dotnetarium-scs
1.1.0
dotnet tool install --global dotnetarium-scs --version 1.1.0
dotnet new tool-manifest # if you are setting up this repo
dotnet tool install --local dotnetarium-scs --version 1.1.0
#tool dotnet:?package=dotnetarium-scs&version=1.1.0
nuke :add-package dotnetarium-scs --version 1.1.0
DotnetariumSCS
DotnetariumSCS is a console application that provides comprehensive static code analysis for .NET projects and solutions. It is a standalone fork of Security Code Scan.
This repo contains only the tools (console apps for .NET Framework and the .NET global tool); the analyzers live in the NuGet package repo.
A synced fork (with updated packages and the latest Roslyn) is available here.
New
Version 1.1.0 adds taint data visualization to the SARIF output file. The relatedLocations are populated from the additionalLocations generated by the Dotnetarium.Analyzers.SCS NuGet package; this is a post-scan step that reconstructs the data flow from the taint data.
More information here.
To disable this behavior, provide a custom configuration file: create a DotnetariumSCS.Config.yml file with the following content and pass it with the -c parameter:
Version: 3.1
TaintFlowVisualizationEnabled: false
Getting Started
Prerequisites
- .NET SDK to install the app as a global tool
Supported .NET versions
- .NET 6.0
- .NET 8.0
- .NET 4.7.2 - 4.8
End-of-life .NET versions will be dropped; new stable .NET versions will be added.
Installation
As a .NET Global Tool
To install DotnetariumSCS as a .NET global tool, run:
dotnet tool install --global dotnetarium-scs
As a .NET Framework tool
Check the releases page to download an artifact for .NET 4.x.
As a NuGet Package
To install DotnetariumSCS as a NuGet package, add the Dotnetarium.Analyzers.SCS package to your project.
As a Visual Studio extension
Not supported yet. Continue to use the Security Code Scan version; at this point, no changes will affect the Visual Studio extension experience.
Usage
Run the application from the command line using the required options. Below are the available options:
Required Options
<solution-or-project-path>
Description: Specifies the path to the solution or project file.
Usage: dotnetarium-scs "<path-to-solution-or-project>"
Optional Options
-w | --excl-warn=<warnings>
Description: Semicolon delimited list of warnings to exclude.
Usage: -w "CS0168;CS0219"
--incl-warn=<warnings>
Description: Semicolon delimited list of warnings to include.
Usage: --incl-warn "CS0028;CS0052"
-p | --excl-proj=<patterns>
Description: Semicolon delimited list of glob project patterns to exclude.
Usage: -p "*.Tests;*.Samples"
--incl-proj=<patterns>
Description: Semicolon delimited list of glob project patterns to include.
Usage: --incl-proj "*.Main;*.Core"
-x | --export=<file-path>
Description: Path to the SARIF file for exporting analysis results.
Usage: -x "results.sarif"
-c | --config=<file-path>
Description: Path to an additional configuration file.
Usage: -c "config.json"
--cwe
Description: Show CWE IDs in the analysis results.
Usage: --cwe
-t | --threads=<number>
Description: Run analysis in parallel (experimental).
Usage: -t 4
--sdk-path=<path>
Description: Path to the .NET SDK to use.
Usage: --sdk-path "C:\Program Files\dotnet\sdk"
--ignore-msbuild-errors
Description: Do not stop on MSBuild errors.
Usage: --ignore-msbuild-errors
--ignore-compiler-errors
Description: Do not exit with a non-zero code on compilation errors.
Usage: --ignore-compiler-errors
-f | --fail-any-warn
Description: Fail on security warnings with a non-zero exit code.
Usage: -f
-n | --no-banner
Description: Do not show the banner.
Usage: -n
-v | --verbose
Description: Display more diagnostic messages.
Usage: -v
-h | -? | --help
Description: Show this message and exit.
Usage: -h
Examples
Basic Analysis
dotnetarium-scs "path/to/solution.sln"
Exclude Specific Warnings
dotnetarium-scs "path/to/project.csproj" -w "CS0168;CS0219"
Include Specific Projects Only
dotnetarium-scs "path/to/solution.sln" --incl-proj "*.Main;*.Core"
Export Results to SARIF File
dotnetarium-scs "path/to/solution.sln" -x "results.sarif"
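To show what the -x SARIF export and the taint flow described under New look like once consumed, here is an added example (not code from the DotnetariumSCS project) that parses a SARIF file and lists each finding with its relatedLocations as data-flow steps. The embedded SARIF sample, its file names and rule ids, and the ordering of relatedLocations by their id are assumptions made for the example.

```python
import json

# Constructed sample in the shape of a SARIF 2.1.0 export (not real scanner output);
# rule ids follow the SCSxxxx pattern used by Security Code Scan.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "DotnetariumSCS"}},
    "results": [
        {"ruleId": "SCS0002", "level": "warning",
         "message": {"text": "Possible SQL injection"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "Data/UserRepo.cs"}, "region": {"startLine": 42}}}],
         "relatedLocations": [
             {"id": 1, "message": {"text": "Passed to repository"}, "physicalLocation": {
                 "artifactLocation": {"uri": "Data/UserRepo.cs"}, "region": {"startLine": 40}}},
             {"id": 0, "message": {"text": "Tainted from request"}, "physicalLocation": {
                 "artifactLocation": {"uri": "Web/UserController.cs"}, "region": {"startLine": 17}}}]},
        {"ruleId": "SCS0018", "level": "warning",
         "message": {"text": "Path traversal"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "Web/FileController.cs"}, "region": {"startLine": 9}}}]}]}]})

def _where(loc):
    """'uri:line' for a SARIF location object; missing parts become '?'."""
    phys = loc.get("physicalLocation", {})
    uri = phys.get("artifactLocation", {}).get("uri", "?")
    line = phys.get("region", {}).get("startLine", "?")
    return f"{uri}:{line}"

def load_findings(sarif_text):
    """Flatten results to (ruleId, level, sink, [(step, note), ...]).
    relatedLocations are sorted by their SARIF id, which this example assumes
    to be the source-to-sink order of the reconstructed taint flow."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        for res in run.get("results", []):
            locs = res.get("locations") or []
            sink = _where(locs[0]) if locs else "?"
            related = sorted(res.get("relatedLocations", []), key=lambda r: r.get("id", 0))
            steps = [(_where(r), r.get("message", {}).get("text", "")) for r in related]
            findings.append((res.get("ruleId", "?"), res.get("level", "?"), sink, steps))
    return findings

def count_by_rule(findings):
    """Number of findings per rule id, e.g. for a CI summary line."""
    counts = {}
    for rule, *_ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts
```

To run it on a real scan, replace SAMPLE_SARIF with the contents of the file written by -x and print the tuples returned by load_findings.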
Compatibility
DotnetariumSCS is backward compatible with the Security Code Scan project. The Security Code Scan GitHub repository has more details.
Contributing
If you would like to contribute to DotnetariumSCS, please fork the repository and submit a pull request. For major changes, please open an issue to discuss what you would like to change.
License
DotnetariumSCS is licensed under the LGPL. See the LICENSE file for more information.
Contact
For support or any inquiries, please open an issue on GitHub.
Product | Compatible target frameworks | Additional computed target frameworks
---|---|---
.NET | net6.0, net8.0 | net6.0-android, net6.0-ios, net6.0-maccatalyst, net6.0-macos, net6.0-tvos, net6.0-windows, net7.0, net7.0-android, net7.0-ios, net7.0-maccatalyst, net7.0-macos, net7.0-tvos, net7.0-windows, net8.0-android, net8.0-browser, net8.0-ios, net8.0-maccatalyst, net8.0-macos, net8.0-tvos, net8.0-windows
This package has no dependencies.