Code Dx 1.5.0
What’s different since 1.4.1
#### CODE DX IS NO LONGER COMPATIBLE WITH JAVA 6. STARTING WITH THIS RELEASE CODE DX IS COMPATIBLE WITH JAVA 7 AND 8.
Edition key: All = all editions, SE = Standard Edition, EE = Enterprise Edition, SW = SWAMP Edition.

| Edition | Change |
|---|---|
| All | Added a new property in the codedx.props file to control the behavior of the login form “Remember Me” option. Admins can now remove the option entirely, have it remember only the user name, or keep the default behavior of remembering the login state of users for subsequent visits from the same device. |
| All | The columns in the weakness table on the Analysis Run page are now resizable, and the sizing is preserved across page loads. |
| All | CSV and XML reports can now be generated via API calls. |
| All | A listing of the existing analysis runs for a project can now be fetched from the API. |
| All | Added an icon to the file listing in the weakness table on the Analysis Run page to indicate whether Code Dx has the source code for that file. |
| All | Added new CWE and Tool columns to the weakness table on the Analysis Run page. |
| All | Added CWE and tool information to the source code gutter tooltip on the Weakness Details page, and improved the appearance of the tooltip in the process. |
| SE | Added Checkstyle as a bundled tool for Java codebases. |
| SE | Added Brakeman as a bundled tool for Ruby on Rails codebases. |
| SE | Added the Tool Overlap filter to the Standard Edition (previously an Enterprise feature). |
| EE | Added support for Brakeman JSON output files. |
| All | Dropped support for Java 6 and added support for Java 8, in addition to the existing support for Java 7. |
| All | Dropped support for IE9; starting with this release Code Dx supports IE10+. |
| All | Significantly improved the performance and responsiveness of interactions on the Analysis Run page. |
| All | Findings for disabled rules are no longer accepted during analysis runs and are ignored instead. This significantly improves typical analysis run ingestion speeds. |
| All | When disabling rules on the Rule Config page, a button to purge matching weaknesses appears, allowing the user to remove them from the database. Removing these irrelevant weaknesses from the database has a direct impact on the performance and responsiveness of the application and is strongly recommended. |
| All | Changes have been made to the plurality and casing of the API, which now defaults to JSON for both inputs and outputs of API calls. Backwards compatibility is maintained in a deprecated state, so existing logic that relies on the previous API should continue to work. That said, we strongly recommend making the minor tweaks to the new calls before the deprecated calls are removed entirely. |
| All | Added a header and footer to the PDF reports to display the report title and page number on all pages. |
| All | The source file name and line number display area remains visible on the Weakness Details page while scrolling the source code. |
| All | Code Dx now differentiates findings based on their column location within a source line. The column data is displayed on the Weakness Details page, if available. |
| All | Page titles for the Analysis Run and Weakness Details pages now include relevant information so that it’s easier to tell different Code Dx browser tabs/windows apart. |
| All | The CWE listing is now updated for CWE 2.8. |
| All | To avoid potential accidental lockouts, logged-in users can no longer change their own permissions for projects. |
| All | For added security and to safeguard against session hijacking, the session cookie is now set to be HTTP-only. |
| All | The login form fields now use the `autocomplete=off` HTML attribute setting. |
| All | Lots of cleanup to the console output and log messages Code Dx produces. |
| All | The triage status column in the weakness table is now sorted in the following ascending order: Fixed, Assigned, Escalated, New, Unresolved, Ignored, False Positive. |
| SE EE | The Rule Config page now lists the rules for the bundled tools by default. In the EE, as the user adds results from other tools, the config for these tools is listed as well. |
| SE | Updated the bundled Findbugs to version 3.0. |
| EE | Unrecognized CWEs originating from tool outputs are no longer accepted; the relevant findings default instead to an unknown CWE association. |
| EE | The “Run Built-in Rules” button is now disabled once an Analysis Run is started, to avoid confusion, since that setting cannot be changed mid-stream during an ongoing analysis run. |
| SW | Findings reported in SCARF files that do not have a category or tool code are now accepted as valid findings. |
| SW | Native findings exported from CodeSonar and Parasoft are now accepted by Code Dx for the SWAMP Edition. |
| All | Source code gutter tooltips on the Weakness Details page now remain in view while the mouse hovers over the relevant line number or tooltip, and no longer disappear after a short interval. |
| All | Fixed an issue preventing weaknesses without a line number from displaying their relevant source file on the Weakness Details page; line-less weaknesses are now highlighted in the first line of the source file on the Weakness Details page. |
| All | The MITRE link is now cased correctly on the Weakness Details page. |
| All | The full CWE name for weakness types is now back in the PDF reports. |
| All | Switched the minification trap to use the file content instead of the file name to determine whether a file is minified. |
| All | Uploaded file names (including the contents of archive files) are now cleaned up by substituting an underscore for problematic characters (like |
| All | Fixed an issue for Internet Explorer with the CWE selector for manual findings. |
| All | Fixed an issue that prevented proper detection of the CAT.NET installation location when running Code Dx on a 32-bit JVM. |
| All | Fixed an issue preventing users from removing the `C/C++ Source` association from uploaded files when running Code Dx on Tomcat. |
| EE SW | Fixed a whitespace typo in the tool overlap filter. |
| SW | Fixed a typo in the unauthorized message shown when accessing Code Dx without the Authorization header. |
| All | Disabled a number of rules for Findbugs, PMD, JSHint, Checkstyle, CppCheck, FxCop, and Gendarme in an effort to improve the signal-to-noise ratio of reported weaknesses out of the box. If desired, these rules can be re-enabled on the Rule Config page. |
| All | Renamed one of the JSHint `Unexpected Dangling _` rules to avoid confusion with a similarly named rule. |
| EE | Improved the naming of CodeSecure rules to improve understandability. |
| EE SW | Added mappings for 4 new Findbugs rules introduced in Findbugs 3.0. |
Evaluation Version Specific Changes/Fixes
| Edition | Change |
|---|---|
| All | Evaluation versions of Code Dx now show the default credentials on the login page, to avoid having to look for them elsewhere. |
| All | Evaluation versions of Code Dx come pre-packaged with a JRE and no longer require Java to be installed on the user’s system. |
| All | Evaluation versions now display an error if the port number Code Dx was going to bind to is already in use. Changing the default port number is now easier and can be done straight from the startup script. |
| All | Evaluation versions automatically open the default browser to the Code Dx homepage after Code Dx starts up. |
| All | Evaluation versions now bind only to localhost, to avoid the scary network access warning on Windows. This means that evaluation versions are no longer accessible from other machines by default. If you want to change that, please see the instructions in start.bat/sh. |
| All | Evaluation versions now wait for user input before closing the window if an unexpected error occurs while launching Code Dx. |
| All | Evaluation licenses are less strict when verifying the hardware fingerprint. |