Version 1.0

Purpose

This page captures the process to be followed while analyzing and publishing applications in Highlight. 

Note: To raise a "CAST Highlight Instance request", use this link: Create Issue - CAST Issue Tracker (castsoftware.com)

      To raise a "Feature Request", use this link: https://jira.castsoftware.com/projects/HLFR

Roles & Access Rights 

CAST Highlight provides three access levels (roles).

  • Portfolio Manager: the administrator. This user has access to all pages in the organization’s CAST Highlight instance and manages applications, domains and campaigns.
  • Application and Domain Contributor: the role traditionally assigned to an application owner. Contributors run the analysis on their applications and upload the results.
  • Result Viewer: the role typically assigned to an executive member of the organization, with read access to the results.

Technical requirements (Prerequisites)

CAST Highlight requirements:

  • Microsoft Windows 8 or later
  • Supported browsers: Google Chrome (recommended), Microsoft Edge, Firefox ESR. Browser versions that are no longer supported by their vendor are not guaranteed to work.
  • Local Agent install/scan: 400 MB free disk space, 4 GB memory
  • Administrator privileges are required to run the installer
  • Source code is available, stored in UTF-8 encoding, and accessible from the machine from which the scan will be triggered.

Application management

The Portfolio Manager is responsible for registering each application in CAST Highlight, setting up the campaign and initiating the email communication that is sent to each Contributor, or application owner. 

1. Creating application records:

Note: If all of the activities below are owned by the Portfolio Manager, there is no need to segregate the tasks among different roles.

  • First, the Portfolio Manager creates a record for each application:
    • Navigate to the Manage Application tab under the Manage Portfolio section
    • Click the Create Application button
  • Enter the following information on the next screen:
    • Application Name – the name that will be displayed in CAST Highlight.
    • Contributors – the team member(s) who will run the analysis and/or fill in the survey.
  • Attach applications to a domain. Portfolio Managers can associate several applications with a domain at once:
    • From the Applications page, select the applications you want to attach to the domain
    • Once your selection is made, click the “Attach applications Here” button
    • To disassociate an application from a domain, select the application, then click the “x Detach Application” button

Campaign Management

Creating and launching a campaign

The term campaign in CAST Highlight is used to describe a set of applications that will be analyzed at a specific point in time. Launching a campaign allows the Portfolio Manager to send a communication to all the registered team members through CAST Highlight. This communication notifies each user that they should start analyzing their source code.

Important note: It is required that applications are associated with a campaign for the Contributors to be able to conduct the analysis and complete the survey.

Analyzing source code in CAST Highlight

To analyze source code in CAST Highlight, follow these steps:

  1. Installing the Local Agent / CLI
    1. Download the Local Agent / CLI under the Application Scans section of the portal.
    2. If the Local Agent / CLI was downloaded some time ago, download the latest version from the CAST Highlight portal before scanning.
  2. Defining your code scan scope
    • CAST Highlight analyzes code at the file level and does not consider the logical links or dependencies between files: every file in scope is treated as part of the application. To obtain accurate and consistent results, especially for Software Composition, take a few minutes to prepare the code scan scope with the file/folder exclusion features of the Local Agent.

      • If you want to identify open source or COTS packages, make sure they are included in the folders you scan (external libraries are generally grouped in a sub-folder named "third-party" or similar, while the main code is often located under "src/main").
      • Exclude test classes unless you specifically want them scanned.
      • Exclude generated code (e.g. *.d.ts, *.flow.js): it is produced automatically by tooling, and the development team cannot realistically manage the software health of that code.
      • For consistent results, keep SCM, build and deployment folders (e.g. .git, .svn) out of scope.
      • If you want insights on frameworks and dependencies whose physical files are not part of the scanned folders, make sure the dependency manifests (e.g. pom.xml, build.gradle, package.json, .csproj, etc.) are in scope.

      Note: At the opposite extreme, if you scan your whole C:\ drive, Highlight will systematically scan every file with the 40+ technologies it supports and attempt to consolidate the different insights (software health, cloud readiness, open source origin, security vulnerabilities...) from that.

      The few minutes spent defining the application scope are recovered later when consuming the software analytics.
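      The scope rules above can be applied before the scan starts by staging a filtered copy of the repository and pointing the Agent or CLI at that copy. The script below is an added example written for this page; it is not part of CAST Highlight or its Local Agent. The exclusion lists, the sample repository layout and the helper names (prepare_scan_scope, count_manifests) are assumptions chosen for illustration and should be adapted to your own repositories.

```shell
#!/bin/sh
# Added example, not CAST tooling: stage a copy of a source tree that applies
# the scope rules above (drop SCM/build/test/generated content, keep dependency
# manifests) so the Agent or CLI can be pointed at a clean folder.
# The three lists below are assumptions for illustration; adapt them per repo.

EXCLUDE_DIRS=".git .svn .hg node_modules target build dist test tests __tests__"
EXCLUDE_FILES="*.d.ts *.flow.js *.min.js"
MANIFESTS="pom.xml build.gradle package.json requirements.txt *.csproj"

# matches_any NAME "PATTERNS": 0 if NAME matches one of the space-separated globs.
# Globbing is switched off while the list is split so '*.d.ts' is not expanded
# against files in the current directory.
matches_any() {
  name=$1; patterns=$2
  set -f
  for p in $patterns; do
    case "$name" in $p) set +f; return 0 ;; esac
  done
  set +f
  return 1
}

# path_has_excluded_dir REL: 0 if any directory component of REL is excluded.
path_has_excluded_dir() {
  old_ifs=$IFS; IFS=/
  set -- $(dirname "$1")
  IFS=$old_ifs
  for c in "$@"; do
    matches_any "$c" "$EXCLUDE_DIRS" && return 0
  done
  return 1
}

# prepare_scan_scope SRC DEST: copy every in-scope file from SRC to DEST,
# preserving relative paths, skipping excluded folders and generated files.
prepare_scan_scope() {
  src=$1; dest=$2
  mkdir -p "$dest"
  find "$src" -type f | while IFS= read -r f; do
    rel=${f#"$src"/}
    path_has_excluded_dir "$rel" && continue
    matches_any "${rel##*/}" "$EXCLUDE_FILES" && continue
    mkdir -p "$dest/$(dirname "$rel")"
    cp "$f" "$dest/$rel"
  done
}

# count_files DIR / count_manifests DIR: sanity checks on the staged scope.
# A manifest count of 0 means Software Composition results will miss the
# dependencies declared by the build, so the scope is probably too narrow.
count_files() { find "$1" -type f | wc -l | tr -d ' '; }
count_manifests() {
  find "$1" -type f | while IFS= read -r f; do
    matches_any "${f##*/}" "$MANIFESTS" && echo x
  done | wc -l | tr -d ' '
}

# make_sample_tree ROOT: constructed repository layout used to exercise the rules.
make_sample_tree() {
  r=$1
  mkdir -p "$r/src/main/java/app" "$r/src/test/java/app" "$r/third-party/lib" \
           "$r/.git/objects" "$r/target/classes" "$r/web"
  for f in pom.xml src/main/java/app/Main.java src/test/java/app/MainTest.java \
           third-party/lib/vendor.js web/package.json web/app.ts web/app.d.ts \
           web/bundle.flow.js .git/objects/abc target/classes/Main.class; do
    : > "$r/$f"
  done
}

# Stand-alone run: stage the sample repo and list what survived the filtering.
demo() {
  tmp=$(mktemp -d)
  make_sample_tree "$tmp/repo"
  prepare_scan_scope "$tmp/repo" "$tmp/scope"
  echo "in scope: $(count_files "$tmp/scope") files, $(count_manifests "$tmp/scope") manifests"
  ( cd "$tmp/scope" && find . -type f | sort )
  rm -rf "$tmp"
}
demo
```

      On the constructed sample, the staged folder keeps pom.xml, src/main/java/app/Main.java, third-party/lib/vendor.js, web/app.ts and web/package.json, and drops the .git and target folders, the test class and the two generated files. Keep vendored third-party code in scope (as here) if you want open source packages detected, and treat a manifest count of zero as a warning that the Software Composition view will be incomplete.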

  3. Running Highlight Scan
    1. Running through the Local Agent:
      1. Open the CAST Highlight Agent from the Start menu
      2. Select the folder containing your source code. You can add multiple folders to be discovered and analyzed by the Agent.
      3. The Local Agent first performs source code discovery: it automatically discovers the files in the specified folders and subfolders and detects the associated technologies.
      4. Once discovery is finished, a scan can be launched from the Local Agent.
      5. The scan report lists the files that were scanned and the files that were excluded, with the reason for exclusion.
      6. Once you confirm the scan results, the Agent lists the frameworks and software libraries used or referenced by your application that were identified during the scan.
      7. Click the “Save Results” button at the bottom right of the screen and specify the folder in which results should be saved. Highlight generates a single .zip file per scan containing all application analysis results. Inside it, depending on the number of distinct technologies and root source folders, the Agent produces one or several result files with the following naming structure:
        - FolderName.Technology.date.csv
        Eg: myappSRC.PHP.05_29_2015_11_17.csv
    2. Running through command line:
      1. Follow the steps as mentioned in the document : CAST Highlight Automated Code Scan (Command Line) - CAST Highlight
  4. Uploading the results: (not applicable if the command line is used to upload the results)
    1. The CAST Highlight Agent produces result files (.csv) which contain the analysis results. The user must upload them to the CAST Highlight portal for the results to be displayed. Follow these steps:
      1. Log in to the portal
      2. Under the Application Scans section, look for the application you analyzed
      3. Click the “Upload Results” button and point to the result file(s) stored in the location you chose when saving the analysis results with the Local Agent.
      4. Once the file is uploaded, a record of the upload is shown on the screen.
  5. Answering surveys: (if applicable)
    1. If the survey is activated for your organization, you will see a “Survey” button on the application. Follow these steps to answer the survey questions:
      1. Under the Application Scans section, click the campaign and then the application.
      2. Click the “Survey” button and answer the questions for each section of the survey.
        Survey progress is displayed at the top of the screen. Once all mandatory information has been entered, you will be able to submit your results; answering all questions is recommended to enrich the data in your organization’s CAST Highlight instance.
    2. If the survey is de-activated for your organization, skip this step and submit the results of the source code analysis (next step).
  6. Submitting the results: (not applicable if the command line is used to upload the results)
    1. Once you have uploaded all the required result files for the application and completed the survey questions (if mandatory), click “Submit” on the application under the Application Scans section.
    2. This step is required to complete the process and ensure the results are populated in the portal.

Note: For complete information about Highlight Analysis please refer: Getting started guide

Useful References

  1. Getting started guide
  2. Highlight Indicators and Methodology
  3. Command line documentation
  4. REST API documentation