Summary: This page provides instructions for configuring and using the Report Generation feature.

...

The Report Generation feature allows you to generate reports on the fly directly from the CAST Security Dashboard interface. Various reports can be generated; however, some require configuration before they will work.

Info

Changing the language in reports

In ≥ 2.8, reports can be generated in the following languages:

  • German
  • Italian
  • Spanish
  • French
  • Chinese

To generate reports in one of these languages, localize the Dashboard to the chosen language using the User > Change Language menu, then generate a report. Some of the items in the generated reports will then be in the chosen language.

Accessing the Report Generation feature

From the Side Menu bar, click the following icon:


Available report categories

The following report categories are available:

CategorySame format as the associated CAST Report Generator templates.(tick)

Available reports include:


Category | Release | Enabled by default? | CAST Report Generator for Dashboards required? | Additional configuration required? | Output format | Available reports
Security Reports(tick)(tick)(tick) See section below.≥ 2.8(tick) (error)(error) PDF


≥ 2.7(tick)(error)(error)PDF

Available reports include:


Info
Note that the default list of reports can be customized.
Industry Compliance Reports(tick)(tick)


≤ 2.6(tick)(tick)(tick) See section below.Same format as the associated CAST Report Generator templates.

Miscellaneous Reports 

≥ 2.8(tick)(error)(error)

PDF


≤ 2.7(tick)(error)(error)
Info
Note that the default list of reports can be customized.

Miscellaneous Reports 

(tick)(error)(error)

Inline in the browser

Can be downloaded in Excel format.

Available reports include:


Custom Reports

≥ 2.7Not available.≤ 2.6(error)(tick)(tick)(error)(tick)(tick) See section below.Same format as the associated CAST Report Generator templates.This category enables you to define your own custom reports via CAST Report Generator templates.

Security and Industry Compliance Reports

...

  • CISQ
  • CWE
  • OWASP
  • STIG (Security Technical Implementation Guide)
  • PCI (Payment Card Industry)
  • NIST (National Institute of Standards and Technology)
  • OMG (Object Management Group)
  • CISQ (not available in ≥ 2.4)
Info

In ≥ 2.11, chapter bookmarks have been added to the Security and Industry Compliance PDF reports:


Configuration process


...

≥ 2.7

When using ≥ 2.7 no additional configuration is required as all reports are generated by the dashboard in PDF format.

Info

Templates (in .json format) are stored in the Dashboard installation files in the "config/templates" folder within the installed "data" location:


≤ 2.6

...

These reports are based on templates provided with CAST Report Generator and therefore CAST Report Generator for Dashboards (v. ≥ 1.109.0) must be present on the server running Apache Tomcat that hosts your Security Dashboard in order for the reports to function. In addition, the report.properties file in your deployed Dashboard must be modified, as explained below; see also Report Generation configuration and CAST Report Generator - CAST Report Generator for Dashboards. Assuming CAST Report Generator for Dashboards is present on the host machine, the next step is to configure the dashboard. Edit the following file with a text editor:

Code Block
languagetext
%CATALINA_HOME%\webapps\CAST-Security\WEB-INF\report.properties

Find the following options and modify as explained below:

Code Block
languagetext
# Set the Report Generator path
# If this variable is not set then the document generation is considered as disabled.
# The path is probably something such as (Linux/Windows):
#report.reportGenerator=dotnet /opt/report-generator/CastReporting.Console.Core.dll 
#report.reportGenerator=dotnet c:\\ReportGenerator\\CastReporting.Console.Core.dll

# Set the directory of reports
#report.directory=/tmp/reports
#report.directory=c:\\temp\\reports

# Set the current Web Service URL. The current REST API called back by the Report Generator.
report.webServiceURL=http://localhost:8888/CAST-RESTAPI/rest

...

report.reportGenerator=dotnet

Add a new line pointing to the location of the CastReporting.Console.Core.dll (part of CAST Report Generator for Dashboards) on the server hosting Apache Tomcat. You can also uncomment and modify an example line. For example:

Code Block
languagetext
report.reportGenerator=dotnet c:\\ReportGeneratorforDashboards\\CastReporting.Console.Core.dll
Note
Note that the path to CastReporting.Console.Core.dll when using Microsoft Windows must always use double back slashes (\\) or single forward slashes (/) - the single back slash (\) is not valid.

...

report.directory=

Add a new line pointing to the temporary folder where the reports will be generated on the server hosting Apache Tomcat. You can also uncomment and modify an example line. For example:

Code Block
languagetext
report.directory=c:\\temp\\reports
Note

Note that:

  • The path to the temporary folder, when using Microsoft Windows, must always use double back slashes (\\) or single forward slashes (/) - the single back slash (\) is not valid.
  • The user that Apache Tomcat is running as must have read/write access to this location. In Linux environments, typically the "rw-" permission is sufficient.

See the pages referenced above for more detailed instructions about the configuration process.

Generation process

Choose a report type from the Security Reports category and click the Generate Report button:

Version 2.8


Version ≤ 2.7


The report file name should contain the:

  • application name
  • snapshot version
  • report type

For example: MEUDON_NEW-Snapshot-2022-07-07T12-02-59-ISO-5055 Compliance Report.pdf (MEUDON is an Application name).

Behaviour in ≥ 2.8 

A screen is displayed with an option to select the REPORT CATEGORY: Security or Miscellaneous.


Info

Reports can be sorted and searched using the options: REPORT TYPE ^ and Search.


Clicking the GENERATE button displays the following message: Report generation started in new window (allowing you to continue using Security Dashboard while the report is being generated, as explained in Behaviour in ≥ 2.7 releases).

Behaviour in ≥ 2.7 releases

A new tab will be opened in your browser (allowing you to continue using Security Dashboard while the report is being generated):


The report will be generated in PDF format and auto downloaded to the default "downloads" folder used by your browser:


If the generation fails, a message is displayed:


Behaviour in ≤ 2.6 releases

...

report.webServiceURL=

Modify the existing line to point to the RestAPI in your CAST Security Dashboard deployment. This is used by the CAST Report Generator for Dashboards. For example:

Code Block
languagetext
report.webServiceURL=http://<server>:<port>/<dashboard>/rest
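
A pre-flight check for the three report.properties settings described above (≤ 2.6 only), as an added example that is not part of the original page or CAST's own tooling. The function names and both sample files are constructed for illustration; pass check_fs=True while running as the user Apache Tomcat runs as to test read/write access to report.directory.

```python
import os
import re

# A back slash with no back slash beside it: the form the page calls invalid.
LONE_BACKSLASH = re.compile(r"(?<!\\)\\(?!\\)")

# Constructed samples, not taken from a real deployment.
BAD_SAMPLE = r"""
#report.reportGenerator=dotnet c:\\ReportGenerator\\CastReporting.Console.Core.dll
report.directory=c:\temp\reports
report.webServiceURL=http://<server>:<port>/<dashboard>/rest
"""
GOOD_SAMPLE = r"""
report.reportGenerator=dotnet c:\\ReportGeneratorforDashboards\\CastReporting.Console.Core.dll
report.directory=c:\\temp\\reports
report.webServiceURL=http://localhost:8888/CAST-RESTAPI/rest
"""

def parse_properties(text):
    """Return active key -> raw value pairs; blank and '#' lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_report_properties(text, check_fs=False):
    """Return findings for the three settings; check_fs also tests directory access."""
    props, findings = parse_properties(text), []
    for key in ("report.reportGenerator", "report.directory"):
        value = props.get(key, "")
        if not value:
            findings.append(f"{key}: not set")
        elif LONE_BACKSLASH.search(value):
            findings.append(f"{key}: single back slash in path")
    directory = props.get("report.directory", "").replace("\\\\", "\\")
    if check_fs and directory and not any("report.directory" in f for f in findings):
        # Meaningful only when run as the user Apache Tomcat runs as.
        if not (os.path.isdir(directory) and os.access(directory, os.R_OK | os.W_OK)):
            findings.append("report.directory: not a read/write directory")
    url = props.get("report.webServiceURL", "")
    if not url.startswith(("http://", "https://")) or "<" in url:
        findings.append("report.webServiceURL: not a concrete REST API URL")
    return findings

if __name__ == "__main__":
    for name, sample in (("bad", BAD_SAMPLE), ("good", GOOD_SAMPLE)):
        print(name, check_report_properties(sample))
```

An unset report.reportGenerator is reported because, per the comments in the shipped file, document generation is then considered disabled.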

Generation process

Choose a report type from the Security Reports or Industry Compliance Reports category and click the Generate Report button:

...

The report will be generated and auto downloaded to the default "downloads" folder used by your browser. Reports are generated using the same format as the associated CAST Report Generator templates. The report file name should contain the:

  • application name
  • snapshot version
  • report type

For example: MEUDON-Computed on 201903061327-OWASP-2017-Top10 - Summary.docx (MEUDON is an Application name).

A notification message is displayed when the report is generated:

...

If the report fails to generate, a notification is also displayed with the error message. Please refer to this page about error message handling: Report Service - 1.9.0.

This example shows that CAST Report Generator for Dashboards has not been configured:

...

This category provides reports that can easily show where the biggest changes in violations between snapshots have occurred:

In versions ≥ 2.8 


Info

The options available for Miscellaneous Reports and their behaviour remain the same in version 2.8 as in versions ≤ 2.7.

In versions ≤ 2.7 

These reports are provided inline in the browser and do not require CAST Report Generator for Dashboards nor any additional configuration. Reports can be downloaded in Excel format:

...

Drill down to violation source code is also possible for some reports:

Report options

The following options are available for Miscellaneous Reports:

Category | Release | Details
Filter on Health Measure

Version 2.8

REPORT TYPE can be sorted using the "^" button. The Search option helps to find a specific report type. For some reports it is possible to filter results on a specific Health Measure. By default, the TQI measure will be active, but it is possible to choose a different measure if necessary:

Versions ≤ 2.7

For some reports it is possible to filter results on a specific Health Measure. By default, the TQI measure will be active, but it is possible to choose a different measure if necessary:


Info
Note that not all reports can be filtered in this way.


Download reports

Version 2.8

Report results can be downloaded in Excel format:


Versions ≤ 2.7

Report results can be downloaded in Excel format:


Critical flag

Version 2.8

Indicates whether the related rule is critical or not:


Versions ≤ 2.7

Indicates whether the related rule is critical or not:


All versions

Click to drill down to the violation's source code (not available in all reports).

Click to drill down to the selected object and view it in the Application Investigation view.

Custom Reports

Info

In ≥ 2.7, the option to generate Custom Reports using CAST Report Generator for Dashboards has been removed.

This category enables you to define your own custom reports via CAST Report Generator templates. The category is disabled by default (i.e. it does not contain any report templates). The templates you want to generate must be present on the server hosting Apache Tomcat in the "Templates" sub folder of your CAST Report Generator for Dashboards deployment location.

Adding custom reports

...