Current known issues and vulnerabilities

This page lists all known issues in CAST AIP 8.3.5. There are 33 36 issues in the list. Note that the column "Internal ID" is used only as an internal reference ID.

Technology | Component/s | Situation | Symptoms | Workaround | Affected Version/s | Internal ID

Export the list of violations via the REST API by using the Preferred Media Type: text/csv

Internal Server Error - Response Status 500


Upgrade CAST schemata from 8.2.x to 8.3.x using Server Manager 
AND the C-Family extension is installed in the 8.2.x schemata before upgrade 
AND the C-Family extension is not present in your 8.3.x extension folder 
(Note: As a consequence, the C-Family extension is removed from CAST schemata during upgrade.)
When opening CAST Management Studio (CAST-MS) and verifying the Assessment Model, you will see warnings in the Assessment Model Validation View: 

Missing name 
Missing Associated Value 
Missing Number of Associated Value 
Missing Computing Configuration 
Missing deprecated 
Missing XXL Quality Rule 

Note: These warnings have no consequence on snapshot results and can be safely ignored. 

As a workaround, you can remove all C-Family quality rules from Assessment Models before upgrading schemata. 
These are the quality rules with IDs between 1050000 and 1050050:

# | Rule ID | Rule Name 
1 | 1050000 | Avoid using the call of web service with iOS/Objective-C API inside a loop 
2 | 1050002 | Avoid using NSString stringWithFormat on behalf of NSURL instance 
3 | 1050004 | Avoid using NSPredicate predicateWithFormat 
4 | 1050006 | Avoid using NSException raise:format: and raise:format:arguments: 
5 | 1050008 | Avoid using NSMutableString appendFormat: on behalf of NSURL instance 
6 | 1050010 | Avoid using NSURLRequest setAllowsAnyHTTPSCertificate:forHost 
7 | 1050012 | Objective-C interface overrides the isEqual: method but not the hash method 
8 | 1050014 | UIApplication delegate applicationDidEnterBackground: must delete sensitive data 
9 | 1050016 | Never use strcat() function 
10 | 1050018 | Never use strcpy() function 
11 | 1050020 | Avoid return statement in @finally block 
12 | 1050022 | Avoid using deprecated SSL protocol 
13 | 1050024 | Avoid using kSecAttrAccessibleAlways attribute when storing data in the Keychain 
14 | 1050026 | Avoid using non thread-safe Objective-C singleton pattern 
15 | 1050028 | Always use LAContext canEvaluatePolicy: before using evaluatePolicy: 
16 | 1050030 | Ensure the Objective-C error condition check is not fragile 
17 | 1050032 | Ensure that LAContext evaluatePolicy: reply block success is checked 
18 | 1050034 | Ensure that LAContext evaluatePolicy: reply block is not empty 
19 | 1050036 | Ensure that iOS Projects are ARC enabled 
20 | 1050038 | Avoid using NSURLRequestUseProtocolCachePolicy for NSURLRequest 
21 | 1050040 | Avoid using SecTransform API 
22 | 1050042 | Avoid synchronizing the credentials with iCloud 
23 | 1050044 | Avoid weak encryption providing sufficient key size 
24 | 1050046 | Avoid weak encryption algorithm 
25 | 1050048 | Avoid creating file without protection 
26 | 1050050 | Avoid using cryptography hash without salt


Using Extension Downloader to install Technology Extension For Flex (com.castsoftware.flex), version 1.0.2, 1.0.3, or 1.0.4.

Installation fails with the following error: 

The specified path, file name, or both are too long. The fully qualified file name must be less than 260 characters, and the directory name must be less than 248 characters.

Set your default temporary folder (as defined by Windows environment variable %TMP%) to a path of 10 characters and launch Extension Downloader from the command line. For instance: 

set TMP=c:\temp 
ExtensionDownloader.exe install com.castsoftware.flex --version 1.0.2


Delivery Manager Tool

Upgrade CAST schemata from 8.2.x to 8.3.x using Server Manager 
And the schemata contain a Business Objects (BO) application

After upgrade with Server Manager, it is impossible to open Delivery Manager Tool (DMT). You get the following error message: 

Invalid ////S:/DMTDelivery834/Data/{..}/{...}/0cb4f6ea-b809-4c54-89d4-0ead2f452ad5.entity.xml


Using CAST Server Manager to upgrade using Assessment Model option "default AM". 
Look at logs under %TEMP%\CAST\CAST\8.3\Servman 
The log file contains this warning message: "WRN: :- Cannot find: CAST 8.3.3 Assessment Model" 

Analyzing an application made of 2 (or more) technologies. E.g. C++ and PHP 
And source code of different technologies shares a common parent folder. E.g.: 
  -- C:\Sources\CPP 
  -- C:\Sources\PHP 
Note: For each folder in the source code path, AIP creates a "Directory" object. Directory objects have specific types, such as "C++ Directory" or "UA Directory" (PHP is analyzed with the Universal Analyzer, UA).
The following quality rules can report fewer violations than expected: 
  -- .NET: Consistent File full name and directory structure (DIAG_SCOPE_ASPBEST008) 
  -- .NET: Index pages and global.asa location in the root directory (DIAG_SCOPE_ASPBEST009) 
  -- C++: Count of Objects likely to use structures (DIAG_CPP_ANA_USING_STR_TOTAL) 

In Enlighten and in Development view of CAST Engineering Dashboard (CED): 
Only a single Directory object is created for the parent folder. The type of the Directory object for the parent folder depends on the analysis order of the technologies. The Directory object takes the type of the first technology analyzed within the application. 
Expected are as many Directory objects as there are different technologies underneath the parent folder, each having the type of the respective technology. 
For the example given in "Situation", 3 Directory objects are created: 
  -- A "C++ Directory" for "Sources" folder (if C++ is analyzed before PHP, otherwise it will be a "UA Directory") 
  -- A "C++ Directory" for "CPP" folder 
  -- A "UA Directory" for "PHP" folder 
Expected are: 
  -- A "C++ Directory" for "Sources" folder 
  -- A "UA Directory" for "Sources" folder 
  -- A "C++ Directory" for "CPP" folder 
  -- A "UA Directory" for "PHP" folder


When analyzing an application containing T-SQL code that includes tables with indexes.

Results for all Quality Rules related to table indexes are incomplete (some violations are missing) and metrics related to table indexes (for example Line number where no index is used in a WHERE clause) are below their real value.

Application Engineering Dashboard (AED)

Analyzing a JEE application 
and a module is shared between several analysis units of the application 
and shared modules are in violation,

The information displayed for quality rule "Avoid cyclical calls and inheritances between packages" is inconsistent. For instance: 
* The grade is shown as evolving while no violation is added 
* The number of objects in violation is inconsistent with the number of failed checks 

Violations are not counted consistently, resulting in the issues listed above.

During a quality analysis of .ABAP, PowerBuilder, C++, C#, VB.NET or JEE

Violation of rule 'Avoid Classes with a High Lack of Cohesion' is raised for classes without any member variable (function container)

None. The standard "cohesion" metric is defined to be 1 for this kind of class, which is not really recommended in an object oriented environment. This will mark them as in violation, even though this can be considered as a valid programming pattern in some contexts.

When you load the CED page "Investigation - Application Drilldown" multiple times without having results displayed

Depending on application size, it can take time to display results. If you then try to reload the page, it will duplicate a dashboard job that is going to insert data in the database. As a result, you will have duplicated information in the page for "number of violated rules", "number of objects with violations", "number of violations"

Don't reload the page until the page displays results

8.2.0 | SCRAIP-21320

Any analysis where the Module configuration does not use the "Full content module" option.

The execution report, available in CMS at the end of the snapshot procedure, indicates one extra module, compared to what is configured and displayed elsewhere in the product (Modules tab in CMS, Dashboard)

None. This is a pure display bug, without any consequence on the results.

8.1.0 | SCRAIP-18678

Running the first analysis of an application just after upgrade from a version older than 8.0.0

CMS verification view shows an error similar to "[Object ID] :Code xxx does not correspond to an active type". 

This comes from the fact that some object types linked to the legacy VB.NET analyzer (version 7.3 and older) don't have an exact matching type in recent versions. They are left in the configuration as is, but are considered invalid. 

This will happen most often for an application which uses C# or VB.NET, but these types can be used (by mistake) in any application.

The objects indicated in the error (module definition, AU definition) must be edited in CMS, removing the legacy type, and making them use the new types as applicable.

8.0.0 | SCRAIP-13699

Transaction Configuration Center (TCC)

With the .NET technology, you can create a dependency link either directly between two projects, or between one project and an assembly that was generated by another project. In the second case, if you have several copies of the same DLL (possibly with different versions), you should always reference the same file in all projects. If several versions of the file (even identical but in different paths) are selected, they will conflict with each other.

Some objects and links may be missing from the analysis results (and therefore transactions may also be missing and the Function Point count may be incorrect), with no message about unresolved calls even when looking at the log in debug mode.

If you are in this situation, you can, before packaging the application with the Delivery Manager Tool, change the project files to manually ensure only one file is referenced. You can do this in Visual Studio, or manually in the .csproj files. 

Alternatively, if you reference an assembly that is built by another project in your delivery, you can also replace all assembly references to it with a project reference, which will bring more benefits.

CMS Snapshot/Analysis - Generate Modules

Re-analysis of an application, where the execution split has been changed. That is, grouping of analysis units in execution units has been updated, in order to work around memory issues, or for any other reason.

In the Dashboard, some modules appear empty, or some objects are marked as deleted even though they exist in the code. When checking the module content in CAST Management Studio, the objects still appear. 

There is no easy workaround for that problem. The data used to compute final results of the analysis have been corrupted by the execution units reorganization. Please get in touch with CAST Support, they will help you fix the problem.


CMS Analysis Unit - Settings

Analysis of a .NET web application using third party JavaScript libraries with the option 'Exclude standard JavaScript libraries' set to 'yes'.

The analysis raises some violations on third party JavaScript libraries like jQuery.

CAST Dashboard

When upgrading from CAST AIP 7.0.x to CAST AIP 7.3.x and looking at the dates listed for the current and previous snapshots in the CAST Engineering Dashboard.

A discrepancy is displayed regarding the dates if the snapshot that was generated at the end of the CAST migration process is deleted and re-generated. In this situation the current snapshot date is displayed correctly, but the previous snapshot date is incorrect and refers to an older snapshot.

The violations on diag 'Avoid having SQL code in Triggers named pre-record' disappear when there is no squirrel package in the version.

Missing violations on the diag 'Avoid having SQL code in Triggers named pre-record'. 

CAST Update Tool (CUT)

Migrating from 7.2 to 7.3 using CAST Update Tool (CUT). 
And having a delivery folder shared among multiple Management Bases (MB). 
And having all MBs of the delivery folder ticked in CUT for update.

CUT incorrectly displays a "Confirmation" dialog box. The dialog box reads: 
"You must select all MBs that manage applications within a delivery folder. Refer to the documentation. 
Database(s) missing in folder <delivery folder>: 

<empty list> 

And <n> MBs not listed in the connection profiles. 

Do you want to continue? 

<OK> / <Cancel>"

Note: If ALL MBs have been ticked, the message is incorrectly displayed and can be safely ignored and you can proceed by clicking "OK". Migration will succeed. 
However, if there are MBs that have not been ticked, you MUST NOT proceed but make sure that you select all MBs first.

CAST Management Studio (CMS)

- Duplicate a csproj under a folder with a lot of .NET sources
- In DMT, create a package containing duplicated projects 
- Analyze in one way duplicated projects

A performance issue occurs in the merging phase of the analyzer

Remove duplicated sources to restore performance

7.3.0 | SCRAIP-2902

CMS Snapshot/Analysis - Compute Snapshot

Two Applications (A and B) exist in the CAST Management Studio and objects in Application A have links to objects in Application B. To identify and save these links, a custom dependency is created between the two Applications.

When the "Take a snapshot of each Application" option is run for the first time after defining the dependency, no links between the two Applications are identified.

Re-run the "Take a snapshot of each Application" option to obtain the links between the two Applications.

7.3.0 | SCRAIP-1539

Using CAST Management Studio or the Delivery Manager Tool on Windows 8 or 10, with a High Resolution Display

Many text fields are not correctly displayed; the text is too big and only partially visible.

Change the display scaling factor back to 100%. CMS/DMT do not correctly handle the recent UI scaling introduced by Windows for High DPI screens. 

In Windows 10, right click on the Desktop Background, select "Display settings". 
In that window, move the "Change the size of text (...)" slider to 100%, even if it is not the recommended value.

When using the CAST AIC Portal

When you rename an Application in the CAST AIC Portal, the name change is not reflected when subsequently using the Delivery Manager Tool (the Application name has not been updated).

CMS Snapshot/Analysis

When generating a snapshot in the CAST Management Studio on one machine and having the CAST Storage Service installed on a different machine and each machine is showing a different time (or is configured to a different time zone).

The capture date/time of the snapshot is not consistent between the CAST Management Studio and the CAST Storage Service.

CAST Dashboard

Occurs on CAST Engineering Dashboard, Investigation - Quality Model Drilldown view when selecting a Distribution.

Depending on which Business Criterion the distribution is selected through, the list of objects selected for the distribution will not be the same if some objects exist without any violations. 

If the distribution is selected through the Health Factor indicator, the list of objects is sorted by PRI, so only objects with violations are listed. 
If the distribution is selected through the TQI or Rules Compliance indicator, the list of objects is sorted by name and contains all objects, even those with no violations. 

There is no impact on the grade, which is similar everywhere.


CAST Management Studio (CMS)

When synchronizing an Assessment Model on a Dashboard Service after some documentation update

The synchronization fails with "Invalid language symbol 'English' in metric ID <x>"

Remove the 'English' translation of the default 'English' text for the indicators with External ID <x>.

7.1.0 | SCRAIP-13532

When using the CAST Management Studio and editing an Analysis Unit that enables you to include or exclude source files/folders (C/C++ for example).

If you add an exclusion/inclusion and then click the Cancel button, a blank entry is added to the list of exclusion and inclusions.

When changing the path to the Deployment folder in the CAST Management Studio.

The help explanation displayed in the dialog box is truncated.

When using the CAST Delivery Manager Tool to create a remediation item.

On cancelling the remediation creation window, the remediation is added anyway.

- Running analysis of an Application with the CAST-MS command line: 
      CAST-MS-cli.exe RunAnalysis -connectionProfile myConnectString -deliveryUnit myDU -system mySystem -appli myApplication 
- And there is no application "myApplication" in the Delivery Unit.

All applications are analyzed instead of only the one defined in the command line (myApplication).

Make sure the application defined in the command line exists in the Delivery Unit portfolio.

7.0.9 | SCRAIP-14981

CAST Dashboard

When selecting a Business Criterion in the Investigation view and when working with Internet Explorer 7 or 8.

Selecting a Business Criterion will sometimes cause a different Business Criterion to be selected and updated.

Sort the Business Criterion column using the column header.

7.0.7 | SCRAIP-13777

New User Defined Table types added after an initial analysis/snapshot are missing from the Analysis Service if they are not called by another SQL object. You take a snapshot for a database that may contain User Defined Table types. 

You then add a new User Defined Table type and execute a second snapshot. You check in CAST Enlighten to see if this User Defined Table type exists or not. The object is missing. 

You then add a new procedure that calls this User Defined Table type and then execute a third snapshot. When you check with Enlighten, the object now exists. 

If the User Defined Table type exists in the application before the first analysis/snapshot, it will be saved; if not, it is saved in your Analysis Service only when it is referenced by another SQL object (e.g. by a stored procedure).


The Metrics Assistant wizard does not allow the use of functions and procedures defined in 'Object types'

When different languages (java, js, html ...) are present on one single line of code, the computed 'number of lines of code' is wrong.

Having an object in one database (e.g. a procedure in database A) accessing an object in another database (e.g. a table in database B) and the following conditions are met: 
- Both databases have been previously analyzed and therefore exist already in the KB. 
- The two databases are analyzed by different jobs. 
- The option 'Auto register called databases' is OFF in the job analyzing database A.
Missing link between objects in different databases when both databases exist in the KB and are analyzed separately. 
In the job log the following informational message is contained. The job finishes successfully. 
Information: Skipped Ref. procedure 'my_proc' -> table 'my_db..my_table' because 'my_db..my_table' is in a foreign database that not registered. 
In Enlighten, there is no link between my_proc and my_db..my_table.
Either set option 'Auto register called databases' to ON in the job analyzing database A, or analyze both databases in one single job.

6.4.1 | SCRAIP-14769

- Analysing a JSP or ASP application. 
- In a JSP or ASP file, the last Script tag used specifies a different script language than the previous tags.
- All Script tags used in the file are considered as being of the same language as the last Script tag found in the file. 
- This can result in a syntax error during analysis when analyzing scripts using different Script Languages in the same file.
Modify the last Script tag in the file using a text replacement: at the end of the last tag used in the file, add a Script tag whose language is different from the one used for this tag. 

- the previous tags in the page are in JavaScript, 
- the last tag in the page is in vbScript 
- Text Replacement: <tag in vbScript><script text="text/javascript"></script> 

Characters that are specified in a JavaScript file in the form '%nnn' lead to a syntax error. For example, the following line in a JavaScript file produces a syntax error during analysis: 


Please note the '%20' notation that is used for the space character.