Target Audience:

  • Consumers of the information (i.e. those that will be using the CAST Application Engineering Dashboard)
  • CAST AI Administrators
Summary: This page provides instructions for using the CAST Application Engineering Dashboard: how to log in, what information is available, etc.

This documentation section provides the following information:

  • How to connect and log in to the CAST Application Engineering Dashboard
  • What sort of information is displayed in the dashboard
  • A simple explanation of the dashboard interface

If you need to know more about:

Connecting to the CAST Application Engineering Dashboard

To connect to the CAST Application Engineering Dashboard, browse to the URL provided to you by your CAST Administrator. This will usually be in the following format:

http://<server>:[<port>]/CAST-AED

The login page will then be displayed:

Logging in to the CAST Application Engineering Dashboard

To log in to the CAST Application Engineering Dashboard, enter a username and password and then click the Log In button.

Depending on the authentication mode configured by the CAST AI Administrator (see Installing and configuring the CAST Application Engineering Dashboard for more information), you log in with either a presupplied username and password or your corporate username and password. If in doubt, contact your CAST AI Administrator.

Cannot log in

This section describes some of the reasons why you may not be able to log in to the dashboard:

Not authorized

If you are not authorized to view any data in the CAST Application Engineering Dashboard, then upon login a message will be displayed as follows and no further use of the dashboard is allowed:

Note that:

No license key

If you attempt to login to the CAST Application Engineering Dashboard when no license key has been configured, the following message will be displayed:

Requesting access or a password

If you need to access the CAST Application Engineering Dashboard but:

  • you do not have a presupplied username/password
  • your corporate login credentials do not allow access
  • or you have forgotten the password for a presupplied username

then you can use the Can't access link to contact the CAST AI Administrator:

You will then be prompted to choose an option - each is explained below.

Note that the email address and text for both options can be modified. Please see: CAST-AAD-AED - Lost password and request access configuration.

Password lost

If you choose this option:

  • enter your presupplied username in the USERNAME field
  • click Send

A new email will be created in your default email client requesting the password for the username you specified. Send this to your CAST AI Administrator.

Request access

If you choose this option, simply click the Send button.

A new email will be created in your default email client requesting access. Send this to your CAST AI Administrator.

Multiple Applications or single Application?

On login, depending on the number of Applications available, behavior is slightly different:

Single Application

You are taken directly to the Application landing page:

Multiple Applications

You are offered a choice of which Application to access:

When the Application is selected, you are taken directly to the selected Application's landing page (as shown above). If you are not authorized to access the selected Application, a "You are not authorized to access any applications" message is displayed.

If you would like to choose a different Application, you can do so using the dropdown list box located on the menu bar:

If you cannot locate the Application you require, you can use the search field to search for the Application - the search is instant - entering a single character will start the search mechanism:

Whenever relevant, loading icons will display when data could take some time to fetch/process and/or display.

This software is subject to a limited access message

If, on login, you are presented with the following message on each page in the CAST Application Engineering Dashboard, you should contact your CAST Administrator to request that the license is updated:

You can click the link on the "CAST Project Manager" text (underlined in the image above) to contact the administrator. Doing so will open an email in your default email client requesting that the license is updated.

CAST Application Engineering Dashboard interface

This section provides a brief explanation of the interface display options that are available to you.

Note that the tiles displayed out of the box are fully configurable by the CAST AI Administrator. Please see CAST-AED - Tile management for more information.

Application landing page or home page

The Application landing or "home" page is displayed after a successful login:

It consists of multiple tiles (tiles are used extensively in the CAST Application Analytics Dashboard - CAST AAD) used to display data and information from the most recent snapshot of the selected Application:

Quality Model tile

This default tile displays "at a glance" information about the current Application status:

  • the number of Critical Violations in the Application
  • the number of CAST Quality Rules in the Application that have been triggered during an analysis/snapshot
  • the number of custom Quality Rules (i.e. those with IDs above 1,000,000) in the Application that have been triggered during an analysis/snapshot
  • the number of Critical Quality Rules in the Application that have been triggered during an analysis/snapshot

Clicking this tile will take you directly to the Quality investigation view (this can also be accessed by clicking the corresponding button in the sidebar).

Application Components tile

This default tile displays "at a glance" information about the Violation status for the current Application:

  • the number of Modules present in the Application (Modules can be configured during an analysis to divide the Application into meaningful groups)
  • the number of Lines of Code present in the Application
  • the total number of Objects in the current Application that contain at least one violation
  • the total number of Violations in the current Application - in other words, the total number of times a Quality Rule has been violated by an object in the Application
  • the total number of Quality Rules that have been violated in the current Application

Clicking this tile will take you directly to the Application investigation view (this can also be accessed by clicking the corresponding button in the sidebar).

Top Riskiest Components tiles

A "Top Riskiest Components tile" is provided "out-of-the-box" for the Security Health Factor:

This tile provides a clickable "cloud" of object names: the larger and bolder the font used to display the name, the higher the Risk (previously known as PRI: Propagated Risk Index) value the object has within the specified Health Factor (Security or Efficiency, for example). See the Risk column in the Table key below for how Risk is calculated.

Clicking an object name in the tile will take you directly to the object in the Application Investigation view - for example clicking the Load object will show this:

Top Modules with Critical Violations tile

One "Top Modules with Critical Violations" tile is provided "out-of-the-box" for the TQI (Total Quality Index) Health Factor:

This tile provides a list of the modules sorted by the number of critical violations present in each module. The tile can be resized to display more or fewer modules. Clicking a module in the tile will take you directly to the module in the Application Investigation view. In the Application Investigation view, violated Quality Rules are listed by their number of violations, with critical rules first (by default: ordered by number of violations):

Health Factor weakness/strength tiles

Two tiles listing the Strength and Weakness of a given Health Factor, listed by Technical Criteria:

These tiles provide:

  • Weaknesses: the items displayed are the Technical Criteria that have at least one critical violation. The Technical Criteria are sorted from worst (top) to least bad (bottom).
  • Strengths: the items displayed are the Technical Criteria that do not have any critical violations (this includes Technical Criteria that have no critical Quality Rules and Technical Criteria that have critical rules with no violations).

By default, the Robustness Health Factor is displayed, however, you can change to a different Health Factor using the drop down list in each tile:

Clicking a Technical Criterion in the tile will take you directly to the Technical Criterion in the Quality Investigation view:

Action Plan tile

A default Action Plan tile is displayed showing, initially, the total number of objects that have been added to the Action Plan list since the last snapshot was generated. Clicking the tile will take you directly to the Action Plan.

This tile can be manually re-sized (drag and drop the corners or sides of the tile) to include more information about Pending and Solved items (see the Action Plan for more information about the Pending and Solved statistics):

Top Rules with increasing violations

One "Top Rules with increasing Violations" tile is provided "out-of-the-box" for the TQI (Total Quality Index) Health Factor (half and full height shown below):

This tile displays a list of Quality Rules and a value (in %) for each. The % value is the change in the number of violations for the Quality Rule between the previous and the most recent snapshot, relative to the previous count. The higher the value, the larger the increase. Note that this value can differ from the number of added violations for the Quality Rule: it is a net difference, so violations removed since the previous snapshot offset violations that were added.

Violation count difference is displayed on the right of a rule and a red dot is added when the rule is critical. Rules are clickable and will take you direct to the Quality Rule in the Quality Investigation view.

You can also use the Show only critical switch to toggle between:

  • OFF = critical and non-critical Quality Rules
  • ON = critical Quality Rules only
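As an added illustration of the net-difference point above (example code written for this page, not code from CAST AIP or the dashboard), the following computes the evolution value for several Quality Rules from sets of violating object IDs in the previous and most recent snapshot, and ranks them the way the tile does, with the Show only critical switch modelled as a flag. The rule names reuse rules mentioned elsewhere on this page; the object IDs, counts and critical flags are constructed, and leaving rules with no previous-snapshot baseline out of the ranking is an assumption of the example:

```python
"""Net violation evolution between two snapshots for a Quality Rule.

Added example for this page; the data below is constructed, not taken
from a real CAST snapshot.
"""

# Constructed sample: for each Quality Rule, the IDs of objects in
# violation in the previous and the most recent snapshot, plus whether the
# rule is flagged critical in the Assessment Model (assumed values).
SAMPLE_RULES = {
    "Avoid SQL injection vulnerabilities (CWE-89)": {
        "previous": {1, 2, 3, 4},
        "current": {1, 2, 3, 4, 5, 6},      # two new violations, none fixed
        "critical": True,
    },
    "Avoid direct or indirect remote calls inside a loop": {
        "previous": {10, 11, 12, 13, 14},
        "current": {10, 11, 15, 16},        # two added, but three removed
        "critical": True,
    },
    "Avoid Too Many Copy/Pasted Artifacts": {
        "previous": {20, 21},
        "current": {20, 21, 22},
        "critical": False,
    },
    "Newly activated rule (no previous violations)": {
        "previous": set(),
        "current": {30},
        "critical": True,
    },
}


def violation_delta(previous, current):
    """Return (added, removed, net, evolution_pct) for one Quality Rule.

    previous / current: sets of object IDs in violation in the previous and
    the most recent snapshot.  The tile shows the net change relative to the
    previous count, so fixed violations offset new ones; counting only
    'added' would report a rising trend for a rule that actually improved.
    evolution_pct is None when the previous count is 0 (no baseline).
    """
    added = len(current - previous)
    removed = len(previous - current)
    net = len(current) - len(previous)
    if not previous:
        return added, removed, net, None
    return added, removed, net, round(100.0 * net / len(previous), 2)


def top_increasing(rules, critical_only=False):
    """Rank rules by evolution %, highest first, as the tile lists them.

    critical_only mirrors the 'Show only critical' switch.  Rules with no
    baseline (evolution None) are left out (an assumption of this example).
    Ties are broken by name so the ordering is deterministic.
    """
    ranked = []
    for name, data in rules.items():
        if critical_only and not data["critical"]:
            continue
        _added, _removed, _net, pct = violation_delta(data["previous"], data["current"])
        if pct is None:
            continue
        ranked.append((name, pct))
    ranked.sort(key=lambda item: (-item[1], item[0]))
    return ranked


if __name__ == "__main__":
    for name, data in SAMPLE_RULES.items():
        print(name, violation_delta(data["previous"], data["current"]))
    print(top_increasing(SAMPLE_RULES, critical_only=True))
```

The second sample rule is the case the page warns about: two violations were added, yet its evolution is -20% because three were removed, so a tile built on added counts alone would rank it as worsening.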

Configuring the landing or home page

As explained previously, the landing page or home page contains a set number of "default" tiles that are delivered "out of the box". Your dashboard Administrator may choose to configure additional tiles or custom locations for the default set of tiles (see CAST-AED - Tile management), but you have a certain amount of freedom to set up the home page as you require:

  • All tiles (custom and default) can be moved by dragging and dropping to the new location.
  • Some tiles can be resized larger or smaller by dragging and dropping the bottom right hand corner of the tile. When tiles are configured (whether custom or default), they contain information that specifies their maximum and minimum size on the horizontal and vertical axes - i.e. you may find that certain tiles will not resize as you wish - this is by design.

Saving changes

Changes you make to the location or size of tiles are saved in a browser cookie, so the positions and sizes of tiles are retained over successive sessions in the same browser. Using a different browser on the same workstation, or clearing the browser's cookies, will not retain the changes to the tiles.

Resetting the home page

If you would like to reset the position and size of the tiles as they are provided to you "out of the box", you can use the Reset homepage option located in the top right hand corner:

Adding tiles as bookmarks/favorites

If you would like to monitor a specific Quality Rule (perhaps a critical Quality Rule with multiple violations) in your Application via a tile in the landing/home page you can do so by adding a "bookmark" or "favorite" tile which links to the item in question. To do so:

  • Navigate to the item you would like to monitor. In this example we have chosen a critical Quality Rule that has a high number of violations.
  • Ensure the item is selected, then click the star icon (highlighted below) to add the item as a bookmark or favorite on the landing/homepage:

  • A message will inform you that the tile has been added:

  • The tile will now be visible in the landing/home page. The number of violations will be displayed, whether the rule is critical and, where applicable, an evolution percentage will be displayed which represents how the number of violations for the Quality Rule has evolved between the current and previous snapshots:

Tips:

  • It is only possible to create a bookmark/favorite for a Quality Rule. Any other type of item (Business Criteria, Technical Criteria, Distribution and Measure) are excluded from this feature.
  • Bookmark/favorite tiles are easily recognisable in that they feature a star icon in their upper right corner.
  • These tiles can be resized and moved just like any other custom/default tile.
  • You can remove the tile by rolling your mouse over the star icon in the upper right corner of the tile - it will transform into a cross and remove the tile when clicked. A message will inform you that the tile has been removed.
  • Bookmark/favorite tiles are persistent between browser sessions, but are specific to the browser. In other words, bookmark/favorite tiles are only visible in the browser they were created in (provided the browser cache/cookies have not been emptied since the tile was created).

Top menu bar

A description of each numbered item is provided below:

1. Application selector: This option enables you to select the Application you wish to view. A drop down list box will be displayed enabling you to pick the Application you require. Note that only the Applications you are authorized to view will be available for selection.
2. Snapshot description: Displays information about the current snapshot data you are viewing: Name, Version, Date.
3. Share data

Clicking this icon will open a new email in your default email client, together with a link to the current location in the dashboard. You can therefore use this option to share a link with colleagues. Example email shown below:

Hi, I want to share with you my CAST Application Engineering Dashboard. You can access it by clicking this url :
http://server:8080/CAST-AED/engineering/index.html#ADG/applications/101/snapshots/2/business/60017/qualityInvestigation/60013.
Regards.
4. Search

Activates a search field enabling you to search for names of items in the quality model:

  • Business Criteria
  • Technical Criteria
  • Quality Rules
  • Measures
  • Distributions

Note that the search is contextual. Therefore if you are investigating at a specific Business Criterion/Technical Criterion/Quality Rule/Distribution/Measure level, only the items belonging to that context will be offered: for example, if you are investigating a Technical Criterion, only the Quality Rules associated with that Technical Criterion will be available:

The search field also indicates that the search will take place in the current context:

5. Current user

Indicates the name of the current user that is logged in to the CAST Application Engineering Dashboard. A drop down list box is also available:

This contains two options:

  • Reset homepage - see Configuring the landing or home page for more information about this option.
  • Logout - this option enables you to log out from the CAST Application Engineering Dashboard - a message will be displayed asking if you are sure you want to log out:

Side menu bar

1. Home: This button will take you back to the initial "home" or landing page from wherever you are located in the CAST Application Engineering Dashboard.
2. Quality investigation: This option focuses on application risk level from the Assessment Model perspective - moving through Business Criteria, Technical Criteria, Quality Rules/Measures/Distributions right down to the objects in violation. See Quality Investigation view for more information.
3. Application investigation

This option focuses on the application's technical components (i.e. its objects) and provides violation details on those objects and their related dependencies. See Application Investigation view for more information.

4. Action Plan

This option will display the Action Plan. An Action Plan is simply a list of objects (i.e. "violations") that have been selected for action before the next snapshot generation, each with a priority level assigned. Users can then use the list to focus their remediation work. Think of it as a "to do list": objects that require work to remove the violation flagged by CAST AIP.

See the section Using the Action Plan below for more information.

5. Contextual help

This option provides basic help for various items in the CAST Application Engineering Dashboard. To use it:

  • Click the button in the sidebar (1) - the button will transform into a cross inside a circle
  • Any contextual help that has been configured on the current page will be highlighted with a plus sign in a blue circle (2)

  • Click the plus sign in a blue circle to view the contextual help:

  • To exit the contextual help, first click the cross in the upper left corner of the contextual help explanation to close the explanation, then click the contextual help button in the sidebar menu.

What information is available?

Note that the CAST Application Engineering Dashboard features a server cache to improve the speed of data display. This does mean, however, that very recent changes in data (i.e. a new snapshot generation) may not instantly appear in the dashboard. If this is the case, the server cache needs to be manually reloaded. See CAST-AAD-AED - Reload the cache.

The information displayed in the CAST Application Engineering Dashboard is derived from snapshots generated by the CAST AI Administrator and provides a detailed "engineering" level view of your set of Applications - this includes specific information about Quality Rules and Violations. All data that is displayed is taken from the most recent snapshot that has been generated for the Application. The data available is displayed using two different "views":

  • Quality Investigation
  • Application Investigation

Quality Investigation view

Accessible from the sidebar menu or by clicking the Quality Model tile, this view enables investigation of the application risk from the Assessment Model perspective - moving through Health Factors/Business Criteria, Technical Criteria, Quality Rules/Measures/Distributions right down to the objects in violation.

By default, only Business Criteria that are categorised as Health Factors will be displayed in the dashboard. All other Business Criteria that are NOT Health Factors will not be displayed. You can override this behaviour, to display ALL top-level Business Criteria if required - see CAST-AED - Dashboard wide configuration options in json.

Data is presented in a series of tables on the left and right hand side of the page enabling you to drill down from a Health Factor to an individual object that is in violation. Take for example the top level list of Health Factor Business Criteria:

Selecting a Business Criterion in this table will display all of the contributing Technical Criteria in the right hand section:

When a Health Factor/Business Criterion is selected, the first row in the Technical Criteria list will be titled "All quality rules...". Selecting this item will display a list of all the Quality Rules that contribute to the selected Health Factor/Business Criterion:

Selecting a Technical Criterion will move the Technical Criterion to the left hand side of the page and display all of the contributing Quality Rules, Distributions and Measures in the right hand section:

Selecting a contributing Quality Rule, Distribution or Measure will move the item to the left hand side of the page and display details about it (including the list of objects in violation, computing details, and rule/distribution/measure documentation) in the right hand section:

Finally, depending on the item (Quality Rule, Distribution, Measure), you can do as follows:

Quality Rule

For a Quality Rule the following sections are available:

Violations

Expand the list of Violations

...to view the objects violating the selected Quality Rule:

Source code

Select an object in the list of violations to view its source code. In order to focus investigation, source code displayed presents either:

  • the object in violation
  • or the violation details when available (e.g. bookmarks, paths).

Whenever a piece of code is made available, the View File button (seen in the example below) provides the ability to open the entire source code file to get the entire context. The file is opened in a separate browser window. The entire source code is presented plus some context (application name, snapshot reference, file name).

The Quality Rule name is also highlighted using colour (yellow for a standard quality rule (as shown below), and red for critical):

 

Please note that in the current release of CAST AIP, the display of source code is limited in functionality:

  • The source code does not currently show all violations for Quality Rules that reference User Input Security elements, such as:
    • The Quality Rule "Avoid direct or indirect remote calls inside a loop"

When a Quality Rule involves "cyclical calls" such as the rule "Avoid cyclical calls and inheritances between packages", then the source code display is altered slightly as follows. A cyclical call means two packages refer to each other through a call and therefore, the result of this could be a circular dependency. So in this case, the dashboard does not show the detailed source code but the list of packages involved so that we can show where these cyclical calls are located.

If a "copy/pasted" Quality Rule has been selected (for example Avoid Too Many Copy/Pasted Artifacts), a list of objects that have a high level of similarity with the selected object will be listed:

After clicking the object in the Violation details table, a separate page will open to show the comparable code fragments:

  • A tab will open split into two areas (left/right) to display selected component source code and master source code (on left by default)
  • Component Selector exists in two areas so that you can change the component source code display by selecting the item
  • File selector is under component selector (with black background) so that you can see the component source code located in each file

Bookmarks

When results include violation bookmarks in the source code, the dashboard can show more details about the actual defects in the object for the current Quality Rule. The violation bookmarks are displayed per defect found; the display follows the same pattern as the object source code viewer: each code fragment is associated with its related file and the violation bookmark is highlighted using colour (yellow for a standard quality rule, red for critical, as shown below). Multiple bookmarks may be associated with a single defect (as shown below):

A More defects button will appear when there are more than five defects in the object for the current Quality Rule:

If a defect contains multiple bookmarks, then the Primary/Secondary bookmark will appear to show the main bookmark and additional bookmarks as shown below. The display follows the same pattern as the object source code viewer, except that the secondary bookmark will be highlighted as blue:

A More bookmarks button will appear when there are more than five bookmarks in one defect for the current Quality Rule. The colour depends on whether the Quality Rule is critical (red) or not (yellow). If you click the View File button, the line numbers are highlighted:

OWASP bookmark display

Bookmarks for defects in source code violating OWASP Quality Rules (such as Avoid SQL injection vulnerabilities (CWE-89)) are displayed slightly differently to help you follow the violation trail within the Application:

  • Call label: this label will be displayed when the object inside the source code calls another object or method
  • Return label: this label will be displayed when the object inside the source code returns to the upper level

You can use the "eye" icon to the right of the list to view the source code file in which the bookmark is located:

Why is that an issue?

You can use the Why is that an issue? option underneath the Source Code display to view the Rationale section of the Quality Rule that has been violated. Clicking the Learn More button will take you directly to a full description of the violated Quality Rule: 

Computing Details

This section displays:

  • the Total checks value which indicates the total number of objects in the Application that were checked against the current Quality Rule.
  • the number of modules in which the current Quality Rule has been checked during the snapshot generation (3 out of 7 in the example below)
  • the % compliance of the Quality Rule. In the example below, the current Quality Rule has a compliance of 18.29% - in other words 18.29% of the objects checked against this Quality Rule were found to have no violations (the higher the number, the better compliance).

  • Expanding the section (using the black arrow as explained above for the Violation list) will provide more detail. In the example below, we can see that:
    • three modules contain objects that were checked against the current Quality Rule. A compliance % is provided for each module along with the number of objects violating the current Quality Rule and the total number of objects in the module that were checked against the current Quality Rule.
    • the compliance of 18.29% for the Total is the compliance percentage for all modules in the Application against the current Quality Rule.

Module: Shows the name of each module that has objects, as defined during the snapshot configuration and generation.
Total Check: The total number of objects in the module that were checked against the current Quality Rule.
Viol.: The number of objects in the module violating the current Quality Rule.
Compliance: The compliance rate for the module, i.e. the percentage of objects in the module that are compliant with the Quality Rule.

Note that the row containing the module name "Total" contains cumulative data for all modules displayed in the section.
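The following is an added example (written for this page, not code from CAST AIP) that builds the Computing Details table for one Quality Rule from constructed per-module counts. It applies the page's definition of compliance per module and, for the "Total" row, to the cumulative checks and violations; the contrast function shows why the Total is not the average of the module percentages. Module names and counts are made up, and the "checked in N out of M modules" figure is taken to mean modules with at least one checked object:

```python
"""Computing Details: per-module and Total compliance for one Quality Rule.

Added example for this page.  The module names and counts are constructed;
the 'Total' row follows the page's description of cumulative data, i.e. it
is computed from the summed checks and violations, not by averaging the
per-module percentages.
"""

# Constructed sample: module name -> (objects checked, objects in violation).
# Two modules have no objects checked against the rule at all, so the rule
# was "checked in 3 out of 5 modules".
SAMPLE_MODULES = {
    "web": (60, 55),
    "core": (100, 70),
    "batch": (4, 1),
    "ui": (0, 0),
    "reports": (0, 0),
}


def compliance_pct(total_checks, violations):
    """Percentage of checked objects with no violation; None if nothing was checked."""
    if total_checks == 0:
        return None
    return round(100.0 * (total_checks - violations) / total_checks, 2)


def computing_details(modules):
    """Build the Computing Details table for one Quality Rule.

    Returns (rows, modules_checked, modules_total) where rows maps each
    module name, plus "Total", to its compliance %.  Modules with no
    checked objects get None and are not counted as checked.
    """
    rows = {}
    sum_checks = sum_viol = 0
    checked = 0
    for name, (checks, viol) in modules.items():
        if viol > checks:
            raise ValueError(f"{name}: more violations than checked objects")
        rows[name] = compliance_pct(checks, viol)
        if checks > 0:
            checked += 1
        sum_checks += checks
        sum_viol += viol
    rows["Total"] = compliance_pct(sum_checks, sum_viol)
    return rows, checked, len(modules)


def mean_module_compliance(modules):
    """The naive average of per-module percentages, shown only to contrast
    it with the cumulative Total: a small, clean module inflates the mean
    while barely moving the application-wide figure."""
    pcts = [100.0 * (c - v) / c for c, v in modules.values() if c > 0]
    return round(sum(pcts) / len(pcts), 2) if pcts else None


if __name__ == "__main__":
    rows, checked, total = computing_details(SAMPLE_MODULES)
    print(f"checked in {checked} out of {total} modules")
    for module, pct in rows.items():
        print(f"{module:8} {pct}")
    print("mean of module %:", mean_module_compliance(SAMPLE_MODULES))
```

With the sample data the Total row reads 23.17% (38 compliant objects out of 164 checked), while averaging the three module percentages would give 37.78%; when reading the dashboard, the Total row is the application-wide figure to quote.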

Rule Documentation

  • Expand the Rule documentation section (using the black arrow as explained above for the Violation list) to view a detailed description of the current Quality Rule:

Accessing an object in the Application Investigation view

Clicking the following icon will take you directly to the object in the Application Investigation view:

Distribution

For a Distribution, you can view how objects in the current Application are distributed: objects are placed into categories depending on the criteria of the Distribution itself. Sections indicate which category the objects fall into: Low/Small (Green), Average, High/Large and Very High/Very Large (Red). A Status column displays the status of the object between the current and previous snapshot (unchanged, added, deleted etc.). Taking the Size Distribution as an example:

  • View a detailed description of the current Distribution:

Measure

Quality Measures are listed in the CAST Application Engineering Dashboard, however, since Measures are never "violated" in the same way a Quality Rule is violated, little information can be displayed other than the documentation. If you require more information about a Measure, please use the CAST Application Analytics Dashboard instead:

Table key

All tables that display data in the Quality Investigation mode contain various columns. The table below lists all possible column names and provides an explanation for each:

Health Factor/Business Criterion

#Critical: Displays the number of critical violations for the currently selected item. The #Critical column is also used as the default sorting criterion when items are first displayed.

Previous: Displays the % variation of the number of critical violations in the current snapshot for the currently selected item compared with those in the previous snapshot.

Baseline: Displays the % variation of the number of critical violations in the current snapshot for the currently selected item compared with those in the very first snapshot.

Health Factor: Name of the Health Factor/Business Criterion.

Technical Criterion

#Critical: Displays the number of critical violations for the currently selected item. The #Critical column is also used as the default sorting criterion when items are first displayed.

Previous: Displays the % variation of the number of critical violations in the current snapshot for the currently selected item compared with those in the previous snapshot.

Technical Criterion: Name of the Technical Criterion.

Weight: Displays the weight of the Technical Criterion in its parent Health Factor/Business Criterion. The higher the value, the more weight the item carries.

Quality Rules, Distributions and Measures

#Violations: Displays the number of violations for the currently selected item. The #Violations column is also used as the default sorting criterion when items are first displayed.

Evolution: Displays the % variation of the number of violations in the current snapshot for the currently selected item compared with those in the previous snapshot.

Quality Rules...: Name of the Quality Rule/Distribution/Measure.

Weight: Displays the weight of the Quality Rule/Distribution/Measure in its parent Technical Criterion. The higher the value, the more weight the item carries.

Filtering on Critical Rules

A red dot in this column indicates that the Quality Rule has been set as critical in the Assessment Model. In addition, the column heading can be clicked to select different displays:

By default, the display is set to Show criticals only; however, you can change to Show All (critical and non-critical) or Show non-criticals only. When the session ends, the filter reverts to the default. If you link directly to an item that is ordinarily hidden by the selected filter, a message is displayed in the bottom left hand corner to inform you that the filter has been temporarily changed:

Violation

- (Action Plan icon column): Option to add/remove the object from the Action Plan (see below). Note that to interact with the Action Plan, your user login must have the role QUALITY_MANAGER. This can be assigned at user level (when using Static List authentication) or via user or group (when using Active Directory authentication). Please see CAST-AED - Configuring user authentication for more information.
Priority

Displays the priority given to the object when it was added to the Action Plan, ranging from:

  • Low (one dot)
  • Moderate (two dots)
  • High (three dots)
  • Extreme (four dots)
Object Name / Location: Displays the object name and, in the case of file-based objects (as opposed to Database objects), the location on disk of the object.
Risk

This value was previously (in the CAST Engineering Dashboard) known as Propagated Risk Index (PRI): it identifies the violations that can impact the largest number of components, involving objects with the largest number of violations pertaining to the Health Factor involved. The formula used to calculate this value is as follows:

PRI = (RPF + 1) x VI

Where RPF and VI equal:

RPF

Risk Propagation Factor (RPF): identifies violations that can impact the largest number of components in the Application. The impact area is computed as follows:

  • Risk Propagation Factor for a Robustness, Performance, or Security Violation is the size of its call path
  • Risk Propagation Factor for a Changeability Violation is its Fan-In
  • Risk Propagation Factor for a Transferability Violation is zero (0).

VI

Violation Index (VI): identifies objects with the largest number of violations, taking into account the weight of the Rules and of the Technical Criteria, for the Health Factor involved. The formula used to calculate this value is as follows:

For each object, identify the Rules it violates that contribute to a given Health Factor through Technical Criteria. Multiply the aggregate weight of each Rule within its Technical Criterion by the aggregate weight of that Technical Criterion within the Health Factor, and sum the products. In other words:

VI = Sum_of_all_rules_violated_by_the_object (Quality_rule_weight * technical_criteria_weight)
Status: Displays the status of the object in comparison to the previous snapshot, e.g.:

  • Added
  • Deleted
  • Unchanged
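The Risk column formula above (PRI = (RPF + 1) x VI), carried through in code as an added example; this is not CAST's own implementation. The object names, rule weights, call-path sizes and fan-in values are constructed for illustration, and the violation list passed in is assumed to be already restricted to the Rules that contribute to the Health Factor being scored.

```python
from dataclasses import dataclass

# Health Factors whose RPF is the size of the object's call path (per the page);
# Changeability uses Fan-In and Transferability uses zero.
CALL_PATH_HEALTH_FACTORS = {"Robustness", "Performance", "Security"}

@dataclass(frozen=True)
class Violation:
    rule: str          # name of the violated Quality Rule
    rule_weight: int   # aggregate weight of the Rule within its Technical Criterion
    tc_weight: int     # aggregate weight of that Technical Criterion within the Health Factor

@dataclass
class AppObject:
    name: str
    call_path_size: int
    fan_in: int
    violations: list   # Violation entries for the Health Factor being scored (assumption)

def risk_propagation_factor(obj: AppObject, health_factor: str) -> int:
    """RPF: how many components a violation on this object can impact."""
    if health_factor in CALL_PATH_HEALTH_FACTORS:
        return obj.call_path_size
    if health_factor == "Changeability":
        return obj.fan_in
    if health_factor == "Transferability":
        return 0
    raise ValueError(f"no RPF rule for Health Factor {health_factor!r}")

def violation_index(obj: AppObject) -> int:
    """VI: sum over violated Rules of rule weight x Technical Criterion weight."""
    return sum(v.rule_weight * v.tc_weight for v in obj.violations)

def propagated_risk_index(obj: AppObject, health_factor: str) -> int:
    """PRI = (RPF + 1) x VI, the value shown in the Risk column."""
    return (risk_propagation_factor(obj, health_factor) + 1) * violation_index(obj)

def rank_by_risk(objects, health_factor):
    """Order objects worst-first, as a remediation queue would."""
    return sorted(objects, key=lambda o: propagated_risk_index(o, health_factor), reverse=True)

# Constructed sample data: hypothetical objects, illustrative weights. The same
# violation list is reused for every Health Factor here purely for brevity.
ORDER_SERVICE = AppObject("OrderService.submit", call_path_size=12, fan_in=4, violations=[
    Violation("Avoid direct or indirect remote calls inside a loop", rule_weight=7, tc_weight=3),
    Violation("Close the outermost stream ASAP", rule_weight=5, tc_weight=2),
])
UTIL_HELPER = AppObject("StringUtil.pad", call_path_size=1, fan_in=40, violations=[
    Violation("Close the outermost stream ASAP", rule_weight=5, tc_weight=2),
])

if __name__ == "__main__":
    for hf in ("Robustness", "Changeability", "Transferability"):
        for obj in rank_by_risk([ORDER_SERVICE, UTIL_HELPER], hf):
            print(f"{hf:16} {obj.name:22} VI={violation_index(obj):3} "
                  f"PRI={propagated_risk_index(obj, hf)}")
```

Note how the ranking flips between Robustness and Changeability: the heavily reused helper (high Fan-In) overtakes the object with the longer call path, which is exactly why the Risk value depends on the Health Factor selected.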

Distribution

Column: Explanation
Object Name Location: Displays the object name.
Status: Displays the status of the object in comparison to the previous snapshot, e.g.:

  • Added
  • Deleted
  • Unchanged

Measure

For Measures, only the documentation is displayed.

Display rules

Each table displays Business Criteria, Technical Criteria and Quality Rules/Distributions/Measures based on the following specific criteria:

  • Items are sorted by:
    • Descending (worst to best) number of Violations in current snapshot
    • If the number of Critical Violations/Violations is identical, the value in the Previous/Evolution columns is also used to determine the display order
  • If the number of Critical Violations/Violations for an item is equal to 0 (i.e. no violations), the line is greyed out to indicate that this item has no violations and is therefore of no interest for remediation purposes. You can still consult the item by clicking it if necessary.
  • If the variation % in the Previous column is exactly 0, the variation is set to 0.00% and the item is greyed out. The variation % may be 0.00 if:
    • there is no previous snapshot available to make a comparison
    • or there has been no change between the current and previous snapshot
  • If the variation % displayed is 0.00 but there is a very slight variation between the current and previous snapshots (for example 0.003), a tilde (~) is prepended to the variation value to indicate that it is approximate.
  • When the Previous % is identical to the Baseline %, this means either that the Previous snapshot and the Baseline snapshot are one and the same (i.e. only two snapshots exist) or that only a single snapshot exists.
  • N/A is displayed for the variation if there is only one snapshot - the item cannot be consulted.

For Quality Rules only:

  • The word "new" will be displayed in the % Evolution column when a Quality Rule was not violated in the previous snapshot (the word "new" will never be displayed if there is only one snapshot).
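The display rules above for the Previous (% variation) column, applied to a Quality Rule in an added example that is not part of the original page. It assumes the variation is computed as (current - previous) / previous x 100, which the page does not state, and models an item with no value in the previous snapshot as previous=None, distinct from there being only one snapshot.

```python
from typing import Optional

def variation_text(current: int, previous: Optional[int], snapshot_count: int) -> str:
    """Text shown in the Previous (% variation) column for a Quality Rule.

    Assumptions (not stated on the page): the percentage is
    (current - previous) / previous * 100, and previous=None means the rule
    has no value in the previous snapshot even though that snapshot exists.
    """
    if snapshot_count < 2:
        return "N/A"            # single snapshot: nothing to compare against
    if previous is None or current == previous:
        return "0.00%"          # no comparison possible, or no change at all
    if previous == 0:
        return "new"            # rule was not violated in the previous snapshot
    pct = (current - previous) / previous * 100
    # A tiny but non-zero variation would round to 0.00: flag it with a tilde.
    if round(pct, 2) == 0:
        return "~0.00%"
    return f"{pct:+.2f}%"

def is_greyed_out(current: int, previous: Optional[int], snapshot_count: int) -> bool:
    """Rows with no violations, or an exactly-zero variation, are greyed out."""
    return current == 0 or variation_text(current, previous, snapshot_count) == "0.00%"

if __name__ == "__main__":
    # Constructed sample rows: (current violations, previous violations, snapshot count)
    for row in [(5, 4, 3), (100001, 100000, 2), (3, 0, 2), (7, None, 2), (7, 7, 2), (7, 3, 1)]:
        print(row, variation_text(*row), "greyed" if is_greyed_out(*row) else "")
```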

Filtering

By default, when using the Quality Investigation view, the entire Application content is displayed. However, you may be interested in investigating a subset of the Application (a specific module or a specific technology). Two filters are available for that purpose in the breadcrumb area, at the top right.

  • Module filter > When investigating any item in the quality model, you can filter results with regard to a specific module. Please note that while drilling down, a Technical Criterion or a Quality Rule may not apply to a specific module (e.g. a SQL Quality Rule does not apply to a module that contains no SQL technology, hence if that Quality Rule is selected, filtering on a module to which it does not apply is meaningless).
  • Technology filter > The same filtering, by technology, applies to the Quality Model Investigation.

By default the filters are inactive (red text) and are only active when specifically selected (white text):


Please note that some filtering may not be relevant as you drill down. If you are investigating a JEE-specific Quality Rule and try to filter on PL/SQL technology, you would get no data; to make this clearer, the PL/SQL technology filter option is disabled (lighter grey colour) in this context. This can apply at Technical Criterion or Quality Rule level and, in some rare cases, even at Business Criterion level:

Furthermore, if investigating a specific object, the filters are disabled (coloured red) as they are no longer relevant:


For several reasons (to avoid confusion, and because bookmarks or tiles can lead to rules/objects in a given context), the filters are always reset when leaving the Quality Model Investigation pages.

Application Investigation view

Accessible from the sidebar menu or by clicking the Application Components tile, this view enables investigation of the objects in the Application. Data is presented in a series of tables on the left and right hand side of the page, enabling you to drill down from an Application right down to an individual object within that Application, and view the Quality Rules that those objects have violated.

The default Health Factor used for this view is Total Quality Index, but you can change this using the drop down list box in the top right corner:

Component Browser

The Component Browser provides a hierarchical tree view of the Application, its modules and the individual projects and objects that make up the Application:

Selecting an item in the tree will do two things:

  • Update the right hand side (see below) of the screen with a list of Quality Rules that the item is violating - so for example, selecting the root Application in the tree will display ALL the Quality Rules that have been violated in the Application. Selecting an individual object will only display the Quality Rules that the selected object has violated.
  • Update the circular "at a glance" views underneath the hierarchical object tree, to display:
    • Objects: the number of objects that have violated a Quality Rule for the selected item - if you select the root Application, the total number of objects that have violated at least one Quality Rule will be displayed.
    • Violations: the number of violations of Quality Rules that the selected item has - this value will always be equal to or higher than the value for the "Rules" circle
    • Rules: the number of Quality Rules that the selected item is violating

Handling large applications that contain a large number of objects

When applications are large and flat (flat project structure), the number of items can be large, leading to slow loading and page rendering. A pagination mechanism has been designed to improve usability: only a subset of items is loaded (~100 by default) and, upon scrolling in the browser, more content is loaded lazily with the message "Loading Next Items":

Quality Rules with violations list

Selecting an item (Application, Module, Project, Object) in the left hand section will update the right hand section. This section lists the Quality Rules that the selected item is violating. Quality Rules are listed by the number of times they have been violated by the selected item (and all its constituent items in the case of an Application, Module or Project) and whether the Quality Rule is critical (flagged with a red dot):

Column: Explanation
Name: Name of the Quality Rule that the selected item is violating.
#Violations: The number of violations that the selected Quality Rule has.
Weight: Displays the weight of the Quality Rule in the parent Technical Criterion. The higher the value, the more weight the Quality Rule carries. Clicking the Weight column header will sort the Quality Rules as follows:

  • first click: by weight descending, highlighting the grey gauge
  • second click: by weight ascending, highlighting the grey gauge
  • third click: by critical Quality Rules descending, highlighting the red dot
  • fourth click: by critical Quality Rules ascending, highlighting the red dot

Hovering the mouse over the grey gauge displays a value: this is the compounded weight, which is calculated as follows:

weight of the parent technical criterion X weight of the Quality Rule

Violations and Rule Documentation

Clicking a Quality Rule in the right hand section will move the right hand panel over to the left hand side, and display a new panel containing:

  • a list of objects that are violating the selected Quality Rule, listed in alphabetical order
  • a section containing documentation about the selected Quality Rule

Please see Violation table from the Quality Investigation view for an explanation of the column headings Plan, Object Name Location, Risk and Status.

Source code

Selecting an object in the Violations and Rule Documentation section will move the right hand panel over to the left hand side, and display a new panel containing the source code of the selected object:

Note that analyzed source code from the following technologies is not visible in the CAST Application Engineering Dashboard:

  • PowerBuilder
  • BusinessObjects

Please also note that in the current release of CAST AIP, the display of source code is limited in functionality:

  • The source code is in fact a display of the entire file that contains the selected object, therefore display performance can be affected if the file is very large
  • Bookmarks in the source code showing the location of the violation are not displayed, instead the entire object within the parent source code file is highlighted
  • The source code does not currently show all violations for Quality Rules that reference User Input Security elements, such as:
    • OWASP security rules
    • The Quality Rule "Avoid direct or indirect remote calls inside a loop"
    • Any Quality Rule referencing copy/paste rules

Action Plan

Note that to edit the Action Plan, i.e. add objects to it or remove objects from it, your user login must have the QUALITY_MANAGER role. This can be assigned at user level (when using Static List authentication) or via user or group (when using Active Directory authentication). Please see CAST-AED - Configuring user authentication for more information. You can view the Action Plan in read-only mode without the QUALITY_MANAGER role.

Like its predecessor, the legacy CAST Engineering Dashboard, the CAST Application Engineering Dashboard features the ability to add and remove objects to and from an "Action Plan". An Action Plan is simply a list of objects (i.e. "violations") that have been selected for action in the next snapshot generation process, with a priority level assigned to them. Users can then use the list to focus their remediation work. Think of it as a "to do list", i.e. objects that require work to remove the violation flagged by CAST AIP.

Viewing objects that have been added to the Action Plan

To view objects that have been added to the Action Plan, there are two methods:

Method: Image
From the "home" or landing page, click the default Action Plan tile.
From the Side Menu bar, click the following icon:

The Action Plan list will then be displayed:

Key:

Item: Description
Resolved: Total number of objects in the Action Plan that have been corrected and are no longer violating the rule since the last snapshot was generated - i.e. the object has been remediated.
Pending: Total number of objects in the Action Plan that are STILL violating a rule since the last snapshot was generated - i.e. the problem has not been fixed.
New: Total number of objects in the Action Plan that have been added to the list since the last snapshot was generated - their status will be checked during the next snapshot generation.

This check box allows you to:

  • modify the object's priority in the Action Plan
  • remove the object from the Action Plan if the issue has been resolved or you no longer need to remediate the issue.
Note that the check box is only visible if your login has the QUALITY_MANAGER role.

Displays the priority given to the object when it was added to the action plan, ranging from:

  • Low (one dot)
  • Moderate (two dots)
  • High (three dots)
  • Extreme (four dots)
Status

Displays the status of the object in the Action Plan:

  • Resolved
  • Pending
  • New

See the sections in the table above which explain these statuses in full.

Quality Rule: The name of the Quality Rule for which the object has been added to the Action Plan (objects can appear multiple times in the Action Plan).
Object Name Location: The name of and information about the object that has been added to the Action Plan for remediation.
Use this option to export the contents of the Action Plan to an Excel file. See Exporting data to Microsoft Excel file format for more information.

Adding objects to the Action Plan

If you would like to add an object to the Action Plan:

  • Drill down and select an item at Quality Rule, Distribution or Measure level
  • A circular checkbox will be visible in each object description row (highlighted in the image below in a red rectangle) - if you do not see this circular checkbox, then your login does not have the QUALITY_MANAGER role:

  • Place a check mark in the circular checkbox alongside the object that you want to add to the Action Plan - the Action Plan button will then become visible as shown below:

  • Now click the Action Plan button and select the level of priority you would like to assign to the object:

  • In this example, we have selected the High Priority level - the Plan column is then updated with the new Action Plan status for the object:

Note that you can add multiple objects to the Action Plan in one go by using the multi checkbox to select all objects under the Quality Rule/Distribution/Measure:

Removing objects from the Action Plan

If you would like to remove an object that has already been added to the Action Plan, you can do so as follows:

Using the Action Plan

The easiest method is to:

  • Access the Action Plan from the side menu bar, or from the Action Plan tile on the "home" page
  • Select the object or use the multi checkbox to select all objects under the Quality Rule/Distribution/Measure:

  • Then click the Action Plan button and select the Remove From Action Plan option as shown above.
  • All selected objects will now be reset and will no longer be part of the Action Plan.

Use the Quality Investigation view

  • Drill down to the Quality Rule, Distribution or Measure level that contains the violations that you have added already to the Action Plan - the Plan column should be populated with a priority level to indicate that the violation has been added to the Action Plan.
  • Select the object or use the multi checkbox to select all objects under the Quality Rule/Distribution/Measure:

  • Then click the Action Plan button and select the Remove From Action Plan option as shown above.
  • All selected objects will now be reset and will no longer be part of the Action Plan.

Updating objects that are already present in the Action Plan

If you have added specific objects to the Action Plan with a specific priority level, you can alter their priority level directly, without having to remove the object from the Action Plan and then re-add it. You can do this either from the Action Plan itself, or by drilling down to the Quality Investigation view (i.e. to the Quality Rule, Distribution or Measure level that contains the violations that you have added already to the Action Plan):

  • Locate the object either in the Action Plan or in the Quality Investigation view - the Plan column should be populated with a priority level to indicate that the violation has been added to the Action Plan.
  • Select the object or use the multi checkbox to select all objects under the Quality Rule/Distribution/Measure
  • Then click the Action Plan button and select the new Priority Level you want to assign to the object.
  • All selected objects will now be updated with the new Priority Level.

Exploiting the Action Plan via the legacy CED and beta APO

The Action Plan available in the CAST Application Engineering Dashboard is fully compatible (in other words, adding/removing objects in AED will be updated in CED and APO and vice-versa) with the existing Action Plan features available in:

Exporting data to Microsoft Excel file format

You can export data to Excel file format if required. The export feature is only available when browsing the dashboard via the Quality Investigation option or when using the Action Plan:

To export to Microsoft Excel file format, use the following icon which is available at the following levels:

  • Health Factors
  • Business Criteria
  • Technical Criteria
  • Quality Rules, Distributions and Measures
  • Violations

When you click this icon, depending on your browser you will be prompted whether you would like to Save or Open the Excel file. The Excel file will contain the data you requested in column format:


Notes about the Excel file data:

  • Some information, such as rule criticality or weight, is not available.

  • Variation between snapshots as a percentage is not provided, but scores for both current and previous snapshot are provided.

  • Where a cell is blank this typically means that either the data is common to all modules (blank Module Name cell) or there are multiple Technologies (blank Technology cell).

Violation level export - Associated Value data

When you export to Excel from the Violation level, a column entitled Associated Value may also be available in the resulting Excel file:

The Associated Value refers to a specific output for the Quality Rule in question. For the Quality Rule shown above, "Close the outermost stream ASAP", the Associated Value is defined simply as the number of methods found to be violating the rule in the object in question. You can view the Associated Value configuration in the CAST Management Studio by opening the Assessment Model and locating the Quality Rule:

1 Comment

  1. Anonymous

    In the Quality Investigation view we don't see the Grade column coming up as in CED. Is there any specific reason that column is not present?

    The reason we are asking this is because that option helps us to concentrate on the least scoring Business Criteria.