Summary: CAST AIP 8.3.18 introduces a number of features and changes as listed below.
The following syntax is now supported:
The default value for the option Procedure Call Depth (which limits the number of intermediate values that the Inference Engine can resolve in order to obtain the type of the object that is being searched for) has been changed to 300 (from 3000) for all Applications newly onboarded with ≥ 8.3.18. This change has been made to reduce .NET analysis duration. For Applications that are upgraded from a previous release of AIP to ≥ 8.3.18, the previous value for this option will be retained to avoid impacting analysis results.
Data functions / transaction functions will still contribute to values in the AFP section in the following situations:
This is because these Data functions / Transactions have already been calibrated (i.e. merged / deleted / ignored), and a Compute action will not remove these items from the values in the AFP section, so that the specific calibration that has been applied is not lost. Therefore, if you need to prevent these objects from contributing to values in the AFP section, you can:
In previous releases of CAST AIP, Added/Deleted objects would be visible in the following situation:
If an entry point of a valid transaction is missing in more than two consecutive snapshots, then the transaction ID is lost. As a consequence, when the missing entry-point object re-appeared in a subsequent snapshot, CAST AIP was not able to recover the transaction ID and a new transaction ID was associated with the entry point. If the intermediary snapshots were then deleted, CAST AIP recorded an Added/Deleted of the transaction because it saw that the transaction had a new ID and the previous ID was no longer present in the snapshot.
The behaviour of CAST AIP in this situation has been changed: the previous transaction ID will be re-used when the missing entry-point object re-appears in a subsequent snapshot. When the intermediary snapshots are deleted, the transaction will therefore be seen as Unchanged (if there are no changes in the transaction's details) or Modified (if there are changes in the transaction's details).
Methods from the org.owasp.encoder library have been added to the list of libraries that are automatically taken into account for Sanitization. A list of libraries automatically taken into account for Sanitization is available in User Input Security - predefined methods.
The rule Avoid hard-coded credentials (8222) has been updated to include support for detecting hard-coded credentials in the PasswordDeriveBytes Class. See also Changes in results post upgrade - 8.3.18.
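The kind of code this rule update concerns, next to a corrected form, as an added example that is not CAST's own code or rule definition. Exactly which PasswordDeriveBytes call shapes rule 8222 matches is an assumption; the class name `KeyDerivationExample`, the environment variable `APP_KEY_PASSPHRASE`, the literal password, the salt and the iteration count are all constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;

static class KeyDerivationExample
{
    // Constructed sample salt, used only by the flagged variant.
    static readonly byte[] FixedSalt = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 };

    // Pattern assumed to be reported: the password is a string literal, so it
    // ships inside the compiled assembly and is identical in every deployment.
    static byte[] DeriveKeyHardCoded()
    {
        using (var kdf = new PasswordDeriveBytes("S3cr3t-constructed-sample", FixedSalt))
        {
            return kdf.GetBytes(32);
        }
    }

    // Corrected form: the passphrase is supplied at run time and never appears
    // in source. The switch to Rfc2898DeriveBytes (PBKDF2) with a random salt is
    // a separate hardening step that goes beyond what the rule itself checks.
    static byte[] DeriveKeyFromEnvironment(out byte[] salt)
    {
        string passphrase = Environment.GetEnvironmentVariable("APP_KEY_PASSPHRASE"); // hypothetical name
        if (string.IsNullOrEmpty(passphrase))
            throw new InvalidOperationException("APP_KEY_PASSPHRASE is not set");

        salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt); // fresh salt per key; store it alongside the ciphertext
        }

        // Iteration count is a constructed value; tune it for the target hardware.
        using (var kdf = new Rfc2898DeriveBytes(passphrase, salt, 600000, HashAlgorithmName.SHA256))
        {
            return kdf.GetBytes(32);
        }
    }

    static void Main()
    {
        // Print lengths only, so key material never reaches the console or logs.
        Console.WriteLine("hard-coded variant:  " + DeriveKeyHardCoded().Length + " bytes");
        byte[] salt;
        byte[] key = DeriveKeyFromEnvironment(out salt);
        Console.WriteLine("environment variant: " + key.Length + " bytes, salt " + salt.Length + " bytes");
    }
}
```

The four-argument `Rfc2898DeriveBytes` constructor requires .NET Framework 4.7.2 or later, or .NET Core 2.0 or later.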
The CAST-DatabaseExtractionRenamingTool.exe tool that is used to mitigate the impact on analysis results when databases or schemas move from one Server to another or from one Instance to another has been enhanced to support renaming for database extractions performed on Microsoft SQL Server and Sybase ASE. You can find out more about this tool here: Dealing with databases or schemas that move from one Server to another or from one Instance to another.