株式会社イーエルティ (ELT Co., Ltd.)

Input file formats for importing non-bundled tool results into Code Dx Enterprise

This section lists the file format that each non-bundled tool's results must be in before they can be imported into Code Dx Enterprise. Where a tool offers several output modes, only the one named here is accepted, so the export options called out below (for example the Base64 option in Burp Suite, or the .zip packaging for Clang HTML) matter.

SAST

The table below lists, for each supported Static Application Security Testing (SAST) tool, the file format its results must be in to be imported.

Android Lint Source XML and ZIP output: Code Dx supports Android Lint Source outputs in .xml and .zip.
AppScan Source OZASMT output: Code Dx supports AppScan Source outputs in .ozasmt.
Brakeman JSON output: Brakeman is one of the built-in scanners, but if run externally, its .json outputs are accepted by Code Dx.
CAT.NET XML output: CAT.NET .xml outputs are accepted by Code Dx.
Checkmarx XML output: Checkmarx reports in .xml format are accepted by Code Dx.
Checkstyle XML output: .xml output from Checkstyle is accepted by Code Dx.
Clang HTML output: Code Dx supports HTML output from Clang but expects it in a .zip archive, since Clang outputs one HTML file per checked source file.
CodePeer CSV output: CodePeer reports in .csv format are accepted by Code Dx.
CodeSecure XML output: Armorize's CodeSecure .xml outputs are processed by Code Dx.
CodeSonar-Scrape ZIP output: files generated by the CodeSonar-Scrape utility, described later in this document.
Code Dx XML format: for cases where you have data from a custom tool or from a tool that isn't supported by Code Dx, you can convert the output to the Code Dx .xml format and import it directly for analysis. XML schemas and examples are provided via the download icon in the Code Dx header.
CppCheck XML v2 output: Code Dx supports the v2 .xml output from CppCheck.
Coverity JSON output: Code Dx supports .json formatted output from Coverity produced with their 'cov-commit-defect' command line tool. For example: cov-
ErrCheck output: Code Dx supports plaintext output from ErrCheck, with console output redirected to a file.
error-prone output: raw plain-text error-prone output is accepted by Code Dx, such as in .txt files.
ESLint JSON output: Code Dx accepts raw .json formatted ESLint results.
Fortify FPR files: Code Dx will process the analysis results detected by Fortify and stored in .fpr files.
FxCop XML output: just like with other built-in tools, raw .xml FxCop outputs are accepted by Code Dx.
Gendarme XML output: same as above, raw Gendarme .xml outputs are accepted by Code Dx.
GoCyclo output: Code Dx supports plaintext output from GoCyclo, with console output redirected to a file. The resulting file can still be read if it also contains build errors.
GoLint output: Code Dx supports plaintext output from GoLint, with console output redirected to a file. The resulting file can still be read if it also contains build errors.
GoSec JSON output: Code Dx supports JSON output from GoSec produced with the -fmt json flag.
IneffAssign output: Code Dx supports plaintext output from IneffAssign, with console output redirected to a file.
JLint output: Code Dx processes the raw output from JLint and expects it in plain text format, such as in .txt files.
JSHint output: raw JSHint output is accepted by Code Dx and is expected in plain text format, such as .txt files.
OCLint XML output: Code Dx accepts .xml output files generated by OCLint.
Parasoft JTest/C++Test/dotTest XML output: Code Dx accepts .xml outputs for these three Parasoft tools; please see the Parasoft Support section for more information.
PHP_CodeSniffer XML output: Code Dx accepts .xml outputs from PHP_CodeSniffer.
PHPMD XML output: Code Dx accepts .xml outputs from PHPMD.
Pylint JSON output: Code Dx supports Pylint .json output.
PMD XML output: same as with other built-in tools, raw .xml PMD results are accepted by Code Dx.
SafeSQL output: Code Dx supports plaintext output from SafeSQL, with console output redirected to a file.
SATE XML format: Code Dx supports the .xml format for NIST's Static Analysis Tool Exposition V (SATE V).
Scalastyle XML format: Code Dx supports the .xml format for Scalastyle.
SCARF XML files: Code Dx supports the ingestion of files in the SWAMP Common Assessment Result Format.
SpotBugs/FindBugs XML output: although Code Dx includes SpotBugs as a built-in scanner, it will accept raw .xml SpotBugs and FindBugs outputs.
Staticcheck JSON output: Code Dx supports JSON output from Staticcheck produced with the -f json flag, with its console output redirected to a file. The resulting file is in JSON format.
Veracode XML or ZIP format: Code Dx supports either the .zip files generated when exporting XML results from Veracode, or the .xml files contained within them.
Vet (go vet) JSON output: Code Dx supports JSON output from go vet produced with the -json flag, with console output redirected to a file. The resulting file is in JSON format and can still be read if it also contains build errors.
Other source zip archives: Code Dx will accept zipped source archives in order to show contextual source for findings on the Finding Details page.

DAST

The table below lists, for each supported Dynamic Application Security Testing (DAST) tool, the file format its results must be in to be imported.

Acunetix, XML output: Code Dx supports the .xml format of Acunetix outputs. Generate the XML output by selecting Scans, then Select Scan, then WAF Export, and then XML.
AppSpider, Vulnerability Summary XML: the VulnerabilitiesSummary.xml files generated by AppSpider are accepted by Code Dx; please see the AppSpider Support section for more information.
Arachni, JSON output: Code Dx accepts .json output files from Arachni.
Burp Suite, XML output: Burp outputs are supported by Code Dx in .xml format. Select the Base64 encoding option when exporting the XML file, so that request and response bodies are encoded rather than embedded raw.
Cigital, XML output: Code Dx supports the .xml format of Cigital outputs obtained via the Cigital API.
HP WebInspect, XML output: Code Dx accepts .xml outputs from WebInspect. Generate the XML output in WebInspect by selecting File, then Export, and then Scan Details. In the Settings section, choose Full from the "Details:" dropdown menu and click Export.
IBM AppScan, XML output: AppScan outputs are ingested by Code Dx in .xml format.
Netsparker, XML output: Code Dx supports Netsparker outputs in .xml.
Netsparker Cloud, XML output: Code Dx supports Netsparker Cloud outputs in .xml.
OWASP ZAP, XML output: ZAP outputs are supported by Code Dx in .xml format.
Veracode, XML and ZIP output: Code Dx accepts both .xml and .zip outputs from Veracode.
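Several rows in the SAST and DAST tables above impose a requirement on how the export is produced rather than on the tool itself: Clang HTML must be zipped, Veracode may be the .zip or the .xml inside it, Burp XML must be exported with the Base64 option, and the Go tools' JSON is a redirected console capture that may carry build errors ahead of the report. The script below is an added example written for this page (it is not ELT's or Code Dx's code) that checks those requirements before an upload is attempted. It assumes Burp marks encoded bodies with a `base64="true"` attribute on `<request>` and `<response>` elements (Burp's own export format), and the go vet payload shape used in the sample is a constructed assumption, not an official schema. All sample inputs are constructed inline.

```python
"""Pre-import sanity checks for scanner exports headed for Code Dx Enterprise.

Added example, not part of the ELT page and not Code Dx code. Checks the
export requirements the SAST/DAST tables state explicitly:
  clang     - HTML results must be packaged as one .zip archive
  veracode  - the exported .zip, or the .xml contained in it
  burp      - XML must be exported with the Base64 encoding option
  gosec / govet - JSON captured from the console; a go vet capture may
              carry build-error lines ahead of the JSON document
Assumption: Burp marks encoded bodies with base64="true" on <request> and
<response>. The go vet payload in the sample is a constructed shape.
"""
import io
import json
import zipfile
import xml.etree.ElementTree as ET


def zip_contains(data: bytes, suffix: str) -> bool:
    """True if data is a zip archive with at least one entry ending in suffix."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith(suffix) for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def is_xml(data: bytes) -> bool:
    """True if data parses as a well-formed XML document."""
    try:
        ET.fromstring(data)
        return True
    except ET.ParseError:
        return False


def burp_is_base64(data: bytes) -> bool:
    """Every <request>/<response> in a Burp XML export must carry base64="true"."""
    root = ET.fromstring(data)
    bodies = root.findall(".//request") + root.findall(".//response")
    return bool(bodies) and all(b.get("base64") == "true" for b in bodies)


def load_console_json(text: str):
    """Parse the JSON document in a redirected console capture.

    Lines before the first line that starts a JSON value (e.g. build errors
    that go vet prints when stderr is redirected too) are skipped.
    """
    decoder = json.JSONDecoder()
    offset = 0
    for line in text.splitlines(keepends=True):
        body = line.lstrip()
        if body[:1] in ("{", "["):
            try:
                obj, _ = decoder.raw_decode(text[offset + len(line) - len(body):])
                return obj
            except json.JSONDecodeError:
                pass
        offset += len(line)
    raise ValueError("no JSON document found in captured output")


# One predicate per table row that states an export requirement.
CHECKS = {
    "clang": lambda d: zip_contains(d, ".html"),
    "veracode": lambda d: zip_contains(d, ".xml") or is_xml(d),
    "burp": burp_is_base64,
    "gosec": lambda d: isinstance(load_console_json(d.decode()), dict),
    "govet": lambda d: isinstance(load_console_json(d.decode()), dict),
}


def preflight(tool: str, data: bytes) -> bool:
    """True when the export looks like what the table says Code Dx expects."""
    try:
        return bool(CHECKS[tool](data))
    except (ValueError, ET.ParseError, UnicodeDecodeError):
        return False


def _zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample exports (not real scanner output).
CLANG_ZIP = _zip({"report-main.html": "<html></html>", "report-util.html": "<html></html>"})
VERACODE_ZIP = _zip({"app_detailedreport.xml": "<detailedreport/>"})
BURP_OK = (b'<items><item><request base64="true" method="GET">R0VUIC8=</request>'
           b'<response base64="true">SFRUUA==</response></item></items>')
BURP_BAD = BURP_OK.replace(b'base64="true"', b'base64="false"')
GOVET_CAPTURE = (
    "# example.com/app\n"                      # build-error lines captured via 2>&1
    "./main.go:7:2: undefined: helper\n"
    '{"example.com/app": {"printf": [{"posn": "main.go:12:3", '
    '"message": "Printf format %d has arg of wrong type"}]}}\n'
)

if __name__ == "__main__":
    samples = [("clang", CLANG_ZIP), ("veracode", VERACODE_ZIP), ("burp", BURP_OK),
               ("burp", BURP_BAD), ("govet", GOVET_CAPTURE.encode())]
    for tool, sample in samples:
        print(f"{tool:9s} {'ok' if preflight(tool, sample) else 'REJECT'}")
```

Run it against the real export files before uploading; a REJECT for "burp" almost always means the Base64 option was left unchecked, and a REJECT for "clang" means the per-file HTML reports were uploaded loose instead of zipped.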

InfraSec

The table below lists, for each supported infrastructure analysis tool, the file format its results must be in to be imported.

AppDetective Pro: Code Dx supports XML Check Results reports from AppDetective Pro; please see the AppDetective Pro Support section for more information on report requirements.
Tenable Nessus: Code Dx supports the .nessus format of Nessus outputs.
NMap: Code Dx supports the .xml format of NMap outputs that contain vulnerability information produced by scripts written for the NMap Scripting Engine.
Qualys VM: Code Dx supports the .xml format of Qualys VM outputs generated with Scan-Based and Host-Based report templates. Before generating a report with a Host-Based report template, ensure that Vulnerability Details and at least one of its subsections are checked: in the "Edit Scan Report Template" window, open the Display tab and look under "Include the following detailed results in the report".

Threat Modeling Tools

The table below lists, for each supported threat modeling tool, the file format its results must be in to be imported.

Microsoft Threat Modeling Tool 2016, HTML and TM7 output: Code Dx accepts .htm reports and raw .tm7 files. The .htm reports include images of the diagram and of the interaction for each finding.


Composition Analysis Tools

The table below lists, for each supported software composition analysis tool, the file format its results must be in to be imported.

Black Duck: Code Dx supports Black Duck outputs.
Dependency-Check: Code Dx supports Dependency-Check outputs in .xml.
Protecode: Protecode outputs are supported in Code Dx in .csv and .json formats.
Retire.js JSON output: Dependency-Check already consults the Retire.js repository, but if Retire.js is run externally, its output in .json format is accepted by Code Dx.
Sonatype: Code Dx accepts Sonatype output files in .xml format.