Awesome
SARIF support for Radare2
Static Analysis Results Interchange Format (SARIF) Version 2.0
--pancake
Description
This plugin for radare2 adds the sarif
command to the r2 shell which allows
to import and export SARIF documents (JSON files) into the current session,
allowing the analyst to report and visualize the reported vulnerabilities in
a binary using a standard file format.
Installation
This is the recommended way to install r2sarif nowadays, in your home and symlinked.
$ make && make user-symstall
For distro packaging reasons you may want to use make install instead.
Use the classic user-uninstall
and uninstall
targets to get rid of it.
Usage
[0x00000000]> sarif?
sarif add [L] [id] [M] - add a new result with selected driver
sarif alias [newalias] - create an alias for the sarif command
sarif export - export added rules as sarif json
sarif help - show this help message (-h)
sarif list [help] - list drivers, rules and results
sarif load [file] - import sarif info from given file
sarif r2 - generate r2 script to import current doc results
sarif reset - unload all documents
sarif select [N] - select the nth driver
sarif unload [N] - unload the nth document
sarif version - show plugin version
[0x00000000]>
First you need to load the drivers with their rules, so you can load them as flags and comments into your r2 session and use them to create your
[0x00000000]> sarif load rules.json
Those can be listed with sarif list [what]
and use sarif select
to pick
which document you want the rest of commands to use.
Creating your own sarif document
- Seek to the offset where the vulnerability is spotted
s 0x802180490
- Add a warning note in the current offset associated with a comment
sarif addw SF01010 Do not use this API
You can now export the sarif file in json using the following command:
[0x00000000]> sarif dump > sarif.report.json
[0x00000000]> sarif r2 > sarif.script.r2
Alternatively you can combine multiple finding documents and load that info inside r2:
[0x00000000]> sarif load report0.json
[0x00000000]> sarif load report1.json
[0x00000000]> .sarif r2
You will have flags prefixed with sarif.
to spot them in the binary. f~^sarif
Reference Links
- https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning
- https://github.com/microsoft/sarif-tutorials/
- https://docs.oasis-open.org/sarif/sarif/v2.0/sarif-v2.0.html
- https://sarifweb.azurewebsites.net/#Specification
- https://github.blog/2024-02-14-fixing-security-vulnerabilities-with-ai/