See Release Notes - 8.3.0 - 8.3.15 for older 8.3.x releases of AIP Core.

8.3.59

Resolved Issues

Customer Ticket Id Details
48598 Fixes an issue where Analysis Units for ".pbxproj" files are not created as the source code is not found in the paths discovered by the legacy Delivery Manager Tool.
46886 Fixes an issue causing simultaneous result uploads from different applications to the Measure schema to all fail.
47767 Fixes an issue where attempting to delete or consolidate snapshots via CAST Console results in a process that never ends but where there are no logs generated to indicate progress.

Other Updates

Internal Id Details
AIPCORE-5189 Fixes an issue causing extensions (with no technical content such as com.castsoftware.datacolumnaccess) to fail to install.
AIPCORE-5182 Fixes an internal regression introduced in a previous release which causes the error "'ERROR: column "session_id" does not exist'" when CI_xxx tables used by AMT_updating.sql are saved.
AIPCORE-5133 Fixes an error in CAST-ServerManager GUI where the extension panel does not handle unregistered extensions.
AIPCORE-5132 Fixes an error in CAST-ServerManager GUI where the extension panel does not handle alpha/beta/funcrel suffixes in selected versions.
AIPCORE-4904 Fixes a technical issue related to the CAST-AMTInjector tool: volatile properties are not filtered.

8.3.58

Resolved Issues

Customer Ticket Id Details
47394 Fixes an issue where the snapshot processing time increased by six times after adding 17 custom modules.
47142 Provides a fix for various security vulnerabilities found in the "CAST-AppMarqDataCompiler.jar" file.
46029 Fixes an issue causing some snapshots to fail to complete correctly.

Other Updates

Internal Id Details
AIPCORE-5045 A new option specifically for Mainframe technology has been added to the "Data to generate" section in CAST Console, called: "Save data and links to sections/paragraphs/other data". This option combines two other options in the same section - see also https://doc.castsoftware.com/technologies/mainframe/analysis-config/. Also requires com.castsoftware.mainframe ≥ 1.4.0 and CAST Console ≥ 2.11.7.
AIPCORE-5046 A change has been implemented to avoid random variations in reported violations for the rules "Avoid direct or indirect remote calls inside a loop" (7962) and "Avoid indirect String concatenation inside loops" (7954). This change will cause a variation to the number of reported violations for these rules after an upgrade to AIP Core 8.3.58 and a re-analysis on unchanged source code, but subsequent analyses on unchanged source code will produce stable results.

8.3.57

Feature Improvements

Summary Details
Addition of two new commands to CAST-MS-cli.exe: Two new commands (ExportMetricsParameters and ImportMetricsParameters) have been added to the CAST-MS-cli.exe command line tool. These commands allow the export of Assessment Model parameters to an XML file and the import of an XML file generated by the export command. See here.

Resolved Issues

Customer Ticket Id Details
46129 Fixes the error "value too long for type character varying(50)" that occurred during step "GenerateSnapshot" when the name for the version of the analyzed source code exceeded 50 characters. The version name is entered in Console.
45317 Fixes the following analysis error: “Failed to Connect to Local Database”. The issue was caused by corruption of file C:\ProgramData\CAST\CAST\8.3\CWProfileConnection.INI. The corruption might have occurred because of concurrent analyses performed on the same analysis node. Corruption is now prevented by managing concurrent write access to the file.
42885 Fixes several syntax error messages that were incorrectly reported when analyzing syntactically correct Oracle Forms source code.
39773 Fixes a performance problem that occurred when analyzing a specific Oracle Forms application. The analysis appeared to be stuck for several days.
45735 Fixes the error 'SQL Error: ERROR: duplicate key value violates unique constraint "pk_objdsc"' during a Mainframe analysis. The issue may have been caused by a custom source code extraction that included a NULL character (\0) in the middle of a source code string.

Other Updates

Internal Id Details
AIPCORE-5023 Fixes a crash during an ABAP analysis that occurred for a particularly packaged source code that produced 2 ABAP analysis units instead of one. With the fix, a single analysis unit is created.
AIPCORE-4987 An improvement has been implemented so that application names entered in Console can be longer than 83 characters. It is available when using AIP Console 2.11.4 and higher.

8.3.56

Resolved Issues

Customer Ticket Id Details
44205 Fixes an issue where the computation of a large analysis ran for 7 days and failed with a size issue on the CAST Storage Service.
44667 Fixes an issue where the analysis of PowerBuilder 2021 failed with the error "Failed to parse xml file". Note that in addition to the fix provided, when analyzing PowerBuilder 2021, 2022 or 2023, the path to the PowerBuilder runtime must be manually added to the "PATH" system environment variable.
44703 Fixes an issue causing the analysis of a single Analysis Unit (i.e. not as part of a standard analysis) to fail with the error "error while executing groovy script".
43844 Fixes an issue visible in CAST Imaging Console 2.10.0-funcrel: the "measurement" schema (used for CAST Dashboards) was not created at all because of missing user "operator". This was an issue present in the CSSBackup and CSSRestore tools used to create the template measurement schema that is restored by CAST Imaging Console when Dashboards are configured.
45136 Fixes an issue causing JEE related extensions to fail to install with the error "category 'Java' is unknown". This fix ensures that the error will no longer occur when a JEE related extension is automatically installed by CAST Imaging Console during deep analysis and after an upgrade of CAST Imaging Core from 8.3.47 or lower to 8.3.48 or higher.
45035 Fixes an issue causing the "Set As current version" step to fail with the error: "There is insufficient memory for the Java Runtime Environment to continue".
43832 Fixes an issue causing the upload of data to the measurement schema for use with the Health Dashboard to fail with the error: "ERROR: integer out of range".
45284 Fixes an issue causing a "Syntax error" warning to occur during the computation of the metric stage of ABAP files (MAV2).
45285 Fixes an issue causing a "Syntax error" warning to occur during the computation of the metric stage of ABAP files (MAV2).

8.3.55

Other Updates

Internal Id Details
AIPCORE-4829 Fixes an issue causing the automated (via CAST Imaging Console) or manual (using the CSSBackup/CSSBackUp all tools) backup of CAST schemas to fail when the source CAST Storage Service/PostgreSQL instance is Postgres 14 or above.

Resolved Issues

Customer Ticket Id Details
41158 Fixes an issue causing the failure of the Mainframe_Extension.TCCSetup file to install correctly.
44270 Fixes an issue causing an HTML5/JavaScript type Analysis Unit not to be created where the root path contains ".".
43787 Fixes an issue where a snapshot fails because the table "aed_remediation_efforts" is missing (error: 'Error while executing update.. AED_REMEDIATION_EFFORT").
43863 Fixes an issue causing some data functions to intermittently appear, disappear and reappear when using the CAST Transaction Configuration Center to compute function point values.
40880 Fixes an issue causing an "unsupported syntax" message during the Metrics Assistant step of the analysis process specifically on "RAISE EXCEPTION NEW" ABAP syntax.
44326 A documentation update has been added to explain how to set the log file when performing a silent installation of CAST Imaging Core using an answer file (setup.iss). See here.

8.3.54

Feature Improvements

Summary Details
Technical - Mainframe: Updates have been made to prepare the analysis engine for the addition of three new Mainframe specific analysis options that will be made available with Console 2.10 and Mainframe Analyzer (com.castsoftware.mainframe) 1.2.0.

Resolved Issues

Customer Ticket Id Details
43035 Fixes an issue where the Mainframe analyzer hung during the "comparing objects" analysis step on the "kb_comparekeysparentship" function.
43035 Fixes a performance issue during the "Prepare analysis data" step where the "Update sources" action was taking an excessive amount of time to complete due to the procedure "DSSAPP_SOURCE_POS_UPDATE".
42943 Fixes an issue causing an error during the analysis "Invalid Web Application Root Path". This was due to an internal issue where multiple source packages were addressing the same source code files.
40588 Fixes an issue where links to third party documents in the rule 7196 "Avoid large number of String concatenation (JEE)" were obsolete and broken.
43280 Fixes an issue where confusing log messages originating in the legacy CAST Management Studio were being displayed in Console. These log messages (e.g. "Missing Translation for id connection_manager_jdbc_connected") are no longer displayed.
42349 The rule documentation ("Description" section) for the rule 7344 "Avoid "SELECT *" queries" has been updated to better describe how the rule functions.
42938 Fixes an issue where the analysis is failing at the "Prepare analysis data" step due to empty modules, despite the fact that the "Ignore Empty Modules" option is enabled.

8.3.53

Note

CAST Management Studio (CAST-MS.exe, the graphical user interface) is now deprecated. This means that no further development nor bug fixes will be provided for this component. If you are still actively using the CAST Management Studio user interface, you should plan a move to CAST Console as soon as possible.

Resolved Issues

Customer Ticket Id Details
42617 Fixes an issue causing a Java "NullPointerException" error when attempting to use the "Check RegExp. On File" and "Check RegExp. On Directory" options in the "Edit Reference Pattern" dialog box in CAST Management Studio.
42292 The CAST Imaging Core installer has been updated so that the "Visual C++ Redistributable Packages for Visual Studio 2010" is no longer installed, since it is unsupported. Instead, the "Visual C++ Redistributable Packages for Visual Studio 2015-2022" is now installed, also replacing the "Visual C++ Redistributable Packages for Visual Studio 2017". See https://doc.castsoftware.com/display/AIPCORE/Install+AIP+Core#InstallAIPCore-Installedthird-partysoftware.
42485 The CAST Imaging Core installer has been updated so that the "Visual C++ Redistributable Packages for Visual Studio 2010" is no longer installed, since it is unsupported. Instead, the "Visual C++ Redistributable Packages for Visual Studio 2015-2022" is now installed, also replacing the "Visual C++ Redistributable Packages for Visual Studio 2017". See https://doc.castsoftware.com/display/AIPCORE/Install+AIP+Core#InstallAIPCore-Installedthird-partysoftware.
42977 The CAST Imaging Core installer has been updated so that the "Visual C++ Redistributable Packages for Visual Studio 2010" is no longer installed, since it is unsupported. Instead, the "Visual C++ Redistributable Packages for Visual Studio 2015-2022" is now installed, also replacing the "Visual C++ Redistributable Packages for Visual Studio 2017". See https://doc.castsoftware.com/display/AIPCORE/Install+AIP+Core#InstallAIPCore-Installedthird-partysoftware.

8.3.52

Feature Improvements

Summary Details
Technical - Improvements for CAST Console "Analysis Reports" feature - reasons for unanalyzed files: A technical update has been implemented in this release to ensure that the "Analysis Reports" feature in CAST Console (which provides information about the number of analyzed and unanalyzed files in an analysis) provides specific information about which Project Exclusion Rules excluded the file from the analysis. Previously, no explanation was given about which Project Exclusion Rules had excluded the unanalyzed files. Now, files that are not excluded via a Project Exclusion Rule will have no explanation about why they were excluded and therefore the analysis logs should be consulted for these files - generally these files were skipped by the analyzer during the analysis. See also https://doc.castsoftware.com/display/AIPCONSOLE/Application+-+Overview+with+Fast+Scan#ApplicationOverviewwithFastScan-AnalysisReports.
Technical - Improvements to the CAST Transaction Configuration engine: A technical update has been implemented to ensure that the option "Activate automatic Data Function merge (FK/PK)" (available in CAST Console under Function Points > Settings - see https://doc.castsoftware.com/display/AIPCONSOLE/Application+-+Function+Points+-+Settings - and which is enabled by default) correctly generates "typed" links between merged tables: previously the link between the merged tables was created simply as a "Refer" link. Now, more information is available from the SQL Analyzer about these links, so the link between the merged tables can be created as typed link: Refer(Delete), Refer(Update), Refer(Update,Delete) or Refer (as before) and as a result of this, some tables were not merged correctly by the CAST Transaction Configuration engine (embedded in AIP Core). The engine has therefore been updated to consider these typed links and therefore correctly merge the tables. As a direct result of this update, existing AEP, Function Point and Data Function values may be impacted if the "Activate automatic Data Function merge (FK/PK)" was enabled prior to the upgrade to this release of AIP Core. If this option was disabled prior to the upgrade, no impact to existing results will be seen.

8.3.51

Resolved Issues

Customer Ticket Id Details
40440 Updated the documentation for the com.castsoftware.datacolumnaccess extension to remove a section explaining how to manually configure data sensitivity indicators for GDPR and PCI-DSS which is not necessary because CAST Console does this automatically. See https://doc.castsoftware.com/display/TECHNOS/Data+Column+Access+-+2.2#DataColumnAccess2.2-Datasensitivityconfiguration and https://doc.castsoftware.com/display/TECHNOS/Data+Sensitivity.
41351 Fixes an issue causing DMT steps to fail with the error "cast.utilities.consoleHandlerGenericLogError Unexpected application identifier" when the delivery folder is set to a network location. The -storagePath option was attempting to locate the application without a trailing "/" at the end of the path.
41635 Fixes an issue causing the AED Consolidation task to fail with the error "Task message: The program AED Consolidation Tool has not ended correctly (Error code 2001)" when run through the legacy CAST Management Studio.
41337 Fixes an issue causing the automatic remediation process in the legacy DMT to go into an unending loop when delivering Maven source code.
41307 Fixes an issue where the "Host name" field in the legacy DMT (Package configuration tab) would not accept a long host name (the field was limited to a certain number of characters).
37847 Fixes an issue where the order of the execution of analysis units changed between successive releases of AIP Core (8.3.28 and 8.3.45) impacting analysis results.
41677 Fixes an issue where an error occurred during the application schema creation step when attempting to onboard a new application in CAST Console. This error was caused by the schema restore scripts used by CAST Console that did not handle special characters in the CAST Storage Service/PostgreSQL operator user password.

8.3.50

Feature Improvements

Summary Details
Technical - Support for SAP PowerBuilder 2021, 2022 and 2023: AIP Core has been updated to support the analysis of SAP PowerBuilder 2021, 2022 and 2023. This support requires CAST Console ≥ 2.8.x. In addition, there are no changes to the requirement to install the SAP PowerBuilder IDE on the Node(s) - see https://doc.castsoftware.com/display/TECHNOS/PowerBuilder+-+Required+third-party+software.
Technical - CSS Admin tool improvements: The four CSS Admin tools (CSSBackup.exe, CSSBackupAll.exe, CSSRestore.exe and CSSRestoreAll.exe) have been updated to include additional functionality: 1) all four tools will now automatically write an additional text based log file containing messages from the pg_dump and pg_restore tools that are used in the background to complete the actions, 2) all four tools now use an option called "-logtime" by default to ensure log messages are timestamped, 3) all four tools now have an option called "-verbose" which forces the tools to log pg_dump and pg_restore actions in verbose mode to the new text log file that is automatically generated (this option is not enabled by default), 4) CSSBackupAll now includes two new options: "-parallel" to define multi-thread action and "-schemas" to define a comma separated list of schemas that must be backed up, 5) CSSRestoreAll now includes three new options: "-parallel" as described previously, "-overwrite" to force existing identically named schemas on the target instance to be dropped when the restore action is run and "-extension" to ensure that only files with specific extensions are restored. See https://doc.castsoftware.com/display/STORAGE/Maintenance+activities+for+CAST+Storage+Service+and+PostgreSQL.

Other Updates

Internal Id Details
AIPCORE-4569 Opening a temporary dashboard from within CAST Management Studio using the "Open dashboard" option (see https://doc.castsoftware.com/display/AIPCORE/CMS+-+Dashboard+Service+editor) is no longer supported (in technical terms, the WAR file used for this functionality has been removed from AIP Core because it contained an obsolete Dashboard release). CAST Management Studio has reached end of life. Please use CAST Console and the integrated dashboard instead.
AIPCORE-4580 The Java JRE embedded in AIP Core (in the "jre" folder) has been upgraded from Java 8-345 to Java 8-362 to take advantage of various security fixes provided in this newer release.
AIPCORE-4608 As a result of an improvement made to the way in which JEE grammar is interpreted, some impacts to existing analysis results are expected for the metric "Number of Commented-out Code Lines" (10109) after upgrading an application to AIP Core 8.3.50 and generating a new snapshot. As a result of this, the number of violations reported by the rule "Avoid Artifacts with high Commented-out Code Lines/Code Lines ratio" (7126) may increase or decrease in comparison to results generated with an older release of AIP Core.

Resolved Issues

Customer Ticket Id Details
40135 Fixes an issue impacting snapshot generation performance, specifically during the Transaction Configuration "generated sets" step.
40255 Fixes an issue where after upgrading an application to a new release of AIP Core and choosing the "Preserve Assessment Model and get new rules for information" option in CAST Console, the Assessment Model shows no critical violations and all rules set to a weight of 0.
40405 Fixes an issue where the "Attaching package to version" step in the source code delivery process was stuck and would not complete.
40801 Fixes an issue causing "config.dmtReport" files located in the delivery folder to become very large.
40069 The Java JRE embedded in AIP Core (in the "jre" folder) has been upgraded from Java 8-345 to Java 8-362 to take advantage of various security fixes provided in this newer release.
40737 An update has been implemented to ensure that useful error messages are provided in CAST Console when the wrong type of (but valid) license key is used.
37146 Fixes an issue where the .NET Analyzer extension was not automatically installed when a web.config file was found in the application source code.
37878 Fixes an issue where the .NET Analyzer extension was not automatically installed when a web.config file was found in the application source code.

Known Issues

Internal Id Details
AIPCORE-4710 When using network paths for source code, delivery, deploy or other folders and when specifying the paths using Universal Naming Convention (UNC), the delivery step ("Accepting version") of a deep analysis will fail with an error message in the "DmtValidate..." log file such as: "cast.utilities.consoleHandlerGenericLogError Unexpected application identifier:0b6a3d89-a7b6-4d25-9ee4-d1c2d9b0679e". A UNC path has the format \\file_server\share\folder1\... Workaround: Specify the network path using a mapped drive, such as X:\folder1\... A hotfix for 8.3.50 is available. Please contact Technical Support.

8.3.49

Feature Improvements

Summary Details
Analysis result save process has been optimized: The internal mechanism that is used to save analysis results in the CAST schemas has been optimized and improved in this release of AIP Core. Starting from this release, the mode is now set by default to "OPTIMIZED" (previously set to "EMULATE" since AIP Core 8.3.22). "OPTIMIZED" mode reduces the peak disk space consumption used by CAST Storage Service/PostgreSQL during an analysis and therefore should allow larger analyses to successfully complete.

Other Updates

Internal Id Details
AIPCORE-4518 A fix provided for the customer bug "39299" will have some impacts on existing analysis results for JEE applications that use lambda expressions: 1) an increase in the number of violations may be seen for the rule 7796 "Avoid Classes with a High Lack of Cohesion - variant", 2) a decrease in the number of violations may be seen for the rule 7800 "Avoid Classes with High Coupling Between Objects".

Resolved Issues

Customer Ticket Id Details
38739 Fixes an issue where Console displays a "we are lost" 404 error when a Peoplesoft analysis fails at the snapshot creation step. The Node log contains the error "com.castsoftware.webi.common.exceptions.NotFoundException: Application not found".
39231 Fixes an issue where an analysis is marked as failed in the UI in Console, but the Execution Summary log states the analysis was successful.
39362 Fixes an issue where an analysis is marked as failed in the UI in Console, but the Execution Summary log states the analysis was successful.
39102 Fixes an issue where adding a new version fails with an error "Java heap space: Unable to clone the given version due to an error".
39299 Fixes an issue where a snapshot failed with the error "Package 'Base_Web', version '1.0.0.1' is already installed in application #10: nothing to do".
35337 Fixes an issue where outdated Log4J files are still present in the Health and Engineering dashboard WAR files stored in "%PROGRAMFILES%\CAST\8.3\wars" even after an upgrade to a new release where these WAR files are no longer delivered.
39948 Fixes an issue causing poor performance when CAST actions are interacting with the Measurement schema.

8.3.48

Feature Improvements

Summary Details
AADConsolidation and AEDConsolidation tools log improvements: The logs produced by the tools AADConsolidation and AEDConsolidation now include a timestamp.
All remaining extensions removed from Setup: To reduce the overall size of the AIP Core distribution, the JEE Analyzer, Web Services Linker and CAST AIP Internal Extension have been removed from the "shipped_extensions" folder - see https://doc.castsoftware.com/display/AIPCORE/Shipped+extensions#Shippedextensions-8348. Those using CAST Console exclusively, or those using CAST Management Studio and upgrading to AIP Core 8.3.48 should not be impacted. Those installing AIP Core 8.3.48 for the first time on a new host and using only CAST Management Studio will need to ensure that they manually download and install their required extensions as part of the Application onboarding process.

Resolved Issues

Customer Ticket Id Details
38373 Fixes an issue where a JEE analysis was stuck at the "comparing objects on server" step.
38659 Fixes an issue where the CAST-DatabaseExtractionRenamingTool.exe/CAST-DatabaseExtractionRenamingTool-CLI.exe tools failed to launch after the Java JRE on the Node was updated to Java 11. Now the tools are configured to use the Java JRE bundled with AIP Core. See also https://doc.castsoftware.com/display/TECHNOS/SQL+-+Dealing+with+databases+or+schemas+that+move+from+one+Server+to+another+or+from+one+Instance+to+another#SQLDealingwithdatabasesorschemasthatmovefromoneServertoanotherorfromoneInstancetoanother-UsingtheCASTDatabaseExtractionRenamingTool.
37895 Fixes an issue where the entry point of a transaction was missing from the reduced transaction call graph in CAST Imaging.

8.3.47

Other Updates

Internal Id Details
AIPCORE-4354 A change has been made to the behaviour of the exclusion rule "Exclude Duplicate Dot Net project located inside the exactly same source folder". In previous releases of AIP Core, this rule (which is used during the source code delivery process) is always enabled, however, for new source code deliveries actioned with AIP Core ≥ 8.3.47 this rule will now be disabled by default. For existing source code that has already been delivered, there will be no change to this rule. The change has been introduced to increase the accuracy of the source code delivery, especially for situations where multiple .NET projects with the same name exist in the source code (for example where .NET projects are generated automatically with the same project name). The rule should be enabled only when there are multiple versions of the same project within the source code. See https://doc.castsoftware.com/display/TECHNOS/.NET+-+Prepare+and+deliver+the+source+code#id-.NETPrepareanddeliverthesourcecode-Projectexclusionrules and https://doc.castsoftware.com/display/AIPCONSOLE/Managing+Project+Exclusion+Rules.
AIPCORE-4325 The Java JRE embedded in AIP Core (in the "jre" folder) has been upgraded from Java 8-121 to Java 8-345 to take advantage of various security fixes provided in this newer release.
AIPCORE-4334 Due to the introduction of a parallel analysis system in AIP Core 8.3.43, an algorithm was developed to sort analysis jobs into analysis layers. This algorithm placed the SQL Analyzer and legacy PL/SQL Analyzers in the same layer, meaning that it was possible that the SQL Analyzer would run before the legacy PL/SQL Analyzer, which in turn could result in missing links to database objects. This issue has now been fixed and now the SQL Analyzer always runs AFTER the legacy PL/SQL Analyzer, so that the missing links will now be resolved.

Resolved Issues

Customer Ticket Id Details
37337 Fixes an issue where the delivery was failing during the discovery step with the following error: "java.util.regex.PatternSyntaxException:Illegal repetition range near index 117".
37361 Fixes an issue related to packaging. When an application was set to current version it was failing during the package step with the following message: "Unable to allocate 851968KB bitmaps for parallel garbage collection for the requested 27262976KB heap."
37383 Fixes an issue where snapshot was stuck while executing procedure "DSSAPP_SCOPE_INIT_ARTIFACTS".
37841 Fixes an issue related to Reference Patterns. A Reference Pattern was taking 4 hours on 8.3.41/Linux Postgres while the same Reference Pattern was taking 14 minutes on AIP 8.3.37/CSS4.
37847 Fixes an issue where analysis order changed on upgrading from AIP Core 8.3.28 and 8.3.45. See AIPCORE-4334 under "Other Updates" above.

8.3.46

Other Updates

Internal Id Details
AIPCORE-4234 The Background Facts upload field (available in the Dashboard Service editor in CAST Management Studio - https://doc.castsoftware.com/display/AIPCORE/CMS+-+Dashboard+Service+editor) will (from now on) be ignored during an analysis. You should instead use the RestAPI to perform the upload, see https://doc.castsoftware.com/display/AIPCORE/Background+Facts+and+Business+Value+Metric+upload.
AIPCORE-4157 Some Mainframe (Cobol and IMS) built-in datatypes hardcoded into AIP Core have now been removed. These types were conflicting with the same types provided by the Mainframe Analyzer extension (https://doc.castsoftware.com/display/TECHNOS/Mainframe+Analyzer) and were causing the generation of erroneous transactions and function point values. The following types have been removed: DB Definition (COBOL_DBD Cobol DB Definition), Cobol File Link (CAST_COBOL_ExternalFilePrototype), Cobol File Link (CAST_COBOL_SavedFileDescription), IMS DB Definition (CAST_IMS_DatabasePrototype), IMS DB Definition (CAST_IMS_SavedDatabase). As a result of this change, you may find that existing transaction and function point values are modified after an upgrade to 8.3.46 and a new analysis/snapshot. CAST highly recommends using the most recent Mainframe Analyzer extension (1.0.18) to ensure a correct configuration for your Mainframe applications.
AIPCORE-4240 Three discoverers that are embedded in AIP Core (Visual Cpp 2010-2012 Project Discoverer, Eclipse Project Discoverer and Maven Project Discoverer) have been converted to extensions since the last release of AIP Core (8.3.45). The embedded versions of these extensions will not undergo any further updates and instead all functional changes/customer bug fixes will be actioned in the extensions. Note that only the Visual Cpp 2010-2012 Project Discoverer will be automatically downloaded and installed when using Console 2.4 (or later), other extensions must currently be installed manually (if the fixes/improvements they contain are required). See https://doc.castsoftware.com/display/TECHNOS/Visual+Cpp+2010-2012+Project+Discoverer, https://doc.castsoftware.com/display/TECHNOS/Eclipse+Project+Discoverer and https://doc.castsoftware.com/display/TECHNOS/Maven+Project+Discoverer.

Resolved Issues

Customer Ticket Id Details
36355 Fixes an error occurring when the Automatic Link Validator extension is executed: "acc_propupdated() line 3 at SQL statement', 'M': 'relation "acc" does not exist',". Fixing this issue has restored the functionality of the Automatic Link Validator extension. Automatic Link Validator was broken due to this bug in previous AIP Core service packs (possibly since 8.3.42). The consequence of fixing this bug is that now links are correctly validated and ignored again, as expected. In previous AIP Core service packs, no automatic link validation/ignoring occurred. Automatically validating/ignoring links can have an impact on transactions and thus on function point counts, therefore results may be impacted.
33029 Fixes an issue where after analysis a reference pattern search string was run as a tool but links were not created.
37076 Fixes an issue where running an analysis through a CLI script fails at the "Prepare analysis data" step due to an empty module, despite the "Ignore empty module" option being enabled in Console. Now, empty modules will not cause the analysis to fail when run from a CLI script.
36333 Fixes an issue where running an analysis through a CLI script fails at the "Prepare analysis data" step due to an empty module, despite the "Ignore empty module" option being enabled in Console. Now, empty modules will not cause the analysis to fail when run from a CLI script, regardless of the position of the option "Ignore empty modules".
37171 Fixes an issue where .NET analysis failed with the error: "Procedure call failed: ?digital_local.CACHE_PROCESSID,I_IDSESSION,I_IDUSRPRO", while comparing objects on server.

8.3.45

Feature Improvements

Summary Details
Technical - Changes to the KB Update SQL Tool: In this release, various changes have been implemented: 1) the existing table GUID_OBJECTS is now deprecated and should no longer be used (this table was used to define custom OBJECT_GUID values, principally for legacy technologies such as Visual Basic or PowerBuilder - scripts should be updated to use the OBJECT_ID instead) - see https://doc.castsoftware.com/display/AIPCONSOLE/KB+Update+SQL+Tool+-+CI+entry+tables#KBUpdateSQLToolCIentrytables-GUID_OBJECTS, 2) three new tables have been added to facilitate updates for link properties - CI_INT_LINK_PROPERTIES, CI_STR_LINK_PROPERTIES and CI_NO_LINK_PROPERTIES - see https://doc.castsoftware.com/display/AIPCONSOLE/KB+Update+SQL+Tool+-+CI+entry+tables.

Other Updates

Internal Id Details
AIPCORE-4130 The TFS (Team Foundation Server) extractor that is embedded in the legacy CAST Delivery Manager Tool is no longer supported. The entry will still exist in the UI (with a "not supported" label) but will fail to run if it is used.

Resolved Issues

Customer Ticket Id Details
35431 Fixed an issue where some Java objects were not present in a full subset technical module after the conclusion of the analysis - this was caused by the parent JEE project being marked as "external" and therefore being excluded from the module.
35538 Fixed an issue where a JEE analysis was stuck during the "comparing objects" step.
35549 After moving from CSS3 to CSS4, while upgrading the extension, the following error is displayed: "tablespace does not exist". This was caused by the use of custom tablespace. A documentation update has been provided for this situation: https://doc.castsoftware.com/display/STORAGE/Moving+existing+CAST+schemas#MovingexistingCASTschemas-Noteaboutcustomtablespaces.
32045 A fix has been implemented to ensure that the default exclusion rule "Exclude ASP projects when a .NET web project also exists" (available in Console and in the legacy Delivery Manager Tool) functions correctly. In previous releases, occasionally this exclusion rule did not function correctly and did not exclude an ASP project although a corresponding .NET web project existed. This situation led to duplicated objects (ASP objects and equivalent .NET web objects) and thus, to an exaggerated Function Points count. This issue has now been fixed and ASP objects are no longer created when equivalent .NET web objects have been discovered. This leads to a drop in the number of objects, links, and Function Points in 8.3.45 when comparing analysis results with previous releases where the same source code was analyzed. In addition, the LOC (line of code) count per technology is also impacted: what was previously counted as ASP LOC is now counted as HTML5 LOC and the total number of lines of code can change slightly. There is also a possibility that quality rule violation counts may be impacted.
34937 Fixed an issue where the snapshot failed with the error "The program XMLTODB has not ended correctly (error code "1").". This was caused by the activation of the Security Analyzer (User Input Security) when the delivered source code contained no .java or .jsp files. This issue has now been resolved and the snapshot won't fail even if the Security Analyzer is activated and the project contains no .java/.jsp files.
33534 (AIPCORE-3811) Console/Config/Assessment Model displays "SEI Maintainability", which has been deprecated for many years.
32799 When the mandatory tag "authors" is missing from a plugin.nuspec file of the %programdata%/CAST/CAST/Extensions, Extension downloader throws the message - "The required element 'authors' is missing from the manifest". The message does not indicate which extension is throwing the error.
33696 Extension Downloader shows several messages without much description.
33784 Alerts reported for Log4j scanning (Log4j vulnerability).
35088 No link created after insert into ci_link with KB update tool.
35423 In AIP console 1.27.0 running on AIP 8.3.35 failed in the following step: "attach package to version".
35455 When packaging a pom file with the packaging type defined as - <packaging>${packaging.type}</packaging>, the analysis units are not created and the projects are ignored.
35512 Discovery step during DMT fails with the error - "java.lang.NullPointerException".
35622 Performance issue in Action Plan View when action plan contains. (in the 2.6.1 version it is taking around 2.2 min to display the violations in action plan and for the same app in the 2.4.0 version it's taking around 6 sec.).
35625 There is no stop option in Architecture studio when the check validation is taking a long time to compute, which is causing a lot of time to compute other models.
35869 Even though the SHELL extension is installed and present physically on the machine, analysis fails with an error. The UA language 'Shell Scripts' has either not been registered through servman or its extension is not physically present.
33396 There is no link created between some Oracle Forms Record Groups objects and Database because the sentence does not end with ";".

8.3.44

Other Updates

Internal Id Details
AIPCORE-3940 The Security Analyzer (User Input Security) has been externalised as an extension to give the feature more flexibility for future development. The Security Analyzer embedded in AIP Core will continue to exist and will be shipped "out of the box" with AIP Core, but only critical bugs will be fixed and no new features or functionality will be added. 1 new quality rule will be added in the first release of the "standalone" Security Analyzer extension (to be released after the release of AIP Core 8.3.44), but otherwise the extension will have the same features and functionality on release as the Security Analyzer embedded in AIP Core.
AIPCORE-3975 As a consequence of customer bug AIPCORE-3975/34844, a change has been made to the discovery of Maven based JEE projects (this discoverer is built in to AIP Core): when these projects include a Web component, the discovery process will now check that the application root path, the application descriptor and the path to the web.xml exist in the given project code. This prevents validation errors that caused the analysis to fail in previous releases of AIP Core - in other words, this change improves reliability and reduces the risk that the analysis will fail. A secondary effect of this change to the discovery is that Web JSP projects duplicated by Maven projects are now identified much better and where found are no longer taken into account: this prevents the creation of duplicate Analysis Units.

Resolved Issues

Customer Ticket Id Details
35037 Fixed an issue where reference patterns based on a specific regular expression were not matching the expected items in CAST Management Studio (AIP Core 8.3.42). The same regular expression worked without issue in previous releases of AIP Core.
34844 Fixed an issue where the analysis was consistently failing with the error "Invalid Web Application Root Path".
34363 Fixed an issue where the CAST-DatabaseExtractionRenamingTool-CLI.exe fails to rename the schema name in CLI mode.

8.3.43

Feature Improvements

Summary Details
Technical - .NET Discoverer: The .NET Discoverer (embedded in AIP Core) has been updated to change the rules related to the selection of VB.NET/C# projects when duplicates (i.e., projects producing an assembly with the same name) are encountered. Previously, the project that was selected was the first one in alphabetical order. Now, projects are selected based on which one is used more in *.sln files. If two or more are used equally in *.sln files, then the project with the more recent Visual Studio version will be selected. This change may cause some impact in project selection, however, the discovered Analysis Units will remain the same (the content may vary, depending on the differences between the old and the new selected projects). See also https://doc.castsoftware.com/display/TECHNOS/Microsoft+Visual+Studio+.NET+Discoverer.
User Input Security - support for org.springframework.jms for JEE: Support has been added for the org.springframework.jms framework: some methods are now defined as input.
User Input Security - support for org.apache.kafka for JEE: Support has been added for the org.apache.kafka framework: some methods are now defined as input.
User Input Security - support for IBM.WMQ for .NET: Support has been added for the IBM.WMQ framework: some methods are now defined as input.
User Input Security - support for com.ibm.mq for JEE: Support has been added for the com.ibm.mq framework: some methods are now defined as input.
User Input Security - support for system.messaging for .NET: Support has been added for the system.messaging framework: some methods are now defined as input.
User Input Security - support for com.ibm.jms for JEE: Support has been added for the com.ibm.jms framework: some methods are now defined as input.
User Input Security - support for javax.jms.JMSConsumer for JEE: Support has been added for the javax.jms.JMSConsumer framework: some methods are now defined as input.
User Input Security - Support for java.util.zip and java.util.jar for JEE for the rule "Avoid file path manipulation": The following targets and inputs are now supported for the rule "Avoid file path manipulation": 1) java.util.zip.ZipFile.+ctor > file target, 2) java.util.zip.ZipFile.getName > input, 3) java.util.zip.ZipEntry.getName > input, 4) java.util.jar.JarFile.+ctor > file target, 5) java.util.jar.JarFile.getRealName > input, 6) java.util.jar.JarEntry.getRealName > input. As a consequence, new violations may be discovered on existing Application source code.
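
The kind of data flow these new inputs describe, shown as an added example that is not CAST code or taken from the rule documentation: a name returned by ZipEntry.getName reaches a file path, first unchanged and then with a containment check. The class name, method names and the sample archive are constructed for illustration, and the example makes no claim about which checks the analyzer itself recognises.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;
import java.util.zip.ZipOutputStream;

public class ZipEntryPathCheck {

    // Unchecked form: the archive-controlled entry name becomes a file path as-is.
    static Path resolveUnchecked(Path destDir, ZipEntry entry) {
        return destDir.resolve(entry.getName());
    }

    // Checked form: normalize the resolved path and require that it stays
    // strictly below the destination directory. normalize() is lexical only;
    // it does not follow symbolic links that already exist under destDir.
    static Path resolveChecked(Path destDir, ZipEntry entry) throws IOException {
        Path root = destDir.toAbsolutePath().normalize();
        Path target = root.resolve(entry.getName()).normalize();
        if (!target.startsWith(root) || target.equals(root)) {
            throw new IOException("entry escapes destination: " + entry.getName());
        }
        return target;
    }

    // Extracts the archive and returns the entry names that were refused.
    static List<String> extract(Path archive, Path destDir) throws IOException {
        List<String> rejected = new ArrayList<>();
        try (ZipFile zip = new ZipFile(archive.toFile())) {
            Enumeration<? extends ZipEntry> entries = zip.entries();
            while (entries.hasMoreElements()) {
                ZipEntry entry = entries.nextElement();
                Path target;
                try {
                    target = resolveChecked(destDir, entry);
                } catch (IOException e) {
                    rejected.add(entry.getName());
                    continue;
                }
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    try (InputStream in = zip.getInputStream(entry)) {
                        Files.copy(in, target, StandardCopyOption.REPLACE_EXISTING);
                    }
                }
            }
        }
        return rejected;
    }

    public static void main(String[] args) throws IOException {
        Path work = Files.createTempDirectory("zipcheck");
        Path archive = work.resolve("sample.zip");
        Path dest = work.resolve("out");
        Files.createDirectories(dest);

        // Constructed sample archive: one ordinary entry and one whose name
        // contains a parent-directory segment.
        String[] names = {"docs/readme.txt", "../outside.txt"};
        try (OutputStream os = Files.newOutputStream(archive);
             ZipOutputStream zos = new ZipOutputStream(os)) {
            for (String name : names) {
                zos.putNextEntry(new ZipEntry(name));
                zos.write("sample".getBytes(StandardCharsets.UTF_8));
                zos.closeEntry();
            }
        }

        // Where the unchecked form would place the second entry (nothing is written here).
        try (ZipFile zip = new ZipFile(archive.toFile())) {
            ZipEntry entry = zip.getEntry("../outside.txt");
            System.out.println("unchecked target: " + resolveUnchecked(dest, entry).normalize());
        }

        System.out.println("rejected entries: " + extract(archive, dest));
        System.out.println("readme written:   " + Files.exists(dest.resolve("docs/readme.txt")));
        System.out.println("outside written:  " + Files.exists(work.resolve("outside.txt")));
    }
}
```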

Other Updates

Internal Id Details
AIPCORE-3835 The SAP ABAP Analyzer has been externalised as an extension to give the feature more flexibility for future development. The SAP ABAP Analyzer embedded in AIP Core will continue to exist and will be shipped "out of the box" with AIP Core, but only critical bugs will be fixed and no new features or functionality will be added. 5 new quality rules will be added in the first release of the "standalone" SAP ABAP Analyzer extension, but otherwise the extension will have the same features and functionality on release as the SAP ABAP Analyzer embedded in AIP Core. See https://doc.castsoftware.com/display/TECHNOS/SAP+ABAP+Analyzer+-+1.0#SAPABAPAnalyzer1.0-Technicalinformation.
AIPCORE-3873 The User Input Security Analyzer now requires .NET Framework ≥ 4.7.2 (previously ≥ 4.7.1 was required). Note that the AIP Core installer (≥ 8.3.29) will automatically install the .NET Framework 4.7.2 except in an AIP Core upgrade scenario. See https://doc.castsoftware.com/display/AIPCORE/Deployment+requirements#Deploymentrequirements-.NETFramework and https://doc.castsoftware.com/display/AIPCORE/Install+AIP+Core#InstallAIPCore-Whatisinstalled?.
AIPCORE-3847 The legacy Db2 Analyzer embedded in AIP Core (which has not been supported since the release of AIP Core 8.3.0) has been removed. If you still have any legacy Db2 (UDB / z/OS) packages originally created in an 8.2.x or earlier release of AIP Core and upgraded to 8.3.x, CAST highly recommends now removing them and that you transition to the SQL Analyzer version ≥ 2.0 BEFORE you start the process of upgrading to AIP Core 8.3.43.

Resolved Issues

Customer Ticket Id Details
34177 Fixed an issue that occurred while upgrading the No SQL extension: an error is displayed during the Assessment Model upgrade step.
34160 Fixed an issue where the Application Extension step fails with the error "ssl.SSLError: SSL: SSLV3_ALERT_UNSUPPORTED_CERTIFICATE".
34007 Fixed an issue that occurred while upgrading the No SQL extension: an error is displayed during the Assessment Model upgrade step.
33952 Enlighten is stuck after performing the following steps: Select "Tools" -> "Generate reports" -> "On this Graphical View".
33199 Fixed an error that occurred when delivering .NET source code using AIP Console: "DLL's not picked up from Local repository - Assembly has not been found in repository".

8.3.42

Feature Improvements

Summary Details
SAP/ABAP - New rule - Avoid calculated fields in WHERE-clauses and ON-clauses of CDS views (S4/HANA): A new rule called "Avoid calculated fields in WHERE-clauses and ON-clauses of CDS views (S4/HANA)" (8568) has been implemented in this release of AIP Core. Additional violations of this new rule may be evident after upgrade to this release and the generation of a new snapshot on unchanged source code. See for a list of available SAP/ABAP rules.
SAP/ABAP - New rule - Avoid cyclic references in the definition of CDS views (S4/HANA): A new rule called "Avoid cyclic references in the definition of CDS views (S4/HANA)" (8566) has been implemented in this release of AIP Core. Additional violations of this new rule may be evident after upgrade to this release and the generation of a new snapshot on unchanged source code. See for a list of available SAP/ABAP rules.
User Input Security - log and debug forging rule improvements - input arguments: Improvements have been implemented for the rules "Avoid log forging" (8044), "Avoid log forging through API requests" (8508), "Avoid debug forging" (8542) and "Avoid debug forging through API requests" (8544): previously these rules were not able to correctly identify input arguments with specific types such as int / long / float / double or other specific types like java.lang.Throwable / java.time.LocalDateTime / System.DateTime. This situation has now been resolved and these input types are now handled correctly. As a result, after upgrade to this release and the generation of a new snapshot on unchanged source code, some violations that were previously detected erroneously may now not be detected.
User Input Security - support for Oracle JDBC driver method sanitization: Support has been added for Oracle JDBC driver methods - previously, methods from this driver were not automatically sanitized and were marked as potential flaws. These methods are now supported. As a result, after upgrade to this release and the generation of a new snapshot on unchanged source code, some violations that were previously detected erroneously may now not be detected.
User Input Security - log and debug forging rule improvements - support for LogError, LogInfo: Improvements have been implemented for the rules "Avoid log forging" (8044), "Avoid log forging through API requests" (8508), "Avoid debug forging" (8542) and "Avoid debug forging through API requests" (8544): methods such as LogError, LogInfo, etc. are now supported. An example of such methods can be found in APIs like "Microsoft.Extensions.Logging.LoggerExtensions". As a result, after upgrade to this release and the generation of a new snapshot on unchanged source code, some violations that were previously detected erroneously may now not be detected.
User Input Security - support for org.springframework.jms framework: Support has been added for the org.springframework.jms framework onMessage() method. Previously, it was not defined, leading to potential false negatives for the series of rules related to injection. This asynchronous read is now supported: it is defined as input (Network.readAPI). As a result, after upgrade to this release and the generation of a new snapshot on unchanged source code, some violations that were erroneously not detected previously may now be detected.
User Input Security - support for com.google.gwt.safehtml.shared.SafeHtmlUtils methods: Support has been added for com.google.gwt.safehtml.shared.SafeHtmlUtils methods - previously, access to resources protected by these methods was marked as a potential XSS flaw. These methods are now supported. As a result, after upgrade to this release and the generation of a new snapshot on unchanged source code, some XSS violations that were previously detected erroneously will be skipped.

Other Updates

Internal Id Details
SAP-262 A minor cosmetic update has been implemented which changes the fullnames used for "SAP View" and "SAP CDS View" object types. In previous releases, both object types' fullnames contained "SAP_TABLE", however, in this release, "SAP_VIEW" (for SAP Views) and "SAP_CDSVIEW" (for SAP CDS Views) are used instead.
AIPCORE-3727 The "Sample" and "Output" documentation for the rule "Avoid HTTP response splitting through API requests" (8484) has been updated and improved.
AIPCORE-3807 The "Description", "Sample" and "Remediation Sample" documentation for the rule "Avoid using insufficient random generator" (8554) has been updated and improved.
AIPCORE-3807 The "Sample" and "Remediation Sample" documentation for the rule "Avoid using insufficient random values for cookies" (8242) has been updated and improved.
AIPCORE-3434 The "Sample" and "Remediation Sample" documentation for the rules "Avoid OS command injection" (7748) and "Avoid OS command injection through API requests" (8494) has been updated and improved.
AIPCORE-3809 Customer bug 33799 has revealed that SQL Scripts containing Data Modification Language (DML) - object type "SQL Script DML file" - were incorrectly taken into account by the following 3 quality rules: "Avoid having multiple artifacts inserting data on the same SQL Table" (7390), "Avoid having multiple artifacts deleting data on the same SQL table" (7392) and "Avoid having multiple artifacts updating data on the same SQL Table" (7394). The object type "SQL Script DML file" has therefore been removed from the scope of these quality rules and as a result of this change, after upgrade to this release and the re-analysis of unchanged source code, violations on such SQL scripts are no longer reported. Therefore, a reduction in the number of violations may be seen in existing results.

Resolved Issues

Customer Ticket Id Details
32081 Fixed an issue where the documentation for the rule "Avoid undocumented forms" (2616) was incomplete.
32920 Fixed an issue where the rule "DataReader must be called using CommandBehaviour.CloseConnection enumeration" (7258) was being violated even though .closeConnection enumerated value was correctly used in the source code.
33799 Fixed an issue where the snapshot generation process was stuck at the "compute_violation_statuses" step.
30793 Corrected the remediation Sample Error in Rule: 8494.
32920 Fixed the violation on rule (7258): “DataReader must be called using CommandBehaviour.CloseConnection enumeration” even though .closeConnection enumerated value is used.
33670 Fixed the performance issue - ADGC_DELTA_DEBT_ADDED and ADGC_DELTA_DEBT_REMOVED.
33795 Fixed an issue with vulnerable Log4j files in the embedded CAST-AED-CMS war file. Log4j files updated to 2.17.1.
33820 Fixed an issue with vulnerable Log4j files in the embedded CAST-AED-CMS war file. Log4j files updated to 2.17.1.
33842 Fixed false positive for rule (8044): "Avoid log forging vulnerabilities" for long and enum types.
33921 Fixed the issue related to package references which were not correctly identified in .csproj files.

8.3.41

Feature Improvements

Summary Details
User Input Security - new rules to support the detection of 'Server-side request forgery' violations: Three new rules have been implemented for JEE and .NET technologies to support the detection of 'Server-side request forgery' violations: 1) "Avoid server-side request forgery" (8560), 2) "Avoid server-side request forgery through API requests" (8562), 3) "Avoid second order server-side request forgery" (8564).

Other Updates

Internal Id Details
AIPCORE-3744 As part of fixing the customer bug 33307, the content of the DMTDeliveryReport.xml file has been completely re-written and restructured: 1) better accuracy of the reports in the <UnSupportedExtension> tags, 2) completeness in the <UnanalyzedFile> tags and 3) results sorted alphabetically, so that when run twice, the same output is generated.
AIPCORE-3741 In previous releases of AIP Core, when analyzing a new version of an existing application and source code for any technology managed by a UA framework analyzer (PHP, RPG, Shell, Kotlin, Swift, HTML5, TypeScript, Python and SQL (when the SQL Analyzer extension is used)) was no longer delivered in the new version, the existing analysis results (from the previous version) for these specific technologies were incorrectly re-used for this new version. This issue has now been fixed and existing analysis results are no longer re-used when a UA analyzer managed technology has been removed from a new version. As a result of this change, some impact to your results may be visible, however, results are now more accurate, because they now reflect the fact that source code of the given technology has been removed.

Resolved Issues

Customer Ticket Id Details
33307 Fixed an issue where the file extensions *.vlf and *.kix were not being reported in the DMTDeliveryReport.xml file produced during the source code delivery process.
30858 Rule Documentation Reference for rule: "Avoid Artifacts with High Cyclomatic Complexity" not found.
32211 COM Interop assembly not fetched by DMT when driven by Console.
33054 Snapshot stuck in dssapp_scope_ifpug_done on CSS4.
33108 The violation does not show any bookmark or source code for the rule: 'Avoid variable declared as variants'.
33250 In DMT, error while performing manual remediation.
33344 While packaging in DMT, data is not extracted from Nuget package and warnings are displayed in Analysis log file due to long file path.

Known Issues

Internal Id Details
AIPCORE-3788 An issue has been identified which occurs whenever an application contains both C and C++ source code, and Visual Studio is not used for its development. In this case, the analysis will fail with the error "Duplicated extension: '*.pc' is used by another extension list". This issue will be fixed in a future release of AIP Core.

8.3.40

Feature Improvements

Summary Details
Assessment Model - changes to rules flagged as critical: AIP Core 8.3.40 implements a feature improvement that is designed to reduce the number of rules provided by CAST (whether in AIP Core or in an official extension) that are flagged as critical. Over time, as more and more rules have been created by CAST, the list of rules that are flagged as critical has also grown. This has inevitably led to a situation where there are a large number of critical rules producing violations and it is therefore difficult to know where to focus the remediation efforts. To find out more details about this change see https://doc.castsoftware.com/display/AIPCORE/8.3.40+-+Additional+notes#id-8.3.40Additionalnotes-Changestorulesflaggedascritical.
Setup - legacy WAR files removed from the setup: To reduce the overall size of the AIP Core distribution, four legacy WAR files for the Engineering/Health Dashboards and the standalone RestAPI have been removed from the WARS folder at the root of the AIP Core installation location. These WAR files were very old releases and more up-to-date releases can be downloaded direct from CAST Extend. The WARS folder will remain in the setup and will contain one subfolder called "internal" containing a WAR used in CAST Management Studio.
Storage - ability to use a custom CAST Storage Service/PostgreSQL database (other than the default "postgres"): Changes have been made to AIP Core and related tools to allow the use of a custom PostgreSQL database (other than the default "postgres"). See https://doc.castsoftware.com/display/AIPCORE/8.3.40+-+Additional+notes#id-8.3.40Additionalnotes-AbilitytouseaCASTStorageService/PostgreSQLdatabaseotherthanthedefault%22postgres%22 for more details.
User Input Security - improved support for .NET System.Web namespace: The User Input Security feature is now able to detect more violations for the quality rules "Avoid HTTP response splitting" (7740) and "Avoid URL redirection to untrusted site" (8446) for .NET due to improved support of the namespace System.Web.
User Input Security - improved support for Debug forging for .NET: The User Input Security feature now includes improved support for Debug forging sanitizations. Violations will be detected by the rules "Avoid debug forging" (8542) and "Avoid debug forging through API requests" (8544).
User Input Security - new support for the .NET library "HtmlSanitizer": The User Input Security feature now supports the .NET library "HtmlSanitizer" (https://github.com/mganss/HtmlSanitizer). Violations will be detected by the rule "Avoid reflected cross-site scripting (non persistent)" (8408).
User Input Security - improved support for System.Security.Cryptography.RSACryptoServiceProvider.Encrypt(System.Byte[],System.Boolean): The User Input Security feature is now able to detect more violations for the quality rule "Avoid weak cryptographic algorithm" (8414) for .NET due to improved support of System.Security.Cryptography.RSACryptoServiceProvider.Encrypt(System.Byte[],System.Boolean).
User Input Security - improved support for JMS (javax.jms) onMessage: The User Input Security feature is now able to detect more violations due to improved support of JMS (javax.jms) onMessage.
User Input Security - new support for "java.util.regex.Pattern.quote(String)": The User Input Security feature now supports "java.util.regex.Pattern.quote(String)". Results will be detected by the rules "Avoid Regular expression injection" (8518), "Avoid second order regular expression injection" (8520), "Avoid regular expression injection through API requests" (8522).
Technical - improvements to the discovery engine: The AIP discovery engine has been improved in this release to better resolve references to JEE jars and .NET assemblies delivered with the application source code. This improvement may have impacts on existing analysis results if additional assemblies/jars are discovered and subsequently analyzed, which were not found using previous releases.

Other Updates

Internal Id Details
AIPCORE-3658 Fixed an issue causing false positive violations of the rule "Avoid uncontrolled format string" (8098), due to inconsistencies handling "parse/Parse" Java methods.

8.3.39

Feature Improvements

Summary Details
Extensions removed from Setup: To reduce the overall size of the AIP Core distribution, the "shipped_extensions" folder will now only contain three specific extensions - see https://doc.castsoftware.com/display/AIPCORE/Shipped+extensions#Shippedextensions-8339 for details. Those using AIP Console exclusively, or those using CAST Management Studio and upgrading to AIP Core 8.3.39 should not be impacted. Those installing AIP Core 8.3.39 for the first time on a new host and using only CAST Management Studio will need to ensure that they manually download and install their required extensions as part of the Application onboarding process.
SQL and Oracle Forms Extractors removed from Setup: To reduce the overall size of the AIP Core distribution, the "Extractors" folder has been removed from the setup and will no longer be installed. This folder was located at the root of the AIP Core installation location in previous releases and contained the offline extractors for SQL and Oracle Forms. These extractors can instead be downloaded from CAST Extend: https://extend.castsoftware.com/#/extension?id=com.castsoftware.aip.extractor.forms&version=latest and https://extend.castsoftware.com/#/extension?id=com.castsoftware.aip.extractor.sqldatabase&version=latest.

Resolved Issues

Customer Ticket Id Details
31978 Duplicate values were found in the ObjFilRef table after running analysis/snapshot and AIP Core 8.3.39 now includes queries designed to clean up these duplicate entries during an analysis/snapshot.
31786 ABAP analysis warning: "Unsupported syntax found". This warning was raised due to the presence of the & sign in parameters for a table definition macro. This syntax is now handled correctly.
32308 ABAP analysis warning: "Unsupported syntax found". This warning was raised due to the following which were not handled correctly by the analyzer: 1) the presence of a comment inside a class statement and 2) the statement "types begin of enum". This syntax is now handled correctly.

8.3.38

Feature Improvements

Summary Details
SAP/ABAP Analyzer - CDS Views: The SAP/ABAP Analyzer now supports the analysis of SAP CDS Views. The CAST SAP Extractor NG extracts these views since version 8.3.2, therefore, if you are re-analyzing an existing extraction with AIP Core 8.3.38, you may find that your results are impacted (additional objects, changed violations etc.).
Mainframe - new rules: Two new rules have been added to the Mainframe extension 1.0.10-funcrel. Results of these rules are only visible in the CAST Dashboards when used with AIP Core ≥ 8.3.38 - when used with an older release of AIP Core, they are not visible. See https://doc.castsoftware.com/display/TECHNOS/Mainframe+Analyzer+-+1.0+-+Release+Notes#1010-funcrel.
User Input Security: improvements to the rule "Avoid hard-coded credentials" (8222) for .NET and JEE: Additional sendCredentials methods are now detected for this rule. This improvement may impact existing results for this rule: more violations may be reported that were not reported in previous releases of AIP Core.

Other Updates

Internal Id Details
AIPCORE-3522 An issue which caused a mismatch between the Version Status from the DMT and Version Status in the CAST Management Studio has been fixed. This issue was caused by a faulty comparison algorithm and caused confusion between the status "ReadyForAnalysis" and "ReadyForAnalysisAndDeployed". The consequence was that the version was recreated in the Management schema with a different Object ID and in some cases, it led to a duplicate row in the Version tab in the CAST Management Studio, i.e. two rows with the same version name were visible.
SAP-238 A change has been made to the default Base_SAP.TCCSetup file which defines which object types are considered as Entry/End Points for Transaction purposes. Starting AIP Core 8.3.38, all SAP system tables (whose name does not start with Y, Z or /) are no longer considered End Points. This change may impact transaction Function Point values when comparing results generated with previous releases of AIP Core: a reduction may be seen.
AIPCORE-3561 A bug has been fixed which was causing some true violations to go unreported for the rule "Avoid hard-coded credentials" (8222) for JEE. This issue was evident when multiple violations have the same origin and the same destination. This fix may impact existing results for this rule: more violations may be reported that were not reported in previous releases of AIP Core.

Resolved Issues

Customer Ticket Id Details
29349 Standard SAP Tables are now included in the FP data functions count in 8.3.33, even if the object type has unresolved Table. See also SAP-238 in the section "Other Updates" above.
28512 Update extension step fails in AIP Console with an SQL Error: Syntax error at or near "CAST".
23545 Set as Current Version for Siebel or Peoplesoft analysis is slow: StringCache optimization.
28779 UA engine or CMS does not identify when preprocessing fails, thus giving an impression that analysis is successful. RPG preprocessor fails when triggered from analyzer but runs successfully when run independently.
31396 100% false positive for rule "Avoid using multiple break statement in 'for' loops".

8.3.37

Feature Improvements

Summary Details
.NET Discoverer: improvements for the Nuget Resources Extractor: Improvements have been made to the .NET discoverer, embedded in AIP Core. These improvements are designed to allow additional packages to be considered by any release of the Nuget Resources Extractor (com.castsoftware.dmtdotnetnugetresourcesextractor): packages referenced in the "packages.config" file (if delivered with the source code) will now be extracted and resolved (previously packages referenced in this file were ignored). This change may impact previous analysis results if upgrading to AIP Core 8.3.37 (or future releases): additional packages may be extracted that were previously ignored.
Improve results for "Lack of Cohesion" type rules: In an effort to improve the results and reduce the number of false positives returned by the rules "Avoid Classes with a High Lack of Cohesion" (7798) and "Avoid Classes with a High Lack of Cohesion variant" (7796), the scope of both rules has been modified. Starting AIP Core 8.3.37, only classes with at least one field and more than one method will form the scope of objects considered for these two rules. As a result of this change to the scope, existing analysis results may be impacted when upgrading to AIP Core 8.3.37 and running a new analysis with unchanged source code. See https://doc.castsoftware.com/display/AIPCORE/Changes+in+results+post+upgrade+-+8.3.37#Changesinresultspostupgrade8.3.37-AvoidClasseswithaHighLackofCohesion(7798)andAvoidClasseswithaHighLackofCohesionvariant(7796).
User Input Security: improvements to the rule "Avoid weak cryptographic algorithm" (8414) for .NET: The rule "Avoid weak cryptographic algorithm" (8414) for .NET has been improved to detect violations for "constructor call" targets for the System.Security.Cryptography API. This improvement may impact existing results - additional violations may be detected.

Other Updates

Internal Id Details
AIPCORE-3279 Change of use for CTT_OBJECT_APPLICATIONS table in Analysis schema: if you are using this table in a "Tools after module generation" SQL Tool job in the CAST Management Studio to create a custom exclusion of objects from the Dashboard schema (and therefore from the Engineering Dashboard), then you must update your scripts. The previous method was to use "set PROPERTIES = 1" on a specific OBJECT_ID which marked the object as external, therefore excluding it from the Dashboard schema. Starting with AIP Core 8.3.37, you must instead use "set PROPERTIES = PROPERTIES | 256" to exclude the object.
AIPCORE-3445 Fixes have been applied to prevent the number of Total Checks (displayed in the Engineering Dashboard) for specific rules triggered by the User Input Security feature (for .NET and JEE) exceeding the total number of violations reported. See also https://doc.castsoftware.com/display/AIPCORE/Changes+in+results+post+upgrade+-+8.3.37#Changesinresultspostupgrade8.3.37-TotalChecksdiscrepancies.

Resolved Issues

Customer Ticket Id Details
29986 False positive for rule, "Avoid Open SQL SELECT queries without WHERE condition on XXL Tables".
28385 Mapped drive on Linux throws error when connecting to AIP console.
30210 Application name with special character such as ( ) will fail when running the upgrade batch script.
30549 Analysis fails with XMLTODB error during "Run dataflow security analysis".
30844 A fix has been provided in the CAST Database Extractor delivered with AIP Core for the following error reported during an extraction: "Oracle DB Extraction error: ORA-01555: snapshot too old: rollback segment number 237 with name "_SYSSMU237_676302553$" too small".
30888 Right clicking on objects added to the Enlighten view causes Enlighten to crash.
28750 Empty web JSP analysis units are created in AIP Console.
29859 Violations are more than TOTAL checks for the rule “8240: Avoid using unsecured cookie”.
30341 Object types are present in CAST Imaging even though their Analysis Units have been disabled and are not being analyzed.
30490 Object types are present in CAST Imaging even though their Analysis Units have been disabled and are not being analyzed.
30445 False violation for rule "Avoid Classes with a High Lack of Cohesion".
30840 Analysis failed with error: Duplicate key violates unique constraint "pk_objinf".

8.3.36

Feature Improvements

Summary Details
User Input Security: New rule "Avoid using insufficient random generator" (8554): A new non-critical rule called "Avoid using insufficient random generator" (8554) has been implemented for both JEE and .NET technologies. This rule is triggered when the User Input Security feature is enabled and contributes to the "Secure Coding - Weak Security Features" technical criterion (66064).
User Input Security: New rule "Avoid expression language injection" (8536): A new non-critical rule called "Avoid expression language injection" (8536) has been implemented for JEE technology. This rule is triggered when the User Input Security feature is enabled and contributes to the "Secure Coding - Input Validation" technical criterion (66062).
User Input Security: improvements to the rule "Avoid weak cryptographic algorithm" (8414) for .NET: The rule "Avoid weak cryptographic algorithm" (8414) for .NET has been improved to detect violations for "create" targets on weak algorithms (such as "var md5 = MD5.Create();"). This improvement may impact existing results.
User Input Security: New rule "Avoid debug forging" (8542): A new non-critical rule called "Avoid debug forging" (8542) has been implemented for both .NET and JEE technologies to target the use of "log.debug". This rule is triggered when the User Input Security feature is enabled and contributes to the "Secure Coding - Input Validation" technical criterion (66062).
ABAP: New rule "Avoid using ABAP command OPEN DATASET with the FILTER addition" (8552): A new critical rule called "Avoid using ABAP command OPEN DATASET with the FILTER addition" (8552) has been implemented for ABAP technology. This rule contributes to the "Secure Coding - Input Validation" technical criterion (66062).
ABAP: New rule "Avoid using ABAP command INSERT REPORT" (8548): A new critical rule called "Avoid using ABAP command INSERT REPORT" (8548) has been implemented for ABAP technology. This rule contributes to the "Secure Coding - Input Validation" technical criterion (66062).
ABAP: New rule "Avoid using ABAP command GENERATE SUBROUTINE POOL" (8550): A new non-critical rule called "Avoid using ABAP command GENERATE SUBROUTINE POOL" (8550) has been implemented for ABAP technology. This rule contributes to the "Programming Practices - Structuredness" technical criterion (61024).
ABAP: New rule "Avoid using ABAP command CALL 'SYSTEM'" (8546): A new critical rule called "Avoid using ABAP command CALL 'SYSTEM'" (8546) has been implemented for ABAP technology. This rule contributes to the "Secure Coding - Input Validation" technical criterion (66062).

Other Updates

Internal Id Details
AIPCORE-3292 User Input Security: XSS target violations in .NET code detected by rules triggered by the User Input Security feature are now more precisely positioned in the Engineering Dashboard. Previously, violations which cover multiple code lines were not correctly positioned because the start and end line numbers of the violation in the code were identical.
AIPCORE-3277 User Input Security: As a result of the implementation of a new rule "Avoid debug forging" (8542) to specifically target the use of "log.debug", an existing rule, "Avoid log forging" (8044), has been modified: this rule no longer detects the use of "log.debug". This change may impact existing results.

Resolved Issues

Customer Ticket Id Details
29410 VB analysis fails in AIP Console when the AIP Node package is running as a Windows Service using the LocalSystem account.
29568 VB analysis fails in AIP Console when the AIP Node package is running as a Windows Service using the LocalSystem account.
29748 Complexity Factor values for modified transactions: in previous releases of AIP Core, the Complexity Factor (CF) for a modified transaction was erroneously set to 0 when any artifact with complexity was involved in the changes. This bug resulted in an AEP value of 0 despite the fact that a transaction had been modified. This bug has now been corrected, and as per the specification (see https://doc.castsoftware.com/display/AIPCORE/CAST+Automated+Enhancement+Points+Estimation+-+AEP#CASTAutomatedEnhancementPointsEstimationAEP-ComplexityFactor) the minimum Complexity Factor value for a modified transaction will be set to 0.25 in AIP Core ≥ 8.3.36 - this ensures that the AEP value will be impacted when an existing transaction is modified. This change will also be applied to existing results during an upgrade to AIP Core ≥ 8.3.36, and as a result, any modified transaction with a Complexity Factor of 0 will be changed to 0.25. This change may impact other metrics and rules that rely on these values.
30045 Unable to run a CAST AIP Setup if the setup file has special characters in it.
29815 While packaging, in the discovery phase, the following warning is displayed – “The format may not be supported, the file may be corrupted, or it may not be a C# or VB.NET project at all”.
29693 While running ABAP analysis for a couple of files, the following warning message is displayed: MemMngrDLL_FreeBlock(): There remain 'active' pointers on the current deleted user area of bytes.

8.3.35

Feature Improvements

Summary Details
Rules - Bookmarks for violations of the rule "Avoid Open SQL SELECT queries without WHERE condition on XXL Tables" (8464): Previously, bookmarks for violations of the rule "Avoid Open SQL SELECT queries without WHERE condition on XXL Tables" (8464) were not displayed. This behaviour has now been changed and bookmarks are now available for violations raised by this rule.
User Input Security - support for org.owasp.esapi framework: The User Input Security feature now supports the JEE framework org.owasp.esapi. All "getValidate*" methods are now automatically taken into account as sanitization methods for all quality rules.
User Input Security - new rules to support the detection of XQuery Injections: Three new rules have been implemented for JEE and .NET technologies to support the detection of XQuery Injections: 1) "Avoid XQuery injection" (8530), 2) "Avoid second order XQuery injection" (8532), 3) "Avoid XQuery injection through API requests" (8534).
User Input Security - improved support for .NET UI controls for XSS violations: Improved support for .NET UI controls as targets for XSS violations has been implemented, for example "set_Text" and "set_ImageUrl" methods of control objects.

Other Updates

Internal Id Details
AIPCORE-3161 The title of the rule "Avoid file path manipulation vulnerabilities through API requests." (8506) has been changed to "Avoid file path manipulation through API requests". There is no impact on existing results.
AIPCORE-3161 The title of the rule "Avoid XPath injection vulnerabilities through API requests." (8504) has been changed to "Avoid XPath injection through API requests". There is no impact on existing results.
AIPCORE-3161 The title of the rule "Avoid thread injection vulnerabilities through API requests." (8498) has been changed to "Avoid thread injection through API requests". There is no impact on existing results.
AIPCORE-3161 The title of the rule "Avoid OS command injection vulnerabilities through API requests." (8494) has been changed to "Avoid OS command injection through API requests". There is no impact on existing results.
AIPCORE-3161 The title of the rule "Avoid SQL injection vulnerabilities through API requests." (8490) has been changed to "Avoid SQL injection through API requests". There is no impact on existing results.
AIPCORE-3161 The title of the rule "Avoid thread injection vulnerabilities." (8436) has been changed to "Avoid thread injection". There is no impact on existing results.
AIPCORE-3161 The title of the rule "Avoid log forging vulnerabilities." (8044) has been changed to "Avoid log forging". There is no impact on existing results.
AIPCORE-3161 The title of the rule "Avoid SQL injection vulnerabilities." (7742) has been changed to "Avoid SQL injection". There is no impact on existing results.
AIPCORE-3161 The title of the rule "Avoid LDAP injection vulnerabilities." (7746) has been changed to "Avoid LDAP injection". There is no impact on existing results.
AIPCORE-3161 The title of the rule "Avoid OS command injection vulnerabilities." (7748) has been changed to "Avoid OS command injection". There is no impact on existing results.
AIPCORE-3161 The title of the rule "Avoid XPath injection vulnerabilities." (7750) has been changed to "Avoid XPath injection". There is no impact on existing results.
AIPCORE-3161 The title of the rule "Avoid file path manipulation vulnerabilities." (7752) has been changed to "Avoid file path manipulation". There is no impact on existing results.
AIPCORE-3161 The title of the rule "Avoid Regular expression injection through API requests." (8522) has been changed to "Avoid regular expression injection through API requests". There is no impact on existing results.
AIPCORE-3161 The title of the rule "Avoid Regular expression injection." (8518) has been changed to "Avoid regular expression injection". There is no impact on existing results.
AIPCORE-3161 The title of the rule "Avoid second order Regular expression injection." (8520) has been changed to "Avoid second order regular expression injection". There is no impact on existing results.
AIPCORE-3237 A change has been made to the SAP discoverer. Previously, the discoverer would create only one single project (and therefore Analysis Unit) regardless of the number of SAP extractions provided in the source code delivery (it was assumed that only one extraction would be delivered). This behaviour has now been changed and multiple SAP extractions delivered in one go will result in one project (and therefore Analysis Unit) for each extraction. See also https://doc.castsoftware.com/display/TECHNOS/SAP+ABAP+Discoverer. This change may impact existing results.
AIPCORE-3161 The title of the rule "Avoid LDAP injection vulnerabilities through API requests" (8492) has been changed to "Avoid LDAP injection through API requests". There is no impact on existing results.
AIPCORE-3161 The title of the rule "Avoid log forging vulnerabilities through API requests" (8508) has been changed to "Avoid log forging through API requests". There is no impact on existing results.

Resolved Issues

Customer Ticket Id Details
29006 Incorrect violation for the rule, "Avoid unsorted data after SELECT queries - 8134".
29193 Java files are not analyzed when present in the "generated sources" folder.
29298 Restore_triplet step failed while adding application in Console 1.23.0, with the following error: cast combined importer.exe- unrecognized arguments
29332 There are six unsupported syntax warnings for different ABAP files. (ABAP analysis warning: ABAP.04: Unsupported syntax found at line).
29362 Discovery step during packaging fails with error, "java.lang.StackOverflowError"
29417 The SAP discoverer is creating one single package and one single Analysis Unit regardless of the number of extractions delivered in the source code. This behaviour has now been changed and multiple SAP extractions delivered in one go will result in one project (and therefore Analysis Unit) for each extraction.
29419 Warning during ABAP analysis: "processing listener CABAPFullParsingAction::processABAPFile on instance abapFile".
29080 Two extensions (TIBCO and Entity) are not triggered correctly in standard AIP installation vs using the flat.
29300 DMT remediation is not getting saved.
29400 Incorrect violation for the rule, "Avoid unsorted data after SELECT queries - 8134".
29499 All the Snapshots are getting deleted when "Stopping to Manage the Application" in CMS.
29614 Missing bookmark for rule, "Avoid Open SQL SELECT queries without WHERE condition on XXL Tables".
25692 Bookmarks for violations of the rule "Avoid Open SQL SELECT queries without WHERE condition on XXL Tables" (8464) are not displayed. This behaviour has now been changed and bookmarks are now available for violations raised by this rule.
29264 Incorrect sample and remediation sample are displayed in the rule "Avoid log forging vulnerabilities" (8044).
29315 User Input Security analysis shows no XSS rules in Engineering Dashboard.

8.3.34

Feature Improvements

Summary Details
User Input Security - @ModelAttribute annotation support: User Input Security is now able to detect violations for objects using the @ModelAttribute annotation from the SpringMVC framework. This improvement requires a recent release of the Security for Java extension (1.6.3-funcrel minimum): https://extend.castsoftware.com/#/extension?id=com.castsoftware.securityforjava&version=latest.
User Input Security - rule documentation improvement: The samples and remediation samples have been improved for the following quality rules: "Avoid HTTP response splitting - 7740" and "Avoid HTTP response splitting through API requests - 8484".

Other Updates

Internal Id Details
CAST-00000 The following legacy items are no longer provided in the AIP Core setup in the WARS folder: 1) CAST-CED.war and CAST-CED.ear (legacy CAST Engineering Dashboard/Discovery Portal), 2) CAST-AICP.war and CAST-AICP-admintools.zip (legacy CAST AIC Portal and related scripts). Note that CAST-CED.war and CAST-CED.ear are deprecated but still supported, therefore, if you require them, please contact CAST Support. CAST AIC Portal is no longer supported.
AIPCORE-3134 In previous releases of AIP Core, violations were erroneously being reported in the rule "Avoid use of a reversible one-way hash - 8416" instead of "Avoid weak cryptographic algorithm - 8414". This has now been corrected.

Resolved Issues

Customer Ticket Id Details
24420 Incorrect bookmark for the rule - "Avoid method invocation in a loop termination expression". The violation is a true violation, however bookmark is pointing to the whole method instead of the LOC that gets violated.
28837 Error - "null value in column rulelongdescription" is displayed when running an analysis.
22764 The Associated value is not generated for the QR: "Avoid using "nullable" Columns except in the last position in a Table".
28944 Mismatch in ADDED and TOTAL violations due to missing total scope, for the rule "Avoid file path manipulation vulnerabilities".
28987 DMT: the folders which are assigned to be ignored are not getting ignored. They are showing up in alerts even after re-packaging.
28132 False violation raised for rule: "Avoid using FOR ALL ENTRIES IN without emptiness check".
28759 After running the ABAP analysis, syntax errors were found for different files. ABAP analysis warning: ABAP.04: Unsupported syntax on DATA statement
28759 After running the ABAP analysis, syntax errors were found for different files. ABAP analysis warning: ABAP.04: Unsupported syntax found at line: several statements
28764 Unsupported syntax (DATA --^ t_mkpf TYPE STANDARD TABLE OF ty_mkpf.) is found even when syntax is valid.
28766 Unsupported syntax "INTO @DATA(ls_vbak) UP TO 1 ROWS. --------------^ ENDSELECT" found while syntax is valid.
28760 ABAP analysis warning: ABAP.04: Unsupported syntax found at line: CASE WHEN ( ( tvfkfkart_rl = 'LG' OR vbrkinv_type LIKE 'S%' OR vbrk~inv_type = 'FAS' )
28768 Unsupported syntax: "UPDATE ('BSAD') SET xblnr = wk_xblnr "1913035 ----------------------------------^ WHERE bukrs = wa_bseg-bukrs" found while syntax is valid.
28770 Unsupported syntax: "MODIFY zco_fc_cp FROM @( VALUE #( prctr = ip_ua ----------------------------^ pspnr = lv_pspnr )" found while syntax is valid
27609 Violation detected for the QR: 'Avoid Unreferenced Methods' for Lambda expressions.
27740 False Violation for the QR: "Avoid SQL queries that no index can support"
27788 The Exclusion rule: "Exclude the duplicate Dot Net project located inside the exactly same source folder" is not working and is creating AU for each project file.
27833 The remediation in the documentation does not provide example on how to validate the inputs.
28227 Links between Oracle Forms Triggers and Oracle Forms Procedures are missing.
28543 Reference finder is not creating the links as it removes the XML tag from the first line.
29128 Missing Link from Oracle Menu Item object and others like Oracle Forms Procedure.

8.3.33

Feature Improvements

Summary Details
User Input Security - Support of analysis Execution Units/Groups: User Input Security analyses can now take advantage of Execution Unit grouping. This is primarily to improve analysis performance and to reduce the risk of an analysis crash.
User Input Security - improvements to the rule "Avoid HTTP response splitting - 7740" for both .NET and JEE: The User Input Security feature now has improved support for the rule "Avoid HTTP response splitting - 7740", for both .NET and JEE. Additional targets are now supported as follows: For .NET: .NET, .NET Core, RestSharp. For JEE: javax.servlet, org.apache.cxf, org.apache.http, org.springframework.http, com.squareup.okhttp, okhttp3. As a result, analysis results may be impacted when re-analyzing existing unchanged source code - additional violations may be discovered.

Other Updates

Internal Id Details
SAP-215 Refactoring of part of the SAP/ABAP analyzer has been implemented. This refactoring increases the maintainability of the analyzer while also increasing accuracy. As a result of the changes, some impacts to analysis results are to be expected when re-analyzing existing unchanged source code with this release: 1) Unresolved Objects are no longer created for SUBSTRING and CONCAT clauses. 2) Fewer violations will be returned for the rule "Avoid Artifacts with a Complex SELECT Clause - 7810" (the select clause column number was over-evaluated when "as <alias>" was present).
AIPCORE-2947 It is now possible to deliver Microsoft SQL Server .castextraction files (resulting from the CAST Database Extractor "Extract" option) via the new "Reuse existing CAST Extractor output" option for Microsoft SQL Server in the CAST Delivery Manager Tool.
AIPCORE-2948 It is now possible to deliver Sybase ASE .castextraction files (resulting from the CAST Database Extractor "Extract" option) via the new "Reuse existing CAST Extractor output" option for Sybase ASE in the CAST Delivery Manager Tool.

Resolved Issues

Customer Ticket Id Details
27881 While upgrading schemas from 8.3.3 to 8.3.29, assessment model fails with an error message.
28277 Opening any saved view makes Enlighten crash.
28451 In CAST MS, DMT detects Java projects but analysis units (AUs) are not created post deployment.
28553 After upgrading to CSS4, python related errors are displayed in the analysis logs for the "extensions before" and "extensions after" steps.
28662 Snapshot is failing, at Create Architecture model, in Central schema step.
28555 Warnings are shown during analysis: "Internal error: Missing item in AST expression".

8.3.32

New Features

Summary Details
Support for rules with 0 weight: This release introduces support for configuring rules with a weight of 0. When a rule is configured with a 0 weight, it is enabled (active) and will be triggered during an analysis, but it has no impact on any parent technical criterion, therefore it can be considered as a way to "preview" a rule without impacting the grade of the parent technical criteria and business criteria. In addition, rules with a 0 weight are never consolidated into the Measure schema, so will not appear in the Health Dashboard. See https://doc.castsoftware.com/display/AIPCORE/Grade+and+compliance+score+calculation for more information.

Feature Improvements

Summary Details
User Input Security - support for the .NET PostgreSQL framework: The User Input Security feature is now able to detect SQL injections for applications using the PostgreSQL (NpgSQL) framework for .NET.
User Input Security - change of classification of some entry points: ASP.Net MVC and Struts2 entry points were tagged internally as "Network.input" in previous releases of AIP Core, however, these entry points are now classed as "Network.inputAPI". As a direct result of this change, violations found using these entry points will be classed as "violations through API". This change may impact analysis results when re-analyzing unchanged source code with this release of AIP Core: some rules will have fewer violations, others will have more.
User Input Security - support for the .NET RestWrapper framework: The User Input Security feature is now able to detect API injections for applications using the RestWrapper framework for .NET.
User Input Security - support for the .NET ServiceStack framework: The User Input Security feature is now able to detect API injections for applications using the ServiceStack framework for .NET.
User Input Security - support for the .NET RestSharp framework: The User Input Security feature is now able to detect API injections for applications using the RestSharp framework for .NET.
User Input Security - support for the .NET System.Net.Http.HttpClient framework: The User Input Security feature is now able to detect API injections for applications using System.Net.Http.HttpClient framework for .NET.
User Input Security - support for the .NET System.Net.WebClient framework: The User Input Security feature is now able to detect API injections for applications using System.Net.WebClient framework for .NET.
User Input Security - support for the .NET System.Net.WebRequest framework: The User Input Security feature is now able to detect API injections for applications using System.Net.WebRequest framework for .NET.

Other Updates

Internal Id Details
AIPCORE-3100 A recent update to McAfee's virus pattern has started to flag ExtensionDownloader.exe as malicious and is removing it from the installed location. ExtensionDownloader.exe has been updated in AIP Core 8.3.32 to resolve this issue.

Resolved Issues

Customer Ticket Id Details
23228 In the rules portal, search feature is not working for many quality rules and applications.
24358 Different formats for the same text are leading to different results in rules (For example: hard-coded and hardcoded).
24734 Tags are getting deleted from the static/tags.html interface, when the snapshots are deleted manually using CAST MS.
27582 Compute snapshot data is taking longer (running for 20+ hours instead of finishing in 10 hours).
27761 After the fix to remove empty analysis units was provided, it was observed that there were analysis units that had only WSDL files and no source files. Due to the missing source files the WSDL files were not analyzed hence there was a dip in SOAP operations.
27789 Procedure objects are not created from the "Reports files". Hence, info about Procedure objects is not found in the analysis results.
27792 While packaging the source in AIP 8.3.27, the following fatal error message is displayed: Element type "message" must be followed by either attribute specifications, ">" or "/>".
27843 The task "Cleanup folder" intermittently fails (with an error) in step "Importing configuration".
27908 Maven AU config is not picking up the Java files in the folder "generated-entities"
27346 LOC value for the JEE technology shown by CAST AIP is more than expected after comparison with cloc tool. This fix will cause a decrease in LOC values for the JEE technology when analyzing unchanged source code with this release of AIP Core: in previous releases, LOC values for anonymous classes, inner classes and enums defined in classes were incorrectly counted twice. This change will also impact the results produced by the measure "Commented-out Code Lines/Code Lines ratio (% of LOC) - 7128".

8.3.31

Feature Improvements

Summary Details
User Input Security - improved support for .NET uncontrolled string format: User Input Security is now more precisely able to detect Uncontrolled string format vulnerabilities for .NET source code. As a consequence, some false positive violations reported when using previous releases of AIP Core may be removed.
User Input Security - improved support for the detection of SQL injections in applications using the Entity Framework for .NET: The methods SqlQuery and ExecuteSqlCommandAsync are now considered as database targets for SQL injection. System.Data.Find methods are no longer considered as database targets for SQL injection.
User Input Security - improved support for the detection of SQL injections in applications using the Oracle framework for .NET: The methods ExecuteNonQuery(), ExecuteReader(), ExecuteReader([System.Data]System.Data.CommandBehavior), ExecuteScalar() and ExecuteStream() are now considered as database targets for SQL injection.
User Input Security - improved support for the detection of SQL injections in applications using the Dapper framework for .NET: Methods such as QueryAsync, QueryFirstAsync, QueryFirstOrDefaultAsync etc. from the Dapper framework are now considered as database targets for SQL injection.
User Input Security - improved support for the detection of Log forging injections in applications using the logging framework System.Diagnostics.Trace for .NET: Methods such as TraceInformation, TraceWarning, TraceError etc. from the logging framework System.Diagnostics.Trace for .NET are now considered as database targets for Log forging injection.
User Input Security - support for the detection of deserialization injections in applications using the YAML framework for .NET: The methods Load([]System.IO.TextReader) and Load([]YamlDotNet.Core.IParser) from the YAML framework for .NET are now considered as targets for deserialization injection.
User Input Security - support for the detection of deserialization injections in applications using the XStream framework for JEE: .fromXML type methods from the XStream framework for JEE are now considered as targets for deserialization injection.

Other Updates

Internal Id Details
MAINFRAME-520 The rule "Check PCB status code after DLI queries" (https://technologies.castsoftware.com/rules?s=8160|qualityrules|8160) has been modified to improve functionality. As a result of these changes your results may be impacted after upgrade.
MAINFRAME-544 The rule "Variables defined in Working-Storage section must be initialized before to be read" (https://technologies.castsoftware.com/rules?s=8034|qualityrules|8034) has been modified to improve functionality. As a result of these changes your results may be impacted after upgrade.

Resolved Issues

Customer Ticket Id Details
22833 During analysis, links are missing between Oracle Forms Menu Item and Oracle Forms Module
25676 During Import Assessment Model, too many client msg and CMS are blocked
26062 During analysis, Java files are not analyzed (as the path is not covered in the AU though there is a reference in pom file)
27056 False Violation for the QR: Avoid SQL injection vulnerabilities
27169 During analysis, double links are created between two objects after UKB
27174 An improvement to the PB Analyzer has been implemented in this release of AIP Core: in order to produce more consistent analysis results, the behaviour of the .pbl data extraction process has been changed. Previously, source code was extracted from .pbl files only when it was considered necessary (i.e. no previous extraction had been completed for a given .pbl file, or when the .pbl file had changed since the last extraction). In this release of AIP Core, .pbl files will always be extracted to ensure that successive analysis results are consistent over time. As a result of this change, an error message will be recorded in the analysis log when extracted source code from a previous analysis is available, but the corresponding .pbl cannot be located in the new source code delivery. This indicates an issue with the organisation of your delivered source code which will need to be resolved. Example error message: "Error while retrieving information about a PB library, bad library name : path\to\my.pbl".
27267 During analysis, double links are created between two objects after UKB
27269 While adding a version in CAST-MS, error message is not displayed when the version name consists of * / (:)
27274 While adding a version in CAST-MS, error message is not displayed when the version name consists of * / (:)
27311 While running the update cast knowledge base (UKB) tool, following error is displayed: ERROR: relation "§ctv_links" does not exist
27334 During snapshot, false violation for QR: "Avoid Uncontrolled format String"
27356 During snapshot, object name is truncated in Knowledge Base and Dashboard for COBOL Technology
27374 Analysis fails with the ERROR: relation "§uax_import_instances" does not exist
27398 Application upgrade is failing in import package step with nullpointer exception
27554 Mainframe exclude copybook parameter is not active post upgrade (after migrating from 8.3.3 to 8.3.29)
26308 Missing links from JCL to Cobol Program when CALL syntax is used. This is now fixed and after an upgrade your existing results may be impacted.
27285 Mainframe Utilities (such as default utilities for zOS, AS400, IBM MQ etc.) are wrongly categorized as "Unknown Programs".
23758 3 Reference links out of 4 are invalid for QR "Call 'base.Dispose()' or 'MyBase.Finalize()' in the "finally" block of 'Dispose(bool)' methods".

8.3.30

Feature Improvements

Summary Details
Update AIP Core to allow custom CAST Storage Service/PostgreSQL logins without SUPERUSER permission: AIP Core has been updated to allow logins to CAST Storage Service/PostgreSQL with custom PostgreSQL logins that do not have the SUPERUSER permission. Previously, custom logins required the SUPERUSER permission. See the following documentation: 1) https://doc.castsoftware.com/display/DOCCOM/CAST+Storage+Service+-+PostgreSQL+image+for+Docker#CASTStorageServicePostgreSQLimageforDocker-CASTAIP%E2%89%A58.3.12-customusers, 2) https://doc.castsoftware.com/display/DOCCOM/CAST+Storage+Service+-+What+to+expect+after+installation#CASTStorageServiceWhattoexpectafterinstallation-Customdatabaseusers, 3) https://doc.castsoftware.com/display/DOCCOM/CAST+Storage+Service+-+PostgreSQL+10+or+above+deployment+on+Linux#CASTStorageServicePostgreSQL10orabovedeploymentonLinux-CASTAIP%E2%89%A58.3.12-customusers and 4) https://doc.castsoftware.com/display/DOCCOM/CAST+Storage+Service+-+PostgreSQL+9.6.x+deployment+on+Linux#CASTStorageServicePostgreSQL9.6.xdeploymentonLinux-CASTAIP%E2%89%A58.3.12-customusers.
Support for SAP PowerBuilder 2019: This release adds analysis support for SAP PowerBuilder 2019. The new features introduced by PowerBuilder 2019 are not supported. However, applications built with PowerBuilder 2019 which are compliant with earlier releases of PowerBuilder can be analyzed. There are no changes to the method of support, in other words, the PowerBuilder IDE is still required on the Analysis machine (see https://doc.castsoftware.com/display/TECHNOS/PowerBuilder+-+Required+third-party+software).
Automatically discovered TF graph adjustment functions provided by Extensions or for bug-fixes: In addition to Standard and Custom adjustment functions, two new categories of adjustments are available in this release, both being enabled by default whether after a fresh AIP installation or after an upgrade: adjustments delivered by Extensions (future extension releases may take advantage of this new functionality) or adjustments delivered for bug-fixes. See https://doc.castsoftware.com/display/DOC83/TCC+-+Using+Transaction+Graph+Adjustment for more information.
User Input Security - DynamoDB for .NET support: User Input Security is now able to detect NoSQL injections for applications using DynamoDB for .NET.
User Input Security - improved support for "org.springframework.jdbc" framework: User Input Security is now able to detect additional SQL injections for the org.springframework.jdbc framework.
User Input Security - support for "OWASP Java HTML Sanitizer" framework: User Input Security now supports the "OWASP Java HTML Sanitizer" framework as a valid sanitizer for the rule "Avoid reflected cross-site scripting".

Other Updates

Internal Id Details
AIPCORE-2703 Rules configured with 0 weight or with a 0 grade are no longer consolidated into the Measure schema, so will not appear in the Health Dashboard. Previously, rules with 0 weight were included in the grades of parent technical/business criteria provided in the Health Dashboard, therefore this change may impact your existing results if you had manually configured any rules with a 0 weight in the parent technical criteria.
MAINFRAME-515 Violations located in "Unknown IMS Transaction" objects will no longer have a violation bookmark in the source code.
AIPCORE-2399 The User Input Security feature was incorrectly referencing the methods "Find" and "FindOneAndUpdate" (from the type MongoDB.Driver.IMongoCollectionExtensions) as possible violations for SQL injection instead of flagging them as NoSQL injection violations. This bug has been fixed and this update may impact your existing analysis results.
AIPCORE-2839 An issue where end of line characters (Carriage Return Line Feed) were removed from the Sample and Remediation Sample sections in some Quality Rules when the text in the section is changed between releases of the extension or AIP Core, has been resolved. There is no impact to existing analysis results.

Resolved Issues

Customer Ticket Id Details
26772 A fix has been implemented to solve an issue where links from JCL Steps to SQL tables were not resolved due to missing JCL SQL Query objects. This fix also requires SQL Analyzer 3.2.17. This issue has been fixed and this change may impact your analysis results on upgrading to 8.3.30.
26909 In previous releases, when the option "Save data and links to other data" was active, links between Cobol Paragraphs and Cobol File Links were not resolved. When the option was deactivated, the links were resolved. This mechanism has been reviewed and a new behaviour has been implemented: when the "Save data and links to other data" option is active, no link will be resolved between Cobol Paragraphs and Cobol File Links. Instead, a link will be resolved between the Cobol File Link and the Cobol Data variable.
26875 A fix has been implemented to solve an issue where links between Cobol Data and Cobol Data objects were not resolved. This issue has been fixed and this change may impact your analysis results on upgrading to 8.3.30.
26703 VB analysis fails with the error: SQL Error: ERROR: "Syntax error at or near 's'".
26777 There are wsdl files that have not been picked up by DMT which is causing issues in the SOAP operations objects not being identified by the analyzer.
26894 While running Appmarq Data Compiler, the process is aborted with an error message.
17423 The SQL Analyzer log contains many warnings of the type "GUID duplicate found".
23238 Performance issue in the CAST Transaction Configuration Center Enhancement view because of duplicate transaction links for Struts objects

8.3.29

Feature Improvements

Summary: Details
User Input Security - entry-points: The method javax.servlet.ServletRequest.getInputStream is now considered as an entry-point for the User Input Security. This change may impact your analysis results on upgrading to 8.3.29.
User Input Security - Avoid weak cryptographic algorithm - 8414: The following cryptographic algorithms are now considered as dangerous for the quality rule "Avoid weak cryptographic algorithm - 8414": RC2 and PBEWithMD5AndDES. This change may impact your analysis results on upgrading to 8.3.29.
User Input Security - MainCounterValue parameter: The default MainCounterValue parameter has been changed from 15000 to 1000. This parameter governs the number of steps that are searched to find flaws. This change has been introduced to provide a value that is more suited to the vast majority of analyzed Applications. Reducing the default value to 1000 will provide a significant performance improvement (reduced analysis duration) while not adversely impacting the number of flaws that are found (a negligible number of flaws may not be found using the new parameter value). CAST recommends restoring the original value of 15000 if your analysis runtime was satisfactory - this will ensure that you get the same behaviour and results as in previous releases of AIP. If your analysis runtime with the previous default value was very long, test the new value in a new analysis to ensure that the number of flaws returned is not adversely affected.
User Input Security - new rule Avoid deserialization injection - 8524: A new rule has been implemented for both JEE and .NET technologies called "Avoid deserialization injection - 8524". The following frameworks are supported: JEE - java.io.ObjectInputStream, com.esotericsoftware.kryo.Kryo and java.beans.XMLDecoder. .NET - System.Xml.Serialization.XmlSerializer. Your existing analysis results may be impacted by the addition of this new rule.
User Input Security - Avoid resource injection - 8442: The rule "Avoid resource injection - 8442" has been updated to take into account violations of type "Avoid Connection String Parameter Pollution", for both JEE and .NET technologies. This change may impact your analysis results on upgrading to 8.3.29.
User Input Security - Avoid log forging vulnerabilities - 8044: Methods such as "logError" or "logWarning" are now recognized and are automatically assigned as targets for the quality rule "Avoid log forging vulnerabilities - 8044". This change may impact your analysis results on upgrading to 8.3.29.

Other Updates

Internal Id Details
AIPCORE-2504 Update to fix an "out of memory" exception when using the "Open dashboard" option in CAST Management Studio. The JVM used to launch the dashboard is now opened with the options -Xms1024m -Xmx2048m. Previously -Xms128m and -Xmx512m were used.
AIPCORE-2565 .NET Framework 4.7.2 is now installed (if it is not already present on the target server) by the AIP Core 8.3.29 setup for new installations. If a more recent release of the .NET Framework is present on the target server already, .NET Framework 4.7.2 will not be installed. When upgrading to AIP Core 8.3.29 from a previous release, .NET Framework 4.7.2 will not be installed.
AIPCORE-2574 Cosmetic update to the formula used to calculate the Effort Complexity (EC) Total value in the CAST Transaction Configuration Center. The formula displayed in the report and in the CAST Transaction Configuration Center was wrongly showing that EC Deleted values were used to calculate the EC Total value. The formula used by the CAST Transaction Configuration Center is correct, therefore there are no impacts to existing analysis results.
AIPCORE-2511 User Input Security - URLs in the following rules have been updated as they were previously giving 404 responses: "Avoid log forging vulnerabilities - 8044", "Avoid using insufficient random values for cookie - 8242" and "Avoid log forging vulnerabilities through API requests - 8508"
AIPCORE-2369 User Input Security - A remediation sample has been added for the rule "Avoid mixing trusted and untrusted data in HTTP requests - 8238" which was previously missing.
AIPCORE-1994 User Input Security - The description provided in the rule documentation for "Avoid using unsecured cookie - 8240" has been updated to clarify that the rule only considers cookies secured in the source code, and not the cookies that are secured globally using the config file.
AIPCORE-2607 User Input Security - The documentation of the rules "Avoid weak cryptographic algorithm - 8414" and "Avoid use of a reversible one-way hash - 8416" has been updated to provide greater accuracy.
AIPCORE-2624 User Input Security - multiple updates to rule descriptions: the sentence "List all methods that miss calling the required input validation calls" has been changed to "List all methods that make resource calls forged by user input" wherever it occurs.
AIPCORE-2540 User Input Security - the property System.Web.HttpRequest.PhysicalApplicationPath was previously incorrectly assigned as a user input. This issue has now been fixed. This change may impact your analysis results on upgrading to 8.3.29.
AIPCORE-2372 User Input Security - previously some methods were incorrectly tagged as targets for the rule "Avoid file path manipulation vulnerabilities - 7752" causing false violations. This issue has been fixed. This change may impact your analysis results on upgrading to 8.3.29.

Resolved Issues

Customer Ticket Id Details
18364 False positive for QR "Avoid Programs with lines of more than 80 characters"
18485 False positive for the rule Avoid 'Select *' statement
21798 False positive for "Avoid unreferenced Classes", due to FacesConverter annotation. Note: This rule has been removed for JEE in 8.3.29.
21825 False positive for "Avoid unreferenced classes" when methods of that class are called. Note: This rule has been removed for JEE in 8.3.29.
22512 Error VB6 analyzer "Inference Engine has returned an unexpected error"
22600 Description update for the rule id 8240 : 'Avoid using unsecured cookie'
23171 CMS part - Snapshot is stuck due to a blocked query
23323 Warnings in MA SQL extension analysis: [MAv2] Cannot find type of string or comment
24486 False violation: Avoid file path manipulation vulnerabilities
24850 Include remediation sample for the rule "Avoid mixing trusted and untrusted data in HTTP requests"
25115 PowerBuilder analysis warnings: the UTF-8 sequence starting at offset 0 was invalid
25366 False positive - Using SEARCH ALL only with sorted data
25367 The Rule "Avoid unchecked return code (SQLCODE) after EXEC SQL query" has False positive violations shown in the AED
25463 CAST AIP Upgrade Automation script is failing when there are spaces in the folders configured in CASTUpgrade_Config.txt
25693 Upgrade 8.3.16 > 8.3.26 is failing with error : Inconsistency found in metamodel
25701 Error during migration from CAST AIP 8.2.7 to 8.3.26 - "Invalid Field delivery.SourceFilesPackage.lastExtractionDate "
25748 In technical index under Avoid log forging vulnerabilities - invalid OWASP reference URL
25866 False positive violations in the rule 'Never truncate data in MOVE statements'
25906 False violation “Never truncate data in MOVE statements”
25939 C/C++ files did not get analyzed with C and C++ File discoverer
26072 False violation “Never truncate data in MOVE statements”
26098 Effort Complexity (EC) Computation is off by 1
26196 Empty DMT projects are not exported to CAST-MS, resulting in associated Analysis Units being deleted and an adverse impact on analysis results. Some of these Analysis Units should not be deleted since they may have been configured manually.
26400 Problem - Set as current version fails - _connection Error Set standard_conforming_strings=on
26540 Snapshot fails with error: Source Server/BCD(LCB Quotes) full content.Module name: Unexpected character (.

8.3.28

Feature Improvements

Summary: Details
Metrics Assistant - all technologies: When the following issues are encountered during the processing of the Metrics Assistant an error is displayed, stopping the analysis: "An ill-formed token has been encountered during scanning..." and "[MAv2] Error in function Accept...". These issues are now considered as warnings rather than errors, to prevent the analysis process from stopping.

8.3.27

Feature Improvements

Summary: Details
CAST Storage Service backup and restore tools: A change has been made to the CSSBackup.exe and CSSBackupAll.exe tools provided with CAST AIP to provide compatibility with current CAST PG releases. As such, schema backups created with CSSBackup/CSSBackupAll included in 8.3.27 (and any higher 8.3 service pack) should only be restored with CSSRestore/CSSRestoreAll included in 8.3.27 (and any higher 8.3 service pack).

Other Updates

Internal Id Details
AIPCORE-2364 The URL used to connect to CAST Extend has been changed by default to https://extend.castsoftware.com.
AIPCORE-2420 The automatic blackboxing action will now identify as database targets all methods beginning with (previously only Find or find were considered as targets): Find(, FindRow(, FindRows(, FindColumn(, FindColumns(.
AIPCORE-2194 Support (predefined methods) has been added for the GWT (Google Web Kit) framework.
AIPCORE-2395 Sanitization methods for the NpgSql framework for JEE are now supported.
AIPCORE-2341 The rule "8518 - Avoid regular expression injection" has been implemented for JEE technologies. Previously this rule only functioned on .NET technologies.

Resolved Issues

Customer Ticket Id Details
23232 Missing links from "Java Method" to "Stored Procedure Objects", whenever there is a call with full procedure name.
23446 Few QRs are missing from the Dashboard (as these QRs are not configured to take Java technology into account).
24293 Central base is shown in a wrong triplet in Server Manager (though removed from the older system).
24356 SQL Query objects are deleted in TFP and Transaction call graph is marked as modified.
24673 Analysis units are not created when the source code consists of website.publishproj, and due to this .aspx files are not analysed.
24747 For any application name containing "&" (special character), the logs were blank when checked in CMS.
24841 Internal exceptions were recorded in the analysis log when the analyzer attempts to parse a .MFS file.
24891 ED dashboard not showing deleted violations.
24971 Objects created from IMS DB files have data function names that have the object name enclosed in parentheses.
25135 Source code is not displayed in Engineering Dashboard for the rule: "avoid direct or indirect remote calls inside a loop".
25174 Fatal error on Merging step:duplicate key value violates unique constraint "pk_objdsc".
25434 Unable to launch DMT from AIC Portal - org.apache.commons.io.IOUtils.readFully(Ljava/io/InputStream;[B)V.
25370 An error message is displayed in the CAST Transaction Configuration Center log stating that the Base_Mainframe.TCCSetup delivered in AIP 8.3.26 is syntactically incorrect: Message ERR: Could not load Configuration from file \configuration\TCC\Base_Mainframe.TCCSetup Message ERR: Exception: com.castsoftware.java.InternalException: Data Set definition file XML parsing returned errors.

8.3.26

Feature Improvements

Summary: Details
Mainframe Analyzer as an extension: The Mainframe Analyzer has been externalised as an extension to give the feature more flexibility for future development. The Mainframe Analyzer embedded in AIP Core will continue to exist and will be shipped "out of the box" with AIP Core. Critical bugs will continue to be fixed on the Mainframe Analyzer embedded in AIP Core but no new features or functionality will be added. The new Mainframe Analyzer extension will have exactly the same features and functionality on release as the Mainframe Analyzer embedded in AIP Core, therefore analysis results will be identical. The new Mainframe Analyzer is compatible with AIP Core ≥ 8.3.26. All future development of the Mainframe Analyzer (new features, functionality etc.) will be completed in the Mainframe Analyzer extension only. Critical bug fixes will be fixed in the Mainframe Analyzer extension (as well as the analyzer embedded in AIP Core). The behaviour is as follows: Nothing is automatic - for both AIP Console and "legacy" CAST AIP deployments, the Mainframe Analyzer extension must be manually downloaded and installed in order to use it. If the extension is installed, CAST AIP Console/CAST Management Studio will automatically detect that it exists and will use the extension rather than the analyzer embedded in AIP Core. Once the extension has been installed and used to produce analysis results, it is not possible to reverse this choice by removing the extension and re-analyzing the source code again.
Updates to Base_Mainframe.TCCSetup for transaction configuration: IMS Transactions are now automatically considered part of "Standard Entry Point - IMS - Unknown (GS)". CICS Transactions called from Java methods and Java constructors are no longer considered part of "Standard End Point - CICS - Transactions called by Java (GS)". An error has been fixed where the opposite was true in previous releases: IMS FilePrototype objects are now considered part of "Standard End Point - IMS - GSAM - Not delivered". IMS AnalyzedFile objects are now considered part of "Standard Data Entity - GSAM".
Name of unresolved MQ publisher/subscriber objects has been changed to avoid false links: In previous releases of AIP, unresolved queue names led to the creation of Publisher/Subscriber objects with the same name Unresolved:MQP2P. As a result, many false links were created, skewing results. In CAST AIP 8.3.26, the name of the unresolved object has been changed from Unresolved:MQP2P to UnknownMQ:<COBOL_Parent_PROGRAM> - this identifies the Cobol program name publishing/subscribing to the message and will reduce the number of false links.
Update to ensure JCL SQL Query objects are created correctly: A change has been implemented to ensure that JCL SQL Query objects are created correctly when the DSNTIAUL program is used.
User Input Security: User Input Security now supports the framework Microsoft.Practices.EnterpriseLibrary, including the sanitization of this framework.
User Input Security: User Input Security now supports the framework apache-httpcomponents-httpclient, including the sanitization of this framework. Note that this framework was previously supported through a User Community extension: https://github.com/CAST-Extend/com.castsoftware.uc.apache.httpclient.blackboxes - this extension is no longer required if you are using AIP ≥ 8.3.26.
User Input Security: User Input Security now detects violations for the rule Avoid use of a reversible one-way hash in .NET source code. Previously, only JEE source code was supported.
New User Input Security related rule: 8518 Regular expression injection. Input name = "Network.read". Target name = "Regexp.write". Partial .NET support. No support for JEE.
New User Input Security related rule: 8520 Regular expression injection (second order). Input name = "Network.readDatabase". Target name = "Regexp.write". Partial .NET support. No support for JEE.
New User Input Security related rule: 8522 Regular expression injection through API. Input name = "Network.readAPI". Target name = "Regexp.write". Partial .NET support. No support for JEE.
Improved accuracy of AETP values: In order to provide greater accuracy, the calculation of AETP values has been modified in this release. Previously, all added/deleted/updated AETP detail values between 0 and 1 were calculated with no decimal places, effectively giving the impression in some circumstances (when all added/deleted/updated values were below 1) that total AETP = 0. This behaviour has been changed and AETP detail values are now considered to two decimal places for added/deleted/updated. In addition AETP total values will now be rounded up as follows: 0.8=1, 0.5=1, 0.2=1, 1.8=2, 1.5=2, 1.2=2. These results can be seen in the "TCC - Enhancement node - Right hand panel".

Resolved Issues

Customer Ticket Id Details
20225 When set as current version, analysis unit is being created for a CPP Project file even with missing Source files.
23612 AIP Console displays deactivated analysis units for .NET core apps.
23717 False violations are displayed due to a bug where the analyzer was programmed to record that the "New System.IO.StreamReader" for the entry-point opened a file and therefore declares a path manipulation causing a violation of the rule.
23981 Analysis is failing even when the DLM rule file is not present in CMS.
24122 Generation of SRD files in PowerBuilder analysis is not consistent
24252 Incorrect detection of Hibernate version in DMT. When Java source is packaged in DMT, the Hibernate version detected is not correct, which led to missing links in analysis result.
24423 Many fatal errors are displayed in the logs that are not actually fatal.
24481 AETP is displayed as 0, though there are added/removed/updated technical objects.
24531 False violations are displayed.
24572 JCL Batch transactions are not correctly created by the analyzer.
24578 For some objects, the Mainframe analyzer has used the OBJECT_FULL_NAME value for the OBJECT_NAME in the CDT_OBJECTS table. The OBJECT_NAME value should be different to OBJECT_FULL_NAME.
24642 False violations are displayed for the rule "Never truncate data in MOVE statements - 7688".

8.3.25

Note

CSS Upgrade Wizard (used to move schemas from one CAST Storage Service/PostgreSQL instance to another) is now deprecated and is replaced by the CombinedTransfer.bat file - see below. CAST AIC Portal is now deprecated and official support for this web application will cease at the end of 2020. CAST encourages users to switch to AIP Console where possible (https://doc.castsoftware.com/display/AIPCONSOLE/Import+an+Application+managed+with+CAST+Management+Studio+into+AIP+Console).

Feature Improvements

Summary: Details
Mainframe Analyzer - Support for IMS MFS Maps: Support has been implemented for IMS MFS Maps to improve IMS/DC support so that it is possible to find out which Cobol programs use an MFS Map: MFS Maps are contained in files with the extension *.mfs. FMT macro defines the map (called "format" in IMS vocabulary). MSG macro defines MID and MOD messages. MID are those that have the INPUT type and MOD are those that have the OUTPUT type. MID and MOD identifiers are specified in the IO-PCB. In the MID/MOD structure, there is a field that contains the name of the transaction. This information allows the analyzer to create links between MFS Maps and transactions. As a result, some changes have been implemented: The Mainframe Discoverer (https://doc.castsoftware.com/display/TECHNOS/Mainframe+Discoverer) will detect a project (and therefore automatically create an Analysis Unit) for each *.mfs file discovered in a folder. .mfs files have been added to the list of files that will be automatically analyzed - see for example https://doc.castsoftware.com/display/TECHNOS/Mainframe+-+Analysis+configuration. New object types will be resolved for IMS Message Format Service, IMS Message Input Descriptor and IMS Message Output Descriptor - see https://doc.castsoftware.com/display/TECHNOS/Mainframe+-+Analysis+results.
Mainframe Analyzer - Improved support for JCL Dataset sub types: The Mainframe Analyzer is now able to detect the following specific types of JCL Dataset, which will now be visible in CAST Enlighten, Architecture Checker and CAST Transaction Configuration. See https://doc.castsoftware.com/display/TECHNOS/Mainframe+-+Technical+notes#MainframeTechnicalnotes-dataset for more details: GDG datasets, PDS datasets, DBD datasets, GSAM datasets, VSAM datasets, Temporary datasets. In addition, a new prototype link has been implemented between DBD objects and JCL Datasets (DBD).
Rule documentation update: The "Rationale" section for the Mainframe related rule "8468 - Program semantic should respect the logic of flow execution" has been updated.
SQL Analyzer embedded in AIP: The SQL Analyzer embedded in AIP now supports (by reference) the analysis of databases hosted on: Microsoft SQL Server 2016, 2017 and 2019, however no new syntax or features introduced in these newer releases are supported. Sybase ASE 16, however no new syntax or features introduced in this newer release are supported.
User Input Security - new rules: The following rules have been implemented in this release, targeting the JEE technology: 8482 - 8516 (see https://technologies.castsoftware.com/rules?sec=srs_aip&ref=||8.3.25_2403). All of the above new rules are based on "injection through API requests" - the list of supported APIs is as follows: javax.ws.rs-api-2.1, jersey-client-1.19.4, resteasy-client, cxf-rt-frontend-jaxrs-2.7.18, wink-client-1.4, resthub-web-client-2.2.0.
User Input Security - Improvement to support for Apache Struts 2 applications: The following truncated manglings are now supported: com.opensymphony.xwork2.DefaultTextProvider.getText, com.opensymphony.xwork2.ActionSupport.getText, com.opensymphony.xwork2.validator.DelegatingValidatorContext.getText, com.opensymphony.xwork2.CompositeTextProvider.getText, com.opensymphony.xwork2.TextProviderSupport.getText, com.opensymphony.xwork2.TextProvider.getText. This is an improvement to "AIPCORE-1705 - User Input Security is now able to detect security violations in Apache Struts 2 applications" added in AIP Core 8.3.21.
CAST Database Extractor: The CAST Database Extractor now supports (by reference) the extraction of databases hosted on: Microsoft SQL Server 2016, 2017 and 2019, however the extractor will handle the databases as Microsoft SQL Server 2014 databases and no new syntax or features introduced in these newer releases are supported. Sybase ASE 16, however the extractor will handle the databases as Sybase ASE 15.x databases and no new syntax or features introduced in this newer release are supported.
CombinedTransfer.bat: A new batch file called CombinedTransfer.bat has been created as a replacement for the CSS Upgrade Wizard (now deprecated). It is a wrapper batch file for the CSS Backup and Restore Tools (https://doc.castsoftware.com/display/STORAGE/Maintenance+activities+for+CAST+Storage+Service+and+PostgreSQL), provided as part of the AIP Core ≥ 8.3.x, and involves a fully automated process of dumping the required schemas to file and then restoring the dumps on the new server. The CAST Storage Services/PostgreSQL do not need to be installed on the same host, and both can be remote to the machine on which you are executing the batch file. The CombinedTransfer.bat batch file is located in the following folder and must be executed from within the context of this folder: <CAST AIP installation>\CSSAdmin\CSSUpgrade\ See https://doc.castsoftware.com/display/STORAGE/Moving+existing+schemas+to+a+new+CAST+Storage+Service+or+PostgreSQL+instance for more information.

Other Updates

Internal Id Details
CAST-00000 CAST Management Studio - Create application option: If you need to onboard new Applications and are not yet using AIP Console or are having issues using CAST AIC Portal, then it is now possible to create new Applications directly in CAST Management Studio for all user audiences ("regular" through to "expert"). This is a "stop gap" solution until such time as you are ready to switch to AIP Console (https://doc.castsoftware.com/display/AIPCONSOLE/Import+an+Application+managed+with+CAST+Management+Studio+into+AIP+Console).

Resolved Issues

Customer Ticket Id Details
22135 While performing Oracle 12c r2 database extraction, using DMT from AIP 8.3.20, an error is displayed.
22978 CSV task takes too long (3 days).
23059 In the POM project, the source code files defined under build-helper-maven-plugin are not picked by DMT under the POM project.
23309 The Mainframe analysis crashes with the following error: "The analysis has not ended correctly (Error code -1073741819)."
23386 The analysis is stuck processing one specific .ABAP file when the "Number of Instances" value is set to 200000 in CAST Management Studio - changing this to 400000 allows the analysis to complete.
23454 While analyzing, the Universal Importer (UI) is taking uax files in the tmp folder into account.
23529 When unregistering a CB/KB from the MNGT, the corresponding sync tables are not getting updated.
23530 Unable to edit or select the deprecated attribute in General tab, while creating a custom rule in CMS.
23646 While running the packaging for a .castextraction file, the extraction completes without any error, though there is no .castextraction file present in the location.

8.3.24

Feature Improvements

Summary: Details
Mainframe Analyzer - Improved VSAM file support: Support introduced for VSAM commands in "SYSIN" clauses, for example: ALLOCATE, ALTER, DEFINE, DELETE, EXAMINE, LISTALC, LISTCAT, LISTDS, PRINT, REPRO, VERIFY. Support introduced for the IDCAMS utility and VSAM data-set types (for Cobol and JCL) when they call indexed, relative and sequential organisation: Entry-sequenced data set (ESDS), Key-sequenced data set (KSDS), Relative-record data set (RRDS).
Mainframe - new rules implemented: The following new rules have been implemented: 8468, 8470, 8476, 8478, 8780. See https://technologies.castsoftware.com/rules?sec=srs_aip&ref=||8.3.24_2371.
SSL connection to CAST Storage Service/PostgreSQL: CAST AIP 8.3.24 introduces support for connecting to CAST Storage Service/PostgreSQL instances using an SSL encrypted connection. Support for encrypted SSL connections requires some configuration for both the CAST Storage Service/PostgreSQL instances and CAST AIP itself. See https://doc.castsoftware.com/display/STORAGE/SSL+encrypted+mode+configuration+for+CAST+Storage+Service+and+PostgreSQL.
User Input Security - rule documentation: The following changes have been applied to the documentation (no impact on analysis results) for the rule "8438 Avoid code injection": The Reference section has been updated to change the CWE reference from 78 to 94 and 95.
Miscellaneous - long path support: When using CAST AIP, the path of some log files and other internal files may exceed the total number of characters permitted for a path in Microsoft Windows (260 characters by default). This is especially true when enabling the User Input Security feature for .NET and JEE technologies. When a path exceeds 260 characters, the analysis (or feature) would usually crash, for example the User Input Security would crash with the errors "System.IO.PathTooLongException" or "System.InvalidOperationException". To avoid crashes due to situations where the long path limitation is exceeded, two changes need to be made: Enable long path support in Microsoft Windows (Windows 10/Windows Server 2016 or above only) - see https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file#enable-long-paths-in-windows-10-version-1607-and-later for more information. Use AIP Core ≥ 8.3.13 and, where appropriate: JEE Analyzer extension ≥ 1.0.21 and Security for Java extension ≥ 1.4.5.
Miscellaneous - Change to SET_DEFINITIONS table: The table SET_DEFINITIONS (Analysis schema) has been modified: the column "setprocedure" will now accept a procedure name up to 255 characters in CAST AIP ≥ 8.3.24. Previously this column only accepted procedure names with a maximum of 30 characters. Note that if extensions are to be compatible with older releases of CAST AIP, they must still use 30 characters max.

Resolved Issues

Customer Ticket Id Details
22712 While viewing the rule documentation for "Avoid having multiple artifacts deleting data on the same SQL table" (7392), the Remediation code and the Sample source code is not correct. (Description of the rule needs to be updated).
22938 Launching a snapshot in CMS GUI fails with an error when the previous snapshot was killed at "Compute snapshot" step.
22978 CSV task takes too long (3 days).
23036 AAD consolidation takes longer when CLI/GUI is used. (Issue is due to the fact that there will be more rows in dss_date_snapshot than dss_snapshots. Both tables are expected to contain the same number of rows).
23129 While migrating (to the 8.3.22 version from 8.3.14) using batch file upgrade process - in the Delivery folder, if "sources.CastSourcePackage" is deleted manually, then when the batch file upgrade is run, the automatic delivery step allows the set current version step to succeed (but it is expected to fail).
23324 Wrong results for analyzers, using environment profiles (mainly Java and C++).

8.3.23

Note

Starting from this release of AIP Core, CAST Architecture Checker will no longer be installed as part of the AIP Core setup, whether installing from scratch or on a server where a previous release exists. CAST Architecture Checker has evolved into a standalone component where all feature requests and bug fixes are now managed. This standalone component can be downloaded from CAST Extend (https://extendng.castsoftware.com/#/search-results?q=archichecker). Note that the AIP Core setup will create a Windows Start menu shortcut for CAST Architecture Checker - when clicked, a popup message is displayed explaining that CAST Architecture Checker can be downloaded from CAST Extend.

Feature Improvements

Summary Details
CAST Delivery Manager Tool - Auto selection of Maven JAR files: In CAST AIP ≥ 8.3.23, if a JAR named after the name of the requested artifact is provided in the source code folder, it is accepted and a missing artifact alert is no longer raised. Previously, a manual remediation task was required to associate a JAR to a missing Maven project. Now, it is automatic. As a result of this change, for Maven projects, there may be no need to provide a Maven resource package if the corresponding JAR files have been provided in a sub-folder of the source package. Note that this behaviour does not apply to Gradle based projects. Any required Maven repositories must be delivered manually.
CAST Delivery Manager Tool - Change to the selection of artifacts with non-standard qualifiers in the version name: In CAST AIP ≥ 8.3.23, the CAST Delivery Manager Tool will remove non-standard qualifiers before comparing the Maven versions, so that, even if the plain version is lower than the qualified version, it can be accepted as a suitable version.
User Input Security - Change to support of org.springframework.jdbc: In previous releases of CAST AIP, support of the API org.springframework.jdbc for the User Input Security feature relied on automatic blackboxing. In CAST AIP ≥ 8.3.23, this has now changed and static rules will be used instead. Note that this change may impact existing analysis results.
User Input Security - Error handling improvement: If the User Input Security has no file(s) to analyze, this is highly likely to be due to an internal bug. In this situation, the User Input Security will now report an error instead of indicating that the analysis has succeeded.
User Input Security - Variations in the number of violations between two consecutive snapshots with the same source code: A bug has been fixed which was causing varying numbers of violations to be displayed for certain User Input Security related rules between two consecutive snapshots of the same application with unchanged source code. This was due to a bug causing different paths to be calculated for a given entrypoint.
User Input Security - Documentation updates: A new page has been added to help users improve the performance of an analysis that includes a User Input Security check. See https://doc.castsoftware.com/display/DOC83/User+Input+Security+-+Advanced+configuration+to+improve+performance for more information.
User Input Security - SecurityAnalyzer.log updates: A minor change has been made to change a message level from WARN to INFO: "Reached new field resolution algorithm failure count limit (10), will use default field resolution algorithm, next time."
User Input Security - Rule documentation updates: The Sample section of the rule "8098 Avoid uncontrolled format string" has been updated since it contained an error. The Description section of the rule "8240 Avoid using unsecured cookie" has been updated to include a limitation: "Limitation: in .NET environments, this rule does not check if the key requireSSL in web.config file."
CAST Transaction Configuration Center - Change in behaviour when loading .TCCSetup configuration files (the automatic configuration refresh process): Previously, when uploading a .TCCSetup file which already existed and where the package-version of the file differed from the existing package-version in the Management schema, the following behaviour was used: each rule was loaded with status active by default, except if the rule was present in the previous version, its definition was unchanged, and it had been manually deactivated by the user; in that case, the rule was set to inactive as well. From CAST AIP 8.3.23, this behaviour changes as follows (see also https://doc.castsoftware.com/pages/viewpage.action?pageId=264224227): each rule which was present in the previous version will be loaded with the same status as before, whether the definition of this rule is the same or has changed. In this latter case, a warning will be logged to inform the user of this change, as in the example below where the definitions of an active Entry Point rule and of a deactivated End Point rule have both changed in a new version of the 'Base_HTML5' package: WRN: -the rule "Standard Entry Point - HTML5 AspDotNet" (type='Transaction entry points') will remain active because although its definition has changed, it has the same name and type as the previously active rule "Standard Entry Point - HTML5 AspDotNet" (type='Transaction entry points'). WRN: -the rule "Standard End Point - HTML5" (type='Transaction end points') will remain deactivated because although its definition has changed, it has the same name and type as the previously deactivated rule "Standard End Point - HTML5 (type='Transaction end points').

Resolved Issues

Customer Ticket Id Details
19880 An error is displayed while saving an object (with external parent).
20407 "2586: Utilization of "DoEvents" inside a loop": rule description is insufficient (it needs to be more descriptive). After review, this rule has now been disabled in 8.3.23 out of the box.
22119 CAST AIP 8.3.20 installation runs for a long time; it neither completes nor throws any error.
22414 When a qualifier is present in the version name, the POM is not picked up from the Maven repository (JAR files were not picked up by the DMT).
22504 DMT fails to identify presence of JAR dependencies, unless provided in Maven format. When the JAR/WAR files corresponding to Maven artifacts are provided directly in the sources, they are not recognized by the DMT, and alerts are raised.
22688 Warning message (which does not have any impact) is displayed during analysis of security log file.
22771 Snapshot is taking a long time during the execution of procedure - DIAG_SCOPE_JEEAMDA003.

8.3.22

Feature Improvements

Summary Details
Mainframe Analyzer - Support for links from JCL to Java: Support has been introduced for situations where JCL batches are executing Java (a new Mainframe object has been added for this situation).
Mainframe Analyzer - Support for links from JCL to SQL: The following methods that can be used to process SQL/access database within JCL are now supported: INZUTILB utility, DSNTIAUL utility, Control Card file (.ctr). A new Mainframe object has been added for this situation.
Mainframe Analyzer - JCL Symbol resolution: JCL symbolic parameter values are now correctly propagated from JCL to procedures in the call chain.
User Input Security: User Input Security is now able to detect security violations in Spring JDBC framework applications.
Architecture Models: Architecture Models attached to an application are now saved in the Dashboard schema during the snapshot computation, so that the graphical representation of the model can be reproduced in the CAST Engineering Dashboard along with the results of the associated rules (metrics). This is in preparation for a future release of the CAST Engineering Dashboard where this feature will be implemented.
Extension installation - more stringent checks applied: When an extension is installed (on its own, as part of a schema installation or as part of a schema upgrade), more stringent consistency checks are now run on the metamodel XML file included in the extension: 1) For all numeric fields: when starting with "0", a number is now considered as decimal and no longer as octal. 2) For the file_no field the value should be between 0 and (INT_MAX / 1000) - 1 = 214748. These checks should not cause any issues with the installation of official CAST AIP extensions; however, if you are using custom extensions that do not conform to the metamodel syntax, the extension installation process may fail (schema installation/schema upgrade may also fail).

Resolved Issues

Customer Ticket Id Details
19498 DMT Packaging alerts will differ depending on whether a sub-folder (in the root path) is specified in the "Folders to extract" option. Source code extracted is identical.
20783 While delivering V2 through a Delivery Manager Tool automation script, .NET framework assembly files are removed automatically and no project is identified in V2.
21123 Analysis is stopped, as Console fails to filter non-manageable extensions. This results in the error "Update Extensions failed".
21174 When installing/upgrading a custom extension that contains syntactical errors, for example if the first line in the metamodel xml file contains "0" as the first digit (e.g. <metaModel file_level="client" file_no="073">), the installation/upgrade of the extension fails.
21889 When looking at the number of violations for a given rule in the Risk Investigation view in the Engineering Dashboard, the number of violations displayed in the left hand panel differs from the number of violations displayed in the right hand panel.
22031 Error is displayed during the validation step of DMT packaging.
22064 When using the Action Plan Optimizer and selecting an Application, the scroll bar is missing; therefore, when there are many Applications, some cannot be selected since they are hidden.
22065 When looking at the results of the rule Never truncate data in MOVE statements - 7688, false violations were being reported where only one variable of OCCURS ... DEPENDING ON exists.
22109 Snapshot generation is taking longer in the compute snapshot step.
22123 When looking at the results of the rule Avoid Packages with High Afferent Coupling (CA) - 7248: inconsistency in the number of reported violations.
22246 While searching for the rule "never truncate data in move statement" in the ED Dashboard: incorrect bookmarks displayed for violations.

8.3.21

Feature Improvements

Summary Details
Upgrade - delivery folder consistency check has been implemented: During an upgrade to CAST AIP ≥ 8.3.21, a consistency check has been implemented to ensure that the index.xml file located in the folder Delivery\plugins and the plugins (i.e. sub-folders) present in the Delivery\plugins folder are consistent. This check has been added to avoid situations where, for example, the version of a plugin (e.g. discoverer or an extractor) located in the Delivery\plugins folder and the reference to that plugin version in the index.xml file differ. If any inconsistencies are detected during the upgrade, these will be logged in a new log file called ServMan-Utils produced by CAST Server Manager, located here (if the default settings are used): %PROGRAMDATA%\CAST\CAST\Logs\ServMan\. Where possible, inconsistencies are repaired. When this is not possible, the upgrade stops and an error is logged in the main CAST Server Manager log file, located in the same folder as above.
Mainframe Analyzer - IBM MQSeries updates: Syntax coverage has been improved when using data from JCL. The following is now supported: 1) FROM instream data SYSIN when using DB2 utility to call PGM - ACCEPT. 2) FROM PARAM when Exec Program.
Mainframe Analyzer - Cobol: The following syntax is now supported: 1) ACCEPT verb for processing data passed as input to Cobol programs via SYSIN. 2) Data passed as input to Cobol programs via PARM.
SAP/ABAP Analyzer - Configuration change to increase analysis performance: A change has been made to the SAP/ABAP Analyzer in order to improve analysis performance (execution time), particularly for very large analyses. For those upgrading to 8.3.21 and for new "out of the box" installations, in the following file: <INSTALLDIR>/configuration/AMT/AMTJobConfig_ABAP.xml, the following line: <analyzer name = "ABAP Analyzer" showProgress = "false" maxMem = "1000" maxInstancesForFlat64bits = "200000"/> has been replaced with: <analyzer name = "ABAP Analyzer" showProgress = "false" maxInstancesForFlat64bits = "400000"/>. If you are analyzing large SAP/ABAP projects and regularly find that analysis execution time is very long or gets stuck, CAST recommends gradually increasing the value of maxInstancesForFlat64bits to a point where performance is acceptable.
CAST Delivery Manager Tool - Exclusion rule changes: A change has been made in the CAST Delivery Manager Tool to the exclusion rule "Exclude Eclipse project located inside the output folder of another Eclipse project". In previous releases this exclusion rule in fact addressed two different things: 1) projects located inside the output folder of another Eclipse project; 2) projects that share the name of another Eclipse project. To provide more flexibility, this rule has now been split into two separate rules to address both exclusion scenarios handled by the original rule, as follows: 1) "Exclude Eclipse project located inside the output folder of another Eclipse project" - same name as in previous releases, but this rule no longer excludes projects that share the name of another Eclipse project; enabled by default; same position as prior to the upgrade. 2) "Exclude Eclipse project sharing the name of another Eclipse project" - new rule to address this specific scenario; enabled; same position as the original rule prior to the upgrade to ensure consistency of results.
User Input Security - improved support of ASP.NET: User Input Security is now able to detect security violations in ASP.Net Core, ASP.Net MVC and ASP.Net MVC Core applications.
User Input Security - main/Main methods: User Input Security now takes into account arguments of main/Main methods (java / C# / VB.Net) as entry-points.
User Input Security - Apache Struts 2: User Input Security is now able to detect security violations in Apache Struts 2 applications.
User Input Security - NoSQL injections: NoSQL injections for applications using MongoDB/SpringData for Java can now be detected. Results are provided via the rule 8418 - Avoid NoSQL injection.
CAST Transaction Configuration Center: Saving empty transaction objects and Assessing Function Points for empty Transactional Functions based on non-empty Transactional Functions - see https://doc.castsoftware.com/display/AIPCORE/8.3.22+-+Additional+notes.

Resolved Issues

Customer Ticket Id Details
16341 DMT will unexpectedly exclude projects which do not match the exclusion rule.
22067 DMT will unexpectedly exclude projects which do not match the exclusion rule.
17599 On Rules Doc site, links in section "Reference" are broken for rule "Avoid catching an exception of type Exception, RuntimeException, or Throwable".
18329 While viewing source code for database objects in the Engineering Dashboard, source code is not visible because the SQL file is too big.
20031 Unable to save changes in CAST-MS until the pointer is outside the text box. CAST-MS was closing without any pop-up, so the user would not notice that the changes were not saved in CAST-MS.
20774 While accepting the version in CAST MS, after having delivered a version with AIC Portal in CLI: accepting the delivery fails with an error "The program Version Report has not ended correctly" when a version is delivered through Source code automation Script.
21338 While comparing the .src file generated by the extractor and the .ddl generated by a Database Management Tool: inconsistencies observed between the two files, which suggests only a display issue in the .src files.
21543 When looking at the results of the rule "Never truncate data in MOVE statements - 7688": false positive violations of the rule are seen.
21545 While editing simulated grade in Action Plan Optimizer (APO): not able to calculate simulated grade in Action Plan Optimizer (APO).
21583 While entering the path to the CAST AIP installation folder: the CASTUpgrade_Config.txt file has an incorrect setting for the CAST_HOME variable. (As per the documentation, the variable should not end with a backslash.)
21604 Report generation fails in Dashboard, showing corrupt data in the database.
21663 When setting a delivery as the current version in the CAST Management Studio, the following error is displayed: "value too long for type character varying(255)" for the column "compilationconstants" in CMS_NET_Project table in management schema.
21698 When trying to validate or ignore a link using Dynamic Link Manager in CAST-MS, an error is thrown (SQL Error: ERROR: relation ""fusacc" " does not exist) but this error is not displayed in the Dynamic Link Manager task dialog box. The error is only visible in the log.
21894 In DMT, after running packaging, delivery and set as current version for a project that includes WSDL files, two analysis units are created in the CAST Management Studio referring to the same WSDL file.
22051 When the APO (Action Plan Optimizer) is launched and a module is accessed: mismatch in 'Original Grade' and 'Simulated Grade' column values.

8.3.20

Feature Improvements

Summary Details
Analysis result save process has been optimized: The internal mechanism that is used to save analysis results in the CAST AIP schemas has been optimized and improved in this release of AIP. The goal of this optimization has primarily been to introduce more rigorous controls on the data that is saved to reduce inconsistencies and therefore to increase the overall accuracy of CAST AIP. In addition, performance has been stabilized. As a result of this optimization, some small changes in analysis results are to be expected when performing a new analysis/snapshot post-upgrade on unchanged source code, for example: 1) Some objects, links, properties and bookmarks that flag the location of rule violations in the source code are now more rigorously checked and therefore some items may no longer be saved, notably for Universal Importer jobs, improving accuracy. 2) Results of metrics calculated by the Metrics Assistant may be impacted (values may be higher or lower), improving accuracy. 3) 7962 - Avoid direct or indirect remote calls inside a loop: previously some violations of this rule were not saved - these are now saved, improving accuracy.
CAST Server Manager - CLI: The -MODIFY_COMBINED command (https://doc.castsoftware.com/display/DOC83/Automating+CAST+Server+Manager+installation+tasks) has been optimized to improve performance when using the command to install new extensions, upgrade existing extensions or deactivate existing extensions to an existing combined installation (Management, Analysis and Dashboard Service schemas) - equivalent to the Manage Extensions option in the GUI.
Mainframe IMS/DC - support for links between Cobol Programs and IMS Transactions: CAST AIP 8.3.20 introduces support for links between Cobol Programs and IMS Transactions for IMS/DC (Data Communications). See https://doc.castsoftware.com/display/TECHNOS/Mainframe+-+IMS+DC+support.
Mainframe - IMS/DB - link type changes: Links between Cobol paragraphs/sections and DB/GSAM/ALT PCB when using DLI function have been updated as follows: OPEN/CLSE (only for GSAM): accessOpenLink, accessCloseLink. DLET: UseDeleteLink. GU/GHU, GN/GHN, GNP/GHNP, INQY: UseSelectLink. ISRT: UseInsertLink. REPL: UseUpdateLink. Other dli calls: useLink.
Mainframe - Avoid unchecked return code (SQLCODE) after EXEC SQL query (7690): Several fixes have been applied to the rule "Avoid unchecked return code (SQLCODE) after EXEC SQL query (7690)" to reduce the number of false violations reported: 1) Correcting a situation where the rule is falsely violated when a paragraph contains multiple paragraphs called via IF clauses and where each of the called paragraphs contains SQL statements and where the SQL statement is checked from the parent paragraph. 2) Correcting a situation where the rule is falsely violated when the SQL statement is contained in parentheses. 3) Correcting a situation where the rule is falsely violated when the SQL statement is contained inside an IF statement of a PERFORM paragraph.
Mainframe - Never truncate data in MOVE statements (7688): Fixes have been applied to the rule Never truncate data in MOVE statements (7688) to reduce the number of false violations reported.
Mainframe - CICS Return code should be checked (8162): Fixes have been applied to the rule CICS Return code should be checked (8162) to reduce the number of false violations reported when the check statement is called via an IF statement in a variable.
Mainframe - JCL Symbol coverage: Improved coverage for JCL Symbol resolution: 1) Support for EXEC Procedures or PGMs containing "&" such as "NAME1&VAR2". 2) Support for the following situation: JOBs containing VAR1 = X and PROCs containing VAR1 = DEFAULT VALUE - X will not be overridden, and the value in JOB is taken as a priority.
CAST Transaction Configuration Center - GUI update for external end-points: An update has been made to the GUI of the CAST Transaction Configuration Center to allow users to see if an end point is external when checking the datafunction called by a transaction in a new column called Scope. For all datafunctions the scope is always "Application", but for end-points the scope can be "External" or "Application".
User Input Security - improved SecurityAnalyzer.log: The SecurityAnalyzer.log has been improved to list the number of distinct flaws found for each analyzed target. For example, "Distinct=" has been added: 2020-01-08 14:15:52,238 [1] DEBUG Analyzed target: 369/1941. Found=2, Distinct=1. Steps=128.
User Input Security - support for bsh.Interpreter.eval: Added support for bsh.Interpreter.eval (http://www.beanshell.org/javadoc/bsh/Interpreter.html) as a target for code injection.
User Input Security - improvement to handling of constructors of System.IO.MemoryStream: Constructors of System.IO.MemoryStream are now handled correctly, avoiding false positive violations to the rule "Avoid file path manipulation vulnerabilities (7752)".
User Input Security - improved coverage of database access methods from the .NET framework: Access to database methods of the .NET Framework are now handled more accurately. As a consequence, some false positives may be removed and new true positives may be found for the rule "Avoid SQL injection vulnerabilities (7742)".

Resolved Issues

Customer Ticket Id Details
18889 While calculating metrics (after completion of analysis): error during run metrics calculation.
19655 False violations are being reported on constructors of the System.IO.MemoryStream class when running a User Input Security analysis.
20581 While doing JEE analysis when the source code path is very long: analysis fails during the objects comparison step.
20706 While viewing the rule description "Avoid Tables without Primary Key - 8082": the quality rule description is not accurate.
20960 While using the DMT to perform an HTTP Maven extraction: the DMT fails with a "java.lang.OutOfMemoryError: Java Heap space" error, due to lack of memory during the packaging phase.
21028 While viewing the snapshot: wrong AFP (Automated Function Point) number shown in Health Dashboard. After the snapshot, the number for AFP shown in Health Dashboard is different from the one in CED or TCC.
21184 When looking at the results of the rule Avoid unchecked return code (SQLCODE) after EXEC SQL query (7690): false violations are seen when a paragraph contains multiple paragraphs called via IF clauses and where each of the called paragraphs contains SQL statements and where the SQL statement is checked from the parent paragraph.
21239 While using CAST Transaction Configuration Center, an issue was observed due to the DEDOUBLE function: the same transaction was displayed with two statuses (ADDED and DELETED).
21337 When the simulated grade is changed from 1 to 4, negative values are displayed in Action Plan Optimizer (APO). In APO, when the simulated grade was 1, there was no issue with the simulated violation count. When the simulated grade was set to 4, it resulted in a negative simulated violation count.
21386 While using the Action Plan Optimizer (after taking the snapshot): difference in simulated and original score. In APO, original grade and simulated grade should be identical.
21412 After upgrading to 8.3.15, violations were not triggered for the QR: "Persistent class method's equals() and hashCode() must access its fields through".

8.3.19

Feature Improvements

Summary Details
Mainframe Analyzer - IMS/DC support introduced: Support for IMS/DC (Data Communications) has been introduced. See https://doc.castsoftware.com/display/TECHNOS/Mainframe+-+IMS+DC+support. As a result, some changes have been implemented: 1) The Mainframe Discoverer (https://doc.castsoftware.com/display/TECHNOS/Mainframe+Discoverer) will detect a project (and therefore automatically create an Analysis Unit) for each *.tra file discovered in a folder. See https://doc.castsoftware.com/display/TECHNOS/Mainframe+-+Application+qualification+specifics for more information about how to generate this file type using JCL. 2) .tra files have been added to the list of files that will be automatically analyzed - see for example https://doc.castsoftware.com/display/TECHNOS/Mainframe+-+Analysis+configuration. 3) New object types will be resolved for "IMS Transaction File" and "IMS Transaction" - see https://doc.castsoftware.com/display/TECHNOS/Mainframe+-+Analysis+results. 4) A new option (IMS DC) has been added to the Delivery Manager Tool when delivering a PDS dump file, specifically to collect IMS DC related items.
Mainframe - JCL: Support for SQL embedded in INZUTILB and DSNTIAUL items has been added.
User Input Security - support for Ektorp Java API for CouchDB: NoSQL injections for applications using Ektorp Java API for CouchDB can now be detected.
User Input Security - support for LightCouch for Java: NoSQL injections for applications using LightCouch for Java can now be detected. Results are provided via the rule "8418 - Avoid NoSQL injection".
User Input Security - improved coverage of logger methods: Methods like "logError", "logInfo", etc. used in loggers are now automatically taken into account.
User Input Security - improved logs: Where a blackbox contains a duplicated type (according to their mangling), the log of the tool will contain more detailed information about the issue (the name of the duplicated type or the name of the duplicated blackbox, etc.).
User Input Security - improved handling of duplicate paths: In previous releases some violations were removed if other violation paths were found in other files with a similar position of the starting path and the ending path (same row and same column for both). The algorithm for detecting these duplicate paths has now been rewritten to provide more accurate results.
User Input Security - support for NoSQL - Azure Cosmos DB (.NET): NoSQL injections for applications using Azure Cosmos DB for .NET can now be detected. Results are provided via the rule "8418 - Avoid NoSQL injection".
User Input Security - support for NoSQL - Azure Cosmos DB (Java): NoSQL injections for applications using Azure Cosmos DB for Java can now be detected. Results are provided via the rule "8418 - Avoid NoSQL injection".
User Input Security - improved detection of targets of the method java.io.Console.format: The targets of the method java.io.Console.format - String fmt, Object... args etc. - are now correctly detected.

Resolved Issues

Customer Ticket Id Details
19530 When running a snapshot, the "Run metrics calculation" step fails with the error: "Unexternalized Exception - Message is 'access violation' ".
19860 When attempting to use the CAST Extension Downloader, ExtensionDownloader.exe crashes with the following error: Root element missing.
20087 CAST Transaction Configuration Center displays added and deleted objects for overloaded PowerBuilder methods even though the source code is unchanged since the previous snapshot.
20417 In a JEE project discovered by the DMT, sometimes the same directory reference is shared between JARs, XML and/or Properties. In the corresponding analysis unit, a shared reference is only configured once, for the latest section amongst: 1) JARs 2) XML files 3) Properties files.
20562 When looking at the results of successive snapshots with regard to Complexity Factor values: inconsistency in Complexity Factor, AEFP and AEP values.
20687 While looking at the results of .NET related rules: inconsistency in the total number of violations reported at technical criterion level and the total number for all contributing rules. This is due to a bug where VB.NET Property Setter objects were not being included correctly in total object counts for related rules.
20744 While running analysis, the Universal Analyzer analysis runs for a long time (2 days).

8.3.18

Feature Improvements

Summary Details
Technology support changes - SAP ABAP: The following syntax is now supported: CALL TRANSACTION...WITH AUTHORITY-CHECK USING.
.NET - Procedure Call Depth: The default value for the option Procedure Call Depth (which limits the number of intermediate values that the Inference Engine can resolve in order to obtain the type of the object that is being searched for) - see https://doc.castsoftware.com/display/TECHNOS/.NET+-+Analysis+configuration - has been changed to 300 (from 3000) for all Applications newly onboarded with ≥ 8.3.18. This change has been made to improve the .NET analysis duration time. For Applications that are upgraded from a previous release of AIP to ≥ 8.3.18, the previous value for this option will be retained to avoid impacting analysis results.
CAST Transaction Configuration Center - specific usage of Excluded Items: Data functions / transaction functions will still contribute to values in the AFP section in the following situations: 1) The setup configuration rule matching the(se) object(s) is no longer present. 2) The setup configuration rule has changed and no longer matches the objects. This is because these Data functions / Transactions have already been calibrated (i.e. merged / deleted / ignored) and a Compute action will not remove these items from the values in the AFP section to prevent losing the specific calibration that has been applied. Therefore, if you need to prevent these objects contributing to values in the AFP section, you can: 1) Create an excluded-item rule to exclude these items. 2) Run the Compute action. 3) Disable or remove the excluded-item rule you created.
CAST Transaction Configuration Center - Change in behavior with regard to loss of transaction IDs: In previous releases of CAST AIP, Added/Deleted objects would be visible in the following situation: if an entry point of a valid transaction is missing in more than two consecutive snapshots, then the transaction ID is lost. As a consequence, when the missing entry-point object re-appeared in a subsequent snapshot, CAST AIP was not able to recover the transaction ID and a new transaction ID was associated to the entry point. If the intermediary snapshots were then deleted, CAST AIP recorded an Added/Deleted of the transaction because CAST AIP sees that the transaction has a new ID and the previous ID is no longer present in the snapshot. The behaviour of CAST AIP in this situation has been changed - the previous transaction ID will be re-used when the missing entry-point object re-appears in a subsequent snapshot. And so when the intermediary snapshots are deleted, the transaction will be seen as Unchanged (if there are no changes in the transaction's details) or Modified (if there are changes in the transaction's details).
User Input Security - support of org.owasp.encoder library: Methods from the "org.owasp.encoder" library have been added to the list of libraries that are automatically taken into account for sanitization.
User Input Security - Avoid hard-coded credentials (8222) for .NET: The rule Avoid hard-coded credentials (8222) has been updated to include support for detecting hard-coded credentials in the PasswordDeriveBytes Class (https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.passwordderivebytes?view=netframework-4.8).
Improvements to CAST-DatabaseExtractionRenamingTool.exe: The CAST-DatabaseExtractionRenamingTool.exe tool that is used to mitigate the impact on analysis results when databases or schemas move from one Server to another or from one Instance to another has been enhanced to support renaming for database extractions performed on Microsoft SQL Server and Sybase ASE.

Resolved Issues

Customer Ticket Id Details
12651 While running a .NET analysis with User Input Security analysis enabled. The devirtualization phase is taking a long time to complete.
18394 The snapshot generation used to get stuck for 24hrs in the following step: "Transfer Sources,positions,Bookmarks into Dashboard service". After the fix, there is great improvement in the performance. Now the snapshot generation of the above step is completed in 2 seconds.
18421 When renaming an application in Chinese. Incorrect application name display in CMS after renaming application in Chinese.
18617 While generating snapshot using CLI. After snapshot failure on Jenkins, CMS doesn't prompt to purge the existing snapshot before taking new one.
19936 The Menu bar of the Server Manager is in French language after launching.
20067 When attempting to run an ABAP analysis. Unsupported syntax errors are displayed for the syntax "CALL TRANSACTION...WITH AUTHORITY-CHECK USING".
20101 Error in ADDED and DELETED objects in AEP counts, when a snapshot is deleted.
20342 TCC computation is getting stuck at Finalizing function Point Computation Step.
20393 Inconsistency in the number of violations displayed in Engineering dashboard for the rule "Package size control (4718)".
20394 Inconsistency in the number of violations displayed in Engineering dashboard for the rule "Avoid catching an exception of type Exception, RuntimeException, or Throwable (7862)".
20399 Inconsistency in the number of violations displayed in Engineering dashboard for the rule "Avoid unreferenced Functions (7860)".
20400 Inconsistency in the number of violations displayed in Engineering dashboard for the rule "Avoid using GOTO statement (7816)".
20444 Inconsistency in the number of violations displayed in the Engineering dashboard for the rules "Avoid Namespaces with High Efferent Coupling (CE) (7262)" and "Avoid namespaces with High Afferent Coupling (CA) (7264)".

8.3.17

Feature Improvements

Summary Details
CAST Extension Downloader: Some changes have been made to switch extension downloads to the "next generation" CAST Extend (https://extend.castsoftware.com). This new CAST Extend is a replacement for the existing CAST Extend which will be phased out in due course. Note that to use https://extend.castsoftware.com, you will need to register a new account (https://extend.castsoftware.com/register) - however, accounts from the existing CAST Extend service will be transferred in over the coming weeks.
CAST Extension Downloader - Installing CAST AIP ≥ 8.3.17 from scratch: When installing CAST AIP ≥ 8.3.17 from scratch when no previous release of CAST AIP exists, the "extendng.castsoftware.com" server will be pre-configured for extension downloads (the server will be ticked and enabled). Note that you can manually add the URL of the existing CAST Extend service if you prefer to use it, however, you should bear in mind that this service will be phased out in due course.
CAST Extension Downloader - Installing CAST AIP ≥ 8.3.17 when a previous release of CAST AIP already exists: When installing CAST AIP ≥ 8.3.17 and a previous release of CAST AIP already exists (more specifically if the %PROGRAMDATA%\CAST\CAST\Extensions\ServerList.xml file exists) then the following will occur: 1) https://extendng.castsoftware.com/api will be added as CAST ExtendNG and will be ticked and enabled 2) https://extend.castsoftware.com:443/V2/api/v2 will be deleted 3) All other servers will remain as they were previously. Note that you can manually add the URL of the existing CAST Extend service if you prefer to use it, however, you should bear in mind that this service will be phased out in due course.
CAST Transaction Configuration Center - Set/layer creation with Caller-Of and Callee-Of blocks: It is now possible to create Caller-Of and Callee-Of blocks using multiple link types. Previously, only one single link type could be selected. Configurations built with this new feature cannot be used with CAST Transaction Configuration ≤ 8.3.16 (i.e. importing a .TCCSetup file that contains this new configuration). Erroneous results will be produced.
User Input Security - support for MongoDB for Java: NoSQL injections for applications using MongoDB for Java can now be detected. Results are provided via the rule 8418 - Avoid NoSQL injection.
User Input Security - Name of rule changed - Sensitive cookie in HTTPS session without 'Secure' attribute (8240): The rule Sensitive cookie in HTTPS session without 'Secure' attribute (8240) has been renamed as Avoid using unsecured cookie (8240).
User Input Security - SpringMVC technology - total checks less than failed checks (violations): A bug causing the total number of checks to be reported as lower than the total number of failed checks (i.e. violations) for Applications containing SpringMVC technology has been fixed, therefore improving accuracy.
User Input Security - Improvement to Avoid HTTP response splitting (7740) rule: The rule Avoid HTTP response splitting (7740) computed by the User Input Security has been improved: the full path of related violations is now computed, thus improving bookmark accuracy.
User Input Security - java.io.ObjectInputStream methods handled: java.io.ObjectInputStream methods are now automatically taken into account.
User Input Security - Improvement to SpringMVC regression introduced in 8.3.16: During the analysis of an application using Spring MVC, a blackbox is generated by the SpringMVC extension (https://doc.castsoftware.com/display/TECHNOS/Spring+MVC), however, this blackbox was ignored during a User Input Security analysis. As a result, some violations were not found. This bug has been fixed, improving accuracy.
User Input Security - Support for CWE-601: URL Redirection to Untrusted Site ('Open Redirect'): Support has been introduced for CWE-601: URL Redirection to Untrusted Site ('Open Redirect') - https://cwe.mitre.org/data/definitions/601.html
User Input Security - Avoid log forging vulnerabilities (8044) - total checks less than failed checks (violations): A bug causing the total number of checks to be reported as lower than the total number of failed checks (i.e. violations) has been fixed, therefore improving accuracy.

Resolved Issues

Customer Ticket Id Details
19102 Failed checks is greater than Total checks for CWE-117: Avoid log forging vulnerabilities.
19244 The compute snapshot step is taking a very long time to complete due to the volume of rows generated for computing the differences between the two snapshots.
19281 After upgrade to 8.3.x (from 8.1.x), generation of post-upgrade snapshot and comparison of the results. Many violations that were detected in AIP 8.1.x for the rule "Avoid declaring throwing an exception and not throwing it - 4656" are no longer visible in AIP 8.3.x.
19401 While viewing the results of a snapshot in the CAST dashboards. The total number of failed checks is greater than total number of checks.
19522 If user has AIP build on mapped or network drive. Installing new schema gives error - "duplicate key value violates unique constraint "uidx_da_entity""
19607 If user has AIP build on mapped or network drive. Getting Error while doing upgrade: "more references than expected"
19761 Launch a snapshot on a Powerbuilder application. Analyzed source code is not available in Engineering Dashboard/Imaging System.
19790 Snapshot generation gets stuck. (Configure snapshot step)

8.3.16

Feature Improvements

Summary Details
Support of PostgreSQL ≥ 10 for storage: Support has been introduced for PostgreSQL 10 and 11 (64bit) as storage, i.e. AIP schemas can now be created on these versions and analyses will run as expected.
Mainframe Analyzer - support for IBM MQSeries: In CAST AIP ≥ 8.3.16, Mainframe Analyzer supports the publisher/subscriber mode and point-to-point mode for IBM MQSeries. Publisher/Subscriber objects will be generated and Call links between Cobol objects and IBM MQ objects and between IBM MQ objects and Cobol objects will be generated by the Web Services Linker extension (https://doc.castsoftware.com/display/TECHNOS/Web+Services+Linker) - you must ensure that v. ≥ 1.6.8 of this extension is installed, otherwise no links will be generated. You can find out more information about this support in https://doc.castsoftware.com/display/TECHNOS/Mainframe+-+Technical+notes#MainframeTechnicalnotes-IBMMQ.
CAST Database Extractor: The CAST Database Extractor (https://doc.castsoftware.com/display/DOCCOM/CAST+Database+Extractor) now supports: 1) (by reference) the extraction of schemas on Oracle 18c and above in line with Oracle's updated release cycle, however the extractor will handle the schemas as Oracle 12c schemas and no new syntax or features introduced in these newer releases is supported. 2) Case sensitive passwords (introduced in Oracle 12c R2).
User Input Security - rule documentation changes: For several User Input Security related rules, the Total field has been updated to state "Number of potentially vulnerable methods" instead of "Number of methods calling user input methods". This is to better reflect what is returned by the rule. In addition, links to external references have been updated for several User Input Security related rules to provide more up-to-date references.
SAP / ABAP - "CX_ROOT" should not be used in TRY .. CATCH.. ENDTRY block (8412): For the rule "CX_ROOT" should not be used in TRY .. CATCH.. ENDTRY block (8412), the parent technical criterion was incorrectly set to 61020: Programming Practices - Modularity and OO Encapsulation Conformity, but it has been changed to 61014: Programming Practices - Error and Exception Handling.
SAP/ABAP - source code bookmarks implemented: Bookmarks indicating the position of violations in the source code have been implemented for the following SAP/ABAP rules: 7130, 7524, 7528, 7530, 7532, 7536, 7538, 7544, 7592, 7594, 7666, 7672, 7788, 7806, 7808, 7810, 7820, 7822, 7882, 7902.
.NET - rule changes: The following multi-techno rules have been disabled in 8.3.16 specifically and only for .NET technology and will no longer be triggered during an analysis. These rules often generated a large amount of false positive violations: Avoid unreferenced Classes - 7832, Avoid unreferenced Data Members - 7912, Avoid unreferenced Methods - 7908.
Dynamic Links rule files: Dynamic Links rule files now function with SAP BusinessObjects and SAP PowerBuilder analysis results.
Changes to the structure of the Dashboard and Analysis Services schemas - FP_LINK_INFO table (new): Data (links with IDs from 11000 to 11006) related to CAST Transaction Configuration Center data functions and transactions that was previously stored in these two tables will now be stored in a new table called FP_LINK_INFO. This table now contains all object details of transactions/data functions. It has exactly the same structure as DSS_LINK_INFO.
Changes to the structure of the Dashboard and Analysis Services schemas - Impact on Analysis Services schema: Details of transactions and data functions are now sent to a new table called DSS_FPLINKS (previously DSS_LINKS was used).
Changes to the structure of the Dashboard and Analysis Services schemas - transfer from Analysis to Dashboard Service schema: The links in DSS_FPLINKS in the Analysis Service schema are sent to the Dashboard Service schema via a new table called DSS_IN_FPLINKS (previously DSS_IN_LINKS was used).
Changes to the structure of the Dashboard and Analysis Services schemas - Upgrade and impact: This change is handled by the CAST upgrade process and does not require any manual steps. All occurrences of link_type_id between 11000 and 11006 will be: 1) Moved from DSS_LINK_INFO to FP_LINK_INFO 2) Removed from both DSS_LINK_INFO and DSS_LINKS. If you have custom scripts that fetch data from any of the existing tables, please ensure that you update these scripts yourself.
Changes to the structure of the Dashboard and Analysis Services schemas - impact on Dashboard Services schema: The data related to details of transactions and data functions are now stored in a new table called FP_LINK_INFO (previously DSS_LINK_INFO was used).

Resolved Issues

Customer Ticket Id Details
14882 When attempting to run a mainframe analysis. Anarun crashes while attempting to process a .cbl file.
14918 While running DMT for packaging a java application. The following warning is displayed: "cast.dmt.engine.foldertree.containerScannerFailure"
15791 When attempting to analyze a .NET application. The analysis is hanging during the Comparing Object step due to the duplicate objects caused by 2 .csproj pointing to the same source code.
16120 When attempting to apply a DLM rule file on SAP BusinessObjects results - the DLM rule file does not review any links - i.e. all results are ignored.
16639 When attempting to run a Mainframe analysis. The analysis fails with the error "Unexternalized exception - Message is 'access violation'."
17065 When looking at the log files following a Mainframe analysis. Difficult to work out which copybook (when the same one has been identified more than once in the Application) has been used for the analysis.
17183 When looking at the results of a Mainframe analysis, with regard to the rule "Avoid OPEN/CLOSE inside loops - 7218". A false link between two objects is causing a false violation of the rule.
17220 When looking at the results of a Mainframe analysis. An incorrect Cobol program object called "TO" is created for the "MOVE PROGRAM-ID ... TO ..." syntax found in copybook files. No object should be created at all.
17233 When looking at the results of a Mainframe analysis, specifically with regard to the rule "Avoid unchecked return code (SQLCODE) after EXEC SQL query - 7690". False positive violations are reported for this rule when SQLCODE is checked outside perform statement of a paragraph.
17365 When attempting to use a Dynamic Links rule file with PowerBuilder analysis results. The rules described in the Dynamic Links rule file are ignored.
17366 When looking at the results of a Mainframe analysis. Many Cobol Transaction objects are created with names containing special characters such as *, / etc.
17613 When creating a Reference Pattern in the CAST Management Studio and attempting to use the "Enable replacement" option. The "Enable replacement" option does not replace the words as expected when attempting to replace a "\" (backslash).
17783 The snapshot generation process is hanging during the run consolidation step.
17816 When looking at the results of a Mainframe analysis, specifically with regard to the rule "Avoid unreferenced Sections and Paragraphs - 7290". The analyzer does not correctly handle the syntax FETCH / END-FETCH (it is treated as paragraph) and therefore causes a false violation of the rule.
18112 The snapshot fails during the MAV2 step with the error message: Unexternalized exception - Message is 'access violation ' Failed to run service ILocalMetrics
19440 The snapshot fails during the MAV2 step with the error message: Unexternalized exception - Message is 'access violation ' Failed to run service ILocalMetrics
18221 False positive violations are generated for the rule "Prefer using indexes instead of subscripts - 8142" even though Indexing was used instead of Subscripts.
18236 When looking at the results of the rule "Avoid "SELECT *" queries (7344)". The violations reported for this rule are duplicated by the rule "Avoid "SELECT *" or "SELECT SINGLE *" queries" (7530).
18348 Module trending for an application in AAD always returns with "unexpected error" as rest-api doesn't accept special characters (/,&) in module names.
18508 When using a Dynamic Link Rule file to automatically ignore specific link types during an analysis. The rules file does not automatically ignore "uselinks" links.
18570 CICS Maps objects are not handled correctly - objects are displayed as "Unknown" and the same object is displayed multiple times impacting link creation.
18635 When looking at the results of a Mainframe analysis specifically with regard to the rule "Never truncate data in MOVE statements - 7688". False violations are reported for this rule when the variables have subordinate items and the comparison is based on a block.
18652 A different number of violations is showing in the "Risk Model" and in "Application Component" tiles. The values in both should be the same. The issue is due to the fact that CAST_DotNet_PropertyCSharp objects are marked as synthetic, whereas their associated getters/setters are not.
18660 Using Server Manager CLI to install an extension and the installation fails for whatever reason. No non-zero error code is returned by Server Manager CLI.
18670 When a Management Database is locked by CAST MS (after having enabled the lock) by user A. User B then opens a new CAST MS session. An error message is raised incorrectly stating that user A has CAST MS open.
18711 When attempting to package Maven based JEE source code. Missing JAR files in the DMT packaging results, despite the fact that the JAR files are present in the Maven repository.
18854 When generating a snapshot. The procedure DSSEXT_BUILD_OBJ_STATUS takes a long time to complete.
18873 When analyzing a Mainframe application in CAST AIP 8.3.x after upgrade from 8.2.x with no change in source code. The analysis time has increased 7-fold.
18947 Using the DMT and attempting to delete a package from V2 (cloned from V1). The package is deleted, but an error is displayed: "The program validation has not ended correctly (2001)"
18959 When installing CAST AIP and recording the settings in a .iss file. The .iss file does not store the correct path for the CAST_DEFAULT_DELIVERY_DIR variable chosen during the installation and instead will record the path given in the CastGlobalSettings.ini file.
19041 When looking at the results of a post upgrade (8.2.x > 8.3.x) consistency analysis on unchanged source code. The checksum of some objects has changed, therefore impacting the results (some objects are marked as modified even though they have not been changed).
19054 When looking at the parent Technical Criterion for the rule ""CX_ROOT" should not be used in TRY .. CATCH.. ENDTRY block - 8412". This parent technical criterion for this rule is set to "61020: Programming Practices - Modularity and OO Encapsulation Conformity", but it should be changed to "61014: Programming Practices - Error and Exception Handling".
19091 Snapshot is taking longer than expected to complete the procedure ADG_COMPUTE_VIOLATION_STATUSES.
19126 When attempting to run a Mainframe analysis. The analyzer crashes with errors similar to: - Mainframe.14: Potential mismatch between the program and the PSB '<object_name>'. The PCB number 3 has not been found. - Job execution Internal exception occurred during processing listener <item>
19132 When attempting to analyze a C++ application. The following error is displayed in the log: BuildAll.Sources: Missing Sources
19261 When attempting to generate a snapshot. The snapshot runs and does not complete.
19297 Snapshot is taking longer than expected to complete the procedure ADG_COMPUTE_VIOLATION_STATUSES.
19439 When attempting to run a Mainframe analysis. Anarun crashes when analyzing certain Cobol files.
19472 When looking at the source code delivery log in the DMT. The DMT cannot find the parent maven artifact of a specific child maven artifact when other child maven artifacts reference the same parent artifact using a different version number.
19500 When attempting to use the Search in Code tool in CAST Enlighten. CAST Enlighten crashes when running the tool.
19537 When looking at the source code delivery log in the DMT. The DMT cannot find the parent maven artifact of a specific child maven artifact when other child maven artifacts reference the same parent artifact using a different version number.