Target audience: CAST AI Administrator
...
Impacts of changes made in CAST AIP 8.3.16 on Quality Model results post upgrade
.NET
Various rules
The following multi-techno rules have been disabled in 8.3.16 specifically and only for .NET technology and will no longer be triggered during an analysis. These rules often generated a large amount of false positive violations. As a result of this change, results may be impacted - no violations will be triggered for any of these rules, therefore potentially impacting grades and existing results:
- Avoid unreferenced Classes - 7832
- Avoid unreferenced Data Members - 7912
- Avoid unreferenced Methods - 7908
Mainframe
MAINFRAME-283 - Prefer using indexes instead of subscripts - 8142
...
This rule has been updated to add specific target methods for both .NET and JEE. The methods listed below are now taken into account; therefore, after an upgrade to CAST AIP 8.3.16 and the generation of a post-upgrade consistency snapshot on unchanged source code, results may change. You may have violations where previously there were none.
.NET
- System.Net.HttpListenerResponse.AddHeader([mscorlib]System.String,[mscorlib]System.String) // Arg 2
- System.Web.HttpResponseBase.AddHeader([mscorlib]System.String,[mscorlib]System.String) // Arg 2
- System.Web.HttpResponse.AddHeader([mscorlib]System.String,[mscorlib]System.String) // Arg 2
- System.Web.HttpCookieCollection.Add(System.Web.HttpCookie) // Arg 1
- System.Web.HttpCookieCollection.Set(System.Web.HttpCookie) // Arg 1
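The signatures above follow a fixed notation: the fully qualified method, its parameter types, and the 1-based index of the argument the rule inspects ("Arg N"). The following is an added example (not CAST's code) that parses that notation and matches it against constructed call records of the form (declaring type, method, per-argument taint flags), to make the "Arg N" semantics concrete; the call-record format is an assumption for illustration.

```python
import re
from dataclasses import dataclass

# One sink per line, in the notation used in the list above:
#   Owner.Type.Method(param types) // Arg N      (N is 1-based)
SINK_RE = re.compile(
    r"^(?P<owner>[\w.]+)\.(?P<method>\w+)\((?P<params>[^)]*)\)\s*//\s*Arg\s+(?P<arg>\d+)\s*$"
)

@dataclass(frozen=True)
class Sink:
    owner: str        # declaring type, e.g. System.Web.HttpResponse
    method: str       # e.g. AddHeader
    params: tuple     # parameter types, assembly prefixes kept as written
    tainted_arg: int  # 1-based index of the argument the rule inspects

def parse_sink(line: str) -> Sink:
    m = SINK_RE.match(line.strip().lstrip("- "))
    if not m:
        raise ValueError(f"not a sink signature: {line!r}")
    params = tuple(p.strip() for p in m["params"].split(",") if p.strip())
    return Sink(m["owner"], m["method"], params, int(m["arg"]))

def parse_sinks(text: str) -> list:
    return [parse_sink(l) for l in text.splitlines() if l.strip()]

# The five .NET signatures from the list above, copied verbatim.
DOTNET_SINKS = parse_sinks("""
- System.Net.HttpListenerResponse.AddHeader([mscorlib]System.String,[mscorlib]System.String) // Arg 2
- System.Web.HttpResponseBase.AddHeader([mscorlib]System.String,[mscorlib]System.String) // Arg 2
- System.Web.HttpResponse.AddHeader([mscorlib]System.String,[mscorlib]System.String) // Arg 2
- System.Web.HttpCookieCollection.Add(System.Web.HttpCookie) // Arg 1
- System.Web.HttpCookieCollection.Set(System.Web.HttpCookie) // Arg 1
""")

# Constructed call records (hypothetical format): (owner, method, [is_tainted per argument]).
SAMPLE_CALLS = [
    ("System.Web.HttpResponse", "AddHeader", [False, True]),  # untrusted header value
    ("System.Web.HttpResponse", "AddHeader", [True, False]),  # only the name is tainted: not Arg 2
    ("System.Web.HttpCookieCollection", "Add", [True]),       # untrusted cookie object
    ("System.Web.HttpResponse", "Write", [True]),             # not one of the listed sinks
]

def find_violations(sinks: list, calls: list) -> list:
    """Report calls whose argument at the sink's 'Arg N' position is tainted."""
    index = {(s.owner, s.method, len(s.params)): s for s in sinks}
    hits = []
    for owner, method, taint in calls:
        s = index.get((owner, method, len(taint)))
        if s and taint[s.tainted_arg - 1]:
            hits.append(f"{owner}.{method} arg {s.tainted_arg}")
    return hits
```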
...
This rule has been updated to raise a violation when the use of Triple DES (3DES or TDES) is detected (previously the use of Triple DES would not raise a violation). Therefore, after an upgrade to CAST AIP 8.3.16 and the generation of a post-upgrade consistency snapshot on unchanged source code, results may change. You may have violations where previously there were none.
AIPCORE-93 - Avoid hard-coded credentials - 8222
Improvements have been made to the detection of signatures for the DBCP and SSH libraries' sendcredential methods. Therefore, after an upgrade to CAST AIP 8.3.16 and the generation of a post-upgrade consistency snapshot on unchanged source code, results may change. You may have violations where previously there were none.
AIPCORE-777 - Total number of violations is higher than the total number of checks for certain rules
A bug has been discovered that is causing the values for Total Checks and Number of Violations to be erroneous (the total Number of Violations is higher than the total number of checks performed, which then generated an erroneous Compliance value) for the following User Input Security related rules:
- Avoid using insufficient random values for cookies - 8242
- Avoid weak cryptographic algorithm - 8414
- Avoid use of a reversible one-way hash - 8416
- Avoid using hard-coded HMAC keys - 8424
This bug has now been fixed; therefore, after an upgrade to CAST AIP 8.3.16 and the generation of a post-upgrade consistency snapshot on unchanged source code, results may change. The Number of Violations should now be equal to or less than the Total Checks, generating a coherent Compliance value.
AIPCORE-571 - False violations on JEE source code
...
- java.util.Scanner is no longer considered as an input method
Some constructors of types with Exception in their name were incorrectly blackboxed as target "files"; improvements have been made to correct this. Examples:
- Blackbox on the fly: [classpath]java.io.IOException.+ctor(ref [classpath]java.lang.String) with target file
- Blackbox on the fly: [classpath]java.io.FileNotFoundException.+ctor() with target file
- Blackbox on the fly: [mscorlib]System.IO.FileNotFoundException.+ctor([mscorlib]System.String) with target file
- Blackbox on the fly: [mscorlib]System.IO.DirectoryNotFoundException.+ctor([mscorlib]System.String) with target file
- The definition of class java.io.ObjectInputStream was missing and this has now been corrected
- The target web (XSS) for the javax.servlet.http.HttpServletResponse.sendError class was missing and this has now been corrected
...