OMG Automated or Contextual Technical Debt Measure - 2.0

Extension ID

com.castsoftware.omg-atdm

What’s new?

Description

Release ≥ 2.x of this extension uses CTDM (Contextual Technical Debt Measure) to calculate Technical Debt values. CTDM is a recognized nomenclature for a customized ATDM (Automated Technical Debt Measure) as described in chapter 6.3 of the OMG ATDM specification 1.0, see: https://www.omg.org/spec/ATDM/1.0/PDF . For this extension, CTDM uses a combination of remediation effort produced by the ISO-5055 measure and remediation effort produced by CAST Imaging Core. This means that the number of rules taken in to account by this release of the extension is higher than in release 1.x of the extension (ATDM), which only considered “CISQ” Business Criteria. As a direct result, Technical Debt values will be higher for release ≥ 2.x of the extension and are therefore not comparable with release 1.x. You can see a list of Technical Criteria used by the extension below.

The technical debt values are computed for all violations which have an entry with a remediation effort at Business Criteria or Rule level. Effort is taken in to account in the following order:

Rule
CISQ index (if the com.castsoftware.cisq-index extension is installed)
ISO-5055 index
CAST Imaging Core (TQI)

Therefore:

If an effort exists at rule level, then this effort is applied for the rule
If an effort exists at CISQ level then this effort is applied
if an effort exists for the rule at ISO-5055 level then this effort is applied
otherwise effort from CAST Imaging Core is applied.

Technical Debt is calculated as follows: at the object/rule level and then aggregated at Rule, Technical Criterion, Business Criterion, Module and Application level. The details at rule level are computed on demand by default, this means the results are not stored at the object and rule level - this is to reduce the volume of generated data and to improve performance.

Note that this extension is not a replacement for the built-in Technical Debt measures included in CAST Imaging Core “out-of-the box”. Indeed both the existing Technical Debt measures and this extension can be used at the same time. In other words, the installation of this extension does not mean that the calculation of the existing Technical Debt measures will be disabled.

Compatibility and requirements


Product	Release	Required	Notes
CAST Imaging Core	≥ 8.3.34		For 8.3.34 - 8.3.36, ISO remediation efforts are not available, however, default ISO remediation efforts (as provided in 8.3.37) will be used instead.
Dashboard/RestAPI	≥ 2.3.1		-
com.castsoftware.omg-ascqm-index	Any	Recommended	If the ISO-5055 extension is not installed, only the Technical Criteria from CAST Imaging Core will be used to generate the Technical Debt values.
com.castsoftware.cisq-index	Any	Optional	Only required if you want to ALSO view ATDM values (which are based on CISQ Index) as in version 1.x.

OMG-ATDM version


Version	Supported
2.0 (October 2021)

Download and installation instructions

The extension will not be automatically downloaded and installed in CAST Imaging Console. If you need to use it, should manually install the extension.

Assessment Model

The extension calculates the following metrics as Sizing Measures:

Metric ID	Name	Description
1062010	OMG-ATDM: Number of occurrences	An occurrence (or Pattern Occurrence) designates a single instance of a Source Code Pattern (or Pattern) representing a weakness that has been implemented in the measured software. This sizing measure keeps, per snapshot, the number of occurrences per object, rule, Technical Criterion and Business Criterion. ATDM is calculated as defined with CISQ patterns: ASCMM ASCRM ASCPEM ASCSM CTDM is calculated as defined with CAST TQI patterns and ISO-5055 patterns
1062011	OMG-ATDM: Complexity	The Complexity - or Effort Complexity - of the code elements implementing an Occurrence is qualification information that is measured according to the Effort Complexity definition from the Automated Enhancement Points (AEP) specification. (AEP).
1062012	OMG-ATDM: Exposure	The Exposure of an Occurrence is qualification information that measures the level of connectedness of the Occurrence with the rest of the software, both directly and indirectly through call paths.
1062013	OMG-ATDM: Concentration	Concentration is qualification information that measures the number of Occurrences within any Code Element in the software.
1062014	OMG-ATDM: Technological Diversity	The Technological Diversity of an Occurrence is qualification information that measures the number of distinct programming languages in which the code elements included in a single occurrence of a source code pattern are written.
1062015	OMG-ATDM: Gap Size	In the context of patterns which rely on roles that model values and threshold values that are not to be exceeded, the gap between these values must be closed to remediate this weakness; the Occurrence Gap Size is the extent of the gap, measured as the difference between the values and the thresholds.
1062016	OMG-ATDM: Adjustment Factor	Adjustment Factor is computed based on qualification measures.
1062020	OMG-ATDM: Adjusted Remediation Effort	Remediation Effort designates the time required to remove an occurrence – or a set of occurrences – of a Technical Debt Item from the software. It covers the coding activity as well as unit/non-regression testing activities.
1062030	OMG-ATDM: Remediation Effort ADDED	-
1062032	OMG-ATDM: Remediation Effort DELETED	-

How are results calculated?

Predefined Un-Adjusted Remediation Effort

Configuration data is loaded to have the remediation effort for each pattern ( CISQ, ISO-5055, CAST TQI ). This is called Un-Adjusted Remediation Effort. The unit of effort is minute. The effort taken in to account by CTDM for each pattern is EFFORT_DEFAULT. E.g.:

Un-Adjusted Remediation Effort
STANDARD : CISQ
PATTERN : ASCPEM-PRF-15
EFFORT_DEFAULT: 90
EFFORT_MIN: 30
EFFORT_MAX: 210
EFFORT_UNIT: MIN 

Un-Adjusted Remediation Effort
STANDARD : ISO-5055
PATTERN : CWE-125
EFFORT : 30

For all violations of pattern ASCPEM-PRF-15, the Un-Adjusted Remediation Effort is equal to 90 minutes.

For all violations of pattern CWE-125 , the Un-Adjusted Remediation Effort is equal to 30 minutes.

Scope

For each of the violations, the number of occurrences and related objects are collected, with related technologies.
For a violation of type Bookmark, the number of occurrences corresponds to the number of bookmarks and the related object is the main object of the violation.
For a violation of type Path, the number of occurrences corresponds to the number of paths, and the related objects are the main object of the violation, plus all related objects in the path(s)

The table below lists the Technical Criteria used by this extension:


Standard	Tag	ID	Name	Effort value
AIP	NULL	61001	Architecture - Multi-Layers and Data Access	60
AIP	NULL	61013	Architecture - Object-level Dependencies	180
AIP	NULL	61004	Architecture - OS and Platform Independence	60
AIP	NULL	66009	Architecture - Reuse	180
AIP	NULL	61009	Complexity - Algorithmic and Control Structure Complexity	60
AIP	NULL	61029	Complexity - Dynamic Instantiation	30
AIP	NULL	61029	Complexity - Dynamic Instantiation	60
AIP	NULL	61031	Complexity - Empty Code	12
AIP	NULL	66008	Complexity - Functional Evolvability	120
AIP	NULL	61010	Complexity - OO Inheritance and Polymorphism	180
AIP	NULL	61011	Complexity - SQL Queries	120
AIP	NULL	61026	Complexity - Technical Complexity	60
AIP	NULL	61027	Dead code (static)	24
AIP	NULL	61008	Documentation - Automated Documentation	12
AIP	NULL	61007	Documentation - Bad Comments	12
AIP	NULL	61017	Documentation - Naming Convention Conformity	12
AIP	NULL	61006	Documentation - Style Conformity	12
AIP	NULL	61028	Documentation - Volume of Comments	24
AIP	NULL	66068	Efficiency - Expensive Calls in Loops	120
AIP	NULL	61018	Efficiency - Memory, Network and Disk Space Management	60
AIP	NULL	61019	Efficiency - SQL and Data Handling Performance	120
AIP	NULL	61014	Programming Practices - Error and Exception Handling	60
AIP	NULL	61015	Programming Practices - File Organization Conformity	60
AIP	NULL	61020	Programming Practices - Modularity and OO Encapsulation Conformity	60
AIP	NULL	61003	Programming Practices - OO Inheritance and Polymorphism	60
AIP	NULL	61024	Programming Practices - Structuredness	24
AIP	NULL	66069	Programming Practices - Unexpected Behavior	60
AIP	NULL	66063	Secure Coding - API Abuse	30
AIP	NULL	66066	Secure Coding - Encapsulation	60
AIP	NULL	66062	Secure Coding - Input Validation	60
AIP	NULL	66065	Secure Coding - Time and State	60
AIP	NULL	66064	Secure Coding - Weak Security Features	30
AIP	NULL	61022	Volume - Number of Components	60
AIP	NULL	61023	Volume - Number of LOC	60
ISO-5055	CWE-1041	1061105	CWE-1041 - Use of Redundant Code	40
ISO-5055	CWE-1042	1061106	CWE-1042 - Static Member Data Element outside of a Singleton Class Element	120
ISO-5055	CWE-1043	1061107	CWE-1043 - Data Element Aggregating an Excessively Large Number of Non-Primitive Elements	120
ISO-5055	CWE-1045	1061108	CWE-1045 - Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor	90
ISO-5055	CWE-1046	1061109	CWE-1046 - Creation of Immutable Text Using String Concatenation	30
ISO-5055	CWE-1047	1061110	CWE-1047 - Modules with Circular Dependencies	300
ISO-5055	CWE-1048	1061111	CWE-1048 - Invokable Control Element with Large Number of Outward Calls	360
ISO-5055	CWE-1049	1061112	CWE-1049 - Excessive Data Query Operations in a Large Data Table	360
ISO-5055	CWE-1050	1061113	CWE-1050 - Excessive Platform Resource Consumption within a Loop	180
ISO-5055	CWE-1051	1061114	CWE-1051 - Initialization with Hard-Coded Network Resource Configuration Data	120
ISO-5055	CWE-1052	1061115	CWE-1052 - Excessive Use of Hard-Coded Literals in Initialization	30
ISO-5055	CWE-1054	1061116	CWE-1054 - Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer	120
ISO-5055	CWE-1055	1061117	CWE-1055 - Multiple Inheritance from Concrete Classes	180
ISO-5055	CWE-1057	1061118	CWE-1057 - Data Access Operations Outside of Expected Data Manager Component	180
ISO-5055	CWE-1058	1061119	CWE-1058 - Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element	120
ISO-5055	CWE-1060	1061120	CWE-1060 - Excessive Number of Inefficient Server-Side Data Accesses	240
ISO-5055	CWE-1062	1061121	CWE-1062 - Parent Class with References to Child Class	120
ISO-5055	CWE-1064	1061122	CWE-1064 - Invokable Control Element with Signature Containing an Excessive Number of Parameters	180
ISO-5055	CWE-1066	1061123	CWE-1066 - Missing Serialization Control Element	40
ISO-5055	CWE-1067	1061124	CWE-1067 - Excessive Execution of Sequential Searches of Data Resource	150
ISO-5055	CWE-1070	1061125	CWE-1070 - Serializable Data Element Containing non-Serializable Item Elements	90
ISO-5055	CWE-1072	1061126	CWE-1072 - Data Resource Access without Use of Connection Pooling	300
ISO-5055	CWE-1073	1061127	CWE-1073 - Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses	300
ISO-5055	CWE-1074	1061128	CWE-1074 - Class with Excessively Deep Inheritance	300
ISO-5055	CWE-1075	1061129	CWE-1075 - Unconditional Control Flow Transfer outside of Switch Block	90
ISO-5055	CWE-1077	1061130	CWE-1077 - Floating Point Comparison with Incorrect Operator	40
ISO-5055	CWE-1079	1061131	CWE-1079 - Parent Class without Virtual Destructor Method	90
ISO-5055	CWE-1080	1061132	CWE-1080 - Source Code File with Excessive Number of Lines of Code	180
ISO-5055	CWE-1082	1061133	CWE-1082 - Class Instance Self Destruction Control Element	60
ISO-5055	CWE-1083	1061134	CWE-1083 - Data Access from Outside Expected Data Manager Component	90
ISO-5055	CWE-1084	1061135	CWE-1084 - Invokable Control Element with Excessive File or Data Access Operations	180
ISO-5055	CWE-1085	1061136	CWE-1085 - Invokable Control Element with Excessive Volume of Commented-out Code	30
ISO-5055	CWE-1086	1061137	CWE-1086 - Class with Excessive Number of Child Classes	300
ISO-5055	CWE-1087	1061138	CWE-1087 - Class with Virtual Method without a Virtual Destructor	50
ISO-5055	CWE-1088	1061139	CWE-1088 - Synchronous Access of Remote Resource without Timeout	90
ISO-5055	CWE-1089	1061140	CWE-1089 - Large Data Table with Excessive Number of Indices	240
ISO-5055	CWE-1090	1061141	CWE-1090 - Method Containing Access of a Member Element from Another Class	40
ISO-5055	CWE-1091	1061142	CWE-1091 - Use of Object without Invoking Destructor Method	30
ISO-5055	CWE-1094	1061144	CWE-1094 - Excessive Index Range Scan for a Data Resource	360
ISO-5055	CWE-1095	1061145	CWE-1095 - Loop Condition Value Update within the Loop	60
ISO-5055	CWE-1096	1061146	CWE-1096 - Singleton Class Instance Creation without Proper Locking or Synchronization	60
ISO-5055	CWE-1097	1061147	CWE-1097 - Persistent Storable Data Element without Associated Comparison Control Element	90
ISO-5055	CWE-1098	1061148	CWE-1098 - Data Element containing Pointer Item without Proper Copy Control Element	40
ISO-5055	CWE-1121	1061149	CWE-1121 - Excessive McCabe Cyclomatic Complexity	120
ISO-5055	CWE-119	1061021	CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer	40
ISO-5055	CWE-120	1061022	CWE-120 - Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)	30
ISO-5055	CWE-123	1061023	CWE-123 - Write-what-where Condition	30
ISO-5055	CWE-125	1061024	CWE-125 - Out-of-bounds Read	30
ISO-5055	CWE-129	1061025	CWE-129 - Improper Validation of Array Index	50
ISO-5055	CWE-130	1061026	CWE-130 - Improper Handling of Length Parameter Inconsistency	30
ISO-5055	CWE-131	1061027	CWE-131 - Incorrect Calculation of Buffer Size	60
ISO-5055	CWE-134	1061028	CWE-134 - Use of Externally-Controlled Format String	60
ISO-5055	CWE-170	1061029	CWE-170 - Improper Null Termination	50
ISO-5055	CWE-194	1061030	CWE-194 - Unexpected Sign Extension	60
ISO-5055	CWE-195	1061031	CWE-195 - Signed to Unsigned Conversion Error	60
ISO-5055	CWE-196	1061032	CWE-196 - Unsigned to Signed Conversion Error	60
ISO-5055	CWE-197	1061033	CWE-197 - Numeric Truncation Error	60
ISO-5055	CWE-22	1061010	CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)	60
ISO-5055	CWE-23	1061011	CWE-23 - Relative Path Traversal	60
ISO-5055	CWE-248	1061034	CWE-248 - Uncaught Exception	50
ISO-5055	CWE-252	1061035	CWE-252 - Unchecked Return Value	50
ISO-5055	CWE-259	1061036	CWE-259 - Use of Hard-coded Password	90
ISO-5055	CWE-321	1061037	CWE-321 - Use of Hard-coded Cryptographic Key	120
ISO-5055	CWE-36	1061012	CWE-36 - Absolute Path Traversal	60
ISO-5055	CWE-366	1061038	CWE-366 - Race Condition within a Thread	120
ISO-5055	CWE-369	1061039	CWE-369 - Divide By Zero	60
ISO-5055	CWE-390	1061040	CWE-390 - Detection of Error Condition Without Action	50
ISO-5055	CWE-391	1061041	CWE-391 - Unchecked Error Condition	50
ISO-5055	CWE-392	1061042	CWE-392 - Missing Report of Error Condition	50
ISO-5055	CWE-394	1061043	CWE-394 - Unexpected Status Code or Return Value	50
ISO-5055	CWE-401	1061044	CWE-401 - Missing Release of Memory after Effective Lifetime	180
ISO-5055	CWE-404	1061045	CWE-404 - Improper Resource Shutdown or Release	180
ISO-5055	CWE-407	1061046	CWE-407 - Inefficient Algorithmic Complexity	120
ISO-5055	CWE-415	1061047	CWE-415 - Double Free	90
ISO-5055	CWE-416	1061048	CWE-416 - Use After Free	90
ISO-5055	CWE-424	1061049	CWE-424 - Improper Protection of Alternate Path	120
ISO-5055	CWE-434	1061050	CWE-434 - Unrestricted Upload of File with Dangerous Type	90
ISO-5055	CWE-456	1061051	CWE-456 - Missing Initialization of a Variable	30
ISO-5055	CWE-457	1061052	CWE-457 - Use of Uninitialized Variable	30
ISO-5055	CWE-459	1061053	CWE-459 - Incomplete Cleanup	120
ISO-5055	CWE-476	1061054	CWE-476 - NULL Pointer Dereference	50
ISO-5055	CWE-477	1061055	CWE-477 - Use of Obsolete Function	30
ISO-5055	CWE-478	1061056	CWE-478 - Missing Default Case in Switch Statement	90
ISO-5055	CWE-480	1061057	CWE-480 - Use of Incorrect Operator	30
ISO-5055	CWE-484	1061058	CWE-484 - Omitted Break Statement in Switch	90
ISO-5055	CWE-502	1061059	CWE-502 - Deserialization of Untrusted Data	40
ISO-5055	CWE-543	1061060	CWE-543 - Use of Singleton Pattern Without Synchronization in a Multithreaded Context	60
ISO-5055	CWE-561	1061061	CWE-561 - Dead Code	30
ISO-5055	CWE-562	1061062	CWE-562 - Return of Stack Variable Address	50
ISO-5055	CWE-564	1061063	CWE-564 - SQL Injection: Hibernate	90
ISO-5055	CWE-567	1061064	CWE-567 - Unsynchronized Access to Shared Data in a Multithreaded Context	120
ISO-5055	CWE-570	1061065	CWE-570 - Expression is Always False	30
ISO-5055	CWE-571	1061066	CWE-571 - Expression is Always True	30
ISO-5055	CWE-595	1061067	CWE-595 - Comparison of Object References Instead of Object Contents	30
ISO-5055	CWE-597	1061068	CWE-597 - Use of Wrong Operator in String Comparison	30
ISO-5055	CWE-606	1061069	CWE-606 - Unchecked Input for Loop Condition	60
ISO-5055	CWE-611	1061070	CWE-611 - Improper Restriction of XML External Entity Reference	60
ISO-5055	CWE-643	1061072	CWE-643 - Improper Neutralization of Data within XPath Expressions (‘XPath Injection’)	60
ISO-5055	CWE-652	1061073	CWE-652 - Improper Neutralization of Data within XQuery Expressions (‘XQuery Injection’)	60
ISO-5055	CWE-662	1061074	CWE-662 - Improper Synchronization	120
ISO-5055	CWE-665	1061075	CWE-665 - Improper Initialization	30
ISO-5055	CWE-667	1061076	CWE-667 - Improper Locking	120
ISO-5055	CWE-672	1061077	CWE-672 - Operation on a Resource after Expiration or Release	90
ISO-5055	CWE-681	1061078	CWE-681 - Incorrect Conversion between Numeric Types	60
ISO-5055	CWE-682	1061079	CWE-682 - Incorrect Calculation	60
ISO-5055	CWE-703	1061080	CWE-703 - Improper Check or Handling of Exceptional Conditions	50
ISO-5055	CWE-704	1061081	CWE-704 - Incorrect Type Conversion or Cast	60
ISO-5055	CWE-732	1061082	CWE-732 - Incorrect Permission Assignment for Critical Resource	60
ISO-5055	CWE-758	1061083	CWE-758 - Reliance on Undefined, Unspecified, or Implementation-Defined Behavior	30
ISO-5055	CWE-764	1061084	CWE-764 - Multiple Locks of a Critical Resource	120
ISO-5055	CWE-77	1061013	CWE-77 - Improper Neutralization of Special Elements used in a Command (‘Command Injection’)	90
ISO-5055	CWE-772	1061085	CWE-772 - Missing Release of Resource after Effective Lifetime	120
ISO-5055	CWE-775	1061086	CWE-775 - Missing Release of File Descriptor or Handle after Effective Lifetime	120
ISO-5055	CWE-778	1061087	CWE-778 - Insufficient Logging	90
ISO-5055	CWE-78	1061014	CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)	90
ISO-5055	CWE-783	1061088	CWE-783 - Operator Precedence Logic Error	15
ISO-5055	CWE-786	1061089	CWE-786 - Access of Memory Location Before Start of Buffer	50
ISO-5055	CWE-787	1061090	CWE-787 - Out-of-bounds Write	30
ISO-5055	CWE-788	1061091	CWE-788 - Access of Memory Location After End of Buffer	50
ISO-5055	CWE-789	1061092	CWE-789 - Uncontrolled Memory Allocation	50
ISO-5055	CWE-79	1061015	CWE-79 - Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	120
ISO-5055	CWE-798	1061093	CWE-798 - Use of Hard-coded Credentials	90
ISO-5055	CWE-805	1061094	CWE-805 - Buffer Access with Incorrect Length Value	30
ISO-5055	CWE-820	1061095	CWE-820 - Missing Synchronization	90
ISO-5055	CWE-821	1061096	CWE-821 - Incorrect Synchronization	90
ISO-5055	CWE-822	1061097	CWE-822 - Untrusted Pointer Dereference	50
ISO-5055	CWE-823	1061098	CWE-823 - Use of Out-of-range Pointer Offset	50
ISO-5055	CWE-824	1061099	CWE-824 - Access of Uninitialized Pointer	50
ISO-5055	CWE-825	1061100	CWE-825 - Expired Pointer Dereference	50
ISO-5055	CWE-833	1061101	CWE-833 - Deadlock	240
ISO-5055	CWE-835	1061102	CWE-835 - Loop with Unreachable Exit Condition (‘Infinite Loop’)	90
ISO-5055	CWE-88	1061016	CWE-88 - Improper Neutralization of Argument Delimiters in a Command (‘Argument Injection’)	90
ISO-5055	CWE-89	1061017	CWE-89 - Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	90
ISO-5055	CWE-90	1061018	CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query (‘LDAP Injection’)	50
ISO-5055	CWE-908	1061103	CWE-908 - Use of Uninitialized Resource	30
ISO-5055	CWE-91	1061019	CWE-91 - XML Injection (aka Blind XPath Injection)	50
ISO-5055	CWE-917	1061104	CWE-917 - Improper Neutralization of Special Elements used in an Expression Language Statement (‘Expression Language Injection’)	60
ISO-5055	CWE-99	1061020	CWE-99 - Improper Control of Resource Identifiers (‘Resource Injection’)	50

Qualification information

Complexity

The Complexity - or Effort Complexity - of the code elements implementing an Occurrence is qualification information that is measured according to the Effort Complexity definition from Automated Enhancement Points:

EC/LowEffortComplexity

EC is computed by the following metrics:

10351: EC ADDED
10353: EC UPDATED
10354: EC UNCHANGED

LowEffortComplexity

The technology related Low Complexity column for ADDED artifacts ( from COST_CONFIG ). When the violation has related objects, then the average EC of all objects is taken in to account. The complexity is computed for the main object violating a rule:

Complexity = AVG ( Effort Complexity all objects of the violation )/ Low Complexity for the related technology

Concentration

Concentration is qualification information that measures the number of Occurrences within any Code Element in the software:

1/nb of time the object violates any rule

Exposure

The Exposure of an Occurrence is qualification information that measures the level of contentedness of the Occurrence with the rest of the software, both directly and indirectly through call paths:

1+log(nb paths)

Technical diversity

The Technological Diversity of an Occurrence measures the number of distinct technologies in which the code elements included in a single occurrence of a source code pattern are written. This is set to 1.

Gap size

In the context of patterns which rely on roles that model values and threshold values that are not to be exceeded, the gap between these values must be closed to re-mediate this weakness. This is set to 1.

Adjustment Factor

The adjustment factor is computed based on qualification information, as follows:

AVG(Complexity) X AVG(Exposure) X Count(Technological diversity) X AVG(Concentration) X Sum(Gap size)

Technical debt

Finally the technical debt is computed by:

Nb Of Occurrences X Adjustment Factor X Un-adjusted Remediation Effort

Result storage

Default result storage method - high level data only

By default only data aggregated at the following level is available and is stored in the Dashboard schema table DSS_METRIC_RESULTS:

Application
Module
Technical Criteria
Business Criteria

Detailed information at Object and Rule level can be generated and made available to the dashboard on demand by executing the following query against the Dashboard schema:

select OMG_ATDM_COMPUTE_DETAILS (SNAPSHOT_ID, OBJECT_ID, RULE_ID)

Where:


Item	Description
SNAPSHOT_ID	Is the ID of the snapshot you want to generate detailed object and rule level information for.
RULE_ID	The ID of the rule you want to generate detailed information for. Note that if RULE_ID = -1, detailed information will be generated for all rules.
OBJECT_ID	The ID of the object you want to generate detailed information for. Note that if OBJECT_ID = -1, detailed information will be generated for all objects.

When the next snapshot is generated, detailed object/rule level information will be saved in the table OMGTD_RESULTS.

Alternative result storage method - all data

This method is not recommended for very large Applications, since the impact on performance of generating all data for every snapshot will be significant.

It is possible to change the behaviour and choose to always save all results (including Object and Rule level information) for every snapshot that is generated. To do so, execute the following query against the Dashboard schema:

select OMG_ATDM_DETAILSALL();

This option will be taken in account when a new snapshot is generated and as a result all information is saved as follows:

Application, Module, Technical Criteria, Business Criteria - aggregated in the table DSS_METRIC_RESULTS
Details for Object and Rule levels stored in the table OMGTD_RESULTS

To disable the storage of all details, execute the following query against the Dashboard schema:

select OMG_ATDM_DETAILSONDEMAND();

What results can you expect?

Health Dashboard

When the ISO-5055 view is selected, two tiles are available out of the box in the Overview and Trends sections respectively, at Multi-Application level (the tiles will display no value if the OMG Technical Debt extension is not installed and no snapshot has been generated):

At single Application level, one tile is available out of the box in the Overview section when the ISO-5055 view is selected:

Switch between the AIP and ISO-5055 views using the drop down in the home page:

Clicking the tiles will provide more detailed information:

Multi Application level

Single Application level

In addition, at single Application level drill down, for each of the Source Code Pattern Names, it is possible to navigate to the details of the violations in the Engineering Dashboard (where this has been setup):

By default, these tiles are configured to display ISO-5055 index data (using the OMG_TECHNICAL_DEBT_ISO ID). If you want to display either TQI (CAST Imaging Core) or CISQ Index values (if the extension is installed), you will need to manually edit the configuration in the cmp-ISO.json or app-ISO.json file and change the ID used in the tile (i.e. for SizingMeasureEvolution and/or SizingMeasureResult / SizingMeasureResults) - see Health Dashboard tile management for more information:

OMG_TECHNICAL_DEBT_ISO - based on ISO-5055 index data, installed by default in CAST Imaging Console
OMG_TECHNICAL_DEBT_CISQ - based on CISQ Index data, requires that the com.castsoftware.cisq-index is installed
OMG_TECHNICAL_DEBT - based on TQI from CAST Imaging Core.

For example:

Tile drill down is tailored to the data chosen in the tile, for example:

Tile configuration examples:

SizingMeasureResult (app-ISO.json) / SizingMeasureResults (cmp-ISO.json):

        {
          "id": 208,
          "plugin": "SizingMeasureResult",
          "color": "yellow",
          "parameters": {
            "title": "Technical Debt (OMG) by ISO-5055",
            "sizingMeasure": {"id": "OMG_TECHNICAL_DEBT_ISO", "format": "0,0", "description": "Days"}
          }
        },
        {
          "id": 998,
          "plugin": "SizingMeasureResult",
          "color": "yellow",
          "parameters": {
            "title": "Technical Debt (OMG) by CISQ",
            "sizingMeasure": {"id": "OMG_TECHNICAL_DEBT_CISQ", "format": "0,0", "description": "Days"}
          }
        },
        {
          "id": 999,
          "plugin": "SizingMeasureResult",
          "color": "yellow",
          "parameters": {
            "title": "Technical Debt (OMG) by TQI",
            "sizingMeasure": {"id": "OMG_TECHNICAL_DEBT", "format": "0,0", "description": "Days"}
          }
        },  

SizingMeasureEvolution (app-ISO.json and cmp-ISO.json):

        {
          "id": 2103,
          "plugin": "SizingMeasureEvolution",
          "color": "yellow",
          "parameters": {
            "widget":"line",
            "title": "Technical Debt (OMG) by ISO-5055",
            "sizingMeasure": {"id": "OMG_TECHNICAL_DEBT_ISO", "format": "0,0"}
          }
        },
        {
          "id": 9998,
          "plugin": "SizingMeasureEvolution",
          "color": "yellow",
          "parameters": {
            "widget":"line",
            "title": "Technical Debt (OMG) by CISQ",
            "sizingMeasure": {"id": "OMG_TECHNICAL_DEBT_CISQ", "format": "0,0"}
          }
        },
        {
          "id": 9999,
          "plugin": "SizingMeasureEvolution",
          "color": "yellow",
          "parameters": {
            "widget":"line",
            "title": "Technical Debt (OMG) by TQI",
            "sizingMeasure": {"id": "OMG_TECHNICAL_DEBT", "format": "0,0"}
          }
        },

Engineering Dashboard

A tile is available out of the box displaying the Total Technical Debt (OMG) in days for the current Application, as well as Added and Removed OMG Technical Debt in days for the current snapshot:

You can change the specific Technical Criteria used to display the values in the tile, using the drop down option:

By default, this tile is configured to display ISO-5055 index data (using the 1061000 metric ID). If you want to display either TQI (CAST Imaging Core) or CISQ Index values (if the extension is installed), you will need to manually edit the configuration in the ed.json file and change the ID used - see Engineering Dashboard tile management for more information:

1061000 - based on ISO-5055 index data, installed by default in CAST Imaging Console
1062100 - based on CISQ Index data, requires that the com.castsoftware.cisq-index is installed
60017 (based on TQI from CAST Imaging Core)

Clicking this tile will drill down to the Risk investigation view with Technical Debt (OMG) with the ISO-5055 Assessment Model selected. If the tile has been manually edited and re-configured to show either TQI (CAST Imaging Core) or CISQ Index data, the drill down will also change as shown below:

Data	Example
ISO-5055 data (default)
TQI data (AIP Core)
CISQ Index data

You can also switch to showing Violations instead of Technical Debt (OMG) values from the drop-down list:

In the rule details section, there is a dedicated section called “Technical Debt (OMG)”, which will show the details (Total, Added, Removed, and No. of occurrences):

In the source code view, a Technical Debt (OMG) section is displayed, showing object level details on the Adjustment Factor, Unadjusted Effort (in mins) and Adjusted Efforts (in mins):

Using the RestAPI to obtain results

Total Technical Debt by Application, Module

Results can be obtained using a RestAPI query. For example, to obtain technical debt as a remediation effort use the metric #1062020 (you can replace this ID with other supported Sizing Measure IDs):

AAD/results?metrics=1062020&modules=$all&technologies=$all

Example showing the technical debt for all applications, with a breakdown by technology and by module for an example Application called “shopizer8321”:

C:>curl -H "Accept: text/csv" -u admin:cast "http://localhost:9190/CAST-RESTAPI/rest/AAD/results?metrics=1062020&modules=$all&technologies=$all"

Results:

Application Name;Module Name;Technology;Metric Name;Metric Id;Metric Type;Critical;Snapshot Date #1;Result #1
shopizer8321;null;null;OMG-ATDM: Remediation Effort;1062020;technical-debt-statistics;N/A;2020-03-27;387350.0
shopizer8321;null;HTML5;OMG-ATDM: Remediation Effort;1062020;technical-debt-statistics;N/A;2020-03-27;770.0
shopizer8321;null;JEE;OMG-ATDM: Remediation Effort;1062020;technical-debt-statistics;N/A;2020-03-27;386580.0
shopizer8321;shopizer8321 full content;null;OMG-ATDM: Remediation Effort;1062020;technical-debt-statistics;N/A;2020-03-27;387350.0
shopizer8321;shopizer8321 full content;HTML5;OMG-ATDM: Remediation Effort;1062020;technical-debt-statistics;N/A;2020-03-27;770.0
shopizer8321;shopizer8321 full content;JEE;OMG-ATDM: Remediation Effort;1062020;technical-debt-statistics;N/A;2020-03-27;386580.0

In other words, the “shopizer8321” application has a technical debt of 387350 minutes, which is equivalent to 387350 ÷ 60 ÷ 8 = 806 workload days. The remediation effort is dispatched between HTML5 code and Java Code as follows:


Technology	Remediation effort
HTML	770 minutes
JEE	386,580 minutes

Total Technical Debt by Business Criterion, Technical Criterion, Rule

With a CISQ Business Criterion ID, you can obtain the technical debt for this Quality Indicator and all related indicators (ie CISQ Measure Elements):


CISQ Business Criterion ID	Name
1062100	CISQ-Index
1062101	CISQ-Maintainability
1062102	CISQ-Performance-Efficiency
1062103	CISQ-Reliability
1062104	CISQ-Security

Example:

C:>curl -H "Accept: text/csv" -u admin:cast "http://localhost:9190/CAST-RESTAPI/rest/SHOPIZER/applications/3/results?metrics=c:1062100&select=omgTechnicalDebt"

Application Name;Technical Criterion;Metric Id;Metric Type;Critical;Snapshot Date #1;Result #1;OMG Technical Debt (Result #1);OMG Occurrences (Result #1);OMG Added Technical Debt (Result #1);OMG Removed Technical Debt (Result #1)
shopizer8321;ASCMM-MNT-1 - Control Flow Transfer Control Element outside Switch Block;1062110;technical-criteria;false;2020-05-15;4.0;0;2;0;0
shopizer8321;ASCMM-MNT-11 - Callable and Method Control Element Excessive Cyclomatic Complexity Value;1062112;technical-criteria;false;2020-05-15;3.58017346587814;null;null;null;null
shopizer8321;ASCMM-MNT-12 - Named Callable and Method Control Element with Layer-skipping Call;1062113;technical-criteria;false;2020-05-15;4.0;null;null;null;null
shopizer8321;ASCMM-MNT-13 - Callable and Method Control Element Excessive Number of Parameters;1062114;technical-criteria;false;2020-05-15;4.0;null;null;null;null
shopizer8321;ASCMM-MNT-15 - Public Member Element;1062116;technical-criteria;false;2020-05-15;4.0;40;1;0;0
...

You can get also the technical debt for a single rule, as long as this rule is identified as a CISQ rule by the CISQ Index:

C:>curl -H "Accept: application/json" -u admin:cast "http://localhost:9190/CAST-RESTAPI/rest/SHOPIZER/applications/3/results?metrics=8216&select=omgTechnicalDebt,violationRatio"


...
                "result": {
                    "grade": 4,
                    "omgTechnicalDebt": {
                        "total": 11040,
                        "numberOccurrences": 176,
                        "added": 0,
                        "removed": 0
                    },
                    "violationRatio": {
                        "totalChecks": 7411,
                        "failedChecks": 33,
                        "successfulChecks": 7378,
                        "ratio": 0.9955471596275807
                    }
                },

Detailed Technical Debt for a violation

As we refer to findings from a snapshot ID, and object ID and a rule ID with URI such as:

TINY/components/568/snapshots/8/findings/8216

We can refer technical debt details in a similar Web Service:

TINY/components/568/snapshots/8/omg-technical-debt/8216

E.g.:

C:>curl -H "Accept: application/json" -u admin:cast "http://localhost:9190/CAST-RESTAPI/rest/TINY/components/568/snapshots/8/omg-technical-debt/8216"
{
    "total": 180,
    "numberOccurrences": 3,
    "complexity": 1,
    "exposure": 1,
    "concentration": 0,
    "technologicalDiversity": 1,
    "gapSize": 1,
    "unadjustedEffort": 60,
    "added": 0,
    "removed": 0,
    "adjustmentFactor": 3
}

Querying the Dashboard schema for results

The Dashboard schema contains views and tables that provide information about the results generated by this extension:

View/Table	Description	Type
OMG_ATDM_RESULTS_OBJ_APP	Remediation effort and adjusted Factor aggregated at Application, Module, PATTERN level.	VIEW
OMG_ATDM_RESULTS_OBJ_RULE_APP	Remediation effort and adjusted Factor for Object Rule, aggregated at Application, Module, PATTERN level.	VIEW
OMG_ATDM_DETAILS_OBJ_RULE	Details all metrics computed for all violations.	VIEW
ATDM_SCOPE_OCCURENCES	Last scope taken in to account.	TABLE

Obtaining results at Application level for a snapshot

SET search_path=xxx_central;
SELECT * 
FROM   omg_atdm_results_obj_app 
WHERE  snapshot_id = <snapshot_id>

Obtaining results per CAST Rule / CISQ Pattern at the application level for a snapshot

Possible STANDARD values are ‘CISQ’ , ‘ISO-5055’, ‘AIP’. CISQ Total:

SET search_path=xxx_central;
SELECT TD.SNAPSHOT_ID,  TD.OBJECT_NAME as APPLICATION_NAME,
sum(case when TD.METRIC_ID = 1062020 then TD.METRIC_NUM_VALUE else 0 end) tech_debt,
sum(case when TD.METRIC_ID = 1062030 then TD.METRIC_NUM_VALUE else 0 end) tech_debt_added,
sum(case when TD.METRIC_ID = 1062032 then TD.METRIC_NUM_VALUE else 0 end) tech_debt_removed
FROM OMG_ATDM_RESULTS_OBJ_RULE_APP TD
join DSS_SNAPSHOTS S on S.SNAPSHOT_ID = TD.SNAPSHOT_ID and TD.OBJECT_ID = S.APPLICATION_ID
Where TD.METRIC_VALUE_INDEX in ( select METRIC_ID from OMG_METRIC_VIEW where STANDARD = 'CISQ')
And TD.SNAPSHOT_ID = <SNAPSHOT_ID>
And TD.METRIC_ID in ( 1062020,1062030, 1062032 ) -- Remediation Effort Total, added, deleted
Group by TD.SNAPSHOT_ID, TD.OBJECT_NAME

CISQ Technical Criteria:

SET search_path=xxx_central;
SELECT TD.SNAPSHOT_ID, TD.METRIC_VALUE_INDEX , TD.AGGREGATELEVEL , TD.OBJECT_NAME as APPLICATION_NAME, 
      sum(case when TD.METRIC_ID = 1062020 then TD.METRIC_NUM_VALUE else 0 end) tech_debt,
      sum(case when TD.METRIC_ID = 1062030 then TD.METRIC_NUM_VALUE else 0 end) tech_debt_added,
      sum(case when TD.METRIC_ID = 1062032 then TD.METRIC_NUM_VALUE else 0 end) tech_debt_removed 
FROM  OMG_ATDM_RESULTS_OBJ_RULE_APP TD
join DSS_SNAPSHOTS S on S.SNAPSHOT_ID = TD.SNAPSHOT_ID and TD.OBJECT_ID = S.APPLICATION_ID
Where TD.METRIC_VALUE_INDEX in ( select METRIC_ID from CTDM_REMEDIATION_EFFORTS where STANDARD = 'CISQ')
And TD.SNAPSHOT_ID = <SNAPSHOT_ID>
And TD.METRIC_ID in ( 1062020,1062030, 1062032 ) -- Remediation Effort Total, added, deleted
Group by  TD.SNAPSHOT_ID, TD.METRIC_VALUE_INDEX , TD.AGGREGATELEVEL , TD.OBJECT_NAME
Order by TD.METRIC_VALUE_INDEX

CISQ Business Criterion:

CISQ - Business Criteria

SELECT TD.SNAPSHOT_ID, TD.METRIC_VALUE_INDEX , TD.AGGREGATELEVEL , TD.OBJECT_NAME as APPLICATION_NAME,
      sum(case when TD.METRIC_ID = 1062020 then TD.METRIC_NUM_VALUE else 0 end) tech_debt,
      sum(case when TD.METRIC_ID = 1062030 then TD.METRIC_NUM_VALUE else 0 end) tech_debt_added,
      sum(case when TD.METRIC_ID = 1062032 then TD.METRIC_NUM_VALUE else 0 end) tech_debt_removed
FROM  OMG_ATDM_RESULTS_OBJ_RULE_APP TD
join DSS_SNAPSHOTS S on S.SNAPSHOT_ID = TD.SNAPSHOT_ID and TD.OBJECT_ID = S.APPLICATION_ID
Where TD.METRIC_VALUE_INDEX in ( select BC_METRIC_ID from OMG_BC_METRIC_VIEW BC join  CTDM_REMEDIATION_EFFORTS TC on TC.STANDARD = 'CISQ' and TC.METRIC_ID =BC.PATTERN_METRIC_ID )
And TD.SNAPSHOT_ID = <SNAPSHOT_ID>
And TD.METRIC_ID in ( 1062020,1062030, 1062032 ) -- Remediation Effort Total, added, deleted
Group by  TD.SNAPSHOT_ID, TD.METRIC_VALUE_INDEX , TD.AGGREGATELEVEL , TD.OBJECT_NAME
Order by TD.METRIC_VALUE_INDEX

For example to get the results for all metrics of pattern ‘ASCPEM-PRF-8’:

SELECT * 
FROM   omg_atdm_results_obj_rule_app 
WHERE  snapshot_id = 4 
       AND ( metric_value_index IN (SELECT T.metric_id + 1 
                                    FROM   aed_metric_quality_tags T 
                                    WHERE  T.tag = 'ASCPEM-PRF-8') 
              OR aggregatelevel = 'ASCPEM-PRF-8' )

Note that to obtain the CISQ Pattern of a given CAST rule, you can adapt the following query. For example, to find the CISQ Pattern for the rule ID = 7201, the following query will return ASCPEM-PRF-8:

SELECT C.tag 
FROM   aed_quality_tags_doc C 
       join aed_metric_quality_tags T 
         ON T.tag = C.tag 
WHERE  C.standard = 'CISQ' 
       AND T.metric_id + 1 = 7201