User Input Security
Rule documentation updates
The following changes have been applied to rule documentation (no impact on analysis results):
Avoid code injection
The Reference section has been updated to change the CWE reference from 78 to 94 and 95.
CAST Transaction Configuration Center
Change in behaviour when loading .TCCSetup configuration files (the automatic configuration refresh process)
Previously, when uploading a .TCCSetup file that already existed and whose package version differed from the package version already present in the Management schema, the following behaviour applied: each rule was loaded with the status active by default, except where the rule was present in the previous version, its definition was unchanged, and it had been manually deactivated by the user; in that case the rule was set to inactive as well.
From CAST AIP 8.3.23, this behaviour changes as follows (see also TCC - Working with standard configuration files (.TCCSetup)):
Each rule that was present in the previous version will be loaded with the same status as before, whether the definition of the rule is unchanged or has changed. In the latter case, a warning is logged to inform the user of the change, as in the example below, where the definitions of both an active Entry Point rule and a deactivated End Point rule have changed in a new version of the 'Base_HTML5' package:
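The two loading behaviours described above, modelled in Python as an added illustration (this is not CAST's code; the Rule class, its field names, the sample rule names and the assumption that a rule with no previous version defaults to active are all constructed for the example):

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """Hypothetical model of one rule in a .TCCSetup package (not CAST's format)."""
    name: str
    definition: str   # stand-in for the rule body; compared to decide "unchanged"
    active: bool

def load_before_8_3_23(previous, new_package):
    """Pre-8.3.23: every rule loads active, unless it existed before with an
    unchanged definition and the user had deactivated it. -> {name: active?}"""
    status = {}
    for rule in new_package:
        old = previous.get(rule.name)
        keep_inactive = old is not None and old.definition == rule.definition and not old.active
        status[rule.name] = not keep_inactive
    return status

def load_from_8_3_23(previous, new_package):
    """8.3.23+: a rule present before keeps its previous status whether or not its
    definition changed, and a changed definition is warned about. A rule with no
    previous version defaults to active (assumption, not stated in the release note).
    -> ({name: active?}, [warning strings])"""
    status, warnings = {}, []
    for rule in new_package:
        old = previous.get(rule.name)
        if old is None:
            status[rule.name] = True
            continue
        status[rule.name] = old.active
        if old.definition != rule.definition:
            state = "active" if old.active else "inactive"
            warnings.append(f"Rule '{rule.name}': definition changed, status kept {state}")
    return status, warnings

# Constructed sample data: the previous 'Base_HTML5' version as configured in the
# Management schema, and a new version in which two rule definitions have changed.
PREVIOUS = {r.name: r for r in [
    Rule("Entry Point: form handler", "def-v1", active=True),
    Rule("End Point: DOM sink", "def-v1", active=False),    # manually deactivated
    Rule("Unchanged rule", "def-v1", active=False),         # deactivated, not changed
]}
NEW_PACKAGE = [
    Rule("Entry Point: form handler", "def-v2", active=True),
    Rule("End Point: DOM sink", "def-v2", active=True),
    Rule("Unchanged rule", "def-v1", active=True),
]
```

Running both functions over the sample shows the practical difference: under the old behaviour the deactivated End Point rule was silently re-enabled because its definition changed, whereas from 8.3.23 it stays inactive and a warning is recorded.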