The scanning in Docker mode is currently only suitable for exploration and is not recommended for quick experience and development use.
Make sure you have installed Docker before proceeding.
$ cd corax-community // Must be in the root directory corax-community of this project to build the Docker image
$ docker build --network=host -t corax-community .During the build, it will automatically download the corax-java-cli-community-x.x.zip from the GitHub repo release and unzip it to the /corax-community directory. After the build is complete, a shortcut will be generated as /corax-community/corax-cli.jar.
Considering that network limitations may be encountered, you can also manually download the
CoraxJava Core Engineand place it in/corax-community, ensuring that the version number matchesDockerfile CORAX_VERSION.
Usage:
$ corax_cmd='java -jar corax-cli.jar --verbosity info --enable-data-flow true --target java --config default-config.yml@./build/analysis-config --result-type sarif --auto-app-classes {Mapped project path inside the container} --output /reports/{Project name}'
$ docker run -it --rm -v {Specify the output path of the scan result on the host machine}:/reports/ -v {Specify the root path of the project to be scanned on the host machine}:{Mapped project path inside the container} corax-community ${corax_cmd}Note:
Since the scanning takes place inside the container, you need to map the code repository into the container; otherwise, the scan will not work.
Because the sarif format requires absolute paths in the description, to experience the jumping functionality of sarif related plugins, you need to follow one of the following methods:
-
Method 1: On a Linux host machine, you can keep the paths mapped to the container consistent with the real paths on the host machine.
-
Method 2: Report path mapping (e.g., for a Windows host or when Method 1 cannot map certain paths)
You need to add the
--result-type SarifCopySrcparameter to the analysis command.The generated report also needs to use the following command to replace the source code paths in batches:
- If the host machine has a shell environment (Linux or WSL on Windows)
>> sudo apt-get install jq >> srcroot_uri="file:///C:/Users/xxx/reports/corax-config-tests/sarif-copy/src_root" // Absolute path to src_root on the host machine. Note: it must be an absolute path, and file:/// has three forward slashes >> cd reports/corax-config-tests/sarif-copy // Location of report output on the host machine >> (IFS=$'\n'; for sarif in $(find . -maxdepth 1 -name "*.sarif"); do jq ".runs[].originalUriBaseIds.SRCROOT.uri = \"${srcroot_uri}\"" $sarif > $sarif.tmp ; mv $sarif.tmp $sarif ; done)
- If the host machine has Python:
>> python3 -c "import base64;exec(base64.b64decode('aW1wb3J0IG9zLGpzb24sc3lzCgpkaXJlY3RvcnkgPSBzeXMuYXJndlsxXSAgIyBTcGVjaWZ5IHRoZSBkaXJlY3RvcnkKdXJpID0gc3lzLmFyZ3ZbMl0gICMgdXJpIG9mIHNyYyByb290IAoKIyBGaW5kIGZpbGVzIHdpdGggIi5zYXJpZiIgZXh0ZW5zaW9uCnNhcmlmX2ZpbGVzID0gW2ZpbGUgZm9yIGZpbGUgaW4gb3MubGlzdGRpcihkaXJlY3RvcnkpIGlmIGZpbGUuZW5kc3dpdGgoIi5zYXJpZiIpXQoKZm9yIHNhcmlmX2ZpbGUgaW4gc2FyaWZfZmlsZXM6CiAgICBzYXJpZl9wYXRoID0gb3MucGF0aC5qb2luKGRpcmVjdG9yeSwgc2FyaWZfZmlsZSkKCiAgICB3aXRoIG9wZW4oc2FyaWZfcGF0aCwgInIiLCBlbmNvZGluZz0idXRmLTgiKSBhcyBmaWxlOgogICAgICAgIGRhdGEgPSBqc29uLmxvYWQoZmlsZSkKCiAgICAjIE1vZGlmeSB0aGUgdmFsdWVzIG9mIHVyaSBmaWVsZCBpbiB0aGUgSlNPTiBkYXRhCiAgICBmb3IgcnVuIGluIGRhdGEuZ2V0KCJydW5zIiwgW10pOgogICAgICAgIGlmICJvcmlnaW5hbFVyaUJhc2VJZHMiIGluIHJ1bjoKICAgICAgICAgICAgcnVuWyJvcmlnaW5hbFVyaUJhc2VJZHMiXVsiU1JDUk9PVCJdWyJ1cmkiXSA9IHVyaQoKICAgIHdpdGggb3BlbihzYXJpZl9wYXRoLCAidyIsIGVuY29kaW5nPSJ1dGYtOCIpIGFzIGZpbGU6CiAgICAgICAganNvbi5kdW1wKGRhdGEsIGZpbGUsIGluZGVudD00KQ=='))" reports/corax-config-tests/sarif-copy "file:///C:/Users/xxx/reports/corax-config-tests/sarif-copy/src_root"Now you can browse the sarif report normally on the host machine.