Nota
Capaian ke halaman ini memerlukan kebenaran. Anda boleh cuba mendaftar masuk atau menukar direktori.
Capaian ke halaman ini memerlukan kebenaran. Anda boleh cuba menukar direktori.
This article describes what the app assessment feature of GitHub Copilot modernization can detect. The assessment covers two key capabilities:
Issue detection across three domains critical to your modernization journey:
- Cloud readiness: Identifies 16 categories of concerns, including file system usage, credential management, messaging services, database connections, containerization gaps, session handling, remote communication patterns, and more.
- Java upgrade: Flags outdated Java versions, end-of-OSS-support frameworks (Spring Boot, Spring Cloud, Jakarta EE), hundreds of removed or deprecated APIs, and legacy build tools such as Ant.
- Security: Detects 42 security weaknesses drawn from the ISO/IEC 5055 standard, covering injection vulnerabilities (SQL, LDAP, XPath, OS command), hard-coded credentials and cryptographic keys, synchronization problems, resource-lifecycle problems, and other high-impact CWEs.
Application understanding: for legacy codebases, the assessment surfaces dependencies and technologies in use, so you get a clear picture of what your application relies on before you begin migrating.
The following sections describe the issue coverage for each domain in detail.
Domain: cloud-readiness
| Domain | Category | Detection Summary | Why It Matters |
|---|---|---|---|
cloud-readiness |
credential-migration |
Detects hardcoded AWS credentials (aws_access_key_id, aws_secret_access_key), AWS Secrets Manager usage, and embedded secret management libraries like Spring Cloud Vault. |
Security: Hardcoded credentials and vendor-specific secret stores are highly vulnerable. Cloud-native applications require centralized, identity-based security to prevent credential theft. |
cloud-readiness |
region-configuration |
Identifies hardcoded AWS region identifiers (aws.region, AWS_REGION) in code or configuration files. |
Portability: Hardcoding geographies ties the application to a specific vendor's physical infrastructure, hindering global deployment and resilience. |
cloud-readiness |
storage-migration |
Detects AWS S3 SDK usage (buckets, objects, pre-signed URLs), S3 TransferManager, and Google Cloud Storage client libraries. | Reliability & Alignment: These dependencies lock you into a vendor's object storage and don't work with the target platform's native storage services. |
cloud-readiness |
messaging-service-migration |
Flags dependencies and connection strings for Amazon SQS/SNS, Kafka, RabbitMQ (AMQP), ActiveMQ (Artemis), IBM MQ, TIBCO EMS, Solace PubSub+, Amazon Kinesis, Apache Pulsar, and Google Cloud Pub/Sub. | Scalability & Reliability: Legacy messaging brokers often rely on fixed endpoints and disk-based persistence that hinder horizontal scaling and high availability in cloud environments. |
cloud-readiness |
database-migration |
Detects connection strings, drivers, and timeout settings for MongoDB, MySQL, PostgreSQL, MSSQL, Cassandra, MariaDB, Oracle, Db2, Sybase ASE, Firebird, SQLite, Google Firestore, and Google Cloud Spanner. | Reliability: Self-managed or non-native databases lack automated cloud scaling. Hardcoded timeouts and fixed retry intervals can cause blocking and "retry storms" during partial outages. |
cloud-readiness |
file-system-management |
Identifies use of relative/absolute paths, home paths (/home/), file:// schemes, and standard Java IO/NIO or Apache Commons IO calls for local storage access. |
Statelessness: Cloud containers are ephemeral. Writing to a local file system leads to data loss upon instance restarts or scaling operations; persistent data must be externalized. |
cloud-readiness |
local-credential |
Flags Java KeyStore (.jks) files, KeyStore.load method calls, and clear-text passwords (password, pwd) in property or XML files. |
Security Risk: Sensitive material stored in clear text or local files can be easily compromised if unauthorized individuals access the application environment or configuration files. |
cloud-readiness |
configuration-management |
Detects System.getenv, System.getProperty, external .properties/.xml/.ini files, and Windows Registry access for application settings. |
Externalization: OS-specific storage or local files aren't manageable at scale and can't be updated dynamically without code changes across all instances. |
cloud-readiness |
session-management |
Identifies data storage in HttpSession objects and the use of the "distributable" tag in web descriptors. |
Scalability: Standard HTTP sessions are unsuitable for cloud scaling; state must be externalized to a distributed cache to prevent data loss during traffic shifts between instances. |
cloud-readiness |
remote-communication |
Detects tightly coupled protocols (CORBA, RMI, JCA), unsecured HTTP/FTP protocols, Java Mail API, direct Socket/NIO channel usage, and hardcoded URLs. | Cloud Compatibility & Security: Tightly coupled interactions hinder scalability. Unsecured protocols and hardcoded URLs are vulnerable and brittle in dynamic cloud network environments. |
cloud-readiness |
jakarta-migration |
Detects usage of Jakarta/Java EE specific APIs for NoSQL, JPA, Data, WebSockets, and JAX-RS, and server-specific artifacts from JBoss EAP, WebLogic, or WebSphere. | Supportability: Migrating to a cloud-native runtime requires aligning with modern Jakarta namespaces and removing proprietary application server dependencies to ensure portability. |
cloud-readiness |
containerization |
Flags the absence of a Dockerfile or problematic Dockerfile instructions like apt-get upgrade, lowercase syntax, and syntax spacing issues. |
Reliability: Standardization in container builds is required for stable, reproducible deployments and to ensure images behave predictably across different environments. |
cloud-readiness |
scheduled-job-migration |
Identifies AWS Lambda handlers, Google Cloud Functions, Quartz Scheduler dependencies, and Spring Batch processing workflows. | Cloud Compute Alignment: Scheduled jobs and serverless functions must be refactored to use the target cloud's event-driven and serverless compute models to reduce infrastructure overhead. |
cloud-readiness |
apm-migration |
Identifies embedded APM agents and libraries for New Relic, Elastic APM, and Dynatrace. | Observability: These tools require specific cloud-platform integration to properly capture telemetry, latency, and health data in a managed environment. |
cloud-readiness |
auth-migration |
Detects SAML/OpenSAML, OAuth 2.0, OpenID, Spring Security, LDAP usage, and legacy webform authentication patterns. | Modern Identity: Legacy webform and LDAP auth lack the flexibility and security features (MFA, SSO) of modern claims-based cloud identity providers. |
cloud-readiness |
os-compatibility |
Identifies project dependencies on Windows-specific Dynamic-Link Libraries (.dll files). | Portability: DLLs are OS-specific and don't run in standard Linux-based cloud container environments. You need to replace them with cross-platform shared libraries. |
Domain: java-upgrade
| Domain | Category | Detection Summary | Why It Matters |
|---|---|---|---|
java-upgrade |
java-version-upgrade |
Identifies usage of non-LTS Java versions (9, 10, 12-16, 19, 20) and legacy versions (1.x through 8, and 11). | Security & Support: Older and non-LTS versions contain known vulnerabilities and lack long-term maintenance updates, leaving the infrastructure exposed to attacks. |
java-upgrade |
framework-upgrade |
Detects Spring Boot, Spring Cloud, Spring Framework, and Jakarta EE versions that reached end of OSS support. | Supportability: Out-of-date frameworks stop receiving security fixes, making the application a security risk and incompatible with modern cloud-native tools. |
java-upgrade |
deprecated-apis |
Catalogs hundreds of removed or deprecated APIs, including sun.misc.BASE64, Thread.stop, SecurityManager methods, and proprietary hooks from JBoss, Seam 2, WebLogic, and WebSphere. |
Stability & Portability: Using removed APIs causes runtime crashes on modern JVMs. Proprietary vendor hooks (like WebLogic/JBoss internals) prevent the application from being portable across standard runtimes. |
java-upgrade |
build-tool |
Identifies legacy build systems like Ant (build.xml) or Eclipse-specific project configurations (WTP/JEM natures). |
Automation: Legacy tools lack the standard conventions and dependency management needed for efficient integration into modern CI/CD pipelines. |
Domain: Security (ISO 5055 guided)
ISO/IEC 5055 is an ISO standard for measuring the internal structure of a software product on four business-critical factors: Security, Reliability, Performance Efficiency, and Maintainability. These factors determine how trustworthy, dependable, and resilient a software system is. In essence, ISO 5055 is meant to "find and prevent the 8% of flaws that cause 90% of production issues". ISO 5055 identifies the most critical and impactful CWEs under each quality characteristic: Reliability, Performance Efficiency, Security, and Maintainability. For GitHub Copilot modernization, you detect against the curated CWEs on security defined in ISO 5055, as the following table reveals.
| CWE_ID | Title | Description |
|---|---|---|
CWE-22 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | The product uses external input to construct a pathname intended to identify a file or directory underneath a restricted parent directory. But, it doesn't properly neutralize special elements that can cause the pathname to resolve outside the restricted directory. |
CWE-23 |
Relative Path Traversal | The product uses external input to construct a pathname within a restricted directory but fails to neutralize sequences like .., which can resolve outside that directory. |
CWE-36 |
Absolute Path Traversal | The product uses external input to construct a pathname within a restricted directory but fails to neutralize absolute path sequences like /abs/path, which can resolve outside that directory. |
CWE-77 |
Improper Neutralization of Special Elements used in a Command ('Command Injection') | The product constructs a command by using externally influenced input but doesn't neutralize special elements that could modify the intended command sent to a downstream component. |
CWE-78 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | The product constructs an OS command by using externally influenced input but fails to neutralize special elements that could modify the intended OS command sent to a downstream component. |
CWE-88 |
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') | The product constructs a command string for a separate component but doesn't properly delimit arguments, options, or switches within that string. |
CWE-79 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | The product fails to neutralize user-controllable input before placing it in output used as a web page served to other users. |
CWE-89 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | The product constructs an SQL command by using externally influenced input but fails to neutralize elements that could modify the command, allowing inputs to be interpreted as SQL syntax instead of ordinary data. |
CWE-564 |
SQL Injection: Hibernate | Using Hibernate to execute dynamic SQL statements built with user-controlled input can allow an attacker to modify the statement's meaning or execute arbitrary SQL commands. |
CWE-90 |
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') | The product constructs an LDAP query by using externally influenced input but fails to neutralize elements that could modify the intended query sent to a downstream component. |
CWE-91 |
XML Injection (also known as Blind XPath Injection) | The product doesn't properly neutralize special elements used in XML, allowing attackers to modify the syntax, content, or commands before processing. |
CWE-99 |
Improper Control of Resource Identifiers ('Resource Injection') | The product receives input but doesn't correctly restrict it before using it as an identifier for a resource outside the intended sphere of control. |
CWE-130 |
Improper Handling of Length Parameter Inconsistency | The product parses a formatted message or structure but incorrectly handles a length field that's inconsistent with the actual length of the associated data. |
CWE-259 |
Use of Hard-coded Password | The product contains a hard-coded password used for its own inbound authentication or outbound communication to external components. |
CWE-321 |
Use of Hard-coded Cryptographic Key | The product uses a hard-coded, unchangeable cryptographic key. |
CWE-434 |
Unrestricted Upload of File with Dangerous Type | The product allows the upload of dangerous file types that are automatically processed within its environment. |
CWE-456 |
Missing Initialization of a Variable | The product doesn't initialize critical variables, causing the execution environment to use unexpected values. |
CWE-457 |
Use of Uninitialized Variable | The code uses a variable that isn't initialized, leading to unpredictable or unintended results. |
CWE-477 |
Use of Obsolete Function | The code uses deprecated or obsolete functions, suggesting it isn't actively reviewed or maintained. |
CWE-502 |
Deserialization of Untrusted Data | The product deserializes untrusted data without sufficiently ensuring the resulting data is valid. |
CWE-543 |
Use of Singleton Pattern Without Synchronization in a Multithreaded Context | The product uses the singleton pattern when creating a resource within a multithreaded environment without proper synchronization. |
CWE-567 |
Unsynchronized Access to Shared Data in a Multithreaded Context | The product fails to properly synchronize shared data, such as static variables, across threads, leading to undefined behavior. |
CWE-570 |
Expression is Always False | The product contains an expression that always evaluates to false. |
CWE-571 |
Expression is Always True | The product contains an expression that always evaluates to true. |
CWE-606 |
Unchecked Input for Loop Condition | The product doesn't properly check inputs used for loop conditions, potentially leading to denial of service from excessive looping. |
CWE-643 |
Improper Neutralization of Data within XPath Expressions ('XPath Injection') | The product uses external input to dynamically construct an XPath expression for an XML database but fails to neutralize that input. |
CWE-652 |
Improper Neutralization of Data within XQuery Expressions ('XQuery Injection') | The product uses external input to dynamically construct an XQuery expression but fails to correctly neutralize that input. |
CWE-662 |
Improper Synchronization | The product allows multiple threads or systems access to a shared resource without proper synchronization, potentially causing simultaneous access issues. |
CWE-665 |
Improper Initialization | The product doesn't initialize or incorrectly initializes a resource, potentially leaving it in an unexpected state when accessed. |
CWE-667 |
Improper Locking | The product doesn't properly acquire or release a lock on a resource, leading to unexpected state changes. |
CWE-672 |
Operation on a Resource after Expiration or Release | The product accesses or operates on a resource after it expired, was released, or was revoked. |
CWE-681 |
Incorrect Conversion between Numeric Types | Data can be omitted or translated into unexpected values during type conversion, which can be dangerous if used in sensitive contexts. |
CWE-682 |
Incorrect Calculation | The product performs a calculation that generates incorrect results later used in security-critical decisions or resource management. |
CWE-732 |
Incorrect Permission Assignment for Critical Resource | Permissions for a security-critical resource are specified in a way that allows unintended actors to read or modify it. |
CWE-772 |
Missing Release of Resource after Effective Lifetime | The product doesn't release a resource after its effective lifetime ended and it's no longer needed. |
CWE-775 |
Missing Release of File Descriptor or Handle after Effective Lifetime | The product fails to release a file descriptor or handle after it's no longer needed. |
CWE-778 |
Insufficient Logging | The product fails to record a security-critical event or omits important details when logging it. |
CWE-783 |
Operator Precedence Logic Error | An expression uses incorrect logic caused by operator precedence. |
CWE-789 |
Memory Allocation with Excessive Size Value | The product allocates memory based on an untrusted, large size value without ensuring it's within expected limits. |
CWE-798 |
Use of Hard-coded Credentials | The product contains hard-coded credentials, such as a password or cryptographic key. |
CWE-820 |
Missing Synchronization | The product utilizes a shared resource concurrently without attempting to synchronize access. |
CWE-821 |
Incorrect Synchronization | The product utilizes a shared resource concurrently but doesn't correctly synchronize access. |
CWE-835 |
Loop with Unreachable Exit Condition ('Infinite Loop') | The product contains an iteration or loop with an exit condition that can't be reached. |
CWE-611 |
Improper Restriction of XML External Entity Reference | The product processes XML documents containing entities with URIs that resolve outside the intended sphere of control. |
CWE-1057 |
Data Access Operations Outside of Expected Data Manager Component | The product performs data-access operations that bypass a dedicated, central data manager component required by design. |