report (rpt)

Description

The report command generates an AppScan® Source report of the specified type, either a findings report or an AppScan Source report. A valid AppScan Source for Automation license is required to use this command.

Available report output formats are HTML, PDF, and zip.

Syntax

report "<report type>" <output format> <output location>
[<assessment id>] [-includeSrcBefore:<n>] [-includeSrcAfter:<n>]
[-includeTrace:<definitive|suspect|coverage>]
  • report type: The name of the report to generate, in double quotation marks. Specify one of the following:
    • A Findings report:
      • Findings by Bundle
      • Findings by API
      • Findings by Classification
      • Findings
      • DTS Activity
      • Findings by Type
      • Findings by CWE
      • Findings by File
    • An AppScan Source report:
      • CWE SANS Top 25 2011
      • DISA Application Security and Development STIG V4R4
      • OWASP Mobile Top 10
      • OWASP Top 10 2013
      • PCI Data Security Standard V3.2
      • Software Security Profile
    • A custom report, if available.

    When entering the report type, in double quotation marks, enter it exactly as specified in the above list - for example "Findings by Classification" or "Software Security Profile".

  • output format: Specify one of the following formats for this report:
    • html: Generates the report as HTML and displays it online.
    • zip: Creates a ZIP file that contains all HTML report components.
    • For reports in PDF format, you can specify the level of detail:
      • pdf-summary: Contains counts for each custom report group
      • pdf-detailed: Contains counts for each API for each vulnerability property
      • pdf-comprehensive: Contains tables consisting of every finding for every API
      • pdf-annotated: Contains all findings, any notes included with the findings, and designated code snippets
  • output location: Specify the absolute path and file name to which you want to save the report.
  • assessment id: Optional. The assessment ID, which you obtain from the listassess (la) command. If you omit assessment ID, the report is generated from the most recent scan.
  • -includeSrcBefore:<n>: Optional. The number of lines of source code to include in a report before each finding.
  • -includeSrcAfter:<n>: Optional. The number of lines of source code to include in a report after each finding.
  • -includeTrace:<definitive|suspect|coverage>: Optional. Include trace information in the report for definitive, suspect, or scan coverage findings (see Classifications to learn about findings classifications). To include trace information for more than one findings classification, specify this option multiple times. For example, to include trace information for definitive and suspect findings, specify -includeTrace:definitive -includeTrace:suspect.
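The following shell function is an added example, not part of the AppScan Source documentation. It validates each argument against the syntax rules above (report type must match the list exactly, output format must be one of the documented values, output location must be absolute, assessment id is optional and numeric, and each findings classification becomes its own -includeTrace option) and prints the resulting report command line. It assumes that the printed line is then passed to the AppScan Source CLI by the caller's own scripting; how the CLI is invoked is not covered here.

```shell
#!/bin/sh
# Added example: compose and validate an AppScan Source `report` command line.
# Assumption: the caller feeds the printed line to the AppScan Source CLI.

# Report types accepted by the report command (from the reference above).
REPORT_TYPES='Findings by Bundle
Findings by API
Findings by Classification
Findings
DTS Activity
Findings by Type
Findings by CWE
Findings by File
CWE SANS Top 25 2011
DISA Application Security and Development STIG V4R4
OWASP Mobile Top 10
OWASP Top 10 2013
PCI Data Security Standard V3.2
Software Security Profile'

# Documented output formats, including the PDF detail levels.
OUTPUT_FORMATS='html zip pdf-summary pdf-detailed pdf-comprehensive pdf-annotated'

# in_list VALUE LIST: succeeds only if VALUE is an exact line of LIST.
in_list() {
    printf '%s\n' "$2" | grep -Fxq -- "$1"
}

# build_report_cmd TYPE FORMAT OUTPUT [ASSESSMENT_ID] [CLASSIFICATION...]
# Prints the command line on success; prints a reason to stderr and returns 1
# when an argument would not be accepted by the documented syntax.
build_report_cmd() {
    rtype=$1; fmt=$2; outloc=$3
    shift 3

    in_list "$rtype" "$REPORT_TYPES" || {
        echo "unknown report type: $rtype (must match the list exactly)" >&2; return 1; }
    in_list "$fmt" "$(printf '%s\n' $OUTPUT_FORMATS)" || {
        echo "unknown output format: $fmt" >&2; return 1; }
    case $outloc in
        /*|[A-Za-z]:\\*) ;;    # absolute POSIX or Windows path
        *) echo "output location must be an absolute path: $outloc" >&2; return 1 ;;
    esac

    cmd="report \"$rtype\" $fmt $outloc"

    # Optional assessment id (numeric, as listed by listassess). When omitted,
    # the report is generated from the most recent scan, so nothing is added.
    if [ $# -gt 0 ]; then
        case $1 in
            *[!0-9]*|'') ;;               # not numeric: treat as a classification
            *) cmd="$cmd $1"; shift ;;
        esac
    fi

    # Each remaining argument is a findings classification; the syntax requires
    # one -includeTrace option per classification, so emit them one by one.
    for cls in "$@"; do
        case $cls in
            definitive|suspect|coverage) cmd="$cmd -includeTrace:$cls" ;;
            *) echo "unknown trace classification: $cls" >&2; return 1 ;;
        esac
    done
    printf '%s\n' "$cmd"
}
```

Calling build_report_cmd "Findings by API" html 'C:\reports\findings.html' definitive prints the same line as the first example in the Examples section; a lowercase report type such as "findings by api" or a relative output path is rejected before anything reaches the CLI.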

Examples

  • Request a Findings by API report written to HTML. In the report, include trace information for definitive findings:
    AllApplications>> report "Findings by API" html C:\reports\findings.html -includeTrace:definitive
  • Request an OWASP Top 10 AppScan Source report written to PDF with comprehensive detail using existing assessment 542:
    AllApplications>> report "OWASP Top 10 2013" pdf-comprehensive /reports/webgoat_OWASP_13_comp.pdf 542