Summary: CAST AIP 8.3.20 introduces a number of features and changes as listed below.

Analysis result save process has been optimized

The internal mechanism that is used to save analysis results in the CAST AIP schemas has been optimized and improved in this release of AIP. The goal of this optimization has primarily been to introduce more rigorous controls on the data that is saved to reduce inconsistencies and therefore to increase the overall accuracy of CAST AIP. In addition, performance has been stabilized. As a result of this optimization, some small changes in analysis results are to be expected when performing a new analysis/snapshot post-upgrade on unchanged source code, for example:

CAST Server Manager - CLI

The -MODIFY_COMBINED command has been optimized to improve performance when using the command to Install new extensions, upgrade existing extensions or deactivate existing extensions to an existing combined installation (Management, Analysis and Dashboard Service schemas) - equivalent to the Manage Extensions option in the GUI.

Mainframe

IMS/DC - support for links between Cobol Programs and IMS Transactions

CAST AIP 8.3.20 introduces support for links between Cobol Programs and IMS Transactions for IMS/DC (Data Communications). See Mainframe - IMS DC support.

IMS/DB - link type changes

Links between Cobol paragraphs/sections and DB/GSAM/ALT PCB when using DLI function have been updated as follows:

Rule updates

Avoid unchecked return code (SQLCODE) after EXEC SQL query (7690)

Several fixes have been applied to the rule Avoid unchecked return code (SQLCODE) after EXEC SQL query (7690) to reduce the number of false violations reported:

MAINFRAME-373 - Never truncate data in MOVE statements (7688)

Fixes have been applied to the rule Never truncate data in MOVE statements (7688) to reduce the number of false violations reported.

MAINFRAME-348 - CICS Return code should be checked (8162)

Fixes have been applied to the rule CICS Return code should be checked (8162) to reduce the number of false violations reported when the check statement is called via an IF statement in a variable.

JCL Symbol coverage

Improved coverage for JCL Symbol resolution:

CAST Transaction Configuration Center

GUI update for external end-points

An update has been made to the GUI of the CAST Transaction Configuration Center to allow users to see if an end point is external when checking the datafunction called by a transaction in a new column called Scope:

Click to enlarge

For all datafunctions the scope is always Application, but for end-points the scope can be External or Application.

User Input Security

AIPCORE-1239 - improved SecurityAnalyzer.log

The SecurityAnalyzer.log has been improved to list the number of distinct flaws found for each analyzed target. For example, Distinct= has been added:

2020-01-08 14:15:52,238 [1] DEBUG Analyzed target: 369/1941. Found=2, Distinct=1. Steps=128. 

AIPCORE-1492 - support for bsh.Interpreter.eval

Added support for bsh.Interpreter.eval as a target for code injection.

AIPCORE-1538 - improvement to handling of constructors of System.IO.MemoryStream

Constructors of System.IO.MemoryStream are now handled correctly avoiding false positive violations to the rule Avoid file path manipulation vulnerabilities (7752).

AIPCORE-1585 - improved coverage of database access methods from the .NET framework

Access to database methods of the .NET Framework are now handled more accurately. As a consequence, some false positives may be removed and new true positives may be found for the rule Avoid SQL injection vulnerabilities (7742).