Build fails for Security Code Scan for .NET projects with C++
Summary
Builds during the Security Code Scan job fail with errors like the following:
/builds/path/to/project.vcxproj(56,3): error MSB4019: The imported project "/Microsoft.Cpp.Default.props" was not found. Confirm that the expression in the Import declaration "/Microsoft.Cpp.Default.props" is correct, and that the file exists on disk.The line refers to an imported project $(VCTargetsPath)\Microsoft.Cpp.Default.props. $VCTargetsPath should be valid and the default for vs2019 projects.
Since we're not able to use a pre-compilation strategy or skip builds, the SAST scan is unable to proceed on certain projects.
We've tried:
- Updating the analyzer tag from v2 to v3 which includes analyzer
v5.2.1which has vs2019 support. - Upgrading the dotnet-sdk-* packages in the
before_script - Tried to search for Microsoft.Cpp.Default.props in the before_script
- Excluding the referenced path using
SAST_EXCLUDED_PATHS
Additional Notes:
-
Microsoft.Cpp.Default.propsdoesn't actually exist within the context of the SAST job. However, it does exist in the local development environment. - It fails using a bare bones template:
include:
template: SAST.gitlab-ci.yml- Visual Studio version is 2019
- Project is primarily C# and C++
- Related issues #336156 (closed) and #338168 (closed)
Steps to reproduce
Not able to reproduce from a fresh project, see example project.
Example Project
Example project can be found in ZD Ticket (Internal):
What is the current bug behavior?
The Security Code Scan job fails on .NET projects with msbuild and fails to find Microsoft.Cpp.Default.props
What is the expected behavior?
The Security Code Scan job should be able to build and scan supported .NET projects.
Relevant logs and/or screenshots
See example project and ticket
Output of checks
This happens on GitLab.com 14.4.0-pre 09514d4e