Attestation reports

Attestation reports provide evidence of vulnerability remediation based on the most current application information. Meet compliance and auditing requirements with PDF reports, which include details about the application's open and closed vulnerabilities, open source security status, and route coverage information.

Report content

  • Itemized list of the specific filter settings used to generate the report

  • Summary of the security posture for the application

  • Vulnerabilities assessment for both custom code and open source libraries

  • Route coverage, as a security assessment metric

  • Optionally, a compliance policy assessment, and detailed information about open vulnerabilities for the application

  • Appendix that describes methodologies and terminologies

Run a report

To run an attestation report, complete the following steps.

  1. Go to Applications and select an application.

  2. Click the Reports icon located at the top of the application's page.

  3. In the dropdown list, select Generate Attestation Report.

  4. In the dialog that appears, define the Vulnerabilities, Environments, and additional Security Standards that you want to include in the report.

  5. Click Generate. Once generated, a download link appears in the Notifications panel.

  6. Click the report link to download the PDF.

Filter options

Each report defaults to all vulnerabilities and environments, but you can filter them by clicking in the fields. Choose an option from Security Standards to include an additional Security Standards section in the generated report. Optionally, you can choose to include detailed information about open vulnerabilities.

The following table outlines the categories that you can use to create a custom report.

Field: Vulnerabilities

Default: All

Filter options:

  • Status (Reported, Suspicious, Confirmed, Not a Problem, Remediated, Fixed, Remediated - Auto-Verified)

  • Severity (Note, Low, Medium, High, Critical)

  • Assess Rules

Field: Vulnerability details

Default: None

Filter options: Include vulnerability details

Field: Environments

Default: All

Filter options:

  • Development

  • QA

  • Production

Field: Security Standards

Default: None

Filter options:

  • DISA ASD STIG

  • OWASP 2017 Top 10

  • OWASP 2013 Top 10

  • PCI DSS - 2.0

  • PCI DSS - 3.0

EOP installation and storage configuration

A System Administrator can configure reporting storage options by adding the following properties to the general.properties file:

  • reporting.storage.mode: Value options are DB and FILE_SYS (recommended)

  • reporting.storage.path: Required when storage mode is set to FILE_SYS

The recommended setting for reporting.storage.mode is FILE_SYS. When DB is configured, files are stored in the database, adding unnecessary contention on the database.

With the FILE_SYS option, you must set up a file-sharing service where all Contrast nodes are able to access the file path. Provide this path as the value for reporting.storage.path.

Note

The path should be an absolute path, such as /Users/user1/reporting.

With the default configuration, 1,250 vulnerabilities can be exported from an attestation report. In some cases a user may want to generate a larger report containing more than 1,250 vulnerabilities; in others, depending on the size of the instance, Contrast may run into heap space issues.

To decrease or increase the limit, set the reporting.generation.limit property in the general.properties file, and then restart Contrast.

Note

The report will not be generated if the application has more than 5000 vulnerabilities.
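As an added pre-restart check (example code, not Contrast's own tooling), the following script lints the reporting.* properties described above against the rules on this page; it assumes only that general.properties uses standard Java key=value syntax, and the sample content is constructed:

```python
import os

HARD_CEILING = 5000  # the page: no report is generated above this many vulnerabilities

# Constructed sample of the reporting.* lines an administrator might add (not a real install).
SAMPLE_PROPERTIES = """\
reporting.storage.mode=DB
reporting.generation.limit=6000
"""

def parse_properties(text):
    """Minimal Java .properties reader: key=value or key: value, '#'/'!' comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if sep >= 0:
            props[line[:sep].strip()] = line[sep + 1:].strip()
    return props

def check_reporting_config(text, path_exists=os.path.isdir):
    """Return a list of findings for the reporting.* settings; empty means consistent."""
    props = parse_properties(text)
    findings = []
    mode = props.get("reporting.storage.mode", "")
    path = props.get("reporting.storage.path", "")
    if mode == "DB":
        findings.append("reporting.storage.mode=DB stores report files in the database; FILE_SYS is recommended")
    elif mode == "FILE_SYS":
        if not path:
            findings.append("reporting.storage.path is required when reporting.storage.mode=FILE_SYS")
        elif not os.path.isabs(path):
            findings.append(f"reporting.storage.path must be absolute, got {path!r}")
        elif not path_exists(path):  # the shared path every Contrast node must be able to reach
            findings.append(f"reporting.storage.path {path!r} is not reachable from this node")
    else:
        findings.append(f"reporting.storage.mode must be DB or FILE_SYS, got {mode!r}")
    limit = props.get("reporting.generation.limit")
    if limit is not None and (not limit.isdigit() or int(limit) < 1):
        findings.append(f"reporting.generation.limit must be a positive integer, got {limit!r}")
    elif limit is not None and int(limit) > HARD_CEILING:
        findings.append(f"reporting.generation.limit={limit} exceeds {HARD_CEILING}; no report is generated above that")
    return findings

if __name__ == "__main__":
    for finding in check_reporting_config(SAMPLE_PROPERTIES):
        print("WARNING:", finding)
```

Run it on each Contrast node so the reachability check exercises that node's view of the shared reporting path.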