Summary: CAST AIP 8.3.26 introduces a number of features and changes as listed below. To view the impacts of these changes on analysis results, see: Changes in results post upgrade
Analyzer as an extension
The Mainframe Analyzer has been externalised as an extension to give the feature more flexibility for future development.
- IMS Transactions are now automatically considered part of "Standard Entry Point - IMS - Unknown (GS)"
- CICS Transactions called from Java methods and Java constructors are no longer considered part of "Standard End Point - CICS - Transactions called by Java (GS)"
- An error has been fixed where the opposite was true in previous releases:
- IMS FilePrototype objects are now considered part of "Standard End Point - IMS - GSAM - Not delivered"
- IMS AnalyzedFile objects are now considered part of "Standard Data Entity - GSAM"
See also Changes in results post upgrade - 8.3.26.
Name of unresolved MQ publisher/subscriber objects has been changed to avoid false links
In previous releases of AIP, unresolved queue names led to the creation of Publisher/Subscriber objects with the same name, Unresolved:MQP2P. As a result, many false links were created, skewing results. In CAST AIP 8.3.26, the name of the unresolved object has been changed from Unresolved:MQP2P to UnknownMQ:<COBOL_Parent_PROGRAM>. The new name identifies the Cobol program publishing/subscribing to the message and will reduce the number of false links. See also Changes in results post upgrade - 8.3.26.
Update to ensure JCL SQL Query objects are created correctly
A change has been implemented to ensure that JCL SQL Query objects are created correctly when the DSNTIAUL program is used. See also Changes in results post upgrade - 8.3.26.
User Input Security
- User Input Security now supports the framework Microsoft.Practices.EnterpriseLibrary, including the sanitization of this framework. See also Changes in results post upgrade - 8.3.26.
- User Input Security now supports the framework apache-httpcomponents-httpclient, including the sanitization of this framework. Note that this framework was previously supported through a User Community extension: https://github.com/CAST-Extend/com.castsoftware.uc.apache.httpclient.blackboxes - this extension is no longer required if you are using AIP ≥ 8.3.26.
- User Input Security now detects violations for the rule Avoid use of a reversible one-way hash in .NET source code. Previously, only JEE source code was supported. See also Changes in results post upgrade - 8.3.26.
The following new rules have been implemented:
|Rule ID||CWE ID||Rule name||Input name||Target name||.NET support||JEE support|
|8518||400||Regular expression injection||Network.read||Regexp.write||Partial||NO|
Regular expression injection (second order)
|8522||400||Regular expression injection through API||Network.readAPI||Regexp.write||Partial||NO|
CAST Transaction Configuration Center
Improved accuracy of AETP values
In order to provide greater accuracy, the calculation of AETP values has been modified in this release. Previously, all added/deleted/updated AETP detail values between 0 and 1 were calculated with no decimal places, effectively giving the impression in some circumstances (when all added/deleted/updated values were below 1) that total AETP = 0. This behaviour has been changed, and AETP detail values are now considered to two decimal places for added/deleted/updated. In addition, AETP total values will now be rounded up as follows:
|Real value||New rounded up value|