Convert-to-SARIF Mode

Overview

  • Convert an existing SAST report to SARIF format

  • Main usage is to help trim down a large SAST report (i.e. Fortify FPR) that contains the result of multiple repositories to a smaller SARIF report that is focused on a single repository.

  • Uses --code-path-patterns parameter to filter and perform the splitting of the report

Convert-to-SARIF Mode - Usage

To check what options are available under the convert-to-sarif mode, run:

npx mobbdev@latest convert-to-sarif --help

Here is the output of the help file:

npx mobbdev@latest convert-to-sarif --help
cli.mjs convert-to-sarif

Convert an existing SAST report to SARIF format.

Options:
  --input-file-path     Original SAST report file path                                               [string] [required]
  --input-file-format   SAST report file type                                         [required] [choices: "FortifyFPR"]
  --output-file-path    Output SARIF report file path                                                [string] [required]
  --code-path-patterns  Glob-like patterns. Any code node with this pattern makes the issue be included.         [array]
  --help                Show help                                                                              [boolean]

Examples:
  npx mobbdev@latest convert-to-sarif --input-file-path         convert an existing SAST report to SARIF format
  /path/to/vuln-report.fpr --input-file-format FortifyFPR
  --output-file-path /path/to/vuln-report.sarif
  --code-path-patterns **/*.ts --code-path-patterns **/*.js

Example

To get fixes for a pre-generated SAST report, run the Bugsy Analyze command. Example:

npx mobbdev@latest convert-to-sarif \
  --input-file-path /path/to/vuln-report.fpr \
  --input-file-format FortifyFPR \
  --output-file-path /path/to/vuln-report.sarif \
  --code-path-patterns **/*.ts \
  --code-path-patterns **/*.js

Use case - Chaining with Analyze Mode

The idea is to chain this command together with npx mobbdev@latest analyze to perform the fix analysis on the target repository. I.e.

npx mobbdev@latest convert-to-sarif \
  --input-file-path fortify.fpr \
  --input-file-format FortifyFPR \
  --output-file-path projectABC-report.sarif \
  --code-path-patterns "projectABC/**"
  
npx mobbdev analyze \
--scan-file projectABC-report.sarif \
--repo https://github.com/mobb-dev/projectABC  

Last updated

Was this helpful?