search

CROSSINGTUD / CryptoAnalysis

CogniCrypt_SAST: CrySL-to-Static Analysis Compiler
Eclipse Public License 2.0
63 stars 39 forks source link

CSV logs give less information than TXT Logs #370

Closed Maximilianhummel closed 1 year ago

Maximilianhummel commented 2 years ago

Running with CSV as report format does not give me the same log information as running with .TXT as report format.

This is the log with CSV:

[main] INFO crypto.HeadlessCryptoScanner - Using call graph algorithm CHA
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.google.inject.internal.cglib.core.$ReflectUtils$2 (file:/home/user/uni/bp/cognicrypt/CryptoAnalysis-2.8.0-SNAPSHOT-jar-with-dependencies.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
WARNING: Please consider reporting this to the maintainers of com.google.inject.internal.cglib.core.$ReflectUtils$2
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
0    [main] WARN  pes.access.impl.DeclaredTypeFactory  - --- xtext.common.types ---------------------------------------------------
1    [main] WARN  pes.access.impl.DeclaredTypeFactory  - ASM library is too old. Falling back to java.lang.reflect API.
1    [main] WARN  pes.access.impl.DeclaredTypeFactory  - Please note that no information about compile time constants is available.
1    [main] WARN  pes.access.impl.DeclaredTypeFactory  - It's recommended to use org.objectweb.asm 9.1.0 or better (Maven group id: org.ow2.asm).
1    [main] WARN  pes.access.impl.DeclaredTypeFactory  - --------------------------------------------------------------------------
[main] INFO crypto.HeadlessCryptoScanner - Analysis soot setup done in 3.797 s 
[main] INFO crypto.analysis.CryptoScanner - Searching for seeds for the analysis!
[main] INFO crypto.analysis.CryptoScanner - Discovered 0 analysis seeds within 0 seconds!
[main] INFO crypto.reporting.CSVReporter - CSV Report generated to file : /home/user/uni/bp/cognicrypt/CryptoAnalysis-Report.csv
[main] INFO crypto.analysis.CryptoScanner - Static Analysis took 0 seconds!
[main] INFO crypto.HeadlessCryptoScanner - Analysis finished in 6.418 s

I would like to have a log like this:

[main] INFO crypto.HeadlessCryptoScanner - Using call graph algorithm CHA
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.google.inject.internal.cglib.core.$ReflectUtils$2 (file:/home/user/uni/bp/cognicrypt/CryptoAnalysis-2.8.0-SNAPSHOT-jar-with-dependencies.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
WARNING: Please consider reporting this to the maintainers of com.google.inject.internal.cglib.core.$ReflectUtils$2
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
0    [main] WARN  pes.access.impl.DeclaredTypeFactory  - --- xtext.common.types ---------------------------------------------------
1    [main] WARN  pes.access.impl.DeclaredTypeFactory  - ASM library is too old. Falling back to java.lang.reflect API.
1    [main] WARN  pes.access.impl.DeclaredTypeFactory  - Please note that no information about compile time constants is available.
1    [main] WARN  pes.access.impl.DeclaredTypeFactory  - It's recommended to use org.objectweb.asm 9.1.0 or better (Maven group id: org.ow2.asm).
2    [main] WARN  pes.access.impl.DeclaredTypeFactory  - --------------------------------------------------------------------------
[main] INFO crypto.HeadlessCryptoScanner - Analysis soot setup done in 3.554 s 
[main] INFO crypto.analysis.CryptoScanner - Searching for seeds for the analysis!
[main] INFO crypto.analysis.CryptoScanner - Discovered 10 analysis seeds within 0 seconds!
[main] INFO crypto.analysis.CryptoScanner - Analyzed Objects: 1 of 10
[main] INFO crypto.analysis.CryptoScanner - Percentage Completed: 0.1

[main] INFO crypto.analysis.CryptoScanner - Analyzed Objects: 2 of 10
[main] INFO crypto.analysis.CryptoScanner - Percentage Completed: 0.2

[main] INFO crypto.analysis.CryptoScanner - Analyzed Objects: 3 of 11
[main] INFO crypto.analysis.CryptoScanner - Percentage Completed: 0.27

[main] INFO crypto.analysis.CryptoScanner - Analyzed Objects: 4 of 12
[main] INFO crypto.analysis.CryptoScanner - Percentage Completed: 0.33

[main] INFO crypto.analysis.CryptoScanner - Analyzed Objects: 5 of 13
[main] INFO crypto.analysis.CryptoScanner - Percentage Completed: 0.38

[main] INFO crypto.analysis.CryptoScanner - Analyzed Objects: 6 of 14
[main] INFO crypto.analysis.CryptoScanner - Percentage Completed: 0.43

[main] INFO crypto.analysis.CryptoScanner - Analyzed Objects: 7 of 15
[main] INFO crypto.analysis.CryptoScanner - Percentage Completed: 0.47

[main] INFO crypto.analysis.CryptoScanner - Analyzed Objects: 8 of 15
[main] INFO crypto.analysis.CryptoScanner - Percentage Completed: 0.53

[main] INFO crypto.analysis.CryptoScanner - Analyzed Objects: 9 of 15
[main] INFO crypto.analysis.CryptoScanner - Percentage Completed: 0.6

[main] INFO crypto.analysis.CryptoScanner - Analyzed Objects: 10 of 16
[main] INFO crypto.analysis.CryptoScanner - Percentage Completed: 0.63

[main] INFO crypto.analysis.CryptoScanner - Analyzed Objects: 11 of 16
[main] INFO crypto.analysis.CryptoScanner - Percentage Completed: 0.69

[main] INFO crypto.analysis.CryptoScanner - Analyzed Objects: 12 of 16
[main] INFO crypto.analysis.CryptoScanner - Percentage Completed: 0.75

[main] INFO crypto.analysis.CryptoScanner - Analyzed Objects: 13 of 16
[main] INFO crypto.analysis.CryptoScanner - Percentage Completed: 0.81

[main] INFO crypto.analysis.CryptoScanner - Analyzed Objects: 14 of 16
[main] INFO crypto.analysis.CryptoScanner - Percentage Completed: 0.88

[main] INFO crypto.analysis.CryptoScanner - Analyzed Objects: 15 of 16
[main] INFO crypto.analysis.CryptoScanner - Percentage Completed: 0.94

Ruleset: 
        java.security.KeyPair
        javax.net.ssl.SSLContext
        java.security.MessageDigest
        javax.net.ssl.CertPathTrustManagerParameters
        javax.net.ssl.KeyStoreBuilderParameters
        javax.net.ssl.SSLParameters
        javax.crypto.spec.SecretKeySpec
        java.security.spec.RSAKeyGenParameterSpec
        javax.crypto.Cipher
        javax.crypto.KeyGenerator
        javax.net.ssl.SSLEngine
        javax.crypto.CipherInputStream
        java.security.SecureRandom
        javax.crypto.SecretKeyFactory
        javax.crypto.spec.IvParameterSpec
        javax.crypto.spec.DHGenParameterSpec
        javax.xml.crypto.dsig.spec.HMACParameterSpec
        javax.crypto.spec.PBEKeySpec
        javax.crypto.CipherOutputStream
        java.security.KeyPairGenerator
        void
        javax.net.ssl.TrustManagerFactory
        java.security.Signature
        javax.net.ssl.KeyManagerFactory
        javax.crypto.Mac
        javax.crypto.spec.PBEParameterSpec
        java.security.KeyStore
        javax.crypto.spec.DHParameterSpec
        java.security.cert.PKIXParameters
        java.security.AlgorithmParameters
        java.security.spec.DSAParameterSpec
        java.security.Key
        java.security.cert.PKIXBuilderParameters
        java.security.DigestOutputStream
        java.security.spec.DSAGenParameterSpec
        java.security.DigestInputStream
        javax.crypto.SecretKey
        javax.crypto.spec.GCMParameterSpec
        java.security.cert.TrustAnchor

Analyzed Objects: 
        Object:
                Variable: $r0
                Type: javax.crypto.KeyGenerator
                Statement: $r0 = staticinvoke <javax.crypto.KeyGenerator: javax.crypto.KeyGenerator getInstance(java.lang.String)>(varReplacer6)
                Method: <example.ImpreciseValueExtractionErrorExample: java.security.Key getKey()>
                SHA-256: 2ae261b7e3daf7d645681f4061f859ef84def21819443b404582856cd64a8cfd
                Secure: true
        Object:
                Variable: r1
                Type: java.security.KeyPair
                Statement: r1 = virtualinvoke r0.<java.security.KeyPairGenerator: java.security.KeyPair generateKeyPair()>()
                Method: <example.TypestateErrorExample: java.security.PrivateKey getPrivateKey()>
                SHA-256: 3eff50218628cce8c5ccbcfe7604bf30c991e277635ed1c320ee903cb2300cae
                Secure: false
        Object:
                Variable: r0
                Type: java.security.KeyPairGenerator
                Statement: r0 = staticinvoke <java.security.KeyPairGenerator: java.security.KeyPairGenerator getInstance(java.lang.String)>(varReplacer15)
                Method: <example.IncompleOperationErrorExample: java.security.PrivateKey getPrivateKey()>
                SHA-256: f23ab62f8884a4a1b21f8e1a35bec894eda41a163578e01b4e64578e3a531db1
                Secure: false
        Object:
                Variable: r1
                Type: javax.crypto.SecretKey
                Statement: r1 = virtualinvoke r0.<javax.crypto.KeyGenerator: javax.crypto.SecretKey generateKey()>()
                Method: <example.PredicateMissingExample: void main(java.lang.String[])>
                SHA-256: 397eab2349a84b690db5490764f66088a9e26874c97c741d552f97f956c5110
                Secure: false
        Object:
                Variable: r0
                Type: javax.crypto.Cipher
                Statement: r0 = staticinvoke <javax.crypto.Cipher: javax.crypto.Cipher getInstance(java.lang.String)>(varReplacer0)
                Method: <example.ConstraintErrorExample: void main(java.lang.String[])>
                SHA-256: 7fbc589d2fe72a5e416355fef7c089dde608f49ae81f97879320f60de3fbfbfc
                Secure: false
        Object:
                Variable: r0
                Type: java.security.Signature
                Statement: r0 = staticinvoke <java.security.Signature: java.security.Signature getInstance(java.lang.String)>(varReplacer1)
                Method: <example.TypestateErrorExample: void main(java.lang.String[])>
                SHA-256: 1ab8ceb02f9709b7525154e705c1c1564c747594a09d2bf88c09c89a922f037f
                Secure: false
        Object:
                Variable: $r1
                Type: java.security.Signature
                Statement: $r1 = staticinvoke <java.security.Signature: java.security.Signature getInstance(java.lang.String)>(varReplacer13)
                Method: <example.IncompleOperationErrorExample: void doInit()>
                SHA-256: b2e41ee1de814dbc674eccaf714fdb573696d33ba4064901c4ca619e96e313e2
                Secure: false
        Object:
                Variable: r1
                Type: java.security.KeyPair
                Statement: r1 = virtualinvoke r0.<java.security.KeyPairGenerator: java.security.KeyPair generateKeyPair()>()
                Method: <example.IncompleOperationErrorExample: java.security.PrivateKey getPrivateKey()>
                SHA-256: dfc8cb2fa78f14f84cc964d295bfd495802b09297c29b7a9343dd2b86cc41855
                Secure: false
        Object:
                Variable: $r4
                Type: byte[]
                Statement: virtualinvoke r2.<javax.crypto.Cipher: byte[] doFinal(byte[])>($r4)
                Method: <example.PredicateMissingExample: void main(java.lang.String[])>
                SHA-256: 6d8bdb1ed5fe0e932ce63ac180d03203574e2130d4b340f33df31da976c2a8b5
                Secure: false
        Object:
                Variable: r0
                Type: javax.crypto.KeyGenerator
                Statement: r0 = staticinvoke <javax.crypto.KeyGenerator: javax.crypto.KeyGenerator getInstance(java.lang.String)>(varReplacer11)
                Method: <example.PredicateMissingExample: void main(java.lang.String[])>
                SHA-256: 5312a4bc4be39018c4f8e442367b267497ba0dfbdf180543949e0d1501292e55
                Secure: false
        Object:
                Variable: $r1
                Type: javax.crypto.SecretKey
                Statement: $r1 = virtualinvoke $r0.<javax.crypto.KeyGenerator: javax.crypto.SecretKey generateKey()>()
                Method: <example.ImpreciseValueExtractionErrorExample: java.security.Key getKey()>
                SHA-256: 70863954ef25bb7aeb2eae7c6fba6aadcbad416b7759e25fd331d264e7724831
                Secure: true
        Object:
                Variable: r2
                Type: javax.crypto.Cipher
                Statement: r2 = staticinvoke <javax.crypto.Cipher: javax.crypto.Cipher getInstance(java.lang.String)>(varReplacer9)
                Method: <example.PredicateMissingExample: void main(java.lang.String[])>
                SHA-256: 28278c04b7d22cc93f45a19955dac3579d77cf22159c661194ff60301a689802
                Secure: false
        Object:
                Variable: r0
                Type: java.security.Signature
                Statement: r0 = staticinvoke <java.security.Signature: java.security.Signature getInstance(java.lang.String)>(varReplacer12)
                Method: <example.IncompleOperationErrorExample: void main(java.lang.String[])>
                SHA-256: 7967e8440e44c14869a53cfa484e1163af78545a012ee7682804bd80f2ba704c
                Secure: false
        Object:
                Variable: r0
                Type: java.security.KeyPairGenerator
                Statement: r0 = staticinvoke <java.security.KeyPairGenerator: java.security.KeyPairGenerator getInstance(java.lang.String)>(varReplacer2)
                Method: <example.TypestateErrorExample: java.security.PrivateKey getPrivateKey()>
                SHA-256: 89d95edf1a1dc1f1331095160d8670b69e069153fbfbc74b5b02b8cc997e26b4
                Secure: false
        Object:
                Variable: r0
                Type: javax.crypto.Cipher
                Statement: r0 = staticinvoke <javax.crypto.Cipher: javax.crypto.Cipher getInstance(java.lang.String)>(r6)
                Method: <example.ImpreciseValueExtractionErrorExample: void main(java.lang.String[])>
                SHA-256: 140c2ded8fe9c48786d83f8be85f578db88952c246933ab7a9425d5f6f6fc669
                Secure: true
        Object:
                Variable: $r4
                Type: byte[]
                Statement: virtualinvoke r0.<javax.crypto.Cipher: byte[] doFinal(byte[])>($r4)
                Method: <example.ImpreciseValueExtractionErrorExample: void main(java.lang.String[])>
                SHA-256: 92922cfc258d5af47011499d8c10de4d30be8ec5e9b9362b71e2c6a866a22f2c
                Secure: true

Findings in Java Class: example.ConstraintErrorExample

         in Method: void main(java.lang.String[])
                ConstraintError violating CrySL rule for javax.crypto.Cipher (on Object #7fbc589d2fe72a5e416355fef7c089dde608f49ae81f97879320f60de3fbfbfc)
                        First parameter (with value "AES/ECB/PKCS5Padding") should be any of AES/{CBC, GCM, PCBC, CTR, CTS, CFB, OFB}
                        at statement: r0 = staticinvoke <javax.crypto.Cipher: javax.crypto.Cipher getInstance(java.lang.String)>(varReplacer0)

                IncompleteOperationError violating CrySL rule for javax.crypto.Cipher (on Object #7fbc589d2fe72a5e416355fef7c089dde608f49ae81f97879320f60de3fbfbfc)
                        Operation on object of type javax.crypto.Cipher object not completed. Expected call to init
                        at statement: r0 = staticinvoke <javax.crypto.Cipher: javax.crypto.Cipher getInstance(java.lang.String)>(varReplacer0)

Findings in Java Class: example.TypestateErrorExample

         in Method: void main(java.lang.String[])
                TypestateError violating CrySL rule for java.security.Signature (on Object #1ab8ceb02f9709b7525154e705c1c1564c747594a09d2bf88c09c89a922f037f)
                        Unexpected call to method sign on object of type java.security.Signature. Expect a call to one of the following methods initSign,update
                        at statement: virtualinvoke r0.<java.security.Signature: byte[] sign()>()

         in Method: java.security.PrivateKey getPrivateKey()
                ConstraintError violating CrySL rule for java.security.KeyPairGenerator (on Object #89d95edf1a1dc1f1331095160d8670b69e069153fbfbc74b5b02b8cc997e26b4)
                        First parameter (with value 1024) should be any of {4096, 3072, 2048}
                        at statement: virtualinvoke r0.<java.security.KeyPairGenerator: void initialize(int)>(varReplacer3)

Findings in Java Class: example.PredicateMissingExample

         in Method: void main(java.lang.String[])
                ConstraintError violating CrySL rule for javax.crypto.KeyGenerator (on Object #5312a4bc4be39018c4f8e442367b267497ba0dfbdf180543949e0d1501292e55)
                        First parameter (with value 46) should be any of {128, 192, 256}
                        at statement: virtualinvoke r0.<javax.crypto.KeyGenerator: void init(int)>(varReplacer8)

                RequiredPredicateError violating CrySL rule for javax.crypto.Cipher
                        Second parameter was not properly generated as generated Key
                        at statement: virtualinvoke r2.<javax.crypto.Cipher: void init(int,java.security.Key)>(varReplacer10, r1)

                ConstraintError violating CrySL rule for javax.crypto.Cipher (on Object #28278c04b7d22cc93f45a19955dac3579d77cf22159c661194ff60301a689802)
                        First parameter (with value "AES/CBC/PKCS7Padding") should be any of AES/CBC/{PKCS5Padding, ISO10126Padding}
                        at statement: r2 = staticinvoke <javax.crypto.Cipher: javax.crypto.Cipher getInstance(java.lang.String)>(varReplacer9)

Findings in Java Class: example.IncompleOperationErrorExample

         in Method: void main(java.lang.String[])
                IncompleteOperationError violating CrySL rule for java.security.Signature (on Object #7967e8440e44c14869a53cfa484e1163af78545a012ee7682804bd80f2ba704c)
                        Operation on object of type java.security.Signature object not completed. Expected call to sign
                        at statement: virtualinvoke r0.<java.security.Signature: void update(byte[])>($r4)

         in Method: java.security.PrivateKey getPrivateKey()
                ConstraintError violating CrySL rule for java.security.KeyPairGenerator (on Object #f23ab62f8884a4a1b21f8e1a35bec894eda41a163578e01b4e64578e3a531db1)
                        First parameter (with value 1024) should be any of {4096, 3072, 2048}
                        at statement: virtualinvoke r0.<java.security.KeyPairGenerator: void initialize(int)>(varReplacer14)

         in Method: void doInit()
                RequiredPredicateError violating CrySL rule for java.security.Signature
                        First parameter was not properly generated as generated Privkey
                        at statement: virtualinvoke $r2.<java.security.Signature: void initSign(java.security.PrivateKey)>($r3)

======================= CryptoAnalysis Summary ==========================
        Number of CrySL rules: 39
        Number of Objects Analyzed: 16

        CryptoAnalysis found the following violations. For details see description above.
        TypestateError: 1
        ConstraintError: 5
        RequiredPredicateError: 2
        IncompleteOperationError: 2
=====================================================================

Is there any option, to get the full log with CSV as report option?

Thank you in advance!

Projucti commented 2 years ago

The expected result log is generated using CLI HeadlessCryptoScanner of CryptoAnalysis where all the results after analysis are displayed on CLI. If --reportFormat TXT is selected, it shows the result same. 

[main] INFO crypto.HeadlessCryptoScanner - Using call graph algorithm CHA
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.google.inject.internal.cglib.core.$ReflectUtils$2 (file:/G:/fraunhofer/Newfolder/CryptoAnalysis/CryptoAnalysis-2.8.0-SNAPSHOT-jar-with-dependencies.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
WARNING: Please consider reporting this to the maintainers of com.google.inject.internal.cglib.core.$ReflectUtils$2
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
[main] WARN  pes.access.impl.DeclaredTypeFactory  - --- xtext.common.types ---------------------------------------------------
[main] WARN  pes.access.impl.DeclaredTypeFactory  - ASM library is too old. Falling back to java.lang.reflect API.
[main] WARN  pes.access.impl.DeclaredTypeFactory  - Please note that no information about compile time constants is available.
[main] WARN  pes.access.impl.DeclaredTypeFactory  - It's recommended to use org.objectweb.asm 9.0.0 or better (Maven group id: org.ow2.asm).
[main] WARN  pes.access.impl.DeclaredTypeFactory  - --------------------------------------------------------------------------
[main] INFO crypto.HeadlessCryptoScanner - Analysis soot setup done in 3.252 s
[main] INFO crypto.analysis.CryptoScanner - Searching for seeds for the analysis!
[main] INFO crypto.analysis.CryptoScanner - Discovered 1 analysis seeds within 1 seconds!
[main] INFO crypto.analysis.CryptoScanner - Analyzed Objects: 1 of 2
[main] INFO crypto.analysis.CryptoScanner - Percentage Completed: 0.5

[main] INFO crypto.reporting.TXTReporter - Text Report generated to file : G:\fraunhofer\Newfolder\CryptoAnalysis\reports\CryptoAnalysis-Report.txt
[main] INFO crypto.analysis.CryptoScanner - Static Analysis took 1 seconds!
[main] INFO crypto.HeadlessCryptoScanner - Analysis finished in 7.754 s

For --reportFormat CSV, it shows the same log. 

[main] INFO crypto.HeadlessCryptoScanner - Using call graph algorithm CHA
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.google.inject.internal.cglib.core.$ReflectUtils$2 (file:/G:/fraunhofer/Newfolder/CryptoAnalysis/CryptoAnalysis-2.8.0-SNAPSHOT-jar-with-dependencies.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
WARNING: Please consider reporting this to the maintainers of com.google.inject.internal.cglib.core.$ReflectUtils$2
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
[main] WARN  pes.access.impl.DeclaredTypeFactory  - --- xtext.common.types ---------------------------------------------------
[main] WARN  pes.access.impl.DeclaredTypeFactory  - ASM library is too old. Falling back to java.lang.reflect API.
[main] WARN  pes.access.impl.DeclaredTypeFactory  - Please note that no information about compile time constants is available.
[main] WARN  pes.access.impl.DeclaredTypeFactory  - It's recommended to use org.objectweb.asm 9.0.0 or better (Maven group id: org.ow2.asm).
[main] WARN  pes.access.impl.DeclaredTypeFactory  - --------------------------------------------------------------------------
[main] INFO crypto.HeadlessCryptoScanner - Analysis soot setup done in 2.631 s
[main] INFO crypto.analysis.CryptoScanner - Searching for seeds for the analysis!
[main] INFO crypto.analysis.CryptoScanner - Discovered 1 analysis seeds within 1 seconds!
[main] INFO crypto.analysis.CryptoScanner - Analyzed Objects: 1 of 2
[main] INFO crypto.analysis.CryptoScanner - Percentage Completed: 0.5

[main] INFO crypto.reporting.CSVReporter - CSV Report generated to file : G:\fraunhofer\Newfolder\CryptoAnalysis\reports\CryptoAnalysis-Report.csv
[main] INFO crypto.analysis.CryptoScanner - Static Analysis took 1 seconds!
[main] INFO crypto.HeadlessCryptoScanner - Analysis finished in 7.241 s

Please use a CSV Viewer to read the results of CSV file.

Maximilianhummel commented 2 years ago

We could also reproduce this behavior with the built version 2.8. What we would like to have is the output in CSV format in a file, as well as the output under the reporttype txt as a log on stdout. Because the txt output provides even more information, in which classes e.g. constraint errors were found.

So would it be possible to save the output in a csv file and output the txt out in parallel on the console? Or do I have to call the tool twice on the same file to get the desired information?

krinara86 commented 2 years ago

So the issue is not related to how the logs compare to each other but the information that is populated into the csv file and txt files generated. The csv file contains the number of reported errors, whereas the txt contains where these issues are. And txt files are not machine-readable. So ideally, all of this information should be dumped into the csv. Without this being possible, CogniCrypt cannot be integrated into any automated pipeline. Reopening this issue.