Security Scan for X#

This forum is meant for questions about the Visual FoxPro Language support in X#.

markus.lopin
Posts: 2
Joined: Thu May 09, 2019 11:13 am

Security Scan for X#

Post by markus.lopin »

Hi,

We are considering X# for replacing some of our VFP components. We have the requirement for security scan support (e.g. like SonarQube) if we introduce a new programming language. Is there any known tool or SonarQube plug-in which can support this search for bugs, vulnerabilities and code smells for X#, or maybe on the MSIL/CIL level?

Thank you
Markus
robert
Posts: 4518
Joined: Fri Aug 21, 2015 10:57 am
Location: Netherlands

Security Scan for X#

Post by robert »

Markus,
I am not familiar with SonarQube, but if this product can scan IL code, such as produced by C# and VB, then it should have no problem with assemblies produced by X#. We are using the same underlying components as C# and VB to produce our binaries.
If SonarQube scans source code then it most likely does not support X#.

Robert
XSharp Development Team
The Netherlands
robert@xsharp.eu
markus.lopin
Posts: 2
Joined: Thu May 09, 2019 11:13 am

Security Scan for X#

Post by markus.lopin »

Robert,
Thank you for your fast response. SonarQube has dedicated VB/C# plug-ins and I have not found any IL scanner. I was curious if someone in the forum would know a tool for IL security scanning or would have the same request.
Markus
VR
Posts: 102
Joined: Sun Aug 23, 2020 3:07 pm
Location: Italy

Security Scan for X#

Post by VR »

Hello,

we use SonarQube for some of our C# projects. I tried whether the dotnet scanner of SonarQube picks up X# code, but sadly that is not the case.

It is possible to create plugins for SonarQube to add new languages. I created a proof of concept that scans X# code and counts statements and comments, but it's quite complicated. IMO, one possible way to implement the integration is to use the XSharpParser or XSharpCompiler to create a file with the parsed source file and a plugin that imports this data into SonarQube.

Volkmar
Otto
Posts: 174
Joined: Wed Sep 30, 2015 6:22 pm

Security Scan for X#

Post by Otto »

Sonarqube sounds interesting!
jjw
Posts: 5
Joined: Fri Dec 02, 2022 2:22 pm
Location: Ireland

Security Scan for X#

Post by jjw »

Hello,

Volkmar, how far did you get with the SonarQube plugin proof of concept?
I would be interested even in just being able to count statements and comments.

I would be interested in how complicated it would be to extend and improve the plugin too.

Joshua
VR
Posts: 102
Joined: Sun Aug 23, 2020 3:07 pm
Location: Italy

Security Scan for X#

Post by VR »

Hello Joshua,

yes, we made some progress. With the help of a summer intern, we managed to create a basic integration of X# into SonarQube. We did the following.

* A scanner (written in C#) uses the XSharp.VsParser.Helpers NuGet package to parse the X# files into ASTs
* The ASTs are used to export the tokens as a JSON file
* Additionally, the ASTs are used to evaluate some simple "rules" (like empty method, if can be simplified, ...), which are also saved as JSON
* A SonarQube plugin (written in Kotlin) is used to import the data stored in the JSON files into SonarQube

The whole process is very tailored to our use case, but it gives some benefits like statistics, syntax highlighting and duplicate code analysis. And the issues that the scanner detects are also shown...

Volkmar
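As an added illustration of the scanner-plus-JSON pipeline described in the post above (example code written for this page, not the XSharp project's or the poster's own): a small Python stand-in for the C# scanner. Instead of the XSharp.VsParser.Helpers parser it uses a deliberately simple line-based tokeniser, counts code and comment lines, evaluates the two rules named in the post (empty method, IF that can be simplified), and emits the result in the shape of SonarQube's Generic Issue Import Format, which the dotnet scanner reads through the `sonar.externalIssuesReportPaths` property without any language plugin. The sample source, the `engineId` and the rule ids are constructed for the demo; treating only `//` and `&&` as comment markers, with no string awareness, is a simplification of real X# lexing.

```python
"""Line-based X# rule scanner that writes SonarQube generic-issue JSON.

Constructed demo: NOT the XSharp.VsParser-based scanner from the forum post.
Only the issue part of that pipeline is covered here; tokens for syntax
highlighting and duplication data still need a real language plugin.
"""
import json
import re

# Member headers that open a method body, and the lines that close one.
MEMBER_START = re.compile(
    r"^(?:(?:PUBLIC|PRIVATE|PROTECTED|INTERNAL|STATIC|VIRTUAL|OVERRIDE)\s+)*"
    r"(METHOD|FUNCTION|PROCEDURE|CONSTRUCTOR|DESTRUCTOR)\b", re.I)
MEMBER_END = re.compile(
    r"^END\s+(METHOD|FUNCTION|PROCEDURE|CONSTRUCTOR|DESTRUCTOR|CLASS)\b", re.I)

ENGINE_ID = "xsharp-demo-scanner"  # made-up id shown in the SonarQube UI


def strip_comment(raw):
    """Drop a trailing // or && comment and collapse whitespace (no string awareness)."""
    code = raw
    for marker in ("//", "&&"):
        idx = code.find(marker)
        if idx >= 0:
            code = code[:idx]
    return " ".join(code.split())


def count_lines(source):
    """Metrics in SonarQube's terms: ncloc = lines that carry code."""
    stats = {"ncloc": 0, "comment_lines": 0, "blank_lines": 0}
    for raw in source.splitlines():
        if not raw.strip():
            stats["blank_lines"] += 1
            continue
        if "//" in raw or "&&" in raw:
            stats["comment_lines"] += 1
        if strip_comment(raw):
            stats["ncloc"] += 1
    return stats


def issue(rule_id, message, path, line):
    """One entry in the Generic Issue Import Format (sonar.externalIssuesReportPaths)."""
    return {
        "engineId": ENGINE_ID,
        "ruleId": rule_id,
        "severity": "MINOR",
        "type": "CODE_SMELL",
        "primaryLocation": {
            "message": message,
            "filePath": path,
            "textRange": {"startLine": line},
        },
    }


def scan(path, source):
    """Evaluate the two demo rules over one file and return the import document."""
    code = [(n, c) for n, c in
            ((n, strip_comment(raw)) for n, raw in enumerate(source.splitlines(), 1)) if c]
    issues = []

    # Rule 1: a member whose body is nothing but bare RETURNs (or empty).
    i = 0
    while i < len(code):
        lineno, text = code[i]
        m = MEMBER_START.match(text)
        if not m:
            i += 1
            continue
        j = i + 1
        while j < len(code) and not (MEMBER_START.match(code[j][1]) or MEMBER_END.match(code[j][1])):
            j += 1
        body = [c for _, c in code[i + 1:j]]
        if all(b.upper() == "RETURN" for b in body):
            rest = text[m.end():].split()
            name = rest[0] if rest else "<anonymous>"
            issues.append(issue("empty-method",
                                f"{m.group(1).upper()} {name} has no statements", path, lineno))
        i = j

    # Rule 2: IF c / RETURN TRUE / ELSE / RETURN FALSE / ENDIF -> RETURN c (or its negation).
    for k in range(len(code) - 4):
        w = [c.upper() for _, c in code[k:k + 5]]
        if (w[0].startswith("IF ") and w[2] == "ELSE" and w[4] in ("ENDIF", "END IF")
                and {w[1], w[3]} == {"RETURN TRUE", "RETURN FALSE"}):
            issues.append(issue("if-can-be-simplified",
                                "IF/ELSE that only returns TRUE or FALSE can be a single RETURN of the condition",
                                path, code[k][0]))
    return {"issues": issues}


# Constructed sample input; line numbers matter for the reported locations.
SAMPLE = """\
// constructed sample, not real project code
CLASS Account
    PROTECT nBalance AS DECIMAL

    METHOD Audit() AS VOID
        // TODO
        RETURN

    METHOD IsInCredit() AS LOGIC
        IF SELF:nBalance > 0
            RETURN TRUE
        ELSE
            RETURN FALSE
        ENDIF

    METHOD Deposit(nAmount AS DECIMAL) AS VOID
        SELF:nBalance += nAmount   && only statement
        RETURN
END CLASS
"""

if __name__ == "__main__":
    print(json.dumps(count_lines(SAMPLE)))
    # Write this to e.g. xsharp-issues.json and point sonar.externalIssuesReportPaths at it.
    print(json.dumps(scan("Account.prg", SAMPLE), indent=2))
```

Running it reports `Audit` at line 5 as empty and the IF at line 10 as simplifiable. Note the trade-off this makes visible: generic issue import gets findings into SonarQube quickly, but metrics, highlighting and duplicate detection are not part of that format, which is the gap the Kotlin plugin in the post fills.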
swasinger
Posts: 3
Joined: Tue Oct 17, 2023 8:19 am
Location: Austria

Re: Security Scan for X#

Post by swasinger »

Hello,

As I understand it, in the compilation process the (for example) VFP code gets translated into a modified C# syntax; shouldn't it be possible to scan this resulting code with existing static code analysis tools such as SonarQube?

Is it possible to retrieve the translated file (I guess it would be necessary for debugging the code generation/compiler anyway somehow) in the process?

Br,
Stefan
robert
Posts: 4518
Joined: Fri Aug 21, 2015 10:57 am
Location: Netherlands

Re: Security Scan for X#

Post by robert »

Stefan,

The X# code is not really translated into C# code.
What happens is this:
- The X# compiler translates the source code into what's known as a parse tree. The C# compiler does something similar.
- Our compiler creates an X# parse tree and converts that to a C# parse tree, and then uses the C# backend to convert that into code.
- That backend has been slightly modified because there are some differences between things that are allowed in X# compared to C#. For example our language is case insensitive by default.

Robert
XSharp Development Team
The Netherlands
robert@xsharp.eu
swasinger
Posts: 3
Joined: Tue Oct 17, 2023 8:19 am
Location: Austria

Re: Security Scan for X#

Post by swasinger »

Hi Robert,

thank you for the clarification. So we will have to find a different way to get the source code scanned and verified.
We may have to find a similar solution as Volkmar did.

Thank you.

Br,
Stefan