Dynamic Action Plans

The easiest way to instruct Squore to build a dynamic action plan for your model based on the findings generated during an analysis is to ensure that your model folder contains no Decision/Bundle.xml file. A list of the Top 40 valuable actions will be created for the project. This list is shown to all users in the Action Items tab of the Explorer.

Figure 1. Part of the Top 40 valuable actions dynamically generated for a source code project

By default, action items are created based on findings in the project using these criteria:

  • Findings with the lowest remediation cost

  • Findings with the highest severity

  • Findings with the lowest number of occurrences

These default criteria correspond to the following configuration in your configuration/MyModelFolder/Decision/Bundle.xml:

<Bundle>
	<FindingsActionPlan limit="40">
		<CategoryCriterion type="COST" scaleId="SCALE_REMEDIATION" preferenceLevel="MEDIUM" excludeLevels="NONE" />
		<CategoryCriterion type="BENEFIT" scaleId="SCALE_SEVERITY" preferenceLevel="MEDIUM" excludeLevels="INFORMATION" />
		<OccurrencesCriterion type="COST" preferenceLevel="MEDIUM" />
	</FindingsActionPlan>
</Bundle>

Syntax

The FindingsActionPlan element accepts the following attributes:

  • limit (optional, default: 40) defines how many action items to generate

  • priorityScaleId (optional, default: SC_DEFAULT_PLANNER_PRIORITY) defines the priority scale used in the Action Items tab to distribute the action items. The default scale uses 20 levels to spread all the possible combinations of remediation costs, severities and number of occurrences evenly. You can define your own scale with more or fewer levels, evenly or unevenly sized, to distribute the combinations of possible action items.

There are three types of criteria that you can use to prioritise findings:

  • A CategoryCriterion to generate action items for findings of a certain category

  • An OccurrencesCriterion to prioritise generated action items according to the number of occurrences of corresponding findings

  • A VariableCriterion to prioritise action items according to a specific indicator

Each type of criterion accepts the following attributes:

  • scaleId (mandatory, not supported for VariableCriterion) is the scale on which the criterion is built.

  • indicatorId (mandatory, only supported in VariableCriterion) is the indicator on which a VariableCriterion is built.

  • type (optional, default: COST) defines which end of the scale to pull findings from in priority. Supported values are:

    • COST to get findings with the lowest rank on the scale turned into action items first. This makes sense on a remediation cost scale, where you want to fix findings with the lowest remediation cost first.

    • BENEFIT to get findings with the highest rank on the scale turned into action items first. This makes sense on a severity scale, where you want to fix findings with the highest severity first.

  • excludeLevels (optional, default: none) excludes scale levels from the criterion. This attribute accepts a list of scale levels, as shown in the example above.

  • preferenceLevel (optional, default: MEDIUM) is used to weigh the criterion against the other criteria in the overall calculation of the action item’s priority. Supported values are:

    • VERY_LOW

    • LOW

    • MEDIUM

    • HIGH

    • VERY_HIGH
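The attribute rules above can be checked before a model is deployed. The following Python sketch is an added example, not part of Squore: the function name lint_bundle and the sample input are hypothetical, and it assumes that scaleId is only required on CategoryCriterion, since the OccurrencesCriterion in the page's own examples carries none.

```python
import xml.etree.ElementTree as ET

TYPES = {"COST", "BENEFIT"}
PREFERENCE_LEVELS = {"VERY_LOW", "LOW", "MEDIUM", "HIGH", "VERY_HIGH"}
CRITERIA = {"CategoryCriterion", "OccurrencesCriterion", "VariableCriterion"}

def lint_bundle(xml_text):
    """Return a list of problems found in a Decision/Bundle.xml document."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    for plan in root.iter("FindingsActionPlan"):
        for pos, crit in enumerate(plan, start=1):
            where = f"criterion {pos} <{crit.tag}>"
            if crit.tag not in CRITERIA:
                problems.append(f"{where}: unknown criterion element")
                continue
            # Optional attributes fall back to the documented defaults.
            if crit.get("type", "COST") not in TYPES:
                problems.append(f"{where}: type must be COST or BENEFIT")
            if crit.get("preferenceLevel", "MEDIUM") not in PREFERENCE_LEVELS:
                problems.append(f"{where}: unsupported preferenceLevel")
            if crit.tag == "VariableCriterion":
                if not crit.get("indicatorId"):
                    problems.append(f"{where}: indicatorId is mandatory")
                if crit.get("scaleId") is not None:
                    problems.append(f"{where}: scaleId is not supported")
            else:
                if crit.get("indicatorId") is not None:
                    problems.append(f"{where}: indicatorId is only for VariableCriterion")
                # Assumption: only CategoryCriterion needs scaleId, as in the page's examples.
                if crit.tag == "CategoryCriterion" and not crit.get("scaleId"):
                    problems.append(f"{where}: scaleId is mandatory")
    return problems

# Constructed sample input with three deliberate mistakes.
BAD_BUNDLE = """<Bundle>
  <FindingsActionPlan limit="40">
    <CategoryCriterion type="COST" preferenceLevel="MEDIUM" />
    <OccurrencesCriterion type="COST" preferenceLevel="URGENT" />
    <VariableCriterion type="BENEFIT" preferenceLevel="VERY_HIGH" />
  </FindingsActionPlan>
</Bundle>"""

if __name__ == "__main__":
    for problem in lint_bundle(BAD_BUNDLE):
        print(problem)
```

A file whose root element is never closed is reported as not well-formed instead of being checked further.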

Example

Here is an example that expands on the default shown earlier to take into account the test coverage of artefacts and make sure that action items are generated mostly for artefacts with a high test coverage ratio. The scale used also contains only five levels from P1 to P5 and will single out very high and very low priority items (the relevancy of an action item is a number between 0 and 100 that is measured against this scale to define the priority):

<Bundle>
	<FindingsActionPlan limit="40" priorityScaleId="SCALE_LEVEL_FIVE">
		<CategoryCriterion type="COST" scaleId="SCALE_REMEDIATION" preferenceLevel="MEDIUM" excludeLevels="NONE" />
		<CategoryCriterion type="BENEFIT" scaleId="SCALE_SEVERITY" preferenceLevel="MEDIUM" excludeLevels="INFORMATION" />
		<OccurrencesCriterion type="COST" preferenceLevel="MEDIUM" />
		<VariableCriterion type="BENEFIT" preferenceLevel="VERY_HIGH" indicatorId="TEST_COVERAGE" />
	</FindingsActionPlan>
</Bundle>

Where SCALE_LEVEL_FIVE is defined as follows in your analysis model:

<Scale scaleId="SCALE_LEVEL_FIVE">
	<ScaleLevel levelId="P0" bounds="[0;0.05]" rank="0" />
	<ScaleLevel levelId="P1" bounds="]0.05;0.15]" rank="1" />
	<ScaleLevel levelId="P2" bounds="]0.15;0.65]" rank="2" />
	<ScaleLevel levelId="P3" bounds="]0.65;0.85]" rank="3" />
	<ScaleLevel levelId="P4" bounds="]0.85;0.95]" rank="4" />
	<ScaleLevel levelId="P5" bounds="]0.95;1]" rank="5" />
</Scale>