Generating a Polaris SAST Report

Introduction

This guide walks you through using the Black Duck Bridge CLI to run a Polaris SAST scan and export the results as a .sarif.json file that can be submitted to Mobb.

Pre-Requisites

A Polaris account with an active access token. See Generating a Polaris Access Token for instructions.
Access to a terminal (Linux, macOS, or Windows).
For Java projects that require compilation: the appropriate JDK and Maven or Gradle installed.

Step 1 — Download the Bridge CLI

Visit the download index to find the right binary for your operating system:

https://repo.blackduck.com/bds-integrations-release/com/blackduck/integration/bridge/binaries/bridge-cli-bundle/latest/

Linux example

wget https://repo.blackduck.com/bds-integrations-release/com/blackduck/integration/bridge/binaries/bridge-cli-bundle/latest/bridge-cli-bundle-linux64.zip

unzip bridge-cli-bundle-linux64.zip

Add the binary to your PATH so it is accessible from anywhere:

echo 'export PATH="$HOME/bridge-cli-bundle-linux64:$PATH"' >> ~/.bashrc
source ~/.bashrc

# Verify the installation
bridge-cli

Step 2 — Set your Polaris Access Token

export BRIDGE_POLARIS_ACCESSTOKEN=YOUR_TOKEN_HERE

Step 3 — Run the Scan

The key parameter to enable SARIF output is polaris.reports.sarif.create=true.

Example: Project with no compilation required (e.g. JavaScript/TypeScript)

git clone https://github.com/juice-shop/juice-shop
cd juice-shop

bridge-cli --stage polaris --diagnostics \
  polaris.project.name="juice-shop" \
  polaris.branch.name="master" \
  polaris.application.name="YOUR_APPLICATION_NAME" \
  polaris.assessment.types=SAST \
  polaris.reports.sarif.create=true \
  polaris.serverurl="https://polaris.blackduck.com"

Example: Java project requiring compilation with Maven

Ensure you are using the correct JDK version required by your project before running the scan.

java --version   # verify the correct JDK is active
mvn --version    # verify Maven is installed

git clone https://github.com/webgoat/webgoat
cd webgoat

bridge-cli --stage polaris --diagnostics \
  polaris.project.name="webgoat" \
  polaris.branch.name="main" \
  polaris.application.name="YOUR_APPLICATION_NAME" \
  polaris.assessment.types=SAST \
  polaris.reports.sarif.create=true \
  coverity.build.command="mvn install -DskipTests" \
  coverity.clean.command="mvn clean" \
  polaris.serverurl="https://polaris.blackduck.com"

Example: Java project requiring compilation with Gradle

java --version   # verify the correct JDK is active

git clone https://github.com/alkacon/opencms-core
cd opencms-core

bridge-cli --stage polaris \
  polaris.project.name="opencms-core" \
  polaris.branch.name="main" \
  polaris.application.name="YOUR_APPLICATION_NAME" \
  polaris.assessment.types=SAST \
  polaris.reports.sarif.create=true \
  coverity.build.command="./gradlew build -x test" \
  coverity.clean.command="./gradlew clean" \
  polaris.serverurl="https://polaris.blackduck.com"

Step 4 — Locate the SARIF Report

Once the scan completes, the .sarif.json report will be written inside your project directory under:

.bridge/Polaris SARIF Generator/report.sarif.json

For example, if you scanned webgoat:

webgoat/.bridge/Polaris SARIF Generator/report.sarif.json

This is the file you will upload to Mobb. See Polaris Integration with Mobb for next steps.

PreviousPolaris NextCI/CD Integrations

Last updated 16 days ago

hashtagIntroduction

hashtagPre-Requisites

hashtagStep 1 — Download the Bridge CLI

hashtagLinux example

hashtagStep 2 — Set your Polaris Access Token

hashtagStep 3 — Run the Scan

hashtagExample: Project with no compilation required (e.g. JavaScript/TypeScript)

hashtagExample: Java project requiring compilation with Maven

hashtagExample: Java project requiring compilation with Gradle

hashtagStep 4 — Locate the SARIF Report