Scanning .NET projects
OpenText ScanCentral SAST MSBuild integration is available on Windows only. OpenText ScanCentral SAST dotnet integration is available on Windows and Linux.
To translate and scan .NET projects, the client machine must have the software required to build and package .NET projects installed:
MSBuild or dotnet (for supported versions of MSBuild and dotnet, see the Application Security Software System Requirements document)
NuGet (optional)
.NET Framework, .NET Core, or .NET Standard as required for the project configuration
To use OpenText ScanCentral SAST MSBuild integration, the required MSBuild version must be included in the PATH environment variable. To make sure the project is built correctly, OpenText recommends that you start OpenText ScanCentral SAST from the Developer Command Prompt for Visual Studio, which sets the required .NET environment variables automatically. To use OpenText ScanCentral SAST dotnet integration, the required dotnet version must be included in the PATH environment variable.
Some projects also require that you start NuGet to restore some dependencies. If any dependencies are unresolved, the build fails and the scan results might be incomplete. For these types of projects, you must install NuGet manually on the machine and make sure it is included in the PATH environment variable. If NuGet is found, OpenText ScanCentral SAST runs it automatically.
The following are command-line examples to translate and scan a .NET project:
scancentral -sscurl <ssc_url> -ssctoken <token> start --build-tool msbuild --build-file <sln_file_or_path_to_sln_file>
scancentral -sscurl <ssc_url> -ssctoken <token> start --build-tool dotnet
The following command uses MSBuild integration on a Windows client and dotnet integration on a Linux client because no build tool option is specified:
scancentral -sscurl <ssc_url> -ssctoken <token> start --build-file <sln_file_or_path_to_sln_file>
To use the dotnet integration on a Windows client, you must include -bt dotnet.
If no build tool is specified, the OpenText ScanCentral SAST client tries to detect the build tool automatically for *.sln, *.csproj, *.vbproj, and dirs.proj.
OpenText ScanCentral SAST returns a job token that you can use to track the scan.
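The following preflight is an added example, not OpenText code. It checks that the build tool (and NuGet, when the project needs it) is on PATH before the job is submitted, so an unresolved dependency does not produce an incomplete scan. It is written for a POSIX shell; the function names and the SSC_URL and SSC_TOKEN variables are assumptions, and the scancentral options are the ones shown above.

```shell
#!/bin/sh
# Added example (not OpenText code). Function names and the SSC_URL / SSC_TOKEN
# variables are assumptions; the scancentral options are the ones on this page.

# Default when no build tool is given: MSBuild on Windows, dotnet on Linux.
default_build_tool() {
    case "${1:-$(uname -s)}" in
        MINGW*|MSYS*|CYGWIN*) echo msbuild ;;
        *)                    echo dotnet ;;
    esac
}

# Succeeds if executable $1 is found in the colon-separated path list $2.
on_path() (
    IFS=:
    for dir in $2; do
        [ -x "${dir:-.}/$1" ] && exit 0
    done
    exit 1
)

# Prints the tools missing from PATH. $1 = build tool, $2 = "yes" if the
# project restores dependencies with NuGet, $3 = path list (default: $PATH).
missing_tools() {
    missing=""
    on_path "$1" "${3:-$PATH}" || missing="$1"
    if [ "$2" = yes ]; then
        on_path nuget "${3:-$PATH}" || missing="${missing:+$missing }nuget"
    fi
    echo "$missing"
}

# Runs the preflight, then starts the scan. $1 = solution file, $2 = needs NuGet.
submit_scan() {
    tool=$(default_build_tool)
    gaps=$(missing_tools "$tool" "${2:-no}")
    if [ -n "$gaps" ]; then
        echo "not submitting: missing from PATH: $gaps" >&2
        return 1
    fi
    scancentral -sscurl "$SSC_URL" -ssctoken "$SSC_TOKEN" start \
        --build-tool "$tool" --build-file "$1"
}
```

Call submit_scan MySolution.sln yes for a project that restores dependencies with NuGet; the function returns non-zero without contacting the server when a tool is missing.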
Excluding .NET Projects from analysis
To exclude a .NET project from OpenText ScanCentral SAST analysis, you must create a build configuration to exclude the project, and then specify the build configuration with the --build-command option.
For example, the solution MySolution.sln includes two projects: ProjectA and ProjectB. The <build_config> file, created in Visual Studio, excludes ProjectB from the builds. To exclude ProjectB from OpenText ScanCentral SAST analysis, run the following from the directory where the solution file resides:
scancentral -sscurl <ssc_url> -ssctoken <token> start --build-tool msbuild --build-file MySolution.sln --build-command "/t:Rebuild /p:Configuration=<build_config>"
See also
Configuring sensors for remote translation of .NET languages