Copyright © 2016 by Codiscope, LLC. All rights reserved. No part or parts of this
documentation may be reproduced, translated, stored in any electronic retrieval system,
transmitted in any form or by any means, electronic, mechanical, photocopying, recording or
otherwise, without prior written permission of the copyright owner. Codiscope retains the
exclusive title to all intellectual property rights relating to this documentation.
The information in this documentation is subject to change without notice and should not be
construed as a commitment by Codiscope. Codiscope makes no representations or
warranties, express or implied, with respect to the documentation and shall not be liable for
any damages, including any indirect, incidental, consequential damages (such as loss of
profit, loss of use of assets, loss of business opportunity, loss of data, or claims for or on
behalf of user’s customers) that may be suffered by the user.
Codiscope and the Codiscope logo are trademarks of Codiscope, LLC. Other brands and
products are trademarks of their respective owner(s).
Codiscope, LLC
20 Park Plaza, Suite 1400
Boston, MA 02116
Phone: + 1 (617) 804-5428
www.codiscope.com
Table of Contents
SecureAssist Enterprise Portal Setup .................................................................................... 1
Installation .................................................................................................................................... 1
Main and Reporting Databases .................................................................................................. 1
Database Setup ............................................................................................................................ 2
Initial Configuration ................................................................................................................... 10
Upgrade Instructions ................................................................................................................. 13
1 Log in to SecureAssist .................................................................................................... 21
Getting Started ........................................................................................................................... 21
Portal Navigation ........................................................................................................................ 21
2 Statistics .......................................................................................................................... 22
Project Statistics ......................................................................................................................... 22
User Statistics ............................................................................................................................. 25
Timeseries ................................................................................................................................... 26
3 Reports ............................................................................................................................ 28
Project Reports ........................................................................................................................... 28
User Reports ............................................................................................................................... 33
4 Rulepacks ........................................................................................................................ 37
5 Manage ............................................................................................................................ 40
Portal Users ................................................................................................................................ 40
Plugin User Groups .................................................................................................................... 42
Roles ............................................................................................................................................ 43
Account ........................................................................................................................................ 45
6 Settings ............................................................................................................................ 46
LDAP Configuration ................................................................................................................... 46
Feature Configuration ............................................................................................................... 48
Plugin Users ................................................................................................................................ 50
7 More Support .................................................................................................................. 51
Appendix A: Roles and Associated Permissions ................................................................. 52
Appendix B: Permission Descriptions ................................................................................. 53
Appendix C: Audit Log ........................................................................................................... 54
Appendix D: API Functionality .............................................................................................. 55
Authentication ............................................................................................................................ 56
Generate Project Report ........................................................................................................... 58
Get Project List ........................................................................................................................... 62
Number of Active Developers .................................................................................................. 64
Number of Projects Scanned.................................................................................................... 65
Number of Project Defects ....................................................................................................... 66
Top Number of Findings ........................................................................................................... 68
Most Viewed Guidance .............................................................................................................. 70
SecureAssist Enterprise Portal User Guide June 2016 — Page 1 of 71
SecureAssist Enterprise Portal Setup
The SecureAssist Enterprise Portal is a centralized portal that allows
organizations to manage SecureAssist plugin licenses, rulepacks, and
tool settings. It also provides centralized reporting on security
vulnerabilities found by users and how those change over time.
Installation
This section describes the installation of the Codiscope SecureAssist
Enterprise Portal and Codiscope SecureAssist Eclipse update site. The
Portal and update site can be deployed on the same application
server, or they can be deployed on separate servers. This document
assumes that they are installed on the same server.
Main and Reporting Databases
Starting with SecureAssist Enterprise Portal v3.0, users now have the
option to set up a separate, secondary database for reporting. This
enables better Enterprise Portal performance for larger SecureAssist
deployments. When the reporting database is configured, all
scheduled and active reporting requests will execute against it. The
main database will still handle registration, activation, rulepack
requests, and so on.
The use of a secondary reporting database is optional. If you choose
to set up only one database for the SecureAssist Enterprise Portal, all
reporting requests will be directed to the main database.
Important! The following points are critical to implementing
databases in the Portal.
- If the reporting database is configured, then replication MUST
  be set up between the main database and the reporting
  database in order for data to be consistent between them. If
  no replication is set up, the executed reports will not have
  any data in them.
- The main database and the reporting database MUST be set
  up in two separate locations/on two different hypervisors to
  ensure reporting requests do not influence the functionality
  and performance of the main database hypervisor/server.
Database Setup
Configure Main Database Connection
If the reporting database is configured, the replication between the
main database and the reporting database MUST be set up prior to
the database import into the main database. The following image
displays the Database Connection screen.
Configure Database
Database: MySQL
Configure MySQL Database and User
1. Run the mysql command from the command prompt as a
   MySQL super user:
   mysql -u root -p
2. Create an empty CSA Portal database schema. Replace 'portal_csa'
   with a database name of your choice:
   CREATE DATABASE portal_csa;
3. Create the CSA Portal database user:
   GRANT ALL PRIVILEGES ON portal_csa.* TO 'csauser'@'localhost' IDENTIFIED BY 'csauserpassword';
   Optional: Replace 'portal_csa' with the name of the database that
   you created in the step above. Additionally, replace 'csauser'
   and 'csauserpassword' with the username and password of your
   choice. If the SecureAssist Enterprise Portal is not running on the
   same server as your MySQL database server, replace 'localhost'
   with the hostname or IP address of the SecureAssist server (the
   host part of the account is the host the Portal connects from).
Running MySQL Database Import Script
If a reporting database is set up, the replication between the main
database and the reporting database MUST be set up prior to the
database import into the main database.
If you are using a “Production Database” ONLY, without a “Reporting
Database”, follow these steps.
1. Create the CSA Portal database schema and import the database by
   running the following commands from the command prompt as a
   MySQL super user (the “Production Database” is portal_csa):
   mysql -u root -p portal_csa < path_to/portal_csa_mysql.sql
   mysql -u root -p portal_csa < path_to/portal_csa_mysql_aggregation.sql
   Replace 'portal_csa' with the database schema created in step 2
   above. Replace 'path_to' with the path to the portal_csa_mysql.sql
   file.
If you are using a “Production Database” WITH a “Reporting Database”,
follow the steps below.
1. Create the CSA Portal database schema and import the database by
   running the following commands from the command prompt as a
   MySQL super user. The “Production Database” is portal_csa; the
   “Reporting Database” is also portal_csa (the same name as the
   primary database, but replicated to a different location).
   “Production Database” command:
   mysql -u root -p portal_csa < path_to/portal_csa_mysql.sql
   “Reporting Database” command:
   mysql -u root -p portal_csa < path_to/portal_csa_mysql_aggregation.sql
   Replace 'portal_csa' with the database schema created in step 2
   above. Replace 'path_to' with the path to the portal_csa_mysql.sql
   or portal_csa_mysql_aggregation.sql file.
Database: Oracle
Configure Database and User (Oracle 12c Only)
If operations and reporting are on different databases, then repeat
this process on both databases.
1. Open SQL*Plus (`sqlplus / as sysdba`) and run the rest of these
   steps from there. (If you would like to use a different schema
   identifier than portal_csa, replace portal_csa with your custom
   schema name in the database scripts as well as in the commands
   below.)
2. CONNECT system/manager AS sysdba;
3. ALTER SESSION SET "_oracle_script"=true;
4. CREATE USER portal_csa IDENTIFIED BY Passw0rd DEFAULT
   TABLESPACE USERS TEMPORARY TABLESPACE TEMP;
5. GRANT CREATE SESSION, RESOURCE, CREATE VIEW, CREATE
   MATERIALIZED VIEW, CREATE SYNONYM TO portal_csa;
6. ALTER USER portal_csa QUOTA UNLIMITED ON USERS;
Configure Database and User (all versions EXCEPT Oracle 12c)
1. To modify the database name, user, and password (a password change
   is required), modify the Oracle-specific SQL script located at
   <CSA_Portal_Package>/DatabaseScripts/portal_csa_oracle.sql.
   (Make sure to modify this script with the desired username
   and password prior to running the database import process.)
2. To modify the credentials of the user that will be used to connect
   to the CSA Portal database, modify the following line in the SQL
   script:
   CREATE USER portal_csa IDENTIFIED BY Passw0rd DEFAULT
   TABLESPACE USERS TEMPORARY TABLESPACE TEMP;
   Optional: Replace 'portal_csa' and 'Passw0rd' with the username and
   password of your choice. Make sure to update all following lines
   that use them, for example: connect portal_csa/Passw0rd;
Running SQL Database Import Script
1. Log in to SQL*Plus as sysdba using the following command:
   sqlplus / as sysdba
2. To log the output of the SQL script execution, turn on spool:
   spool /<path>/<to>/log.txt;
3. Execute the SQL script: @/<path>/<to>/portal_csa_oracle.sql
4. Turn off spool: spool off;
5. Exit from SQL*Plus: exit;
6. Review the log file with the SQL script execution output to validate
   that there are no errors.
Configure Reporting Database Connection
SecureAssist Enterprise Portal currently officially supports MySQL
replication ONLY. For MySQL Database Server replication
documentation, please refer to these sites:
MySQL 5.6:
http://dev.mysql.com/doc/refman/5.6/en/replication.html
MySQL 5.7:
http://dev.mysql.com/doc/refman/5.7/en/replication.html
Database replication is needed for the reporting database to work
properly.
- Replication MUST be set up prior to database connection
  setup.
- The database import needs to occur into the “Production
  Database” and into the “Reporting Database” prior to Enterprise
  Portal database setup.
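Because reports come back empty when replication is not actually flowing, a preflight check before the import and the Portal database setup is worth having. The following POSIX shell script is an added example, not part of the Codiscope package: it parses the reporting server's `SHOW SLAVE STATUS\G` output (MySQL 5.6/5.7 field names) and only reports the replica as ready when both replication threads run and the lag is bounded. The status texts inside it are constructed samples, and the `mysql` invocation in the comment is an assumption about how you would feed it live output.

```shell
#!/bin/sh
# Reporting-database preflight for the SecureAssist Enterprise Portal.
# Added example, not Codiscope code. Parses "SHOW SLAVE STATUS\G" output
# from the reporting (replica) MySQL 5.6/5.7 server and decides whether the
# replica is consistent enough with the main database to proceed.

# status_field TEXT NAME: value of one "Name: value" line of \G output.
status_field() {
    printf '%s\n' "$1" | sed -n "s/^ *$2: *//p" | head -n 1
}

# replication_ok TEXT [MAX_LAG_SECONDS]
# Returns 0 when both replication threads run and the replica is at most
# MAX_LAG_SECONDS (default 60) behind; otherwise prints why and returns 1.
replication_ok() {
    status="$1"
    max_lag="${2:-60}"
    io=$(status_field "$status" Slave_IO_Running)
    sql=$(status_field "$status" Slave_SQL_Running)
    lag=$(status_field "$status" Seconds_Behind_Master)
    err=$(status_field "$status" Last_Error)
    if [ -z "$io" ]; then
        echo "no replication configured on this server (empty SHOW SLAVE STATUS)"
        return 1
    fi
    if [ "$io" != "Yes" ] || [ "$sql" != "Yes" ]; then
        echo "replication threads not running: IO=$io SQL=$sql${err:+ (last error: $err)}"
        return 1
    fi
    # Seconds_Behind_Master is NULL while the SQL thread is not applying.
    case "$lag" in
        ''|*[!0-9]*) echo "replica lag unknown ('$lag'): wait until it is numeric"; return 1 ;;
    esac
    if [ "$lag" -gt "$max_lag" ]; then
        echo "replica is ${lag}s behind the main database (limit ${max_lag}s)"
        return 1
    fi
    return 0
}

# Constructed sample outputs (not captured from a real server).
HEALTHY='*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: main-db.example.internal
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
        Seconds_Behind_Master: 4
                   Last_Error: '
STOPPED='*************************** 1. row ***************************
                  Master_Host: main-db.example.internal
             Slave_IO_Running: Yes
            Slave_SQL_Running: No
        Seconds_Behind_Master: NULL
                   Last_Error: Coordinator stopped because there were error(s) in the worker(s).'
NOT_CONFIGURED=''

# report LABEL TEXT: human-readable verdict for one sample.
report() {
    if replication_ok "$2" 60; then
        echo "$1: replica healthy, safe to import"
    else
        echo "$1: do not import yet"
    fi
}

# Live use (assumption, not run here):
#   replication_ok "$(mysql -h <reporting_host> -u root -p -e 'SHOW SLAVE STATUS\G')"
report HEALTHY "$HEALTHY"
report STOPPED "$STOPPED"
report NOT_CONFIGURED "$NOT_CONFIGURED"
```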
Configure Secure HTTP
SecureAssist Enterprise Portal supports HTTP and Secure HTTP (HTTPS).
Codiscope strongly recommends using HTTPS. For information on
configuring the Apache Tomcat web server to use HTTPS, refer to your
web server’s documentation. Prior to installation or upgrading,
Codiscope recommends configuring a minimum heap size of 1 GB.
Deploy SecureAssist Portal
These instructions are for an Apache Tomcat application server that
sets the minimum and maximum heap size to 1024 MB.
Increase Tomcat Heap Size for a Command-Line Tomcat Instance
1. Create a file named "setenv.bat" or "setenv.sh" in the
   %CATALINA_HOME%/bin folder and set CATALINA_OPTS to the
   memory settings.
   a. On Windows (setenv.bat; no quotes, because cmd.exe would
      store them as part of the value):
      set CATALINA_OPTS=-Xms1024m -Xmx1024m -Xss1024k -XX:PermSize=256m -XX:MaxPermSize=512m -XX:+UseConcMarkSweepGC -XX:+CMSClassUnloadingEnabled
   b. On Linux (setenv.sh):
      export CATALINA_OPTS='-Xms1024m -Xmx1024m -Xss1024k -XX:PermSize=256m -XX:MaxPermSize=512m -XX:+UseConcMarkSweepGC -XX:+CMSClassUnloadingEnabled'
Increase Tomcat Heap Size for a Windows Service Tomcat Instance
1. Execute Tomcat<version#>w.exe in the %CATALINA_HOME%\bin\
directory and enter 1024 in the Initial memory pool and
Maximum memory pool fields.
Deploy Using Tomcat Manager
If your instance of Tomcat is running in the Tomcat Web Application
Manager, you can use its browser interface to deploy the Portal.
1. In %CATALINA_HOME%/conf/tomcat-users.xml, create a role
   named manager-gui and assign a user to this role. Afterwards,
   restart your Tomcat instance.
   <tomcat-users>
     <role rolename="manager-gui"/>
     <user username="USERNAME" password="PASSWORD" roles="manager-gui"/>
   </tomcat-users>
2. In your internet browser, navigate to the Tomcat home page
(by default located at http://apache_tomcat_hostname:8080/).
3. Click on the Manager App link. You will be asked to enter your
username and password (from step 1, above).
4. Enter your username and password. The Web Application
Manager page will load.
5. Navigate to the WAR file to deploy section and click Browse.
6. Select the CSA Portal web application WAR file, click Open,
then click Deploy. After Tomcat has finished deploying the
Portal, it is listed in the Applications section and ready to use.
Deploy on a Running Tomcat Server
To deploy the SecureAssist Enterprise Portal on a running Tomcat
server, follow these steps.
1. Set the autoDeploy attribute to true in your server.xml file inside
   Tomcat’s /conf/ directory. The host will deploy the web
   application when the WAR file is copied to the deployment
   directory. The default deployment directory is
   %CATALINA_HOME%/webapps.
2. To deploy the Portal, copy the CSA_Server.war file to
   %CATALINA_HOME%/webapps.
3. After Tomcat has finished deploying the Enterprise Portal, create
the CSA_Server directory under %CATALINA_HOME%/webapps.
Deploy Using WebSphere
To deploy the SecureAssist Enterprise Portal on a WebSphere (8.5.X)
application server, follow these instructions. (Prior to the application
deployment, we recommend setting the heap space to at least 1 GB.)
1. Increase Heap Space.
a. Start the WebSphere Application Server administrative
console.
b. Navigate to Servers > Application servers > server1 >
Java and Process Management > Process Definition >
Java Virtual Machine.
c. Set the initial and maximum heap sizes to at least 1024
MB.
d. Click Apply.
e. Click OK.
f. Click Save “Save directly to the master configuration.”
g. Restart WebSphere.
2. Deploy SecureAssist Enterprise Portal EAR File.
a. Start the WebSphere Application Server administrative
console.
b. On the navigation menu on the left side of the screen,
select Global Deployment Settings from the
Applications section.
c. Check the Monitor directory to automatically deploy
applications checkbox.
d. Click Apply.
e. Click Save "Save directly to the master configuration."
f. Restart WebSphere.
g. After WebSphere restarts, copy the EAR file to
   WebSphere/AppServer/profiles/AppSrv04/monitoredDeployableApps/servers/server1.
h. After several minutes, start the WebSphere Application
Server administrative console.
i. To verify the application has been deployed and is
running, select Applications > Applications Types >
WebSphere enterprise applications from the navigation
menu.
j. Navigate to http://<server>:<port>/CSA_Server/ (e.g.
http://localhost:9080/CSA_Server/).
3. Optional. Import SSL certificate to support Secure LDAP.
a. Start the WebSphere Application Server administrative
console.
b. On the navigation menu on the left side of the screen,
select SSL certificate and key management from the
Security section.
c. In the Related Items section, click Key stores and
certificates.
d. Select NodeDefaultKeyStore and in the Additional
Properties section click Signer Certificates.
e. In the Signer Certificate table, click Retrieve from Port.
f. Provide your LDAPS server host name, port, and alias for
   the key, then click Retrieve signer information.
g. Click OK.
h. Click Save "Save directly to the master configuration."
i. Navigate back to Key stores and certificates and repeat
steps (d) through (h) for NodeDefaultTrustStore.
j. Restart Websphere.
Install MySQL Database Connector
The MySQL Connector/J (official JDBC driver for MySQL database) is
required to connect the SecureAssist Enterprise Portal to a MySQL
database. This step is not necessary when using an Oracle database.
To install the MySQL connector, follow these steps.
1. Navigate to http://dev.mysql.com/downloads/connector/j/ and
download MySQL Connector/J.
2. Extract mysql-connector-java-5.x.x-bin.jar file from the archive
downloaded in previous step and copy it into the
/CSA_Server/WEB-INF/lib directory.
Deploy Codiscope SecureAssist Eclipse Update Site
To deploy the SecureAssist Eclipse update site, simply copy the
/update folder that came with the Portal and place it right next to
your CSA_Server folder.
Important! Place the /update folder next to the CSA_Server directory,
NOT inside it.
Initial Configuration
Configure Logging
The Log4j configuration file is stored at
/CSA_Server/WEB-INF/classes/log4j.xml.
You can edit this file to make it suitable for the deployment
environment.
In log4j.xml there are two configurable log4j appenders that can
be customized by the portal administrator:
- Appender “file”: A general purpose log. By default appends to
  CSA_PORTAL.log.
- Appender “audit”: A log for auditing portal user activity. By
  default appends to CSA_PORTAL_AUDIT.csv. (See Appendix C
  for details.)
For more information about configuring log4j, refer to the log4j
documentation.
Note: Any changes made to the logging configuration file will take
effect only after restarting the Tomcat Application Server or
WebSphere Application Server.
Initial Configuration
After the successful deployment of the SecureAssist Enterprise Portal,
open your browser and navigate to http://<Host>:<Port>/CSA_Server to
finish the configuration of the portal. The following table describes
the items you will need to configure.
Item: License Terms
Read the terms and conditions and click I Agree to continue.
Item: Product License
The SecureAssist Enterprise Portal license is tied to a specific
server and can be used only on that single server. If re-hosting
is needed, please contact Codiscope support at
[email protected]. The server license will be sent to
you as a part of the SecureAssist fulfillment email.
After receiving the server license file, click Browse and select the
server license file, then click Upload on the license
activation/upload screen during the Enterprise Portal setup.
Item: Database Setup
Before setting up the database connection, you must set up
the database schema and create a database user as
described in the “Configure Database” section above.
Complete all fields and click Save.
Examples:
Database Type: MySQL
  “Production Database”
    Server: jdbc:mysql://<db_server>:3306
    Database/Schema Name: portal_csa
    Database User: csauser
  “Reporting Database” (optional)
    Server: jdbc:mysql://<db_server>:3306
    Database/Schema Name: portal_csa
    Database User: csauser
Database Type: Oracle
    Server: jdbc:oracle:thin:@<db_server>:1521:orcl
    Database/Schema Name: portal_csa
    Database User: portal_csa
Item: Administrator Account Setup
In the last step of the initial configuration, the administrator
account must be created. Select either LDAP User or Local
User in Administrator Type and then complete the
appropriate fields:
- Local User. Enter Username, Password, and Password
  Confirmation, then click Save.
- LDAP User. Enter Authentication & Security settings,
  Server settings, LDAP Login settings, and administrator
  credentials (Username, Password, and Password
  Confirmation), then click Save.
You can initially set up a local user account and configure an
LDAP connection for your portal later on. After LDAP is set up,
you can disable your original local user account.
Upon successful initial configuration, you will be redirected to the
Index page and will be able to log in using the administrator
credentials you created.
Configure Link on Index Page
The Index page contains a section with the link to the location from
where the SecureAssist Eclipse IDE plugin can be installed or
updated. Additionally, you can have separate links for IntelliJ and
Visual Studio, but this is not required.
In order to configure the link, navigate to
/CSA_Server/WEB-INF/jsp/includes/. Open the file index.jsp and edit the
following line so that the value equals the correct URL from which the
plugin can be installed.
If you do not want the link to be displayed, leave the value empty.
Upgrade Instructions
This section contains the instructions for upgrading the SecureAssist
Enterprise Portal from your current version to the latest one. Please
take a look at the following sections for database and server upgrade
instructions. Both the application server and database components
must be upgraded for proper Portal function.
Note: In order to upgrade to SecureAssist 2.4 or 2.4.1 from any
previous version, you must be re-issued a new Enterprise Portal
license. Please reach out to [email protected] for a new
license for SecureAssist 2.4 or 2.4.1.
If you are performing an upgrade from version 2.5 to a later version,
you can simply use the License .jar file that was provided to you with
the installation of SecureAssist 2.5 or later.
Application Upgrade
Follow these instructions to upgrade the Portal.
Important! It is critical to stop your Apache Tomcat or WebSphere
Application Server prior to your database upgrade.
Note: If you have modified any configuration (for example, the
hibernate.cfg files) in order to resolve bugs, you must make these
same modifications in the upgrade deployment.
Note: SecureAssist 3.0 has made additions to the cron.properties file
located in the %CATALINA_HOME%/webapps/CSA_Server/WEB-INF directory.
If you have made changes to your cron.properties file and plan to restore
it after upgrading, you will need to include these additions in your
restored cron.properties file.
The additions to be included are:
com.cigital.csa.cron.aggregate.enable=true
com.cigital.csa.cron.aggregate.interval=24
com.cigital.csa.cron.aggregate.hour=0
com.cigital.csa.cron.aggregate.minute=0
com.cigital.csa.cron.aggregate.second=0
Tomcat Application Server
1. Stop Apache Tomcat.
2. Create backup directory.
3. Backup following directories/files:
a. Copy following directories and files to backup folder:
- %CATALINA_HOME%/webapps/CSA_Server/key-file
- %CATALINA_HOME%/webapps/CSA_Server/stats
- %CATALINA_HOME%/webapps/CSA_Server/rulepacks
- %CATALINA_HOME%/webapps/CSA_Server/WEB-INF/lib/mysql-connector-java-5.x.x.jar
b. Copy following files from
%CATALINA_HOME%/webapps/CSA_Server/WEB-INF/ folder
to backup folder:
- cron.properties
- db.properties
- <company_name>-SecureAssist-PriKey.der
- SecureAssist.license
- classes/log4j.xml (optional, see step 9c)
4. Delete CSA_Server.war file from %CATALINA_HOME%/webapps
folder.
5. Delete %CATALINA_HOME%/webapps/CSA_Server folder.
6. Copy new CSA_Server.war file to %CATALINA_HOME%/webapps
folder for server deployment, or deploy .war file from Tomcat
Manager.
7. Upgrade database by following instructions in the “Database
Upgrade” section below.
8. Start Apache Tomcat.
9. Restore the following directories/files.
a. Copy following directories to
%CATALINA_HOME%/webapps/CSA_Server:
- <backup>/key-file
- <backup>/stats
- <backup>/rulepacks
b. Copy following files to
%CATALINA_HOME%/webapps/CSA_Server/WEB-INF:
- <backup>/cron.properties (please see note at the
beginning of the section regarding additions to this file)
- <backup>/db.properties
- <backup>/<company>-SecureAssist-PriKey.der
- <backup>/SecureAssist.license
c. Copy the file <backup>/log4j.xml to
   %CATALINA_HOME%/webapps/CSA_Server/WEB-INF/classes.
Note: If you are upgrading from a version prior to 2.3, the
Log4j configuration file in release 2.3 contains additional
loggers to improve logging configuration. We recommend
configuring new log4j.xml instead of replacing it with the
previous version of the file.
10. Ensure that all directories and files copied from the backup
folder are readable and writable by a user running Tomcat
(e.g., chown tomcat:tomcat path/to/file).
11. Copy MySQL Connector (mysql-connector-java-5.x.x.jar) to
%CATALINA_HOME%/webapps/CSA_Server/WEB-INF/lib/.
Note: If you are not using MySQL, you do not need to obtain a
copy and install it.
12. Remove Apache Tomcat work cache (e.g.,
/var/cache/tomcat6/work/Catalina/localhost/CSA_Server/*,
<tomcat>/work/Catalina/localhost/CSA_Server/*).
13. Restart Apache Tomcat.
WebSphere Application Server
1. Stop WebSphere Application Server (WAS).
2. Create backup directory.
3. Backup following directories/files:
a. Copy following directories and files to backup folder:
- /CSA_Server/key-file
- /CSA_Server/stats
- /CSA_Server/rulepacks
- /CSA_Server/WEB-INF/lib/mysql-connector-java-5.x.x.jar
b. Copy following files from /CSA_Server/WEB-INF/ folder to
backup folder:
- cron.properties
- db.properties
- <company_name>-SecureAssist-PriKey.der
- SecureAssist.license
- classes/log4j.xml (optional, see step 9c)
4. Delete CSA_Server.EAR file from WAS Server1 folder.
5. Delete CSA_Server folder.
6. Copy new CSA_Server.EAR file to WAS Server1 folder for server
deployment.
7. Upgrade database by following instructions in the “Database
Upgrade” section below.
8. Start WebSphere Application Server (WAS); New
CSA_Server.EAR file is deployed on restart.
9. Restore the following directories/files.
a. Copy following directories to /CSA_Server:
- <backup>/key-file
- <backup>/stats
- <backup>/rulepacks
b. Copy following files to /CSA_Server/WEB-INF:
- <backup>/cron.properties (please see note at the
beginning of the section regarding additions to this file)
- <backup>/db.properties
- <backup>/<company>-SecureAssist-PriKey.der
- <backup>/SecureAssist.license
c. Copy the file <backup>/log4j.xml to /CSA_Server/WEB-INF/classes.
Note: If you are upgrading from a version prior to 2.3, the
Log4j configuration file in release 2.3 contains additional
loggers to improve logging configuration. We recommend
configuring new log4j.xml instead of replacing it with the
previous version of the file.
10. Copy MySQL Connector (mysql-connector-java-5.x.x.jar) to
/CSA_Server/WEB-INF/lib/.
Note: If you are not using MySQL, you do not need to obtain a
copy and install it.
11. Restart WebSphere Application Server (WAS).
Database Upgrade
Depending on your current version of SecureAssist Portal, a few
upgrade scripts may need to be run. SecureAssist Enterprise Portal
supports the following upgrade paths (upgrade scripts can be found
at the Enterprise Portal archive/DatabaseScript/upgrade/).
Note: The aggregation scripts should be run on the reporting
database, whereas other scripts should be run on the operational
database. If your SecureAssist instance has operations and reporting
on the same database, install both on the same instance.
Important! If configuring a secondary reporting database, don’t
forget to configure replication prior to database configuration.
Versions / Upgrade Paths
3.0.1 to 3.0.2
  Run ‘3.0.1_to_3.0.2’.
3.0 to 3.0.2
  Run these scripts in the following order:
  ‘3.0_to_3.0.1’
  ‘3.0.1_to_3.0.2’
2.5.1 to 3.0.2
  Run these scripts in the following order:
  ‘2.5.1_to_3.0.1’
  ‘3.0.1_to_3.0.2’
  Skip the aggregation script `portal_csa_[db]_aggregation.sql`, where
  [db] is either mysql or oracle, depending on your database software.
2.5.0 to 3.0.2
  Run these scripts in the following order:
  ‘2.4.1_to_2.5.1’
  ‘2.5.1_to_3.0.1’
  ‘3.0.1_to_3.0.2’
  Skip the aggregation script `portal_csa_[db]_aggregation.sql`, where
  [db] is either mysql or oracle, depending on your database software.
2.4.1 to 3.0.2
  Run these scripts in the following order:
  ‘2.4.1_to_2.5.1’
  ‘2.5.1_to_3.0.1’
  ‘3.0.1_to_3.0.2’
  Skip the aggregation script `portal_csa_[db]_aggregation.sql`, where
  [db] is either mysql or oracle, depending on your database software.
2.4.0 to 3.0.2
  Run these scripts in the following order:
  ‘2.4.0_to_2.4.1’
  ‘2.4.1_to_2.5.1’
  ‘2.5.1_to_3.0.1’
  ‘3.0.1_to_3.0.2’
  Skip the aggregation script `portal_csa_[db]_aggregation.sql`, where
  [db] is either mysql or oracle, depending on your database software.
2.3.7, 2.3.8 or 2.3.9 to 3.0.2
  Run these scripts in the following order:
  ‘2.3.7_to_2.4.0’
  ‘2.4.0_to_2.4.1’
  ‘2.4.1_to_2.5.1’
  ‘2.5.1_to_3.0.1’
  ‘3.0.1_to_3.0.2’
  Skip the aggregation script `portal_csa_[db]_aggregation.sql`, where
  [db] is either mysql or oracle, depending on your database software.
2.3.6 to 3.0.2
  Run these scripts in the following order:
  ‘2.3.6_to_2.3.7’
  ‘2.3.7_to_2.4.0’
  ‘2.4.0_to_2.4.1’
  ‘2.4.1_to_2.5.1’
  ‘2.5.1_to_3.0.1’
  ‘3.0.1_to_3.0.2’
  Skip the aggregation script `portal_csa_[db]_aggregation.sql`, where
  [db] is either mysql or oracle, depending on your database software.
2.3.1 to 3.0.2
  Run these scripts in the following order:
  ‘2.3.1_to_2.3.6’
  ‘2.3.6_to_2.3.7’
  ‘2.3.7_to_2.4.0’
  ‘2.4.0_to_2.4.1’
  ‘2.4.1_to_2.5.1’
  ‘2.5.1_to_3.0.1’
  ‘3.0.1_to_3.0.2’
  Skip the aggregation script `portal_csa_[db]_aggregation.sql`, where
  [db] is either mysql or oracle, depending on your database software.
2.3 to 3.0.2
  Run these scripts in the following order:
  ‘2.3_to_2.3.1’
  ‘2.3.1_to_2.3.6’
  ‘2.3.6_to_2.3.7’
  ‘2.3.7_to_2.4.0’
  ‘2.4.0_to_2.4.1’
  ‘2.4.1_to_2.5.1’
  ‘2.5.1_to_3.0.1’
  ‘3.0.1_to_3.0.2’
  Skip the aggregation script `portal_csa_[db]_aggregation.sql`, where
  [db] is either mysql or oracle, depending on your database software.
2.2 to 3.0.2
  Run these scripts in the following order:
  ‘2.2_to_2.3.1’
  ‘2.3.1_to_2.3.6’
  ‘2.3.6_to_2.3.7’
  ‘2.3.7_to_2.4.0’
  ‘2.4.0_to_2.4.1’
  ‘2.4.1_to_2.5.1’
  ‘2.5.1_to_3.0.1’
  ‘3.0.1_to_3.0.2’
  Skip the aggregation script `portal_csa_[db]_aggregation.sql`, where
  [db] is either mysql or oracle, depending on your database software.
Follow these instructions to upgrade the database.
Database Instructions
MySQL
If you are upgrading from any version prior to 3.0, you only have a single “Production Database” without replication.
If you are using a “Production Database” ONLY, without a “Reporting Database”, follow the steps below.
1. Run the following commands for the database upgrade. The “Production Database” is portal_csa.
   mysql -u root -p portal_csa < path_to/upgrade/{from_to_versions}/mysql_upgrade_{version}_to_{version}.sql
   mysql -u root -p portal_csa < /portal_csa_mysql_aggregation.sql
If you are using, or would like to upgrade to, a “Production Database” WITH a “Reporting Database”, follow the steps below.
1. Run the following commands for the database upgrade. The “Production Database” is portal_csa; the “Reporting Database” is portal_csa replicated in a different location.
   “Production Database” command:
   mysql -u root -p portal_csa < path_to/upgrade/{from_to_versions}/mysql_upgrade_{version}_to_{version}.sql
   “Reporting Database” command:
   mysql -u root -p portal_csa < /portal_csa_mysql_aggregation.sql
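The upgrade-path table and the MySQL commands above, as an added shell example that is not part of the Codiscope guide: it walks the single-step chain from a given starting version to 3.0.2 and feeds each script to the mysql client in order, stopping at the first failure. The directory layout under UPGRADE_DIR and the overridable MYSQL_CMD are assumptions of this example, not something the guide specifies.

```shell
#!/bin/sh
# Added example, not part of the Codiscope guide. It walks the single-step
# upgrade chain from a given SecureAssist Portal version to 3.0.2 (the rows of
# the upgrade-path table) and feeds each script to the mysql client the way the
# "Production Database" command in the MySQL instructions does.
# Assumptions made here, not stated on the page: upgrade scripts sit under
# $UPGRADE_DIR as {from}_to_{to}/mysql_upgrade_{from}_to_{to}.sql, and the
# mysql command line can be overridden through MYSQL_CMD (e.g. for a dry run).

TARGET_VERSION="3.0.2"
UPGRADE_DIR="${UPGRADE_DIR:-./DatabaseScript/upgrade}"
MYSQL_CMD="${MYSQL_CMD:-mysql -u root -p portal_csa}"

# Single upgrade steps as "from:to". Several starting versions share a chain
# (2.2 and 2.3 both step to 2.3.1; 2.5.1 and 3.0 both step to 3.0.1).
UPGRADE_EDGES="2.2:2.3.1 2.3:2.3.1 2.3.1:2.3.6 2.3.6:2.3.7 2.3.7:2.4.0
2.4.0:2.4.1 2.4.1:2.5.1 2.5.1:3.0.1 3.0:3.0.1 3.0.1:3.0.2"

# next_version FROM: prints the version one step after FROM, or fails.
next_version() {
    for edge in $UPGRADE_EDGES; do
        case "$edge" in
            "$1":*) echo "${edge#*:}"; return 0 ;;
        esac
    done
    return 1
}

# upgrade_chain FROM: prints the script names to run, oldest first, one per
# line, e.g. "2.5.1_to_3.0.1" then "3.0.1_to_3.0.2". 2.3.8 and 2.3.9 use the
# 2.3.7 scripts, as the table states. Fails for versions the table does not
# list, so nothing is run from an unknown starting point.
upgrade_chain() {
    cur="$1"
    case "$cur" in
        2.3.8|2.3.9) cur="2.3.7" ;;
    esac
    while [ "$cur" != "$TARGET_VERSION" ]; do
        nxt=$(next_version "$cur") || {
            echo "unsupported starting version: $1" >&2
            return 1
        }
        echo "${cur}_to_${nxt}"
        cur="$nxt"
    done
}

# run_upgrade FROM: applies every script of the chain to the production
# database in order and stops at the first failure, so a half-applied chain
# is noticed instead of silently continuing. Prints the number of scripts
# applied on success.
run_upgrade() {
    chain=$(upgrade_chain "$1") || return 1
    applied=0
    for step in $chain; do
        script="$UPGRADE_DIR/$step/mysql_upgrade_${step}.sql"
        if [ ! -r "$script" ]; then
            echo "missing upgrade script: $script" >&2
            return 1
        fi
        echo "applying $script" >&2
        $MYSQL_CMD < "$script" || {
            echo "step $step failed; check the database before retrying" >&2
            return 1
        }
        applied=$((applied + 1))
    done
    echo "$applied"
}

# Usage: run_upgrade 2.5.1
```

The aggregation script is deliberately left out of the chain; the table and the Database Instructions above say when and where it applies.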
Oracle
Configure Database and User
1. To modify the database name, user, and password (a password change is required), modify the Oracle-specific SQL script located in <CSA_Portal_Package>/DatabaseScripts/portal_csa_oracle.sql. (Make sure to modify this script with the desired username and password prior to running the database import process.)
2. To modify the credentials of the user that will be used to connect to the CSA Portal database, modify the following line in the SQL script:
   CREATE USER portal_csa IDENTIFIED BY Passw0rd DEFAULT TABLESPACE USERS TEMPORARY TABLESPACE TEMP;
   Optional: Replace ‘portal_csa’ and ‘Passw0rd’ with a username and password of your choice. Make sure to update all following lines that use them, such as: connect portal_csa/Passw0rd;
Running SQL Database Import Script
1. Log in to SQL*Plus as sysdba using the following command: sqlplus / as sysdba
2. To log the output of the SQL script execution, turn on spool: spool /<path>/<to>/log.txt;
3. Execute the SQL scripts: @/<path>/<to>/oracle_upgrade_{version}_to_{version}.sql and @/<path>/<to>/portal_csa_oracle_aggregation.sql
4. Turn off spool: spool off;
5. Exit from SQL*Plus: exit;
6. Review the log file containing the SQL script execution output to validate that there are no errors.
1 Log in to SecureAssist
Enter your username and password on SecureAssist’s login screen at http://<Host>:<Port>/CSA_Server. (The administrative user account was configured in the last step of the Enterprise Server setup and configuration.)
Getting Started
When you first log onto the Portal, it opens on the Get Started screen
by default. The screen displays these features.
Feature Description
Learn how it works: Provides a link to the SecureAssist Support screen and its related documentation.
Install the SecureAssist Plugin: Provides links for the download of the Eclipse, Visual Studio, and IntelliJ plugins.
Activate: Provides direction for activating your SecureAssist plugin license.
Portal Navigation
The navigation menu on the left side of the application allows you to
access any of the SecureAssist functional areas at any time. Those
functional areas are:
Statistics — An instant-reporting function that displays the number and types of issues identified and reviewed, guidance searched, and history of vulnerabilities remediated — by project or by individual user.
Reports — Allows administrators to produce various predefined reports for projects or for groups of users.
Rulepacks — Lists the various rulepacks loaded in the Portal for distribution to the licensed SecureAssist clients.
Manage — Contains screens for administering users, groups, roles, and your personal account.
Settings — Contains various settings for configuring the application and viewing license agreements.
Get Started — The “homepage.”
The following chapters will describe the functionality of the
SecureAssist Enterprise Portal in more detail.
2 Statistics
Statistics covering plugin functionality and user activity are periodically sent to the Portal. This information is stored on the Portal server in a database, and there are numerous pre-defined charts and graphs that can be viewed and exported.
Project Statistics
The Project Statistics screen allows you to instantly view statistical
information by project.
Run Statistics for a Selected Project
1. Navigate to the Project Statistics window. The Select a Project flyout will automatically open. (To manually open the flyout, click the Select a Project button.)
2. Locate a project by any combination of the following:
   scrolling through the list of projects,
   typing text into the search box to filter the selection, and/or
   clicking the filter icon to filter choices by Java, .Net, or PHP.
3. Click Select next to the desired project. The dialog closes, and
the Project Statistics Options window populates with default
information. The following table describes the selection
criteria on the Project Statistics Options window.
Field/Feature Description
Project: Displays the currently selected project for which statistics will be provided. To select a different project, click Change.
File: Displays the currently selected files in the project (by default, All Files). To change the file selection, click Change.
Date Range: Displays the selected range of dates for which statistics will be provided (defaults to the current date). To update, click in the date boxes to select a new start and/or end date.
Type: Choose one of the following three types of statistics:
  Top Findings — The ten most frequent findings for the selected project.
  File Scan — Allows you to choose an individual file in a project for which you wish to see statistics. (When selected, Sort by is no longer an option.)
  Suppression — Displays issues suppressed by end users, per project and per project file.
Sort by: Choose to sort results by one of the following:
  Category — Category of rules that were triggered/fired.
  Title — Name of the specific rule.
Show Chart: Click this button to display a chart based on the selected criteria.
Download CSV: Once a chart is displayed, click this button to save the data to a CSV file.
4. From the Project Statistics Options window, make your
criteria selections.
5. Click Show Chart. SecureAssist displays a chart based on
your selections.
6. If desired, filter the report results by user:
a. In the Filters pane, click on one or more users to highlight
them.
b. Click Update. The report updates to display data for the
selected users only.
Note: For the file scan statistic, data is shown only for a single user.
7. If desired, click Download CSV to save the data to a CSV file.
User Statistics
The User Statistics screen allows you to view statistics information for
a single user. When you access this screen, you will see a list of all
your plugin users (the list is populated by your client licenses).
Find a User
1. To quickly find a user in the user list, enter text into the Find
a User box. The list will automatically filter to show only
those user names that contain the text.
Run Statistics for a Single User
1. Locate the name of the desired user in the list, then click the
Get Statistics button next to it. The User Statistics
Options window displays default information. The following
table describes the selection criteria on this window.
Field/Feature Description
User: Displays the currently selected user for which statistics will be provided. To select a different user, click Change.
Date Range: Displays the selected range of dates for which statistics will be provided (defaults to the current date). To update, click in the date boxes to select a new start and/or end date.
Type: Choose one of the following types of statistics:
  User Session — Displays the user’s distinct sessions on a timeline. Hovering over a start or end point will display a timestamp.
  Scanned File Types — Pie chart that displays scanned files by type.
  Searched Guidance — Chart displays the guidance categories and the number of times each was searched by the user in a given timespan. Also indicates the rulepack in which the guidance was found.
  Top Findings — The ten most-frequent findings for the selected user.
  Issues Reviewed — Chart shows the number of issues found and reviewed by the user. Requires the selection of a project.
  Issues Suppressed — Displays issues suppressed by the user for a given timespan, project, and file. Requires the selection of a project.
Sort by (available only when Top Findings or Issues Suppressed is selected): Choose to sort results by one of the following:
  Category — Category of rules that were triggered/fired.
  Title — Name of the specific rule.
Select a Project (available only when Issues Reviewed or Issues Suppressed is selected): Click this button to select a project.
Show Chart: Click this button to display the statistics based on the selected criteria.
Download CSV: Click this button to save the data to a CSV file.
2. From the User Statistics Options window, make your criteria
selections.
3. Click Show Chart. SecureAssist displays a chart based on
your selections.
4. If desired, click Download CSV to save the data to a CSV file.
Timeseries
The Timeseries screen allows you to view graphs of defect/issue data
for a selected date range and selected projects.
The Issues bar graph presents the number of issues and their
severity for selected projects during a specific time period.
Below the Issues graph, the Issue Density line graph displays both
the total number of issues (in orange) and the number of lines of
code (LOC, in blue) over time.
Run the Issues and Issue Density Graphs
1. Navigate to the Timeseries window.
2. In the Date Range fields, enter the beginning and end dates
for the desired time period.
3. In the Project Name or Meta field, enter the desired project
or metadata in the text box.
Important! You must enter the complete, correct project or
metadata name.
4. Click Search. The Issues and Issue Density graphs display on
screen.
3 Reports
There are two types of reports: Project and User. Several reports can be generated for each type.
Project Reports
Project reports are reports you create for one or more selected
projects. When you add a report, the application generates a ZIP
archive containing the various report types you’ve selected in the
New Report flyout. When you navigate to the Project Reports screen,
you will see a list of report packages that have already run. This will
be blank the first time you access the screen.
From this screen you will be able to run a new report from scratch,
view the details of previously run report packages, and rerun and
download previously run report packages.
Find a Report
1. To quickly find a report in the report list, enter text into the
Find a Report box. The list will automatically filter to show
only those reports whose names contain the text.
View Details of Previously Run Report
1. To view the project associated with a report, click under the Projects column in that report’s row. The Filters flyout opens on the right, displaying the project names selected or the metadata used to select the project.
2. To view all other details about a report, click anywhere in the
report’s row EXCEPT the Projects column. A flyout opens that
displays the Report Name, Date Range, Report Types, Start
Time and End Time when the report was run, Duration of the
report run, and Status.
Add a New Report
To run a report, you must select a report type, then select the
projects you wish to report on.
1. On the Project Report screen, click Add Report. The New
Report flyout opens.
2. In Name, enter a title for the report. This is how the report
results will be listed on the Project Report screen.
3. In Date Range, select one of the following options: 7 Days, 30
Days, or All.
4. Under Report Types, select one or more report types.
Types of Project Reports Description
Portfolio Summary Report: Lists unique defects per project, number of files scanned, and lines of code based on the most recent project/solution scan date.
Project Report: Lists all files scanned as part of the project/solution review, including the most recent scan date, defect counts, lines of code, and the developer who performed the last scan.
Project Defect Report: Lists all rules that triggered during the last project/solution review, per project.
Global Defect Report: Lists all rules that triggered across all files.
5. Click Next. (Next will only be available when you’ve entered a
name AND selected at least one report type.) The Filters
flyout appears, with the title of your report name at the top.
You will use this flyout to filter the projects you wish to report
on by either Project Name or Metadata. Click on each
section title to display the associated fields.
Note: Metadata is configured in and reported from the
SecureAssist plugin. Please see SecureAssist plugin
documentation for more information.
6. On the Filters flyout, select the projects you wish to report on in either of two ways:
   In the Project Name section, select one or more projects by clicking the Add button next to each, OR click Add All to select them all.
   OR
   In the Metadata section, specify metadata values to select projects. When more than one key-value pair is specified, the filter will search for projects that meet all key-value pairs.
   a. In Key, enter the field you wish to filter on.
   b. In Value, enter the desired filter value.
   c. Click Add. The filter criteria will be added to a list below the Add feature.
   d. Add more criteria as desired.
7. Click Save. The Filter flyout closes and you are returned to
the Project Reports screen. Your new report should be listed
at the top of the screen, with its status as Scheduled. The
status will toggle to Complete when the report is generated
(generation time varies with the size of the report).
Download a Report
1. From the Project Reports screen, click anywhere in the row of
the desired report EXCEPT the Projects column. A flyout
opens with a list of report details and several action buttons.
2. Scroll to the bottom of the flyout and click Download Report.
A ZIP file of the report results is automatically saved to your
Downloads folder.
3. Open the ZIP file. A separate CSV file is displayed for each
report type you selected.
Note: The downloaded ZIP files will be named “ProjectReports”
with an appended run date, and CSV files will be named by report
type. The name you entered under Report Name appears ONLY
on the Project Reports screen.
Re-Run a Report
There are times you may want to run a report identical to one
you’ve previously run. Re-Run Report allows you to do this.
1. From the Project Reports screen, click anywhere in the row of
the desired report EXCEPT the Projects column. A flyout
opens with a list of report details and several action buttons.
2. Scroll to the bottom of the flyout and click Re-Run Report.
The Filter flyout closes and you are returned to the Project
Reports screen. The re-run report should be listed at the top
of the screen, with its status as Scheduled. The status will
toggle to Complete when the report is generated.
Note: The re-run report will have the identical name as the
original run of the report; in other words, you will have two
items with the same name in the Project Reports list.
Copy to New Report
The Copy to New Report function is essentially a “save as”
feature: when you copy to new report, you create a new report
using the selections of a previously created report as the default
selections. You can then edit those selections before saving the
new report, or just create a new report name.
1. From the Project Reports screen, click anywhere in the row of
the desired report EXCEPT the Projects column. A flyout
opens with a list of report details and several action buttons.
2. Scroll to the bottom of the flyout and click Copy to New
Report. A flyout opens that displays the previously selected
date range and report types, but with a blank for report
name.
3. Enter a new report name in Name.
4. If desired, change selections in Date Range and Report
Types.
5. Click Next to proceed to the Filters flyout.
6. If desired, change the filter criteria.
7. Click Save. The Filter flyout closes and you are returned to
the Project Reports screen. Your new report should be listed
at the top of the screen, with its status as Scheduled. The
status will toggle to Complete when the report is generated.
Delete a Report
1. From the Project Reports screen, click anywhere in the row of
the desired report EXCEPT the Projects column. A flyout
opens with a list of report details and several action buttons.
2. At the top of the flyout, click Delete Report. A popup asks
you to confirm the deletion.
3. Click Yes, delete it. You are returned to the Project Reports
screen, and the report instance is deleted from the list.
User Reports
User reports are reports you create for one or more selected user
groups. When you add a report, the application generates a ZIP
archive containing the various report types you’ve selected in the
New Report flyout.
When you navigate to the User Reports screen, you will see a list of
report packages that have already run. This will be blank the first
time you access the screen.
From this screen you will be able to run a new report from scratch,
view the details of previously run report packages, and rerun
previously run report packages.
Find a Report
1. To quickly find a report in the report list, enter text into the
Find a Report box. The list will automatically filter to show
only those reports whose names contain the text.
View Details of Previously Run Report
1. To view the user groups associated with a report, click under the Users column in that report’s row. The Filters flyout opens on the right, displaying the selected user groups.
2. To view all other details about a report, click anywhere in the
report’s row except the Users column. A flyout opens that
displays the Report Name, Date Range, Report Types, Start
Time and End Time when the report was run, Duration of the
report run, and Status.
Add New Report
To run a report, you must select a report type, then select the
user groups you wish to report on.
1. On the User Reports screen, click Add Report. The New
Report flyout opens.
2. In Name, enter a title for the report.
3. In Date Range, select one of the following options: 7 Days, 30
Days, or All.
4. Under Report Types, select one or more report types.
Types of User Reports Description
Developer File Coverage Report: Lists the count of files reviewed, by type, for each developer.
Developer Defect Report: Lists the total number of issues by category for each developer.
Developer Project Report: Lists all files scanned by each developer. The report includes the most recent date each file was scanned by a developer, defect counts, suppression counts, and lines of code for each file.
Developer Usage Report: Lists total defect counts and suppression counts, as well as the first and last time the tool was used, by developer.
5. Click Next. (Next will only be available when you’ve entered a
name AND selected at least one report type.) The flyout is
now titled with your report name, and the Included Groups
section appears.
6. In the Included Groups section, select one or more groups
by clicking the Add button next to each OR click Add All to
select them all.
7. Click Save. The Filter flyout closes and you are returned to
the User Reports screen. Your new report should be listed at
the top of the screen, with its status as Scheduled. The status
will toggle to Complete when the report is generated.
Download a Report
1. From the User Reports screen, click anywhere in the row of
the desired report EXCEPT the Users column. A flyout opens
with a list of report details and several action buttons.
2. Scroll to the bottom of the flyout and click Download Report.
A ZIP file of the report results is automatically saved to your
Downloads folder.
3. Open the ZIP file. A separate CSV file is displayed for each
report type you selected.
Note: The downloaded ZIP files will be named “UserReports” with
an appended run date, and CSV files will be named by report
type. The name you entered under Report Name appears ONLY
on the User Reports screen.
Re-Run an Existing Report
There are times you may want to run a report identical to one
you’ve previously run. Re-Run Report allows you to do this.
1. From the User Reports screen, click anywhere in the row of
the desired report EXCEPT the Users column. A flyout opens
with a list of report details and several action buttons.
2. Scroll to the bottom of the flyout and click Re-Run Report. The Filter flyout closes and you are returned to the User Reports screen. The re-run report should be listed at the top of the screen, with its status as Scheduled. The status will toggle to Complete when the report is generated.
Note: The re-run report will have the identical name as the
original run of the report; in other words, you will have two
items with the same name in the User Reports list.
Copy to New Report
The Copy to New Report function is essentially a “save as”
feature: when you copy to new report, you create a new report
using the selections of a previously created report as the default
selections. You can then edit those selections before saving the
new report, or just create a new report name.
1. From the User Reports screen, click anywhere in the row of
the desired report EXCEPT the Users column. A flyout opens
with a list of report details and several action buttons.
2. Scroll to the bottom of the flyout and click Copy to New
Report. A flyout opens that displays the previously selected
date range and report types, but with a blank for report
name.
3. Enter a new report name in Name.
4. If desired, change selections in Date Range and Report
Types.
5. Click Next. A list of the users to be included in the report is
displayed.
6. Click Save. The Filter flyout closes and you are returned to
the User Reports screen. Your new report should be listed at
the top of the screen, with its status as Scheduled. The status
will toggle to Complete when the report is generated.
Delete a Report
1. From the User Reports screen, click anywhere in the row of
the desired report EXCEPT the Users column. A flyout opens
with a list of report details and several action buttons.
2. At the top of the flyout, click Delete Report. A popup asks
you to confirm the deletion.
3. Click Yes, delete it. You are returned to the User Reports
screen, and the report instance is deleted from the list.
4 Rulepacks
A rulepack is a JAR file containing rules and guidance used by the SecureAssist plugin to scan your projects. You can load and distribute multiple rulepacks to your plugin users by enabling and disabling them on the Portal. Rulepacks can also be specific and bound to a certain group of SecureAssist plugin users.
SecureAssist provides a default rulepack, but you can also create and
edit your own custom rulepacks using the Rulepack Configurator that
comes bundled with the SecureAssist plugins. (Go to the Guides &
Documentation page on the Codiscope website and click Rules &
Rulepacks.)
Note: You can have more than one default and/or custom rulepack active. You can also have rulepacks assigned to specific groups by having a user with the group manager role upload the rulepack.
Find a Rulepack
1. To quickly find a rulepack in the rulepack list, enter text into
the Find a Rulepack box. The list will automatically filter to
show only those rulepacks whose names contain the text.
View Details of Rulepack
1. To view all details about a rulepack, click anywhere in the
rulepack’s row. A flyout displays the following details. All
fields have their values set in Rulepack Configurator and are
read-only in SecureAssist Portal EXCEPT Status.
Field Description
Name: Name of the uploaded rulepack.
Status (updateable): Enabled or Disabled; indicated by a color bar in the left margin. More than one rulepack can be enabled at one time. Click this toggle to change the rulepack’s status.
Version: Version number of the uploaded rulepack.
Plugin Support: List of plugin versions supported by this rulepack.
Type: Type of rulepack (Default or Custom).
Access: Level of access (Restricted or Unbounded). A restricted rulepack is accessible only by specified plugin users.
Uploaded: Date the rulepack was uploaded.
Upload a Rulepack
1. On the Rulepacks screen, click Upload Rulepack.
2. Browse to locate the desired rulepack, then click Open to
upload it. You are returned to Rulepacks, and the new
rulepack will appear in the list with a Status of Disabled.
Enable/Disable a Rulepack
Important! It’s recommended to have the most up-to-date
rulepack enabled and all outdated versions disabled, as older
versions may contain outdated rules.
1. On the Rulepacks screen, view the list of uploaded rulepacks.
Enabled rulepacks are indicated by a green bar in the left
margin; disabled rulepacks are indicated by a brown bar.
2. Single-click the row of the desired rulepack. The editing flyout
appears on the right.
3. Under Status, click Enabled or Disabled to select the desired
status. The flyout immediately closes, and the status of the
rulepack is updated. Changes to a rulepack become available
to users the next time they begin a session.
Download a Rulepack to Edit on Your Machine
1. On the Rulepacks screen, single-click the row of the desired
rulepack. The editing flyout appears on the right.
2. Click Download. A popup asks you to confirm the download.
3. Click Keep. The rulepack file is downloaded to your
computer. You can now edit it using Rulepack Configurator.
Delete a Rulepack
A rulepack can be deleted only if no prior project reports were
run using it. If a project report was generated involving the
rulepack, the rulepack can be disabled but not deleted. Project
reports are based on existing and active rulepacks.
1. On the Rulepacks screen, single-click the row of the desired
rulepack. The editing flyout appears on the right.
2. Click Delete Rulepack. A popup asks you to confirm the
deletion.
3. Click OK. The flyout closes, and the rulepack is removed from
the list.
5 Manage
The Manage function allows you to administer users, groups, and roles used in SecureAssist Portal, as well as your personal account.
Portal Users
The Portal Users screen lets you manage the various SecureAssist Portal
users. These are not plugin users, but the administrators of your
SecureAssist system (portal administrators, rulepack administrators, and
users who view and generate reports based on plugin user activity).
Other than the default Portal server administrator, each user is a
local user whose credentials are either stored in the Portal database
and authenticated against it or authenticated using LDAP. The default
Portal server administrator will always be a local user. However, it
can be disabled once other portal users are created.
Find a Portal User
1. To quickly find a user in the portal user list, enter text into the
Find a Portal User box. The list will automatically filter to
show only those portal users whose names contain the text.
Add a Portal User
1. On the Portal Users screen, click Add Portal User. The New
User flyout opens.
2. Enter a user name in Name. The user name can contain
letters and numbers only, NO spaces or special characters.
3. Enter a temporary password in Password for the new user
and then confirm it. The password must contain at least six
characters, including at least one capital letter, one lowercase
letter, and one number. The user will be able to change the
password when they log into the system.
4. Click Next to continue. The Roles flyout opens.
5. Select the role or roles you wish to assign to the user by
clicking the associated slide buttons, then click Next. The
Managed Users flyout opens.
6. If desired, select one or more users to manage, then click
Next. The Managed Projects flyout opens.
7. If desired, select one or more projects to manage, then click
Save. The flyout closes, and the new user is added to the
Portal Users list in alphabetical order with a Status of Active.
Activate/Deactivate a Portal User
1. On the Portal Users screen, single-click the name of the
desired portal user. The editing flyout appears on the right.
2. To change the user’s status, click the slide button next to the
Status, then click Save. The flyout is closed, and the user’s
new status is displayed on the Portal Users list.
Change/Reset a Portal User’s Password
1. On the Portal Users screen, single-click the name of the
desired portal user. The editing flyout appears on the right.
2. Click Change Password. The New Password and Confirm
New Password fields appear.
3. Enter and confirm a new password for the user. Passwords
must contain at least six characters, including at least one
capital letter, one lowercase letter, and one number.
4. Click Save. The flyout is closed, and you are returned to the
Portal Users list.
Edit a Portal User’s Assigned Roles
1. On the Portal Users screen, single-click in the Roles column of
the desired user’s row. The Roles flyout appears on the right.
2. Select the role or roles you wish to assign to the user by
clicking the associated slide buttons, then click Save. The
flyout closes, and the number of roles for the user is updated
in the Portal Users list.
Edit a Portal User’s Managed Users
1. On the Portal Users screen, single-click in the Users column of
the desired user’s row. The Managed Users flyout appears.
2. Select the users you wish to assign to the portal user by
clicking the Add and Remove buttons, then click Save. The
flyout closes, and the number of users for the portal user is
updated in the Portal Users list.
Plugin User Groups
The Plugin User Groups screen is where you can create and manage
groups of client-side plugin users of SecureAssist. The groups you
create here can then be used to filter data in the User Reports
section of SecureAssist Portal. There are no default user groups, so
the Plugin User Group screen will be blank the first time you visit it.
As you add groups, they will be listed on the screen.
Note: You can assign individuals to a plugin user group here OR on
the Plugin Users screen.
Find a Plugin User Group
1. To quickly find a plugin user group in the group list, enter text
into the Find a Group box. The list will automatically filter to
show only those plugin user groups whose names contain the
text.
Add a Plugin User Group
1. On the Plugin User Group screen, click Add Group. The New
User Group flyout opens.
2. In Group Name, enter a name for the new group.
3. In Description, enter a brief description of the group.
4. Click the Add button next to each user you wish to add to the
group OR click Add All to add all users.
5. Click Save. The flyout closes, and your new group is added to
the Plugin User Groups list.
Edit a Plugin User Group
1. On the Plugin User Group screen, click the Edit button
next to the desired group. The User Group flyout opens.
2. Make any desired edits to the user group, then click Save.
The flyout closes, and you are returned to the Plugin User
Groups list.
Delete a Plugin User Group
1. On the Plugin User Group screen, click the Edit button
next to the desired group. The User Group flyout opens.
2. Click Delete Group. A popup asks you to confirm the
deletion.
3. Click Yes, delete it. The popup closes, and the user group is
removed from the Plugin User Groups list.
Roles
The Roles screen allows the Server Administrator to create new,
custom roles to assign to portal users on the Portal Users screen. You
can assign and maintain the specific permissions you want to allow
users in each group.
There are four default roles in the SecureAssist Portal:
GROUP_ADMIN, GROUP_STATS_VIEWER, SERVER_ADMIN, and
STATS_VIEWER. The default permissions assigned to each of these
roles are listed in Appendix A, and Appendix B gives a complete list
of all permissions and their descriptions.
Find a Role
1. To quickly find a role in the role list, enter text into the Find a
Role box. The list will automatically filter to show only those
roles whose names contain the text.
Add a Role
1. On the Roles screen, click Add Role. The New Role flyout
opens.
2. Enter a unique role name in Name.
3. If desired, enter a brief description of the new role in
Description.
4. Click Next. The Permissions flyout opens.
5. Select the desired permissions, then click Save. (You must
select at least one permission in order to save the new role.)
The flyout closes and the new role is added to the Roles
screen.
Edit a Role’s Name or Description
1. On the Roles screen, click on the name of the role you wish to
edit. The editing flyout opens.
2. Make the desired edits to Name or Description, then click
Save. The flyout closes and your changes are saved.
Edit a Role’s Permissions
1. On the Roles screen, click on the permissions column in the
row of the role you wish to edit. The Permissions flyout
opens.
2. Make the desired changes to permissions, then click Save.
The flyout closes and your changes are saved.
Delete a Role
1. On the Roles screen, click on the name of the role you wish to
delete. The editing flyout opens.
2. Click the Delete Role button. A popup asks you to confirm
the deletion.
3. Click Yes, delete it. The flyout closes and the role is deleted
from the Role screen.
Account
The Account screen is where you can update your password for the
Portal.
Update Your Password
1. On the Account screen, enter your current password in
Current Password.
2. Enter your new password in New Password.
3. Re-enter your new password in Confirm New Password.
4. Click Save.
6 Settings
LDAP Configuration
The LDAP Configuration screen is where you configure LDAP settings
if you choose to use LDAP authentication for the Portal.
Authentication & Security
LDAP Authentication: Enables LDAP authentication on the server for portal users and plugin clients. (Note: plugin clients will only be able to authenticate with LDAP usernames if Client LDAP is also selected in Features Configuration.)
Secure LDAP: If the checkbox is selected, the LDAP connection is made over an SSL connection.
Verify Server Certificate (appears only when Secure LDAP is enabled): If off, the enterprise portal does not validate the LDAP server's certificate. If on, the enterprise portal validates the LDAP server's certificate.

Server
Server Name: The scheme and hostname of the LDAP URL.
Port: The port on which the LDAP server listens.
Timeout: The time in seconds after which LDAP queries time out.

Login
Scope: This setting is most similar to a baseDN field in LDAP. The Enterprise Portal uses SUBTREE_SCOPE when running an LDAP query, and this cannot be changed.
Filter Expression: The LDAP search filter expression restricts the entries that are queried.
DN: Similar to the SECURITY_PRINCIPAL setting.
Password: Required if the Login DN setting is specified.

Resetting when the administrator is locked out: To update this master LDAP password when the administrator is locked out, you must manually edit the database. Change ldap_settings -> privileged_password to the plaintext of the master account's LDAP password. When any LDAP bind next occurs on the portal (for example, when the administrator logs in), this plaintext value is replaced in the database by its encrypted form.
Feature Configuration
The following table describes the various feature settings.
Portal
CSA Portal: Allows users to activate the IDE plugin/package and retrieve the license file and rulepack from the Portal. If this feature is disabled, the IDE plugin will not activate as Enterprise Edition.

Client Authentication
LDAP: Authenticates SecureAssist users using LDAP. To activate a SecureAssist plugin Enterprise Edition user, the user must be present in Active Directory. Note: This feature can be enabled only if the LDAP connection is configured.
Email: Authenticates SecureAssist users by email. Enter one or more domains in the Domains field; separate multiple domains with a semicolon. To activate a SecureAssist plugin Enterprise Edition user, the user's email address must match the organization's domain name.

Client
License Renewal Period: Client license renewal period in days.

Support
Email To: Email address used to send support emails.
Subject: Default subject for support emails.

Statistics
CSA: Enables automatic collection of SecureAssist plugin statistics and their upload to the portal.
Anonymous: Gathers statistics in anonymous mode, that is, statistics are linked to a project but are not associated with a particular user.

Local Configuration
Filters: Allows users to locally modify filter settings (for example, turn off filters and rules, change importance, etc.).
Review: When selected, allows users to decide when files should be scanned (for example, when they are opened, when they are saved, or on demand). This setting must be unchecked to force a plugin user to inherit the Review Configuration settings below.

Review Configuration
Review on File Open: File review is performed on file open. Note: To prevent users from changing this setting, ensure that Review Configuration is disabled.
Review on File Save: File review is performed on file save. Note: To prevent users from changing this setting, ensure that Review Configuration is disabled.
Project Review: Review of an entire project, package, or folder is performed on demand.
Suppress Issue: Allows plugin users to suppress issues for the duration of an IDE session.

Allowed File Types for Eclipse-based IDEs
java: Enables SecureAssist plugin users to scan Java files.
jsp: Enables SecureAssist plugin users to scan JSP files.
xml: Enables SecureAssist plugin users to scan XML files.
properties: Enables SecureAssist plugin users to scan Properties files.
ftl: Enables SecureAssist plugin users to scan FTL files.
php: Enables SecureAssist plugin users to scan PHP files. Additionally, the Eclipse PHP plugin must be installed.

Allowed File Types for Visual Studio
cs: Enables SecureAssist plugin users to scan C# files.
vb: Enables SecureAssist plugin users to scan VB .NET files.
aspx: Enables SecureAssist plugin users to scan ASP.NET files.
config: Enables SecureAssist plugin users to scan .NET configuration files.
Plugin Users
The Plugin Users screen displays a list of users who have activated a
plugin or package license (including each user’s IDE and OS). To view
details of an individual user, click the user’s row. A flyout opens
displaying the information.
Find a User
1. To quickly find a user in the Plugin Users list, enter text into
the Find a User box. The list will automatically filter to show
only those users whose names contain the text.
Add a User to a Plugin User Group
Note: You can assign individuals to a plugin user group here OR
on the Plugin User Groups screen.
1. On the Plugin Users screen, select a user by clicking on its
row. A flyout opens with the details for that user.
2. Under Group Assignments, click Add next to one or more
user groups you wish to add the user to, then click Save. The
flyout closes and the user is now assigned to the selected
groups.
Delete a User
Once a plugin user is deleted, their project scan results and data
will still be in the database and appear on reports.
1. On the Plugin Users screen, select a user by clicking on its
row. A flyout opens with the details for that user.
2. Click the Delete User button. A popup asks you to confirm
the deletion.
3. Click Yes, delete it. The user is deleted, and the flyout closes.
7 More Support
We hope this document has helped you get started with SecureAssist.
You can submit a support request at [email protected]. You will also
find other manuals, release notes, system requirements, and more.
Thanks for using Codiscope SecureAssist!
www.codiscope.com
20 Park Plaza, Suite 1400
Boston, MA 02116
Phone: + 1 (617) 804-5428
Appendix A: Roles and Associated Permissions
Each user must be assigned at least one role. Each possible role is
described below.

Role Name: Permissions
GROUP_ADMIN: PER_ADD_USER, PER_DELETE_RULEPACK, PER_DISABLE_RULEPACK, PER_ENABLE_RULEPACK, PER_UPLOAD_RULEPACK, PER_VIEW_RULEPACK
GROUP_STATS_VIEWER: PER_VIEW_USER_STATS, PER_VIEW_PROJECT_STATS
SERVER_ADMIN: PER_ADD_USER, PER_EDIT_USER, PER_DELETE_USER, PER_RESET_LOCAL_USER_PASSWORD, PER_ADD_ROLE, PER_EDIT_ROLE, PER_DELETE_ROLE, PER_UPLOAD_RULEPACK, PER_VIEW_ALL_RULEPACK, PER_VIEW_RULEPACK, PER_ENABLE_ALL_RULEPACK, PER_DISABLE_ALL_RULEPACK
STATS_VIEWER: PER_VIEW_ALL_STATS
Appendix B: Permission Descriptions
Each new Role is defined by the permissions selected. The Role
Name must be unique.

Permission Name: Description
PER_ADD_USER: Allows adding a user to the system.
PER_EDIT_USER: Allows editing a user in the system.
PER_DELETE_USER: Allows deleting a user from the system.
PER_RESET_LOCAL_USER_PASSWORD: Allows resetting a local user's password.
PER_ADD_ROLE: Allows adding a new role.
PER_EDIT_ROLE: Allows editing an existing role.
PER_DELETE_ROLE: Allows deleting a role.
PER_UPLOAD_RULEPACK: Allows uploading a rulepack.
PER_VIEW_ALL_RULEPACK: Allows viewing all rulepacks uploaded to the server.
PER_VIEW_RULEPACK: Allows viewing rulepacks uploaded by the user.
PER_ENABLE_ALL_RULEPACK: Allows enabling all rulepacks uploaded to the server.
PER_ENABLE_RULEPACK: Allows enabling rulepacks uploaded to the server by the user.
PER_DISABLE_ALL_RULEPACK: Allows disabling all rulepacks uploaded to the server.
PER_DISABLE_RULEPACK: Allows disabling rulepacks uploaded to the server by the user.
PER_RESTRICT_ALL_RULEPACK: Allows restricting access to all rulepacks uploaded to the server for all users.
PER_RESTRICT_RULEPACK: Allows restricting access to rulepacks uploaded to the server by the user for the managed group of users.
PER_DELETE_ALL_RULEPACK: Allows deleting any rulepack uploaded to the server.
PER_DELETE_RULEPACK: Allows deleting rulepacks uploaded to the server by the user.
PER_VIEW_ALL_STATS: Allows viewing all statistics.
PER_VIEW_USER_STATS: Allows viewing statistics for managed users.
PER_VIEW_PROJECT_STATS: Allows viewing statistics for managed projects.
PER_SYSTEM_ADMIN: Allows editing the server configuration.
Appendix C: Audit Log
The following table describes the columns of the "audit" appender
log.

Column: Description
Date: Time of the event in coordinated universal time (UTC) with seconds granularity.
IP: IP address of the portal user that performs the event.
User: Portal user's ID.
Element Type: Category of elements in the portal, one of:
LDAP_SETTINGS
PLUGIN_USER
PLUGIN_USER_GROUP
PORTAL_SETTINGS
PORTAL_USER
REPORT
ROLE
RULEPACK
Element Name: The specific name of the affected element.
Event: The action taken on the element.
Description: A description of the event containing details regarding which elements were impacted and how.
Success: Indicates whether the user successfully completed the attempted task (true) or did not complete it (false).
</gr_replreplace>
<gr_replace lines="1606-1608" cat="reformat" orig="Appendix D:">
Appendix D: API Functionality
For users who prefer to perform reporting tasks via an API, we
provide guidance on the following pages.
Appendix D:
API Functionality For users who prefer to perform reporting tasks via an API, we
provide guidance on the following pages.
Important! This feature is safe to use ONLY via HTTPS. Security will
be greatly compromised if you use HTTP. No error will warn you if
you fail to take this precaution.
The following diagram shows the intended use of the reporting API.
First, a user must authenticate with the SecureAssist Enterprise Portal
to obtain a token. For each subsequent request, this authentication
token should be added to the request headers and will be verified by
the server.
Authentication
1. The client sends its credentials (email and password) to the
server.
2. The server authenticates them and generates a fixed-length
token with an expiration date.
3. The server stores the generated token in a map in memory.
4. The server sends the generated token to the client.
5. In every subsequent request, the client sends that token to the server.
6. For each request, the server extracts the token from the incoming
request and looks up the user identifier associated with the token
to obtain the user information needed for authorization.
7. If the token has expired, the server responds with an error
message (401 Unauthorized).
Resource URL Example
POST {application context}/api/auth
Request
Request Headers
Header Value
X-Username The user’s name
X-Password The plaintext password
X-Requested-By true
Response
HTTP/1.1 200 OK
Response Headers
Header Value
Content-Length 0
Date Timestamp
X-Auth-Token String with token
Example
Request Headers
Header Value
X-Requested-By true
X-Username testUser
X-Password 5P420D10ftZsFMj+i3X8KkXICHA=
Response Headers
Header Value
Content-Length 0
Date Thu, 08 Oct 2015 14:06:48 GMT
X-Auth-Token s64vWEL/R/Azhv53/JIHx4zbF2E1aoNYd4AVs5cWO1w=
CURL Example
curl -X POST --header "X-Requested-By: true" --header "X-Username: csauser" --header "X-Password: mypassword" -k https://myhost.com/CSA_Server/api/auth --head
Generate Project Report
Resource URL Example
POST {host}/api/report/project/{report type id}
Request
{report type id} parameter
ID Value
PortfolioSummaryReport Portfolio Summary Report
ProjectReport Project Report
ProjectDefectReport Project Defect Report
GlobalDefectReport Global Defect Report
The {report type id} parameter is case-insensitive
(PortfolioSummaryReport and portfoliosummaryreport are treated
the same).
Authentication
Token authentication.
Request Headers
Header Value
X-Requested-By true
Content-Type application/json
X-Auth-Token The string with token
Request Body
{
  "startDate": "{start date YYYY-MM-DD or empty}",
  "endDate": "{end date YYYY-MM-DD or empty}",
  "projectName": "{project name}"
}
Response
1. If the request is invalid, the server returns status 405 (or 401)
and a string with an error message.

Response Status: 405 Method Not Allowed
Description: The request was sent with invalid parameters.
Message: one of the following:
Project report type can't be empty.
Project report type value is not valid.
Start date must be less than or equal to today's date or empty.
End date must be less than or equal to today's date or empty.
End date must be less than or equal to start date.
Project report name can't be empty.
Can't generate project report.
Unable to find a scan using these parameters
Unable to find a report type "<report type>".

Response Status: 401 Unauthorized
Description: The request was sent with an invalid token.
Message: This request requires HTTP authentication.

2. If the request is valid, the server returns status 200 and the
content of the report.
Response Headers
Header Value
Content-Type text/csv
Content-Length {content length}
Content-Disposition attachment; filename={file name}.csv
Date {timestamp}
Example
URL: {host}/api/report/project/projectreport
Request Headers
Header Value
X-Requested-By true
Content-Type application/json
X-Auth-Token e0uRmveBif3W6ipWOojU/G1/FRJt8GhYqlApu/mM3+4=
Request Body
{ "startDate": "2015-08-10", "endDate": "2015-10-05", "projectName": "WebGoat-Legacy2" }
Response Status
HTTP/1.1 200 OK
Response Header
Header Value
Content-Type text/csv
Content-Length {content length}
Content-Disposition attachment; filename=ProjectScanReport.csv
Date Thu, 08 Oct 2015 13:53:01 GMT
Response Body
Solution Name,Project Name,File Path,Last Scan Date,LOC,# High Issues,# Medium Issues,# Low Issues,Total Number of Issues,Developer,# High (Suppressed),# Medium (Suppressed),# Low (Suppressed),Total Number of Suppressed Issues,
----,WebGoat-Legacy2,src\main\webapp\lesson_solutions\ReflectedXSS_files\colorschememapping.xml,1 Oct 2015 08:32:56 GMT,2,0,0,0,0,[email protected],0,0,0,0,
----,WebGoat-Legacy2,src\main\java\org\owasp\webgoat\lessons\BasicAuthentication.java,1 Oct 2015 08:32:49 GMT,284,0,2,0,2,[email protected],0,0,0,0,
----,WebGoat-Legacy2,src\main\webapp\lesson_solutions\WsSqlInjection_files\colorschememapping.xml,1 Oct 2015 08:32:56 GMT,2,0,0,0,0,[email protected],0,0,0,0,
----,WebGoat-Legacy2,src\main\webapp\lesson_solutions\HiddenFieldTampering_files\colorschememapping.xml,1 Oct 2015 08:32:56 GMT,2,0,0,0,0,[email protected],0,0,0,0,
----,WebGoat-Legacy2,src\main\webapp\lesson_solutions\BlindSqlInjection_files\filelist.xml,1 Oct 2015 08:32:56 GMT,18,0,0,0,0,[email protected],0,0,0,0,
----,WebGoat-Legacy2,src\main\java\org\owasp\webgoat\lessons\ForcedBrowsing.java,1 Oct 2015 08:32:44 GMT,151,0,0,0,0,[email protected],0,0,0,0,
----,WebGoat-Legacy2,src\main\java\org\owasp\webgoat\service\ParameterService.java,1 Oct 2015 08:32:51 GMT,68,0,0,0,0,[email protected],0,0,0,0,
----,WebGoat-Legacy2,src\main\java\org\owasp\webgoat\lessons\admin\SummaryReportCardScreen.java,1 Oct 2015 08:32:22 GMT,315,0,1,0,1,[email protected],0,0,0,0,
----,WebGoat-Legacy2,src\main\java\org\owasp\webgoat\lessons\instructor\RoleBasedAccessControl\ViewProfile_i.java,1 Oct 2015 08:32:25 GMT,134,0,3,0,3,[email protected],0,0,0,0,
----,WebGoat-Legacy2,src\main\webapp\lesson_solutions\DOMInjection_files\filelist.xml,1 Oct 2015 08:32:56 GMT,18,0,0,0,0,[email protected],0,0,0,0,
----,WebGoat-Legacy2,src\main\java\org\owasp\webgoat\lessons\WsSAXInjection.java,1 Oct 2015 08:32:45 GMT,228,1,2,0,3,[email protected],0,0,0,0,
----,WebGoat-Legacy2,pom.xml,1 Oct 2015 08:32:56 GMT,339,0,0,0,0,[email protected],0,0,0,0,
----,WebGoat-Legacy2,src\main\java\org\owasp\webgoat\lessons\CsrfPromptByPass.java,1 Oct 2015 08:32:47 GMT,186,0,0,0,0,[email protected],0,0,0,0,
----,WebGoat-Legacy2,src\main\java\org\owasp\webgoat\lessons\AbstractLesson.java,1 Oct 2015 08:32:45 GMT,809,0,4,0,4,[email protected],0,0,0,0,
CURL Example
curl -X POST -d '{ "projectName": "BigApp" }' --header "X-Requested-By: true" --header "Content-Type: application/json" --header "X-Auth-Token: EKfwFtSDISG7FGVPTP7rULyWcfd4/esP9YZ13amqKlo=" -k https://myhost.com/CSA_Server/api/report/project/PortfolioSummaryReport
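The two calls documented above (POST /api/auth and POST /api/report/project/{report type id}) as a small Python client, added here as an example and not Codiscope's code. It assumes an injectable transport (not on the page), refuses plain http:// because of the HTTPS warning at the start of this appendix, verifies the server certificate instead of passing the equivalent of curl's -k, and ships a constructed fake_portal and SAMPLE_CSV so the flow runs without a live portal; summarize_project_report totals the Project Report CSV shown in the response body above.

```python
"""Added example, not Codiscope code: a client for POST /api/auth and
POST /api/report/project/{report type id} as documented above. Assumed, not on
the page: an injectable transport; fake_portal and SAMPLE_CSV are constructed."""
import csv
import io
import json
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Report type ids from the page; the server compares them case-insensitively.
REPORT_TYPES = {"portfoliosummaryreport", "projectreport",
                "projectdefectreport", "globaldefectreport"}

def urllib_transport(method, url, headers, body):
    """Real transport: (status, headers, body); verifies the server certificate."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, context=ssl.create_default_context()) as r:
            return r.status, dict(r.headers), r.read()
    except urllib.error.HTTPError as err:  # 401/405 are returned, not raised
        return err.code, dict(err.headers), err.read()

class AuthError(Exception):
    """Failed login, missing token, or a rejected/expired token (HTTP 401)."""

class PortalClient:
    def __init__(self, base_url, transport=urllib_transport):
        # The page: safe only over HTTPS, and the server will not warn you.
        if urlparse(base_url).scheme != "https":
            raise ValueError("the reporting API must be used over HTTPS")
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.token = None

    def authenticate(self, username, password):
        """Steps 1-4 of the flow: trade credentials for the X-Auth-Token header."""
        status, headers, _ = self.transport(
            "POST", self.base_url + "/api/auth",
            {"X-Requested-By": "true", "X-Username": username, "X-Password": password}, None)
        token = {k.lower(): v for k, v in headers.items()}.get("x-auth-token")
        if status != 200 or not token:
            raise AuthError(f"authentication failed (HTTP {status})")
        self.token = token
        return token

    def project_report(self, report_type, project_name, start_date="", end_date=""):
        """Steps 5-7: the token rides on every request; 401 means it was rejected."""
        if report_type.lower() not in REPORT_TYPES:
            raise ValueError(f"unknown report type {report_type!r}")
        if self.token is None:
            raise AuthError("call authenticate() first")
        body = json.dumps({"startDate": start_date, "endDate": end_date,
                           "projectName": project_name}).encode("utf-8")
        status, _, data = self.transport(
            "POST", f"{self.base_url}/api/report/project/{report_type}",
            {"X-Requested-By": "true", "Content-Type": "application/json",
             "X-Auth-Token": self.token}, body)
        if status == 401:
            self.token = None  # expired or invalid: authenticate again, then retry
            raise AuthError("token rejected (HTTP 401)")
        if status != 200:  # 405 carries one of the validation messages listed above
            raise RuntimeError(f"HTTP {status}: {data.decode('utf-8', 'replace')}")
        return data.decode("utf-8")

def summarize_project_report(csv_text):
    """Totals over the Project Report CSV. Each data row ends with a trailing
    comma, which DictReader files under the '' key; that column is ignored."""
    totals = {"files": 0, "loc": 0, "high": 0, "medium": 0, "low": 0}
    for row in csv.DictReader(io.StringIO(csv_text)):
        totals["files"] += 1
        totals["loc"] += int(row["LOC"])
        totals["high"] += int(row["# High Issues"])
        totals["medium"] += int(row["# Medium Issues"])
        totals["low"] += int(row["# Low Issues"])
    return totals

FAKE_TOKEN = "constructed-token-value"
SAMPLE_CSV = (  # constructed, in the layout of the response body shown above
    "Solution Name,Project Name,File Path,Last Scan Date,LOC,# High Issues,"
    "# Medium Issues,# Low Issues,Total Number of Issues,Developer,# High "
    "(Suppressed),# Medium (Suppressed),# Low (Suppressed),Total Number of "
    "Suppressed Issues,\n"
    "----,Demo,src\\A.java,1 Oct 2015 08:32:49 GMT,284,0,2,0,2,d@x.invalid,0,0,0,0,\n"
    "----,Demo,src\\B.java,1 Oct 2015 08:32:45 GMT,228,1,2,0,3,d@x.invalid,0,0,0,0,\n")

def fake_portal(method, url, headers, body):
    """Constructed stand-in for the server, so the flow above runs offline."""
    if url.endswith("/api/auth"):
        return 200, {"Content-Length": "0", "X-Auth-Token": FAKE_TOKEN}, b""
    if headers.get("X-Auth-Token") != FAKE_TOKEN:
        return 401, {}, b"This request requires HTTP authentication."
    return 200, {"Content-Type": "text/csv"}, SAMPLE_CSV.encode("utf-8")
```

Against a real portal, construct PortalClient with the default transport and the https:// base URL of the CSA_Server context.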
Get Project List
Resource URL Example
GET {host}/api/projects
Request
Authentication
Token Authentication
Request Headers
Header Required? Description
X-Requested-By Required To avoid CSRF attacks
X-Auth-Token Required The string with token
Response
In case of HTTP 200 OK, the server responds with a JSON body of the
following form:
{
  "status": "success" or "failure" (failure if an error occurred while preparing the list),
  "count": 10,
  "result": [
    { "name": "projectA", "description": "..." },
    { "name": "projectB", "description": "..." }
  ]
}
Response Headers
HTTP/1.1 200 OK
Header Value
Content-Type application/json
Content-Length {content length}
Date {timestamp}
Example
Request Headers
Header Value
X-Requested-By true
X-Auth-Token UA0om5rAOdt7ddI5YHJ3A+Nd3muRdjjPFU4QCxRpmPE=
Response Body
{ "status": "success", "count": 4, "result": [ { "name": "Project1", "description": "" }, { "name": "Project2", "description": "" }, { "name": "Project3", "description": "" }, { "name": "Project4", "description": "" } ] }
CURL Example
curl -X GET --header "X-Requested-By: true" --header "X-Auth-Token: EKfwFtSDISG7FGVPTP7rULyWcfd4/esP9YZ13amqKlo=" --header "Content-Type: application/json" -k https://myhost.com/CSA_Server/api/projects
Number of Active Developers
How many developers are using the tool? The number of active users
over a period of time (active = at least one file scanned).
Resource URL Example
POST {host}/api/report/activeDevs/v1
Request
Request Headers
Header Value
Content-Type application/json
X-Auth-Token The string with token
X-Requested-By true
Request Body
{
  "startDate": "{start date YYYY-MM-DD or empty}",
  "endDate": "{end date YYYY-MM-DD or empty}"
}
Response
HTTP/1.1 200 OK
Response Headers
Header Value
Content-Length length
Date timestamp
Content-Type application/json
Response Body
{ "userCount": {count} }
CURL Example
curl -X POST --header "X-Requested-By: true" --header "X-Auth-Token: EKfwFtSDISG7FGVPTP7rULyWcfd4/esP9YZ13amqKlo=" --header "Content-Type: application/json" -d '{ "startDate": "2015-11-04", "endDate": "2015-11-05" }' -k https://myhost.com/CSA_Server/api/report/activeDevs/v1
Number of Projects Scanned
The number of projects scanned on this Enterprise Portal.
Resource URL Example
POST {host}/api/report/projects/v1
Request
Request Headers
Header Value
Content-Type application/json
X-Auth-Token The string with token
X-Requested-By true
Request Body
{
  "startDate": "{start date YYYY-MM-DD or empty}",
  "endDate": "{end date YYYY-MM-DD or empty}",
  "type": "{scanned or noscanned}"
}
Response
HTTP/1.1 200 OK
Response Headers
Header Value
Content-Length length
Date timestamp
Content-Type application/json
Response Body
{ "projectCount": {count} }
CURL Example
curl -X POST --header "X-Requested-By: true" --header "X-Auth-Token: EKfwFtSDISG7FGVPTP7rULyWcfd4/esP9YZ13amqKlo=" --header "Content-Type: application/json" -d '{ "type": "scanned", "startDate": "2015-11-04", "endDate": "2015-11-05" }' -k https://myhost.com/CSA_Server/api/report/projects/v1
Number of Project Defects
The number of defects in a project.
Resource URL Example
POST {host}/api/report/v1/defects
Request
Request Headers
Header Value
Content-Type application/json
X-Auth-Token The string with token
X-Requested-By true
Request Body (Choose either 'meta' or 'project', depending on
whether you are querying based on metadata or a project name.)
{
  "startDate": "{start date YYYY-MM-DD}",
  "endDate": "{YYYY-MM-DD or empty}",
  "meta": {"key1": "val1", "key2": "val2"},
  "project": "Project name"
}
Response
HTTP/1.1 200 OK
Response Headers
Header Value
Content-Length length
Date timestamp
Content-Type application/json
Response Body
{ "results": [{ "defect-hi":2, "defect-med":9, "defect-lo":22, "loc":2250, "date":"2016-02-12"}, { "defect-hi":3, "defect-med":14, "defect-lo":20, "loc":2175,"date":"2016-02-13"}, ...]}
CURL Example
curl -X POST --header "X-Requested-By: true" --header "Content-Type: application/json" --header "X-Auth-Token: yUyCkN1rCbFQK28FvWOsYW5T2yyeZCi4ijVnGdTKwBE=" -d '{"startDate":"2016-02-12","endDate":"2016-02-23","project":"SampleProject"}' -k https://myhost.com/CSA_Server/api/report/v1/defects
Top Number of Findings
Determines which rules have fired most frequently.
Resource URL Example
POST {host}/api/report/v1/defects/topn
Request
Request Headers
Header Value
Content-Type application/json
X-Auth-Token The string with token
X-Requested-By true
Request Body (Choose either 'meta' or 'project', depending on
whether you are querying based on metadata or a project name.)
{
  "startDate": "{start date YYYY-MM-DD}",
  "endDate": "{YYYY-MM-DD or empty}",
  "meta": {"key1": "val1", "key2": "val2"},
  "project": "Project name",
  "results": {minimum 1}
}
Response
HTTP/1.1 200 OK
Response Headers
Header Value
Content-Length length
Date timestamp
Content-Type application/json
Response Body
{"top_issues": [
  {"rule_id": "CSA Default Rulepack_ver_2.5.1.20151217141219-CIGITAL-SIMPLEDATEFORMAT-RACE-CONDITION", "count": 142},
  {"rule_id": "CSA Default Rulepack_ver_2.5.1.20151217141219-CIGITAL-QUALITY-CODE_CORRECTNESS-006", "count": 133}
]}
CURL Example
curl -X POST --header "X-Requested-By: true" --header "Content-Type: application/json" --header "X-Auth-Token: yUyCkN1rCbFQK28FvWOsYW5T2yyeZCi4ijVnGdTKwBE=" -d '{"startDate":"2016-02-12","endDate":"2016-02-23","project":"SampleProject","results":2}' -k https://myhost.com/CSA_Server/api/report/v1/defects/topn
Most Viewed Guidance
Determines which rules have fired the most from a given date.
Resource URL Example
POST {host}/api/report/v1/mostviewedrules
Request
Request Headers
Header Value
Content-Type application/json
X-Auth-Token The string with token
X-Requested-By true
Request Body (Choose either 'meta', 'project', or 'user-group',
depending on whether you are querying based on metadata, a
project name, or a group of users.)
{
  "start-date": "2016-01-01",
  "end-date": "2016-01-02",
  "project": "ProjectName",
  "meta": {"key1": "val1", "key2": "val2"},
  "user-group": "group name"
}
(The project, meta, and user-group keys are optional; supply the one
you are querying by.)
Response
HTTP/1.1 200 OK
Response Headers
Header Value
Content-Length length
Date timestamp
Content-Type application/json
Response Body
{"results": [{
  "rule_id": "CSA Default Rulepack_ver_2.5.1.20151218083753-CIGITAL-DOTNET-XML-LOADXML",
  "guidance": "CSA Default Rulepack_ver_2.5.1.20151218083753/default/standards/xml-dtd-attack.xml",
  "num_viewed": 2
}, ...]}
CURL Example
curl -X POST --header "X-Requested-By: true" --header "Content-Type: application/json" --header "X-Auth-Token: yUyCkN1rCbFQK28FvWOsYW5T2yyeZCi4ijVnGdTKwBE=" -d '{"startDate":"2016-02-12","endDate":"2016-02-23","project":"SampleProject"}' -k https://myhost.com/CSA_Server/api/report/v1/mostviewedrules