Convert-to-SARIF Mode
Overview
Convert an existing SAST report to SARIF format
Its main use is to trim a large SAST report (i.e. a Fortify FPR, currently the only supported input format) that contains results for multiple repositories down to a smaller SARIF report focused on a single repository.
The --code-path-patterns parameter selects which issues are kept and so performs the split: an issue is included when any of its code nodes (its locations or data-flow steps) matches one of the patterns.
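The following is an added example, not code from the mobbdev CLI, showing the filtering semantics described above on a SARIF document: a result survives when any of its code nodes (primary locations or code-flow steps) matches at least one glob-like pattern. The glob dialect is an assumption (`**` spans directories, `*` and `?` stay within one path segment), and the SARIF input is constructed for the demonstration.

```javascript
// Added example (not part of the mobbdev CLI). Filters a SARIF log down to the
// results whose code paths match a glob-like pattern, mirroring what
// --code-path-patterns does to a multi-repository report.
// Assumed glob dialect: "**" spans directories, "*" and "?" do not cross "/".
function globToRegExp(pattern) {
  let re = '';
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '*') {
      if (pattern[i + 1] === '*') {
        // "**/" matches zero or more directory segments; a bare "**" matches anything
        if (pattern[i + 2] === '/') { re += '(?:.*/)?'; i += 2; }
        else { re += '.*'; i += 1; }
      } else {
        re += '[^/]*';
      }
    } else if (ch === '?') {
      re += '[^/]';
    } else {
      re += ch.replace(/[.+^${}()|[\]\\]/g, '\\$&'); // escape regex metacharacters
    }
  }
  return new RegExp('^' + re + '$');
}

// Collect every artifact URI a result references: its primary locations plus
// every step of every code flow (the "code nodes" of a data-flow finding).
function codePathsOf(result) {
  const uris = [];
  const push = (loc) => {
    const uri = loc && loc.physicalLocation && loc.physicalLocation.artifactLocation
      && loc.physicalLocation.artifactLocation.uri;
    if (uri) uris.push(uri);
  };
  (result.locations || []).forEach(push);
  for (const flow of result.codeFlows || []) {
    for (const tf of flow.threadFlows || []) {
      for (const step of tf.locations || []) push(step.location);
    }
  }
  return uris;
}

// Keep a result if ANY of its code paths matches ANY pattern.
function filterSarif(sarif, patterns) {
  const regexps = patterns.map(globToRegExp);
  const matches = (uri) => regexps.some((re) => re.test(uri));
  return {
    ...sarif,
    runs: sarif.runs.map((run) => ({
      ...run,
      results: (run.results || []).filter((r) => codePathsOf(r).some(matches)),
    })),
  };
}

// Constructed sample SARIF (not real scanner output): one finding in projectABC,
// one in projectXYZ, and a data-flow finding whose sink lives in projectABC.
const SAMPLE_SARIF = {
  version: '2.1.0',
  runs: [{
    tool: { driver: { name: 'constructed-sast' } },
    results: [
      { ruleId: 'sqli', locations: [{ physicalLocation: { artifactLocation: { uri: 'projectABC/src/db.ts' } } }] },
      { ruleId: 'xss', locations: [{ physicalLocation: { artifactLocation: { uri: 'projectXYZ/web/view.js' } } }] },
      { ruleId: 'path-traversal',
        locations: [{ physicalLocation: { artifactLocation: { uri: 'shared/util/fs.js' } } }],
        codeFlows: [{ threadFlows: [{ locations: [
          { location: { physicalLocation: { artifactLocation: { uri: 'shared/util/fs.js' } } } },
          { location: { physicalLocation: { artifactLocation: { uri: 'projectABC/src/upload.ts' } } } },
        ] }] }] },
    ],
  }],
};

// Returns the rule ids that survive a "projectABC/**" split of the sample.
function demo() {
  const out = filterSarif(SAMPLE_SARIF, ['projectABC/**']);
  return out.runs[0].results.map((r) => r.ruleId);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo()); // [ 'sqli', 'path-traversal' ]
}
```

Note that the path-traversal finding is kept even though its primary location is outside projectABC, because one step of its code flow is inside it; this is the "any code node" rule, and it is why a split report for one repository can still reference files from shared code.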
Convert-to-SARIF Mode - Usage
To check what options are available under the convert-to-sarif mode, run:
npx mobbdev@latest convert-to-sarif --help
Here is the output of the help file:
npx mobbdev@latest convert-to-sarif --help

cli.mjs convert-to-sarif

Convert an existing SAST report to SARIF format.

Options:
  --input-file-path     Original SAST report file path   [string] [required]
  --input-file-format   SAST report file type   [required] [choices: "FortifyFPR"]
  --output-file-path    Output SARIF report file path   [string] [required]
  --code-path-patterns  Glob-like patterns. Any code node with this pattern makes the issue be included.   [array]
  --help                Show help   [boolean]

Examples:
  npx mobbdev@latest convert-to-sarif --input-file-path    convert an existing SAST report to SARIF format
  /path/to/vuln-report.fpr --input-file-format FortifyFPR
  --output-file-path /path/to/vuln-report.sarif
  --code-path-patterns **/*.ts --code-path-patterns **/*.js
Example
To convert a pre-generated Fortify FPR report to SARIF, keeping only the issues whose code paths match the TypeScript or JavaScript patterns, run (the patterns are quoted so the shell does not expand them before the CLI sees them):
npx mobbdev@latest convert-to-sarif \
  --input-file-path /path/to/vuln-report.fpr \
  --input-file-format FortifyFPR \
  --output-file-path /path/to/vuln-report.sarif \
  --code-path-patterns "**/*.ts" \
  --code-path-patterns "**/*.js"
Use case - Chaining with Analyze Mode
The idea is to chain this command with npx mobbdev@latest analyze so that the fix analysis runs only on the target repository: first split the multi-repository FPR down to the repository's own issues, then feed the resulting SARIF file to the analyze mode. For example:
npx mobbdev@latest convert-to-sarif \
  --input-file-path fortify.fpr \
  --input-file-format FortifyFPR \
  --output-file-path projectABC-report.sarif \
  --code-path-patterns "projectABC/**"
npx mobbdev analyze \
  --scan-file projectABC-report.sarif \
  --repo https://github.com/mobb-dev/projectABC