Content matrix
| Version | Summary of content |
|---|---|
| 1.10.0 |
|
New features
Report Generation feature
The ability to generate a range of reports direct from the CAST Security Dashboard has been introduced in this release. Various reports can be generated, however, some rely on the presence of CAST Report Generator for Dashboards (v. ≥ 1.10.0) in order to function.
Accessing the feature
| From the Side Menu bar, click the following icon: |
|
Available report categories
Various report categories are available:
| Category | Enabled by default? | CAST Report Generator for Dashboards required? | Additional configuration required? | Output format | Available reports |
|---|---|---|---|---|---|
| Security Reports |  | | See section below. | Same format as the associated CAST Report Generator templates. | Available reports include:
Note that the default list of reports can be customized. |
| Industry Compliance Reports | | | See section below. | Same format as the associated CAST Report Generator templates. | Available reports include:
Note that the default list of reports can be customized. |
|  | | Inline in the browser Can be downloaded in Excel format. | Available reports include:
| |
| | See section below. | Same format as the associated CAST Report Generator templates. | This category enables you to define your own custom reports via CAST Report Generator templates. |
Security and Industry Compliance Reports
This category provides reports on various industry recognized standards such as:
- CISQ
- CWE
- OWASP
- STIG (Security Technical Implementation Guide)
- PCI (Payment Card Industry)
- NIST (National Institute of Standards and Technology)
Configuration process
These reports are based on templates provided with CAST Report Generator and therefore CAST Report Generator for Dashboards (v. ≥ 1.10.0) must be present on the server hosting Apache Tomcat in order for the reports to function. Some additional configuration is also required as explained below.
Assuming CAST Report Generator for Dashboards is present on the host machine, the next step is to configure the dashboard. Edit the following file with a text editor:
%CATALINA_HOME%\webapps\CAST-Security\WEB-INF\report.properties
Find the following options and modify as explained below:
# Set the Report Generator path # If this variable is not set then the document generation is considered as disabled. # The path is probably something such as (Linux/Windows): #report.reportGenerator=dotnet /opt/report-generator/CastReporting.Console.Core.dll #report.reportGenerator=dotnet c:\\ReportGenerator\\CastReporting.Console.Core.dll # Set the directory of reports #report.directory=/tmp/reports #report.directory=c:\\temp\\reports # Set the current Web Service URL. The current REST API called back by the Report Generator. report.webServiceURL=http://localhost:8888/CAST-RESTAPI/rest
report.reportGenerator=dotnet | Add a new line pointing to the location of the CastReporting.Console.Core.dll (part of CAST Report Generator for Dashboards) on the server hosting Apache Tomcat. You can also uncomment and modify an example line. For example: report.reportGenerator=dotnet c:\\ReportGeneratorforDashboards\\CastReporting.Console.Core.dll Note that the path to CastReporting.Console.Core.dll when using Microsoft Windows must always use double back slashes (\\) or single forward slashes (/) - the single back slash (\) is not valid. |
|---|---|
report.directory= | Add a new line pointing to the temporary folder where the reports will be generated on the server hosting Apache Tomcat. You can also uncomment and modify an example line. For example: report.directory=c:\\temp\\reports Note that:
|
report.webServiceURL= | Modify the existing line to point to the RestAPI in your CAST Security Dashboard deployment. This is used by the CAST Report Generator for Dashboards. For example: report.webServiceURL=http://<server>:<port>/<dashboard>/rest |
Generation process
Choose a report type from the Security Reports or Industry Compliance Reports category and click the Generate Report button:
The report will be generated and auto downloaded with your browser. Reports are generated using the same format as the associated CAST Report Generator templates. The report file name should contain the:
- application name
- snapshot version
- report type
For example: MEUDON-Computed on 201903061327-OWASP-2017-Top10 - Summary.docx (MEUDON is an Application name).
A notification message is displayed when the report is generated:
If the report fails to generate, a notification is also displayed with the error message. Please refer this page about error messages handling: Report Service - 1.9.0.
This example shows that CAST Report Generator for Dashboards has not been configured:
Miscellaneous Reports
This category provides reports that can easily show where the biggest changes in violations between snapshots have occurred:
These reports are provided inline in the browser and do not require CAST Report Generator for Dashboards nor any additional configuration. Reports can be downloaded in Excel format:
Custom Reports
This category enables you to define your own custom reports via CAST Report Generator templates. The category is disabled by default (i.e. it does not contain any report templates). The templates you want to generate must be present on the server hosting Apache Tomcat in the "Templates" sub folder of your CAST Report Generator for Dashboards deployment location.
Configuration process
To enable and define the reports for the category, edit the following file:
%CATALINA_HOME%\webapps\CAST-Security\security\resources\ced.json For v.≥ 1.18: %CATALINA_HOME%\webapps\CAST-Security\security\resources\ed.json
Find the following configuration section:
{
"id": "custom",
"label": "Custom Reports",
"reportTemplates":[]
}
To add your report for a custom template called Executive summary PPT.pptx, AEP Sample Report.xlsx and My Custom Template 2019.docx change it as follows. Save the file and restart the host Apache Tomcat server for the changes to be applied:
{
"id": "custom",
"label": "Custom Reports",
"reportTemplates":[
{
"templateLabel": "Executive summary PPT",
"templateId": "Executive+summary+PPT",
"fileType":"pptx"
},
{
"templateLabel": "AEP Sample Report",
"templateId": "AEP+Sample+Report",
"fileType":"xlsx"
},
{
"templateLabel": "My Custom Template 2019",
"templateId": "My+Custom+Template+2019",
"fileType":"docx"
}
]
}
- Custom templates should be available in the Templates folder within the CAST Report Generator for Dashboards deployment folder, for example: ReportGeneratorCLIforAllOS\Templates.
templateLabel is a free text, this is used in the drop down list in the dashboard.
templateId should be the file name of the custom template name without the file extension and "+" signs in place of white space. For example, if your custom template name is My Custom Template.docx the templateId should be configured as "templateId": "My+Custom+Template+2019".
Generation process
Choose a custom report type from the Custom Reports category and click the Generate Report button:
Atlassian JIRA integration
Note that the JIRA integration:
has been released as an Alpha feature in 1.10 as the current version of the feature does not cater to all possible use cases and as such there is no official support provided. Going forward, we would like to test some of our hypotheses with our customers and improve on this. However, we encourage you to test the feature and see how it fits into your organizational needs. We would be extremely thankful if you kindly participate with your feedback and help us refine the feature. Thank you.
- requires a Dashboard Service schema configured for use with the CAST Security Dashboard that has been installed with CAST AIP ≥ 8.3.12. An error will be displayed if this requirement is not met.
The 1.10.0 release of the CAST Security Dashboard introduces an Atlassian JIRA integration that allows Atlassian JIRA tickets to be created directly from the interface of the CAST Security Dashboard. More specifically, one JIRA ticket can be created per violation that has been added to the Action Plan. Multiple tickets can also be created at the same time.
By default in 1.10.0, this feature is not active and therefore requires configuration before it can be used.
Enabling JIRA integration
Edit the following file:
%CATALINA_HOME%\webapps\CAST-Security\security\resources\ced.json
Add a new parameter called "JIRAConfig": true, into the "configuration" section as shown below:
{
"description": "used as a placeholder for as much as possible relevant default application parameters, please do not edit manually",
"configuration": {
"defaultLanguage": "English",
"description": "To configure new language for application, define customLanguages as [{'label': 'languageName', 'value': 'localeFolderName'}]",
"customLanguages": [],
"requestAccess": false,
"JIRAConfig": true,
"confirmLogout": true,
"filterHealthFactor": true,
"violationsCount" : 5000,
"reportCategory": [
Save the file and restart the host Apache Tomcat server for the changes to be applied. After the feature is active, the following will now be visible in the Action Plan:
| Create JIRA ticket menu option |
|
|---|---|
| Ticket ID column |
|
Configuring the JIRA integration
To configure the JIRA integration feature, create a new file called jira.properties in the following location (you can also download a sample jira.properties file with "dummy" data in it):
%CATALINA_HOME%\webapps\CAST-Security\WEB-INF\
Fill in the following information to connect to your own JIRA instance. Save the file and restart the host Apache Tomcat server for the changes to be applied.
jira.url= jira.userName= jira.userPassword= jira.issueType= jira.projectKey=
| jira.url | Enter your JIRA instance RestAPI URL, for example: https://jira.company.com/rest/api/2/ |
|---|---|
| jira.userName | Enter the name of the JIRA user that will be used to create the JIRA tickets. You may wish to create a "service" type account specifically for this. |
| jira.userPassword | Enter the password that corresponds to the JIRA user you entered previously. |
| jira.issueType | Enter the type of JIRA ticket you would like to create. For example:
You can view the available ticket types in the JIRA project configuration settings, which can generally be found here (change the domain name and PROJECTKEY to suit your own environment): https://jira.company.com/plugins/servlet/project-config/PROJECTKEY/summary |
| jira.projectKey | Enter the JIRA project key (not the name) in which you would like the JIRA tickets to be created. |
Using the JIRA integration
To create a ticket for one single violation that has been added to the Action Plan, select the violation and choose Create JIRA ticket for selected violations:
The ticket will then be created and if successful a popup will be displayed:
You can create multiple tickets by selecting multiple violations and then choosing the Create JIRA ticket for selected violations. By default a maximum of 10 tickets can be created in one go - if you attempt to create more than this, a popup will be displayed:
If you attempt to create a ticket for a violation and the corresponding ticket already exists in JIRA, the following message will be displayed:
JIRA ticket fields populated by CAST
The following fields in the JIRA ticket are auto populated by CAST as follows:
| Ticket title/summary | <CAST RULE NAME> - <OBJECT NAME> E.g.: Avoid empty catch blocks - C:\CAST\DEPLOY\APPLICATION\JEE\com\castsoftware\util\io\Recorder.java |
|---|---|
| Type | Issue type is set in the jira.properties file in jira.issueType. |
| Status | To Do |
| Resolution | Unresolved |
| Assignee | Project lead as configured in JIRA. You can view the Project lead in the JIRA project configuration settings, which can generally be found here (change the domain name and PROJECTKEY to suit your own environment): https://jira.company.com/plugins/servlet/project-config/PROJECTKEY/summary |
| Reporter | The user defined in the jira.properties file in jira.userName. |
| Priority/Workflow | Set to the default value for the ticket type. |
| Description | This will be populated with information to help identify the violation. |
Modifying the ticket creation limit
By default, a maximum of 10 tickets can be created in one go. If you would like to change this limit, edit the following file:
%CATALINA_HOME%\webapps\CAST-Security\security\resources\ced.json
Add a new parameter called violationsCountForJIRA into the configuration section and specify the limit you want to use - for example 20 has been chosen below. Save the file and restart the host Apache Tomcat server for the changes to be applied.
{
"description": "used as a placeholder for as much as possible relevant default application parameters, please do not edit manually",
"configuration": {
"defaultLanguage": "English",
"description": "To configure new language for application, define customLanguages as [{'label': 'languageName', 'value': 'localeFolderName'}]",
"customLanguages": [],
"requestAccess": false,
"JIRAConfig": true,
"confirmLogout": true,
"filterHealthFactor": true,
"violationsCount": 5000,
"violationsCountForJIRA": 20
"reportCategory": [
SAML changes
Some changes have been made to login/logout behaviour for dashboards that are using SAML authentication:
- If the combined "Security-Engineering" Dashboard is in use, clicking on Re-login navigates to the Welcome page.
- If the single Security Dashboard is in use, clicking on Re-login navigates to the Application selection page.
Chinese language locale now fully translated
All dashboard interface text has now been fully translated in to Chinese (zh_CN) and is available in:
%CATALINA_HOME%\webapps\CAST-Security\security\locales\zh_CN\translation.json
This means that you can select the Chinese language "out of the box" and all items will now be displayed in the target language. See also CAST Dashboard Package - Dashboard localization.
Ability to generate a specific type of custom report (Word, Excel, PowerPoint)
Custom reports can now be generated based on the presence of Report Generator templates. Up until now, no distinction was made for the type of report (Word, Excel, PowerPoint), however this has now been introduced by the addition of the filetype parameter.
To enable and define the reports for the category, edit the following file:
%CATALINA_HOME%\webapps\CAST-Security\security\resources\ced.json
Find the following configuration section:
{
"id": "custom",
"label": "Custom Reports",
"reportTemplates":[]
}
To add your report for a custom template called Executive summary PPT.pptx, AEP Sample Report.xlsx and My Custom Template 2019.docx change it as follows. Save the file and restart the host Apache Tomcat server for the changes to be applied:
{
"id": "custom",
"label": "Custom Reports",
"reportTemplates":[
{
"templateLabel": "Executive summary PPT",
"templateId": "Executive+summary+PPT",
"fileType":"pptx"
},
{
"templateLabel": "AEP Sample Report",
"templateId": "AEP+Sample+Report",
"fileType":"xlsx"
},
{
"templateLabel": "My Custom Template 2019",
"templateId": "My+Custom+Template+2019",
"fileType":"docx"
}
]
}
Deleted module data in previous snapshot
It is now possible to view data for modules that existed in the previous snapshot but have been deleted from the current snapshot. The data is available in the All Modules drop down when looking at a previous snapshot (previously, any deleted modules were listed in this drop down but were greyed out and could not be accessed):
Improvements to Miscellaneous reports
Drill down to violation source code is also possible for some reports:
