Summary: CAST AIP 8.3.16 introduces a number of features and changes as listed below. To view the impacts of these changes on analysis results, see: Changes in results post upgrade.

CAST Extension Downloader

Some changes have been made to switch downloads to the "next generation" CAST Extend service (https://extendng.castsoftware.com). This new CAST Extend service is a replacement for the existing CAST Extend Service which will be phased out in due course. Note that to use https://extendng.castsoftware.com, you will need to register a new account (https://extendng.castsoftware.com/register) - accounts from the existing CAST Extend service have not been transferred.

Installing CAST AIP ≥ 8.3.16 from scratch

When installing CAST AIP ≥ 8.3.16 from scratch when no previous release of CAST AIP exists, the following servers will be pre-configured for extension downloads (you will need to tick it to enable it for use):

Note that you can manually add the URL of the existing CAST Extend service if you prefer to use it, however, you should bear in mind that this service will be phased out in due course.

Installing CAST AIP ≥ 8.3.16 when a previous release of CAST AIP already exists

When installing CAST AIP ≥ 8.3.16 and a previous release of CAST AIP already exists (more specifically if the %PROGRAMDATA%\CAST\CAST\Extensions\ServerList.xml file exists) then the following will occur:

Note that you can manually add the URL of the existing CAST Extend service if you prefer to use it, however, you should bear in mind that this service will be phased out in due course.

Supported Platforms - storage

Support of PostgreSQL 10 for storage

Support has been introduced for PostgreSQL 10 and 11 (64bit) as storage, i.e. AIP schemas can now be created on these versions and analyses will run as expected. Some prerequisites do apply:

  • Minimum required release of CAST AIP core: 8.3.16
  • Minimum required version of specific extensions:
      • JEE Analyzer extension (com.castsoftware.jee): 1.0.19
      • .NET Analyzer extension (com.castsoftware.dotnet): 1.0.13
      • SAP BusinessObjects Analyzer extension (com.castsoftware.businessobject): 1.0.4 (LTS)
      • C and Cpp Analyzer extension (com.castsoftware.cpp): 2.0.5-funcrel-
      • iOS - Objective-C Analyzer extension (com.castsoftware.cfamily): 1.5.2-funcrel-

    The required versions of these extensions are those that are delivered as "shipped extensions" in AIP 8.3.16.



Support levels are as follows:

Mainframe Analyzer - support for IBM MQSeries

In CAST AIP ≥ 8.3.16, Mainframe Analyzer supports the publisher/subscriber mode and point-to-point mode for IBM MQSeries. Publisher/Subscriber objects will be generated and Call links between Cobol objects and IBM MQ objects and between IBM MQ objects and Cobol objects will be generated by the Web Services Linker extension - you must ensure that v. ≥ 1.6.8 of this extension is installed, otherwise no links will be generated.

You can find out more information about this support in Mainframe - Technical notes.

CAST Database Extractor

The CAST Database Extractor now supports:

  • (by reference) the extraction of schemas on Oracle 18c and above, in line with Oracle's updated release cycle. However, the extractor will handle the schemas as Oracle 12c schemas, and no new syntax or features introduced in these newer releases are supported.
  • Case sensitive passwords (introduced in Oracle 12c R2).

User Input Security related

Rule documentation changes

Total field updated

For several User Input Security related rules, the Total field has been updated to state "Number of potentially vulnerable methods" instead of "Number of methods calling user input methods". This is to better reflect what is returned by the rule. You can see details of these changes in Assessment Model updates in the chapter AIP 8.3.15 - 8.3.16.

External reference links updated

Links to external references have been updated for several User Input Security related rules to provide more up-to-date references. You can see details of these changes in Assessment Model updates in the chapter AIP 8.3.15 - 8.3.16.

SAP / ABAP rules

"CX_ROOT" should not be used in TRY .. CATCH.. ENDTRY block (8412) 

...

  • Avoid Artifacts with High Depth of Nested Subqueries (7130)
  • Avoid using BREAK or BREAK-POINT statement (7524)
  • Never use the ON CHANGE OF statement (7528)
  • Avoid "SELECT *" or "SELECT SINGLE *" queries (7530)
  • Avoid nested SELECT ... ENDSELECT statements (7532)
  • Avoid using AT events in combination of LOOP AT .... WHERE constructs (7536)
  • Avoid using SELECT ... INTO CORRESPONDING FIELDS OF (7538)
  • Avoid using SELECT ... ENDSELECT statement (7544)
  • Avoid using "ORDER BY" in SELECTS (7592)
  • Avoid using "SELECT DISTINCT", use DELETE-ADJACENT (7594)
  • Avoid using SELECT ... ENDSELECT statement on XXL tables (7666) 
  • Avoid using EXIT statement in Include (7672)
  • Avoid empty catch blocks (7788)
  • Avoid Artifacts with Group By (7806)
  • Avoid Artifacts with SQL statement including subqueries (7808)
  • Avoid Artifacts with a Complex SELECT Clause (7810)
  • Never use SQL queries with a cartesian product (7820)
  • Avoid Artifacts with queries on more than 4 Tables (7822)
  • Avoid using Native SQL (7882)
  • Avoid SQL queries that no index can support (7902)

.NET rules

The following multi-techno rules have been disabled in 8.3.16 specifically and only for .NET technology and will no longer be triggered during an analysis. These rules often generated a large amount of false positive violations:

Dynamic Links rule files

Dynamic Links rule files now function with SAP BusinessObjects and SAP PowerBuilder analysis results.

...

Some changes have been made to the structure of the Dashboard and Analysis Service schemas to reduce the potential size of the Dashboard Service schema tables DSS_LINKS and DSS_LINK_INFO:


Note that these changes mean that the following Dashboards and RestAPI deployments must be used with CAST AIP 8.3.16 schemas:

  • Version ≥ 1.11.2 of standalone dashboard WARs
  • Version ≥ 1.12.0 of AIPCONSOLE for embedded dashboards
  • The dashboard WARs delivered with CAST AIP (in the WARS folder). Note that these dashboards are set to version 1.5 and do not contain any enhancement introduced in more recent standalone dashboard package WARs.

Data (links with IDs from 11000 to 11006) related to CAST Transaction Configuration Center data functions and transactions that was previously stored in these two tables will now be stored in a new table called FP_LINK_INFO. This table now contains all object details of transactions/data functions. It has exactly the same structure as DSS_LINK_INFO:

...

If you have custom scripts that fetch data from any of the existing tables, please ensure that you update these scripts yourself.

Mainframe new feature

IBM MQSeries

From 8.3.16, Mainframe Analyzer supports the publisher/subscriber mode and point-to-point mode for IBM MQSeries.

Two types of implementation:

  • Point to Point: MOVE MQOT-Q TO MQOD-OBJECTTYPE:

    In point-to-point, message producers are called senders and message consumers are called receivers. Senders produce messages to a queue, and receivers asynchronously consume messages from that queue.

    For point-to-point to work, connected applications need to know the name of the queue through which they interact.

    A queue could have a single receiver or be scaled to many, in which case each message is only consumed by one receiver, distributing the workload across them all.

    This style of messaging is built around the concept of message queues, and around the processing of messages by a single consumer.

  • Publisher/Subscriber: MOVE MQOT-TOPIC-Q TO MQOD-OBJECTTYPE:

    The producer of a message is known as a publisher, and message consumers are known as subscribers. The publishing and subscribing applications within the infrastructure agree on the name of a topic. For a consumer to signal that they want to receive messages on that topic, they create a subscription to it.

    Any message published to a topic will be delivered to all the subscriptions, so every subscriber gets a copy. There could be many publishers and many subscribers to each topic; MQ handles the delivery of messages between all of them.

...

Example Publisher/Subscriber:

Publishing to a topic:

...

Subscribing to a topic:

Code Block
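*> Working storage: subscription descriptor from the IBM MQ copybook.
01 SUB-DESCRIPTOR.
    COPY CMQSDV.

*> Subscription options, summed into MQSD-OPTIONS.
ADD MQSO-CREATE MQSO-MANAGED MQSO-FAIL-IF-QUIESCING
    GIVING MQSD-OPTIONS.
*> Topic string to subscribe to, passed by pointer and length.
MOVE 'Vegetal/Meal' TO TARGET-TOPIC.
SET MQSD-OBJECTSTRING-VSPTR TO ADDRESS OF TARGET-TOPIC.
MOVE 18 TO MQSD-OBJECTSTRING-VSLENGTH.

...
*> Create the subscription on the topic.
CALL 'MQSUB' USING HCONN,
                   SUB-DESCRIPTOR,
                   Q-HANDLE,
                   SUB-HANDLE,
                   MQCC,
                   REASON.

*> Get a published message using the queue handle passed to MQSUB.
CALL 'MQGET' USING HCONN,
                   Q-HANDLE,
                   MESSAGE-DESCRIPTOR,
                   GMOPTIONS,
                   BUFFER-LENGTH,
                   BUFFER,
                   DATA-LENGTH,
                   MQCC,
                   REASON.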

Result in Enlighten:


The link is created by WebServiceLinker from 1.6.8-funcrel.