Application - Overview with Fast Scan - Advanced Platform Configuration

The Overview with Fast Scan panel is part of the onboarding workflow introduced in 2.3.1. It will only be populated when this onboarding workflow is enabled and used - see Administration Center - Settings - Application Onboarding. See also Workflow - Application onboarding with Fast Scan.

This section is only displayed if you have configured more than one of either of the following:

Multiple CAST Storage Service/PostgreSQL instances for analysis or Measurement requirements - see Administration Center - Settings - CSS and Measurement settings.
Multiple Nodes (i.e. you are running the enterprise release of Console which allows for multiple Nodes to be configured) - see Administration Center - Nodes.

This allows you to select the specific target CAST Storage Service/PostgreSQL instance (for the database schemas required for the new Application) OR the target Node (for deep analysis requirements). If you do not make a selection - i.e. you leave the options set to "ANY", Console will function in "load balancing" mode and will choose the CAST Storage Service/PostgreSQL or Node automatically:

If you have ALREADY run a deep analysis, the UI will prevent you from choosing a different CAST Storage Service instance or Node for any subsequent analysis related actions to ensure stability.
Load Balancing behaviour, when ANY is selected:
- CAST Storage Service/PostgreSQL
  - For the deep analysis step (result storage), the CAST Storage Service/PostgreSQL instance with the lowest number of CAST related schemas already stored on it will be used.
- Nodes
  - For the deep analysis step, the least busy node running the same release of AIP Core as used for the initial fast scan will be selected.
Node manual selection: only nodes running the same release of AIP Core as used for the initial fast scan of the onboarding process will be made available for selection - this is to prevent analysis errors. This may mean that it is not possible to choose a specific node.

Run analysis

In ≤ 2.7, CAST Imaging MUST be configured Administration Center - Settings - Imaging Settings otherwise the action will fail. This requirement has been removed in ≥ 2.8.

This section provides the following:

Information about the state of the source code
Allows you to start an analysis
Provides an analysis estimation time in hours and minutes. In ≥ 2.6 this estimation is valid for the analysis action and the upload to CAST Imaging (no estimation is given for CAST Dashboard actions). In previous releases, the estimation is only valid for the analysis action.

Information about the state of the source code	Information about the readiness of the delivered source code for analysis is provided based on the initial fast scan: All clear If no "issues" are found then the "all clear" is given: All clear but cannot access CAST Imaging/CAST Dashboards If no "issues" are found, but CAST Imaging/CAST Dashboards are either not configured or not available, the upload to CAST Imaging/CAST Dashboards (snapshot) will not run: Issues found If issues are found, then a warning is given with an explanation. In this situation, a warning does not mean that the analysis cannot proceed, however, coherent results may not be produced. For example: Console is warning that the delivered source code has links from JSP to Java, however, no Java source has been delivered: Console is warning that the delivered source code contains files that are encoded in a format other than UTF-8. Files that do not use UTF-8 encoding can cause issues for some CAST analyzers and may even cause the analyzer to crash, as such this warning invites you to convert the non UTF-8 files into UTF-8. CAST also provides a breakdown of the technologies which contain non UTF-8 by clicking the link highlighted below (a popup is displayed containing the breakdown): Analysis complete When an analysis has been run, this panel will show: the previous analysis duration time whether any missing dependencies were detected in your source code during the analysis (i.e. code that is calling another piece of code that cannot be found): a yellow warning icon will be displayed if this is the case. This should be fully investigated and corrected because it means that results may not be coherent. Clicking the warning triangle will direct you straight to the log file to see the missing dependencies alerts. See also Validate dependency configuration. a failed analysis, suggesting log files are checked before clicking Resume Analysis:
Run Analysis	Click the Run Analysis button to start the deep analysis process. A popup will then be displayed: When an analysis is started, a full backup of the onboarding details (e.g. delivered source code and any exclusions that have been set) and is created (in ZIP format) and is stored in the following locations (see below). This is so that any manually or automatically (via a filter) excluded folders/files can be removed before the analysis is started. When the analysis action is complete, any excluded files/folders are put back in the original location (ZIP file unzip location or source code folder location): Enterprise mode > SHARED_FOLDER (common-data) location in the docker-compose.yml file - usually similar to \\shared\console\common-data\backup\source_folder_backups Standalone mode > %PROGRAMDATA%\CAST\AIP-Console-Standalone\shared\backup\source_folder_backups
Deep analysis estimation time	The deep analysis estimation time is provided in hours and minutes and is based on anonymous statistical data that has been collected by CAST using the Allow CAST to automatically collect anonymous statistical data option in the Admin Center - see Administration Center - Settings - CAST Extend. Note that this estimation is only valid for the analysis action and does not include any other actions that may have been enabled for CAST Dashboards/Imaging.
Advanced configuration	Available in ≥ 2.8. Enabled only when an initial deep analysis has been completed. This option allows you to control what steps in the analysis process are actioned and should only be used if you know what you want to achieve:

What steps are actioned when Run Analysis is clicked?

When the Run Analysis button is clicked, the following will occur automatically depending on the configuration:

CAST Imaging configured and available	Embedded CAST Dashboards configured and available	Analysis	Upload to CAST Imaging	Security Dataflow actioned	Snapshot generation	Upload to CAST Dashboards

Install, Configure, Analyze

The actions Install, Configure and Analyze are ALWAYS actioned regardless of your configuration:

The Finalizing Analysis entry will only be visible in the Analyze section when source code exclusions have been configured. This step restores the excluded files after the analysis has completed:

Upload

The Upload action differs depending on your configuration:

Configuration	Requirement	Actions
Any (Standard AIP Core, AIP Core for Imaging, AIP Core for Security)	CAST Imaging MUST be configured in Administration Center - Settings - Imaging Settings and accessible.	Upload to CAST Imaging will be actioned.
With embedded Dashboards	Embedded CAST Dashboards MUST be configured and accessible. See Embedded CAST Dashboard deployment process.	A snapshot is generated (for the Engineering Dashboard) Data is also uploaded to the Measure schema for the Health Dashboard

Additional analysis options

Depending on the configuration and license in use the following configuration will also be automatically applied when the Run Analysis button is clicked:

Option name

Target

Action

Security Dataflow

CAST Dashboards

This option focuses on user input security assessments for JEE/NET technologies. Selecting this option will:

install the following extensions (in addition to any that are discovered, set to force install or those that are automatically active / shipped extensions):
- com.castsoftware.qualitystandards
- com.castsoftware.automaticlinksvalidator
- com.castsoftware.securityforjava (JEE only)
- com.castsoftware.jeerules (JEE only)
- com.castsoftware.dotnetweb (.NET only)
enable the following options:
- Application - Security Dataflow for the discovered technologies (JEE and/or .NET)

This configuration is applied as follows:

for an initial analysis, if the CAST Dashboards are configured and available this configuration is ENABLED.
for all subsequent analyses, the configuration is enabled/disabled depending on the configuration set in the previous analysis. This behaviour is overridden when the settings in Application - Security Dataflow are manually disabled.

Function Points

CAST Dashboards

This option focuses on function points measurement. Selecting this option will currently install the following extensions (in addition to any that are discovered, set to force install or those that are automatically active / shipped extensions):

com.castsoftware.automaticlinksvalidator

If you are using a CAST global license that does not include EFP, then this option will not produce any results.

Tags for Data Access Sensitivity

CAST Imaging and CAST Dashboards

This option focuses on flow of data identification and will deliver associated results. Selecting this option will currently install the following extensions (in addition to any that are discovered, set to force install or those that are automatically active / shipped extensions):

GDPR / PCI DSS

Two additional options specifically enable a check of a set of predefined sensitive key words related to GDPR (General Data Protection Regulation) and/or PCI-DSS (Payment Card Industry Data Security Standards) data:

These options are ONLY currently taken into account for Mainframe technologies (analyzed via the com.castsoftware.mainframe, SQL technologies (analyzed via the com.castsoftware.sqlanalyzer extension) and NoSQL technologies (analyzed via the com.castsoftware.nosqljava and com.castsoftware.nosqldotnet extensions).
These options do not provide a certification for GDPR and PCI DSS. Their aim is to help identify sensitive data in particular contexts.
It is still possible to provide your own custom key word indicators, see Data Sensitivity for more information.

In other words, enabling the GDPR option (for example) will force the check using the predefined keywords. When the analysis runs, the predefined keywords defined will be checked and if any are found in the source code a flag will be added in the analysis results on the object in question. This can be seen as below in CAST Imaging:

Click to enlarge

Resuming interrupted jobs

Should your job be interrupted for whatever reason (network issue, issue on the Node etc.), CAST Console is able to resume the job from the same point or a previous point. Take for example a job that has been interrupted in the Install step:

Returning to the Application - Overview with Fast Scan page, a Resume button will be displayed in place of Run analysis:

In addition starting CAST Console 2.9, steps that were successfully completed prior to the interruption will be displayed as follows:

Log panel	Click to enlarge
Job progress screen ≥ 2.9	Click to enlarge

Technical details for resume functionality

Click here to expand...

For each step listed below, CAST Console will attempt to resume either from the same step or a previous step:

resume from the same step it failed or was stopped
resume from a previous step

E.g.:

Fast Scan
- Unzipping source
- Initialize fast scan
- Content discovery
Install
- Exclude files
- Create application schemas
- Set up Management database - resume from 'Create application schemas'
- Declare application in Management database - resume from 'Create application schemas'
- Install extensions
Configure
- Creating package from source - refresh onboarding, Prepare Version and resume from 'Content discovery'
- Attaching package to version - refresh onboarding, Prepare Version and resume from 'Content discovery'
- Delivering version - refresh onboarding, Prepare Version and resume from 'Content discovery'
- Accepting Version - refresh onboarding, Prepare Version and resume from 'Content discovery'
- Set as current version
Analysis

- Run analysis
- Prepare analysis data
Upload
- Create snapshot
- Generate snapshot indicators
- Publish to Health Dashboard
- Upload to CAST Imaging

Limitations

The resume functionality is available based on the status of the last executed job, therefore if the analysis has been stopped manually:

and a new extension is added (but not installed), in order to continue the analysis the Resume button should be used so that the "update extension" step is actioned before the analysis step is resumed.
and a new extension is installed, when the install extension action is complete the Resume button will be replaced by Run analysis.