Summary: CAST AIP 8.3.26 introduces a number of features and changes as listed below. To view the impacts of these changes on analysis results, see: Changes in results post upgrade
Mainframe Analyzer
Analyzer as an extension
The Mainframe Analyzer has been externalised as an extension to give the feature more flexibility for future development.
...
A change has been implemented to ensure that JCL SQL Query objects are created correctly when the DSNTIAUL program is used. See also Changes in results post upgrade - 8.3.26.
User Input Security
Updates
- User Input Security now supports the framework Microsoft.Practices.EnterpriseLibrary, including the sanitization of this framework. See also Changes in results post upgrade - 8.3.26.
- User Input Security now supports the framework apache-httpcomponents-httpclient, including the sanitization of this framework. Note that this framework was previously supported through a User Community extension: https://github.com/CAST-Extend/com.castsoftware.uc.apache.httpclient.blackboxes - this extension is no longer required if you are using AIP ≥ 8.3.26.
- User Input Security now detects violations for the rule Avoid use of a reversible one-way hash in .NET source code. Previously, only JEE source code was supported. See also Changes in results post upgrade - 8.3.26.
New rules
The following new rules have been implemented:
Rule ID | CWE ID | Rule name | Input name | Target name | .NET support | JEE support |
---|---|---|---|---|---|---|
8518 | 400 | Regular expression injection | Network.read | Regexp.write | Partial | NO |
8520 | 400 | Regular expression injection (second order) | Network.readDatabase | Regexp.write | Partial | NO |
8522 | 400 | Regular expression injection through API | Network.readAPI | Regexp.write | Partial | NO |
CAST Transaction Configuration Center
...