Manual

Sensei can also be run from a headless environment, such as a build server. This is useful when Sensei has to be integrated into a build pipeline.

Installation

Performing headless scans only requires the special scanning jar together with an accompanying license. The license can be obtained by sending a request to support@securecodewarrior.com

The scanner will extract some required files the first time it is run.

Usage

Invoking the scanner

java -jar scanner.jar <args>

| Mandatory | Option | Description |
| --- | --- | --- |
| yes | --licensedir | Location of the directory that contains the license.sensei license file. |
| yes | --licenseident | Identifier of the license. |
| yes | --project | Location of the project path that has to be scanned. |
| yes | --cookbook | Location of a cookbook; project:// locations are allowed. This option can be specified more than once. |
| no | --ignoredir | A project-relative directory to ignore when scanning. This option can be specified more than once. |
| no | --srcpath | Relative path from the project folder that contains source files. Specifying this option disables automatic source discovery. This option can be specified more than once. |
| no | --testpath | Relative path from the project folder that contains test source files. Specifying this option disables automatic source discovery. This option can be specified more than once. |
| no | --output | Location of the output; stdout when unspecified. |
| no | --patch | Location of a patch file that contains the changes to be scanned. This option can be specified more than once. |
| no | --patchrelativepath | Path, relative to the project path given by --project, that the file paths inside the patch files are relative to. |
| no | --cp | Path to add to the project classpath when scanning. This option can be specified more than once. |
| no | --nojdkdetect | Don't automatically add JDK libraries to the project classpath. |
| no | --version | Exit after printing the version. |
| no | --mvncommand | Maven executable to use when resolving Maven dependencies from detected POM files. |
| no | --mvnoutput | Write Maven output to the files mvn.out (stdout) and mvn.err (stderr), for debugging. |
| no | --mvntimeout | Number of seconds to wait for Maven to complete before aborting. Defaults to 180. |
| no | --nomvn | Don't try to resolve dependencies from POM files. |
| no | --verbose | Prints slightly more verbose output to stdout. |
| no | --progress | Prints progress to stdout. |
| no | --dontstop | Continue scanning when an error occurs. |
| no | --jar | Path to the scanner jar file. Only required on some platforms where it cannot be auto-detected; a message is shown when this is needed. |

Example

java -jar scanner.jar \
    --licensedir /opt/sensei/license \
    --licenseident AAA \
    --project /opt/proj \
    --cookbook "project://.sensei" \
    --verbose \
    --progress \
    --output "results.txt"

Warning

The project directory to scan cannot be a parent of the working directory.

Output

Before scanning, some information is printed to standard output (regardless of the --output option). Five dashes mark the end of these information lines.

Running Sensei version 3.4.0
Loaded 28 recipes from 6 cookbooks
Scan started at 12 Aug 11:57:37
-----

Note

When the --verbose option is present, more information lines will be printed before and after the five dashes. These will always be printed to standard output, so scan results output will not be affected when the --output option is being used.

Note

A progress indicator will be shown when the --progress argument is present. This is always printed to standard output so it may interfere with scan results when no --output option was given.

The headless scanner writes the results of the scan to the file given by the --output option, or to standard output when that option is absent. The output is in a human-readable format, one finding per line:

[FILE:LINE] RECIPE_LEVEL - RECIPE_NAME (RULE_UID)
[src/java/com/scw/Main.java:20] ERROR - Use of System.out (5640-3052-2304-TKCE)

The possible recipe levels are:

  • ERROR

  • INFO

  • MARKED_INFO

  • WARNING

Exit Codes

The scanner will return different exit codes depending on the result of the analysis.

| Exit code | Meaning |
| --- | --- |
| 0 | OK, nothing violated |
| 1 | Highest level of marked recipes is “information” |
| 2 | Highest level of marked recipes is “marked information” |
| 3 | Highest level of marked recipes is “warning” |
| 4 | Highest level of marked recipes is “error” |
| 100 | License error |
| 101 | Sensei internal error |
| 102 | Invalid arguments supplied |
| 103 | No source files found |
| 104 | Cannot resolve given cookbook(s) |
| 105 | Failed to write output |
| 106 | Error with given patch file(s) |
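The following CI wrapper is an added example and is not part of the Sensei manual or product: it maps the exit codes above to a build verdict, keeps scanner setup failures (codes 100 and up) separate from findings, and counts result lines per recipe level. The jar and license paths, the SENSEI_LICENSE_IDENT variable and the second sample finding are placeholders and assumptions, not values from the manual.

```shell
#!/bin/sh
# Added example, not part of the Sensei manual. Paths, the license identifier
# and the failure threshold are placeholders for your own pipeline.

# Map a scanner exit code (see "Exit Codes") to a CI verdict.
# $1 = exit code, $2 = lowest finding level that fails the build
# (1 = information, 2 = marked information, 3 = warning, 4 = error).
sensei_verdict() {
    case "$1" in
        0|1|2|3|4) [ "$1" -ge "$2" ] && echo fail || echo pass ;;
        100|101|102|103|104|105|106) echo scanner-error ;;  # setup problem, not a finding
        *) echo unknown ;;
    esac
}

# Count result lines of one recipe level ($1) in a --output file ($2).
# Result lines look like: [FILE:LINE] RECIPE_LEVEL - RECIPE_NAME (RULE_UID)
count_level() {
    grep -c "^\[[^]]*\] $1 - " "$2" || true   # grep -c exits 1 when nothing matched
}

# Run a headless scan. Results go to the --output file while --progress chatter
# stays on stdout, so the two never mix. Runs from /tmp because the project
# directory must not be a parent of the working directory (see "Warning").
run_scan() {
    project=$1; results=$2
    ( cd /tmp && java -jar /opt/sensei/scanner.jar \
        --licensedir /opt/sensei/license \
        --licenseident "$SENSEI_LICENSE_IDENT" \
        --project "$project" \
        --cookbook "project://.sensei" \
        --progress \
        --output "$results" )
}

# Constructed sample results so the helpers can be tried without the scanner
# (the second rule UID is a placeholder, not a real recipe).
write_constructed_sample() {
    cat > "$1" <<'EOF'
[src/java/com/scw/Main.java:20] ERROR - Use of System.out (5640-3052-2304-TKCE)
[src/java/com/scw/Main.java:31] WARNING - Constructed sample finding (XXXX-XXXX-XXXX-XXXX)
EOF
}

# Offline demo. A real CI step would do:  rc=0; run_scan "$PWD" results.txt || rc=$?
# and then gate the build on:  sensei_verdict "$rc" 3
sample=$(mktemp)
write_constructed_sample "$sample"
echo "errors: $(count_level ERROR "$sample"), warnings: $(count_level WARNING "$sample")"
echo "verdict for exit code 4 at threshold 3: $(sensei_verdict 4 3)"
rm -f "$sample"
```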