Report Generator


Overview

Report Generator is a standalone solution for automatically generating reports based on compliance data (CWE Top Ten, ISO-5055, MIPS Reduction, NIST, OMG-ASCQM, OWASP, PCI-DSS, STIG) generated by CAST Imaging. For example, it can be used to prepare and automate assessments for each new version of an application analyzed with CAST Imaging. Documents are based on Microsoft Office templates, which can be modified to meet a particular use case or to comply with a company format. After generation, the resulting document can be further adapted if necessary.

Report Generator is based on the CAST Imaging RestAPI. The following video provides an overview: https://player.vimeo.com/video/85837301

How does it work?

Report Generator is a standalone installation which interacts with the data stored in an application’s result schemas, i.e. the Dashboard (_central) schema (and also the Measurement (general_measure) schema - see note below) via the CAST RestAPI (embedded in CAST Dashboards) to produce various Microsoft Word, Excel and PowerPoint reports from predefined or custom templates.

See Using Report Generator for more information about generating reports.

What about Measurement schemas?

Whilst it is possible to configure Report Generator to interact with a Measurement (general_measure) schema (in particular this is required if you would like to generate Portfolio (i.e. multi-application) templates), you should be aware that the following components are not currently consolidated into the Measurement schema, thus potentially rendering reports (other than Portfolio templates which are designed for Measurement schemas) incomplete. These components all function correctly when a Dashboard schema is configured:

  • CAST_COMPLEXITY
  • CAST_DISTRIBUTION
  • TOP_RISKIEST_TRANSACTIONS
  • TOP_RISKIEST_COMPONENTS
  • ACTION_PLANS
  • ACTION_PLANS_VIOLATIONS
  • CAST_COMPLEXITY_WITH_VIOL
  • IFPUG_FUNCTIONS (≥ v. 1.3.0)

Install flavors

Report Generator is provided in two different downloadable flavors, depending on your requirements:

Component Microsoft Windows Linux UI CLI Dashboard reports support*
Report Generator
Report Generator for Dashboards

Therefore:

  • If you want to generate reports via a UI, use Report Generator.
  • If you need to generate reports via the command line in an automated way on either Linux or Microsoft Windows, use Report Generator for Dashboards. *Note that this component is also required to generate custom reports in Engineering Dashboard ≤ 2.6 - see Step 2 in CAST Report Generator - CAST Report Generator for Dashboards.

Installation coexistence

Report Generator can co-exist on the same machine as older releases, i.e. you can have any combination of releases installed at the same time, for example: 1.24 and 1.23, or 1.24, 1.23 and 1.22 etc.: both the installation location and the template storage location are release number dependent.

Report Generator and Report Generator for Dashboards can co-exist on the same machine (Report Generator for Dashboards does not have an installer and is simply unzipped and run from the unzipped folder).

Requirements

Report Generator is a standalone component and can therefore be installed wherever convenient in your local environment, e.g. on a dedicated machine, or on a machine already used by other CAST Imaging components. It can be installed as many times as necessary in your environment.

CAST recommends following the general hardware and software requirements but note that the component does not require:

  • a powerful CPU nor significant amounts of RAM
  • a Java JRE/JDK

Other requirements:

Standalone dashboards/RestAPI

Report Generator requires an install of a standalone dashboard or RestAPI to function - see Standalone CAST Dashboard deployment process. It cannot (currently) be configured to function with dashboards embedded directly in CAST Imaging.

Extensions

Each release of Report Generator requires that your application source code is analyzed with a specific release of specific extensions so that all reports function correctly. See the Compatibility matrix in the release notes for more information.

License key

A specific license key must be configured with your CAST Dashboard installation. Contact CAST Support if you require this.

Access to CAST Dashboards/RestAPI

You must already have one of the following set up on your local network to connect to one or multiple Dashboard/Measurement schemas populated with at least one Application and snapshot.

  • Embedded Engineering/Health Dashboards
  • Standalone CAST RestAPI
  • Standalone Engineering Dashboard
  • Standalone Health Dashboard
  • Standalone Engineering/Health Dashboard combined

Microsoft .NET

Report Generator requires various flavors of Microsoft .NET to be present on the target machine as listed below. You can determine whether the Microsoft .NET SDK is already installed, and which version, using the following command on either Microsoft Windows (in a PowerShell session) or in a Linux terminal:

dotnet --info

Report Generator release | Minimum .NET SDK release required | Download | Notes
≥ 1.24.x | .NET 6.0.x (SDK) | https://dotnet.microsoft.com/en-us/download/dotnet/6.0 |

The installer will offer to download and install this for you if it is not present on the machine.

Microsoft Office

Report Generator does NOT require an installation of Microsoft Office on the same machine as Report Generator in order to generate reports in Microsoft Office format (.docx, .xlsx, .pptx). However, Microsoft Office is required (the most recent release of standalone Microsoft Office or an installation of Office 365 is highly recommended) if you want to:

  • open reports generated by Report Generator
  • edit existing or create new custom templates
  • generate reports in PDF format either in the UI or via the CLI (using the -file option) - the Microsoft Office runtime is used for this process

Folder access permissions (Report Generator for Dashboards)

If your CAST Dashboards/RestAPI is installed in standalone mode on Apache Tomcat, the user that Apache Tomcat is running as must have read/write access (in Linux environments, typically the “rw-” permission is sufficient) to the following locations:

  • folder into which the Report Generator for Dashboards is unzipped
  • logs sub-folder
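
A least-privilege check for the two locations listed above, as an added example (not CAST's own tooling): it reads the mode bits that apply to the Tomcat account and also flags folders that are world-writable. The install path and account name passed in are assumptions, `stat -c` assumes GNU coreutils on Linux, and ACLs are not evaluated.

```shell
#!/bin/sh
# Added example: audit the folders the Tomcat account must read and write.
# Assumes GNU stat (Linux). POSIX ACLs are not evaluated, only mode bits.

LOGS_SUBDIR=logs   # sub-folder name as given in the list above

# perm_triplet DIR USER: print the rwx triplet of DIR that applies to USER.
perm_triplet() {
    pt_owner=$(stat -c '%U' "$1") || return 2
    pt_group=$(stat -c '%G' "$1")
    pt_mode=$(stat -c '%A' "$1")               # e.g. drwxr-x---
    if [ "$2" = "$pt_owner" ]; then
        printf '%s\n' "$pt_mode" | cut -c2-4   # owner bits
    elif id -Gn "$2" 2>/dev/null | tr ' ' '\n' | grep -qxF -- "$pt_group"; then
        printf '%s\n' "$pt_mode" | cut -c5-7   # group bits
    else
        printf '%s\n' "$pt_mode" | cut -c8-10  # other bits
    fi
}

# audit_rg_dirs ROOT USER: return 0 only if ROOT and ROOT/logs both grant
# USER read+write and neither folder is world-writable.
audit_rg_dirs() {
    ar_rc=0
    for ar_dir in "$1" "$1/$LOGS_SUBDIR"; do
        if [ ! -d "$ar_dir" ]; then
            echo "MISSING  $ar_dir"; ar_rc=1; continue
        fi
        ar_trip=$(perm_triplet "$ar_dir" "$2")
        case $ar_trip in
            rw*) echo "OK       $ar_dir ($2: $ar_trip)" ;;
            *)   echo "NO-RW    $ar_dir ($2: $ar_trip)"; ar_rc=1 ;;
        esac
        # Write access for "other" is broader than the requirement above.
        if [ "$(stat -c '%A' "$ar_dir" | cut -c9)" = "w" ]; then
            echo "WORLD-W  $ar_dir"; ar_rc=1
        fi
    done
    return "$ar_rc"
}

# Usage: sh audit.sh /opt/ReportGeneratorForDashboards tomcat   (both assumed)
if [ "$#" -ge 2 ]; then audit_rg_dirs "$1" "$2"; fi
```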

What’s new?

See the release notes.

Installation

Report Generator (Microsoft Windows)

Download the latest release of Report Generator from https://extend.castsoftware.com/#/extension?id=com.castsoftware.aip.reportgenerator&version=latest - this is an .exe file.

Execute the downloaded .exe file and follow the installation wizard. You will be prompted to choose installation folders for executables and for templates. On completion, the installer will offer to automatically install the Microsoft .NET SDK.

If you choose to install the Microsoft .NET SDK (≥ 1.15.x only), a command window will open and the SDK will be downloaded. You need to press ENTER on your keyboard to allow the installation to proceed.

The SDK installer will then launch; click Install to proceed.

Report Generator for Dashboards

Download the latest release of Report Generator for Dashboards from https://extend.castsoftware.com/#/extension?id=com.castsoftware.aip.reportgeneratorfordashboard&version=latest - this is a .zip file.

Unzip the .zip file anywhere on your local disk (there is no installer) - the tool is run directly from the unzipped folder.

Post install configuration

Configuring access to the data

Open Report Generator and enter the URL of your CAST RestAPI installation with /rest appended to the end (for example: http://server[:port]/rest) into the Web Service field. Next, enter the login credentials for the RestAPI installation into the User and Password fields. Depending on the authentication mode that is configured, you need to log in with a pre-supplied username and password or your corporate username and password. If in doubt, contact your CAST Administrator.

Click the Validate button to test the connection: validation test results will then be displayed in the right-hand Messages panel. When the validation is successful, you are connected and can generate reports.

The CAST Report Generator can also be configured to interact with multiple CAST Dashboard/Rest API installations if required. Use the WebService Configuration option to add additional URLs:

Ensure you select a URL and make it the default using the Active button:

Finally, to confirm the configuration is working correctly, check that you can see at least one application in the drop-down indicated below:

UI tool Settings

The Report Generator UI contains a small set of configurable options via the Settings menu:

Path template

Changes the location for the storage of templates.

Language

Provides access to GUI localization, log messages and some aspects of the generated report in English, French, German, Spanish, Italian and Chinese Simplified (zh_CN).

When Chinese (Simplified, PRC) is selected, the following also occurs:

  • The path to the templates will be changed to %PROGRAMDATA%\CAST\ReportGenerator\<version>\Templates\zh_CN so that Chinese language specific templates are used instead of the default English language templates. These templates have NOT been translated into Chinese, but the option is now available for manual translation.
  • The Report Generator will request all Assessment Model information in Chinese (Simplified, PRC), i.e. any reports that are generated will contain rule descriptions in Chinese (Simplified, PRC).

Thresholds

Defines the thresholds for the APPLICATION_SIZE_TYPE and APPLICATION_QUALITY_TYPE placeholders (see the base templates for more information).

Logs

Report Generator saves a log of all interactions in the following location (one log file per day is generated):

Report Generator (UI):
%PROGRAMDATA%\CAST\ReportGenerator\<version>\Logs\<ReportGenerator_YYYYMMDD>.log

Report Generator for Dashboards:
Logs folder (located in the folder into which you have unzipped the CAST Report Generator for Dashboards)

By default, the log files are set to “INFO” level verbosity, but you can change this if necessary. Open the following file with a text editor:

Report Generator (UI):
%PROGRAMFILES%\CAST\ReportGenerator\<version>\log4net.config

Report Generator for Dashboards:
log4net.config (located in the folder into which you have unzipped the CAST Report Generator for Dashboards)

Locate the following section in the file and change the <level value="INFO"> parameter to <level value="DEBUG">:

<root>
    <!--
      ALL or DEBUG : Display all messages which are typed DEBUG, INFO, WARN, ERROR or FATAL
      INFO         : Display all messages which are typed INFO, WARN, ERROR or FATAL
      WARN         : Display all messages which are typed WARN, ERROR or FATAL
      ERROR        : Display all messages which are typed ERROR or FATAL
      FATAL        : Display all messages which are typed FATAL
      OFF          : Display no messages
    -->
    <level value="DEBUG" />

Save the file and then restart the Report Generator for the new log configuration to be taken into account.
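
The edit described above can be scripted for Report Generator for Dashboards on Linux. The following is an added example (not CAST's own tooling) that keeps a backup and changes only the level inside `<root>`, leaving any other `<level>` element in the file untouched. It assumes the real file closes the section with `</root>`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: change only the <root> logger level in a log4net.config.
# Assumes the real file closes the section with </root>.

# root_level FILE: print the level currently set inside <root>.
root_level() {
    sed -n '/<root>/,/<\/root>/ s/.*<level value="\([A-Za-z]*\)".*/\1/p' "$1"
}

# set_root_level FILE LEVEL: keep FILE.bak, then rewrite the <root> level.
# <level> elements under any other element are left untouched.
set_root_level() {
    case $2 in
        ALL|DEBUG|INFO|WARN|ERROR|FATAL|OFF) ;;   # values listed in the file
        *) echo "unsupported level: $2" >&2; return 2 ;;
    esac
    [ -f "$1" ] || { echo "not found: $1" >&2; return 1; }
    cp -p "$1" "$1.bak" || return 1
    # Write through the existing file so its owner and mode are preserved.
    sed "/<root>/,/<\/root>/ s/\(<level value=\"\)[A-Za-z]*\"/\1$2\"/" \
        "$1.bak" > "$1" || return 1
    [ "$(root_level "$1")" = "$2" ]   # non-zero if nothing matched
}

# Usage: sh setlevel.sh ./log4net.config DEBUG
if [ "$#" -ge 2 ]; then set_root_level "$1" "$2"; fi
```

Once troubleshooting is finished, run it again with INFO (the default level stated above) and restart Report Generator.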