OPPIDA
diff --git a/‎README.md‎
Lines changed: 4 additions & 37 deletions b/‎README.md‎
Lines changed: 4 additions & 37 deletions
diff --git a/‎docs/assets/extra.css‎
Lines changed: 68 additions & 0 deletions b/‎docs/assets/extra.css‎
Lines changed: 68 additions & 0 deletions
diff --git a/‎docs/home/quick_start_guide.md‎
Lines changed: 230 additions & 0 deletions b/‎docs/home/quick_start_guide.md‎
Lines changed: 230 additions & 0 deletions
diff --git a/‎docs/home/quick_start_guide/benchmark/overview.png‎
110 KB b/‎docs/home/quick_start_guide/benchmark/overview.png‎
110 KB
diff --git a/‎docs/home/quick_start_guide/benchmark/top_cwes.png‎
98.9 KB b/‎docs/home/quick_start_guide/benchmark/top_cwes.png‎
98.9 KB
@@ -12,7 +12,6 @@ A framework for code security that provides abstractions for static analysis too
 - [Overview](#overview)
 - [Features](#features)
 - [SAST Tool Integration Status](#sast-tool-integration-status)
-- [Installation](#installation)
 - [Usage](#usage)
     - [Command-line interface](#command-line-interface)
     - [Python API](#python-api)
@@ -22,12 +21,14 @@ A framework for code security that provides abstractions for static analysis too
 
 **CodeSecTools** is a collection of scripts and wrappers that abstract external resources (such as SAST tools, datasets, and codebases), providing standardized interfaces to help them interact easily.
 
-For more details on the design and integration of SAST tools and datasets in CodeSecTools, please refer to the [documentation](https://oppida.github.io/CodeSecTools). 
-
 <div align="center">
   <img src="docs/assets/overview.svg" alt="CodeSecTools Overview" style="width: 75%; height: auto;" />
 </div>
 
+For step-by-step instructions on installation, configuration, and basic usage, please refer to the [quick start guide](https://oppida.github.io/CodeSecTools/home/quick_start_guide.html).
+
+For more details on the design and integration of SAST tools and datasets in CodeSecTools, please refer to the [documentation](https://oppida.github.io/CodeSecTools). 
+
 ## Features
 
 - **Standardized SAST Tool Integration**: Provides a common abstraction layer for integrating various SAST tools. Once a tool is integrated, it automatically benefits from the framework’s core functionalities.
@@ -52,40 +53,6 @@ For more details on the design and integration of SAST tools and datasets in Cod
 |SpotBugs|Java|✅|✅|[Latest PR](https://github.com/OPPIDA/CodeSecTools/actions/workflows/ci.yaml)|
 |Cppcheck|C/C++|✅|✅|[Latest PR](https://github.com/OPPIDA/CodeSecTools/actions/workflows/ci.yaml)|
 
-## Installation
-
-- Clone the repository:
-```bash
-git clone https://github.com/OPPIDA/CodeSecTools.git
-cd CodeSecTools
-```
-
-- Install the project:
-
-    - Using [uv](https://github.com/astral-sh/uv):
-      ```bash
-      uv tool install .
-      ```
-
-    - Using [pipx](https://github.com/pypa/pipx):
-      ```bash
-      pipx install .
-      ```
-
-    - Using pip (not recommended, as it can break your system packages):
-      ```bash
-      pip install .
-      ```
-
-- Update the project:
-    
-    - Pull the latest changes:
-      ```bash
-      git pull
-      ```
-
-    - Reinstall (in case dependencies changed)
-
 ## Usage
 
 #### Command-line interface
 
@@ -6,6 +6,7 @@
 }
 
 /* Custom admonitions */
+/* Legal */
 :root {
   --md-admonition-icon--legal: url('data:image/svg+xml;charset=utf-8,<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9 10a3.04 3.04 0 0 1 3-3 3.04 3.04 0 0 1 3 3 3.04 3.04 0 0 1-3 3 3.04 3.04 0 0 1-3-3m3 9 4 1v-3.08A7.54 7.54 0 0 1 12 18a7.54 7.54 0 0 1-4-1.08V20m4-16a5.78 5.78 0 0 0-4.24 1.74A5.78 5.78 0 0 0 6 10a5.78 5.78 0 0 0 1.76 4.23A5.78 5.78 0 0 0 12 16a5.78 5.78 0 0 0 4.24-1.77A5.78 5.78 0 0 0 18 10a5.78 5.78 0 0 0-1.76-4.26A5.78 5.78 0 0 0 12 4m8 6a8 8 0 0 1-.57 2.8A7.8 7.8 0 0 1 18 15.28V23l-6-2-6 2v-7.72A7.9 7.9 0 0 1 4 10a7.68 7.68 0 0 1 2.33-5.64A7.73 7.73 0 0 1 12 2a7.73 7.73 0 0 1 5.67 2.36A7.68 7.68 0 0 1 20 10"/></svg>')
 }
@@ -27,6 +28,7 @@
   mask-image: var(--md-admonition-icon--legal);
 }
 
+/* Requirements */
 :root {
   --md-admonition-icon--requirements: url('data:image/svg+xml;charset=utf-8,<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M14 10H3v2h11zm0-4H3v2h11zM3 16h7v-2H3zm18.5-4.5L23 13l-7 7-4.5-4.5L13 14l3 3z"/></svg>')
 }
@@ -46,4 +48,70 @@
   background-color: rgb(59, 144, 255);
   -webkit-mask-image: var(--md-admonition-icon--requirements);
   mask-image: var(--md-admonition-icon--requirements);
+}
+
+/* Docker */
+:root {
+  --md-admonition-icon--docker: url('data:image/svg+xml;charset=utf-8,<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21.81 10.25c-.06-.04-.56-.43-1.64-.43-.28 0-.56.03-.84.08-.21-1.4-1.38-2.11-1.43-2.14l-.29-.17-.18.27c-.24.36-.43.77-.51 1.19-.2.8-.08 1.56.33 2.21-.49.28-1.29.35-1.46.35H2.62c-.34 0-.62.28-.62.63 0 1.15.18 2.3.58 3.38.45 1.19 1.13 2.07 2 2.61.98.6 2.59.94 4.42.94.79 0 1.61-.07 2.42-.22 1.12-.2 2.2-.59 3.19-1.16A8.3 8.3 0 0 0 16.78 16c1.05-1.17 1.67-2.5 2.12-3.65h.19c1.14 0 1.85-.46 2.24-.85.26-.24.45-.53.59-.87l.08-.24zm-17.96.99h1.76c.08 0 .16-.07.16-.16V9.5c0-.08-.07-.16-.16-.16H3.85c-.09 0-.16.07-.16.16v1.58c.01.09.07.16.16.16m2.43 0h1.76c.08 0 .16-.07.16-.16V9.5c0-.08-.07-.16-.16-.16H6.28c-.09 0-.16.07-.16.16v1.58c.01.09.07.16.16.16m2.47 0h1.75c.1 0 .17-.07.17-.16V9.5c0-.08-.06-.16-.17-.16H8.75c-.08 0-.15.07-.15.16v1.58c0 .09.06.16.15.16m2.44 0h1.77c.08 0 .15-.07.15-.16V9.5c0-.08-.06-.16-.15-.16h-1.77c-.08 0-.15.07-.15.16v1.58c0 .09.07.16.15.16M6.28 9h1.76c.08 0 .16-.09.16-.18V7.25c0-.09-.07-.16-.16-.16H6.28c-.09 0-.16.06-.16.16v1.57c.01.09.07.18.16.18m2.47 0h1.75c.1 0 .17-.09.17-.18V7.25c0-.09-.06-.16-.17-.16H8.75c-.08 0-.15.06-.15.16v1.57c0 .09.06.18.15.18m2.44 0h1.77c.08 0 .15-.09.15-.18V7.25c0-.09-.07-.16-.15-.16h-1.77c-.08 0-.15.06-.15.16v1.57c0 .09.07.18.15.18m0-2.28h1.77c.08 0 .15-.07.15-.16V5c0-.1-.07-.17-.15-.17h-1.77c-.08 0-.15.06-.15.17v1.56c0 .08.07.16.15.16m2.46 4.52h1.76c.09 0 .16-.07.16-.16V9.5c0-.08-.07-.16-.16-.16h-1.76c-.08 0-.15.07-.15.16v1.58c0 .09.07.16.15.16"/></svg>')
+}
+
+.md-typeset .admonition.docker,
+.md-typeset details.docker {
+  border-color: rgb(59, 144, 255);
+}
+
+.md-typeset .docker>.admonition-title,
+.md-typeset .docker>summary {
+  background-color: rgba(59, 144, 255, 0.1);
+}
+
+.md-typeset .docker>.admonition-title::before,
+.md-typeset .docker>summary::before {
+  background-color: rgb(59, 144, 255);
+  -webkit-mask-image: var(--md-admonition-icon--docker);
+  mask-image: var(--md-admonition-icon--docker);
+}
+
+/* Cube */
+:root {
+  --md-admonition-icon--cube: url('data:image/svg+xml;charset=utf-8,<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 16.5c0 .38-.21.71-.53.88l-7.9 4.44c-.16.12-.36.18-.57.18s-.41-.06-.57-.18l-7.9-4.44A.99.99 0 0 1 3 16.5v-9c0-.38.21-.71.53-.88l7.9-4.44c.16-.12.36-.18.57-.18s.41.06.57.18l7.9 4.44c.32.17.53.5.53.88zM12 4.15 6.04 7.5 12 10.85l5.96-3.35z"/></svg>')
+}
+
+.md-typeset .admonition.cube,
+.md-typeset details.cube {
+  border-color: rgb(59, 144, 255);
+}
+
+.md-typeset .cube>.admonition-title,
+.md-typeset .cube>summary {
+  background-color: rgba(59, 144, 255, 0.1);
+}
+
+.md-typeset .cube>.admonition-title::before,
+.md-typeset .cube>summary::before {
+  background-color: rgb(59, 144, 255);
+  -webkit-mask-image: var(--md-admonition-icon--cube);
+  mask-image: var(--md-admonition-icon--cube);
+}
+
+/* Scan */
+:root {
+  --md-admonition-icon--scan: url('data:image/svg+xml;charset=utf-8,<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M17 22v-2h3v-3h2v3.5c0 .4-.2.7-.5 1s-.7.5-1 .5zM7 22H3.5c-.4 0-.7-.2-1-.5s-.5-.7-.5-1V17h2v3h3zM17 2h3.5c.4 0 .7.2 1 .5s.5.6.5 1V7h-2V4h-3zM7 2v2H4v3H2V3.5c0-.4.2-.7.5-1s.6-.5 1-.5zm12 9H5v2h14z"/></svg>')
+}
+
+.md-typeset .admonition.scan,
+.md-typeset details.scan {
+  border-color: rgb(63, 70, 79);
+}
+
+.md-typeset .scan>.admonition-title,
+.md-typeset .scan>summary {
+  background-color: rgba(59, 144, 255, 0.1);
+}
+
+.md-typeset .scan>.admonition-title::before,
+.md-typeset .scan>summary::before {
+  background-color: rgb(63, 70, 79);
+  -webkit-mask-image: var(--md-admonition-icon--scan);
+  mask-image: var(--md-admonition-icon--scan);
 }
@@ -0,0 +1,230 @@
+# Quick Start Guide
+
+In this section, you will learn how to use CodeSecTools.
+
+This guide mainly used the tool on Java projects, it is perfectly possible to run it on any project that language is supported.
+
+## 1. Prerequisites
+
+For this guide, there are two ways to install the tool:
+
+!!! cube "Normal installation"
+    - You will need to install the following packages:
+
+        - `git`
+        - `cloc`
+        - Java Development Kit (17)
+        - `maven`
+
+    - And the following SAST tools:
+
+        - [Bearer](/sast/supported/bearer.j2.html){:target="_blank"}
+        - [Semgrep Community Edition](/sast/supported/semgrepce.j2.html){:target="_blank"}
+        - [SpotBugs](/sast/supported/spotbugs.j2.html){:target="_blank"}
+
+!!! docker "Docker image"
+    A Docker image used to run tests is available with the prerequisites installed.
+    You can use it to test CodeSecTools without installing extra packages on your system.
+
+    ⚠️ However, this container is intended for running tests, not for normal usage.
+    Therefore, any data and results inside the container will be deleted when you exit.
+
+    Please perform a normal installation if you want to keep your results.
+
+
+## 2. Installation
+
+!!! cube "Normal installation"
+
+    - Clone the repository:
+    ```bash
+    git clone https://github.com/OPPIDA/CodeSecTools.git
+    cd CodeSecTools
+    ```
+
+      - Install the project:
+
+        - Using [uv](https://github.com/astral-sh/uv):
+          ```bash
+          uv tool install .
+          ```
+
+        - Using [pipx](https://github.com/pypa/pipx):
+          ```bash
+          pipx install .
+          ```
+
+        - Using pip (not recommended, as it can break your system packages):
+          ```bash
+          pip install .
+          ```
+
+!!! docker "Docker image"
+    To start the Docker container, run the command:
+    ```bash
+    make test-debug
+    ```
+
+    ⚠️ The container will be deleted when you exit.
+
+
+## 3. First run
+
+!!! abstract  "Install completion (optional)"
+    ```bash
+    cstools --install-completion 
+    # For bash
+    source ~/.bash_completions/cstools.sh
+    ```
+
+!!! abstract "Download external resources"
+    This command downloads datasets, rules, and plugins required for the SAST tools.
+
+    For each external resource, you will be prompted with resource information and, most importantly, its license/term.
+    ```bash
+    cstools download all
+    ```
+
+!!! abstract "Check the integration status"
+    This command allows you to check if a SAST tool or dataset is available.
+
+    If not, it will specify what is missing.
+    ```bash
+    cstools status
+    ```
+
+    For this guide, the status for Bearer, SemgrepCE, and SpotBugs should be `Full ✅`.
+
+## 4. Common Use Cases
+
+### Analysis with multiple SAST tools
+
+One important feature of CodeSecTools is the ability to run **multiple** SAST tools in order to:
+
+- **aggregate** all the results to take advantage of each SAST tool's strengths (detecting specific vulnerabilities);
+- **cross-verify** results and increase the confidence that a finding is a true positive.
+
+Here are some analyses running CodeSecTools on vulnerable projects:
+
+??? scan "cyclonedx-core-java (CVE-2025-64518)"
+    *Vulnerability details are from [Github Advisory](https://github.com/advisories/GHSA-6fhj-vr9j-g45r).*
+
+    - Weakness: [CWE-611](https://cwe.mitre.org/data/definitions/611.html) (Improper Restriction of XML External Entity Reference).
+    - Introduced in commit [162aa59](https://github.com/CycloneDX/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9#diff-fc28290f55c35403fc95b45ee2714337621f54b48caba5e01f08d5760b54139a).
+    - Patched in pull request [#737](https://github.com/CycloneDX/cyclonedx-core-java/pull/737/files#diff-fc28290f55c35403fc95b45ee2714337621f54b48caba5e01f08d5760b54139a).
+    - Vulnerable file: [`src/main/java/org/cyclonedx/CycloneDxSchema.java`](https://github.com/CycloneDX/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9#diff-fc28290f55c35403fc95b45ee2714337621f54b48caba5e01f08d5760b54139a).
+
+    Download the vulnerable version of the project:
+    ```bash
+    git clone https://github.com/CycloneDX/cyclonedx-core-java
+    cd cyclonedx-core-java
+    git checkout 162aa59
+    ```
+
+    Compile the project to generate Java bytecode for SAST tools that require it:
+    ```bash
+    mvn clean compile
+    ```
+
+    Run analysis with all SAST tools:
+    ```bash
+    cstools allsast analyze java --artifacts target/classes/
+    ```
+
+    Generate figures and report:
+    ```bash
+    cstools allsast plot cyclonedx-core-java
+    cstools allsast report cyclonedx-core-java
+    ```
+
+    Open the project report (`~/.codesectools/output/AllSAST/cyclonedx-core-java/report/home.html`). 
+
+    The report of the vulnerable file is shown here:
+
+    <iframe width="100%" height="500" style="zoom: 0.5;" src="quick_start_guide/cyclonedx-core-java/report.html"></iframe>
+
+    Some issues have been found by the tools in the vulnerable file, and the file is ranked high (high score) overall among all other files where issues were found.
+
+    SpotBugs is the only tool that detected issues and correctly identified the vulnerability (exact CWE ID).
+
+??? scan "conductor (CVE-2025-26074)"
+    *Vulnerability details are from [Github Advisory](https://github.com/advisories/GHSA-8gqp-hr9g-pg62).*
+
+    - Weakness: [CWE-78](https://cwe.mitre.org/data/definitions/78.html) (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')).
+    - Patched in commit [e981650](https://github.com/conductor-oss/conductor/commit/e9816501df1e364a3d39d7fe37d6e167c40eaa1b).
+    - Vulnerable file: [`core/src/main/java/com/netflix/conductor/core/events/ScriptEvaluator.java`](https://github.com/conductor-oss/conductor/blob/main/core/src/main/java/com/netflix/conductor/core/events/ScriptEvaluator.java).
+    - *Note: the patch did not modify the vulnerable file but other files, which attenuated the vulnerability.*
+
+    Download the vulnerable version of the project:
+    ```bash
+    git clone https://github.com/conductor-oss/conductor
+    cd conductor
+    git checkout 5976cad
+    ```
+
+    Compile the project to generate Java bytecode for SAST tools that require it:
+    ```bash
+    ./gradlew compileJava
+    ```
+
+    Run analysis with all SAST tools:
+    ```bash
+    cstools allsast analyze java --artifacts .
+    ```
+
+    Generate figures and report:
+    ```bash
+    cstools allsast plot conductor
+    cstools allsast report conductor
+    ```
+
+    Open the project report (`~/.codesectools/output/AllSAST/conductor/report/home.html`). 
+
+    The report of the vulnerable file is shown here:
+
+    <iframe width="100%" height="500" style="zoom: 0.5;" src="quick_start_guide/conductor/report.html"></iframe>
+
+    Only one issue has been found by the tools in the vulnerable file, and the file is ranked low (low score) overall among all other files where issues were found.
+
+    SemgrepCE is the only tool that detected issues and partially identified the vulnerability.
+    It has detected a `code injection` that could leads to an `OS command injection`.
+
+    *Note: If we did not know that a vulnerability existed, we would have had to verify it (by attempting to exploit it) because the `eval` function is a feature.*
+
+### Benchmarking SAST tool
+
+It is possible to benchmark any SAST tool on any dataset that are integrated to CodeSecTools thanks to the prior integration:
+
+```bash
+cstools spotbugs benchmark BenchmarkJava_java 
+```
+
+If the SAST tool requires artifacts, the expected artifacts and build command are provided:
+
+```bash
+cstools spotbugs benchmark BenchmarkJava_java 
+╭──────────────────────── SpotBugs - PrebuiltSAST ────────────────────────╮
+│                                                                         │
+│ Please build BenchmarkJava before running the benchmark                 │
+│ Build command:          mvn clean compile                               │
+│ Full command:           (cd                                             │
+│ /home/michel/.codesectools/cache/BenchmarkJava && mvn clean compile)    │
+│ Expected arteficts:                                                     │
+│ /home/michel/.codesectools/cache/BenchmarkJava/target/classes/org/owasp │
+│ /benchmark/testcode/*.class                                             │
+╰─────────────────────────────────────────────────────────────────────────╯
+```
+
+Then generating figures using the analysis output:
+
+```bash
+cstools spotbugs plot BenchmarkJava_java --overwrite
+Figure overview saved at /home/michel/.codesectools/output/SpotBugs/BenchmarkJava_java/_figures/overview.png
+Figure top_cwes saved at /home/michel/.codesectools/output/SpotBugs/BenchmarkJava_java/_figures/top_cwes.png
+```
+
+Figures:
+
+![Overview](quick_start_guide/benchmark/overview.png)
+
+![Top CWEs](quick_start_guide/benchmark/top_cwes.png)