
I'd like to run a findsecbugs scan (CLI version) against multiple jars, and I only want it to check for issues related to bad usage of crypto functions (like using MD5). How can I tell findsecbugs to only use detectors defined by me?

Thank you!

pinas

1 Answer


The CLI wraps the official SpotBugs CLI, so all SpotBugs options are available in the FindSecurityBugs CLI. You can use the -include parameter to define a filter file. Filter files can be used to define which detector or class should be considered.

findsecbugs.sh -include include.xml [...]

Other references:

  1. https://github.com/find-sec-bugs/find-sec-bugs/wiki/CLI-Tutorial
  2. https://github.com/find-sec-bugs/find-sec-bugs/wiki/Maven-configuration
h3xStream
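As an added example (not part of the answer above or of the Find Security Bugs project), the script below writes an -include filter that keeps only crypto-related bug patterns and then runs findsecbugs.sh over every jar in a directory. The pattern identifiers are taken from the Find Security Bugs bug-pattern list as I know it; check them against the version you run, and the findsecbugs.sh location is an assumption.

```shell
#!/bin/sh
# Added example: restrict a findsecbugs CLI scan to crypto-misuse patterns.
# FINDSECBUGS defaults to ./findsecbugs.sh (assumption; override via the environment).
FINDSECBUGS="${FINDSECBUGS:-./findsecbugs.sh}"

# Write a SpotBugs filter file to $1. With -include, only bugs that match a <Match>
# element are reported. SpotBugs accepts a comma-separated list in the pattern attribute.
# Pattern names are assumed from the Find Security Bugs bug-pattern list.
write_crypto_filter() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<FindBugsFilter>
  <Match>
    <!-- weak hashes, weak/insecurely configured ciphers, weak randomness, hard-coded keys -->
    <Bug pattern="WEAK_MESSAGE_DIGEST_MD5,WEAK_MESSAGE_DIGEST_SHA1,DES_USAGE,ECB_MODE,CIPHER_INTEGRITY,STATIC_IV,PREDICTABLE_RANDOM,HARD_CODE_KEY"/>
  </Match>
</FindBugsFilter>
EOF
}

# Print the command line that scans one jar ($2) with filter $1, writing an HTML report
# next to the jar. -include, -html and -output are standard SpotBugs CLI options.
scan_cmd() {
    printf '%s -include %s -html -output %s %s\n' \
        "$FINDSECBUGS" "$1" "${2%.jar}-findsecbugs.html" "$2"
}

# Scan every jar in directory $1 with filter $2. Set DRY_RUN=1 to print the commands
# instead of running them (useful for checking the invocation before a long scan).
scan_all_jars() {
    for jar in "$1"/*.jar; do
        [ -e "$jar" ] || continue   # no jars: the glob stays literal, skip it
        if [ "${DRY_RUN:-0}" = 1 ]; then
            scan_cmd "$2" "$jar"
        else
            "$FINDSECBUGS" -include "$2" -html -output "${jar%.jar}-findsecbugs.html" "$jar"
        fi
    done
}
```

Usage: `write_crypto_filter include.xml && scan_all_jars ./libs include.xml` produces one `<name>-findsecbugs.html` report per jar containing only the listed crypto findings.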