Validations

As part of exporting custom extensions process following validations are performed by the export tool on your customizations to ensure that they conform to the cloud deployment standards.

Note: When running the export tool on the devtoolkit_extensions.xml file, the following validations are performed. Effective shortly, if any of these validations fail, the validate target will fail and the tool will throw an exception message detailing the error and where the validation fails first. The tool creates the customization package only if all the validation errors are fixed. These validations are enforced when uploading customizations to your SaaS environment.
  • Validating custom properties
  • Class name conflicts
  • File name conflicts
  • Log4j 1.x usage (discontinued)
To test whether all customizations are valid during export, use the -Dfail flag:
./sci_ant.sh -f ../devtoolkit/devtoolkit_extensions.xml export -Dfail=class,file,log4j

Validation checks

A customization JAR might contain issues that could lead to failures or complications in the production environment. Without validation rules, these issues can result in runtime failures and security vulnerabilities. To address these issues, the following validation checks are developed to statically scan the customization package, catch issues early, and enforce safe customization practices.
Class name conflicts
Validates that there are no duplicate class files between the customization JAR and existing out-of-the-box (OOB) classes. This check ensures that class loading conflicts or unexpected overrides do not occur at runtime.
File name conflicts
Validates that all files that are located inside the /files/ directory within the JAR, comply with a predefined whitelist of allowed file paths. Any file that does not match the whitelist is flagged as a conflict.
Only the following file patterns are permitted.
extensions/**/*
properties/customer_overrides.properties
properties/action.properties
properties/*ValueMaps.xml
repository/eardata/**/extn/**/*
The following file pattern is blacklisted.
repository/eardata/**/extn/**/*.sample
Missing class imports
Validates that all the imported classes that are used in the customization code are either present in the DTK runtime or part of the approved third-party libraries. This validation prevents runtime failures due to missing dependencies.
Database extensions validations
  • LOB columns
    Checks columns to ensure that no new custom LOB columns are introduced in the entity xmls.
  • Large data types
    Checks columns to ensure that no new columns with size more than 500 are introduced in the entity xmls.
  • Excessive custom indexes
    Checks whether the number of custom indexes exceeds five in either a custom or out-of-the-box (OOB) table, which might impact insert or update performance.
Direct database connections and SQL operations
The following validations identifies risky database access patterns.
  • JDBC connections
    Checks use of getConnection() or similar methods to access the database.
  • Raw SQL execution
    Checks use of DELETE, DROP, ALTER SQL operations, which might cause unintended side effects.
  • JDBC ResultSet iteration
    Checks use of any low-level database interactions.
  • Direct SQL queries against custom LOB columns
    Checks if a custom code contains any direct SQL queries against the custom LOB columns detected in Database extensions validations - LOB columns.
Checks for non-approved logging frameworks and Sys.Out
  • Flags the use of the following console logging frameworks in custom code.
    • System.out.print*
    • System.err.print*
  • Flags the use of the following non-approved logging imports.
    • Apache Commons Logging: org.apache.commons.logging.
    • SLF4J (Simple Logging Facade for Java): org.slf4j.
    • Java Util Logging: java.util.logging.
    • Logback: ch.qos.logback.
Checks for custom web.xml against OOB web.xml
This validation ensures that the custom file retains all required configurations from the OOB web.xml shipped with DTK, while allowing additional entries. Any missing elements are reported during validation.
Note: All violations are provided in a report that can be accessed from the following locations. 
<runtime_sandbox>/tmp/report/*_details.csv
<runtime_sandbox>/tmp/report/*_summary.csv

Validating custom properties

The tool performs a series of validations on custom properties added in the customer_override.properties file to ensure that they conform to the cloud deployment standards. Following validations are performed on custom properties:

The tool validates that custom properties defined in the customer_override.properties file belong to the following services only:
  • yfs
  • xapirest
  • elasticsearch
  • logfilter
  • dbclassCache
  • jdbcService (of the pattern jdbcService.*.prop_* )
Note: For the above listed services, the tool fails the custom properties validation defined for the properties with DATABASE_SUPPORT=Y. The tool also skips the custom properties defined for properties which are in the yfs.yfs.logall* format.

Validating Log4j 1.x usage

The Log4j 1.x validation checks that the customization JAR does not include or reference Log4j 1.x libraries (log4j-1.x.jar) or APIs (org.apache.log4j.*). The Log4j 1.x has reached end of life and contains known security vulnerabilities. Usage of this logging framework is not allowed to prevent security risks and ensure compliance with supported logging standards.