...

The CLI commands are written in .NET Core and are available for Windows, Linux and macOS. They can be called from .bat and .sh scripts as well as from CI/CD pipelines.

...

The Command Line Interface is provided through a few basic commands:

SRCheck

Launches a Local Scan. It provides the following arguments:

...

-P, --port Override the Team Reviewer port, usually set with the SRsetCNF command (see below)

-K, --apikey Override the API Key, usually set with the SRsetCNF command (see below)

-U, --proxyuser Override the Proxy User

...

-proxy=PROXYIP -proxyport=PROXYTCPPORT -user=USERNAME -pwd=PASSWORD

SRsetOPT

Sets the Analysis and Language Options before scanning, for example the location of the Java JDK, the COBOL copybooks folder or the Ruby executable. Please note that each argument requires “=”. It provides the following arguments:

-p -Path="MyPath"

Generic

 -RootSource -RootSource="MyRootSource"  Default Source code folder

 -LineBefore Default="5"  

 -LineAfter Default="4"

-l=LANGUAGE -p=PATH

Where:

LANGUAGE can be java, cobol or ruby

PATH

For Java, PATH is the folder containing the java executable, for example “C:\Program Files\Java\jdk-11.0.11\bin” or “/usr/bin/”. For Ruby it is the Ruby installation path, for example “C:\ruby193” (not needed under Linux).

For COBOL it is the copybook folder, for example “D:\_COPY” or ”/home/user1/src/copybooks”.

 -WarningTimeOut Default="120"

 -MaxVulnerabilitiesLineCode Default="3"

 -MaxVulnerabilityIssues Default="1500"

 -TrustedApplication Default="false"

 -ConsoleApplication Default="true"

 -DBQueries Default="true"

 -Environmentvariables Default="false"

 -Socket Default="false"

 -Servlet Default="false"

 -PlainTextFilesStreams Default="false"

 -InternetApplication Default="false"

 -NoDeadPartialClasses Default="false"

 -ApplyExclusionsList Default="true"

JAVA

 -FolderJava -FolderJava="MyFolderJava"

 Folder where the java executable is located

RUBY

 -FolderRuby Default="MyFolderRuby"

COBOL

 -TargetCOBOL Default="0"

----->  0-IBM z/OS Enterprise COBOL

----->  1-IBM ILE COBOL (iSeries)

----->  2-Visual COBOL (Microfocus)

----->  3-NetCOBOL (Fujitsu/GTSoftware)

----->  4-GnuCOBOL (formerly openCOBOL)

----->  5-MCP (Unisys)

----->  6-Teradata IMS COBOL

----->  7-COBOL-IT

----->  8-RainCode COBOL

----->  9-Elastic COBOL

-----> 10-Veryant isCOBOL Evolve

 -StatementsLength Default="0"

-----> 0-88

-----> 1-132

-----> 2-Free Format

 -UntrustedWorkingStorage Default="false"

 -AllowCICS Default="false"

 -CopyBookFolder -CopyBookFolder="MyCopyBookFolder"

Centralized folder in which the copybook files are located

C/C++

 -Standard Default="0"

 -TargetPlattform Default="0"

-----> 0-Generic

-----> 1-Embedded

-----> 2-Unix/Linux 32

-----> 3-Unix/Linux 64

-----> 4-Win32A (ASCII)

-----> 5-Win32W (UNICODE)

-----> 6-Win64

TargetPlattform: Generic -> Standard

----->  0-Generic

----->  1-posix

----->  2-c89

----->  3-c99

----->  4-c11

----->  5-c17

----->  6-c++03

----->  7-c++11

----->  8-c++14

----->  9-c++17

-----> 10-c++20

TargetPlattform: Embedded -> Standard

----->  1-ARM RealView

----->  2-ARC MQX Synopsys

----->  3-Atmel AVR Studio

----->  4-Atollic True Studio

----->  5-Avocet ProTools

----->  6-Batronix uC51

----->  7-BiPOM Electronics

----->  8-Byte Craft eTPU C

----->  9-CCS PIC/dsPIC/DSC

-----> 10-Ceibo-8051C++

-----> 11-CodeWarrior

-----> 12-Cosmic Software

-----> 13-Crossware

-----> 14-ELLCC C/C++

-----> 15-GCC C/C++

-----> 16-Green Hills Multi

-----> 17-HighTec C/C++

-----> 18-IAR C/C++

-----> 19-INRIA CompCert

-----> 20-Intel C/C++

-----> 21-Introl C Compiler

-----> 22-Keil ARM C/C++

-----> 23-Mentor Graphics CodeSourcery

-----> 24-Microchip MPLAB

-----> 25-MikroC Pro

-----> 26-NXP

-----> 27-Renesas HEW

-----> 28-SDCC

-----> 29-Softools Z/Rabbit

-----> 30-Tasking ESD

-----> 31-Texas Instruments CodeComposer

-----> 32-Z World Dynamic C 32

-----> 33-WDC 8/16-bit

-----> 34-Wind River C/C++

TargetPlattform: Unix/Linux 32 or Unix/Linux 64 -> Standard

----->   0-GCC v12.x

----->   1-GCC v11.x

----->   2-GCC v10.x

----->   3-GCC v9.x

----->   4-GCC v8.x

----->   5-GCC v7.x

----->   6-GCC v6.x

----->   7-GCC v5.4

----->   8-GCC v5.0

----->   9-GCC v4.9.x

----->  10-GCC v4.8.3

----->  11-GCC v4.8

----->  12-GCC v4.7.4

----->  13-GCC v4.4

----->  14-GCC v3.0-4.7

----->  15-GCC v2.2

----->  16-IBM XL C/C++ 17.x

----->  17-IBM XL C/C++ 16.1

----->  18-IBM XL C/C++ 12.1-13.1.3

----->  19-IBM AIX XL C/C++ 7.0-11.1

----->  20-IBM AIX XL C/C++ 13.1

----->  21-IBM AIX XL C/C++ 12.1

----->  22-HP C/aC++ v5

----->  23-HP C/aC++ v6

----->  24-Sun Pro C/C++ 5.1-5.5 (Sun Workshop 6/Sun ONE/Forte Developer)

----->  25-Sun Pro C/C++ 5.5-5.8 (Sun Studio)

----->  26-Sun Pro C/C++ 5.9-5.13 (Oracle Solaris Studio)

----->  27-LLVM Clang 10.x-14.x

----->  28-LLVM Clang 9.x

----->  29-LLVM Clang 8.x

----->  30-LLVM Clang 7.0.x

----->  31-LLVM Clang 4.0.0-6.0.1

----->  32-LLVM Clang 3.4.2

----->  33-LLVM Clang 3.x

----->  34-LLVM Clang 2.9

TargetPlattform: Win32A (ASCII) or Win32W (UNICODE) or Win64 -> Standard

----->   0-Visual Studio 6.0

----->   1-Visual Studio 2003

----->   2-Visual Studio 2005

----->   3-Visual Studio 2008

----->   4-Visual Studio 2010

----->   5-Visual Studio 2012

----->   6-Visual Studio 2013

----->   7-Visual Studio 2015

----->   8-Visual Studio 2017

----->   9-Visual Studio 2019

----->  10-Visual Studio 2022

----->  11-Embarcadero C++ Builder (Borland and RAD Studio)

 -MISRA Default="false"

 -CERT Default="false"

 -tenant Tenant: Default="Tenant"

 -h View this Usage

Remote Scan

The scan is invoked by a client (for example Jenkins, GitLab, etc.), but the analysis is executed remotely on Static Reviewer. The TRScan CLI must be installed on the client side.

TRScan

-a, --application APPLICATION is the name of the App you want to scan. If it contains spaces or “-”, it must be double quoted

-v, --version VERSION is the version of the App. If it contains spaces or “-”, it must be double quoted

-z, --spath FOLDERTOSCAN is the pathname of the source code folder to scan. If it contains spaces or “-”, it must be double quoted

-m, --mobile Specify in case of Mobile App only

-t, --truri Team Reviewer url

-p, --port Team Reviewer TCP Port

-k, --apikey Team Reviewer API Key

-r, --ruleset RULESET (Mandatory) CWE selects the CWE Security Ruleset, OWASP selects the OWASP one

-u, --proxyuser

-w, --proxypasswd

-y, --proxyport

-i, --proxyuri

-c, --components pathname of an XML file describing components. See the related chapter below. If the path contains spaces or “-”, it must be double quoted

-s, --secfp pathname of the Security False Positives CSV file, to be imported from a previous scan. If the path contains spaces or “-”, it must be double quoted

-d, --deadfp pathname of the Dead Code-Best Practices False Positives CSV file, to be imported from a previous scan. If the path contains spaces or “-”, it must be double quoted

-e, --exclusion pathname of the TXT file containing the exclusion list. For the file format see the related chapter below. If the path contains spaces or “-”, it must be double quoted


-f CUSTOMSEC pathname of a Custom Security Ruleset .rls file

-q CUSTOMDEAD pathname of a Custom Dead Code-Best Practices Ruleset .rls file

-l, --srresults path on which analysis results will be stored

-h, --results path on which analysis reports will be stored

-j, --logs path on which analysis logs will be stored

-n, --skippdf to skip the report creation

-o, --onlysec to run Security analysis only, excluding Deadcode and Quality analysis

-x, --noexclusion Do not apply exclusions

-b, --verbose Verbose mode

-g, --debug Debug mode

 

Example:

TRScan -a "MYAPP" -v "$(date +"%Y%m%d-%H%M")" -z "SRC/MYAPP" -t https://teamreviewer.local -p 443 -k 4a5ecc953710dc021cf0dee5b80af1d35cc2d60c -r OWASP -u johndoe -w secret -y 3128 -i http://proxy.local -b -o
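The example above passes the API Key (-k) and the proxy password (-w) on the command line, so both are visible to anyone who can list processes on the client and end up in the job log whenever the CI shell echoes commands (set -x, or a pipeline "verbose" mode). The wrapper below is an added example for CI use; it is not part of the Security Reviewer documentation or product. It assumes that the CI runner injects the key and the proxy password as the environment variables TR_APIKEY and TR_PROXY_PASSWD (names chosen for this example) and that TRScan is on PATH. It rejects a missing key or an invalid -r value before anything is sent to the server, prints a masked copy of the command for the log, then runs TRScan with tracing switched off and returns its exit status to the pipeline.

```bash
#!/bin/sh
# Added example, not Security Reviewer's own code: a CI wrapper around TRScan.
# Assumptions (this example's choices): TR_APIKEY and TR_PROXY_PASSWD are supplied
# by the CI runner's secret store, and TRScan is on PATH.
set -u

# -r is mandatory and accepts only CWE or OWASP; fail fast instead of letting the
# remote scan reject the job.
tr_check_ruleset() {
  case "$1" in
    CWE|OWASP) return 0 ;;
    *) printf 'invalid ruleset %s: use CWE or OWASP\n' "$1" >&2; return 1 ;;
  esac
}

# Quoting rule from the option list: a value containing a space or "-" must be
# double quoted when written on a command line.
tr_quote() {
  case "$1" in
    *' '*|*-*) printf '"%s"' "$1" ;;
    *)         printf '%s' "$1" ;;
  esac
}

# Validate the inputs and print the command as it may appear in a job log: the
# API key and the proxy password are masked.
# usage: render_trscan_cmd APP VERSION SRC_DIR RULESET TR_URI TR_PORT [PROXY_USER PROXY_PORT PROXY_URI]
render_trscan_cmd() {
  [ -n "${TR_APIKEY:-}" ] || { echo 'TR_APIKEY is not set' >&2; return 1; }
  tr_check_ruleset "$4" || return 1
  cmd="TRScan -a $(tr_quote "$1") -v $(tr_quote "$2") -z $(tr_quote "$3") -t $5 -p $6 -k **** -r $4 -o"
  if [ -n "${7:-}" ]; then
    cmd="$cmd -u $7 -w **** -y $8 -i $9"
  fi
  printf '%s\n' "$cmd"
}

# Log the masked command, then run the real one. xtrace is turned off so the key
# never reaches an "sh -x" job log; the shell hands each value to TRScan as one
# argv entry, so no manual quoting is needed here. TRScan's exit status is
# returned unchanged so the pipeline step fails when the scan fails.
run_trscan() {
  render_trscan_cmd "$@" || return 1
  { set +x; } 2>/dev/null
  if [ -n "${7:-}" ]; then
    TRScan -a "$1" -v "$2" -z "$3" -t "$5" -p "$6" -k "$TR_APIKEY" -r "$4" -o \
           -u "$7" -w "${TR_PROXY_PASSWD:-}" -y "$8" -i "$9"
  else
    TRScan -a "$1" -v "$2" -z "$3" -t "$5" -p "$6" -k "$TR_APIKEY" -r "$4" -o
  fi
}

# Typical call from a pipeline step (the version tag follows the example above):
# run_trscan "MYAPP" "$(date +"%Y%m%d-%H%M")" "SRC/MYAPP" OWASP https://teamreviewer.local 443 johndoe 3128 http://proxy.local
```

Keep the key out of the repository and out of pipeline YAML; most CI systems mark injected secrets so they are masked in logs, but that masking does not cover a process listing on the build agent, which is why the wrapper runs on a shared agent only when that agent is trusted for the key.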

Software Composition Analysis

...

Team Reviewer is our default Dashboard. Every feature of the Web GUI, including Admin tasks, can also be invoked through the REST API. Team Reviewer provides a Java tool for calling the REST API from the command line.

...

COPYRIGHT (C) 2014-2022 SECURITY REVIEWER SRL. ALL RIGHTS RESERVED.