Security Dashboard - Report Generation


Summary: This page provides instructions for configuring and using the Report Generation feature.

Introduction

The Report Generation feature allows you to generate reports on the fly direct from the CAST Security Dashboard interface. Various reports can be generated, however, some require some configuration before they will work. 

Changing the language in reports

From ≥ 2.8, reports can be generated in the following languages:

  • German
  • Italian
  • Spanish
  • French
  • Chinese

To ensure that reports are generated in one of these languages, ensure that the Dashboard is localized to the chosen language using the User > Change Language menu, then generate a report. Some of the items in the generated reports will then be in the chosen language:

 

Accessing the Report Generation feature

From the Side Menu bar, click the following icon:

Available report categories

Following types of report categories are available:

CategoryReleaseEnabled by default?CAST Report Generator for Dashboards required?Additional configuration required?Output formatAvailable reports
Security Reports≥ 2.8(tick) (error)(error) PDF

≥ 2.7(tick)(error)(error)PDF

Available reports include:

Note that the default list of reports can be customized.
≤ 2.6(tick)(tick)(tick) See section below.Same format as the associated CAST Report Generator templates.

Miscellaneous Reports 

≥ 2.8(tick)(error)(error)

PDF

≤ 2.7(tick)(error)(error)

Inline in the browser

Can be downloaded in Excel format.

Available reports include:

Custom Reports

≥ 2.7Not available.
≤ 2.6(error)(tick)(tick) See section below.Same format as the associated CAST Report Generator templates.This category enables you to define your own custom reports via CAST Report Generator templates.

Security and Industry Compliance Reports

This category provides reports on various industry recognized standards such as:

  • CISQ
  • CWE
  • OWASP
  • STIG (Security Technical Implementation Guide)
  • PCI (Payment Card Industry)
  • NIST (National Institute of Standards and Technology)
  • OMG (Object Management Group)
  • CISQ (not available in ≥ 2.4)

In ≥ 2.11, chapter bookmarks have been added to the Security and Industry Compliance PDF reports:

Configuration process

≥ 2.7

When using ≥ 2.7 no additional configuration is required as all reports are generated by the dashboard in PDF format.

Templates (in .json format) are stored in the Dashboard installation files in the "config/templates" folder within the installed "data" location:

≤ 2.6

These reports are based on templates provided with CAST Report Generator and therefore CAST Report Generator for Dashboards (v. ≥ 1.9.0) must be present on the server running Apache Tomcat hosting your Security Dashboard in order for the reports to function. In addition the report.properties file in your deployed Dashboard must be modified. See Report Generation configuration and CAST Report Generator - CAST Report Generator for Dashboards for more detailed instructions about the configuration process.

Generation process

Choose a report type from the  Security Reports and click the Generate Report button:

Version 2.8

Version ≤ 2.7

The report file name should contain the:

  • application name
  • snapshot version
  • report type

For example: MEUDON_NEW-Snapshot-2022-07-07T12-02-59-ISO-5055 Compliance Report.pdf (MEUDON is an Application name).

Behaviour in ≥ 2.8 

Below screen is displayed with an option to select the REPORT CATEGORY: Security or Miscellaneous.

Reports can be sorted and searched using the options: REPORT TYPE ^ and Search.

Clicking the GENERATE button will display the below screen with the following message: Report generation started in new window (allowing you to continue using Security Dashboard while the report is being generated as explained in Behaviour in ≥ 2.7 releases):

Behaviour in ≥ 2.7 releases

A new tab will be opened in your browser (allowing you to continue using Security Dashboard while the report is being generated):

The report will be generated in PDF format and auto downloaded to the default "downloads" folder used by your browser:

If the generation fails, a message is displayed:

Behaviour in ≤ 2.6 releases

The report will be generated and auto downloaded to the default "downloads" folder used by your browser. Reports are generated using the same format as the associated CAST Report Generator templates. A notification message is displayed when the report is generated:

If the report fails to generate, a notification is also displayed with the error message.

This example shows that CAST Report Generator for Dashboards has not been configured:


Miscellaneous Reports

This category provides reports that can easily show where the biggest changes in violations between snapshots have occurred:

In versions ≥ 2.8 

The options available for Miscellaneous Reports and their behaviour remain same for version 2.8 as in versions ≤ 2.7.

In versions ≤ 2.7 

These reports are provided inline in the browser and do not require CAST Report Generator for Dashboards nor any additional configuration

These reports are provided inline in the browser and do not require CAST Report Generator for Dashboards nor any additional configuration. Reports can be downloaded in Excel format:

Drill down to violation source code is also possible for some reports:

Report options

The following options are available for Miscellaneous Reports:

CategoryReleaseDetails
Filter on Health Measure

Version 2.8

REPORT TYPE can be sorted using the button "^". Search option helps to find a specific report type. For some reports it is possible to filter results on a specific Health Measure. By default, the TQI measure will be active, but it is possible to choose a different measure if necessary:

Versions ≤ 2.7

For some reports it is possible to filter results on a specific Health Measure. By default, the TQI measure will be active, but it is possible to choose a different measure if necessary:

Note that not all reports can be filtered in this way.
Download reports

Version 2.8

Report results can be downloaded in Excel format:

Versions ≤ 2.7

Report results can be downloaded in Excel format:

Critical flag

Version 2.8

Indicates whether the related rule is critical or not:

Versions ≤ 2.7

Indicates whether the related rule is critical or not:

All versions

Click to drill down to violation's source code (not available in all reports).

Click to drill down to the selected object and view it in the Application Investigation view.

Custom Reports

In ≥ 2.7, the option to generate Custom Reports using CAST Report Generator for Dashboards has been removed.

This category enables you to define your own custom reports via CAST Report Generator templates. The category is disabled by default (i.e. it does not contain any report templates). The templates you want to generate must be present on the server hosting Apache Tomcat in the "Templates" sub folder of your CAST Report Generator for Dashboards deployment location.

Adding custom reports

To enable and define the reports for the category, edit the following file:

%CATALINA_HOME%\webapps\CAST-Security\security\resources\ced.json
For v.≥ 1.18: CATALINA_HOME\webapps\CAST-Security\security\resources\ed.json

Find the following configuration section:

{
	"id": "custom",
	"label": "Custom Reports",
	"reportTemplates":[]
}

To add your report for a custom template called Executive summary PPT.pptxAEP Sample Report.xlsx and My Custom Template 2019.docx change it as follows. Save the file and restart the host Apache Tomcat server for the changes to be applied:

{
	"id": "custom",
	"label": "Custom Reports",
	"reportTemplates":[
		{
            "templateLabel": "Executive summary PPT",
            "templateId": "Executive+summary+PPT",
            "fileType":"pptx"
		},
		{
            "templateLabel": "AEP Sample Report",
            "templateId": "AEP+Sample+Report",
            "fileType":"xlsx"
		},
		{
			"templateLabel": "My Custom Template 2019",
			"templateId": "My+Custom+Template+2019",
			"fileType":"docx"
		}   
	]
}


  • Custom templates should be available in the Templates folder within the CAST Report Generator for Dashboards deployment folder, for example: ReportGeneratorCLIforAllOS\Templates.
  • templateLabel is a free text, this is used in the drop down list in the dashboard.

  • templateId should be the file name of the custom template name without the file extension and "+" signs in place of white space. For example, if your custom template name is My Custom Template.docx the templateId should be configured as "templateId": "My+Custom+Template+2019".

Adding custom report categories

Note that custom report categories are available in version ≥ 1.11.0.

Multiple Custom Report categories can be added, alongside the existing default "Custom Report" category. These custom categories can then be populated with custom reports in exactly the same way as the default "Custom Reports" category (see Adding custom reports above):

To add a custom report category, edit the following file:

%CATALINA_HOME%\webapps\CAST-Security\engineering\resources\ced.json
For v.≥ 1.18: CATALINA_HOME\webapps\CAST-Engineering\engineering\resources\ed.json

Find the following configuration section:

{
	"id": "custom",
	"label": "Custom Reports",
	"reportTemplates":[]
}

First add a comma immediately at the end of the preceding section:

{
	"id": "custom",
	"label": "Custom Reports",
	"reportTemplates":[]
},

Now add a new section for your category and give it a unique "label" (example shown below). Populate it with your custom templates - the custom report category and custom templates will then be available for generation.

{
	"id": "custom",
	"label": "Custom Reports",
	"reportTemplates":[]
},
{
	"id": "CustomReport",
	"label": "Custom Reports_Category1",
	"reportTemplates":[
		{
			"templateLabel": "Custom report type1",
			"templateId": "CISQ+-+custom-+Summary",
			"fileType":"docx"
		},
		{
			"templateLabel": "Custom report type2",
			"templateId": "OWASP+-+custom-+Summary" ,
			"fileType":"docx"
		}
	]
}

Generation process

Choose a custom report type from the Custom Reports category and click the Generate Report button: