xsharp.eu

Hi,

We are considering X# for replacing some of our VFP components. We have the requirement for security scan support (e.g. like SonarCube), if we introduce a new programming language. Is there any known tool or SonarCube plug-in which can support this search for bugs, vulnerabilities and code smells for X# or maybe on MSIL/CIL level?

Thank you
Markus

Markus,
I am not familiar with SonarCube, but if this product can scan IL code, such as produced by C# and VB, then it should have no problem with assemblies produced by X#. We are using the same underlying components as C# and VB to produce our binaries.
If SonarCube scans source code then it most likely does not support X#.

Robert

Robert,
Thank you for your fast response. SonarCube has dedicated VB/C# plug-ins and I have not found any IL scanner. I was curious if someone in the forum would know a tool for IL security scanning or would have the same request.
Markus

Hello,

we use SonarQube for some of our c# projects. I tried, if the dotnet scanner of SonarQube picks up X# code, but sadly that is not the case.

It is possible to create plugins for SonarQube to add new languages. I created a proof of concept, that scans x# code and counts statements and comments, but it's quite complicate. IMO, one possible way to implement the integration is to use the XSharpParser or XSharpCompiler to create a file with the parsed sourcefile and a plugin that imports this data into SonarQube.

Volkmar

Sonarqube sounds interesting!

Hello,

Volkmar, how far did you get with the SonarQube plugin proof of concept?
I would be interested even in just being able to count statements and comments.

I would be interested in how complicated it would be to extend and improve the plugin too.

Joshua

Hello Joshua,

yes, we made some progress. With the help of a summer intern, we managed to create a basic integration of x# to sonarqube. We did the following.

* A scanner (written in c#) uses the XSharp.VsParser.Helpers Nuget to parse the x# files into ASTs
* The ASTs are used to export the Tokens as a JSON file
* Additionally, the ASTs are used to evaluate some simple "rules" (like empty method, if can be simplified, ...), which are also saved as JSON
* A SonarQube Plugin (written in kotlin) is used to import the data stored in the JSON files into SonarQube

The whole process is very tailored to our use case, but we it gives some benefits like statistics, syntax highlighting and duplicate code analysis. And the issues, that the scanner detects, are also shown...

Volkmar

Hello,

as I understand, in the compilation process the (for example) VFP code will get translated into a modified C# syntax, shouldn't it be possible to scan this resulting code with existing static code analysis tools such as SonarQube?

Is it possible to retrieve the translated file (I guess it would be necessary for debugging the code generation/compiler anyway somehow) in the process?

Br,
Stefan

Stefan,

The X# code is not really translated into C# code.
What happens is this:
- The X# compiler translates the source code into what's known as a parse tree. The C# compiler does something similar.
- Our compiler creates an X# parse tree and converts that to a C# parse tree, and then uses the C# backend to convert that into code.
- That backend has been slightly modified because there are some differences between things that are allowed in X# compared to C#. For example our language is case insensitive by default.

Robert

Hi Robert,

thank you for the clarifaction. So we will have to find a different way to get the source code scanned and verified.
We may have to find a similar solution as Volkmar did.

Thank you.

Br,
Stefan