What encryption algorithm and type are used for passwords in the CAST dashboard?
  • It is an internal encryption algorithm. If you want extra security, you can use LDAP.
  • For more details please refer to the documentation under "Active Directory LDAP and Kerberos integration" at:
    • CAST AIP 7.2 Documentation > Cookbooks > Platform Administration > Portal Administration > CAST Engineering Platform and CAST Discovery Portal > Advanced web.xml configuration 
Do object exclusions in the dashboard affect the LOC of the application?
If the files are excluded at the metric level on the dashboard, those objects will not appear under that metric in the next snapshot. The LOC will decrease only if you have excluded them from analysis.
Why does the var column show a hyphen (-) in the Investigation - Drilldown view on the dashboard?
Only two digits after the decimal point are taken into account, so if your variation is, for instance, .005 or .001 (three digits after the decimal point), the value is displayed as -.
How exactly is the metric "Avoid Packages with High Efferent Coupling (CE)" calculated? In which tables can I find what exactly was counted as High Efferent Coupling (CE) (which packages the indicated class/interface depends on)?

CE (also known as Outgoing Dependencies or the Number of Types outside a Package that Types of the Package Depend on) indicates the number of other packages that classes and interfaces in the analyzed package depend upon.

This would most easily be seen in Enlighten where you can see the relationship between the violated object and other packages that the violated object depends upon. 
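The CE definition above can be worked through on a small dependency map. This is an added illustration, not CAST's implementation or its table layout; the type names, the `DEPS` sample and the `threshold` value are constructed assumptions, since the page does not state what count qualifies as "high".

```python
from collections import defaultdict

def package_of(type_name):
    """Package part of a fully qualified type name ('a.b.C' -> 'a.b')."""
    return type_name.rpartition(".")[0]

def efferent_coupling(dependencies):
    """Return package -> {other package -> set of (source type, target type)}.

    The number of keys in the inner dict is the package's CE; the link sets
    show which class or interface caused each outgoing dependency.
    """
    result = defaultdict(lambda: defaultdict(set))
    for src, targets in dependencies.items():
        src_pkg = package_of(src)
        result[src_pkg]  # register the package even if it has no outgoing links
        for tgt in targets:
            tgt_pkg = package_of(tgt)
            if tgt_pkg != src_pkg:  # links inside the same package do not count
                result[src_pkg][tgt_pkg].add((src, tgt))
    return {pkg: dict(links) for pkg, links in result.items()}

def high_ce_packages(dependencies, threshold):
    """Packages whose CE exceeds a threshold (hypothetical value, see lead-in)."""
    ce = efferent_coupling(dependencies)
    return sorted(pkg for pkg, links in ce.items() if len(links) > threshold)

# Constructed sample: type -> types it references.
DEPS = {
    "shop.web.CartController": ["shop.service.CartService", "shop.model.Cart",
                                "shop.web.BaseController"],
    "shop.web.BaseController": ["shop.security.Session"],
    "shop.service.CartService": ["shop.model.Cart", "shop.dao.CartDao"],
    "shop.dao.CartDao": ["shop.model.Cart"],
    "shop.model.Cart": [],
}

if __name__ == "__main__":
    for pkg, links in sorted(efferent_coupling(DEPS).items()):
        print(pkg, "CE =", len(links), sorted(links))
    print("high CE:", high_ce_packages(DEPS, threshold=2))
```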

Can you please explain the number of artifacts used in the dashboard?

Artifacts depend on the specific languages being analyzed. They are low-level programming elements used to measure application size and complexity.

You can see a list of artifacts for each language in the documentation for the release. 

Why does the Quality Rule "Avoid many-to-many association" belong to the health factor Security?
This Quality Rule is included in the Security Index because it is part of the "Architecture - Multi-Layers and Data Access" Technical Criterion. This is the structure of our Assessment model: the mapping of Quality Rules to Technical Criteria and the mapping of Technical Criteria to Business Criteria are independent. It's a mesh, not a tree.

As such, each rule contributing (indirectly) to the Security index must not be considered as a security hole. Rather, we have a global assessment of the app on a Technical aspect (here, how well architected the app's data access is). We then estimate that this Technical assessment contributes with a given importance to the global Security score, together with the assessments done on other aspects. However, if in your particular application this particular rule is not relevant or should not be considered so critical, it is always possible for you to customize the assessment model locally.

Why am I not seeing the rule "Avoid instantiation inside loops" for my .NET code?
The rule "Avoid instantiation inside loops" is applicable only to C# and not to VB.NET. It is expected behavior that the rule is not violated for VB.NET code.
Is there a way to display a Charge Ratio rather than the value in Currency to be able to compare all applications regardless of the currency?
The "Charge ratio" must be managed as a background fact, as we don't have it by default in our Assessment model.
Why are only AFP (Automated Function Points) calculated and displayed in the dashboard after generating a snapshot, but not EFP (Enhancement Function Points)?

As explained in the documentation below, EFP is the evolution of function points compared to the baseline value. To get the EFP computed, you should first run an analysis and snapshot on the baseline source code, and then run an analysis and generate a snapshot on the second release to get the EFP of this second release compared to the baseline.

The EFP values will then be visible under the Size and evolution view of the CED dashboard.

Can the LDAP web.xml settings for AAD be used for CED?

The LDAP implementation for AAD (Application Analytics Dashboard) is completely separate from the LDAP implementation for CED (CAST Engineering Dashboard).

You need completely different parameters, so you cannot use the same web.xml settings between AAD and CED for LDAP.

Why are there violations for sprintf() for the "Avoid using snprintf() function family" C rule?

If CAST AIP finds any function which comes under or is a part of the snprintf() function family, then that would be raised as a violation for this rule. We consider the following functions as part of the "snprintf() family": sprintf, snprintf, _snprintf, _snprintf_l, _snwprintf, _snwprintf_l, vsnprintf.

And as sprintf() is part of the family, this is an expected behaviour. 
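To see which calls in a C file fall under the family listed above, the following added example (not CAST AIP's analyzer) does a text-level scan using only the function names given on this page. The `SAMPLE_C` input is constructed, and the scan does not expand macros or resolve function pointers.

```python
import re

# Function names the page lists as the "snprintf() family".
FAMILY = {"sprintf", "snprintf", "_snprintf", "_snprintf_l",
          "_snwprintf", "_snwprintf_l", "vsnprintf"}

# Comments and string/char literals, so names inside them are not reported.
_NOISE = re.compile(
    r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'', re.S)
# An identifier directly followed by an opening parenthesis.
_CALL = re.compile(r'\b([A-Za-z_]\w*)\s*\(')

def _blank(match):
    # Replace with spaces but keep newlines so line numbers stay correct.
    return re.sub(r'[^\n]', ' ', match.group(0))

def find_family_calls(source):
    """Return (line_number, function_name) for each call to a family member."""
    cleaned = _NOISE.sub(_blank, source)
    hits = []
    for m in _CALL.finditer(cleaned):
        if m.group(1) in FAMILY:
            line = cleaned.count("\n", 0, m.start()) + 1
            hits.append((line, m.group(1)))
    return hits

# Constructed sample input, not taken from any real code base.
SAMPLE_C = r'''
#include <stdio.h>
/* sprintf(buf, "in a comment") must not be reported */
void render(char *buf, size_t n, const char *user) {
    sprintf(buf, "hello %s", user);
    snprintf(buf, n, "hello %s", user);
    puts("vsnprintf( inside a string literal");
    my_sprintf(buf, user);   // different identifier, not in the family
}
'''

if __name__ == "__main__":
    for line, name in find_family_calls(SAMPLE_C):
        print(f"line {line}: {name}()")
```

Both the unbounded `sprintf()` and the bounded `snprintf()` call are reported, which matches the behaviour described above: the rule keys on membership in the family, not on whether a size argument is passed.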

Is there any functionality to deal with the impact of changing the source path leading to added-deleted artifacts in CAST AIP 8.0?
No, there is no functionality in CAST AIP 8.0 to deal with the impact of changing the source path leading to Added-Deleted artefacts.
Is there any threshold value of Propagated Risk Index (PRI) on the dashboard for object violations to identify when an object is risky?
There is no scale or threshold for this index, because the calculation of PRI is based on the number of calls of an object and this information can be exponential. So in the end, depending on the application (and technologies), this number is totally different between two applications. PRI is an index which shows the risk factor on the dashboard and also sorts the violated objects in decreasing order on the dashboard for a QR.
Can you please explain how the results for "Avoid Artifacts with High Fan-Out" were exactly computed?

High Fan-out is based on the number of references to other artifacts, so it can't be computed based on examination of a single artifact. You need to look at the broader scope of all the analyzed artifacts to see the links to other artifacts. You can see this visually in Enlighten when looking at linked objects for a particular artifact.

You can also see the metric documentation and this TKB page for further reference: