Summary: this page describes the new features and bugs that have been fixed in the CAST Dashboard Package 1.11.0.

Content matrix

Version: 1.11.0

Summary of content:

  • RestAPI APIKEY for SAML bypass
  • Custom tiles/filters based on Quality Standards tags and custom injected tags
  • Parameter details now displayed for parameterized rules
  • Ability to add custom report categories
  • New CODE_RESTRICTED role
  • Background facts tiles

Comments:

Can be used with:

  • 8.3.3 - 8.3.15

Note that starting from release 1.8.0, the CAST Security Dashboard related WAR files are no longer provided.

RestAPI documentation

Resolved issues

Internal ID | Ticket ID | Summary | Affects Version/s
DASHBOARDS-1063 | 17867 | Incorrect description for the rules in engineering dashboard. | 8.3.6
DASHBOARDS-1113 | 18136, 17971 | Health / Engineering Dashboard Landing Page: "Unexpected Error" pop up appears | 8.3.6
DASHBOARDS-1245 | 17486 | [Perm Fix] The value of too many is not defined for rule "PeopleSoft: Avoid Methods with too many parameters" |
DASHBOARDS-1246 | 17485 | X value should be defined in the rule description for a few PeopleSoft rules | 1.9.0
DASHBOARDS-1275 | 18742 | TQI value displayed as 'Unknown value' in health dashboard needs to be changed | 1.10.0

New features - Health/Engineering Dashboards

Custom tiles for Quality Standards tags and custom tags

It is now possible to add one or more custom tiles to the dashboard that will display the number of violations (critical/non-critical violations according to the filter enabled) for rules tagged with a specific Quality Standards tag or manually injected custom tag.

  • For Quality Standards tags, the extension Quality Standards Mapping must be installed prior to generating the snapshot, otherwise no tag data is available and neither feature will return any results.
  • Custom tags can be manually injected at any time - results will be available immediately.

Create a custom tile for the Engineering Dashboard

To create a custom tile, modify (using a text editor - Notepad or other similar application) the following file that is part of your deployed dashboard and add a tile or tiles using the configuration shown below in the profiles > areas > panels section alongside other tiles:

CATALINA_HOME\webapps\CAST-Engineering\engineering\resources\ced.json

Configuration

  • type: tile type has to be QualityStandards
  • parameters:
    • title: Title of the tile
    • id: the Quality Standards or custom tag you wish to view
    • description: a free text field to describe what the tile shows (not shown in the dashboard)
  • color: tile color
  • other parameters for sizing and positioning of the tile - see Tile Sizing and Positioning

Example

This example will display a tile showing the number of violations from rules tagged with the CISQ-RELIABILITY tag:

{
    "type": "QualityStandards",
    "parameters": {
        "title": "CISQ Reliability",
        "id": "CISQ-RELIABILITY",
        "description": "violations"
    },
    "color": "blue",
    "col": 1,
    "row": 12,
    "sizex": 1,
    "sizey": 1,
    "max-sizex": 2,
    "max-sizey": 1
}

Drill down behaviour

Clicking on any of these tiles navigates to the Risk investigation view with the specific tag selected in a drop down at the top of the table - therefore filtering and displaying only rules that have this tag. "All Rules" will be selected in the Technical Criteria table by default and the list of rules displayed in the right hand panel are those that correspond to the selected tag:


Create a custom tile for the Health Dashboard

A custom tile can be added either at portfolio or application level. Therefore to create a custom tile, modify (using a text editor - Notepad or other similar application) the following files that are part of your deployed dashboard and add a tile or tiles using the configuration shown below in the areas > panels section alongside other tiles:

CATALINA_HOME\webapps\CAST-Health\portal\resources\cmp.json
CATALINA_HOME\webapps\CAST-Health\portal\resources\app.json

Configuration

  • id: each custom tile must have its own unique ID within cmp.json / app.json
  • plugin: must be QualityStandards
  • color: tile color
  • parameters:
    • title: Title of the tile
    • qualityStandards:
      • id: the Quality Standards or custom tag you wish to view in the tile
      • description: a free text field to describe what the tile shows (not shown in the dashboard)
      • format: the format in which the value is displayed; it uses the format syntax defined in numeral.js (see http://numeraljs.com/ for the available number formats)

Example

This example will display a tile showing the number of violations from rules tagged with the custom CUSTOM-TOP-PRIORITY-RULES tag:

{
    "id": 2103,
    "plugin": "QualityStandards",
    "color": "green",
    "parameters": {
        "title": "My Top Priority",
        "qualityStandards": {
            "id": "CUSTOM-TOP-PRIORITY-RULES",
            "format": "0,000",
            "description": "Violations"
        }
    }
}

Drill down behaviour

Clicking on any of these tiles will display a list of the rules that have been tagged with the specified tag:


Injecting custom tags

It is now possible to manually inject custom tags into the Engineering and Health Dashboards so that they can be exploited in Custom Tiles.

Prerequisites

  • Dashboards ≥1.11.0 must be used.
  • When injecting into AED (i.e. Dashboard Service schema), the Quality Standards Mapping extension MUST be installed, otherwise the required column in the aed_quality_tags_doc table does not exist. However, provided that the extension is installed, a schema from any release of AIP can be used.
  • When injecting into AAD (i.e. Measurement Service schema), the only requirement is that a schema from AIP ≥ 8.3.15 is used. The Quality Standards Mapping extension is not required.

Process

Tags are injected using CURL. For example:

curl -X PUT --header "Content-type: text/csv" --user username:password --upload-file D:\temp\data.csv http://{server}:{port}/{dashboard}/rest/{domain}/custom-quality-tags

Where:

  • -X PUT: use this to tell CURL to use a PUT instead of a GET (the default action).
  • --header: this specifies that the uploaded content will be in CSV format.
  • --user username:password: you need to authenticate with the dashboard. Enter your username/password.
  • --upload-file: enter the path to the CSV file containing your custom tags and corresponding rule IDs - avoid paths with white space in them. The .CSV file should be formatted with an initial header line containing the Rule ID;Tag pair and then each following line is a rule ID and your tag:
    • You can upload multiple custom tags in one CSV file
    • Multiple custom tags can be assigned to one single rule
    • Custom tags must always start with CUSTOM

    For example:

    Rule ID;Tag
    3626;CUSTOM-TOP-PRIORITY-RULES
    2236;CUSTOM-TOP-PRIORITY-RULES
    7392;CUSTOM-TOP-PRIORITY-RULES
    7390;CUSTOM-TOP-PRIORITY-RULES
    3558;CUSTOM-MEDIUM-PRIORITY-RULES

  • URL to CAST dashboard: use the following URL format:

    http://{server}:{port}/{dashboard}/rest/{domain}/custom-quality-tags

    Change the following to your own environment:
    • {server}:{port}
    • {dashboard}
    • {domain} either AAD (Health) or AED (Engineering)
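As an added example (not part of the CAST documentation or product), the following Python script validates a custom-tags CSV against the rules above before anything is uploaded and builds the PUT request for the URL format shown here; it also accepts the X-API-KEY / X-API-USER headers described later under RestAPI APIKey for SAML authentication, since a script like this is exactly the kind of non-browser client that cannot complete SAML. The function names, the sample CSV content and the server/dashboard values are assumptions, not taken from the page.

```python
import base64
import csv
import re

# Constructed sample (not from the page) in the Rule ID;Tag format described above.
SAMPLE_CSV = """Rule ID;Tag
3626;CUSTOM-TOP-PRIORITY-RULES
2236;CUSTOM-TOP-PRIORITY-RULES
3558;CUSTOM-MEDIUM-PRIORITY-RULES
3626;CUSTOM-MEDIUM-PRIORITY-RULES
"""
TAG_RE = re.compile(r"^CUSTOM[^\s;]*$")  # must start with CUSTOM; no blanks or ';' (assumed)


def parse_custom_tags(text):
    """Validate the file and return {rule_id: sorted tags}; raise ValueError on bad input."""
    reader = csv.reader(text.splitlines(), delimiter=";")
    if [h.strip() for h in next(reader, [])] != ["Rule ID", "Tag"]:
        raise ValueError("first line must be the header 'Rule ID;Tag'")
    tags = {}
    for lineno, row in enumerate(reader, start=2):
        if len(row) != 2:
            raise ValueError(f"line {lineno}: expected exactly 'ruleId;tag'")
        rule_id, tag = row[0].strip(), row[1].strip()
        if not rule_id.isdigit():
            raise ValueError(f"line {lineno}: rule ID {rule_id!r} is not numeric")
        if not TAG_RE.match(tag):
            raise ValueError(f"line {lineno}: tag {tag!r} must start with CUSTOM")
        tags.setdefault(int(rule_id), set()).add(tag)  # several tags per rule are allowed
    return {rid: sorted(ts) for rid, ts in tags.items()}


def build_upload_request(server, port, dashboard, domain, csv_text, auth):
    """Return (method, url, headers, body) for the custom-quality-tags PUT.
    auth is ("basic", user, password) as in the curl example, or ("apikey", key, user)
    for the X-API-KEY / X-API-USER headers used under SAML (note: that key grants ADMIN)."""
    if domain not in ("AAD", "AED"):
        raise ValueError("domain must be AAD (Health) or AED (Engineering)")
    parse_custom_tags(csv_text)  # never upload a file that breaks the format rules
    url = f"http://{server}:{port}/{dashboard}/rest/{domain}/custom-quality-tags"
    headers = {"Content-type": "text/csv"}
    kind, first, second = auth
    if kind == "basic":
        headers["Authorization"] = "Basic " + base64.b64encode(f"{first}:{second}".encode()).decode()
    elif kind == "apikey":
        headers["X-API-KEY"], headers["X-API-USER"] = first, second
    else:
        raise ValueError("auth must be ('basic', user, password) or ('apikey', key, user)")
    return "PUT", url, headers, csv_text.encode("utf-8")
```

The returned tuple can be handed to any HTTP client; the validation step rejects a missing header, a non-numeric rule ID or a tag that does not start with CUSTOM before the request is built.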

More information

For more information about Custom tags injection and removal, see Injecting custom tags.

New features - CAST Health Dashboard

No new Health Dashboard specific features in the release.

New features - CAST Engineering Dashboard

RestAPI APIKey for SAML authentication

If you have enabled SAML authentication mode for your CAST Dashboard/RestAPI deployment, some client applications may not be able to authenticate. This is because SAML is designed as a single sign-on mode for browsers, so non-browser clients cannot use the protocol. To resolve this, CAST provides the ability to define an API Key in the CAST dashboards/RestAPI that can be used to bypass SAML authentication.

How does this work?

  • SAML authentication mode is enabled and configured for your CAST dashboard/RestAPI deployment
  • In addition, an API Key is defined in the security.properties file in your CAST dashboard/RestAPI deployment
  • The API Key is used instead of a password to authenticate
  • Clients must use two specific HTTP headers to ensure that the API Key is used
    • X-API-KEY: the API Key matching the key defined in the security.properties file
    • X-API-USER: a defined user name to obtain a CAST dashboard/RestAPI role and data authorization
  • When an API Key is used to bypass SAML mode, the user will be automatically granted the "ADMIN" role even if this role has not explicitly been granted to the user in question.

You can find out more about this in RestAPI authentication using an API key.

Add a custom list of tags

It is possible to configure a list of tags (Quality Standards tags or manually injected custom tags) that can be displayed in a drop down filter in the Risk Investigation view. To do so, modify (using a text editor - Notepad or other similar application) the following file that is part of your deployed dashboard:

CATALINA_HOME\webapps\CAST-Engineering\engineering\resources\ced.json

Add the feature in the "configuration": { section at the start of the file:

"ruleTag": ["tag","tag"],

For example, the following configuration adds two tags (OWASP and CWE):

{
	"description": "used as a placeholder for as much as possible relevant default application parameters, please do not edit manually",
	"configuration": {
		"defaultLanguage": "English",
		"description": "To configure new language for application, define customLanguages as [{'label': 'languageName', 'value': 'localeFolderName'}]",
		"customLanguages": [],
		"requestAccess": false,
		"confirmLogout": true,
		"filterHealthFactor": true,
		"violationsCount": 5000,
		"ruleTag": ["OWASP", "CWE"],


Note that when drilling down from the Risk Investigation tile, the drop down tag list is not displayed when a Health Measure is selected, instead, you will need to select a child Technical Criteria or the All Rules option.

DASHBOARDS-830 - Easy method for locating violations added to Action Plan or Exclusions list

The icons displayed in the violation lists in the Application Investigation, Risk Investigation and Transaction Investigation views to depict violations that have been added to the Action Plan or Exclusion list are now clickable. Clicking the icons will take you direct to the Action Plan/Exclusion List and highlight the violation.

Icons that are now clickable:

Highlighted violation on clicking an icon:

DASHBOARDS-988 - Ability to view parameter names and values for parameterized rules

After selecting any "parameterized" rule (legacy rules only), a Parameter Details section is now shown under the "Violation Details" section. The Parameter Details section displays each parameter name together with its value.


DASHBOARDS-1196 - Ability to add a Custom Report category

It is now possible to add your own Custom Report category, alongside the existing default "Custom Report" category. This custom category can then be populated with custom reports in exactly the same way as the default "Custom Reports" category. See Report Generation configuration for more information.

DASHBOARDS-1173 - Improvement to Show More button

The behaviour of the Show More button has been improved in this release. Now when choosing to show additional violations using the +10, +100 or All options, the list of violations will anchor to the next set of violations instead of resetting and anchoring to the start of the list. The Show More button is available in various pages throughout the dashboard:

DASHBOARDS-1212 - Basic Search results now exclude critical rules when "Only critical violations" filter is active

The Basic Search will now exclude rules flagged as critical from the search results when the Only critical violations filter is active. When searching for a non-critical rule and the Only critical violations filter is active, a message will be displayed stating No results were found to match your search. In previous releases, non-critical rules were included in the search results even when the Only critical violations filter was active.

Basic Search and Only critical violations filter are located in the top menu bar

DASHBOARDS-1215 - Background Facts tiles

It is now possible to configure a tile to display Background Facts that you have manually configured and uploaded during the snapshot generation (see Background Facts and Business Value Metric upload). The tile can display information about one metric that you have defined in the uploaded Background Facts file. See Engineering Dashboard tile management for more information about configuring the tile.

DASHBOARDS-1238 - New CODE_RESTRICTED role

A new role has been implemented in this release: CODE_RESTRICTED. This role can be granted to users who do not have the right to view source code in the Engineering Dashboard. For example:

  • when drilling down in the Risk Investigation view
  • when drilling down in the Action Plan and Exclusion lists
  • when clicking More Violation Paths for security based rules

To enable the role, see User roles. When enabled, a message is displayed in the dashboard as follows:


DASHBOARDS-1250 - Advanced Search - Transactions ordered by TRI value and ability to filter on Business Risk driver

The Advanced Search for Transactions has been modified:

  • Transactions are now ordered by risk level, i.e. by Transaction Risk Index (TRI) value. TRI is an indicator of the riskiest transactions of the application: the TRI number reflects the cumulative risk of the transaction based on the risk in the individual objects contributing to the transaction. The TRI is calculated as a function of the rules violated, their weight/criticality, and the frequency of the violation across all objects in the path of the transaction. TRI is a powerful metric to identify, prioritize and ultimately remediate the riskiest transactions and their objects.
  • It is possible to filter based on a Business Risk driver such as Efficiency, Robustness, Security or None

DASHBOARDS-1288 - Add custom filters to Action Plan based on 'Comment', 'Priority' and 'Status' columns

In the Action Plan list it is now possible to filter the table by Priority, Status and Comment columns. The count for 'added', 'pending' and 'solved' will therefore adjust depending on the selected filter. Filter icons are now added to the column headings:

When the filter headings are clicked, a drop-list will be displayed offering various options as follows:

  • Priority - available options are the same as those provided when adding a violation to the Action Plan, with the addition of All tags. These tags are defined in the ced.json file under the "tag" item - see Engineering Dashboard json configuration options.
    • low
    • moderate
    • high
    • extreme
    • All tags

  • Status - options are set by default and cannot be edited: added, pending, solved.

  • Comment - type in the "SEARCH ON COMMENTS" box on the right hand side. When no match is found for the search text, "No Violations found" is displayed.

DASHBOARDS-1346 - Export rule details to XLSX file from Application Investigation view

It is now possible to export rule details to an Excel compatible XLSX file from the Application Investigation view:

The resulting XLSX file will contain the following details: