CodeSonar Analysis in a GitLab Pipeline on Linux: Modifications for CodeSonar 7.2 and Earlier
The main Linux instructions are designed for use with CodeSonar 7.3 or later. CodeSonar 7.3 adds the codesonar analyze -remote-archive option, which allows for a more streamlined pipeline setup.
This page contains modifications for users of CodeSonar 7.2 and earlier, and is designed to be followed alongside the main Linux instructions.
If one of the following applies, you do not need the modifications in this document and can follow the main Linux instructions directly.
- You are using CodeSonar 7.3 or later.
- You are using CodeSonar 7.2 or earlier and your hub has one or more associated remote analysis launch daemons that you can use to perform remote-managed analyses (with codesonar analyze -remote).
The following instructions are for Linux, but should be adaptable to some other POSIX operating systems.
Prerequisites
No change.
Overview
- A. Prepare an example project (zlib)
- B. Create and install an analysis data server
- C. Create and install a pipeline build runner
- D. Create a basic pipeline that can build your code
- E. Install CodeSonar and integration tools in CI builder environment
- F. Update the pipeline job definition to perform CodeSonar analysis
A. Prepare an example project (zlib)
No change.
B. Create and install an analysis data server
Follow the instructions to create a relocating analysis data server.
C. Create and install a pipeline build runner
No change.
D. Create a basic pipeline that can build your code
No change.
E. Install CodeSonar and integration tools in CI builder environment
No change.
F. Update the pipeline job definition to perform CodeSonar analysis
One step is different:
Replacement Step 3: Configure your CI/CD pipeline to use CodeSonar (CodeSonar 7.2 and earlier)
Modify your .gitlab-ci.yml file to add a codesonar-sast job, using the example below as a template.
(Note that some GitLab features will assume that your "SAST scanning" job name is suffixed with "-sast".)
This example makes use of many environment variables.
- Some of the variables are predefined by GitLab.
- Other variables are defined in the pipeline definition itself.
- Still others are defined in your GitLab project settings as custom "CI/CD Variables" (a full list is provided in the next step).
For more information see: https://docs.gitlab.com/ee/ci/variables/.
Make the following changes to the example.
- Ensure that the tags for each job match the runner that the job requires.
- Update the SARIF2SAST, CODESONAR, and CSPYTHON variables so that they refer to the correct locations.
- Update the CI_SERVER_CAFILE variable if necessary so that it refers to your GitLab server's HTTPS root authority certificate file.
- Update the TARGETDIR variable in the codesonar-relocate job if necessary so that it refers to the correct analysis data root directory ($CODESONAR_ANALYSIS_DATA) as defined when you configured your analysis data server.
- Be sure to add the test and publish_analysis items under the stages section of the YAML file.
- To provide a different name for your analysis, modify the -name value.
- For password-based authentication, replace each occurrence of -auth certificate -hubcert "${CODESONAR_HUB_USER_CERT_FILE}" -hubkey "${CODESONAR_HUB_USER_KEY_FILE}" with -auth password -hubuser "${CODESONAR_HUBUSER}" -hubpwfile "${CODESONAR_HUBPWFILE}" (note that there are multiple occurrences: the analyze, get, and relocate commands each carry one).
For full details of the codesonar analyze command, see the CodeSonar manual: Using CodeSonar > Building and Analyzing Projects > Command Line Build/Analysis.
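The template below hard-codes certificate authentication, and the password-based variant above replaces those arguments by hand in three places. The following POSIX sh helper is an added example, not part of the CodeSonar GitLab integration or its template: it reads the same variables the template uses (CODESONAR_HUB_USER_CERT_FILE, CODESONAR_HUB_USER_KEY_FILE, CODESONAR_HUBUSER, CODESONAR_HUBPWFILE), reports which authentication mode the job will use, and fails early with a clear message when the credential files are missing or when the password file is readable by group or others. The function names, the preference for certificates when both kinds are configured, and the permission rule for the password file are assumptions made for this example.

```shell
#!/bin/sh
# Added example; not part of the CodeSonar GitLab integration or its template.
# Checks the hub credentials a codesonar-sast job will use before any
# "codesonar analyze" run starts, so a misconfiguration fails the job at once
# with a readable message instead of halfway through the build.
# Function names and the "owner-only readable password file" rule are
# assumptions for this example.

# owner_only_readable FILE
# Succeeds if FILE has neither the group nor the other read bit set.
# find prints the path only when one of those bits is present.
owner_only_readable() {
    [ -z "$(find "$1" -prune \( -perm -g+r -o -perm -o+r \) -print 2>/dev/null)" ]
}

# codesonar_auth_mode
# Prints "certificate" or "password" and returns 0 when the matching
# credentials are usable; otherwise prints the reason on stderr and returns 1.
# Certificate authentication wins when both kinds of variables are set,
# matching the template's default.
codesonar_auth_mode() {
    if [ -n "${CODESONAR_HUB_USER_CERT_FILE:-}" ] && [ -n "${CODESONAR_HUB_USER_KEY_FILE:-}" ]; then
        for f in "${CODESONAR_HUB_USER_CERT_FILE}" "${CODESONAR_HUB_USER_KEY_FILE}"; do
            if [ ! -r "$f" ]; then
                echo "certificate authentication: cannot read $f" >&2
                return 1
            fi
        done
        echo certificate
        return 0
    fi
    if [ -n "${CODESONAR_HUBUSER:-}" ] && [ -n "${CODESONAR_HUBPWFILE:-}" ]; then
        if [ ! -r "${CODESONAR_HUBPWFILE}" ]; then
            echo "password authentication: cannot read ${CODESONAR_HUBPWFILE}" >&2
            return 1
        fi
        if ! owner_only_readable "${CODESONAR_HUBPWFILE}"; then
            echo "password authentication: ${CODESONAR_HUBPWFILE} is readable by group or others (chmod 600 it)" >&2
            return 1
        fi
        echo password
        return 0
    fi
    echo "no CodeSonar hub credentials configured: set CODESONAR_HUB_USER_CERT_FILE and CODESONAR_HUB_USER_KEY_FILE, or CODESONAR_HUBUSER and CODESONAR_HUBPWFILE" >&2
    return 1
}
```

In a job's script: section the helper can be sourced from the repository and called once, for example `AUTH_MODE=$(codesonar_auth_mode)` as the first step, after which a case statement on "$AUTH_MODE" selects either the -auth certificate or the -auth password argument set for the analyze, get, and relocate commands; the job then fails at that first step rather than after the full build if the credentials are not usable.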
workflow:
  rules:
    - if: $CI_MERGE_REQUEST_IID
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

stages:
  - build
  - test
  - publish_analysis

build:
  stage: build
  tags:
    - Linux
    - GCC
  script:
    - ./configure
    - make all

codesonar-sast:
  stage: test
  tags:
    - Linux
    - GCC
    - CodeSonar
  variables:
    SARIF2SAST: "/opt/codesonar-gitlab-integration/distro-image/codesonar-sarif2sast"
    CODESONAR: "/opt/codesonar/codesonar/bin/codesonar"
    CSPYTHON: "/opt/codesonar/codesonar/bin/cspython"
    CODESONAR_PROJECT_NAME: ${CI_PROJECT_NAME}
    CI_SERVER_CAFILE: "gitlab.root.cacert"
  script:
    - ./configure
    - >
      $CODESONAR analyze
      "${CODESONAR_PROJECT_NAME}"
      -foreground
      -auth certificate -hubcert "${CODESONAR_HUB_USER_CERT_FILE}" -hubkey "${CODESONAR_HUB_USER_KEY_FILE}"
      -name "gitlab-ci ref=${CI_COMMIT_REF_NAME} update=${CI_MERGE_REQUEST_IID} job=${CI_PIPELINE_ID}.${CI_JOB_ID} commit=${CI_COMMIT_SHORT_SHA}"
      "${CODESONAR_HUB_URL}"
      make all
      |& tee analysis.log
    - >
      tar -czf analysis_data.tar.gz
      "${CODESONAR_PROJECT_NAME}.prj_files"
      "${CODESONAR_PROJECT_NAME}.prj"
      "${CODESONAR_PROJECT_NAME}.conf"
    - CODESONAR_ANALYSIS_ID=$($CSPYTHON $SARIF2SAST/analysis_id.py "${CODESONAR_PROJECT_NAME}")
    - >
      $CODESONAR get
      -auth certificate -hubcert "${CODESONAR_HUB_USER_CERT_FILE}" -hubkey "${CODESONAR_HUB_USER_KEY_FILE}"
      -o allwarnings.sarif
      "${CODESONAR_HUB_URL}/analysis/${CODESONAR_ANALYSIS_ID}-allwarnings.sarif?filter=\"${CODESONAR_VISIBILITY_FILTER}\""
    - >
      $CSPYTHON $SARIF2SAST/sarif2sast.py
      --sarif allwarnings.sarif
      --output gl-sast-report.json
      --summary-report sast-summary-report.md
      --codesonar-url "${CODESONAR_HUB_URL}"
      --analysis-id ${CODESONAR_ANALYSIS_ID}
      --max ${CODESONAR_MAX_WARNINGS}
      --threshold ${CODESONAR_WARNING_THRESHOLD}
  after_script:
    - >
      $CSPYTHON $SARIF2SAST/upload_gitlab_mr_notes.py
      --api-token-variable GITLAB_TOKEN
      --report sast-summary-report.md
      --cafile "${CI_SERVER_CAFILE}"
  artifacts:
    reports:
      sast: gl-sast-report.json
    expire_in: 1 day
    paths:
      - analysis_data.tar.gz

codesonar-relocate:
  stage: publish_analysis
  needs:
    - job: codesonar-sast
      artifacts: true
  tags:
    - codesonar_analysis_server
  variables:
    CODESONAR: /opt/codesonar/codesonar/bin/codesonar
    TARGETDIR: /srv/codesonar/analysis_data/pipelines/${CI_PIPELINE_ID}
    CSONAR_HUB_URL: "${CODESONAR_HUB_URL}"
    CODESONAR_PROJECT_NAME: "${CI_PROJECT_NAME}"
  script:
    - mkdir -p "${TARGETDIR}"
    - tar -C "${TARGETDIR}" -xzf analysis_data.tar.gz
    # Current directory is a temporary runner build directory,
    # change to a more permanent location
    # to avoid launchd errors if the build directory gets removed:
    - >
      cd "${TARGETDIR}"
      && $CODESONAR relocate
      -auth certificate -hubcert "${CODESONAR_HUB_USER_CERT_FILE}" -hubkey "${CODESONAR_HUB_USER_KEY_FILE}"
      "${TARGETDIR}/${CODESONAR_PROJECT_NAME}"
      "${CSONAR_HUB_URL}"
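The codesonar-relocate job above unpacks analysis_data.tar.gz, an artifact handed over from the codesonar-sast job, straight into a long-lived directory on the analysis data server. The following POSIX sh helper is an added example, not part of the CodeSonar GitLab integration or its template: it lists the archive before extraction and accepts only the three items the codesonar-sast job packed (PROJECT.prj_files, PROJECT.prj and PROJECT.conf), rejecting absolute paths, ".." components and any stray file, and only then runs the same mkdir/tar extraction the job uses. The function names, the sample project name "zlib" and the sample archive contents are constructed for this example.

```shell
#!/bin/sh
# Added example; not part of the CodeSonar GitLab integration or its template.
# Validates the analysis data archive produced by the codesonar-sast job
# before the relocate job extracts it into TARGETDIR, so that a tampered or
# mislabelled artifact cannot place files outside the expected project items.
# Function names and the constructed sample data are assumptions for this example.

# check_analysis_archive ARCHIVE PROJECT
# Returns 0 if every entry in ARCHIVE is PROJECT.prj, PROJECT.conf, or inside
# PROJECT.prj_files/, with no absolute path or ".." component; otherwise prints
# the first offending entry on stderr and returns 1.
check_analysis_archive() {
    archive="$1"
    project="$2"
    listing=$(tar -tzf "$archive") || return 1
    # Read the listing through a here-document rather than a pipe so that
    # "return" leaves the function in every POSIX shell.
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        case "$entry" in
            /*|..|../*|*/..|*/../*)
                echo "refusing path traversal in $archive: $entry" >&2
                return 1 ;;
            "$project.prj"|"$project.conf"|"$project.prj_files"|"$project.prj_files/"*)
                ;;
            *)
                echo "unexpected entry in $archive: $entry" >&2
                return 1 ;;
        esac
    done <<EOF
$listing
EOF
    return 0
}

# extract_analysis_archive ARCHIVE PROJECT TARGETDIR
# Validates ARCHIVE, then unpacks it into TARGETDIR the way the relocate job does.
extract_analysis_archive() {
    check_analysis_archive "$1" "$2" || return 1
    mkdir -p "$3" && tar -C "$3" -xzf "$1"
}

# make_sample_archives
# Builds two constructed archives in a fresh temporary directory and prints its
# path: good.tar.gz holds exactly the expected items, bad.tar.gz adds a stray file.
make_sample_archives() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        mkdir zlib.prj_files
        echo "constructed sample" > zlib.prj_files/analysis.db
        echo "constructed sample" > zlib.prj
        echo "constructed sample" > zlib.conf
        tar -czf good.tar.gz zlib.prj_files zlib.prj zlib.conf
        echo "should not be here" > stray.txt
        tar -czf bad.tar.gz zlib.prj_files zlib.prj zlib.conf stray.txt
    ) || return 1
    echo "$dir"
}

# Demonstration on the constructed archives; the two functions above are what
# a relocate job would call with analysis_data.tar.gz and "${TARGETDIR}".
sample=$(make_sample_archives)
extract_analysis_archive "$sample/good.tar.gz" zlib "$sample/target" && echo "good.tar.gz extracted"
extract_analysis_archive "$sample/bad.tar.gz" zlib "$sample/target" || echo "bad.tar.gz rejected"
rm -rf "$sample"
```

In the relocate job the two script lines `mkdir -p "${TARGETDIR}"` and `tar -C "${TARGETDIR}" -xzf analysis_data.tar.gz` would become a single call, `extract_analysis_archive analysis_data.tar.gz "${CODESONAR_PROJECT_NAME}" "${TARGETDIR}"`, so that nothing is written under the analysis data root until the artifact has passed the check.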