Ensuring the correct discovery of transactions is a multi-step process that may be complex and time consuming for applications that are not supported out-of-the-box. At the core of the CAST transaction discovery algorithm is the understanding of the links between objects discovered during the source code analysis of the target application.
CAST automatically sets up default Dependency Rules (see Validate dependency configuration) when the source code is delivered and set as the current version: the source code objects are scanned for references to other objects and links are created where appropriate. Not all links generated in this fashion are valid and their validation by the AIP Super Operator is therefore required.
Missing links result from the inability to find references between objects and can also occur either because of missing dependencies (these may need to be created manually) or because of the presence of frameworks that are not supported out-of-the-box. In this case, new links may be added by defining new dependencies, custom association rules (using the CAST Reference Pattern tool available in the legacy CAST Management Studio) and/or new, custom environment profiles developed ad hoc to extend the out-of-the-box support.
For cross-technology links, External Links will identify and record a link between two objects whose validity cannot be precisely determined. These links are tagged as "dynamic". The inspection of these dynamic links is necessary to determine whether the link in question is legitimate (i.e. valid) or if instead it should be ignored and removed from the results.
Inspection of dynamic links is a mandatory step. It is a very important step because:
Which technologies are affected?
- JEE
- .NET
- C, C++
COBOL and Pro*C are less affected, since embedded SQL will produce plain links.
Step 1 - Check Automatic Links Validator extension report
If the Automatic Links Validator extension has been installed for your Application (this is usually true as the extension is automatically set to be "force installed" as part of an extension strategy) then you should first consult the results produced by this extension during the analysis. If the extension is not installed, CAST highly recommends using it. It functions as follows:
- The extension checks the dynamic link against a series of heuristics
- Each heuristic gives a score (positive or negative) to each dynamic link
- All scores are added up to give a final score = θ.
- The decision to validate as true, reject as false or skip the links is based on the value of θ:
  - if θ > 0, the link is validated as true
  - if θ < 0, the link is rejected as false
  - if θ = 0, the link is skipped (generally this means that none of the heuristics can be applied to this link and in this case, you will need to review the links manually - see below)
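The sum-and-threshold decision described above, as an added Python example (not CAST's code). The two heuristics, their weights and the sample links are hypothetical, since the page does not list the extension's actual heuristics; the example also separates the two ways θ = 0 can arise: no heuristic applying, or scores cancelling out.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

class Link(NamedTuple):
    source: str       # object containing the code
    target: str       # object the string was matched to
    target_type: str
    text: str         # string literal that produced the dynamic link

SQL = re.compile(r"\b(select|insert\s+into|update|delete\s+from|from|join)\b", re.I)

# Hypothetical heuristics: each returns a signed score, or None if it cannot judge.
def sql_context(link: Link) -> Optional[int]:
    """A table name inside SQL-looking text is probably a real access."""
    if link.target_type == "table" and SQL.search(link.text):
        return 1
    return None

def message_text(link: Link) -> Optional[int]:
    """Sentence-like literals (log or UI messages) are probably not references."""
    if " " in link.text and re.search(r"[.!]\s*$", link.text):
        return -1
    return None

HEURISTICS = [sql_context, message_text]

def evaluate(link: Link) -> Tuple[int, int, str]:
    """Return (theta, number of heuristics that applied, decision)."""
    scores = [s for s in (h(link) for h in HEURISTICS) if s is not None]
    theta = sum(scores)
    decision = "validated" if theta > 0 else "rejected" if theta < 0 else "skipped"
    return theta, len(scores), decision

def manual_review_queue(links: List[Link]) -> List[Link]:
    """Links with theta = 0, which the page says need manual review."""
    return [l for l in links if evaluate(l)[2] == "skipped"]

# Constructed sample links (not taken from a real analysis).
SAMPLES = [
    Link("OrderDao.<init>", "ORDERS", "table", "select id from ORDERS where ref = ?"),
    Link("OrderService.report", "ORDERS", "table", "No ORDERS found for customer."),
    Link("Config.load", "ORDERS", "table", "ORDERS"),
    Link("OrderService.save", "ORDERS", "table", "Failed to update ORDERS."),
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link.source, evaluate(link))
```

The last two samples both end with θ = 0, but the second value in the tuple shows that one had no applicable heuristic while the other had conflicting evidence.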
Results are provided in a Microsoft Excel report (you can find out more about this report in the Automatic Links Validator extension documentation), which can be accessed directly in the LISA folder (Large Intermediate Storage Area) on the appropriate Node, which is usually set to %PROGRAMDATA%\CAST\CAST\CASTMS\LISA:
Step 2 - Manually inspect Dynamic Links
If the Automatic Links Validator extension report indicates a percentage of skipped links, or this extension has not been used for the current Application, you should now proceed with a manual inspection of the links.
Using Console
Navigate to the Config > Advanced > Summary of Dynamic Links section:
View the summary section to see the number of Dynamic Links that need to be reviewed - in the example below, only one link needs to be reviewed - and as shown in the details section, this is a Java Constructor accessing a SQL table:
To review the links, click the Manual Review button:
This button opens a new window where you can manually review each link. By default the window will show all links that need to be reviewed - i.e. all links that are still considered to be "unverified". The first link in the list will be selected and the source code that creates the link will be displayed automatically, along with the specific object highlighted (this is known as a bookmark) - this will help you decide whether the link is correct and needs to be marked as valid, or whether the link is invalid and needs to be marked as ignored:
Sometimes, there may be more than one bookmark for a given link. If this is the case, you can move through the bookmarks using the navigation buttons as highlighted below:
Links can, however, be in one of three states, indicated in the Status column:
- Not reviewed: links are displayed in this state when you open the Dynamic Link Manager after the completion of an analysis - these links must be reviewed.
- Validated: links are in this state when they have already been manually or automatically validated as correct or true. By default Validated links are not displayed in the GUI - you will need to specifically select the Validated check box to display them.
- Ignored: links are in this state when they have already been manually or automatically reviewed as invalid or false. By default Ignored links are not displayed in the GUI - you will need to specifically select the Ignored check box to display them.
By default Validated and Ignored links are not displayed in the GUI - you will need to specifically select the Validated / Ignored check box to display them:
Available options
- Allows you to apply the review status on your links. Note that this button is not active until a specific choice has been made either in the individual settings or in the global settings:
- Filters the display of Dynamic Links. By default only To Review is selected, displaying only those links that are unverified and need to be manually reviewed. You can select a combination of any of the options to display the type of links you need. Note that the Reference Finder filter will display any links that have been created via a Reference Finder rule.
- This option is not available if at least one link is selected in the list. Instead radio buttons offering three choices are displayed - this is the action required to review the link:
- Use this button to download the list of Dynamic Links in this section in CSV format.
- Allows you to choose the columns that are displayed in the table. By default all are displayed:
- Provides options for further filtering the display of links. The filtering is based on simple text strings - therefore entering "com" in the Source Object field and applying the filter will only display objects whose name contains the word "com":
- The tick boxes enable you to perform review actions on single or multiple links at a time. You can also use the SHIFT key combined with mouse clicks to select multiple links.
Source Object | Lists the name of the object that contains the code for the "source" of the link.
Source Type | Lists the type of source object - i.e. Method, Constructor, table etc.
Target Object | Lists the name of the object that is the target of the link in the source object.
Target Type | Lists the type of target object - i.e. Method, Constructor, table etc.
Link | Lists the type of link between the two objects.
Status | Current status:
Validate/Ignore/To Do radio buttons | These radio buttons allow you to choose what to do with the link after reviewing its code. Select the appropriate option for the link and then click Apply in the top right corner to confirm the choice. You can use the check boxes to review multiple links:
Process of reviewing Dynamic Links
The process of reviewing Dynamic Links is as follows. Ensure that the filter is set to To Review:
Tick the link you want to review:
If there are multiple dynamic links that you want to Validate (as correct) or Ignore (as false) in one go, you can select multiple using the mouse or using the SHIFT key+mouse combination:
If necessary, check the source code to help you decide if the link is correct and needs to be marked as valid, or whether the link is invalid and needs to be marked as ignored:
Click the appropriate radio button to either Validate (as correct) or Ignore (as false) the link.
Ignore Dynamic Links when:
Validate Dynamic Links when:
Finally click the Apply button to confirm the change in status of the link, then close the window:
The Summary/Details screen will then update to reflect your changes.
Notes
Automating Dynamic Link review
Manually reviewing Dynamic Links (although a legitimate approach) is discouraged as it will not address the underlying cases that triggered the detection in the first place and it can be very time consuming, particularly if you have a large number of dynamic links to review. CAST therefore recommends the use of other options to automate this process as described below. If any of these options are used, they will require an additional analysis so that they are triggered.
Dynamic Link rules
Note that any custom Dynamic Link rule files can be packaged as a custom CAST AIP extension for sharing in the wider CAST user community.
Dynamic Link Manager rule files enable you to create XML based filter rules that can be applied in the AIP Console at global (all Applications) or Application level: each time an analysis is then run, the filter rules will be applied, either validating or ignoring links as required.
Example rule
Take the following example rule file and the filters defined in it:
When this rule is used:
Enabling rules
To associate your rule file in the AIP Console, do as follows.
Application level
To apply the filter rule at Application level, use the Config > Application - Config - Update Application schema option in the Application. See Application - Config - Update Application schema for more details about how to create the rules files.
Global (all Applications) level
Applying the filter rule at Global (all Applications) level requires a user with the Admin role and is actioned in the Administration Center. See Administration Center - Settings - Default Dynamic Links Rules for more information about this option:
Parametrization
You can leverage method Parametrization to automatically ignore or validate links when they are created with a parameter of a method. Parametrization rules allow you to automatically exclude Dynamic Links when you re-run the analysis. Moreover, Parametrization rules can be reused in future analyses (via an Environment Profile), thus supporting the automation of the analysis process. CAST provides some default Parametrization rules and you can also create your own.
Methods are defined in custom environment profiles, and these custom profiles can be selected in the Dynamic Link Manager in the CAST Management Studio.
Technical notes
Limitation of the DLM source code viewer for C/C++
Viewing Source Code
A C++ link may have several different associated pieces of code (in various files). When a server object is referenced in several files for the same Caller, CAST's Dynamic Link Manager will only display references found in one file.
For example:
<pre>
file f1.h :
....
void f(const CString& s = CString(" T1" ) );
...
file f2.cpp
...
void f( const CString& s )
{
    //...
    LPSTR c = "T1";
    //...
}
...
</pre>
In this example, T1 is a server object and function f references T1. The references are spread among two files, f1.h and f2.cpp.
Although there is more than one file that contains references to T1, the Dynamic Link Manager will only display one file (either f1.h or f2.cpp) and highlight all references in it. Thus all references in the other file will not be displayed. In this example, if the file displayed by Dynamic Link Manager is f2.cpp, there will be only one reference highlighted although there is another reference in f1.h. Therefore it can be difficult to decide if links to T1 are valid or should be ignored.
To work around this problem, you can use the Code Viewer in CAST Enlighten. It displays all bookmarks. This allows dynamic links to be evaluated based on complete information.
Macros
Dynamic links will be created to macros based on the source code that is defined in a macro. However, when examining these dynamic links in the Dynamic Link Manager, the link will appear to originate in the macro and call any corresponding object based only on the strings that are defined in the macro. This is a functional limitation of the analyzer. In order to check the validity of these links, the corresponding file where the macro is defined will need to be opened manually.