sf scanner run dfa

Scans codebase with all DFA rules by default. Specify the format of output and print results directly or as contents of a file that you provide with --outfile flag.

The scanner run dfa command runs for a longer time than scanner run, and it requires a target code context path. If your codebase is complex, increase the Java heap space to avoid OutOfMemory errors. See Understand LimitReached Errors.

Modify SFGE_RULE_THREAD_TIMEOUT to adjust how long DFA-based rules execute before timing out (default: 900,000 ms or 15 minutes). Use this control when you want Graph Engine to run longer and analyze more complex code. The equivalent flag on the scanner run dfa command is --rule-thread-timeout.

These examples follow Graph Engine syntax.

  • The paths for all files in --projectdir are specified through --target.
  • Globs, when in use, are wrapped in quotes.
  • ./myproject/main/default/classes/*.cls, ./dir1/file1.cls,./dir2/file2.cls: Example source code locations.
  • ./myproject/, ./dir1/,./dir2/: The root project directory.

These two examples evaluate rules against all .cls files below the current directory, except for IgnoreMe.cls.

  • {./**/*.cls,!./**/IgnoreMe.cls}: The source code location.

This example targets individual methods within a file. It uses a suffix of the file's path plus a hash (#) and a semicolon-delimited list of method names. This syntax is incompatible with globs and directories. This example also evaluates rules against all methods named Method1 or Method2 in File1.cls, and all methods named Method3 in File2.cls.

  • ./File1.cls#Method1;Method2,./File2.cls#Method3: The source code location.

This example uses --normalize-severity to output a normalized severity across all engines in addition to the engine-specific severity. Values are 1 (high), 2 (moderate), and 3 (low).

  • /some-project/: The source code location.
  • csv: The results output format.

This example uses --severity-threshold to return a non-zero exit code when rule violations of a specific normalized severity or greater are found. When there are rule violations with high (1) or moderate (2) severity, the exit code equals the severity of the most severe violation.

  • /some-project/: The source code location.
  • 2: A severity value. Possible values are: 1 (high), 2 (moderate), and 3 (low).

This example uses --rule-thread-count so more or fewer entry points can be evaluated concurrently.

  • 6: The number of rule evaluation threads.

This example uses --rule-thread-timeout to increase or decrease the maximum runtime for a single entry point evaluation. You can increase the timeout from 15 minutes (default) up to 150 minutes.

  • 9000000: A time limit in milliseconds for evaluating a single entrypoint.

This example uses --sfgejvmargs to pass JVM arguments that override system defaults while the Graph Engine rules execute. It overrides the system's default heap space allocation with 2 GB, which decreases the likelihood of encountering an OutOfMemory error.

  • -Xmx2g: The Java Virtual Machine arguments.

sf scanner run dfa
   [-c CATEGORY_LIST]
   [-f FORMAT]
   [-o OUTFILE]
   [-p PROJECTDIR_LIST]
   [-s SEVERITY-THRESHOLD]
   [-t TARGET_LIST]
   [--json]
   [--normalize-severity]
   [--pathexplimit PATHEXPLIMIT]
   [--rule-disable-warning-violation]
   [--rule-thread-count RULE-THREAD-COUNT]
   [--rule-thread-timeout RULE-THREAD-TIMEOUT]
   [--sfgejvmargs SFGEJVMARGS]
   [--verbose]
   [--with-pilot]

-c | --category CATEGORY_LIST

Optional

One or more categories of rules to run. Specify multiple values as a comma-separated list.

Type: option

-f | --format FORMAT

Optional

Specifies the output format for results written directly to the console.

Type: option

Possible Values: csv | html | json | junit | sarif | table | xml

-o | --outfile OUTFILE

Optional

Writes output to a file.

Type: option

-p | --projectdir PROJECTDIR_LIST

Optional

Provides the relative or absolute root project directories used to set the context for Graph Engine's analysis. Specify multiple values as a comma-separated list. Each project directory must be a path, not a glob. If --projectdir isn’t specified, a default value is calculated. The default value is a directory that contains all the target files.

Type: option

-s | --severity-threshold SEVERITY-THRESHOLD

Optional

Throws an error when violations are found with severity equal to or greater than the provided value. Values are 1 (high), 2 (moderate), and 3 (low). The exit code equals the severity of the most severe violation. Using this flag also invokes the --normalize-severity flag.

Type: option

-t | --target TARGET_LIST

Optional

Specifies the source code location. Use glob patterns or specify individual methods with #-syntax. Multiple values are specified as a comma-separated list. Default is ".".

Type: option

--json

Optional

Format output as JSON.

Type: boolean

--normalize-severity

Optional

Returns normalized severity 1 (high), 2 (moderate), and 3 (low), and the engine-specific severity. For the html option, the normalized severity is displayed instead of the engine severity.

Type: boolean

--pathexplimit PATHEXPLIMIT

Optional

Specifies a path expansion upper boundary to limit the complexity of code Graph Engine analyzes before failing fast. Set the value to -1 to remove any upper boundary. --pathexplimit inherits its value from the SFGE_PATH_EXPANSION_LIMIT environment variable, if set. Its default value is derived from the JVM heap space allocation.

Type: option

--rule-disable-warning-violation

Optional

Disables warning violations, such as those on StripInaccessible READ access, so that only high-severity violations are reported (default: false). Inherits its value from the SFGE_RULE_DISABLE_WARNING_VIOLATION environment variable, if set.

Type: boolean

--rule-thread-count RULE-THREAD-COUNT

Optional

Specifies the number of rule-evaluation threads or how many entry points can be evaluated concurrently. Inherits its value from the SFGE_RULE_THREAD_COUNT environment variable, if set. The default is 4.

Type: option

--rule-thread-timeout RULE-THREAD-TIMEOUT

Optional

Specifies the time limit for evaluating a single entry point in milliseconds. Inherits its value from the SFGE_RULE_THREAD_TIMEOUT environment variable, if set. The default is 900,000 ms or 15 minutes.

Type: option

--sfgejvmargs SFGEJVMARGS

Optional

Specifies Java Virtual Machine arguments to override system defaults while executing Salesforce Graph Engine. For multiple arguments, add them to the same string separated by space.

Type: option

--verbose

Optional

Emit additional command output to stdout.

Type: boolean

--with-pilot

Optional

Allows pilot rules to execute.

Type: boolean

Salesforce Graph Engine has these environment variable-based controls.

Set SFGE_JVM_ARGS to work around LimitReached errors (see Understand LimitReached Errors) and other JVM issues while executing the scanner run dfa command. Refer to the JVM documentation for more info. The equivalent flag on the scanner run dfa command is --sfgejvmargs.

Set SFGE_RULE_DISABLE_WARNING_VIOLATION to true to suppress warning violations, such as those related to StripInaccessible READ access (default: false). The equivalent flag on the scanner run dfa command is --rule-disable-warning-violation.

Modify SFGE_RULE_THREAD_COUNT to adjust the number of threads that each execute DFA-based rules (default: 4). The equivalent flag on the scanner run dfa command is --rule-thread-count.

Modify SFGE_RULE_THREAD_TIMEOUT to adjust how long DFA-based rules execute before timing out (default: 900,000 ms or 15 minutes). Use this control when you want Graph Engine to run longer and analyze more complex code. The equivalent flag on the scanner run dfa command is --rule-thread-timeout.
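The following is an added example, not code from the Code Analyzer documentation: a CI wrapper that sets the environment-variable controls above, builds a --target list in the file#Method syntax from the examples section, and turns the exit code produced by --severity-threshold into a verdict. It assumes the sf CLI is installed and that --outfile infers the CSV format from the .csv extension; the project directory, target files and output file name are placeholders.

```shell
#!/bin/sh
# Added example, not from the Code Analyzer docs: a CI wrapper for `sf scanner run dfa`
# that applies this page's Graph Engine controls and interprets the exit code that
# --severity-threshold produces. Assumes the `sf` CLI is installed; the project
# directory, target files and output file name are placeholders.

# Export the documented env vars so every dfa run in the pipeline gets the same limits:
# 2 GB heap, 150-minute per-entry-point timeout, 6 rule-evaluation threads.
configure_graph_engine() {
  SFGE_JVM_ARGS="-Xmx2g";           export SFGE_JVM_ARGS
  SFGE_RULE_THREAD_TIMEOUT=9000000; export SFGE_RULE_THREAD_TIMEOUT
  SFGE_RULE_THREAD_COUNT=6;         export SFGE_RULE_THREAD_COUNT
}

# Build one --target entry in "file#Method1;Method2" form (this syntax cannot be
# mixed with globs or directories, so callers pass individual files only).
method_target() {
  file=$1; shift
  methods=$(printf '%s;' "$@"); methods=${methods%;}
  printf '%s#%s\n' "$file" "$methods"
}

# Run the scan, writing normalized-severity results to a CSV file. The target list is
# one quoted argument so the shell does not split it on ';' or expand the globs.
run_dfa_scan() {
  sf scanner run dfa \
    --projectdir "$1" \
    --target "$2" \
    --outfile "$3" \
    --normalize-severity \
    --severity-threshold "$4"
}

# With --severity-threshold, a non-zero exit code is the normalized severity of the
# worst violation at or above the threshold; any other value is a scanner failure.
dfa_verdict() {
  case "$1" in
    0) echo "pass: no violations at or above the threshold" ;;
    1) echo "fail: high-severity violation found" ;;
    2) echo "fail: moderate-severity violation found" ;;
    3) echo "fail: low-severity violation found" ;;
    *) echo "error: scanner exited with $1 (check for LimitReached or OutOfMemory)" ;;
  esac
}
# Scan only when a project directory is given, so the file can also be sourced.
if [ $# -ge 1 ]; then
  configure_graph_engine
  run_dfa_scan "$1" "$(method_target ./File1.cls Method1 Method2),./File2.cls#Method3" dfa-results.csv 2
  rc=$?; dfa_verdict "$rc"; exit "$rc"
fi
```

Run it as `sh dfa-ci.sh ./myproject/` to scan the two placeholder files with a moderate-or-higher threshold; the script's own exit status is the scanner's, so the pipeline step fails exactly when the threshold is crossed.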