Product Updates

September 26, 2019

Quality Clouds for ServiceNow

New Functionality

  • New ServiceNow best practices included in this release:
| Description | Impact | Action | Reference URL |
| --- | --- | --- | --- |
| Creating custom tables in the global scope should be avoided. | ServiceNow recommends creating custom tables in scoped applications. Creating custom tables has licensing implications. Refer to the documentation link for details. | Avoid creating custom tables in the global scope. Use scoped applications instead. | https://docs.servicenow.com/bundle/newyork-servicenow-platform/page/administer/subscription-management/concept/allocating-custom-tables-subscr-apps.html |

Changes in Behaviour

  • As of this release, access to the sys_package table is no longer required to execute a Quality Clouds Scan. Access to sys_package was somewhat problematic as it was not enabled by default, and it reverted back to "false" on upgrades, causing scans to fail. We have implemented a workaround which removes the need for accessing this table. As a result of this change, however, some changes detected on ServiceNow plugins may now be assigned to the Global Scope. This means that the total number of applications reported in the Code Monitor and Application Overview dashboards may be reduced. We have tried to minimise the number of occurrences of this, but if you feel that this causes an issue for your instances, please contact help@qualityclouds.com
  • There is a new update set available to enable scans on ServiceNow instances. This new update set removes the modification of the sys_package table, but also substitutes the creation of many ACLs for the assignment of developer admin roles, which allow access to many of the sys_ tables without requiring an additional ACL. This new approach is preferred as it avoids ACL collisions which have caused issues in some instances. 

Bug Fixes

  • Updated documentation links which had become obsolete. 

Quality Clouds for Salesforce

New Functionality

  • Added operational data metric - storage used per department

September 4, 2019

Quality Clouds for ServiceNow

New Functionality

  • New ServiceNow best practices included in this release:
| Description | Impact | Action | Reference URL |
| --- | --- | --- | --- |
| Client Scripts should not use unsupported scripting APIs | A number of JQuery and Angular API calls and global variables are not supported in client script code which runs as part of the Service Portal, or in the Mobile UI. Trying to use them in Client Scripts where the UI Type is not "Desktop" will result in run time errors. | Understand which Client Scripts will run as part of the Service Portal user interface, and which APIs are available in each case. Remove any unsupported API calls from your code. | https://docs.servicenow.com/bundle/madrid-servicenow-platform/page/build/service-portal/concept/unsupported_client_scripts.html |
| Catalog Client Scripts should not use unsupported scripting APIs | A number of JQuery and Angular API calls and global variables are not supported in client script code which runs as part of the Service Portal, or in the Mobile UI. Trying to use them in Client Scripts where the UI Type is not "Desktop" will result in run time errors. | Understand which Client Scripts will run as part of the Service Portal user interface, and which APIs are available in each case. Remove any unsupported API calls from your code. | https://docs.servicenow.com/bundle/madrid-servicenow-platform/page/build/service-portal/concept/unsupported_client_scripts.html |

Changes in Behaviour

Bug Fixes

  • Fixed an issue where Update Set scans (both from the ServiceNow app, and from exported Update Sets) were raising false positives on the rules "Synchronous AJAX call in Client Scripts." and "Synchronous AJAX call in Catalog Client Scripts". The issue was being raised when a callback function was included in the parameters to g_form.getReference. In these cases, the callback function will execute asynchronously.

QC Portal

Dashboards

New dashboards:

  • Evolution of issues (Salesforce)

  • Comparison dashboard (Salesforce)

  • Team dashboard (Salesforce)


  • General Dashboard restyling (ServiceNow)
  • Tech Debt KPI improved with new metrics: Variation from previous scan, Global Technical Debt.

Bug Fixes

  • The Evolution of issues timeline (day-based) summed the metrics when there were multiple scans on the same day/instance. Average aggregation is now used.

  • Week numbered schedule type not launching under certain conditions.

August 9, 2019

Quality Clouds for ServiceNow

New Functionality

  • The Upgradeability dashboard now includes information on Out of the Box changes which will be affected in the upgrades to the New York version of ServiceNow.

Changes in Behaviour

  • The definition of the rule "Client UI Actions using GlideRecord" has been modified to exclude from the rule UI actions which, even if they have been marked for client-side execution, include code to be executed on the server side. This is in order to prevent false positives, where the GlideRecord call is included in the server side of the script. 

Quality Clouds for Salesforce

New Functionality

  • The profiling dashboard now includes the list of Open Source JavaScript frameworks included as UI scripts

Changes in Behaviour

  • Improved performance on Git based scans

Bug Fixes

  • Removed false positives in some APEX rules 
  • Removed duplicate reporting on some custom rules

Quality Clouds for Office365

New Functionality

  • Ability to customise the ruleset, ignoring some rules completely, and modifying severity and time to fix (contribution to Technical Debt) on any rule.

QC Portal

New Functionality

  • End of Scan email now includes comparison on New vs. Closed Issues since last scan

  • You can now review your Git scans from the history menu

Dashboards

  • ServiceNow and Salesforce Profiling dashboards now list detected Open Source libraries

  • New Team Dashboard for Salesforce



Bug Fixes

  • Solved 500 Error which occasionally arose in specific accounts.

July 4, 2019

Quality Clouds for ServiceNow

New Functionality

  • The profiling dashboard now includes the list of Open Source JavaScript frameworks included as UI scripts, and the breakdown of tables created in scoped applications and in the Global Scope.

  • The lines of code count is now included in the grids on the Upgradeability Dashboard.

Quality Clouds for Salesforce

New Functionality

  • Added operational data metrics about licenses assigned to inactive and frozen users.

Changes in Behaviour

  • PMD updated to version 6.15

June 18, 2019

Quality Clouds for ServiceNow

Changes in Behaviour

  • Inactive Catalog Client Scripts were being excluded from the Lines of Code count KPI. These elements are now included.

June 12, 2019

Quality Clouds for ServiceNow

New Functionality

  • Upgradeability dashboard now shows OOTB modifications which will cause a skipped record up to Madrid Patch 3

Changes in Behaviour

  • New Dashboard - compare issues between scans - now shows issues closed and opened between any two scans.

  • New features on Team Dashboard - Best Developer

Bug Fixes

  • None on this release

April 5, 2019

Quality Clouds for ServiceNow

New Functionality

  • New operational metric: logins and unique logins per department
  • New operational metric: logins and unique logins per role (admin, fulfiller, approver) 
  • New operational metric: inactive users
  • Full user-agent is captured on slow transactions  

Changes in Behaviour

  • Inactive users widget added to User Adoption dashboard

Bug Fixes

  • None on this release


Quality Clouds for Salesforce

New Functionality

  • Added operational data metric about file storage use

Changes in Behaviour

  • Performance improvements

Bug Fixes

  • None on this release

Quality Clouds for Office365

New Functionality

  • Added ability to scan git repositories
  • Added automated execution of tslinter to detect issues in SharePoint Framework TypeScript Code

Changes in Behaviour

  • Performance improvements

Bug Fixes

  • None on this release

QC Portal (Scan Website)

New Functionality

  • Last used instance and dashboard remembered when entering QC Portal
  • General security hardening
  • Git repository can be specified in Office instances for code scan
  • Enhancements to Action mail, which now links to specific portal Dashboards

Dashboards

  • New Office 365 Executive Dashboard

  • New cross-platform Governance Dashboard

  • Date range selector added to Best Practices Analysis

Bug Fixes

  • User Role Sales Representative can break DOM

  • Download issues may yield wrong Best Practice description

  • Minor Fixes in Action mail and Activation mail.

March 11, 2019

Quality Clouds for ServiceNow

New Functionality

  • Two new Configuration Element types have been included in the Quality Clouds analysis:  Inbound Email Actions and Script Actions.
    • The online check functionality is now also available for these Configuration Element types. Access the required Update Set from Update Set for Live Check
  • A new update set is available to activate the Online Check button for these two configuration element types.
  • The below new Best Practices have been implemented with this release:

| Best Practice Description | Configuration Element Type | Severity | Impact Area | Impact | Remediation |
| --- | --- | --- | --- | --- | --- |
| Scripts should not use gs.sql | All Server Side Script Elements | HIGH | MANAGEABILITY | gs.sql executes against the database directly. This risks system integrity. | Do not use gs.sql in code. It interacts with and alters the database directly, potentially causing significant damage to the integrity of the system. Remove all references, and use GlideRecord instead. |
| Avoid Global UI Scripts | UI Scripts | LOW | PERFORMANCE | Global UI scripts are loaded on every single page/form in ServiceNow even if the code within them is not called. | Make the UI Script non-global, and include the UI Script on the appropriate page by referencing the script as needed |
| Inbound Email Actions with hard-coded sys_ids | Inbound Email Actions | MEDIUM | MANAGEABILITY | Hard coding sys_ids makes the system more difficult to manage, and less able to move functionality between instances | Create a system property to store the name of the record (not the sys_id) for easier manageability. The script can use gs.getProperty() to retrieve the record and use the sys_id. If the named record was not found, an error can be displayed appropriately. |
| Inbound Email Actions using GlideRecord and getRowCount | Inbound Email Actions | MEDIUM | SCALABILITY | The GlideRecord.getRowCount() works by getting the whole result set without using the built-in arithmetic functions of the database. GlideAggregate does use the database, therefore is often drastically faster. The exception to this recommendation is if you intend to loop through the records and process them anyway | Replace GlideRecord with GlideAggregate and a COUNT aggregate to improve performance. This could make a large impact when working on tables with a high record count. |
| Script Actions with hard-coded sys_ids | Script Actions | MEDIUM | MANAGEABILITY | Hard coding sys_ids makes the system more difficult to manage, and less able to move functionality between instances | Create a system property to store the name of the record (not the sys_id) for easier manageability. The script can use gs.getProperty() to retrieve the record and use the sys_id. If the named record was not found, an error can be displayed appropriately. |
| Script Actions using GlideRecord and getRowCount | Script Actions | MEDIUM | SCALABILITY | The GlideRecord.getRowCount() works by getting the whole result set without using the built-in arithmetic functions of the database. GlideAggregate does use the database, therefore is often drastically faster. The exception to this recommendation is if you intend to loop through the records and process them anyway | Replace GlideRecord with GlideAggregate and a COUNT aggregate to improve performance. This could make a large impact when working on tables with a high record count. |
| SOAP Request Strict Security should be enabled | System Properties | HIGH | SECURITY | Without appropriate authorization configured on the incoming SOAP requests, an unauthorized user can get access to sensitive content/data on the target instance | Set the system property "glide.soap.strict_security" to true. |
| Java Package Collection mode and Collection mode override properties should be disabled | System Properties | HIGH | SECURITY | The "Collection Mode" property allows for the direct calling of new Java packages that have not been called before. Once enabled, this plugin manages the relationship between the server side code and Collection mode property to enforce security restrictions. | It is recommended to set this property "glide.whitelist.manager.collection_mode.override" to false to close the security gap that exists when importing Java package calls into an instance. |
| Client Generated Scripts Sandbox should be enabled | System Properties | HIGH | SECURITY | In some circumstances it is possible for the client to generate arbitrary script code and send it for evaluation to the server. For instance, by using the API call AJAXEvaluate, and by specifying javascript formulas in query filters. Enabling Generated Script Sandboxing increases security by running these scripts inside a reduced rights sandbox. | Set the system property "glide.script.use.sandbox" to true |
| Cookies – HTTP Only should be enabled | System Properties | HIGH | SECURITY | If this property is not set to "true", javascript code can manipulate cookies set by ServiceNow. This opens up some cross-site scripting attack vectors | Set the system property "glide.cookies.http_only" to true. This reduces (but does not eliminate) the vulnerability to cross-site scripting attacks. |
| Escape HTML should be enabled | System Properties | HIGH | SECURITY | Setting the type of a table column to HTML allows its contents to be displayed with HTML formatting tags. However it also opens up a cross-site script attack vector since a malicious user could inject HTML code to execute unauthorised scripts when these fields are rendered. | Set the system property "glide.ui.escape_html_list_field" to true. |
| CSV Request Authorization should be enabled | System Properties | HIGH | SECURITY | Without appropriate authorization configured on the incoming CSV requests, an unauthorized user can get access to sensitive content/data on the target instance. | It is recommended to set this property "glide.basicauth.required.csv" to true, as without appropriate authorization configured on the incoming CSV requests, an unauthorized user can get access to sensitive content/data on the target instance. |
| SSLv2/SSLv3 should be disabled | System Properties | HIGH | SECURITY | When active, outbound connections from an instance are forced to use TLS instead of SSL. Setting this property forces the MID Server to use TLS when making outbound connections, such as REST and SOAP requests. | It is recommended to set this property "glide.outbound.sslv3.disabled" to true to enforce the use of TLS during all outbound connections from ServiceNow instance |
| AJAXGlideRecord ACL Checking should be enabled | System Properties | HIGH | SECURITY | From within client scripts, it is possible to query arbitrary data from the server via the GlideAjax API, by using a syntax similar to a server-side glide record. Unless ACLs are checked, this can cause data leaks "glide.script.secure.ajaxgliderecord" | Enable AJAXGlideRecord ACL property. Any scripts using GlideAjax should be tested thoroughly to ensure that loss of functionality does not occur. |
| SLA logging level should be set to "notice" | System Properties | HIGH | PERFORMANCE | SLA logging can produce significant volumes of logs, and can cause performance problems. | In the SLA properties module, set the property Log/trace level of TaskSLA model to notice |
| Basic Auth SOAP Requests setting should be enabled | System Properties | HIGH | SECURITY | Without appropriate authorization configured on the datasource SOAP requests, an unauthorized user can get access to sensitive content/data on the target instance. | Set the system property "glide.basicauth.required.soap" to true to enforce soap requests authorization. |
| Old UI enabled or being used | System Properties | HIGH | SECURITY | UI11 was deprecated in the Istanbul release, and should not be used any more. | To ensure that users can use the latest User Interface set the glide.ui.doctype property to true. To move users away from UI11, update sys_user_preferences glide.ui11.use to false for all users. |
| Script Request Authorization should be enabled | System Properties | HIGH | SECURITY | Without appropriate authorization configured on the incoming Script requests, an unauthorized user can get access to sensitive content/data on the target instance. | Enable the Script Request Authorization property glide.basicauth.required.scriptedprocessor |
| Escape Jelly should be enabled | System Properties | HIGH | SECURITY | Input validation has to occur on the application to defend against cross-site scripting attacks which would allow foreign scripts to execute on user session in the logged in browser's context. This can be leveraged by attackers to steal session information and sensitive data. | Set the system property "glide.ui.escape_text" to true. |
| "Allow Javascript tags in Embedded HTML" property should be disabled | System Properties | HIGH | SECURITY | Journal fields have the ability to render text enclosed within code tags as HTML. There is an associated security risk, since any malicious user can write JS code that may be executed on a different client browser after the journal fields are rendered. | Set the glide.ui.security.codetag.allow_script property to false to disable support for embedding Javascript tags using the [code] tag. |
| Enable AJAXEvaluate should be disabled | System Properties | HIGH | SECURITY | In some circumstances it is possible for the client to generate arbitrary script code and send it for evaluation to the server. For instance, by using the API call AJAXEvaluate, and by specifying javascript formulas in query filters. | Set the system property "glide.script.allow.ajaxevaluate" to false to disable the use of the API call AJAXEvaluate |
| Anti-CSRF Token setting should be enabled | System Properties | HIGH | SECURITY | Cross site Request Forgery is a significant security risk that violates the integrity of the instance data. An attacker can launch the CSRF attack on any instance user by abusing the application's trust on the instance user. With the help of social engineering attacks, a user can submit a malformed request on behalf of the attacker on the instance. | Set the system property "glide.security.use_csrf_token" to true to enable an extra validation step before the instance user submits a write request to the instance. |
| Escape XML should be enabled | System Properties | HIGH | SECURITY | Input validation has to occur on the application to defend against cross-site scripting attacks which would allow foreign scripts to execute on user session in the logged in browser's context. This can be leveraged by attackers to steal session information and sensitive data. | Set the system property "glide.ui.escape_text" to true. |
| HTML Sanitizer property should be enabled | System Properties | HIGH | SECURITY | Remove unwanted code and protect against security concerns such as cross-site scripting attacks by sanitizing HTML markup in HTML fields and translated HTML fields. | Set the system property "glide.html.sanitize_all_fields" to true. |
| "Check UI Action Conditions check before Execution" should be enabled | System Properties | HIGH | SECURITY | Access request should always be checked when transactions happen between two zones. This operation validates any UI actions before the form is rendered to the end user. | Set the system property "glide.security.strict.actions" to true |
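An added example (not Quality Clouds code): one way to check an instance against the SECURITY system property rows above, assuming the properties have been exported as rows with `name` and `value` fields, as in the sys_properties table. The function names and the sample rows are constructed for illustration; the property names and target values are the ones listed in the table.

```javascript
// Recommended values for the SECURITY system properties named in the table above.
const RECOMMENDED = {
  'glide.soap.strict_security': true,
  'glide.whitelist.manager.collection_mode.override': false,
  'glide.script.use.sandbox': true,
  'glide.cookies.http_only': true,
  'glide.ui.escape_html_list_field': true,
  'glide.basicauth.required.csv': true,
  'glide.outbound.sslv3.disabled': true,
  'glide.script.secure.ajaxgliderecord': true,
  'glide.basicauth.required.soap': true,
  'glide.ui.doctype': true,
  'glide.basicauth.required.scriptedprocessor': true,
  'glide.ui.escape_text': true,
  'glide.ui.security.codetag.allow_script': false,
  'glide.script.allow.ajaxevaluate': false,
  'glide.security.use_csrf_token': true,
  'glide.html.sanitize_all_fields': true,
  'glide.security.strict.actions': true
};

// Property values are stored as strings; accept padding and mixed case.
// Returns null for anything that is not clearly true or false.
function parseBool(raw) {
  if (typeof raw === 'boolean') return raw;
  if (typeof raw !== 'string') return null;
  const v = raw.trim().toLowerCase();
  if (v === 'true') return true;
  if (v === 'false') return false;
  return null;
}

// rows: [{ name, value }, ...] (assumed export shape).
// Returns one finding per property that is not demonstrably at the recommended value.
function auditProperties(rows) {
  const seen = new Map();
  for (const row of rows) {
    if (row && typeof row.name === 'string') seen.set(row.name.trim(), row.value);
  }
  const findings = [];
  for (const [name, expected] of Object.entries(RECOMMENDED)) {
    if (!seen.has(name)) {
      // No record exported: the platform default applies, which this page
      // does not state, so flag it for manual review rather than guess.
      findings.push({ name, status: 'missing', expected, actual: null });
      continue;
    }
    const actual = parseBool(seen.get(name));
    if (actual === null) {
      findings.push({ name, status: 'unparseable', expected, actual: seen.get(name) });
    } else if (actual !== expected) {
      findings.push({ name, status: 'noncompliant', expected, actual });
    }
  }
  return findings;
}

// Count findings per status for a quick summary.
function summarize(findings) {
  const counts = { missing: 0, unparseable: 0, noncompliant: 0 };
  for (const f of findings) counts[f.status] += 1;
  return counts;
}

// Constructed sample export, not taken from a real instance.
const SAMPLE_ROWS = [
  { name: 'glide.soap.strict_security', value: 'true' },
  { name: 'glide.cookies.http_only', value: ' TRUE ' },
  { name: 'glide.script.allow.ajaxevaluate', value: 'true' },
  { name: 'glide.security.use_csrf_token', value: 'false' },
  { name: 'glide.ui.escape_text', value: '' },
  { name: 'glide.ui.per_page', value: '20' } // unrelated property, ignored
];

const sampleFindings = auditProperties(SAMPLE_ROWS);
console.log(summarize(sampleFindings));
for (const f of sampleFindings.filter((x) => x.status !== 'missing')) {
  console.log(`${f.status}: ${f.name} expected=${f.expected} actual=${JSON.stringify(f.actual)}`);
}
```

Properties reported as missing need a manual check on the instance, since an absent record falls back to a platform default that the table does not give.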


Changes in Behaviour

  • None on this release

Bug Fixes

  • None on this release


Quality Clouds for Salesforce

New Functionality


  • The following new Best Practices which affect the Org Configuration as a whole have been implemented with this release:

| Best Practice Description | Configuration Element Type | Severity | Impact Area | Impact | Remediation |
| --- | --- | --- | --- | --- | --- |
| The trusted IP range is too wide | Org. Config. | WARNING | SECURITY | Having an allowed IP range which is too broad makes this security technique ineffective | Use restrictive IP ranges to enforce meaningful restrictions |

  • The following new Operational Metrics are available as of this release:

| Metric Name | Description | Impact | Action |
| --- | --- | --- | --- |
| Administrator Users | Number of users in the Org with administrator Profile | Too many users with administrator access can complicate the manageability of the Org | Reduce the number of administrators to the minimum |
| Percentage of file storage used | Indicates the percentage of usage of the storage available for files in the Org | Running close to the limit can cause unexpected costs if the limit is exceeded | Reduce the amount of files stored, or provision additional space |
| Users with logins in the last 14 days | The number of users who have logged into the Org in the preceding 14 days | Monitor the number of users who frequently log into the Org | Track Org usage to optimise licensing costs and to ensure platform adoption |
| Active users without logins in the last 14 days | The number of active users who have not logged into the Org in the preceding 14 days | Having a large number of active users who do not use the Org in a significant period of time may indicate that licenses are being wasted | Track Org usage to optimise licensing costs and to ensure platform adoption |
| Users with department / manager / division assigned | The number of users with these organisational attributes filled in | Depending on your requirements it may be necessary to have all users assigned to any or multiple of these categories | Track any gaps in these attributes to ensure that your required coverage is achieved |
| Total logins by country | The number of logins into the Org originating from a specific country | Depending on your requirements it may be necessary to track logins by country | Track logins by country to ensure that the distribution matches your expectations |
| API call limit | The total number of API calls available in a 24 hour period | Having a limit which is too low for your requirements can cause unexpected costs | Provision additional capacity before the limit is breached |
| Number of API calls in the last 24 hours | The total number of API calls performed in the last 24 hours | Breaching the allowed threshold can cause unexpected costs | Provision additional capacity before the limit is breached |


Changes in Behaviour

  • License information metrics are not considering free user licenses
  • New operational metric - Administrator users
  • Test coverage information is being captured
  • The Salesforce edition is now being captured

Bug Fixes

  • None included in this release


QC Portal (Scan Website)

New Functionality

  • New Remediation mail: Get an insight on the most common issue type from each impact area, and how to solve it!


  • End of scan email now includes detailed info on the warnings, if they were found


Dashboards

  • Rescaled Salesforce dashboards for a better screen fit
  • Added Application filter in the ServiceNow Team dashboard
  • Enhancements to the ServiceNow Code Monitor Dashboard:
    • New 'differences between scans' option
    • Added Script Actions and Inbound Email Actions configuration elements to the element breakdown
    • Added Configuration Element filter to the INFOs tables
  • ServiceNow Upgradeability  dashboard now allows multiple Configuration Element types selection
  • New Salesforce Governance dashboard for operational metrics




Bug Fixes

  • Minor issue fixed in History date ordering

February 14, 2019

Quality Clouds for ServiceNow

New Functionality

  • Out of the Box configuration elements which will be affected by the upgrade to the Madrid Release (early availability) are now included in the Upgradeability Dashboard.

Changes in Behaviour

  • Custom (client-specific) rules are applied on Update Set scans

Bug Fixes

  • None


Quality Clouds for Salesforce

New Functionality

  • PMD version updated to 6.11.0
  • The following new Best Practices which affect individual Configuration Elements have been implemented with this release:


| Best Practice Definition | Applies To | Severity | Impact Area | Ruleset | Additional Reference |
| --- | --- | --- | --- | --- | --- |
| Avoid the use of several variables declaration of the same type on one line. | Apex Class | HIGH | Manageability | PMD - APEX | PMD Rule Definition |
| ApexDoc comments are present for classes, methods, and properties that are public or global, excluding overrides and test classes | Apex Class | MEDIUM | Manageability | PMD - APEX | PMD Rule Definition |
| Missing ApexDoc @description | Apex Class | MEDIUM | Manageability | PMD - APEX | PMD Rule Definition |

  • The following new Best Practices which affect the Org Configuration as a whole have been implemented with this release:

| Best Practice Description | Configuration Element Type | Severity | Impact Area | Impact | Remediation |
| --- | --- | --- | --- | --- | --- |
| There are free entry Custom Fields with no data restriction | Objects | MEDIUM | MANAGEABILITY | Free entry fields with no data restriction or validations are likely to result in low quality of data being stored in the Org | Add validation rules to free entry fields. |
| Convert Attachments to Files | Org. Config. | MEDIUM | MANAGEABILITY | The Attachments object is no longer supported and will soon be replaced with Salesforce Files | Convert Attachments to Files |
| Password Policy Complexity is too weak | Org. Config. And Profile Settings | HIGH | SECURITY | Potential vulnerability when accessing accounts | Modify the password complexity settings to contain special characters, an upper-lower case mixture, and numeric characters |
| Password Policy Expiration is too weak | Org. Config. And Profile Settings | MEDIUM | SECURITY | Potential vulnerability when accessing accounts | Modify the password expiration time to ninety days or less |
| Password Policy Repetition is too weak | Org. Config. And Profile Settings | MEDIUM | SECURITY | Potential vulnerability when accessing accounts | Modify the number of previous passwords saved for users to 3 or more |
| Password Policy Max Login Attempts too wide | Org. Config. And Profile Settings | MEDIUM | SECURITY | Potential vulnerability when accessing accounts | Limit the number of login failures allowed for a user before the user is locked out |
| Password Policy Minimum Password Length too weak | Org. Config. And Profile Settings | HIGH | SECURITY | Potential vulnerability when accessing accounts | Set to 8 characters or more the minimum number of characters required for a password |
| Password Policy: Obfuscate the Secret Answer | Org. Config. And Profile Settings | MEDIUM | SECURITY | Potential vulnerability when accessing accounts | Hides the secret answer associated with a password |
| Password Policy Password Hint contains password | Org. Config. And Profile Settings | MEDIUM | SECURITY | Potential vulnerability when accessing accounts | Restrict the answer to the password hint question to “DoesNotContainPassword” |


Changes in Behaviour

  • REST API credentials are now mandatory to configure an Org

Bug Fixes

  • None included in this release


QC Portal (Scan Website)

New Functionality

  • QC-Bot available! Set operational alerts on your instances and get notified when the defined thresholds/ranges are reached.
  • Launch connectivity tests on instances with 'Do Not Persist Credentials' mode enabled.

Dashboards

  • Best Practices Analysis: Now includes Best Practice impact and recommended action.
  • Performance: Includes an export button for the Rowcount>=100 issue

Bug Fixes

  • QC Portal log search now works across all pages

January 30, 2019

Quality Clouds for ServiceNow

New Functionality

  • Support for Operational Scans
  • Support for Operational Alerts
  • Trend of Quality of Cloud indicator added to Executive Dashboard
  • Number of written-off issues added to Executive Dashboard

Changes in Behaviour

  • None

Bug Fixes

  • Fixed bug where some Updated On dates were reported with 0 value


Quality Clouds for Salesforce

New Functionality

  • Support for Operational Scans
  • Support for Operational Alerts
  • The following new Best Practices which affect individual Configuration Elements have been implemented with this release:
| Best Practice Definition | Applies To | Severity | Impact Area |
| --- | --- | --- | --- |
| Too many Picklist fields per Object | Object | MEDIUM | Manageability |
| Indexed Fields / Custom Fields Created | Object | MEDIUM | Performance |
| Having more than one trigger on an object can cause you to reach Apex limits | Object | MEDIUM (more than 2 triggers) LOW (2 triggers) | Manageability |
| Too many sharing rules on objects can increase the time it takes to save and load records | Object | MEDIUM | Performance |
| The object has too many active validation rules | Object | MEDIUM | Performance |
| Avoid hardcoded urls | Apex Class | MEDIUM | Manageability |
| Avoid hardcoded urls | Apex Trigger | MEDIUM | Manageability |
| The object has custom Fields with Neither Description nor Help Text | Object | LOW | Manageability |
| API versions that are more than nine releases—or three years—old can hinder your code's performance. | Apex Class | WARNING | Performance |
| API versions that are more than nine releases—or three years—old can hinder your code's performance. | Apex Trigger | WARNING | Performance |
| New code using out-of-date API versions don't provide the latest functionality and security features. | Apex Class | WARNING | Performance |
| New code using out-of-date API versions don't provide the latest functionality and security features. | Apex Trigger | WARNING | Performance |
  • The following new Best Practices which affect the Org Configuration as a whole have been implemented with this release:
| Best Practice Definition | Severity | Impact Area |
| --- | --- | --- |
| Too many branches on Role Hierarchy | MEDIUM | MANAGEABILITY |
| Too many Custom Reports over used objects | MEDIUM | MANAGEABILITY |
| Too many Dashboards over used objects | MEDIUM | MANAGEABILITY |
| Too many Profiles and Permission Sets | MEDIUM | MANAGEABILITY |
| Too many Apex Triggers per Objects used | MEDIUM | MANAGEABILITY |
| Too many Reports and Dashboards without folder assigned | MEDIUM | MANAGEABILITY |
| The percentage of asynchronous classes is too high | LOW | MANAGEABILITY |
| The instance has more than 5.000 lines of APEX code | WARNING | MANAGEABILITY |
| Coverage of Unit Tests is less than 75% | WARNING | MANAGEABILITY |
| Cross-Site Request Forgery (CSRF) protection on GET requests on non-setup pages is disabled | MEDIUM | SECURITY |
| Cross-Site Request Forgery (CSRF) protection on POST requests on non-setup pages is disabled | MEDIUM | SECURITY |
| Clickjack protection for non-setup Salesforce pages is disabled | MEDIUM | SECURITY |
| Clickjack protection for customer Visualforce pages with standard headers turned on is disabled | MEDIUM | SECURITY |
| Clickjack protection for customer Visualforce pages with standard headers turned off is disabled | MEDIUM | SECURITY |
| Clickjack protection for setup pages is disabled | MEDIUM | SECURITY |
| The browser is not prevented from inferring the MIME type from the document content and from executing malicious files | MEDIUM | SECURITY |
| Cross-domain session information is exchanged using a GET request instead of a POST request | MEDIUM | SECURITY |
| Protection against reflected cross-site scripting attacks is disabled | MEDIUM | SECURITY |
| The IP addresses in Login IP Ranges are enforced only when a user logs in | MEDIUM | SECURITY |
| There is no session timeout for inactive users | MEDIUM | SECURITY |
| Visualforce, Salesforce sites, or Communities must use HTTPS | MEDIUM | SECURITY |
| Prevent Unauthorized use of session ID | MEDIUM | SECURITY |
| HTTPS is not required to log in to or access Salesforce | MEDIUM | SECURITY |
| Inactivity Time Warning | WARNING | SECURITY |
| Session Policy - Enable Content Security Policy | MEDIUM | SECURITY |

Changes in Behaviour

  • None on this release

Bug Fixes

  • Fixed bug where Org Id was not being captured correctly


Scan Website

New Functionality

  • More secure activation link in user provisioning email
  • Refactored user to First + Last Name
  • Random Tip-of-the-day message in Scan results email
  • New Project User Role available, to isolate user access to a project in a customer account

Dashboards

  • New Filter by Type in Application Overview
  • Added trends to Executive dashboard main KPIs

Bug Fixes

  • Salesforce dashboards: several minor bug fixes
  • Fixed miscalculation of Number of developers and OOTB modified CEs in mail summary


November 22, 2018

Quality Clouds for ServiceNow

New Functionality

  • Operational Scans, which extract information about the run-time usage of the instance, are included in this release.
  • A new Update Set with ACL definitions for the new required tables (sysevent, sys_scope) is available for download if you are using a non-Admin account for your Quality Clouds scans.

Changes in Behaviour

  • Scoped applications which are created as a result of plugin activations are now being included in the list of Custom Applications. Previously, only locally developed Scoped Applications were included in this list. As a result, you may see a re-distribution of Configuration Elements across applications, with Configuration Elements moving from the Global Scope or a Platform Application (plugin) to a Custom Application. This does not affect the number of issues detected or the main KPIs.

Bug Fixes

  • None

Quality Clouds for Salesforce

New Functionality

  • Added operational data about user logins per department

Changes in Behaviour

  • None in this release

Bug Fixes

  • None in this release


Scan Website

New Functionality

  • Back-end support for operational scans on customer instances.
  • Schedules now allow operational scans.
  • History display and filter by type of scan: Instance, Jenkins, Operational and Update Set.
  • Dashboard refresh launched individually depending on scan type (faster data refresh).
  • Total Write-Off elements displayed in Issues list form.
  • Redesigned login page.

Dashboards

  • Code monitor: Element list now alphabetically ordered.

Bug Fixes

  • Scan Form correctly refreshes instance list when adding new instances.



November 13, 2018

Quality Clouds for ServiceNow

New Functionality

  • Lines of code in inactive configuration elements are being reported. This new indicator is available in the Profiling dashboard.

Changes in Behaviour

Bug Fixes

  • A bug which resulted in the incorrect number of lines being counted for minified JavaScript files has been fixed.

Quality Clouds for Salesforce

New Functionality

  • Added operational data about users
  • Added operational data about LoggingHistory

Changes in Behaviour

  • Finer Granularity for GDPR Issues (matches the ServiceNow definitions)

    • GDPR sensitive information warnings, which were until now grouped under the issue with code "3000.- Possible PII usage in Configuration Element", have been split into the following issue types:
      • 3010.- Possible PII usage in Configuration Element - Email
      • 3011.- Possible PII usage in Configuration Element - Passport
      • 3012.- Possible PII usage in Configuration Element - Address
      • 3013.- Possible PII usage in Configuration Element - Nationality
    • GDPR extra-sensitive information issues, which were until now grouped under the issue with code "3001.- Possible extra-sensitive PII usage in Configuration Element", have been split into the following issue types:
      • 3100.- Possible extra-sensitive PII usage in Configuration Element - Gender
      • 3101.- Possible extra-sensitive PII usage in Configuration Element - Religion
    • The total number of issues, technical debt, and Quality of Cloud indicators are unchanged by the above change in issue classification.

  • Improved detection of custom objects

Bug Fixes

  • Fixed bug in detection of "created on" date in role objects
  • Corrected typos in best practices


Scan Website

New Functionality

  • New SaaS Platform available: Office 365!
    • Link your O365 instances and launch Quality Clouds scans to obtain Quality and Operational metrics!
  • Performed Update Set Scans are now available in history, to allow recovering them at any time
  • Salesforce Dashboards
    • New overview tab in the Apex Class drill down: Asynchronous classes ratio, level of customisation, Ratio by type, etc.
    • New filter by best practice in the issues tab
    • Drill down by impact area, from the overview tab
    • General restyling
  • More information in the Monthly report
    • List of failed scans with cause of the failure
    • Show active schedules on each instance
    • List of Update Set scans launched in period

Bug Fixes

  • Only profiling dashboard visible in home selector if only profiling scans available for an instance
  • Salesforce dashboards. Fixed incorrect ratio - Objects with reports
  • Lines of Code graph now removed from time filtering
  • Solved issue with dashboard order in selector randomly changing




October 25, 2018

Quality Clouds for ServiceNow

Changes in Behaviour

Finer Granularity for GDPR Issues

  • GDPR sensitive information warnings, which were until now grouped under the issue with code "3000.- Possible PII usage in Configuration Element", have been split into the following issue types:
    • 3010.- Possible PII usage in Configuration Element - Email
    • 3011.- Possible PII usage in Configuration Element - Passport
    • 3012.- Possible PII usage in Configuration Element - Address
    • 3013.- Possible PII usage in Configuration Element - Nationality
  • GDPR extra-sensitive information issues, which were until now grouped under the issue with code "3001.- Possible extra-sensitive PII usage in Configuration Element", have been split into the following issue types:
    • 3100.- Possible extra-sensitive PII usage in Configuration Element - Gender
    • 3101.- Possible extra-sensitive PII usage in Configuration Element - Religion
  • The total number of issues, technical debt, and Quality of Cloud indicators are unchanged by the above change in issue classification.

Bug Fixes

  • Warnings of type "3012.- Possible PII usage in Configuration Element - Address" should now exclude IP Address fields.
  • Some elements modified in ServiceNow upgrades, which were being reported as customisations to OOTB elements, should now be suppressed.

Quality Clouds for Salesforce

New Functionality

  • Code duplication issues in Apex Classes and Apex Triggers are now being detected
  • 3 new best practices related to Organisation Customisation
    • Ratio of Custom Objects to Standard Objects
    • Excessive number of business Apex Classes
    • Excessive number of roles in the organisation

Changes in Behaviour

  • Issues of type "Variables should start with a lowercase character" are now being detected in Apex Triggers, as well as in Apex Classes


Scan Website

New Functionality


  • New SaaS Platform available: Office 365!
    • Link your O365 instances and launch Quality Clouds scans to obtain Quality and Operational metrics!
  • Performed Update Set Scans are now available in history, to allow recovering them at any time
  • Salesforce Dashboards
    • New overview tab in the Apex Class drill down: Asynchronous classes ratio, level of customisation, Ratio by type, etc.
    • New filter by best practice in the issues tab
    • Drill down by impact area, from the overview tab
    • General restyling
  • More information in the Monthly report
    • List of failed scans with cause of the failure
    • Show active schedules on each instance
    • List of Update Set scans launched in period

Bug Fixes

  • Only profiling dashboard visible in home selector if only profiling scans available for an instance
  • Salesforce dashboards. Fixed incorrect ratio - Objects with reports
  • Lines of Code graph now removed from time filtering
  • Solved issue with dashboard order in selector randomly changing










Last modified on Sep 30, 2019