Page tree
Skip to end of metadata
Go to start of metadata

Parametrization Environment Profiles (J2EE / VB)


When creating custom Environment Profiles for the J2EE and VB technologies, it is possible to define Method Parametrization so that analyzers can correctly identify links that are defined via custom methods:

You can either import existing Java/VB methods from the CAST Analysis Service (results from previous J2EE/VB analyses that have already been run) or add new custom Java methods or VB methods that cannot be imported as they do not form part of an existing analysis stored in the CAST Analysis Service. You then need to define your parametrization - i.e. the action that the analyzer needs to undertake when the method in question is encountered during an analysis.

What is parametrization?

Parametrization helps control the behavior of the CAST J2EE (Java part) and VB Analyzers in order to match your custom dynamic programming methods. CAST Analyzers are automatically capable of detecting standard dynamic calls or object creation during a source code analysis. However, you may have defined your own functions or objects to manage object creation and dynamic calls. Parametrization enables you to tell the CAST Analyzers about your custom object creation methods so that they can correctly detect all dynamic and late binding calls automatically.

Java

Parameterization must be used in the following Java scenarios:

  • Concatenate and parse SQL code (should be done for any JDBC based application)

  • Automatically ignore false links. It is well known that our analyzer will pickup invalid links in applications that have a poor naming convention. The standard behavior of the analyzer when is to resolve dependencies from all quoted strings containing the name of an object. This can lead to false links especially with "messages" functions such as login methods and Exception handling.

  • Concatenate and find late binding dependencies when applications use the "object factory" pattern

This means it is possible to parameterize a method call made within a class, as well as those made within a scriptlet in a JSP (<% %>).

  Note that only the following Java parameter types can be parametrized:

  • java.lang.Object
  • java.lang.String
  • java.lang.StringBuffer
  • java.util.Vector

VB

When you write a VB program using ActiveX, you can choose whether to use early or late binding. When using early binding, references to the ActiveX are always found by the VB Analyzer. When using late binding, references to ActiveX are dynamic, making it sometimes very hard to find such references.

A very simple VB example that is easily found by the VB Analyzer, is the usage of CreateObject with the name of the ActiveX as a string, for example:

CreateObject("MyProject.MyClass").

From version to version, VB Analyzer has been improved to find these references more and more easily. In previous versions, it was often necessary to use a Reference Pattern or a Refined Target to complete an analysis. With recent versions, two major improvements were brought to the analyzer that make the use of these options less likely. The first improvement is the inference engine that finds the usage of an ActiveX when its name is defined in a variable or a constant for example. This enables you to find links when using code such as:

Dim Str as String Str = "MyProject.MyClass"
CreateObject( Str)

Furthermore, this allows you to find links calling methods of the ActiveX. For example:

function f() as boolean dim var1 as string if ( test ) then var1 = "A.B"
else var1 = "A.C"
end if set var = CreateObject(var1) ' Link with B & C coclasses var.method1 ' Link with methods method1 of B & C end function

On top of that, Parametrization enables you to find links to ActiveX when the call is not made using CreateObject or CreateInstance (default VB functions), but an in-house method (that is by definition not known by the analyzer such as "MyCreateObject"). Usually these functions call CreateObject.

Parametrization Rules

When you want to parametrize a method via a custom Environment Profile, you need to create a Rule. A rule is made up of the following items (these fields are displayed in the Add/Edit Rule dialog box, which is displayed below).

  • Trigger (also knows as the Signature) > defines the method you want to parametrize.
  • Indexed Parameters (also known as Extractions) > The Indexed Paremeters are a set of values that define the data that needs to be extracted from the method's parameters as entered in the Trigger field. It is possible to create as many Indexed Parameters as you want. An Indexed Parameter is composed of the following items:
    • Id > This a unique name that is used to identify each Indexed Parameter. CAST will provide a default Id, although this can be changed if necessary.
    • Index > This element is used to define the position of the method's parameter whose value you want to extract. Note that when parametrizing Java methods it is possible to extract the signature - if this is the case, enter 0 in this field.
    • Regular Expression > This element is used to extract part of the parameter value (if necessary). It is defined in Perl format - note that this field is not available when parametrizing VB methods. By default it is set to .*
  • Action > There are three types of Action that will be carried out when one of your Triggers is encountered. The action will be applied to the available data as defined by the Indexed Parameters.
    • Resolve > This action will force the creation of a link to an object whose name corresponds to the value defined in the Callee Name field. The Callee Name can be defined using variable and constant expressions. The variable expressions are the previously defined Indexed Parameters (Id field) and they can be used by placing the Id between % characters. For example, if you define an Indexed Parameter whose Id is "e1", you can reference it using the string"%e1%". You can create concatenation by placing strings one after the other. For example, if you enter the value "%e1%.run" and one of the values of the Indexed Parameter (extraction) "e1" is "mythread", then the Callee Name will take the value "mythread.run".

      It is also possible to use Macros (see below) to replace certain strings. Macros must be delimited between hashes (#), and it is possible to nest as many macros as you require. It is thus possible to use the following expression: "#if(#eq(%e1%,foo)#,%e2%)#". This expression signifies that if the Indexed Parameter "e1" takes the value "foo", then the expression will take the value f the extraction "e2", if not then the result will be an empty string. Where the resulting expression is an empty string (as in the case above), then the Resolve action will be abandoned.
    • No Link > This action will make sure that no dynamic link will be created towards an object whose name is a substring of the Callee Name.
    • Return Type > The Return Type action allows you to specify the return for the parametrized method. Thus the analyzer will then know the type of object that is retrieving the return value and thus resolve the method calls applied to this object. In this case, the Callee Name represents the name of the return type. Note that the return type action is specific to the VB analyzer.
Available macros
  • #if(<condition>,<then>[,<else>])#
    If the condition is satisfied, the resulting expression is the <then> expression, else the <else> expression.  The <else> parameter is optionnal, so the resulting expression may be the empty string.
  • #substr(<string>,<pos>,<len>)#
    Returns a sub string of the parameter <string>. The string returned is the one beginig at position
    <pos> and of lenght <len>.
  • #trim(<string>)#
    Returns a string from which whitespaces have been removed from the right and left.
  • #ltrim(<string>)#
    Returns a string from which whitespaces have been removed from the left.
  • #rtrim(<string>)#
    Returns a string from which whitespaces have been removed from the right.
  • #eq(<string>,<string>)#
    Returns 1 (true) if both strings are equal, else 0 (false).
  • #neq(<string>,<string>)#
    Returns 1 (true) if both strings are not equal, else 1 (true).
  • #and(<boolean>,<boolean>)#
    Returns 1 (true) if both parameters value are 1 (true), else 0 (false)
  • #or(<boolean>,<boolean>)#
    Returns 1 (true) if one parameter value is 1 (true), else 0 (false)
Java Examples

Concatenate and parse SQL code

In the example below, the method saveAnimal is the method performing the necessary action to execute the query specified as the third parameter into the database:

private void storeAnimals(){   String AnimalName = "Pitbull";   TableName = getTblNamePrefixe() +AnimalName + getTblNameSufixe();   saveAnimal(ClsAnimalName, "no" + "m" , "insert into " + TableName);}private String getTblNameSufixe() {   return "_Tbl";}public static String getTblNamePrefixe() {   return "The_";}

Without parametrization, the analyzer would produce the following results displayed in CAST Enlighten:

When parameterizing the method saveAnimal, the inference engine is used to reconstruct the value of the parameter, i.e. the SQL statement that will be executed on the database engine. This results in:

Parametrization details:

In this parameterization, we specified the third parameter as a Server Object and selected the type Use. The string found as a value for this parameter will be parsed by the SQL analyzer to determine the link type. In the example above, we can see that the link type is Ui for Use and Insert. The links are created from each method or field having a "piece" of the reconstructed string.

Automatically ignore false links

Ignoring links caused by a string used as parameters for System.out.println()

private void doSomething(){   System.out.println("Object should not go in this table");}

Without parametrization, the analyzer would produce the following results displayed in CAST Enlighten:

With parametrization of the System.out.println method

Parametrization details:

In this parametrization, we specified the first parameter as NO link type. This action will remove the dependencies to the table from methods with the same signature.

Concatenate and find late binding dependencies

For example:

private void storeAnimals(){   String AnimalName = "Boeuf";   String ClsAnimalName = "virtualfonctcalls.";   ClsAnimalName.concat(AnimalName);   saveAnimal(ClsAnimalName, "no" + "m" , "nothing");}

In this example, the saveAnimal method takes two parameters. The first one is the class name, and the second one corresponds to the method name. We know that this method instantiates a class defined by the first parameter and then calls the method defined by the second parameter. We will use the parametrization to mimic this behavior.

Without parametrization, the analyzer would produce the following results displayed in CAST Enlighten:

With parametrization of the saveAnimal method, the inference engine is used to reconstruct the value of both parameters, i.e. the fully qualified name of the Class and the name of the method:

Parametrization details:

This parametrization configures the two parameters of the method. The first one to tell the analyzer it is a Java Class, the second one to tell the analyzer it is a Java Method belonging to the Class specified as the first parameter.

Creating parametrization - importing existing methods

This section explains how to parametrize methods that already exist in the CAST Analysis Service.

  • Click the button to view a list of Java/VB methods that already exist in the CAST Analysis Service. The Import dialog box will be displayed:

    This dialog box lists all Java/VB projects that have already been analyzed and stored in the CAST Analysis Service. The left hand section lists the projects by job name and the right hand section displays the contents of an item selected in the left hand section. Choose the methods you want to parametrize (place a check mark next to them) and then click Import.
  • The imported methods will now be displayed in the main window. Their parameters will be displayed in brackets next to the method name:

    You can use the button to make an identical copy of a selected Method

    You can use the button to remove a selected Method

    You can use the Action column to sort the Methods you have already parametrized, from those that have not yet been parametrized.

  • To parametrize your imported methods via the creation of a rule, double click one of the methods in the list (or right click the method and select Open) - the Add/Edit Rule dialog box will be displayed (for more information about the fields in this dialog box, please see the Parametrization Rules section above):
    Trigger Name of the method you want to parametrize as selected in the Parametrization tab.
    Indexed Parameters This section enables you to define the Indexed Parameter for your trigger:
    • Click the icon to create a new entry.
    • Enter an Id. This must be unique.
    • Enter the Index you want to parametrize - the value you enter corresponds to the parameter as listed in the Trigger field. E.g. Entering 1 in the Index field for the trigger DBObject.Author.setAu_fname(java.lang.String) would correspond to the parameter java.lang.String
    • Finally enter your Regular Expression.
    • You can use the button to make an identical copy of a selected Indexed Parameter
    • You can use the button to remove a selected Indexed Parameter
    Actions The Actions section enables you to define what the analyzer will do if it encounters one of your parametrized methods. You can either create a link, specify that no link be created or define a Return Type (VB only).

    Add Link

    • Click the button to add a link for your Indexed Parameter. The Add/Edit Link dialog box will be displayed:
    • Choose the type of link you want the analyzer to create when it encounters the method (choose from a drop down list).
    • Enter the Callee Name. This field needs to be filled in according to the information you entered in the Indexed Parameters section. In the example above, there is only one parameter, thus we have entered %e1% corresponding to the entry in the Indexed Parameter section.

      If you have created two entries in the Indexed Parameters section as follows:
      e1 1 .*
      e2 2 .*

      then you need to create an entry in the Callee Name field as follows: %e2%.%e1%

    • Finally select a Callee Type. Clicking the Browse button will display a dialog box in which you can select the object type you require.

    Add No Link

    • Click the button to add no link for your Indexed Parameter.
    • A new entry will be created in the list - No Link will be displayed in the Type column. Fill in the Callee Name field.

    Add Return Type (VB only)

    • Click the button to add a return type for your Indexed Parameter. The Add/Edit Return Type dialog box will be displayed:
    • Enter the Callee Name. This field needs to be filled in according to the information you entered in the Indexed Parameters section. For example:
       

      If there is one entry in the Indexed Parameter section, simply enter it in the Callee Name field, for example %e1%.

      If you have created two entries in the Indexed Parameters section as follows:

      e1 1 .*
      e2 2 .*

      then you need to create an entry in the Callee Name field as follows: %e2%.%e1%

    • Finally select a Callee Type. Clicking the Browse button will display a dialog box in which you can select the object type you require.

    Notes

    • The link will be created from the object where the string has been found and not from the parameterized method call. This is simply because all dynamically found dependencies will otherwise be initiated from the very same object.
    • When parameterizing a method's parameter, the Inference Engine will be used to recreate the exact string passed as a parameter.
    User Comment Enter a comment in the User Comment field (not obligatory) to help distinguish your method.
  • Click Close in the Add/Edit Rule dialog box once you have created the rule.
  • The new rule will be displayed next to the method in the main window.
  • Repeat the rule creation process for all other methods you have imported.
Creating Parametrization - using new methods

This section explains how to parametrize brand new methods.

  • Click the button to create a new method rule. The Add/Edit Rule dialog box will be displayed (for more information about the fields in this dialog box, please see the Parametrization Rules section above):
    :
    Trigger Enter the name of the method you want to parametrize.
    Indexed Parameters This section enables you to define the Indexed Parameter for your trigger:
    • Click the icon to create a new entry.
    • Enter an Id. This must be unique.
    • Enter the Index you want to parametrize - the value you enter corresponds to the parameter as listed in the Trigger field. E.g. Entering 1 in the Index field for the trigger DBObject.Author.setAu_fname(java.lang.String) would correspond to the parameter java.lang.String
    • Finally enter your Regular Expression.
    • You can use the button to make an identical copy of a selected Indexed Parameter
    • You can use the button to remove a selected Indexed Parameter
    Actions The Actions section enables you to define what the analyzer will do if it encounters one of your parametrized methods. You can either create a link, specify that no link be created or define a Return Type (VB only).

    Add Link

    • Click the button to add a link for your Indexed Parameter. The Add/Edit Link dialog box will be displayed:
    • Choose the type of link you want the analyzer to create when it encounters the method (choose from a drop down list).
    • Enter the Callee Name. This field needs to be filled in according to the information you entered in the Indexed Parameters section. In the example above, there is only one parameter, thus we have entered %e1% corresponding to the entry in the Indexed Parameter section.

      If you have created two entries in the Indexed Parameters section as follows:
      e1 1 .*
      e2 2 .*

      then you need to create an entry in the Callee Name field as follows: %e2%.%e1%

    • Finally select a Callee Type. Clicking the Browse button will display a dialog box in which you can select the object type you require.

    Add No Link

    • Click the button to add no link for your Indexed Parameter.
    • A new entry will be created in the list - No Link will be displayed in the Type column. Fill in the Callee Name field.

    Add Return Type (VB only)

    • Click the button to add a return type for your Indexed Parameter. The Add/Edit Return Type dialog box will be displayed:
    • Enter the Callee Name. This field needs to be filled in according to the information you entered in the Indexed Parameters section. For example:

      If there is one entry in the Indexed Parameter section, simply enter it in the Callee Name field, for example %e1%.

      If you have created two entries in the Indexed Parameters section as follows:

      e1 1 .*
      e2 2 .*

      then you need to create an entry in the Callee Name field as follows: %e2%.%e1%

    • Finally select a Callee Type. Clicking the Browse button will display a dialog box in which you can select the object type you require.

    Notes

    • The link will be created from the object where the string has been found and not from the parameterized method call. This is simply because all dynamically found dependencies will otherwise be initiated from the very same object.
    • When parameterizing a method's parameter, the Inference Engine will be used to recreate the exact string passed as a parameter.
    User Comment Enter a comment in the User Comment field (not obligatory) to help distinguish your method.
  • Click Close in the Add/Edit Rule dialog box once you have created the rule.
  • The new rule will be displayed next to the method in the main window.
  • Repeat the process for all new methods you want to parametrize.
Removing and cloning parametrized methods

Methods that are listed in the main window as shown below can be removed or cloned for easy management:

  • Use the button to clone a selected method. You can clone multiple methods if required.
  • Use the button to remove a selected method. You can remove multiple methods if required.
Special characters

If you want to include special characters such as back slashes or spaces in your Parametrization configuration (for example a Callee Name "\%e1%\"), please note the following rules:

  • To include any of the following characters, please precede the character with a backslash "\":
    • % (percent sign)
    • # (hash)
    • ( (open round bracket)
    • ) (close round bracket)
    • , (comma)
    • \ (backslash)

    For example to represent a Callee Name \%e1%\, you need to enter \\%e1%\\

  • To include a space, simply enter a space.
See Also

J2EE Environment Profiles


CAST Website

  • No labels