# Convert-to-SARIF Mode

## Overview

* Converts an existing SAST report to SARIF format.
* Its main use is to trim a large SAST report (e.g. a Fortify FPR) that contains results for multiple repositories down to a smaller SARIF report focused on a single repository.
* Uses the `--code-path-patterns` parameter to filter the report and perform the split.

### Convert-to-SARIF Mode - Usage

To check what options are available under the convert-to-sarif mode, run:

```
npx mobbdev@latest convert-to-sarif --help
```

Here is the help output:

```bash
npx mobbdev@latest convert-to-sarif --help
cli.mjs convert-to-sarif

Convert an existing SAST report to SARIF format.

Options:
  --input-file-path     Original SAST report file path                                               [string] [required]
  --input-file-format   SAST report file type                                         [required] [choices: "FortifyFPR"]
  --output-file-path    Output SARIF report file path                                                [string] [required]
  --code-path-patterns  Glob-like patterns. Any code node with this pattern makes the issue be included.         [array]
  --help                Show help                                                                              [boolean]

Examples:
  npx mobbdev@latest convert-to-sarif --input-file-path         convert an existing SAST report to SARIF format
  /path/to/vuln-report.fpr --input-file-format FortifyFPR
  --output-file-path /path/to/vuln-report.sarif
  --code-path-patterns **/*.ts --code-path-patterns **/*.js
```

## Example

To convert a pre-generated SAST report to SARIF, run the `convert-to-sarif` command. Example:

```bash
# Quote the glob patterns so the shell passes them through unexpanded.
npx mobbdev@latest convert-to-sarif \
  --input-file-path /path/to/vuln-report.fpr \
  --input-file-format FortifyFPR \
  --output-file-path /path/to/vuln-report.sarif \
  --code-path-patterns "**/*.ts" \
  --code-path-patterns "**/*.js"
```

## Use case - Chaining with Analyze Mode

The idea is to chain this command with `npx mobbdev@latest analyze` to perform the fix analysis on the target repository. For example:

```bash
# Step 1: split the multi-repository Fortify report down to projectABC.
npx mobbdev@latest convert-to-sarif \
  --input-file-path fortify.fpr \
  --input-file-format FortifyFPR \
  --output-file-path projectABC-report.sarif \
  --code-path-patterns "projectABC/**"

# Step 2: run the fix analysis on the trimmed report.
npx mobbdev@latest analyze \
  --scan-file projectABC-report.sarif \
  --repo https://github.com/mobb-dev/projectABC
```
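
A scope check that can run between the two commands above, as an added example (not part of the Mobb CLI or its documentation): it lists results in a converted SARIF report whose locations and code-flow steps all fall outside the expected patterns. The glob translation, the function names and the sample report are assumptions constructed for illustration; only standard SARIF 2.1.0 fields are read.

```javascript
// Added example. Assumption: "**" spans directories and "*" stays inside one path
// segment; this approximates the CLI's "glob-like" patterns, it is not its matcher.
function globToRegExp(glob) {
  const pattern = glob
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*\*\//g, "\u0000")          // "**/" placeholder
    .replace(/\*\*/g, "\u0001")            // "**" placeholder
    .replace(/\*/g, "[^/]*")               // "*" never crosses "/"
    .replace(/\u0000/g, "(?:.*/)?")
    .replace(/\u0001/g, ".*");
  return new RegExp(`^${pattern}$`);
}

// Every file URI a result touches: primary locations plus code-flow steps.
function resultUris(result) {
  const uris = new Set();
  const add = (loc) => {
    const uri = loc?.physicalLocation?.artifactLocation?.uri;
    if (uri) uris.add(uri);
  };
  (result.locations ?? []).forEach(add);
  for (const flow of result.codeFlows ?? [])
    for (const thread of flow.threadFlows ?? [])
      for (const step of thread.locations ?? []) add(step.location);
  return [...uris];
}

// Results with no URI matching any pattern do not belong in a report split for this repo.
function findOutOfScope(sarif, patterns) {
  const matchers = patterns.map(globToRegExp);
  return (sarif.runs ?? []).flatMap((run) => run.results ?? [])
    .map((r) => ({ ruleId: r.ruleId, uris: resultUris(r) }))
    .filter((r) => !r.uris.some((u) => matchers.some((m) => m.test(u))));
}

// Constructed sample report (hypothetical rule ids and paths).
const loc = (uri) => ({ physicalLocation: { artifactLocation: { uri } } });
const sampleSarif = { version: "2.1.0", runs: [{ results: [
  { ruleId: "SQLI", locations: [loc("projectABC/src/db.ts")] },
  { ruleId: "XSS", locations: [loc("shared/render.js")], codeFlows: [{ threadFlows: [
    { locations: [{ location: loc("projectABC/web/view.ts") }] }] }] },
  { ruleId: "PATH", locations: [loc("projectXYZ/io/Files.java")] },
] }] };

// For a real file: JSON.parse(fs.readFileSync("projectABC-report.sarif", "utf8")).
console.log(findOutOfScope(sampleSarif, ["projectABC/**"]));
```

The constructed `XSS` result stays in scope because one code-flow step is under `projectABC/`, mirroring the "any code node" wording in the help text; an empty list means every result touches the target repository.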
