CAST HIGHLIGHT - Analyzer - Can Zip files or other archive files be used for Analysis ?

Follow

Source code available in zip files can be analysed with  the --includeArchiveContent command of the command line.

--includeArchiveContent {levelOfDepth} (optional) extracts content of archives and add it as part of the scan.

 

Details

The --includeArchiveContent of the command line supports .jar, .tar, .zip, .war files only. Please refer Highlight Automated Code Scan (Command Line)

  • When using the --includeArchiveContent flag user should have sufficient permission to write to the sourceDir so as to add the content of the zip files to the source directory, 

  • While using the includeArchivedContent option in the scan, files in archives found will not be listed with an absolute path but with a path including "archivedContent" that is dependent on how CAST Highlight processes the archived files

  • The level of depth that can be analysed in the zip can be decided based on the depth argument parameter passed on to --includeArchiveContent. {levelOfDepth} is the level of depth within archives you want to apply (e.g., "includeArchiveContent 2" will recursively look into 2 level of archive files).  

  • Although it is not recommended, you can use higher level of depth (max 99). 

  • The recommended Level of depth value is 3  ie --includeArchiveContent=3
  • Highlight do not know in advance the level of depth inside the zip. 
  • The depth argument is about zip files inside zip files. 
  • If Linux files are included in the zip, check if symbolic links exist in the zip.   Highlight command line do not support symbolic links.
  • Scan of password-encrypted archives are not supported. Corrupted archives cannot be scanned.

 

For JARs, the command line extracts the content and scans it. There is no decompilation from .jar to .java to do the analysis.

 

NB: *.tar is not the same as .tar.gz or .tgz and .tar.gz or tgz are tar files which have been gzipped, gzip format is not supported. Only .jar, .tar, .zip, .war files are supported. So .tar.gz files should be gunzipped  before Highlight can analyze them.

 

 

Related Articles

Highlight Automated Code Scan (Command Line)

CAST HIGHLIGHT - CLI - Error code 9 - Command Line unziping jars or zip error

 

Additional Resources

CAST Highlight Troubleshooting Guides

CAST Highlight Product Documentation

 

Ticket

38750, 43544, 44352, 45897, 47147, 48403, 49271

 

 

 

 

Have more questions? Submit a request

Comments

Powered by Zendesk