On this page:
|Summary: CAST AIP 8.3.16 introduces a number of features and changes as listed below. To view the impacts of these changes on analysis results, see: Changes in results post upgrade.|
CAST Extension Downloader
Some changes have been made to switch downloads to the "next generation" CAST Extend service (https://extendng.castsoftware.com). This new CAST Extend service is a replacement for the existing CAST Extend Service which will be phased out in due course. Note that to use https://extendng.castsoftware.com, you will need to register a new account (https://extendng.castsoftware.com/register) - accounts from the existing CAST Extend service have not been transferred.
Installing CAST AIP ≥ 8.3.16 from scratch
When installing CAST AIP ≥ 8.3.16 from scratch when no previous release of CAST AIP exists, the following servers will be pre-configured for extension downloads (you will need to tick it to enable it for use):
|Note that you can manually add the URL of the existing CAST Extend service if you prefer to use it, however, you should bear in mind that this service will be phased out in due course.|
Installing CAST AIP ≥ 8.3.16 when a previous release of CAST AIP already exists
When installing CAST AIP ≥ 8.3.16 and a previous release of CAST AIP already exists (more specifically if the %PROGRAMDATA%\CAST\CAST\Extensions\ServerList.xml file exists) then the following will occur:
- https://extendng.castsoftware.com/api will be added as CAST Extend v3 but will not be ticked (i.e. you will need to tick it to enable it for use)
- https://extend.castsoftware.com:443/V2/api/v2 will be deleted
- All other servers will be remain as they were previously.
|Note that you can manually add the URL of the existing CAST Extend service if you prefer to use it, however, you should bear in mind that this service will be phased out in due course|
Supported Platforms - storage
Support of PostgreSQL ≥ 10 for storage
Support has been introduced for PostgreSQL 10 and 11 (64bit) as storage, i.e. AIP schemas can now be created on these versions and analyses will run as expected. Some prerequisites do apply:
- Minimum required release of CAST AIP core: 8.3.16
- Minimum required version of specific extensions:
|JEE Analyzer extension||com.castsoftware.jee||1.0.19||The required versions of these extensions are those that are delivered as "shipped extensions" in AIP 8.3.16.|
|.NET Analyzer extension||com.castsoftware.dotnet||1.0.13|
|SAP BusinessObjects Analyzer extension||com.castsoftware.businessobject||1.0.4 (LTS)|
|C and Cpp Analyzer extension||com.castsoftware.cpp||2.0.5-funcrel||-|
|iOS - Objective-C Analyzer extension||com.castsoftware.cfamily||1.5.2-funcrel||-|
Support levels are as follows:
Mainframe Analyzer - support for IBM MQSeries
In CAST AIP ≥ 8.3.16, Mainframe Analyzer supports the publisher/subscriber mode and point-to-point mode for IBM MQSeries. Publisher/Subscriber objects will be generated and Call links between Cobol objects and IBM MQ objects and between IBM MQ objects and Cobol objects will be generated by the Web Services Linker extension - you must ensure that v. ≥ 1.6.8 of this extension is installed, otherwise no links will be generated.
You can find out more information about this support in Mainframe - Technical notes.
CAST Database Extractor
The CAST Database Extractor now supports:
- (by reference) the extraction of schemas on Oracle 18c and above in line with Oracle's updated release cycle, however the extractor will handle the schemas as Oracle 12c schemas and no new syntax or features introduced in these newer releases is supported.
- Case sensitive passwords (introduced in Oracle 12c R2).
User Input Security related
Rule documentation changes
Total field updated
For several User Input Security related rules, the Total field has been updated to state "Number of potentially vulnerable methods" instead of "Number of methods calling user input methods". This is to better reflect what is returned by the rule. You can see details of these changes in Assessment Model updates in the chapter AIP 8.3.15 - 8.3.16.
External reference links updated
Links to external references have been updated for several User Input Security related rules to provide more up-to-date references. You can see details of these changes in Assessment Model updates in the chapter AIP 8.3.15 - 8.3.16.
SAP / ABAP rules
"CX_ROOT" should not be used in TRY .. CATCH.. ENDTRY block (8412)
- Avoid Artifacts with High Depth of Nested Subqueries (7130)
- Avoid using BREAK or BREAK-POINT statement (7524)
- Never use the ON CHANGE OF statement (7528)
- Avoid "SELECT *" or "SELECT SINGLE *" queries (7530)
- Avoid nested SELECT ... ENDSELECT statements (7532)
- Avoid using AT events in combination of LOOP AT .... WHERE constructs (7536)
- Avoid using SELECT ... INTO CORRESPONDING FIELDS OF (7538)
- Avoid using SELECT ... ENDSELECT statement (7544)
- Avoid using "ORDER BY" in SELECTS (7592)
- Avoid using "SELECT DISTINCT", use DELETE-ADJACENT (7594)
- Avoid using SELECT ... ENDSELECT statement on XXL tables (7666)
- Avoid using EXIT statement in Include (7672)
- Avoid empty catch blocks (7788)
- Avoid Artifacts with Group By (7806)
- Avoid Artifacts with SQL statement including subqueries (7808)
- Avoid Artifacts with a Complex SELECT Clause (7810)
- Never use SQL queries with a cartesian product (7820)
- Avoid Artifacts with queries on more than 4 Tables (7822)
- Avoid using Native SQL (7882)
- Avoid SQL queries that no index can support (7902)
The following multi-techno rules have been disabled in 8.3.16 specifically and only for .NET technology and will no longer be triggered during an analysis. These rules often generated a large amount of false positive violations:
- Avoid unreferenced Classes - 7832
- Avoid unreferenced Data Members - 7912
- Avoid unreferenced Methods - 7908
Dynamic Links rule files
Dynamic Links rule files now function with SAP BusinessObjects and SAP PowerBuilder analysis results.
Some changes have been made to the structure of the Dashboard and Analysis Service schemas to reduce the potential size of the Dashboard Service schema tables DSS_LINKS and DSS_LINK_INFO:
Note that these changes mean that the following Dashboards and RestAPI deployments must be used with CAST AIP 8.3.16 schemas:
Data (links with IDs from 11000 to 11006) related to CAST Transaction Configuration Center data functions and transactions that was previously stored in these two tables will now be stored in a new table called FP_LINK_INFO. This table now contains all object details of transactions/data functions. It has exactly the same structure as DSS_LINK_INFO:
If you have custom scripts that fetch data from any of the existing tables, please ensure that you update these scripts yourself.
MAINFRAME new feature.
From 8.3.16, Mainframe analyzer support the publisher/subsrcirber mode and point to point mode for IBM MQSeries.
Two type implementation:
Point to Point: MOVE MQOT-Q TO MQOD-OBJECTTYPE:
In point-to-point, message producers are called senders and message consumers are calledreceivers. Senders produce messages to a queue, and receivers asynchronously consume messages from that queue.
For point-to-point to work, connected applications need to know the name of the queue through which they interact.
A queue could have a single receiver or be scaled to many, in which case each message is only consumed by one receiver, distributing the workload across them all.
This style of messaging is built around the concept of message queues, and around the processing of messages by a single consumer.
Publisher/Subscriber MOVE MQOT-TOPIC-Q TO MQOD-OBJECTTYPE:
The producer of a message is known as a publisher, and message consumers are known as subscribers. The publishing and subscribing applications within the infrastructure agree on the name of a topic. For a consumer to signal that they want to receive messages on that topic, they create a subscription to it.
Any message published to a topic will be delivered to all the subscriptions, so every subscriber gets a copy. There could be many publishers and many subscribers to each topic, MQ handles the delivery of messages between all of them.
Publisher a topic:
Subscriber a topic
01 SUB-DESCRIPTOR. COPY CMQSDV. ADD MQSO-CREATE MQSO-MANAGED MQSO-FAIL-IF-QUIESCING GIVING MQSD-OPTIONS. MOVE ‘Vegetal/Meal’ TO TARGET-TOPIC. SET MQSD-OBJECTSTRING-VSPTR TO ADDRESS OF TARGET-TOPIC. MOVE 18 TO MQSD-OBJECTSTRING-VSLENGTH. ... CALL 'MQSUB' USING HCONN, SUB-DESCRIPTOR, Q-HANDLE, SUB-HANDLE, MQCC, REASON. CALL 'MQGET' USING HCONN, Q-HANDLE, MESSAGE-DESCRIPTOR, GMOPTIONS, BUFFER-LENGTH, BUFFER, DATA-LENGTH, MQCC, REASON.
Result in enlighten:
The link is created by WebServiceLinker from 1.6.8-funcrel.