Original: https://stackoverflow.com/questions/50123510
First, you can check the exit code of sourceanalyzer for both the translate and scan phases; if it's non-zero, something went wrong. To specifically check for issues in the translation, run:
sourceanalyzer -b <your_build_id> -show-build-warnings
You'll have to parse the output to filter out what you consider to be noise and return non-zero to fail the build. If there were no warnings or errors, there won't be any output from that.
In the scan:
FPRUtility -information -errors -project <your_FPR>.fpr
Again, you'll have to parse out what's of interest. If there weren't any errors or warnings stored in the FPR, you'll just get:
No warnings occurred during analysis
Lastly, if you want to look for specific types of vulnerabilities that were found, you can use:
FPRUtility -information -search -query "<search string>"
Where <search string> is a filter you can use in Audit Workbench, e.g. to find SQL injection vulnerabilities, you could specify -query "category: sql injection", and the output would be something like:
72 issues of 1512 matched search query.
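The answer leaves the parsing of the three tool outputs to the reader. The script below is an added example (not code from the answer or from Fortify) that turns each output into an exit code a CI job can fail on: it filters sourceanalyzer build warnings against a noise pattern, accepts an FPR only when FPRUtility -errors printed nothing but the "No warnings occurred during analysis" line, and reads the N from "N issues of M matched search query" so a query such as "category: sql injection" can be held to a budget. Assumptions: sourceanalyzer and FPRUtility are on PATH, their output wording matches what the answer quotes, the -project flag is also accepted by the -search call (the answer only shows it on the -errors call), and NOISE_PATTERN is a hypothetical placeholder to be replaced with the warnings your own build legitimately produces. The sample strings in the comments are constructed.

```shell
#!/bin/sh
# Fortify build gate (added example, not part of the Stack Overflow answer).
# Turns the text output of sourceanalyzer -show-build-warnings, FPRUtility -errors
# and FPRUtility -search into pass/fail exit codes for a CI pipeline.
#
# NOISE_PATTERN is a hypothetical placeholder: an extended regex for warning
# lines you have reviewed and decided to ignore, e.g. a known missing jar.
NOISE_PATTERN='^\[warning\]: Unable to locate'

# Print only the build-warning lines that are not matched by NOISE_PATTERN.
# $1 is the captured output of: sourceanalyzer -b <build_id> -show-build-warnings
filter_build_warnings() {
  printf '%s\n' "$1" | grep -v -E "$NOISE_PATTERN" | grep -v '^[[:space:]]*$' || true
}

# Return 0 when no non-noise warnings remain (the tool prints nothing when the
# translation was clean), 1 when at least one real warning survives the filter.
check_build_warnings() {
  [ -z "$(filter_build_warnings "$1")" ]
}

# Return 0 when FPRUtility -errors reported nothing beyond the literal
# "No warnings occurred during analysis" line (or no output at all); 1 otherwise.
check_fpr_errors() {
  remaining=$(printf '%s\n' "$1" | grep -v -F 'No warnings occurred during analysis' \
    | grep -v '^[[:space:]]*$' || true)
  [ -z "$remaining" ]
}

# Extract N from a line like "72 issues of 1512 matched search query."
# Prints "unparsed" when the line is absent, so a changed output format is
# reported instead of being silently read as zero findings.
matched_issue_count() {
  n=$(printf '%s\n' "$1" \
    | sed -n 's/^\([0-9][0-9]*\) issues of [0-9][0-9]* matched search query.*/\1/p' \
    | head -n 1)
  printf '%s\n' "${n:-unparsed}"
}

# Return 0 when the matched count is a number not exceeding the budget in $2,
# 1 when it exceeds the budget or could not be parsed.
check_issue_budget() {
  count=$(matched_issue_count "$1")
  case "$count" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$count" -le "$2" ]
}

# Run all three checks against live tool output. Usage:
#   fortify_gate <build_id> <path/to/scan.fpr> "category: sql injection" 0
# Exit status is non-zero as soon as a tool fails or a check does not pass.
fortify_gate() {
  build_id=$1; fpr=$2; query=$3; budget=$4
  warnings=$(sourceanalyzer -b "$build_id" -show-build-warnings) || return 1
  check_build_warnings "$warnings" || {
    echo "translation warnings (after noise filter):"; filter_build_warnings "$warnings"; return 1; }
  errors=$(FPRUtility -information -errors -project "$fpr") || return 1
  check_fpr_errors "$errors" || { echo "analysis errors:"; printf '%s\n' "$errors"; return 1; }
  # -project on the search call is assumed from the -errors call in the answer.
  result=$(FPRUtility -information -search -query "$query" -project "$fpr") || return 1
  check_issue_budget "$result" "$budget" || { echo "query '$query' over budget: $result"; return 1; }
}
```

Calling fortify_gate with a budget of 0 for a category fails the build on the first matching issue; a larger budget lets an existing backlog through while blocking growth. Keep NOISE_PATTERN narrow and under review: every line it suppresses is a translation problem that will otherwise reduce scan coverage without anyone noticing.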