
...



Info
Summary: This page explains how to use the Security Dashboard: how to log in, what information is available, and so on.

...

Select an object in the list of violations to view its source code. To focus the investigation, the source code displayed presents either:

...

  • the object in violation, or
  • the violation details when available (e.g. bookmarks, paths).

    Whenever a piece of code is made available, the View File button (seen in the example below) opens the entire source code file so that the full context can be examined. The file is opened in a separate browser window, which presents the complete source code plus some context (application name, snapshot reference, file name).

    The Rule name is also highlighted using colour (yellow for a standard Rule (as shown below), and red for critical):

    ...

    Info

    Please note that in the current release of CAST AIP, the display of source code is limited in functionality:

    • The source code does not currently show all violations for Rules that reference User Input Security elements, such as:
      • The Rule "Avoid direct or indirect remote calls inside a loop"

    Parameter values for last snapshots and when there are no violations

    Parameter details

    Clicking on a Rule displays the Parameter details section (alongside the Violations, Computing details and Rule documentation sections) in the Risk Investigation view. This section displays the parameter name, technology and value for the selected Rule.


    Parameter details are displayed for the current snapshot, and also for the previous snapshot, when the Rule is "parameterized". The section also shows the data for the selected Rule when no violations exist. If the selected Rule has no parameter details, the section displays the message "No parameter details available":


    When a Rule involves "cyclical calls", such as the Rule "Avoid cyclical calls and inheritances between packages", the source code display is altered slightly. A cyclical call means that two (or more) packages refer to each other through calls, so the result is a circular dependency. In this case the dashboard does not show detailed source code but the list of packages involved, so that you can see where the cyclical calls are located.
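    The following is an added illustration of what "the list of packages involved" means; it is example code written for this page, not CAST's own implementation. It builds a small, constructed package-level call graph (the package names are hypothetical) and uses Tarjan's strongly connected components algorithm to return every group of packages that call each other in a cycle, which is the information the dashboard lists in place of source code for this kind of Rule.

```python
"""Added example (not CAST's code): find cyclical calls between packages.

Given a package-level call graph, report every group of packages that
call each other in a cycle. Uses an iterative Tarjan SCC so that deep
call chains do not hit Python's recursion limit.
"""
from typing import Dict, List, Set

# Constructed sample data (hypothetical package names):
# orders <-> billing is a two-package cycle, core.a -> core.b -> core.c
# -> core.a is a three-package cycle, util calls nothing and is not
# part of any cycle.
SAMPLE_CALLS: Dict[str, Set[str]] = {
    "com.example.orders": {"com.example.billing", "com.example.util"},
    "com.example.billing": {"com.example.orders"},
    "com.example.core.a": {"com.example.core.b"},
    "com.example.core.b": {"com.example.core.c"},
    "com.example.core.c": {"com.example.core.a", "com.example.util"},
    "com.example.util": set(),
}


def cyclical_call_groups(calls: Dict[str, Set[str]]) -> List[List[str]]:
    """Return every set of packages involved in a cyclical call.

    A strongly connected component is reported only if it contains more
    than one package, or if a package calls itself; an isolated package
    is not a cycle. Groups and their members are sorted so the output
    is deterministic regardless of dict/set iteration order.
    """
    index: Dict[str, int] = {}
    low: Dict[str, int] = {}
    on_stack: Set[str] = set()
    stack: List[str] = []
    groups: List[List[str]] = []
    counter = 0

    for root in calls:
        if root in index:
            continue
        index[root] = low[root] = counter
        counter += 1
        stack.append(root)
        on_stack.add(root)
        # Explicit DFS stack of (package, iterator over its callees).
        work = [(root, iter(calls.get(root, ())))]
        while work:
            node, children = work[-1]
            descended = False
            for child in children:
                if child not in index:
                    index[child] = low[child] = counter
                    counter += 1
                    stack.append(child)
                    on_stack.add(child)
                    work.append((child, iter(calls.get(child, ()))))
                    descended = True
                    break
                if child in on_stack:
                    # Back edge: child is an ancestor still being explored.
                    low[node] = min(low[node], index[child])
            if descended:
                continue
            work.pop()
            if work:
                parent = work[-1][0]
                low[parent] = min(low[parent], low[node])
            if low[node] == index[node]:
                # node is the root of a strongly connected component.
                component: List[str] = []
                while True:
                    member = stack.pop()
                    on_stack.discard(member)
                    component.append(member)
                    if member == node:
                        break
                if len(component) > 1 or node in calls.get(node, ()):
                    groups.append(sorted(component))
    return sorted(groups)


if __name__ == "__main__":
    for group in cyclical_call_groups(SAMPLE_CALLS):
        print("cyclical calls between:", ", ".join(group))
```

    Run as-is it prints one line per cycle found in the constructed graph. Feeding it a real package dependency export (one mapping per package) gives the same kind of list the dashboard shows for this Rule.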

    ...

    If a "copy/pasted" Rule has been selected (for example, Avoid Too Many Copy/Pasted Artifacts), the objects that have a high level of similarity with the selected object are listed:

    ...

    • The word "new" is displayed in the % Evolution column when the Rule was not violated in the previous snapshot ("new" is never displayed when there is only one snapshot).

    Filtering

    By default when using the Risk Investigation view, the entire Application content is displayed. However, you may be interested in investigating a subset of the Application (a specific module or a specific technology). Two filters are available for that purpose in the breadcrumb area, to the top right.

    • Module filter > When investigating any item in the Assessment Model, you can filter results by a specific module. Please note that, while drilling down, a Technical Criterion or a Rule may not apply to a specific module (e.g. a SQL Rule does not apply to a module that contains no SQL technology, so if that Rule is selected, filtering on a module to which it does not apply is meaningless).
    • Module Search > A Search feature is available in the module selector; it lists all the available modules.


    • Technology filter > The same filtering applies to the

    ...

    Risk Investigation.
    By default the filters are inactive (red text) and only become active when specifically selected (white text):


    Some filtering may not be relevant as you drill down. If you are investigating a JEE specific Rule and try to filter on the HTML5 technology (for example), you would get no data; to make this clearer, the HTML5 technology filter option is disabled (lighter grey color) in this context. This can apply at Technical Criterion or Rule level and, in some rare cases, even from the Health Measure level:

    Info
    • When investigating a specific object, the filters are disabled as they are no longer relevant.
    • For several reasons (to avoid confusion, and because bookmarks or tiles may lead to Rules/objects in a different context), the filters are always reset when leaving the Risk Investigation pages.

    ...