AI HTML report requires some CDN assets

[Eldadc]

After Running scan with CLI command , Report created successfully.
Report - Feature Group Links are not been displayed , Missing image and link on the list.
Reproduced on Edge and Chrome.

Thanks

[gfs]

Hey @Eldadc,

Can you provide a screenshot of the elements that aren't displaying correctly?

Is this only with a specific set of source code or with any source code?

What version of app inspector are you using?

If a 1.4 version, Does this issue also occur with the 1.5 beta release?

Thanks

[Eldadc]

Hi,

I am working in offline network , so I have issue sending screen shots.

1. 1.4.29

Thanks

[gfs]

Understood. Sorry you're encountering an issue with the HTML report. Thanks for the version number.

I will try to reproduce tomorrow in an offline environment.

I have a theory that there is a reference to a style sheet or other resource required for the page to function properly that is a ref to an online resource and not bundled. If this is the case it should be an easy fix, just to download that resource and bundle it.

Caveat: I did not originally write the HTML format for AI, and it is relatively complex, but the design intent is that the HTML report is standalone and does not require online resources. We don't run any service or anything that is performing work - all the analysis is done locally and already compiled into the HTML file.

[gfs]

I was unable to get to this today but I should have time tomorrow, or at the latest EOW to reproduce the issue and develop a fix.

[gfs]

I have investigated this today and identified the source of the issues.

1. There are a number of js files that are loaded from cdns
2. There are a number of css files that are loaded from cdns
3. The project uses FontAwesome - so one of those js files also tries to dynamically fetch woff2 files.

I was able to refactor the code so 1 and 2 are included, but I encountered some issues with some of the javascript when embedded this way and the woff2 files cannot be directly embedded in the html from what I have been able to find, so I think it might be a dead end to make a standalone single .html file.

I'll have to look deeper into this to determine what to do next. Due to the complexity of the html report, I think it is simpler to remove the output format entirely and replace it with a reader mode in AI that run locally and parse the json or sarif result and provide a similar format to the current html output.

[Eldadc]

Hi,

Thanks so much on your determination and efforts to help us !
So basically I will set the output format to JSON or SARIF file and display i with other third party viewer.
Do you support SARIF output format ?

Thanks

[gfs]

Yes, application inspector supports both a proprietary json format and standard sarif output that can be viewed with the tool of your choice. Use the -f json or -f sarif argument to analyze.

Note: when using -f sarif and the output is printed to stdout unless you specify a -o location for the output file.

For example:

Appinspector analyze -s path/to/src -f sarif -o path/to/output.sarif

[Eldadc]

Hi,

I have managed to run application with sarif output , sarif was created successfully, but the content is missing , there only issues regrading remarks , all other issues are missing , of course the file is very small .
On the other hand the HTML output file has significantly more content if I open it with text editor.

Thanks

[gfs]

Sorry, I’m not sure what you mean.

• Are you using custom rules or default rules?

• If you’re using default rules, what rule identifiers are present in the html but not sarif?

• if you’re using custom rules, is there any pattern to the qualities of the rules that have matches and other that don’t between the two outputs?

• What is the full set of arguments you’re using for both sarif and html? I don’t need the paths to files on your system, but I do need all arguments you are using for both commands.

• What do you mean by “remarks”? The sarif output should have records for all the matches, with their associated tags. Things that are not considered matches (metadata) are not included in the sarif at this time, but some of that is used in the html report, What aspect of the HTML report are you missing or looking for in particular? The sarif format is pretty extensible - do you know what sarif field are you expecting that data in?

[Eldadc]

Hi,

Yes I am running simple CLI command with default rules.
Command:
applicationInspector.CLI.exe analyze -s -f sarif -o <path to sarif report .sarif>

The sarif have been created but with just issues regrading CodeHygiene "ToDo" remarks .
The HTML file has of course a lot of issue in their content.

Thanks

[gfs]

Thanks. I'll take a look soon - I have time set aside this week for app inspector.

One more thing, if you run the json report are the issues you expect to see present? The json report should be essentially a raw dump of the result object, which is parsed to create the html or sarif reports.

For json:

applicationInspector.CLI.exe analyze -s -f json -o output.json

[Eldadc]

Hi,

No ,Looks like same results like sarif.
Question , Sarif \ JSON should contain all data regrading coding features of first or third party software components ?

[gfs]

The json should contain all the data from which the html report is derived.

When you say coding features do
you mean the big table of icons in the html report?

[gfs]

We are looking to replace the html report with a blazor interface that can parse and display the json report (see #2).

I don't have a timeline yet for when that work will be done, but it will be designed to work without any cdn assets.