How do I generate a report?
Select a trace from the trace box on the report home screen, choose the crypto profile you want to use from the profiles box, and click the “Generate Report” button in the middle of the screen.
How long should it take?
Times vary, but as a rough guide, analysis of a trace file containing one million crypto calls takes around five minutes.
What do the crypto profiles do?
Profiles store which key-management and crypto-usage rules are active and how critical each one is, together with the policy on minimum cryptographic key lengths and permitted algorithms.
What’s in the reports?
The first tab in the reports, “Summary”, summarises the cryptography seen in the trace and where the security problems have been identified. It also lists every crypto library detected in the trace, and for the widely used standard libraries (Oracle Java JCE or Bouncycastle) it gives information about the known vulnerabilities present in that library’s cryptographic primitives.
To see details of the vulnerabilities in the way the application uses its libraries, click on one of the other tabs: “All”, “High”, “Medium” or “Low”.
On the left you can see the rules that failed, passed and were deactivated. By default just the failed rules are expanded and sorted by criticality. We call the failed rules the findings of the report.
Clicking on a rule shows, in the right-hand column, the consequences of the finding, the access and resources an attacker needs to exploit it, and links to the Cryptosense Knowledge Base where you can find out more.
The Knowledge Base contains both background information on the state of the art in cryptanalysis (for example, the latest results on particular crypto algorithms) as well as specific information from Cryptosense’s own vulnerability research on commonly deployed crypto (for example, on Java Keystores and default crypto credentials in frameworks).
Beneath this is a list of instances for each finding, i.e. the calls, or combinations of calls, in the trace that triggered the rule. For each instance you can see a stacktrace showing where the calls came from.
How do I get to the stacktrace (developer) view?
Click on an instance to get the developer view, which shows a stacktrace for every call in the trace associated with that instance, together with the exact parameters used in the calls that triggered the rule.
How can I dismiss an instance?
Click on the dustbin icon in the instance to add it to the list of dismissed instances. Dismissed instances can be reinstated by clicking on the reinstate icon in the instance bar.
Click on the star to star an instance. Starred instances can be exported separately if desired; see the export questions below.
What’s the syntax for filtering on stacktraces?
You can blacklist or whitelist packages to filter instances by the contents of their stacktraces. Enter blacklist:X in the stacktrace filter box to remove every instance in which X appears (as a package name, a class name or a method name) in the stacktrace of each of its calls. Enter whitelist:X to keep only the instances in which X appears in the stacktrace of at least one call.
I’ve entered blacklist:X but there are still instances appearing with X in their stacktraces. What’s going on?
blacklist:X only removes an instance when X appears in the stacktraces of all of its calls. If an instance contains a call whose stacktrace doesn’t contain X, the instance is kept, because you could be interested in that call.
Can I combine several stacktrace filters?
Yes, you can enter several search terms separated by spaces. For example, myfilter:a myotherfilter:b will apply both filters.
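The three filtering answers above describe a small algorithm: an instance is a set of calls, each with its own stacktrace; blacklist:X removes an instance only when X is in the stacktrace of every call, whitelist:X keeps an instance only when X is in the stacktrace of at least one call, and several space-separated terms are all applied. The following Python model is an added example written for this page, not Cryptosense’s own code: the Java-style frame format (package.Class.method), the matching on package prefix, class or method name, and the three sample instances are all assumptions constructed to show why a blacklisted package can still turn up in a surviving instance.

```python
# Added example (not Cryptosense's own code): a model of the stacktrace
# filter semantics described in the FAQ. The 'pkg.Class.method' frame
# format and the sample instances below are constructed assumptions.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Call:
    """One crypto call and the stacktrace it was made from (innermost frame first)."""
    api: str
    stacktrace: List[str]


@dataclass
class Instance:
    """One finding instance: the call, or combination of calls, that triggered a rule."""
    rule: str
    calls: List[Call]


def frame_matches(frame: str, term: str) -> bool:
    """True if `term` names a package prefix, class or method in `frame`.
    Assumption: frames look like 'com.example.Foo.bar'."""
    if term in frame.split("."):          # class name, method name or a single package component
        return True
    return frame.startswith(term + ".")   # dotted package prefix such as 'com.example.legacy'


def call_matches(call: Call, term: str) -> bool:
    return any(frame_matches(f, term) for f in call.stacktrace)


def parse_query(query: str) -> List[Tuple[str, str]]:
    """Split 'blacklist:a whitelist:b' into [('blacklist', 'a'), ('whitelist', 'b')]."""
    filters = []
    for token in query.split():
        kind, _, term = token.partition(":")
        if kind not in ("blacklist", "whitelist") or not term:
            raise ValueError(f"unsupported filter term: {token!r}")
        filters.append((kind, term))
    return filters


def apply_filters(instances: List[Instance], query: str) -> List[Instance]:
    """Return the instances that survive every filter in `query`."""
    filters = parse_query(query)
    kept = []
    for inst in instances:
        survives = True
        for kind, term in filters:
            if kind == "blacklist":
                # Removed only when X is in the stacktrace of *every* call;
                # an instance with one unrelated call is kept on purpose.
                if all(call_matches(c, term) for c in inst.calls):
                    survives = False
            else:
                # Kept only when X is in the stacktrace of at least one call.
                if not any(call_matches(c, term) for c in inst.calls):
                    survives = False
        if survives:
            kept.append(inst)
    return kept


def surviving_rules(instances: List[Instance], query: str) -> List[str]:
    return [inst.rule for inst in apply_filters(instances, query)]


# Constructed sample report: three findings, the second of which combines a
# call made from legacy code with a call made from elsewhere in the application.
INSTANCES = [
    Instance("ECB mode used", [
        Call("Cipher.getInstance", [
            "javax.crypto.Cipher.getInstance",
            "com.example.legacy.TokenCodec.encrypt",
            "com.example.web.LoginServlet.doPost",
        ]),
    ]),
    Instance("Same key used for encryption and MAC", [
        Call("Cipher.init", [
            "javax.crypto.Cipher.init",
            "com.example.legacy.TokenCodec.encrypt",
        ]),
        Call("Mac.init", [
            "javax.crypto.Mac.init",
            "com.example.api.SessionSigner.sign",
        ]),
    ]),
    Instance("Non-cryptographic RNG", [
        Call("Random.<init>", [
            "java.util.Random.<init>",
            "com.example.api.NonceFactory.next",
        ]),
    ]),
]

if __name__ == "__main__":
    for query in ("blacklist:com.example.legacy",
                  "whitelist:SessionSigner",
                  "blacklist:com.example.legacy whitelist:com.example.api"):
        print(f"{query!r:60} -> {surviving_rules(INSTANCES, query)}")
```

Running it shows the case the FAQ warns about: blacklist:com.example.legacy removes the ECB finding, whose only call came through the legacy package, but keeps the key-reuse finding because its Mac.init call came from com.example.api. If you really want every instance that touches a package gone, blacklist the class or method names of the other calls as well, or combine the blacklist with a whitelist that pins down the code you are actually reviewing.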
How do I export the whole report or selected findings?
In the top toolbar, click on export to see the options. You can download all the results in CSV or JSON form for manipulation in another application, or get a printable view in the browser that you can paste into another web application (e.g. an issue tracker or a task manager) or print as a PDF.
How do I select and export specific instances?
Click on the star next to an instance to select it, and click the star again to deselect it. Starring is persistent across sessions: if you log out and log in again, the same instances are still starred.
To export the starred instances along with their stacktraces, go to “export” and then select “Only findings marked as ‘starred’, with associated stacktraces”.
How do I rename or delete a report?
Click on the ‘edit’ icon in the menu bar to change the name of your report or to delete it.