Impacts of changes made in CAST AIP 8.3.16 on Quality Model results post upgrade

Mainframe

MAINFRAME-283 - Prefer using indexes instead of subscripts - 8142

A bug has been discovered which is causing false positive violations of this rule (when indexes are used, violations are still reported). This bug has now been fixed, therefore, after an upgrade to CAST AIP 8.3.16 and the generation of a post-upgrade consistency snapshot on unchanged source code, results may change: less false positives, more accuracy.

MAINFRAME-251 - Avoid OPEN/CLOSE inside loops - 7218

A bug has been discovered which is causing false positive violations of this rule (a false link between two objects). This bug has now been fixed, therefore, after an upgrade to CAST AIP 8.3.16 and the generation of a post-upgrade consistency snapshot on unchanged source code, results may change: less false positives, more accuracy.

MAINFRAME-314 - Avoid unreferenced Sections and Paragraphs - 7290

A bug has been discovered which is causing false positive violations of this rule (incorrect handling of the syntax FETCH / END-FETCH). This bug has now been fixed, therefore, after an upgrade to CAST AIP 8.3.16 and the generation of a post-upgrade consistency snapshot on unchanged source code, results may change: less false positives, more accuracy.

MAINFRAME-300 - Never truncate data in MOVE statements - 7688

A bug has been discovered which is causing false positive violations of this rule when the variables have subordinate items and the comparison is based on a block. This bug has now been fixed, therefore, after an upgrade to CAST AIP 8.3.16 and the generation of a post-upgrade consistency snapshot on unchanged source code, results may change: less false positives, more accuracy.

MAINFRAME-252 - Avoid unchecked return code (SQLCODE) after EXEC SQL query - 7690

A bug has been discovered which is causing false positive violations of this rule when SQLCODE is checked outside perform statement of a paragraph. This bug has now been fixed, therefore, after an upgrade to CAST AIP 8.3.16 and the generation of a post-upgrade consistency snapshot on unchanged source code, results may change: less false positives, more accuracy.

SAP / ABAP

SAP-172 - "CX_ROOT" should not be used in TRY .. CATCH.. ENDTRY block (8412)

The parent technical criterion for this rule was incorrectly set to 61020: Programming Practices - Modularity and OO Encapsulation Conformity, and this has now been changed to 61014: Programming Practices - Error and Exception Handling. Therefore, after an upgrade to CAST AIP 8.3.16 and the generation of a post-upgrade consistency snapshot on unchanged source code, results may change. Grades for the new and previous parent technical criteria and Health Factors will change.

Multiple changes

Disabled rules

The following rules have been disabled in CAST AIP 8.3.16, therefore after upgrade to this release and the generation of a post upgrade consistency snapshot on unchanged source code, results may differ:

• Avoid using literals in assignments (hardcoded values) (7522)
• Avoid "SELECT *" queries (7344)

Bug correction

Various bugs have been fixed in this release, therefore after upgrade to this release and the generation of a post upgrade consistency snapshot on unchanged source code, results may differ:

CATCH SYSTEM-EXCEPTIONS.

ENDCATCH.

DATA d TYPE char22 VALUE 'c:/mypath'.

User Input Security related

AIPCORE-571 - Avoid HTTP response splitting - 7740

This rule has been updated to add specific sanitization targets for both .NET and JEE. The following are now take into account, therefore, after an upgrade to CAST AIP 8.3.16 and the generation of a post-upgrade consistency snapshot on unchanged source code, results may change. You may have violations where previously there were none.

.NET

• System.Net.HttpListenerResponse.AddHeader([mscorlib]System.String,[mscorlib]System.String) // Arg 2
• System.Web.HttpResponseBase.AddHeader([mscorlib]System.String,[mscorlib]System.String) // Arg 2
• System.Web.HttpResponse.AddHeader([mscorlib]System.String,[mscorlib]System.String) // Arg 2
• System.Web.HttpCookieCollection.Add(System.Web.HttpCookie) // Arg 1
• System.Web.HttpCookieCollection.Set(System.Web.HttpCookie) // Arg 1

Java

• javax.servlet.http.HttpServletResponse.addCookie(javax.servlet.http.Cookie) // Arg 1
• javax.servlet.http.HttpServletResponse.addHeader([ext]java.lang.String,[ext]java.lang.String) // Arg 2
• javax.servlet.http.HttpServletResponse.setHeader([ext]java.lang.String,[ext]java.lang.String) // Arg 2
• org.apache.http.impl.client.BasicCookieStore.addCookie(org.apache.http.cookie.Cookie) // Arg 1
• org.apache.http.client.CookieStore.addCookie(org.apache.http.cookie.Cookie) // Arg 1
• javax.servlet.http.HttpServletResponseWrapper.setHeader([ext]java.lang.String,[ext]java.lang.String) // Arg 2
• javax.servlet.http.HttpServletResponseWrapper.addHeader([ext]java.lang.String,[ext]java.lang.String) // Arg 2

AIPCORE-873 - Avoid NoSql injection - 8418

This rule existed for .NET technologies, however there was no support for JEE. This has now been fixed and therefore, after an upgrade to CAST AIP 8.3.16 and the generation of a post-upgrade consistency snapshot on unchanged source code, results may change if you have JEE / NoSQL source code. You may have violations where previously there were none.

AIPCORE-875 - Avoid log forging vulnerabilities - 8044

This rule has been updated to take into account the following targets in the namespace System.Diagnostics.Debug, methods:

• Write
• WriteIf
• WriteLineIf

Therefore, after an upgrade to CAST AIP 8.3.16 and the generation of a post-upgrade consistency snapshot on unchanged source code, results may change. You may have violations where previously there were none.

Other impacts of changes made in CAST AIP 8.3.16

Oracle PL/SQL (embedded analyzer)

A change has been made to the way in which the analyzer handles the XMLROOT syntax (use of an "identifier" instead of "VERSION"). As a result of this change, after an upgrade to CAST AIP ≥ 8.3.16 and the generation of a post upgrade consistency snapshot on unchanged source code, you should expect many Oracle PL/SQL objects to be marked as modified.

Mainframe

MAINFRAME-254 - MOVE PROGRAM-ID ... TO ... syntax

A bug has been discovered which is causing the creation of an incorrect Cobol program object called "TO" for the "MOVE PROGRAM-ID ... TO ..." syntax found in cobybook files. This bug has now been fixed (the syntax is correctly handled) therefore, as a result of this change, after an upgrade to CAST AIP ≥ 8.3.16 and the generation of a post upgrade consistency snapshot on unchanged source code, results may change - less invalid objects providing more accuracy.

MAINFRAME-248 - Cobol Transaction objects

When running a Mainframe analysis, Cobol Transaction objects may be created with object names that contain only special characters such as * or /. This is due to the way the Inference Engine functions. A fix has been provided to avoid creating objects via the Inference Engine which contain only special characters (in other words, objects must contain at least one alphabetical character), therefore, as a result of this change, after an upgrade to CAST AIP ≥ 8.3.16 and the generation of a post upgrade consistency snapshot on unchanged source code, results may change - less invalid objects providing more accuracy.

MAINFRAME-298 - CICS Maps objects

A bug has been discovered which is causing the creation of CICS Maps objects as "unknown" and the same objects are created multiple times causing issues with link resolution. This bug has now been fixed therefore, as a result of this change, after an upgrade to CAST AIP ≥ 8.3.16 and the generation of a post upgrade consistency snapshot on unchanged source code, results may change - CICS Maps objects are handled correctly.