CAST takes security seriously; this section therefore provides detailed information about all known security vulnerabilities present in CAST AIP. If you think you have found a vulnerability that is not listed on this page, please contact us.

| Currently impacted CAST software/versions |
|---|
| Zorba 1.4 (CAST AIP 7.3.x, 8.0.x, 8.1.x, 8.2.x) |

There is currently no standalone patch available for the Heartbleed-vulnerable DLLs present in Zorba 1.4.

This page lists all known issues in CAST AIP 8.2.0. There are 45 issues in the list. Note that the "Internal ID" column is used only as an internal reference ID.
| Technology | Component/s | Situation | Symptoms | Workaround | Affected Version/s | Internal ID |
|---|---|---|---|---|---|---|
| C, C++, JEE - Java, Mainframe - Cobol, Mainframe - JCL | | Loading the CED page "Investigation - Application Drilldown" multiple times before the results are displayed. | Depending on application size, it can take time to display results; if you reload the page in the meantime, a dashboard job that inserts data into the database is duplicated. As a result, the page shows duplicated information for "number of violated rules", "number of objects with violations" and "number of violations". | Do not reload the page until it displays results. | 8.2.0 | SCRAIP-21320 |
| All Technologies | | On AAD, when loading the AEP detailed page. | If multiple snapshots have been calculated on the same day (only the hour differs) as functional date, loading the AEP results for any of these snapshots loads the results of the last snapshot. | Do not calculate snapshots with the same functional date (snapshots should be at least one day apart). | 8.2.0 | SCRAIP-21391 |
| N/A | Application Engineering Dashboard (AED) | Analyzing a JEE application where a module is shared between several analysis units of the application and the shared modules are in violation. | The information displayed for quality rule "Avoid cyclical calls and inheritances between packages" is inconsistent. For instance:<br>- the grade is shown as evolving while no violation is added;<br>- the number of objects in violation is inconsistent with the number of failed checks.<br>Violations are not counted consistently, resulting in the issues listed above. | | | |
| N/A | | Using Servman on Windows 10. | Opening any of the menus of the main window and typing any key crashes the application. It can also happen when the key is typed outside the window (for example after a Win+R). | None; restart Servman. | 8.2.0 | SCRAIP-22429 |
| .NET - C# | | For some applications, the quality rule 'Avoid unreferenced classes' can miss some of the violations. | Some of the violations cannot be found for this quality rule. | | 8.2.0 | SCRAIP-22443 |
| .NET - C# | | In some cases the quality rule 'Avoid Classes with a High Lack of Cohesion' can find false violations. | False violations are reported for the quality rule 'Avoid Classes with a High Lack of Cohesion'. | | 8.2.0 | SCRAIP-22438 |
| N/A | | Upgrading a .NET application from CAST 7.3.5 to CAST AIP 8.2.0. | Some GUIDs can be duplicated and the upgrade fails. | | 8.2.0 | SCRAIP-22441 |
| N/A | | Any analysis where the Module configuration does not use the "Full content module" option. | The execution report, available in CMS at the end of the snapshot procedure, indicates one extra module compared to what is configured and displayed elsewhere in the product (Modules tab in CMS, Dashboard). | None. This is a pure display bug, with no consequence on the results. | 8.1.0 | SCRAIP-18678 |
| All Technologies | CAST Engineering Dashboard | Issue identified in AED in the Quality Model drill-down view when listing quality rules for a technical criterion. | A non-critical quality rule shows a number of violations in the "critical violations" column. This is because the quality rule is linked to one technical criterion as critical and to another technical criterion as non-critical. | | | |
| JEE - Java | JEE Application analysis | | Some violations of quality rule "Good use of Interfaces with collections as Method return types" (4578) are not reported. | | 8.1.0 | SCRAIP-18236 |
| Mainframe - Cobol, Mainframe - JCL | | Looking at AFP counts, or Transactions, for an application containing objects of type "JCL Job", "VB Form" or "Oracle Forms Module" (the three types for which this bug has been reported to our knowledge). | Without any code change, some Transactions suddenly appear and/or others disappear; consequently, the AFP value (or number of Transactions) can increase or decrease.<br>If such a phenomenon is observed, you can check whether it may be caused by this bug as follows:<br>- open the TCC;<br>- go to the "Transaction entry points - by type" setup panel of the affected application;<br>- sort entry point types by Description;<br>- for each group of types having an identical description, run the "Generate set" contextual menu command. If at least one of the generated sets shows a non-empty list of objects, this bug may have occurred, hence the extra and/or missing Transactions and the larger/smaller Function Point counts for the application. | 1. Perform the following steps in the TCC:<br>- go to the "Transaction entry points - by type" setup panel of the affected application;<br>- sort entry point types by Description;<br>- for every group of types having an identical description, rename each so that all Description strings in the group are different.<br>2. Save changes and ask the TCC to recompute the Function Points of the Application: if the expected Transactions are visible, the workaround has worked. | | |
| .NET - ASP.NET, .NET - C#, .NET - VB.NET | | Running the first analysis of an application just after upgrading from a version older than 8.0.0. | The CMS verification view shows an error similar to "[Object ID] :Code xxx does not correspond to an active type". This comes from the fact that some object types linked to the legacy VB.NET analyzer (version 7.3 and older) have no exact matching type in recent versions. They are left in the configuration as is, but are considered invalid. This happens most often for an application that uses C# or VB.NET, but these types may be used (by mistake) in any application. | The objects indicated in the error (module definition, AU definition) must be edited in CMS, removing the legacy type and making them use the new types as applicable. | 8.0.0 | SCRAIP-13699 |
| .NET - C# | Transaction Configuration Center (TCC) | With the .NET technology, you can create a dependency link either directly between two projects, or between one project and an assembly generated by another project. In the second case, if you have several copies of the same DLL (possibly with different versions), you should always reference the same file in all projects. If several versions of the file (even identical, but in different paths) are selected, they conflict with each other. | Some objects and links may be missing from the analysis results (and therefore transactions may also be missing and the Function Point count may be incorrect), with no message about unresolved calls even when looking at the log in debug mode. | Before packaging the application with the Delivery Manager Tool, change the project files to ensure that only one file is referenced. You can do this in Visual Studio, or manually in the .csproj files. Alternatively, if you reference an assembly that is built by another project in your delivery, replace all assembly references to it with a project reference, which brings more benefits. | | |
| .NET - C# | CMS Snapshot/Analysis - Generate Modules | Re-analysis of an application where the execution split has been changed, that is, the grouping of analysis units into execution units has been updated, in order to work around memory issues or for any other reason. | In the Dashboard, some modules appear empty, or some objects are marked as deleted even though they exist in the code. When checking the module content in CAST Management Studio, the objects still appear. | There is no easy workaround for this problem. The data used to compute the final results of the analysis have been corrupted by the execution unit reorganization. Please get in touch with CAST Support, who will help you fix the problem. | | |
| JEE - JSP, N/A, SQL - PL/SQL, Universal | CAST Dashboard | When upgrading from CAST AIP 7.0.x to CAST AIP 7.3.x and looking at the dates listed for the current and previous snapshots in the CAST Engineering Dashboard. | A discrepancy is displayed in the dates if the snapshot generated at the end of the CAST migration process is deleted and re-generated. In this situation the current snapshot date is displayed correctly, but the previous snapshot date is incorrect and refers to an older snapshot. | | 7.3.4 | SCRAIP-7119 |
| N/A | CMS Snapshot/Analysis - Compute Snapshot | Two Applications (A and B) exist in the CAST Management Studio and objects in Application A have links to objects in Application B. To identify and save these links, a custom dependency is created between the two Applications. | When the "Take a snapshot of each Application" option is run for the first time after defining the dependency, no links between the two Applications are identified. | Re-run the "Take a snapshot of each Application" option to obtain the links between the two Applications. | 7.3.0 | SCRAIP-1539 |
| Oracle Forms | | The violations on diag 'Avoid having SQL code in Triggers named pre-record' disappear when there is no squirrel package in the version. | Missing violations on the diag 'Avoid having SQL code in Triggers named pre-record'. | | 7.3.0 | SCRAIP-3057 |
| .NET - ASP.NET | CAST Management Studio (CMS) | - Duplicate a csproj under a folder with a lot of .NET sources;<br>- in DMT, create a package containing the duplicated projects;<br>- analyze the duplicated projects in one way. | Performance issue in the merging phase of the analyzer. | Remove the duplicated sources to restore performance. | 7.3.0 | SCRAIP-2902 |
| N/A | CAST Update Tool (CUT) | Migrating from 7.2 to 7.3 using the CAST Update Tool (CUT), with a delivery folder shared among multiple Management Bases (MB), and with all MBs of the delivery folder ticked in CUT for update. | CUT incorrectly displays a "Confirmation" dialog box. The dialog box reads:<br>"You must select all MBs that manage applications within a delivery folder. Refer to the documentation.<br>Database(s) missing in folder `<delivery folder>`:<br>And `<n>` MBs not listed in the connection profiles.<br>Do you want to continue?<br>`<OK>` / `<Cancel>`" | Note: if ALL MBs have been ticked, the message is incorrectly displayed and can be safely ignored; proceed by clicking "OK". Migration will succeed. However, if some MBs have not been ticked, you MUST NOT proceed; make sure that you select all MBs first. | | |
| N/A | | Using CAST Management Studio or the Delivery Manager Tool on Windows 8 or 10 with a High Resolution Display. | Many text fields are not correctly displayed: the text is too big and only partially visible. | Change the display scaling factor back to 100%. CMS/DMT do not correctly handle the UI scaling introduced by Windows for High DPI screens. In Windows 10, right-click on the Desktop background and select "Display settings". In that window, move the "Change the size of text (...)" slider to 100%, even if it is not the recommended value. | | |
| N/A | | When using the CAST AIC Portal. | When you rename an Application in the CAST AIC Portal, the name change is not reflected when subsequently using the Delivery Manager Tool (the Application name has not been updated). | | 7.2.3 | SCRAIP-14968 |
| C++, SQL - PL/SQL | CMS Snapshot/Analysis | When generating a snapshot in the CAST Management Studio on one machine, with the CAST Storage Service installed on a different machine, and each machine showing a different time (or configured for a different time zone). | The capture date/time of the snapshot is not consistent between the CAST Management Studio and the CAST Storage Service. | | 7.2.0 | SCRAIP-949 |
| All Technologies | CAST Dashboard | Occurs on the CAST Engineering Dashboard, Investigation - Quality Model Drilldown view, when selecting a Distribution. | Depending on which Business Criterion the distribution is selected from, the list of objects selected for the distribution differs if some objects exist without any violations. If the distribution is selected through a Health Factor indicator, the objects are sorted by PRI, so only objects with violations are listed. If the distribution is selected through the TQI or Rules Compliance indicator, the objects are sorted by name and the list contains all objects, even those with no violations. There is no impact on the grade, which is the same everywhere. | | | |
| All Technologies | CAST Management Studio (CMS) | When synchronizing an Assessment Model on a Dashboard Service after a documentation update. | The synchronization fails with "Invalid language symbol 'English' in metric ID `<x>`". | Remove the 'English' translation of the default 'English' text for the indicators with External ID `<x>`. | 7.1.0 | SCRAIP-13532 |
| All Technologies | | When using the CAST Management Studio and editing an Analysis Unit that lets you include or exclude source files/folders (C/C++ for example). | If you add an exclusion/inclusion and then click the Cancel button, a blank entry is added to the list of exclusions and inclusions. | | 7.1.0 | SCRAIP-14969 |
| All Technologies | | When changing the path to the Deployment folder in the CAST Management Studio. | The help explanation displayed in the dialog box is truncated. | | 7.1.0 | SCRAIP-14970 |
| JEE - Java | | When using the CAST Delivery Manager Tool to create a remediation item. | On cancelling the remediation creation window, the remediation is added anyway. | | 7.1.0 | SCRAIP-14971 |
| SQL - PL/SQL | | When looking at the results of the "Avoid SQL queries with implicit conversions in the WHERE clause" Quality Rule. | No violations are flagged despite an implicit conversion being located in a WHERE clause. This is because cursor parameters are not resolved by the SQL Analyzer for Oracle, so any implicit conversion that involves a cursor parameter is ignored. | | | |
| All Technologies | | Running the analysis of an Application with the CAST-MS command line:<br>`CAST-MS-cli.exe RunAnalysis -connectionProfile myConnectString -deliveryUnit myDU -system mySystem -appli myApplication`<br>when there is no application "myApplication" in the Delivery Unit. | All applications are analyzed instead of only the one defined on the command line (myApplication). | Make sure the application defined on the command line exists in the Delivery Unit portfolio. | 7.0.9 | SCRAIP-14981 |
| SQL - T-SQL MS | | New User Defined Table types added after an initial analysis/snapshot are missing from the Analysis Service if they are not called by another SQL object. | You take a snapshot of a database that may contain User Defined Table types. You then add a new User Defined Table type and execute a second snapshot; when you check in CAST Enlighten whether this User Defined Table type exists, the object is missing. You then add a new procedure that calls this User Defined Table type and execute a third snapshot; when you check with Enlighten, the object now exists. If the User Defined Table type exists in the application before the first analysis/snapshot, it is saved; if not, it is saved in your Analysis Service only when it is referenced by another SQL object (e.g. by a stored procedure). | | | |
| All Technologies | CAST Dashboard | When selecting a Business Criterion in the Investigation view while working with Internet Explorer 7 or 8. | Selecting a Business Criterion will sometimes cause a different Business Criterion to be selected and updated. | Sort the Business Criterion column using the column header. | 7.0.7 | SCRAIP-13777 |
| JEE - JSP | | When analyzing source code that uses the Struts2 framework. | The Struts2 "ActionMapper" syntax is not supported. | | 7.0.7 | SCRAIP-15002 |
| ABAP | | When looking at the results of the "Avoid unchecked return code (SY-SUBRC) after OPEN SQL or READ statement" Quality Rule (no. 7520). | False positives (i.e. incorrectly reported violations) are reported when several violation patterns overlap on different IF blocks. | | 7.0.7 | SCRAIP-13739 |
| .NET - ASP.NET, ASP, JEE - JSP | | - Analyzing a JSP or ASP application.<br>- In a JSP or ASP file, the last Script tag used specifies a different script language than the previous tags. | - All Script tags used in the file are considered as being of the same language as the last Script tag found in the file.<br>- This can result in a syntax error during analysis when the same file contains scripts in different Script languages. | Modify the last Script tag in the file (text replacement): add at the end of the last tag used in the file the Script language different from the one used for this tag.<br>- the last tag in the page is in vbScript | | |
| | | - Viewing bookmarks in Enlighten's Code Viewer on PL/SQL objects.<br>- Select a link from a PL/SQL Object Type to any other PL/SQL object.<br>- Press F12 to see link bookmarks in the Code Viewer pane. | The following warning is displayed in Enlighten's Errors and Messages pane:<br>`Warning:Invalid position(object 204129) in bookmark (8,44) (8,60) :`<br>The bookmarks displayed in the Code Viewer pane do not correspond to the location of the reference in the code. Please note the '%20' notation that is used for the space character. | | | |
| JEE - EJB, JEE - Java, JEE - JDO, JEE - JSP, JEE - Web Services | | - JEE application using a Java Persistence API (JPA, e.g. Hibernate) and orm.xml for overloading.<br>- Check diagnostic 7508 "Collection-typed attributes getter must be defined with the right interface". | The list of Very High Risk Objects of diagnostic 7508 "Collection-typed attributes getter must be defined with the right interface" contains only attributes set in orm.xml for this entity. No attribute set through an annotation is listed, including those that are not overridden. | | 6.4.1 | SCRAIP-15000 |
| JEE - Java | | - Results for all Java diagnostics related to JavaDoc comments.<br>- A method M2 overrides a method M1,<br>- and M1 contains javadoc comments but M2 does not. | The diagnostics incorrectly list M2 as a Very High Risk Object. | | 6.4.1 | SCRAIP-14994 |
| JEE - Java, JEE - JSP | | | If a package is declared after using an annotation, the analyzer throws the error message 'syntax error'. | | 6.4.1 | SCRAIP-14997 |
| | | | When different languages (Java, JS, HTML, ...) are present on one single line of code, the computed 'number of lines of code' is wrong. | | 6.4.1 | SCRAIP-14998 |
| | | | Parameterization of generic Java methods: importing a generic method (such as `public <T> List<T> update(String query)`) generates an invalid trigger (e.g. `update <T> (java.lang.String)`). This trigger does not create links with the objects passed in the parameter. | Manually remove `<T>` from the trigger specification (so that it becomes `update (java.lang.String)`). | | |
| SQL - T-SQL ASE, SQL - T-SQL MS | | An object in one database (e.g. a procedure in database A) accesses an object in another database (e.g. a table in database B) and the following conditions are met:<br>- both databases have been previously analyzed and therefore already exist in the KB;<br>- the two databases are analyzed by different jobs;<br>- the option 'Auto register called databases' is OFF in the job analyzing database A. | Missing link between objects in different databases when both databases exist in the KB and are analyzed separately. The job log contains the following informational message and the job finishes successfully:<br>`Information: Skipped Ref. procedure 'my_proc' -> table 'my_db..my_table' because 'my_db..my_table' is in a foreign database that not registered.`<br>In Enlighten, there is no link between my_proc and my_db..my_table. | Either set the option 'Auto register called databases' to ON in the job analyzing database A, or analyze both databases in one single job. | 6.4.1 | SCRAIP-14769 |
| SQL - PL/SQL | | | The Metrics Assistant wizard does not allow the use of functions and procedures defined in 'Object types'. | | 6.4.1 | SCRAIP-14984 |
| SQL - SQL-PSM UDB | | Analyzing a DB2 UDB database and generating a snapshot, then looking at the results for the diagnostics:<br>- Never use SQL queries with a cartesian join<br>- Never use SQL queries with a cartesian product on XXL tables | Both diagnostics do not detect violations in the DB2 database for the following situations:<br>1. There is a SELECT statement with a table in a nested query in the FROM clause.<br>2. There is a procedure having an UPDATE statement with a cartesian join inside a nested query in the SET clause. | | | |