Report template XML files

Report templates are saved as XML files. You can edit the XML files to make changes or to create new report template files. When you edit the XML files, you can choose the sections and the contents of each section to include in the report template.

The default location for the folder that contains report template XML files is:

<tools_install_dir>/Core/config/reports/

To customize the logos used in the reports, you can replace header.png and footer.png in this directory.

Adding legacy report sections

You can add report sections by editing the XML files. In the XML structure, the ReportSection element defines a new section. It includes a Title element for the section name, and it must include at least one SubSection element to define the contents of the section in the report. The following XML is the Results Outline section of the Fortify Security Report:

    <ReportSection enabled="true" optionalSubsections="true">
      <Title>Results Outline</Title>
      <SubSection enabled="true">
        <Title>Overall number of results</Title>
        <Description>Results count</Description>
        <Text>The scan found $TOTAL_FINDINGS$ issues.</Text>
      </SubSection>
      <SubSection enabled="true">
        <Title>Vulnerability Examples by Category</Title>
        <Description>Results summary for critical and high priority issues.
          Vulnerability examples are provided by category.
        </Description>
        <IssueListing limit="1" listing="true">
          <Refinement>[fortify priority order]:critical OR
            [fortify priority order]:high</Refinement>
          <Chart chartType="list">
            <Axis>Category</Axis>
          </Chart>
        </IssueListing>
      </SubSection>
    </ReportSection>

In the previous example, the Results Outline section contains two subsections. The first subsection is a text subsection named Overall number of results. The second subsection is a results list named Vulnerability Examples by Category. A section can contain multiple subsections.

Adding report subsections

In the report sections, you can add subsections or edit subsection content. Subsections can generate text, results lists, or charts.

Adding text subsections

In a text subsection, you can include the Title element, the Description element, and the Text element. In the Text element, you can provide the default content, although you can edit the content before you generate a report. For a description of the text variables available to use in text subsections, see Editing Report Subsections. The following XML is the Overall number of results subsection in the Results Outline section:

    <SubSection enabled="true">
      <Title>Overall number of results</Title>
      <Description>Results count</Description>
      <Text>The scan found $TOTAL_FINDINGS$ issues.</Text>
    </SubSection>

In this example, the text subsection is titled Overall number of results. The description of the subsection's purpose is Results count. The text field, which the user can edit before running a report, uses one variable named $TOTAL_FINDINGS$.

Adding results list subsections

In a results list subsection, you can include the Title element, the Description element, and the IssueListing element. In the IssueListing element, you can define the default content for the limit and set listing to true. You can include the Refinement element either with or without a default statement, although you can edit the content before you generate a report. To generate a results list, the Chart element attribute chartType is set to list. You can also define the Axis element. The following XML is the Vulnerability Examples by Category subsection in the Results Outline section:

    <SubSection enabled="true">
      <Title>Vulnerability Examples by Category</Title>
      <Description>Results summary of the highest severity issues.
        Vulnerability examples are provided by category.</Description>
      <IssueListing limit="1" listing="true">
        <Refinement>[fortify priority order]:critical OR
          [fortify priority order]:high</Refinement>
        <Chart chartType="list">
          <Axis>Category</Axis>
        </Chart>
      </IssueListing>
    </SubSection>

In this example, the results list subsection is titled Vulnerability Examples by Category. The description of the subsection's purpose is Results summary of the highest severity issues. Vulnerability examples are provided by category. This subsection lists (listing="true") one issue (limit="1") per Category (the Axis element value) where there are issues that match the statement [fortify priority order]:critical OR [fortify priority order]:high (the value of the Refinement element).

Adding charts subsections

In a chart subsection, you can include the Title element, the Description element, and the IssueListing element. In the IssueListing element, you can define the default content for the limit and set listing to false. You can include the Refinement element either with or without a default statement, although you can edit the content before generating a report. To generate a pie chart, the Chart element's attribute chartType is set to pie. The options are table, pie, and bar. You can change this setting before you generate the report. You can also define the Axis element.

The following code shows an example of a chart subsection:

    <SubSection enabled="true">
      <Title>New Issues</Title>
      <Description>A list of issues discovered since the previous
       analysis.</Description>
      <Text>The following issues have been discovered since the
       last scan.</Text>
      <IssueListing limit="-1" listing="false">
        <Refinement />
        <Chart chartType="pie">
          <Axis>New Issue</Axis>
        </Chart>
      </IssueListing>
    </SubSection>

In this subsection, a chart (limit="-1" listing="false") has the title New Issues and a text section that contains the text The following issues have been discovered since the last scan. This chart includes all issues (the Refinement element is empty) and groups the issues on the value of New Issue (the value of the Axis element). This chart is displayed as a pie chart (chartType="pie").
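
A hand-edited template can be checked against the structure rules described on this page before it is placed in the reports directory. The following Python sketch is an added example, not part of the Fortify tools: the function name lint_section and the sample template are constructed for illustration, and the checks cover only the rules stated above (section Title, at least one SubSection, chartType "list" for results lists, and table, pie, or bar for charts).

```python
import xml.etree.ElementTree as ET

CHART_TYPES = {"table", "pie", "bar"}  # chart options listed on this page

# Constructed sample: the results list keeps chartType="pie" by mistake.
SAMPLE = """<ReportSection enabled="true" optionalSubsections="true">
  <Title>Results Outline</Title>
  <SubSection enabled="true">
    <Title>Overall number of results</Title>
    <Text>The scan found $TOTAL_FINDINGS$ issues.</Text>
  </SubSection>
  <SubSection enabled="true">
    <Title>Vulnerability Examples by Category</Title>
    <IssueListing limit="1" listing="true">
      <Chart chartType="pie"><Axis>Category</Axis></Chart>
    </IssueListing>
  </SubSection>
</ReportSection>"""

def lint_section(xml_text):
    """Hypothetical helper: list problems found in one ReportSection."""
    section = ET.fromstring(xml_text)
    if section.tag != "ReportSection":
        return ["root element is %s, expected ReportSection" % section.tag]
    problems = []
    if not (section.findtext("Title") or "").strip():
        problems.append("ReportSection has no Title")
    # XML names are case-sensitive: <Subsection> is not <SubSection>.
    for child in section:
        if child.tag.lower() == "subsection" and child.tag != "SubSection":
            problems.append("element <%s> should be <SubSection>" % child.tag)
    subsections = section.findall("SubSection")
    if not subsections:
        problems.append("ReportSection needs at least one SubSection")
    for sub in subsections:
        name = (sub.findtext("Title") or "").strip() or "(untitled)"
        listing = sub.find("IssueListing")
        if listing is None:
            continue  # text subsection: no listing rules to check
        chart = listing.find("Chart")
        chart_type = chart.get("chartType") if chart is not None else None
        if listing.get("listing") == "true" and chart_type != "list":
            problems.append(name + ': results list needs chartType="list"')
        elif listing.get("listing") != "true" and chart_type not in CHART_TYPES:
            problems.append(name + ": chart needs chartType table, pie, or bar")
    return problems

if __name__ == "__main__":
    print("\n".join(lint_section(SAMPLE)) or "no problems found")
```

Run against the constructed sample, the check reports the results list subsection because its Chart element does not use chartType="list".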