xsharp.eu • Security Scan for X#

Security Scan for X#

Posted: Thu Sep 10, 2020 3:37 pm
by markus.lopin
Hi,

We are considering X# for replacing some of our VFP components. We have the requirement for security scan support (e.g. like SonarQube) if we introduce a new programming language. Is there any known tool or SonarQube plug-in which can support this search for bugs, vulnerabilities and code smells for X#, or maybe on MSIL/CIL level?

Thank you
Markus

Security Scan for X#

Posted: Thu Sep 10, 2020 5:31 pm
by robert
Markus,
I am not familiar with SonarQube, but if this product can scan IL code, such as produced by C# and VB, then it should have no problem with assemblies produced by X#. We are using the same underlying components as C# and VB to produce our binaries.
If SonarQube scans source code, then it most likely does not support X#.

Robert

Security Scan for X#

Posted: Fri Sep 11, 2020 5:41 am
by markus.lopin
Robert,
Thank you for your fast response. SonarQube has dedicated VB/C# plug-ins, and I have not found any IL scanner. I was curious if someone in the forum would know a tool for IL security scanning or would have the same request.
Markus

Security Scan for X#

Posted: Mon Sep 21, 2020 9:50 am
by VR
Hello,

We use SonarQube for some of our C# projects. I tried whether the dotnet scanner of SonarQube picks up X# code, but sadly that is not the case.

It is possible to create plugins for SonarQube to add new languages. I created a proof of concept that scans X# code and counts statements and comments, but it's quite complicated. IMO, one possible way to implement the integration is to use the XSharpParser or XSharpCompiler to create a file with the parsed source file, and a plugin that imports this data into SonarQube.

Volkmar

Security Scan for X#

Posted: Mon Nov 23, 2020 10:30 am
by Otto
SonarQube sounds interesting!

Security Scan for X#

Posted: Mon Dec 05, 2022 12:01 pm
by jjw
Hello,

Volkmar, how far did you get with the SonarQube plugin proof of concept?
I would be interested even in just being able to count statements and comments.

I would be interested in how complicated it would be to extend and improve the plugin too.

Joshua

Security Scan for X#

Posted: Mon Dec 05, 2022 3:28 pm
by VR
Hello Joshua,

Yes, we made some progress. With the help of a summer intern, we managed to create a basic integration of X# into SonarQube. We did the following.

* A scanner (written in C#) uses the XSharp.VsParser.Helpers NuGet package to parse the X# files into ASTs
* The ASTs are used to export the tokens as a JSON file
* Additionally, the ASTs are used to evaluate some simple "rules" (like empty method, if can be simplified, ...), which are also saved as JSON
* A SonarQube plugin (written in Kotlin) is used to import the data stored in the JSON files into SonarQube

The whole process is very tailored to our use case, but it gives some benefits like statistics, syntax highlighting and duplicate code analysis. And the issues that the scanner detects are also shown...

Volkmar
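The pipeline Volkmar describes above (a scanner walks the X# source, evaluates simple rules such as "empty method", and writes the findings to JSON that SonarQube then imports) can be illustrated end to end without the Kotlin plugin. The example below is added here and is not the forum project's code: instead of the XSharp.VsParser.Helpers AST it uses a line-based regex as a stand-in parser, and instead of a custom plugin it writes SonarQube's built-in Generic Issue Import JSON format (consumed via the `sonar.externalIssuesReportPaths` analysis property). The `engineId` and `ruleId` values, the sample X# source and the `.prg` path are constructed for the example.

```python
"""Toy X# scanner that emits SonarQube Generic Issue Import JSON.

Added example, not the thread's scanner. The regex parser is an assumption
standing in for XSharp.VsParser.Helpers; real X# syntax is richer than this.
"""
from __future__ import annotations

import json
import re

# Constructed X# sample (not from the thread): one empty method, one real one.
SAMPLE_SOURCE = """\
CLASS Customer
    METHOD DoNothing() AS VOID
    END METHOD

    METHOD Greet(name AS STRING) AS STRING
        // build the greeting
        RETURN "Hello " + name
    END METHOD
END CLASS
"""

METHOD_START = re.compile(r"^\s*METHOD\s+(\w+)", re.IGNORECASE)
METHOD_END = re.compile(r"^\s*END\s+METHOD\b", re.IGNORECASE)
LINE_COMMENT = re.compile(r"^\s*//")


def count_statements_and_comments(source: str) -> tuple[int, int]:
    """Return (statements, comments).

    A '//' line is a comment; any other non-blank line counts as a statement.
    This is the "count statements and comments" metric from the thread, in
    its crudest line-based form.
    """
    statements = comments = 0
    for line in source.splitlines():
        if not line.strip():
            continue
        if LINE_COMMENT.match(line):
            comments += 1
        else:
            statements += 1
    return statements, comments


def find_empty_methods(source: str) -> list[tuple[str, int]]:
    """Return (method name, 1-based start line) for METHOD blocks with no body.

    Comment-only bodies are still reported as empty, since a comment is not
    executable code.
    """
    empties: list[tuple[str, int]] = []
    current: list | None = None  # [name, start_line, has_body]
    for lineno, line in enumerate(source.splitlines(), start=1):
        start = METHOD_START.match(line)
        if start:
            current = [start.group(1), lineno, False]
            continue
        if current is None:
            continue
        if METHOD_END.match(line):
            if not current[2]:
                empties.append((current[0], current[1]))
            current = None
        elif line.strip() and not LINE_COMMENT.match(line):
            current[2] = True
    return empties


def build_report(source: str, file_path: str) -> dict:
    """Build a SonarQube Generic Issue Import report for one file.

    The top-level shape ({"issues": [...]}) and the field names are the
    documented generic format; engineId/ruleId values are constructed here.
    """
    issues = []
    for name, line in find_empty_methods(source):
        issues.append({
            "engineId": "xsharp-toy-scanner",  # assumed engine name
            "ruleId": "xs-empty-method",       # assumed rule id
            "severity": "MINOR",
            "type": "CODE_SMELL",
            "primaryLocation": {
                "message": f"Method '{name}' has an empty body",
                "filePath": file_path,
                "textRange": {"startLine": line, "endLine": line},
            },
        })
    return {"issues": issues}


if __name__ == "__main__":
    # Write the report SonarQube would pick up via sonar.externalIssuesReportPaths.
    print(json.dumps(build_report(SAMPLE_SOURCE, "src/Customer.prg"), indent=2))
```

The generic import route only carries issues: it gives no token data, so SonarQube cannot derive syntax highlighting, line metrics or duplicate-code detection from it. That is exactly what the Kotlin plugin in the thread adds on top, so the JSON above is a useful first step for rule findings but not a replacement for the full integration.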