Add support for specifying project file in SAST dotnet security-code-scan

Problem to solve

Our security-code-scan analyzer for dotnet currently searches and uses the first project file it locates. This does not work for users with multiple csproj or vbproj files within a single gitlab project.

Target audience

Sasha, Software Developer, https://design.gitlab.com/research/personas#persona-sasha
Sam, Security Analyst, https://design.gitlab.com/research/personas#persona-sam

Further details

Relevant code: https://gitlab.com/gitlab-org/security-products/analyzers/security-code-scan/blob/11-4-stable/analyze.go#L68

Proposal

A) Add a flag/ENV to explicitly pass the project name to the analyzer.
B) Update analyzer to locate solution (*.sln), supporting multi-project gitlab projects.

(A) should be a quick change but I'm unsure about the feasibility of (B) with our current tooling.

Documentation

What does success look like, and how can we measure that?

Allow dotnet security scans to run against specified project file instead of first-found.

What is the type of buyer?

GitLab Ultimate

Links / references

Edited Feb 26, 2019 by Lucas Charles