(Windows only) Configuring Sensors to Offload Translation for .NET Languages
If you plan to use your ScanCentral SAST sensors for remote translation of code written in a .NET language, make sure that the following requirements are met.
- MSBuild (See supported versions of MSBuild in the Micro Focus Fortify System Requirements document.)
- NuGet (optional)
- .NET Framework, .NET Core, or .NET Standard, depending on project configuration
- Windows operating system
ScanCentral SAST sensor machine requirements:
- .NET Framework supported for Fortify Static Code Analyzer
Note: The .NET Framework version installed on a sensor machine must be the same as or later than the version that the project to be translated requires. This means, for example, that you cannot run a translation of a project that uses .NET Framework 4.8 on a sensor that has .NET Framework 4.7.2 installed.
- Windows operating system
Tip: For information about specific version requirements, see the Micro Focus Fortify Software System Requirements document.
Remote translation and scanning for .NET projects has been supported since (CloudScan) version 19.2.0. ScanCentral SAST supports the same MSBuild versions as Fortify Static Code Analyzer. (.NET packaging and scanning work only on Windows systems.)
The requirements for using this feature are as follows:
- Configure at least one sensor with the software required to support .NET capability.
- Clients must have the software required to build and pack .NET projects installed.
Enabling .NET Translation Capability on Sensors
To enable remote translation of .NET, do the following:
- Install the .NET Framework version that Fortify Static Code Analyzer supports. (See the Micro Focus Fortify Software System Requirements document.)
After you start a ScanCentral SAST sensor, it automatically detects the installed .NET Framework version and displays a message that .NET capability is enabled for that version. This indicates that the sensor can now translate .NET projects built with the same or an earlier .NET Framework version. The rule does not apply to .NET Core or .NET Standard projects, because any .NET Framework version can scan this kind of project.
Remote translation of .NET is disabled if:
- .NET Framework is not installed on the sensor.
- A .NET Framework version earlier than the supported version (for Fortify Static Code Analyzer) is installed on the sensor.
Important! To avoid Windows errors caused by too long a path during .NET translation, Fortify strongly recommends that you start ScanCentral SAST sensors from a folder with a short name and path. For more information, see https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file.
Excluding .NET Projects from Analysis
To exclude a .NET project from ScanCentral SAST analysis, you must create a build configuration to exclude the project, and then specify the build configuration in the --build-command option.
Example: The <solution_name.sln> MSBuild solution includes two projects: ProjectA and ProjectB. The <build_config> file was created in Visual Studio to exclude ProjectB from builds.
To exclude ProjectB from ScanCentral SAST translation and scanning, run the following:
cd <solution_dir>
scancentral package -bt msbuild -bf <solution_name.sln> -bc "/t:Rebuild /p:Configuration=<build_config>" -o <package_name>.zip
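Because a project excluded this way is never translated or scanned, it is worth reviewing exactly which projects a configuration leaves out before you package. The following is an added example, not part of the Fortify documentation or tooling: it reads a Visual Studio .sln file and lists the projects that have no Build.0 entry for a given solution configuration. The sample solution text, its GUIDs, the ScanNoB configuration name, and the default "Any CPU" platform are constructed assumptions.

```python
import re

# Constructed sample .sln (project GUIDs and the "ScanNoB" configuration are made up).
# Visual Studio drops a project's ".Build.0" line when "Build" is unchecked
# for that solution configuration in Configuration Manager.
SAMPLE_SLN = r'''
Microsoft Visual Studio Solution File, Format Version 12.00
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "ProjectA", "ProjectA\ProjectA.csproj", "{11111111-1111-1111-1111-111111111111}"
EndProject
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "ProjectB", "ProjectB\ProjectB.csproj", "{22222222-2222-2222-2222-222222222222}"
EndProject
Global
    GlobalSection(ProjectConfigurationPlatforms) = postSolution
        {11111111-1111-1111-1111-111111111111}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
        {11111111-1111-1111-1111-111111111111}.Debug|Any CPU.Build.0 = Debug|Any CPU
        {22222222-2222-2222-2222-222222222222}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
        {22222222-2222-2222-2222-222222222222}.Debug|Any CPU.Build.0 = Debug|Any CPU
        {11111111-1111-1111-1111-111111111111}.ScanNoB|Any CPU.ActiveCfg = Release|Any CPU
        {11111111-1111-1111-1111-111111111111}.ScanNoB|Any CPU.Build.0 = Release|Any CPU
        {22222222-2222-2222-2222-222222222222}.ScanNoB|Any CPU.ActiveCfg = Release|Any CPU
    EndGlobalSection
EndGlobal
'''

PROJECT_RE = re.compile(
    r'^Project\("\{[^}]+\}"\)\s*=\s*"([^"]+)",\s*"([^"]+)",\s*"(\{[^}]+\})"', re.M)
ENTRY_RE = re.compile(
    r'^[ \t]*(\{[^}]+\})\.([^|\r\n]+)\|([^.\r\n]+)\.(ActiveCfg|Build\.0)[ \t]*=', re.M)

def build_membership(sln_text, config, platform="Any CPU"):
    """Return (built, excluded) project names for one solution configuration."""
    # Solution folders also appear as Project(...) entries; keep real project files only.
    projects = {guid.upper(): name
                for name, path, guid in PROJECT_RE.findall(sln_text)
                if path.lower().endswith("proj")}
    want = (config.lower(), platform.lower())
    built = {guid.upper()
             for guid, cfg, plat, kind in ENTRY_RE.findall(sln_text)
             if kind == "Build.0" and (cfg.lower(), plat.lower()) == want}
    built_names = sorted(n for g, n in projects.items() if g in built)
    excluded_names = sorted(n for g, n in projects.items() if g not in built)
    return built_names, excluded_names

if __name__ == "__main__":
    built, excluded = build_membership(SAMPLE_SLN, "ScanNoB")
    print("built under ScanNoB:", built)
    print("excluded from build:", excluded)
```

Running the same check in CI against the configuration named in the build command makes an unexpected addition to the excluded list visible before it becomes a gap in scan coverage.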