Migrating custom applications from .NET Framework to .NET Core is can deliver several benefits including: cost efficiency, higher performance, improved security and better maintainability. Due to its cross-platform compatibility, .NET Core applications can run on different operating systems, including Linux, providing greater flexibility and reducing infrastructure costs.

CAST Highlight has a new way to aggregate application insights that gives users significant flexibility. The Application Grouping capability enables users to group multiple scanned applications into a new application group and view consolidated data. Learn how it works in this article.

This product post provides guidance and requirements for preparing source code and configuring scans of your application to take full advantage of the OSS Dependency Map feature.

We’re very proud to announce the next major release of CAST Highlight, the software intelligence product that enables you to take command of your software portfolio. This version introduces new innovations including: OSS Dependency Map, Application Grouping, Git repository scanning, and many other new capabilities.

We’re very proud to announce the next major release of CAST Highlight, the software intelligence product that acts as a control tower for your application portfolio. This version introduces new innovations including: Role-based Dashboards, Monthly Digest Emails, Portfolio Advisor for VMware Departure, and many other new capabilities.

We’re very proud to announce the next major release of CAST Highlight, the software intelligence product that acts as a control tower for your application portfolio. This version introduces new innovations including: CAST SBOM Manager, SPDX SBOM support, Gitlab integration, Github Security Advisories support, and many other new capabilities.

Definition Cloud Maturity Index measures the software & organizational characteristics that make applications more or less optimized for the cloud (or “cloud native”). This index from 0 (low maturity) to 100 (high maturity) is an average of the two main scores for measuring Cloud Maturity: Cloud Scan: This score from 0 to 100 is calculated [...]

We’re very proud to announce the next major release of CAST Highlight, the software intelligence product that acts as a control tower for your application portfolio. This version introduces new innovations including: an AI Advisor, CAST Highlight Extensions Marketplace, CO2 Emission Estimator enhancements, and many other new capabilities.

The CAST Highlight product team is always striving to make the user experience seamless and productive. Today, we’re excited to announce the launch of a new capability that will deeply impact the way you interact with the product: the AI Advisor. See in this article how to set it up and use it.

CAST Highlight helps users determine the ideal sequence of applications to move to the cloud by automatically segmenting a portfolio based on multiple dimensions. Learn in this article how the Cloud Migration Wave Advisor works.

We’re very proud to announce the next major release of CAST Highlight, the software intelligence product that acts as a control tower for your application portfolio. This version introduces new innovations including: CO2 Emission Estimator (beta), Cloud Migration Wave Advisor, a brand new UI for the Code Reader, and many other new capabilities.

{{ vc_btn:title=SOFTWARE+RESILIENCY&style=flat&color=black&i_icon_fontawesome=fa+fa-shield&add_icon=true&link=url%3Ahttp%253A%252F%252Fdoc.casthighlight.com%252Fsoftware-resiliency%252F%7C%7C%7C }} {{ vc_btn:title=BEST+PRACTICES&style=outline&color=black&i_icon_fontawesome=fa+fa-code&add_icon=true&link=url%3Ahttp%253A%252F%252Fdoc.casthighlight.com%252Fcategory%252Fproduct%252Findicators-methodology%252Fcode-insights%252Fsoftware-resiliency%252Fbest-practices%252F%7C%7C%7C }} Why you should care Specifically in Scala, use of return statement could interfer with the expected result. It's recommended to use an implicit return which is a native feature in scala language. How we detect This Code Insight counts one occurrence each time 'return' statement is encountered:   Noncompliant [...]

{{ vc_btn:title=SOFTWARE+RESILIENCY&style=flat&color=black&i_icon_fontawesome=fa+fa-shield&add_icon=true&link=url%3Ahttp%253A%252F%252Fdoc.casthighlight.com%252Fsoftware-resiliency%252F%7C%7C%7C }} {{ vc_btn:title=BEST+PRACTICES&style=outline&color=black&i_icon_fontawesome=fa+fa-code&add_icon=true&link=url%3Ahttp%253A%252F%252Fdoc.casthighlight.com%252Fcategory%252Fproduct%252Findicators-methodology%252Fcode-insights%252Fsoftware-resiliency%252Fbest-practices%252F%7C%7C%7C }} Why you should care Whenever null seems like a good idea, use Option instead. As far as types are concerned, null is a bit of a lie: val s: String = null The compiler believes s to be a String and will accept it wherever one is required. The compiler is, obviously, wrong: s.toLowerCase // [...]

We’re very proud to announce the next major release of CAST Highlight, the Software Intelligence product that acts as a control tower for your application portfolio. This version introduces new innovations including: Cloud Maturity Insights, Oracle Cloud Service Recommendations, SCA Extension for the IntelliJ, and many other new capabilities.

CAST Highlight now incorporates CISA’s KEV (Known Exploited Vulnerabilities) database to complement CVE information and help organizations prioritize vulnerability remediation efforts. See in this article how to access and use this new software intelligence.

We’re very proud to announce the next major release of CAST Highlight, the Software Intelligence product that acts as a control tower for your application portfolio. This version introduces new innovations including: OSS Component Lifespan insights, Docker Image Scanning, Personalized User Home Pages, and many other new capabilities.

CAST Highlight enables you to define the content of your home page by adding widgets that display the insights that matter the most to you. Learn how to use the feature in this article.

CAST Highlight automatically calculates a lifespan status on open-source software (OSS) components. This status identifies whether a component is active, possibly deprecated, or immature. See in this article how the feature works and how to leverage this new SCA insight for more informed decisions.

In the realm of software development, harnessing the power of the Cloud has become a cornerstone for modern applications. CAST Highlight has released a new capability giving users more flexibility to define Cloud native service recommendations for their applications. With the introduction of Custom Cloud Service Recommendations, you now can manually pick and add platform-specific Cloud native services to the list of automatically recommended services for an application. Let’s see how the feature works.

By importing SBOMs in CycloneDX format, CAST Highlight can instantly analyze every component, check for known vulnerabilities, identify any licensing issues, and highlight any outdated components. It’s like having a super-powered microscope that can instantly see all the tiny details that you might miss, without even having to scan the source code or binaries. And that’s the interesting part of this SBOM importing capability. Let’s see how it works.

Containerization has become increasingly popular in modern applications, with Docker images providing a lightweight and portable way of packaging and deploying software. However, scanning source code of custom applications is not enough to guarantee the security of a containerized application. CAST Highlight has developed a new capability that allows users to scan the contents of a Docker image to identify potential risks and vulnerabilities. See how the capability works.

We’re very proud to announce the next major release of CAST Highlight, the Software Intelligence product that acts as a control tower for your application portfolio. This version introduces new innovations including: Portfolio Advisor for Software Maintenance, Proprietary Component Governance, SBOM Importing, and many other new capabilities.

Managing an application portfolio is like leading a 🏀 basketball team. Just like a coach needs to carefully balance their team’s offense and defense to win games (and hopefully the playoffs), a technology leader needs to manage their application portfolio to ensure applications are performing at their best. Our new capability, the Portfolio Advisor for Software Maintenance, acts like a coach’s playbook, helping you identify which areas of your team need attention and which applications are performing well. See how the feature works.

Are you tired of feeling lost in a maze when it comes to governing your application portfolio? Like a person wandering through a labyrinth, you navigate through complex systems without a clear sense of direction or progress. You have a general idea of where you want to go, but you lack a tangible roadmap and a way to measure your progress. CAST Highlight’s new capability, the Continuous Improvement Tracker, creates a clear path through your portfolio governance journey. Learn how the capability works in this article.

Are you tired of feeling lost in a maze when it comes to governing your application portfolio? Like a person wandering through a labyrinth, you navigate through complex systems without a clear sense of direction or progress. You have a general idea of where you want to go, but you lack a tangible roadmap and a way to measure your progress. CAST Highlight’s new capability, the Continuous Improvement Tracker, creates a clear path through your portfolio governance journey. Learn how the capability works in this article.

Software Composition Analysis (SCA) has become an essential part of modern software development, with a primary focus on analyzing and managing the risks associated with open-source software (OSS) components. However, the importance of proprietary components in software applications cannot be overlooked. These homegrown components are the backbone of many software systems and contribute significantly to a business as they are not open-source and publicly available, by definition. In this tutorial, we will explain the significance of governing proprietary components and how CAST Highlight’s SCA capabilities help you address this requirement.

We’re very proud to announce the next major release of CAST Highlight, the Software Intelligence product for performing rapid application portfolio analysis. This version introduces new innovations including: a new Green Impact index, a Cloud Migration Advisor for scenario-based Cloud migration insights, an SCA extension for Visual Studio Code, and many other new capabilities.

CAST Highlight can perform a fine-grain comparison two snapshots of a scanned application and automatically identify which open-source software (OSS) components have been added, removed or upgraded. See in this article how the feature works and how it can help you better understand changes to the Open Source Safety scores over time.

This article explains how Green Effort estimate is calculated and how to customize the effort profile.

CAST Highlight introduced a new indicator for estimating the green impact of a software application. This article explains how the Green Impact score is calculated in CAST Highlight.

The Cloud Application Migration Advisor provides automated Cloud migration insights and recommendations based on a specific migration scenario in just a few clicks. See in this article how the feature works.

As a Portfolio Manager of CAST Highlight, you may need to know and understand the different actions which occurred in the portfolio. The Audit Logs feature allows you to list main user events such as application creation, change in the User Token configuration, etc. See in this article how this feature works.

We’re very proud to announce the next major release of CAST Highlight, the Software Intelligence product for performing rapid application portfolio analysis. This version introduces new innovations including: Analysis Snapshot Comparisons, Custom Report Builder, and many other new capabilities.

To simplify use of the CAST Highlight command line and scale code scan deployments across CI/CD pipelines, you can use the .properties files. This tutorial explains how.

Understand the present of your applications by looking through the lens of the past. CAST Highlight now allows users to compare key metrics and KPIs between different analysis snapshots of a scanned application. See how to use the feature in this article.

CAST Highlight’s product team has entirely revisited the Portfolio Management screen to increase performance and allow portfolio managers to do more faster. This article explains how the new screen works.

CAST Highlight enables you to easily search, filter and delete application snapshots across your application portfolio. See how the feature works in this article.

CAST Highlight automatically recommends quick and ideal component upgrade scenarios to remove vulnerabilities. See in this article how the Safe OSS Component Version Recommender feature works.

When dealing with Open Source license compatibility, verifying legal term compatibility between third-party components and their respective dependencies could turn into a never-ending nightmare when done manually, increasing the legal risk of a license conflict. CAST Highlight allows users to define license compatibility rules between licenses and automatically detect and report possible license conflicts in […]

We’re very proud to announce the next major release of CAST Highlight, the Software Intelligence product for performing rapid application portfolio analysis. This version introduces new innovations including OSS component license compatibility checks and safe version reporting, Scala support for Software Health, application discussion threads, a new default OSS license risk profile, and many other new capabilities.

The recent security vulnerabilities reported in the Log4J and Spring4Shell open source components reminded us of an important reality — security is often a critical race from the time of a vulnerability disclosure to its remediation. CAST Highlight has added a new capability that automatically sends email notifications as soon as a new vulnerability impacting one of your applications is published, without having to re-scan them. This article explains how it works.

CAST Highlight now allows you to add comments about application results, organized by insight category (Cloud readiness, score and size trends, Open Source risks, etc.) with the application-level discussion thread feature. Learn in this article how to use this new product capability.

Now that CAST Highlight enables users to leverage license rulebooks for automatically building their license risk profiles , the default license risk profile in the product will follow this same model going forward. This change updates the accuracy of the default license risk template that comes out of the box with CAST Highlight to be more aligned with current open source licensing practices while still providing flexibility to fully customize the template for any scenario. As a result, some licenses may experience a change in risk levels which will impact some of the CAST Highlight scores related to open source license risk. However, it is possible to keep the current default license risk profile if desired. This change will be effective as of June 25, 2022. This post describes all of the details.

We’re very proud to announce the next major release of CAST Highlight, the Software Intelligence product for performing rapid application portfolio analysis. This version introduces new innovations including Open Source license rulebook, OSS component copyright detection, new SBOM exports, C/C++ CloudReady support, and many other new capabilities.

In CAST Highlight, you can manually or automatically create custom License Risk profiles that will specify the level of risk of licenses detected in the Open Source components your applications use. This article explains how to define a License Risk profile that can be automatically generated based on the license terms (rulebook).

CAST Highlight now displays open source licenses terms, permissions, and constraints in a user-friendly manner: the license rulebooks. This article explains how to access this information from the dashboard to quickly understand the legal implications of OSS component licenses.

{{ vc_btn:title=Data+Encryption+Key&style=flat&color=sky&i_icon_fontawesome=fa+fa-cloud&add_icon=true&link=%7C%7C%7C }} Using a Cloud-based Blockchain technology These patterns verify the use of cloud-based Blockchain technology. Criticality {{ vc_btn:title=BOOSTER&style=flat&color=vista-blue&i_icon_fontawesome=fa+fa-exclamation-triangle&add_icon=true&link=url%3Ahttp%253A%252F%252Fdoc.casthighlight.com%252Fcategory%252Fproduct%252Findicators-methodology%252Fcloudready%252Fbooster%252F%7C%7C%7C }} {{ vc_btn:title=LOW&style=outline&color=black&i_icon_fontawesome=fa+fa-bolt&add_icon=true&link=%7C%7C%7C }} The criticality level impacts the application Cloud Maturity score, whether it is a blocker (a negative pattern found during the code scan) or a booster (a pattern that makes your app more Cloud-ready) and the [...]

In some specific contexts, CAST Highlight will identify CloudReady Blockers in the code of an application that are not actually cloud migration blockers if they are addressed through some other method (e.g., infrastructure configuration). This article explains how to exclude Blockers from the results of an application and how this impacts the CloudReady scores.

We’re very proud to announce the next major release of CAST Highlight, the Software Intelligence product for performing rapid application portfolio analysis. This version introduces new innovations including the Visual Studio Code extension for CloudReady, Cloud Service Recommendations for Google Cloud, SCA browser extension, and many other new capabilities.

Get Open Source component information (vulnerabilities, license risk, allow/deny status, available versions, etc.) directly in Chromium-based browsers when visiting repository pages on npmjs, nuget, github, packagist websites. This article explains how to install and use our SCA browser extension.

Get Open Source component information (vulnerabilities, license risk, allow/deny status, available versions, etc.) directly in Chromium-based browsers when visiting repository pages on npmjs, nuget, github, packagist websites. This article explains how to install and use our SCA browser extension.

In order to use CAST Highlight API, command line and other tools, you need to know what is your company identifier. This article explains how to retrieve it from the CAST Highlight dashboard.

In order to improve performance of the API, we’re slightly changing the default returned result of the following endpoint: GET WS2/domains/{domainId}/applications/{applicationId} Instead of returning the last 10 snapshot results of an application by default, the API will now return the last snapshot only. This change will be effective as of November 6th 2021. To fetch […]

We’re very proud to announce the next major release of CAST Highlight, the Software Intelligence product for performing rapid application portfolio analysis. This version introduces new innovations including the Portfolio Advisor for Open Source, Software Health support for Clojure, automated GitHub Actions for CAST Highlight scans and many other new capabilities.

We are very proud to present the Portfolio Advisor for Open Source which joins the growing family of Portfolio Advisors that have already been released for Cloud and Technical Debt. This capability automatically segments a portfolio of applications and identifies Open Source risk priorities for each application by combining unique Software Intelligence insights. Learn more about how the capability works in this article.

Similar to the recent Portfolio Advisors for Cloud and Open Source, this capability allows portfolio managers to create their own custom portfolio segmentations based on a combination of Software Intelligence insights available in CAST Highlight. This article describes how it works and how to use this capability.

Github Actions are workflows that you can use on your repositories based on specific triggers. This is the perfect place to run CAST Highlight scans in an automated fashion. This article explains how to get a CAST Highlight action from Github Action marketplace and customize it to your needs.

For code readability purpose, prefer using switch if there are three or more options in a if.

For security purpose, developers should not leave phpinfo() in production code, as it displays information which can be used to compromise the server that your site is running on.

Overring methods is a very powerfull way of factoring the code and produce complete fonctionnalities. However useless overriding methods can be a problem for the simplicity of the source code.

THE CODE CONTAINS TOO MANY UPPERCASE CONTROL STRUCTURE KEYWORDS

Developers should avoid using deprecated constructors. Since PHP5, constructor should be named __construct.

For better code maintainability, functions, interfaces and classes should end with a comment.

Every function that throws exceptions must have a throw tag.

Complying with naming conventions make the source code easier to ready and so to maintain. Function names should start with an upper case and should not contain underscores OR should start with a lower case (but can contain underscores).

Unnecessary final modifiers inside final classes should be avoided. Final modifier prevents child classes from overriding a method by prefixing the definition with final. If the class itself is being defined final then it cannot be extended and the modifier is useless.

When __get() are declared, __set() shoud be declared as well.

Complying with naming conventions make the source code easier to ready and so to maintain. Class names should start with an upper case.

Because force casting (as!) does not perform any type safety validations, it is capable of performing dangerous conversions between unrelated types. When the types are truly unrelated, the cast will cause a system crash.

Prefer using an expression body for functions with the body consisting of a single expression.

Abstract classes can have public constructors, and this is required in some particular cases. But a public constructor means that the class can be instantiated directly while, by design, abstract classes are aimed to not be instantiable.

Short variable declarations (:=) should be used if a variable is being set to some value explicitly.

If the receiver of a method is unused, do not give it a name. It’s more readable because it’s clear that the receiver is not used in method.

Use &T{} instead of new(T) when initializing struct references so that it is consistent with the struct initialization.

When switch statements have large sets of case clauses, it is usually an attempt to map two sets of data. A real map structure would be more readable and maintainable, and should be used instead.

Overriding a variable declared in an outer scope can strongly impact the readability, and therefore the maintainability, of a piece of code. Further, it could lead maintainers to introduce bugs because they think they’re using one variable but are really using another.

The distinction between the variable types created by var and by let is significant, and a switch to let will help alleviate many of the variable scope issues which have caused confusion in the past.
This code insight will trigger when var is used instead of const or let.

Continuing a string across a linebreak is supported in most script engines, but it is not a part of ECMAScript. Additionally, the whitespace at the beginning of each line can’t be safely stripped at compile time, and any whitespace after the slash will result in tricky errors.

The logical OR operator (||) will not work in a switch case as one might think, only the first argument will be considered at execution time.

Switch can contain a default clause for various reasons: to handle unexpected values, to show that all the cases were properly considered.
For code readability purpose, to help a developer to quickly find the default behavior of a switch statement, it is recommended to put the default clause at the end of the switch statement. This rule raises an issue if the default clause is not the last one of the switch’s cases.

Since object members may contain other members, it’s not uncommon to see patterns such as window.location.href in JavaScript code. These nested members cause the JavaScript engine to go through the object member resolution process each time a dot is encountered.
Reducing the dotation usage can win 50% of the time consumed by this function.

Hard coding a URI makes it difficult to test a program: path literals are not always portable across operating systems, a given absolute path may not exist on a specific test environment, a specified Internet URL may not be available when executing the tests, production environment filesystems usually differ from the development environment, …etc. For all those reasons, a URI should never be hard coded. Instead, it should be replaced by customizable parameter.
Further even if the elements of a URI are obtained dynamically, portability can still be limited if the path-delimiters are hard-coded.

This code insight triggers only when URL or path delimiters are hard coded. URL security aspect is checked through CloudReady patterns.

The use of Swift 2.0’s try! lets you execute code that might throw an exception without using the do and catch syntax normally required for such code. By using it, you’re guaranteeing that the executed code will never fail. But there might be some exceptions… And when it does fail, the program will exit abruptly, probably without cleaning up after itself.

It can be confusing to have a class member with the same name (case differences aside) as its enclosing class, especialy when considering the common practice of naming a class instance for the class itself.
Best practice dictates that any field or member with the same name as the enclosing class be renamed to be more descriptive of the particular aspect of the class it represents or holds.

USE == INSTEAD OF ?: WHEN DEALING WITH NULLABLE BOOLEAN

Private methods that are never executed are dead code: unnecessary, inoperative code that should be removed. Cleaning out dead code decreases the size of the maintained codebase, making it easier to understand the program and preventing bugs from being introduced.

In Kotlin, “if” and “when” returns a value, and so can be used as expression. When possible, prefer using the expression form.

The return keyword is relative to the nearest enclosing function (or anonymous function). So for returning from lambda, a labeled return is needed. But as recommended by official Kotlin coding convention, do not use a labeled return for the last statement in a lambda. Prefer lambda mechanism based on implicit return of the last expression used. If you need explicit return, then for a lambda you would have to use a heavy labeled return syntax. So in this case, prefer converting the lambda into anonymous function that use a simple return syntax.

is needlessly complex to invert the result of a boolean comparison. The opposite comparison should be made instead. This is furthermore the case in compound conditions.

The return keyword is relative to the nearest enclosing function (or anonymous function). So for returning from lambda, a labeled return is needed. But as recommended by official Kotlin coding convention, avoid using multiple labeled returns in a lambda. Consider restructuring the lambda so that it will have a single exit point. If that’s not possible or not clear enough, consider converting the lambda into an anonymous function.

You should not ignore exceptions. It can be tempting to be lazy when catching exceptions and do something like this: (see example below).

Elvis operator ?: is an syntactic sugar for if (!x) { x=something }. Prefer Elvis notation for readability considerations.

Groovy support dynamic types, that is declarations where the type is def or unspecified.

Correctly updating a static field from a non-static method is tricky to get right and could easily lead to bugs if there are multiple class instances and/or multiple threads in play. Ideally, static fields are only updated from synchronized static methods.

Reassigning parameter of function to a new value within the body of the method/closure, is a confusing and questionable practice. Use a temporary variable instead.

Nested for loops are not a good practice because for loops are using an increment to cover a range, and nested for loops are meant to cover a two dimensional range, leading to a O(n2) algorithm. Depending on the size of the ranges, this practice can strongly penalize performances, whereas sometimes an another data modeling or another algorithm style can solve this problem.

A program should never call finalize explicitly, except to call super.finalize() inside an implementation of finalize(). In mobile code situations, the otherwise error prone practice of manual garbage collection can become a security threat if an attacker can maliciously invoke one of your finalize() methods because it is declared with public access. If you are using finalize() as it was designed, there is no reason to declare finalize() with anything other than protected access.

Destructuring assignment are a practical sugar syntax, but due to dynamic typing, ommitting the parentheses lead to a syntactically correct, but however functionnally incorrect, implementation.

If a method is called and the last parameter is an inline closure then it can be declared outside of the method call parentheses, to comply with Groovy style programming.

The number of files declared in the FILE-CONTROL should not be excessive.