What is Patch Impact Analysis?
Patch impact analysis is a new feature in AppDNA 7.8 that determines the surface area of a Microsoft patch on your portfolio of applications. It is important to recognise that this does not tell you what the patch does or its criticality, but rather which applications *could* be affected by it. This should help you plan which applications you want to test and also help you to understand how invasive a patch might be.
For example, if your portfolio contains 1000 applications, for a given patch we may be able to detect that 70 of them are directly affected by it.
What is meant by directly or indirectly affected?
Directly affected means the application directly imports an API from a file being updated by the patch. For example, if Application.exe directly imports from mydll.dll and mydll.dll is being updated by the patch, we will report it as red.
The other criterion is that the application redistributes the same file as the one being patched. For example, if any application redistributes (or installs) Flash.OCX and the patch contains an update for Flash.OCX, it is reported as directly affected.
This scenario was not supported at release, so it requires you to patch your AppDNA installation with the AppDNA patch detailed at the end of this blog. You only need that patch if you are interested in patches that affect redistributables such as .NET, Java, the C++ runtime, etc.
Indirectly affected applications are those that have dependencies which are themselves affected by the patch.
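The three rules above (import of a patched file, redistribution of a patched file, and a dependency on an affected application) expressed as a small classifier. This is an added illustration, not AppDNA's own code or data model; the App structure, the sample portfolio and the patch file list are constructed, and the dependency rule is followed transitively along the dependency chain.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

@dataclass
class App:
    imports: Set[str]                      # files named in the import table
    redistributes: Set[str]                # files the app installs or ships
    depends_on: Set[str] = field(default_factory=set)  # other app names

def classify(apps, patched_files) -> Dict[str, Tuple[str, str]]:
    """Map each app name to (status, reason); status is direct/indirect/unaffected."""
    patched = {f.lower() for f in patched_files}  # Windows file names are case-insensitive
    result: Dict[str, Tuple[str, str]] = {}
    # Direct: the import table or a redistributed file names a patched file.
    for name, app in apps.items():
        hit = sorted({f.lower() for f in app.imports} & patched)
        if hit:
            result[name] = ("direct", f"imports {', '.join(hit)}")
            continue
        hit = sorted({f.lower() for f in app.redistributes} & patched)
        if hit:
            result[name] = ("direct", f"redistributes {', '.join(hit)}")

    # Indirect: a dependency (followed transitively, cycle-safe) is directly affected.
    def affected_dep(name: str, seen: Set[str]) -> Optional[str]:
        for dep in sorted(apps[name].depends_on):
            if dep in seen or dep not in apps:
                continue
            seen.add(dep)
            if result.get(dep, ("",))[0] == "direct":
                return dep
            deeper = affected_dep(dep, seen)
            if deeper:
                return deeper
        return None

    for name in apps:
        if name not in result:
            dep = affected_dep(name, {name})
            result[name] = ("indirect", f"depends on {dep}") if dep else ("unaffected", "")
    return result

# Constructed sample portfolio using the file names from the post.
PORTFOLIO = {
    "Application.exe": App(imports={"mydll.dll", "kernel32.dll"}, redistributes=set()),
    "FlashInstaller": App(imports={"kernel32.dll"}, redistributes={"Flash.OCX"}),
    "Reporting.exe": App(imports={"user32.dll"}, redistributes=set(), depends_on={"Application.exe"}),
    "Standalone.exe": App(imports={"user32.dll"}, redistributes=set()),
}
PATCH_FILES = {"mydll.dll", "flash.ocx"}   # files the constructed patch updates
```

Running classify(PORTFOLIO, PATCH_FILES) marks Application.exe and FlashInstaller as direct, Reporting.exe as indirect and Standalone.exe as unaffected, with the reason string mirroring what the per-application report explains.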
How to use patch impact analysis
Go to Configure->Solutions->Patch
Name your patch analysis:
Select the method of patch import (manual means I have downloaded them onto a file share):
Select which applications you would like to analyse
Select which patches you would like to analyse against
If your patch is not yet imported you can click on Browse to select a patch:
The last step is to click Analyse, which then performs the analysis:
Wait for the analysis to complete:
And—PRESTO!—we have a report!
This is the top-level report, which shows which applications are directly or indirectly affected on a per-patch basis:
You can then click on an application to see the detailed report for it, which explains why we think the application will be affected by the patch:
So does this solve my patch Tuesday woes?
No, not entirely, because we cannot guarantee that an application actually uses the patched APIs; we only know that it possibly may, since it links directly to the affected file.
It should still be useful, though, for understanding which applications to target for testing rather than blindly testing them all, and for gauging how invasive a patch is by seeing how much of your portfolio it potentially affects.
You can patch your AppDNA 7.8 by following the instructions in this zip file. You only need to do this if you want the added algorithm that detects applications which redistribute files being patched. I would recommend only doing this in a lab environment.