
Limitations and Recommendations

This page summarizes the scope and the limitations of the CxSAST Reporting Service.

Affected Services

M&O (Management & Orchestration): Remediation tasks update very large tables used by the CxSAST Reporting Service, and these two components might conflict.

Benchmarking Environment

The environment used for performance lab testing consisted of a high-availability environment, with a large number of scans and a heavily loaded database composed of:

  • 2 managers, 4 cores, 16 GB RAM.

  • 10 engines.

  • DB on a separate DB VM:

    • Enterprise-scale populated DB with 8 cores and 32 GB RAM.

  • Session manager on a separate VM.

  • Scan load during the test:

    • 267 scans per hour.

The CxSAST Reporting Service was installed on the 2nd manager VM as a Windows service with remote access to the CxSAST database. CxSAST Reporting Service does not support HA.

To generate Scan reports, the CxSAST Reporting Service ran with a single thread, and the results are as follows:

| Template | Number of Scan Results | PDF Size | PDF Execution Time | JSON Execution Time |
|---|---|---|---|---|
| Vulnerability Type | 4676 results | ~11 MB | ~12 minutes | ~5 seconds |
| Vulnerability Type | 10 scans of 4676 results each | ~12 MB per report | ~12 minutes per report | ~6 seconds per report |
| Result State | 4676 results | ~11 MB | ~10 minutes | ~5 seconds |
| Result State | 10 scans of 4676 results each | ~12 MB per report | ~12 minutes per report | ~5 seconds per report |

To generate the Project report, the CxSAST Reporting Service ran with a single thread, and the results are as follows:

| Report Characteristics | PDF Size | PDF Execution Time | JSON Execution Time |
|---|---|---|---|
| 1 project: total results 305.607, total scans 166, results average per scan 1841 | ~1 MB | ~3 minutes | ~1 minute |
| 10 project reports: 166 scans per project, results average per scan ~1360 | ~1 MB per report | ~2 minutes per report | ~2 minutes per report |

To generate a Team report, the CxSAST Reporting Service ran with a single thread, and the results are as follows:

| Template | Report Characteristics | PDF Size | PDF Execution Time | JSON Execution Time |
|---|---|---|---|---|
| Single Team | 10 reports, 1 team per report, each team with 24 projects and 4120 scans on average | ~1.5 MB per report | Total for 10 reports: ~45 minutes; average per report: ~5 minutes | Total for 10 reports: ~50 minutes; average per report: ~5 minutes |
| Single Team | 1 report for a team with 153 projects and 46 scans | ~2 MB | ~51 seconds | ~25 seconds |
| Multiple Teams | 10 reports, 1 team per report, each team with 24 projects and 4120 scans on average | ~1 MB per report | Total for 10 reports: ~43 minutes; average per report: ~4 minutes | Total for 10 reports: ~55 minutes; average per report: ~5 minutes |
| Multiple Teams | 1 report for a team with 153 projects and 46 scans | ~1 MB | ~21 seconds | ~14 seconds |
| Multiple Teams | 10 reports, 10 teams per report, each team with 24 projects and 4120 scans on average | ~3 MB | Total for 10 reports: ~7 hours; average per report: ~42 minutes | Total for 10 reports: ~9 hours; average per report: ~54 minutes |

To generate an Application report, the CxSAST Reporting Service ran with a single thread, and the results are as follows:

| Report Characteristics | PDF Size | PDF Execution Time | JSON Execution Time |
|---|---|---|---|
| 10 reports, 1 project per report, each project with 166 scans and results average per scan ~1360 | ~1 MB per report | Total for 10 reports: ~11 minutes; average per report: ~1 minute | Total for 10 reports: ~9 minutes; average per report: ~1 minute |
| 1 report for a project with total results 305.607, total scans 166, results average per scan 1841 | ~1 MB | ~1 minute | ~53 seconds |
| 10 reports, 10 projects per report, each project with 166 scans and results average per scan ~1360 | ~3.5 MB per report | Total for 10 reports: ~1 hour and 15 minutes; average per report: ~8 minutes | Total for 10 reports: ~1 hour and 13 minutes; average per report: ~7 minutes |

To generate an Executive report, the CxSAST Reporting Service ran with a single thread, and the results are as follows:

| Report Characteristics | PDF Size | PDF Execution Time | JSON Execution Time |
|---|---|---|---|
| 10 reports, 1 team per report, each team with 24 projects and 4120 scans on average | ~1.2 MB per report | Total for 10 reports: ~35 minutes; average per report: ~4 minutes | Total for 10 reports: ~37 minutes; average per report: ~4 minutes |
| 1 report for a team with 153 projects and 46 scans | ~1.4 MB | ~22 seconds | ~8 seconds |
| 10 reports, 10 teams per report, each team with 24 projects and 4120 scans on average | ~3.4 MB | Total for 10 reports: ~3 hours and 40 minutes; average per report: ~22 minutes | Total for 10 reports: ~3 hours and 26 minutes; average per report: ~21 minutes |

AWS Benchmarking Environment

The AWS environment used for performance lab testing consisted of a high-availability environment, composed of:

  • 1 manager, 4 cores, 16 GB RAM

  • Load Balancer

  • DB on RDS

  • 6 engines:

    • 2 engines with 8 cores, 16 GB RAM

    • 2 engines with 8 cores, 32 GB RAM

    • 2 engines with 8 cores, 64 GB RAM

To generate the reports, the CxSAST Reporting Service ran with a single thread, and the results are as follows:

Scan Report

| Number of Scan Results | Time |
|---|---|
| 1 scan of 4868 results | ~4 minutes |
| 10 scans of 4868 results each | ~40 minutes |

Project Report

| Report Characteristics | Time |
|---|---|
| 1 project: total results 77474, total scans 100, results average per scan 774 | ~18 seconds |
| 10 project reports: 100 scans per project, results average per scan ~750 | ~3 minutes |

Team Report

| Template | Report Characteristics | Time |
|---|---|---|
| Single Team | 1 report for a team with 40 projects and 23 scans | ~3 minutes |
| Single Team | 1 report for a team with 16 projects and 1438 scans | ~4 minutes |
| Single Team | 10 reports, 1 report per team, each team with 20 projects and 1700 scans on average | ~2 hours |
| Multiple Teams | 1 report for a team with 40 projects and 23 scans | ~15 minutes |
| Multiple Teams | 1 report with 10 teams, each team with 20 projects and 1700 scans on average | ~10 minutes |
| Multiple Teams | 10 reports, 10 teams per report, each team with 20 projects and 1700 scans on average | ~36 minutes |

Recommendations and Limitations

This section lists requirements and recommendations for hardware and configurations.

Hardware Requirements and Recommendations

The following hardware configurations are required or recommended:

Minimum Requirements

  • CxSAST Manager

    • RAM - 16 GB

    • CPU - 4 cores

  • CxSAST Database

    • RAM - 16 GB

    • CPU - 4 cores

Software Recommendation

  • It is recommended to use SQL Server with SP4.

Limitations

Performance

  • During the performance tests, very large scans (5000+ results) caused abnormally high CPU consumption on the DB. Therefore, using filters or increasing overall system/environment resources is recommended.

  • To reduce CPU consumption, it is recommended to apply a CPU limit of 30% to the DB user. For that purpose, the following script can be executed:

  • Since the CxSAST Reporting Service sends remote requests to the DB, network bandwidth and latency strongly affect system performance.
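The 30% CPU limit described above, as an added example that is not the page's own script: it uses SQL Server Resource Governor (an Enterprise edition feature) to cap sessions from the reporting service's database login. It assumes the service connects with a dedicated login, shown here as the placeholder CxReportingUser.

```sql
-- Added example, not the page's own script: cap CPU for the CxSAST Reporting
-- Service's database login with SQL Server Resource Governor (Enterprise edition).
-- Assumption: the service connects with a dedicated login, here the placeholder
-- 'CxReportingUser'. Classifier functions must be created in master.
USE master;
GO

-- Pool with the 30% ceiling. MAX_CPU_PERCENT only bites under CPU contention;
-- CAP_CPU_PERCENT (SQL Server 2012+) is a hard cap even when the server is idle.
CREATE RESOURCE POOL CxReportingPool
    WITH (MAX_CPU_PERCENT = 30, CAP_CPU_PERCENT = 30);
GO

-- Workload group that sends its sessions to that pool.
CREATE WORKLOAD GROUP CxReportingGroup
    USING CxReportingPool;
GO

-- Classifier: sessions from the reporting login go to CxReportingGroup;
-- CxSAST managers and engines stay in the default group, untouched.
CREATE FUNCTION dbo.fn_CxReportingClassifier()
RETURNS sysname
WITH SCHEMABINDING
AS
BEGIN
    DECLARE @grp sysname = N'default';
    IF SUSER_SNAME() = N'CxReportingUser'   -- placeholder login name
        SET @grp = N'CxReportingGroup';
    RETURN @grp;
END;
GO

-- Register the classifier and apply it (this also enables Resource Governor).
ALTER RESOURCE GOVERNOR
    WITH (CLASSIFIER_FUNCTION = dbo.fn_CxReportingClassifier);
ALTER RESOURCE GOVERNOR RECONFIGURE;
GO

-- Check: which workload group each user session landed in. Only connections
-- opened after RECONFIGURE are classified, so restart the reporting service.
SELECT s.session_id, s.login_name, g.name AS workload_group
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_resource_governor_workload_groups AS g
    ON s.group_id = g.group_id
WHERE s.is_user_process = 1;
GO
```

Because the limit is tied to the login, the reporting service must not share a login with CxSAST itself, or the manager and engine sessions would be throttled too.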

General

  • PDF reports are only available in English.

  • SSL connection might require a new certificate.

  • Private network folders are not supported.

  • Access is compliant with CxSAST Access Control.

Best Practice Tips

  • Do not use more than two (2) parallel threads (set the NumberOfReportsToGenerateInParallel property in the appsettings.json file).

  • Report files are stored in the file system, and a PDF report with approximately 4800 scans averages 8 MB. Take this into account to avoid disk space constraints.

  • Adjust the ReportsExecutionInterval (Data Fetching Cron Job interval) setting according to the urgency of report generation. The default is 10 seconds.

  • For PDF format, apply filters to scans with many results (>500) to decrease the number of pages in the PDF output, thereby improving readability.

Dependencies

  • CxReportingService requires .NET Core version 3.10 or higher. This should not impact any other component functionality since it is possible to have multiple .NET Core versions side by side.

  • CxReportingService execution should not impact the normal CxSAST execution.

  • CxReportingService DB is coupled as a separate schema in the CxDB.

  • CxReportingService is supported for CxSAST 9.2, 9.3, 9.4, 9.5, and 9.6. See the Release Notes for more details.