bearer commit 41f19376
    docs/_data/bearer_scan.yaml
    skipped 49 lines
    50 50   usage: Suppress non-essential messages
    51 51   - name: report
    52 52   default_value: security
    53  - usage: Specify the type of report (security, privacy).
     53 + usage: Specify the type of report (security, privacy, dataflow).
    54 54   - name: scanner
    55 55   default_value: '[sast]'
    56 56   usage: |
    skipped 19 lines
    docs/explanations/reports.md
    skipped 3 lines
    4 4   
    5 5  # Report Types
    6 6   
    7  -Bearer can generate two types of reports about your codebase, all from the same underlying scan.
     7 +Bearer can generate various types of reports about your codebase, all from the same underlying scan.
    8 8   
    9 9  ## Security Report
    10 10   
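Review bot: "various types" is vaguer than the "two types" it replaces; the sections below document exactly three (Security, Privacy, Data Flow), so write "three types of reports" or name them in this sentence so the reader knows what the page covers before reaching the headings.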
    skipped 109 lines
    120 120   
    121 121  The custom map file should follow the format used by [subject_mapping.json]({{meta.sourcePath}}/blob/main/pkg/classification/db/subject_mapping.json). Replace a key’s value with the higher-level subject you’d like to associate it with. Some examples might include Customer, Employee, Client, Patient, etc. Bearer will use your replacement file instead of the default, so make sure to include any and all subjects you want reported.
    122 122   
     123 +## Data Flow Report
     124 + 
     125 +The data flow report breaks down the data types and associated components detected in your code. It highlights areas in your code that process personal and sensitive data and where this data may be exposed to third parties and databases.
     126 + 
     127 +You can use this to gain more detailed insights beyond what the Privacy report offers, and build additional documentation like data catalogs. In the following example, we can see all the places an `Email Address` is processed by our [example application](https://github.com/Bearer/bear-publishing):
     128 + 
     129 +```json
     130 +{
     131 + "data_types": [
     132 + {
     133 + "name": "Email Address",
     134 + "detectors": [
     135 + {
     136 + "name": "ruby",
     137 + "locations": [
     138 + {
     139 + "filename": "app/controllers/application_controller.rb",
     140 + "line_number": 35,
     141 + "field_name": "email",
     142 + "object_name": "current_user",
     143 + "subject_name": "User"
     144 + },
     145 + {
     146 + "filename": "app/controllers/application_controller.rb",
     147 + "line_number": 37,
     148 + "field_name": "email",
     149 + "object_name": "current_user",
     150 + "subject_name": "User"
     151 + },
     152 + ...
     153 + ]
     154 + },
     155 + {
     156 + "name": "schema_rb",
     157 + "locations": [
     158 + {
     159 + "filename": "db/schema.rb",
     160 + "line_number": 91,
     161 + "stored": true,
     162 + "parent": {
     163 + ...
     164 + },
     165 + "field_name": "email",
     166 + "object_name": "users",
     167 + "subject_name": "User"
     168 + }
     169 + ]
     170 + }
     171 + ]
     172 + },
     173 + ]
     174 +}
     175 +```
     176 + 
     177 +If we look at the `db/schema.rb` file mentioned in the report, we can see that email is exposed:
     178 +```ruby
     179 + create_table "users", force: :cascade do |t|
     180 + t.string "name"
     181 + t.string "email"
     182 + t.string "telephone"
     183 + t.integer "organization_id", null: false
     184 + t.datetime "created_at", null: false
     185 + t.datetime "updated_at", null: false
     186 + t.index ["organization_id"], name: "index_users_on_organization_id"
     187 + end
     188 +```
     189 + 
     190 +To run your first data flow report, run `curio scan` with the `--report dataflow` flag. By default, the data flow report is output in JSON format. To format as YAML, use the `--format yaml` flag.
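Review bot: the closing paragraph tells the reader to run `curio scan`, but every other file in this commit names the CLI `bearer` (the docs data file is docs/_data/bearer_scan.yaml), so this should almost certainly read `bearer scan --report dataflow`; please confirm the binary name and fix. Two further issues in the same hunk: "we can see that email is exposed" overstates what the example shows, since the `schema_rb` location carries `"stored": true`, i.e. the field is persisted in the `users` table, so "stored" is the accurate word (exposure to third parties is promised in the first paragraph but not demonstrated here); and the JSON sample has a trailing comma after the data-type object's closing `},` right before `]`, which makes the snippet invalid JSON even allowing for the `...` placeholders, so drop that comma. A blank line before the ```ruby fence would also keep the markdown rendering consistent with the JSON block above it.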
    e2e/flags/.snapshots/TestMetadataFlags-help-scan
    skipped 11 lines
    12 12  Report Flags
    13 13   -f, --format string Specify report format (json, yaml)
    14 14   --output string Specify the output path for the report.
    15  - --report string Specify the type of report (security, privacy). (default "security")
     15 + --report string Specify the type of report (security, privacy, dataflow). (default "security")
    16 16   --severity string Specify which severities are included in the report. (default "critical,high,medium,low,warning")
    17 17   
    18 18  Rule Flags
    skipped 23 lines
    e2e/flags/.snapshots/TestMetadataFlags-scan-help
    skipped 11 lines
    12 12  Report Flags
    13 13   -f, --format string Specify report format (json, yaml)
    14 14   --output string Specify the output path for the report.
    15  - --report string Specify the type of report (security, privacy). (default "security")
     15 + --report string Specify the type of report (security, privacy, dataflow). (default "security")
    16 16   --severity string Specify which severities are included in the report. (default "critical,high,medium,low,warning")
    17 17   
    18 18  Rule Flags
    skipped 23 lines
    e2e/flags/.snapshots/TestReportFlagsShouldFail-invalid-context-flag
    skipped 12 lines
    13 13  Report Flags
    14 14   -f, --format string Specify report format (json, yaml)
    15 15   --output string Specify the output path for the report.
    16  - --report string Specify the type of report (security, privacy). (default "security")
     16 + --report string Specify the type of report (security, privacy, dataflow). (default "security")
    17 17   --severity string Specify which severities are included in the report. (default "critical,high,medium,low,warning")
    18 18   
    19 19  Rule Flags
    skipped 23 lines
    e2e/flags/.snapshots/TestReportFlagsShouldFail-invalid-format-flag
    skipped 12 lines
    13 13  Report Flags
    14 14   -f, --format string Specify report format (json, yaml)
    15 15   --output string Specify the output path for the report.
    16  - --report string Specify the type of report (security, privacy). (default "security")
     16 + --report string Specify the type of report (security, privacy, dataflow). (default "security")
    17 17   --severity string Specify which severities are included in the report. (default "critical,high,medium,low,warning")
    18 18   
    19 19  Rule Flags
    skipped 23 lines
    e2e/flags/.snapshots/TestReportFlagsShouldFail-invalid-report-flag
    skipped 12 lines
    13 13  Report Flags
    14 14   -f, --format string Specify report format (json, yaml)
    15 15   --output string Specify the output path for the report.
    16  - --report string Specify the type of report (security, privacy). (default "security")
     16 + --report string Specify the type of report (security, privacy, dataflow). (default "security")
    17 17   --severity string Specify which severities are included in the report. (default "critical,high,medium,low,warning")
    18 18   
    19 19  Rule Flags
    skipped 23 lines
    pkg/flag/report_flags.go
    skipped 13 lines
    14 14   ReportPrivacy = "privacy"
    15 15   ReportSecurity = "security"
    16 16   ReportDetectors = "detectors" // nodoc: internal report type
    17  - ReportDataFlow = "dataflow" // nodoc: internal report type
     17 + ReportDataFlow = "dataflow"
    18 18   ReportStats = "stats" // nodoc: internal report type
    19 19   
    20 20   DefaultSeverity = "critical,high,medium,low,warning"
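Review bot: removing the `// nodoc: internal report type` marker promotes `dataflow` from an internal report to a documented, user-facing one, which turns its output shape (the `data_types` / `detectors` / `locations` objects with `stored`, `parent`, `field_name`, `object_name` and `subject_name` shown in docs/explanations/reports.md) into a contract that downstream tooling such as data catalogs will depend on; changes to those fields that were free while the report was internal will now be breaking, so either state the schema's stability in the docs or plan a versioning scheme for it. Also confirm that the `--report` value validation exercised by TestReportFlagsShouldFail-invalid-report-flag already accepts `dataflow`; if the value was only reachable through internal callers, the flag parser's allowed list needs it added, not just the usage string.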
    skipped 15 lines
    36 36   Name: "report",
    37 37   ConfigName: "report.report",
    38 38   Value: ReportSecurity,
    39  - Usage: "Specify the type of report (security, privacy).",
     39 + Usage: "Specify the type of report (security, privacy, dataflow).",
    40 40   }
    41 41   OutputFlag = Flag{
    42 42   Name: "output",
    skipped 98 lines