...
This rule has been updated to raise a violation when the use of Triple DES (3DES or TDES) is detected (previously the use of Triple DES did not raise a violation). Therefore, after an upgrade to CAST AIP 8.3.16 and the generation of a post-upgrade consistency snapshot on unchanged source code, results may change. You may have violations where previously there were none.
AIPCORE-571 - False violations on JEE source code
Various false violations have been discovered in User Input Security-related rules, therefore the following changes have been made to reduce the number of false violations:
- java.util.Scanner is no longer considered an input method
- Some constructors of types with "Exception" in their name were incorrectly blackboxed with target "file" (the constructor only carries a message and opens no file), so the blackboxing has been improved. Examples of the incorrect blackboxes:
  - Blackbox on the fly: [classpath]java.io.IOException.+ctor(ref [classpath]java.lang.String) with target file
  - Blackbox on the fly: [classpath]java.io.FileNotFoundException.+ctor() with target file
  - Blackbox on the fly: [mscorlib]System.IO.FileNotFoundException.+ctor([mscorlib]System.String) with target file
  - Blackbox on the fly: [mscorlib]System.IO.DirectoryNotFoundException.+ctor([mscorlib]System.String) with target file
- The definition of class java.io.ObjectInputStream was missing; this has now been corrected
- The target web (XSS) for the javax.servlet.http.HttpServletResponse.sendError method was missing; this has now been corrected
Therefore, after an upgrade to CAST AIP 8.3.16 and the generation of a post-upgrade consistency snapshot on unchanged source code, results may change. You may no longer have violations where previously violations existed.
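To make the blackbox and sink changes above concrete, the following Java servlet is an added illustration (not code from CAST or from these release notes) of the call sites each change affects: an exception constructor that merely carries user input (no file access, so no longer a "file" target), a real file open that does reach a file target, and a sendError message that is a web (XSS) sink, shown beside a hardened form. The class name, parameter name and base directory are assumptions.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet used only to show which call sites the updated
// User Input Security rules should, and should not, report.
public class ReportServlet extends HttpServlet {
    private static final File BASE_DIR = new File("/var/reports"); // assumed location

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String name = req.getParameter("name"); // user input source

        try (InputStream in = open(name)) {
            in.transferTo(resp.getOutputStream());
        } catch (FileNotFoundException e) {
            // Reflecting 'name' into the sendError message is a web (XSS) sink:
            // many containers render that message inside an HTML error page.
            //   resp.sendError(HttpServletResponse.SC_NOT_FOUND, "No report: " + name); // reported
            // Hardened form: constant message to the client, detail only in the server log.
            log("report not found: " + name);
            resp.sendError(HttpServletResponse.SC_NOT_FOUND, "Report not found");
        }
    }

    private static InputStream open(String name) throws IOException {
        File f = new File(BASE_DIR, name);
        // Confine the resolved path to BASE_DIR before any file access.
        String base = BASE_DIR.getCanonicalPath() + File.separator;
        if (!f.getCanonicalPath().startsWith(base)) {
            // The exception constructor only carries a message and opens nothing,
            // so it is no longer blackboxed as a "file" target (the false positive above).
            throw new FileNotFoundException("Rejected report name: " + name);
        }
        // Real file sink: user input reaches a file open, so this call is still reported
        // when 'name' is not validated.
        return new FileInputStream(f);
    }
}
```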
Other impacts of changes made in CAST AIP 8.3.16
...