richardjharding / sonar-fsharpsecurity-plugin

F# plugin for SonarQube. Contains security scanning only.

sonar-fsharpsecurity-plugin

sonar-fsharpsecurity-plugin is an F# plugin for SonarQube focused on security and vulnerability scanning only.

Rationale

Many enterprises use the SonarC# and SonarVB static code analysers for scanning C# and VB.NET code to check for security and vulnerability issues.

In some cases, this scanning is required before deployment. For another .NET language such as F# to be accepted at these companies, an equivalent scanning tool is required. The lack of such a tool is a hard blocker for F# acceptance.

SonarQube themselves have not built an F# plugin, hence this project.

The code is closely based on the C# code at https://github.com/SonarSource/sonar-dotnet. It uses exactly the same test suites (translated to F#) and the same rules (translated to F#). This is to short-circuit any complaints about the logic used. If it's good enough for C#, it's good enough for F#!

Features

  • 19 "Security Hotspot" rules have been ported from C# (C# rules here).
  • 26 "Vulnerabilities" rules are coming soon.

How to run SonarQube locally

NOTE: In order to run SonarQube, you will need a recent version of the JDK (v11 or newer). If you don't have it, follow instructions in building, testing and debugging the Java plugin.

Install SonarQube:

  1. Install the Community Edition version of SonarQube. Instructions here.
  2. Run the server with StartSonar.bat and make sure you can see the site at http://localhost:9000. Make sure JAVA_HOME or equivalent is set.

Install the plugin:

  1. Download the plugin sonar-fsharpsecurity-plugin.jar file from Appveyor.
  2. Shut down SonarQube, then copy the plugin sonar-fsharpsecurity-plugin.jar file to the SonarQube plugins directory and restart SonarQube.

Prepare for using SonarScanner:

  1. Get a user token, aka login key.
  2. Install SonarScanner.

Now you can try running the scanner!

  1. In the SonarQube UI, create a project such as myProject.
  2. Go to the directory containing the F# project.
  3. Run the following (assumes that sonar-scanner.bat is not already on your path and your login token is 01234567890):

rem optional: only needed if JAVA_HOME is not already set (cmd's set would otherwise keep a trailing "// optional" as part of the value)
set JAVA_HOME=path\to\jdk
set SONARSCANNER=path\to\sonar-scanner\bin
%SONARSCANNER%\sonar-scanner.bat -D"sonar.projectKey=myProject" -D"sonar.sources=." -D"sonar.host.url=http://localhost:9000" -D"sonar.login=01234567890"

You can eliminate the need for the sonar.host.url and sonar.login parameters by editing $install_directory/conf/sonar-scanner.properties. (Instructions).
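The same invocation as a small wrapper script, added here as an example and not part of the plugin or the SonarSource tooling: it takes the token from an environment variable instead of the typed command line (so it does not end up in shell history), checks the variables it needs, and passes the scanner's exit code through so a CI job fails when the scan fails. SONAR_TOKEN, SONAR_HOST_URL and the script name are assumptions; SONARSCANNER is the variable from the steps above.

```batch
@echo off
rem run-sonar-fsharp.bat (added example; not shipped with the plugin)
rem Usage: run-sonar-fsharp.bat <projectKey> [sourceDir]
rem Assumes: SONARSCANNER = path to sonar-scanner\bin (as in the README)
rem          SONAR_TOKEN  = user token created in the SonarQube UI (our name)
rem          SONAR_HOST_URL (optional, our name) defaults to the local server
setlocal

if "%~1"=="" (
    echo usage: %~nx0 ^<projectKey^> [sourceDir]
    exit /b 2
)
set "PROJECT_KEY=%~1"
set "SRC_DIR=%~2"
if "%SRC_DIR%"=="" set "SRC_DIR=."

rem Fail closed instead of sending an empty login to the server.
if not defined SONAR_TOKEN (
    echo SONAR_TOKEN is not set; create a user token in SonarQube and set it first.
    exit /b 2
)
if not defined SONARSCANNER (
    echo SONARSCANNER is not set; point it at your sonar-scanner\bin directory.
    exit /b 2
)
if not defined SONAR_HOST_URL set "SONAR_HOST_URL=http://localhost:9000"

rem Same parameters as the manual command; the token comes from the environment.
call "%SONARSCANNER%\sonar-scanner.bat" ^
    -D"sonar.projectKey=%PROJECT_KEY%" ^
    -D"sonar.sources=%SRC_DIR%" ^
    -D"sonar.host.url=%SONAR_HOST_URL%" ^
    -D"sonar.login=%SONAR_TOKEN%"

rem Propagate the scanner's exit code (non-zero means the scan did not complete).
exit /b %ERRORLEVEL%
```

The token is still visible to the scanner process itself, so treat the machine running the scan as holding that credential; the sonar-scanner.properties file mentioned above is the alternative when you prefer not to pass it at all.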

To run directly without using the SonarQube server

The plugin contains an executable (FsSonarRunner) that can be run on its own. To use this:

  1. Download the plugin as described above.
  2. Unzip the .JAR file to reveal SonarAnalyzer.FSharp.zip.
  3. Unzip SonarAnalyzer.FSharp.zip to reveal a win-x86 directory.
  4. Copy this directory to your favorite location.

To run the scanner, just do:

FsSonarRunner

This will show the available command line options.

As a demonstration, try running it on the test cases which are part of the test suite in this repository.

FsSonarRunner -d .\SonarAnalyzer.FSharp\tests\SonarAnalyzer.FSharp.UnitTest\TestCases

The output file (sonarDiagnostics.xml) will be written to that directory.

Have question or feedback?

To provide feedback (request a feature, report a bug etc.), simply create a GitHub Issue.

Building, testing and debugging locally

If you would like to build or modify the code, see the instructions at:

How to contribute

Check out the contributing page to see the best places to log issues and start discussions.

Acknowledgments

Massive thanks to jmecosta and milbrandt for creating the fslint SonarQube F# plugin. I copied all the Java and maven code from that project and I would never have been able to implement this plugin without that as an example!

License

Licensed under the GPL. See LICENSE.txt.

About

License: GNU Lesser General Public License v3.0