fortify / fcli

fcli is a command-line utility for interacting with various Fortify products
https://fortify.github.io/fcli/

chore: `sc-sast scan start --sargs` scaRuntimeArguments support added #487

Open gendry-gh opened 7 months ago

gendry-gh commented 7 months ago


The added fcli --sargs / --sca-args option allows specifying scan args along with other arguments such as -filter (see accepted arguments).

As for --targs, with current fcli support there is no need for it. Currently, we can only start a sast scan using package or mbs. These two options do not support/require translation arguments (targs are passed to the scancentral package cmd, and mbs are already translated).

rsenden commented 6 months ago

We'd need to double-check exact SC SAST behavior with regards to interaction between -sargs and the -filter, -rules and --project-template options on the scancentral start command. These dedicated options are used to include a local filter file, rules file or project template into the scan payload; not sure what happens if you specify something like -sargs -filter myfilter.txt without specifying the -filter option (would that expect the specified file to be available on the sensor?), or if for example -filter myfilter.txt automatically adds the corresponding scan argument.

gendry-gh commented 6 months ago

The documentation lists the supported options.

And yes, for custom rules and filter files, they have to be available on the sensors. For the custom rules, we can upload them in SSC, and have the sensor pull the rules from SSC.

gendry-gh commented 6 months ago

I just checked: for -filters filter.txt the scancentral client adds filter.txt to the zip payload.

And it does so for both cmds.

As FCLI doesn't package right now, do we want to do the same? Or (for now) let the user insert the required filter/custom rules files in the zip, along with the right -sargs?

rsenden commented 6 months ago

ScanCentral expects the package.zip file inside another zip file (which is created by fcli on the fly); I guess these extra filter/template/rule files go into the outer zip file, not the zip file created by the scancentral package command.

gendry-gh commented 6 months ago

Indeed.

What about adding an --include-file rule.xml option to insert a file in the outer zip?

We could also do it automatically like scancentral does, and have the 3 options --filters, --rules and --sargs.
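The thread raises a practical question: if a user passes -filter or -rules through --sargs, the referenced file has to be present in the payload (or on the sensor), otherwise the scan will fail or silently run without it. The following is an added illustration, not fcli's or ScanCentral's own code: it builds the outer zip that wraps package.zip (file layout at the zip root is an assumption made here), and checks that every file referenced by a -filter or -rules scan argument is actually included. The package.zip content is constructed for the example.

```python
# Added example (not fcli's code): wrap package.zip and extra files into the
# outer zip that ScanCentral expects, then verify that every file named by a
# -filter / -rules scan argument is present in that outer zip.
# Assumption for illustration: extra files sit at the root of the outer zip.
import io
import shlex
import zipfile

# Scan-argument options that name a file which must travel with the payload.
FILE_OPTIONS = {"-filter", "-rules"}


def referenced_files(sargs: str) -> list[str]:
    """Return the file names that -filter/-rules options in `sargs` refer to."""
    tokens = shlex.split(sargs)
    files = []
    for i, tok in enumerate(tokens):
        if tok in FILE_OPTIONS and i + 1 < len(tokens):
            files.append(tokens[i + 1])
    return files


def build_package_zip() -> bytes:
    """Constructed stand-in for the zip produced by `scancentral package`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("src/Main.java", "class Main {}")
    return buf.getvalue()


def build_outer_zip(package_zip: bytes, extra_files: dict[str, bytes]) -> bytes:
    """Wrap package.zip plus any filter/rules files into the outer payload zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("package.zip", package_zip)
        for name, data in extra_files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def missing_files(outer_zip: bytes, sargs: str) -> list[str]:
    """List files referenced by `sargs` that are absent from the outer zip."""
    with zipfile.ZipFile(io.BytesIO(outer_zip)) as zf:
        present = set(zf.namelist())
    return [name for name in referenced_files(sargs) if name not in present]


if __name__ == "__main__":
    pkg = build_package_zip()
    outer = build_outer_zip(pkg, {"myfilter.txt": b"# constructed filter file\n"})
    for sargs in ("-filter myfilter.txt", "-filter myfilter.txt -rules custom.xml"):
        gap = missing_files(outer, sargs)
        print(f"{sargs!r}: {'ok' if not gap else 'missing ' + ', '.join(gap)}")
```

Rejecting a scan request client-side when `missing_files` is non-empty turns the "would the sensor expect the file?" uncertainty discussed above into an explicit error before anything is uploaded.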