Page tree

The informational material contained in this section is provided as a courtesy for use by CAST’s clients. The material in this section is not considered part of any CAST product’s official Documentation. CAST does not warrant that the information is current or that it addresses all potential issues. Licensing details are documented on this page: https://www.gnu.org/licenses/lgpl-3.0.en.html

Skip to end of metadata
Go to start of metadata

Version 3.2

Table of Contents

Purpose

This document details CAST’s Agile Onboarding Process along with the checklist templates used. Agile process is recommended to implement in measurement program with management visibility – it helps in quick onboarding with minimal technical documents needed from the application team.

Applicability 

Iterative Agile process is recommended to implement in measurement program with management visibility – it helps in quick onboarding with minimal technical documents need from app teams and helps avoid tunnel effect. Agile onboarding will have three iterations and will not have any custom solution implemented.

Prerequisites for Onboarding

  • CAST Application Intelligence Portal (AIP) is installed and AIP console is installed
  • Supported Technologies/Frameworks
  • Extension to be used if required
  • Operator / Super Operator has access to Console and node 

Out of Scope

  • Rescan and rescan automation
  • Unsupported technologies
  • Clean-ups and retention

Target Audience

  • All Operators and Super Operators who would be onboarding an application

Process Flow With AIP Console

Agile Onboarding Process Overview

Agile onboarding process consist of three iterations -

  1. 'Discover' is applicable to all applications
  2. 'Onboard' is applicable only to those applications where the feedback is received from the application team on the gaps identified during rapid onboarding
  3. 'Integrate' is applicable only if there are customized measurement required by the application team based on the identified use case

Objective

The objective of Agile process are:

  • Minimizing initial questions to app teams
  • Avoiding tunnel effect and maintaining exchanges with app teams on progress of the analysis
  • Bringing visibility and speed in the early stages the CAST programs at customers

Approach Detail

Key inputs required

Steps in Agile Onboarding Process

1. Discover

This iteration consists of three main activities i.e.

  • Qualification of the application
  • Acceptance of the software components provided by the customer and delivering initial measurement
  • Technology and transaction understanding of CAST consultant/architect to the customer. 

As a precondition of a CAST AIP analysis and to qualify the application from a technical and value perspective, CAST recommends gathering high level technical and non-technical information to help and qualify the target application for the analysis. The technical qualification will be used to establish what level of "out of the box" support CAST has for the application, identify any showstoppers such as the use of unsupported technologies or frameworks. It describes guidelines on delivering application source code, packaging source code with CAST DMT, validating alerts, analyzing application first time, discovering application's boundaries (Entry/Endpoints), technology, and missing software components and delivering the relevant reports and initial measurement to the customer.

AIP Product Documentation

    1. Application Qualification process overview: https://doc.castsoftware.com/display/DOC83/Qualification
    2. Application Acceptance process overview: https://doc.castsoftware.com/display/DOC83/Delivery+acceptance
    3. Initial Analysis Configuration overview: https://doc.castsoftware.com/display/DOC83/Review+Technology+and+Dependency+settings

Entry Criteria

Process Steps

  1. Kickoff Meeting: A formal meeting (preferably) has to be conducted - Agenda should be application technologies, availability of software components and introduction to CAST AIP Program
  2. App Qualified: 
    1. FO has to verify whether the software components (source code, database and context diagram) are in line with the technical survey essential 
    2. Service Engagement Sheet has to be prepared to define scope of the application
  3. Add Application in AIP Console: (You can refer the documentation for configuration details @ https://doc.castsoftware.com/display/DOCCOM/CAST+AIP+Console)
    1. Go to settings and check if extensions required for your application are selected.  Ensure that only Product supported extensions & agreed extensions at account level are used – https://doc.castsoftware.com/display/DOC83/Covered+Technologies
    2. Ensure that Global DLM rule files is added in AIP console. Ensure that Automatic Links Validator(AALV) extension is installed.
    3. Ensure that FEAC and UCR extensions are installed
    4. Add the application in AIP Console
    5. Drop the application's source code zip (Below are some of the guidelines on the content of the zip which needs to be uploaded)
  4. DMT Delivery Report: An automated report is generated using tools (PRAM & PRAT)
  5. Analysis Completeness Report: An automated report is generated ( FEAC)
  6. Completeness Check: Check if we are good to proceed further based on the Analysis Completeness Report (if more than 10% of the software components are not analyzed then make go to step 4. 'Run Analysis & Snapshot') To Do
  7. Share Initial Results with customer
  8. App Boundary Definition:
    1. Validate the technologies and frameworks
      1. Validate missing software components
    2. Identify and validate the Entry and Endpoints
    3. Identify and document impact of missing software components
  9. Rapid Discovery Report:
    1. Share the Rapid Discovery Report (FERC) with the FO/Customer

Exit Criteria

    1. Initial measurement delivered to the customer
    2. Rapid discovery report delivered to the customer

Deliverable

    1. Initial Measurement
    2. Rapid Discovery Report (Template Link - Rapid Discovery Report Template)

2. Onboard

This iteration is applicable if and only if the gaps identified as part of the rapid discovery report are filled or we have the complete source code and there is no gap identified during Discover phase. Main activities in this iteration are fine-tuning of the analysis configuration, transaction configuration, review of transaction completeness and validation of dashboard results.

AIP Product Documentation

    1. Fine-tuning of Analysis Configuration - https://doc.castsoftware.com/display/DOC83/Run+and+validate+the+analysis
    2. Transaction Configuration - https://doc.castsoftware.com/display/DOC83/TCC+-+CAST+Transaction+Configuration+Center
    3. Review of transaction completeness - https://doc.castsoftware.com/display/DOC83/Transaction+management
    4. Validation of dashboard results - https://doc.castsoftware.com/display/DOC83/Engineering+Dashboard & https://doc.castsoftware.com/display/DOC83/Health+Dashboard

Entry Criteria

    • Completion of Discover iteration
    • Customer's inputs on the gaps identified as part of the rapid discovery report

Process Steps

  1. Gaps Addressed:
    1. Check whether the open questions as identified in the transaction report has been addressed by the customer?
    2. Ensure that the missing software components are delivered by the application team
    3. In case of gaps that are still open, contact the application team to receive the inputs Or take an Informed exception
    If yes, handover to AO: The Expert has to handover all the application related information along with the relevant report (Rapid Discovery Report)
  2. Upload the new zip again
    1. Reject the current version
    2. Upload the zip code again with the gaps addressed . Best Practices for zip folder:
      1. For Java

        • The folder structure should be the same as it is there in the SCM which project team is using. Including complete hierarchy of ALL .pom and parent .pom files. These files will allow the automated discovery and analysis configuration.

        • In the case of maven project: a copy of the local maven repository should be provided in the zip

        • Library files for Java technology should be present in the zip folder

      2. For .NET
        • Usually, the source code is versioned using tools like SVN or Git. 
        • The best way to deliver source code is to use the CMS and check out the source code of the version that has been selected for analysis. Make sure to NOT include the ".git" or ".svn" folders
        • Include the "bin" folders that contain binaries (debug and/or release assemblies) that are created at build time. They should also contain third-party assemblies.
      3. For Mainframe
        • PDS can not be included in case of AIP console
        • Each application must be delivered in a single folder. 1 file per object type.
        • 1 file per program, 1 file per copybook, 1 file per JCL job, etc in the folder structure as shown in the image below
  3. Modify the zip file/folder and upload, Run analysis again 
    1. Follow all the steps that identified as applicable in step-6 (Setup CMS, Run analysis and snapshot) of Discover phase
    2. Setup Environment & Analysis configuration 

      1. Source code “File Adjustments” (Optional)

      2. “Preprocess” Source Code (Optional) - In some situations, the source code cannot be parsed and must be pre processed. A study should be done first to identify the pre processing rules which must be applied to the source code. Add Pre processor batch file ‘Tools Before Analysis’ under Content Enrichment tab

    3. Verify Framework Settings if there is any issue identified during log / result validation.

      1. Ensure that correct versions of technologies and frameworks are selected

    4. Adding dependencies – add the dependencies between analysis units (if required)

    5. Fine-tune  settings

      1. Choose an Environment Profile if needed (Only Product supported profiles)

      2. Configure include/classpaths according to the technology

      3. Enable User Input Security if it is within the scope of the analysis

  4. KB Inventory Validation (FEAC):
    1. Check if all the technologies/frameworks have been analyzed properly
    2. Check if all the files have been analyzed properly ( Files in DMT vs files in KB )
    3. Validate for the check on 'Unexpected Objects Count' 
  5. Log Validation :
    1. Follow the troubleshooting process to remediate warning and errors by referring to product documentation available at https://doc.castsoftware.com/display/DOC83/Validate+analysis+based+on+log+messages
    2. Document the log validation results: Number of alerts, type of alerts, and tickets raised (if any). In case if any alert is remediated, put up the process of remediation of the alert.
  6. Review Dynamic Links: ( AALV )
    1. Create application-specific DLM rules to resolve the dynamic links
    2. Guidelines to validate the dynamic links are available in https://doc.castsoftware.com/display/DOC83/Validate+Dynamic+Links
  7. Module Configuration : 
    1. Set up the module content according to the client’s requirement
    2. Validate the check on 'Overlapping Objects count'
    3. If no recommendation, retain the Full Content
    4. Guidelines to create user-defined modules are available in https://doc.castsoftware.com/pages/viewpage.action?pageId=200409226
  8. Health Measures Configured :

    1.  In AIP Console, validate all the checks which fall under category - Quality Measures in the snapshot indicators
  9. Architecture Checker Flow:
    1. If the app team has provided the information then configure the Architecture Flows
  10. Security Configuration:
    1. Validate the security settings and results for JEE and .Net applications Dataflow onboarding process for AIP 8.3.3+ ( if it is in scope )
  11. Transaction Configuration (FERC):

    1. Entry point configuration / Data Entity configuration / End of transaction configuration

      1. Trace the transactions based on the entry and endpoints given rapid discovery report

      2. Validate the empty transactions under Incomplete transactions report which will help in the identification of missing links. Document any broken transactions and missing links in Confluence

      3. Create specific entry/endpoints for transactions which have not been identified in the Rapid Discovery Report 

    2. Review Transactions

      1. Verify if there are artefacts with high Data Element Types (DET) / Record Element Types (RET) values. If there are then check the objects with issues and remediate them - Use Snapshot indicator Large SCC count to identify large SCC group. (If the issue still exists, raise a support ticket)

      2. Check the code coverage i.e., validate that all artefacts are covered in the transactions - Use Snapshot Indicator Artefacts in transactions to validate the artefact coverage

      3. If there are a few artefacts which do not belong to any transaction, investigate if they are in scope of module definition

  12. Perform the Function Point validation checks
    1. Transaction Completeness Report: Following will help you to decide whether transaction configuration is complete . 
      1. In AIP Console, validate all the checks which fall under categories Transactions , Functional Size & Enhancement in the snapshot indicator 
    2. Transaction Complete: Verify the above checks to ensure that the transactions are configured properly and complete 
      1. If empty transactions exist, follow the steps below, 

        1. If this is a configuration issue, go back to analysis configuration

        2. If this is a standard framework supported by CAST, raise a Support ticket

        3. Add links between objects that are not recognized by AIP out of the box only if there is an approved workarounds from support and R&D (through the Reference Pattern process, Knowledge Base (KB) update queries, and supported extensions to create missing objects/links)

        4. Once the link is completed in Enlighten, compute in the Transaction Configuration Center (TCC), validate the flow, and continue with activity in Step b.

  13. If FP is enabled, then in AIP Console, validate all the checks which fall under categories - Transactions , Functional Size & Enhancement in the snapshot indicator and FEFC to validate additional transaction configurations and calibrations
  14. Run Snapshot and Validate results:
    1. Run Baseline snapshot
    2. UI validation
      1. Launch dashboard via AIP console
      2. Validate if Engineering Dashboard pages are displaying data correctly e.g., Transaction-wide Risk Index (TwRI) page, Risk Indicator pages, Critical Violation pages, Compare Version pages
      3. If there is an issue with the above step, follow the Troubleshooting Process
    3. Inventory Validation
      1. In AIP Console, validate all the checks which fall under categories - Source Code and validate with the inventory
      2. Validate the number of files, classes, tables, and artefacts per technology. If the numbers are not as expected, follow the Troubleshooting Process
      3. If this check is for maintenance, validate the variation in data from Snapshot Comparison view on HD
    4. Engineering Dashboard Metrics validation:
      1. Check the number of critical violations and validate few of them to see if there are any false positives. If there is any false positive, follow the Troubleshooting Process
      2. Check the other metrics such as Technical Debt, Cyclometric Complexity
      3. If this process is for maintenance, check the evolution
      4. FP count must match with FP count in TCC
    5. Analytics Dashboard Metrics validation:
      1. Consolidate Engineering Dashboard with Health Dashboard , if application is not visible on Health Dashboard ( In case if Integrated dashboard is used, this step will not be required )
      2. Link HD to ED if the navigation from HD to ED is not working ( In case if Integrated dashboard is used, this step will not be required )
      3. Validate that the numbers displayed on Health Dashboard must match with Engineering Dashboard
  15. Verify Analysis Completion Report: Use FEDC reports to ensure that the quality of analysis is good
  16. All Checks Passed: A list of checks are executed at this step to ensure the quality of results - if any check fails then it will lead to a exception review
  17. QA - Onboard phase:
    1. Review the Analysis results, entry and endpoints as defined in the transaction report, validate the smell test results justification, dashboards and delivery report as per the checklist
    2. QA checks to review the process followed so far and give the go-ahead to deliver the refined dashboard to the customer
  18. Consumption Report: ( PRRC and FENF)
    1. Upon the go recommendation ,  the refined measurement and Consumption Report is delivered to the application team
    2. Extensions PRRC and FENF can be used for preparing consumption report

Exit criteria

    • Consumption Report delivered to the customer
    • Refined measurement delivered to the customer

Deliverable

    1. Application Baseline Report (Sample Link - Application Baseline Report_Sample_V2.0

    2. Refined Measurement (Engineering and Health dashboard) 

3. Integrate

This phase is applicable only if there are customized measurement required by the application team based on the identified use case, after the onboard phase. If there are no customization required by the application team then the results delivered as part of onboard phase are the baseline results.

AIP Product Documentation

Entry Criteria

    1. Refined measurement delivered to the application team
    2. An additional requirement from the application team

Process steps

  1. Additional Inputs
    1. Check if there are additional inputs provided by the application team to make any adjustment in the Assessment model, Dashboard and Action Plan 
    2. Inputs for Automation of rescans
  2. Calibration
    1. Rule-based Ignore / Rule-based Deletion / Rule-based Grouping / Rule-based Splitting – manually check the transactions in TCC for further calibration opportunities

      1. Review the Entry & End Points list to avoid duplicate and redundant transactions

      2. Make sure the Data and Transaction filters are not ignoring, deleting, grouping or splitting wrong transactions. If there are such transactions, add them as exceptions by modifying the filter functions

    2. Rule-based value / Rule-based type

      1. Filter grouping rules based on naming, types, inheritance, and free definition

    3. Manual Grouping / Manual Splitting / Manual type Adjustment / Manual FP Adjustment (Optional)

      1. If the transaction configuration requires further calibration, manually make the adjustment

    4. Manual Count Alignment/Functional Reconciliation/Final Configuration on FP/Calibration based on customer’s feedback

  3. Fine-tune Assessment Model
    1. Update the default rule criticality

    2. Update the scoring weight

    3. Update parameterized rules

    4. Update rule descriptions

    5. Exclusion of rules
  4. Include Exclusions in Dashboard
    1. Exclusion of rules

    2. Exclusion of objects

    3. Exclusion of violations

  5. Customization of Action Plan

    1. Build the action plan based on the inputs received from the application

    2. Validate the action plan after creating the action plan

  6. Adjust Automation for Rescans
    1. Validate the Automation set up during the previous iterations
    2. Check the Automation Adjustment needed as per Customer's requirement and make necessary changes
  7. Run Baseline Snapshot
    1. Ensure that the Baseline snapshot is executed if any of the step (1 to 6) in Integrate phase is executed
    2. Delete the previous snapshot and execute the consolidation
  8. Report for zip content for the next release
    1. The report should be prepared in order to get the same format of zip files in the next releases also
    2. It should contain the folder structure which we have got during the onboarding phase
  9. QA - Integrate phase
    1. Review the dashboards and updated delivery report as per the checklist
    2. PQM has to review the process followed so far and give the go-ahead to deliver the refined dashboard to the customer
  10. Baseline Measurement
    1. Upon the go recommendation of PQM, delivery the baseline measurement and updated delivery report/preliminary findings report to the customer

Exit criteria

    • Application baselined in AIP and automated for future rescans

Deliverable

    1. Final Consumption Report with known gaps

    2. Updated Engineering and Health dashboard

Support Process:

  • As explained in the documentation, only approved workarounds can be applied in Agile onboarding approach and to get an approved workaround, we need to raise a Zendesk ticket and ensure that the subject of the ticket is prefixed with [AGILE]. 

Extensions Needed in Agile Approach:

  1. Extension for Analysis Configuration - FEAC

  2. Extension for Rapid Discovery Configuration - FERC

  3. Extension for FP Calibration - FEFC

  4. Extension for Data Collection - FEDC

5. Extension for Unanalyzed code report - UCR

                  Link to download - Click here 

        6. Extension to identify potential nuggets in the analysis results - FENF

                  Link to download - Click here

Product Extensions Needed in Agile Approach:       

  1. Automatic Links Validator : This extension will automatically validate DLMs

       2. Report Generation for Consumption - PRRC

Training Material:

  • No labels