Add example csproj project #169
Thanks for providing a C# example. I'm a Linux user. Can you provide a way to make your example project usable on Linux, maybe with a Dockerfile?
@Reamer I've changed the project and added a docker file. Hopefully that works for you (it only picks up one vulnerability, but I figured I'd just push as-is)
Hi @jimmycav, this Dockerfile should be better. It uses an official Microsoft image as base and has no sonarqube installed (because we are using an external sonarqube).

```dockerfile
FROM mcr.microsoft.com/dotnet/core/sdk:2.2
ARG sonarHost
ENV NODEREPO=node_10.x \
    DEPENDENCY_CHECK=5.2.1 \
    PATH="$PATH:/root/.dotnet/tools"
RUN /usr/bin/apt-get update && \
    # Install Java 8 and other tools
    DEBIAN_FRONTEND=noninteractive apt-get install -y openjdk-8-jre unzip wget lsb-release gnupg apt-transport-https && \
    # Install Sonarqube-Scanner
    dotnet tool install --global dotnet-sonarscanner && \
    # Install dependency-check (the GPG signature is verified before unpacking)
    /usr/bin/wget -q -O /opt/dependency-check-${DEPENDENCY_CHECK}-release.zip https://dl.bintray.com/jeremy-long/owasp/dependency-check-${DEPENDENCY_CHECK}-release.zip && \
    /usr/bin/wget -q -O /opt/dependency-check-${DEPENDENCY_CHECK}-release.zip.asc https://dl.bintray.com/jeremy-long/owasp/dependency-check-${DEPENDENCY_CHECK}-release.zip.asc && \
    /usr/bin/gpg --batch --keyserver keyserver.ubuntu.com --recv-keys F9514E84AE3708288374BBBE097586CFEA37F9A6 && \
    /usr/bin/gpg --batch --verify /opt/dependency-check-${DEPENDENCY_CHECK}-release.zip.asc /opt/dependency-check-${DEPENDENCY_CHECK}-release.zip && \
    /usr/bin/unzip /opt/dependency-check-${DEPENDENCY_CHECK}-release.zip -d /opt && \
    /bin/mkdir /opt/dependency-check/data && \
    /bin/chmod g+w -R /opt/dependency-check/data && \
    /bin/ln -s /opt/dependency-check/bin/dependency-check.sh /usr/bin/dependency-check.sh && \
    /bin/rm -v /opt/dependency-check-${DEPENDENCY_CHECK}-release.zip.asc /opt/dependency-check-${DEPENDENCY_CHECK}-release.zip && \
    # Install Node for Sonarqube-Scanner
    # Documented way, but without a potentially dangerous script.
    # https://nodejs.org/en/download/package-manager/#debian-and-ubuntu-based-linux-distributions
    /usr/bin/wget -qO- https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add - && \
    echo "deb https://deb.nodesource.com/${NODEREPO} $(lsb_release -c -s) main" > /etc/apt/sources.list.d/nodesource.list && \
    echo "deb-src https://deb.nodesource.com/${NODEREPO} $(lsb_release -c -s) main" >> /etc/apt/sources.list.d/nodesource.list && \
    /usr/bin/apt-get update && \
    DEBIAN_FRONTEND=noninteractive /usr/bin/apt-get install -y nodejs && \
    # Cleanup
    /usr/bin/apt-get clean && \
    /bin/rm -rf /var/lib/apt/lists/*
WORKDIR /app
COPY *.sln ./
COPY ExampleApp1 ./ExampleApp1
COPY ExampleApp2 ./ExampleApp2
# Run the dependency-check scan over the sources and write XML and HTML reports to /app
RUN /usr/bin/dependency-check.sh -f XML -f HTML -s . -o .
# Build under the Sonar scanner and hand both reports to the external SonarQube
RUN dotnet sonarscanner begin /k:exampleCSproj \
    /d:sonar.host.url=${sonarHost} \
    /d:sonar.dependencyCheck.reportPath="/app/dependency-check-report.xml" \
    /d:sonar.dependencyCheck.htmlReportPath="/app/dependency-check-report.html" && \
    dotnet build && \
    dotnet sonarscanner end
```
Needed things before merge:
- Improve Dockerfile
- Remove changes in .gitignore
- Reduce Codacy Issues
- I just enabled some codacy rules, check out other README files
- Squash Commits
.gitignore
@@ -9,3 +9,11 @@ target/ | |||
build/ | |||
node_modules/ | |||
package-lock.json | |||
bin/ |
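Review bot: the `bin/` entry added at the end of this hunk is unanchored, so it ignores every directory named bin at any depth in the repository, not only the C# example's build output. If the entry is needed at all, scope it to the example project (for instance a .gitignore inside the example's own directory) so files in an unrelated bin directory elsewhere cannot be silently left out of commits. The header (`-9,3 +9,11`) says eight lines are added while only this one is visible here, so the same check applies to the rest.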
Because we are using a docker image, these changes should be obsolete.
bf9340a to 2b27d88
Updated based on request
2b27d88 to 3980b31
Note, I needed the bin/ and obj/ directories in the gitignore file because the solution is built as part of the dockerfile
Hi @jimmycav,
Need answer for ".gitignore"
85fbe55 to ce6eb49
Hi, sorry for the delay. @Reamer you are right. I've removed the obj/ and bin/ folders from gitignore. Please have another look. Thanks
Adding an example C# project to support fixing issues