Command Line Interface (CLI)

https://securityreviewer.atlassian.net/wiki/spaces/KC/pages/196633, Software Composition Analysis, Firmware Reviewer and https://securityreviewer.atlassian.net/wiki/spaces/KC/pages/360493 provide a Command Line Interface (CLI) for easy integration with supported and unsupported CI/CD platforms.

Static Reviewer

Using the Static Reviewer Command Line Interface, you can:

  • Include Security Reviewer in your Secure Development Life Cycle (SDLC)

  • Perform a pre-build automated Static Analysis

  • Execute a Multiple Static Analysis (Multi-Analysis) of different types on different applications

While an analysis of an application runs from the Command Line Interface, you can simultaneously do other tasks in the Security Reviewer graphical interface or the Jenkins plugin.

CLI commands are written in .NET Core and are available for Windows, Linux and macOS. They can be included in .bat and .sh scripts as well as in CI/CD pipelines.

Using the Command Line Interface, you can:

  • Include Static Reviewer in your DevOps

  • Set Team Reviewer’s connection

  • Set Language Options via CLI

  • Execute a Multiple Static Analysis (Multi-Analysis) of different types on different applications, written in different languages

The Command Line Interface is provided through a few basic commands:

SRCheck

Launches a Local Scan. It accepts the following arguments:

Mandatory Arguments

-a APPLICATION -v VERSION -p FOLDERTOSCAN -r RULESET

Where:

APPLICATION is the name of the App you want to scan. If it contains spaces or “-“, it must be double quoted

VERSION is the version of the App. If it contains spaces or “-“, it must be double quoted

FOLDERTOSCAN is the pathname of the source code folder to scan. If it contains spaces or “-“, it must be double quoted

RULESET can be CWE, OWASP or OWASP2021

Additional Arguments

-c COMPONENTS -s FPS -d FPD -e EXCLUSIONS -w ALM -m -x -n -o -f CUSTOMSEC -q CUSTOMDEAD

Where:

-m, --mobile in case of Mobile App

-x, --noexclusion do Not Apply Exclusions

-n, --skippdf to skip PDF reports creation

-o, --onlysec Security Analysis only

-f, --customsec Custom Security Ruleset

-q, --customdead Custom Dead Code-Best Practices Ruleset

COMPONENTS pathname of the Components XML file. If the path contains spaces or “-“, it must be double quoted. See related section above.

FPS pathname of the Security False Positives CSV file, to be imported from a previous scan. If the path contains spaces or “-“, it must be double quoted

FPD pathname of the Dead Code-Best Practices False Positives CSV file, to be imported from a previous scan. If the path contains spaces or “-“, it must be double quoted

EXCLUSIONS pathname of the Exclusion txt file, to be imported from a previous scan. If the path contains spaces or “-“, it must be double quoted. See related section above.

ALM pathname of the Components XML file. If the path contains spaces or “-“, it must be double quoted. See related section above.

CUSTOMSEC pathname of the custom ruleset (.rls) for Security Analysis

CUSTOMDEAD pathname of the custom ruleset (.rls) for Dead Code-Best Practices Analysis

Informational Arguments

--help Display the Usage screen

--version Display version information

-l, --silent Silent Mode

-g, --debug Debug Mode

Team Reviewer Arguments

If you have purchased Team Reviewer, some additional arguments are available to SRCheck:

-t, --tenant Tenant name (Default: USER, in case of mono-tenant)

-u, --update Update Results on Team Reviewer

-b, --pType Product Type (only with -u; if omitted, defaults to User Group)

-T, --truri Override Team Reviewer URL usually set with SRsetCNF command (see below)

-P, --port Override Team Reviewer Port usually set with SRsetCNF command

-K, --apikey Override API Key usually set with SRsetCNF command

-U, --proxyuser Override Proxy User

-W, --proxypasswd Override Proxy Password

-I, --proxyuri Override Proxy URL

-X, --proxyport Override Proxy Port

 

SRsetCNF

Sets the Team Reviewer Connection Configuration. Note that each argument requires “=” between its name and its value.

Mandatory Arguments

SRsetCNF -url=TEAMREVIEWERURL -tcpport=TEAMREVIEWERPORT -api=APIKEY

Where:

-url Team Reviewer URL

-tcpport Team Reviewer TCP Port

-api Your personal API Key to connect to Team Reviewer

Additional Arguments

In case you have a multi-tenant Team Reviewer configuration:

-tenant Team Reviewer tenant name

-add Add a Team Reviewer tenant by name to your client configuration

-delete Remove a Team Reviewer tenant by name from your client configuration

In case you are connected to Team Reviewer through a Proxy, the following optional arguments are available:

-proxy=PROXYIP -proxyport=PROXYTCPPORT -user=USERNAME -pwd=PASSWORD
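
The script below is an added example, not part of the Security Reviewer documentation or tooling. It ties the SRCheck and SRsetCNF commands described above into a single CI step: it validates the mandatory SRCheck arguments, applies the double-quoting rule for values that contain spaces or “-“, configures the Team Reviewer connection with SRsetCNF (each argument with “=”), and then runs the local scan with -u so the results are uploaded. Assumptions not stated on the page: SRsetCNF and SRCheck are on PATH, and the CI job exposes the connection data as the environment variables TR_URL, TR_PORT and TR_API_KEY (names chosen here); SR_DRY_RUN is a switch introduced by this script.

```shell
#!/bin/sh
# Added example, not part of the Security Reviewer documentation: a CI step that
# sets the Team Reviewer connection with SRsetCNF and then runs a local SRCheck
# scan, uploading its results with -u. Assumptions not stated on the page:
# SRsetCNF and SRCheck are on PATH, and the CI job exposes the connection data
# as the environment variables TR_URL, TR_PORT and TR_API_KEY (names chosen
# here). With SR_DRY_RUN=1 the step only prints what it would run.

# Double-quote a value that contains a space or "-", as the argument rules require.
sr_quote() {
    case "$1" in
        *' '*|*-*) printf '"%s"' "$1" ;;
        *)         printf '%s' "$1" ;;
    esac
}

# Accept only the rulesets documented for -r RULESET.
sr_valid_ruleset() {
    case "$1" in
        CWE|OWASP|OWASP2021) return 0 ;;
        *)                   return 1 ;;
    esac
}

# Validate the mandatory SRCheck arguments ($1 app, $2 version, $3 folder, $4 ruleset).
sr_check_args() {
    if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ] || [ -z "$4" ]; then
        echo "SRCheck needs -a, -v, -p and -r" >&2
        return 1
    fi
    if ! sr_valid_ruleset "$4"; then
        echo "RULESET must be CWE, OWASP or OWASP2021, got '$4'" >&2
        return 1
    fi
    if [ ! -d "$3" ]; then
        echo "folder to scan '$3' does not exist" >&2
        return 1
    fi
}

# The SRCheck command line as it should appear in a .sh or pipeline script,
# with the quoting rule applied to every value. Pass "upload" as $5 to add -u.
sr_scan_cmdline() {
    sr_check_args "$1" "$2" "$3" "$4" || return 1
    line="SRCheck -a $(sr_quote "$1") -v $(sr_quote "$2") -p $(sr_quote "$3") -r $4"
    if [ "${5:-local}" = upload ]; then
        line="$line -u"
    fi
    printf '%s\n' "$line"
}

# Run the step. The binaries receive each value as a single argument, which is
# what the double quotes achieve on an interactive command line; no eval is
# used, so an application name cannot inject shell syntax into the pipeline.
sr_scan_step() {
    sr_check_args "$1" "$2" "$3" "$4" || return 1
    if [ -z "$TR_URL" ] || [ -z "$TR_PORT" ] || [ -z "$TR_API_KEY" ]; then
        echo "TR_URL, TR_PORT and TR_API_KEY must be set" >&2
        return 1
    fi
    if [ "${SR_DRY_RUN:-0}" = 1 ]; then
        # Never echo the key itself, even in a dry run.
        printf 'SRsetCNF -url=%s -tcpport=%s -api=<redacted>\n' "$TR_URL" "$TR_PORT"
        sr_scan_cmdline "$1" "$2" "$3" "$4" upload
        return 0
    fi
    # Each SRsetCNF argument needs "=".
    SRsetCNF "-url=$TR_URL" "-tcpport=$TR_PORT" "-api=$TR_API_KEY" || return 1
    SRCheck -a "$1" -v "$2" -p "$3" -r "$4" -u
}

# Example invocation (constructed values), stamping the version from the build
# date as the page's TRScan example does:
# TR_URL=https://teamreviewer.local TR_PORT=443 TR_API_KEY=... \
#   sr_scan_step "My App" "$(date +%Y%m%d-%H%M)" ./src OWASP2021
```

Two points for pipeline use: keep the API key in the CI secret store and pass it through the environment rather than writing it into the script, and run the SRsetCNF step without `set -x` tracing, since a traced shell would otherwise print the key into the job log. Values are passed to the binaries as separate arguments instead of through `eval`, so the quoting rule matters only for the printed command line, not for correctness of the call.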

SRsetOPT

Sets the Analysis and Language Options before scanning. It accepts the following arguments:

-p -Path="MyPath"

Generic

 -RootSource -RootSource="MyRootSource"  Default Source code folder

 -LineBefore Default="5"  

 -LineAfter Default="4"

 -WarningTimeOut Default="120"

 -MaxVulnerabilitiesLineCode Default="3"

 -MaxVulnerabilityIssues Default="1500"

 -TrustedApplication Default="false"

 -ConsoleApplication Default="true"

 -DBQueries Default="true"

 -Environmentvariables Default="false"

 -Socket Default="false"

 -Servlet Default="false"

 -PlainTextFilesStreams Default="false"

 -InternetApplication Default="false"

 -NoDeadPartialClasses Default="false"

 -ApplyExclusionsList Default="true"

JAVA

 -FolderJava -FolderJava="MyFolderJava"

 Folder where the java executable is located

RUBY

 -FolderRuby Default="MyFolderRuby"

COBOL

 -TargetCOBOL Default="0"

----->  0-IBM z/OS Enterprise COBOL

----->  1-IBM ILE COBOL (iSeries)

----->  2-Visual COBOL (Microfocus)

----->  3-NetCOBOL (Fujitsu/GTSoftware)

----->  4-GnuCOBOL (formerly openCOBOL)

----->  5-MCP (Unisys)

----->  6-Teradata IMS COBOL

----->  7-COBOL-IT

----->  8-RainCode COBOL

----->  9-Elastic COBOL

-----> 10-Veryant isCOBOL Evolve

 -StatementsLength Default="0"

-----> 0-88

-----> 1-132

-----> 2-Free Format

 -UntrustedWorkingStorage Default="false"

 -AllowCICS Default="false"

 -CopyBookFolder -CopyBookFolder="MyCopyBookFolder"

Centralized folder in which the copybook files are located

C/C++

 -Standard Default="0"

 -TargetPlattform Default="0"

-----> 0-Generic

-----> 1-Embedded

-----> 2-Unix/Linux 32

-----> 3-Unix/Linux 64

-----> 4-Win32A (ASCII)

-----> 5-Win32W (UNICODE)

-----> 6-Win64

TargetPlattform: Generic -> Standard

----->  0-Generic

----->  1-posix

----->  2-c89

----->  3-c99

----->  4-c11

----->  5-c17

----->  6-c++03

----->  7-c++11

----->  8-c++14

----->  9-c++17

-----> 10-c++20

TargetPlattform: Embedded -> Standard

----->  1-ARM RealView

----->  2-ARC MQX Synopsys

----->  3-Atmel AVR Studio

----->  4-Atollic True Studio

----->  5-Avocet ProTools

----->  6-Batronix uC51

----->  7-BiPOM Electronics

----->  8-Byte Craft eTPU C

----->  9-CCS PIC/dsPIC/DSC

-----> 10-Ceibo-8051C++

-----> 11-CodeWarrior

-----> 12-Cosmic Software

-----> 13-Crossware

-----> 14-ELLCC C/C++

-----> 15-GCC C/C++

-----> 16-Green Hills Multi

-----> 17-HighTec C/C++

-----> 18-IAR C/C++

-----> 19-INRIA CompCert

-----> 20-Intel C/C++

-----> 21-Introl C Compiler

-----> 22-Keil ARM C/C++

-----> 23-Mentor Graphics CodeSourcery

-----> 24-Microchip MPLAB

-----> 25-MikroC Pro

-----> 26-NXP

-----> 27-Renesas HEW

-----> 28-SDCC

-----> 29-Softools Z/Rabbit

-----> 30-Tasking ESD

-----> 31-Texas Instruments CodeComposer

-----> 32-Z World Dynamic C 32

-----> 33-WDC 8/16-bit

-----> 34-Wind River C/C++

TargetPlattform: Unix/Linux 32 or Unix/Linux 64 -> Standard

----->   0-GCC v12.x

----->   1-GCC v11.x

----->   2-GCC v10.x

----->   3-GCC v9.x

----->   4-GCC v8.x

----->   5-GCC v7.x

----->   6-GCC v6.x

----->   7-GCC v5.4

----->   8-GCC v5.0

----->   9-GCC v4.9.x

----->  10-GCC v4.8.3

----->  11-GCC v4.8

----->  12-GCC v4.7.4

----->  13-GCC v4.4

----->  14-GCC v3.0-4.7

----->  15-GCC v2.2

----->  16-IBM XL C/C++ 17.x

----->  17-IBM XL C/C++ 16.1

----->  18-IBM XL C/C++ 12.1-13.1.3

----->  19-IBM AIX XL C/C++ 7.0-11.1

----->  20-IBM AIX XL C/C++ 13.1

----->  21-IBM AIX XL C/C++ 12.1

----->  22-HP C/aC++ v5

----->  23-HP C/aC++ v6

----->  24-Sun Pro C/C++ 5.1-5.5 (Sun Workshop 6/Sun ONE/Forte Developer)

----->  25-Sun Pro C/C++ 5.5-5.8 (Sun Studio)

----->  26-Sun Pro C/C++ 5.9-5.13 (Oracle Solaris Studio)

----->  27-LLVM Clang 10.x-14.x

----->  28-LLVM Clang 9.x

----->  29-LLVM Clang 8.x

----->  30-LLVM Clang 7.0.x

----->  31-LLVM Clang 4.0.0-6.0.1

----->  32-LLVM Clang 3.4.2

----->  33-LLVM Clang 3.x

----->  34-LLVM Clang 2.9

TargetPlattform: Win32A (ASCII) or Win32W (UNICODE) or Win64 -> Standard

----->   0-Visual Studio 6.0

----->   1-Visual Studio 2003

----->   2-Visual Studio 2005

----->   3-Visual Studio 2008

----->   4-Visual Studio 2010

----->   5-Visual Studio 2012

----->   6-Visual Studio 2013

----->   7-Visual Studio 2015

----->   8-Visual Studio 2017

----->   9-Visual Studio 2019

----->  10-Visual Studio 2022

----->  11-Embarcadero C++ Builder (Borland and RAD Studio)

 -MISRA Default="false"

 -CERT Default="false"

 -tenant Tenant: Default="Tenant"

 -h View this Usage
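
The helper below is an added example, not part of the Security Reviewer documentation or tooling. The numeric -Standard value means something different for each -TargetPlattform (a language standard for Generic, an embedded toolchain for Embedded, a GCC/Clang or IBM/HP/Sun compiler release for Unix/Linux, a Visual Studio version for Win32A/Win32W/Win64), so a pipeline that sets these options for a C/C++ project should check the pair before writing it. The ranges come from the lists above; the invocation form `SRsetOPT -p -Path="..." -Name="value"` is an assumption based on the argument layout shown in this section, and the flag names misra/cert are chosen here.

```shell
#!/bin/sh
# Added example, not part of the Security Reviewer documentation. Checks that a
# (TargetPlattform, Standard) pair is inside the range the option lists allow
# and builds the SRsetOPT command for a C/C++ project. The invocation form
# 'SRsetOPT -p -Path="..." -Name="value"' is an assumption.

# Highest -Standard code listed for each -TargetPlattform code.
sr_standard_max() {
    case "$1" in
        0)     echo 10 ;;   # Generic: language standards 0-10
        1)     echo 34 ;;   # Embedded: toolchains 1-34
        2|3)   echo 34 ;;   # Unix/Linux 32 or 64: compilers 0-34
        4|5|6) echo 11 ;;   # Win32A, Win32W, Win64: compilers 0-11
        *)     return 1 ;;  # not a documented platform code
    esac
}

# Lowest -Standard code: the Embedded list starts at 1, every other list at 0.
sr_standard_min() {
    if [ "$1" = 1 ]; then echo 1; else echo 0; fi
}

# Return 0 when -Standard=$2 is valid for -TargetPlattform=$1.
sr_valid_standard() {
    plat=$1; std=$2
    case "$plat" in ''|*[!0-9]*) return 1 ;; esac
    case "$std"  in ''|*[!0-9]*) return 1 ;; esac
    max=$(sr_standard_max "$plat") || return 1
    min=$(sr_standard_min "$plat")
    [ "$std" -ge "$min" ] && [ "$std" -le "$max" ]
}

# Build the SRsetOPT command for a C/C++ project: $1 project path,
# $2 TargetPlattform code, $3 Standard code, $4 optional space-separated
# extras "misra" and/or "cert" to enable the -MISRA and -CERT rule sets.
sr_cpp_options_cmdline() {
    path=$1; plat=$2; std=$3; extras=${4:-}
    if ! sr_valid_standard "$plat" "$std"; then
        echo "Standard $std is not valid for TargetPlattform $plat" >&2
        return 1
    fi
    line="SRsetOPT -p -Path=\"$path\" -TargetPlattform=\"$plat\" -Standard=\"$std\""
    for e in $extras; do
        case "$e" in
            misra) line="$line -MISRA=\"true\"" ;;
            cert)  line="$line -CERT=\"true\"" ;;
            *)     echo "unknown option '$e'" >&2; return 1 ;;
        esac
    done
    printf '%s\n' "$line"
}

# Example (constructed values): a Linux 64-bit build on LLVM Clang 10.x-14.x
# (TargetPlattform 3, Standard 27) with both MISRA and CERT checks enabled.
# sr_cpp_options_cmdline /src/app 3 27 'misra cert'
```

The check matters because an out-of-range or mismatched pair silently selects a different compiler model than the one the code was built with, and the analysis then reasons about the wrong dialect; failing the pipeline step early is cheaper than discovering that in the report.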

 

Remote Scan

The scan is invoked by a client (for example Jenkins or GitLab), but the analysis is executed remotely on Static Reviewer. The TRScan CLI must be located on the client side.

TRScan

-a, --application APPLICATION is the name of the App you want to scan. If it contains spaces or “-“, it must be double quoted

-v, --version VERSION is the version of the App. If it contains spaces or “-“, it must be double quoted

-z, --spath FOLDERTOSCAN is the pathname of the source code folder to scan. If it contains spaces or “-“, it must be double quoted

-m, --mobile Specify in case of Mobile App only

-t, --truri Team Reviewer URL

-p, --port Team Reviewer TCP Port

-k, --apikey Team Reviewer API Key

-r, --ruleset RULESET (mandatory): use CWE to force the CWE Security Ruleset, or OWASP

-u, --proxyuser Proxy user

-w, --proxypasswd Proxy password

-y, --proxyport Proxy port

-i, --proxyuri Proxy URL

-c, --components pathname of an XML file describing components. See related chapter below. If the path contains spaces or “-“, it must be double quoted

-s, --secfp pathname of the Security False Positives CSV file, to be imported from a previous scan. If the path contains spaces or “-“, it must be double quoted

-d, --deadfp pathname of the Dead Code-Best Practices False Positives CSV file, to be imported from a previous scan. If the path contains spaces or “-“, it must be double quoted

-e, --exclusion pathname of the TXT file containing the exclusion list. For the file format see the related chapter below. If the path contains spaces or “-“, it must be double quoted

-f CUSTOMSEC pathname of Custom Security Ruleset .rls file

-q CUSTOMDEAD pathname of Custom Dead Code-Best Practices Ruleset .rls file

-l, --srresults path on which analysis results will be stored

-h, --results path on which analysis reports will be stored

-j, --logs path on which analysis logs will be stored

-n, --skippdf to skip the report creation

-o, --onlysec to run Security analysis only, excluding Deadcode and Quality analysis

-x, --noexclusion Do not apply exclusions

-b, --verbose Verbose mode

-g, --debug Debug mode

 

Example:

TRScan -a "MYAPP" -v "$(date +"%Y%m%d-%H%M")" -z "SRC/MYAPP" -t https://teamreviewer.local -p 443 -k 4a5ecc953710dc021cf0dee5b80af1d35cc2d60c -r OWASP -u johndoe -w secret -y 3128 -i http://proxy.local -b -o

Software Composition Analysis

Firmware Reviewer

Team Reviewer API Client

Team Reviewer is our default Dashboard. All features provided by the Web GUI can be invoked via its REST API, including Admin tasks. Team Reviewer provides a Java tool for invoking the REST API from the command line.

 

COPYRIGHT (C) 2015-2024 SECURITY REVIEWER SRL. ALL RIGHTS RESERVED.