Using Report Generator


Overview

Report Generator is a standalone solution for automatic generation of reports based on compliance data (CWE Top Ten, ISO-5055, MIPS Reduction, NIST, OMG-ASCQM, OWASP, PCI-DSS, STIG) generated by CAST Imaging. The solution makes it possible, for example, to prepare and automate assessments for each new version of an application analyzed with CAST Imaging. Documents are based on Microsoft Office templates, which can be modified to suit a particular use case or to comply with a company format.

Generating reports - UI

Ensure that Report Generator is installed and configured for use (see Install Report Generator), then use the UI to select an application, a snapshot and the report template you require.

Reports are generated and saved by default to:

%PROGRAMDATA%\CAST\ReportGenerator\version\Reports

What about Portfolio reports?

Portfolio based reports require that you:

  • have configured a CAST Dashboard/RestAPI URL that connects to a Measurement schema (general_measure).
  • have configured some custom Categories/Tags in the Management Dashboard - see Tag and category management

Generating reports - CLI

Report Generator

The command line interface is provided by the following executable:

%PROGRAMFILES%\CAST\ReportGenerator <version>\CastReporting.Console.Core.exe

CAST recommends using a batch file to run your report generation from the command line. Note that the Usage column in the table below refers to the type of report being generated: Application or Portfolio. Common refers to options that are used with both report types.

Command Usage Mandatory? Description
-webservice <ws_name> Common URL of your CAST RestAPI installation in the form: http://<server>:<port>/rest.
-username <username> Common The CAST Dashboard/RestAPI username that grants you access.
-password <password> Common The password corresponding to the -username.
-apikey true|false Common If you have enabled SAML authentication mode for your CAST Dashboard/RestAPI deployment, you will need to use an API Key instead of a password. To do so, modify the command line as follows:
  • add the -apikey true option (the default when the option is omitted is false)
  • enter the API Key in the -password option.
-template <template_name> Common Required template file name for document generation surrounded by double quotes.
-file <output_file> Common Generated output file name surrounded by double quotes. If this option is omitted, the command line will generate a generic file name that includes the date and time the file was generated.

Note that you can output the report to PDF by using a .PDF extension for the output file name. You should ensure that Microsoft Office is installed on the machine if you choose this output type. This feature is not supported for outputting reports based on Microsoft Excel templates.
-culture Common Choose from one of the following locales (you can also use the first two characters (e.g.: fr for fr-FR)):
  • fr-FR
  • en-US
  • es-ES
  • IT-it
  • DE-de
  • zh-CN
This will force the resulting report to be generated with some aspects matching the chosen language.
-application <app_name> Application Application name containing data for document generation.
-snapshot_cur <application_name - current_snapshot_version> Application An optional command enabling you to specify a particular snapshot as the “current” snapshot. Ensure that you use the <application_name - current_snapshot_version> format for specifying the snapshot, for example: -snapshot_cur Arizona - V2.0.1

Note that this command is optional - if you omit it, the most recent snapshot is set as the “current” snapshot.
-snapshot_prev <application_name - prev_snapshot_version> Application An optional command enabling you to specify a particular snapshot as the “previous” snapshot. Ensure that you use the <application_name - prev_snapshot_version> format for specifying the snapshot, for example: -snapshot_prev Arizona - V1.0.0

Note that this command is optional - if you omit it, the snapshot prior to the most recent is set as the “previous” snapshot.
-domain <domain_name> Application Name of the domain containing the required application (optional). This option can be used to distinguish multiple Applications that have the same name, but are stored in different domains. The domain name can be found in the domains.properties file for the target RestAPI installation. For example, in the following domains.properties, the name attribute contains the domain name “AED”:

<Resource name="jdbc/domains/AED" url="jdbc:postgresql://my_css:2284/postgres" connectionInitSqls="SET search_path TO v840_central;" username="operator" password="CastAIP" auth="Container" type="javax.sql.DataSource" driverClassName="org.postgresql.Driver" validationQuery="select 1" initialSize="5" maxTotal="20" maxIdle="10" maxWaitMillis="-1" />

Note that you can also use -database to distinguish Applications with the same name.
-database <db_name> Application Name of the CAST Storage Service/Postgres schema name containing the required application (optional). This option can be used to distinguish multiple Applications that have the same name, but are stored in different database/schemas. You can also use -domain to distinguish Applications with the same name.
-reporttype portfolio Portfolio Use this command if you want to generate a report for a Portfolio, rather than an Application. When using this option, it must always be the first option on the command line. See examples below.
-category <category name> Portfolio When using the -reporttype option, use this option to choose the category for the report.
-tag <tag name> Portfolio When using the -reporttype option, use this option to choose the tag for the report.

Return codes

Use echo %ERRORLEVEL% immediately after the command line to display its return code:

Code Description
0 Report successfully generated
1 Bad arguments given to the Report Generator
2 Web service cannot be accessed or is badly configured
3 Report failed

Example - Application reports

Generate an Application based report using the “1 - Powerpoint-components-library.pptx” template for the eCommerce Application:

CastReporting.Console.Core.exe -webservice http://<server>:<port>/rest -username cast -password cast -application eCommerce -template "1 - Powerpoint-components-library.pptx" -file "output_report.pptx"

Generate an Application based report using the “1 - Powerpoint-components-library.pptx” template for the eCommerce Application using specific historic snapshots:

CastReporting.Console.Core.exe -webservice http://<server>:<port>/rest -username cast -password cast -application eCommerce -template "1 - Powerpoint-components-library.pptx" -snapshot_cur Arizona - V2.0.1 -snapshot_prev Arizona - V1.0.0 -file "output_report.pptx"

Generate an Application based report using the “1 - Powerpoint-components-library.pptx” template for the eCommerce Application using French language:

CastReporting.Console.Core.exe -webservice http://<server>:<port>/rest -username cast -password cast -application eCommerce -template "1 - Powerpoint-components-library.pptx" -file "output_report.pptx" -culture fr-FR

Example - Portfolio reports

Generate a Portfolio based report using the “1- Portfolio-Powerpoint-components-library.pptx” template:

CastReporting.Console.Core.exe -reporttype portfolio -webservice http://<server>:<port>/rest -username cast -password cast -template "1- Portfolio-Powerpoint-components-library.pptx" -file "output_report.pptx"

Generate a Portfolio based report using the “1- Portfolio-Powerpoint-components-library.pptx” template with Category and Tag options set:

CastReporting.Console.Core.exe -reporttype portfolio -webservice http://<server>:<port>/rest -username cast -password cast -template "1- Portfolio-Powerpoint-components-library.pptx" -category Business_Unit -tag Finance -file "output_report.pptx"

Generate a Portfolio based report using the “1- Portfolio-Powerpoint-components-library.pptx” template with Category and Tag options set using French language:

CastReporting.Console.Core.exe -reporttype portfolio -webservice http://<server>:<port>/rest -username cast -password cast -template "1- Portfolio-Powerpoint-components-library.pptx" -category Business_Unit -tag Finance -file "output_report.pptx" -culture fr-FR

Example - Using an API key

Generate an Application based report using the “1 - Powerpoint-components-library.pptx” template for the eCommerce Application via an API Key:

CastReporting.Console.Core.exe -webservice http://<server>:<port>/rest -username cast -password myapikey -apikey true -application eCommerce -template "1 - Powerpoint-components-library.pptx" -file "output_report.pptx"

Using the parameters.xml file

Instead of defining the parameters directly in a batch file, you can launch the CastReporting.Console.Core.exe together with the parameters.xml file. A template parameters.xml file is located in the install folder %PROGRAMFILES%\CAST\ReportGenerator <version>. The parameters.xml file can be configured to contain the commands you require. The required information is the same as listed in the table above, for example:

CastReporting.Console.Core.exe parameters.xml

Report Generator for Dashboards

You must run the Report Generator for Dashboards in a specific way when used in CLI mode, i.e. via the CastReporting.Console.Core.dll file:

dotnet %path_to_CastReporting.Console.Core.dll% -webservice %webservice% -username %username% -password %password% -application %application% -domain %domain% -template %template% -file %file%

For example:

dotnet "/home/CAST/ReportGeneratorCore/CastReporting.Console.Core.dll" -webservice "http://<server>:<port>/rest/" -username cast -password cast -application "Jurassic Park" -domain "AED" -template "Executive-summary.docx" -file "/home/CAST/temp/Core_Report.docx"

All command line parameters are identical to those listed in the table above. Return codes are also identical to those listed above.
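
The wrapper below is an added example, not part of CAST's documentation or product: it runs the Dashboards CLI form shown above, takes the credentials from environment variables instead of hard-coding them in the script, and reports the return codes documented on this page. The names RG_DLL, CAST_RG_WEBSERVICE, CAST_RG_USERNAME, CAST_RG_PASSWORD, CAST_RG_APIKEY, rg_exec, rg_describe and generate_report, and the wrapper's own exit status 64, are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not CAST code). RG_DLL, CAST_RG_* and the function names are assumptions.
RG_DLL="${RG_DLL:-/home/CAST/ReportGeneratorCore/CastReporting.Console.Core.dll}"

# Launcher hook, kept separate so it can be replaced by a stub when testing.
rg_exec() { dotnet "$RG_DLL" "$@"; }

# Map the return codes documented on this page to their descriptions.
rg_describe() {
  case "$1" in
    0) echo "Report successfully generated" ;;
    1) echo "Bad arguments given to the Report Generator" ;;
    2) echo "Web service cannot be accessed or is badly configured" ;;
    3) echo "Report failed" ;;
    *) echo "Undocumented return code $1" ;;
  esac
}

# Usage: generate_report <application> <domain> <template> <output_file>
# Returns the tool's return code, or 64 for the wrapper's own usage errors.
generate_report() {
  if [ "$#" -ne 4 ]; then
    echo "usage: generate_report <application> <domain> <template> <output_file>" >&2
    return 64
  fi
  # The secret is read from the environment so it never sits in the script file;
  # the CLI itself still receives it as a -password argument.
  if [ -z "${CAST_RG_WEBSERVICE:-}" ] || [ -z "${CAST_RG_USERNAME:-}" ] \
     || [ -z "${CAST_RG_PASSWORD:-}" ]; then
    echo "CAST_RG_WEBSERVICE, CAST_RG_USERNAME and CAST_RG_PASSWORD must be set" >&2
    return 64
  fi
  set -- -webservice "$CAST_RG_WEBSERVICE" -username "$CAST_RG_USERNAME" \
         -password "$CAST_RG_PASSWORD" -application "$1" -domain "$2" \
         -template "$3" -file "$4"
  # SAML deployments: -password carries the API key and -apikey true is added.
  if [ "${CAST_RG_APIKEY:-false}" = "true" ]; then
    set -- "$@" -apikey true
  fi
  rc=0
  rg_exec "$@" || rc=$?
  echo "Report Generator exited with $rc: $(rg_describe "$rc")" >&2
  return "$rc"
}
```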