Input formats for non-bundled tool results in Code Dx Enterprise
This section describes the file formats that results from non-bundled tools must be in when they are imported into Code Dx Enterprise.
SAST
The table below lists, for each supported Static Application Security Testing (SAST) tool, the file format its results must be in before they can be imported.
Tool | Output format | Notes
Android Lint | XML and ZIP output | Code Dx supports Android Lint outputs in .xml and .zip
AppScan Source | OZASMT output | Code Dx supports AppScan Source outputs in .ozasmt
Brakeman | JSON output | Brakeman is one of the built-in scanners, but if it is run externally its .json output is accepted by Code Dx
CAT.NET | XML output | CAT.NET .xml output is accepted by Code Dx
Checkmarx | XML output | Checkmarx reports in .xml format are accepted by Code Dx
Checkstyle | XML output | .xml output from Checkstyle is accepted by Code Dx
Clang | HTML output in a ZIP archive | Code Dx supports HTML output from Clang but expects it in a .zip archive, since Clang writes one HTML file per checked source file
CodePeer | CSV output | CodePeer reports in .csv format are accepted by Code Dx
CodeSecure | XML output | Armorize's CodeSecure .xml outputs are processed by Code Dx
CodeSonar-Scrape | ZIP output | files generated by the CodeSonar-Scrape utility, described later in this document
Code Dx XML format | XML output | for data from a custom tool, or from a tool that Code Dx does not support, convert the output to the Code Dx .xml format and upload that directly for analysis. XML schemas and examples are provided via the download icon in the Code Dx header
CppCheck | XML v2 output | Code Dx supports the v2 .xml output from CppCheck
Coverity | JSON output | Code Dx supports .json formatted output from Coverity produced with their 'cov-commit-defect' command line tool. For example: cov-
ErrCheck | plaintext output | Code Dx supports plaintext output from ErrCheck, with console output redirected to a file
error-prone | plaintext output | raw plain-text error-prone output is accepted by Code Dx, such as in .txt files
ESLint | JSON output | Code Dx accepts raw .json formatted ESLint results
Fortify | FPR files | Code Dx will process the analysis results produced by Fortify and stored in .fpr files
FxCop | XML output | just like with other built-in tools, raw .xml FxCop outputs are accepted by Code Dx
Gendarme | XML output | same as above, raw Gendarme .xml outputs are accepted by Code Dx
GoCyclo | plaintext output | Code Dx supports plaintext output from GoCyclo, with console output redirected to a file. The resulting file can still be read if it also contains build errors
GoLint | plaintext output | Code Dx supports plaintext output from GoLint, with console output redirected to a file. The resulting file can still be read if it also contains build errors
GoSec | JSON output | Code Dx supports JSON output from GoSec produced with the -fmt json flag
IneffAssign | plaintext output | Code Dx supports plaintext output from IneffAssign, with console output redirected to a file
JLint | plaintext output | Code Dx processes the raw output from JLint and expects it in plain text format, such as in .txt files
JSHint | plaintext output | raw JSHint output is accepted by Code Dx and is expected in plain text format, such as in .txt files
OCLint | XML output | Code Dx accepts .xml output files generated by OCLint
Parasoft JTest/C++Test/dotTest | XML output | Code Dx accepts .xml outputs for these three Parasoft tools; please see the Parasoft Support section for more information
PHP_CodeSniffer | XML output | Code Dx accepts .xml outputs from PHP_CodeSniffer
PHPMD | XML output | Code Dx accepts .xml outputs from PHPMD
Pylint | JSON output | Code Dx supports Pylint .json output
PMD | XML output | same as with other built-in tools, raw .xml PMD results are accepted by Code Dx
SafeSQL | plaintext output | Code Dx supports plaintext output from SafeSQL, with console output redirected to a file
SATE XML format | XML output | Code Dx supports the .xml format of NIST's Static Analysis Tool Exposition V (SATE V)
Scalastyle | XML output | Code Dx supports the .xml format of Scalastyle
SCARF | XML files | Code Dx supports the ingestion of files in the SWAMP Common Assessment Result Format (SCARF)
SpotBugs/FindBugs | XML output | although Code Dx includes SpotBugs as a built-in scanner, it will accept raw .xml SpotBugs and FindBugs outputs
Staticcheck | JSON output | Code Dx supports JSON output from Staticcheck produced with the -f json flag, with console output redirected to a file
Veracode | XML or ZIP output | Code Dx supports either the .zip files generated when exporting XML results from Veracode, or the .xml files contained within them
Vet | JSON output | Code Dx supports JSON output from go vet produced with the -json flag, with console output redirected to a file. The resulting file can still be read if it also contains build errors
Other | Source ZIP archives | Code Dx will accept zipped source archives in order to show contextual source for findings on the Finding Details page
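Several rows above describe a specific export shape (CppCheck's v2 XML rather than the default layout, Clang's HTML reports bundled in a .zip, Staticcheck's -f json output). The script below is an added example, not code from Code Dx or from any of the tools, that checks a file against those expectations before it is uploaded, so a wrong export option is caught locally rather than as a failed import. The sample inputs are constructed; the element names it checks come from the tools' own output formats rather than from this page, and the key set assumed for Staticcheck JSON is an assumption.

```python
"""Pre-upload checks for three SAST export shapes: CppCheck v2 XML,
Clang HTML reports in a .zip, and Staticcheck -f json output.

The sample inputs below are constructed for this example; they imitate the
layout of each tool's output and are not real scan results.
"""
import io
import json
import xml.etree.ElementTree as ET
import zipfile


def check_cppcheck_v2(xml_bytes: bytes) -> dict:
    """CppCheck must be run with --xml-version=2: v2 output has <results version="2">,
    while the default v1 layout has a bare <results> root and a different schema."""
    root = ET.fromstring(xml_bytes)
    errors = root.find("errors")
    count = len(errors.findall("error")) if errors is not None else 0
    ok = root.tag == "results" and root.get("version") == "2"
    return {"ok": ok, "version": root.get("version"), "findings": count}


def check_clang_zip(zip_bytes: bytes) -> dict:
    """Clang writes one HTML report per checked file, so the upload is a .zip;
    make sure the archive actually contains HTML reports before uploading it."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    html = [n for n in names if n.lower().endswith((".html", ".htm"))]
    return {"ok": len(html) > 0, "members": len(names), "html_reports": len(html)}


def check_staticcheck_json(text: str) -> dict:
    """staticcheck -f json emits one JSON object per line. A line that is not JSON
    usually means the build failed; surface it instead of uploading partial data.
    The required key set is assumed from staticcheck's json formatter."""
    required = {"code", "severity", "location", "message"}
    findings, bad_lines = 0, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            bad_lines.append(n)
            continue
        if not isinstance(obj, dict) or not required.issubset(obj):
            bad_lines.append(n)
            continue
        findings += 1
    return {"ok": findings > 0 and not bad_lines, "findings": findings, "bad_lines": bad_lines}


# --- constructed samples (not real scan output) ---------------------------
CPPCHECK_V2 = b"""<?xml version="1.0" encoding="UTF-8"?>
<results version="2">
  <cppcheck version="2.9"/>
  <errors>
    <error id="nullPointer" severity="error" msg="Null pointer dereference: p">
      <location file="src/main.c" line="12" column="5"/>
    </error>
    <error id="unusedVariable" severity="style" msg="Unused variable: tmp">
      <location file="src/util.c" line="7" column="9"/>
    </error>
  </errors>
</results>
"""

# CppCheck's default (v1) layout, which is not the format the table asks for.
CPPCHECK_V1 = b"""<?xml version="1.0"?>
<results>
  <error file="src/main.c" line="12" id="nullPointer" severity="error" msg="Null pointer dereference: p"/>
</results>
"""

STATICCHECK_JSON = "\n".join(json.dumps(d) for d in [
    {"code": "SA4006", "severity": "error",
     "location": {"file": "main.go", "line": 14, "column": 2},
     "message": "this value of err is never used"},
    {"code": "S1000", "severity": "warning",
     "location": {"file": "worker.go", "line": 31, "column": 2},
     "message": "should use a simple channel send/receive instead of select with a single case"},
])


def build_zip(members: dict) -> bytes:
    """Build an in-memory .zip, the way scan-build output would be bundled for upload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


CLANG_ZIP = build_zip({
    "index.html": "<html><body>scan-build results</body></html>",
    "report-1a2b3c.html": "<html><body>Dereference of null pointer</body></html>",
    "scanview.css": "body { font-family: sans-serif }",
})


def run_all() -> dict:
    return {
        "cppcheck_v2": check_cppcheck_v2(CPPCHECK_V2),
        "cppcheck_v1": check_cppcheck_v2(CPPCHECK_V1),
        "clang_zip": check_clang_zip(CLANG_ZIP),
        "staticcheck": check_staticcheck_json(STATICCHECK_JSON),
        "staticcheck_build_error": check_staticcheck_json(STATICCHECK_JSON + "\n-: build failed\n"),
    }


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name}: {'OK' if result['ok'] else 'REJECT'} {result}")
```

Run the script against real exports by swapping the constructed samples for `open(path, "rb").read()`; the v1 CppCheck sample and the build-error Staticcheck sample show the two rejections a practitioner most often hits.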
DAST
The table below lists, for each supported Dynamic Application Security Testing (DAST) tool, the file format its results must be in before they can be imported.
Tool | Output format | Notes
Acunetix | XML output | Code Dx supports the .xml format of Acunetix outputs. Generate the XML output by selecting Scans, then Select Scan, then WAF Export, and then XML
AppSpider | Vulnerability Summary XML | The VulnerabilitiesSummary.xml files generated by AppSpider are accepted by Code Dx; please see the AppSpider Support section for more information
Arachni | JSON output | Code Dx accepts .json output files from Arachni
Burp Suite | XML output | Burp outputs are supported by Code Dx in .xml format. Select the Base64 encoding option when exporting the XML file
Cigital | XML output | Code Dx supports the .xml format of Cigital outputs obtained via the Cigital API
HP WebInspect | XML output | Code Dx accepts .xml outputs from WebInspect. Generate the XML output in WebInspect by selecting File, then Export, then Scan Details. In the Settings section, choose Full from the "Details:" dropdown menu and click Export
IBM AppScan | XML output | AppScan outputs are ingested by Code Dx in .xml format
Netsparker | XML output | Code Dx supports Netsparker outputs in .xml
Netsparker Cloud | XML output | Code Dx supports Netsparker Cloud outputs in .xml
OWASP ZAP | XML output | ZAP outputs are supported by Code Dx in .xml format
Veracode | XML and ZIP output | Code Dx accepts both .xml and .zip outputs from Veracode
InfraSec
The table below lists, for each supported Infrastructure Analysis Tool, the file format its results must be in before they can be imported.
Tool | Output format | Notes
AppDetective Pro | XML Check Results report | Code Dx supports XML Check Results reports from AppDetective Pro; please see the AppDetective Pro Support section for more information on report requirements
Tenable Nessus | .nessus output | Code Dx supports the .nessus format of Nessus outputs
NMap | XML output | Code Dx supports the .xml format of NMap outputs that contain vulnerability information produced by scripts written for the NMap Scripting Engine
Qualys VM | XML output | Code Dx supports the .xml format of Qualys VM outputs generated with Scan-Based and Host-Based report templates. Before generating a report with a Host-Based report template, make sure that Vulnerability Details and at least one of its subsections are checked: open the "Edit Scan Report Template" window, go to the Display tab, and look under "Include the following detailed results in the report"
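The DAST and InfraSec tables each carry an export condition that is easy to miss: Burp's XML must be exported with the Base64 encoding option, and an Nmap XML file is only useful to Code Dx if it contains NSE script results. The script below is an added example, not code from Code Dx or from the scanners, that checks a Burp XML, a .nessus file and an Nmap XML file for those conditions before upload. The sample documents are constructed and imitate each tool's layout; the root element and attribute names are taken from the tools' own formats, not from this page.

```python
"""Pre-upload checks for DAST and infrastructure exports: Burp Suite XML
(Base64 option), Nessus .nessus, and Nmap XML with NSE script results.

Sample documents are constructed for this example and imitate each tool's layout.
"""
import re
import xml.etree.ElementTree as ET


def check_burp_xml(xml_bytes: bytes) -> dict:
    """With the Base64 encoding option selected, Burp marks every <request> and
    <response> with base64="true"; unencoded bodies are flagged so the export can
    be redone before uploading."""
    root = ET.fromstring(xml_bytes)
    issues = root.findall("issue")
    bodies = root.findall(".//request") + root.findall(".//response")
    unencoded = sum(1 for b in bodies if b.get("base64") != "true")
    ok = root.tag == "issues" and len(issues) > 0 and unencoded == 0
    return {"ok": ok, "issues": len(issues), "unencoded_bodies": unencoded}


def check_nessus(xml_bytes: bytes) -> dict:
    """A .nessus export is NessusClientData_v2 XML; count hosts and findings."""
    root = ET.fromstring(xml_bytes)
    hosts = root.findall(".//ReportHost")
    items = root.findall(".//ReportItem")
    ok = root.tag == "NessusClientData_v2" and len(items) > 0
    return {"ok": ok, "hosts": len(hosts), "report_items": len(items)}


def check_nmap_xml(xml_bytes: bytes) -> dict:
    """Code Dx wants Nmap XML carrying NSE script results; a scan run without
    --script yields ports but no <script> elements and is rejected here."""
    root = ET.fromstring(xml_bytes)
    scripts = root.findall(".//script")
    ok = root.tag == "nmaprun" and len(scripts) > 0
    return {"ok": ok, "hosts": len(root.findall("host")),
            "script_results": len(scripts),
            "script_ids": sorted({s.get("id") for s in scripts})}


# --- constructed samples (not real scan output) ---------------------------
BURP_B64 = b"""<?xml version="1.0"?>
<issues burpVersion="2023.10" exportTime="Tue Jan 02 10:00:00 UTC 2024">
  <issue>
    <serialNumber>1</serialNumber>
    <name>Cross-site scripting (reflected)</name>
    <host ip="10.0.0.5">https://app.example</host>
    <path>/search</path>
    <severity>High</severity>
    <confidence>Certain</confidence>
    <requestresponse>
      <request method="GET" base64="true">R0VUIC9zZWFyY2g/cT1hIEhUVFAvMS4xDQo=</request>
      <response base64="true">SFRUUC8xLjEgMjAwIE9LDQo=</response>
    </requestresponse>
  </issue>
</issues>
"""
# Same export without the Base64 option: the attribute is absent on both bodies.
BURP_PLAIN = BURP_B64.replace(b' base64="true"', b"")

NESSUS = b"""<?xml version="1.0" ?>
<NessusClientData_v2>
  <Policy><policyName>Basic Network Scan</policyName></Policy>
  <Report name="lab-scan">
    <ReportHost name="10.0.0.5">
      <HostProperties><tag name="host-ip">10.0.0.5</tag></HostProperties>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0" pluginID="22964" pluginName="Service Detection" pluginFamily="Service detection">
        <description>An SSH server is running on this port.</description>
      </ReportItem>
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="2" pluginID="57582" pluginName="SSL Self-Signed Certificate" pluginFamily="General">
        <description>The X.509 certificate chain for this service is not signed by a recognized CA.</description>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

NMAP_WITH_NSE = b"""<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --script ssl-heartbleed,ssh2-enum-algos -oX scan.xml 10.0.0.5" start="1704189600" version="7.94">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH"/>
        <script id="ssh2-enum-algos" output="kex_algorithms: (9)"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open" reason="syn-ack"/>
        <service name="https"/>
        <script id="ssl-heartbleed" output="State: NOT VULNERABLE"/>
      </port>
    </ports>
  </host>
  <runstats><finished time="1704189660" exit="success"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""
# The same scan run without --script: no <script> elements at all.
NMAP_NO_NSE = re.sub(rb"\s*<script [^>]*/>", b"", NMAP_WITH_NSE)


if __name__ == "__main__":
    for name, result in {
        "burp_base64": check_burp_xml(BURP_B64),
        "burp_plain": check_burp_xml(BURP_PLAIN),
        "nessus": check_nessus(NESSUS),
        "nmap_with_nse": check_nmap_xml(NMAP_WITH_NSE),
        "nmap_no_nse": check_nmap_xml(NMAP_NO_NSE),
    }.items():
        print(f"{name}: {'OK' if result['ok'] else 'REJECT'} {result}")
```

The two rejection cases (Burp exported without Base64, Nmap run without NSE scripts) are the ones that produce an import with missing request/response detail or no findings at all; catching them locally avoids a silent, empty-looking upload.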
Threat Modeling Tools
The table below lists, for each supported Threat Modeling Tool, the file format its results must be in before they can be imported.
Tool | Output format | Notes
Microsoft Threat Modeling Tool 2016 | HTML and TM7 output | Code Dx accepts .htm reports and raw .tm7 files; .htm reports include an image of the diagram and the interaction for each finding
Composition Analysis Tools
The table below lists, for each supported Composition Analysis Tool, the file format its results must be in before they can be imported.
Tool | Output format | Notes
Black Duck | Black Duck output | Code Dx supports Black Duck outputs
Dependency-Check | XML output | Code Dx supports Dependency-Check outputs in .xml
Protecode | CSV or JSON output | Protecode outputs are supported in Code Dx in .csv and .json formats
Retire.js | JSON output | The Retire.js repository is checked by Dependency-Check, but if Retire.js is run externally its output in .json format is accepted by Code Dx
Sonatype | XML output | Code Dx accepts Sonatype output files in .xml format