Using the bestfix script to obtain remediation and scan improvement suggestions

The bestfix script provides remediation and scan improvement suggestions for your application's key ShiftLeft CORE findings.

Requirements

Before proceeding, please ensure that:

  • You have Python 3.9 (or later) installed on your workstation
  • You have scanned your application at least once using ShiftLeft CORE

How to run the bestfix script

  1. Clone ShiftLeft's field integrations repo to your local machine.

  2. Navigate into the repo's shiftleft-utils directory.

  3. Run pip3 install -r requirements.txt to install the dependencies required by bestfix.

  4. Run bestfix by providing the following in the terminal:

    python3 bestfix.py --all-rating -a <yourApp> -s <pathToSourceCode>

    Note that all parameters are optional. If you provide no parameters, the script will, by default, generate information about reachable OSS findings and critical- and high-severity vulnerabilities.

    Parameters:

    Flag                Description
    -s <pathToApp>      The path to the application's directory; provide this if the source code is available on the local workstation
    -a <appName>        The name of the application whose findings you'd like fix/remediation suggestions for; if omitted, bestfix runs for all apps in your ShiftLeft organization
    -o <path>           The location where you would like bestfix to save the HTML copy of your results; if omitted, bestfix saves the report to the directory from which you ran bestfix
    --all-rating        Include vulnerabilities of all severities in the results

Sample usage

python3 bestfix.py -a HelloShiftLeft -o /Users/janesmith/reports -s /Users/janesmith/demoApp

Reviewing results

bestfix prints your results to the terminal, but you can also access an HTML copy saved to the location where you executed bestfix.py (optionally, you can provide an alternative directory using -o <directory/where/report/should/be/saved>).

In the results, you'll find the following information:

  • Fix suggestions for OSS vulnerabilities: a list of the reachable OSS findings present in your application, and the suggested upgrades to those packages that will remediate the findings
  • Fix suggestions for vulnerabilities: a list of suggested fixes for findings present in your application
  • Findings similarity analysis: groups of like vulnerabilities (i.e., bestfix groups together all directory traversal/deserialization/etc. vulnerabilities); applying remediation to any one of these findings in a given group should correct all of the issues that are grouped with it
  • Suggestions for scan improvements: a list of changes you can make to improve scan performance or the usability of your results (e.g., tagging your results with the branch name for easy cross-referencing)