CAST HIGHLIGHT - Discovery Step - Additional files that should be excluded or included in the analysis


CAST Highlight analyzes code at the file level and does not take the logical links or dependencies between files into account: every file in the scanned folder is treated as an equal part of the application. Anything left in the folder therefore counts towards the results, which is why the scope has to be prepared before the scan.

Files that should be excluded

  • Test classes should be excluded unless you specifically want to scan them.
  • Generated code (e.g. *.d.ts, *.flow.js) should be excluded as well: it is produced automatically by tooling, so the development team cannot realistically manage the software health of that part of the code.
  • For more consistent results, SCM, build and deployment folders (e.g. .git, .svn, gradle, .circleci, .scannerwork, .azure, .vscode, etc.) and files (e.g. .yaml, .gitignore, .gitmodules, Makefile, .npmignore, .checkstyle, build.xml, gradlew, etc.) should not be part of the scope. Please refer to Good practices when defining the scope of a code scan.

Files that should be included based on the scenario

  • If you want insights on frameworks and dependencies whose physical files are not in the folder you are scanning, make sure the dependency manifests (e.g. pom.xml, build.gradle, package.json, .vcsproj, etc.) are in the scanned folder. For more details, please refer to Automated Dependency Discovery & Supported Package Managers.
  • To get accurate and consistent results, especially from a Software Composition Analysis standpoint, take a few minutes to prepare your scan scope with the file/folder exclusion features of the Local Agent. If you want to identify open source or COTS packages, make sure their files are included in the folders you scan (external libraries are generally grouped in a sub-folder named "third-party" or similar, while the main code is often located under "src/main"). Conversely, exclude third-party component sources (typically in "lib", "third-party", "3rd-party", "COTS", "external" or "node_modules" folders) when Software Composition Analysis is not the focus of the scan; otherwise their code is measured as if it were part of the application. For more details, please refer to CAST Highlight Code Scan Best Practices.
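The two lists above describe one procedure: decide what to keep, decide what to drop, then point the Local Agent at the result. The script below is an added example (not CAST's code and not the Local Agent's own exclusion syntax) that applies those rules to a folder tree and prints the files that would end up in scope, so the scope can be checked before launching the scan. Folder and file names come from this article; the test-file naming patterns, gradlew.bat, *.yml and the sample tree are assumptions for illustration. Run it with sca_focus=True to see how a Software Composition Analysis scan keeps the third-party folders that a Software Health scan drops.

```python
"""Dry-run a CAST Highlight scan scope before handing the folder to the Local Agent.

Added example, not CAST's code: it applies the exclusion/inclusion rules from
this article to a folder tree and lists what would be analysed. Names marked
ASSUMED are illustrative additions, not taken from the article.
"""
import fnmatch
import tempfile
from pathlib import Path

# SCM, build, CI and IDE folders (from the article).
EXCLUDED_DIRS = {".git", ".svn", "gradle", ".circleci", ".scannerwork", ".azure", ".vscode"}
# Third-party component folders (from the article): out of scope unless the
# scan is focused on Software Composition Analysis.
THIRD_PARTY_DIRS = {"lib", "third-party", "3rd-party", "COTS", "external", "node_modules"}
# Build/config files (from the article) plus gradlew.bat (ASSUMED, same family).
EXCLUDED_FILES = {".gitignore", ".gitmodules", "Makefile", ".npmignore",
                  ".checkstyle", "build.xml", "gradlew", "gradlew.bat"}
# Generated code and YAML config (from the article; *.yml ASSUMED as sibling of *.yaml).
EXCLUDED_FILE_GLOBS = ("*.yaml", "*.yml", "*.d.ts", "*.flow.js")
# Dependency manifests that Automated Dependency Discovery needs (from the article).
MANIFESTS = {"pom.xml", "build.gradle", "package.json"}
# Test folder and file conventions (ASSUMED; adapt to the code base).
TEST_DIRS = {"test", "tests", "__tests__"}
TEST_FILE_GLOBS = ("*Test.java", "*Tests.cs", "*.test.js", "*.spec.ts", "test_*.py", "*_test.go")


def in_scope(rel_path: str, *, include_tests: bool = False, sca_focus: bool = False) -> bool:
    """Return True if a file (path relative to the scan root) should be analysed."""
    parts = Path(rel_path).parts
    dirs, name = parts[:-1], parts[-1]
    if any(d in EXCLUDED_DIRS for d in dirs):
        return False
    if not sca_focus and any(d in THIRD_PARTY_DIRS for d in dirs):
        return False
    if not include_tests and (any(d in TEST_DIRS for d in dirs)
                              or any(fnmatch.fnmatch(name, g) for g in TEST_FILE_GLOBS)):
        return False
    if name in MANIFESTS:  # keep manifests wherever they survive the folder rules
        return True
    if name in EXCLUDED_FILES:
        return False
    return not any(fnmatch.fnmatch(name, g) for g in EXCLUDED_FILE_GLOBS)


def build_scan_scope(root: str, **opts) -> list[str]:
    """Walk `root` and return the sorted, slash-separated relative paths that are in scope."""
    root_path = Path(root)
    return sorted(p.relative_to(root_path).as_posix()
                  for p in root_path.rglob("*")
                  if p.is_file() and in_scope(p.relative_to(root_path).as_posix(), **opts))


# Constructed sample tree used to exercise the rules; it is not a real project.
SAMPLE_TREE = [
    "src/main/java/com/acme/App.java",
    "src/main/js/app.js",
    "src/main/js/app.flow.js",        # generated Flow output
    "src/test/java/com/acme/AppTest.java",
    "types/generated.d.ts",           # generated TypeScript declarations
    "pom.xml",
    "package.json",
    "build.xml",
    ".git/config",
    ".circleci/config.yml",
    "lib/vendor/util.js",
    "node_modules/left-pad/index.js",
    "node_modules/left-pad/package.json",
]


def scope_for_sample_tree(**opts) -> list[str]:
    """Materialise SAMPLE_TREE in a temporary folder and compute the resulting scan scope."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel in SAMPLE_TREE:
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text("// placeholder\n")
        return build_scan_scope(tmp, **opts)


if __name__ == "__main__":
    for label, opts in (("software health scan", {}),
                        ("SCA-focused scan", {"sca_focus": True})):
        print(f"{label}:")
        for rel in scope_for_sample_tree(**opts):
            print("  " + rel)
```

Whatever this dry run drops is what the Local Agent's file/folder exclusion settings should cover for that scan; whatever it keeps (in particular the manifests at the root) must still be present in the folder you hand to the agent.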

For more information on best practices for analyzing code, also refer to:

Good practices when defining the scope of a code scan

Automated Dependency Discovery & Supported Package Managers

CAST HIGHLIGHT - Analyzer - Code Analysis focused on Software Component Analysis

CAST HIGHLIGHT - Analyzer - Code Analysis focused on Software Health and Cloud Readiness


Additional Resources

CAST Highlight Troubleshooting Guides

CAST Highlight Product Documentation
