3 Run Audits on Oracle JET Applications
You can run an audit without making changes to the default Oracle JAF configuration or you can customize a variety of configuration properties to change audit behavior.
Audit the Application Using the Command Line
If you have configured Oracle JAF using the ojaf --init command, you can run an audit in the Command Prompt window.
In the JET application, open a Command Prompt window and from the root directory, use the JAF command without any arguments to run an audit based on the current JAF configuration for the entire application, against all HTML, JS, CSS, and JSON files.
ojafThe full command line syntax is, with optional flags and an optional space-separated list of directory and/or file path arguments:
ojaf [ <flags> ] [ <files>]The audit runs starting at the directory where you invoke the command in the Command-Line Interface. To audit a subset of the application files, change to the desired starting directory and invoke the audit command. Alternatively, for a simple audit, you can specify the files and file paths on the command line, relative to the current working directory:
ojaf myFile1[, myFile2, myFilex]ojaf file1 file2 ./test/**/*Note that some platforms perform wildcard expansion of command line arguments, so you may need to quote ojaf argument with wildcard characters to prevent this.
The ojaf command accepts command line flags that you can use to override corresponding property settings in the JAF configuration file. For example, you can append the --format flag when you want to override the default flattened-out text output and display standard report style output for the audit.
ojaf --format proseOther command line flags allow you to interact with the ojaf utility to return desired information. For example, if you want to confirm the Oracle JET version of your application is among the current versions supported by JAF, append the --jetlist flag.
ojaf --jetlistYou might also use the command line to get more details about a particular issue that your audit reported. This is supported by appending the --help flag and argument that provides either the ID of the message or the name of the rule that emitted the message.
ojaf --help msgIDThe complete list of command line flags can be displayed using the --help flag without arguments.
ojaf --helpThe --help command displays the command line flag options for the ojaf utility, as described in the table below. Note that Oracle JAF command line flags are case insensitive.
You can also use the --help flag to display the manual page (manpage) documentation for a command line flag by appending the flag as an argument to --help or -h, (such as ojaf -h dr).
Alternatively, you can display the manpage for a flag by ending the command with a ? (such as ojaf -rc?). Note that for *nix shells, the question mark should be escaped or the argument enclosed in quotes (ojaf -rc\? or ojaf "-rc?").
| OJAF Command Flag (long/short) | Description |
|---|---|
|
or
|
Displays the usage of the command line flags described in this table. |
|
or
|
Displays the description for a rule identified by its message ID or name, or displays the manpage for a command. For example, the following displays a description for the JAF audit message ID
The following displays the description for the JAF audit rule
The following displays the description for the JAF command line flag
|
|
|
Displays the manpage for a command, as an alternative to using -h <command>. For example, ojaf -h dr and ojaf -dr? both bring up the manpage for the command option --dryrun.
Note that for *nix shells, the question mark should be escaped or the argument enclosed in quotes ( |
|
or
|
Scaffold the |
|
or
|
Scaffolds a skeleton custom audit rule implementation file in the current directory. The argument is followed by the rule name without the For details about creating user-defined, custom audit rules, see Set up the Custom Audit Rules Test Project. |
|
or
|
Runs the audit with a specified configuration when followed by a file path to a configuration file. If omitted, the current directory is searched for the |
|
or
|
Runs the audit for a JET release version when followed by a partial or full semantic version value representing the JET release version. Use to match the Oracle JAF rule set to the version of your application. Accepts a partial semantic version definition, such that Tip: Use the commandojaf --jetlist (or ojaf -jl) to display the current JET release versions supported by the ojaf Command-Line utility.
If omitted, the rule set is based on the version specified by the jetVer configuration property in the |
|
or
|
Runs the audit with the specified rule set groups. For the list of built-in rule set groups, see Audit with Specific Rules. |
|
or
|
Formats audit output when followed by the output display format: |
|
or
|
Writes the output of the audit to a specified directory when followed by a file path. If the path is relative, the output directory is resolved relative to the current directory. If omitted, the audit output directory is the current directory. |
|
or
|
Suppresses output to the file specified in the configuration file by the outPath configuration property, and causes the audit output to be directed to the console. |
|
or
Note: If comparative operators are used, the severity condition must be enclosed by quotes. |
Restricts the severity of the issues reported by the audit when followed by a severity level. For severity level descriptions, see Restrict Audit Rule Severity Level. The optional comparative operators
If omitted, the audit reports issues of all severity levels. If these have been redefined by using the configuration property sevMap, then a redefined severity may also be used here. |
|
or
|
Audit follows the stylesheet If omitted, the audit follows the linked-to stylesheets by default. |
|
or
|
Audit does not follow the stylesheet |
|
or
|
Shows extra details in the output. For example, it includes the rule that was used to create a particular issue, and the issue message ID. |
|
or
|
When prose mode is configured, (see A custom format defined by the JAF configuration property proseFormat overrides this flag. |
|
or
|
Performs a full start-up and analysis of the configuration file. Displays the files that would have been audited, but does not fire the rules on the file set (as determined by the JAF configuration property settings files and exclude). This is useful when you want to verify that the configuration file contains no errors and particularly useful when the settings for files and exclude properties are complex. |
|
or
|
Displays the current JAF supported versions of JET. This is useful when you want to verify that the version of JET used to create your application is among the versions supported by the current JAF installation. |
|
or
|
Displays the available configuration profiles that can be inherited. If the command flag is followed by an optional profile name, the profile is displayed. |
|
or
|
Displays the namespaces known to JAF. This is useful when you want to audit the file set for references to user-defined custom Web Components and need to suppress false audit reporting of valid Web Component references. For details, see Audit JET Custom Web Component Usages. |
|
or
|
Displays a list of the rules disabled by default in the JET built-in rule packs. May be immediately followed by an optional pack prefix to limit the output to the pack declared. |
|
or
|
Displays a list of the rules that are deprecated. May be immediately followed by an optional pack prefix to limit the output to the pack declared. |
|
or
|
Displays the built-in JET rule pack groups and their associated rules. May be immediately followed by an optional pack prefix name to filter the output to the specified pack only. |
|
or
|
Displays external (non-JET) rule pack groups and their associated rules. May be immediately followed by an optional pack prefix name to filter the output to the specified pack only. Note that this command requires a configuration file with the rulePacks property set (that is, use of OJAF only refers to the rulePacks property, so no other properties need be present. |
|
or
|
Displays the availability/unavailability of rules in AMD mode in JAF built-in rulepacks. An optional rulepack prefix may be specified to restrict output to just the specified pack. |
|
or
|
Displays the loading order of rules in JAF built-in rulepacks. An optional rulepack prefix may be specified to restrict output to just the specified pack. |
|
or
|
Displays the status of rules in JAF built-in rulepacks. An optional rulepack prefix may be specified to restrict output to just the specified pack. |
|
or
|
Displays the metadata history across all JET versions known to JAF, for deleted and renamed classes, and deleted class methods and members. This is useful for diagnosing problems resulting from deprecation or name changes. Note JAF reports these in messages JET-3070 and JET-3071. |
|
or
|
Displays the active configuration file to evaluate the result of inheritance. No audit is performed. |
|
or
or
|
Displays the current JAF configuration default values for selected properties. |
|
or
|
Enables debug mode to allow very verbose output. This is useful for diagnosing problems. |
|
or
|
Displays the active rules information and their options as text, but no audit is performed. Can be used in combination with the |
|
or
|
Displays the active rules information and their options as JSON, but no audit is performed. Can be used in combination with the |
|
or
|
Displays the active rules information and their options as XML (SONAR format), but no audit is performed. Can be used in combination with the |
|
or
|
Overrides the return code behavior of the OJAF command-line interface. Specify auto for the default behavior. Specify errors if the return code should be 0, except in the case of abnormal termination, where -1 will still be returned as in the default mode. Specify a number that will be used as the return code. Requires OJAF version 2.9.11 or later. |
|
or
|
Displays the description for a rule identified by its message ID or name. For example, the following displays a description for the JAF audit message ID
The following displays the description for a JAF audit rule
|
|
or
|
Scaffolds a skeleton custom audit rule implementation file in the current directory. The argument is followed by the rule name without the For details about creating user-defined, custom audit rules, see Set up the Custom Audit Rules Test Project. |
Audit the Application with Predefined Runtime Options
Use the optional JAF configuration property options to define runtime options to use each time you run the audit from the command line.
Instead of invoking the ojaf command with command line flags, you can pre-define various runtime options by configuring the corresponding settings in the JAF configuration file options property. For example, instead of appending --extra --nocolor to an ojaf command invocation each time, you can define the configuration options debug and color.
Audit with Specific JET and ECMA Script Versions
During an audit, Oracle JAF refers to application-specific metadata to process the JAF rule set. Use the optional JAF configuration file jetVer property to set the metadata for a JET version and use the optional ecmaVer property to set the ECMA version. If the properties are omitted, then JAF processes the rule set by using metadata that is specific to the version of JET used to create the application.
The JAF built-in audit rule set works against metadata that is optimized for a specific version of JET and a specific JavaScript ECMA implementation. By default, JAF derives the rules metadata from the JET JavaScript API reference documentation that is specific to your application. However, you can customize the audit to process the built-in rule set for versions of JET and JavaScript/TypeScript other than your application.
-
Oracle JET version "5.2.0" (a quoted string) and later are valid settings for JET metadata. Note, if you happen to need to run with a JET release candidate, trailing characters are permitted, such as "9.0.0-rc3".
-
For the JavaScript ECMA, versions 5, 6, 7, 8, 9, 10, 11, 12, 13, and 14 (a number, without quotes) are valid and may be specified by the ECMA version number or ES version year, such as 2023 for ES14.
Audit with Specific Rules
The audit rule set invoked by JAF can be optionally conditioned by the use of the configuration properties groups, ruleNames, and ruleMods. These properties provide different ways to enable and disable rules in the runtime rule set to specify a list of rules that will be run, and thus indirectly disable all other rules.
All JAF rules are defined in rule packs. Some rule packs are built-in to JAF and can simply be selected by setting the configuration properties starting with builtin. For example, builtinJetRules can be set to true, and all (enabled) rules defined in it now become available to JAF. (Note that builtinJetRules is true by default if omitted, and thus nothing needs to be declared to perform a standard audit using the JET built-in rules.) For rule packs that are not among the JET built-in rule packs, the configuration property rulePacks can be used to declare which external rule packs are to be loaded.
So, by default, the built-in Oracle JAF rule pack is enabled and, optionally, external rule packs may be loaded, and all rules within these rule packs are enabled to run in an audit. It is possible to disable rules in the rule pack to prevent the rule from running, but if the requirement is to run only a few rules, you may find it easier to state which rules are to be run rather than disable all those not required.
Use the JAF configuration property ruleNames to specify a list of specific rules and rule groups to run, and thus indirectly disable all other rules. Alternatively, use the property groups to specify a list of rule groups to run, and thus indirectly disable all other rule groups. Only the named rules or rule groups will be invoked in the JAF audit.
Note that the groups and ruleNames configuration properties alone do not enable rules, they only declare rules that you intend to use. Whether these rules are run or not may depend on the audit configuration. If, for example, a group is specified, but its containing rule pack is not loaded, the group's rules will not be run. Similarly, if a rule that's declared in ruleNames is disabled by default (or is disabled elsewhere via the ruleMods property), the rule will not run.
Thus, the ruleNames and groups property give you a convenient way to temporarily override an existing configuration of loaded rule packs without resorting to editing or commenting out configuration entries. This is particularly useful during rule development or debugging. These properties are also useful sometimes to state the rules to be run, rather than disable the rules you don't want run.
Audit with Custom Rule Packs
Use the Oracle JAF configuration property rulePacks to include sets of user-defined, custom audit rules in an Oracle JAF audit.
You can optionally enable sets of user-defined, custom audit rules by using the rulePacks property. The property specifies the zip file or folder containing the rules. For details about how to use Oracle JAF to create user-defined rules, see Extend the Oracle JET Audit Framework.
"rulePacks" : [
{
"path" : "path/to/myrulepack.zip",
"enabled" : [true (default) | false]
"status" : ["all" (default), "production", "deprecated", "beta", "alpha"]
},
{
"path" : "path/to/my/rulepack/folder",
"enabled" : [true (default) | false]
"status" : ["all" (default), "production", "deprecated", "beta", "alpha"]
},
...
]The enabled property is optional and provides the ability to easily disable a complete rule pack. If omitted, the default is enabled.
The specified path can be relative. If relative, it is considered to be relative to the location of the configuration file, or the configuration file's base property, if defined.
Audit Only HTML Files That Contain Oracle JET Components
Use the optional Oracle JAF configuration file property jetPagesOnly to surpress auditing of an HTML file if the page does not contain any Oracle JET custom elements. If the property is disabled, then JAF processes and reports issues on all HTML files in the application.
Audit JET Custom Web Component Usages
Because Oracle JET Web Components are user-defined, auditing their custom HTML depends upon processing the Web Component's metadata before auditing can begin. Use the optional JAF configuration properties components and componentsUrls to enable auditing support for such custom HTML elements by informing JAF where to find and extract Web Component metadata.
Oracle JET custom Web Components in your application rely on the
component.json file to define metadata for their API, including their tag
names and supported properties, methods, and events. When you want JAF to process rules
specific to Web Components, you must set the JAF configuration components property
for local Web Components to inform JAF where to find the component.json
file.
During its pre-process phase, JAF recursively searches the specified locations to extract the component metadata. After this initial phase, the configuration properties are no longer needed and in subsequent phases of the audit, the previously extracted component metadata is used by the built-in JET rules defined by the jet-cca group to resolve Web Component references.
Although not a complete review of the JAF rules in the jet-cca group, once properly configured, JAF will enforce implementation details such as the following.
- Check that components don't use a reserved namespace prefix (such as,
oj-). - Check that
forattributes are prefixed and point to an expression. - Checks that hardcoded element IDs are not used within the component implementation.
Because user-defined Web Components are associated with a namespace to avoid naming collisions, JAF needs to be informed about the namespace to prevent reporting references in the audit file set as not valid. By convention, the prefix of the Web Component name identifies the namespace. To declare the namespace for Web Components not defined by the oj namespace, you set the JAF configuration property nameSpaces.
Audit JET Custom Web Component Projects
You can run an extended audit over the Web Component project that you created using the Oracle JET Tooling by enabling the rule set builtinJetWcRules in the JAF configuration file.
Before you share a custom Web Component that you create, you can audit the standalone JET project that implements the Web Component. The rule set builtinJetWcRules is provided specifically for component developers to use to validate best practices and other concerns that guarantee the validity of Web Component implementation details.
The builtinJetWcRules rule set is defined by a number of audit groups that you can enable individually for fine control over the rules to invoke. For example, you might enable the rule group jetwc-pre-release just before the cut to production. The rule set also contains rules that you can configure specific to your project. All rule groups and individual rules with the groups are defined by the prefix jetwc.
To run the audit on your Web Component project, the project must be a standard JET project that you created as the source for your custom components. Specifically, the rule set expects the organization of the project folders to be consistent with the organization created by Oracle JET CLI when you create a new component or pack of components, using the ojet create component and create pack commands.
The builtinJetWcRules rule set enforces implementation details such as the following.
- Checks that the folder structure and component names within the folders are as expected by the Oracle JET Tooling, and checks other such structure-related concerns.
- Checks the validity of dependency relationships between components, including semvar values, JET version values, requireJS paths, and component API implementations.
- Checks for consistency and correctness of component APIs in the namespace of your custom component, and that non-template slots are declared, events are declared, and that properties are nested only to a specified level—to identify just a few of the many API audit concerns.
- Checks for deprecated API styles, usages, and practices in JET.
- Checks for NLS support to verify the root language bundle location and that translation bundles have been provided for the specified locales.
- Checks for issues related to theme-able components, such as the presence of the ojcss! plugin.
- Checks for issues that can effect the usage of your component in Oracle Visual Builder, such as length limits for a display name that you define and the availability of a specified icon.
Audit JET Web Component Projects Containing VComponents
The builtinJetWcRules rule set supports the auditing of Web Component projects that use VComponent TSX files in addition to the JS and TS files used by conventional CCA components.
To enable the builtinJetWcRules and thus the custom component audits, you must edit the oraclejafconfig.json file and set builtinJetWcRules to true.
The builtinJetWcRules rule set expects that the web component is a standard JET project that was created as the source for your custom components. That is, the rule set expects that the context and folder organization of the project be consistent with projects created using the Oracle JET CLI tool.
In order to include TSX files in the project audit, a TypeScript compilation must first be run against the code. Therefore, there are some extra requirements for the JAF configuration oraclejafconfig.json file:
- You must be running JAF 3.3.0 or later.
- Your JAF configuration must include
.tsxfiles in the files property array to ensure that VComponents are processed. - You must set the
"typescript":{"compile":true}option in your JAF configuration. Without this,.tsxfiles will be skipped. - The project under audit needs to have populated
node_modules, which includes@oracle/oraclejet, as the JET version used by the project is also used for compiling. - Your project must compile successfully before the audit can be run.
For a mixed Typescript CCA and VComponent project, your oraclejafconfig.json file should look similar to the following:
{
"jetVer": "15.1.0",
"base": "$jafcwd",
"typescript":{
"compile":true,
},
"files": [
"./src/**/*.html",
"./src/**/*.ts",
"./src/**/*.tsx",
"./src/**/component.json"
],
"components": [
"./src/js/jet-composites"
],
"builtinJetRules": true,
"builtinJetWcRules": true,
. . .
}Audit CSS Styles and Web Components Styles
Use the optional Oracle JAF configuration property stylesets to create a whitelist of valid user-defined web component styles to enable auditing support for an undefined JET core style, a misspelled style name, or an unknown (to JAF) Web component style.
Audit for Oracle JET Deprecated Functionality
By default the Oracle JAF configuration will process all rules of the built-in JET rule pack, including rules for detecting deprecated Oracle JET functionality. Use the optional groups property of the JAF configuration file to customize the audit to process only the rules related to deprecated functionality by adding the jet-deprecated rule group to the JAF configuration.
- oj-js-ojcomp-deprecated - Deprecated JET component classes should not be instantiated.
- oj-html-ojtag-deprecated - Deprecated JET custom components should not be used.
- oj-js-comp-attr-deprecated - Deprecated JET component class attributes should not be referenced. This rule's scope is configurable by the JAF configuration file ruleMods property, as described below.
- oj-js-comp-meth-deprecated - Deprecated JET component class methods should not be invoked. This rule's scope is configurable by the JAF configuration file ruleMods property, as described below.
- oj-html-ojattr-deprecated - Deprecated JET component attributes should not be used.
- oj-html-ojslot - Deprecated JET component <oj-slot> should not be used since it is a binding-only element, and not a full custom element with properties and methods that can be accessed.
- oj-html-style-deprecated - JET component class attribute for deprecated CSS styles should not be used.
- oj-css-style-deprecated - Deprecated JET CSS class selectors should not be used.