Add example csproj project #169

Merged (1 commit, Oct 14, 2019)

Conversation

jimmycav
Contributor

@jimmycav jimmycav commented Sep 5, 2019

Adding an example C# project to support fixing issues

@Reamer
Member

Reamer commented Sep 7, 2019

Thanks for providing a C# example. I'm a Linux user; can you provide a way that your example project is usable on Linux, maybe with a Dockerfile?

@jimmycav
Contributor Author

@Reamer I've changed the project and added a Dockerfile. Hopefully that works for you (it only picks up one vulnerability, but I figured I'd just push as-is).

@Reamer
Member

Reamer commented Sep 26, 2019

Hi @jimmycav,

this Dockerfile should be better. It uses an official Microsoft image as base and has no SonarQube installed (because we are using an external SonarQube).

```dockerfile
# Official Microsoft .NET Core SDK image as base; SonarQube itself runs externally.
FROM mcr.microsoft.com/dotnet/core/sdk:2.2
# URL of the external SonarQube server (pass with --build-arg sonarHost=...)
ARG sonarHost

ENV NODEREPO=node_10.x \
    DEPENDENCY_CHECK=5.2.1 \
    PATH="$PATH:/root/.dotnet/tools"

RUN /usr/bin/apt-get update && \
    # Install Java 8 (required by dependency-check) and other tools
    DEBIAN_FRONTEND=noninteractive apt-get install -y openjdk-8-jre unzip wget lsb-release gnupg apt-transport-https && \
    # Install the SonarQube scanner for .NET
    dotnet tool install --global dotnet-sonarscanner && \
    # Install dependency-check: fetch release and detached signature, verify before unpacking
    /usr/bin/wget -q -O /opt/dependency-check-${DEPENDENCY_CHECK}-release.zip https://dl.bintray.com/jeremy-long/owasp/dependency-check-${DEPENDENCY_CHECK}-release.zip && \
    /usr/bin/wget -q -O /opt/dependency-check-${DEPENDENCY_CHECK}-release.zip.asc https://dl.bintray.com/jeremy-long/owasp/dependency-check-${DEPENDENCY_CHECK}-release.zip.asc && \
    /usr/bin/gpg --batch --keyserver keyserver.ubuntu.com --recv-keys F9514E84AE3708288374BBBE097586CFEA37F9A6 && \
    /usr/bin/gpg --batch --verify /opt/dependency-check-${DEPENDENCY_CHECK}-release.zip.asc /opt/dependency-check-${DEPENDENCY_CHECK}-release.zip && \
    /usr/bin/unzip /opt/dependency-check-${DEPENDENCY_CHECK}-release.zip -d /opt && \
    /bin/mkdir /opt/dependency-check/data && \
    /bin/chmod g+w -R /opt/dependency-check/data && \
    /bin/ln -s /opt/dependency-check/bin/dependency-check.sh /usr/bin/dependency-check.sh && \
    /bin/rm -v /opt/dependency-check-${DEPENDENCY_CHECK}-release.zip.asc /opt/dependency-check-${DEPENDENCY_CHECK}-release.zip && \
    # Install Node for the SonarQube scanner, the documented way but without
    # piping the potentially dangerous setup script into a shell:
    # https://nodejs.org/en/download/package-manager/#debian-and-ubuntu-based-linux-distributions
    /usr/bin/wget -qO- https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add - && \
    echo "deb https://deb.nodesource.com/${NODEREPO} $(lsb_release -c -s) main" > /etc/apt/sources.list.d/nodesource.list && \
    echo "deb-src https://deb.nodesource.com/${NODEREPO} $(lsb_release -c -s) main" >> /etc/apt/sources.list.d/nodesource.list && \
    /usr/bin/apt-get update && \
    DEBIAN_FRONTEND=noninteractive /usr/bin/apt-get install -y nodejs && \
    # Cleanup
    /usr/bin/apt-get clean && \
    /bin/rm -rf /var/lib/apt/lists/*

WORKDIR /app

COPY *.sln ./
COPY ExampleApp1 ./ExampleApp1
COPY ExampleApp2 ./ExampleApp2

# Scan the solution: XML report for the SonarQube plugin, HTML report for humans
RUN /usr/bin/dependency-check.sh -f XML -f HTML -s . -o .
# Hand both reports to the dependency-check SonarQube plugin around the build
RUN dotnet sonarscanner begin /k:exampleCSproj \
    /d:sonar.host.url=${sonarHost}  \
    /d:sonar.dependencyCheck.reportPath="/app/dependency-check-report.xml" \
    /d:sonar.dependencyCheck.htmlReportPath="/app/dependency-check-report.html" && \
    dotnet build && \
    dotnet sonarscanner end
```
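The Dockerfile above leaves /app/dependency-check-report.xml behind for the SonarQube plugin; as an added example (not code from this PR or the project), here is a small POSIX shell gate over such a report. The report content is constructed, its element layout is a simplified assumption about the scanner's schema, and the CVE ids are placeholders.

```shell
#!/bin/sh
# Added example (not from this PR): a minimal gate over a dependency-check XML
# report like the /app/dependency-check-report.xml the Dockerfile above writes.
# The report is constructed here; its element layout is a simplified assumption
# about the scanner's schema and the CVE ids are placeholders.
REPORT=dependency-check-report.xml
cat > "$REPORT" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<analysis>
  <dependencies>
    <dependency>
      <fileName>ExampleApp1/bin/SampleLibA.dll</fileName>
      <vulnerabilities>
        <vulnerability source="NVD">
          <name>CVE-0000-PLACEHOLDER1</name>
          <cvssV3><baseScore>7.5</baseScore></cvssV3>
        </vulnerability>
        <vulnerability source="NVD">
          <name>CVE-0000-PLACEHOLDER2</name>
          <cvssV3><baseScore>4.3</baseScore></cvssV3>
        </vulnerability>
      </vulnerabilities>
    </dependency>
    <dependency>
      <fileName>ExampleApp2/bin/SampleLibB.dll</fileName>
    </dependency>
  </dependencies>
</analysis>
EOF
# Number of <vulnerability> elements in the report (one element per line).
count_vulnerabilities() {
    grep -c '<vulnerability[ >]' "$1" || true
}

# Highest CVSS v3 base score in the report, or 0 when nothing was found.
max_cvss() {
    sed -n 's/.*<baseScore>\([0-9.]*\)<\/baseScore>.*/\1/p' "$1" | sort -n | tail -n 1 | grep . || echo 0
}

# Exit 0 when the worst finding stays below the limit, 1 otherwise.
gate_report() {
    awk -v score="$(max_cvss "$1")" -v limit="$2" 'BEGIN { exit (score + 0 >= limit + 0) }'
}

if gate_report "$REPORT" 7.0; then
    echo "report ok: $(count_vulnerabilities "$REPORT") finding(s), max CVSS $(max_cvss "$REPORT")"
else
    echo "report fails gate: max CVSS $(max_cvss "$REPORT")" >&2
fi
```

The dependency-check CLI can enforce the same threshold itself with `--failOnCVSS`, which would make the first RUN line above fail the image build instead of only reporting.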


@Reamer Reamer left a comment


Needed things before merge:

  • Improve Dockerfile
  • Remove changes in .gitignore
  • Reduce Codacy Issues
    • I just enabled some Codacy rules; check out the other README files
  • Squash Commits

.gitignore Outdated
@@ -9,3 +9,11 @@ target/
build/
node_modules/
package-lock.json
bin/
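Review bot: the ignore entries this hunk adds to .gitignore (bin/ is the one visible here; the header @@ -9,3 +9,11 @@ says eight lines were added) only cover build output that exists inside the Docker build, since the Dockerfile COPYs the sources into /app and runs dotnet build there, so the repository never sees those directories; suggest dropping the addition and leaving .gitignore unchanged.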
Member


Because we are using a Docker image, these changes should be obsolete.

@jimmycav
Contributor Author

Updated based on request

@jimmycav
Contributor Author

Note, I needed the bin/ and obj/ directories in the .gitignore file because the solution is built as part of the Dockerfile.

@Reamer
Member

Reamer commented Oct 9, 2019

Hi @jimmycav,
sorry for the late response. I think we don't need the bin/ and obj/ directories in the .gitignore, because we COPY all files from the example C# project into the Docker container and the build happens in the container (outside of the git project).
Is there something that I overlooked?


@Reamer Reamer left a comment


Need an answer for ".gitignore"

@jimmycav
Contributor Author

Hi, sorry for the delay. @Reamer you are right. I've removed the obj/ and bin/ folders from .gitignore. Please have another look. Thanks

@Reamer Reamer merged commit 787b4bb into dependency-check:master Oct 14, 2019