Summary: CAST AIP 8.3.26 introduces a number of features and changes as listed below. To view the impacts of these changes on analysis results, see: Changes in results post upgrade
Mainframe Analyzer
Analyzer as an extension
The Mainframe Analyzer has been externalised as an extension to give the feature more flexibility for future development.
...
- IMS Transactions are now automatically considered part of "Standard Entry Point - IMS - Unknown (GS)"
- CICS Transactions called from Java methods and Java constructors are no longer considered part of "Standard End Point - CICS - Transactions called by Java (GS)"
- An error has been fixed where the opposite was true in previous releases:
  - IMS FilePrototype objects are now considered part of "Standard End Point - IMS - GSAM - Not delivered"
  - IMS AnalyzedFile objects are now considered part of "Standard Data Entity - GSAM"
See also Changes in results post upgrade - 8.3.26.
Name of unresolved MQ publisher/subscriber objects has been changed to avoid false links
In previous releases of AIP, unresolved queue names led to the creation of Publisher/Subscriber objects that all had the same name, Unresolved:MQP2P. As a result, many false links were created, skewing results. In CAST AIP 8.3.26, the name of the unresolved object has been changed from Unresolved:MQP2P to UnknownMQ:<COBOL_Parent_PROGRAM>. This identifies the Cobol program name publishing/subscribing to the message and will reduce the number of false links. See also Changes in results post upgrade - 8.3.26.
Update to ensure JCL SQL Query objects are created correctly
A change has been implemented to ensure that JCL SQL Query objects are created correctly when the DSNTIAUL program is used. See also Changes in results post upgrade - 8.3.26.
User Input Security
Updates
- User Input Security now supports the framework Microsoft.Practices.EnterpriseLibrary, including the sanitization of this framework. See also Changes in results post upgrade - 8.3.26.
- User Input Security now supports the framework apache-httpcomponents-httpclient, including the sanitization of this framework. Note that this framework was previously supported through a User Community extension: https://github.com/CAST-Extend/com.castsoftware.uc.apache.httpclient.blackboxes - this extension is no longer required if you are using AIP ≥ 8.3.26.
- User Input Security now detects violations for the rule Avoid use of a reversible one-way hash in .NET source code. Previously, only JEE source code was supported. See also Changes in results post upgrade - 8.3.26.
New rules
The following new rules have been implemented:
Rule ID | CWE ID | Rule name | Input name | Target name | .NET support | JEE support |
---|---|---|---|---|---|---|
8518 | 400 | Regular expression injection | Network.read | Regexp.write | Partial | NO |
8520 | 400 | Regular expression injection (second order) | Network.readDatabase | Regexp.write | Partial | NO |
8522 | 400 | Regular expression injection through API | Network.readAPI | Regexp.write | Partial | NO |
CAST Transaction Configuration Center
Improved accuracy of AETP values
In order to provide greater accuracy, the calculation of AETP values has been modified in this release. Previously, all added/deleted/updated AETP detail values between 0 and 1 were calculated with no decimal places, effectively giving the impression in some circumstances (when all added/deleted/updated values were below 1) that total AETP = 0. This behaviour has been changed and AETP detail values are now considered to two decimal places for added/deleted/updated. In addition, AETP total values will now be rounded up as follows:
Real value | New rounded up value |
---|---|
0 | 0 |
0.8 | 1 |
0.5 | 1 |
0.2 | 1 |
1 | 1 |
1.8 | 2 |
1.5 | 2 |
1.2 | 2 |
These results can be seen in the TCC - Enhancement node - Right hand panel. See also Changes in results post upgrade - 8.3.26.