Summary: This page describes the new features and bugs that have been fixed in the CAST Security Dashboard 1.11.0.

Content matrix

Version    Summary of content
1.11.0     • RestAPI APIKEY for SAML bypass
           • Parameter details now displayed for parameterized rules
           • Ability to add custom report categories
           • New CODE_RESTRICTED role
           • Background Facts tiles

New features

RestAPI APIKey for SAML authentication

If you have enabled SAML authentication mode for your CAST Security Dashboard/RestAPI deployment, some client applications may not be able to authenticate. This is because SAML is designed as a single sign-on mode for browsers, so non-browser clients cannot use the protocol. To resolve this, CAST provides the ability to define an API Key in the CAST Security Dashboard/RestAPI that can be used to bypass SAML authentication.

How does this work?

You can find out more about this in RestAPI authentication using an API key.

GUI updates for Quality Standards and custom tags

It is now possible to:

Both features can be added together or separately.

If configuring Quality Standards tags, the extension Quality Standards Mapping must be installed prior to generating the snapshot, otherwise no tag data is available and neither feature will return any results.

Custom tiles

To create a custom tile, modify (using a text editor - Notepad or other similar application) the following file that is part of your deployed dashboard and add a tile or tiles using the configuration shown below in the profiles > areas > panels section alongside other tiles:

%CATALINA_HOME%\webapps\CAST-Security\security\resources\ced.json
For v.≥ 1.18: %CATALINA_HOME%\webapps\CAST-Security\security\resources\ed.json

Configuration

Example

This example will display a tile showing the number of violations tagged with a custom injected tag called CUSTOM-TAG:

{
	"type": "SecurityTile",
	"parameters": {
		"business": "60016",
		"rule": "CUSTOM-TAG",
		"title": "My Top PRIORITY",
		"id": "CUSTOM-TAG",
		"description": "violations"
	},
	"color": "blue",
	"col": 1,
	"row": 12,
	"sizex": 1,
	"sizey": 1,
	"max-sizex": 2,
	"max-sizey": 1
}

Drill down behaviour

Clicking on any of these tiles navigates to the Risk Investigation view with the specific tag selected in a drop-down at the top of the table, therefore filtering and displaying only rules that have this tag. "All Rules" will be selected in the Technical Criteria table by default and the list of rules displayed in the right-hand panel are those that correspond to the selected tag:

List of tags

To configure a list of tags that can be displayed in a drop-down filter in the Risk Investigation view, modify (using a text editor - Notepad or other similar application) the following file that is part of your deployed dashboard:

%CATALINA_HOME%\webapps\CAST-Security\security\resources\ced.json
For v.≥ 1.18: %CATALINA_HOME%\webapps\CAST-Security\security\resources\ed.json

Add the feature in the "configuration": { section at the start of the file:

"ruleTag": ["tag","tag"],

For example, the following configuration adds two tags (MY-CUSTOM and MY-CUSTOM2):

{
	"description": "used as a placeholder for as much as possible relevant default application parameters, please do not edit manually",
	"configuration": {
		"defaultLanguage": "English",
		"description": "To configure new language for application, define customLanguages as [{'label': 'languageName', 'value': 'localeFolderName'}]",
		"customLanguages": [],
		"requestAccess": false,
		"confirmLogout": true,
		"filterHealthFactor": true,
		"violationsCount": 5000,
		"ruleTag": ["MY-CUSTOM", "MY-CUSTOM2"],

Note that when drilling down from the Risk Investigation tile, the drop-down tag list is not displayed when a Health Measure is selected; instead, you will need to select a child Technical Criteria or the All Rules option.
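The two configuration changes described above (a custom tile under profiles > areas > panels and a "ruleTag" entry in the "configuration" section) are easy to get wrong by hand in a large JSON file. As an added example, not part of the CAST documentation or the dashboard's own code, the following Python script applies both changes programmatically. The sample configuration, the modelling of profiles, areas and panels as nested arrays, and the check that a new tile does not overlap an existing one on the grid are assumptions for illustration; verify them against your deployed ced.json / ed.json before use.

```python
import json
from copy import deepcopy

# Constructed stand-in for the parts of ced.json / ed.json this script touches.
# The real file has many more keys; modelling profiles, areas and panels as nested
# arrays is an assumption drawn from the page's "profiles > areas > panels" wording.
SAMPLE_CONFIG = {
    "configuration": {"defaultLanguage": "English", "violationsCount": 5000},
    "profiles": [
        {"name": "default", "areas": [
            {"name": "main", "panels": [
                {"type": "SecurityTile", "parameters": {"id": "existing-tile"},
                 "col": 1, "row": 1, "sizex": 1, "sizey": 1},
            ]},
        ]},
    ],
}


def make_tag_tile(tag, title, row, col=1, business="60016"):
    """Build a SecurityTile for a custom tag, shaped like the page's example."""
    return {
        "type": "SecurityTile",
        "parameters": {"business": business, "rule": tag, "title": title,
                       "id": tag, "description": "violations"},
        "color": "blue",
        "col": col, "row": row,
        "sizex": 1, "sizey": 1,
        "max-sizex": 2, "max-sizey": 1,
    }


def tiles_overlap(a, b):
    """True if two tiles' grid rectangles (col/row/sizex/sizey) intersect."""
    ax, ay, aw, ah = a["col"], a["row"], a.get("sizex", 1), a.get("sizey", 1)
    bx, by, bw, bh = b["col"], b["row"], b.get("sizex", 1), b.get("sizey", 1)
    return ax < bx + bw and bx < ax + aw and ay < by + bh and by < ay + ah


def add_rule_tags(config, tags):
    """Append tags to configuration.ruleTag, creating the list if absent; no duplicates."""
    rule_tags = config.setdefault("configuration", {}).setdefault("ruleTag", [])
    for tag in tags:
        if tag not in rule_tags:
            rule_tags.append(tag)
    return rule_tags


def add_tile(config, tile, profile=0, area=0):
    """Insert a tile into profiles[profile].areas[area].panels.

    Refuses duplicate ids and, as a sanity check of this script rather than a
    documented dashboard rule, tiles that would overlap an existing one.
    """
    panels = config["profiles"][profile]["areas"][area]["panels"]
    tile_id = tile["parameters"]["id"]
    for existing in panels:
        existing_id = existing.get("parameters", {}).get("id")
        if existing_id == tile_id:
            raise ValueError(f"tile id {tile_id!r} already present")
        if tiles_overlap(existing, tile):
            raise ValueError(f"tile {tile_id!r} overlaps {existing_id!r}")
    panels.append(tile)
    return panels


def patch_config(config, tag, title, row):
    """Return a copy of config with the tag in ruleTag and a matching tile added."""
    patched = deepcopy(config)
    add_rule_tags(patched, [tag])
    add_tile(patched, make_tag_tile(tag, title, row))
    return patched


def patch_file(path, tag, title, row):
    """Apply patch_config to a ced.json / ed.json on disk (back the file up first)."""
    with open(path, encoding="utf-8") as fh:
        config = json.load(fh)
    patched = patch_config(config, tag, title, row)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(patched, fh, indent="\t")
    return patched


if __name__ == "__main__":
    result = patch_config(SAMPLE_CONFIG, "CUSTOM-TAG", "My Top PRIORITY", 12)
    print(json.dumps(result["configuration"]["ruleTag"]))
```

Run it against a copy of the file with patch_file(r"%CATALINA_HOME%\webapps\CAST-Security\security\resources\ced.json", "CUSTOM-TAG", "My Top PRIORITY", 12) after expanding the path; json.dump rewrites the whole file, so keep a backup to diff against.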

Injecting custom tags

If you need to use custom tags in the GUI features described above, you can manually inject them using curl. For example:

curl -X PUT --header "Content-type: text/csv" --upload-file data.csv http://server:port/CAST-Security/rest/{Domain}/custom-quality-tags

Where data.csv contains the custom tags you wish to inject, using a rule ID and custom tag pair on each line as follows:

3626;CUSTOM-TOP-PRIORITY-RULES

See also: Health Results Resources - 1.11.x.
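As an added example (not from the CAST documentation), this Python helper builds and validates the data.csv payload for the custom-quality-tags resource and prepares the same PUT request that the curl command above sends. The rule ID/tag pairs other than 3626, the server URL and the domain name MY_DOMAIN are constructed placeholders; the only format rules enforced are the ones visible on this page (a numeric rule ID and a tag separated by a semicolon, one pair per line), plus rejecting tag names that would corrupt that format.

```python
import re
import urllib.request

# A tag must be non-empty and must not contain the field separator or a line
# break, otherwise the 'ruleId;TAG' line format would be corrupted. Any stricter
# naming rule the server may enforce is not documented on the page.
TAG_RE = re.compile(r"^[^;\r\n]+$")


def render_tag_csv(assignments):
    """Serialize {rule_id: [tag, ...]} into 'ruleId;TAG' lines, one pair per line."""
    lines = []
    for rule_id, tags in assignments.items():
        if not isinstance(rule_id, int) or rule_id < 0:
            raise ValueError(f"rule id must be a non-negative integer: {rule_id!r}")
        for tag in tags:
            if not TAG_RE.match(tag):
                raise ValueError(f"invalid tag name: {tag!r}")
            lines.append(f"{rule_id};{tag}")
    return "\n".join(lines) + "\n"


def parse_tag_csv(text):
    """Parse the same format back into {rule_id: [tags]}; blank lines are ignored."""
    result = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(";")
        if len(parts) != 2 or not parts[0].isdigit() or not TAG_RE.match(parts[1]):
            raise ValueError(f"line {lineno}: malformed row {raw!r}")
        result.setdefault(int(parts[0]), []).append(parts[1])
    return result


def build_upload_request(base_url, domain, csv_text):
    """The request the page's curl command sends, as a urllib Request (not sent here)."""
    url = f"{base_url.rstrip('/')}/CAST-Security/rest/{domain}/custom-quality-tags"
    return urllib.request.Request(
        url,
        data=csv_text.encode("utf-8"),
        headers={"Content-type": "text/csv"},
        method="PUT",
    )


def upload_tags(base_url, domain, assignments, opener=urllib.request.urlopen):
    """Render, validate and PUT the tags; returns the HTTP status code."""
    request = build_upload_request(base_url, domain, render_tag_csv(assignments))
    with opener(request) as response:
        return response.status


if __name__ == "__main__":
    # Constructed sample: rule 3626 from the page plus a placeholder rule id.
    sample = {3626: ["CUSTOM-TOP-PRIORITY-RULES"], 999999: ["CUSTOM-TAG"]}
    print(render_tag_csv(sample), end="")
```

The opener parameter on upload_tags exists so the call can be exercised against a stub in tests; in production leave it at the default and pass the dashboard's base URL and domain, and handle the HTTPError that urllib raises for a non-2xx response.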

Easy method for locating violations added to Action Plan or Exclusions list

The icons displayed in the violation lists in the Application Investigation, Risk Investigation and Transaction Investigation views to depict violations that have been added to the Action Plan or Exclusion list are now clickable. Clicking an icon will take you directly to the Action Plan/Exclusion List and highlight the violation.

The following icons are now clickable:

Highlighted violation on clicking an icon:

Ability to view parameter names and values for parameterized rules

After selecting any "parameterized" rule (legacy rules only), it is now possible to see the Parameter Details section under the "Violation Details" section. The Parameter Details section displays each Parameter Name along with its value.

Ability to add a Custom Report category

It is now possible to add your own Custom Report category, alongside the existing default "Custom Report" category. This custom category can then be populated with custom reports in exactly the same way as the default "Custom Reports" category. See Security Dashboard - Report Generation configuration for more information.

Improvement to Show More button

The behaviour of the Show More button has been improved in this release. Now when choosing to show additional violations using the +10, +100 or All options, the list of violations will anchor to the next set of violations instead of resetting and anchoring to the start of the list. The Show More button is available in various pages throughout the dashboard:

Basic Search results now exclude critical rules when "Only critical violations" filter is active

The Basic Search will now exclude rules flagged as critical from the search results when the Only critical violations filter is active. When searching for a non-critical rule and the Only critical violations filter is active, a message will be displayed stating No results were found to match your search. In previous releases, non-critical rules were included in the search results even when the Only critical violations filter was active.

Basic Search and Only critical violations filter are located in the top menu bar:

Background Facts tiles

It is now possible to configure a tile to display Background Facts that you have manually configured and uploaded during the snapshot generation (see Background Facts and Business Value Metric upload). The tile can display information about one metric that you have defined in the uploaded Background Facts file. See Engineering Dashboard tile management for more information about configuring the tile.

New CODE_RESTRICTED role

A new role has been implemented in this release: CODE_RESTRICTED. This role can be granted to users who do not have the right to view source code in the Security Dashboard. For example:

To enable the role, see User roles. When enabled, a message is displayed in the Dashboard as follows:

Advanced Search - Transactions ordered by TRI value and ability to filter on Business Risk driver

The Advanced Search for Transactions has been modified:

Add custom filters to Action Plan based on 'Comment', 'Priority' and 'Status' columns

In the Action Plan list it is now possible to filter the table by Priority, Status and Comment columns. The count for 'added', 'pending' and 'solved' will therefore adjust depending on the selected filter. Filter icons are now added to the column headings:

When the filter icons in the column headings are clicked, a drop-down list is displayed offering various options as follows:

Export rule details to XLSX file from Application Investigation view

It is now possible to export rule details to an Excel compatible XLSX file from the Application Investigation view:

The resulting XLSX file will contain the following details: