chore: sc-sast scan start --sargs scaRuntimeArguments support added #487

Open
wants to merge 10 commits into
base: develop

gendry-gh
Collaborator

#198
#449

The added fcli --sargs --sca-args option allows specifying scan args along with other arguments such as -filter (see accepted arguments).

As for --targs, with current fcli support, there is no need for it.
Currently, we can only start a SAST scan using package or mbs. These two options do not support/require translation arguments (targs are passed to the scancentral package cmd, and mbs are already translated).

@rsenden
Contributor

rsenden commented Dec 14, 2023

We'd need to double-check exact SC SAST behavior with regards to interaction between -sargs and the -filter, -rules and --project-template options on the scancentral start command. These dedicated options are used to include a local filter file, rules file or project template into the scan payload; not sure what happens if you specify something like -sargs -filter myfilter.txt without specifying the -filter option (would that expect the specified file to be available on the sensor?), or if for example -filter myfilter.txt automatically adds the corresponding scan argument.

@gendry-gh
Collaborator Author

gendry-gh commented Dec 14, 2023

The documentation lists the supported options:

image

And yes, for custom rules and filter files, they have to be available on the sensors.
For the custom rules, we can upload them in SSC, and have the sensor pull the rules from SSC.

@gendry-gh
Collaborator Author

I just checked: for -filters filter.txt, the scancentral client adds the filter.txt in the zip payload:
image

And it does so for both cmds:

  • scancentral start [...] -filters filter.txt
  • scancentral start [...] -sargs "-filters filter.txt"

As FCLI doesn't package right now, do we want to do the same? Or (for now) let the user insert the required filters/custom rules files in the zip, along with the right -sargs?

@rsenden
Contributor

rsenden commented Dec 14, 2023

ScanCentral expects the package.zip file inside another zip file (which is created by fcli on the fly); I guess these extra filter/template/rule files go into the outer zip file, not the zip file created by the scancentral package command.

@gendry-gh
Collaborator Author

gendry-gh commented Dec 15, 2023

Indeed.

What about adding an --include-file rule.xml option to insert a file in the outer zip?

We could also do it automatically like scancentral does, and have the 3 options --filters --rules --sargs.
