Hi,
We are considering X# for replacing some of our VFP components. We have the requirement for security scan support (e.g. like SonarQube) if we introduce a new programming language. Is there any known tool or SonarQube plug-in which can support this search for bugs, vulnerabilities and code smells for X#, or maybe on MSIL/CIL level?
Thank you
Markus
Security Scan for X#
Markus,
I am not familiar with SonarQube, but if this product can scan IL code, such as produced by C# and VB, then it should have no problem with assemblies produced by X#. We are using the same underlying components as C# and VB to produce our binaries.
If SonarQube scans source code then it most likely does not support X#.
Robert
XSharp Development Team
The Netherlands
robert@xsharp.eu
Security Scan for X#
Robert,
Thank you for your fast response. SonarQube has dedicated VB/C# plug-ins and I have not found any IL scanner. I was curious if someone in the forum would know a tool for IL security scanning or would have the same request.
Markus
Security Scan for X#
Hello,
We use SonarQube for some of our C# projects. I tried whether the dotnet scanner of SonarQube picks up X# code, but sadly that is not the case.
It is possible to create plugins for SonarQube to add new languages. I created a proof of concept that scans X# code and counts statements and comments, but it's quite complicated. IMO, one possible way to implement the integration is to use the XSharpParser or XSharpCompiler to create a file with the parsed source file and a plugin that imports this data into SonarQube.
Volkmar
Security Scan for X#
Sonarqube sounds interesting!
Security Scan for X#
Hello,
Volkmar, how far did you get with the SonarQube plugin proof of concept?
I would be interested even in just being able to count statements and comments.
I would be interested in how complicated it would be to extend and improve the plugin too.
Joshua
Security Scan for X#
Hello Joshua,
Yes, we made some progress. With the help of a summer intern, we managed to create a basic integration of X# into SonarQube. We did the following.
* A scanner (written in C#) uses the XSharp.VsParser.Helpers NuGet package to parse the X# files into ASTs
* The ASTs are used to export the tokens as a JSON file
* Additionally, the ASTs are used to evaluate some simple "rules" (like empty method, if can be simplified, ...), which are also saved as JSON
* A SonarQube plugin (written in Kotlin) is used to import the data stored in the JSON files into SonarQube
The whole process is very tailored to our use case, but it gives some benefits like statistics, syntax highlighting and duplicate code analysis. And the issues that the scanner detects are also shown...
Volkmar
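The rule-evaluation and JSON-export half of the pipeline Volkmar describes above, as an added example that is not code from this thread or from the X# project: instead of the XSharp.VsParser.Helpers AST it uses a deliberately simplified line-based heuristic for the "empty method" rule, and instead of a custom Kotlin plugin it writes the hits in SonarQube's Generic Issue Import JSON (read via the sonar.externalIssuesReportPaths property), which covers issue import but not the token export for highlighting or duplicate detection. The X# sample, the file path and the engine/rule ids are constructed.

```python
import re
# Constructed X# sample (not from the thread): "Save" is empty, "Load" holds only a comment.
SAMPLE_XS = """\
CLASS Customer
    METHOD Save() AS VOID
    END METHOD
    METHOD Load() AS VOID
        // TODO: implement later
    END METHOD
    METHOD FullName() AS STRING
        RETURN "x"
    END METHOD
END CLASS
"""

# Line-based stand-in for the AST rule; X# line comments start with //, && or a leading *.
METHOD_RE = re.compile(r"^\s*METHOD\s+(\w+)", re.IGNORECASE)
END_METHOD_RE = re.compile(r"^\s*END\s+METHOD", re.IGNORECASE)
TERMINATOR_RE = re.compile(r"^\s*(END\s+METHOD|END\s+CLASS|METHOD\s)", re.IGNORECASE)
COMMENT_RE = re.compile(r"^\s*(//|&&|\*)")

def find_empty_methods(source):
    """Return [(name, start_line, end_line)], 1-based, for methods whose body is blank or comments."""
    lines = source.splitlines()
    found, i = [], 0
    while i < len(lines):
        header = METHOD_RE.match(lines[i])
        if not header:
            i += 1
            continue
        j, body_empty = i + 1, True
        while j < len(lines) and not TERMINATOR_RE.match(lines[j]):
            if lines[j].strip() and not COMMENT_RE.match(lines[j]):
                body_empty = False
            j += 1
        if body_empty:
            # Range ends on END METHOD when present, otherwise on the last body line.
            end = j + 1 if j < len(lines) and END_METHOD_RE.match(lines[j]) else j
            found.append((header.group(1), i + 1, end))
        i = j
    return found

def scan_text(source, file_path):
    # Wrap each hit in SonarQube's Generic Issue Import JSON (sonar.externalIssuesReportPaths).
    issues = [{
        "engineId": "xsharp-scanner", "ruleId": "empty-method",  # constructed ids
        "severity": "MINOR", "type": "CODE_SMELL",
        "primaryLocation": {"message": f"Method '{name}' has an empty body", "filePath": file_path,
                            "textRange": {"startLine": start, "endLine": end}},
    } for name, start, end in find_empty_methods(source)]
    return {"issues": issues}
```

Dump the returned dict with json.dumps to a file and point sonar.externalIssuesReportPaths at it; the scanner then shows the hits on the given lines without any plugin code.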
Re: Security Scan for X#
Hello,
As I understand it, in the compilation process the (for example) VFP code will get translated into a modified C# syntax, so shouldn't it be possible to scan this resulting code with existing static code analysis tools such as SonarQube?
Is it possible to retrieve the translated file (I guess it would be necessary for debugging the code generation/compiler anyway somehow) in the process?
Br,
Stefan
Re: Security Scan for X#
Stefan,
The X# code is not really translated into C# code.
What happens is this:
- The X# compiler translates the source code into what's known as a parse tree. The C# compiler does something similar.
- Our compiler creates an X# parse tree and converts that to a C# parse tree, and then uses the C# backend to convert that into code.
- That backend has been slightly modified because there are some differences between things that are allowed in X# compared to C#. For example our language is case insensitive by default.
Robert
XSharp Development Team
The Netherlands
robert@xsharp.eu
Re: Security Scan for X#
Hi Robert,
Thank you for the clarification. So we will have to find a different way to get the source code scanned and verified.
We may have to find a similar solution as Volkmar did.
Thank you.
Br,
Stefan