
CodeSonar® 9.2p0 CONFIDENTIAL CodeSecure Inc

Including Tier 3 Components in a CodeSonar Project

CodeSonar provides full front ends for languages in tier 1 (C, C++) and tier 2 (Java, C#). All other languages are in tier 3.

This page describes how to include a component in your CodeSonar project when that component is written in a tier 3 language.

Overview

The general process for including a tier 3 component consists of the following steps.

  1. Install any required language tools, such as compilers.
    You may need to do this if you are responsible for running the CodeSonar analysis, but have not previously needed to build the component in question.
  2. Install the third-party analyzer.
    You may need to do this if you have not previously needed to run the third-party analyzer.
  3. Install the third-party SARIF converter, if needed.
    Some analysis tools do not produce SARIF output. For these tools, you may also need to install a third-party SARIF converter so that you can produce SARIF files from the tool results.
    In some cases, these tools may refer to themselves as "SARIF formatters" rather than "SARIF converters", but it is the conversion functionality that is important here.
  4. Extend the regular build to invoke the third-party analyzer (and SARIF converter, if needed).
    Make sure your normal software build accounts for running the third-party analysis tool and outputting its results in SARIF format.
  5. Extend the CodeSonar-facing build.
    In most cases, this will involve adding one or more invocations of codesonar import_sarif.py to identify the SARIF files containing the third-party analyzer results and the associated tier 3 source files.
    In a small number of cases, we provide a simpler subcommand that wraps these invocations along with other commands. For details, see Individual Languages, below.
  6. Perform the CodeSonar build/analysis, observing the entire execution of your CodeSonar-facing build.

Importing source files with codesonar import_sarif.py

For any tier 3 language (that is, any language other than C, C++, Java, C#), we must ensure that the source files are imported into the CodeSonar project. If the source files are not imported, the analysis will not be able to resolve source locations specified in the SARIF and so will not be able to create corresponding CodeSonar warnings.
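Before the import step it is worth confirming that every result location in the SARIF file will resolve to a file you actually pass to codesonar import_sarif.py; results whose files are not imported are dropped without a corresponding warning. The following check is an added example and is not part of the CodeSonar manual or its tooling; the SARIF document, tool name, paths and rule IDs in it are constructed for illustration.

```python
import json

# Constructed SARIF 2.1.0 document standing in for a third-party analyzer's output.
# The "SRCROOT" base and all paths are invented for this example.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-linter"}},
        "originalUriBaseIds": {"SRCROOT": {"uri": "file:///work/src/"}},
        "results": [
            {"ruleId": "W001", "level": "warning",
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "python_component.py", "uriBaseId": "SRCROOT"},
                 "region": {"startLine": 12}}}]},
            {"ruleId": "W002", "level": "error",
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "helpers/util.py", "uriBaseId": "SRCROOT"},
                 "region": {"startLine": 3}}}]},
            # A result with no location at all cannot be mapped to any source file.
            {"ruleId": "W003", "level": "note", "locations": []},
        ],
    }],
})


def _strip_file_scheme(uri):
    """Turn a file:// URI into a plain path; leave other strings unchanged."""
    return uri[len("file://"):] if uri.startswith("file://") else uri


def result_files(sarif_text):
    """Return {path: number of result locations} with uris resolved via originalUriBaseIds."""
    counts = {}
    for run in json.loads(sarif_text).get("runs", []):
        bases = {k: v.get("uri", "") for k, v in run.get("originalUriBaseIds", {}).items()}
        for res in run.get("results", []):
            for loc in res.get("locations", []):
                art = loc.get("physicalLocation", {}).get("artifactLocation")
                if not art or "uri" not in art:
                    continue
                path = _strip_file_scheme(bases.get(art.get("uriBaseId"), "") + art["uri"])
                counts[path] = counts.get(path, 0) + 1
    return counts


def unresolvable(sarif_text, imported):
    """Paths referenced by SARIF results but missing from the import set.

    Each entry corresponds to findings that CodeSonar could not turn into warnings.
    """
    imported_set = set(imported)
    return sorted(p for p in result_files(sarif_text) if p not in imported_set)
```

Run it over the real SARIF file and the list of source arguments you give import_sarif.py; an empty list from unresolvable() means every located result can be attached to an imported file.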

There are several consequences when files are directly imported with codesonar import_sarif.py.

Note

In this section (and throughout this manual), $CSONAR indicates the CodeSonar installation directory.

Language-Specific Subcommands

We provide specific codesonar subcommands, along with detailed examples, for the following languages.

Language                 CodeSonar-facing Build: add one or more invocations of...
Go                       codesonar go_scan.py
JavaScript/TypeScript    codesonar es_scan.py
Kotlin                   codesonar kotlin_scan.py
Python                   codesonar python_scan.py
Rust                     codesonar rust_scan.py

Example Makefile

An example Makefile for a mixed project is shown below.

RUST_PKG=$(SRCDIR)/rust_component
GOMODULE=$(SRCDIR)/go_component
JSTS_MODULE=$(SRCDIR)/jsts_component

.PHONY: all clean RustComponent csonar_facing csonar_C csonar_Kotlin csonar_Python csonar_Rust csonar_Go csonar_JavaScript_TypeScript

all: CComponent kotlin_component.jar $(SRCDIR)/python_component.py RustComponent GoComponent $(JSTS_MODULE)/index.js \
   $(JSTS_MODULE)/ts_file.ts

csonar_facing: csonar_C csonar_Kotlin csonar_Python csonar_Rust csonar_Go csonar_JavaScript_TypeScript

clean:
	rm *.jar
	rm GoComponent
	cd $(RUST_PKG) && cargo clean
	rm CComponent

# ########## C ##########
# Note that there is no need for a separate CodeSonar-facing target for C or C++ components:
# CodeSonar recognizes compilations and observes them directly.

CComponent: $(SRCDIR)/c_component.c
	$(CC) -o CComponent $(SRCDIR)/c_component.c

csonar_C: CComponent

# ########## Kotlin ##########

# For the sake of this example, target the JVM. The steps required to
# create a CodeSonar-facing build for Kotlin are the same regardless of
# the target platform.
kotlin_component.jar: $(SRCDIR)/kotlin_component.kt
	kotlinc "$(SRCDIR)/kotlin_component.kt" -d kotlin_component.jar

# Invoke codesonar kotlin_scan.py to analyze the Kotlin source code with detekt,
#  then import the SARIF results and the source file into the project.
csonar_Kotlin: $(SRCDIR)/kotlin_component.kt
	"$(CSONAR)"/codesonar/bin/codesonar kotlin_scan.py \
	    "$(SRCDIR)/kotlin_component.kt"

# ########## Python ##########

# Invoke codesonar python_scan.py to analyze the Python source file with Pylint,
# then import the SARIF results and the source file into the project.
csonar_Python: $(SRCDIR)/python_component.py
	"$(CSONAR)"/codesonar/bin/codesonar python_scan.py -include-sources "$(SRCDIR)/python_component.py"

# ########## Rust ##########

# The regular Rust build is managed by cargo.
# In this example the package only has one source file, main.rs.
# If there were other source files, they would be dependencies too.
RustComponent: $(RUST_PKG)/src/main.rs $(RUST_PKG)/Cargo.toml
	cargo build --manifest-path $(RUST_PKG)/Cargo.toml

# Invoke codesonar rust_scan.py to:
# - Analyze our Rust source files (in this case, $(RUST_PKG)/src/main.rs) with Clippy.
# - Convert the Clippy results to SARIF format with clippy-sarif.
# - Import the SARIF and Rust source files into the CodeSonar project.
csonar_Rust: $(RUST_PKG)/src/main.rs
	"$(CSONAR)"/codesonar/bin/codesonar rust_scan.py $(RUST_PKG)

# ########## Go ##########

GoComponent: $(GOMODULE)/go_component.go $(GOMODULE)/go.mod
	cd "$(GOMODULE)" && go build -o ../GoComponent

# Invoke codesonar go_scan.py to analyze our Go source file with Staticcheck,
# then import the SARIF results and the source file into the CodeSonar project.
csonar_Go: $(GOMODULE)/go_component.go
	"$(CSONAR)"/codesonar/bin/codesonar go_scan.py go_component.go -C "$(GOMODULE)"

# ########## JavaScript_TypeScript ##########

# Invoke codesonar es_scan.py to analyze our JavaScript and TypeScript
# source files with ESLint, then import the analysis results and source files into
# the CodeSonar project.
csonar_JavaScript_TypeScript: $(JSTS_MODULE)/index.js $(JSTS_MODULE)/ts_file.ts
	"$(CSONAR)"/codesonar/bin/codesonar es_scan.py index.js ts_file.ts -C $(JSTS_MODULE)


To report problems with this documentation, please visit https://support.codesecure.com/.