Project
Client name
Report date
Onboarding
CodeWeTrust
Tuesday, 24 January 2023
Introduction
SOURCE CODE ASSESSMENT
using C2M
by CodeWeTrust
–
c2m Training
Source
Code
Inspection
Report date
Thursday, 07 April 2022
Intro
Contents
The c2m application layout
The dashboard (a)
The dashboard (b)
Findings overview
Reports
How to group
How to connect Jira
How to generate a Jira ticket
Packages review
How to add a product’s code base
Scanning from Bitbucket
Retrieve historical data
Limit the scope of scanning
Exclude repositories
Settings
Setting Jira
Setting code analysis rules
Automated reports
Install a new version of CWT
“Blind” audit
Quality benchmarks
Explanation-Annotation
Dashboard (a)
Select a product
Check a term definition
Search for a product
Global app settings
Single product scanning results overview
Dashboard (b)
The top used programming languages
Number of repos that make up this product’s codebase
Number of code refactoring tickets opened with c2m
Total lines of code
Rescan the codebase or delete it
Number of issues: Code Defects, Duplications, Code Smells, Hardcoded Risks, Vulnerabilities, Security Hotspots, License Compliance
Green circle indicates health; red requires attention
Green arrow indicates improvement; red arrow indicates deterioration
Overview of findings
Executive report
Detailed Eng report
Overview Eng report
Developer’s productivity review
Numerical overview of findings
Reports
Executive report
Detailed list of findings report
Jira Connector
Create Jira Ticket
Static code analysis and security analysis are capable of generating Jira tickets.
1- Details
2- Create Jira Ticket
Jira Connector
Settings
UserName (Jira Account)
Jira API Token
Project Key
Jira URL
Save
Packages
Allows SaaS: True
Allows Distribution: True
Allows Modification: True
Allowed
Undefined
Uncertain
Add a new product
To save execution time, space and cost, the user can select subdirectories to be scanned individually.
Scan code with Bitbucket
1. Create a Bitbucket app password and enable read access for repos and projects. Save the password to use later.
Bitbucket user name
Scan code with Bitbucket (continued)
Bitbucket user name
Product name
Bitbucket workspace URL
Bitbucket account user name
App password (CodeWeTrust)
Historical data & development branch for a single repository
Type the name of the development branch
Historical data: select time frame and sampling rate
Limit the scope of scanning
Filter the selected repositories
Settings - Access Control
Add a new entry for access control
Save
Admin (full control)
Can only view the analysis
Can run scan analysis
Can change settings
Can export Executive Report
Rules are applied in the order given by the “Order” label
Edit the existing set of permissions for a selected user.
Settings - System | Code Quality
Code Quality
Settings
Docker Engine Setting
Save
Save
Adjusts business risk calculation threshold
Settings - Security Analysis | License Compliance
Save
Security Analysis
License Compliance
Save
Adjusts Security Risks calculation threshold
Adjusts License Risks calculation threshold
Settings - Jira Export
Save
Choose product
Jira Account UserName
Jira API Token
Jira Project Key
Base URL
Set up a Jira connection to export detected issues in one click from the Analysis details table.
Settings - Code Analysis Rules
Save
Enable or disable a Code Analysis Rule; settings are applied immediately on click.
Enable/ Disable Rule
Rule ID
Rule Name
Rule Type
Severity
Language
Internal Key
Description
Tags
Install a new version
Step 1: Download the new version from https://www.codewetrust.com/download
Step 2: Back up the configuration file (appsettings.json) and the past analysis results
Step 3: Unzip the downloaded version
Step 4: Delete the newer appsettings file and rename the older (backed-up) one to take its place. Done!
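As an added illustration of steps 2 to 4 (not CodeWeTrust’s own updater), the following Python script backs up the configuration and past results, refuses archive entries that would extract outside the install directory, unzips the new version in place and restores the backed-up appsettings.json. It assumes the release archive is a zip with appsettings.json at its top level and that past results live in a “results” folder under the install directory (an assumed path); the download of step 1 is left to the user.

```python
import json
import shutil
import tempfile
import zipfile
from pathlib import Path

CONFIG = "appsettings.json"
RESULTS = "results"  # assumed location of past analysis results under the install dir


def backup(install_dir: Path, backup_root: Path) -> Path:
    """Step 2: copy appsettings.json and past results into a fresh backup folder."""
    backup_root.mkdir(parents=True, exist_ok=True)
    dest = Path(tempfile.mkdtemp(prefix="cwt-backup-", dir=backup_root))
    shutil.copy2(install_dir / CONFIG, dest / CONFIG)
    if (install_dir / RESULTS).is_dir():
        shutil.copytree(install_dir / RESULTS, dest / RESULTS)
    return dest


def upgrade(install_dir: Path, archive: Path, backup_root: Path) -> Path:
    """Steps 2-4: back up, unzip the new build in place, keep the old config."""
    cfg = install_dir / CONFIG
    if not cfg.is_file():
        raise FileNotFoundError(f"no {CONFIG} to preserve; not upgrading")
    saved = backup(install_dir, backup_root)
    with zipfile.ZipFile(archive) as zf:
        for name in zf.namelist():  # refuse entries that could land outside install_dir
            if name.startswith("/") or ".." in Path(name).parts:
                raise ValueError(f"unsafe path in archive: {name}")
        zf.extractall(install_dir)  # step 3: this also drops in the vendor's appsettings.json
    shutil.copy2(saved / CONFIG, cfg)  # step 4: the backed-up config replaces the new one
    json.loads(cfg.read_text())  # fail loudly if the restored config is not valid JSON
    return saved


def demo() -> dict:
    """Constructed sample install and release zip so the flow can be run offline."""
    inst = Path(tempfile.mkdtemp()) / "cwt"
    (inst / RESULTS).mkdir(parents=True)
    (inst / CONFIG).write_text(json.dumps({"Port": 5001, "Tenant": "acme"}))
    (inst / RESULTS / "scan-2022-04.json").write_text("{}")
    with zipfile.ZipFile(inst.parent / "cwt-new.zip", "w") as zf:
        zf.writestr(CONFIG, json.dumps({"Port": 80}))  # vendor defaults, must not win
        zf.writestr("CodeWeTrust.dll", "new build")
    saved = upgrade(inst, inst.parent / "cwt-new.zip", inst.parent / "backups")
    return {"port_after": json.loads((inst / CONFIG).read_text())["Port"],
            "new_binary": (inst / "CodeWeTrust.dll").read_text(),
            "results_backed_up": (saved / RESULTS / "scan-2022-04.json").is_file()}
```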
“Blind” audit
The “Blind” Audit feature could be used
In both cases the feature facilitates the sharing of a source code assessment without sharing the code.
The methodology consists of four steps:
Prerequisites on the source code provider (seller)
Steps
Suggestions
If you scan the code from a local repository, it is suggested to split it into logical units (front-end, back-end, tests, etc.) as far as possible. Set up a different folder for each part, and scan each as a different product.
Select the option “subdirectories as repositories”.
You can kick off the scanning of several folders without waiting for parsing to complete; the jobs will be pipelined, as shown in the screenshot on the right.
“Blind” audit steps 1-2
After the user has scanned the code and selected the parts of the analysis they are willing to share, a password-protected file with the extension .c2m is compiled and exported (i.e. “yourfilename.c2m”).
“Blind” audit steps 3-4
The “consumer” receives the results file through mail or file sharing and activates the import functionality.
They have to provide the correct password, wait for the file to load (it might take a while, depending on the size of the file) and then, after the upload completes, select “import”.
Quality Benchmarks Settings
c2m version 6.0+ provides a method to define your own quality thresholds:
a) You can choose the default quality settings, calculated by averaging the results of a wide selection of OSS frameworks.
b) You can modify the selected settings.
c) You can choose the quality benchmark calculated by analysing 20 of the Top 50 most used OSS frameworks on GitHub.
Annual enterprise versions will provide the functionality to implement, import and export your own benchmarks by analysing user-selected reference frameworks.
Executive report
Overall code quality indicates caution
→ We consider the classification of the subcategories Defects, Code smells, Duplications and Hardcoded Items; if any of these categories raises concerns, we suggest code refactoring.
Overall application security indicates caution
→ We consider the classification of the subcategories Vulnerabilities and Hot spots; if any of these categories raises concerns, we suggest code refactoring.
Overall license compliance indicates caution
→ We consider the classification of the subcategories Licenses and Packages*; if any of these categories raises concerns, we suggest code refactoring.
Overall development team analysis does not raise concerns
→ We consider only the top performers. This is not shown on the portal (and it is not planned to be visualized there).
RECOMMENDATIONS
Reliability
Check the list of hardcoded tokens: <PORTAL> → <Code Risks> → <details>
Inspect the list of defects/code smells/long classes: <PORTAL> → <Static Code Analysis> → <Code Analysis details*>, select severity: Critical & blockers
Complexity
Duplicate blocks: all, in case they are above the threshold percentage (%)
Inspect the list of defects/code smells/long classes: <PORTAL> → <Static Code Analysis> → <duplicated blocks>
Security
Inspect the list of vulnerabilities under consideration at: <PORTAL> → <Security Analysis> → <Security details*>, select Type: Vulnerability, select Severity: Critical & blockers
License Compliance
Inspect the list of licenses under consideration at: <PORTAL> → <Licenses & packages> → <License details*>, select Risk status: Uncertain/Risk
<PORTAL> → <Licenses & packages> → <package details*>: consider packages with red dots in the license column
Package Dependencies
Critical outdated packages that should be updated: <PORTAL> → <Licenses & packages> → <package details*>, select Severity: Critical & blockers
(*) After CodeWeTrust version 6.0 the portal tags/labels will change slightly, for the better.
Project
Executive reports presentation
Client name
All
Report date
Thursday, 07 April 2022
Classifications depend on the Security Threshold defined in the portal settings section; check the portal overview too.
Check on portal: <PORTAL> → <Licenses & packages> → <package details*>, check the “message” column
Check on portal: <PORTAL> → <Licenses & packages> → <package details*>, select severity: Critical & blocker
Check on portal: <PORTAL> → <Licenses & packages> → <License Overview*>
Check on portal: <PORTAL> → <Licenses & packages> → <License details*> (low: no risk, Med: Uncertain, High: Risk)
Check on portal: <PORTAL> → <Licenses & packages> → <Package details*>
Executives & Engineering report
Category | Type | Details on portal’s dashboard |
--- | --- | --- |
Code Quality | Defects | Inspect the list of defects/code smells/long classes etc.: <PORTAL> → <Static Code Analysis> → <Code Analysis details*>, select type: Defects, select severity: Critical & blockers |
Code Quality | Code Smells | Inspect the list of defects/code smells/long classes etc.: <PORTAL> → <Static Code Analysis> → <Code Analysis details*>, select type: Code Smells, select severity: Critical & blockers |
Code Quality | Duplications | Inspect the list of defects/code smells/long classes: <PORTAL> → <Static Code Analysis> → <duplicated blocks> |
Code Quality | Hardcoded Items | Check the list of hardcoded tokens: <PORTAL> → <Code Risks> → <details> |
Security | Vulnerabilities | Inspect the list of vulnerabilities under consideration at: <PORTAL> → <Security Analysis> → <Security details*>, select type: Vulnerability, select severity: Critical & blockers |
Security | Hotspots | Inspect the list of vulnerabilities under consideration at: <PORTAL> → <Security Analysis> → <Security details*>, select type: Hot Spots, select severity: Critical & blockers |
License Compliance | License Risks | Inspect the list of licenses under consideration at: <PORTAL> → <Licenses & packages> → <License details*>, select Risk status: Uncertain/Risk |
Packages | Total | <PORTAL> → <Licenses & packages> → <package overview*> |
Packages | Outdated | <PORTAL> → <Licenses & packages> → <package details*>, select severity: Critical & blocker |
Development Team | Active/contributors | Not shown on portal |
Engineering report
THANK YOU!