diff --git a/docs/DebuggingGuide.md b/docs/DebuggingGuide.md index e45beb4f..79c122f9 100644 --- a/docs/DebuggingGuide.md +++ b/docs/DebuggingGuide.md @@ -48,10 +48,10 @@ Additional setup guidance can be found in the [Contributing.md](https://github.c 3. Create a response file (e.g., in a file named `d:\testFiles\SpamArguments.rsp`) that contains the following analysis arguments (it is fine for a response file to break its arguments across multiple lines, just as they are here). Note that in this example `d:\src\sarif-pattern-matcher\` refers to the root of the `sarif-pattern-enlistment`. Also note that the .rsp file should NOT be in a directory that contians '/n', '/t', or '/r' (a newline, tab, or carriage return character). This will cause incorrect behavior when parsing the path name and won't allow launching of the debugging session. The output location referenced here directs SARIF log file output to a special directory that the VS SARIF viewer extension watches. VS will automatically load and display any SARIF results written to this special location (i.e., a directory named `\.sarif\` that exists alongside the current VS solution file). ~~~ - --search-definitions "..\..\Security\netstandard2.1\SEC101.SecurePlaintextSecrets.json" - --output d:\src\sarif-pattern-matcher\src\.sarif\out.sarif - --force --pretty-print d:\testFiles\repro.txt + --plugin "..\..\Security\netstandard2.1\SEC101.SecurePlaintextSecrets.json" + --output d:\src\sarif-pattern-matcher\src\.sarif\out.sarif + --log ForceOverwrite --level Error;Warning;Note --dynamic-validation ~~~ diff --git a/docs/UsingClientTool.md b/docs/UsingClientTool.md index 5e1036a0..5d713f5b 100644 --- a/docs/UsingClientTool.md +++ b/docs/UsingClientTool.md 
@@ -53,33 +53,33 @@ If you see that structure, copy the dll files from the `lib` folder to the `cont The following command will analyze a folder using one json file, filtering some results and outputting to a file: ```bash -spam analyze c:\path-to-analyze\ --recurse --output c:\analysis.sarif --force --level "Error;Warning" --kind "Fail" --search-definitions PATH\SEC101.SecurePlaintextSecrets.json +spam analyze c:\path-to-analyze\ --recurse --output c:\analysis.sarif --log ForceOverwrite --level "Error;Warning" --kind "Fail" --plugin PATH\SEC101.SecurePlaintextSecrets.json ``` - `analyze` the path `c:\path-to-analyze\` in recursive mode, which means that it will fetch all files and folders. - `--output` the result of the analysis in the `c:"\analysis.sarif`. -- `--force` replace the file if exists. +- `--log ForceOverwrite` replace the file if exists. - `--level` filter the results using `resultLevel` with `Error` or `Warning`. - `--kind` filter the results using `resultKind` with `Fail`. -- `--search-definitions` will use the following rules to analyze. +- `--plugin` will use the following rules to analyze. The following command will analyze a folder using two json files, filtering some results, file size and path based on a regex. 
Also, it will execute the dynamic validation: ```bash -spam analyze c:\path-to-analyze\ --recurse --deny-regex "\\\.git\\\\" --output c:\temp\spam.sarif --force --level "Error;Note" --kind "Fail" --file-size 2048 --dynamic-validation --threads 8 --insert "RegionSnippets;ContextRegionSnippets" --search-definitions PATH\SEC101.SecurePlaintextSecrets.json;PATH\SEC101.SomeRule.json +spam analyze c:\path-to-analyze\ --recurse --deny-regex "\\\.git\\\\" --output c:\temp\spam.sarif --log ForceOverwrite --level "Error;Note" --kind "Fail" --file-size 2048 --dynamic-validation --threads 8 --insert "RegionSnippets;ContextRegionSnippets" --plugin PATH\SEC101.SecurePlaintextSecrets.json;PATH\SEC101.SomeRule.json ``` - `analyze` the path `c:\path-to-analyze\` in recursive mode, which means that it will fetch all files and folders. - `--deny-regex` filter out files that matches the regex. - `--output` the result of the analysis in the `c:"\analysis.sarif`. -- `--force` replace the file if exists. +- `--log ForceOverwrite` replace the file if exists. - `--level` filter the results using `resultLevel` with `Error` or `Note`. - `--kind` filter the results using `resultKind` with `Fail`. - `--max-file-size X` filters out files with size larger that X KB. The default value is 1024 KB. - `--dynamic-validation` if a result is found, it will trigger a second step to validate dynamically the result (if the rule implements it). - `--threads X` it will create X threads to parallelize the work. The default value is `Environment.ProcessorCount`. - `--insert` if supplied, it will add more information to the output SARIF file. -- `--search-definitions` will use the following rules to analyze. +- `--plugin` will use the following rules to analyze. Obs.: - `--level` can be `Error`, `Warning`, `Note`, or `None`. The full definition can be found in the [SARIF specification](https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html#_Toc34317648). 
@@ -90,7 +90,7 @@ Obs.: The following command will analyze a database using one json file, filtering some results and outputting to a file: ```bash -spam analyze-database c:\temp\ --connection "Some connection string" --data-type SqlLite --target "SELECT * FROM some_database" --identity Id --output c:\analysis.sarif --force --level "Error;Warning" --kind "Fail" --search-definitions PATH\SEC101.SecurePlaintextSecrets.json +spam analyze-database c:\temp\ --connection "Some connection string" --data-type SqlLite --target "SELECT * FROM some_database" --identity Id --output c:\analysis.sarif --log ForceOverwrite --level "Error;Warning" --kind "Fail" --plugin PATH\SEC101.SecurePlaintextSecrets.json ``` - `analyze-database` the database from the target. @@ -99,10 +99,10 @@ spam analyze-database c:\temp\ --connection "Some connection string" --data-type - `--target` the query that will return rows to be analyze. - `--identity` the identity column. - `--output` the result of the analysis in the `c:"\analysis.sarif`. -- `--force` replace the file if exists. +- `--log ForceOverwrite` replace the file if exists. - `--level` filter the results using `resultLevel` with `Error` or `Warning`. - `--kind` filter the results using `resultKind` with `Fail`. -- `--search-definitions` will use the following rules to analyze. +- `--plugin` will use the following rules to analyze. Obs.: the first argument is a path that won't be used.
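Review bot: in the docs/DebuggingGuide.md hunk the `-` lines remove the analysis target `d:\testFiles\repro.txt` (with `--pretty-print`) together with `--force`, but none of the `+` lines restores the target, so a debugging session launched with this .rsp has no input to scan; add the target back as its own line, e.g. `d:\testFiles\repro.txt`, or say in the surrounding text where the target is supplied. The `+` lines also add `--dynamic-validation` to the debug session, which docs/UsingClientTool.md in this same patch describes as a second validation step beyond the static match, so the DebuggingGuide prose should mention that the session now performs that extra step. In the untouched context of the same hunk, "contians" is misspelled and the characters listed as '/n', '/t', or '/r' are escape sequences that are written with backslashes (`\n`, `\t`, `\r`).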
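Review bot: in the docs/UsingClientTool.md `@@ -53,33 +53,33 @@` hunk the second command still passes `--file-size 2048` while its bullet documents `--max-file-size X`; one of the two is wrong and this rename pass should align them with whatever the tool accepts. The renamed `+` command line also passes `--plugin PATH\SEC101.SecurePlaintextSecrets.json;PATH\SEC101.SomeRule.json` unquoted inside a `bash` fence, where an unquoted `;` terminates the command; quote the list the way `--level "Error;Note"` already is on the same line. Both bullet lists in this hunk point `--output` at `c:"\analysis.sarif` (stray quote, and the second command actually writes `c:\temp\spam.sarif`), and the new `--log ForceOverwrite` bullet reads "replace the file if exists", better as "replaces the output file if it already exists".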
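Review bot: in the `@@ -90,7 +90,7 @@` hunk the `+` command keeps `--data-type SqlLite`; confirm this spelling against the values the tool actually accepts, since the product is normally written SQLite and a copy-pasted example that the parser rejects is worse than none. The example also places `--connection "Some connection string"` inline on the command line; a sentence next to it noting that real connection strings usually carry credentials and are retained in shell history would be a useful addition while this section is being edited. The context line "the query that will return rows to be analyze" should read "analyzed".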
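Review bot: in the `@@ -99,10 +99,10 @@` hunk the renamed `+` bullet still says `--plugin` "will use the following rules to analyze", which does not tell the reader what the argument is; reword to something like "path to the JSON file containing the rule definitions to analyze with (separate several files with `;`)", matching the `;`-separated list used earlier in this patch. Likewise the `+` bullet for `--log ForceOverwrite` should make clear that `ForceOverwrite` is a value of the `--log` option rather than a flag of its own, and list the other accepted values if there are any, since none are documented anywhere in this patch. The closing "Obs.: the first argument is a path that won't be used." deserves a reason (or the positional argument should be dropped from the example), as it reads like a known wart rather than guidance.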