SAST for .NET installs SecurityCodeScan 2.8.0, which is not compatible with Unix
Summary
SecurityCodeScan 2.8.0 is no longer compatible with Unix, but the security-code-scan analyzer for GitLab uses the microsoft/dotnet Docker image, which is built on top of Debian.
See release message:
Bad news: this release will no longer run on Unix machines.
Good news: for Continuous Integration builds on Unix use https://www.nuget.org/packages/SecurityCodeScan.VS2017 nuget package.
See https://gitlab.com/gitlab-org/gitlab-ee/issues/4824#note_89705694
Thank you @Pavardenis for reporting this!
I'm still investigating this since I've not been able to reproduce the issue.
Steps to reproduce
The integration tests of the security-code-scan analyzer should fail, with the scan finding no vulnerability at all. As a consequence, the CI pipeline should also fail.
So far I have not been able to reproduce the issue. I'm still able to run the integration tests and get the expected results even though it installs SecurityCodeScan 2.8.0, as shown in app.csproj after running the scan:
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>netcoreapp2.0</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="SecurityCodeScan" Version="2.8.0.0" />
  </ItemGroup>
</Project>
Example Project
Any .NET project where SAST is enabled.
What is the current bug behavior?
No vulnerability.
What is the expected correct behavior?
SecurityCodeScan scans the .NET source code and finds vulnerabilities.
Possible fixes
Make the security-code-scan analyzer install SecurityCodeScan.VS2017 instead of SecurityCodeScan.
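A pre-scan check of the kind done by hand above, as an added example (not the analyzer's own code): it looks for the Unix-incompatible SecurityCodeScan package reference in a .csproj and rewrites it to SecurityCodeScan.VS2017, as the possible fix suggests. The sample project file is constructed from the one quoted above, and the Version attribute is left untouched because the issue gives no version for the VS2017 package.

```shell
#!/bin/sh
# Added example, not part of the security-code-scan analyzer or of this issue.

# Write a constructed app.csproj modelled on the one quoted in the issue.
write_sample_csproj() {
  cat > "$1" <<'EOF'
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>netcoreapp2.0</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="SecurityCodeScan" Version="2.8.0.0" />
  </ItemGroup>
</Project>
EOF
}

# Return 0 if the project references the plain "SecurityCodeScan" package
# (the one whose 2.8.0 release no longer runs on Unix), 1 otherwise.
# The exact-match quote after the name keeps SecurityCodeScan.VS2017 from matching.
has_incompatible_package() {
  grep -Eq '<PackageReference[^>]*Include="SecurityCodeScan"' "$1"
}

# Rewrite the Include attribute to the Unix-capable package. The Version
# attribute is deliberately left as-is (no version is assumed here).
# Prints the resulting Include attribute so a CI log shows what was used.
switch_to_vs2017_package() {
  tmp="$1.tmp"
  sed 's/Include="SecurityCodeScan"/Include="SecurityCodeScan.VS2017"/' "$1" > "$tmp" \
    && mv "$tmp" "$1"
  grep -Eo 'Include="SecurityCodeScan[^"]*"' "$1"
}

# Demo run: gate the scan on the package actually referenced in the project.
proj=$(mktemp)
write_sample_csproj "$proj"
if has_incompatible_package "$proj"; then
  echo "Unix-incompatible SecurityCodeScan reference found; switching package"
  switch_to_vs2017_package "$proj"
fi
rm -f "$proj"
```

In a Debian-based analyzer image this gate would run before `dotnet restore`, so a silent "no vulnerability" result from the wrong package is caught as a pipeline failure rather than passed along as a clean scan.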