4 Fine Tune the Audit
You can customize the Oracle JAF configuration to narrow the focus of an audit by disabling rules, rule groups, or specific message IDs. You can also add Oracle JAF comments within source files for finer-grained control over what to audit.
Restrict Audit Rule Severity Level
Use the optional Oracle JAF configuration groups property to limit audit results to the desired rule severity level. If the property is omitted, all issues found are reported.
Note:
When your organization prefers to standardize on severity levels other than those in the following table, you can redefine these levels using your own severity levels by editing the sevMap property in the oraclejafconfig.json file. Additionally, rules, such as those in the built-in JET rule set, have a default severity level that you may map to an alternate severity level. See Alter the Severity Level of an Audit Rule.
Severity Level | Description |
---|---|
blocker | A bug with a high probability to impact the behavior of the application in production. The code must be immediately fixed. |
critical | Either a bug with a low probability to impact the behavior of the application in production, or an issue which represents a security flaw. The code must be immediately reviewed. |
major | A quality flaw which can highly impact developer productivity. For example, an uncovered piece of code, duplicated blocks, or unused parameters. |
minor | A quality flaw which can slightly impact developer productivity. For example, lines should not be too long, or switch statements should have at least three cases. |
info | A finding that is not a bug or a quality flaw. |
Alter the Severity Level of an Audit Rule
Use the Oracle JAF configuration property ruleMods and severity rule property to remap the default severity level of audit rules or use the configuration property sevMap to replace the default severity levels with ones used by your organization.
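As an added illustration of how a per-rule severity override, an organization-level severity map, and a severity filter combine, the following JavaScript applies the three steps to a list of constructed findings. This is not JAF's own code: the shapes assumed for the ruleMods, sevMap and groups properties, the rule identifiers, and the findings are all placeholders chosen for the example, and the order of application (ruleMods first, then sevMap, then the groups filter) is an assumption.

```javascript
// Added example (not JAF's implementation). Property shapes below are ASSUMED
// for illustration: ruleMods overrides a rule's default severity, sevMap renames
// the default JAF levels, and groups lists the (renamed) levels to report.
const assumedConfig = {
  groups: ["P1", "P2"], // report only these organization-level severities
  ruleMods: {
    // hypothetical rule id: promote it from its default to blocker
    "example-rule-a": { severity: "blocker" },
  },
  sevMap: { blocker: "P1", critical: "P2", major: "P3", minor: "P4", info: "P5" },
};

// Constructed findings as a rule engine might report them, using JAF default levels.
const sampleFindings = [
  { rule: "example-rule-a", severity: "minor", message: "placeholder finding 1" },
  { rule: "example-rule-b", severity: "critical", message: "placeholder finding 2" },
  { rule: "example-rule-c", severity: "major", message: "placeholder finding 3" },
  { rule: "example-rule-d", severity: "info", message: "placeholder finding 4" },
];

// Step 1: apply a per-rule override; step 2: rename into the organization's levels.
function remapSeverity(finding, config) {
  const mod = config.ruleMods && config.ruleMods[finding.rule];
  const base = mod && mod.severity ? mod.severity : finding.severity;
  const mapped = config.sevMap && config.sevMap[base] ? config.sevMap[base] : base;
  return { ...finding, severity: mapped };
}

// Step 3: keep only the levels listed in groups; an omitted groups reports everything.
function filterFindings(findings, config) {
  const mapped = findings.map((f) => remapSeverity(f, config));
  if (!Array.isArray(config.groups)) return mapped;
  const allowed = new Set(config.groups);
  return mapped.filter((f) => allowed.has(f.severity));
}

// Count reported findings per (mapped) severity, e.g. for a build gate summary.
function countBySeverity(findings, config) {
  const counts = {};
  for (const f of filterFindings(findings, config)) {
    counts[f.severity] = (counts[f.severity] || 0) + 1;
  }
  return counts;
}

console.log(filterFindings(sampleFindings, assumedConfig));
console.log(countBySeverity(sampleFindings, assumedConfig));
```

With the constructed input, finding 1 is promoted to blocker by the rule override and therefore reported as P1, finding 2 is reported as P2, and the major and info findings fall outside the configured groups and are dropped.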
Suppress Auditing Linked Content
Use the optional Oracle JAF configuration followLinks property to control whether <link> and <script> elements in HTML that refer to external stylesheet and JavaScript/TypeScript files are followed, and the files are audited.
Suppress Audit Messages
Use the optional Oracle JAF configuration messages property to control which messages are emitted in the audit report. If the property is omitted, all issues found are reported. Message ID patterns such as "JET-20*" and "JET-3[0-9]+" are valid.
Adjust the Tab Value Used to Report Line and Column Issues
Use the optional Oracle JAF configuration tabs property to control how tab characters are handled when encountered in the audit.
By default, JAF assumes that each tab character represents 4 spaces. When you need to adjust this value for your application files, you can specify settings for specific HTML, JS, CSS, and JSON file types. Each file type can define the number of spaces to use for a tab character and a list of column values to use for individual tab stops.
"tabs" : {
    "html" | "js" | "css" | "json" | "all" : {
        <tab setting objects per file type>
    },
}
Two configuration tab styles are available for advancing to a column when a tab character is encountered: either a tab is equated with n spaces, using the spaces sub-property or else the column advances to the next tab stop column, using the stops sub-property. If both stops and spaces are specified, the tab configuration style is tab stops, and JAF uses the spaces value to calculate the next tab stop column whenever a tab advances beyond the last stops position.
"tabs" : {
    "html" | "js" | "css" | "json" | "all" : {
        "spaces" : n,              // declare tab spacing
        "stops"  : [i, j, k, ...]  // declare tab stop columns
    },
}
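The two tab styles above decide which column an issue is reported at, so a mismatch between the configured value and the files' real tab width shifts every reported column on a tab-indented line. The following JavaScript is an added example, not JAF's code: it resolves the per-file-type settings (falling back to "all", then to the 4-space default) and computes the column a tab advances to under each style. How JAF continues past the last listed stop is not spelled out beyond "uses the spaces value", so the continuation rule implemented here (further stops at lastStop + k × spaces) is an assumption.

```javascript
// Added example (not JAF's implementation) of the tab-advance rules described above.
const DEFAULT_TAB_SPACES = 4; // JAF's default: a tab represents 4 spaces

// Pick the settings for a file type: a specific entry wins over "all", which
// wins over the defaults. `config` is shaped like the "tabs" fragment above.
function tabSettingsFor(config, fileType) {
  const tabs = (config && config.tabs) || {};
  return tabs[fileType] || tabs.all || {};
}

// Columns are 1-based. Returns the column at which the character following a
// tab at column `col` starts.
function nextColumnAfterTab(col, settings) {
  const spaces = settings.spaces || DEFAULT_TAB_SPACES;
  const stops = Array.isArray(settings.stops) ? settings.stops : null;
  if (!stops || stops.length === 0) {
    // "spaces" style: a tab is simply n spaces wide
    return col + spaces;
  }
  // "stops" style: advance to the first stop column strictly beyond `col`
  for (const stop of stops) {
    if (stop > col) return stop;
  }
  // Beyond the last stop: ASSUMED continuation at lastStop + k*spaces,
  // which is where the spaces value comes into play in the stops style.
  const last = stops[stops.length - 1];
  const k = Math.floor((col - last) / spaces) + 1;
  return last + k * spaces;
}

// Map a 0-based character index within `line` to the 1-based column an audit
// report would show for it under `settings`.
function reportedColumn(line, index, settings) {
  let col = 1;
  for (let i = 0; i < index && i < line.length; i++) {
    col = line[i] === "\t" ? nextColumnAfterTab(col, settings) : col + 1;
  }
  return col;
}

// Constructed demo: the same line reported under defaults and under tab stops.
const sampleLine = "\tab\tc\t\td";
const sampleConfig = { tabs: { all: { spaces: 2, stops: [5, 9] }, js: { spaces: 8 } } };
console.log("default:", reportedColumn(sampleLine, 7, {}));
console.log("css (all):", reportedColumn(sampleLine, 7, tabSettingsFor(sampleConfig, "css")));
console.log("js:", reportedColumn(sampleLine, 7, tabSettingsFor(sampleConfig, "js")));
```

Running it shows the character "d" reported at column 20 with the defaults (four tabs at 4 spaces plus three characters), at column 13 under the 5/9 tab stops with 2-space continuation, and at column 36 for the js file type, which overrides "all" with an 8-space tab.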
Comment Source Code for Fine-Grained Audit Control
Oracle JAF comment commands allow contextual audit suppression of specific lines or blocks of code within individual application files. Use JAF comment commands to refine audit results and to gain greater control over the reported issues.
/* <JAFcommand> [optional data] */
or
// <JAFcommand> [optional data]
Note that chevrons (< >) do not appear in an actual command name, and the use of square brackets ([ ]) when specifying optional data is optional.
All JAF comment commands have the prefix jaf-. The command name must immediately follow the opening /* or // and is specified as /* jaf-xxx */ or // jaf-xxx, where whitespace preceding the command name is permitted.
Note that no program text is permitted within a JAF comment.
The following table describes supported JAF comment commands.
Oracle JAF Comment Command | Description |
---|---|
| Disables all JAF audit rules for the next statement. |
| Disables the specified JAF audit rules for the next statement. |
| Disables all JAF audit rules for the current statement. |
| Disables the specified JAF audit rules for the current statement. |
| Disables all JAF audit rules until the end of file, or until the next comment. |
| Disables the specified JAF audit rule(s) until the end of file, or until the next comment. Note that the square brackets and commas are optional. |
| Enables all JAF audit rules. |
| Enables the specified JAF audit rules. |