User-defined reports

You can create user-defined templates for either the Industry Standards or Regulatory Compliance reports.

About this task

AppScan® report templates have the .asreg file extension. Supplied templates are stored in the \Regulations folder of your AppScan installation directory; templates you create should be stored in your AppScan User Files folder.

You can create a new template from scratch and save it with the .asreg extension, or copy an existing file and make changes as required. (The procedure below describes creating a template based on an existing one.)

Procedure

  1. Open the [AppScan Standard installation folder]\AppScan\Regulations folder and copy an existing .asreg file.
  2. Paste the file into your AppScan User Files folder, and give it a new name.
    Note: By default the AppScan User Files folder is \My Documents\AppScan unless you specified a different location in Tools > Options > Preferences tab > File Locations > User Files folder.
  3. The root tag is Regulation, with the attribute of format_version:
    
    <Regulation format_version="2.0">
    
  4. The next tag should be the title of your template:
    
    <Title>Our Organization's web Application Requirement Compliance Report
    </Title>
    
  5. Enter a description of the regulation or standard using the Description tag:
    
    <Description>
     <Subtitle>Sub Section</Subtitle>
     <p>This regulation addresses ...</p>
     <p>It is important because...</p>
     <Subtitle>Sub Section 2</Subtitle>
     <p>This section of the regulation addresses ...</p>
    </Description>
    
  6. By default, there is a <Disclaimer> tag, which ensures that you do not take legal responsibility for the contents of the report.
  7. Create one or more requirement sections (using the <Section> tag) for your regulation template and define which AppScan issues are relevant for each section, by using the <Cause>, <Risk>, <ThreatClass>, and <CWE> tags.
    • Use the name attribute in the Section tag to define the section title for the report.
    • Between the opening and closing Section tags, add one or more of the following:
      • <Cause> from the List of causes. A cause describes an incomplete or incorrect configuration, missing validation, or similar status.
      • <Risk> from the List of risks. Each risk is a "worst case scenario".
      • <ThreatClass> from the List of threat classes. A threat class is a category of tests.
      • <CWE> by number.

    Example:

    
    <Section name="My Application login must be secured">
     <Cause>inputLengthNotChecked</Cause>
     <Risk>denialOfService</Risk>
     <Risk>siteDefacement</Risk>
     <CWE>79</CWE>
    </Section>
    
  8. Close the file with the </Regulation> closing tag.