SAST for .NET uses obsolete SecurityCodeScan package
SAST for .NET currently uses the SecurityCodeScan package: https://gitlab.com/gitlab-org/security-products/analyzers/security-code-scan/-/blob/v3.4.2/analyze.go#L24
In NuGet, that package is marked deprecated: https://www.nuget.org/packages/SecurityCodeScan/

> This package has been deprecated as it is legacy and is no longer maintained.
>
> Suggested Alternatives: SecurityCodeScan.VS2019
>
> Additional Details: Please use SecurityCodeScan.VS2019 NuGet instead
It produces this build warning:

```
warning SCS9999: This package is legacy and is no longer maintained.
```
Unfortunately, this is causing pipeline failures for my org due to a couple of non-standard things we're doing in our csproj files:

- We use the `<TreatWarningsAsErrors>true</TreatWarningsAsErrors>` csproj setting to strictly enforce code analysis rules, which converts the above warning into an error.
- We have a custom build target that calls `dotnet run` for another project in the solution, which triggers a build for that project after SAST has already added SecurityCodeScan to it, which fails like this:
```
$ /analyzer run
[INFO] [security-code-scan] [2022-06-08T21:53:19Z] ▶ GitLab security-code-scan analyzer v3.4.2
[INFO] [security-code-scan] [2022-06-08T21:53:19Z] ▶ Detecting project
[INFO] [security-code-scan] [2022-06-08T21:53:19Z] ▶ Found relevant files in project, analyzing entire repository
[INFO] [security-code-scan] [2022-06-08T21:53:19Z] ▶ Running analyzer
[INFO] [security-code-scan] [2022-06-08T21:53:19Z] ▶ Found solution /builds/Example.sln
[ERRO] [security-code-scan] [2022-06-08T21:53:45Z] ▶ dotnet add error:
CSC : error SCS9999: This package is legacy and is no longer maintained. [/builds/OtherProject.csproj] [/builds/Example.csproj]
The build failed. Fix the build errors and run again.
/builds/Example.csproj(49,9): error MSB3073: The command "dotnet run --project /builds/OtherProject.csproj" exited with code 1.
Unable to create dependency graph file for project '/builds/Example.csproj'. Cannot add package reference.
```
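As an added illustration (not part of this issue or of the analyzer), a csproj fragment showing the two settings described above, with the standard MSBuild `WarningsNotAsErrors` property used to keep warnings-as-errors for real analyzer findings while exempting only the SCS9999 deprecation notice; the target framework, target name and project path are assumed placeholders.

```xml
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <!-- Assumed target framework; any supported TFM works the same way. -->
    <TargetFramework>net6.0</TargetFramework>

    <!-- As in the issue: every compiler warning, including SCS9999 emitted by the
         deprecated SecurityCodeScan package that the SAST job injects, becomes an error. -->
    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>

    <!-- Workaround, not a fix for the analyzer: real SecurityCodeScan findings
         (SCS0001 and friends) still fail the build, but the package's own
         "legacy" notice stays a warning so the pipeline no longer breaks on it. -->
    <WarningsNotAsErrors>SCS9999</WarningsNotAsErrors>
  </PropertyGroup>

  <!-- Custom target like the one in the issue: after this project builds, it runs
       another project, which builds that project too and so also hits the injected
       analyzer. The exemption above does not reach that second project unless it
       is defined there as well (or in a shared Directory.Build.props). -->
  <Target Name="RunOtherProject" AfterTargets="Build">
    <Exec Command="dotnet run --project ../OtherProject/OtherProject.csproj" />
  </Target>

</Project>
```

Placing the `WarningsNotAsErrors` property in a `Directory.Build.props` at the solution root applies it to every project the SAST job touches, including the one started by `dotnet run`.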
Edited by Seiji Suenaga