
chore: `sc-sast scan start --sargs` scaRuntimeArguments support added

Open gendry-gh opened this issue 2 years ago • 5 comments

#198 #449

The added fcli --sargs --sca-args option allows specifying scan args along with other arguments such as -filter (see accepted arguments).

As for --targs, with current fcli support, there is no need for it. Currently, we can only start a sast scan using package or mbs. These two options do not support/require translation arguments (targs are passed to the scancentral package cmd, and mbs are already translated).

gendry-gh avatar Dec 08 '23 13:12 gendry-gh

We'd need to double-check exact SC SAST behavior with regards to interaction between -sargs and the -filter, -rules and --project-template options on the scancentral start command. These dedicated options are used to include a local filter file, rules file or project template into the scan payload; not sure what happens if you specify something like -sargs -filter myfilter.txt without specifying the -filter option (would that expect the specified file to be available on the sensor?), or if for example -filter myfilter.txt automatically adds the corresponding scan argument.

rsenden avatar Dec 14 '23 17:12 rsenden

The documentation lists the supported options: [image]

And yes, for custom rules and filter files, they have to be available on the sensors. For the custom rules, we can upload them in SSC, and have the sensor pull the rules from SSC

gendry-gh avatar Dec 14 '23 17:12 gendry-gh

I just checked, for -filters filter.txt scancentral client adds the filter.txt in the zip payload: [image]

And it does so for both cmds:

  • scancentral start [...] -filters filter.txt
  • scancentral start [...] -sargs "-filters filter.txt"

As FCLI doesn't package right now, do we want to do the same? Or (for now) let the user insert the required filters/custom rules files in the zip, along with the right -sargs?

gendry-gh avatar Dec 14 '23 18:12 gendry-gh

ScanCentral expects the package.zip file inside another zip file (which is created by fcli on the fly); I guess these extra filter/template/rule files go into the outer zip file, not the zip-file created by scancentral package command.

rsenden avatar Dec 14 '23 20:12 rsenden

Indeed.

What about adding an --include-file rule.xml option to insert a file in the outer zip?

We could also do it automatically like scancentral does, and have the 3 options --filters --rules --sargs.

gendry-gh avatar Dec 15 '23 13:12 gendry-gh

Superseded by #627, which adds support for including local files in scan payload.

rsenden avatar Oct 25 '24 10:10 rsenden