Using wi.exe
You can initiate several Fortify WebInspect functions by way of a command-line interface (CLI) using the program wi.exe. Use the following syntax when typing a command:
```
wi.exe -u url [-api type] [-s file] [-ws file] [-Framework name]
       [-CrawlCoverage name] [-ps policyID | -pc path]
       [-ab|ac|an|ad|aa|ak|at creds] [-macro path] [-o|c] [-n name]
       [-e[abcdefghijklmnopst] file] [-x|xd|xa|xn] [-b filepath] [-db]
       [-d filepath -m filename] [-i[erxd] scanid | -ic scanid scanname
       | -im option scanid scanlist] [-r report_name -y report_type
       -w report_favorite -f report_export_file -g[phacxe]]
       [-t compliance_template_file] [-v] [-?]
```
To run multiple scans from the command line, create and execute a batch file, using a format similar to the following:
```
c:
cd \program files\Fortify\Fortify WebInspect
wi.exe -u http://172.16.60.19 -ps 4
wi.exe -u http://www.mywebsite.com
wi.exe -u http://172.16.60.17
wi.exe -u http://172.16.60.16
```
Options
The options are defined in the following table. Items in italics require a value.
| Category | Options | Definition |
|---|---|---|
| General | `-?` | Displays the usage help. |
| | `-u` *url* | Specifies the start URL or IP address. Caution! When using the If the URL contains an ampersand (&), you must enclose the URL within quotation marks. |
| | `-api` *type* | Specifies the API type to be scanned. Valid values for *type* are: Important! You must provide the URL to the Swagger or OData definition file, as shown in the following example: Important! For the Optionally, you can create a scan configuration file with additional information, such as authentication and proxy settings, and point to the settings file in the command. For more information, see Scanning an API with wi.exe. |
| | `-s` *file* | Specifies the settings file. Settings file types are JSON and XML. Note: Command line parameters take precedence over values in a settings file. |
| | `-db` | Indicates to use the database defined in the settings file. If omitted, Fortify WebInspect defaults to the database connection defined in application settings. |
| | `-ws` *file* | Identifies the Web Service Design file to use. |
| | | Specifies an Audit-only scan. |
| | | Specifies a Crawl-only scan. |
| | `-n` *name* | Specifies the scan name. |
| | | Specifies the SecureBase file to use. For *path*, specify the full path and file name. |
| | `-d` *filepath* | Moves the database to the specified filepath. |
| | `-m` *filename* | Moves the database to the specified filename. |
| | `-v` | Creates verbose output. |
| | | Disables telemetry data collection (for this scan only). |
| | `-tm` | Enables the Traffic Monitor (Traffic Viewer) for the scan. Important! The Traffic Monitor requires the traffic session file ( |
| | | Starts configured scan with the specified scan ID (GUID). |
| | | Resumes scan with the specified scan ID (GUID). |
| | | Uses existing scan with the specified scan ID (GUID), but does not continue the scan. |
| | | Deletes scan with the specified scan ID (GUID). |
| | | Imports scan. Note: This parameter is not supported in Fortify WebInspect on Docker. |
| Restrict to Root Folder | | Restricts scan to directory only (self). |
| | | Restricts scan to directory and parents (ancestors). |
| | | Restricts scan to directory and subdirectories (descendants). |
| | | Ignores "restrict to folder" rules in the referenced settings file. Restrict to folder parameters ( |
| Framework | `-Framework` *name* | Specifies the name of the framework; currently only Oracle ADF Faces (Oracle) and IBM WebSphere Portal (WebSpherePortal) are supported. Optimizes scanning of applications built with either of these technologies. |
| Crawl Coverage | `-CrawlCoverage` *name* | Specifies the type of scan coverage. Values for *name* are: |
| Audit Policy | `-ps` *policyID* | Identifies the non-custom policy to use. Values for *policyID* are as follows: Best Practices; By Type; Deprecated; Hazardous |
| | `-pc` *path* | Specifies a custom policy to use. For *path*, specify the full path and file name, such as: C:\ProgramData\hp\HP WebInspect\MyCustomPolicy. |
| Authentication | `-ab "userid:pwd"` | Specifies Basic mode (user name and password). |
| | `-ac "userid:pwd"` | Specifies ADFS CBT mode (user name and password). |
| | `-an "userid:pwd"` | Specifies NTLM mode (user name and password). |
| | `-ad "userid:pwd"` | Specifies Digest mode (user name and password). |
| | `-aa "userid:pwd"` | Specifies Automatic mode (user name and password). |
| | `-ak "userid:pwd"` | Specifies Kerberos mode (user name and password). |
| | | Deprecated; use the |
| | | Specifies the authentication mode (type and token) for API scans, such as: Authentication modes for Note: The type and token must be enclosed in double quotation marks as shown previously. |
| Macro | `-macro` *path* | Specifies the macro name and directory path for web macro authentication. |
| | | Creates an auto-generated macro for authentication. |
| Login Macro Parameters | | Replaces the SmartCredentials UserName and Password with the supplied values. |
| | | Replaces existing TruClient login parameters that match the specified names. |
| Output | | Exports scan in legacy full XML format. |
| | | Exports scan details (Full) in legacy XML format. |
| | | Exports scan details (Comments) in legacy XML format. |
| | | Exports scan details (Hidden Fields) in legacy XML format. |
| | | Exports scan details (Script) in legacy XML format. |
| | | Exports scan details (Set Cookies) in legacy XML format. |
| | | Exports scan details (Web Forms) in legacy XML format. |
| | | Exports scan details (URLs) in legacy XML format. |
| | | Exports scan details (Requests) in legacy XML format. |
| | | Exports scan details (Sessions) in legacy XML format. |
| | | Exports scan details (E-mails) in legacy XML format. |
| | | Exports scan details (Parameters) in legacy XML format. |
| | | Exports scan details (Web Dump) in legacy XML format. |
| | | Exports scan details (Offsite Links) in legacy XML format. |
| | | Exports scan details (Vulnerabilities) in legacy XML format. |
| | | Exports scan in FPR format to the specified file. |
| | `-eq {format} {filepath}` | Exports scan details from the Site Tree. The details include: For single-page application (SPA) scans: For more information, see SPA Coverage. Values for *format* are: If a value being exported includes double quotation marks, escape characters (double quotation marks) will be added to the CSV output. For example, the selector "Sign in" includes double quotation marks, so it will appear as follows in the CSV file: Tip: Use this option in conjunction with the |
| | | Exports scan in |
| | | Exports scan with logs in |
| | | Exports scan settings to the specified file after applying all other overrides. Note: This parameter does not run the scan. It exports the settings and exits. |
| Reports | `-r` *report_name* | Identifies the name of the report to run. Valid values for *report_name* are: Note: Report names containing a space must be enclosed in quotation marks. For multiple reports, separate report names with a semicolon. All reports will be contained in a single file. |
| | `-w` *report_favorite* | Identifies the name of the report favorite to run. |
| | | Aggregates reports in the report favorite. |
| | `-y` *report_type* | Specifies the type of report: Standard or Custom. |
| | `-f` *report_export_file* | Specifies the file path and file name where the report will be saved. |
| | | Exports as Portable Document Format (PDF) file. |
| | | Exports as HTML file. |
| | | Exports as raw report file. |
| | | Exports as rich text format (RTF) file. |
| | | Exports as text file. |
| | | Exports as Excel file. |
| | `-t` *compliance_template_file* | Specifies the compliance template file to use. |
| Scan Merge | `-ic` *scanid scanname* | Creates a merge target scan. For more information, see Merging Scans in this topic. Note: This parameter is not supported in Fortify WebInspect on Docker. |
| | `-im` *option scanid scanlist* | Merges scans. For more information, see Merging Scans in this topic. Choices for *option* are: Important! Use the Note: This parameter is not supported in Fortify WebInspect on Docker. |
| Scan Reuse | | Creates reuse scan settings. Choices for *option* are: The *settings filename* is the name of the modified settings file being created. Note: This parameter is not supported in Fortify WebInspect on Docker. |
| Scan Findings Retest | | Creates a settings file that you can use to start a scan to retest findings. You can retest findings by severity or unique sessionCheckFoundID or both. If you do not provide a severity or sessionCheckFoundID, then all findings in the base scan are retested. Parameter components are as follows: You can provide a list consisting of severities and sessionCheckFoundIDs in any order. The following example shows a valid list: |
| Test Login Macro | | Tests the login macro of an existing scan. |
| Selenium Macro | | Creates a Selenium workflow scan. For the complete process and procedures involved in using this command, see Integrating with Selenium WebDriver. |
| | | Disables validation of Selenium commands before running the scan. Important! When using this parameter, you must specify one or more allowed hosts. For more information, see Integrating with Selenium WebDriver. |
| | `-slm {SeleniumCommand object}` or `@"PathtoFilewithobject"` | Specifies a Selenium login macro for the scan. This option uses the Use See Selenium Login Macro Example. Important! A |
| Postman Scans | `-pwc` | Starts a scan with a Postman Collection file. This option can accept several collection files separated by commas, such as: For more information, see Scanning with a Postman Collection. |
| | `-pdac` | Disables Postman auto-configuration so that auto-configuration or analysis of the Postman collection is not performed before the scan. |
| | `-plc {Collection path}` | Specifies the path to the Postman login collection. |
| | `-pls "logoutsignature"` | Identifies the logout condition. This parameter accepts Regex Extensions. Important! You must replace the space character with |
| | `-pec` | Specifies the Postman environment file to be used in the scan. |
| State Management | `-rs {<ArrayOfResponse` | Supplies a response state rule. This parameter accepts an Important! To use a response state rule stored in a file, you must specify the file path with the For examples, see Response State Rule Example. |
| Other Settings | `-ah {url} [,{url},...]` | Lists the Allowed Hosts. The URL is the schema, host, and port number. |
Examples
The following examples illustrate command line execution as if executed from the WebInspect home directory (the second command is shown on one line):
```
wi.exe -u www.anywebsite.com -ps 1 -ab MyUsername:Mypassword
wi.exe -u https://zero.webappsecurity.com -s c:\program files\webinspect\scans\scripted\ -r "Executive Summary";Vulnerability -y Standard -f c:\program files\webinspect\scans\scripted\zero051105.xml -gx
```
If you do not specify a policy, Fortify WebInspect will crawl (but not audit) the Web site.
If you specify an invalid policy number, Fortify WebInspect will not conduct the scan.
Selenium Login Macro Example
The following is an example of the Selenium login macro option:
```
-slm "<SeleniumCommand><Command>"wi command\"</Command> <AllowedHosts><string>http://hostname/</string> </AllowedHosts><LogoutCondition>Access\sDenied</LogoutCondition> </SeleniumCommand>"
```
Response State Rule Example
The following is an example of a response state rule:
```
-rs "<ArrayOfResponseStateElement><ResponseStateElement><name> AutoDetect</name><ReplaceRegexes><string>Authorization:\sBearer\s (?<AutoDetect>[^\r\n]*)\r\n</string></ReplaceRegexes> <SearchRegexes><string>""en"":""(?<AutoDetect> [-a-zA-Z0-9._~+/]+?=*)""}$</string></SearchRegexes> </ResponseStateElement></ArrayOfResponseStateElement>"
```
Tip: You can create response state rules in Scan Settings: HTTP Parsing in the Fortify WebInspect user interface. You can then open the scan settings XML file, locate the ResponseStateElement, and copy and paste it into the -rs parameter. For more information about response state rules, see Scan Settings: HTTP Parsing.
The following code shows an example starting a Postman scan using a response state rule that is stored in a file:
```
wi -pwc c:\BearerWorkflow.json -pdac -plc c:\BearerLogin.json -rs @c:\BearerResponseStateRule.txt -pls
```
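The tip above describes copying a ResponseStateElement out of the scan settings XML by hand into the -rs parameter, and the Postman example passes the rule from a file with `-rs @path`. The script below automates that copy: it finds every ResponseStateElement in a settings document, checks that each carries a name, a search regex and a replace regex (the shape of the rule shown on this page), wraps them in the ArrayOfResponseStateElement root and writes the result to a rule file. This is an added example written for this page, not code from the WebInspect product or documentation. The settings document it parses is constructed, and the element names enclosing the rule in that sample (ScanSettings, HttpParsing) are placeholders; the code locates rules by element name, so the real nesting is irrelevant.

```python
"""Extract response state rules from a WebInspect scan-settings XML file and
write them as a rule file for wi.exe -rs @path.

Added example; not part of the WebInspect documentation. It assumes the
settings file contains <ResponseStateElement> elements with the children
shown in the page's -rs example (name, ReplaceRegexes/string,
SearchRegexes/string). The enclosing element names in SAMPLE_SETTINGS are
placeholders.
"""
import copy
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample of a scan-settings document. Only the rule itself is
# shaped as on the page; <ScanSettings> and <HttpParsing> are placeholders.
SAMPLE_SETTINGS = """<?xml version="1.0" encoding="utf-8"?>
<ScanSettings>
  <HttpParsing>
    <ArrayOfResponseStateElement>
      <ResponseStateElement>
        <name>AutoDetect</name>
        <ReplaceRegexes>
          <string>Authorization:\\sBearer\\s(?&lt;AutoDetect&gt;[^\\r\\n]*)\\r\\n</string>
        </ReplaceRegexes>
        <SearchRegexes>
          <string>"en":"(?&lt;AutoDetect&gt;[-a-zA-Z0-9._~+/]+?=*)"}$</string>
        </SearchRegexes>
      </ResponseStateElement>
    </ArrayOfResponseStateElement>
  </HttpParsing>
</ScanSettings>
"""


def extract_rules(settings_xml: str) -> List[ET.Element]:
    """Return a copy of every ResponseStateElement found anywhere in the document."""
    root = ET.fromstring(settings_xml)
    return [copy.deepcopy(el) for el in root.iter("ResponseStateElement")]


def validate_rule(rule: ET.Element) -> List[str]:
    """Return the problems found in one rule; an empty list means it looks usable.

    The rule on this page carries a name, a search regex and a replace regex,
    so a rule missing any of them is flagged before it reaches the scanner.
    """
    problems = []
    name = (rule.findtext("name") or "").strip()
    if not name:
        problems.append("missing <name>")
    label = name or "?"
    searches = [s.text or "" for s in rule.findall("SearchRegexes/string")]
    if not any(s.strip() for s in searches):
        problems.append(f"rule '{label}' has no SearchRegexes/string")
    replaces = [r.text or "" for r in rule.findall("ReplaceRegexes/string")]
    if not any(r.strip() for r in replaces):
        problems.append(f"rule '{label}' has no ReplaceRegexes/string")
    return problems


def rules_to_rs_xml(rules: List[ET.Element]) -> str:
    """Wrap the rules in <ArrayOfResponseStateElement>, the root shown for -rs."""
    root = ET.Element("ArrayOfResponseStateElement")
    for rule in rules:
        root.append(rule)
    # No XML declaration; '<' inside regex text is serialised as &lt;, which
    # any XML parser reads back as '<'.
    return ET.tostring(root, encoding="unicode")


def write_rs_file(settings_xml: str, out_path: str) -> int:
    """Write the rules from settings_xml to out_path and return how many were written.

    Raises ValueError if any rule fails validation, so a malformed rule is
    never handed to the scanner silently.
    """
    rules = extract_rules(settings_xml)
    problems = [p for rule in rules for p in validate_rule(rule)]
    if problems:
        raise ValueError("; ".join(problems))
    with open(out_path, "w", encoding="utf-8") as fh:
        fh.write(rules_to_rs_xml(rules))
    return len(rules)


if __name__ == "__main__":
    count = write_rs_file(SAMPLE_SETTINGS, "BearerResponseStateRule.txt")
    print(f"wrote {count} rule(s); use with: wi.exe ... -rs @BearerResponseStateRule.txt")
```

The doubled quotation marks (`""en""`) in the page's inline `-rs` example are command-line quoting for an argument that is itself enclosed in double quotes; the file written here contains the rule as plain XML, which is why the script is the simpler route whenever the rule contains quotes or other characters the shell would interpret.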
Merging Scans
Note: This feature is not supported in Fortify WebInspect on Docker.
You cannot merge into an existing scan. You must first create a merge target using the "ic" parameter.
The scans to be merged are sorted by scan date and are merged in that order. Order is important because information is lost when session IDs are the same in the two scans. When this occurs, by default the earlier session and vulnerability are overwritten with the later session and vulnerability. To prevent this when merging, you can choose another option for handling identical session IDs.
Note: Merging may work best with two scans that have few or no identical session IDs.
For all merge scan options, only sessions with an audit status of “Complete” in the source scan are merged. Session Exclusions (excluded from audit) are not merged. See Audit Settings: Attack Exclusions for more information.
Hyphens in Command Line Arguments
You can use hyphens in command line arguments (output files, etc.) only if the argument is enclosed in double quotes, as illustrated by the "export path" argument in the following command:
wi.exe -u http://zero.webappsecurity.com -ea "c:\temp\command-line-test-export.xml"
Note: The process, as it appears in the Task Manager, is WI.exe. Scan data will be cached temporarily in the Working directory and then moved to the Scans directory.
Exit Codes
The WI.exe application returns one of the exit codes described in the following table.
| Code | Description |
|---|---|
| 0 | The command completed without errors. |
| -1 or -3 | An error occurred. |
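The batch file shown at the top of this topic, the rule that hyphenated arguments must be double-quoted, and the exit-code table above are what a scan driver has to get right. The following is an added example written for this page, not code from the WebInspect product or documentation: it queues several wi.exe scans from Python, passes arguments as a list so that URLs containing `&` and paths containing hyphens need no shell quoting, flags jobs started without a policy (which the page says crawl but do not audit), and maps the documented exit codes back to their signed values. It assumes wi.exe is on PATH or that the `WI_EXE` environment variable holds its full path; the target URLs and scan names are constructed, and the `-ea` export switch is the one used in the page's own hyphen example.

```python
"""Drive several Fortify WebInspect scans from Python instead of a batch file.

Added example; not part of the WebInspect documentation. Assumes wi.exe is on
PATH (or WI_EXE names it) and uses constructed sample targets.
"""
import os
import subprocess
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

WI_EXE = os.environ.get("WI_EXE", "wi.exe")

# Exit codes documented for wi.exe: 0 = completed without errors,
# -1 or -3 = an error occurred.
EXIT_OK = {0}
EXIT_ERROR = {-1, -3}


@dataclass
class ScanJob:
    url: str                              # -u start URL
    policy_id: Optional[int] = None       # -ps built-in policy ID
    settings_file: Optional[str] = None   # -s settings file (JSON or XML)
    export_path: Optional[str] = None     # -ea export file (as in the page's hyphen example)
    scan_name: Optional[str] = None       # -n scan name


def build_args(job: ScanJob) -> List[str]:
    """Return the argv list for one scan.

    Handing subprocess a list means each value reaches wi.exe as one argument:
    a URL containing '&' or an export path containing hyphens needs no manual
    double-quoting here, although it does on a cmd.exe command line.
    """
    args = [WI_EXE, "-u", job.url]
    if job.policy_id is not None:
        args += ["-ps", str(job.policy_id)]
    if job.settings_file:
        args += ["-s", job.settings_file]
    if job.export_path:
        args += ["-ea", job.export_path]
    if job.scan_name:
        args += ["-n", job.scan_name]
    return args


def to_signed32(code: int) -> int:
    """Normalise a Windows process exit code.

    subprocess reports the raw 32-bit DWORD, so wi.exe's -1 arrives as
    4294967295 and -3 as 4294967293; map them back to the documented values.
    """
    return code - 2**32 if code >= 2**31 else code


def classify_exit(code: int) -> str:
    """Map an exit code to 'ok', 'error' or 'unknown' using the documented table."""
    code = to_signed32(code)
    if code in EXIT_OK:
        return "ok"
    if code in EXIT_ERROR:
        return "error"
    return "unknown"


def run_jobs(jobs: List[ScanJob],
             runner: Callable[[List[str]], object] = subprocess.run) -> List[Dict[str, str]]:
    """Run the scans one after another, as the documented batch file does.

    `runner` defaults to subprocess.run; a stand-in can be passed so the
    driver can be exercised without a scanner installed.
    """
    results = []
    for job in jobs:
        note = ""
        if job.policy_id is None:
            # Documented behaviour: without a policy wi.exe crawls but does not audit.
            note = "no -ps given: crawl only unless the settings file supplies a policy"
        completed = runner(build_args(job))
        results.append({
            "url": job.url,
            "status": classify_exit(completed.returncode),
            "note": note,
        })
    return results


if __name__ == "__main__":
    queue = [  # constructed sample targets
        ScanJob("http://172.16.60.19", policy_id=4, scan_name="nightly-19"),
        ScanJob("http://www.mywebsite.com/app?id=1&view=full",
                export_path=r"c:\temp\mywebsite-export.xml"),
    ]
    for result in run_jobs(queue):
        print(result)
```

Running the scans sequentially mirrors the batch file; the status dictionary is what a scheduler or CI job would inspect, and the note field makes an accidental crawl-only run visible instead of silently producing a scan with no findings.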