Move SecurityCodeScan from IDE integration to CI run as for RDMP (#1833)

* Move SecurityCodeScan from IDE integration to CI run as for RDMP
SMI · May 28, 2024 · 1189483 · 1189483
1 parent f64c749
commit 1189483
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 10 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -29,14 +29,32 @@ jobs:
         uses: github/codeql-action/init@v3
         with:
           languages: ${{ matrix.language }}
-      - name: Autobuild
-        if: ${{ matrix.language != 'java' }}
+      - name: Build Python
+        if: ${{ matrix.language == 'python' }}
         uses: github/codeql-action/autobuild@v3
+      - name: Build .Net
+        if: ${{ matrix.language == 'csharp' }}
+        run: dotnet build -c Release
       - name: Build java
         if: ${{ matrix.language == 'java' }}
         # NOTE(rkm 2023-03-21) Ensure test code is detected but don't actually run anything
         run: ./bin/ctp/test.py --install-libs -DskipTests
+      - name: SecurityCodescan
+        if: ${{ matrix.language == 'csharp' }}
+        run: |
+          dotnet tool install --global security-scan
+          mkdir -p sarif-results
+          security-scan SmiServices.sln -n -x sarif-results/scs.sarif
+          sed -i 's/"language": ""/"language": "en-US"/' sarif-results/scs.sarif
+
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v3
         with:
           category: "/language:${{matrix.language}}"
+          upload: False
+          output: sarif-results
+
+      - name: Upload SARIF
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: sarif-results
diff --git a/Directory.Packages.props b/Directory.Packages.props
@@ -21,7 +21,6 @@
     <PackageVersion Include="NLog" Version="5.3.2" />
     <PackageVersion Include="Newtonsoft.Json" Version="13.0.3" />
     <PackageVersion Include="RabbitMQ.Client" Version="6.8.1" />
-    <PackageVersion Include="SecurityCodeScan.VS2019" Version="5.6.7" />
     <PackageVersion Include="Spectre.Console" Version="0.49.1" />
     <PackageVersion Include="System.IO.Abstractions" Version="21.0.2" />
     <PackageVersion Include="StackExchange.Redis" Version="2.7.33" />

diff --git a/PACKAGES.md b/PACKAGES.md
@@ -22,7 +22,6 @@
 | NLog                                    | [GitHub](https://github.com/NLog/NLog)                                     | [BSD 3-Clause](https://github.com/NLog/NLog/blob/dev/LICENSE.txt)                                   | Flexible user configurable logging                                                          |
 | Newtonsoft.Json                         | [GitHub](https://github.com/JamesNK/Newtonsoft.Json)                       | [MIT](https://opensource.org/licenses/MIT)                                                          | Serialization of objects for sharing/transmission                                           |
 | RabbitMQ.Client                         | [GitHub](https://github.com/rabbitmq/rabbitmq-dotnet-client)               | [Apache License v2 / MPL 1.1](https://github.com/rabbitmq/rabbitmq-dotnet-client/blob/main/LICENSE) | Handles messaging between microservices                                                     |
-| SecurityCodeScan.VS2019                 | [GitHub](https://security-code-scan.github.io/)                            | [LGPL 3.0](https://opensource.org/licenses/lgpl-3.0.html)                                           | Scans code for security issues during build                                                 |
 | StackExchange.Redis                     | [GitHub](https://github.com/StackExchange/StackExchange.Redis)             | [MIT](https://opensource.org/licenses/MIT)                                                          | Required for RedisSwapper                                                                   |
 | Stanford.NLP.CoreNLP                    | [GitHub Pages](https://sergey-tihon.github.io/Stanford.NLP.NET/)           | [GNU v2](https://github.com/sergey-tihon/Stanford.NLP.NET/blob/master/LICENSE.txt)                  | Name / Organisation detection in text                                                       |
 | System.Drawing.Common                   | [GitHub](https://github.com/dotnet/corefx)                                 | [MIT](https://opensource.org/licenses/MIT)                                                          | Supports reading pixel data                                                                 |

diff --git a/news/1833-feature.md b/news/1833-feature.md
@@ -0,0 +1 @@
+Move SecurityCodeScan.VS2019 analysis to run as part of CodeQL CI checks not in IDE
diff --git a/src/Directory.Build.props b/src/Directory.Build.props
@@ -4,10 +4,4 @@
   <ItemGroup>
     <Compile Include="$(MSBuildThisFileDirectory)\SharedAssemblyInfo.cs" Link="Properties\SharedAssemblyInfo.cs"/>
   </ItemGroup>
-  <ItemGroup>
-    <PackageReference Include="SecurityCodeScan.VS2019">
-      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
-      <PrivateAssets>all</PrivateAssets>
-    </PackageReference>
-  </ItemGroup>
 </Project>
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Move SecurityCodeScan.VS2019 analysis to run as part of CodeQL CI checks not in IDE