If you need to fine-tune elements of the configuration without running an entire snapshot, or to browse the User Input Security results without using the CAST Engineering Dashboard, you can use an unsupported CAST tool called the FlawExplorer to visualize the flaws. It takes “.flaw” files as input and lets you browse the flaws they contain. In addition, since the FlawExplorer is an "offline" tool, you can browse flaw files without having to connect to a CAST Management Service.
You can also use it during snapshot generation, once the “Dataflow Security” task has completed successfully.
flawExplorer.exe is located in the CAST installation folder - double-click the file to run it:
Use the Load a flaw file option (located in the top left-hand corner of the GUI) to load a flaw file. To obtain a .flaw file, look for its path as displayed in the SecurityAnalyzer.log file, which is written during snapshot computation under the task “Run Data Flow Security”:
- In the Flaws box: select a flaw in the list. The Trace box is refreshed and shows the corresponding execution trace.
- In the Trace box: select a line in the execution trace. The Code viewer is refreshed and shows the bookmark (highlighted in yellow) of the corresponding executed statement.
- In the Flaws box: you can use the keyboard arrow keys to switch between flaws.
- In the Trace box: you can use the keyboard arrow keys to step through the execution trace.