Starting an Scan from CLI

To see help, run java -jar clt.jar -help. This option requires Java 11 or later preinstalled. To start a scan from CLI, execute:

java -jar clt.jar -rest [rest URL] -token [token] sastStart [options]

• -rest (API address)
• -token (API authorization token, which you can obtain from the User Profile section of the user interface (see Account))

Options:

Mandatory arguments:

• -type (possible values: FILE, LINK)
• -path (used if type=FILE: path to file or directory for analysis)
• -link (used if type=LINK: App Store/Google Play URL, or repository URL)

Specify a path to the repository with project source code (Git and Subversion are supported). The machine on which DerScanner is installed must have access to the specified repository. Via the link, it should be possible to download code from the repository using the git clone or svn export command. Example links.

• https://gitlab.example.com/myproject.git (Git)
• ssh://gitlab.example.com/myproject (Git)
• https://svn.example.com/mysvnproject/trunk/ (Subversion)
• svn://svn.example.com/mysvnproject/branches/my-branch (Subversion)
• svn+ssh://svn.example.com/mysvnproject/ (Subversion)

To upload code from a private repository, specify your username and password. For more information about analysis settings see Settings.

Optional arguments:

• -preprocessing run scans with or without preprocessing. Enabled by default.

• -disableSsl

• -name (project name)

• -languages (code languages):

  ABAP, APEX, CCPP, COBOL, CS, DART, DELPHI, GO, GROOVY, HTML5, JAVA, JAVASCRIPT, LOTUSSCRIPT, OBJC, PASCAL, PHP, PLSQL, PYTHON, PERL, RUBY, RUST, SOLIDITY, SWIFT, TSQL,TYPESCRIPT, VBSCRIPT, VB, VBA, VBNET, VYPER, 1C or any set of these languages separated by a comma without spaces, for example: JAVA,CS,VB

  Default: all languages

• -analysisOptionsJava analysis option for Java projects:

  SOURCE_NO_BUILD, PREBUILD, SOURCE_WITH_BUILD, SOURCE_OWN_BUILD.

• -dastProjectId DAST project ID for results correlation.

• -osEnvironment OS environment for C/C++ projects build:

  MAC - MacOS, LINUX - Linux, WIN - Windows.

• -intermodular use intermodular analysis for C/C++ projects.

• -javaCustomBuildCommand build parameters for Java.

• -priority priority of scan execution.

• -sendReportAutoscan send report via email if scan was triggered by autoscan.

• -sendReportManual send report via email if scan was triggered manually.

• -sendReportRecipients send report via email to recipients. Specify list of emails separated by commas.

• -sendReportTemplate use specific template when sending report via email. Specify UUID of report template.

• -sendReportToAdmins send report via email to administrators.

• -vcs.branch repository branch if other than master (when analyzing an app by repository link)

• -vcs.account repository UUID.

• -vcs.login (VCS login)

• -vcs.password (VCS password)

• -vcs.token repository authentication token.

• -vcs.tokenId authentication token UUID.

• -vcs.sshKey path to the SSH key.

• -vcs.sshKeyId SSH key UUID.

• -vcs.sshDefault use the default SSH client configuration. Specify SSH client configuration if false.

• -vcs.saveCredentials (Whether to save credentials for further scans)

• -fileSelector (folders, packages and/or files to include/exclude, separated by a semicolon)

• -iconPath (path to project icon)

• -ruleSet (rule set's UUID, separated by a comma)

• -sourceEncoding (encoding of source code)

• -nameEncoding (encoding of filenames)

• -useUserPatterns use custom patterns

• -analyzelibs (specifies whether libraries and nested archives must be analyzed or not)

• -isVisualStudio (Visual Studio project)

• -saveFile (fully save the uploaded file)

• -incremental (for incremental analysis, default: false)

• -uuid (project UUID in which scan will start)

You can obtain project UUID in the interface project side menu. To copy the project UUID to the buffer, click on the icon.

Example:

java -jar clt.jar -rest http://<installation_address>/app/api/v1
-token jfghkdjghfkdjgfdkg sastStart -type LINK -link

https://play.google.com/store/apps/details?id=com.redphx.deviceid

To check the scan status, execute the command:

java -jar clt.jar -rest [rest URL] -token [token] sastStatus [options]

• -rest (API address)
• -token (API authorization token, which you can obtain from the User Profile section of the user interface (see Account))

Options:

• -scanid (scan UUID)

You can obtain scan UUID in the scan information. To copy the scan UUID to the buffer, click on the icon.

Example:

java -jar clt.jar -cmd sastStatus -rest http://<installation_address>/app/api/v1
-token kijlkjlkjlkjlkjlkjgkuyhgkuyiuygtiuygiuyg
-scanid b001eab1-ba6c-4b05-9066-e84d594210e2

To check the score, execute the command:

java -jar clt.jar -rest [rest URL] -token [token] sastScore [options]

• -rest (API address)
• -token (API authorization token, which you can obtain from the User Profile section of the user interface (see Account))

Options:

• -scanid (scan UUID)

You can obtain scan UUID in the scan information. To copy the scan UUID to the buffer, click on the icon.

Example:

java -jar clt.jar -rest http://<installation_address>/app/api/v1 -token
kijlkjlkjlkjlkjlkjgkuy sastScore -scanid b001eab1-ba6c-4b05-9066-e84d594210e2

To export a PDF report, execute the command:

java -jar clt.jar -rest [rest URL] -token [token] sastExport [options]

To export a CSV report, execute the command:

java -jar clt.jar -rest [rest URL] -token [token] sastExport [options]
'-general.format' CSV

• -rest (API address)
• -token (API authorization token, which you can obtain from the User Profile section of the user interface (see Account))

Options:

Arguments are included in the report if they will take true. Other arguments will take false if not specified.

Mandatory arguments:

• -path (path to the directory where the report should be placed)
• -project (project's identifier to export)

You can obtain project UUID in the interface project side menu. To copy project UUID, click on the icon.

Optional arguments:

• -scans (identifiers of scans which should be included in report. Scans identifiers should be separated with comma)
• -filter.classFiles (include issues from .class files or not (included by default))
• -filter.critical (include critical issues or not (included by default))
• -filter.info (include info issues or not (included by default))
• -filter.low (include low level issues or not)
• -filter.medium (include medium level issues or not (included by default))
• -filter.tasks (include issues with task manager task or not (included by default))
• -filter.waf (include issues without WAF Configuration Guide or not (included by default))
• -confiAi.included apply ConfiAI filter or not. When included in the report, you need to specify:
  • -confiAi.critical (confidence for critical vulnerabilities (default: 0))
  • -confiAi.medium (confidence for medium vulnerabilities (default: 0))
  • -confiAi.low (confidence for low vulnerabilities (default: 0))
  • -confiAi.info (confidence for info vulnerabilities (default: 0))
• -general.contents (include contents or not (included by default))
• -general.correlationTags include correlation tags (included by default).
• -general.included (include report settings or not (included by default))
• -general.logo use custom logo. Specify path to the logo.
• -general.statuses vulnerability statuses.
• -languages (include languages. Languages should be separated by a comma, without spaces. Possible values: ABAP, APEX, CS, CCPP, COBOL, CONFIG, DART, DELPHI, GO, GROOVY, HTML5, JAVA, JAVASCRIPT, KOTLIN, LOTUSSCRIPT, OBJC, PASCAL, PHP, PLSQL, PYTHON, PERL, RUBY, RUST, SCALA, SOLIDITY, SWIFT, TSQL, TYPESCRIPT, VBNET, VBA, VBSCRIPT, VB, VYPER, 1C ONES.)
• -projectInfo.scanHistory (number of scans for which history will be included, default: 0):
  • -1 — don't include scans history at all
  • 0 — include all scans history
  • >0 — specified amount of scans in history
• -projectInfo.securityDynamic (include security level dynamics or not (default: true))
• -projectInfo.vulnerabilityDynamic (include security level dynamics or not (default: true))
• -results.included the detailed results section included or not (included by default). When included in the report, you need to specify:
• -results.action include vulnerability actions (included by default).
• -results.comment (include comment or not (included by default))
• -results.entryNum (number of vulnerability entries, default: 0):
  • -1 — don't include entries at all
  • 0 — include all entries
  • >0 — specified amount of entries
• -results.statuses include issues with statuses. Specify statuses as list.
• -results.sourceCodeNum (number of source code context, default: 7):
  • -1 — don't include context at all
  • all — include entire vulnerable source code file
  • >=0 — specified amount of lines of source code
• -results.taskInfo (include JIRA info or not (included by default))
• -results.traceNum (trace elements, default: 1):
  • -1 — don't include elements at all
  • 0 — include all elements
  • 1 — include first and last elements
• -scanInfo.included settings included or not (included by default). When included in the report, you need to specify:
  • -scanInfo.errorInfo (include scan error information or not (included by default))
  • -scanInfo.fileStat include file statisctics.
  • -scanInfo.foundChart (include found vulnerabilities chart or not (included by default))
  • -scanInfo.langStat (include statistics on languages or not (included by default))
  • -scanInfo.settings (include scan settings or not (included by default))
  • -scanInfo.typeChart (include vulnerability type chart or not (included by default))
• -sort (classification method. Possible values: CR, OWASP_13, OWASP_14, OWASP_16, OWASP_17, OWASP_21, ASVS L1, ASVS L2, ASVS L3, MASVS_L1, MASVS_L2, MASVS_L1_R, MASVS_L2_R, PCI_DSS, HIPAA, CWE_SANS_11, CWE_SANS_21, CWE_SANS_23 (CR by default))
• -table.included vulnerability list included or not (included by default). When included in the report, you need to specify:
  • -table.entryNum (number of vulnerability entries, default: 0):
    • -1 — don't include entries at all
    • 0 — include all entries
    • >0 — specified amount of entries
  • -table.statuses include issues with statuses. Specify statuses as list.
• -waf.included the WAF section included or not (included by default). When included in the report, you need to specify:
  • -waf.confirmed (include confirmed issues or not (included by default))
  • -waf.f5 (include F5 recommendations (included by default))
  • -waf.imperva (include Imperva SecureSphere recommendations (included by default))
  • -waf.mod (include ModSecurity recommendations (included by default))
  • -waf.notProcessed (include notProcessed issues or not (included by default))
  • -waf.rejected (include rejected issues or not)
• -comparison.included comparison settings included or not. When included in the report, you need to specify:
  • -comparison.ScanId (scan ID (required))
  • -comparison.fixed (include fixed issues or not)
  • -comparison.newIssue (include new issues or not (included by default))
  • -comparison.saved (include saved issues or not (included by default))
  • -comparison.entryNum (number of vulnerability entries, default: 0):
    • -1 — don't include entries at all
    • 0 — include all entries
    • >0 — specified amount of entries
  • -comparison.scanSettings (include scan settings (included by default))

Example:

java -jar clt.jar -rest http://<installation_address>/app/api/v1
-token kljkjljlkjljklkjk sastExport -scanid ec59395b-4372-47b1-95a2-4d48b044ff0b
-path C:\test -default

Please notice:

The Scan Information section will not be included into the report, unless you specify the scan UUID value (argument -scans). You can obtain scan UUID in the scan information. To copy the scan UUID to the buffer, click on the icon.

The functionality described above is also available via REST API.