I'm trying to run the following PowerShell script to scan my solution (.NET Core 2.0) with Fortify:
$SolutionFilePath = "C:\Repositories\MyProject"
$SolutionFileName = "MyProjectToTest"
$SSCFPRFileName = "MyProjectToTest.fpr"
$BuildIdName = "MyProjectToTest"
$path = "D:\Fortify"
If(!(test-path $path))
{
New-Item -ItemType Directory -Force -Path $path
}
cd \
cd "C:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\MSBuild\Current\Bin"
sourceanalyzer -b $BuildIdName -clean
sourceanalyzer -b $BuildIdName msbuild "$SolutionFilePath\$SolutionFileName.sln"
sourceanalyzer -b $BuildIdName -scan -f "$path\$SSCFPRFileName"
exit 0
Everything works fine on my local machine.
But when I tried to run it on the server as a build step in TeamCity (TeamCity Enterprise 2018.2.1 (build 61078)), I got an error:
Microsoft (R) Build Engine version 16.0.461+g6ff56ef63c for .NET Framework
Copyright (C) Microsoft Corporation. All rights reserved.
MSBUILD : error MSB1021: Cannot create an instance of the logger. Could not load file or assembly 'Microsoft.Build.Utilities, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' or one of its dependencies. The system cannot find the file specified.
Switch: C:\Program Files\HPE_Security\Fortify_SCA_and_Apps_17.20\Core\lib\FortifyMSBuildTouchless.dll
I'm using the same version of Fortify on my local machine and the server (Fortify Static Code Analyzer 17.20.0183 (using JRE 1.8.0_144)).
On both the server and my local machine I installed Build Tools for Visual Studio 2019 and the .NET Core SDK.
I tried different versions of MSBuild (14, 15, 16), dotnet.exe and devenv.exe, and I installed PowerShell Core. I got the same error.
I could also run the script on the same server for .NET Framework projects successfully; the only change is that I used a different path:
cd "C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
It seems Fortify 17.20 does not support .NET Core 2.X. When I add
-dotnet-core-version 2.0
I got an error (in both local and server):
[error]: Invalid parameter 2.0 for command line argument -dotnet-core-version
but with 1.X it is OK, so how is it possible that the same version of Fortify works fine locally but not on the server?
What is the problem with .NET Core projects? Any ideas?
After some searching I found this one and it works fine for me:
$SolutionFilePath = "C:\Repositories\MyProject"
$SolutionFileName = "MyProjectToTest"
$SSCFPRFileName = "MyProjectToTest.fpr"
$BuildIdName = "MyProjectToTest"
$path = "D:\Fortify"
If(!(test-path $path))
{
New-Item -ItemType Directory -Force -Path $path
}
cd \
cd "$SolutionFilePath"
sourceanalyzer -b $BuildIdName -clean
sourceanalyzer -b $BuildIdName -libdirs **/* **/*
sourceanalyzer -b $BuildIdName -scan -f "$path\$SSCFPRFileName"
exit 0
No msbuild, no other commands: just navigate to the solution folder and run it without any extra command.
I'm trying the following command for my .NET Core 3.1 console application in the folder D:\core:
D:\core>dotnet publish -c Release –r ubuntu-x64 --self-contained true
And it gives an error:
MSBUILD : error MSB1008: Only one project can be specified. Switch:
ubuntu-x64
For switch syntax, type "MSBuild -help"
When I use these two commands separately they work perfectly fine, but I need Release for Ubuntu; when I don't try to specify Release for Ubuntu it creates Publish folder in Debug folder:
D:\core>dotnet publish –r ubuntu-x64 --self-contained true
D:\core>dotnet publish -c Release
To summarize, the problem is that I can't currently publish for Release for a specified OS.
You have a –r in your command. That's an em-dash (–) followed by an r. Have you tried using a normal dash/hyphen?
That works for me:
$ dotnet new console
Getting ready...
The template "Console Application" was created successfully.
Processing post-creation actions...
Running 'dotnet restore' on /home/omajid/temp/HelloWorld/HelloWorld.csproj...
Determining projects to restore...
Restored /home/omajid/temp/HelloWorld/HelloWorld.csproj (in 66 ms).
Restore succeeded.
$ dotnet publish -c Release -r ubuntu-x64 --self-contained true
Microsoft (R) Build Engine version 16.7.0-preview-20220-01+80e487bff for .NET Core
Copyright (C) Microsoft Corporation. All rights reserved.
Determining projects to restore...
Restored /home/omajid/temp/HelloWorld/HelloWorld.csproj (in 16.86 sec).
You are using a preview version of .NET. See: https://aka.ms/dotnet-core-preview
HelloWorld -> /home/omajid/temp/HelloWorld/bin/Release/net5.0/ubuntu-x64/HelloWorld.dll
HelloWorld -> /home/omajid/temp/HelloWorld/bin/Release/net5.0/ubuntu-x64/publish/
Aside: you should use the linux-x64 runtime id rather than ubuntu-x64. linux-x64 is compatible with Ubuntu, but also many other distributions too.
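The failure mode discussed above (a typographic dash pasted into a command line, which MSBuild then reads as a project name) can be caught before the build runs. The following is an added example, not code from the original posts; the function name `Find-TypographicDash` is hypothetical, and the sample line is the command from the question rebuilt with an explicit code point.

```powershell
# Added example: flag Unicode dash look-alikes where a command-line switch starts.
function Find-TypographicDash {
    param([string[]]$Lines)
    # En dash, em dash, horizontal bar, minus sign at the start of an argument
    # (start of line or after whitespace) and directly followed by a word character.
    $pattern = '(?<=^|\s)[\u2013\u2014\u2015\u2212]+(?=\w)'
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        $line = $Lines[$i]
        foreach ($m in [regex]::Matches($line, $pattern)) {
            [pscustomobject]@{
                Line      = $i + 1
                Column    = $m.Index + 1
                CodePoint = 'U+{0:X4}' -f [int][char]$m.Value[0]
                # Same line with every look-alike switch prefix replaced by ASCII hyphens.
                Suggested = [regex]::Replace($line, $pattern, { param($x) '-' * $x.Length })
            }
        }
    }
}

# Sample input: the failing command from the question. The dash is built from its
# code point so the script does not depend on the file's encoding.
$sample = @(
    'dotnet publish -c Release'
    "dotnet publish -c Release $([char]0x2013)r ubuntu-x64 --self-contained true"
)
Find-TypographicDash -Lines $sample | Format-List
```

Run against build scripts or CI YAML with `Find-TypographicDash (Get-Content .\build.ps1)`; any output object means a switch will not be parsed as intended.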
I'm using GitLab CE as our source control system. It's on prem but updated to the latest version.
I have a Runner configured to build .net projects.
I have a .NET Core project that I want to build. The problem I'm having is loading the .NET build environment. I'm trying to run this to establish the environment:
- 'cmd /K "C:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\Common7\Tools\VsMSBuildCmd.bat"'
This executes correctly to the point that I get this output:
$ cmd /K "C:\Program Files ^(x86^)\Microsoft Visual Studio\2017\BuildTools\Common7\Tools\VsMSBuildCmd.bat"
**********************************************************************
** Visual Studio 2017 MSBuild Command Prompt
** Copyright (c) 2017 Microsoft Corporation
**********************************************************************
C:\GitLab-Runner\builds\352e1762\0\online\WebApp>$ nuget restore src/Online-WebApp.sln
MSBuild auto-detection: using msbuild version '15.5.179.9764' from 'C:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\MSBuild\15.0\bin'.
...rest removed...
The problem is that when it gets to the job step in the YAML, the msbuild command is reported as not recognized.
Here's the full YAML.
Note that manually setting the PATH worked to find msbuild....
variables:
  DATABASE_URL: "example=not-real" #just to show this is an option; https://docs.gitlab.com/ce/ci/variables/README.html
stages:
  - build
before_script:
  #- 'PATH=%PATH%;C:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\MSBuild\15.0\Bin'
  #- 'cmd /K "C:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\Common7\Tools\VsDevCmd.bat"'
  #- 'cmd /K "C:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\Common7\Tools\LaunchDevCmd.bat"'
  - 'cmd /K "C:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\Common7\Tools\VsMSBuildCmd.bat"'
  - 'nuget restore src/Online-WebApp.sln'
# What is important, is that each job is run independently from each other. "build" is a job.
build:
  stage: build
  script:
    - 'msbuild src/Online-WebApp.sln /t:Clean,ReBuild /p:Configuration=Release;Platform="Any CPU"'
    - 'dotnet pack src/Online-WebApp/Online-WebApp.csproj -c Release -v d --output nupkgs --no-build'
  only:
    - master
Does anyone know how to run an EF Core command on a server with VS 2017?
I have SDK 2.0.3 installed on the server.
I ran this command from source code folder:
dotnet exec --depsfile auth.deps.json --runtimeconfig auth.runtimeconfig.json ef.dll migrations list --assembly auth.dll
and got this error:
No project was found. Change the current working directory or use the
--project option.
Try this:
Copy these files:
ef.dll
ef.runtimeconfig.json
From:
C:\Program Files\dotnet\sdk\NuGetFallbackFolder\microsoft.entityframeworkcore.tools.dotnet\2.0.0\tools\netcoreapp2.0
to your source files, open a command prompt in admin mode, point to your source file folder and run your command again.
I have this .bat file which scans one of my applications at work.
I'm comparing two ways I've generated the .fpr file:
Using Scan Wizard
Using the HP Fortify Plugin for Visual Studio.
What is happening is that when the .fpr file is generated by Scan Wizard's .bat file, it seems to completely ignore all my .aspx, .aspx.cs and .cs files inside the application.
My app is an old Web Forms app, which, in order to publish it, requires us to select the precompiled option in Visual Studio.
I've already tried Eric's solution in the post.
HP Fortify scans get ASP Pre-Compilation error
But still nothing.
I've already tried to generate the bat file before and after the publish, but both returned the same number of vulnerabilities. Something around 15.
After the publish it generates DLLs for all pages though, which means that theoretically it should detect all the application code.
On the other hand, when I generated the .fpr file through the Visual Studio plugin, it returned about 600 vulnerabilities.
My real problem is that we need to run the .bat file, not Visual Studio, because we have a continuous integration process in which we build the app, run code analysis and then HP Fortify to complete the process, so I need the number of vulnerabilities returned when running the plugin to be the same as when I run the .bat file.
Any help would be very appreciated.
Thank you for your time !
There are several different options you can do.
1) Have Visual Studio installed on the CI machine with the Fortify Plugin installed. Here is a sample batch file that I used to scan WebGoat.Net using Visual Studio
sourceanalyzer -b test -clean
sourceanalyzer -b test -Xmx6G -verbose -debug -logfile vs_translate.txt "C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\devenv.exe" NewWebForms.sln /REBUILD Debug
sourceanalyzer -b test -show-files > vs_files.txt
sourceanalyzer -b test -show-build-warnings > vs_warnings.txt
sourceanalyzer -b test -verbose -debug -logfile vs_scanlog.txt -scan -f vs_scan.fpr
fprutility -information -categoryIssueCounts -project vs_scan.fpr
2) With the latest version of Fortify (16.20) you can scan .Net code directly. Here is the batch file I created to scan WebGoat.Net
sourceanalyzer -b test -clean
sourceanalyzer -b test -dotnet-version 4.5.2 -cs-extern-alias "global=C:\Samples\NewWebForms\packages\Microsoft.AspNet.Identity.EntityFramework.2.2.1\lib\net45\Microsoft.AspNet.Identity.EntityFramework.dll;global=C:\Samples\NewWebForms\packages\Microsoft.AspNet.Identity.Core.2.2.1\lib\net45\Microsoft.AspNet.Identity.Core.dll;global=C:\Samples\NewWebForms\packages\Microsoft.AspNet.Identity.Owin.2.2.1\lib\net45\Microsoft.AspNet.Identity.Owin.dll;global=C:\Samples\NewWebForms\packages\Microsoft.Owin.3.0.1\lib\net45\Microsoft.Owin.dll" -dotnetwebroot NewWebForms\ -libdirs packages\**/*.dll;NewWebForms\bin\*.dll NewWebForms\**/*
sourceanalyzer -b test -show-files > cmd_files.txt
sourceanalyzer -b test -show-build-warnings > cmd_warnings.txt
sourceanalyzer -b test -Xmx6G -verbose -debug -logfile cmd_scanlog.txt -scan -f cmd_scan.fpr
fprutility -information -categoryIssueCounts -project cmd_scan.fpr
3) If you want, you can also scan the compiled .dll's of your project. Here is what I did to scan WebGoat.Net
sourceanalyzer -b test -Xmx8G -vsversion 14.0
#excludelist.txt
-Dcom.fortify.sca.SourceFiles=WebGoat.NET\WebGoat
-libdirs WebGoat.NET\WebGoat\bin WebGoat.NET\**/*.dll
WebGoat.NET/**/*
For a more detailed look at this, take a look at my answer over at Fortify to scan 3rd party dll's
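The gap described in the question (about 15 findings from the batch file against about 600 from the plugin) comes from what was translated, and the `-show-files` step in the batch files above exposes that. The following is an added example, not code from the original posts, that turns that output into a build gate; the function name `Get-TranslatedFileSummary` is hypothetical, the sample paths are constructed, and it assumes `-show-files` prints one file path per line. The same check applies to the msbuild-less translation shown earlier on this page.

```powershell
# Added example: check which file types sourceanalyzer actually translated.
# Assumption: "sourceanalyzer -b <id> -show-files" prints one path per line.
function Get-TranslatedFileSummary {
    param(
        [string[]]$ShowFilesLines,
        [string[]]$RequiredExtensions = @('.cs', '.aspx')
    )
    $counts = @{}
    foreach ($line in $ShowFilesLines) {
        $p = $line.Trim()
        if (-not $p) { continue }
        # Take the extension with a regex so odd characters in a path cannot throw.
        $ext = if ($p -match '\.[^.\\/]+$') { $Matches[0].ToLowerInvariant() } else { '(none)' }
        $counts[$ext] = 1 + [int]$counts[$ext]
    }
    # Required extensions with no translated file at all.
    $missing = @($RequiredExtensions |
        Where-Object { -not $counts.ContainsKey($_.ToLowerInvariant()) })
    [pscustomobject]@{
        Counts  = $counts
        Missing = $missing
        Ok      = ($missing.Count -eq 0)
    }
}

# Constructed sample: a translation that picked up markup and config but no C#.
$sample = @(
    'C:\Samples\NewWebForms\Web.config'
    'C:\Samples\NewWebForms\Scripts\site.js'
    'C:\Samples\NewWebForms\Default.aspx'
)
$r = Get-TranslatedFileSummary -ShowFilesLines $sample
$r.Counts.GetEnumerator() | Sort-Object Name |
    ForEach-Object { '{0,-10} {1}' -f $_.Name, $_.Value }
if (-not $r.Ok) {
    Write-Warning ('No translated files for: ' + ($r.Missing -join ', '))
}

# In a build step, feed it the real output and fail before scanning:
#   $r = Get-TranslatedFileSummary (sourceanalyzer -b $BuildIdName -show-files)
#   if (-not $r.Ok) { exit 1 }
```

A scan that passes with few findings because the source was never translated looks the same in the build log as a clean scan, so the gate belongs between the translation and `-scan` steps.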
Assuming this folder structure
SampleApp
global.json
Src
Web
project.json
Startup.cs
...
Model
project.json
Startup.cs
...
how does one compile both projects using dotnet? (from command line, not in visual studio)
If you run dotnet build at the root folder level you get
Could not find file .. project.json
I can see there is this outstanding enhancement on the CLI repo but that is from Feb2.
Any script would have to take dependencies into account before just blindly calling dotnet on all src sub-folders.
The dotnet build command accepts glob patterns. So you can do this:
dotnet build Src/**/project.json
There's no such tool yet. Even KoreBuild, the tool that the ASP.NET team uses, goes blindly in each folder and invokes dotnet build/pack.
The nice thing is that dotnet build is now smart enough to not recompile the dependencies if they haven't changed, so that's not a problem anymore.
For linux I'm using:
for p in $(find . -name '*.csproj'); do dotnet build "$p"; done
I had a similar requirement. This is my workaround:
@echo off
rem Restore and build every project in the immediate subdirectories.
for /D %%d in (*) do (
    cd %%d
    cd
    dotnet restore
    dotnet build
    cd ..
)
exit /b
Use GNU Make. I use it to build my projects. All you have to do is create a Makefile in your project root folder. You can nest Makefiles in directories and have a top-level Makefile that runs the subdirectories. Then you set up Makefiles for each of your "sub-project" folders and run any command-line tool. With dotnet core it is dotnet.
Wait... GNU - "GNU is not Unix", that's a Unix/Linux application... I run Windows. Well, the good news is you can do this in Windows. I'm using make.exe through my git-bash installation (Git for Windows). You will have to go find the cygwin port of make (Google: "make for git-bash"). Then install it to your bin directory under the cygwin folder. You could also just install cygwin if you really wanted to.
The nice thing about using GNU Make is that it is universal. Since dotnet core is platform agnostic, every environment (Mac/FreeBSD/Linux) most likely has "make" already installed. Adding it to your Windows machine and projects makes a lot of sense to me, since your project can now be built by everyone the same way.
Some of my projects need to build Docker containers with Dockerfiles, or snap packages, deploy to test, etc. Make (pardon the pun) makes it easy.
Here is a sample of a simple project's Makefile. Running 'make' by itself is like saying 'make all'. You could set up a command like 'cd ./subdir; make' as one of your .PHONY directives. (Google: "Makefile documentation")
project_drive?=/c/prj
nuget_repo_name?=Local_Nuget_Packages
local_nuget_dir?=$(project_drive)/$(nuget_repo_name)
# Expanded by the shell inside the recipes that use it.
RELEASE_VERSION:= `grep "<Version>" *.csproj | cut -d '>' -f 2 | cut -d '<' -f 1`
.PHONY: clean release test doc nuget install debug_nuget debug_install
all: doc MSBuild
test:
	./test.sh
MSBuild:
	dotnet build
clean:
	dotnet clean; dotnet restore
release:
	dotnet build -c Release
doc:
	doxygen ./Doxyfile.config
nuget: release
	dotnet pack -c Release
install:
	cp ./bin/Release/*.$(RELEASE_VERSION).nupkg $(local_nuget_dir)
debug_nuget: MSBuild
	dotnet pack
debug_install:
	cp ./bin/debug/*.$(RELEASE_VERSION).nupkg $(local_nuget_dir)
What's missing is that you can also use the commands on project.sln files if you do not have project.json:
dotnet build src/**/project.json
-- or --
dotnet build src/project.sln
The same goes for dotnet test.