CodeSonar Analysis in a GitLab Pipeline on Linux with Docker: Modifications for CodeSonar 7.2 and Earlier

The main Linux+Docker instructions are designed for use with CodeSonar 7.3 or later. CodeSonar 7.3 adds the codesonar analyze -remote-archive option, which allows for a more streamlined pipeline setup. This page contains modifications for users of CodeSonar 7.2 and earlier, and is designed to be followed alongside the main Linux+Docker instructions.

If one of the following applies, you do not need the modifications in this document and can follow the main Linux+Docker instructions directly.

The following instructions are for Linux Containers using Docker.

Prerequisites

No change.

Overview

A. Prepare an example project (zlib)

No change.

B. Create and install an analysis data server

Follow the instructions to create a relocating analysis data server.

C. Create and install a pipeline build runner

No change.

D. Create a basic pipeline that can build your code

No change.

E. Install CodeSonar and integration tools in CI builder environment

No change.

F. Update the pipeline job definition to perform CodeSonar analysis

One step is different:

Replacement Step 3: Configure your CI/CD pipeline to use CodeSonar (CodeSonar 7.2 and earlier)

Modify your .gitlab-ci.yml file to add a codesonar-sast job, using the example below as a template. (Note that some GitLab features will assume that your "SAST scanning" job name is suffixed with "-sast".)

This example makes use of many environment variables.

For more information see: https://docs.gitlab.com/ee/ci/variables/.

Make the following changes to the example.

For full details of the codesonar analyze command, see the CodeSonar manual: Using CodeSonar > Building and Analyzing Projects > Command Line Build/Analysis

workflow:
  rules:
    - if: $CI_MERGE_REQUEST_IID
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

stages:
  - build
  - test
  - publish_analysis

build:
  stage: build
  tags:
    - Linux
    - Docker
  image: $CI_REGISTRY_IMAGE:latest
  script:
    - ./configure
    - make all

codesonar-sast:
  stage: test
  tags:
    - Linux
    - Docker
  image: $CI_REGISTRY_IMAGE/codesonar:latest
  variables:
    SARIF2SAST: "/opt/codesonar-sarif2sast"
    CODESONAR: "/opt/codesonar/codesonar/bin/codesonar"
    CSPYTHON: "/opt/codesonar/codesonar/bin/cspython"
    CODESONAR_PROJECT_NAME: "$CI_PROJECT_NAME"
    CI_SERVER_CAFILE: "gitlab.root.cacert"
  script:
    - ./configure
    - >
        $CODESONAR analyze
        "${CODESONAR_PROJECT_NAME}"
        -foreground
        -auth certificate -hubcert "${CODESONAR_HUB_USER_CERT_FILE}" -hubkey "${CODESONAR_HUB_USER_KEY_FILE}"
        -name "gitlab-ci ref=${CI_COMMIT_REF_NAME} update=${CI_MERGE_REQUEST_IID} job=${CI_PIPELINE_ID}.${CI_JOB_ID} commit=${CI_COMMIT_SHORT_SHA}"
        "${CODESONAR_HUB_URL}"
        make all
        |& tee analysis.log
    - >
        tar -czf analysis_data.tar.gz
        "${CODESONAR_PROJECT_NAME}.prj_files"
        "${CODESONAR_PROJECT_NAME}.prj"
        "${CODESONAR_PROJECT_NAME}.conf"
    - CODESONAR_ANALYSIS_ID=$($CSPYTHON $SARIF2SAST/analysis_id.py "${CODESONAR_PROJECT_NAME}")
    - >
        $CODESONAR get
        -auth password
        -hubuser "${CODESONAR_HUBUSER}"
        -hubpwfile ${CODESONAR_HUBPWFILE}
        -o allwarnings.sarif
        "${CODESONAR_HUB_URL}/analysis/${CODESONAR_ANALYSIS_ID}-allwarnings.sarif?filter=\"${CODESONAR_VISIBILITY_FILTER}\""
    - >
        $CSPYTHON $SARIF2SAST/sarif2sast.py
        --sarif allwarnings.sarif
        --output gl-sast-report.json
        --summary-report sast-summary-report.md
        --codesonar-url "${CODESONAR_HUB_URL}"
        --analysis-id ${CODESONAR_ANALYSIS_ID}
        --max ${CODESONAR_MAX_WARNINGS}
        --threshold ${CODESONAR_WARNING_THRESHOLD}
  after_script:
    - >
        $CSPYTHON $SARIF2SAST/upload_gitlab_mr_notes.py
        --api-token-variable GITLAB_TOKEN
        --report sast-summary-report.md
        --cafile "${CI_SERVER_CAFILE}"
  artifacts:
    reports:
      sast: gl-sast-report.json
    expire_in: 1 day
    paths:
      - analysis_data.tar.gz

codesonar-relocate:
  stage: publish_analysis
  needs:
    - job: codesonar-sast
      artifacts: true
  tags:
    - codesonar_analysis_server
  variables:
    CODESONAR: "/opt/codesonar/codesonar/bin/codesonar"
    TARGETDIR: /srv/codesonar/analysis_data/pipelines/${CI_PIPELINE_ID}
    CSONAR_HUB_URL: "${CODESONAR_HUB_URL}"
    CODESONAR_PROJECT_NAME: "${CI_PROJECT_NAME}"
  script:
    - mkdir -p "${TARGETDIR}"
    - tar -C "${TARGETDIR}" -xzf analysis_data.tar.gz
    # Current directory is a temporary runner build directory,
    #  change to a more permanent location
    #  to avoid launchd errors if the build directory gets removed:
    - >
        cd "${TARGETDIR}"
        && $CODESONAR relocate
        -auth password
        -hubuser "${CODESONAR_HUBUSER}"
        -hubpwfile "${CODESONAR_HUBPWFILE}"
        "${TARGETDIR}/${CODESONAR_PROJECT_NAME}"
        "${CSONAR_HUB_URL}"