We recently released version 1.8 of Code Dx and with it we addressed a major pain point that’s been on our feedback list: Code Dx now ships with an installer, making the process of getting up and running with a production installation of Code Dx a breeze. The other release highlights are new support for Veracode, the addition of an export/import workflow, and a litany of smaller improvements and bug fixes. In this post I’ll cover the new major features, but if you’re interested in the details be sure to check out the release changelog.

The Installer

Before version 1.8, Code Dx came in two package types. The evaluation package was a self-contained environment that the user could use to evaluate the tool. It was really easy to get going with it, but it had scalability limitations, mostly out of a need to keep the package lightweight enough for evaluation purposes. The other package format was a Java WAR file that users would deploy on their own application server. On the one hand this offered full customizability of the deployment environment, but the flip side was that the list of prerequisites was quite long and required a working understanding of how to configure Tomcat and MySQL. We got a lot of feedback that folks loved how easy it was to use the evaluation version, but thought the production deployment process was daunting. They wanted Code Dx “to just work”, and rightly so. So we looked into creating an installer for Code Dx.

The new Code Dx installer offers the same deployment for both evaluation and production purposes. So if you evaluate Code Dx and end up adopting it, then you can just use the same environment as your production installation. All the dependencies are automatically deployed and configured during the installation process. Beyond some standard configuration prompts during the installer wizard – installation location and admin credentials – the process is quick and effortless. Once the installation is completed, Code Dx is spun up and ready to use.

[Screenshot: Code Dx installer setup wizard]

Some of you may already be familiar with the Bitnami folks; they create self-contained “stacks” that help users evaluate and use tools that have a complex deployment process, typically web applications. We crossed paths with them when we were searching for an installer option, and after finding out about their platform we ended up agreeing that this was a good match all around. Code Dx had a complex deployment requirement, and the Bitnami folks were experts in creating deployment packages with similar prerequisites. What you see in the 1.8 installer is the end result of our collaboration with Bitnami. We think it makes Code Dx deployments significantly easier.

Veracode Support

Code Dx Enterprise now has support for Veracode static analysis outputs, joining the ranks of the other 25 integrations we now support. In the next version of Code Dx we’ll be looking to add support for Veracode’s manual and dynamic analysis outputs. To push your Veracode results to Code Dx, select the XML report option in Veracode and download the provided zip file. You can then upload that zip file to the desired project and Code Dx will automatically recognize it as a Veracode output file.

[Screenshot: Code Dx new analysis upload dialog]

Export/Import Workflow

For a while now, Code Dx has had three reporting options: PDF, CSV, and XML. With Code Dx version 1.8 we’ve expanded on the data we provide in the XML reports (that’s partly why we made some XML schema changes in the last release) and now include triage status and user comments in the report. We’ve also made changes to the Code Dx XML input schema to better align it with the Code Dx output schema. This means that Code Dx XML reports can now be imported right back into Code Dx opening up the possibility for some interesting workflows.

For instance, let’s say you want to share a subset of the current project data with another stakeholder. You can set a filter on the current project to focus on the data that matches your criteria and then export that data using the XML reporting mechanism. With the XML file in hand, you can create a new Code Dx project and upload the XML report right back into it, resulting in a new project that has only the findings that you want to share. You can then add the desired users to this new project and provide them with the smaller, and perhaps more important, portion of the detected findings.
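Because the 1.8 XML report now carries triage status and user comments, a filtered export handed to an outside stakeholder may contain more than the findings you filtered on. The script below is an added example, not Code Dx’s own code, of a pre-share check on such an export: it drops findings outside the intended filter, optionally strips comments, and verifies that what remains matches the filter before the file is uploaded into the new project. The element and attribute names (`report`, `finding`, `severity`, `status`, `comment`) and the sample report are assumed for illustration and are not the real Code Dx XML schema; adapt the XPaths to the actual report.

```python
"""Pre-share check for a filtered XML findings report (added example).

ASSUMPTION: the element/attribute names below are hypothetical, chosen for
illustration only. They are NOT the real Code Dx 1.8 report schema.
"""
import xml.etree.ElementTree as ET

# Constructed sample report (hypothetical schema, not from Code Dx).
SAMPLE_REPORT = """<?xml version="1.0"?>
<report project="WebGoat">
  <finding id="1" severity="High" tool="FindBugs" status="Escalated">
    <location path="src/org/owasp/webgoat/SqlInjection.java" line="42"/>
    <comment user="alice">Confirmed: request parameter reaches Statement.execute.</comment>
  </finding>
  <finding id="2" severity="Low" tool="PMD" status="Unresolved">
    <location path="src/org/owasp/webgoat/Util.java" line="7"/>
  </finding>
  <finding id="3" severity="High" tool="Veracode" status="False Positive">
    <location path="src/org/owasp/webgoat/Login.java" line="88"/>
    <comment user="bob">Internal note: do not share outside the team.</comment>
  </finding>
</report>
"""


def filter_report(xml_text, severities, drop_statuses=(), strip_comments=False):
    """Return (filtered_xml, kept_ids).

    Keeps findings whose severity is in `severities` and whose triage status
    is not in `drop_statuses`. With strip_comments=True, user comments are
    removed from the kept findings so reviewer notes do not leave the team.
    """
    root = ET.fromstring(xml_text)
    kept = []
    # Snapshot the list first: removing children while iterating is unsafe.
    for finding in list(root.findall("finding")):
        if (finding.get("severity") not in severities
                or finding.get("status") in drop_statuses):
            root.remove(finding)
            continue
        if strip_comments:
            for comment in finding.findall("comment"):
                finding.remove(comment)
        kept.append(finding.get("id"))
    return ET.tostring(root, encoding="unicode"), kept


def verify_subset(xml_text, severities, drop_statuses=()):
    """Return ids of findings that violate the filter (empty list means OK).

    Run this on the file you are about to upload into the shared project.
    """
    root = ET.fromstring(xml_text)
    return [f.get("id") for f in root.findall("finding")
            if f.get("severity") not in severities
            or f.get("status") in drop_statuses]


def comment_count(xml_text):
    """Number of user comments still present in the report."""
    return len(ET.fromstring(xml_text).findall(".//comment"))


if __name__ == "__main__":
    shared, ids = filter_report(SAMPLE_REPORT, {"High"},
                                drop_statuses={"False Positive"},
                                strip_comments=True)
    print("kept findings:", ids)
    print("filter violations:", verify_subset(shared, {"High"}, {"False Positive"}))
    print("comments remaining:", comment_count(shared))
```

The verification step is deliberately separate from the filtering step so it can be run against any export, including one produced by Code Dx’s own project filter, before it is uploaded into a project other users can see.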

[Screenshot: filtered WebGoat project in Code Dx]

One thing to keep in mind is that the exported XML data is not a complete representation of all the internal data Code Dx tracks for a project, so we caution users against using the XML report as a project migration or data backup mechanism.

To try out the new Code Dx 1.8 features including the installer head over to our download page.