Initial SAST Support for .NET Framework
Description
The first implementation of SAST for .NET is based on Security Code Scan and the microsoft/dotnet Docker image. The Docker image runs on Linux systems and integrates with SAST, but it suffers from a major limitation: it only contains .NET Core. Most projects need the .NET Framework in order to compile.
There's a Docker image that contains the .NET Framework but it requires a Windows system: https://hub.docker.com/r/microsoft/dotnet-framework
Proposal
Assuming that customers already have GitLab Runners deployed on Windows servers, and that they've configured a CI job that builds the .NET project, make it possible to run SAST for .NET from within that build job. This involves:
- Build a Windows-compatible binary the users can install and run on their CI servers.
- Write some documentation on how to install and execute the binary in order to generate SAST artifacts.
- Determine if there are multiple `.csproj` files in the repo and support both the single-project and multi-project cases.
Ideally we'd provide a NuGet package that depends on SecurityCodeScan and generates the artifact automatically when building the .NET project.
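The third proposal step, deciding what to do when a repository holds zero, one or several project files, is the kind of logic the Windows binary would need. The following Go program is an added example written for this issue, not code from the SAST analyzer or from Security Code Scan. It assumes that build output directories (`bin/`, `obj/`) and `packages/` should be skipped so a stale copy of a project file is not scanned twice, and it builds a constructed sample repository layout in a temporary directory to demonstrate the single-versus-multiple handling.

```go
package main

import (
	"fmt"
	"io/ioutil"
	"os"
	"path/filepath"
	"strings"
)

// Directories whose contents are never scanned (assumption for this example):
// build output often holds stale copies of the project file, and packages/
// holds third-party sources that are not the customer's own code.
var skipDirs = map[string]bool{"bin": true, "obj": true, "packages": true, ".git": true}

// FindProjects walks root and returns the repo-relative path of every
// *.csproj it finds, in lexical order, with forward slashes so the result
// is the same whether the runner is Windows or Linux.
func FindProjects(root string) ([]string, error) {
	var projects []string
	err := filepath.Walk(root, func(path string, info os.FileInfo, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if info.IsDir() {
			if path != root && skipDirs[strings.ToLower(info.Name())] {
				return filepath.SkipDir
			}
			return nil
		}
		if strings.EqualFold(filepath.Ext(info.Name()), ".csproj") {
			rel, err := filepath.Rel(root, path)
			if err != nil {
				return err
			}
			projects = append(projects, filepath.ToSlash(rel))
		}
		return nil
	})
	return projects, err
}

// MakeSampleRepo writes a constructed repository layout (not a real project)
// under dir: two real projects plus a stale copy under bin/ that must be skipped.
func MakeSampleRepo(dir string) error {
	files := []string{
		"Src/App/App.csproj",
		"Src/App/bin/App.csproj",
		"Src/Lib/Lib.csproj",
		"README.md",
	}
	for _, f := range files {
		p := filepath.Join(dir, filepath.FromSlash(f))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		if err := ioutil.WriteFile(p, []byte("<Project />\n"), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	dir, err := ioutil.TempDir("", "sast-dotnet-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := MakeSampleRepo(dir); err != nil {
		panic(err)
	}
	projects, err := FindProjects(dir)
	if err != nil {
		panic(err)
	}
	// The three cases the proposal has to handle.
	switch len(projects) {
	case 0:
		fmt.Println("no .csproj found; nothing to scan, fail the job")
	case 1:
		fmt.Println("single project:", projects[0])
	default:
		fmt.Println("multiple projects, scanning each:")
		for _, p := range projects {
			fmt.Println("  ", p)
		}
	}
}
```

Running it prints the two real projects and omits the copy under `bin/`; an empty result is treated as a job failure rather than a silent "no findings" report, since an analyzer that scanned nothing should not look like a clean scan.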
Tasks
- Determine golang support for older Windows Server versions so we can clearly communicate which versions of Windows Server are supported. See #205908 (comment 322707008) for more info.
- https://gitlab.com/gitlab-org/security-products/tests/webgoat.net/pipelines/132790703/security shows that running on Windows may result in paths in the findings being duplicated, e.g. `File: C:\Users\dsearles\builds\jEPGiVGF\0\gitlab-org\security-products\tests\webgoat.net\WebGoat\ C:\Users\dsearles\builds\jEPGiVGF\0\gitlab-org\security-products\tests\webgoat.net\WebGoat\App_Code\CookieManager.cs:18`.
- Document how to use SAST for .NET Framework on the shared Windows runners.
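The duplicated-path finding from the pipeline linked above is a parsing problem on the report side: the `File:` value carries the checkout directory twice, separated by a space, and the report needs a single path relative to the project root with a line number. The Go function below is an added example for this issue, not code from the analyzer, showing one defensive way to normalise that value. It assumes that a real path inside the build tree contains no whitespace, so the last whitespace-separated token is the file reference, and it uses the raw value and build root from the linked pipeline as its sample input.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// ParseFindingFile takes the raw "File:" value from a finding and returns a
// forward-slash path relative to buildRoot plus the line number. Because the
// Windows output sometimes repeats the build directory before the real file
// reference, only the last whitespace-separated token is used (assumption:
// paths inside the build tree contain no spaces).
func ParseFindingFile(raw, buildRoot string) (string, int, error) {
	fields := strings.Fields(strings.TrimPrefix(strings.TrimSpace(raw), "File:"))
	if len(fields) == 0 {
		return "", 0, errors.New("empty File field")
	}
	ref := fields[len(fields)-1]

	// Split the trailing ":line" suffix. idx > 1 keeps the drive-letter colon
	// in "C:\..." from being mistaken for the line separator.
	path, line := ref, 0
	if idx := strings.LastIndex(ref, ":"); idx > 1 {
		if n, err := strconv.Atoi(ref[idx+1:]); err == nil {
			path, line = ref[:idx], n
		}
	}

	// Normalise to forward slashes and strip the build root so the report
	// location is stable across checkouts. The prefix match is case-insensitive
	// because NTFS paths are.
	path = strings.ReplaceAll(path, `\`, "/")
	root := strings.TrimSuffix(strings.ReplaceAll(buildRoot, `\`, "/"), "/") + "/"
	if strings.HasPrefix(strings.ToLower(path), strings.ToLower(root)) {
		path = path[len(root):]
	}
	return path, line, nil
}

func main() {
	// Raw value copied from the duplicated-path finding in this issue; the
	// build root is that pipeline's checkout directory.
	raw := `File: C:\Users\dsearles\builds\jEPGiVGF\0\gitlab-org\security-products\tests\webgoat.net\WebGoat\ C:\Users\dsearles\builds\jEPGiVGF\0\gitlab-org\security-products\tests\webgoat.net\WebGoat\App_Code\CookieManager.cs:18`
	root := `C:\Users\dsearles\builds\jEPGiVGF\0\gitlab-org\security-products\tests\webgoat.net`
	path, line, err := ParseFindingFile(raw, root)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s:%d\n", path, line) // WebGoat/App_Code/CookieManager.cs:18
}
```

The same function leaves an already-clean Linux path untouched apart from making it repo-relative, so it can sit in front of the report writer for both runner types; the drive-letter guard matters because a naive split on the last colon would otherwise work on Linux and silently break on Windows.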
Windows Version Support
Windows version support per golang version is found at https://github.com/golang/go/wiki/Windows
As of writing this, the latest version of golang is 1.14.2. We should not upgrade past that without checking for changes in which versions of Windows are supported.
| Distributions | Architectures | Initial support version | Final support version |
|---|---|---|---|
| Windows 7, Windows Server 2008R2 or above | amd64, 386 | Go 1 * | |
| Windows Vista, Windows Server 2008 | amd64, 386 | Go 1 * | Go 1.10.8 |
| Windows XP, Windows Server 2003 | amd64, 386 | Go 1 * | Go 1.10.8 |