4 Fine Tune the Audit

You can customize the Oracle JAF configuration to narrow the focus of an audit by disabling rules, rule groups, or specific message IDs. You can also add Oracle JAF comments within source files for finer-grained control over what to audit.

Restrict Audit Rule Severity Level

Use the optional Oracle JAF configuration severity property to limit audit results to the desired rule severity level. If the property is omitted, all issues found are reported.

The severity property specifies the rule severity level to which audit issue reporting will be restricted. By default, the severity levels defined by Oracle JAF, in descending priority order, are blocker, critical, major, minor, and info as described below.

Note:

When your organization prefers to standardize on severity levels other than those in this list, you can redefine them with your own severity levels by editing the sevMap property in the oraclejafconfig.json file. Additionally, rules, such as those in the built-in JET rule set, have a default severity level that you may map to an alternate severity level. See Alter the Severity Level of an Audit Rule.

Severity Level   Description

blocker    A bug with a high probability of affecting the behavior of the application in production. The code must be fixed immediately.
critical   Either a bug with a low probability of affecting the behavior of the application in production, or an issue that represents a security flaw. The code must be reviewed immediately.
major      A quality flaw that can significantly affect developer productivity, for example an uncovered piece of code, duplicated blocks, or unused parameters.
minor      A quality flaw that can slightly affect developer productivity, for example lines that are too long or switch statements with fewer than three cases.
info       A finding that is neither a bug nor a quality flaw.
To specify a rule severity filter or map custom severity levels:
  1. To set the severity filter as a string, edit the oraclejafconfig.json file severity property:
    "severity" : "critical",

    The comparative operators >, >=, <, and <= may precede the severity level. For example, the following will display issues of severity "minor", "major", "critical", and "blocker" level.

    "severity" : ">info",

    This could also have been written:

    "severity" : ">=minor",
  2. To set the severity filter as a list, edit the oraclejafconfig.json file severity property.
    "severity" : ["critical", "blocker"],

Alter the Severity Level of an Audit Rule

Use the Oracle JAF configuration property ruleMods, with its severity rule property, to remap the default severity level of individual audit rules, or use the configuration property sevMap to replace the default severity levels with the ones used by your organization.

You can use the ruleMods configuration property to override the severity level assigned to an audit rule defined by configured rule packs, including any JET built-in rule. Additionally, when your organization prefers to standardize on severity levels other than those provided by Oracle JAF, you can replace the default severity levels by specifying user-defined levels in the sevMap property. For more information about severity levels, see Restrict Audit Rule Severity Level.
To customize audit rule severity levels:
  1. To redefine the severity level assigned to individual audit rules, edit the oraclejafconfig.json file ruleMods property, specify the rule pack prefix of the rule (JET is the prefix of the JET built-in rules), and set the desired value for the severity sub-property.
    "ruleMods" : {
                   "JET" : {
                             "oj-html-ojattr" : {"severity": "critical"},
                             "oj-html-lib" : {"severity": "major"}
                           }
                 }

    The sample reclassifies the built-in rule oj-html-ojattr as severity level critical and the built-in rule oj-html-lib as severity level major. The default severity levels that you can specify, in ascending order of restrictiveness, are info, minor, major, critical, and blocker.

  2. To redefine the severity level of individual audit rule messages, edit the oraclejafconfig.json file sevMap property and specify the sevMsg sub-property.
    "sevMap" : {
                "sevMsg" : {
                             "JET-xxxx" : "minor",
                              ...
                            }
                }

    If the severity level set is also redefined to user-defined levels (see sub-property sevSet below), then the new severity levels may be used in sevMsg.

    "sevMap" : {
                "sevMsg" : {
                              "JET-xxxx" : "sev4",
                              ...
                           },
                "sevSet" : {
                              // "sev4" defined here, see below
                           }
               }
  3. To redefine the entire default set of severity levels, edit the oraclejafconfig.json file sevMap property and specify the sevSet sub-property.
    
    "sevMap" : {
                 "sevSet" : {
                              "blocker" :  "sev1",
                              "critical" : "sev2",
                              "major" :    "sev3",
                              "minor" :    "sev4",
                              "info" :     "sev5"
                            }
               }

    sevSet can also be used to reduce the number of severity levels in use. For example, the following collapses the five default levels to two.

    "sevMap" : {
                 "sevSet" : {
                              "blocker" :  "mustfix",
                              "critical" : "mustfix",
                              "major" :    "mustfix",
                              "minor" :    "warning",
                              "info" :     "warning"
                            }
               }
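    The interaction between the severity filter, ruleMods and sevMap is easier to see in running code. The following is an added example, not part of the Oracle JAF documentation or the JAF code base: it models a filter such as ">=minor" or ["critical", "blocker"] applied to findings after a ruleMods override and a sevSet rename, using the property names from oraclejafconfig.json. The finding objects, the helper names and the precedence "sevMsg beats ruleMods beats the rule's default" are assumptions made for this example.

```javascript
// Added example (not JAF's own code). Models how the severity property,
// ruleMods and sevMap select which findings are reported. Property names
// follow oraclejafconfig.json; the finding objects, the helper names and the
// precedence "sevMsg beats ruleMods beats the rule default" are assumptions.

// Default JAF severity levels, lowest to highest.
const DEFAULT_LEVELS = ["info", "minor", "major", "critical", "blocker"];

function sevSetOf(config) {
  return (config.sevMap && config.sevMap.sevSet) || {};
}

// Rename a default level through sevMap.sevSet; unknown names pass through,
// so a filter written with the custom names ("mustfix") also works.
function mapLevel(config, level) {
  return sevSetOf(config)[level] || level;
}

// Ordered, de-duplicated list of the levels in effect, lowest first.
// Mapping several defaults onto one custom name yields fewer levels.
function effectiveLevels(config) {
  const mapped = DEFAULT_LEVELS.map((l) => mapLevel(config, l));
  return mapped.filter((l, i) => mapped.indexOf(l) === i);
}

// Severity a finding is reported with (assumed precedence, see above).
function findingSeverity(config, finding) {
  const sevMsg = (config.sevMap && config.sevMap.sevMsg) || {};
  const pack = (config.ruleMods || {})[finding.pack] || {};
  const mod = pack[finding.rule] || {};
  const level = sevMsg[finding.id] || mod.severity || finding.severity;
  return mapLevel(config, level);
}

// Turn "critical", ">info", ">=minor" or ["critical", "blocker"] into a
// predicate over (already mapped) level names.
function severityPredicate(config) {
  const levels = effectiveLevels(config);
  const rank = (l) => {
    const i = levels.indexOf(l);
    if (i < 0) throw new Error("unknown severity level: " + l);
    return i;
  };
  const spec = config.severity;
  if (spec === undefined) return () => true;            // omitted: report everything
  if (Array.isArray(spec)) {
    const wanted = new Set(spec.map((l) => mapLevel(config, l)));
    return (l) => wanted.has(l);
  }
  const m = /^(>=|<=|>|<)?\s*(\S+)$/.exec(String(spec));
  if (!m) throw new Error("bad severity filter: " + spec);
  const op = m[1] || "==";
  const threshold = rank(mapLevel(config, m[2]));
  return (l) => {
    const r = rank(l);
    if (op === ">") return r > threshold;
    if (op === ">=") return r >= threshold;
    if (op === "<") return r < threshold;
    if (op === "<=") return r <= threshold;
    return r === threshold;
  };
}

// Apply the remapping and the filter to a list of findings.
function filterFindings(config, findings) {
  const keep = severityPredicate(config);
  return findings
    .map((f) => Object.assign({}, f, { severity: findingSeverity(config, f) }))
    .filter((f) => keep(f.severity));
}

// Constructed sample findings (not real JAF output); "severity" is the
// rule's default level before any remapping.
const SAMPLE_FINDINGS = [
  { pack: "JET", rule: "oj-html-ojattr", id: "JET-3020", severity: "minor" },
  { pack: "JET", rule: "oj-html-lib",    id: "JET-2010", severity: "info" },
  { pack: "JET", rule: "oj-some-rule",   id: "JET-4001", severity: "blocker" },
];
```

    With the configuration from the sample above (ruleMods raising oj-html-ojattr to critical and a ">info" filter), filterFindings returns the ojattr and blocker findings and drops the info-level one; with the two-level "mustfix"/"warning" sevSet and a ">=mustfix" filter, only the former blocker survives, reported as "mustfix".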

Suppress Auditing Linked Content

Use the optional Oracle JAF configuration followLinks property to control whether <link> and <script> elements in HTML that refer to external stylesheet and JavaScript/TypeScript files are followed, and the files are audited.

By default, JAF enables auditing of externally linked files that include stylesheets and JavaScript/TypeScript files. To prevent externally linked files from being audited, you must disable the followLinks setting in the JAF configuration file.
To suppress auditing externally linked files:
  1. To suppress audit messages resulting from externally linked files, edit the oraclejafconfig.json file followLinks property.
    "followLinks" : false

Suppress Audit Messages

Use the optional Oracle JAF configuration messages property to control which messages are emitted in the audit report. If the property is omitted, all issues found are reported.

The messages property takes two sub-properties, reject and accept, that you can use to tailor the list of audit messages emitted in a report: either to suppress particular messages, or alternatively to return only the desired messages. Each sub-property is a list of message IDs to filter on. The sub-properties are mutually exclusive, so the message IDs in the two lists must not overlap. Regular expressions and wildcard characters can be used to specify a message ID. For example, "JET-20*" and "JET-3[0-9]+" are valid.
To control the list of reported audit messages:
  1. To suppress messages with particular messages IDs, edit the oraclejafconfig.json file messages property and specify the message IDs to filter out as a list in the reject sub-property.
    "messages" : {
                   "reject" : ["JET-3020", "JET-20*"]
                 },

    This sample specifies the audit report will exclude the message with ID JET-3020 and exclude the set of messages with IDs like JET-2000, JET-2010, JET-2020 and so on.

  2. To report only those messages with particular message IDs, edit the oraclejafconfig.json file messages property and specify the message IDs to report as a list in the accept sub-property.
    "messages" : {
                   "accept" : ["JET-3020", "JET-2[1-2]+"]
                 },

    This sample specifies that the audit report will include only the message with ID JET-3020 and the set of messages with IDs like JET-2100, JET-2120, JET-21xx, JET-2200, JET-2210, JET-22xx.
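    The following is an added example, not code from the Oracle JAF documentation or the JAF tool, showing how a reject or accept list is applied to a set of message IDs and how a configuration that sets both is refused. This page does not state how JAF distinguishes a wildcard from a regular expression, so the example assumes that a pattern made only of letters, digits, "-" and "*" is a wildcard ("*" standing for any run of characters) and that anything else is a regular expression that must match the whole ID; the sample IDs and function names are constructed here.

```javascript
// Added example (not JAF's own code). Applies a "messages" filter with a
// reject or accept list to a set of audit message IDs. Assumption: a pattern
// made only of letters, digits, '-' and '*' is a wildcard ('*' = any run of
// characters); anything else is a regular expression matched against the
// whole ID. The sample IDs and function names are constructed here.
function patternToRegExp(pattern) {
  if (/^[A-Za-z0-9*-]+$/.test(pattern)) {
    return new RegExp("^" + pattern.replace(/\*/g, ".*") + "$");
  }
  return new RegExp("^(?:" + pattern + ")$");
}

function compilePatterns(list) {
  return (list || []).map(patternToRegExp);
}

function matchesAny(regexps, id) {
  return regexps.some((re) => re.test(id));
}

// reject and accept are mutually exclusive; refuse a config that sets both
// rather than silently preferring one of them.
function validateMessages(messages) {
  if (messages.reject !== undefined && messages.accept !== undefined) {
    throw new Error("messages.reject and messages.accept must not both be set");
  }
}

// Return the IDs that would appear in the report.
function filterMessageIds(config, ids) {
  const messages = config.messages;
  if (!messages) return ids.slice();              // property omitted: report all
  validateMessages(messages);
  if (messages.reject !== undefined) {
    const rejected = compilePatterns(messages.reject);
    return ids.filter((id) => !matchesAny(rejected, id));
  }
  const accepted = compilePatterns(messages.accept);
  return ids.filter((id) => matchesAny(accepted, id));
}

// Constructed sample message IDs (not real JAF output).
const SAMPLE_IDS = ["JET-2000", "JET-2010", "JET-2121", "JET-3020", "JET-3045", "JET-4001"];
```

    Applied to the constructed IDs, the reject list from the first sample removes JET-3020 and every JET-20xx ID, while the accept list from the second sample keeps only JET-3020 and the IDs matched by the JET-2[1-2]+ expression.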

Adjust the Tab Value Used to Report Line and Column Issues

Use the optional Oracle JAF configuration tabs property to control how tab characters are handled when encountered in the audit.

By default, JAF assumes that each tab character represents 4 spaces. When you need to adjust this value for your application files, you can specify settings for specific HTML, JS, CSS, and JSON file types. Each file type can define the number of spaces to use for a tab character and a list of column values to use for individual tab stops.

"tabs" : {
            "html" | "js" | "css" | "json" | "all" : {
                       <tab setting objects per file type>
                    },
         }

Two tab styles are available for advancing to a column when a tab character is encountered: either a tab is equated with n spaces, using the spaces sub-property, or the column advances to the next tab stop column, using the stops sub-property. If both stops and spaces are specified, the tab-stop style is used, and JAF uses the spaces value to calculate the next tab stop column whenever a tab advances beyond the last stops position.

"tabs" : {
            "html" | "js" | "css" | "json" | "all" : {
                       "spaces" : n,              // declare tab spacing
                       "stops" : [i, j, k, ...]   // declare tab stop columns
                    },
         }
To adjust tab settings:
  1. To configure the tab style setting to use within specific application file types (including HTML, JS, CSS, or JSON), edit the oraclejafconfig.json file tabs property.
    "tabs" : {                          
               "html" : {
                           "spaces" : n,               // declare tab spacing
                           "stops" : [i, j, k, ...]    // declare tab stop columns
                        },
               "js" : {
                           "spaces" : n,
                           "stops" : [i, j, k, ...]
                        },
               "css" : {
                           "spaces" : n,
                           "stops" : [i, j, k, ...]
                        },
               "json" : {
                           "spaces" : n,
                           "stops" : [i, j, k, ...]
                        }
             }
    For example, the following tab style configuration sample generates tab stops at 8, 12, 16, 20, 24, and so on since both properties are specified.
    "tabs" : {
               "html" : {
                          "spaces" : 4, 
                          "stops" : [8, 12]  // generates tab stops at 8, 12, 16, 20, 24 ...
                        },
                ...
             }
  2. To configure the same tab settings to use within all application file types, edit the oraclejafconfig.json file tabs property.
    "tabs" : {
                "all" : {
                           "spaces" : n,              // declare tab spacing
                           "stops" : [i, j, k, ...]   // declare tab stop columns
                        },
             }

    The all sub-property can also be used in conjunction with any of the file type sub-properties (html, js, css, and json) to provide a default for the file types not declared. For example, the following entry assumes 5 spaces per tab for HTML files and 3 for all other file types.

    "tabs" : {
               "html" : {"spaces" : 5}, // declares tab spacing for HTML files only
               "all" :  {"spaces" : 3}  // declares tab spacing for all other file types
             }
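    The following is an added example, not code from the Oracle JAF documentation or the JAF tool. It computes the column a tab character advances to under the spaces/stops rules described above and resolves the per-file-type configuration with all as the fallback, which is the arithmetic an auditor needs when a reported column does not line up with the editor's view. Columns are 1-based and a plain spaces tab aligns to the next multiple of that width; both are assumptions, since JAF's own column numbering is not stated on this page, and the function names are this example's own.

```javascript
// Added example (not JAF's own code). Computes the column a tab advances to
// under the spaces/stops rules, and resolves the per-file-type tab config
// with "all" as the fallback. Assumptions: columns are 1-based and a plain
// "spaces" tab aligns to the next multiple of that width. Function names are
// this example's own.
function tabConfigFor(tabs, fileType) {
  const all = (tabs && tabs.all) || {};
  const specific = (tabs && tabs[fileType]) || {};
  return {
    spaces: specific.spaces !== undefined ? specific.spaces
          : (all.spaces !== undefined ? all.spaces : 4),   // JAF default: 4
    stops: specific.stops !== undefined ? specific.stops : all.stops,
  };
}

// Column reached by a tab encountered at column `col`.
function nextTabColumn(col, cfg) {
  const spaces = cfg.spaces;
  if (Array.isArray(cfg.stops) && cfg.stops.length > 0) {
    const stops = cfg.stops.slice().sort((a, b) => a - b);
    for (const s of stops) {
      if (s > col) return s;                        // next declared stop
    }
    // Past the last declared stop: continue at `spaces` intervals from it.
    const last = stops[stops.length - 1];
    const n = Math.floor((col - last) / spaces) + 1;
    return last + n * spaces;
  }
  // No stops: advance to the next column of the form 1 + k * spaces.
  return col + spaces - ((col - 1) % spaces);
}

// Column of the character at `index` in `line`, expanding the tabs before it.
function columnOf(line, index, cfg) {
  let col = 1;
  for (let i = 0; i < index && i < line.length; i++) {
    col = line[i] === "\t" ? nextTabColumn(col, cfg) : col + 1;
  }
  return col;
}
```

    With spaces 4 and stops [8, 12], successive tabs from column 1 land on 8, 12, 16, 20 and 24, which is the sequence the sample above describes; with the html/all configuration just shown, tabConfigFor returns 5 spaces for "html" and 3 for "js".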

Comment Source Code for Fine-Grained Audit Control

Oracle JAF comment commands allow contextual audit suppression of specific lines or blocks of code within individual application files. Use JAF comment commands to refine audit results and to gain greater control over the reported issues.

The Oracle JAF configuration property comments set to true enables Oracle JAF to interpret comments that you insert into your source code. JAF recognizes comments with a JAF-specific command of the form:

/* <JAFcommand> [optional data] */

or

// <JAFcommand> [optional data]

Note that the chevrons (< >) do not appear in an actual command name, and the square brackets ([ ]) around optional data are themselves optional.

All JAF comment commands have the prefix jaf-. The command name must immediately follow the opening /* or // and is specified as /* jaf-xxx */ or // jaf-xxx, where a whitespace preceding the command name is permitted.

Note that no program text is permitted within a JAF comment.

The following table describes supported JAF comment commands.

Oracle JAF Comment Command                        Description

// jaf-disable-next-line                          Disables all JAF audit rules for the next statement.
/* jaf-disable-next-line */

// jaf-disable-next-line [rule1, rule2, ...]      Disables the specified JAF audit rules for the next statement.
/* jaf-disable-next-line [rule1, rule2, ...] */

// jaf-disable-line                               Disables all JAF audit rules for the current statement, for example:
/* jaf-disable-line */                            ... some statement ; // jaf-disable-line

// jaf-disable-line [rule1, rule2, ...]           Disables the specified JAF audit rules for the current statement.
/* jaf-disable-line [rule1, rule2, ...] */

// jaf-disable                                    Disables all JAF audit rules until the end of file, or until the next JAF comment command.
/* jaf-disable */

// jaf-disable [rule1, rule2, ...]                Disables the specified JAF audit rule(s) until the end of file, or until the next JAF comment command. The square brackets and commas are optional.
/* jaf-disable [rule1, rule2, ...] */

// jaf-enable                                     Enables all JAF audit rules.
/* jaf-enable */

// jaf-enable rule1, rule2, ...                   Enables the specified JAF audit rules.
/* jaf-enable rule1, rule2, ... */

To comment source code to enable and disable JAF audit rules:
  1. To enable commenting support, edit the oraclejafconfig.json file comments property.
    { "comments" : true }
  2. In your target source file, use one or more jaf-disable comment commands to disable specific JAF audit rules until the end of the file, or until the next JAF comment command.
    // jaf-disable rule1
    // jaf-disable rule2
    // jaf-disable rule3

    Which is functionally the same as:

    // jaf-disable rule1, rule2, rule3
  3. In your source file, use one or more jaf-enable comment commands to enable specific JAF audit rules until the end of the file, or until the next JAF comment command.
    // jaf-enable rule1
    // jaf-enable rule2
    // jaf-enable rule3

    Which is functionally the same as:

    // jaf-enable rule1, rule2, rule3
  4. In your source file, combine JAF comment commands in an additive or subtractive manner to enable or disable all JAF audit rules, except those specified.
    // jaf-disable                     <-- all rules are disabled after this
    ...
    // jaf-enable rule1                <-- all rules except rule1 are disabled after this
  5. In your source file, combine JAF comment commands in an additive or subtractive manner to enable or disable all JAF audit rules, except those specified only for the current or next line.
    // jaf-disable
    ...
    // jaf-enable rule1, rule2
    ...
    // jaf-disable-next-line rule3
    ...                                <--  for this code statement, only rule3 is disabled
     
    ...                                <-- all rules disabled except rule1 and rule2
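    The following is an added example, not code from the Oracle JAF documentation or the JAF tool: a small state machine that interprets the jaf-* comment commands described above and reports, for each line of a source file, which of a known set of rules are disabled there. It assumes the command is the only thing in its comment, that a block-level jaf-disable or jaf-enable takes effect from the line after the comment, and that the line-scoped commands add to whatever the block state already disables; the rule names, the sample source and the function names are constructed for this example.

```javascript
// Added example (not JAF's own code). Interprets jaf-* comment commands and
// reports, per line, which of `knownRules` are disabled. Assumptions: the
// command is alone in its comment; block-level commands apply from the next
// line on; line-scoped commands add to the block state. Rule names, sample
// source and function names are constructed here.
const COMMAND_RE =
  /(?:\/\/|\/\*)\s*(jaf-disable-next-line|jaf-disable-line|jaf-disable|jaf-enable)(?![\w-])([^*]*?)\s*(?:\*\/)?\s*$/;

// "[rule1, rule2]" or "rule1 rule2" -> ["rule1", "rule2"]; brackets and commas are optional.
function parseRuleList(text) {
  return text.replace(/[\[\]]/g, "").split(/[\s,]+/).filter((r) => r.length > 0);
}

function disabledRulesPerLine(source, knownRules) {
  let allDisabled = false;           // block-level "jaf-disable" with no list
  const disabled = new Set();        // block-level "jaf-disable r1, r2"
  const reenabled = new Set();       // "jaf-enable r1" issued while allDisabled
  let nextLine = null;               // pending "jaf-disable-next-line"
  const result = [];

  const blockDisabled = (rule) =>
    (allDisabled && !reenabled.has(rule)) || disabled.has(rule);

  for (const line of source.split("\n")) {
    const m = COMMAND_RE.exec(line);
    const cmd = m ? m[1] : null;
    const rules = m ? parseRuleList(m[2]) : [];
    let lineScoped = nextLine;       // applies to this line only
    nextLine = null;

    if (cmd === "jaf-disable-line") lineScoped = rules.length ? rules : "all";

    const offHere = knownRules.filter((r) =>
      blockDisabled(r) || lineScoped === "all" ||
      (Array.isArray(lineScoped) && lineScoped.includes(r)));
    result.push(offHere);

    // Block-level commands change the state for the lines that follow.
    if (cmd === "jaf-disable") {
      if (rules.length === 0) { allDisabled = true; reenabled.clear(); disabled.clear(); }
      else rules.forEach((r) => { disabled.add(r); reenabled.delete(r); });
    } else if (cmd === "jaf-enable") {
      if (rules.length === 0) { allDisabled = false; disabled.clear(); reenabled.clear(); }
      else rules.forEach((r) => { disabled.delete(r); if (allDisabled) reenabled.add(r); });
    } else if (cmd === "jaf-disable-next-line") {
      nextLine = rules.length ? rules : "all";
    }
  }
  return result;
}

// Constructed sample source (not from any real application).
const SAMPLE_SOURCE = [
  "var a = 1;",                       // 0: nothing disabled
  "// jaf-disable-next-line rule2",   // 1
  "var b = eval(a);",                 // 2: rule2 disabled here only
  "var c = 2; // jaf-disable-line",   // 3: all rules disabled here only
  "/* jaf-disable */",                // 4
  "var d = 3;",                       // 5: all rules disabled
  "// jaf-enable rule1",              // 6
  "var e = 4;",                       // 7: all rules except rule1 disabled
  "// jaf-enable",                    // 8
  "var f = 5;",                       // 9: nothing disabled
].join("\n");
const SAMPLE_RULES = ["rule1", "rule2", "rule3"];
```

    Running disabledRulesPerLine(SAMPLE_SOURCE, SAMPLE_RULES) gives an empty list for the first line, only rule2 for the eval line, all three rules for the jaf-disable-line statement and for the line after the block jaf-disable, rule2 and rule3 once rule1 has been re-enabled, and nothing again after the bare jaf-enable. Auditing the output of such a pass is a useful review habit: a file that disables a security-relevant rule for its entire remaining length with a bare jaf-disable deserves a closer look than one that suppresses a single line.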