TOPIC:

Hi,

We are considering X# for replacing some of our VFP components. We have the requirement for security scan support (e.g. like SonarCube), if we introduce a new programming language. Is there any known tool or SonarCube plug-in which can support this search for bugs, vulnerabilities and code smells for X# or maybe on MSIL/CIL level?

Thank you
Markus

Markus,
I am not familiar with SonarCube, but if this product can scan IL code, such as produced by C# and VB, then it should have no problem with assemblies produced by X#. We are using the same underlying components as C# and VB to produce our binaries.
If SonarCube scans source code then it most likely does not support X#.

Robert

Robert,
Thank you for your fast response. SonarCube has dedicated VB/C# plug-ins and I have not found any IL scanner. I was curious if someone in the forum would know a tool for IL security scanning or would have the same request.
Markus

Hello,

we use SonarQube for some of our c# projects. I tried, if the dotnet scanner of SonarQube picks up X# code, but sadly that is not the case.

It is possible to create plugins for SonarQube to add new languages. I created a proof of concept, that scans x# code and counts statements and comments, but it's quite complicate. IMO, one possible way to implement the integration is to use the XSharpParser or XSharpCompiler to create a file with the parsed sourcefile and a plugin that imports this data into SonarQube.

Volkmar

Sonarqube sounds interesting!

Hello,

Volkmar, how far did you get with the SonarQube plugin proof of concept?
I would be interested even in just being able to count statements and comments.

I would be interested in how complicated it would be to extend and improve the plugin too.

Joshua

Hello Joshua,

yes, we made some progress. With the help of a summer intern, we managed to create a basic integration of x# to sonarqube. We did the following.

* A scanner (written in c#) uses the XSharp.VsParser.Helpers Nuget to parse the x# files into ASTs
* The ASTs are used to export the Tokens as a JSON file
* Additionally, the ASTs are used to evaluate some simple "rules" (like empty method, if can be simplified, ...), which are also saved as JSON
* A SonarQube Plugin (written in kotlin) is used to import the data stored in the JSON files into SonarQube

The whole process is very tailored to our use case, but we it gives some benefits like statistics, syntax highlighting and duplicate code analysis. And the issues, that the scanner detects, are also shown...

Volkmar