
Limitations and Recommendations

This page summarizes the scope and the limitations of the CxSAST Reporting Service.

Affected Services

M&O (Management & Orchestration): Remediation tasks update very large tables that are used by the CxSAST Reporting Service, and these two components might conflict with each other.

Benchmarking Environment

The environment used for performance lab testing consisted of a high-availability environment, with a large number of scans and a heavily loaded database composed of:

  • 2 managers, 4 Cores, RAM 16GB.

  • 10 engines.

  • DB on a separate VM DB server:

    • Enterprise-scale populated DB with 8 Cores and RAM 32GB.

  • Session manager on a separate VM.

  • Scans load during the test:

    • 267 scans per hour.

The CxSAST Reporting Service was installed on the 2nd manager VM, as a Windows service with remote access to the CxSAST database. The CxSAST Reporting Service does not support HA.

To generate Scan reports, the CxSAST Reporting Service ran with a single thread and the results are as follows:

| Template | # Scan Results | PDF Size | PDF Execution Time | JSON Execution Time |
| --- | --- | --- | --- | --- |
| Vulnerability Type | 4676 | ~11 MB | ~12 minutes | ~5 seconds |
| Vulnerability Type | 10 scans of 4676 results each | ~12 MB per report | ~12 minutes per report | ~6 seconds per report |
| Result State | 4676 | ~11 MB | ~10 minutes | ~5 seconds |
| Result State | 10 scans of 4676 results each | ~12 MB per report | ~12 minutes per report | ~5 seconds per report |

To generate Project reports, the CxSAST Reporting Service ran with a single thread and the results are as follows:

| Report Characteristics | PDF Size | PDF Execution Time | JSON Execution Time |
| --- | --- | --- | --- |
| Total results: 305.607; total scans: 166; results average per scan: 1841 | ~1 MB | ~3 minutes | ~1 minute |
| 10 project reports; 166 scans per project; results average per scan ~1360 | ~1 MB per report | ~2 minutes per report | ~2 minutes per report |

To generate Team reports, the CxSAST Reporting Service ran with a single thread and the results are as follows:

| Template | Report Characteristics | PDF Size | PDF Execution Time | JSON Execution Time |
| --- | --- | --- | --- | --- |
| Single Team | 10 reports, 1 team per report, where each team has 24 projects and 4120 scans on average | ~1.5 MB per report | ~45 minutes for 10 reports (~5 minutes per report) | ~50 minutes for 10 reports (~5 minutes per report) |
| Single Team | 1 report for a team with 153 projects and 46 scans | ~2 MB | ~51 seconds | ~25 seconds |
| Multiple Teams | 10 reports, 1 team per report, where each team has 24 projects and 4120 scans on average | ~1 MB per report | ~43 minutes for 10 reports (~4 minutes per report) | ~55 minutes for 10 reports (~5 minutes per report) |
| Multiple Teams | 1 report for a team with 153 projects and 46 scans | ~1 MB | ~21 seconds | ~14 seconds |
| Multiple Teams | 10 reports, 10 teams per report, where each team has 24 projects and 4120 scans on average | ~3 MB | ~7 hours for 10 reports (~42 minutes per report) | ~9 hours for 10 reports (~54 minutes per report) |

To generate Application reports, the CxSAST Reporting Service ran with a single thread and the results are as follows:

| Report Characteristics | PDF Size | PDF Execution Time | JSON Execution Time |
| --- | --- | --- | --- |
| 10 reports, 1 project per report, where each project has 166 scans and ~1360 results per scan on average | ~1 MB per report | ~11 minutes for 10 reports (~1 minute per report) | ~9 minutes for 10 reports (~1 minute per report) |
| 1 report for a project with 305.607 total results, 166 total scans and 1841 results per scan on average | ~1 MB | ~1 minute | ~53 seconds |
| 10 reports, 10 projects per report, where each project has 166 scans and ~1360 results per scan on average | ~3.5 MB per report | ~1 hour and 15 minutes for 10 reports (~8 minutes per report) | ~1 hour and 13 minutes for 10 reports (~7 minutes per report) |

To generate Executive reports, the CxSAST Reporting Service ran with a single thread and the results are as follows:

| Report Characteristics | PDF Size | PDF Execution Time | JSON Execution Time |
| --- | --- | --- | --- |
| 10 reports, 1 team per report, where each team has 24 projects and 4120 scans on average | ~1.2 MB per report | ~35 minutes for 10 reports (~4 minutes per report) | ~37 minutes for 10 reports (~4 minutes per report) |
| 1 report for a team with 153 projects and 46 scans | ~1.4 MB | ~22 seconds | ~8 seconds |
| 10 reports, 10 teams per report, where each team has 24 projects and 4120 scans on average | ~3.4 MB | ~3 hours and 40 minutes for 10 reports (~22 minutes per report) | ~3 hours and 26 minutes for 10 reports (~21 minutes per report) |

AWS Benchmarking Environment

The AWS environment used for performance lab testing consisted of a high-availability environment, composed of:

  • 1 manager, 4 cores, RAM 16GB

  • Load Balancer

  • DB RDS

  • 6 engines

    • 2 engines with 8 cores, RAM 16GB

    • 2 engines with 8 cores, RAM 32GB

    • 2 engines with 8 cores, RAM 64GB

To generate the reports, the CxSAST Reporting Service ran with a single thread and the results are as follows:

Scan Report

| Number of Scan Results | Time |
| --- | --- |
| 1 scan of 4868 results | ~4 minutes |
| 10 scans of 4868 results each | ~40 minutes |

Project Report

| Report Characteristics | Time |
| --- | --- |
| 1 project with 77474 total results, 100 total scans and 774 results per scan on average | ~18 seconds |
| 10 project reports, 100 scans per project, ~750 results per scan on average | ~3 minutes |

Team Report

| Template | Report Characteristics | Time |
| --- | --- | --- |
| Single Team | 1 report for a team with 40 projects and 23 scans | ~3 minutes |
| Single Team | 1 report for a team with 16 projects and 1438 scans | ~4 minutes |
| Single Team | 10 reports, 1 report per team, where each team has 20 projects and 1700 scans on average | ~2 hours |
| Multiple Teams | 1 report for a team with 40 projects and 23 scans | ~15 minutes |
| Multiple Teams | 1 report with 10 teams, where each team has 20 projects and 1700 scans on average | ~10 minutes |
| Multiple Teams | 10 reports, 10 teams per report, where each team has 20 projects and 1700 scans on average | ~36 minutes |

Recommendations and Limitations

This section lists requirements and recommendations for hardware and configuration.

Hardware Requirements and Recommendations

The following hardware configurations are required or recommended:

Minimum Requirements

  • CxSAST Manager

    • RAM - 16 GB

    • CPU - 4 cores

  • CxSAST Database

    • RAM - 16 GB

    • CPU - 4 cores

Software Recommendation

  • It is recommended to use SQL Server with SP4.

Limitations

Performance

  • During the performance tests we observed that very large scans (5000+ results) caused an abnormal amount of CPU consumption on the DB. It is therefore recommended to use filters or to increase the overall system/environment resources.

  • To reduce CPU consumption, it is recommended to apply a CPU limit of 30% on the DB user. For that purpose, the following script can be executed:

  • Because the CxSAST Reporting Service sends remote requests to the DB, network bandwidth and latency strongly affect system performance.
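The page's own script for the 30% limit is not reproduced here. As an added example, not Checkmarx's script, the following T-SQL shows the standard SQL Server mechanism for capping a single login's CPU share, Resource Governor: a resource pool limited to 30% CPU, a workload group in that pool, and a classifier function that routes the reporting service's login into that group while every other login keeps the default group. The login name CxReportingUser and the pool, group and function names are placeholders; substitute the account the CxSAST Reporting Service actually connects with. Resource Governor is only present in editions that ship it, and MAX_CPU_PERCENT is enforced only while other pools compete for CPU; CAP_CPU_PERCENT (SQL Server 2012 and later) is a hard ceiling.

```sql
-- Added example (not the page's script): cap the CxSAST Reporting Service's
-- database login at 30% CPU with SQL Server Resource Governor.
-- Assumptions: the service connects as the login 'CxReportingUser' (placeholder)
-- and the SQL Server edition in use includes Resource Governor.
USE master;
GO

-- 1. A resource pool limited to 30% CPU. MAX_CPU_PERCENT only bites under
--    contention; CAP_CPU_PERCENT is a hard ceiling regardless of load.
CREATE RESOURCE POOL CxReportingPool
    WITH (MAX_CPU_PERCENT = 30, CAP_CPU_PERCENT = 30);
GO

-- 2. A workload group whose sessions are scheduled from that pool.
CREATE WORKLOAD GROUP CxReportingGroup
    USING CxReportingPool;
GO

-- 3. Classifier function: must be created in master, return sysname and be
--    schema-bound. It runs once for every new session at login time.
CREATE FUNCTION dbo.fn_CxReportingClassifier()
RETURNS sysname
WITH SCHEMABINDING
AS
BEGIN
    DECLARE @group sysname = N'default';
    -- Only the reporting login is routed; all other logins keep 'default'.
    IF SUSER_SNAME() = N'CxReportingUser'   -- placeholder login name
        SET @group = N'CxReportingGroup';
    RETURN @group;
END;
GO

-- 4. Register the classifier and activate the configuration.
ALTER RESOURCE GOVERNOR
    WITH (CLASSIFIER_FUNCTION = dbo.fn_CxReportingClassifier);
ALTER RESOURCE GOVERNOR RECONFIGURE;
GO

-- 5. Check: the reporting service's sessions should now show the new group.
--    Sessions are classified at connect time, so reconnect the service first.
SELECT s.session_id, s.login_name, g.name AS workload_group
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_resource_governor_workload_groups AS g
    ON g.group_id = s.group_id
WHERE s.login_name = N'CxReportingUser';
```

Run this as a sysadmin. Existing connections are not reclassified, so restart the CxSAST Reporting Service (or let its connection pool recycle) after RECONFIGURE and confirm with the final SELECT that its sessions land in CxReportingGroup rather than default. Keep the classifier cheap and exact, since it executes for every login on the instance; a classifier that raises errors or hangs can block all logins, and the Dedicated Administrator Connection, which bypasses Resource Governor classification, is the recovery path in that case.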

General

  • PDF reports are only available in English.

  • An SSL connection might require a new certificate.

  • Private network folders are not supported.

  • Access is compliant with CxSAST Access Control.

Best Practice Tips

  • Do not use more than two (2) parallel threads (set the NumberOfReportsToGenerateInParallel property in the appsettings.json file).

  • Report files are stored in the file system, and a PDF report covering approximately 4800 scans averages 8 MB in size. Take this into account to avoid disk space constraints.

  • Adjust the ReportsExecutionInterval setting (the Data Fetching Cron Job interval) according to the urgency of report generation. The default is 10 seconds.

  • For PDF format, apply filters to scans with a large number of results (>500) in order to decrease the number of pages in the PDF output, thereby improving readability.

Dependencies

  • CxReportingService requires .NET Core version 3.10 or higher. This should not impact any other component functionality, since it is possible to have multiple .NET Core versions side by side.

  • CxReportingService execution should not impact the normal CxSAST execution.

  • CxReportingService DB is coupled as a separate schema in the CxDB.

  • CxReportingService is supported for CxSAST 9.2, 9.3, 9.4, and 9.5. See the Release Notes for more details.