Page tree

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


On this page:

Table of Contents

Target audience:

Users of the extension providing HTML5/JavaScript support for Web applications.


Summary: This document provides basic information about the extension providing HTML5/JavaScript support for Web applications.


What's new in 1.9.0?

  • Bugs resolution, including support of new expressions in lists.
  • Better resolution with jsp files.
  • Support of jsp pager taglib.
  • Support of struts-jquery-grid-tags taglib.
  • Resources found in <form> tags have GET as default type (not POST).
  • Files filtering enhancement (skipped files are no more sent to other extensions).
  • Issue fixed for the rule "Avoid JavaScript to block page loading"
  • Issue fixed for the rule "Avoid using unsecured cookies"
  • Issue fixed for the rule "Avoid creating cookie without setting httpOnly option"
  • New rules:
    • 1020098 Avoid creating cookie with overly broad path (Javascript)
    • 1020100 Avoid creating cookie with overly broad domain (Javascript)

What's new in 1.9.1?

  • Bugs resolution, mainly for other web extensions (angularjs and jquery).

What's new in 1.9.2?

Bug resolution : GUIDs/fullnames correction for objects inside javascript sections inside html files when several sections in one file.

Code Block
    function f1() { }
    function f2() { }

To resolve this issue, an "upgrade" process is included in this release to transform the guids. In the above example, CAST_HTML5_JavaScript_SourceCode_Fragment_2.f2 will become CAST_HTML5_JavaScript_SourceCode_Fragment.f2.

Following the first analysis after upgrade to this extension, the following warning may be present at the end of analysis:

Code Block
UNIVERSAL_CACHE : DUPLICATED OBJECTS NAME REMOVED: 144955 D:\Deploy\app\package\anchor.html/CAST_HTML5_JavaScript_SourceCode_Fragment.f1

This is expected behaviour, it is present if you have functions with same name in several sections of the same html file. In this case, the migration will produce two guids which will be the same: CAST_HTML5_JavaScript_SourceCode_Fragment.f1 for example, and the reanalysis will produce: CAST_HTML5_JavaScript_SourceCode_Fragment.f2 and CAST_HTML5_JavaScript_SourceCode_Fragment.f2_2.

Warning: This upgrade is only available for CAST AIP schemas hosts on CAST Storage Service.


In what situation should you install this extension?

The analyzer could be used if your application is a Web Application, has HTML/Javascript/CSS files and/or contains HTML/Javascript fragments embedded into JEE and .NET files (for example).

The analyzer provides the following features:

  • Automated Function Point counting.
  • Checksum, number of code lines, number of comment lines, comments are present.
  • Local and global resolution is done when function is called directly through its name (inference engine resolution is not available).
  • For global resolution, caller is searched in all .js files. If only one callee is found, a link is created. If several callees are found, the analyzer watches inclusions in html files to see if it can filter the callee. If nothing is found in html files to filter, links are created to all possible callees.

Files analyzed



*.html, *.htm, *.xhtml
  • Supports HTML/XHTML versions 1 - 5.
  • creates one "HTML5 Source Code" object that is the caller of html to js links and a transaction entry point
  • broadcasts tags and attributes/values to other CAST extensions such as AngularJS. Other extensions will not need to analyze the files themselves.

Javascript*.js, *.jsx


  • JavaScript 1 to 1.8.1.
  • JavaScript ECMA 6

See also JavaScript below for more information.

Cascading Style Sheet*.css

Supports CSS 1 - 3.

Java Server Page*.jsp, *.jspx

Supports JSP 1.1 - 2.3.

See JSP below for more information.

Active Server Page*.asp, *.aspx

See (Classic) ASP below for more information.

HTML Components*.htcHTC files contain html, javascript fragments that will be parsed. Created objects will be linked to the HTC file.

ASP.NET MVC Razor*.cshtml

See ASP.NET MVC Razor below for more information.


Note that you may find that the number of files delivered is more than then number of files reported after analysis. This is due to the following:

  • by default some files are automatically excluded from the analysis, typically third-party frameworks which are not required. Please see the filters.json file located at the root of the extension folder for a complete list of default exclusions.
  • some files that have been included in the analysis may not be saved in the CAST Analysis Service schema because they do not contain any useful information, i.e. they do not contain any technical sections such as functions which would lead to the creation of a specific object.

(Classic) ASPTechnology support notes


Excerpt Include
ASP - Technical notes and limitations
ASP - Technical notes and limitations



Include Page
.NET - ASP.NET MVC Razor support
.NET - ASP.NET MVC Razor support



CAST AIP has provided support for analyzing JavaScript via its JEE and .NET analyzers (provided out of box in CAST AIP) for some time now. The HTML5/JavaScript extension also provides support for JavaScript but with a focus on web applications. CAST highly recommends that you use this extension if your Application contains JavaScript and more specifically if you want to analyze a web application, however you should take note of the following when using the extension with CAST AIP ≤ 8.2.x

  • You should ensure that you configure the extension to NOT analyze the back end web client part of a .NET or JEE application.
  • You should ensure that you configure the extension to ONLY analyze the front end web application built with the HTML5/JavaScript that communicates with the back end web client part of a .NET or JEE application.
  • If the back end web client part of a .NET or JEE application is analyzed with the HTML5/JavaScript extension and with the native .NET/JEE analyzers, then your results will reflect this - there will be duplicate objects and links (i.e. from the analyzer and from the extension) therefore impacting results and creating erroneous Function Point data.
Note that in CAST AIP 8.3.x, support for analyzing JavaScript has been withdrawn from the JEE and .NET analyzers.

Support of JavaScript in this extension

  • JavaScript (1 to 1.8.1):
    • Javascript call(), function(), bind(), prototype and prototype inheritance are supported
    • creates Functions, Classes and Constructors
    • local call links between function calls and functions inside each JavaScript file are created



Excerpt Include
JEE - Technical notes and limitations
JEE - Technical notes and limitations

Transaction configuration information

HTML5 source code: it represents the whole HTML file content.

Function Point, Quality and Sizing support

This extension provides the following support:

  • Function Points (transactions): a green tick indicates that OMG Function Point counting and Transaction Risk Index are supported
  • Quality and Sizing: a green tick indicates that CAST can measure size and that a minimum set of Quality Rules exist
Function Points
Quality and SizingSecurity

CAST AIP compatibility

This extension is compatible with:

CAST AIP release
7.3.4 and all higher 7.3.x releases(tick)

Supported DBMS servers

This extension is compatible with the following DBMS servers:

CAST AIP releaseCSSOracleMicrosoft
All supported releases(tick)(tick)(error)


(tick)An installation of any compatible release of CAST AIP (see table above)

Download and installation instructions

Please see:


The latest release status of this extension can be seen when downloading it from the CAST Extend server.

Packaging, delivering and analyzing your source code

Once the extension is downloaded and installed, you can nowpackage your source code and run an analysis. The process of packaging, delivering and analyzing your source code is described below:


Include Page
HTML5 and JavaScript - Packaging, delivering and analyzing your source code
HTML5 and JavaScript - Packaging, delivering and analyzing your source code

What results can you expect?

Once the analysis/snapshot generation has completed, you can view the results in the normal manner:

CAST Enlighten

Javascript ECMA6 Classes and Constructors example

CAST Management Studio analysis content


The following objects are displayed in CAST Enlighten:


JavaScript file

HTML5 Source Code

HTML5 Source Code Fragment

HTML5 ASP Content

HTML5 ASPX Content


HTML5 CSS Source Code

HTML5 CSS Source Code Fragment

HTML5 HTC Content

HTML5 JavaScript Source Code

HTML5 JSX source code
HTML5 JavaScript Source Code Fragment

HTML5 JavaScript Function

HTML5 Javascript Method

HTML5 Javascript Class

HTML5 Javascript Class Constructor

HTML5 Web Socket Service

ASP.NET Any Operation

HTML5 Get XMLHttpRequest Service

HTML5 Get HttpRequest Service

ASP.NET Get Operation

HTML5 Razor Get service

HTML5 Update XMLHttpRequest Service

HTML5 Update HttpRequest Service

ASP.NET Put Operation

HTML5 Post XMLHttpRequest Service

HTML5 Post HttpRequest Service

ASP.NET Post Operation

HTML5 Razor Post service

HTML5 Delete XMLHttpRequest Service

HTML5 Delete HttpRequest Service

ASP.NET Delete Operation


The following rules are shipped with this extension:

Known Limitations

  • Creation and detection of object using "prototype" is not supported.
  • When HTML5/JavaScript source code is used as the "source" or "destination" in a Reference Pattern (configured in the CAST Management Studio) it will be ignored when the analysis is run - this is due to a limitation in the way the analyzer functions. However, when testing the Reference Pattern using the test option in the CAST Management Studio, the pattern will appear to match.