Summary: This document provides information about changes and new features introduced in this release.
CAST AIP Service Packs 8.3.20 - 8.3.23 are compatible only with the latest releases of the JEE Analyzer extension, i.e. 1.0.28 and 1.2.10-funcrel. Using older releases of the extension with these CAST AIP Service Packs risks incomplete analysis results (missing objects, links, violations, erroneous FP values) for JEE and C++ analyses.
Therefore, when using CAST AIP Service Packs 8.3.20 - 8.3.23, please either:
- Upgrade your JEE extension to a compatible release (i.e. ≥ 1.0.28 or ≥ 1.2.10-funcrel) OR
- Upgrade CAST AIP to a more recent Service Pack (≥ 8.3.24), which is compatible with older releases of the JEE Analyzer extension
If upgrading the JEE Analyzer extension or CAST AIP is not possible, please contact CAST Technical Support.
New features
Default Activation of new Environment Profiles
A set of environment profiles (mainly for Logging Frameworks, introduced in JEE Analyzer 1.0.3) are now active by default in JEE Analyzer 1.0.4 and no manual configuration is required. These environment profiles provide the following improvements:
- they reduce the number of links reported by the Dynamic Link Manager i.e. preventing (through parametrization) links from being created to database objects whose names are found in an argument's string
- they allow the creation (through parametrization) of the correct Use link between Java objects and database objects for Applications that use the Spring IoC framework simpleJdbcTemplate methods. Note that Applications can use both the JdbcTemplate and simpleJdbcTemplate classes.
- they reduce the number of warning messages in the analysis log related to annotations (these annotations will be ignored - this will have no impact on analysis results).
The table below lists environment profiles which are now active by default "out of the box":
Environment Profile name | Content | Comment |
---|---|---|
JEE - Mokito | Mockito related annotations to be ignored. | Like org.mockito.Mock, org.mockito.Spy and org.mockito.InjectMocks |
JEE - Jackson 2.0 annotations to ignore | Jackson Fasterxml related annotations to be ignored | Like com.fasterxml.jackson.annotation.JsonView |
JEE - Guava 18.0 annotations to ignore | google common related annotations to be ignored | Like com.google.common.annotations.GwtCompatible |
Log4j 2.x | Log4j related annotations to be ignored | Like org.apache.logging.log4j.core.config.Order |
JEE - Logger JBOSS | Parametrization rules for JBOSS | |
JEE - Logger Weblogic | Parametrization rules for Weblogic | |
JEE - Logger SLF4J | Parametrization rules for SLF4J | |
JEE - Logger java.util.logging | Parametrization rules for Logger java.util.logging | |
JEE - Logger Monolog | Parametrization rules for Monolog | |
JEE - Logger Mortbay | Parametrization rules for Mortbay | |
JEE - Logger Avalon Escalibur | Parametrization rules for Logger Avalon Escalibur | |
JEE - Logger Apache commons logging | Parametrization rules for Logger Apache commons logging | |
JEE - Logger Krysalis | Parametrization rules for Logger Krysalis | |
JEE - Logger ATG | Parametrization rules for Logger ATG | |
JEE - Logger Spring | Parametrization rules for Logger Spring | |
JEE - Logger Eclipse | Parametrization rules for Logger Eclipse | |
JEE - Logger Plexus | Parametrization rules for Logger Plexus | |
JEE - Logger Camel | Parametrization rules for Logger Camel | |
JEE - Logger jnlp | Parametrization rules for Logger jnlp | |
JEE - Logger xwork2 | Parametrization rules for Logger xwork2 | |
JEE - XStream | XStream related annotations to be ignored | Like com.thoughtworks.xstream.annotations.XStreamAlias.value |
JEE - TestNG | TestNG related annotations to be ignored | Like org.testng.annotations.AfterClass |
Spring Framework 3.x add-on for simpleJDBC | Spring 3.x related additions add on annotations to be ignored | Like Spring test related org.springframework.test.annotation.DirtiesContext and Spring Data related org.springframework.data.jpa.repository.Modifying |
JEE - PowerMock | PowerMock related annotations to be ignored | Like org.powermock.core.classloader.annotations.Mock |
JEE - JSE org.w3c.dom | Parametrization rules for JSE org.w3c.dom | |
JEE - Logger JBOSS Seam 2.2.2 | Parametrization rules for Logger JBOSS Seam 2.2.2 | |
JEE - EasyMock | EasyMock related annotations to be ignored | Like org.easymock.Mock |
JEE - Unit Test Unitils | Unitils related annotations to be ignored | Like org.unitils.dbunit.annotation.DataSet |
JEE - jBehave | jBehave related annotations to be ignored | Like org.jbehave.core.annotations.When |
JEE - JAX-WS | JAX-WS related annotations to be ignored | Like javax.xml.ws.soap.MTOM |
JEE - MeltingPot | Some miscellaneous annotations to be ignored | Like edu.umd.cs.findbugs.annotations.SuppressFBWarnings |
New Quality Rules
Two new Quality Rules have been added in this release to reinforce security checks:
Avoid using RSA Cryptographic algorithms without OAEP (Optimal Asymmetric Encryption Padding)
- Parent Technical Criterion: Secure Coding - Weak Security Features
- Critical Contribution: Yes
- Quality Rule weight: 9
References:
- CWE-326 - Inadequate Encryption Strength
- CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
- OWASP: A3:2017-Sensitive Data Exposure
Avoid using weak encryption algorithm as DES and triple DES
- Parent Technical Criterion: Secure Coding - Weak Security Features
- Critical Contribution: Yes
- Quality Rule weight: 9
References:
- CWE-780 - Use of RSA Algorithm without OAEP
- CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
- OWASP: A3:2017-Sensitive Data Exposure
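As an added illustration of the patterns these two rules target (example code written for this page, not code from the release or from CAST), the Java below places the flagged calls next to compliant replacements. The transformation strings are standard JCA names; the class and method names are assumptions for the example.

```java
import java.security.KeyPair;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class CipherChoices {
    // Flagged by "Avoid using RSA Cryptographic algorithms without OAEP":
    // the bare "RSA" transformation defaults to PKCS#1 v1.5 padding.
    static byte[] rsaPkcs1(KeyPair kp, byte[] plain) throws Exception {
        Cipher c = Cipher.getInstance("RSA");
        c.init(Cipher.ENCRYPT_MODE, kp.getPublic());
        return c.doFinal(plain);
    }

    // Compliant: OAEP named explicitly, with SHA-256 and MGF1.
    static byte[] rsaOaep(KeyPair kp, byte[] plain) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.ENCRYPT_MODE, kp.getPublic());
        return c.doFinal(plain);
    }

    // Flagged by "Avoid using weak encryption algorithm as DES and triple DES":
    // "DESede" is the JCA name for triple DES ("DES" is the single-key form).
    static byte[] tripleDes(byte[] plain) throws Exception {
        SecretKey k = KeyGenerator.getInstance("DESede").generateKey();
        Cipher c = Cipher.getInstance("DESede/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, k); // IV is generated by the provider
        return c.doFinal(plain);
    }

    // Compliant replacement: AES in GCM with a fresh 12-byte nonce, prepended
    // to the ciphertext so the receiver can rebuild the same parameters.
    static byte[] aesGcm(SecretKey k, byte[] plain) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, k, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plain);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }
}
```

Pass an RSA key pair to the two RSA methods and an AES key (e.g. from `KeyGenerator.getInstance("AES")`) to `aesGcm`; the first and third methods are the shapes the analyzer reports, the second and fourth are the replacements.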
Resolved issues in this release
The following issues have been fixed in this release of the JEE Analyzer extension:
Internal ID | Call ID | Summary |
---|---|---|
JFAMILY-485 | | JEE QR "Pages should use error handling page" should not be critical |
JFAMILY-601 | | Documentation : Details about the Quality Rule "Avoid Artifacts with lines longer than X characters" needs to be updated |
JFAMILY-616 | | Documentation : QR description metric "Avoid using native Methods (JNI)" to be reviewed |
JFAMILY-621 | | TCCConfig - eFile free definition should be more accurate. Images should not be viewed as a starting point |
JFAMILY-622 | | TCCConfig - run methods should not be viewed as a starting point if they are called by another run method |
JFAMILY-652 | | TCC - Java.lang.process should be viewed as an endpoint |
JFAMILY-653 | | TCC - main methods selection as starting point should be only the main not called or executed |
JFAMILY-655 | | New environment profiles transferred from Analysis configuration SME kit should be better integrated |
JFAMILY-658 | | We should ignore the annotation sun.reflect.CallerSensitive |
JFAMILY-666 | | JAVA142: unable to find or to use archive: jce.jar.blackbox.xml |
JFAMILY-713 | | analysis failing with error: The process Jeecmd.exe has stopped working exited with code -1073741819 |