# Introduction
Microsoft Application Inspector is a software source code analysis tool that identifies well-known features and other interesting characteristics of code, to help determine **what the software is** or **what it does**, by running an inspection scan.
Application Inspector differs from traditional static analysis tools in that it does not attempt to classify patterns as "good" or "bad"; it simply reports what it finds against a set of over 500 rule patterns for feature detection, including features that impact security such as the use of cryptography.
It includes a filterable confidence indicator to help minimize false-positive matches, as well as customizable default rules and conditional match logic.
See the project wiki at https://Github.com/Microsoft/ApplicationInspector/wiki for **illustrations** and additional help.
# Goals
Application Inspector cuts down on the time needed to determine what a component could do by quickly identifying well-known features in the code. **This can inform your choice of the component that best meets your needs while leaving the smallest footprint of unknowns, which is very important.** It lets you avoid including features you don't want for the problem, system, or context your app will run in.
Basically, we created Application Inspector to help us identify risky third-party software components based on their specific features, but the tool is helpful in many non-security contexts as well. For instance, it **can also help identify feature deltas or changes between versions, which can be critical for detecting the injection of backdoors.**
Application Inspector v1.0 is now in GENERAL AUDIENCE release status. Your feedback is important to us. If you're interested in contributing, please review the CONTRIBUTING.md.
# Using Application Inspector
To use Application Inspector, download the relevant binary (either platform-specific or the multi-platform .NET Core release). If you use the .NET Core version, you will need to have .NET Core 3.0 or later installed.
## Tags
Tags represent features using a systematic hierarchical nomenclature, e.g. Cryptography.Protocol.TLS.
## Usage
Application Inspector is a command-line tool. Run it from a command line in Windows, Linux, or MacOS.
Run `dotnet AppInspector.dll <command> <options>`, or on *Windows* simply `AppInspector.exe <command> <options>`. Running it with no command lists the available verbs:
```
Microsoft Application Inspector 1.0.17
ApplicationInspector 1.0.17
(c) Microsoft Corporation. All rights reserved
ERROR(S):
No verb selected.
analyze Inspect source directory/file/compressed file (.tgz|zip) against defined characteristics
tagdiff Compares unique tag values between two source paths
tagtest Test presence of smaller set or custom tags in source (compare or verify modes)
exporttags Export default unique rule tags to view what features may be detected
verifyrules Verify rules syntax is valid
help Display more information on a specific command
version Display version information
```
## Examples:
### Command Help
```
Usage: dotnet AppInspector.dll [arguments] [options]
dotnet AppInspector.dll                  description of available commands
dotnet AppInspector.dll help <command>   options description for a given command
```
### Analyze Command
```
Usage: dotnet AppInspector.dll analyze [arguments] [options]
Arguments:
-s, --source-path Required. Path to source code to inspect (required)
-o, --output-file-path Path to output file
-f, --output-file-format (Default: html) Output format [html|json|text]
-e, --text-format (Default: Tag:%T,Rule:%N,Ruleid:%R,Confidence:%X,File:%F,Sourcetype:%t,Line:%L,Sample:%m)
-r, --custom-rules-path Custom rules path
-t, --tag-output-only (Default: false) Output only contains identified tags
-i, --ignore-default-rules (Default: false) Ignore default rules bundled with application
-d, --allow-dup-tags (Default: false) Output only contains non-unique tag matches
-c, --confidence-filters (Default: high,medium) Output only if matches rule pattern confidence [<value>,] [high|medium|low]
-k, --include-sample-paths (Default: false) Include source files with (sample,example,test,.vs,.git) in pathname in analysis
-x, --console-verbosity (Default: medium) Console verbosity [high|medium|low|none]
-l, --log-file-path Log file path
-v, --log-file-level (Default: Error) Log file level [Debug|Info|Warn|Error|Fatal|Off]
```
##### Scan a project directory, with output sent to "output.html" (default behavior includes launching default browser to this file)
```
dotnet AppInspector.dll analyze -s /home/user/myproject
```
##### Add custom rules (can be specified multiple times)
```
dotnet AppInspector.dll analyze -s /home/user/myproject -r /my/rules/directory -r /my/other/rules
```
##### Write to JSON format
```
dotnet AppInspector.dll analyze -s /home/user/myproject -f json
```
### Tagdiff Command
Use to analyze and report on differences in tags (features) between two projects, or between two versions of a project (e.g. v1 and v2), to see what changed.
```
Usage: dotnet AppInspector.dll tagdiff [arguments] [options]
Arguments:
--src1 Required. Source 1 to compare (required)
--src2 Required. Source 2 to compare (required)
-t, --test-type (Default: equality) Type of test to run [equality|inequality]
-r, --custom-rules-path Custom rules path
-i, --ignore-default-rules (Default: false) Ignore default rules bundled with application
-o, --output-file-path Path to output file
-x, --console-verbosity Console verbosity [high|medium|low]
-l, --log-file-path Log file path
-v, --log-file-level Log file level [error|trace|debug|info]
```
##### Simplest way to see the delta in tag features between two projects
```
dotnet AppInspector.dll tagdiff --src1 /home/user/project1 --src2 /home/user/project2
```
##### Test whether the two sources have an identical set of tags (the default test type)
```
dotnet AppInspector.dll tagdiff --src1 /home/user/project1 --src2 /home/user/project2 -t equality
```
##### Test whether the two sources differ in their set of tags
```
dotnet AppInspector.dll tagdiff --src1 /home/user/project1 --src2 /home/user/project2 -t inequality
```
### TagTest Command
Used to verify (pass/fail) that a specified set of rule tags is present or not present in a project, e.g. when you
only want a true/false answer to "is cryptography present, as expected?" or "is personal data absent, as expected?"
and want a simple yes/no result rather than a full analysis report.
Note: Use the *custom-rules-path* option rather than the default ruleset, because it is unlikely that any source
package would match all of the default rules. Instead, create a custom path and rule set as needed, or point the
custom-rules-path at only the rule(s) you need from the default set.
Otherwise, testing for all default rules being present in the source will most likely yield a false (fail) result.
```
Usage: dotnet AppInspector.dll tagtest [arguments] [options]
Arguments:
-s, --source-path Required. Source to test (required)
-t, --test-type (Default: rulespresent) Test to perform [rulespresent|rulesnotpresent]
-r, --custom-rules-path Custom rules path
-i, --ignore-default-rules (Default: true) Ignore default rules bundled with application
-o, --output-file-path Path to output file
-x, --console-verbosity Console verbosity [high|medium|low]
-l, --log-file-path Log file path
-v, --log-file-level Log file level
```
#### Simplest use: check that all rules in a set are present in a project
```
dotnet AppInspector.dll tagtest -s /home/user/project1 -r /home/user/myrules.json
```
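The text-format output (`-e`), the confidence filter (`-c`), and the tagdiff and tagtest comparisons described above can be reproduced offline on saved reports. The following Python is an added example, not code from Application Inspector; the report lines, rule ids and every tag except Cryptography.Protocol.TLS are constructed for illustration.

```python
# Field order of the page's default -e/--text-format template:
# Tag:%T,Rule:%N,Ruleid:%R,Confidence:%X,File:%F,Sourcetype:%t,Line:%L,Sample:%m
FIELDS = ["Tag", "Rule", "Ruleid", "Confidence", "File", "Sourcetype", "Line", "Sample"]
CONFIDENCE_RANK = {"low": 0, "medium": 1, "high": 2}

def parse_line(line):
    # Sample (%m) is last and may contain commas, so split at most len(FIELDS)-1 times.
    parts = line.strip().split(",", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError(f"malformed line: {line!r}")
    rec = {}
    for expected, part in zip(FIELDS, parts):
        key, _, value = part.partition(":")  # first colon only: values may hold colons
        if key != expected:
            raise ValueError(f"expected field {expected}, got {key!r}")
        rec[key] = value
    rec["Line"] = int(rec["Line"])
    return rec

def parse_report(text, min_confidence="medium"):
    # Keep matches at or above min_confidence, like -c/--confidence-filters.
    floor = CONFIDENCE_RANK[min_confidence]
    recs = (parse_line(ln) for ln in text.splitlines() if ln.strip())
    return [r for r in recs if CONFIDENCE_RANK[r["Confidence"].lower()] >= floor]

def unique_tags(records):
    return {r["Tag"] for r in records}

def tag_diff(records1, records2):
    # tagdiff-style comparison: tags unique to each side plus an equality verdict.
    t1, t2 = unique_tags(records1), unique_tags(records2)
    return {"only_in_1": sorted(t1 - t2), "only_in_2": sorted(t2 - t1), "equal": t1 == t2}

def tag_test(records, tags, test_type="rulespresent"):
    # tagtest-style pass/fail: every tag present, or none of the tags present.
    found = unique_tags(records)
    if test_type == "rulespresent":
        return all(t in found for t in tags)
    if test_type == "rulesnotpresent":
        return not any(t in found for t in tags)
    raise ValueError(f"unknown test type {test_type!r}")

# Constructed sample reports in the default text format (not real tool output).
REPORT_V1 = """\
Tag:Cryptography.Protocol.TLS,Rule:TLS usage,Ruleid:AI-EX-001,Confidence:high,File:src/net.cs,Sourcetype:C#,Line:12,Sample:SslProtocols.Tls12
Tag:Data.Parsing.XML,Rule:XML parser,Ruleid:AI-EX-002,Confidence:medium,File:src/cfg.cs,Sourcetype:C#,Line:40,Sample:new XmlDocument()
Tag:Data.Sensitive.Credential,Rule:Credential,Ruleid:AI-EX-003,Confidence:low,File:src/cfg.cs,Sourcetype:C#,Line:44,Sample:password = "x,y"
"""
REPORT_V2 = REPORT_V1 + """\
Tag:Process.DynamicExecution,Rule:Dynamic exec,Ruleid:AI-EX-004,Confidence:high,File:src/util.cs,Sourcetype:C#,Line:7,Sample:Process.Start(cmd)
"""
```

Note that the default medium floor drops the low-confidence credential match, so a `rulesnotpresent` test on that tag passes at the default filter and fails when `low` is included.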
#### Basic use
```
dotnet AppI
```
Microsoft open-source security tool Application Inspector.zip (172 files: 71 json, 43 cs, 10 js; 1.71MB ZIP), uploaded 2023-09-12 09:15:57.
Application Inspector is a tool for analyzing and auditing applications. It can help developers and security experts discover potential vulnerabilities, security issues and data leaks. Below is some information about Application Inspector and related links:
- Application Inspector is an open-source tool developed by Microsoft for analyzing source code in different programming languages.
- It supports multiple programming languages, including C#, JavaScript, TypeScript, Python and Go.
- Application Inspector uses static code analysis techniques to identify potential vulnerabilities and security risks by checking patterns, rules and potential security issues in the code.
- It provides a set of built-in rules and patterns for checking common problems in code, such as potential XSS vulnerabilities, SQL injection, unsafe API usage and so on.
- Application Inspector also lets users define custom rules and patterns to meet specific needs and application requirements.
- It provides an intuitive user interface that lets users easily import code, run an analysis and view the results.
- Application Inspector generates detailed reports containing descriptions of the issues found, suggested fixes and the related code snippets.
- It can be used as a command-line tool and can also be integrated into CI/CD pipelines for automated code auditing.
Below are some links related to Application Inspector:
Contents of Microsoft open-source security tool Application Inspector.zip (172 files):
AppMetaData.cs 32KB
AnalyzeCommand.cs 32KB
Resources.Designer.cs 16KB
RuleProcessor.cs 14KB
Program.cs 14KB
TextContainer.cs 11KB
Ruleset.cs 11KB
TagTestCommand.cs 8KB
TagDiffCommand.cs 8KB
SimpleTextWriter.cs 8KB
VerifyCommand.cs 6KB
Suppression.cs 6KB
JsonWriter.cs 6KB
WriteOnce.cs 6KB
Utils.cs 6KB
Language.cs 5KB
TagInfo.cs 4KB
ExportTagsCommand.cs 4KB
LiquidWriter.cs 4KB
ErrorMessage.cs 3KB
Rule.cs 2KB
Severity.cs 2KB
PatternType.cs 1KB
Issue.cs 1KB
FixType.cs 1KB
PatternScope.cs 1KB
WriterFactory.cs 1KB
SearchPattern.cs 976B
CodeFix.cs 731B
Comment.cs 710B
LanguageInfo.cs 645B
SearchCondition.cs 546B
ContentTypeRecord.cs 543B
Boundary.cs 522B
MatchRecord.cs 518B
DummyWriter.cs 443B
Writer.cs 416B
SuppressedIssue.cs 398B
Location.cs 301B
ICommand.cs 247B
OpException.cs 233B
Confidence.cs 170B
AppInspector.csproj 4KB
RulesEngine.csproj 2KB
bootstrap.min.css 152KB
all.css 69KB
c3.min.css 2KB
appinspector.css 2KB
fa-solid-900.eot 188KB
fa-brands-400.eot 128KB
fa-regular-400.eot 34KB
.gitattributes 2KB
.gitignore 4KB
index.html 3KB
ace.js 366KB
d3.min.js 240KB
c3.min.js 200KB
jquery.min.js 86KB
bootstrap.min.js 57KB
popper.min.js 21KB
ext-settings_menu.js 14KB
appinspector.js 10KB
ext-modelist.js 4KB
ext-beautify.js 4KB
javascript_testing.json 22KB
java_testing.json 19KB
tagreportgroups.json 13KB
outbound_network.json 11KB
file_io.json 10KB
authentication.json 9KB
cloud_hosting.json 9KB
javascript.json 8KB
platforms.json 8KB
java.json 7KB
solutioninfo.json 7KB
extended.json 7KB
acl.json 7KB
deserialization.json 7KB
python.json 7KB
weakssl.json 6KB
microsoft.json 6KB
database.json 6KB
data_storage.json 6KB
dynamic_execution.json 5KB
dependencies.json 5KB
certificate.json 5KB
sensitive.json 5KB
build.json 5KB
protocol.json 5KB
cpp_testing.json 4KB
ciphers.json 4KB
objectiveC_testing.json 4KB
process.json 4KB
OSS_license.json 4KB
authorization.json 4KB
languages.json 4KB
xml_parsing.json 4KB
active_content.json 4KB
system_registry.json 3KB