Creating an AppScan® Source custom report


  1. On the Tools menu, click Generate Report.
  2. In the Generate Report dialog box, select an AppScan® Source report:
    • 2021 CWE Top 25 Most Dangerous Software Weaknesses
    • DISA Application Security and Development STIG V4R10
    • DISA Application Security and Development STIG V5R1
    • OWASP API Security Top 10 2019
    • OWASP Mobile Top 10
    • OWASP Top 10 2017
    • OWASP Top 10 2021
    • PCI Data Security Standard V3.2
    • Software Security Profile
    Click Finish to generate the report - or click Next to specify these optional settings in the Specify Destination and Style Sheet page:
    • You can specify the report destination and format. You can generate the report in HTML format, as a ZIP file that contains all HTML report components, or a PDF (you must have Adobe Acrobat Reader to view PDF reports). If you do not specify a report destination and format (or click Finish in the Select Findings Report page), HTML is chosen by default, and the report is saved to <data_dir>\reports (where <data_dir> is the location of your AppScan® Source program data, as described in Installation and user data file locations).
      Note: If you are creating a custom report (rather than a findings report) in PDF format, you can specify the level of detail to include in the report:
      • Summary: Contains counts for each report group
      • Detailed: Contains counts for each API for each vulnerability property
      • Comprehensive: Contains tables consisting of every finding for every API
      • Annotated: Contains all findings and any notes, trace data, or code snippets included with the findings
    • To include information in the report that suggest approaches to fixing issues, select How to fix.
    • To include a code snippet in the report, select Include the source code surrounding each finding and indicate the number of lines before and after the vulnerable line of code to include in the report.
      Tip: In the Reporting section of the Finding Detail view, you can also set the number of lines of code to include before and after the finding in reports.

      After the report is generated, when you expand a finding that contains notes or code snippets, the source code appears below the finding in a blue box or below the yellow note. Bold red text highlights the vulnerable line of code.

    • To include AppScan® Source trace data in the report, select one or more of the classifications (Definitive, Suspect, or Scan Coverage) under Include trace data for the following classifications.

    Click Finish to generate the report.

    Generate Findings Report dialog box