A remote scan is an alternate way to scan with no UI intervention. This can be done using a continuous integration toolchain, or manually via the command line. The results are then published on the UI automatically.
For languages such as C or C++, a strict mode remote scan can help to increase the accuracy of the scan.
How to download embold-scanner from Embold?
Download embold-scanner from your Embold account's section > Releases tab > CLI. There will be one file with a name similar to the following: 'browserstack-codequality-scanner-archive.tar.gz'.
Remote scan using embold-scanner
- Download the Embold CLI tool from the control panel. Extract it and make sure its binaries have execute permissions.
- Log in to the Embold server and create a project in Embold. Read more about creating a new project here.
- Generate an Embold Access Token (EAT) for the remote scan. Read more here about generating an EAT.
- Create and link a remote repository with the language you want to scan, then download the repository configuration (repository-configuration.json) for this newly added remote repository.
Commands
embold-scanner – This command is applicable for Linux machines.
embold-scanner.bat – This command is applicable for Windows machines.
Sub-commands
- analyse
- local-analyse
- gated-commit
Usage: embold-scanner analyse [-am <arg>] [-b <arg>] [-c <arg>] [-d <arg>] [-h] [-l <arg>] [-r <arg>] [-s <arg>] [-sh <arg>] [-si <arg>] [-sp <arg>] [-ssu] -t <arg> -u <arg> [-v]
Example
- Linux:
embold-scanner analyse -c <./repository-configuration.json> -u <Embold URL> -t <Embold TOKEN> [-b <BASE_DIR>] [-d <DATA_DIR>] [-s <snapshot name>] [-r <REPO UID>] [-sh <CORONA PACKAGE PATH>] [-l <LOG_FOLDER>]
- Windows:
embold-scanner.bat analyse -c <./repository-configuration.json> -u <Embold URL> -t <Embold TOKEN> [-b <BASE_DIR>] [-d <DATA_DIR>] [-s <snapshot name>] [-r <REPO UID>] [-sh <CORONA PACKAGE PATH>] [-l <LOG_FOLDER>]
Options
Option | Description |
-t, --token <arg> | Embold token |
-u, --url <arg> | Embold URL |
-am, --analysis-mode <arg> | Analysis mode |
-b, --repository-base-dir <arg> | Scan will happen for this directory |
-c, --scan-config-file <arg> | Scan settings YAML/JSON file path |
-d, --data-dir <arg> | Data directory for temporary use |
-h, --help | Help |
-l, --scanner-logs <arg> | Embold scanner logs directory path |
-r, --repository-uid <arg> | The data will be published in this repository in the Embold UI |
-s, --snapshot-label <arg> | This label identifies the snapshot which will be published on the Embold UI after a successful scan. The value can also be an environment variable |
-sh, --scanner-home <arg> | Embold scanner home path |
-si, --session-id <arg> | Session ID |
-sp, --scan-profile <arg> | Scan profile XML file path |
-ssu, --skip-source-upload | Skip source upload |
-v, --verbose | Enable verbose mode |
After a successful remote scan, the results are displayed to the user in the Embold UI.
Prerequisites
- The file paths used for -sh (scanner home), -l (scanner logs) and -d (data directory) must have read and write permission.
- The following linters/tools must be installed on the remote machine:
Language | Linter | Version |
CPP | cppcheck | 2.8 |
C_SHARP | microsoft_security_codescan | 5.6.2 |
TYPESCRIPT | eslint | v7.32.0 |
TYPESCRIPT | tslint | 5.9.1 |
JAVASCRIPT | jshint | 2.9.5 |
JAVASCRIPT | eslint | v7.32.0 |
GO | staticcheck | v0.2.1 |
GO | gosec | 2.8.1 |
GO | gometalinter | v2.0.0 |
PYTHON | bandit | 1.7.0 |
PYTHON | pylint | 2.11.1 |
PYTHON | dlint | 0.11.0 |
PHP | phpcs | 3.2.3 |
PHP | phpmd | 2.6.1 |
RUBY | brakeman | 5.1.1 |
KOTLIN | detekt | 1.18.1 |
KOTLIN | mobsfscan | 0.1.0 |
SOLIDITY | solhint | 3.3.6 |
SWIFT | swiftlint | 0.32.0 |
APEX | pmd | 6.39.0 |
HTML | htmlhint | 0.15.1 |
SQL | sqlcheck | 1 |
CSS | stylelint | 14.15.1 |
INFRASTRUCTURE | checkov | 2.0.654 |
YAML | kubesec | 2.11.5 |
LUA | luacheck | 0.23.0 |
Prerequisites to run a remote scan for Swift
- Install Xcode on your macOS machine.
- Run the command below; the output should be the Xcode developer directory, similar to the screenshot below:
xcode-select -p
- If your output does not match the screenshot, run the command below:
sudo xcode-select -s /Applications/Xcode.app/Contents/Developer
- Re-verify the output of the following command:
xcode-select -p
- Your final output should match the screenshot below.
- Now run the remote scan.
Configuration for HTTPS-enabled Embold
- Import the same set of certificates used for Embold into the default JRE keystore on the standalone Corona machine.
- Default JRE keystore path: Java/jre1.8.0_171/lib/security (the cacerts file).
- The command is:
keytool -import -trustcacerts -alias gamma -file <certificate file> -keystore cacerts
Additional configuration for strict mode Embold remote scan for C/C++ code
- For an explanation of Embold strict mode analysis, refer to https://docs.embold.io/installation-and-backup-guide/#c-strict-mode
- In the repository-configuration.json file above, add the path of the compilation command JSON file generated by your build system under the additionalOptions section as follows:
"additionalOptions" : ["--cdb=<folder where the compile_commands.json file is generated>"]
OR
Add the generated compile_commands.json file under the baseDirectory path.
embold-scanner picks up the compilation command JSON file either from the path given with the --cdb option or from the base directory.
Running analysis in strict mode
- Set up your remote Embold instance. This is where your analysis results will be published. Follow the steps to set up remote analysis here.
- On your build machine, navigate to the base directory of your source folder. Generate the compilation database as explained here. You should then see a compile_commands.json file in your base directory.
- Install Corona on your build machine as explained here for Ubuntu, Windows and Red Hat Enterprise Linux/CentOS. For installer versions, refer to this section.
- Log in to Embold. Create a project. Link the repository you want to scan, selecting "remote" as the repository type. Read more about creating a project and linking a repository here.
- Select the repository and choose "Download repository configuration" from its drop-down menu.
- Open and edit the repository-configuration.json file. Provide the URL of the remote machine where Embold is running and set up token-based authentication.
Note: Embold has deprecated the use of username and password. Read more here.
- In the sources section, set the value of baseDir to the base directory path of your source folder on your build machine. You can also give exclusions.
e.g. to exclude folders named "build" and "test", give ".*build.*" and ".*test.*" in the exclusions section.
When editing ANY setting involving paths, even if you are running Corona on Windows, you must use the Unix-style path separator, i.e. a forward slash and not a backslash. Normal Windows-format paths will not work and result in an error message.
- Set dataDir to any desired location on your build machine.
- If you create a separate build folder for running the trace utility (intercept-build), use the --cdb additional option when running the scan.
The compile_commands.json is then created inside your build directory and not in the base directory of your source folder. Since the scanner looks for compile_commands.json in the base directory by default, use the --cdb option to specify the directory where your compile_commands.json is located.
- In the "settings" section, under "additionalOptions", set the directory where the compilation database resides.
Example: "--cdb=<directory containing compile_commands.json>"
- Go to the bin directory inside scanboxwrapper, e.g. $corona_home/scanboxwrapper/bin, and run the command below:
./gammascanner -c /home/user/gamma/corona/scanboxwrapper/examples/gammascan_typical.json
- If the scan is successful you should see "ANALYSIS SUCCESS". On your build machine, the last two log messages indicate that the remote analysis was successful.
- On your remote Embold instance, you will be able to see the published results.
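As an added example (not part of the Embold documentation or of the embold-scanner tool), the following Python builds the strict-mode settings described above for repository-configuration.json (baseDir, exclusions, dataDir, the --cdb additional option, forward slashes even on Windows) and resolves where the scanner will look for compile_commands.json; the JSON key layout in TEMPLATE and the directory layout in demo() are assumptions.

```python
import json
import os
import re
import tempfile

# Assumed shape of repository-configuration.json, built only from the key names the
# page mentions (baseDir, exclusions, dataDir, additionalOptions); the real file
# downloaded from Embold carries more keys, which this code would leave untouched.
TEMPLATE = {"sources": {"baseDir": "", "exclusions": []}, "dataDir": "",
            "settings": {"additionalOptions": []}}

def unix_path(path):
    """Embold requires forward slashes in every path value, even on Windows."""
    return path.replace("\\", "/")

def strict_mode_config(base_dir, data_dir, build_dir=None, exclude=("build", "test")):
    """Build the config for a C/C++ strict-mode scan; build_dir is the out-of-tree
    directory holding compile_commands.json, handed to the scanner via --cdb."""
    cfg = json.loads(json.dumps(TEMPLATE))          # deep copy of the template
    cfg["sources"]["baseDir"] = unix_path(base_dir)
    cfg["sources"]["exclusions"] = [".*%s.*" % re.escape(name) for name in exclude]
    cfg["dataDir"] = unix_path(data_dir)
    if build_dir:
        cfg["settings"]["additionalOptions"].append("--cdb=" + unix_path(build_dir))
    return cfg

def compilation_db_dir(cfg):
    """Directory the scanner reads compile_commands.json from: the --cdb directory
    when given, otherwise baseDir. Returns None when the file is not there."""
    opts = cfg["settings"]["additionalOptions"]
    cdb = [o[len("--cdb="):] for o in opts if o.startswith("--cdb=")]
    candidate = cdb[0] if cdb else cfg["sources"]["baseDir"]
    if os.path.isfile(os.path.join(candidate, "compile_commands.json")):
        return candidate
    return None

def demo():
    """Constructed layout: no compile_commands.json in baseDir, one in the build dir.
    Returns (dir found without --cdb, whether --cdb resolved to the build dir)."""
    with tempfile.TemporaryDirectory() as root:
        src, build = os.path.join(root, "src"), os.path.join(root, "src", "build")
        os.makedirs(build)
        open(os.path.join(build, "compile_commands.json"), "w").close()
        without_cdb = compilation_db_dir(strict_mode_config(src, root))
        with_cdb = compilation_db_dir(strict_mode_config(src, root, build_dir=build))
        return without_cdb, with_cdb == build
```

Without --cdb the scanner finds nothing because the database sits in the build folder; with --cdb it is resolved, which is exactly the failure mode the steps above warn about.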