Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add MSCA RoslynAnalyzers for C# #29

Open
marian-craciunescu opened this issue Mar 1, 2021 · 2 comments
Open

Add MSCA RoslynAnalyzers for C# #29

marian-craciunescu opened this issue Mar 1, 2021 · 2 comments

Comments

@marian-craciunescu
Copy link

Add support for https://secdevtools.azurewebsites.net/helpRoslynAnalyzers.html
@davidknise
Copy link
Contributor

Hi @marian-craciunescu,

I wanted to let you know that we collaborated with the Roslyn team who implemented a fork of this solution to create a dotnet/code-analysis action:
https://github.com/dotnet/code-analysis

For the github/ossar-action, it is backed by the Microsoft Security Code Analysis CLI which does have Roslyn Analyzers available today. This is what's being leveraged by dotnet's action.

To leverage Roslyn Analyzers within OSSAR today,

  1. Install the Microsoft.Security.CodeAnlaysis.Cli from nuget.org on your machine
  2. From your repo, run guardian init
  3. From your repo, run guardian configure -t roslynanalyzers
  4. Go through the interactive prompts
  5. A configuration file will be saved at <your repo>/.gdn/e/roslynanalyzers.gdnconfig
  6. Run using guardian run -c roslynanalyzers, or the the absolute path to that roslynanalyzers.gdnconfig file
  7. Check that file into your repository
  8. Update the github/ossar-action call in your workflow to specify config: roslynanalyzers, or the path to that file

We know this is a lot of overhead to get Roslyn to run today in w/ OSSAR. Dotnet's solution runs the same code with a better UX from a workflow itself, although with the same parameters configured in a gdnconfig file. Either way, a configuration with these values will be checked into the repository, and it will still run through the MSCA CLI.

We are also working on a feature right now to run Roslyn Analyzers automatically, which would allow it to be added to the policy. Unlike other source and artifact based static analysis tools, the difficulty of Roslyn Analyzers is that they are compile time and requiring rerunning the build with the injected analyzers. Due to the complexity, it will always be a best effort but may get added to the default GitHub policy in the near future.

Thanks,
Dave

@tsvss
Copy link

tsvss commented Jun 14, 2022

Hi @davidknise ,

Correct me if I am wrong. As per your comment, my understanding is that the OSSAR action does support the Roslyn analysers, and can be configured as per the given steps to configure the same.

While trying to configure the Roslyn analysers, I am stuck at running the guardian init step. Can you please provide any link or reference that can help me run guardian commands? My web search has not been fruitful to proceed further. I will be grateful for any help you could provide.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@marian-craciunescu @davidknise @tsvss and others