https://github.com/radareorg/r2sarif
Load, manage and create SARIF documents with radare2
https://github.com/radareorg/r2sarif
radare2 reports sarif security
Last synced: 5 months ago
JSON representation
Load, manage and create SARIF documents with radare2
- Host: GitHub
- URL: https://github.com/radareorg/r2sarif
- Owner: radareorg
- Created: 2024-03-19T14:14:50.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2025-03-27T03:53:36.000Z (over 1 year ago)
- Last Synced: 2026-01-26T13:52:57.889Z (5 months ago)
- Topics: radare2, reports, sarif, security
- Language: TypeScript
- Homepage: https://www.radare.org
- Size: 217 KB
- Stars: 3
- Watchers: 1
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# SARIF support for Radare2

Static Analysis Results Interchange Format (SARIF) Version 2.0
--pancake
## Description
This plugin for radare2 adds the `sarif` command to the r2 shell which allows
to import and export SARIF documents (JSON files) into the current session,
allowing the analyst to report and visualize the reported vulnerabilities in
a binary using a standard file format.
## Installation
This is the recommended way to install r2sarif nowadays, in your home and symlinked.
```
$ make && make user-symstall
```
For distro packaging reasons you may want to use make install instead.
Use the classic `user-uninstall` and `uninstall` targets to get rid of it.
## Usage
```
[0x00000000]> sarif?
sarif add [L] [id] [M] - add a new result with selected driver
sarif alias [newalias] - create an alias for the sarif command
sarif export - export added rules as sarif json
sarif help - show this help message (-h)
sarif list [help] - list drivers, rules and results
sarif load [file] - import sarif info from given file
sarif r2 - generate r2 script to import current doc results
sarif reset - unload all documents
sarif select [N] - select the nth driver
sarif unload [N] - unload the nth document
sarif version - show plugin version
[0x00000000]>
```
First you need to load the drivers with their rules, so you can load them as
flags and comments into your r2 session and use them to create your
```
[0x00000000]> sarif load rules.json
```
Those can be listed with `sarif list [what]` and use `sarif select` to pick
which document you want the rest of commands to use.
## Creating your own sarif document
* Seek to the offset where the vulnerability is spotted
* `s 0x802180490`
* Add a warning note in the current offset associated with a comment
* `sarif addw SF01010 Do not use this API`
You can now export the sarif file in json using the following command:
```
[0x00000000]> sarif dump > sarif.report.json
[0x00000000]> sarif r2 > sarif.script.r2
```
Alternatively you can combine multiple finding documents and load that info inside r2:
```
[0x00000000]> sarif load report0.json
[0x00000000]> sarif load report1.json
[0x00000000]> .sarif r2
```
You will have flags prefixed with `sarif.` to spot them in the binary. `f~^sarif`
## Reference Links
* https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning
* https://github.com/microsoft/sarif-tutorials/
* https://docs.oasis-open.org/sarif/sarif/v2.0/sarif-v2.0.html
* https://sarifweb.azurewebsites.net/#Specification
* https://github.blog/2024-02-14-fixing-security-vulnerabilities-with-ai/