Summary: This page provides instructions for using the Risk Investigation view in the Engineering Dashboard.
Introduction
Accessible from the sidebar menu or by clicking the Risk Model tile, this view enables investigation of the application risk from the Assessment Model perspective - moving through Health Measures/Business Criteria, Technical Criteria, Rules/Measures/Distributions right down to the objects in violation.
By default, only Business Criteria that are categorised as Health Measures will be displayed in the dashboard. All other Business Criteria that are NOT Health Measures will not be displayed. You can override this behaviour, to display ALL top-level Business Criteria if required - see Engineering Dashboard json configuration options.
Note about changes to source code and the CAST measurement system and impacts on results
Changes to source code and to the CAST measurement system (i.e. changes made to analyzers, extensions, rules, default Assessment Model etc.) will impact the results displayed in the CAST Engineering Dashboards between successive snapshots. You should therefore be aware of this and any manual updates to the CAST measurement system or the installation of new extension releases should be performed with care as the legitimacy of trend and comparison information greatly depends on the methodology you use for the update. For example, changing a rule from critical to non-critical between snapshots will necessarily impact the cumulative results of any parent technical or business criteria even though no source code has changed.
Data presentation
Data is presented in a series of tables on the left and right hand side of the page enabling you to drill down from a Health Measure to an individual object that is in violation. Take for example the top level list of Health Measures:
Selecting a Health Measure in this table will display all of the contributing Technical Criteria in the right hand section:
When a Health Measure is selected, the first row in the Technical Criteria list will be titled "All Rules...". Selecting this item will display a list of all the Rules that contribute to the selected Health Measure:
Selecting a Technical Criteria will move the Technical Criteria to the left hand side of the page and display all of the contributing Rules in the right hand section:
Selecting a contributing Rule will move the item to the left hand side of the page and display details about it (including the list of objects in violation, computing details, and rule/distribution/measure documentation) in the right hand section:
In ≥ 2.9, when there are many violations, search button search for a specific violation (based on the object name location field).
helps toWhen there are many violations to display, a "Show More" button will be available:
By default, only 10 violations are displayed to improve performance. You can choose to display more using the various options (+10, +100 etc.). By default an upper maximum of 5000 violations is set when the "All" option is clicked. You can change the upper maximum if required (see the violationsCount option in Engineering Dashboard json configuration options).
Finally, depending on the item (Rule, Distribution, Measure), you can do as follows:
Rule
For a Rule the following sections are available:
Architecture Model
This section is an interactive graphical representation of an Architecture Model (created with CAST Architecture Checker or AIP Console) that has been included in the snapshot. The diagram displays:
- The allowed layers dependencies as green arrows
- The forbidden layers dependencies as red arrows
For each red arrow, the number of violations is displayed. The section will be selected by default instead of the violation section.
The nodes are movable, one can drag and place in the desired position. For each red arrow, the number of violations is displayed.
When the user clicks on a red arrow, a list of violations is displayed for the objects in violations between the two layers. This is a distinct list of the default view, which contains all the objects in violations irrespective of the layer dependencies.
Users can also use the red arrow (click on the red arrow) to refresh the violation table and view the count of distinct violations between the selected layers and the total violation count.
In the Architecture Model, on selecting the Red - links, user can get the violation details table between the selected layers. A status filter has been added to the table.
User can filter the table content based on status, similar to other tables.
This section display is only for the rule which has architecture model data, when there are no layers it will display a message "No layers available".
Violations
Expand the list of Violations
...to view the objects violating the selected Rule:
Header icons
The following icons will be available:
Educate | Click this icon to add the associated Rule to the Engineering Dashboard - Education list. |
Download | Click this icon to export the list of violations to Excel. |
Source code
- Source code is only displayed for the most recent generated snapshot, even if that snapshot has subsequently been deleted. In other words, deleting the most recent snapshot does not restore the source code from the previous snapshot: the source code from the deleted snapshot will be kept. This can occasionally lead to unusual results:
- a first snapshot1 is generated which leads to a violation for object1.
- the development team fix the violation by producing object1 version2
- a second snapshot2 is generated on version2 and then this snapshot2 is deleted
- The dashboard will then display object1 in violation for snapshot1 but with the source code corresponding to snapshot2. As a consequence, the violation is not present in the source code.
- Source Code is not available when the TQI Health Measure has been entirely disabled - this manifests itself with the following error during the analysis/snapshot generation: WARNING - The selected snapshot is not the latest, the code source will not be updated in the central schema.
Select an object in the list of violations to view its source code. In order to focus investigation, source code displayed presents either:
- the object in violation
- or the violation details when available (e.g. bookmarks, paths).
Whenever a piece of code is made available, the View File button (seen in the example below) provides the ability to open the entire source code file to get the entire context. The file is opened in a separate browser window. The entire source code is presented plus some context (application name, snapshot reference, file name).
The Rule name/ID is also highlighted using colour (yellow for a standard Rule (as shown below), and red for critical):
Please note that in the current release of CAST AIP, the display of source code is limited in functionality:
- The source code does not currently show all violations for Rules that reference User Input Security elements, such as:
- The Rule "Avoid direct or indirect remote calls inside a loop"
- If the size of the file is more than 500KB, then the bookmark will be displayed with 500 lines above and below the bookmark.
View file option
Source code page has the VIEW FILE option which helps to view the violation details.
Clicking on the VIEW FILE option opens a new tab, displaying the violation details as highlighted in the below screen.
Display of cyclical calls
When a Rule involves "cyclical calls" such as the rule "Avoid cyclical calls and inheritances between packages", then the source code display is altered slightly as follows. A cyclical call means two packages refer to each other through a call and therefore, the result of this could be a circular dependency. So in this case, the dashboard does not show the detailed source code but the list of packages involved so that we can show where these cyclical calls are located.
Display of copy/pasted type rules
If a "copy/pasted" Rule has been selected (for example Avoid Too Many Copy/Pasted Artifacts), a list of objects that have a high level of similarity with the selected objects will be listed:
After clicking on the object in the Violation details table, a separate page will be opened to show the comparable code fragments (see image below - click to enlarge):
- A tab will open split into two areas (left/right) to display selected component source code and master source code (on left by default)
- Component Selector exists in two areas so that you can change the component source code display by selecting the item
- File selector is under component selector (with black background) so that you can see the component source code located in each file
Bookmarks
When results include violation bookmarks in the source code, the dashboard can access more details about the actual occurrence in the object for the current Rule. The violation bookmarks are displayed per occurrence found; the display follows the same pattern as the object source code viewer: each code fragment is associated to its related file and the violation bookmark is highlighted using colour (yellow for a standard Rule, red for critical (as shown below). Multiple bookmarks may be associated to a single occurrence (as shown below):
A MORE OCCURENCES button will appear when there are more than five occurrences in the object for the current Rule:
If a violation occurrence contains multiple bookmarks, then the Primary/Secondary bookmark will appear to show the main bookmark and additional bookmarks as shown below. The display follows the same pattern as the object source code viewer, except that the secondary bookmark will be highlighted as blue:
A MORE BOOKMARKS button will appear when there are more than five bookmarks in one defect for the current Rule. The color depends on whether the Rule is critical (red) or not (yellow). If you click "View File" button, the lines numbers are highlighted:
If the size of the file is more than 500KB, then by default 500 lines below and above the bookmark will be displayed, as shown in the below screen:
By default 500 lines below and above the bookmark are displayed, to view more code lines use .
Injection bookmark display
Bookmarks for defects in source code violating OWASP injection rules (such as Avoid SQL injection vulnerabilities ( CWE-89 ) ) are displayed slightly differently to help you follow the violation trail within the Application:
Interpreting the Injection bookmarks display
In the screenshot above, the flaw spans two sources code files (first and third files are the same class). This type of violation report comes with two bookmarks with very specific meaning, and are displayed to show the evidence of the flaw:
- the first bookmark (line 107) stands for the unsafe data acquisition (here the javax.servlet.ServletContext.getAttribute(String) method of Servlet API)
- the second bookmark (line 129) stands for the resource access with tainted data, here with the HttpSession's setAttribute(String) method.
Additional comment for this flaw: the store variable is the culprit in first source file. It is not sanitized (cleansed) by any known sanitization method, and reused as-is as a parameter of the HttpSession resource access : this is an injection, of type CWE-501: Trust Boundary Violation.
Limitation in case of REST operation exposed
When the data acquisition is made through a Spring MVC or JAX-RS REST operation, the bookmark is not determined by the extension, and a placeholder is computed by the Security Analyzer. The placeholder is usually a few lines after the @RequestMapping annotation source code line. So the line bookmarked in the CAST Dashboard should not be considered as the data acquisition. The exact location of unsafe data acquisition is indeed a few lines above.
Tip: use the View icon to view the source code above the bookmark placeholder, and locate the @RequestMapping or assimilated (@GetMapping, @PostMapping, @PutMapping, @DeleteMapping, @PatchMapping or @Param) annotation. That's the real location of the unsafe data acquisition.
Violation details
The Violation details section underneath the Source Code display shows the Violation Name along with the values of the Violation Details (i.e the "Associated Values"):
In addition, where the rule is "parameterized" (only legacy rules), the Parameter Details section will be displayed. The Parameter Details section displays Parameter Name along with the values of the Parameter Details:
Why is that an issue?
You can use the Why is that an issue? option underneath the Source Code display to view the Rationale section of the Rule that has been violated. Clicking the Learn More button will take you directly to a full description of the violated Rule:
Computing Details
This section displays:
- the Total checks value which indicates the total number of objects in the Application that were checked against the current Rule.
- the number of modules in which the current Rule has been checked during the snapshot generation (3 out of 7 in the example below)
- the % compliance of the Rule. In the example below, the current Rule has a compliance of 18.29% - in other words 18.29% of the objects checked against this Rule were found to have no violations (the higher the number, the better compliance).
- Expanding the section (using the black arrow as explained above for the Violation list) will provide more detail. In the example below, we can see that:
- three modules contain objects that were checked against the current Rule. A compliance % is provided for each module along with the number of objects violating the current Rule and the total number of objects in the module that were checked against the current Rule.
- the compliance of 18.29% for the Total is the compliance percentage for all modules in the Application against the current Rule.
Column | Explanation |
---|---|
Module | Shows the name of each module that has objects as defined during the snapshot configuration and generation. |
Total Check | The total number of objects in the module that were checked against the current Rule. |
Viol. | The number of objects in the module violating the current Rule. |
Compliance | The compliance rate for the module - i.e. the percentage of objects in the module that are compliant with the Rule. |
Parameter Details
Click Rule, it displays parameter details section. This section displays the parameter name, technology, and value for the selected rule.
Parameter details will be displayed for the current snapshot as well as for the previous snapshot if the rule is "parameterized. The parameter detail section also displays the data for a selected rule when no violations. The parameter section displays a message "No parameter details available" if the selected rule does not have parameter details.
Rule Documentation
Expand the Rule documentation section (using the black arrow as explained above for the Violation list) to view a detailed description of the current Rule:
When you move the mouse over a Tags, the name is displayed in the tooltip for tags and a hyperlink is provided to the specific rule (in the rule portal).
To get the URL
- The application should be installed with the latest version of the quality standard extension
- Or update the AED_QUALITY_TAGS_DOC table manually with the attached SQL script update.sql
If there are no Tags associated with the Rule, there will a "No Tag" message in the "Tags" section:
Accessing an object in the Application Investigation view
Clicking the following icon will take you directly to the object in the Application Investigation view:
Distribution
For a Distribution, you can view:
- How objects in the current Application are distributed: objects are placed into categories depending on the criteria of the Distribution itself. Sections indicate which category the objects fall into: Low/Small (Green), Average, High/Large and Very High/Very Large (Red). A Status column displays the status of the object between the current and previous snapshot (unchanged, added, deleted etc.). So to take the example of the Size Distribution distribution:
- View a detailed description of the current Distribution:
- View detailed information about each Parameter that contributes to the Distribution metric. For a given Distribution in each snapshot, the contributing Parameters are listed, together with the type of technology involved (Object Type Involved) and the number of objects (Parameter Value) classed in that parameter:
Measure
Measures are listed in the Engineering Dashboard, however, since Measures are never "violated" in the same way a Rule is violated, little information can be displayed other than the documentation. If you require more information about a Measure, please use the Health Dashboard instead:
Table key
All tables that display data in the Risk Investigation mode contain various columns. The table below lists all possible column names and provides an explanation for each:
Health Measure
Column | Explanation |
---|---|
Displays the number of Violations or Critical Violations added to the current snapshot for the currently selected item since the last snapshot. | |
Displays the number of Violations or Critical Violations removed from the current snapshot for the currently selected item since the last snapshot. | |
#Critical / #Violations | Displays the number of Violations or Critical Violations for the currently selected item. This column is also used as the default sorting criteria when items are first displayed. |
Previous | Displays a % variation of the number of Violations or Critical Violations in the current snapshot for the currently selected item compared with those in the previous snapshot. |
Health Measure | Name of the Health Measure |
Technical Criterion
Column | Explanation |
---|---|
Displays the number of Violations or Critical Violations added to the current snapshot for the currently selected item since the last snapshot. | |
Displays the number of Violations or Critical Violations removed from the current snapshot for the currently selected item since the last snapshot. | |
#Critical / #Violations | Displays the number of Violations or Critical Violations for the currently selected item. This column is also used as the default sorting criteria when items are first displayed. |
Previous | Displays a % variation of the number of Violations or Critical Violations in the current snapshot for the currently selected item compared with those in the previous snapshot. |
Technical Criterion | Name of the Technical Criterion. |
Weight | Displays the weight of the Technical Criterion in its parent Health Measure. The higher the value, the more weight the item carries. |
Rules, Distributions and Measures
Column | Explanation |
---|---|
Displays the number of Violations or Critical Violations added to the current snapshot for the currently selected item since the last snapshot. | |
Displays the number of Violations or Critical Violations removed from the current snapshot for the currently selected item since the last snapshot. | |
#Critical / #Violations | Displays the number of Violations or Critical Violations for the currently selected item. This column is also used as the default sorting criteria when items are first displayed. |
Evolution | Displays a % variation of the number of Violations or Critical Violations in the current snapshot for the currently selected item compared with those in the previous snapshot. |
Rules... | Name of the Rule/Distribution/Measure. |
Weight | Displays the weight of the Rule/Distribution/Measure in its parent Technical Criterion. The higher the value, the more weight the item carries. |
Critical Rule | A red dot in this column indicates that the Rule has been set as critical in the Assessment Model. |
When the item is a Distribution or Measure, "N/A" will be displayed since objects in violation are not applicable. See Grade and compliance calculation for more information about how grades are calculated in this instance.
Violation
Column | Explanation | ||||
---|---|---|---|---|---|
Option to add/remove the violation from the Action Plan (see Engineering Dashboard - Action Plan) or the Scheduled Exclusion List (see Engineering Dashboard - Exclusions). Selecting one or multiple violations will enable the Add / Manage menu allowing you to add/remove violations to/from the Action Plan and Scheduled Exclusion List: Note that to interact with the Action Plan/Scheduled List, your user login must have the role QUALITY_MANAGER/EXCLUSION_MANAGER roles. These can be assigned at user level (when using Default Authentication mode) or via user or group (when using Standard LDAP authentication). Please see User roles for more information. | |||||
Action / Exclusions | Indicates whether the violation has been added to the Action Plan or the Scheduled Exclusion List (see Engineering Dashboard - Action Plan for more information):
| ||||
Object Name Location | Displays the object name, and in the case of file based objects (as oppose to Database objects), the location on disk of the object. When there are many violations, search button search for a specific violation (based on the object name location field). helps to | ||||
Risk | This value was previously (in the CAST Engineering Dashboard) known as Propagated Risk Index (PRI): it identifies the violations that can impact the largest number of components, involving objects with the largest number of violations pertaining to the Health Measure involved. The formula used to calculate this value is as follows: PRI = (RPF + 1) x VI Where RPF and VI equal: RPF Risk Propagation Factor (RPF): identifies violations that can impact the largest number of components in the Application. The impact area is computed as follows:
VI Violation Index (VI): identifies objects with the largest number of violations, taking into account the weight of the Rules and of the Technical Criteria, for the Health Measure involved. The formula used to calculate this value is as follows For each object, identify Rules it violates that contribute to a given Health Measure through Technical Criteria. Multiply aggregate weight of the Rule within the Technical Criterion by the aggregate weight of the Technical Criterion within the Health Factor. In other words: VI = Sum_of_all_rules_violated_by_the_object (Quality_rule_weight * technical_criteria_weight) | ||||
Status | Displays the status of the object in comparison to the previous snapshot - e.g.:
You can also filter on a status by selecting the column header and choosing the status you want to view: | ||||
Clicking this icon will take you direct to the object in the Application Investigation view. |
Distribution
Column | Explanation |
---|---|
Object Name Location | Displays the object name. |
Status | Displays the status of the object in comparison to the previous snapshot - e.g.:
You can also filter on a status by selecting the column header and choosing the status you want to view: |
Measure
Measures only display the documentation.
Display rules
Each table displays Business Criteria, Technical Criteria and Rules/Distributions/Measures based on the following specific criteria:
- Items are sorted by:
- Descending (worst to best) number of Violations in current snapshot
- If number of Critical Violations/Violations is identical, then the value in the Previous/Evolution columns is then also used to determine the display order
- If the number of Critical Violations/Violations for an item is equal to 0 (i.e. no violations), the line is greyed out to indicate that this item has no violations and is therefore of no interest for remediation purposes. You can still consult the item by clicking it if necessary.
- If the variation % in the Previous column is exactly 0, the variation is set to 0.00% and the item is greyed out. The variation % may be 0.00 if:
- there is no previous snapshot available to make a comparison
- or there has been no change between the current and previous snapshot
- If the variation % displayed is 0.00 but has a very slight variation between the current and previous snapshots (for example 0.003), a tilde (~) is prepended to the front of the variation value to indicate the approximate value.
- When the Previous % is identical to the Baseline %, this means that the Previous snapshot and the Baseline snapshot are one and the same (i.e. only two snapshots exist) or when only one single snapshot exists.
- N/A is displayed for two reasons:
- when consulting variation/evolution: if there is only one snapshot then no comparison can be made to determine a difference.
- when the item is a Distribution or Measure - it will not provide objects in violation but instead gives you information about how your objects are categorized. See Grade and compliance calculation for more information about how grades are calculated in this instance.
For Rules only:
- The word "new" will be displayed in the % Evolution column when a Rule was not violated in the previous snapshot (the word "new" will never be displayed if there is only one snapshot).
Filtering
By default when using the Risk Investigation view, the entire Application content is displayed. However, you may be interested in investigating a subset of the Application (a specific Assessment Model, a specific module or a specific technology). Various filters are available for that purpose in the breadcrumb area, to the top right:
Assessment Model filter | By default the AIP Assessment Model will be displayed, however, if any Industry-standard extensions (i.e. CISQ, MIPS Reduction, OMG-ASCQM, OWASP) have been installed, which contain dedicated Assessment Models, you can filter on them: Click to enlarge Critical filter will be disabled and noncritical violations information will be displayed in the Risk Investigation view when you switch the assessment model from AIP assessment model to industry standards assessment models (like: CISQ Assessment Model, MIPS Reduction Assessment Model, OMG and so on.) |
---|---|
Modules filter | You can filter results with regard to a specific module in your Application (created during the analysis) - by default "all modules" are displayed. Please note that while drilling down, a technical criteria or a Rule may not apply to a specific module (e.g. a SQL Rule does not apply on a module that would not contain SQL technology, hence if the Rule is selected, filtering on the module to which it does not apply holds no meaning): You can search for a specific module using the search field: |
Technology filter | You can filter on Technologies in your application. By default "all technologies" are displayed: |
Applied Filters | You may filter, Modules and Technologies using the Filtering icon/feature. Once you select a Module, the selected Module is displayed in the Applied Filters field as shown in the below screen. You may use the cross button on the filter chip to unselect the filter (Presales module in the above screen) . Filtering icon is displayed in light shade () when no filters are applied. Filtering icon is displayed in dark shade () when filters are applied. |
Note that, some filtering may not be relevant as you drill down. If you are investigating a JEE specific Rule and try to filter on HTML5 technology (for example), we would get no data, hence, to make things clearer, the HTML5 technology filter option is be disabled (lighter grey colour) in this context. This can apply at technical criteria or Rule level and in some rare cases, even from the Health Measure level:
- When investigating a specific object, the filters are disabled as they are no longer relevant.
- For numerous reasons (confusion, bookmarks or tiles leading to rules/objects in contexts), the filters are always reset when leaving the Risk Investigation pages.