User-defined reports
You can create user-defined templates for either the Industry Standards or Regulatory Compliance reports.
About this task
AppScan® report templates have the .asreg file extension. Supplied templates are stored in the \Regulations folder of your AppScan® installation directory; templates you create must be stored in your AppScan® Template and scan file folder.
You can create a new template from scratch and save it with the .asreg extension, or copy an existing file and make changes as required. The procedure below describes creating a template based on an existing one.
Procedure
- Open the [AppScan Standard installation folder]\AppScan\Regulations folder and copy an existing .asreg file.
-
Paste the file into your AppScan® Template and
scan file folder, and give it a new name.
Note: By default the AppScan® Template and scan file folder is
\My Documents\AppScan
unless you specified a different location in Tools > Options > General tab > File and folder locations > Template and scan file folder. -
The root tag is Regulation, with the attribute of
format_version:
<Regulation format_version="2.0">
-
The next tag should be the title of your template:
<Title>Our Organization's web Application Requirement Compliance Report </Title>
-
Enter a description of the regulation or standard using the Description tag:
<Description> <Subtitle>Sub Section</Subtitle> <p>This regulation addresses ...</p> <p>It is important because...</p> <Subtitle>Sub Section 2</Subtitle> <p>This section of the regulation addresses ...</p> </Description>
-
By default, there is a
<Disclaimer>
tag, which ensures that you do not take legal responsibility for the contents of the report. -
Create one or more requirement sections (using the
<Section>
tag) for your regulation template and define which AppScan issues are relevant for each section, by using the<Cause>, <Risk>, <ThreatClass>,
and<CWE>
tags.- Use the
name
attribute in theSection
tag to define the section title for the report. - Between the opening and closing
Section
tags, add one or more of the following:<Cause>
from the List of causes. A cause describes an incomplete or incorrect configuration, missing validation, or similar status.<Risk>
from the List of risks. Each risk is a "worst case scenario".<ThreatClass>
from the List of threat classes. A threat class is a category of tests.<CWE>
by number.
Example:
<Section name="My Application login must be secured"> <Cause>inputLengthNotChecked</Cause> <Risk>denialOfService</Risk> <Risk>siteDefacement</Risk> <CWE>79</CWE> </Section>
- Use the
-
Close the file with the </Regulation> closing tag.
You can now use this file and create the report.