Summary: CAST AIP 8.3.25 introduces a number of features and changes as listed below.

Mainframe Analyzer

Support for IMS MFS Maps

Support has been implemented for IMS MFS Maps to improve IMS/DC support so that it is possible to find out which Cobol programs use an MFS Map:

As a result, some changes have been implemented:

IMS Message Format Service

IMS Message Input Descriptor

IMS Message Output Descriptor

Improved support for JCL Dataset sub types

The Mainframe Analyzer is now able to detect the following specific types of JCL Dataset, which will now be visible in CAST Enlighten, Architecture Checker and CAST Transaction Configuration. See Mainframe - Technical notes for more details.

In addition, a new protoype link has been implemented between DBD objects and JCL Datasets (DBD).

Rule documentation updates

The documentation for the following rules has been updated

Rule IDDescriptionChange
8468

Program semantic should respect the logic of flow execution

Rationale has been updated.

SQL Analyzer embedded in AIP

The SQL Analyzer embedded in AIP now supports:

User Input Security

Improved violation type coverage

The following new rules have been implemented:

Rule IDCWE IDRule nameInput nameTarget name.NET supportJEE support
848279Cross-site scripting through API requestsNetwork.readAPINetwork.writeNOLIMITED
8484113HTTP response splitting through API requestsNetwork.readAPINetwork.httpNOLIMITED
848699Resource injection through API requestsNetwork.readAPIResource.writeNOLIMITED
848899Resource URL manipulation through API requestsNetwork.readAPIResource.writeURLNOLIMITED
849089SQL injection through API requestsNetwork.readAPIDatabase.writeNOLIMITED
849290LDAP injection through API requestsNetwork.readAPILDAP.filterNOLIMITED
849478OS command injection through API requestsNetwork.readAPIRuntime.execNOLIMITED
8496114Process control through API requestsNetwork.readAPIRuntime.loadNOLIMITED
849878Denial of service threat through API requestsNetwork.readAPIThread.sleepNOLIMITED
850094/95Code injection through API requestsNetwork.readAPIScript.evalNOLIMITED
8502470Reflection injection through API requestsNetwork.readAPIReflection.writeNOLIMITED
850491XPath injection through API requestsNetwork.readAPIXPath.writeNOLIMITED
850673Path manipulation through API requestsNetwork.readAPIFile.openNOLIMITED
8508117Log forging through API requestsNetwork.readAPILog.writeNOLIMITED
8510134Uncontrolled format string through API requestsNetwork.readAPIString.formatNOLIMITED
8512501Request parameters in session through API requestsNetwork.readAPINetwork.writeSessionNOLIMITED
851489NoSQL injection through API requestsNetwork.readAPINosql.writeNOLIMITED
8516601Open redirect through API requestsNetwork.readAPINetwork.redirectNOLIMITED

All of the above new rules are based on "injection through API requests” - the list of supported APIs is as follows:

Improvement to support for Apache Struts 2 applications

The following truncated manglings are now supported:

This is an improvement to "AIPCORE-1705 - User Input Security is now able to detect security violations in Apache Struts 2 applications" added in CAST AIP 8.3.21.

CAST Database Extractor

The CAST Database Extractor now supports:

CAST Storage Service/PostgreSQL admin

CSS Upgrade Wizard

The CSS Upgrade Wizard (CSSUpgrade.exe) used to move schemas from one CAST Storage Service/PostgreSQL instance to another is now deprecated.

CombinedTransfer.bat

A new batch file called CombinedTransfer.bat has been created as a replacement for the CSS Upgrade Wizard. It is a wrapper batch file for the CSS Backup and Restore Tools, provided as part of the CAST AIP ≥ 8.3.x, and involves a fully automated process of dumping the required schemas to file and then restoring the dumps on the new server. The CAST Storage Services/PostgreSQL do not need to be installed on the same host, and both can be remote to the machine on which you are executing the batch file.

The CombinedTransfer.bat batch file is located in the following folder and must be executed from within the context of this folder:

<CAST AIP installation>\CSSAdmin\CSSUpgrade\

See CAST Storage Service - Moving existing schemas to new hosts for more information.

Miscellaneous

CAST AIC Portal

CAST AIC Portal is now deprecated and official support for this web application will cease at the end of 2020. CAST encourages users to switch to AIP Console where possible.

CAST Management Studio - Create application option

If you need to onboard new Applications and are not yet using AIP Console or are having issues using CAST AIC Portal, then it is now possible to create new Applications directly in CAST Management Studio for all user audiences ("regular" through to "expert"). This is a "stop gap" solution until such time as you are ready to switch to AIP Console.