Changes in results post upgrade - 8.3.35

Summary:

  • Impacts of changes made to AIP Core 8.3.35 on Quality Model results post upgrade
  • Other impacts of changes made in AIP Core 8.3.35

All changes in results related to extensions are listed in the extension documentation and will not appear on this page.

SAP/ABAP

Avoid unsorted data after SELECT queries - 8134

A bug in the ABAP analyzer has been found to cause false violations when the syntax "sort" uses "[]": e.g. "sort X[] by Y". This bug has now been fixed. This change may impact existing results: you may find that the number of violations decreases.

SAP/ABAP discoverer update

A change has been made to the SAP discoverer. Previously, the discoverer would create only a single project (and therefore Analysis Unit) regardless of the number of SAP extractions provided in the source code delivery (it was assumed that only one extraction would be delivered). This behaviour has now been changed: multiple SAP extractions delivered in one go will result in one project (and therefore Analysis Unit) for each extraction. See also SAP ABAP Discoverer. This change may impact existing results.

Syntax updates

Some changes have been made to the ABAP Analyzer to remove unsupported syntax warnings in the analysis log. This change may impact existing results.

User Input Security

Support for org.owasp.esapi framework

The User Input Security feature now supports the JEE framework org.owasp.esapi. All "getValidate*" methods are now automatically taken into account as sanitization methods for all quality rules. This change may impact existing results.

New rules to support the detection of XQuery Injections

Three new rules have been implemented for JEE and .NET technologies to support the detection of XQuery Injections: 1) "Avoid XQuery injection" (8530), 2) "Avoid second order XQuery injection" (8532), 3) "Avoid XQuery injection through API requests" (8534). This change may impact existing results.

Improved support for .NET UI controls for XSS violations

Improved support for .NET UI controls as targets for XSS violations has been implemented, for example "set_Text" and "set_ImageUrl" methods of control objects. This change may impact existing results.