CodeSonar Analysis in a GitLab Pipeline on Microsoft Windows: Modifications for CodeSonar 7.2 and Earlier
The main Windows instructions are designed for use with CodeSonar 7.3 or later.
CodeSonar 7.3 adds the codesonar analyze -remote-archive option, which allows for a more streamlined pipeline setup.
This page contains modifications for users of CodeSonar 7.2 and earlier, and is designed to be followed alongside the main Windows instructions.
If one of the following applies, you do not need the modifications in this document and can follow the main Windows instructions directly.
- You are using CodeSonar 7.3 or later.
- You are using CodeSonar 7.2 or earlier and your hub has one or more associated remote analysis launch daemons that you can use to perform remote-managed analyses (with codesonar analyze -remote).
The instructions below assume that you are using PowerShell.
Many of these tasks can also be performed with a Windows Command Prompt, but you will need to substitute the appropriate syntax and commands.
In particular, PowerShell variables are prefixed by a $ character, whereas Command Prompt variables are enclosed by % characters.
Prerequisites
No change.
Overview
- A. Prepare an example project (zlib)
- B. Create and install an analysis data server
- C. Create and install a pipeline build runner
- D. Create a basic pipeline that can build your code
- E. Install CodeSonar and integration tools in CI builder environment
- F. Update the pipeline job definition to perform CodeSonar analysis
A. Prepare an example project (zlib)
No change.
B. Create and install an analysis data server
Follow the instructions to create a relocating analysis data server.
C. Create and install a pipeline build runner
No change.
D. Create a basic pipeline that can build your code
No change.
E. Install CodeSonar and integration tools in CI builder environment
No change.
One step is different:
Replacement Step 3: Configure your CI/CD pipeline to use CodeSonar (CodeSonar 7.2 and earlier)
You will need to add a "codesonar-sast" job to your .gitlab-ci.yml file in order to analyze your code.
If you are not using a remote-managed or SaaS analysis, then you will also need to add a codesonar-relocate job so that you can relocate your analysis results to a persistent server.
An example is shown further below.
This example makes use of many environment variables. Some of the variables are predefined by GitLab. Other variables are defined in the pipeline definition itself. Still others are defined in your GitLab project settings as custom "CI/CD Variables". For more information see: https://docs.gitlab.com/ee/ci/variables/. A summary of the project settings custom CI/CD variables will be provided further below.
Note that some GitLab features will assume that your "SAST scanning" job name is suffixed with "-sast".
Modify your .gitlab-ci.yml file by using the example shown below as a template.
Make the following changes to the example:
- Ensure that the tags for each job match the runner that the job requires.
- Update the SARIF2SAST, CODESONAR, and CSPYTHON variables so that they refer to the correct locations.
- Update the codesonar execution commands to ensure they specify hub authentication options appropriate to your CodeSonar hub.
- Update the codesonar analyze command to provide a custom name for your analysis.
- Update the CI_SERVER_CAFILE variable (if necessary) so that it refers to your GitLab Server's HTTPS root authority certificate file.
- Be sure to add the test and publish_analysis items under the stages section of the YAML file.
workflow:
  rules:
    - if: $CI_MERGE_REQUEST_IID
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

stages:
  - build
  - test
  - publish_analysis

build:
  stage: build
  tags:
    - Windows
    - MSVC
  variables:
    VSDIR: 'C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional'
  script:
    - >
      Import-Module $Env:VSDIR\Common7\Tools\Microsoft.VisualStudio.DevShell.dll ;
      Enter-VsDevShell -VsInstallPath $Env:VSDIR
    - >
      nmake /f win32\Makefile.msc

codesonar-sast:
  stage: test
  tags:
    - Windows
    - MSVC
    - CodeSonar
  variables:
    SARIF2SAST: 'C:\Program Files\CodeSonarTools\codesonar-gitlab-integration\distro-image\codesonar-sarif2sast'
    CODESONAR: 'C:\Program Files\GrammaTech\CodeSonar\codesonar\bin\codesonar.exe'
    CSPYTHON: 'C:\Program Files\GrammaTech\CodeSonar\codesonar\bin\cspython.exe'
    CODESONAR_PROJECT_NAME: ${CI_PROJECT_NAME}
    CI_SERVER_CAFILE: 'gitlab.root.cacert'
    VSDIR: 'C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional'
  script:
    - >
      Import-Module $Env:VSDIR\Common7\Tools\Microsoft.VisualStudio.DevShell.dll ;
      Enter-VsDevShell -VsInstallPath $Env:VSDIR
    - >
      & "${CODESONAR}" analyze
      "${CODESONAR_PROJECT_NAME}"
      -no-services
      -foreground
      -auth certificate -hubcert "${CODESONAR_HUB_USER_CERT_FILE}" -hubkey "${CODESONAR_HUB_USER_KEY_FILE}"
      -name "gitlab-ci ref=${CI_COMMIT_REF_NAME} update=${CI_MERGE_REQUEST_IID} job=${CI_PIPELINE_ID}.${CI_JOB_ID} commit=${CI_COMMIT_SHORT_SHA}"
      "${CODESONAR_HUB_URL}"
      nmake /f win32\Makefile.msc
    - >
      Compress-Archive
      "${CODESONAR_PROJECT_NAME}.prj_files",
      "${CODESONAR_PROJECT_NAME}.prj",
      "${CODESONAR_PROJECT_NAME}.conf"
      analysis_data.zip
    - $CODESONAR_ANALYSIS_ID = & "${CSPYTHON}" "${SARIF2SAST}\analysis_id.py" "${CODESONAR_PROJECT_NAME}"
    - >
      & "${CODESONAR}" get
      -auth certificate -hubcert "${CODESONAR_HUB_USER_CERT_FILE}" -hubkey "${CODESONAR_HUB_USER_KEY_FILE}"
      -o allwarnings.sarif
      "${CODESONAR_HUB_URL}/analysis/${CODESONAR_ANALYSIS_ID}-allwarnings.sarif?filter=%22${CODESONAR_VISIBILITY_FILTER}%22"
    - >
      & "${CSPYTHON}" "${SARIF2SAST}\sarif2sast.py"
      --sarif allwarnings.sarif
      --output gl-sast-report.json
      --summary-report sast-summary-report.md
      --codesonar-url "${CODESONAR_HUB_URL}"
      --analysis-id ${CODESONAR_ANALYSIS_ID}
      --max ${CODESONAR_MAX_WARNINGS}
      --threshold ${CODESONAR_WARNING_THRESHOLD}
  after_script:
    - >
      & "${CSPYTHON}" "${SARIF2SAST}\upload_gitlab_mr_notes.py"
      --api-token-variable GITLAB_TOKEN
      --report sast-summary-report.md
      --cafile "${CI_SERVER_CAFILE}"
  artifacts:
    reports:
      sast: gl-sast-report.json
    expire_in: 1 day
    paths:
      - analysis_data.zip

codesonar-relocate:
  stage: publish_analysis
  needs:
    - job: codesonar-sast
      artifacts: true
  tags:
    - codesonar_analysis_server
    - Windows
  variables:
    CODESONAR: 'C:\Program Files\GrammaTech\CodeSonar\codesonar\bin\codesonar.exe'
    DATA_ROOT_DIR: 'C:\ProgramData\CodeSonar-GitLab\pipelines\${CI_PIPELINE_ID}'
    CSONAR_HUB_URL: "${CODESONAR_HUB_URL}"
    CODESONAR_PROJECT_NAME: "${CI_PROJECT_NAME}"
  script:
    - mkdir "${DATA_ROOT_DIR}" -Force
    - Expand-Archive analysis_data.zip -Force
    - move analysis_data "${DATA_ROOT_DIR}"
    - >
      cd "${DATA_ROOT_DIR}" ;
      & "$CODESONAR" relocate
      -auth certificate -hubcert "${CODESONAR_HUB_USER_CERT_FILE}" -hubkey "${CODESONAR_HUB_USER_KEY_FILE}"
      "${DATA_ROOT_DIR}\analysis_data\${CODESONAR_PROJECT_NAME}"
      "${CSONAR_HUB_URL}"
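The modifications listed above (required stages, the "-sast" job suffix, hub authentication on every codesonar command, and a codesonar-relocate job that consumes the analysis artifact on the analysis data server runner) can be checked mechanically before a pipeline is pushed. The script below is an added example, not part of the CodeSonar documentation or the codesonar-gitlab-integration tools; it assumes the .gitlab-ci.yml has already been parsed into Python objects (for instance with PyYAML's safe_load), and the server_tag default is the runner tag used in the example above.

```python
import re

REQUIRED_STAGES = ("build", "test", "publish_analysis")
# Matches `"${CODESONAR}" analyze`, `"$CODESONAR" relocate`, etc. in a folded script line.
CODESONAR_CALL = re.compile(r'\$\{?CODESONAR\}?"?\s+(analyze|get|relocate)\b')


def check_codesonar_pipeline(ci: dict, server_tag: str = "codesonar_analysis_server") -> list:
    """Return the problems found in a parsed .gitlab-ci.yml; an empty list means the layout matches."""
    problems = [f"stage '{s}' missing from 'stages'" for s in REQUIRED_STAGES if s not in (ci.get("stages") or [])]
    jobs = {n: j for n, j in ci.items() if isinstance(j, dict) and "stage" in j}
    # GitLab's SAST features assume the scanning job name ends with "-sast".
    sast_jobs = [n for n in jobs if n.endswith("-sast")]
    if not sast_jobs:
        problems.append("no job with a '-sast' name suffix")
    for name in sast_jobs:
        if jobs[name].get("stage") != "test":
            problems.append(f"{name}: stage should be 'test'")
        if "sast" not in ((jobs[name].get("artifacts") or {}).get("reports") or {}):
            problems.append(f"{name}: artifacts.reports.sast not declared")
    # Every codesonar analyze/get/relocate call must carry hub authentication options.
    for name, job in jobs.items():
        for line in (job.get("script") or []) + (job.get("after_script") or []):
            if CODESONAR_CALL.search(str(line)) and "-auth" not in str(line):
                problems.append(f"{name}: codesonar command without -auth")
    relocate = jobs.get("codesonar-relocate")
    if relocate is None:
        return problems + ["codesonar-relocate job missing (needed unless analysis is remote-managed or SaaS)"]
    needs = relocate.get("needs") or []
    if not any(isinstance(n, dict) and n.get("job") in sast_jobs and n.get("artifacts") is True for n in needs):
        problems.append("codesonar-relocate: must 'need' the -sast job with artifacts: true")
    if server_tag not in (relocate.get("tags") or []):
        problems.append(f"codesonar-relocate: tag '{server_tag}' missing, job may run on the wrong runner")
    return problems


# Constructed sample mirroring the page's pipeline; script strings are cut down to the parts checked.
SAMPLE_PIPELINE = {
    "stages": ["build", "test", "publish_analysis"],
    "codesonar-sast": {
        "stage": "test", "artifacts": {"reports": {"sast": "gl-sast-report.json"}},
        "script": ['& "${CODESONAR}" analyze "${CODESONAR_PROJECT_NAME}" -auth certificate "${CODESONAR_HUB_URL}" nmake',
                   '& "${CODESONAR}" get -auth certificate -o allwarnings.sarif "${CODESONAR_HUB_URL}/analysis/1-allwarnings.sarif"'],
    },
    "codesonar-relocate": {
        "stage": "publish_analysis",
        "needs": [{"job": "codesonar-sast", "artifacts": True}], "tags": ["codesonar_analysis_server", "Windows"],
        "script": ['& "$CODESONAR" relocate -auth certificate "${DATA_ROOT_DIR}\\analysis_data\\zlib" "${CSONAR_HUB_URL}"'],
    },
}
```

Running check_codesonar_pipeline over SAMPLE_PIPELINE returns an empty list; dropping the -auth options from a codesonar command, the publish_analysis stage, or the relocate job's runner tag produces one problem string each.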