10 1. CLI Usage
Gabe Stocco редактировал(а) эту страницу 2023-12-12 10:35:31 -08:00

Obtaining the CLI

Initial Install

Install the .NET SDK and then run dotnet tool install --global Microsoft.CST.ApplicationInspector.CLI.

Updating

The tool does not automatically update, but you can update to the latest version of AppInspector with dotnet tool update --global Microsoft.CST.ApplicationInspector.CLI.

Binary Download:

Download an Application Inspector release from the GitHub releases. These releases are platform specific and don't require a .NET SDK install.

Basic CLI Usage

> AppInspector <command> <options>

ApplicationInspector.CLI 1.6.22+a4d4df45d0
c Microsoft Corporation. All rights reserved.

  analyze        Inspect source directory/file/compressed file (.tgz|zip)
                 against defined characteristics

  tagdiff        Compares unique tag values between two source paths

  exporttags     Export the list of tags associated with the specified rules.
                 Does not scan source code.

  verifyrules    Verify custom rules syntax is valid

  packrules      Combine multiple rule files into one file for ease in
                 distribution

  help           Display more information on a specific command.

  version        Display version information.

Examples:

Command Help

For help with an individual command run appinspector <command> --help. To see a list of available commands run appinspector --help.

Analyze Command

  Usage: AppInspector analyze [arguments] [options]

  Arguments:
    -s, --source-path                       Required. Source file or directory to
                                          inspect, comma separated

  -f, --output-file-format                (Default: html) Output format
                                          [html|json|text]

  -e, --text-format                       (Default:
                                          Tag:%T,Rule:%N,Ruleid:%R,Confidence:%X
                                          ,File:%F,Sourcetype:%t,Line:%L,Sample:
                                          %m) Match text format specifiers

  -N, --no-show-progress                  Disable progress information.

  -C, --context-lines                     Number of lines of context on each
                                          side to include in excerpt (up to a
                                          maximum of 100 * NumLines characters
                                          on each side). 0 to skip exerpt. -1 to
                                          not extract samples or excerpts
                                          (implied by -t). When outputting sarif
                                          use -1 for no snippets, all other
                                          values ignored.

  -t, --tags-only                         Only get tags (no detailed match
                                          data). Ignored if output format is
                                          sarif.

  -n, --no-file-metadata                  Don't collect metadata about each
                                          individual file.

  -A, --allow-all-tags-in-build-files     Allow all tags (not just Metadata
                                          tags) in files of type Build.

  -M, --max-num-matches-per-tag           If non-zero, and TagsOnly is not set,
                                          will ignore rules based on if all of
                                          their tags have been found the set
                                          value number of times.

  --base-path                             If set, when outputting sarif, will
                                          have paths made relative to the
                                          provided path.

  --repository-uri                        If set, when outputting sarif, include
                                          this information.

  --commit-hash                           If set, when outputting sarif, include
                                          this information.

  --disable-custom-rule-validation        By default when providing custom rules
                                          they are validated. When set,
                                          validation will be skipped.

  -i, --ignore-default-rules              (Default: false) Exclude default rules
                                          bundled with application

  -F, --file-timeout                      (Default: 60000) Maximum amount of
                                          time in milliseconds to allow for
                                          processing each file. 0 is infinity.
                                          Default: 60000.

  -p, --processing-timeout                (Default: 0) Maximum amount of time in
                                          milliseconds to allow for processing.
                                          When NoShowProgress is set this
                                          includes enumeration time. 0 is
                                          infinity. Default: 0.

  --enumeration-timeout                   (Default: 0) Maximum amount of time in
                                          milliseconds to allow for enumerating.
                                          0 is infinity. Default: 0.

  --disable-archive-crawling              Disable Archive Enumeration.

  -S, --single-threaded                   Disables parallel processing. May be
                                          helpful for debugging with higher
                                          verbosity.

  -g, --exclusion-globs                   (Default: **/bin/** **/obj/**
                                          **/.vs/** **/.git/**) Exclude source
                                          files that match glob patterns.
                                          Example: "**/.git/**,*Tests*".  Use
                                          "none" to disable.

  -u, --scan-unknown-filetypes            Scan files of unknown types.

  -c, --confidence-filters                (Default: High Medium) Output only
                                          matches with specified confidence
                                          <value>,<value>. Default: Medium,High.
                                          [High|Medium|Low]

  --severity-filters                      (Default: Critical Important Moderate
                                          BestPractice ManualReview) Output only
                                          matches with specified severity
                                          <value>,<value>. Default: All are
                                          enabled.
                                          [Critical|Important|Moderate|BestPract
                                          ice|ManualReview]

  -r, --custom-rules-path                 Custom rules file or directory path

  --custom-languages-path                 Replace the default languages set with
                                          a custom languages.json.

  --custom-comments-path                  Replace the default comment
                                          specification set with a custom
                                          comments.json.

  --disable-require-unique-ids            Allow rules with duplicate IDs.

  --success-error-code-with-no-matches    When processing is apparently
                                          successful but there are no matches
                                          return a success error code - useful
                                          for CI.

  --require-must-match                    When validating, require rules to have
                                          MustMatch self-tests.

  --require-must-not-match                When validating, require rules to have
                                          MustNotMatch self-tests.

  -o, --output-file-path                  Output file path

  -x, --console-verbosity                 (Default: Information) Console
                                          verbosity
                                          [Verbose|Debug|Information|Warning|Err
                                          or|Fatal]

  --disable-console                       (Default: false) Disable console
                                          output of logging messages.

  -v, --log-file-level                    (Default: Error) Log file level
                                          [Verbose|Debug|Information|Warning|Err
                                          or|Fatal]

  -l, --log-file-path                     Log file path. If not set, will not
                                          log to file.

  --help                                  Display this help screen.

  --version                               Display version information.
Scan a project directory, with output sent to "output.html" (default behavior includes launching default browser to this file)
  AppInspector analyze -s /home/user/myproject 
Scan using custom rules and ignoring default rules
  AppInspector analyze -s /home/user/myproject -r /home/user/myrules -i
Write to JSON format
  AppInspector analyze -s /home/user/myproject -f json
Write to Sarif format
  AppInspector analyze -s /home/user/myproject -f sarif

Tag Diff Command

Use to analyze and report on differences in tags (features) between two project or project versions e.g. v1, v2 to see what changed

  Usage: AppInspector tagdiff [arguments] [options]

  Arguments:
   --src1                                  Required. Source 1 to compare (commaa
                                          separated)

  --src2                                  Required. Source 2 to compare (commaa
                                          separated)

  -t, --test-type                         (Default: Equality) Type of test to
                                          run [Equality|Inequality]

  --disable-custom-rule-validation        By default when providing custom rules
                                          they are validated. When set,
                                          validation will be skipped.

  -i, --ignore-default-rules              (Default: false) Exclude default rules
                                          bundled with application

  -F, --file-timeout                      (Default: 60000) Maximum amount of
                                          time in milliseconds to allow for
                                          processing each file. 0 is infinity.
                                          Default: 60000.

  -p, --processing-timeout                (Default: 0) Maximum amount of time in
                                          milliseconds to allow for processing.
                                          When NoShowProgress is set this
                                          includes enumeration time. 0 is
                                          infinity. Default: 0.

  --enumeration-timeout                   (Default: 0) Maximum amount of time in
                                          milliseconds to allow for enumerating.
                                          0 is infinity. Default: 0.

  --disable-archive-crawling              Disable Archive Enumeration.

  -S, --single-threaded                   Disables parallel processing. May be
                                          helpful for debugging with higher
                                          verbosity.

  -g, --exclusion-globs                   (Default: **/bin/** **/obj/**
                                          **/.vs/** **/.git/**) Exclude source
                                          files that match glob patterns.
                                          Example: "**/.git/**,*Tests*".  Use
                                          "none" to disable.

  -u, --scan-unknown-filetypes            Scan files of unknown types.

  -c, --confidence-filters                (Default: High Medium) Output only
                                          matches with specified confidence
                                          <value>,<value>. Default: Medium,High.
                                          [High|Medium|Low]

  --severity-filters                      (Default: Critical Important Moderate
                                          BestPractice ManualReview) Output only
                                          matches with specified severity
                                          <value>,<value>. Default: All are
                                          enabled.
                                          [Critical|Important|Moderate|BestPract
                                          ice|ManualReview]

  -r, --custom-rules-path                 Custom rules file or directory path

  --custom-languages-path                 Replace the default languages set with
                                          a custom languages.json.

  --custom-comments-path                  Replace the default comment
                                          specification set with a custom
                                          comments.json.

  --disable-require-unique-ids            Allow rules with duplicate IDs.

  --success-error-code-with-no-matches    When processing is apparently
                                          successful but there are no matches
                                          return a success error code - useful
                                          for CI.

  --require-must-match                    When validating, require rules to have
                                          MustMatch self-tests.

  --require-must-not-match                When validating, require rules to have
                                          MustNotMatch self-tests.

  -o, --output-file-path                  Output file path

  -f, --output-file-format                (Default: text) Output format
                                          [json|text]

  -x, --console-verbosity                 (Default: Information) Console
                                          verbosity
                                          [Verbose|Debug|Information|Warning|Err
                                          or|Fatal]

  --disable-console                       (Default: false) Disable console
                                          output of logging messages.

  -v, --log-file-level                    (Default: Error) Log file level
                                          [Verbose|Debug|Information|Warning|Err
                                          or|Fatal]

  -l, --log-file-path                     Log file path. If not set, will not
                                          log to file.

  --help                                  Display this help screen.

  --version                               Display version information.
Simplest way to see the delta of tag features between two projects
  AppInspector tagdiff --src1 /home/user/project1 --src2 /home/user/project2
Basic use
  AppInspector tagdiff --src1 /home/user/project1 --src2 /home/user/project2 -t equality
Basic use
  AppInspector tagdiff --src1 /home/user/project1 --src2 /home/user/project2 -t inequality

Export Tags Command

Simple export of the ruleset tags representing what features are supported for detection

  Usage: AppInspector exporttags [arguments] [options]

  Arguments:
  -r, --custom-rules-path       Custom rules file or directory path

  -i, --ignore-default-rules    (Default: false) Exclude default rules bundled
                                with application

  -o, --output-file-path        Output file path

  -f, --output-file-format      (Default: text) Output format [json|text]

  -x, --console-verbosity       (Default: Information) Console verbosity
                                [Verbose|Debug|Information|Warning|Error|Fatal]

  --disable-console             (Default: false) Disable console output of
                                logging messages.

  -v, --log-file-level          (Default: Error) Log file level
                                [Verbose|Debug|Information|Warning|Error|Fatal]

  -l, --log-file-path           Log file path. If not set, will not log to file.

  --help                        Display this help screen.

  --version                     Display version information.

Export default rule tags to console
  AppInspector exporttags
Using output file
  AppInspector exporttags -o /home/user/myproject/exportags.txt
With custom rules and output file
  AppInspector exporttags -r /home/user/myproject/customrules -o /hom/user/myproject/exportags.txt

Verify Rules Command

Verify a custom ruleset is compatible and error free for use with Application Inspector. Note the default ruleset is already verified as part of the Build process and does not normally require a separate verification.

  Usage: AppInspector verifyrules [arguments]

  Arguments:

    -d, --verify-default-rules              (Default: false) Verify the rules
                                          embedded in the binary.

  -r, --custom-rules-path                 Custom rules file or directory path

  --custom-languages-path                 Replace the default languages set with
                                          a custom languages.json.

  --custom-comments-path                  Replace the default comment
                                          specification set with a custom
                                          comments.json.

  --disable-require-unique-ids            Allow rules with duplicate IDs.

  --success-error-code-with-no-matches    When processing is apparently
                                          successful but there are no matches
                                          return a success error code - useful
                                          for CI.

  --require-must-match                    When validating, require rules to have
                                          MustMatch self-tests.

  --require-must-not-match                When validating, require rules to have
                                          MustNotMatch self-tests.

  -o, --output-file-path                  Output file path

  -f, --output-file-format                (Default: text) Output format
                                          [json|text]

  -x, --console-verbosity                 (Default: Information) Console
                                          verbosity
                                          [Verbose|Debug|Information|Warning|Err
                                          or|Fatal]

  --disable-console                       (Default: false) Disable console
                                          output of logging messages.

  -v, --log-file-level                    (Default: Error) Log file level
                                          [Verbose|Debug|Information|Warning|Err
                                          or|Fatal]

  -l, --log-file-path                     Log file path. If not set, will not
                                          log to file.

  --help                                  Display this help screen.

  --version                               Display version information.

Simplest case
  AppInspector verifyrules -r /home/user/mycustomrules

Pack Rules Command

Condense multiple rule files into one for ease in distribution with Application Inspector

  Usage: AppInspector packrules [arguments]

  Arguments:

  -e, --pack-embedded-rules               Pack the rules that are embedded in
                                          the application inspector binary.

  -r, --custom-rules-path                 Custom rules file or directory path

  --custom-languages-path                 Replace the default languages set with
                                          a custom languages.json.

  --custom-comments-path                  Replace the default comment
                                          specification set with a custom
                                          comments.json.

  --disable-require-unique-ids            Allow rules with duplicate IDs.

  --success-error-code-with-no-matches    When processing is apparently
                                          successful but there are no matches
                                          return a success error code - useful
                                          for CI.

  --require-must-match                    When validating, require rules to have
                                          MustMatch self-tests.

  --require-must-not-match                When validating, require rules to have
                                          MustNotMatch self-tests.

  -o, --output-file-path                  Output file path

  -f, --output-file-format                (Default: text) Output format
                                          [json|text]

  -x, --console-verbosity                 (Default: Information) Console
                                          verbosity
                                          [Verbose|Debug|Information|Warning|Err
                                          or|Fatal]

  --disable-console                       (Default: false) Disable console
                                          output of logging messages.

  -v, --log-file-level                    (Default: Error) Log file level
                                          [Verbose|Debug|Information|Warning|Err
                                          or|Fatal]

  -l, --log-file-path                     Log file path. If not set, will not
                                          log to file.

  --help                                  Display this help screen.

  --version                               Display version information.

Simplist case to repack default rules into default or alternate location
  AppInspector packrules -d -o /home/user/myproject/defaultrules.json
Using custom rules only
  AppInspector packrules -r /home/user/myproject/customrules -o /home/user/mypackedcustomrules.json