Code Dx 1.5.0

Code Dx 1.5.0 Released 9/15/2014

What’s different since 1.4.1



  • All Added a new property in the codedx.props file to control the behavior of the login form “Remember Me” option. Admins can now remove the option entirely, or have it just remember the user name, or stick to the default behavior of remembering the login state of users for subsequent visits from the same device.
  • All The columns in the weakness table on the Analysis Run page are now resizable and the sizing will be preserved across page loads.
  • All CSV and XML reports can now be generated via API calls
  • All A listing of the existing analysis runs for a project can now be fetched from the API
  • All Added an icon to the file listing in the weakness table on the Analysis Run page to indicate whether Code Dx has the source code for that file or not
  • All Added new CWE and Tool columns to the weakness table on the Analysis Run page
  • All Added CWE and tool information to the source code gutter tooltip on the Weakness Details page. Improved the appearance of the tooltip in the process.
  • SE Added Checkstyle as a bundled tool for Java codebases
  • SE Added Brakeman as a bundled tool for Ruby on Rails codebases
  • SE Added the Tool Overlap filter to the Standard Edition (this was previously an Enterprise feature)
  • EE Added support for Brakeman JSON output files


  • All Dropped support for Java 6 but added support for Java 8, in addition to the existing support for Java 7
  • All Dropped support for IE9; starting with this release Code Dx supports IE10+
  • All Significantly improved the performance and responsiveness of interactions on the Analysis Run page
  • All Findings for disabled rules will no longer be accepted during analysis runs and will be ignored instead. This significantly improves typical analysis run ingestion speeds.
  • All When disabling rules on the Rule Config page, a button to purge matching weaknesses will appear, allowing the user to remove them from the database. Removing these irrelevant weaknesses from the database has a direct impact on the performance and responsiveness of the application and is strongly recommended.
  • All The plurality and casing of the API have changed, and API calls now default to JSON for both inputs and outputs. Backwards compatibility is maintained in a deprecated state, so existing logic that relies on the previous API should continue to work. Even so, we strongly recommend making the minor tweaks needed to adopt the new calls before the deprecated calls are removed entirely.
  • All Added a header and footer to the PDF reports to display the report title and page number on all pages.
  • All The source file name and line number display area now remains visible on the Weakness Details page while scrolling the source code.
  • All Code Dx now differentiates findings based on their column location within a source line. The column data is displayed in the Weakness Details page, if available.
  • All Page titles for the Analysis Run and Weakness Details pages will now include relevant information so that it’s easier to tell different Code Dx browser tabs/windows apart.
  • All The CWE listing is now updated for CWE 2.8
  • All To avoid potential accidental lock-outs, logged in users can no longer change their own permissions for projects
  • All For added security and to safeguard against session hijacking, the session cookie is now set to be HTTP-only
  • All The login form fields now use the autocomplete=off HTML attribute setting
  • All Lots of cleanup to the console output and log messages Code Dx produces
  • All The triage status column in the weakness table is now sorted using the following ordering (in ascending order): Fixed, Assigned, Escalated, New, Unresolved, Ignored, False Positive.
  • SE EE The Rule Config page will now list the rules for the bundled tools by default. In the EE, as the user adds results from other tools, the config for these tools will be listed as well.
  • SE Updated the bundled Findbugs to version 3.0
  • EE Unrecognized CWEs originating from tool outputs will no longer be allowed; relevant findings will instead default to an unknown CWE association
  • EE The “Run Built-in Rules” button is now disabled once an Analysis Run is started to avoid confusion, since that setting cannot be changed mid-stream during an ongoing analysis run
  • SW Findings reported in SCARF files that do not have a category or tool code are now being accepted as valid findings
  • SW Native findings exported from CodeSonar and Parasoft are now accepted by Code Dx for the SWAMP Edition


  • All Source code gutter tooltips on the Weakness Details page should now remain in view while the mouse is hovered over the relevant line number or tooltip and will no longer disappear after a short interval
  • All Fixed an issue preventing weaknesses without a line number from displaying their relevant source file on the Weakness Details page; line-less weaknesses are now highlighted on the first line of a source file on the Weakness Details page
  • All The MITRE link is now cased correctly on the Weakness Details page
  • All The full CWE name for Weakness types is now back in the PDF reports
  • All Switched the minification trap to use the file content instead of the file naming to determine if a file is minified or not
  • All Uploaded file names (including the contents of archive files) are now cleaned up by substituting underscore for problematic characters (like ?)
  • All Fixed an issue for Internet Explorer with the CWE selector for manual findings
  • All Fixed an issue that prevented proper detection of CAT.NET installation location when running Code Dx on a 32-bit JVM
  • All Fixed an issue preventing users from removing the C/C++ Source association from uploaded files when running Code Dx on Tomcat
  • EE SW Fixed a whitespace typo in the tool overlap filter
  • SW Fixed a typo in the unauthorized message when accessing Code Dx without the Authorization header


  • All Disabled a number of rules for Findbugs, PMD, JSHint, Checkstyle, CppCheck, FxCop, and Gendarme in an effort to improve the signal-to-noise ratio of reported weaknesses out of the box. If desired, these rules can be re-enabled on the Rule Config page.
  • All Renamed one of the JSHint Unexpected rules to Unexpected Dangling _ to avoid confusion with a similarly named rule
  • EE Improved the naming of CodeSecure rules to improve understandability
  • EE SW Added mappings for 4 new Findbugs rules introduced in Findbugs 3.0

Evaluation Version Specific Changes/Fixes

  • All Evaluation versions of Code Dx will now display the default credentials on the login pages so that users do not have to look for them elsewhere
  • All Evaluation versions of Code Dx come pre-packaged with a JRE and no longer require Java to be installed on the user’s system.
  • All Evaluation versions will now display an error if the port number Code Dx was going to bind to is already in use. Changing the default port number is now easier and can be done straight from the startup script.
  • All Evaluation versions will automatically open the default browser to the Code Dx homepage after starting up Code Dx
  • All Evaluation versions will now only bind to localhost to avoid the scary network access warning on Windows. This means that evaluation versions will no longer be accessible from other machines by default. If you want to change that, please see the instructions in start.bat/sh.
  • All Evaluation versions will now wait for user entry before closing the window if an unexpected error occurs while launching Code Dx
  • All Evaluation licenses are less strict when verifying the hardware fingerprint

Posted on September 15, 2014