Generating Scan Result Reports (v9.0.0 to v9.2.0)

You can generate a report containing detailed scan results, in any of the following formats: PDF (default), RTF, CSV or XML.

To generate a scan results report:

In the All Scans table (for all projects or for an individual project), click Create Report. The report settings are displayed.

Filter results for the generated report and select the report file format.

By default, all categories are selected to be included in the report.

To customize categories:

Go to the relevant group under the Categories section, click the group to expand it and clear the vulnerabilities that you do not want to display in the report, as shown below.

If these changes are only relevant for a specific need and do not need to be saved as a different template, click Generate to generate the report. Otherwise, follow the procedure below to save the modifications you make as an updated report template.

To change the report template:

Select Change template. The template settings are displayed.

Select which details should be presented on the report cover page, in the report itself and what details to show for each result.

Select the Save as default check-box to save the modified template as the default report template.

Click Back and review all settings you defined. 

Click Generate Report. The report starts generating.

The details about the scan are displayed on the Scan Report section at the beginning of the PDF file, as shown below.

In cases where the project's source location is defined as Git, the Git branch information will also be included in the PDF report underneath the Source Origin field.

The exclusions that were made are displayed on the Filter Setting section, as shown below. 

Categories that were selected for display appear in the report even if the scan detected no results for them (for example, the OWASP A-6 category); in that case they are listed with the count "0".

The OWASP (2017, 2013 & Mobile 2016), PCI, FISMA and NIST summary sections in the scan report include a column named Best Fix Locations, which indicates the number of locations in the flow map that have been found as the best locations to fix the issues that belong to the selected category (for example, A1-Injection). 

Best Fix Locations is an absolute count that is not affected by report filters and always shows the full value. Consequently, although the actual number of vulnerabilities normally far exceeds the number of best fix locations for a given category (for example, 8000 and 600 respectively), a filtered report may show 350 issues alongside 300 best fix locations.

.CSV Report Results

The following is a basic description of the fields in the .csv report, which the Create Report feature generates when the selected format is .csv:

  • SrcFileName – file name of the first node of the result
  • Line – line number of the first node of the result
  • Column – column number of the first node of the result
  • NodeId – internal ID that identifies the query at the first node
  • Name – text of the first node of the result
  • DestFileName – file name of the last node of the result
  • DestLine – line number of the last node of the result
  • DestColumn – column number of the last node of the result
  • DestNodeId – internal ID that identifies the query at the last node
  • DestName – text of the last node of the result
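The following is an added example (not part of the product documentation) that reads a .csv report with the fields listed above into typed records and groups results by the location of their last node. The sample rows are constructed, and the assumption that the export carries a header row with exactly these column names is ours, as is the grouping, which is a simple triage aid and not the product's Best Fix Locations calculation.

```python
import csv
import io

# Constructed sample .csv report content. The header row uses the field names
# from the documentation; a header row and this exact column set are assumptions.
SAMPLE_CSV = """SrcFileName,Line,Column,NodeId,Name,DestFileName,DestLine,DestColumn,DestNodeId,DestName
src/login.py,12,8,101,username,src/db.py,40,15,207,execute
src/login.py,15,8,102,password,src/db.py,40,15,207,execute
src/upload.py,30,4,150,filename,src/upload.py,33,9,151,open
"""

# Fields that hold numbers (line, column and internal node IDs).
INT_FIELDS = ("Line", "Column", "NodeId", "DestLine", "DestColumn", "DestNodeId")


def parse_csv_report(text):
    """Parse a scan-result .csv export into a list of dicts with numeric fields as ints."""
    results = []
    for row in csv.DictReader(io.StringIO(text)):
        record = dict(row)
        for field in INT_FIELDS:
            record[field] = int(record[field])
        results.append(record)
    return results


def describe_flow(result):
    """Render one result as 'first node -> last node' using file:line:column endpoints."""
    return (f"{result['SrcFileName']}:{result['Line']}:{result['Column']} ({result['Name']})"
            f" -> {result['DestFileName']}:{result['DestLine']}:{result['DestColumn']}"
            f" ({result['DestName']})")


def group_by_last_node(results):
    """Group results by (DestFileName, DestLine). Several flows ending at the same
    location is a hint that one fix there may address all of them."""
    groups = {}
    for result in results:
        key = (result["DestFileName"], result["DestLine"])
        groups.setdefault(key, []).append(result)
    return groups


if __name__ == "__main__":
    parsed = parse_csv_report(SAMPLE_CSV)
    for location, flows in group_by_last_node(parsed).items():
        print(f"{location[0]}:{location[1]} <- {len(flows)} result(s)")
        for flow in flows:
            print("   ", describe_flow(flow))
```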

Reports in XML Format

Reports in XML Format contain the following additional details:

Queries Details with the following information:

  • Risk: What might happen?
  • Cause: How does it happen?
  • General Recommendations: How to avoid it?
  • Source Code Examples.

The source code is displayed in the code element. The number of lines shown is determined by the value of XmlReportSourceLinesRange, which is the maximum number of lines included before the vulnerable line and, likewise, the maximum number included after it. For example, in a block of 100 lines with the vulnerable line in the middle, a value of 5 adds the 5 lines before and the 5 lines after the vulnerable line, so 11 lines of code are displayed in total. If the vulnerable line is at the end of the block and only 2 lines follow it, the 5 lines before and the 2 lines after are added, so 8 lines are displayed.

Neither method scope nor file scope is supported, but if XmlReportSourceLinesRange is large enough, the entire file is included.
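As an added example (not code from the product), the window behaviour described in the two paragraphs above, including the clipping at the file boundaries and the whole-file case, can be reproduced as follows. The function name, the 1-based line numbering and the 100-line sample file are assumptions made for the example.

```python
# Constructed sample file: 100 numbered source lines.
SOURCE = [f"line {i}" for i in range(1, 101)]


def source_window(lines, vulnerable_line, line_range):
    """Return the (line_number, text) pairs that a code element would hold.

    lines           -- the file's source lines, in order
    vulnerable_line -- 1-based number of the vulnerable line (assumed convention)
    line_range      -- the XmlReportSourceLinesRange value; 0 disables the feature

    Up to `line_range` lines before and after the vulnerable line are kept. The
    window is clipped at the start and end of the file, so fewer lines appear
    near the edges, and a large enough range returns the whole file.
    """
    if line_range <= 0:
        return []
    if not 1 <= vulnerable_line <= len(lines):
        raise ValueError("vulnerable_line lies outside the file")
    first = max(1, vulnerable_line - line_range)          # clipped at line 1
    last = min(len(lines), vulnerable_line + line_range)  # clipped at end of file
    return [(n, lines[n - 1]) for n in range(first, last + 1)]


if __name__ == "__main__":
    for vuln, rng in ((50, 5), (98, 5), (50, 1000)):
        snippet = source_window(SOURCE, vuln, rng)
        print(f"vulnerable line {vuln}, range {rng}: {len(snippet)} lines "
              f"({snippet[0][0]}..{snippet[-1][0]})")
```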

To activate these features, set the following configuration keys in the CxComponentConfiguration table of the CxSAST database:

  • For the Queries Details feature, set the AddQueryMetaDataToXmlReport configuration key to “true”.
  • For the Source Code feature, set the XmlReportSourceLinesRange configuration key to a number larger than 0. The default is 0.