Limitations and Recommendations
This page summarizes the scope and the limitations of the CxSAST Reporting Service.
Affected Services
M&O (Management & Orchestration): Remediation tasks update very large tables that the CxSAST Reporting Service also reads, so the two components might contend for the database while reports are being generated.
Benchmarking Environment
The environment used for performance lab testing was a high-availability environment with a large number of scans and a heavily loaded database, composed of:
2 managers, each with 4 cores and 16 GB RAM.
10 engines.
DB on a separate VM: an enterprise-scale populated database with 8 cores and 32 GB RAM.
Session manager on a separate VM.
Scan load during the test: 267 scans per hour.
The CxSAST Reporting Service was installed on the second manager VM as a Windows service with remote access to the CxSAST database. The CxSAST Reporting Service does not support HA.
To generate Scan reports, the CxSAST Reporting Service ran with a single thread, and the results are as follows:
Template | # Scan Results | PDF Size | PDF Execution Time | JSON Execution Time
---|---|---|---|---
Vulnerability Type | 4676 | ~11 MB | ~12 minutes | ~5 seconds
Vulnerability Type | 10 scans of 4676 results each | ~12 MB per report | ~12 minutes per report | ~6 seconds per report
Result State | 4676 | ~11 MB | ~10 minutes | ~5 seconds
Result State | 10 scans of 4676 results each | ~12 MB per report | ~12 minutes per report | ~5 seconds per report
To generate the Project report, the CxSAST Reporting Service ran with a single thread, and the results are as follows:
Report Characteristics | PDF Size | PDF Execution Time | JSON Execution Time
---|---|---|---
1 project report: 305,607 total results, 166 scans, ~1841 results per scan on average | ~1 MB | ~3 minutes | ~1 minute
10 project reports: 166 scans per project, ~1360 results per scan on average | ~1 MB per report | ~2 minutes per report | ~2 minutes per report
To generate a Team report, the CxSAST Reporting Service ran with a single thread, and the results are as follows:
Template | Report Characteristics | PDF Size | PDF Execution Time | JSON Execution Time
---|---|---|---|---
Single Team | 10 reports, 1 team per report, where each team has: | ~1.5 MB per report | 10 reports: ~45 minutes total, ~5 minutes per report | 10 reports: ~50 minutes total, ~5 minutes per report
Single Team | 1 report for a team having: | ~2 MB | ~51 seconds | ~25 seconds
Multiple Teams | 10 reports, 1 team per report, where each team has: | ~1 MB per report | 10 reports: ~43 minutes total, ~4 minutes per report | 10 reports: ~55 minutes total, ~5 minutes per report
Multiple Teams | 1 report for a team having: | ~1 MB | ~21 seconds | ~14 seconds
Multiple Teams | 10 reports, 10 teams per report, where each team has: | ~3 MB per report | 10 reports: ~7 hours total, ~42 minutes per report | 10 reports: ~9 hours total, ~54 minutes per report
To generate an Application report, the CxSAST Reporting Service ran with a single thread, and the results are as follows:
Report Characteristics | PDF Size | PDF Execution Time | JSON Execution Time
---|---|---|---
10 reports, 1 project per report, where each project has: | ~1 MB per report | 10 reports: ~11 minutes total, ~1 minute per report | 10 reports: ~9 minutes total, ~1 minute per report
1 report for a project having: | ~1 MB | ~1 minute | ~53 seconds
10 reports, 10 projects per report, where each project has: | ~3.5 MB per report | 10 reports: ~1 hour 15 minutes total, ~8 minutes per report | 10 reports: ~1 hour 13 minutes total, ~7 minutes per report
To generate an Executive report, the CxSAST Reporting Service ran with a single thread, and the results are as follows:
Report Characteristics | PDF Size | PDF Execution Time | JSON Execution Time
---|---|---|---
10 reports, 1 team per report, where each team has: | ~1.2 MB per report | 10 reports: ~35 minutes total, ~4 minutes per report | 10 reports: ~37 minutes total, ~4 minutes per report
1 report for a team having: | ~1.4 MB | ~22 seconds | ~8 seconds
10 reports, 10 teams per report, where each team has: | ~3.4 MB per report | 10 reports: ~3 hours 40 minutes total, ~22 minutes per report | 10 reports: ~3 hours 26 minutes total, ~21 minutes per report
AWS Benchmarking Environment
The AWS environment used for performance lab testing was a high-availability environment composed of:
1 manager with 4 cores and 16 GB RAM.
Load balancer.
Database on RDS.
6 engines:
2 engines with 8 cores and 16 GB RAM.
2 engines with 8 cores and 32 GB RAM.
2 engines with 8 cores and 64 GB RAM.
To generate the reports, the CxSAST Reporting Service ran with a single thread, and the results are as follows:
Scan Report
Number of Scan Results | Time |
---|---|
1 scan of 4868 results | ~4 minutes |
10 scans of 4868 results each | ~40 minutes |
Project Report
Report Characteristics | Time
---|---
1 project report for a project having: | ~18 seconds
10 project reports: | ~3 minutes
Team Report
Template | Report Characteristics | Time
---|---|---
Single Team | 1 report for a team having: | ~3 minutes
Single Team | 1 report for a team having: | ~4 minutes
Single Team | 10 reports, 1 report per team, where each team has: | ~2 hours
Multiple Teams | 1 report for a team having: | ~15 minutes
Multiple Teams | 1 report having 10 teams, where each team has: | ~10 minutes
Multiple Teams | 10 reports, where each report has 10 teams, and each team has: | ~36 minutes
Recommendations and Limitations
This section lists requirements and recommendations for hardware and configurations.
Hardware Requirements and Recommendations
The following hardware configurations are required or recommended:
Minimum Requirements
CxSAST Manager
RAM - 16 GB
CPU - 4 cores
CxSAST Database
RAM - 16 GB
CPU - 4 cores
Software Recommendation
It is recommended to use SQL Server with SP4.
Limitations
Performance
During the performance tests, generating reports for very large scans (5000+ results) caused abnormally high CPU consumption on the database server. For such scans, apply filters to the report or increase the overall system/environment resources.
To keep this CPU consumption in check, it is recommended to limit the database user that the Reporting Service connects with to 30% of the CPU. For that purpose, the following script can be executed:
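The script itself is not reproduced on this page. The following T-SQL is an added illustration, not the page's own script, of how a per-login CPU cap is typically implemented with SQL Server Resource Governor: a resource pool limited to 30% CPU, a workload group bound to that pool, and a classifier function that routes sessions from the Reporting Service's login into that group. The login name `CxReportingUser` is an assumption; substitute the login the service actually uses.

```sql
-- Added example (not the page's own script): cap the CPU share of the
-- CxSAST Reporting Service's database sessions at 30% with SQL Server
-- Resource Governor. Assumption: the service connects with the SQL login
-- 'CxReportingUser' (hypothetical name); replace it with the real login.
-- Resource Governor objects live in master and require Enterprise
-- (or Developer/Evaluation) edition.
USE master;
GO

-- 1. A pool that may use at most 30% of CPU. MAX_CPU_PERCENT is only
--    enforced while other pools compete for CPU; CAP_CPU_PERCENT is a
--    hard ceiling even on an otherwise idle server (SQL Server 2012+).
CREATE RESOURCE POOL CxReportingPool
WITH (
    MAX_CPU_PERCENT = 30,
    CAP_CPU_PERCENT = 30
);
GO

-- 2. A workload group bound to that pool.
CREATE WORKLOAD GROUP CxReportingGroup
USING CxReportingPool;
GO

-- 3. Classifier: runs for every new session and returns the workload
--    group name. It must be schema-bound, live in master and return
--    sysname. Keep it cheap: it is on the login path of every connection.
CREATE FUNCTION dbo.fn_CxReportingClassifier()
RETURNS sysname
WITH SCHEMABINDING
AS
BEGIN
    DECLARE @grp sysname = N'default';
    IF SUSER_SNAME() = N'CxReportingUser'
        SET @grp = N'CxReportingGroup';
    RETURN @grp;
END;
GO

-- 4. Register the classifier and apply. The first RECONFIGURE also
--    enables Resource Governor if it was disabled. Only sessions opened
--    after this point are classified, so restart the Reporting Service.
ALTER RESOURCE GOVERNOR WITH (CLASSIFIER_FUNCTION = dbo.fn_CxReportingClassifier);
ALTER RESOURCE GOVERNOR RECONFIGURE;
GO

-- 5. Check: the pool and group exist with the expected limits, and
--    live sessions from the login are landing in CxReportingGroup.
SELECT p.name AS pool_name, p.max_cpu_percent, p.cap_cpu_percent,
       g.name AS group_name
FROM sys.dm_resource_governor_resource_pools AS p
JOIN sys.dm_resource_governor_workload_groups AS g
  ON g.pool_id = p.pool_id
WHERE p.name = N'CxReportingPool';

SELECT s.session_id, s.login_name, g.name AS group_name
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_resource_governor_workload_groups AS g
  ON g.group_id = s.group_id
WHERE s.login_name = N'CxReportingUser';
```

Two caveats worth checking before relying on this: the classifier is evaluated for every login on the instance, so a misbehaving classifier can lock everyone out (keep a Dedicated Admin Connection available, which is not classified), and if the CxSAST managers and the Reporting Service share one login, the cap will throttle CxSAST itself; give the Reporting Service its own login first.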
Because the CxSAST Reporting Service queries the database remotely, network bandwidth and latency between the service and the database server have a strong impact on report generation time.
General
PDF reports are only available in English.
Connecting over SSL/TLS might require installing a new certificate.
Private network folders are not supported.
Access is compliant with CxSAST Access Control.
Best Practice Tips
Do not use more than two (2) parallel threads (set the NumberOfReportsToGenerateInParallel property in the appsettings.json file).
Report files are stored in the file system, and a PDF report for a scan with approximately 4,800 results averages 8 MB. Take this into account to avoid running out of disk space.
Adjust the ReportsExecutionInterval setting (the data-fetching cron job interval) according to how urgently reports are needed. The default is 10 seconds.
For PDF output, apply filters to scans with many results (>500) to reduce the number of pages in the PDF and improve readability.
Dependencies
CxReportingService requires .NET Core version 3.1 or higher. This should not affect any other component, since multiple .NET Core versions can be installed side by side.
CxReportingService execution should not impact normal CxSAST execution.
The CxReportingService database is a separate schema inside the CxDB database.
CxReportingService is supported for CxSAST 9.2, 9.3, 9.4, 9.5, and 9.6. See the Release Notes for more details.