A bug has been detected which was causing Brushes classes to wrongly violate the Quality Rule "Avoid types that own disposable fields and are not disposable - 8086". This bug has now been fixed (Brushes are now excluded from the scope of this Quality Rule) and after an upgrade to CAST AIP 8.2.3 and the generation of a post upgrade snapshot, results may differ for this Quality Rule: you may see fewer violations.

Multiple User Input Security related Quality Rules

A bug has been detected which is causing the value for the Total (Total Checks) in the CAST Application Engineering Dashboard to be incorrectly reported (the value is too high), for the following Quality Rules:

  • Avoid cross-site scripting DOM vulnerabilities ( CWE-79 ) - 7740
  • Avoid LDAP injection vulnerabilities ( CWE-90 ) - 7746
  • Avoid OS command injection vulnerabilities ( CWE-78 ) - 7748

This bug has now been fixed and after an upgrade to CAST AIP 8.2.3 and the generation of a post upgrade snapshot, the Total (Total Checks) value will now be reported correctly (the value will decrease).

JEE/SQL

Avoid using SQL queries inside a loop - 7424

A bug has been discovered which has resulted in false negatives (i.e. violations are expected but not found) for the Quality Rule "Avoid using SQL queries inside a loop - 7424" when the analysis involves JEE (the class SimpleJdbcTemplate from the Spring Framework 3.0) and SQL. This bug is due to two factors:

  • The Spring Framework 3.0 environment profile does not declare the parameterized method org.springframework.jdbc.core.simple.SimpleJdbcTemplate.update, so the Inference Engine is not able to identify the SQL queries.
  • The query is defined in a static field, so the method write is not considered a SQL Artifact, which is the scope of this Quality Rule.
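As an added illustration (not code from the CAST release notes or from Spring), the following Java class shows the shape described by the two factors above: a query held in a static field and executed once per loop iteration through SimpleJdbcTemplate.update, beside a batched alternative that avoids the query-in-loop pattern. The class, table and column names are constructed for the example.

```java
import java.util.ArrayList;
import java.util.List;
import org.springframework.jdbc.core.simple.SimpleJdbcTemplate;

// Constructed example; AccountStatusWriter and the account table are hypothetical.
public class AccountStatusWriter {

    // The SQL text lives in a static field. Before CAST AIP 8.2.3 this shape was
    // missed by rule 7424 because the executing method was not classified as a
    // SQL Artifact when the query text came from a static field.
    private static final String MARK_INACTIVE =
            "UPDATE account SET status = 'INACTIVE' WHERE id = ?";

    private final SimpleJdbcTemplate jdbc;

    public AccountStatusWriter(SimpleJdbcTemplate jdbc) {
        this.jdbc = jdbc;
    }

    // The pattern the Quality Rule is meant to report: one SQL round trip per
    // element. SimpleJdbcTemplate.update(String sql, Object... args) is the
    // parameterized method missing from the Spring Framework 3.0 profile.
    public int writeOneByOne(List<Long> ids) {
        int changed = 0;
        for (Long id : ids) {
            changed += jdbc.update(MARK_INACTIVE, id);
        }
        return changed;
    }

    // Remediation: a single batched statement instead of a query per iteration,
    // so the loop no longer contains a SQL call.
    public int writeBatched(List<Long> ids) {
        List<Object[]> args = new ArrayList<Object[]>();
        for (Long id : ids) {
            args.add(new Object[] { id });
        }
        int[] counts = jdbc.batchUpdate(MARK_INACTIVE, args);
        int changed = 0;
        for (int c : counts) {
            changed += c;
        }
        return changed;
    }
}
```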


  • The number of objects in the User Defined Module may decrease and therefore anything that is calculated on the basis of the User Defined Module can change:
    • The number of Quality Rule violations may decrease and therefore grades may slightly increase.
    • Quality Measure values may decrease (for example, Lines of Code, Backfired Function Points, Automated Function Points).

.NET / Metrics Assistant / Total Cyclomatic Complexity

A bug has been discovered in CAST AIP 8.x which meant that the Metrics Assistant (when processing .NET source code) did not take into account as many objects as it did in CAST AIP 7.3.x. This bug will have resulted in a difference in the Total Cyclomatic Complexity value (Total CC) reported by the CAST Engineering Dashboard (lower in CAST AIP 8.x than in CAST AIP 7.3.x). The bug has now been fixed and after an upgrade to CAST AIP 8.2.3 and the generation of a post upgrade snapshot, results may differ for the Total CC value (higher than previously).

Improvements made to Oracle PL/SQL syntax support

The following syntax is now supported by CAST AIP. After an upgrade to CAST AIP 8.2.3 and the generation of a post upgrade snapshot, results may therefore differ:

  • PIVOT/UNPIVOT
  • LISTAGG

ABAP

Improvements made to ABAP syntax support

The following syntax (which is permitted in ABAP source code) is now supported by CAST AIP. After an upgrade to CAST AIP 8.2.3 and the generation of a post upgrade snapshot, results may therefore differ:

  • "ENVIRONMENT TIME FORMAT" or "ENVIRONMENT FORMAT" (options for WRITE statements)
  • "EXEC SQL" with comments between EXEC and SQL, for example:

```abap
EXEC "comment
SQL
SELECT ev1.vkonto ....
ENDEXEC.
```

  • ~ character now supported in SORT clauses, for example:

```abap
SORT if_ex_ibssi_receive_to_dwn~bapimtcs_buffer BY tabname objkey.
```

  • Preprocessing when ":" is inside parentheses, for example:

```abap
cucomd->reset(:
cl_iuicmd_cucomd_impl=>gc_premise_node ),
cl_iuicmd_cucomd_impl=>gc_buag_node ).
```

  • A full expression in the FROM clause is now supported, for example:

```abap
LOOP AT p_xyt_doc_item ASSIGNING <lfs_doc_items1> FROM l_i_index1 + 1.
```

  • When an integer is present in a FROM clause, for example:

```abap
DELETE gi_pp_nr FROM 2.
```

  • When a macro is called with another macro name as a parameter, for example:

```abap
define macro_execute.
  &1 1.
end-of-definition.
define lmacro_def_itab.
  types &1.
end-of-definition.
macro_execute lmacro_def_itab.
```

Improvements made to link resolution through generic transactions

Link resolution has been improved for the following generic transactions:

  • START_REPORT: a link is now created from the initial transaction to the program that is passed to the generic transaction via the parameter.

  • SE16: a link is now created from the initial transaction to the database table that is passed to the generic transaction via the parameter.

Therefore, after an upgrade to CAST AIP 8.2.3 and the generation of a post upgrade snapshot, results may differ: improved link resolution (more accuracy), increased number of transactional Function Points, Quality Rule differences etc.

JEE

XML/.properties files

A bug has been identified in the JEE analyzer in CAST AIP 8.x that is causing fewer objects to be saved to the CAST Analysis Service database than in CAST AIP 7.3.x. This bug is seen when an XML (or .properties) file is provided twice as the input of the JEE analyzer. Two objects are created, which leads to a duplicated guid that causes the object to be removed when it is saved to the CAST Analysis Service database. This bug has now been fixed and after an upgrade to CAST AIP 8.2.3 and the generation of a post upgrade snapshot, results may therefore differ: increased number of objects (more accuracy), increased number of transactional Function Points, Quality Rule differences etc.

JPA @NamedQueries

A bug has been identified in the JEE analyzer that is causing JPA @NamedQueries that are embedded in container annotations, e.g.: @NamedQueries({..}) not to be detected by the analyzer (see example code below). This bug has now been fixed and after an upgrade to CAST AIP 8.2.3 and the generation of a post upgrade snapshot, results may therefore differ: improved link resolution (more accuracy), increased number of transactional Function Points, Quality Rule differences etc.

Example code:

```java
@NamedQueries({
    @NamedQuery(name = "FirstOne", ...),
    @NamedQuery(name = "SecondOne", ...)
})
class MyClass {
}
```

Struts config files defined in web.xml rather than through a naming convention

A bug has been identified in the JEE analyzer that is causing only some Struts config files (and no child Struts files) to be saved to the Analysis Service database where the Struts config files are defined in the web.xml rather than through a naming convention. This bug has now been fixed and after an upgrade to CAST AIP 8.2.3 and the generation of a post upgrade snapshot, results may therefore differ: increased number of objects (more accuracy), increased number of transactional Function Points, Quality Rule differences etc.

Struts

A bug has been identified in the JEE analyzer that is causing links between JavaScript client side functions and Struts action mapping to be missed during an analysis. This bug has now been fixed and after an upgrade to CAST AIP 8.2.3 and the generation of a post upgrade snapshot, results may therefore differ to give greater accuracy: increased number of transactional Function Points, Quality Rule differences etc.

JavaScript files included in JSP files with scriptlets

A bug has been identified in the JEE analyzer that is causing JavaScript method calls inside JavaScript files that are included in JSP files using the scriptlet "<%=..%>" to not be detected by the analyzer. This bug has now been fixed and after an upgrade to CAST AIP 8.2.3 and the generation of a post upgrade snapshot, results may therefore differ to give greater accuracy: increased number of transactional Function Points, Quality Rule differences, improved link resolution.

Miscellaneous result changes

Function Points (Transaction Configuration Center) - DET (Data Element Types) values when upgrading from 7.3.x

When upgrading from CAST AIP 7.3.x, an automatic process removes any datafunction/transaction whose maintable/form is out of the scope of the application. However, due to an unfixed bug (SCRAIP-23812), any of these items that has any kind of calibration flag set against it (e.g. ignored) will not be removed and will incorrectly remain in the datafunction/transaction list. This fact, in combination with the difference in the way in which DET (Data Element Types) are handled in AIP 7.3.x and AIP 8.x (from AIP 8.0 onwards the DET value is initialized as 0 at the beginning of the Function Point computation), will cause these items to have their DET value set to 0, whereas previously (i.e. in AIP 7.3.x) they kept their DET value of 5. In addition, their Function Point values will still be computed even when the DET is set to 0.
