Product Updates
September 26, 2019
Quality Clouds for ServiceNow
New Functionality
- New ServiceNow best practices included in this release:
Description | Impact | Action | Reference URL |
---|---|---|---|
Creating custom tables in the global scope should be avoided. | ServiceNow recommends creating custom tables in scoped applications. Creating custom tables has licensing implications. Refer to the documentation link for details. | Avoid creating custom tables in the global scope. Use scoped applications instead. | |
Changes in Behaviour
- As of this release, access to the sys_package table is no longer required to execute a Quality Clouds Scan. Access to sys_package was somewhat problematic as it was not enabled by default, and it reverted back to "false" on upgrades, causing scans to fail. We have implemented a workaround which removes the need for accessing this table. As a result of this change, however, some changes detected on ServiceNow plugins may now be assigned to the Global Scope. This means that the total number of applications reported in the Code Monitor and Application Overview dashboards may be reduced. We have tried to minimise the number of occurrences of this, but if you feel that this causes an issue for your instances, please contact help@qualityclouds.com
- There is a new update set available to enable scans on ServiceNow instances. This new update set removes the modification of the sys_package table, and replaces the creation of many ACLs with the assignment of developer admin roles, which allow access to many of the sys_ tables without requiring an additional ACL. This new approach is preferred as it avoids the ACL collisions which have caused issues in some instances.
Bug Fixes
- Updated documentation links which had become obsolete.
Quality Clouds for Salesforce
New Functionality
- Added operational data metric - storage used per department
September 4, 2019
Quality Clouds for ServiceNow
New Functionality
- New ServiceNow best practices included in this release:
Description | Impact | Action | Reference URL |
---|---|---|---|
Client Scripts should not use unsupported | A number of JQuery and Angular API calls and global variables | Understand which Client Scripts will | https://docs.servicenow.com/bundle/madrid-servicenow-platform/page/build/service-portal/concept/unsupported_client_scripts.html |
Catalog Client Scripts should not use unsupported scripting APIs | A number of JQuery and Angular API calls and global variables are not supported in client script code which runs as part of the Service Portal, or in the Mobile UI. Trying to use them in Client Scripts where the UI Type is not "Desktop" will result in run time errors. | Understand which Client Scripts will | https://docs.servicenow.com/bundle/madrid-servicenow-platform/page/build/service-portal/concept/unsupported_client_scripts.html |
Changes in Behaviour
Bug Fixes
- Fixed an issue where Update Set scans (both from the ServiceNow app, and from exported Update Sets) were raising false positives on the rules "Synchronous AJAX call in Client Scripts." and "Synchronous AJAX call in Catalog Client Scripts". The issue was being raised when a callback function was included in the parameters to g_form.getReference. In these cases, the callback function will execute asynchronously.
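The distinction behind this fix, as an added example that is not Quality Clouds code: a small detector, run in Node.js over constructed client-script snippets, that flags g_form.getReference() calls made without a callback (synchronous, so the browser blocks until the server answers) and leaves alone calls that pass a callback, which ServiceNow executes asynchronously. The sample scripts, the function names and the one-argument heuristic are this example's own assumptions.

```javascript
// Added example, not Quality Clouds code: flag synchronous g_form.getReference()
// calls in client-script source, ignoring calls that pass a callback (which
// ServiceNow runs asynchronously), so the rule does not raise false positives.

// Constructed sample client scripts (not taken from any real instance).
const SAMPLE_SCRIPTS = {
  // Synchronous: no callback, the browser blocks until the server answers.
  sync_call:
    "function onChange(control, oldValue, newValue) {\n" +
    "  var caller = g_form.getReference('caller_id');\n" +
    "  g_form.setValue('email', caller.email);\n" +
    "}",
  // Asynchronous: the inline callback runs when the referenced record arrives.
  async_inline:
    "function onChange(control, oldValue, newValue) {\n" +
    "  g_form.getReference('caller_id', function(caller) {\n" +
    "    g_form.setValue('email', caller.email);\n" +
    "  });\n" +
    "}",
  // Asynchronous with a named callback, followed by a line comment.
  async_named:
    "function onChange(control, oldValue, newValue) {\n" +
    "  g_form.getReference('caller_id', setEmail); // ok, async\n" +
    "}\n" +
    "function setEmail(rec) { g_form.setValue('email', rec.email); }",
};

// Split the argument list of a call whose '(' is at index openParen into the
// raw text of each top-level argument. Tracks nested brackets and string
// literals so commas inside a callback body or a string do not split.
// Returns null when the parentheses are unbalanced.
function splitArgs(src, openParen) {
  const args = [];
  let depth = 0;
  let quote = null;
  let current = '';
  for (let i = openParen + 1; i < src.length; i++) {
    const ch = src[i];
    if (quote) {
      current += ch;
      if (ch === '\\') { current += src[i + 1] || ''; i++; continue; }
      if (ch === quote) quote = null;
      continue;
    }
    if (ch === '"' || ch === "'") { quote = ch; current += ch; continue; }
    if ('([{'.includes(ch)) { depth++; current += ch; continue; }
    if (')]}'.includes(ch)) {
      if (depth === 0) {                 // closing paren of the call itself
        if (current.trim()) args.push(current.trim());
        return args;
      }
      depth--; current += ch; continue;
    }
    if (ch === ',' && depth === 0) { args.push(current.trim()); current = ''; continue; }
    current += ch;
  }
  return null;
}

// Find every g_form.getReference(...) call and report the ones that pass only
// the field name: with no callback argument the call is synchronous.
function findSyncGetReference(src) {
  const findings = [];
  const callPattern = /g_form\s*\.\s*getReference\s*\(/g;
  let match;
  while ((match = callPattern.exec(src)) !== null) {
    const openParen = match.index + match[0].length - 1;
    const args = splitArgs(src, openParen);
    if (args === null) continue;          // unbalanced call: skip rather than guess
    if (args.length < 2) {
      const line = src.slice(0, match.index).split('\n').length;
      findings.push({ line, field: args[0] || '' });
    }
  }
  return findings;
}

// Run the rule over every script and return { scriptName: [findings] }.
function scanScripts(scripts) {
  const results = {};
  for (const [name, src] of Object.entries(scripts)) {
    results[name] = findSyncGetReference(src);
  }
  return results;
}

for (const [name, findings] of Object.entries(scanScripts(SAMPLE_SCRIPTS))) {
  console.log(name, findings.length ? findings : 'no synchronous getReference calls');
}
```

The argument splitter is what keeps the callback case from being flagged: the function body passed as the second argument contains commas and parentheses of its own, and a naive regex would miscount them. The splitter does not skip comments, so an apostrophe inside a comment that sits within the argument list would confuse the string tracking; a production rule would tokenise the source first.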
QC Portal
Dashboards
New dashboards:
- Evolution of issues (Salesforce)
- Comparison dashboard (Salesforce)
- Team dashboard (Salesforce)
- General Dashboard restyling (ServiceNow)
- Tech Debt KPI improved with new metrics: Variation from previous scan, Global Technical Debt.
Bug Fixes
- Evolution of issues timeline (day-based) added up metrics if multiple scans on the same day/instance. Now average aggregation is used.
- Week numbered schedule type not launching under certain conditions.
August 9, 2019
Quality Clouds for ServiceNow
New Functionality
- The Upgradeability dashboard now includes information on Out of the Box changes which will be affected in the upgrades to the New York version of ServiceNow.
Changes in Behaviour
- The definition of the rule "Client UI Actions using GlideRecord" has been modified to exclude from the rule UI actions which, even if they have been marked for client-side execution, include code to be executed on the server side. This is in order to prevent false positives, where the GlideRecord call is included in the server side of the script.
Quality Clouds for Salesforce
New Functionality
- The profiling dashboard now includes the list of Open Source JavaScript frameworks included as UI scripts
Changes in Behaviour
- Improved performance on Git based scans
Bug Fixes
- Removed false positives in some APEX rules
- Removed duplicate reporting on some custom rules
Quality Clouds for Office365
New Functionality
- Ability to customise the ruleset, ignoring some rules completely, and modifying severity and time to fix (contribution to Technical Debt) on any rule.
QC Portal
New Functionality
- End of Scan email now includes comparison on New vs. Closed Issues since last scan
- You can now review your Git scans from the history menu
Dashboards
- ServiceNow and Salesforce Profiling dashboards now list detected Open Source libraries
- New Team Dashboard for Salesforce
Bug Fixes
- Solved 500 Error which occasionally arose in specific accounts.
July 4, 2019
Quality Clouds for ServiceNow
New Functionality
- The profiling dashboard now includes the list of Open Source JavaScript frameworks included as UI scripts, and the breakdown of tables created in scoped applications and in the Global Scope.
- The lines of code count is now included in the grids on the Upgradeability Dashboard.
Quality Clouds for Salesforce
New Functionality
- Added operational data metrics about licenses assigned to inactive and frozen users.
Changes in Behaviour
- PMD updated to version 6.15
June 18, 2019
Quality Clouds for ServiceNow
Changes in Behaviour
- Inactive Catalog Client Scripts were being excluded from the Lines of Code count KPI. These elements are now included.
June 12, 2019
Quality Clouds for ServiceNow
New Functionality
- Upgradeability dashboard now shows OOTB modifications which will cause a skipped record, up to Madrid Patch 3
Changes in Behaviour
- New Dashboard - compare issues between scans - now shows issues closed and opened between any two scans.
- New features on Team Dashboard - Best Developer
Bug Fixes
- None on this release
April 5, 2019
Quality Clouds for ServiceNow
New Functionality
- New operational metric: logins and unique logins per department
- New operational metric: logins and unique logins per role (admin, fulfiller, approver)
- New operational metric: inactive users
- Full user-agent is captured on slow transactions
Changes in Behaviour
- Inactive users widget added to User Adoption dashboard
Bug Fixes
- None on this release
Quality Clouds for Salesforce
New Functionality
- Added operational data metric about file storage use
Changes in Behaviour
- Performance improvements
Bug Fixes
- None on this release
Quality Clouds for Office365
New Functionality
- Added ability to scan git repositories
- Added automated execution of tslinter to detect issues in SharePoint Framework TypeScript Code
Changes in Behaviour
- Performance improvements
Bug Fixes
- None on this release
QC Portal (Scan Website)
New Functionality
- Last used instance and dashboard remembered when entering QC Portal
- General security hardening
- Git repository can be specified in Office instances for code scan
- Enhancements to Action mail, which now links to specific portal Dashboards
Dashboards
- New Office 365 Executive Dashboard
- New cross-platform Governance Dashboard
- Date range selector added to Best Practices Analysis
Bug Fixes
- User Role Sales Representative can break DOM
- Download issues may yield wrong Best Practice description
- Minor Fixes in Action mail and Activation mail.
March 11, 2019
Quality Clouds for ServiceNow
New Functionality
- Two new Configuration Element types have been included in the Quality Clouds analysis: Inbound Email Actions and Script Actions.
- The online check functionality is now also available for these Configuration Element types. Access the required Update Set from Update Set for Live Check
- A new update set is available to activate the Online Check button for these two configuration element types.
- The below new Best Practices have been implemented with this release:
Best Practice Description | Configuration Element Type | Severity | Impact Area | Impact | Remediation |
---|---|---|---|---|---|
Scripts should not use gs.sql | All Server Side Script Elements | HIGH | MANAGEABILITY | gs.sql executes against the database directly. This risks system integrity. | Do not use gs.sql in code. It interacts and alters the database directly, potentially causing significant damage to the integrity of the system. Remove all references, and use GlideRecord instead. |
Avoid Global UI Scripts | UI Scripts | LOW | PERFORMANCE | Global UI scripts are loaded on every single page/form in ServiceNow even if the code within them is not called. | Make the UI Script non-global, and include the UI Script on the appropriate page by referencing the script as needed |
Inbound Email Actions with hard-coded sys_ids | Inbound Email Actions | MEDIUM | MANAGEABILITY | Hard coding sys_ids makes the system more difficult to manage, and less able to move functionality between instances | Create a system property to store the name of the record (not the sys_id) for easier manageability. The script can use gs.getProperty() to retrieve the record and use the sys_id. If the named record was not found, an error can be displayed appropriately. |
Inbound Email Actions using GlideRecord and getRowCount | Inbound Email Actions | MEDIUM | SCALABILITY | GlideRecord.getRowCount() works by getting the whole result set without using the built-in arithmetic functions of the database. GlideAggregate does use the database, and is therefore often drastically faster. The exception to this recommendation is if you intend to loop through the records and process them anyway. | Replace GlideRecord with GlideAggregate and a COUNT aggregate to improve performance. This could make a large impact when working on tables with a high record count. |
Script Actions with hard-coded sys_ids | Script Actions | MEDIUM | MANAGEABILITY | Hard coding sys_ids makes the system more difficult to manage, and less able to move functionality between instances | Create a system property to store the name of the record (not the sys_id) for easier manageability. The script can use gs.getProperty() to retrieve the record and use the sys_id. If the named record was not found, an error can be displayed appropriately. |
Script Actions using GlideRecord and getRowCount | Script Actions | MEDIUM | SCALABILITY | GlideRecord.getRowCount() works by getting the whole result set without using the built-in arithmetic functions of the database. GlideAggregate does use the database, and is therefore often drastically faster. The exception to this recommendation is if you intend to loop through the records and process them anyway. | Replace GlideRecord with GlideAggregate and a COUNT aggregate to improve performance. This could make a large impact when working on tables with a high record count. |
SOAP Request Strict Security should be enabled | System Properties | HIGH | SECURITY | Without appropriate authorization configured on the incoming SOAP requests, an unauthorized user can get access to sensitive content/data on the target instance | Set the system property "glide.soap.strict_security" to true. |
Java Package Collection mode and Collection mode override properties should be disabled | System Properties | HIGH | SECURITY | The "Collection Mode" property allows for the direct calling of new Java packages that have not been called before. Once enabled, this plugin manages the relationship between the server side code and Collection mode property to enforce security restrictions. | It is recommended to set this property "glide.whitelist.manager.collection_mode.override" to false to close the security gap that exists when importing Java package calls into an instance. |
Client Generated Scripts Sandbox should be enabled | System Properties | HIGH | SECURITY | In some circumstances it is possible for the client to generate arbitrary script code and send it for evaluation to the server. For instance, by using the API call AJAXEvaluate, and by specifying javascript formulas in query filters. Enabling Generated Script Sandboxing increases security by running these scripts inside a reduced rights sandbox. | Set the system property "glide.script.use.sandbox" to true |
Cookies – HTTP Only should be enabled | System Properties | HIGH | SECURITY | If this property is not set to "true", javascript code can manipulate cookies set by ServiceNow. This opens up some cross-site scripting attack vectors | Set the system property "glide.cookies.http_only" to true. This reduces (but does not eliminate) the vulnerability to cross-site scripting attacks. |
Escape HTML should be enabled | System Properties | HIGH | SECURITY | Setting the type of a table column to HTML allows its contents to be displayed with HTML formatting tags. However it also opens up a cross-site script attack vector since a malicious user could inject HTML code to execute unauthorised scripts when these fields are rendered. | Set the system property "glide.ui.escape_html_list_field" to true. |
CSV Request Authorization should be enabled | System Properties | HIGH | SECURITY | Without appropriate authorization configured on the incoming CSV requests, an unauthorized user can get access to sensitive content/data on the target instance. | It is recommended to set this property "glide.basicauth.required.csv" to true, as without appropriate authorization configured on the incoming CSV requests, an unauthorized user can get access to sensitive content/data on the target instance. |
SSLv2/SSLv3 should be disabled | System Properties | HIGH | SECURITY | When active, outbound connections from an instance are forced to use TLS instead of SSL. Setting this property forces the MID Server to use TLS when making outbound connections, such as REST and SOAP requests. | It is recommended to set this property "glide.outbound.sslv3.disabled" to true to enforce the use of TLS during all outbound connections from the ServiceNow instance |
AJAXGlideRecord ACL Checking should be enabled | System Properties | HIGH | SECURITY | From within client scripts, it is possible to query arbitrary data from the server via the GlideAjax API, by using a syntax similar to a server-side GlideRecord. Unless ACLs are checked, this can cause data leaks. | Enable the AJAXGlideRecord ACL property "glide.script.secure.ajaxgliderecord". Any scripts using GlideAjax should be tested thoroughly to ensure that no loss of functionality occurs. |
SLA logging level should be set to "notice" | System Properties | HIGH | PERFORMANCE | SLA logging can produce significant volumes of logs, and can cause performance problems. | In the SLA properties module, set the property Log/trace level of TaskSLA model to notice |
Basic Auth SOAP Requests setting should be enabled | System Properties | HIGH | SECURITY | Without appropriate authorization configured on the datasource SOAP requests, an unauthorized user can get access to sensitive content/data on the target instance. | Set the system property "glide.basicauth.required.soap" to true to enforce soap requests authorization. |
Old UI enabled or being used | System Properties | HIGH | SECURITY | UI11 was deprecated in the Istanbul release, and should not be used any more. | To ensure that users can use the latest User Interface set the glide.ui.doctype property to true. To move users away from UI11, update sys_user_preferences glide.ui11.use to false for all users. |
Script Request Authorization should be enabled | System Properties | HIGH | SECURITY | Without appropriate authorization configured on the incoming Script requests, an unauthorized user can get access to sensitive content/data on the target instance. | Enable the Script Request Authorization property glide.basicauth.required.scriptedprocessor |
Escape Jelly should be enabled | System Properties | HIGH | SECURITY | Input validation has to occur on the application to defend against cross-site scripting attacks which would allow foreign scripts to execute on user session in the logged in browser's context. This can be leveraged by attackers to steal session information and sensitive data. | Set the system property "glide.ui.escape_text" to true. |
"Allow Javascript tags in Embedded HTML" property should be disabled | System Properties | HIGH | SECURITY | Journal fields have the ability to render text enclosed within code tags as HTML. There is an associated security risk, since any malicious user can write JS code that may be executed on a different client browser after the journal fields are rendered. | Set the glide.ui.security.codetag.allow_script property to false to disable support for embedding Javascript tags using the [code] tag. |
Enable AJAXEvaluate should be disabled | System Properties | HIGH | SECURITY | In some circumstances it is possible for the client to generate arbitrary script code and send it for evaluation to the server. For instance, by using the API call AJAXEvaluate, and by specifying javascript formulas in query filters. | Set the system property "glide.script.allow.ajaxevaluate" to false to disable the use of the API call AJAXEvaluate |
Anti-CSRF Token setting should be enabled | System Properties | HIGH | SECURITY | Cross site Request Forgery is a significant security risk that violates the integrity of the instance data. An attacker can launch the CSRF attack on any instance user by abusing the application's trust on the instance user. With the help of social engineering attacks, a user can submit a malformed request on behalf of the attacker on the instance. | Set the system property "glide.security.use_csrf_token" to true to enable an extra validation step before the instance user submits a write request to the instance. |
Escape XML should be enabled | System Properties | HIGH | SECURITY | Input validation has to occur on the application to defend against cross-site scripting attacks which would allow foreign scripts to execute on user session in the logged in browser's context. This can be leveraged by attackers to steal session information and sensitive data. | Set the system property "glide.ui.escape_text" to true. |
HTML Sanitizer property should be enabled | System Properties | HIGH | SECURITY | Remove unwanted code and protect against security concerns such as cross-site scripting attacks by sanitizing HTML markup in HTML fields and translated HTML fields. | Set the system property "glide.html.sanitize_all_fields" to true. |
"Check UI Action Conditions check before Execution" should be enabled | System Properties | HIGH | SECURITY | Access request should always be checked when transactions happen between two zones. This operation validates any UI actions before the form is rendered to the end user. | Set the system property "glide.security.strict.actions" to true |
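A defender-side way to use the System Properties rows above, as an added example that is not Quality Clouds code: a Node.js script that compares an export of sys_properties rows (here a constructed sample) against the values the table asks for and reports each property as compliant, non-compliant or missing. Missing is reported on its own because a property that was never set, or that reverted on an upgrade, still leaves the instance at its default. The SLA logging level and the UI11 user preference are not boolean system properties and are left out. The baseline list, the sample export and the function names are assumptions of this example.

```javascript
// Added example, not Quality Clouds code: audit a sys_properties export against
// the hardening baseline from the best-practice table above.

// Baseline: property name -> value the table asks for, with the check's title.
const BASELINE = [
  { name: 'glide.soap.strict_security', expected: 'true', check: 'SOAP Request Strict Security' },
  { name: 'glide.whitelist.manager.collection_mode.override', expected: 'false', check: 'Java Package Collection mode override' },
  { name: 'glide.script.use.sandbox', expected: 'true', check: 'Client Generated Scripts Sandbox' },
  { name: 'glide.cookies.http_only', expected: 'true', check: 'Cookies HTTP Only' },
  { name: 'glide.ui.escape_html_list_field', expected: 'true', check: 'Escape HTML' },
  { name: 'glide.basicauth.required.csv', expected: 'true', check: 'CSV Request Authorization' },
  { name: 'glide.outbound.sslv3.disabled', expected: 'true', check: 'SSLv2/SSLv3 disabled' },
  { name: 'glide.script.secure.ajaxgliderecord', expected: 'true', check: 'AJAXGlideRecord ACL Checking' },
  { name: 'glide.basicauth.required.soap', expected: 'true', check: 'Basic Auth SOAP Requests' },
  { name: 'glide.ui.doctype', expected: 'true', check: 'Old UI not used' },
  { name: 'glide.basicauth.required.scriptedprocessor', expected: 'true', check: 'Script Request Authorization' },
  { name: 'glide.ui.escape_text', expected: 'true', check: 'Escape Jelly / Escape XML' },
  { name: 'glide.ui.security.codetag.allow_script', expected: 'false', check: 'Allow Javascript tags in Embedded HTML' },
  { name: 'glide.script.allow.ajaxevaluate', expected: 'false', check: 'Enable AJAXEvaluate' },
  { name: 'glide.security.use_csrf_token', expected: 'true', check: 'Anti-CSRF Token' },
  { name: 'glide.html.sanitize_all_fields', expected: 'true', check: 'HTML Sanitizer' },
  { name: 'glide.security.strict.actions', expected: 'true', check: 'Check UI Action Conditions before Execution' },
];

// Constructed sample of sys_properties rows (name/value), as an export might
// look. Most baseline properties are deliberately absent to show the
// 'missing' status; values carry case and whitespace noise on purpose.
const SAMPLE_EXPORT = [
  { name: 'glide.soap.strict_security', value: 'true' },
  { name: 'glide.script.allow.ajaxevaluate', value: 'true' },   // table asks for false
  { name: 'glide.cookies.http_only', value: 'True ' },            // compliant once normalised
  { name: 'glide.security.use_csrf_token', value: 'false' },     // table asks for true
  { name: 'glide.ui.escape_text', value: 'true' },
];

// Normalise a stored value: sys_properties values are strings, and booleans
// are often stored with varying case or stray whitespace.
function normalise(value) {
  return String(value == null ? '' : value).trim().toLowerCase();
}

// Compare every baseline property with the export. A property that is not in
// the export is reported as 'missing' rather than silently passing.
function auditProperties(exportRows, baseline = BASELINE) {
  const values = new Map(exportRows.map((r) => [r.name, normalise(r.value)]));
  return baseline.map((b) => {
    const actual = values.has(b.name) ? values.get(b.name) : null;
    const status = actual === null ? 'missing'
      : actual === b.expected ? 'compliant' : 'non-compliant';
    return { property: b.name, check: b.check, expected: b.expected, actual, status };
  });
}

// Count findings by status, e.g. { compliant: 3, 'non-compliant': 2, missing: 12 }.
function summarise(findings) {
  return findings.reduce((acc, f) => {
    acc[f.status] = (acc[f.status] || 0) + 1;
    return acc;
  }, {});
}

// One line per property that needs attention; compliant ones are omitted.
function report(findings) {
  return findings
    .filter((f) => f.status !== 'compliant')
    .map((f) => `${f.status.toUpperCase()}: ${f.property} (${f.check}) expected ${f.expected}, got ${f.actual === null ? 'not set' : f.actual}`);
}

const findings = auditProperties(SAMPLE_EXPORT);
console.log(summarise(findings));
report(findings).forEach((line) => console.log(line));
```

Feeding a real export means replacing SAMPLE_EXPORT with the name/value rows of the sys_properties table; the comparison is string-based on purpose, since that is how the instance stores these values, and a property that is not in the export at all is the case the September notes describe, where a setting quietly reverts on upgrade.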
Changes in Behaviour
- None on this release
Bug Fixes
- None on this release
Quality Clouds for Salesforce
New Functionality
- The following new Best Practices which affect the Org Configuration as a whole have been implemented with this release:
Best Practice Description | Configuration Element Type | Severity | Impact Area | Impact | Remediation |
---|---|---|---|---|---|
The trusted IP range is too wide | Org. Config. | WARNING | SECURITY | Having an allowed IP range which is too broad makes this security technique ineffective | Use restrictive IP ranges to enforce meaningful restrictions |
The following new Operational Metrics are available as of this release:
Metric Name | Description | Impact | Action |
---|---|---|---|
Administrator Users | Number of users in the Org with administrator Profile | Too many users with administrator access can complicate the manageability of the Org | Reduce the number of administrators to the minimum |
Percentage of file storage used | Indicates the percentage of usage of the storage available for files in the Org | Running close to the limit can cause unexpected costs if the limit is exceeded | Reduce the amount of files stored, or provision additional space |
Users with logins in the last 14 days | The number of users who have logged into the Org in the preceding 14 days | Monitor the number of users who frequently log into the Org | Track Org usage to optimise licensing costs and to ensure platform adoption |
Active users without logins in the last 14 days | The number of active users who have not logged into the Org in the preceding 14 days | Having a large number of active users who do not use the Org in a significant period of time may indicate that licenses are being wasted | Track Org usage to optimise licensing costs and to ensure platform adoption |
Users with department / manager / division assigned | The number of users with these organisational attributes filled in | Depending on your requirements it may be necessary to have all users assigned to any or multiple of these categories | Track any gaps in these attributes to ensure that your required coverage is achieved |
Total logins by country | The number of logins into the Org originating from a specific country | Depending on your requirements it may be necessary to track logins by country | Track logins by country to ensure that the distribution matches your expectations |
API call limit | The total number of API calls available in a 24 hour period | Having a limit which is too low for your requirements can cause unexpected costs | Provision additional capacity before the limit is breached |
Number of API calls in the last 24 hours | The total number of API calls performed in the last 24 hours | Breaching the allowed threshold can cause unexpected costs | Provision additional capacity before the limit is breached |
Changes in Behaviour
- License information metrics are not considering free user licenses
- New operational metric - Administrator users
- Test coverage information is being captured
- The Salesforce edition is now being captured
Bug Fixes
- None included in this release
QC Portal (Scan Website)
New Functionality
- New Remediation mail: Get an insight on the most common issue type from each impact area, and how to solve it!
- End of scan email now includes detailed info on the warnings, if they were found
Dashboards
- Rescaled Salesforce dashboards for a better screen fit
- Added Application filter in the ServiceNow Team dashboard
- Enhancements to the ServiceNow Code Monitor Dashboard:
- New 'differences between scans' option
- Added Script Actions and Inbound Email Actions configuration elements to the element breakdown
- Added Configuration Element filter to the INFOs tables
- ServiceNow Upgradeability dashboard now allows multiple Configuration Element types selection
- New Salesforce Governance dashboard for operational metrics
Bug Fixes
- Minor issue fixed in History date ordering
February 14, 2019
Quality Clouds for ServiceNow
New Functionality
- Out of the Box configuration elements which will be affected by the upgrade to the Madrid Release (early availability) are now included in the Upgradeability Dashboard.
Changes in Behaviour
- Custom (client-specific) rules are applied on Update Set scans
Bug Fixes
- None
Quality Clouds for Salesforce
New Functionality
- PMD version updated to 6.11.0
- The following new Best Practices which affect individual Configuration Elements have been implemented with this release:
Best Practice Definition | Applies To | Severity | Impact Area | Ruleset | Additional Reference |
---|---|---|---|---|---|
Avoid declaring several variables of the same type on one line. | Apex Class | HIGH | Manageability | PMD - APEX | |
ApexDoc comments are present for classes, methods, and properties that are public or global, excluding overrides and test classes | Apex Class | MEDIUM | Manageability | PMD - APEX | |
Missing ApexDoc @description | Apex Class | MEDIUM | Manageability | PMD - APEX | |
- The following new Best Practices which affect the Org Configuration as a whole have been implemented with this release:
Best Practice Description | Configuration Element Type | Severity | Impact Area | Impact | Remediation |
---|---|---|---|---|---|
There are free entry Custom Fields with no data restriction | Objects | MEDIUM | MANAGEABILITY | Free entry fields with no data restriction or validations are likely to result in low quality of data being stored in the Org | Add validation rules to free entry fields. |
Convert Attachments to Files | Org. Config. | MEDIUM | MANAGEABILITY | The Attachments object is no longer supported and will soon be replaced with Salesforce Files | Convert Attachments to Files |
Password Policy Complexity is too weak | Org. Config. And Profile Settings | HIGH | SECURITY | Potential vulnerability when accessing accounts | Modify the password complexity settings to require special characters, a mixture of upper and lower case, and numeric characters |
Password Policy Expiration is too weak | Org. Config. And Profile Settings | MEDIUM | SECURITY | Potential vulnerability when accessing accounts | Modify the password expiration time to ninety days or less |
Password Policy Repetition is too weak | Org. Config. And Profile Settings | MEDIUM | SECURITY | Potential vulnerability when accessing accounts | Modify the number of previous passwords saved for users to 3 or more |
Password Policy Max Login Attempts too wide | Org. Config. And Profile Settings | MEDIUM | SECURITY | Potential vulnerability when accessing accounts | Limit the number of login failures allowed for a user before the user is locked out |
Password Policy Minimum Password Length too weak | Org. Config. And Profile Settings | HIGH | SECURITY | Potential vulnerability when accessing accounts | Set the minimum number of characters required for a password to 8 or more |
Password Policy: Obfuscate the Secret Answer | Org. Config. And Profile Settings | MEDIUM | SECURITY | Potential vulnerability when accessing accounts | Hide the secret answer associated with a password |
Password Policy Password Hint contains password | Org. Config. And Profile Settings | MEDIUM | SECURITY | Potential vulnerability when accessing accounts | Restrict the answer to the password hint question to “DoesNotContainPassword” |
Changes in Behaviour
- REST API credentials are now mandatory to configure an Org
Bug Fixes
- None included in this release
QC Portal (Scan Website)
New Functionality
- QC-Bot available! Set operational alerts on your instances and get notified when the defined thresholds/ranges are reached.
- Launch connectivity tests on instances with 'Do Not Persist Credentials' mode enabled.
Dashboards
- Best Practices Analysis: Now includes Best Practice impact and recommended action.
- Performance: Includes an export button for the Rowcount>=100 issue
Bug Fixes
- QC Portal log search now works across all pages
January 30, 2019
Quality Clouds for ServiceNow
New Functionality
- Support for Operational Scans
- Support for Operational Alerts
- Trend of Quality of Cloud indicator added to Executive Dashboard
- Number of written-off issues added to Executive Dashboard
Changes in Behaviour
- None
Bug Fixes
- Fixed bug where some Updated On dates were reported with 0 value
Quality Clouds for Salesforce
New Functionality
- Support for Operational Scans
- Support for Operational Alerts
- The following new Best Practices which affect individual Configuration Elements have been implemented with this release:
Best Practice Definition | Applies To | Severity | Impact Area |
---|---|---|---|
Too many Picklist fields per Object | Object | MEDIUM | Manageability |
Indexed Fields / Custom Fields Created | Object | MEDIUM | Performance |
Having more than one trigger on an object can cause you to reach Apex limits | Object | MEDIUM (more than 2 triggers) LOW (2 triggers) | Manageability |
Too many sharing rules on objects can increase the time it takes to save and load records | Object | MEDIUM | Performance |
The object has too many active validation rules | Object | MEDIUM | Performance |
Avoid hardcoded urls | Apex Class | MEDIUM | Manageability |
Avoid hardcoded urls | Apex Trigger | MEDIUM | Manageability |
The object has custom Fields with Neither Description nor Help Text | Object | LOW | Manageability |
API versions that are more than nine releases—or three years—old can hinder your code's performance. | Apex Class | WARNING | Performance |
API versions that are more than nine releases—or three years—old can hinder your code's performance. | Apex Trigger | WARNING | Performance |
New code using out-of-date API versions does not provide the latest functionality and security features. | Apex Class | WARNING | Performance |
New code using out-of-date API versions does not provide the latest functionality and security features. | Apex Trigger | WARNING | Performance |
- The following new Best Practices which affect the Org Configuration as a whole have been implemented with this release:
Best Practice Definition | Severity | Impact Area |
---|---|---|
Too many branches on Role Hierarchy | MEDIUM | MANAGEABILITY |
Too many Custom Reports over used objects | MEDIUM | MANAGEABILITY |
Too many Dashboards over used objects | MEDIUM | MANAGEABILITY |
Too many Profiles and Permission Sets | MEDIUM | MANAGEABILITY |
Too many Apex Triggers per Object used | MEDIUM | MANAGEABILITY |
Too many Reports and Dashboards without folder assigned | MEDIUM | MANAGEABILITY |
The percentage of asynchronous classes is too high | LOW | MANAGEABILITY |
The instance has more than 5,000 lines of APEX code | WARNING | MANAGEABILITY |
Coverage of Unit Tests is less than 75% | WARNING | MANAGEABILITY |
Cross-Site Request Forgery (CSRF) protection on GET requests on non-setup pages is disabled | MEDIUM | SECURITY |
Cross-Site Request Forgery (CSRF) protection on POST requests on non-setup pages is disabled | MEDIUM | SECURITY |
Clickjack protection for non-setup Salesforce pages is disabled | MEDIUM | SECURITY |
Clickjack protection for customer Visualforce pages with standard headers turned on is disabled | MEDIUM | SECURITY |
Clickjack protection for customer Visualforce pages with standard headers turned off is disabled | MEDIUM | SECURITY |
Clickjack protection for setup pages is disabled | MEDIUM | SECURITY |
The browser is not prevented from inferring the MIME type from the document content and from executing malicious files | MEDIUM | SECURITY |
Cross-domain session information is exchanged using a GET request instead of a POST request | MEDIUM | SECURITY |
Protection against reflected cross-site scripting attacks is disabled | MEDIUM | SECURITY |
The IP addresses in Login IP Ranges are enforced only when a user logs in | MEDIUM | SECURITY |
There is no session timeout for inactive users | MEDIUM | SECURITY |
Visualforce, Salesforce sites, or Communities must use HTTPS | MEDIUM | SECURITY |
Prevent unauthorized use of session ID | MEDIUM | SECURITY |
HTTPS is not required to log in to or access Salesforce | MEDIUM | SECURITY |
Inactivity Time Warning | WARNING | SECURITY |
Session Policy - Enable Content Security Policy | MEDIUM | SECURITY |
Changes in Behaviour
- None on this release
Bug Fixes
- Fixed bug where Org Id was not being captured correctly
Scan Website
New Functionality
- More secure activation link in user provisioning email
- Refactored user to First + Last Name
- Random Tip-of-the-day message in Scan results email
- New Project User Role available, to isolate user access to a project in a customer account
Dashboards
- New Filter by Type in Application Overview
- Added trends to Executive dashboard main KPIs
Bug Fixes
- Salesforce dashboards: several minor bug fixes
- Fixed miscalculation of Number of developers and OOTB modified CEs in mail summary
November 22, 2018
Quality Clouds for ServiceNow
New Functionality
- Operational Scans, which extract information about the run-time usage of the instance, are included in this release.
- A new Update Set with ACL definitions for the new required tables (sysevent, sys_scope) is available for download if you are using a non-Admin account for your Quality Clouds scans.
Changes in Behaviour
- Scoped applications which are created as a result of plugin activations are now being included in the list of Custom Applications. Previously, only locally developed Scoped Applications were included in this list. As a result, you may see a re-distribution of Configuration Elements across applications, with Configuration Elements moving from the Global Scope or a Platform Application (plugin) to a Custom Application. This does not affect the number of issues detected or the main KPIs.
Bug Fixes
- None
Quality Clouds for Salesforce
New Functionality
- Added operational data about user logins per department
Changes in Behaviour
- None on this release
Bug Fixes
- None on this release
Scan Website
New Functionality
- Back-end support for operational scans on customer instances.
- Schedules now allow operational scans.
- History display and filter by type of scan: Instance, Jenkins, Operational and Update Set.
- Dashboard refresh launched individually depending on scan type (faster data refresh).
- Total Write-Off elements displayed in Issues list form.
- Redesigned login page.
Dashboards
- Code monitor: Element list now alphabetically ordered.
Bug Fixes
- Scan Form correctly refreshes instance list when adding new instances.
November 13, 2018
Quality Clouds for ServiceNow
New Functionality
- Lines of code in inactive configuration elements are being reported. This new indicator is available in the Profiling dashboard.
Changes in Behaviour
Bug Fixes
- A bug which resulted in the incorrect number of lines being counted for minified javascript files has been fixed.
Quality Clouds for Salesforce
New Functionality
- Added operational data about users
- Added operational data about LoggingHistory
Changes in Behaviour
Finer Granularity for GDPR Issues (matches the ServiceNow definitions)
- GDPR sensitive information warnings, which were until now grouped in the issue with code 3000.- Possible PII usage in Configuration Element, have been split into the following issue types:
  - 3010.- Possible PII usage in Configuration Element - Email
  - 3011.- Possible PII usage in Configuration Element - Passport
  - 3012.- Possible PII usage in Configuration Element - Address
  - 3013.- Possible PII usage in Configuration Element - Nationality
- GDPR extra-sensitive information issues, which were until now grouped in the issue with code 3001.- Possible extra-sensitive PII usage in Configuration Element, have been split into the following issue types:
  - 3100.- Possible extra-sensitive PII usage in Configuration Element - Gender
  - 3101.- Possible extra-sensitive PII usage in Configuration Element - Religion
- The total number of issues, technical debt, and Quality of Cloud indicators are unchanged by the above change in issue classification.
- Improved detection of custom objects
Bug Fixes
- Fixed bug in detection of "created on" date in role objects
- Corrected typos in best practices
Scan Website
New Functionality
- New SaaS Platform available: Office 365!
- Link your O365 instances and launch Quality Clouds scans to obtain Quality and Operational metrics!
- Performed Update Set Scans are now available in history, to allow recovering them at any time
- Salesforce Dashboards
  - New overview tab in the Apex Class drill down: Asynchronous classes ratio, level of customisation, Ratio by type, etc.
  - New filter by best practice in the issues tab
  - Drill down by impact area, from the overview tab
  - General restyling
- More information in the Monthly report
  - List of failed scans with cause of the failure
  - Show active schedules on each instance
  - List of Update Set scans launched in period
Bug Fixes
- Only profiling dashboard visible in home selector if only profiling scans available for an instance
- Salesforce dashboards: fixed incorrect ratio of objects with reports
- Lines of Code graph now removed from time filtering
- Solved issue with dashboard order in selector randomly changing
October 25, 2018
Quality Clouds for ServiceNow
Changes in Behaviour
Finer Granularity for GDPR Issues
- GDPR sensitive information warnings, which were until now grouped in the issue with code 3000.- Possible PII usage in Configuration Element, have been split into the following issue types:
  - 3010.- Possible PII usage in Configuration Element - Email
  - 3011.- Possible PII usage in Configuration Element - Passport
  - 3012.- Possible PII usage in Configuration Element - Address
  - 3013.- Possible PII usage in Configuration Element - Nationality
- GDPR extra-sensitive information issues, which were until now grouped in the issue with code 3001.- Possible extra-sensitive PII usage in Configuration Element, have been split into the following issue types:
  - 3100.- Possible extra-sensitive PII usage in Configuration Element - Gender
  - 3101.- Possible extra-sensitive PII usage in Configuration Element - Religion
- The total number of issues, technical debt, and Quality of Cloud indicators are unchanged by the above change in issue classification.
Bug Fixes
- Warnings of type "3012.- Possible PII usage in Configuration Element - Address" should now exclude IP Address fields.
- Some elements modified in ServiceNow upgrades, which were being reported as customisations to OOTB elements, should now be suppressed.
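The split of issues 3000 and 3001 into per-category codes (described here and, for Salesforce, in the November 13, 2018 notes) together with the fix that keeps IP address fields out of 3012 can be expressed as a small classifier over the fields of a configuration element. The following is an added example and not the Quality Clouds detector: the keyword rules, the list of tokens that disqualify an "address" field from being a postal address, and the sample u_employee field list are all assumptions. It also shows why the totals are unchanged by the split, by mapping each new code back to the group it came from.

```python
import re
from collections import Counter

# Issue codes and labels as listed in the release notes above.
ISSUES = {
    3010: "Possible PII usage in Configuration Element - Email",
    3011: "Possible PII usage in Configuration Element - Passport",
    3012: "Possible PII usage in Configuration Element - Address",
    3013: "Possible PII usage in Configuration Element - Nationality",
    3100: "Possible extra-sensitive PII usage in Configuration Element - Gender",
    3101: "Possible extra-sensitive PII usage in Configuration Element - Religion",
}

# Tokens that make "address" something other than a postal address. The page
# only names IP addresses; the rest of this list is an assumption.
NON_POSTAL_ADDRESS_TOKENS = {"ip", "ipv4", "ipv6", "mac", "url", "email", "mail"}


def _tokens(text):
    """Lower-case alphanumeric tokens: "u_ip_address" -> ["u", "ip", "address"]."""
    return [t for t in re.split(r"[^a-z0-9]+", text.lower()) if t]


def classify_field(name, label=""):
    """Return the issue codes that apply to one field, from its name and label."""
    tokens = set(_tokens(name)) | set(_tokens(label))
    joined = "".join(_tokens(name)) + " " + "".join(_tokens(label))
    codes = []
    if "email" in joined:
        codes.append(3010)
    if "passport" in joined:
        codes.append(3011)
    # Postal address only: "u_ip_address" and "email address" are excluded.
    if "address" in tokens and not tokens & NON_POSTAL_ADDRESS_TOKENS:
        codes.append(3012)
    if "nationalit" in joined:
        codes.append(3013)
    if tokens & {"gender", "sex"}:
        codes.append(3100)
    if "religio" in joined:
        codes.append(3101)
    return codes


def scan_element(element_name, fields):
    """Findings for one configuration element; fields is a list of (name, label)."""
    findings = []
    for name, label in fields:
        for code in classify_field(name, label):
            findings.append({"code": code, "issue": ISSUES[code],
                             "element": element_name, "field": name})
    return findings


def legacy_code(code):
    """Map a split code back to its pre-split group: 3000 sensitive, 3001 extra-sensitive."""
    return 3000 if code < 3100 else 3001


def count_by_legacy_code(findings):
    """Totals per old code; these equal the pre-split totals, as the notes state."""
    return Counter(legacy_code(f["code"]) for f in findings)


# Constructed field list for a hypothetical custom table; not from any instance.
SAMPLE_FIELDS = [
    ("u_email", "Email"),
    ("u_home_address", "Home Address"),
    ("u_ip_address", "IP Address"),
    ("u_passport_no", "Passport Number"),
    ("u_nationality", "Nationality"),
    ("u_gender", "Gender"),
    ("u_faith", "Religion"),
    ("u_badge", "Badge Id"),
]

if __name__ == "__main__":
    results = scan_element("u_employee", SAMPLE_FIELDS)
    for f in results:
        print(f["code"], f["element"], f["field"], f["issue"])
    print(dict(count_by_legacy_code(results)))
```

Run on the constructed table this yields six findings, one per PII field, and u_ip_address produces none because its tokens include "ip"; grouping the six by legacy_code gives four under 3000 and two under 3001, the same totals the single pre-split codes would have produced.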
Quality Clouds for Salesforce
New Functionality
- Code duplication issues in Apex Classes and Apex Triggers are now being detected
- 3 new best practices related to Organisation Customisation
- Ratio of Custom Objects to Standard Objects
- Excessive number of business Apex Classes
- Excessive number of roles in the organisation
Changes in Behaviour
- Issues of type "Variables should start with a lowercase character" are now being detected in Apex Triggers, as well as in Apex Classes