Summary: this page describes the new features and bugs that have been fixed in the CAST Security Dashboard 1.10.0.

Content matrix

VersionSummary of content
1.10.0
  • Generation of reports direct from the Security Dashboard
  • JIRA integration feature for the CAST Security Dashboard (in alpha release)
  • Custom reports in PPTX, XLSX and DOCX formats for the CAST Security Dashboard
  • Full Chinese translation available by default

New features

Report Generation feature

The ability to generate a range of reports direct from the CAST Security Dashboard has been introduced in this release. Various reports can be generated, however, some rely on the presence of CAST Report Generator for Dashboards (v. ≥ 1.10.0) in order to function.

Accessing the feature

From the Side Menu bar, click the following icon:

Available report categories

Various report categories are available:

CategoryEnabled by default?CAST Report Generator for Dashboards required?Additional configuration required?Output formatAvailable reports
Security Reports(tick)(tick)(tick)  See section below.Same format as the associated CAST Report Generator templates.

Available reports include:

Note that the default list of reports can be customized.


Industry Compliance Reports(tick)(tick)(tick) See section below.Same format as the associated CAST Report Generator templates.

Available reports include:

Note that the default list of reports can be customized.


Miscellaneous Reports 

(tick)(error)(error)

Inline in the browser

Can be downloaded in Excel format.

Available reports include:

Custom Reports 

(error)(tick)(tick) See section below.Same format as the associated CAST Report Generator templates.This category enables you to define your own custom reports via CAST Report Generator templates.

Security and Industry Compliance Reports

This category provides reports on various industry recognized standards such as:

Configuration process

These reports are based on templates provided with CAST Report Generator and therefore CAST Report Generator for Dashboards (v. ≥ 1.10.0) must be present on the server hosting Apache Tomcat in order for the reports to function. Some additional configuration is also required as explained below.

Assuming CAST Report Generator for Dashboards is present on the host machine, the next step is to configure the dashboard. Edit the following file with a text editor:

%CATALINA_HOME%\webapps\CAST-Security\WEB-INF\report.properties

Find the following options and modify as explained below:

# Set the Report Generator path
# If this variable is not set then the document generation is considered as disabled.
# The path is probably something such as (Linux/Windows):
#report.reportGenerator=dotnet /opt/report-generator/CastReporting.Console.Core.dll 
#report.reportGenerator=dotnet c:\\ReportGenerator\\CastReporting.Console.Core.dll

# Set the directory of reports
#report.directory=/tmp/reports
#report.directory=c:\\temp\\reports

# Set the current Web Service URL. The current REST API called back by the Report Generator.
report.webServiceURL=http://localhost:8888/CAST-RESTAPI/rest


report.reportGenerator=dotnet

Add a new line pointing to the location of the CastReporting.Console.Core.dll (part of CAST Report Generator for Dashboards) on the server hosting Apache Tomcat. You can also uncomment and modify an example line. For example:

report.reportGenerator=dotnet c:\\ReportGeneratorforDashboards\\CastReporting.Console.Core.dll

Note that the path to CastReporting.Console.Core.dll when using Microsoft Windows must always use double back slashes (\\) or single forward slashes (/) - the single back slash (\) is not valid.


report.directory=

Add a new line pointing to the temporary folder where the reports will be generated on the server hosting Apache Tomcat. You can also uncomment and modify an example line. For example:

report.directory=c:\\temp\\reports

Note that:

  • the path to the temporary folder when using Microsoft Windows, must always use double back slashes (\\) or single forward slashes (/) - the single back slash (\) is not valid.
  • The user that Apache Tomcat is running as must have read/write access to this location. In Linux environments, typically the "rw-" permission is sufficient.


report.webServiceURL=

Modify the existing line to point to the RestAPI in your CAST Security Dashboard deployment. This is used by the CAST Report Generator for Dashboards. For example:

report.webServiceURL=http://<server>:<port>/<dashboard>/rest


Generation process

Choose a report type from the Security Reports or Industry Compliance Reports category and click the Generate Report button:

The report will be generated and auto downloaded with your browser. Reports are generated using the same format as the associated CAST Report Generator templates. The report file name should contain the:

For example: MEUDON-Computed on 201903061327-OWASP-2017-Top10 - Summary.docx (MEUDON is an Application name).

A notification message is displayed when the report is generated:

If the report fails to generate, a notification is also displayed with the error message. Please refer this page about error messages handling: Report Service - 1.9.0.

This example shows that CAST Report Generator for Dashboards has not been configured:


Miscellaneous Reports

This category provides reports that can easily show where the biggest changes in violations between snapshots have occurred:

These reports are provided inline in the browser and do not require CAST Report Generator for Dashboards nor any additional configuration. Reports can be downloaded in Excel format:

Custom Reports

This category enables you to define your own custom reports via CAST Report Generator templates. The category is disabled by default (i.e. it does not contain any report templates). The templates you want to generate must be present on the server hosting Apache Tomcat in the "Templates" sub folder of your CAST Report Generator for Dashboards deployment location.

Configuration process

To enable and define the reports for the category, edit the following file:

%CATALINA_HOME%\webapps\CAST-Security\security\resources\ced.json
For v.≥ 1.18: %CATALINA_HOME%\webapps\CAST-Security\security\resources\ed.json

Find the following configuration section:

{
	"id": "custom",
	"label": "Custom Reports",
	"reportTemplates":[]
}

To add your report for a custom template called Executive summary PPT.pptxAEP Sample Report.xlsx and My Custom Template 2019.docx change it as follows. Save the file and restart the host Apache Tomcat server for the changes to be applied:

{
	"id": "custom",
	"label": "Custom Reports",
	"reportTemplates":[
		{
            "templateLabel": "Executive summary PPT",
            "templateId": "Executive+summary+PPT",
            "fileType":"pptx"
		},
		{
            "templateLabel": "AEP Sample Report",
            "templateId": "AEP+Sample+Report",
            "fileType":"xlsx"
		},
		{
			"templateLabel": "My Custom Template 2019",
			"templateId": "My+Custom+Template+2019",
			"fileType":"docx"
		}   
	]
}


  • Custom templates should be available in the Templates folder within the CAST Report Generator for Dashboards deployment folder, for example: ReportGeneratorCLIforAllOS\Templates.
  • templateLabel is a free text, this is used in the drop down list in the dashboard.

  • templateId should be the file name of the custom template name without the file extension and "+" signs in place of white space. For example, if your custom template name is My Custom Template.docx the templateId should be configured as "templateId": "My+Custom+Template+2019".

Generation process

Choose a custom report type from the Custom Reports category and click the Generate Report button:

Atlassian JIRA integration

Note that the JIRA integration:

  • has been released as an Alpha feature in 1.10 as the current version of the feature does not cater to all possible use cases and as such there is no official support provided. Going forward, we would like to test some of our hypotheses with our customers and improve on this. However, we encourage you to test the feature and see how it fits into your organizational needs. We would be extremely thankful if you kindly participate with your feedback and help us refine the feature. Thank you.

  • requires a Dashboard Service schema configured for use with the CAST Security Dashboard that has been installed with CAST AIP ≥ 8.3.12. An error will be displayed if this requirement is not met.

The 1.10.0 release of the CAST Security Dashboard introduces an Atlassian JIRA integration that allows Atlassian JIRA tickets to be created directly from the interface of the CAST Security Dashboard. More specifically, one JIRA ticket can be created per violation that has been added to the Action Plan. Multiple tickets can also be created at the same time.

By default in 1.10.0, this feature is not active and therefore requires configuration before it can be used.

Enabling JIRA integration

Edit the following file:

%CATALINA_HOME%\webapps\CAST-Security\security\resources\ced.json

Add a new parameter called "JIRAConfig": true, into the "configuration" section as shown below:

{
	"description": "used as a placeholder for as much as possible relevant default application parameters, please do not edit manually",
	"configuration": {
		"defaultLanguage": "English",
		"description": "To configure new language for application, define customLanguages as [{'label': 'languageName', 'value': 'localeFolderName'}]",
		"customLanguages": [],
		"requestAccess": false,
		"JIRAConfig": true,
		"confirmLogout": true,
		"filterHealthFactor": true,
		"violationsCount" : 5000,
		"reportCategory": [

Save the file and restart the host Apache Tomcat server for the changes to be applied. After the feature is active, the following will now be visible in the Action Plan:

Create JIRA ticket menu option

Ticket ID column

Configuring the JIRA integration

To configure the JIRA integration feature, create a new file called jira.properties in the following location (you can also download a sample jira.properties file with "dummy" data in it):

%CATALINA_HOME%\webapps\CAST-Security\WEB-INF\

Fill in the following information to connect to your own JIRA instance. Save the file and restart the host Apache Tomcat server for the changes to be applied.

jira.url=
jira.userName=
jira.userPassword=
jira.issueType=
jira.projectKey=


jira.url

Enter your JIRA instance RestAPI URL, for example:

https://jira.company.com/rest/api/2/


jira.userNameEnter the name of the JIRA user that will be used to create the JIRA tickets. You may wish to create a "service" type account specifically for this.
jira.userPasswordEnter the password that corresponds to the JIRA user you entered previously.
jira.issueType

Enter the type of JIRA ticket you would like to create. For example:

  • Task
  • Story
  • Epic

You can view the available ticket types in the JIRA project configuration settings, which can generally be found here (change the domain name and PROJECTKEY to suit your own environment):

https://jira.company.com/plugins/servlet/project-config/PROJECTKEY/summary


jira.projectKeyEnter the JIRA project key (not the name) in which you would like the JIRA tickets to be created.

Using the JIRA integration

To create a ticket for one single violation that has been added to the Action Plan, select the violation and choose Create JIRA ticket for selected violations:

The ticket will then be created and if successful a popup will be displayed:

You can create multiple tickets by selecting multiple violations and then choosing the Create JIRA ticket for selected violations. By default a maximum of 10 tickets can be created in one go - if you attempt to create more than this, a popup will be displayed:

If you attempt to create a ticket for a violation and the corresponding ticket already exists in JIRA, the following message will be displayed:

JIRA ticket fields populated by CAST

The following fields in the JIRA ticket are auto populated by CAST as follows:

Ticket title/summary

<CAST RULE NAME> - <OBJECT NAME>

E.g.:

Avoid empty catch blocks - C:\CAST\DEPLOY\APPLICATION\JEE\com\castsoftware\util\io\Recorder.java

TypeIssue type is set in the jira.properties file in jira.issueType.
StatusTo Do
ResolutionUnresolved
Assignee
Project lead as configured in JIRA. You can view the Project lead in the JIRA project configuration settings, which can generally be found here (change the domain name and PROJECTKEY to suit your own environment):
https://jira.company.com/plugins/servlet/project-config/PROJECTKEY/summary


ReporterThe user defined in the jira.properties file in jira.userName.
Priority/WorkflowSet to the default value for the ticket type.
DescriptionThis will be populated with information to help identify the violation.

Modifying the ticket creation limit

By default, a maximum of 10 tickets can be created in one go. If you would like to change this limit, edit the following file:

%CATALINA_HOME%\webapps\CAST-Security\security\resources\ced.json

Add a new parameter called violationsCountForJIRA into the configuration section and specify the limit you want to use - for example 20 has been chosen below. Save the file and restart the host Apache Tomcat server for the changes to be applied.

{
	"description": "used as a placeholder for as much as possible relevant default application parameters, please do not edit manually",
	"configuration": {
		"defaultLanguage": "English",
		"description": "To configure new language for application, define customLanguages as [{'label': 'languageName', 'value': 'localeFolderName'}]",
		"customLanguages": [],
		"requestAccess": false,
		"JIRAConfig": true,
		"confirmLogout": true,
		"filterHealthFactor": true,
		"violationsCount": 5000,
		"violationsCountForJIRA": 20
		"reportCategory": [

SAML changes

Some changes have been made to login/logout behaviour for dashboards that are using SAML authentication:

Chinese language locale now fully translated

All dashboard interface text has now been fully translated in to Chinese (zh_CN) and is available in:

%CATALINA_HOME%\webapps\CAST-Security\security\locales\zh_CN\translation.json

This means that you can select the Chinese language "out of the box" and all items will now be displayed in the target language. See also CAST Dashboard Package - Dashboard localization.

Ability to generate a specific type of custom report (Word, Excel, PowerPoint)

Custom reports can now be generated based on the presence of Report Generator templates. Up until now, no distinction was made for the type of report (Word, Excel, PowerPoint), however this has now been introduced by the addition of the filetype parameter.

To enable and define the reports for the category, edit the following file:

%CATALINA_HOME%\webapps\CAST-Security\security\resources\ced.json

Find the following configuration section:

{
	"id": "custom",
	"label": "Custom Reports",
	"reportTemplates":[]
}

To add your report for a custom template called Executive summary PPT.pptxAEP Sample Report.xlsx and My Custom Template 2019.docx change it as follows. Save the file and restart the host Apache Tomcat server for the changes to be applied:

{
	"id": "custom",
	"label": "Custom Reports",
	"reportTemplates":[
		{
            "templateLabel": "Executive summary PPT",
            "templateId": "Executive+summary+PPT",
            "fileType":"pptx"
		},
		{
            "templateLabel": "AEP Sample Report",
            "templateId": "AEP+Sample+Report",
            "fileType":"xlsx"
		},
		{
			"templateLabel": "My Custom Template 2019",
			"templateId": "My+Custom+Template+2019",
			"fileType":"docx"
		}   
	]
}

Deleted module data in previous snapshot

It is now possible to view data for modules that existed in the previous snapshot but have been deleted from the current snapshot. The data is available in the All Modules drop down when looking at a previous snapshot (previously, any deleted modules were listed in this drop down but were greyed out and could not be accessed):

Improvements to Miscellaneous reports

Drill down to violation source code is also possible for some reports: