This documentation is not maintained. Please refer to doc.castsoftware.com/technologies to find the latest updates.


Summary: This document provides information about changes and new features introduced in this release.

CAST AIP Service Packs 8.3.20 - 8.3.23 are compatible only with the latest releases of the JEE Analyzer extension, i.e. 1.0.28 and 1.2.10-funcrel. Using older releases of the extension with these CAST AIP Service Packs risks incomplete analysis results (missing objects, links, violations, erroneous FP values) for JEE and C++ analyses.

Therefore, when using CAST AIP Service Packs 8.3.20 - 8.3.23, please either:

  • Upgrade your JEE Analyzer extension to a compatible release (i.e. ≥ 1.0.28 or ≥ 1.2.10-funcrel), OR
  • Upgrade CAST AIP to a more recent Service Pack (≥ 8.3.24), which is compatible with older releases of the JEE Analyzer extension.

If upgrading neither the JEE Analyzer extension nor CAST AIP is possible, please contact CAST Technical Support.

New features

Default Activation of new Environment Profiles

A set of environment profiles (mainly for logging frameworks, introduced in JEE Analyzer 1.0.3) is now active by default in JEE Analyzer 1.0.4, so no manual configuration is required. These environment profiles provide the following improvements:

  • they reduce the number of links reported by the Dynamic Link Manager, i.e. they prevent (through parametrization) links from being created to database objects whose names merely appear inside a string argument (typically a log message)
  • they allow the creation (through parametrization) of the correct Use link between Java objects and database objects for Applications that use the Spring IoC framework simpleJdbcTemplate methods. Note that Applications can use both the JdbcTemplate and simpleJdbcTemplate classes.
  • they reduce the number of warning messages in the analysis log related to annotations (these annotations are ignored; this has no impact on analysis results).

The table below lists the environment profiles which are now active by default "out of the box":

| Environment Profile name | Content | Comment |
|---|---|---|
| JEE - Mokito | Mockito related annotations to be ignored | Like org.mockito.Mock, org.mockito.Spy and org.mockito.InjectMocks |
| JEE - Jackson 2.0 annotations to ignore | Jackson Fasterxml related annotations to be ignored | Like com.fasterxml.jackson.annotation.JsonView |
| JEE - Guava 18.0 annotations to ignore | Google common related annotations to be ignored | Like com.google.common.annotations.GwtCompatible |
| Log4j 2.x | Log4j related annotations to be ignored | Like org.apache.logging.log4j.core.config.Order |
| JEE - Logger JBOSS | Parametrization rules for JBOSS | |
| JEE - Logger Weblogic | Parametrization rules for Weblogic | |
| JEE - Logger SLF4J | Parametrization rules for SLF4J | |
| JEE - Logger java.util.logging | Parametrization rules for Logger java.util.logging | |
| JEE - Logger Monolog | Parametrization rules for Monolog | |
| JEE - Logger Mortbay | Parametrization rules for Mortbay | |
| JEE - Logger Avalon Escalibur | Parametrization rules for Logger Avalon Escalibur | |
| JEE - Logger Apache commons logging | Parametrization rules for Logger Apache commons logging | |
| JEE - Logger Krysalis | Parametrization rules for Logger Krysalis | |
| JEE - Logger ATG | Parametrization rules for Logger ATG | |
| JEE - Logger Spring | Parametrization rules for Logger Spring | |
| JEE - Logger Eclipse | Parametrization rules for Logger Eclipse | |
| JEE - Logger Plexus | Parametrization rules for Logger Plexus | |
| JEE - Logger Camel | Parametrization rules for Logger Camel | |
| JEE - Logger jnlp | Parametrization rules for Logger jnlp | |
| JEE - Logger xwork2 | Parametrization rules for Logger xwork2 | |
| JEE - XStream | XStream related annotations to be ignored | Like com.thoughtworks.xstream.annotations.XStreamAlias.value |
| JEE - TestNG | TestNG related annotations to be ignored | Like org.testng.annotations.AfterClass |
| Spring Framework 3.x add-on for simpleJDBC | Spring 3.x related add-on annotations to be ignored | Like Spring test related org.springframework.test.annotation.DirtiesContext and Spring Data related org.springframework.data.jpa.repository.Modifying |
| JEE - PowerMock | PowerMock related annotations to be ignored | Like org.powermock.core.classloader.annotations.Mock |
| JEE - JSE org.w3c.dom | Parametrization rules for JSE org.w3c.dom | |
| JEE - Logger JBOSS Seam 2.2.2 | Parametrization rules for Logger JBOSS Seam 2.2.2 | |
| JEE - EasyMock | EasyMock related annotations to be ignored | Like org.easymock.Mock |
| JEE - Unit Test Unitils | Unitils related annotations to be ignored | Like org.unitils.dbunit.annotation.DataSet |
| JEE - jBehave | jBehave related annotations to be ignored | Like org.jbehave.core.annotations.When |
| JEE - JAX-WS | JAX-WS related annotations to be ignored | Like javax.xml.ws.soap.MTOM |
| JEE - MeltingPot | Some miscellaneous annotations to be ignored | Like edu.umd.cs.findbugs.annotations.SuppressFBWarnings |

New Quality Rules

Two new Quality Rules have been added in this release to reinforce the security checks. Both target the transformation string passed to javax.crypto.Cipher.getInstance (and the algorithm name passed to the matching key generator): the first flags RSA encryption that does not use OAEP padding, the second flags the DES and triple DES (DESede) block ciphers.

Avoid using RSA Cryptographic algorithms without OAEP (Optimal Asymmetric Encryption Padding)

  • Parent Technical Criterion: Secure Coding - Weak Security Features
  • Critical Contribution: Yes
  • Quality Rule weight: 9

References:

  • CWE-780 - Use of RSA Algorithm without OAEP
  • CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
  • OWASP: A3:2017-Sensitive Data Exposure

Avoid using weak encryption algorithm as DES and triple DES

  • Parent Technical Criterion: Secure Coding - Weak Security Features
  • Critical Contribution: Yes
  • Quality Rule weight: 9

References:

  • CWE-326 - Inadequate Encryption Strength
  • CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
  • OWASP: A3:2017-Sensitive Data Exposure
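The Java class below is an added example written for this page; it is not CAST code and is not taken from the rule definitions of the JEE Analyzer. It puts the non-compliant JCE calls that the two rules above target (plain "RSA", and "DES"/"DESede") beside the compliant replacements a developer would be expected to move to (RSA-OAEP with SHA-256, and AES-256-GCM). Class and method names are illustrative, and the plaintext is a constructed sample; it runs on a standard JDK with no extra provider.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.spec.MGF1ParameterSpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

// Illustrative class for this page (not part of CAST or of any project's code base).
public class CryptoRuleExamples {

    // Non-compliant for "Avoid using RSA Cryptographic algorithms without OAEP":
    // the bare transformation "RSA" resolves to RSA/ECB/PKCS1Padding on the
    // default JDK provider, i.e. PKCS#1 v1.5 padding and no OAEP.
    static byte[] rsaWithoutOaep(KeyPair kp, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("RSA"); // flagged
        c.init(Cipher.ENCRYPT_MODE, kp.getPublic());
        return c.doFinal(plaintext);
    }

    // Compliant: OAEP, with SHA-256 for both the OAEP hash and the MGF1 digest.
    // The explicit OAEPParameterSpec matters: with the transformation string
    // alone some providers keep MGF1 on SHA-1, so both digests are spelled out.
    static OAEPParameterSpec oaepSha256() {
        return new OAEPParameterSpec("SHA-256", "MGF1",
                MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);
    }

    static byte[] rsaOaepEncrypt(KeyPair kp, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.ENCRYPT_MODE, kp.getPublic(), oaepSha256());
        return c.doFinal(plaintext);
    }

    static byte[] rsaOaepDecrypt(KeyPair kp, byte[] ciphertext) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.DECRYPT_MODE, kp.getPrivate(), oaepSha256());
        return c.doFinal(ciphertext);
    }

    // Non-compliant for "Avoid using weak encryption algorithm as DES and triple DES":
    // "DES" (56-bit key) and "DESede" (triple DES, 64-bit block) are both reported.
    // Note that the JCE name for triple DES is DESede, not "3DES".
    static byte[] tripleDesEncrypt(byte[] plaintext) throws Exception {
        SecretKey key = KeyGenerator.getInstance("DESede").generateKey(); // flagged
        Cipher c = Cipher.getInstance("DESede/ECB/PKCS5Padding");         // flagged
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(plaintext);
    }

    // Compliant replacement: AES-256 in GCM with a fresh 96-bit nonce per message.
    // The nonce is prepended to the ciphertext so the receiver can recover it.
    static byte[] aesGcmEncrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    static byte[] aesGcmDecrypt(SecretKey key, byte[] blob) throws Exception {
        byte[] nonce = Arrays.copyOfRange(blob, 0, 12);
        byte[] ct = Arrays.copyOfRange(blob, 12, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        return c.doFinal(ct); // throws AEADBadTagException if the blob was tampered with
    }

    public static void main(String[] args) throws Exception {
        byte[] msg = "constructed sample plaintext".getBytes(StandardCharsets.UTF_8);

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] rsaCt = rsaOaepEncrypt(kp, msg);
        System.out.println("RSA-OAEP round trip: " + Arrays.equals(msg, rsaOaepDecrypt(kp, rsaCt)));

        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey aesKey = kg.generateKey();
        byte[] blob = aesGcmEncrypt(aesKey, msg);
        System.out.println("AES-GCM round trip: " + Arrays.equals(msg, aesGcmDecrypt(aesKey, blob)));
    }
}
```

When reviewing violations, it is the transformation string that decides the outcome: "RSA" and "RSA/ECB/PKCS1Padding" are both PKCS#1 v1.5 and both non-compliant, whereas any "RSA/ECB/OAEPWith...AndMGF1Padding" transformation is OAEP. Likewise, replacing "DESede" with "AES" in the key generator is not enough on its own; the Cipher transformation must change too, and an authenticated mode such as GCM avoids trading a weak cipher for an unauthenticated one.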

Resolved issues in this release

The following issues have been fixed in this release of the JEE Analyzer extension:

| Internal ID | Call ID | Summary |
|---|---|---|
| JFAMILY-485 | | JEE QR "Pages should use error handling page" should not be critical |
| JFAMILY-601 | | Documentation: details about the Quality Rule "Avoid Artifacts with lines longer than X characters" need to be updated |
| JFAMILY-616 | | Documentation: QR description metric "Avoid using native Methods (JNI)" to be reviewed |
| JFAMILY-621 | | TCCConfig - eFile free definition should be more accurate. Images should not be viewed as a starting point |
| JFAMILY-622 | | TCCConfig - run methods should not be viewed as a starting point if they are called by another run method |
| JFAMILY-652 | | TCC - java.lang.Process should be viewed as an endpoint |
| JFAMILY-653 | | TCC - main methods selection as starting point should include only main methods that are not called or executed |
| JFAMILY-655 | | New environment profiles transferred from the Analysis configuration SME kit should be better integrated |
| JFAMILY-658 | | We should ignore the annotation sun.reflect.CallerSensitive |
| JFAMILY-666 | | JAVA142: unable to find or to use archive: jce.jar.blackbox.xml |
| JFAMILY-713 | | Analysis failing with error: The process Jeecmd.exe has stopped working, exited with code -1073741819 |