This guide troubleshoots the issue of missing quality rule. Below screenshots are examples to illustrate the different ways of finding out whether a Quality Rule is missing from the Dashboard.
When a Quality Rule which has not been calculated, is searched for, the Quality Rule is grayed out in the search results.
In the below screenshot you can see that the Quality rule "Method override fails due to mismatch of const/volatile qualifiers" is grayed out with no result.
When trying to access from quick access, this quality rule will not be displayed under the Metric Selection section.
In the below screenshot Quality Rule for JEE, shows 0 results when searched under list of Quality Rule for JEE
Another way of identifying that the Quality Rule is missing is in the FRAME_METRIC_DETAIL view. Note that this view is deprecated.
In the below screenshot the Quality Rule - Method override fails due to mismatch of const/volatile qualifiers is missing.
For more details on what is a quality rule refer to - Metrics and Quality Rules Documentation
Step by Step scenario
- Run analysis followed by snapshot
- Launch Cast Engineering Dashboard
- Search for a quality rule and you can see that the quality rule is greyed out in the search results
OR compare two versions of snapshots and you can see that N/A is displayed for one of the snapshots
To troubleshoot this issue, you need the following Relevant input
Perform the below actions:
- For custom quality rules refer to the section - #Custom Quality Rules
- Otherwise, check if your case is listed in the Known Cases
- Next, if the missing quality rule belongs to COE then refer to section Quality rules belongs to COE languages
- Then check if the Missing quality rule is because of the incorrect exclusion list
- Check if the metric weight is 0. As of CAST 8.3.30, AAD consolidation will filter zero weights and null grades.
- To check, run the following query: select * from dss_metric_type_trees where aggregate_weight = 0 and metric_id = XXXX
- To update, run the following query: update dss_metric_type_trees set aggregate_weight = 1 where metric_id = XXXX
- After any changes, the snapshot should be either re-generated or consolidated to take the metric tree changes into effect
- Queries are run on the central database
- Next, Check if Total and detail procedures have been executed during the snapshot generation
- If none of the procedures are executed then:
- Check if the metric has been disabled . If the Quality rule is not disabled and still you are getting the Quality rules as grayed out then contact CAST Technical Support with Relevant Input
Check if the Quality rule was detected during the snapshot generation, for that run the following on the knowledge schema
SELECT description FROM dss_history WHERE description LIKE '%PROC NOT FOUND%<metric_id>%' ORDER BY history_id
Replace <metric_id> by the Id of the Quality rule
Query result sample:
"PROC NOT FOUND SET_VantiveBasic_Function 2800002 SET_VantiveBasic_Function";"2018-04-04 16:16:59.441";34770 "PROC NOT FOUND SET_VantiveBasic_Sub 2800003 SET_VantiveBasic_Sub";"2018-04-04 16:16:59.453";34771
If the query returns no rows, then there is an issue in the implementation of the Quality rule,contact CAST Technical Support with Relevant Input
- Check if the issue is not due to the fact that the QR is present in the application but not in the union content module, for this refer to SQL Queries - CAST Central Base - Corruptions on Quality rule - How to check if a Quality rule is calculated at the application level but not at the union content module and vice versa, if yes following the steps present in the page in order to correct the corruption, else go to the next step.
- Check if the issue is due to the change in applicable technologies of assessment model for the rule between 2 snapshots.
- Check if issue is due to the fact that assessment model data is not loaded during snapshot using query - SQL Queries - CAST Management Base - How to check if an assessment model data is loaded properly during snapshot. If the query is not returning any result then you can take a snapshot skipping analysis.
- If above steps did not help then contact CAST Technical Support with Relevant Input
For CAST Technical Support only , refer to page CAST Engineering Dashboard - Missing Quality Rules - Find the component with the bug - CAST Internal
- Screenshot of the dashboard showing the name of the quality rule that is greyed out in the search box.
- CAST Support Tool (CST) - alias Sherlock export with source code of current version.
- In case the diagnostic is missing after migration then the CAST Support Tool (CST) - alias Sherlock export of previous version with Source code (If the previous environment is not available to generate Sherlock then the management and Knowledge Base backup and source file containing the object that is expected to be in scope of Quality Rule / violation but is not)
- In case the metric deals with database objects then extraction logs of both versions (This log is fetched by Sherlock if you have used DMT else if you have used standalone extractor then provide this manually).
Custom Quality Rules
To verify if the missing quality rule is a custom quality rule run the below query on central Database -
select METRIC_ID from DSS_METRIC_DESCRIPTIONS where METRIC_DESCRIPTION like '%metric_name%'and language = 'ENGLISH'
select METRIC_ID from DSS_METRIC_DESCRIPTIONS where metric_description like 'Avoid Artifacts with High Integration Complexity (IC > X)%' and language = 'ENGLISH'
How to interpret the result - Here the metric_id returned by the row is 6604 which is < 2000000 , if the result of the query is > 2000000 then the quality rule is a Custom rule.
If it is not a custom quality rule then proceed to step 2 in Action Plan
If the quality rule does not return any row it means that the rule is not created in the database. To solve this problem follow the below steps -
- Launch Servman
- Right click on mngt / CB / KB and click on Load Metamodel
- Launch the analysis + snapshot again
After loading the metamodel if you are still facing the issue then check if the DSS_METRIC_DESCRIPTIONS table is empty by running the following query -
select * from DSS_METRIC_DESCRIPTIONS where METRIC_ID > 2000000
If you are not able to find in the list the missing quality rule it means that the scope of the quality rule is empty.
Goto section Check if Total and detail procedures have been executed during the snapshot generation
If you get the case where Total count =0 and Detail count =0, then ask the author of the customized procedures to fix the issue, this is out of scope of CAST Technical Support.
In order to enable the XXL tables diagnostics it is necessary to provide the table row size information by following the below documentation page -
CMS - How to enable the XXL Quality Rules using the Table Size Folder
After following the steps mentioned in the above page, generate a new snapshot. If you are still facing the issue then go to step4 of the CAST Engineering Dashboard - Quality rule - Missing Quality Rule Action plan - check if the Missing quality rule is because of the incorrect exclusion list
The data flow diags are the ones given this list - QRL - Secure Coding - Input Validation
The User Input Security feature in the CAST Management Studio enables you to detect improper user input validation in the source code included in your Application that can lead to some security vulnerabilities.
If you would like to include User Input Security checks in his application analysis, you first needs to activate the option by selecting the Activate User Input Data Security Flow Security Analysis option within the User Input Security tab of the application Editor.
So you need to check the following:
If the anlysis has been ran. For instance, when migrating, it is required to run a snpashot with analysis. To check whether the analysis has been ran,
Look for the FINAL_JOBANA keyword in the DSS_HISTORY on the local. You should find the following two lines twice: one for the analysis job, one for snapshot preparation assistant job.
|END FINAL_JOBANA 261||9/6/2012 8:35:10 AM||82507|
|Start FINAL_JOBANA 261||9/6/2012 8:35:10 AM||82506|
Get the job ID (in the above example, the job ID is 261)
Knowing the job Id, search in the Sherlock Logs.log file the corresponding job type:
Information: Get Anaman UP & Jobs from LOCAL: idusrpro usrprojname uplogpath idjob jobname jobtype jobversion joblogpath 260 KB Information Finalization 261 Snapshot Preparation Assistant 3001 708 $(LogRootDir)\$(KBProfileName)\$(UPName)\$(JobName)-$(Date,"%Y%m%d-%H%M%S")
In the above example, the job type is Snapshot preparation assistant.
If the analysis has been run, you should see traces about analysis job. Else, the analysis job has not been run.
- If analysis and snapshot generation are made with CAST MS
- If the option 'Activate User Input Data Security Flow Security Analysis is activated within the User Input Security tab of the application Editor in CAST MS. You can check this in CAST MS Log file. You can also ask for a screenshot of the User Input Security tab of the application Editor in CAST MS.
- If analysis and snapshot generation are not made with CAST MS or If analysis and snapshot generation are made with CAST MS but the option Activate User Input Data Security Flow Security Analysis has not been activated, you should proceed as follows:
- Enable the option Activate User Input Data Security Flow Security Analysis in the User Input Security tab of the application Editor of CAST MS
- Run analysis with CAST MS
- Generate snapshot with CAST MS.
- If analysis and snapshot generation are made with CAST MS and the option Activate User Input Data Security Flow Security Analysis is activated, perform the following steps to diagnose the issue:
- Empty your LargeStorageArea folder.
- Compute snapshot in CAST MS.
- In largeStorageArea/LISA, find the file TempFlaws.xml, which is the flaw specification used by the dataflow analyzer.
- In largeStorageArea, find the folder (LISA/CASTMSApplicationXX/SourceLocationYY/ or LISA/$appuuid/SrcYY/ ) containing the following files: BuildAgent.bytecode, BuildAgent.symbols, BuildAgent.cwmmid, BuildAgent.flaw, BuildAgent.datatransfer.
- The file BuildAgent.flaw contains the results of the user input analyzer. Each flaw is represented by a “flawTrace” xml element, under “dataflowResults” section.
- If your dataflowResults section does not contain anything, it means:
- There is actually no security flaw found.
- There are resolution errors during analysis.
- Check analysis logs if there are resolution errors (ex: “could not resolve xx as a method”, etc.) and try to fix those errors first:
- Errors on namespaces specified in TempFlaws.xml. (example in Java: you must not have resolution errors on “javax.servlet.”, or “java.sql.”)
- Error on methods that refers inputs/targets specified in TempFlaws.xml. (example in Java: you must fix errors on MyClass.MyMethod because it refers directly javax.servlet.ServletRequest.getParameter)
- Errors related to assemblies like Failed to load assembly,Failed to resolve assembly and could not find load type or assembly.
These error can be resolved by excluding the files for which the error has occurred. The impact of excluding the files on analysis are missing links and those files will be absent from analysis. This issue is fixed in CAST version 7.3.4
- To diagnose more quickly, you can use flawExplorer. It just computes security analysis without running snapshot, or source code anlalysis. Ensure flawExplorer is configured correctly for your technology. Specify your bytecode folder (LISA/CASTMSApplicationXX/SourceLocationYY/) and click to “synchronize”.
- If the above steps does not resolve the issue, refer to the dedicated page for these rules CAST Engineering Dashboard - Quality Rule - Missing Quality Rule - Dataflow security diagnostics
When checking the dashboard results, you can see that PL\SQL rules (as “Avoid "SELECT * queries”) are missing when your analysis contains FORMS objects.
In 7.3.x and 8.0.x, the PL/SQL rules are not fired because it has not been implemented. This is a regression as PL/SQL quality rules were fired for FORMS objects in 7.0.
This is a limitation in the new Forms Analyzer that is missing this feature. This feature may be implemented in 8.2 CAST version.
Missing SQL diags are
Java: Track classes referencing database objects.
Java: Avoid SQL Artifacts with queries on too many Tables.
Java: Avoid SQL Artifacts with SQL statement using Group By clause.
Ask the customer if he is using external sql files in his source code. It is the case if sql is written in key value format in the .properties files.
For CAST support only, if these SQL diags are missing and SQL queries are written in some external files like in properties file. Refer to the following confidential page to see how to parametrize the J2EE job using the steps given in below link - CMS Assessment Model - Information - Managing SQL queries externalized in .properties - CAST Internal
If NA is displayed for Complexity - SQL Queries Technical Criteria and it's Quality Rules, then refer to: CAST Engineering Dashboard - Quality Rule - Missing Quality Rule - Dashboard displays NA as the grade for Complexity SQL Queries criteria and Quality Rules
If the diagnostics are still missing, go to step 4 of Action Plan - check if Missing quality rule is because of the incorrect exclusion list
Here we are considering the Quality Rule "Avoid definition of synonym as PUBLIC in PL/SQL context" as an example to demonstrate.
When there is any rule with respect to synonym and it is disabled, it is likely that the synonym has not been extracted since it belonged to another schema.
To investigate on this topic you can first check the module content overview in the CMS as shown below :
As seen in the above screenshot there are 492 object types which are unknown. Taking this into consideration you can check in the KB for the type ID of these unknown objects by executing the below query :
select * from typ where lower(typdsc) like '%unknown%';
From the result pick the type ID of the unknown object types - "CAST_Oracle_ExternalSchema" & "CAST_ANSISQL_ExternalObject" i.e. 140519 and 140539. Taking these type IDs we will find the objects belonging to these types by running the below query on KB:
select * from l730_29582_asd.keys where objtyp in (140519,140539);
From the above query we get the name of the object say TES_TYPE_ELEMENT_STRUCTURE.
In the KB for the current analysis the type is unknown. But in the CB which will have this object already stored for previous version of snapshots, the type will not be unknown but the real type. So we take the name of the object from the KB and check the object type in the CB by running the below query :
select * from <Central_Base>.dss_objects where object_name like '%TES_TYPE_ELEMENT_STRUCTURE%';
Pick the first two objectIds 140584 and 138017 & query the typ table to check their types by running the below query in KB :
select * from typ where idtyp in (140584,138017);
From the above results we can see that the object TES_TYPE_ELEMENT_STRUCTURE is a synonym and it has been extracted from different instances, make sure that if you have extracted all the schemas & that all the schemas are under one instance/machine.
Find a related page for additional information - Source Extractors - SQL PLSQL - Information - How to modify server name without generating added or deleted DB objects for the PL-SQL offline analyzer
Example of such quality rules are
• Avoid many-to-many association.
• Avoid using references to the id in the persistent class's method equals()
• Persistent class method's equals() and hashCode() must access its fields through getter methods
• Persistent classes should Implement hashCode() and equals()
If any of the above quality rules are missing from the dashboard then the reason for this is hibernate profile not being selected in the CMS for analysis.
If you see that there are new quality rules in the current version of snapshot n and absent in snapshot n-1 though the source code has not changed and if the rules are related to Hibernate, then compare the previous analysis log with the current one to see if Hibernate profile is not selected in the previous analysis and is selected in the current analysis log which will explain the reason for this behaviour.
If you have used hibernate 3.3.2 or any higher version upto 4.0 in source code, but in CMS version 7.3.4 the last available hibernate version is 3.2 then you may select it for your analysis. The hibernate objects should be analyzed and the related quality rules should also be fired.
If you observe that hibernate diags are missing after installing a new service pack, the reason could be that you were using a custom hibernate profile before installing the Service pack. You deleted the associated file to the custom profile from the flat to be able to install the service pack, then you forgot to put the file back. Because the Hibernate file is missing, JPA entities are not created leading to missing diags in the dashboard.
To check this, go through J2EEE analysis log file, you should find a warning message like this:
Warning UNKNOWN ; Job execution Failed to analyze configuration file 'I:\LargeStorageArea2\LTSA\xxxx\Scr101\JavaTemp\Hibernate 4.0-4.3 JPA2\Hibernate 3.6-4.0 Annotations.xml'\n Queries files '<CASTflat>\EnvProf\J2EE\Hibernate\cast-hib-annotations-config-3.6-4.0.xml' not found. 0 ; 0 0 jspprse32\jsperrorhandler.cpp 567 JSPPrse32 0 0 jspprse32\jsperrorhandler.cpp
In the above message, the warning is there because the '<CASTflat>\EnvProf\J2EE\Hibernate\cast-hib-annotations-config-3.6-4.0.xml' file associated to the 'Hibernate 4.0-4.3 JPA2' customer environment profile is not in the flat directory.
To solve the issue, review your configuration to include properly the environment profile. Then rerun analysis to get the JPA entities created and getting the diag in your dashboard.
When examining the dashboard when CAST AIP version 8.2.x where x < 3 and a re-analysis has been done, the metrics on a re-analysis can be seen to disappear and then reappear on the next analysis.
This has been fixed in CAST 8.2.3 and is documented here:
Quality rules that belong to COE languages
If the quality rule belongs to any of the following technologies then refer to this section - EGL , Flex, Fortran, PeopleSoft, PHP, PL1, RPG, Shell, Siebel, TIBCO
In case of these technologies the default assessment model that is already present in CMS will not contain the Quality Rules specific to these languages.
So if the snapshot is generated without importing the assessment model from Central Database then there are possibilities that none of the Quality rules are violated and as a reason there are missing technical criteria and due to missing technical criteria the Business criteria is missing.
To solve this problem assessment model needs to be imported from central database before running a full snapshot as given in the documentation - Step 3: Use the CAST Management Studio to import the Assessment Model
Even after importing the assessment model if you are unable to see the rules then apply the solution given in the page - CMS Snapshot Analysis - Run Analyser - Fatal Error - Universal Analyzer - Invalid type name xxx not declared in metamodel
If you have the rules coming from COE package plugin missing then the reason may be because the JAVA_HOME is not set in the analysis machine.
Ensure that the JAVA_HOME environment variable is set in the analysis machine and re-run the analysis to solve this problem.
Select the page depending on the technology:
CAST Engineering Dashboard - Quality Rule - Missing Quality Rules - ColdFusion technology - Archived
CAST Engineering Dashboard - Quality Rule - Missing Quality Rule - PHP technology - Archived
CAST Engineering Dashboard - Quality Rule - Missing Quality Rule - Missing diag for Perl technology
CAST Engineering Dashboard - Business criteria - Missing Business criteria - Complexity ERP customization
Missing quality rule is because of the incorrect exclusion list
The quality rules may be missing because of incorrect definition of the exclusion list/query.
The query might be containing a word in the search string, which is matching the source path/schema name which might be containing that word due to which most/all files are excluded from dashboard. As a result no QRs are visible. You need to check the exclusion query & correct it accordingly.
You can launch CMS and look in the below section -
Execute the query that you have given in the Explicit list and check if the object(s) that you are expecting to be violated falls in this list.
Check if Total and detail procedures have been executed during the snapshot generation
Get the name of total and detail procedures of theQR by running the below query on the Central database -
SELECT TT.METRIC_SCOPE_PROCEDURE_NAME AS DetailProc , T.METRIC_ID , T.METRIC_NAME , COALESCE(P.OBJECT_TYPE_ID,0) AS OBJECT_TYPE_ID, VT.METRIC_VALUE_PROCEDURE_NAME AS TotalProc FROM DSS_METRIC_TYPE_TREES TT , DSS_METRIC_VALUE_TYPES VT , DSS_METRIC_TYPES T LEFT OUTER JOIN DSS_METRIC_PARAM_TYPES P ON ( P.METRIC_ID = T.METRIC_ID AND P.PARAM_INDEX = 1 ) WHERE T.METRIC_GROUP = 1 AND TT.METRIC_ID = T.METRIC_ID + 1 AND VT.METRIC_ID = T.METRIC_ID AND VT.METRIC_VALUE_INDEX = 2 AND metric_name LIKE '%<METRIC_NAME>%' ORDER BY METRIC_NAMEExample -
SELECT TT.METRIC_SCOPE_PROCEDURE_NAME AS DetailProc , T.METRIC_ID , T.METRIC_NAME , COALESCE(P.OBJECT_TYPE_ID,0) AS OBJECT_TYPE_ID, VT.METRIC_VALUE_PROCEDURE_NAME AS TotalProc FROM DSS_METRIC_TYPE_TREES TT , DSS_METRIC_VALUE_TYPES VT , DSS_METRIC_TYPES T LEFT OUTER JOIN DSS_METRIC_PARAM_TYPES P ON ( P.METRIC_ID = T.METRIC_ID AND P.PARAM_INDEX = 1 ) WHERE T.METRIC_GROUP = 1 AND TT.METRIC_ID = T.METRIC_ID + 1 AND VT.METRIC_ID = T.METRIC_ID AND VT.METRIC_VALUE_INDEX = 2 AND metric_name LIKE '%Private Fields naming convention - case and character set control%' ORDER BY METRIC_NAME
"DIAG_SCOPE_NETNAM007";3562;"Private Fields naming convention - case and character set control";141901;"DIAG_DOTNET_ANA_PV_FIELD_TOTAL" "DIAG_SCOPE_NETNAM007";3562;"Private Fields naming convention - case and character set control";138385;"DIAG_DOTNET_ANA_PV_FIELD_TOTAL" "DIAG_SCOPE_NETNAM007";3562;"Private Fields naming convention - case and character set control";138383;"DIAG_DOTNET_ANA_PV_FIELD_TOTAL"
Execute following queries to check if procedures have been executed -
Select * from <KB_NAME>.DSS_HISTORY where description in '%<PROC_DETAIL_NAME>%'
Select * from <KB_NAME>.DSS_HISTORY where description in '%<_DETAIL_NAME>%'
If the query returns rows that means the procedure has been executed. If the queries return no rows that means the procedures have not been executed.
Check if the metric has been disabled
Check if the quality sizing factor / quality rule has been unchecked as shown below. In the below example Technical Debt has been deactivated. To activate it check the Active checkbox.
If the metric has been disabled then enable it by checking the check box Active making it to True,and generate a new snapshot to solve the issue.
Applicable technologies can be different in assessment model as shown below. For example, rule-' Avoid undocumented Classes' has JEE technology applicable in latest run and not in previous run. This causes missing rule in previous run :
Previous run :