Document SARIF details in man page

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
David A. Wheeler 2021-05-30 18:46:50 -04:00
parent c99529852a
commit bcb5e652ef
1 changed files with 32 additions and 1 deletions


@ -52,6 +52,7 @@ flawfinder \- lexically find potential security flaws ("hits") in source code
.RB [ \-\-dataonly | \-D ] .RB [ \-\-dataonly | \-D ]
.RB [ \-\-html | \-H ] .RB [ \-\-html | \-H ]
.RB [ \-\-immediate | -i ] .RB [ \-\-immediate | -i ]
.RB [ \-\-sarif ]
.RB [ \-\-singleline | \-S ] .RB [ \-\-singleline | \-S ]
.RB [ \-\-omittime ] .RB [ \-\-omittime ]
.RB [ \-\-quiet | \-Q ] .RB [ \-\-quiet | \-Q ]
@ -300,7 +301,8 @@ integrated development environments; see the examples for
more information. more information.
.PP .PP
Flawfinder includes many other options, including ones to Flawfinder includes many other options, including ones to
create HTML versions of the output (useful for prettier displays). create HTML versions of the output (useful for prettier displays) and
Static Analysis Results Interchange Format (SARIF) output.
The next section describes those options in more detail. The next section describes those options in more detail.
.SH OPTIONS .SH OPTIONS
@ -534,6 +536,35 @@ Format the output as HTML instead of as simple text.
.BI -i .BI -i
Immediately display hits (don't just wait until the end). Immediately display hits (don't just wait until the end).
.TP
.BI \-\-sarif
Produce output in the OASIS
Static Analysis Results Interchange Format (SARIF) format (a JSON-based format).
The goals of the SARIF format, as explained in
version 2.1.0 (27 March 2020) of its specification, include being able to
"comprehensively capture the range of data produced by commonly
used static analysis tools."
SARIF output identifies the tool name as "Flawfinder".
The flawfinder levels 0 through 5 are mapped to SARIF rank (by dividing by 5),
SARIF level, and the default viewer action as follows:
Flawfinder 0: SARIF rank 0.0, SARIF level notei, Does not display by default
Flawfinder 1: SARIF rank 0.2, SARIF level note,Does not display by default
Flawfinder 2: SARIF rank 0.4, SARIF level note, Does not display by default
Flawfinder 3: SARIF rank 0.6, SARIF level warning, Displays by default, does not break build / other processes
Flawfinder 4: SARIF rank 0.8, SARIF level error,Displays by default, breaks build/ other processes
Flawfinder 5: SARIF rank 1.0, SAIRF level error, Displays by default, breaks build/ other processes
A big thanks to Yong Yan implementing SARIF output generation for flawfinder!
For more about the SARIF format, see:
https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=sarif
.TP .TP
.BI "\-\-singleline" .BI "\-\-singleline"
.TP .TP
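Review bot: the level-mapping list in the new `\-\-sarif` paragraph has several typos and a formatting problem. "SARIF level notei" (Flawfinder 0) should read "SARIF level note", "SAIRF level error" (Flawfinder 5) should read "SARIF level error", the entries for levels 1 and 4 are missing a space after "note," and "error,", and "breaks build/ other processes" should be "breaks build / other processes" to match the level 3 entry. Also, since these six lines sit inside a filled `.TP` paragraph, troff will run them together into one sentence; wrap the mapping in `.nf` / `.fi` (or put it in a `.TS` table) so each level stays on its own line. Finally, "A big thanks to Yong Yan implementing SARIF output" is missing a word: "for implementing".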