Summary: this page describes the new features added and the bugs fixed in CAST Report Generator 1.8.x.

Content matrix

Version: 1.8.0

Summary of content:

  • New templates
  • Generate reports as PDF files
  • New components added for templates

Comments: can be used with:

  • CAST-RESTAPI ≥ 1.8.x

New templates

The following templates are new in v. 1.8.0:

  • CISQ Compliance Report

The following Chinese language templates are new in v. 1.8.0:

  • CISQ 合规报告

  • OWASP-2017-Top10 - 总结报告
  • CWE -Top 25 总结报告

The following templates have been updated in v. 1.8.0:

  • OWASP 2017 Top 10 Summary
  • OWASP 2017 Top 10 Detailed
  • OWASP 2013 Top 10 Summary
  • OWASP 2013 Top 10 Detailed
  • CWE Top 25 Summary
  • CISQ 22 Security Summary

New features

REPORTGEN-395 - Generate reports as PDF files

It is now possible to save a report as a PDF file, rather than having to use the same file format as the chosen template. You should ensure that Microsoft Office is installed on the machine if you choose this output type.

Note that this feature is not supported for outputting reports based on Microsoft Excel templates.

To do so:

GUI

Change the file extension to .PDF in the save dialog box.

CLI

Use a .PDF extension in the -file command line option, for example:

CastReporting.Console.exe -webservice http://<server>:8080/<APIWAR>/rest -username cast -password cast -application eCommerce -template "1 - Powerpoint-components-library.pptx" -file "output_report.pdf"

File name prompt in GUI

When generating a report in the GUI, a name for the resulting report will be suggested for you. The default suggested name will be the same as the template file name selected to generate the report.

REPORTGEN-445 - CLI should return error codes

It is now possible to view the error code for a CLI action. Use the following command after the action has completed:

echo %ERRORLEVEL%

See Return codes for more information.

REPORTGEN-446 - CLI should accept language as an argument

It is now possible to specify a locale in the CLI - the resulting report will then use the chosen language for certain aspects of the report. The command line option is called -culture and takes the following arguments (the first two characters are also accepted):

  • fr-FR
  • en-US
  • es-ES
  • IT-it
  • DE-de
  • zh-CN

See Command line interface for more information.
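
The three CLI additions above (PDF output, return codes, and -culture) can be combined in one pre-flight wrapper for scheduled or CI report generation. This is an added example, not code from CAST: the environment variable names, the Excel extension list, the case-insensitive culture match, and the reading of exit code 0 as success are assumptions.

```powershell
# Added example: pre-flight wrapper around CastReporting.Console.exe (not CAST's own code).
param(
    [Parameter(Mandatory)] [string] $Webservice,   # e.g. http://<server>:8080/<APIWAR>/rest
    [Parameter(Mandatory)] [string] $Application,
    [Parameter(Mandatory)] [string] $Template,
    [Parameter(Mandatory)] [string] $OutFile,
    [string] $Culture = 'en-US',
    [string] $Exe = 'CastReporting.Console.exe'    # assumed to be resolvable from the current directory or PATH
)

# -culture values listed in these release notes; the first two characters are also accepted.
# Assumption: the match is case-insensitive (PowerShell's -notcontains ignores case).
$cultures = 'fr-FR', 'en-US', 'es-ES', 'IT-it', 'DE-de', 'zh-CN'
$short    = $cultures | ForEach-Object { $_.Substring(0, 2) }
if (($cultures + $short) -notcontains $Culture) {
    throw "Unsupported -culture value '$Culture'. Expected one of: $($cultures -join ', ')"
}

# PDF output is not supported for Excel-based templates.
# Assumption: Excel templates are recognised by these file extensions.
$templateExt = [System.IO.Path]::GetExtension($Template).ToLowerInvariant()
$outExt      = [System.IO.Path]::GetExtension($OutFile).ToLowerInvariant()
if (($outExt -eq '.pdf') -and ($templateExt -in '.xlsx', '.xlsm', '.xls')) {
    throw 'PDF output is not supported for reports based on Microsoft Excel templates.'
}

# Credentials come from the environment (hypothetical variable names) so they are
# not stored in the script file or in the job definition.
if (-not $env:CAST_USERNAME -or -not $env:CAST_PASSWORD) {
    throw 'Set CAST_USERNAME and CAST_PASSWORD before running.'
}

$cliArgs = @(
    '-webservice',  $Webservice,
    '-username',    $env:CAST_USERNAME,
    '-password',    $env:CAST_PASSWORD,
    '-application', $Application,
    '-template',    $Template,
    '-file',        $OutFile,
    '-culture',     $Culture
)
& $Exe @cliArgs

# $LASTEXITCODE is the PowerShell equivalent of cmd's %ERRORLEVEL%.
# Assumption: 0 means success; other values are described in "Return codes".
$code = $LASTEXITCODE
if ($code -ne 0) {
    Write-Warning "Report generation failed with exit code $code (see Return codes)."
    exit $code
}
```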

New components added for templates

REPORTGEN-425 - RULES_LIST_STATISTICS_RATIO

This component allows you to view violation statistics (total, added, removed) and the compliance ratio of a selection of rules. The table can be sorted by total violations from max to min, or by compliance:

  • Block Name = RULES_LIST_STATISTICS_RATIO
  • Options:
    • METRICS= List of metric ids (Business Criterion, Technical Criterion or rule) or quality standards tags separated by '|'.
    • COMPLIANCE= true or false or not set. If true, displays a supplementary column containing the compliance ratio in percentage.
    • SORTED= TOTAL or COMPLIANCE or not set. If TOTAL or not set, the table is sorted by number of violations from max to min; if COMPLIANCE, the table is sorted by compliance from worst to best.
    • CRITICAL= true or false or not set. If this option is true and you have selected a BC or TC, only critical rules will be displayed; any other value (or option not set) will display all rules.
    • LBL= violations or vulnerabilities (vulnerabilities by default or when not set). This changes the header title of the column from Vulnerabilities to Violations.

Notes:

  • To use the quality standard tags selection with this component, the Quality Standards Mapping extension should be installed on the Dashboard Service schema where the application resides.
  • When you select the metric id for a Business Criterion or Technical Criterion, all the rules belonging to this Business Criterion or Technical Criterion are added for displaying violations, except if you add the CRITICAL=true option and in this case only the critical rules will be displayed.
  • The id of the metric is added to the metric name. You can refer to https://technologies.castsoftware.com/rules to view the details of the rule.

REPORTGEN-411 - QUALITY_STANDARDS_EVOLUTION

This component allows you to view violation statistics (total, added, removed) based on quality standards such as CWE, CISQ, OWASP etc.

  • Block Name = QUALITY_STANDARDS_EVOLUTION
  • Options:
    • STD= Name of the parent quality standard you want the details for (available standards - also known as "tags" - are listed in Quality Standards Mapping), for example, choosing "CWE-2011-Top25" will list total, added and removed violations for the following standards:
      • CWE-22
      • CWE-78
      • CWE-79
      • CWE-89
      • CWE-134
      • CWE-327
      • CWE-434
      • CWE-798
    • LBL= violations or vulnerabilities (vulnerabilities by default or when not set). This changes the header title of the column from Vulnerabilities to Violations.

Notes:

  • To use this component, the Quality Standards Mapping extension should be installed on the Dashboard Service schema where the application resides, with a minimum version of 20181030.
  • A list of available quality standard tags (to input as the value for STD=) is available in the Quality Standards Mapping extension.

REPORTGEN-455 - TOP_COMPONENTS_BY_PROPERTIES

This component allows you to generate reports that were available in the legacy CAST Engineering Dashboard: Top Complexity x High Fan-Out, Top Complexity x Low Documentation, and more, with all available properties.

  • Block Name = TOP_COMPONENTS_BY_PROPERTIES
  • Options:
    • PROP1= name of first property, cyclomaticComplexity will be used if this option does not exist
    • PROP2= name of second property, fanOut will be used if this option does not exist
    • ORDER1= ASC or DESC for PROP1, DESC by default
    • ORDER2= ASC or DESC for PROP2, DESC by default
    • COUNT= the number of lines to display, 50 by default (-1 or all is forbidden due to performance issues)
  • For PROP1 and PROP2, the available values are as follows (if PROP1 and/or PROP2 are not correctly set, a list of available values is displayed instead):
    • codeLines
    • commentedCodeLines
    • commentLines
    • coupling
    • fanIn
    • fanOut
    • cyclomaticComplexity
    • ratioCommentLinesCodeLines
    • halsteadProgramLength
    • halsteadProgramVocabulary
    • halsteadVolume
    • distinctOperators
    • distinctOperands
    • integrationComplexity
    • essentialComplexity

Notes:

  • This component is only relevant for a CAST Dashboard Service schema. When used against a Measurement Service schema it will not return anything.
  • Note that comparisons between reports generated with the legacy CAST Engineering Dashboard and this component will show differences. This is because the legacy CAST Engineering Dashboard employs specific rules to filter objects and calculate ratios that are not used in the RestAPI (where the CAST Report Generator retrieves its data). The values produced by the CAST Report Generator will therefore be more accurate.

REPORTGEN-454 - RULES_LIST_LARGEST_VARIATION

This component provides data for generating the following reports that were previously available in the legacy CAST Engineering Dashboard:

  • List of 50 rules with the largest decrease in the number of violations
  • List of 50 rules with the largest decrease in the percentage of violations
  • List of 50 rules with the largest increase in the number of violations
  • List of 50 rules with the largest increase in the percentage of violations

Block description:

  • Block Name = RULES_LIST_LARGEST_VARIATION
  • Options:
    • BCID= Business Criterion to filter the list of rules, 60017 by default
    • VARIATION= INCREASE or DECREASE, DECREASE by default
    • DATA= NUMBER or PERCENTAGE, NUMBER by default
    • COUNT= the number of lines to display, 50 by default (-1 to list all rules)

Notes:

  • The weight will not be similar to that displayed in the legacy CAST Engineering Dashboard since the value displayed in CED was incorrect.
  • CompoundedWeight is now displayed with regard to the Business Criterion selected. In the legacy CAST Engineering Dashboard, aggregate weight was used but without specifying the technical criterion - as such this value was not accurate.
  • The formulas are taken from those used in the legacy CAST Engineering Dashboard (Configuration: Formula):
    • Decrease number: previous failed checks - current failed checks
    • Decrease percent: current failed checks / current total checks - previous failed checks / previous total checks, display in percentage (*100)
    • Increase number: current failed checks - previous failed checks
    • Increase percent: previous failed checks / previous total checks - current failed checks / current total checks, display in percentage (*100)
  • Some values will differ from those displayed in the legacy CAST Engineering Dashboard, because in the CAST Report Generator/RestAPI we do not count duplicate violations (same object violating the same rule several times, or shared objects).

REPORTGEN-456 - REMOVED_VIOLATIONS_LIST

This component provides data for generating the Removed Violations report that was previously available in the legacy CAST Engineering Dashboard:

  • Block Name = REMOVED_VIOLATIONS_LIST
  • Options:
    • BCID= Business Criterion to filter the list of rules, 60017 by default
    • COUNT= the number of lines to display, 50 by default (-1 if you want all removed violations, however this is not recommended for performance reasons)

Notes:

  • This component is only relevant when used with a CAST Dashboard Service schema. When used against a Measurement Service schema it will not return anything.

New documentation

All components are now documented. See CAST Report Generator - Components documentation -1.8.0.

Resolved issues

The following bugs have been fixed in this release:

  • REPORTGEN-407
    • Call ID: 13890
    • Description: Error while generating reports if password is set as null when registering the WS
    • Affects Version: 1.6.x
    • Notes: As a result of this bug fix, it is now possible to change the user name and password for an existing active web service entry when in the "Home" page (rather than having to update the credentials in the web service configuration page). The new user name and password will be applied to the existing saved web service configuration and used for all future actions.
  • REPORTGEN-501
    • Call ID: 15536
    • Description: Number of function points is empty in IFPUG_FUNCTIONS component
    • Affects Version: 1.7.x
    • Notes: -