
Reporting

Once the test has been run, the results are used to generate a report. This report is returned to the CI pipeline from the Corellium API and can be uploaded as an artifact to the CI provider. The report contains an overview of the app, device and report itself (app name and ID, device model and OS, test date, etc.) as well as a thorough breakdown of the security issues identified by the checks.

Report Structure

The report contains results across several check categories, such as Authentication, Cryptography, Storage, etc. Each category has several groups of checks, which address a specific security issue such as insecure data storage or insecure network communication. Each group then has a series of checks which are designed to identify specific instances of that security issue.

Each test check has a short description of the security issue it is designed to identify, as well as a severity (low, medium or high) describing the potential impact of the issue.

Check Status

Each check reports a status, which can be either:

  • Pass: The check passed, meaning no security issue was identified.
  • Fail: The check failed, meaning a security issue was identified.
  • Error: The check could not be run, meaning the check itself was inconclusive.

Artifact Status

We also produce artifacts, which are the contents of a file detected during the MATRIX scan. These files are typically found in the application's binary and can be used to identify potential security vulnerabilities. You can learn more about artifacts in our Artifacts documentation.

Artifacts have two potential statuses:

  • Error: The artifact could not be found, meaning the check itself was inconclusive.
  • Artifact: The artifact was found and identified.

When an artifact is detected and a vulnerability is identified, we return a payload of the data such as the insecure data storage location or the insecure network communication endpoint. This payload can be used to identify the exact location of the security issue in the app.

Downloading the Report

The report is generated as an HTML file and a JSON file. You can download the report from the Corellium UI or API. If you're running in a CI flow, you can upload the report as an artifact to the CI provider for easy access.

HTML Report

The HTML report is a human-readable version of the report, which can be viewed in a web browser. It contains a summary of the app, device and report, as well as a breakdown of the security issues identified by the checks. View an example HTML report for our Corellium Cafe test app to see what the report looks like.

JSON Report

The JSON report is a machine-readable version of the report, which can be used to parse the report data programmatically. It contains the same information as the HTML report, but in a structured format.
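As an added example (not Corellium's own code, and not the documented report schema), the script below walks a JSON report using the category, group and check hierarchy described above and produces a CI gate decision: the pipeline fails when any check at or above a chosen severity reports Fail, while Error checks are listed as inconclusive rather than silently counted as passes. The key names (`categories`, `groups`, `checks`, `status`, `severity`, `payload`) and the sample values are assumptions; adapt them to the keys in an actual report.

```python
import json
from collections import Counter

# Constructed sample report. The key names are an assumption, not the
# documented MATRIX schema; the category -> group -> check nesting and the
# Pass/Fail/Error statuses follow the page.
SAMPLE_REPORT = {
    "app": {"name": "Corellium Cafe", "id": "constructed-app-id"},
    "categories": [
        {"name": "Storage", "groups": [
            {"name": "Insecure data storage", "checks": [
                {"id": "STOR-1", "severity": "high", "status": "Fail",
                 "payload": "constructed-storage-location"},
                {"id": "STOR-2", "severity": "low", "status": "Pass"},
            ]},
        ]},
        {"name": "Cryptography", "groups": [
            {"name": "Weak algorithms", "checks": [
                {"id": "CRYP-1", "severity": "medium", "status": "Error"},
            ]},
        ]},
    ],
}

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


def iter_checks(report):
    """Flatten the category/group/check hierarchy into (category, group, check)."""
    for cat in report.get("categories", []):
        for grp in cat.get("groups", []):
            for chk in grp.get("checks", []):
                yield cat["name"], grp["name"], chk


def summarize(report, fail_at="high"):
    """Gate decision plus per-status counts, failing checks and inconclusive ones."""
    if isinstance(report, str):          # accept the raw JSON text or a parsed dict
        report = json.loads(report)
    counts, failures, errors = Counter(), [], []
    for cat, grp, chk in iter_checks(report):
        counts[chk["status"]] += 1
        if chk["status"] == "Fail" and SEVERITY_RANK[chk["severity"]] >= SEVERITY_RANK[fail_at]:
            failures.append({"category": cat, "group": grp, "id": chk["id"],
                             "severity": chk["severity"], "payload": chk.get("payload")})
        elif chk["status"] == "Error":   # inconclusive: surface it, never treat as a pass
            errors.append(chk["id"])
    return {"gate": "fail" if failures else "pass", "counts": dict(counts),
            "failures": failures, "inconclusive": errors}


if __name__ == "__main__":
    result = summarize(SAMPLE_REPORT)
    print(json.dumps(result, indent=2))
    raise SystemExit(1 if result["gate"] == "fail" else 0)
```

Run it against the downloaded JSON file in the CI step that uploads the report; the non-zero exit code fails the job while the printed summary stays in the build log.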