|Summary: CAST AIP 8.3.20 introduces a number of features and changes as listed below.|
The internal mechanism used to save analysis results into the CAST AIP schemas has been optimized in this release. The primary goal is stricter control over the data that is written, so that inconsistencies are reduced and the overall accuracy of CAST AIP improves; performance has also been stabilized. Because of this change, small differences in analysis results are to be expected when a new analysis/snapshot is run post-upgrade on unchanged source code, for example:
The -MODIFY_COMBINED command has been optimized to improve performance when it is used to install new extensions, or to upgrade or deactivate existing extensions, in an existing combined installation (Management, Analysis and Dashboard Service schemas). This is the command-line equivalent of the Manage Extensions option in the GUI.
CAST AIP 8.3.20 introduces support for links between Cobol Programs and IMS Transactions for IMS/DC (Data Communications). See Mainframe - IMS DC support.
Links between Cobol paragraphs/sections and DB/GSAM/ALT PCB when using DLI function have been updated as follows:
Several fixes have been applied to the rule Avoid unchecked return code (SQLCODE) after EXEC SQL query (7690) to reduce the number of false violations reported:
Fixes have been applied to the rule Never truncate data in MOVE statements (7688) to reduce the number of false violations reported.
Fixes have been applied to the rule CICS Return code should be checked (8162) to reduce the number of false violations reported when the return code is checked through an IF statement on a variable.
Improved coverage for JCL Symbol resolution:
The GUI of the CAST Transaction Configuration Center now has a new column called Scope, so that users can see whether an end point is external when reviewing the data functions called by a transaction:
|For all data functions the scope is always Application, but for end points the scope can be External or Application.|
The SecurityAnalyzer.log now lists the number of distinct flaws found for each analyzed target: a Distinct= counter has been added to each target line, for example:
2020-01-08 14:15:52,238  DEBUG Analyzed target: 369/1941. Found=2, Distinct=1. Steps=128.
bsh.Interpreter.eval (BeanShell) is now recognized as a target for code injection: a tainted string reaching it is evaluated as code.
Constructors of System.IO.MemoryStream are now handled correctly, avoiding false positive violations of the rule Avoid file path manipulation vulnerabilities (7752). These constructors take a byte buffer, not a file path, so tainted data flowing into them cannot manipulate a path.
Database access methods of the .NET Framework are now modeled more accurately. As a consequence, some false positives may disappear and new true positives may be reported for the rule Avoid SQL injection vulnerabilities (7742).
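The distinction behind this fix, shown as an added example (this is not CAST code, and the report directory /srv/app/reports, the method names and the class name are assumptions for illustration): tainted input that becomes the content of a MemoryStream never names a file, whereas the same input used in a FileStream constructor does, and must be canonicalised and checked against the intended base directory before use.

```csharp
using System;
using System.IO;
using System.Text;

// Added example, not part of the CAST product or documentation.
public static class PathSinks
{
    // Assumption: the application only ever serves files from this directory.
    private static readonly string BaseDir = Path.GetFullPath("/srv/app/reports");

    // Tainted input becomes the CONTENT of an in-memory buffer. No file is
    // opened, so no path manipulation is possible: reporting this under
    // rule 7752 was the false positive.
    public static int CountBytesInMemory(string untrusted)
    {
        using (var ms = new MemoryStream(Encoding.UTF8.GetBytes(untrusted)))
        {
            return (int)ms.Length;
        }
    }

    // Tainted input becomes a PATH. "../../etc/passwd" walks out of BaseDir,
    // and an absolute name such as "/etc/passwd" makes Path.Combine discard
    // BaseDir entirely. This is a true positive for rule 7752.
    public static string ReadReportUnsafe(string untrustedName)
    {
        string path = Path.Combine(BaseDir, untrustedName);
        using (var fs = new FileStream(path, FileMode.Open, FileAccess.Read))
        using (var sr = new StreamReader(fs))
        {
            return sr.ReadToEnd();
        }
    }

    // Hardened: resolve "..", symlink-free normalisation and absolute names
    // with GetFullPath, then require the result to still lie under BaseDir.
    public static string ReadReportSafe(string untrustedName)
    {
        string full = Path.GetFullPath(Path.Combine(BaseDir, untrustedName));
        string root = BaseDir.TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        if (!full.StartsWith(root, StringComparison.Ordinal))
        {
            throw new UnauthorizedAccessException("requested path escapes the report directory");
        }
        using (var fs = new FileStream(full, FileMode.Open, FileAccess.Read))
        using (var sr = new StreamReader(fs))
        {
            return sr.ReadToEnd();
        }
    }
}
```

The check uses the trailing separator on root so that a sibling directory such as /srv/app/reports-old is rejected as well; on Windows the same code applies, since Path.GetFullPath and Path.DirectorySeparatorChar follow the host platform.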
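The kind of data flow rule 7742 is looking for in .NET code, as an added example (not CAST code; the Users table, the column Name and the class name are assumptions): the value of a tainted string reaches SqlCommand through concatenation in one case and through a typed parameter in the other.

```csharp
using System.Data;
using System.Data.SqlClient;

// Added example, not part of the CAST product or documentation.
public static class UserLookup
{
    // Tainted 'name' is concatenated into the statement text. A value such as
    //   x' OR '1'='1
    // changes the structure of the query rather than just its data. Whether the
    // text is built here or assigned later to cmd.CommandText, the sink is the
    // same: the string handed to the database driver.
    public static int CountUnsafe(SqlConnection conn, string name)
    {
        string sql = "SELECT COUNT(*) FROM Users WHERE Name = '" + name + "'";
        using (var cmd = new SqlCommand(sql, conn))
        {
            return (int)cmd.ExecuteScalar();
        }
    }

    // Parameterised form: the statement text is constant, and the value travels
    // to the server as a typed parameter that can never be parsed as SQL.
    public static int CountSafe(SqlConnection conn, string name)
    {
        using (var cmd = new SqlCommand("SELECT COUNT(*) FROM Users WHERE Name = @name", conn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            return (int)cmd.ExecuteScalar();
        }
    }
}
```

Escaping the quote character in the unsafe variant is not a fix: it leaves numeric contexts, LIKE patterns and driver-specific encodings open, which is why the rule treats only the parameterised path as clean.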