How do I generate a report?
Select a trace on the Traces tab, choose which crypto profile you want to use, then click on the “Generate Report” button.
How long should it take?
Times vary but roughly speaking, for a trace file of 1 million crypto calls analysis will take around five minutes.
What do the crypto profiles do?
Profiles store activation and criticality choices for the key-management and crypto-usage rules, as well as cryptographic key-length and permitted algorithm policy.
What’s in the reports?
The first tab in the reports is called “Summary” and gives a summary of the cryptography that has been seen in the trace as well as a summary of where the security problems have been identified. It also contains a list of all the crypto libraries detected in the trace, and for those which are widely-used standards (Oracle Java JCE or Bouncycastle), there is also information about the known vulnerabilities present in the cryptographic primitives in the library.
To see details of the vulnerabilities in the way the application uses its libraries, click on one of the other tabs “All”, “High”, “Medium” or “Low”.
On the left you can see the rules that failed, passed and were deactivated. By default just the failed rules are expanded and sorted by criticality. We call the failed rules the findings of the report.
Clicking on a rule gives you (in the right-hand column) details on consequences, access required to make the attacks and resources required as well as links to the Cryptosense Knowledge Base to find out more.
The Knowledge Base contains both background information on the state of the art in cryptanalysis (for example, the latest results on particular crypto algorithms) as well as specific information from Cryptosense’s own vulnerability research on commonly deployed crypto (for example, on Java Keystores and default crypto credentials in frameworks).
Beneath this is a list of instances for each finding, i.e. calls or combinations of calls in the trace that triggered the rule. For each instance, you can see a stacktrace showing where the calls came from.
How do I get to the stacktrace (developer) view?
Click on an instance to get the developer view, which shows a stacktrace for all the calls in the trace associated to that instance, and details of the exact parameters that were used in the calls that triggered the rules.
Sorting & Filtering Results
How can I dismiss an instance?
Click on the dustbin icon in the instance to add it to the list of dismissed instances. Dismissed instances can be reinstated by clicking on the reinstate icon in the instance bar.
Click on the star to star an instance. Starred instances can be exported separately if desired. See more on exporting.
Can I filter my results?
Yes, filters are set at the project level. Navigate to the project that you would like to set up filters for, then select the Filters tab in the menu bar. Filters are applied to all reports within a project.
How do I add a new filter?
When in the filters tab, use the form at the bottom of the page to add a new filter to the project. This form takes a couple of fields:
- Filter type: This can be whitelist or blacklist. Whitelist filters will only keep instances that have calls which match the filter term. Blacklists will only keep instances that have calls that do not match the filter term.
- Filter term: The filter term should be either a fully qualified method name (`package.company.Class.method`), a fully qualified class name (`package.company.Class`) or part of a package name (`package`). It is important to respect the capitalization of the package, class and method names.
- Description: (Optional) A description for the filter
Filters can be added directly in the “Filters” section of a project, or by using the “ADD FILTER” button next to the stacktrace frames displayed in the “Developer View” of every call. This button will add the fully qualified method name as a blacklist filter for your project.
How do I remove a filter?
To disable a filter temporarily, use the Disable button in the corresponding row of the filters table.
To remove a filter completely, select the bin icon in its row and confirm the prompt.
I blacklisted `X` but there are still instances appearing with it in. What’s going on?
Blacklisting `X` only removes an instance when `X` appears in all its calls. If an instance contains a call that doesn’t contain `X`, it will not be removed because you could be interested in that call.
Can I combine multiple filters?
Yes, you can combine filters by adding more in the Filters tab.
If there are multiple filters configured, then they are all applied at the same time. For more details on this, see the example below.
Example filter behaviour
Consider a project that has three filters configured:
- A whitelist filter for
- A blacklist filter for
- A blacklist filter for
Now consider how the filters interact with some instances.
Instance 1 has 2 calls:
- A call from
- A call from
This instance will be unaffected by either blacklist, but the whitelist will remove call 2 (as company.an_interesting_package does not appear in the stacktrace).
Therefore, the instance will be kept, as some calls are left by the filters.
Instance 2 has 2 calls:
- A call from
- A call from
This instance will be unaffected by the whitelist, but call 1 will be removed by blacklist 2 and call 2 will be removed by blacklist 3.
Therefore, the instance will be filtered, as no calls are left by the filters.
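The same two instances worked through in code, as an added illustration of the filter semantics above rather than Cryptosense's own implementation. The two blacklist terms, the stacktrace frames and the matching rule (a term matches a frame it equals or is a dotted prefix of) are assumptions, since the page does not spell them out.

```python
from dataclasses import dataclass

@dataclass
class Call:
    frames: list[str]  # stacktrace frames as fully qualified method names

@dataclass
class Filter:
    kind: str  # "whitelist" or "blacklist"
    term: str  # method, class or package name; capitalisation matters

def frame_matches(frame: str, term: str) -> bool:
    # Assumed matching rule: the term equals the frame or is a dotted prefix of
    # it, so "com.acme" matches "com.acme.Foo.bar" but not "com.acmeX.Foo.bar".
    return frame == term or frame.startswith(term + ".")

def call_matches(call: Call, term: str) -> bool:
    # A call matches a filter if any frame in its stacktrace matches the term.
    return any(frame_matches(f, term) for f in call.frames)

def call_survives(call: Call, filters: list[Filter]) -> bool:
    # All filters apply at once: a whitelist drops calls that do not match its
    # term, a blacklist drops calls that do.
    for flt in filters:
        matched = call_matches(call, flt.term)
        if flt.kind == "whitelist" and not matched:
            return False
        if flt.kind == "blacklist" and matched:
            return False
    return True

def surviving_calls(calls: list[Call], filters: list[Filter]) -> list[Call]:
    return [c for c in calls if call_survives(c, filters)]

def instance_kept(calls: list[Call], filters: list[Filter]) -> bool:
    # An instance is filtered out only when none of its calls survive.
    return bool(surviving_calls(calls, filters))

# Constructed filter terms standing in for the page's three filters.
FILTERS = [Filter("whitelist", "company.an_interesting_package"),
           Filter("blacklist", "org.example.noise"),
           Filter("blacklist", "org.example.logging")]

# Instance 1: call 2 has no whitelisted frame, so only call 1 survives.
INSTANCE_1 = [Call(["javax.crypto.Cipher.getInstance", "company.an_interesting_package.Client.encrypt"]),
              Call(["javax.crypto.Cipher.getInstance", "company.other_package.Batch.run"])]
# Instance 2: both calls are whitelisted, but each also hits one blacklist.
INSTANCE_2 = [Call(["org.example.noise.Helper.run", "company.an_interesting_package.Client.encrypt"]),
              Call(["org.example.logging.Log.wrap", "company.an_interesting_package.Client.sign"])]
```

Running `instance_kept(INSTANCE_1, FILTERS)` gives `True` and `instance_kept(INSTANCE_2, FILTERS)` gives `False`, matching the walkthrough above.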
How do I export the whole report or selected findings?
In the top toolbar click on export to see the options. You can download all the results in CSV or JSON form for manipulation in another application, or get a printable view in the browser that you can paste into another web application (e.g. an issue tracker or a task manager) or print as a PDF.
How do I select and export specific instances?
Click on the star next to an instance to select it. Click the star again to deselect. If you “star” a finding this is persistent across sessions, i.e. if you logout and login again you will find the same instances are still starred.
To export the starred instances along with their stacktraces, go to “export” and then select “Only findings marked as “starred”, with associated stacktraces“.
How do I rename or delete a report?
Click on the ‘edit’ icon in the menu bar to change the name of your report or delete it.