Summary: this page describes the new features and bugs that have been fixed in the CAST Dashboard Package 1.7.0.

Content matrix

VersionSummary of contentComments
1.7.0
  • Introduction of "Advanced Search"
  • Introduction of "Snapshot Comparison"


Can be used with:

  • 8.3.3 - 8.3.15

RestAPI documentation

New features

All dashboards

DASHBOARDS-454 - SAML - handle logout if there is no Single Logout service provided in IdP

If SAML authentication is in operation, but no Single Logout service is provided in the IdP, you can now force the dashboard to handle this situation gracefully and display a message explaining what to do.

  • Edit the following file:
CATALINA_HOME\webapps\<dashboard>\WEB-INF\security.properties
  • First check that SAML is indeed enabled:
security.mode=saml
  • Now set the property security.saml.single.logout to false (the default is true which will cause a normal logout to be possible)
# is Single Logout implemented in the customer IDP ?
security.saml.single.logout=false
  • Save the security.properties file and then restart the web application server so that the changes are taken into account
  • Now when users attempt to log out of the dashboard, the following message will be displayed:

Click to enlarge

CAST Engineering Dashboard / CAST Security Dashboard

DASHBOARDS-143 - Advanced Search feature

1.7.0 introduces the Advanced Search feature for the CAST Engineering Dashboard and for the CAST Security Dashboard. This is a feature that allows you to search for an object name based on a list of violations. Filters can be enabled to limit the search scope.

Accessing the Advanced Search feature

The Advanced Search feature can be accessed using the icon in the left hand menu:

CAST Engineering DashboardCAST Security Dashboard

Enabling the Advanced Search feature

"Out of the box", the Advanced Search feature is not enabled and the following message will be displayed:

This indicates that a "violations index" (on which the feature relies) has not yet been generated. To generate the index the following methods are available:

Using the "Diagnostic" GUI


This method requires that the user has the ADMIN role.

Use the following URL to access the Diagnostic page:

http://<server>:<port>/<dashboard>/static/diagnostic.html

This provides an indication of the violations index status based on the "domain":

  • N/A - the domain is mapped to a Measurement Service schema or the Dashboard Service schema was installed with CAST AIP < 8.3.3)
  • toCreate - no index has ever been created for this domain
  • toUpdate - an index exists for this domain, but it is outdated because a new snapshot has been computed since the index creation
  • upToDate - an index exists and is up-to-date. When this status is shown, the index for the Advanced Search feature is ready and available.

In the following example the index has never been generated since the status is set to "toCreate":

Click to enlarge

To generate the index, click the Create/Update Index button. During generation the status "Indexing" will be displayed and on completion, the status will change to "upToDate":

Click to enlarge

Using the RestAPI

This method requires that the user has the ADMIN role.

Use the RestAPI client:

http://<server>:<port>/<dashboard>/static/default.html

Using the following URI with a PUT will generate the index (where <domain> is more than likely set to AED, unless you have custom domains):

<domain>/violations-index

Then use the same URI with a GET will show the index status:

Generating the index when the web application starts

This method will force the violations index to be generated if its status is toUpdate (i.e. the index exists but is out-of-date because a new snapshot has been computed since the index creation) every time the web application is started, i.e.:

  • When the web application host (e.g. Apache Tomcat) starts up or restarts
  • When the web application is restarted through the Apache Tomcat management console
CAST only recommends using this option if your Dashboard Service schema is small - since the index is generated during web application startup, this can impact performance.

Edit the following file with a text editor:

CATALINA_HOME\webapps\<dashboard>\WEB-INF\web.xml

Set the following configuration to true:

<context-param>
	<param-name>rebuildViolationsSearchIndexesOnStart</param-name>
	<param-value>true</param-value>
</context-param>

Save the file. Next time the web application is started the index will be generated.

Using a custom batch file

This method requires that the user has the ADMIN role.

This method is to be used when you have a configuration in the domains.properties file - i.e. multiple "domains". The custom batch will generate the violations index for all the domains configured in the domains.properties file.

Create the following batch files in the CATALINA_HOME\webapps\<dashboard>\WEB-INF folder an then run the launch.bat file to start the index generation:

launch.bat
@echo off
@echo Computing Violations Indexes ...

util.bat > util.log
@echo --------------------------------
util.bat
@echo off
setlocal enableDelayedExpansion
@echo Automated Violations Indexes Creation
@echo -------------------------------------
 
for /F "delims== eol=#" %%D in (domains.properties) do (
	@echo Process %%D/violations-index
	start /B titi.bat %%D
	@echo.
)

In the following file (titi.bat), you need to modify the line starting curl to match your environment:

  • Replace user:pwd with a user that has the ADMIN role and their password.
  • Replace http://localhost:8080/CAST-Health-Engineering/rest/%domain%/violations-index with the URL to your dashboard.
titi.bat
@echo off
prompt $_
setlocal enableDelayedExpansion
set "domain=%~1"
 
@echo Start  %domain% !DATE!_!TIME!
curl -s -u user:pwd -X PUT http://localhost:8080/CAST-Health-Engineering/rest/%domain%/violations-index
@echo  is the response from %domain%
@echo Finish %domain% !DATE!_!TIME!
Note that following the generation of a new snapshot, the violations index status will change to toUpdate, therefore CAST recommends regenerating the index to take into account the data available in the new snapshot.

Using the Advanced Search feature

When the feature is accessed and the violations index has been generated, the following will be displayed:

Left hand panelThe left hand panel provides a set of filters that can be used to narrow down the search cope. Filters are explained in XXXX.
Right hand panel

The right hand panel list the results of the search. Key points:

  • with no search criteria or filters enabled will show all violations available in the currently selected snapshot indicated by the following text:

  • a search field is available for you to enter the object name you are searching for. Results in will be updated in real time.

  • you can download the results to an Excel file for portability requirements:

  • 20 results are shown. Use the Show More button to display additional results:

  • the result lists uses the following columns:
Option to add/remove the violation from the Action Plan or the Scheduled Exclusion List. Note that to interact with the Action Plan/Scheduled List, your user login must have the role QUALITY_MANAGER/EXCLUSION_MANAGER roles. These can be assigned at user level (when using Default Authentication mode) or via user or group (when using Standard LDAP authentication).
Action / Exclusions

Indicates whether the violation has been added to the Action Plan or the Scheduled Exclusion List:

Item has been added to the Action Plan.
Item has been added to the Scheduled Exclusion List.


Object Name LocationDisplays the object name, and in the case of file based objects (as oppose to Database objects), the location on disk of the object.
Status

Displays the status of the object in comparison to the previous snapshot - e.g.:

  • Added
  • Updated
  • Deleted
  • Unchanged
Clicking this icon will take you direct to the object in the Application Investigation view.

Using filters for the Advanced Search

The filters available in the left hand panel enable the search scope to be limited. The following filters can be enabled by expanding the section and selecting with a tick:

Criteria or Rules

Restrict the scope via a Health Measure, Technical Criterion or Rule (or a combination).

Displayed results are union of selected Criteria results, with duplicate violations omitted. Sorting is disabled on this section.

Weight

Restrict the scope via the weight of the rule in its parent Technical Criterion.

Criticality

Restrict the scope via the criticality of the rule (Critical or Non Critical).
Violation Status

Restrict the scope to the violation status in the current snapshot: Added, Updated, Unchanged.

Displayed results are an OR of selected violation status results and AND of other filters selected values (eg : Criteria or rules, Technologies ,Transactions , Critical ,Module) with duplicate violations omitted. Violation status remains selected even after navigating to other views and coming back to Advanced search.

Transactions

Restrict the scope to objects that are classed as transactions.

Technologies

Restrict the scope to the technologies that are present in the current snapshot.

Displayed results are an OR of selected technologies results and AND of other filters selected values (eg : Criteria or rules, Modules ,Transactions , Critical ,Violation status) with duplicate violations omitted.

Modules

Restrict the scope to a module in the current snapshot.

Displayed results are an OR of selected module results and AND of other filters selected values (eg : Criteria or rules, Technologies ,Transactions , Critical ,Violation status) with duplicate violations omitted. Module remains selected even after navigating to other views and coming back to Advanced search.


Note that an indicator will show how many filters have been selected:

CAST Health Dashboard

DASHBOARDS-217 - Add background Image and URL to external tile

It is now possible to configure a tile (not provided "out-of-the box") to show a custom external URL (for example a link to a different dashboard) and a custom background image (rather than a plain colour). The tile configuration is as follows:

{
	"id": 1002015,
	"plugin": "ExternalLinkWithImage",
	"color": "red",
	"parameters": {
	"title": "Tackle your Technical Debt",
	"url":"http://www.castsoftware.com",
	"imageUrl": "https://some_url.com/bg.jpg"
}
},


Note that the "color" parameter will display a small rectangular section under the background image. All text will be displayed in white within this rectangle.

This configuration would give you:

DASHBOARDS-319 - Add a Snapshot Comparison page

A Snapshot Comparison page has been added to provide an easy way to see "at a glance" the differences between two snapshots.

Two or more snapshots are required to use this feature.

Accessing the Snapshot Comparison page

The Snapshot Comparison page is available at Application level and can be therefore accessed from any Application level tile:

Click to enlarge

Using the Snapshot Comparison page

By default the Snapshot Comparison page will display a comparison of the two most recent snapshots, for example:

Selecting a snapshot in the top "Select a snapshot" dropdown will mean that only older snapshots will be available in the "Select an older snapshot" dropdown.

The comparison is based on various metrics:

  • Health Measures
  • Best Practices
  • Technical Size
  • Functional & Enhancement Size

For each metric, a table of data is provided:


Health Measures

Displays health measure grade values with nameolder snapshotnewer snapshot and percentage difference of selected snapshots:

({ [grade of newer snapshot - grade of older snapshot]/older snapshot} * 100)

If the older snapshot's value is zero or both older and newer snapshot's value are zero, the difference will be shown as N/A.

Rule Compliance

difference of selected snapshots:

({ [grade of newer snapshot - grade of older snapshot]/older snapshot} * 100)

Technical Size

Displays sizing metrics with difference of selected snapshots:

({ [sizing measure of newer snapshot - sizing measure of older snapshot]/older snapshot} * 100)

Functional & Enhancement Size

Displays sizing metrics with difference of selected snapshots:

({ [sizing measure of newer snapshot - sizing measure of older snapshot]/older snapshot} * 100)
  • If the older snapshot's metric and newer snapshot's metrics are different, the table displays a message "No value to display. No AFP or enhancement have been computed for this snapshots".
  • If the older snapshot's and newer snapshot's values are zero, the table displays a message "Different sizing metrics available for two different snapshots. Comparison is not applicable".

Customizing the Snapshot Comparison page

It is possible to customize the measures used in the Snapshot Comparison page by modifying the following file:

CATALINA_HOME\webapps\<dashboard>\portal\resources\internal\app-navigation.json

And then updating the following section of the file:

{
	"id": "snapshotsComparison",
	"plugin": "TechnicalSizeMeasures",
	"parameters": {
		"title": "Snapshots Comparison",
		"description": "Snapshots Comparison",
		"groups": [
			{
				"id": "HealthFactors",
				"description": "Health Measures",
				"indicators": ["60012","60013","60014","60016","60011"]
			},
			{
				"id": "RuleCompliance",
				"description": "Rule Compliance",
				"indicators": ["66033", "66031", "66032", "60017"]
			},
			{
				"id": "TechnicalSizeMeasures",
				"description": "Technical Size",
				"indicators": ["10151", "10154", "10155", "10156", "10157", "10158", "10163", "10152", "10107", "10109", "67011", "67901", "67902", "67216", "67217", "67218"]
			},
			{
				"id": "FunctionalWeight",
				"description": "Functional & Enhancement Size",
				"indicators": ["10202", "10204", "10203", "10450", "10451", "10452", "10453", "10440", "10430", "10300", "10310", "10320", "10341", "10342", "10340" ]
			}
		]
	}
}

DASHBOARDS-341 - Adjustments in AEP pages of the Health Dashboard

Various small adjustments have been made to the AEP related pages in the CAST Health Dashboard:

Functional Weight tile renamed

The Functional Weight tile has been renamed throughout the dashboard as Functional and Enhancement Size. All other screens related to this tile have also been renamed:

AFP / AEP / EFP drill down tiles renamed

The tiles available in the drill down page accessible from the renamed Functional and Enhancement Size tile have been renamed as follows:

  • AFP as "Functional Size"
  • AEP as "Enhancement Size (CISQ/OMG)"
  • EFP as "Enhancement Size (CAST)"

Help texts updated

Changed labels in sizing section:

Click to enlarge

Updated help text in Sizing section:

Click to enlarge


 Reorganized the quality section:

Click to enlarge

Updated help text in quality section:

Click to enlarge

Reorganized the complexity section:

Click to enlarge

Updated help text in complexity section:

Click to enlarge


CAST Security Dashboard

SEC-2 - update default tiles

In this release of the CAST Security Dashboard, the following tiles have been added to the default "out of the box" configuration. These tiles display the number of Violations or Critical Violations in the Application for rules that have the selected tag (i.e CISQ-SECURITY, CWE etc.):

  • CISQ-SECURITY
  • CWE
  • OWASP
  • GDPR
  • MISCONFIGURATION

Clicking on this tile navigates to the Risk investigation view with the specific tag selected at the top of the table . "All Rules" will be selected in the Technical Criteria table and the list of rules displayed will all be tagged with the selected tag:

No applicable rules

When no rules belonging to the selected tag have been triggered, the tile displays "No applicable rules":

Critical Violations / Violations

Enabling / disabling the Critical Violations filter will effect the violation count displayed in these tiles:


Notes:

  • All these tiles require that the extension "Quality Standards Mapping" is installed BEFORE a snapshot is generated.
  • The Data Configuration tile that was available in previous releases of the Security Dashboard has been removed from the default out-of-the-box configuration.

SEC-88 Limitations of rules with multi-parents in the Advanced Search results

When using the CAST Security Dashboard with a full assessment model (i.e. not with CAST AIP for Security) rules with multi-parents (i.e. rules that contribute to more than one parent business/technical criterion) may give what may seem like erroneous results in the Advanced Search;

Consider the rule Avoid using Fields (non static final) from other Classes - 4602 which contributes to the business criteria "Total Quality Index (TQI)" and "Security". In "TQI" this rule is considered "critical" and in "Security" it is "not critical". The dashboard cannot correctly display information about this rule in the Advanced Search results since when the critical violation filter is enabled it will return results, and when the filter is disabled it will also return results.