crash.software
Projects
Pull Requests
Issues
Builds
bearer
Code
Files
Commits
Branches
Tags
Pull Requests
Code Comments
Code Compare
Issues
Builds
Statistics
Child Projects
cra.sh
RESTful API
Projects STRLCPY bearer Files
🤬
v0.23.0
ROOT /
docs /
explanations /
reports.md
170 lines | UTF-8 | 5 KB

title: Report Types layout: layouts/doc.njk

Report Types

Curio can generate four types of reports about your codebase, all from the same underlying scan.

Summary Report

Rules are the core feature of Curio. The summary report allows you to quickly see data security vulnerabilities in your codebase. The report breaks down rule violations by severity level: Critical, High, Medium, Low. These levels help you prioritize issues and fix the most important vulnerabilities. The summary report is Curio's default report type.

For each violation, the summary report includes the affected file and, when possible, the line of code and a snippet of the surrounding code. Here's an excerpt from the summary report run on our example publishing app:

...
CRITICAL: Do not store sensitive data in JWTs. [DSR-3]
https://curio.sh/reference/rules/ruby_lang_jwt
To skip this rule, use the flag --skip-rule=ruby_lang_jwt

File: /bear-publishing/lib/jwt.rb:6

 3     JWT.encode(
 4       {
 5         id: user.id,
 6         email: user.email,
 7         class: user.class,
 8       },
 9       nil,
 	...
 11     )

...

=====================================

24 checks, 18 failures

CRITICAL: 15 (DSR-1, DSR-10, DSR-2, DSR-3, DSR-5)
HIGH: 0
MEDIUM: 0
LOW: 3 (DSR-2, DSR-7)

exit status 1

Summary reports are currently available for Ruby projects, with Javascript/Typescript coming soon and more languages to follow.

To run your first summary report, run curio scan . on your project directory. By default, the summary report is output in a human-readable format, but you can also output it as YAML or JSON by using the --format yaml or --format json flags.

Data Flow Report

The data flow report breaks down the data types and associated components detected in your code. It focuses your app processes personal and sensitive data and where it may be exposed to third parties and databases.

This report type can produce JSON or YAML (using the --format flag) and is best used for identifying where data exists in your code. You can then use this to create a record of processing activity (ROPA), AppStore report, or build your data catalog. In the following example, we can see all the places an Email Address is processed by our example application:

{
      "name": "Email Address",
      "detectors": [
        {
          "name": "rails",
          "locations": [
            {
              "filename": "db/schema.rb",
              "line_number": 91
            }
          ]
        },
        {
          "name": "ruby",
          "locations": [
            {
              "filename": "app/controllers/application_controller.rb",
              "line_number": 35
            },
            {
              "filename": "app/controllers/application_controller.rb",
              "line_number": 37
            },
            {
              "filename": "app/controllers/application_controller.rb",
              "line_number": 42
            },
            {
              "filename": "app/controllers/orders_controller.rb",
              "line_number": 105
            },
            {
              "filename": "app/models/user.rb",
              "line_number": 8
            },
            {
              "filename": "app/services/marketing_export.rb",
              "line_number": 23
            },
            {
              "filename": "lib/jwt.rb",
              "line_number": 6
            }
          ]
        }
      ]
    }

If we look at the db/schema.rb file mentioned in the report, we can see that email is exposed:

  create_table "users", force: :cascade do |t|
    t.string "name"
    t.string "email"
    t.string "telephone"
    t.integer "organization_id", null: false
    t.datetime "created_at", null: false
    t.datetime "updated_at", null: false
    t.index ["organization_id"], name: "index_users_on_organization_id"
  end

To run your first data flow report, run curio scan with the --report dataflow flag. By default, the data flow report is output in JSON format. To format as YAML, use the --format yaml flag.

Stats Report

The stats report provides a minimal overview of the scan including the total lines scanned, the detected data types, and the number of times each was found.

Scanning target... 100% [========================================] (278/278, 103 files/s) [2s]
{
  "number_of_lines": 1456,
  "number_of_data_types": 6,
  "data_types": [
    {
      "name": "Email Address",
      "occurrences": 8
    },
    {
      "name": "Fullname",
      "occurrences": 3
    },
    {
      "name": "Physical Address",
      "occurrences": 2
    },
    {
      "name": "Telephone Number",
      "occurrences": 1
    },
    {
      "name": "Transactions",
      "occurrences": 7
    },
    {
      "name": "Unique Identifier",
      "occurrences": 2
    }
  ]
}

This report is useful for putting together ongoing statistics, making a quick check of data processing, or building internal dashboards. For more detailed information, you'll want to run a data flow report.

To run your first stats report, run curio scan with the --report stats flag. By default, the stats report is output in JSON format. To format as YAML, use the --format yaml flag.

Detectors Report

The detectors report type is the most low-level, data-rich type. You’re unlikely to use this report on its own, but it can be useful for building your own tooling based on the data parsed by Curio.

To run your first detectors report, run curio scan with the --report detectors flag. By default, the detectors report is output in JSON format. To format as YAML, use the --format yaml flag.

Please wait...
Page is in error, reload to recover