Page tree
Skip to end of metadata
Go to start of metadata

Summary: This page provides instructions for using the Risk Investigation view in the Engineering Dashboard.

Introduction

Accessible from the sidebar menu  or by clicking the Risk Model tile, this view enables investigation of the application risk from the Assessment Model perspective - moving through Health Measures/Business Criteria, Technical Criteria, Rules/Measures/Distributions right down to the objects in violation.

By default, only Business Criteria that are categorised as Health Measures will be displayed in the dashboard. All other Business Criteria that are NOT Health Measures will not be displayed. You can override this behaviour, to display ALL top-level Business Criteria if required - see Engineering Dashboard json configuration options.

Note about changes to source code and the CAST measurement system and impacts on results 

Changes to source code and to the CAST measurement system (i.e. changes made to analyzers, extensions, rules, default Assessment Model etc.) will impact the results displayed in the CAST Engineering Dashboards between successive snapshots. You should therefore be aware of this and any manual updates to the CAST measurement system or the installation of new extension releases should be performed with care as the legitimacy of trend and comparison information greatly depends on the methodology you use for the update. For example, changing a rule from critical to non-critical between snapshots will necessarily impact the cumulative results of any parent technical or business criteria even though no source code has changed.

Data presentation

Data is presented in a series of tables on the left and right hand side of the page enabling you to drill down from a Health Measure to an individual object that is in violation. Take for example the top level list of Health Measures:

Selecting a Health Measure in this table will display all of the contributing Technical Criteria in the right hand section:

When a Health Measure is selected, the first row in the Technical Criteria list will be titled "All Rules...". Selecting this item will display a list of all the Rules that contribute to the selected Health Measure:

Selecting a Technical Criteria will move the Technical Criteria to the left hand side of the page and display all of the contributing Rules in the right hand section:

A Technical Criterion with a score of 0 will never be displayed. A score of 0 can occur when the weight of all the contributing rules have been manually set to 0.

Selecting a contributing Rule will move the item to the left hand side of the page and display details about it (including the list of objects in violation, computing details, and rule/distribution/measure documentation) in the right hand section:

When there are many violations to display, a "Show More" button will be available:

By default, only 10 violations are displayed to improve performance. You can choose to display more using the various options (+10, +100 etc.). By default an upper maximum of 5000 violations is set when the "All" option is clicked. You can change the upper maximum if required (see the violationsCount option in Engineering Dashboard json configuration options).

Finally, depending on the item (Rule, Distribution, Measure), you can do as follows:

Rule

For a Rule the following sections are available:

Architecture Model

To use this feature, your dashboard must be configured with CAST schemas installed with CAST AIP ≥ 8.3.22.

This section is an interactive graphical representation of an Architecture Model (created with CAST Architecture Checker or AIP Console) that has been included in the snapshot. The diagram displays:

  • The allowed layers dependencies as green arrows 
  • The forbidden layers dependencies as red arrows

For each red arrow, the number of violations is displayed. The section will be selected by default instead of the violation section.

The nodes are movable, one can drag and place in the desired position. For each red arrow, the number of violations is displayed. 

When the user clicks on a red arrow, a list of violations is displayed for the objects in violations between the two layers. This is a distinct list of the default view, which contains all the objects in violations irrespective of the layer dependencies.

Users can also use the red arrow (click on the red arrow) to refresh the violation table and view the count of distinct violations between the selected layers and the total violation count.

In the Architecture Model, on selecting the Red - links, user can get the violation details table between the selected layers. A status filter has been added to the table.

User can filter the table content based on status, similar to other tables.

This section display is only for the rule which has architecture model data, when there are no layers it will display a message "No layers available".

Violations

Expand the list of Violations

...to view the objects violating the selected Rule:

Header icons

The following icons will be available:

EducateClick this icon to add the associated Rule to the Engineering Dashboard - Education list.
DownloadClick this icon to export the list of violations to Excel.

Source code

Note that Source Code is not available when viewing data from a previous snapshot.

Select an object in the list of violations to view its source code. In order to focus investigation, source code displayed presents either:

  • the object in violation
  • or the violation details when available (e.g. bookmarks, paths).

Whenever a piece of code is made available, the View File button (seen in the example below) provides the ability to open the entire source code file to get the entire context. The file is opened in a separate browser window. The entire source code is presented plus some context (application name, snapshot reference, file name).

The Rule name/ID is also highlighted using colour (yellow for a standard Rule (as shown below), and red for critical):

Please note that in the current release of CAST AIP, the display of source code is limited in functionality:

  • The source code does not currently show all violations for Rules that reference User Input Security elements, such as:
    • The Rule "Avoid direct or indirect remote calls inside a loop"

When a Rule involves "cyclical calls" such as the rule "Avoid cyclical calls and inheritances between packages", then the source code display is altered slightly as follows. A cyclical call means two packages refer to each other through a call and therefore, the result of this could be a circular dependency. So in this case, the dashboard does not show the detailed source code but the list of packages involved so that we can show where these cyclical calls are located.

If a "copy/pasted" Rule has been selected (for example Avoid Too Many Copy/Pasted Artifacts), a list of objects that have a high level of similarity with the selected objects will be listed:

After clicking on the object in the Violation details table, a separate page will be opened to show the comparable code fragments (see image below - click to enlarge):

  • A tab will open split into two areas (left/right) to display selected component source code and master source code (on left by default)
  • Component Selector exists in two areas so that you can change the component source code display by selecting the item
  • File selector is under component selector (with black background) so that you can see the component source code located in each file

Bookmarks

When results include violation bookmarks in the source code, the dashboard can access more details about the actual occurrence in the object for the current Rule. The violation bookmarks are displayed per occurrence found; the display follows the same pattern as the object source code viewer: each code fragment is associated to its related file and the violation bookmark is highlighted using colour (yellow for a standard Rule, red for critical (as shown below). Multiple bookmarks may be associated to a single occurrence (as shown below):

MORE OCCURENCES button will appear when there are more than five occurrences in the object for the current Rule:

If a violation occurrence contains multiple bookmarks, then the Primary/Secondary bookmark will appear to show the main bookmark and additional bookmarks as shown below. The display follows the same pattern as the object source code viewer, except that the secondary bookmark will be highlighted as blue:

MORE BOOKMARKS button will appear when there are more than five bookmarks in one defect for the current Rule. The color depends on whether the Rule is critical (red) or not (yellow). If you click "View File" button, the lines numbers are highlighted:

OWASP bookmark display

Bookmarks for defects in source code violating OWASP Rules (such as Avoid SQL injection vulnerabilities ( CWE-89 ) ) are displayed slightly differently to help you follow the violation trail within the Application:

  • Call label: this label will be displayed when the object inside the source code calls another object or method
  • Return label: this label will be displayed when the object inside the source code returns to the upper level

You can use the "eye" icon to the right of the list to view the source code file in which the bookmark is located:

Violation details

The Violation details section underneath the Source Code display shows the Violation Name along with the values of the Violation Details (i.e the "Associated Values"):

In addition, where the rule is "parameterized" (only legacy rules), the Parameter Details section will be displayed. The Parameter  Details section displays Parameter Name along with the values of the Parameter Details:

If the Rule does not have any violation details, the message "No violation details for this Rule" will be displayed instead.

Why is that an issue?

You can use the Why is that an issue? option underneath the Source Code display to view the Rationale section of the Rule that has been violated. Clicking the Learn More button will take you directly to a full description of the violated Rule: 

Computing Details

This section displays:

  • the Total checks value which indicates the total number of objects in the Application that were checked against the current Rule.
  • the number of modules in which the current Rule has been checked during the snapshot generation (3 out of 7 in the example below)
  • the % compliance of the Rule. In the example below, the current Rule has a compliance of 18.29% - in other words 18.29% of the objects checked against this Rule were found to have no violations (the higher the number, the better compliance).

  • Expanding the section (using the black arrow as explained above for the Violation list) will provide more detail. In the example below, we can see that:
    • three modules contain objects that were checked against the current Rule. A compliance % is provided for each module along with the number of objects violating the current Rule and the total number of objects in the module that were checked against the current Rule.
    • the compliance of 18.29% for the Total is the compliance percentage for all modules in the Application against the current Rule.

ColumnExplanation
ModuleShows the name of each module that has objects as defined during the snapshot configuration and generation.
Total CheckThe total number of objects in the module that were checked against the current Rule.
Viol.The number of objects in the module violating the current Rule.
ComplianceThe compliance rate for the module - i.e. the percentage of objects in the module that are compliant with the Rule.
The row containing the module name "Total" contains cumulative data for all modules displayed in the section.

Parameter Details

Click Rule, it displays parameter details section. This section displays the parameter name, technology, and value for the selected rule.

Parameter details will be displayed for the current snapshot as well as for the previous snapshot if the rule is "parameterized. The parameter detail section also displays the data for a selected rule when no violations. The parameter section displays a message "No parameter details available" if the selected rule does not have parameter details.

Rule Documentation

Expand the Rule documentation section (using the black arrow as explained above for the Violation list) to view a detailed description of the current Rule:

If there are no Tags associated with the Rule, there will a "No Tag" message in the "Tags" section:

Accessing an object in the Application Investigation view

Clicking the following icon will take you directly to the object in the Application Investigation view:

Distribution

For a Distribution, you can view:

  • How objects in the current Application are distributed: objects are placed into categories depending on the criteria of the Distribution itself. Sections indicate which category the objects fall into: Low/Small (Green)AverageHigh/Large and Very High/Very Large (Red). A Status column displays the status of the object between the current and previous snapshot (unchanged, added, deleted etc.). So to take the example of the Size Distribution distribution:

  • View a detailed description of the current Distribution:

  • View detailed information about each Parameter that contributes to the Distribution metric. For a given Distribution in each snapshot, the contributing Parameters are listed, together with the type of technology involved (Object Type Involved) and the number of objects (Parameter Value) classed in that parameter:

Measure

Measures are listed in the Engineering Dashboard, however, since Measures are never "violated" in the same way a Rule is violated, little information can be displayed other than the documentation. If you require more information about a Measure, please use the Health Dashboard instead:

Table key

All tables that display data in the Risk Investigation mode contain various columns. The table below lists all possible column names and provides an explanation for each:

Health Measure

ColumnExplanation
Displays the number of Violations or Critical Violations added to the current snapshot for the currently selected item since the last snapshot.
Displays the number of Violations or Critical Violations removed from the current snapshot for the currently selected item since the last snapshot.
#Critical / #Violations

Displays the number of Violations or Critical Violations for the currently selected item. This column is also used as the default sorting criteria when items are first displayed.

Previous

Displays a % variation of the number of Violations or Critical Violations in the current snapshot for the currently selected item compared with those in the previous snapshot.

Health Measure
Name of the Health Measure

Technical Criterion

ColumnExplanation
Displays the number of Violations or Critical Violations added to the current snapshot for the currently selected item since the last snapshot.
Displays the number of Violations or Critical Violations removed from the current snapshot for the currently selected item since the last snapshot.
#Critical / #Violations

Displays the number of Violations or Critical Violations for the currently selected item. This column is also used as the default sorting criteria when items are first displayed.

Previous

Displays a % variation of the number of Violations or Critical Violations in the current snapshot for the currently selected item compared with those in the previous snapshot.

Technical Criterion
Name of the Technical Criterion.

Weight

Displays the weight of the Technical Criterion in its parent Health Measure. The higher the value, the more weight the item carries.

Rules, Distributions and Measures

ColumnExplanation
Displays the number of Violations or Critical Violations added to the current snapshot for the currently selected item since the last snapshot.
Displays the number of Violations or Critical Violations removed from the current snapshot for the currently selected item since the last snapshot.
#Critical / #Violations

Displays the number of Violations or Critical Violations for the currently selected item. This column is also used as the default sorting criteria when items are first displayed.

Evolution

Displays a % variation of the number of Violations or Critical Violations in the current snapshot for the currently selected item compared with those in the previous snapshot.

Rules...
Name of the Rule/Distribution/Measure.

Weight

Displays the weight of the Rule/Distribution/Measure in its parent Technical Criterion. The higher the value, the more weight the item carries.

Critical Rule

A red dot in this column indicates that the Rule has been set as critical in the Assessment Model.

Violation

ColumnExplanation

Option to add/remove the violation from the Action Plan or the Scheduled Exclusion List (see Engineering Dashboard - Action Plan for more information). Note that to interact with the Action Plan/Scheduled List, your user login must have the role QUALITY_MANAGER/EXCLUSION_MANAGER roles. These can be assigned at user level (when using Default Authentication mode) or via user or group (when using Standard LDAP authentication). Please see User roles for more information.
Action / Exclusions

Indicates whether the violation has been added to the Action Plan or the Scheduled Exclusion List (see Engineering Dashboard - Action Plan for more information):

Item has been added to the Action Plan.

Clicking this icon will take you direct to the violation in the Action Plan - the violation will also be highlighted.

Item has been added to the Scheduled Exclusion List.

Clicking this icon will take you direct to the violation in the Action Plan - the violation will also be highlighted.

Object Name LocationDisplays the object name, and in the case of file based objects (as oppose to Database objects), the location on disk of the object.
Risk

This value was previously (in the CAST Engineering Dashboard) known as Propagated Risk Index (PRI): it identifies the violations that can impact the largest number of components, involving objects with the largest number of violations pertaining to the Health Measure involved. The formula used to calculate this value is as follows:

PRI = (RPF + 1) x VI

Where RPF and VI equal:

RPF

Risk Propagation Factor (RPF): identifies violations that can impact the largest number of components in the Application. The impact area is computed as follows:

  • Risk Propagation Factor for a Robustness, Performance, or Security Violation is the size of its call path
  • Risk Propagation Factor for a Changeability Violation is its Fan-In
  • Risk Propagation Factor for a Transferability Violation is zero (0).

VI

Violation Index (VI): identifies objects with the largest number of violations, taking into account the weight of the Rules and of the Technical Criteria, for the Health Measure involved. The formula used to calculate this value is as follows

For each object, identify Rules it violates that contribute to a given Health Measure through Technical Criteria. Multiply aggregate weight of the Rule within the Technical Criterion by the aggregate weight of the Technical Criterion within the Health Factor. In other words:

VI = Sum_of_all_rules_violated_by_the_object (Quality_rule_weight * technical_criteria_weight)
Status

Displays the status of the object in comparison to the previous snapshot - e.g.:

  • Added
  • Updated
  • Deleted
  • Unchanged

You can also filter on a status by selecting the column header and choosing the status you want to view:

Clicking this icon will take you direct to the object in the Application Investigation view.

Distribution

ColumnExplanation
Object Name LocationDisplays the object name.
Status

Displays the status of the object in comparison to the previous snapshot - e.g.:

  • Added
  • Updated
  • Deleted
  • Unchanged

You can also filter on a status by selecting the column header and choosing the status you want to view:

Measure

Measures only display the documentation.

Display rules

Each table displays Business Criteria, Technical Criteria and Rules/Distributions/Measures based on the following specific criteria:

  • Items are sorted by:
    • Descending (worst to best) number of Violations in current snapshot
    • If number of Critical Violations/Violations is identical, then the value in the Previous/Evolution columns is then also used to determine the display order
  • If the number of Critical Violations/Violations for an item is equal to 0 (i.e. no violations), the line is greyed out to indicate that this item has no violations and is therefore of no interest for remediation purposes. You can still consult the item by clicking it if necessary.
  • If the variation % in the Previous column is exactly 0, the variation is set to 0.00% and the item is greyed out. The variation % may be 0.00 if:
    • there is no previous snapshot available to make a comparison
    • or there has been no change between the current and previous snapshot
  • If the variation % displayed is 0.00 but has a very slight variation between the current and previous snapshots (for example 0.003), a tilde (~) is prepended to the front of the variation value to indicate the approximate value.
  • When the Previous % is identical to the Baseline %, this means that the Previous snapshot and the Baseline snapshot are one and the same (i.e. only two snapshots exist) or when only one single snapshot exists.
  • N/A is displayed for the variation if there is only one snapshot - the item cannot be consulted.

For Rules only:

  • The word "new" will be displayed in the % Evolution column when a Rule was not violated in the previous snapshot (the word "new" will never be displayed if there is only one snapshot).

Filtering

By default when using the Risk Investigation view, the entire Application content is displayed. However, you may be interested in investigating a subset of the Application (a specific Assessment Model, a specific module or a specific technology). Various filters are available for that purpose in the breadcrumb area, to the top right:

Assessment Model filter

By default the AIP Assessment Model will be displayed, however, if any Industry-standard extensions (i.e. CISQMIPS ReductionOMG-ASCQMOWASP) have been installed, which contain dedicated Assessment Models, you can filter on them:

Click to enlarge


Critical filter will be disabled and noncritical violations information will be displayed in the Risk Investigation view when you switch the assessment model from AIP assessment model to industry standards assessment models (like: CISQ Assessment Model, MIPS Reduction Assessment Model, OMG and so on.)

Modules filter

You can filter results with regard to a specific module in your Application (created during the analysis) - by default "all modules" are displayed. Please note that while drilling down, a technical criteria or a Rule may not apply to a specific module (e.g. a SQL Rule does not apply on a module that would not contain SQL technology, hence if the Rule is selected, filtering on the module to which it does not apply holds no meaning):

You can search for a specific module using the search field:

Technology filter

You can filter on Technologies in your application. By default "all technologies" are displayed:


Applied Filters

You may filter, Modules and Technologies using the Filtering icon/feature. 

Once you select a Module, the selected Module is displayed in the Applied Filters field as shown in the below screen.

You may use the cross button on the filter chip to unselect the filter (Presales module in the above screen) .

Filtering icon is displayed in light shade () when no filters are applied. 

Filtering icon is displayed in dark shade () when filters are applied. 

Note that, some filtering may not be relevant as you drill down. If you are investigating a JEE specific Rule and try to filter on HTML5 technology (for example), we would get no data, hence, to make things clearer, the HTML5 technology filter option is be disabled (lighter grey colour) in this context. This can apply at technical criteria or Rule level and in some rare cases, even from the Health Measure level:


  • When investigating a specific object, the filters are disabled as they are no longer relevant.
  • For numerous reasons (confusion, bookmarks or tiles leading to rules/objects in contexts), the filters are always reset when leaving the Risk Investigation pages. 
  • No labels