© 2018-2024 | Open Text

OpenText Core SCA CLI

Learn all about our Command Line Interface, which enables you to run vulnerability scans on your local machine and integrate OpenText Core SCA into your pipeline.

Last updated 12 days ago


Introduction

The OpenText Core SCA CLI is OpenText Core SCA's command line interface, bringing open-source security and license compliance to your project via the command prompt.

The OpenText Core SCA CLI is currently available for Windows, Linux, and macOS. It might work on other operating systems but has not been thoroughly tested yet. Supported languages: JavaScript, Java, C#, Ruby, PHP, and more.

Supported package managers: Yarn, Npm, Bower, Bazel, Gradle, and more.

Mastering OpenText Core SCA's CLI and API - webinar recording

Check out our latest training webinar and learn the basics of working with OpenText Core SCA CLI and API:

1. Getting started

The CLI can be run:

  • locally in your terminal as an interactive shell

  • in your CI/CD pipeline

  • through Docker

1.1 Authentication

2. Installation

The CLI can be installed and used through:

  1. Local installation: standalone, or installation using Go

  2. Adding the CLI into your CI/CD pipeline

  3. Using a docker image

2.1 Local installation

2.1.1 Standalone

Command Example for Linux:

curl -L https://github.com/debricked/cli/releases/latest/download/cli_linux_x86_64.tar.gz | tar -xz debricked

Command Example for Windows:

curl -L https://github.com/debricked/cli/releases/latest/download/cli_windows_x86_64.tar.gz | tar -xz debricked.exe

Command Example for macOS:

curl -L https://github.com/debricked/cli/releases/latest/download/cli_macOS_arm64.tar.gz | tar -xz debricked

2.1.2 Installation Using Go

Requirements:

Installation:

2.2 Adding CLI to your CI or CD pipeline

The CLI can be integrated into your continuous integration (CI) to run scans on the pipeline. You can integrate using:

  • Docker image

  • Binary standalone

2.2.1 Using the OpenText Core SCA CLI Docker image

  1. Configure a new job in your CI pipeline:

  • Use the debricked/cli:2-resolution-debian Docker image

  • Run debricked scan

  • Add the DEBRICKED_TOKEN as a variable or (if possible) as a secret

For more details, please check our sample templates for the integration of your choice.

2.2.2 Using the standalone binary

  1. Configure a new job in your CI pipeline:

  • Run:

    curl -L https://github.com/debricked/cli/releases/latest/download/cli_linux_x86_64.tar.gz | tar -xz debricked

    to download the executable CLI.

  • Run debricked scan.

Example CircleCI configuration (a build job that generates the Go dependency file, followed by a scan job):

jobs:
  build:
    docker:
      # specify the version here
      - image: cimg/go:1.17

    steps:
      - checkout
      - run: |
          printf "$(go mod graph)\n\n$(go list -mod=readonly -e -m all)" > .debricked-go-dependencies.txt
      # It is important that the generated dependency tree files are persisted and attached to the following scan step
      - persist_to_workspace:
          root: ~/repo
          paths:
            - '**.debricked-go-dependencies.txt'
            # Make sure to add all generated .debricked-go-dependencies.txt files

  scan:
    docker:
      - image: cimg/go:1.17
    working_directory: ~/repo
    steps:
      - checkout
      - run: curl -L https://github.com/debricked/cli/releases/latest/download/cli_linux_x86_64.tar.gz | tar -xz debricked
      - run: ./debricked scan

workflows:
  debricked-scan:
    jobs:
      - build
      - scan:
          requires:
            - build

3. Testing your installation

To confirm whether the installation was successful, run the command ‘./debricked --help’. If you can see the menu as seen below, you are ready to scan your first project!

4. Scan your first project

Once you've installed the CLI, you're ready to scan your project. You can scan a project located on your local machine, or a project in a remote repository via a CI integration. Follow the instructions below to perform your first scan:

  1. Authenticate the CLI with either an access token or through the debricked auth command.

  2. Run debricked scan --help to see the main menu and check that the CLI is running.

  3. Scan your project locally using the command: debricked scan [path] [options]

The path is the folder that contains your project's dependency file. See this practical example, scanning a local project:

debricked auth login
debricked scan ~/Desktop/myproject/EasyApp 

The debricked auth login command authenticates directly through the UI and is therefore suitable for scanning local projects.

The path is ~/Desktop/myproject/EasyApp. Since EasyApp is a git repository, no other flags are needed for the scan.

Include some [option]s within your scan:

debricked scan ~/Desktop/myproject/EasyApp --commit "044bdc7c22e46be010969e9360dbe679830100f1" --branch "dev" --exclusions "**/test/**"

--commit specifies the commit hash and --branch the branch name. Note that --commit and --branch are only required when the target path does not contain a git repository.

Another option is to change directory into the folder that contains your project's dependency file and use "." as the path. For example:

debricked scan . --access-token <token>

As shown above, you can also use an access token while scanning, which is recommended for CI/CD integrations.

After the scan is complete, you will see the total number of vulnerabilities found and a list of automation rules that have been evaluated.

5. List of commands

These are the main commands for the OpenText Core SCA CLI:

Command                                   Description
help                                      Display options.
scan [path] [access-token] [flags]        Upload and check your dependency files for vulnerabilities.
resolve [path] [flags]                    Resolve manifest files.
files find [path] [access-token] [flags]  Search and print the dependency files.
export [command] [access-token] [flags]   Generate an export and send it by email.
callgraph [path] [flags]                  Generate a static callgraph for a project.
fingerprint [[path] [flags]]              Fingerprint files.
auth [command]                            Authenticate to OpenText Core SCA service.

help

  • debricked [command] --help

Type debricked --help to display the main menu.

To display the options of any command, execute the [command] followed by the --help option. For example, type debricked scan --help to list the options for the scan command.

scan

  • debricked scan [path] [flags]

  • debricked scan --help to see all the options.

The scan command uploads and checks your dependency files for open-source vulnerabilities and license compliance.

Path:

  • Use the path argument to specify which directory the dependency file is in (use --exclusions to leave paths out). For example: debricked scan ~/Desktop/Coder-2022/Eccomerce2/ -t <token>.

  • You can use "." to scan the current working directory. For instance: debricked scan . -t <token> or debricked scan ~/Desktop/Coder-2022/Eccomerce2/ -t <token>

Flags:

-t, --access-token Required

Use this parameter to authenticate. Pass -t or --access-token followed by the access token you generated. Example: --access-token <token>

-e, --exclusions Optional

Use this command to exclude files or folders you don't want to be scanned for some reason. The following terms are supported to exclude paths:

  • "*": matches any sequence of non-Separator characters.

  • "/**/": matches zero or multiple directories.

  • "?": matches any single non-Separator character.

  • "[class]": matches any single non-Separator character against a class of characters

  • "{alt1,...}": matches a sequence of characters if one of the comma-separated alternatives matches.

Examples: -e "*/**.lock", -e "**/node_modules/**", -e "*/**.exe". Repeat the flag to exclude multiple patterns. For example: debricked scan . -e "**/node_modules/**" -e "**/package-lock.json"

Default: if you don’t provide this parameter, “node_modules”, "vendor", and “.git” are excluded.

-b, --branch Optional

Use this parameter to specify the branch to analyze in your project. For example: --branch main

Default: if you don’t provide this parameter, all branches are scanned.

-c, --commit Optional

Use this parameter to specify the commit to analyze in your project. Type --commit followed by the commit hash. Example: --commit 2609d8385125ddd2d7aa4cfb5be8fcd392e3280a.

Default: if you don’t provide this parameter, OpenText Core SCA will scan the last commit.

-i, --integration Optional

Use this parameter to specify the name of the integration used to trigger the scan. For example: --integration “GitHub Actions”

Default: if you don’t provide this parameter, it is set to “CLI”.

-p, --pass-on-timeout Optional

Use this flag to let the scan pass if there is a service access timeout.

-r, --repository Optional

Use this parameter to specify the name of the repository to analyze. For example: --repository EasyApp

-u, --repository-url Optional

Use this parameter to specify the URL of the repository to analyze. For example: --repository-url https://github.com/nordisk/myrepository

--no-resolve Optional

--sbom string Optional

Use this parameter to generate and download an SBOM report in the specified format after the scan completes. Supported formats are 'CycloneDX' and 'SPDX'. Leaving the field empty results in no SBOM generation.

--sbom-output string Optional

Use this parameter to specify the output path for the downloaded SBOM report (if --sbom is set).

More Examples:

In this example, we analyze all the dependencies files in our current directory. The “.” starts the scanning in the current working directory.

debricked scan . -t "<token>"

In this example, we are going to scan a project called “EasyApp” in the local directory “~/Desktop/myproject/EasyApp”:

debricked scan ~/Desktop/myproject/EasyApp --access-token "<token>" --commit "044bdc7c22e46be010969e9360dbe679830100f1" --branch "dev" --exclusions "**/node_modules/**"

resolve

  • debricked resolve [path] [flags]

  • debricked resolve --help to see all the options.

Path:

  • Use the path argument to specify what manifest file to resolve or what directory to resolve manifest files in. For example: debricked resolve ~/Desktop/Coder-2022/Eccomerce2/ -t <token> or debricked resolve ~/Desktop/Coder-2022/Eccomerce2/pom.xml -t <token>.

Flags:

-t, --access-token Optional

Use this parameter to authenticate and get a higher rate limit. Pass -t or --access-token followed by the access token you generated. Example: --access-token <token>

-e, --exclusions Optional

Use this command to exclude files or folders you don't want to be scanned for some reason. The following terms are supported to exclude paths:

  • "*": matches any sequence of non-Separator characters.

  • "/**/": matches zero or multiple directories.

  • "?": matches any single non-Separator character.

  • "[class]": matches any single non-Separator character against a class of characters

  • "{alt1,...}": matches a sequence of characters if one of the comma-separated alternatives matches.

Examples: -e "*/**.lock", -e "**/node_modules/**", -e "*\**.exe", -e "**\node_modules\**". Repeat the flag to exclude multiple patterns. For example: debricked resolve . -e "**/node_modules/**" -e "**/package-lock.json"

Default: if you don’t provide this parameter, “node_modules”, "vendor", and “.git” are excluded.

--verbose Optional

Use this flag to toggle verbosity in the error output for resolution. This mainly applies to the error output from the package managers which the OpenText Core SCA CLI calls (i.e. "external" errors) when resolving. For example, --verbose=false gives less verbose error messaging.

Default: if you don’t provide this parameter, it is set to “true”.

--resolution-strictness int Optional

Use this flag to configure exit codes for resolution, depending on the success of the command:

  • 0 (default) - Always exit with code 0, even if any or all files failed to resolve

  • 1 - Exit with code 1 if all files failed to resolve, otherwise exit with code 0

  • 2 - Exit with code 1 if any file failed to resolve, otherwise exit with code 0

  • 3 - Exit with code 1 if all files failed to resolve; if some but not all files failed to resolve, exit with code 3; otherwise exit with code 0

--regenerate int Optional

Use this flag to toggle regeneration of already existing lock files between 3 modes. This is useful when you use the resolve command to generate lock files permanently in your project and want to ensure that they are kept up to date before every scan:

  • 0 (default) - No regeneration

  • 1 - Regenerates existing non package manager native OpenText Core SCA lock files

  • 2 - Regenerates all existing lock files

--prefer-npm Optional This flag allows you to use npm instead of yarn (which is default) when resolving package.json files without lock files.

files find

  • debricked files find [path] [flags]

  • debricked files find --help to see all the options.

Use this command to search all the dependencies files in your project.

Path:

  • Use the path argument to specify which directory the dependency file is in. For example: debricked files find ~/Desktop/Coder-2022/Eccomerce2/ -t <token>.

  • You can use "." to search the current working directory. For instance: debricked files find . -t <token> or debricked files find ~/Desktop/Coder-2022/Eccomerce2/ -t <token>.

Note: If the path is inside a git repository, all the necessary flags (branch, commit, etc.) will be set for you automatically.

Flags:

-l, --lockfile Optional

Use this parameter to find only the lock files in your project.

-j, --json Optional

Use this parameter to print the files found under the path in JSON format. Here’s an example, where we look for all the dependency files in the folder “project7” and print them in JSON format.

debricked files find  ~/Desktop/project7 -t <token> -e "**/node_modules/**" --json

Output:

[
  {
    "manifestFile": "go.mod",
    "lockFiles": [
      ".gomod.debricked.lock"
    ]
  }
]

-s, --strict int

Allows controlling which files are matched:

  • 0 (default) - returns all matched manifest and lock files regardless of whether they're paired or not

  • 1 - returns only lock files and pairs of manifest and lock file

  • 2 - returns only pairs of manifest and lock file
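As an added example that is not part of the OpenText Core SCA CLI or its documentation, the script below post-processes the JSON that debricked files find --json prints (in the shape shown above) and applies the three --strict levels, so a pipeline can see which entries each level keeps and which manifests have no lock file at all, i.e. whose dependency versions are not pinned before the scan. It assumes that a lock file found without a manifest is reported with an empty "manifestFile"; the sample output is constructed.

```python
"""Added example: apply the documented --strict levels to `files find --json`
output and report manifests that have no lock file.  Not part of the
Debricked/OpenText Core SCA CLI; the JSON shape follows the docs, and a
lock-only entry is assumed to carry an empty "manifestFile"."""

import json
import sys
from typing import Any, Dict, List

Entry = Dict[str, Any]

# Constructed sample, shaped like the documented `debricked files find --json` output.
SAMPLE_OUTPUT = """
[
  {"manifestFile": "go.mod", "lockFiles": [".gomod.debricked.lock"]},
  {"manifestFile": "package.json", "lockFiles": ["package-lock.json"]},
  {"manifestFile": "requirements.txt", "lockFiles": []},
  {"manifestFile": "", "lockFiles": ["Gemfile.lock"]}
]
"""


def parse_files_find(text: str) -> List[Entry]:
    """Parse the JSON array and normalise missing keys so later code can rely on them."""
    entries = json.loads(text)
    if not isinstance(entries, list):
        raise ValueError("expected a JSON array of {manifestFile, lockFiles} objects")
    for entry in entries:
        entry.setdefault("manifestFile", "")
        entry.setdefault("lockFiles", [])
    return entries


def apply_strictness(entries: List[Entry], level: int) -> List[Entry]:
    """Mirror the documented --strict levels:
    0 - everything that matched, paired or not
    1 - lock files and manifest/lock pairs (manifests without a lock file are dropped)
    2 - manifest/lock pairs only (lock files without a manifest are dropped too)"""
    if level == 0:
        return list(entries)
    if level == 1:
        return [e for e in entries if e["lockFiles"]]
    if level == 2:
        return [e for e in entries if e["manifestFile"] and e["lockFiles"]]
    raise ValueError(f"unsupported --strict level {level}")


def unpinned_manifests(entries: List[Entry]) -> List[str]:
    """Manifests with no lock file.  Their dependency versions are not pinned, so
    the scan result depends on what resolution picks at scan time rather than on
    a committed lock file; these are the files `debricked resolve` would have to
    generate lock files for."""
    return [e["manifestFile"] for e in entries if e["manifestFile"] and not e["lockFiles"]]


def report(text: str) -> Dict[str, Any]:
    """Summary: number of entries kept per strictness level plus unpinned manifests."""
    entries = parse_files_find(text)
    return {
        "strict": {lvl: len(apply_strictness(entries, lvl)) for lvl in (0, 1, 2)},
        "unpinned": unpinned_manifests(entries),
    }


if __name__ == "__main__":
    # Pipe real output in (`debricked files find . --json | python3 this_script.py`)
    # or run without input to see the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    summary = report(text)
    for lvl, count in summary["strict"].items():
        print(f"--strict {lvl}: {count} entries kept")
    for manifest in summary["unpinned"]:
        print(f"no lock file for {manifest}; run `debricked resolve` or commit one")
```

Running it on the constructed sample keeps 4, 3 and 2 entries for --strict 0, 1 and 2 respectively and flags requirements.txt as unpinned.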

Workspaces:

Since release v2.0.7, files find supports workspaces for npm and yarn. Nothing additional is needed to make workspaces work, but in addition to the official format we also support nesting the workspace patterns under a packages key. Examples:

{
  "workspaces": [
    "package/*"
  ]
}

{
  "workspaces": {
    "packages": [
      "package/*"
    ]
  }
}

export

Prior to version 2.3.0, this command was referred to as 'report'.

export license

Example for generating a license export:

debricked export license -t "<token>" --commit 044bdc7c22e46be010969e9360dbe679830100f1 --email user1@email.com

Flags:

-t, --access-token Required

Use this parameter to authenticate. Pass -t or --access-token followed by the access token you generated. For example: --access-token <token>

-c, --commit Required

Use this parameter to specify the commit hash of the repository to analyze. For example: --commit 2609d8385125ddd2d7aa4cfb5be8fcd392e3280a

-e, --email Required

Use this parameter to set the email address to which the export will be sent. For example: --email user1@email.com

export vulnerability

Example for generating a vulnerability export:

debricked export vulnerability -t "<token>" --commit 044bdc7c22e46be010969e9360dbe679830100f1 --email user1@email.com

Flags:

-e, --email Required

Use this parameter to set the email address to which the export will be sent. For example: --email user1@email.com

export sbom

Example for generating an SBOM export:

debricked export sbom -t "<token>" --commit 1234 --repository 5678 --format SPDX

Flags:

-t, --access-token Required

Use this parameter to authenticate. Pass -t or --access-token followed by the access token you generated. For example: --access-token <token>

-b, --branch Optional

Use this parameter to specify the name of the branch that you want to generate an SBOM export for.

-c, --commit Required

Use this parameter to specify the ID of the commit that you want to generate an SBOM export for. Note that if this value is provided, the values for repository and branch will be ignored. For example: --commit 1234

-f, --format Required

Use this parameter to set the format that you want the SBOM export in. Supported options are 'CycloneDX' and 'SPDX'. For example: --format SPDX

-o, --output string Optional

Use this parameter to set the output path for the downloaded SBOM JSON file. If no output path is set, the file is created as <repository_id>-<commit_id>.sbom.

-r, --repository string Required

Use this parameter to specify the ID of the repository that you want to generate an SBOM export for.

callgraph

  • debricked callgraph [[path] [flags]]

  • debricked callgraph --help to see all the options.

The callgraph command generates a static callgraph for a project. Execute the command in the project directory or specify the project path.

Path:

  • Use the path argument to specify the project path. If nothing is provided, the current working directory will be used.

Flags:

  • -e, --exclusions Optional

    • Specify which files or paths you don't want to include in the callgraph. The following terms are supported to exclude paths:

      • "*": matches any sequence of non-Separator characters

      • "/**/": matches zero or multiple directories

      • "?": matches any single non-Separator character

      • "[class]": matches any single non-Separator character against a class of characters (see "character classes")

      • "{alt1,...}": matches a sequence of characters if one of the comma-separated alternatives matches

    Examples: -e "**/target/test-classes/**", -e "*\\test.class"

    Repeat the flag to ignore multiple terms. For example: debricked callgraph -e "**/target/test-classes/**" -e "*\\test.class"

  • --no-build Optional

    • Do not automatically build all source code in the project. This option requires a pre-built project/available .class files.

  • --generate-timeout Optional

    • Sets a timeout (in seconds) on the call graph generation.

    • Default: If you don’t provide this parameter, it will be set by default to 3600 (1 hour).

Command Details:

The command can be divided into three main steps:

  1. Build project

    • build the project based on the root pom.xml. If no root pom.xml is found, all pom.xml files will be built individually:

      $ mvn package -q -DskipTests -e

    • a successful build will generate the necessary .class files

  2. Copy external dependency files to .debrickedTmpFolder in the root pom.xml directory:

      $ mvn -q -B dependency:copy-dependencies -DoutputDirectory=/path/to/root/.debrickedTmpFolder -DskipTests -e

  3. Generate the call graph:

      $ java -jar path/to/built/file/java/common/target/SootWrapper.jar -u path/to/root/target/classes/ -l /path/to/root/.debrickedTmpFolder -f .debricked-call-graph

    • The generated call graph output is stored in the base64-encoded zip file .debricked-call-graph

The callgraph command requires at least Java 11. If your project cannot be built with Java 11, we recommend that you build your project in your environment before running the command and use the --no-build flag when generating the call graph.

Common Errors:

  • Build failures

    • These are likely due to local configurations. If the build step fails, it is recommended to build your project as usual in your environment and skip step 1 above, i.e. just copy external dependencies to .debrickedTmpFolder and run debricked callgraph --no-build on your built project. Make sure all .class files are available.

  • Callgraph failures

    • out of memory

    • cp dependencies

      * Critical:
      	|Command 'mvn -q -B dependency:copy-dependencies -DoutputDirectory=/path/to/root/.debrickedTmpFolder -DskipTests' executed in folder '/path/to/root/' gave the following error: 
      	|[ERROR] Failed to execute goal on project <project-name>: Could not resolve dependencies <deps>
    • mapping dependencies

      * Critical:
      	|Command 'java -jar path/to/built/file/java/common/target/SootWrapper.jar -u path/to/root/target/classes/ -l /path/to/root/.debrickedTmpFolder  -f .debricked-call-graph' executed in folder '/path/to/root' gave the following error: 
      	|
      	|Running SootWrapper version 5.0
      	|SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
      	|SLF4J: Defaulting to no-operation (NOP) logger implementation
      	|SLF4J: See <http://www.slf4j.org/codes.html#StaticLoggerBinder> for further details.
      	|Error: Found no entry points. Do path(s) to user code contain compiled user code?

      If you see the error above, make sure all .class files are available in the right path and that all external dependencies have been copied to .debrickedTmpFolder.

fingerprint

  • debricked fingerprint [[path] [flags]]

  • debricked fingerprint --help to see all the options.

Fingerprints the files in a given path for identification and writes the result to debricked.fingerprints.txt. All files are hashed so that they can be matched against the OpenText Core SCA knowledge base.

Path:

  • Use the path argument to specify the project path. If nothing is provided, the current working directory will be used.

Flags:

  • -e, --exclusions Optional

    Specify which files or paths you don't want to include when fingerprinting. The following terms are supported to exclude paths:

    • "*": matches any sequence of non-Separator characters

    • "/**/": matches zero or multiple directories

    • "?": matches any single non-Separator character

    • "[class]": matches any single non-Separator character against a class of characters (see "character classes")

    • "{alt1,...}": matches a sequence of characters if one of the comma-separated alternatives matches

    Examples: -e "/.pyc", -e "*\\test.class", -e "**/target/test-classes/**"

    Repeat the flag to ignore multiple terms. For example: debricked fingerprint -e "/node_modules/" -e "/.egg-info/" -e "/*venv/**"

    By default, the following are ignored: /nbproject/, /nbbuild/, /nbdist/, /node_modules/, /pycache/, /_yardoc/, /eggs/, /wheels/, /htmlcov/, /pypackages/, /.egg-info/, /venv/*

  • --fingerprint-compressed-content Optional

    Fingerprint the contents of compressed files by unpacking them in memory. Supported files: .jar, .nupkg, .war. Default: false
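The five pattern terms listed for -e, --exclusions in the scan, resolve, files find, callgraph and fingerprint sections are easy to get subtly wrong; for instance, "*/**.lock" only reaches one directory deep, and an over-broad pattern silently hides dependency files from the scan. As an added example that is not part of the CLI or its documentation, the Python script below implements those terms as stated and reports which files of a constructed sample tree a set of patterns would exclude, so a pattern can be previewed before it is committed to a pipeline. It is an illustration of the documented semantics, not the CLI's own matcher (corner cases may differ); path separators are normalised to "/" because patterns must use Unix separators.

```python
"""Added example: a matcher for the exclusion-pattern terms documented for
-e, --exclusions ("*", "/**/", "?", "[class]", "{alt1,...}"), used to preview
what a set of patterns would hide from a scan.  Not the CLI's own code."""

import fnmatch
import re
from typing import Dict, List, Optional


def _expand_braces(segment: str) -> List[str]:
    """Expand "{alt1,alt2}" groups in one path component into all alternatives."""
    match = re.search(r"\{([^{}]*)\}", segment)
    if not match:
        return [segment]
    head, tail = segment[: match.start()], segment[match.end():]
    expanded: List[str] = []
    for alt in match.group(1).split(","):
        expanded.extend(_expand_braces(head + alt + tail))
    return expanded


def _component_matches(pattern_part: str, path_part: str) -> bool:
    """Match one path component. fnmatch provides "*", "?" and "[class]"; because
    it is applied to a single component, none of them can cross a "/" separator."""
    return any(
        re.fullmatch(fnmatch.translate(alt), path_part) is not None
        for alt in _expand_braces(pattern_part)
    )


def _match(pattern_parts: List[str], path_parts: List[str]) -> bool:
    """Recursive match over components; a "**" component consumes zero or more
    directories, so "**/node_modules/**" also matches "node_modules/x.js"."""
    if not pattern_parts:
        return not path_parts
    if pattern_parts[0] == "**":
        return any(_match(pattern_parts[1:], path_parts[i:]) for i in range(len(path_parts) + 1))
    if not path_parts:
        return False
    return _component_matches(pattern_parts[0], path_parts[0]) and _match(
        pattern_parts[1:], path_parts[1:]
    )


def matches(pattern: str, path: str) -> bool:
    """True if the exclusion pattern matches the repository-relative path.
    Backslashes in the path are normalised to "/"; patterns must use "/"."""
    path = path.replace("\\", "/").strip("/")
    return _match(pattern.strip("/").split("/"), path.split("/"))


def excluded_by(paths: List[str], patterns: List[str]) -> Dict[str, Optional[str]]:
    """Map every path to the first pattern that excludes it, or None if it is still scanned."""
    return {p: next((pat for pat in patterns if matches(pat, p)), None) for p in paths}


# Constructed sample tree and the example patterns quoted in the docs.
SAMPLE_PATHS = [
    "package.json",
    "package-lock.json",
    "src/app/package.json",
    "node_modules/lodash/package.json",
    "vendor/composer.lock",
    "tests/fixtures/yarn.lock",
    "build/app.exe",
]
SAMPLE_PATTERNS = ["**/node_modules/**", "**/package-lock.json", "*/**.lock"]

if __name__ == "__main__":
    for path, pattern in excluded_by(SAMPLE_PATHS, SAMPLE_PATTERNS).items():
        status = f"excluded by {pattern}" if pattern else "scanned"
        print(f"{path:36} {status}")
```

On the sample tree, "*/**.lock" excludes vendor/composer.lock but leaves tests/fixtures/yarn.lock in the scan, which is the kind of surprise the preview is meant to surface; "**/*.lock" would reach both.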

auth

You can authenticate to the OpenText Core SCA service using this command. The subcommands are:

  • debricked auth login to authenticate with your OpenText Core SCA user.

  • debricked auth logout to log out an authenticated OpenText Core SCA user.

  • debricked auth token to retrieve an access token for use in the OpenText Core SCA API.

  • debricked auth --help to see all the options.

6. Troubleshooting and error messages

Below you can find a list of some of the most common error messages. If the problem persists and you can’t solve it yourself, or if you have additional questions, feel free to contact our support team.

⨯ Unauthorized. Specify access-token. 
Read more at https://debricked.com/docs/administration/access-tokens.html

This error message appears when the access token is missing or invalid. For more information, see the `-t, --access-token` flag.

Error: required flag(s) "email" not set
Error: ⨯ No commit was found with the name

This error message appears when you run the `debricked export vulnerability/license` command but the CLI can’t find the commit. To resolve this, use the `--commit, -c` option to provide a commit hash.

Error: required flag(s) "commit" not set

This error message appears when you run the `debricked export vulnerability/license` command without a commit. To resolve this, use the `--commit, -c` option to provide a commit hash.

Error: invalid directory path specified: "~/Desktop/../../EasyApp"

This error message appears when the scan can't find any valid directory in the path. To resolve it, check if the path provided is correct.

Error: ⨯ failed to find repository name

This error message appears when we can't fetch the repository name. To fix this, set a name for the repository, using the -r flag.

6.1 Getting support

Uninstallation

The only thing needed to uninstall is to remove the binary: the file called debricked or debricked.exe, depending on your operating system.

6.2 Create an issue or report a bug

Before creating an issue or reporting a bug, make sure to contact support and discuss the issue or feedback with us first.

6.3 Upgrading from version 1.X.X to version 2.0.0

The 2.0.0 release contains some breaking changes, documented below:

6.4 Contributors

Feel free to reach out to any of the maintainers or other community members if you have any questions.

To use the OpenText Core SCA CLI, you must have an OpenText Core SCA account and install the CLI.

You can authenticate with OpenText Core SCA either through an access token (recommended for CI/CD integrations), or by using the debricked auth command to log into the UI (recommended for scanning local projects). To create an access token, log in to OpenText Core SCA and follow the steps to generate an access token. Make sure to keep the access token in a safe place for later use.

If you run into any issues during the installation process, feel free to contact us.

Find the latest GitHub releases to download a standalone executable from the releases of https://github.com/debricked/cli.

Local compilation of the OpenText Core SCA CLI requires Go to be installed on your system. To check whether you already have the compiler installed, run ‘go version’ in your terminal. If the command is not available, install the Go compiler.

Install Go on your operating system following the official documentation.

Clone the CLI repository to your local directory: https://github.com/debricked/cli

Log in to debricked.com/app and follow the steps to generate an access token.

Set your access token, named DEBRICKED_TOKEN, as an environment variable within your continuous integration (CI). If you don’t know how to configure your environment variable, check our documentation for the most common CI integrations.

See the example below for the GitHub Actions integration (see the debricked.yml file at https://github.com/debricked/cli/blob/main/examples/templates/GitHub/debricked.yml):

Log in to debricked.com/app and follow the steps to generate an access token.

Set your access token, named DEBRICKED_TOKEN, as an environment variable within your continuous integration (CI). If you don’t know how to configure your environment variable, visit our documentation for the most common CI integrations.

Here’s an example of the CircleCI integration: the circleci/config.yml file. For more examples, check out https://github.com/debricked/cli/tree/main/examples/templates

You can log in to the OpenText Core SCA web tool to see the scan results by following the link with all the details.

When scanning, High Performance resolution is enabled by default. Use this parameter to disable it if needed. See the High performance scans page for more details about the High Performance Scan.

The resolve command resolves manifest files to lock files. See the High performance scans page for more details about the High Performance Scan.

For specific documentation on using workspaces with npm see the npm workspace documentation, and for yarn see the yarn workspace documentation.

Note that this feature is only available for premium and enterprise users. Visit our Pricing page for more info.

Note that this feature is only available for premium and enterprise users. Visit our Pricing page for more info.

Note that this feature is only available for enterprise users. Visit our Pricing page for more info. If you wish to generate an SBOM directly following a scan, see the --sbom flag under scan (https://docs.debricked.com/tools-and-integrations/cli/debricked-cli#scan).

Uses a built version of the project to identify all .class files and map those to the root pom.xml, using the same path as .debrickedTmpFolder

This error message appears when you run the `debricked export vulnerability/license` command without a valid email address. To resolve this, use the `--email, -e` option to set the email address the export should be sent to. For example: `debricked export license -t "<token>" --email usuario1@gmail.com`

For example: `debricked export license -t "<token>" --email usuario1@gmail.com --commit 044bdc7c22e46be010969e9360dbe679830100f1`

For example: `debricked export license -t "<token>" --email usuario1@gmail.com --commit 044bdc7c22e46be010969e9360dbe679830100f1`

If you need help, contact us via our live chat, open Monday-Friday 9 am-5 pm CET, or email support@debricked.com.

If you want to create an issue or report a bug, you can do it directly by submitting an issue via GitHub.

If you'd like to contribute directly to the project, check out our guide. Keep in mind that it might take us some time to answer your questions. For a better experience, we recommend joining our Portal community, where you can learn more about OpenText Core SCA, improve the way you use open source, and help others.

https://github.com/debricked/cli/blob/main/examples/templates/GitHub/debricked.yml
name: Debricked scan

on: [push]

jobs:
  vulnerabilities-scan:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4
      - uses: debricked/actions@v4
        env:
          DEBRICKED_TOKEN: ${{ secrets.DEBRICKED_TOKEN }}
https://github.com/debricked/cli/blob/main/UPGRADE-2.0.md
# Upgrade from 1.X.X to 2.0.0

## Changed behaviours
- Changes default strictness of resolve command to 1 (Exit with code 1 if all files failed to resolve, otherwise exit with code 0 instead of always exiting with code 0)
- File Fingerprint analysis is on by default for all repositories which starts with the letters "A-C" (starting from v2.1.4 it is default for all repos). This range will be increased in future minor/patch releases.
- Added inclusion option to commands to force include patterns which are by default ignored by the CLI
- Refactored how exclusion works for fingerprinting to align it with the rest of the CLI, this includes a breaking change for windows where Unix path separators must be used in patterns.

## Runtime upgrades

- Base Docker images have been upgraded from Go 1.21 to 1.22
- In Docker resolution images, the following runtimes have been updated:
   - Upgrade Java from OpenJDK 11 to 21
   - Upgrade Maven from 3.9.2 to 3.9.6
   - Upgrade Gradle from 8.1.1 to 8.7
   - Upgrade Node from 18 to 21
   - Upgrade dotnet from 7.0 to 8.0
   - Upgrade Go from 1.21 to 1.22
   - Upgrade PHP from 8.2 to 8.3
- Debian Docker images have been upgraded from Bullseye (11) to Bookworm (12)