github / ossar-action

Run multiple open source security static analysis tools without the added complexity with OSSAR (Open Source Static Analysis Runner).
MIT License

Add MSCA RoslynAnalyzers for C# #29

Open marian-craciunescu opened 3 years ago

marian-craciunescu commented 3 years ago

Add support for https://secdevtools.azurewebsites.net/helpRoslynAnalyzers.html

davidknise commented 3 years ago

Hi @marian-craciunescu,

I wanted to let you know that we collaborated with the Roslyn team who implemented a fork of this solution to create a dotnet/code-analysis action: https://github.com/dotnet/code-analysis

For the github/ossar-action, it is backed by the Microsoft Security Code Analysis CLI which does have Roslyn Analyzers available today. This is what's being leveraged by dotnet's action.

To leverage Roslyn Analyzers within OSSAR today,

  1. Install the Microsoft.Security.CodeAnalysis.Cli from nuget.org on your machine
  2. From your repo, run guardian init
  3. From your repo, run guardian configure -t roslynanalyzers
  4. Go through the interactive prompts
  5. A configuration file will be saved at <your repo>/.gdn/e/roslynanalyzers.gdnconfig
  6. Run using guardian run -c roslynanalyzers, or the absolute path to that roslynanalyzers.gdnconfig file
  7. Check that file into your repository
  8. Update the github/ossar-action call in your workflow to specify config: roslynanalyzers, or the path to that file

We know this is a lot of overhead to get Roslyn to run today w/ OSSAR. Dotnet's solution runs the same code with a better UX from the workflow itself, although with the same parameters configured in a gdnconfig file. Either way, a configuration with these values will be checked into the repository, and it will still run through the MSCA CLI.

We are also working on a feature right now to run Roslyn Analyzers automatically, which would allow it to be added to the policy. Unlike other source and artifact based static analysis tools, the difficulty with Roslyn Analyzers is that they are compile-time and require rerunning the build with the injected analyzers. Due to the complexity, it will always be a best effort, but it may get added to the default GitHub policy in the near future.

Thanks, Dave
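Step 8 of the procedure above, written out as a complete workflow. This is an added example and not code from the issue or from the ossar-action project; the action and setup-dotnet version tags, the .NET version, the `sarifFile` output name and the `upload-sarif` step are assumptions taken from the usual ossar-action README pattern, and the build step is included because, as the comment notes, Roslyn Analyzers run at compile time and the configuration assumes a buildable repository.

```yaml
# Constructed example workflow: run OSSAR with the roslynanalyzers.gdnconfig
# produced by "guardian configure -t roslynanalyzers" (checked in under .gdn/e/).
name: OSSAR with Roslyn Analyzers

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  contents: read
  security-events: write   # needed to upload SARIF to code scanning

jobs:
  ossar:
    runs-on: windows-latest   # MSCA CLI tooling is Windows-hosted (assumption)
    steps:
      - uses: actions/checkout@v3

      # Roslyn Analyzers are compile-time, so the repo must build on the runner.
      - uses: actions/setup-dotnet@v3
        with:
          dotnet-version: '6.0.x'   # constructed value; match your project
      - run: dotnet restore
      - run: dotnet build --no-restore

      # Point the action at the checked-in configuration from step 7.
      # Either the short name "roslynanalyzers" (resolved under .gdn/e/)
      # or the explicit relative path works, per the comment above.
      - name: Run OSSAR
        id: ossar
        uses: github/ossar-action@v1
        with:
          config: .gdn/e/roslynanalyzers.gdnconfig

      # Surface analyzer findings as code scanning alerts on the PR.
      - name: Upload OSSAR results
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.ossar.outputs.sarifFile }}
```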

tsvss commented 2 years ago

Hi @davidknise ,

Correct me if I am wrong. As per your comment, my understanding is that the OSSAR action does support the Roslyn analysers, and can be configured as per the given steps to configure the same.

While trying to configure the Roslyn analysers, I am stuck at running the guardian init step. Can you please provide any link or reference that can help me run guardian commands? My web search has not been fruitful to proceed further. I will be grateful for any help you could provide.