Summary: CAST AIP 8.3.26 introduces a number of features and changes as listed below. To view the impacts of these changes on analysis results, see: Changes in results post upgrade
Analyzer as an extension
The Mainframe Analyzer has been externalised as an extension to give the feature more flexibility for future development.
A change has been implemented to ensure that JCL SQL Query objects are created correctly when the DSNTIAUL program is used. See also Changes in results post upgrade - 8.3.26.
User Input Security
- User Input Security now supports the framework Microsoft.Practices.EnterpriseLibrary, including the sanitization of this framework. See also Changes in results post upgrade - 8.3.26.
- User Input Security now supports the framework apache-httpcomponents-httpclient, including the sanitization of this framework. Note that this framework was previously supported through a User Community extension: https://github.com/CAST-Extend/com.castsoftware.uc.apache.httpclient.blackboxes - this extension is no longer required if you are using AIP ≥ 8.3.26.
- User Input Security now detects violations for the rule Avoid use of a reversible one-way hash in .NET source code. Previously, only JEE source code was supported. See also Changes in results post upgrade - 8.3.26.
The following new rules have been implemented:
| Rule ID | CWE ID | Rule name | Input name | Target name | .NET support | JEE support |
|---|---|---|---|---|---|---|
| 8518 | 400 | Regular expression injection | Network.read | Regexp.write | Partial | NO |
| | | Regular expression injection (second order) | | | | |
| 8522 | 400 | Regular expression injection through API | Network.readAPI | Regexp.write | Partial | NO |
CAST Transaction Configuration Center