Feature Focus: Re-calculate Software Health scores in real-time based on folder exclusions

This article explains how to use the CAST Highlight feature that allows users to re-calculate the Software Health scores and sizing metrics of an application in real-time based on specific folder exclusions directly in the user interface.

When to use this feature?

In some specific use cases like Technical Due Diligence, CAST Highlight users need the most accurate results possible from Software Composition Analysis and Software Health at the same time. In order to get complete visibility on Open Source risks, users typically include third-party libraries in the code scan. However, they usually don’t want to have these components affect Software Health scores since they are not proprietary code. This is particularly true for technology stacks such as JavaScript where the never-ending node_modules folder is part of the scan and contains dependencies, dependencies of dependencies, etc. All of these JavaScript files will impact Software Resiliency, Agility and Elegance scores as well as sizing metrics like lines of code.

CAST Highlight now allows users to achieve both goals by filtering the scan data in real-time directly in the user interface: 1. a comprehensive scan scope for Open Source risks and 2. an accurate selection of proprietary source code for Software Health evaluation. This enables users to see what the scores and lines of code would be if some folders and corresponding source files were suppressed from the scan.


How it works

From the Health Distribution tab of an application’s page, click on the filter icon to activate the re-calculated insights. CAST Highlight will calculate scores and metrics based on a default set of pre-filtered folder exclusions (the calculation can take some time depending on the application size):

  • Third-party: folders where OSS components have been found. Number of files and corresponding OSS components are indicated in the filtering table.
  • Tests: folders where typical test files have been detected.
  • Build & Deployment: folders where source files that are typically identified as being used for build or deployment have been found (e.g. .git, gradle, .scannerwork folders)
  • Documentation: folders where have that are typically associated to documentation or sample files have been found.
  • Generated: folders where source files that are likely generated code have been found

To change the default folder exclusions, click on the cog icon. A modal opens with a list of all folders and subfolders of the scan, indicating whether they are excluded or not, the type of file (source, build, third-party, etc.), the number of included vs. excluded files, the corresponding detected technologies and OSS components if any.
Check boxes for the folders you want to include in the calculation and finally click on the Apply button. The modal closes and re-calculated scores and lines of code are displayed. You can easily check before/after results by clicking on the filter icon.
Note that these re-calculated scores and metrics are “for your eyes only” and are not persisted (i.e. saved) on the platform.