Summary: CAST AIP 8.3.26 introduces a number of features and changes as listed below. To view the impacts of these changes on analysis results, see: Changes in results post upgrade
Analyzer as an extension
The Mainframe Analyzer has been externalised as an extension to give the feature more flexibility for future development.
- The Mainframe Analyzer embedded in AIP Core will continue to exist and will be shipped "out of the box" with AIP Core.
- Critical bugs will continue to be fixed on the Mainframe Analyzer embedded in AIP Core but no new features or functionality will be added.
- The new Mainframe Analyzer extension will have exactly the same features and functionality on release as the Mainframe Analyzer embedded in AIP Core, therefore analysis results will be identical.
- The new Mainframe Analyzer is compatible with AIP Core ≥ 8.3.26.
- All future development of the Mainframe Analyzer (new features, functionality etc.) will be completed in the Mainframe Analyzer extension only. Critical bug fixes will be fixed in the Mainframe Analyzer extension (as well as the analyzer embedded in AIP Core).
- The behaviour is as follows:
  - Nothing is automatic: for both AIP Console and "legacy" CAST AIP deployments, the Mainframe Analyzer extension must be manually downloaded and installed in order to use it.
  - If the extension is installed, CAST AIP Console/CAST Management Studio will automatically detect that it exists and will use the extension rather than the analyzer embedded in AIP Core.
  - Once the extension has been installed and used to produce analysis results, it is not possible to reverse this choice by removing the extension and re-analyzing the source code again.
Updates to Base_Mainframe.TCCSetup for transaction configuration
- IMS Transactions are now automatically considered part of "Standard Entry Point - IMS - Unknown (GS)"
- CICS Transactions called from Java methods and Java constructors are no longer considered part of "Standard End Point - CICS - Transactions called by Java (GS)"
- An error has been fixed where the opposite was true in previous releases:
  - IMS FilePrototype objects are now considered part of "Standard End Point - IMS - GSAM - Not delivered"
  - IMS AnalyzedFile objects are now considered part of "Standard Data Entity - GSAM"
See also Changes in results post upgrade - 8.3.26.
Name of unresolved MQ publisher/subscriber objects has been changed to avoid false links
In previous releases of AIP, unresolved queue names led to the creation of Publisher/Subscriber objects that all had the same name, Unresolved:MQP2P. As a result, many false links were created, skewing results. In CAST AIP 8.3.26, the name of the unresolved object has been changed from Unresolved:MQP2P to UnknownMQ:<COBOL_Parent_PROGRAM>. The new name identifies the Cobol program publishing/subscribing to the message and will reduce the number of false links. See also Changes in results post upgrade - 8.3.26.
Update to ensure JCL SQL Query objects are created correctly
A change has been implemented to ensure that JCL SQL Query objects are created correctly when the DSNTIAUL program is used. See also Changes in results post upgrade - 8.3.26.
User Input Security
- User Input Security now supports the framework Microsoft.Practices.EnterpriseLibrary, including the sanitization of this framework. See also Changes in results post upgrade - 8.3.26.
- User Input Security now supports the framework apache-httpcomponents-httpclient, including the sanitization of this framework. Note that this framework was previously supported through a User Community extension: https://github.com/CAST-Extend/com.castsoftware.uc.apache.httpclient.blackboxes - this extension is no longer required if you are using AIP ≥ 8.3.26.
- User Input Security now detects violations for the rule Avoid use of a reversible one-way hash in .NET source code. Previously, only JEE source code was supported. See also Changes in results post upgrade - 8.3.26.
The following new rules have been implemented:
|Rule ID||CWE ID||Rule name||Input name||Target name||.NET support||JEE support|
|8518||400||Regular expression injection||Network.read||Regexp.write||Partial||NO|
Regular expression injection (second order)
|8522||400||Regular expression injection through API||Network.readAPI||Regexp.write||Partial||NO|
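An added C# example (not CAST's code and not taken from these release notes) of the data flow that rules 8518 and 8522 name, a value read from the network reaching a regular expression, shown next to a hardened form. The method names and sample strings are assumptions, and whether the analyzer treats `Regex.Escape` as a sanitizer is not stated on this page.

```csharp
using System;
using System.Text.RegularExpressions;

static class RegexInjectionExample
{
    // Flagged shape: a value read from the network reaches the Regex
    // constructor unchanged, so the caller controls the pattern.
    static bool ContainsUnsafe(string document, string termFromRequest)
    {
        return new Regex(termFromRequest).IsMatch(document);
    }

    // Hardened shape: the value is escaped so it can only match literally,
    // and a match timeout bounds the CPU time of any single evaluation.
    static bool ContainsSafe(string document, string termFromRequest)
    {
        var pattern = Regex.Escape(termFromRequest);
        var regex = new Regex(pattern, RegexOptions.CultureInvariant,
                              TimeSpan.FromMilliseconds(200));
        try
        {
            return regex.IsMatch(document);
        }
        catch (RegexMatchTimeoutException)
        {
            return false; // treat an over-budget match as "no match"
        }
    }

    static void Main()
    {
        const string document = "order abc shipped";   // constructed sample text
        string[] terms = { "abc", "a.c", "[" };        // constructed request values

        foreach (var term in terms)
        {
            string unsafeResult;
            try { unsafeResult = ContainsUnsafe(document, term).ToString(); }
            catch (ArgumentException) { unsafeResult = "pattern error"; }

            Console.WriteLine(
                $"{term,-4} unsafe={unsafeResult,-13} safe={ContainsSafe(document, term)}");
        }
    }
}
```

The term `a.c` matches `abc` in the unsafe version because the dot is interpreted as a metacharacter, and `[` raises a parse error. The hardened version treats both as literal text.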
CAST Transaction Configuration Center
Improved accuracy of AETP values
In order to provide greater accuracy, the calculation of AETP values has been modified in this release. Previously, all added/deleted/updated AETP detail values between 0 and 1 were calculated with no decimal places, effectively giving the impression in some circumstances (when all added/deleted/updated values were below 1) that total AETP = 0. This behaviour has been changed and AETP detail values are now considered to two decimal places for added/deleted/updated. In addition AETP total values will now be rounded up as follows:
|Real value||New rounded up value|