Frequently asked questions about the scanner | Fluid Attacks Help

Scanner FAQ

This section addresses common questions and issues that users might face using the Machine Standalone tool.

General information

Where can I find the latest information about the tool?

The most current information and updates can be found on this page, as the AppDefenseAlliance's documentation on our tool is outdated.

Do I need to create a Dockerfile to use the tool?

No, it is not necessary to create a Dockerfile. You only need to download the Docker image.

Running the scanner

How do I run the scanner?

Please check the getting started section.

Mounting Operation not permitted error

If this message appears at the end of the error log:

error: mounting /proc: Operation not permitted

Try running the scan with the --privileged flag:

docker run --privileged -v /your/local/dir:/working-dir fluidattacks/cli:arch skims scan /working-dir/config.yaml

Invalid argument error

If the error message at the end of the error log is something like this:

[ERROR] Enter a valid argument,
the argument types are the path to a .yaml configuration file or the path to a directory.
Doc: https://docs.fluidattacks.com/tech/scanner/standalone

It means that the path to the config.yaml file or the folder to scan is incorrect, or that you are passing a path from your host machine that does not exist inside the container's runtime (the scanner only sees what is mounted into the container).

Therefore, verify that the path exists and, in the latter case, ensure that you are correctly mounting the volume with the respective files inside the container and passing the path as it appears inside the container.
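The mounting and invalid-argument answers above both come down to the same mapping: the host directory mounted at /working-dir and the path the scanner is given inside the container. The following wrapper, an added example and not part of the Fluid Attacks tooling, checks that the target exists on the host and lies under the mounted directory, rewrites it to the container path, and forwards any extra docker flags (such as --privileged) to docker run; the mount point /working-dir and the image name are taken from the commands on this page.

```shell
#!/usr/bin/env sh
# Added example (not Fluid Attacks' code): run the scanner with a host path,
# translating it to the path the container sees and failing early on the two
# mistakes that produce "Enter a valid argument".

# host_to_container HOST_DIR HOST_PATH
# Prints the container path for HOST_PATH assuming HOST_DIR is mounted at
# /working-dir, or returns 1 when HOST_PATH is not inside HOST_DIR.
host_to_container() {
  host_dir="${1%/}"
  host_path="$2"
  case "$host_path" in
    "$host_dir"|"$host_dir"/*) ;;
    *)
      printf 'error: %s is not under the mounted directory %s\n' \
        "$host_path" "$host_dir" >&2
      return 1 ;;
  esac
  printf '/working-dir%s\n' "${host_path#"$host_dir"}"
}

# run_scan HOST_DIR TARGET [extra docker flags...]
# TARGET is a config.yaml or a directory on the host; it must exist and be
# inside HOST_DIR. Extra flags (e.g. --privileged) are passed to docker run.
run_scan() {
  host_dir="$1"
  target="$2"
  shift 2
  if [ ! -e "$target" ]; then
    printf 'error: %s does not exist on the host\n' "$target" >&2
    return 1
  fi
  container_path=$(host_to_container "$host_dir" "$target") || return 1
  docker run "$@" -v "$host_dir":/working-dir \
    fluidattacks/cli:arch skims scan "$container_path"
}
```

Example call: run_scan /your/local/dir /your/local/dir/config.yaml --privileged.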

Errors during execution

My apk files are being reported under CWE-377 as unverifiable

This means you are including APK files in the SAST module of the scanner. APK files are only meant to be scanned in the APK module (as the name implies). To remove those reports, add the exclude key to the sast section of the configuration, like so:

sast:
  include:
    - .
  exclude:
    - glob(**/*.apk)

File too large error

If you encounter this message frequently:

[WARNING] File too large

It means that the tool is ignoring large files to avoid possible memory issues.

If you wish to remove this limitation, use the file size limit key.

If you remove the limit and encounter memory errors, we recommend splitting the executions of the scanner (e.g. performing multiple executions, each scanning only certain folders).

We are actively making improvements on this topic so in the future this is not necessary.

Scan execution taking forever to complete

If your scan is taking longer than it should, we recommend:

  • Check for Included Dependency Folders: Ensure that you are not including dependency folders in the sast scan, such as node_modules, dist, vendor and their equivalents.

  • Use the Recursion Limit Key: Consider using the recursion limit key to limit the depth of search within a single file. We recommend setting it to 1000.

If you encounter a different error, you can open a new issue in our open source repository.