of CAST AIP, they must still use 30 characters max.