
    Display rules

    Each table displays Business Criteria, Technical Criteria and Rules/Distributions/Measures based on the following specific criteria:

    • Items are sorted by:
      • Descending (worst to best) number of Violations in the current snapshot
      • If the number of Critical Violations/Violations is identical, the value in the Previous/Evolution column is also used to determine the display order
    • If the number of Critical Violations/Violations for an item is equal to 0 (i.e. no violations), the line is greyed out to indicate that this item has no violations and is therefore of no interest for remediation purposes. You can still consult the item by clicking it if necessary.
    • If the variation % in the Previous column is exactly 0, the variation is set to 0.00% and the item is greyed out. The variation % may be 0.00 if:
      • there is no previous snapshot available to make a comparison
      • or there has been no change between the current and previous snapshot
    • If the variation % displayed is 0.00 but there is a very slight variation between the current and previous snapshots (for example 0.003), a tilde (~) is prefixed to the variation value to indicate that it is approximate.
    • When the Previous % is identical to the Baseline %, the Previous snapshot and the Baseline snapshot are one and the same (i.e. only two snapshots exist), or only a single snapshot exists.
    • N/A is displayed for the variation if there is only one snapshot; the item cannot be consulted.

    For Rules only:

    • The word "new" will be displayed in the % Evolution column when a Rule was not violated in the previous snapshot (the word "new" will never be displayed if there is only one snapshot).
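    The display rules above are easy to get subtly wrong (a real 0.003% change must not be shown as an unchanged, greyed-out 0.00% row). The following is an added example, not part of the CAST documentation, that applies those rules when building a Risk Investigation table row: it produces the Previous/Evolution text (N/A, "new", 0.00%, the "~" prefix), the greyed-out flag and the worst-to-best ordering. The Rule names and counts at the bottom are constructed sample data; treating the word "new" as applying to any item type and ordering ties by descending variation are assumptions of the example.

```python
# Added example, not part of the CAST documentation: applying the Risk Investigation
# "Display rules" when building a table row. Produces the Previous/Evolution text
# (N/A, "new", 0.00%, a "~" prefix for a tiny non-zero change), the greyed-out flag
# and the worst-to-best ordering. Rule names and counts at the bottom are constructed.


def evolution_value(current: int, previous: int):
    """% variation between the current and previous snapshot.

    Returns None when previous is 0 and current is not: there is no base to
    divide by, and the dashboard shows the word "new" for that case.
    """
    if previous == 0:
        return 0.0 if current == 0 else None
    return (current - previous) / previous * 100


def evolution_label(current: int, previous: int, snapshot_count: int) -> str:
    """Text shown in the Previous/Evolution column for one item."""
    if snapshot_count < 2:
        return "N/A"              # a single snapshot: nothing to compare against
    value = evolution_value(current, previous)
    if value is None:
        # The page defines the word "new" for Rules; showing it for other item
        # types as well is an assumption of this example.
        return "new"
    if value != 0 and round(value, 2) == 0:
        return "~0.00%"           # e.g. 0.003: a real but tiny change, flagged with a tilde
    return f"{value:.2f}%"


def build_row(name: str, current: int, previous: int, snapshot_count: int) -> dict:
    """One table row with the display attributes the page describes."""
    label = evolution_label(current, previous, snapshot_count)
    return {
        "name": name,
        "violations": current,
        "variation": evolution_value(current, previous),   # numeric, used for ordering
        "evolution": label,
        # no violations, or a change of exactly 0: nothing to remediate, shown greyed out
        "greyed_out": current == 0 or label == "0.00%",
    }


def sort_rows(rows: list) -> list:
    """Worst to best: most violations first; ties broken by the evolution value.

    Ordering ties by descending variation, with an undefined ("new") variation
    treated as larger than any number, is an assumption of this example.
    """
    def key(row):
        value = row["variation"]
        return (-row["violations"], -(float("inf") if value is None else value))
    return sorted(rows, key=key)


# Constructed sample: four Rules in an application that has three snapshots.
SAMPLE_ROWS = [
    build_row("Avoid Too Many Copy/Pasted Artifacts", current=0, previous=0, snapshot_count=3),
    build_row("Avoid direct or indirect remote calls inside a loop", current=4, previous=0, snapshot_count=3),
    build_row("Avoid cyclical calls and inheritances between packages", current=10, previous=20, snapshot_count=3),
    build_row("Avoid SQL injection vulnerabilities", current=10, previous=5, snapshot_count=3),
]

if __name__ == "__main__":
    for row in sort_rows(SAMPLE_ROWS):
        flag = " (greyed out)" if row["greyed_out"] else ""
        print(f'{row["name"]:55} {row["violations"]:4} {row["evolution"]:>8}{flag}')
```

    Run stand-alone, the block lists the four sample Rules in the order the table would show them: the two Rules with 10 violations first (the one that grew before the one that shrank), then the "new" Rule, then the greyed-out Rule with no violations.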

    Filtering

    By default when using the Risk Investigation view, the entire Application content is displayed. However, you may be interested in investigating a subset of the Application (a specific module or a specific technology). Two filters are available for that purpose in the breadcrumb area, to the top right.

    • Module filter > When investigating any item in the Assessment Model, you can filter results with regard to a specific module. Please note that while drilling down, a Technical Criterion or a Rule may not apply to a specific module (e.g. a SQL Rule does not apply to a module that contains no SQL technology, so if that Rule is selected, filtering on a module to which it does not apply holds no meaning).
    • Module Search > The Search feature is available in the module selector and displays all the available modules.
    • Technology filter > The same filtering applies to the Risk Investigation.

    By default the filters are inactive (red text) and are only active when specifically selected (white text):


    Some filtering may not be relevant as you drill down. If you are investigating a JEE-specific Rule and try to filter on the HTML5 technology (for example), no data would be returned; to make this clearer, the HTML5 technology filter option is disabled (lighter grey colour) in this context. This can apply at Technical Criterion or Rule level and, in some rare cases, even at Health Measure level:

    Info
    • When investigating a specific object, the filters are disabled as they are no longer relevant.
    • For numerous reasons (confusion, bookmarks or tiles leading to rules/objects in other contexts), the filters are always reset when leaving the Risk Investigation pages.



    Risk Investigation view

    Accessible from the sidebar menu or by clicking the Risk Model tile, this view enables investigation of the application's risk from the Assessment Model perspective, moving through Health Measures/Business Criteria, Technical Criteria and Rules/Measures/Distributions right down to the objects in violation.

    By default, only Business Criteria that are categorised as Health Measures are displayed in the dashboard; all other Business Criteria are not displayed. You can override this behaviour to display ALL top-level Business Criteria if required: see Engineering Dashboard json configuration options in the CAST AIP documentation.

    Data is presented in a series of tables on the left and right hand side of the page enabling you to drill down from a Health Measure to an individual object that is in violation. Take for example the top level list of Health Measures:


    Selecting a Health Measure in this table will display all of the contributing Technical Criteria in the right hand section:


    Info

    When a Health Measure is selected, the first row in the Technical Criteria list will be titled "All Rules...". Selecting this item will display a list of all the Rules that contribute to the selected Health Measure:


    Selecting a Technical Criterion will move it to the left hand side of the page and display all of the contributing Rules in the right hand section:


    Selecting a contributing Rule will move the item to the left hand side of the page and display details about it (including the list of objects in violation, computing details, and rule/distribution/measure documentation) in the right hand section:



    Info

    Note that when there are many violations to display, a "Show More" button will be available:


    By default, only 10 violations are displayed to improve performance. You can choose to display more using the various options (+10, +100 etc.). By default an upper maximum of 5000 violations is set when the "All" option is clicked. You can change the upper maximum if required (see the violationsCount option in Engineering Dashboard json configuration options from the CAST AIP documentation).

    Finally, depending on the item (Rule, Distribution, Measure), you can do as follows:

    Technical Debt Tile

    You may create a Technical Debt tile to display the total Added and Removed OMG Technical Debt and the total number of days.

    The tile is configured as below in the ed.json file (formerly ced.json):


    {
        "type": "OMGTechnicalDebt",
        "parameters": {
            "business": "1062100"
        },
        "color": "pale-blue",
        "col": 6,
        "row": 1,
        "sizex": 2,
        "sizey": 1,
        "min-sizex": 1,
        "min-sizey": 1,
        "max-sizey": 1,
        "max-sizex": 2
    }

    Click on the AUTOMATED TECHNICAL DEBT tile. It drills down to the Risk Investigation page with the CISQ Assessment Model selected and the view set to "Technical Debt (OMG)", as shown in the screen below.


    You can switch to the CISQ Assessment Model violation view from the drop-down list.


    In the Rule Details, a "Technical Debt (OMG)" section is added (as shown in the screen below), which shows the details for the Rule (Total, Added, Removed and number of occurrences).


    In the source code view, a new section list is added with icons on the left, representing the "Source Code" and "Technical Debt (OMG)" sections respectively. Clicking the "Technical Debt (OMG)" icon scrolls to the "Technical Debt (OMG)" section, where the object-level details of Adjustment Factor, UNADJUSTED EFFORT (IN MINS) and ADJUSTED EFFORTS (IN MINS) are displayed.


    Rule

    For a Rule the following sections are available:

    Violations

    Expand the list of Violations to view the objects violating the selected Rule:


    Header icons

    The following icons will be available:


    Educate: Click this icon to add the associated Rule to the Security Dashboard - Education list.
    Download: Click this icon to export the list of violations to Excel.
    Source code
    Info
    Note that Source Code is not available when viewing data from a previous snapshot.

    Select an object in the list of violations to view its source code. In order to focus investigation, source code displayed presents either:

    • the object in violation
    • or the violation details when available (e.g. bookmarks, paths).

    Whenever a piece of code is made available, the View File button (seen in the example below) provides the ability to open the entire source code file to get the entire context. The file is opened in a separate browser window. The entire source code is presented plus some context (application name, snapshot reference, file name).

    The Rule name is also highlighted using colour (yellow for a standard Rule (as shown below), and red for critical):



    Info

    Please note that in the current release of CAST AIP, the display of source code is limited in functionality:

    • The source code does not currently show all violations for Rules that reference User Input Security elements, such as:
      • The Rule "Avoid direct or indirect remote calls inside a loop"
    Parameter values for last snapshots and when there are no violations

    Clicking on a Rule displays the Parameter details section (along with the other sections: Violations, Computing details and Rule documentation) in the Risk Investigation view. This section displays the parameter name, technology and value for the selected Rule.


    Parameter details will be displayed for the current snapshot as well as for the previous snapshot if the rule is "parameterized". The parameter detail section also displays the data for a selected rule when no violations exist. This section displays a message "No parameter details available" if the selected rule does not have parameter details:


    When a Rule involves "cyclical calls", such as the Rule "Avoid cyclical calls and inheritances between packages", the source code display is altered slightly as follows. A cyclical call means two packages refer to each other through a call, which can result in a circular dependency. So in this case, the dashboard does not show the detailed source code but the list of packages involved, so that it can show where these cyclical calls are located.


    If a "copy/pasted" Rule has been selected (for example Avoid Too Many Copy/Pasted Artifacts), the objects that have a high level of similarity with the selected object are listed:


    After clicking on the object in the Violation details table, a separate page will be opened to show the comparable code fragments (see image below - click to enlarge):

    • A tab will open split into two areas (left/right) to display selected component source code and master source code (on left by default)
    • Component Selector exists in two areas so that you can change the component source code display by selecting the item
    • File selector is under component selector (with black background) so that you can see the component source code located in each file


    Bookmarks

    When results include violation bookmarks in the source code, the dashboard can access more details about the actual defects in the object for the current Rule. The violation bookmarks are displayed per defect found; the display follows the same pattern as the object source code viewer: each code fragment is associated with its related file and the violation bookmark is highlighted using colour (yellow for a standard Rule, red for critical, as shown below). Multiple bookmarks may be associated with a single defect (as shown below):


    A More defects button will appear when there are more than five defects in the object for the current Rule:


    If a defect contains multiple bookmarks, then the Primary/Secondary bookmark will appear to show the main bookmark and additional bookmarks as shown below. The display follows the same pattern as the object source code viewer, except that the secondary bookmark will be highlighted as blue:


    A More bookmarks button will appear when there are more than five bookmarks in one defect for the current Rule. The colour depends on whether the Rule is critical (red) or not (yellow). If you click the "View File" button, the line numbers are highlighted:


    OWASP bookmark display

    Bookmarks for defects in source code violating OWASP Rules (such as Avoid SQL injection vulnerabilities (CWE-89)) are displayed slightly differently to help you follow the violation trail within the Application:

    • Call label: this label will be displayed when the object inside the source code calls another object or method
    • Return label: this label will be displayed when the object inside the source code returns to the upper level

    You can use the "eye" icon to the right of the list to view the source code file in which the bookmark is located:


    Violation details

    The Violation details section underneath the Source Code display shows the Violation Name along with the values of the Violation Details (i.e. the "Associated Values"):


    Info
    If the Rule does not have any violation details, the message "No violation details for this Rule" will be displayed instead.

    Why is that an issue?

    You can use the Why is that an issue? option underneath the Source Code display to view the Rationale section of the Rule that has been violated. Clicking the Learn More button takes you directly to a full description of the violated Rule:


    Computing Details

    This section displays:

    • the Total checks value which indicates the total number of objects in the Application that were checked against the current Rule.
    • the number of modules in which the current Rule has been checked during the snapshot generation (3 out of 7 in the example below)
    • the % compliance of the Rule. In the example below, the current Rule has a compliance of 18.29% - in other words 18.29% of the objects checked against this Rule were found to have no violations (the higher the number, the better compliance).


    • Expanding the section (using the black arrow as explained above for the Violation list) will provide more detail. In the example below, we can see that:
      • three modules contain objects that were checked against the current Rule. A compliance % is provided for each module along with the number of objects violating the current Rule and the total number of objects in the module that were checked against the current Rule.
      • the compliance of 18.29% for the Total is the compliance percentage for all modules in the Application against the current Rule.


    Column: Explanation

    Module: Shows the name of each module that has objects, as defined during the snapshot configuration and generation.
    Total Check: The total number of objects in the module that were checked against the current Rule.
    Viol.: The number of objects in the module violating the current Rule.
    Compliance: The compliance rate for the module, i.e. the percentage of objects in the module that are compliant with the Rule.


    Info
    Note that the row containing the module name "Total" contains cumulative data for all modules displayed in the section.

    Rule Documentation

    • Expand the Rule documentation section (using the black arrow as explained above for the Violation list) to view a detailed description of the current Rule:


    If there are no Tags associated with the Rule, a "No Tag" message is shown in the "Tags" section:


    Accessing an object in the Application Investigation view

    Clicking the following icon will take you directly to the object in the Application Investigation view:


    Distribution

    For a Distribution, you can view how objects in the current Application are distributed: objects are placed into categories depending on the criteria of the Distribution itself. Sections indicate which category the objects fall into: Low/Small (green), Average, High/Large and Very High/Very Large (red). A Status column displays the status of the object between the current and previous snapshot (unchanged, added, deleted etc.). Take the example of the Size Distribution:


    • View a detailed description of the current Distribution:


    Measure

    Quality Measures are listed in the Security Dashboard, however, since Measures are never "violated" in the same way a Rule is violated, little information can be displayed other than the documentation:


    Table key

    All tables that display data in the Risk Investigation mode contain various columns. The table below lists all possible column names and provides an explanation for each:

    Health Measure

    Column: Explanation

    Added (icon): Displays the number of Violations or Critical Violations added to the current snapshot for the currently selected item since the last snapshot.
    Removed (icon): Displays the number of Violations or Critical Violations removed from the current snapshot for the currently selected item since the last snapshot.
    #Critical / #Violations: Displays the number of Violations or Critical Violations for the currently selected item. This column is also used as the default sorting criterion when items are first displayed.
    Previous: Displays the % variation of the number of Violations or Critical Violations in the current snapshot for the currently selected item compared with the previous snapshot.
    Health Measure: Name of the Health Measure.
    Technical Criterion

    Column: Explanation

    Added (icon): Displays the number of Violations or Critical Violations added to the current snapshot for the currently selected item since the last snapshot.
    Removed (icon): Displays the number of Violations or Critical Violations removed from the current snapshot for the currently selected item since the last snapshot.
    #Critical / #Violations: Displays the number of Violations or Critical Violations for the currently selected item. This column is also used as the default sorting criterion when items are first displayed.
    Previous: Displays the % variation of the number of Violations or Critical Violations in the current snapshot for the currently selected item compared with the previous snapshot.
    Technical Criterion: Name of the Technical Criterion.
    Weight: Displays the weight of the Technical Criterion in its parent Health Measure. The higher the value, the more weight the item carries.

    Rules, Distributions and Measures

    Column: Explanation

    Added (icon): Displays the number of Violations or Critical Violations added to the current snapshot for the currently selected item since the last snapshot.
    Removed (icon): Displays the number of Violations or Critical Violations removed from the current snapshot for the currently selected item since the last snapshot.
    #Critical / #Violations: Displays the number of Violations or Critical Violations for the currently selected item. This column is also used as the default sorting criterion when items are first displayed.
    Evolution: Displays the % variation of the number of Violations or Critical Violations in the current snapshot for the currently selected item compared with the previous snapshot.
    Rules...: Name of the Rule/Distribution/Measure.
    Weight: Displays the weight of the Rule/Distribution/Measure in its parent Technical Criterion. The higher the value, the more weight the item carries.
    Critical Rule: A red dot in this column indicates that the Rule has been set as critical in the Assessment Model.

    Violation
    Column: Explanation

    (icon): Option to add/remove the violation from the Action Plan or the Scheduled Exclusion List (see Security Dashboard - Action Plan for more information). Note that to interact with the Action Plan/Scheduled Exclusion List, your user login must have the QUALITY_MANAGER/EXCLUSION_MANAGER roles. These can be assigned at user level (when using Default Authentication mode) or via user or group (when using Standard LDAP authentication). Please see User authentication for more information.
    Action / Exclusions: Indicates whether the violation has been added to the Action Plan or the Scheduled Exclusion List (see Security Dashboard - Action Plan for more information):
      • Item has been added to the Action Plan.
      • Item has been added to the Scheduled Exclusion List.
    Object Name / Location: Displays the object name and, for file-based objects (as opposed to database objects), the location of the object on disk.
    Risk: This value was previously known as Propagated Risk Index (PRI). It identifies the violations that can impact the largest number of components, involving objects with the largest number of violations pertaining to the Health Measure involved. The formula used to calculate this value is as follows:

    PRI = (RPF + 1) x VI

    Where RPF and VI equal:

    RPF

    Risk Propagation Factor (RPF): identifies violations that can impact the largest number of components in the Application. The impact area is computed as follows:

    • Risk Propagation Factor for a Robustness, Performance, or Security Violation is the size of its call path
    • Risk Propagation Factor for a Changeability Violation is its Fan-In
    • Risk Propagation Factor for a Transferability Violation is zero (0).

    VI

    Violation Index (VI): identifies objects with the largest number of violations, taking into account the weight of the Rules and of the Technical Criteria, for the Health Measure involved. The formula used to calculate this value is as follows:

    For each object, identify the Rules it violates that contribute to the given Health Measure through Technical Criteria. For each such Rule, multiply the aggregate weight of the Rule within the Technical Criterion by the aggregate weight of the Technical Criterion within the Health Measure, and sum the products over all violated Rules. In other words:

    VI = Sum_of_all_rules_violated_by_the_object (Quality_rule_weight * technical_criteria_weight)


    Status: Displays the status of the object in comparison to the previous snapshot, e.g.:
      • Added
      • Updated
      • Deleted
      • Unchanged
    You can also filter on a status by selecting the column header and choosing the status you want to view.
    (icon): Clicking this icon will take you directly to the object in the Application Investigation view.
    Distribution

    Column: Explanation

    Object Name / Location: Displays the object name.
    Status: Displays the status of the object in comparison to the previous snapshot, e.g.:
      • Added
      • Updated
      • Deleted
      • Unchanged
    You can also filter on a status by selecting the column header and choosing the status you want to view.

    Measure

    Measures only display the documentation.
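    The Risk column of the Violation table key above combines two quantities, and which one is used for RPF depends on the Health Measure. The following is an added example (not CAST's own code) that implements the page's formulas, PRI = (RPF + 1) x VI and VI = sum over violated Rules of (Rule weight x Technical Criterion weight), and ranks objects worst-first for remediation. The object names, weights, call-path sizes and fan-in figures are constructed; the Rule names are ones mentioned on this page but their weights are invented for the example.

```python
# Added example (not CAST's own code): computing the Risk (PRI) value of the
# Violation table from the page's formulas PRI = (RPF + 1) x VI and
# VI = sum over violated Rules of (Rule weight x Technical Criterion weight).
# Object names, weights, call-path sizes and fan-in figures below are constructed.
from dataclasses import dataclass, field

# RPF selection per Health Measure, as the page states it.
CALL_PATH_MEASURES = {"Robustness", "Performance", "Security"}  # RPF = call-path size
FAN_IN_MEASURES = {"Changeability"}                               # RPF = fan-in
ZERO_MEASURES = {"Transferability"}                               # RPF = 0


@dataclass
class ViolatedRule:
    rule: str
    rule_weight: int  # aggregate weight of the Rule within its Technical Criterion
    tc_weight: int    # aggregate weight of the Technical Criterion within the Health Measure


@dataclass
class ObjectViolations:
    name: str
    call_path_size: int
    fan_in: int
    rules: list = field(default_factory=list)  # Rules this object violates for the Health Measure


def risk_propagation_factor(obj: ObjectViolations, health_measure: str) -> int:
    """RPF: size of the impact area, chosen according to the Health Measure."""
    if health_measure in CALL_PATH_MEASURES:
        return obj.call_path_size
    if health_measure in FAN_IN_MEASURES:
        return obj.fan_in
    if health_measure in ZERO_MEASURES:
        return 0
    raise ValueError(f"no RPF definition for Health Measure {health_measure!r}")


def violation_index(obj: ObjectViolations) -> int:
    """VI: weighted count of the Rules the object violates."""
    return sum(r.rule_weight * r.tc_weight for r in obj.rules)


def propagated_risk_index(obj: ObjectViolations, health_measure: str) -> int:
    """Risk column value: (RPF + 1) x VI."""
    return (risk_propagation_factor(obj, health_measure) + 1) * violation_index(obj)


def rank_by_risk(objects, health_measure: str):
    """Objects ordered worst first, the order in which to plan remediation."""
    return sorted(objects, key=lambda o: propagated_risk_index(o, health_measure), reverse=True)


# Constructed sample: two objects violating Rules that contribute to the Health Measure.
SAMPLE_OBJECTS = [
    ObjectViolations("OrderService.process", call_path_size=12, fan_in=3, rules=[
        ViolatedRule("Avoid SQL injection vulnerabilities", rule_weight=7, tc_weight=5),
        ViolatedRule("Avoid direct or indirect remote calls inside a loop", rule_weight=3, tc_weight=5),
    ]),
    ObjectViolations("AuditLog.write", call_path_size=2, fan_in=20, rules=[
        ViolatedRule("Avoid cyclical calls and inheritances between packages", rule_weight=9, tc_weight=8),
    ]),
]

if __name__ == "__main__":
    for measure in ("Security", "Changeability", "Transferability"):
        for obj in rank_by_risk(SAMPLE_OBJECTS, measure):
            print(f"{measure:15} {obj.name:22} VI={violation_index(obj):3} "
                  f"RPF={risk_propagation_factor(obj, measure):2} "
                  f"Risk={propagated_risk_index(obj, measure)}")
```

    Note how the same two objects swap places between Security and Changeability: the object with the long call path dominates when propagation is measured along calls, while the heavily reused object dominates when fan-in is the propagation measure. For Transferability the ranking collapses to VI alone.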
