Puma Scan - Visual Studio Security Extension
Visual Studio Security Extension
Puma Scan is the leading software security Visual Studio analyzer extension. Built on top of Roslyn, the open-source .NET Compiler Platform, Puma Scan provides real time, continuous source code analysis as development teams write code. Vulnerabilities are immediately displayed in the development environment as spell check and compiler warnings, preventing security bugs from entering your applications.
Roslyn code analyzer extensions are supported by Visual Studio 2015 and higher. Either install Visual Studio Community or a licensed version from your MSDN Subscription account. Alternatively, PCs configured with Chocolatey can install the Visual Studio Community package.
Installation
NuGet
To install the Puma Scan NuGet Package for all projects that require analysis, use the Tools > NuGet Package Manager > Package Manager Console and run the command for all projects:
PM > Get-Project -All | Install-Package Puma.Security.Rules
Extension
To use Puma Scan for all projects in the Visual Studio instance, open the Tools menu and select the Extensions and Updates… menu item. In the Online > Visual Studio Gallery, search for “Puma Scan” and download the extension.
MSBuild
To use Puma Scan in Continuous Integration (CI) tools, you must install Puma Scan in each project via the NuGet package. Running the commands from the Package Manager console to install the .NET compilers, CodeAnalysis, and Puma Scan packages will enable scanning in CI/CD pipelines.
Installing Puma Scan to run during calls to MSBuild:
PM > Get-Project -All | Install-Package Microsoft.Net.Compilers
PM > Get-Project -All | Install-Package Microsoft.CodeAnalysis
PM > Get-Project -All | Install-Package Puma.Security.Rules
From a CI server (e.g. Jenkins) run MSBuild using a command similar to the one shown here. This will produce a warnings.log file, which contains all of the build warnings. This file contains all of the Puma Scan findings.
Example command to invoke MSBuild in a Jenkins task and output the warnings log file.
MSBuild.exe /p:DeployOnBuild=true /p:Configuration=Release /p:OutDir=../Publish /fl1 /fl2 /fl3 /flp1:logfile=build.log /flp2:logfile=build_errors.log;errorsonly /flp3:logfile=build_warnings.log;warningsonly %WORKSPACE%\WidgetTown.sln
The Puma Parser utility in the public repo handles parsing the warnings.log file and capturing only the Puma Scan results. Running this command in a new CI step allows you to process the Puma Scan results and set thresholds to meet your organization's risk tolerance.
Shell command to invoke the Puma Parser utility and export Puma Scan warnings to the puma_warnings.log file.
"C:\Program Files\dotnet\dotnet.exe" "C:\Tools\Puma.Security.Parser\Puma.Security.Parser.dll" --file "%WORKSPACE%\build_warnings.log" --workspace "%WORKSPACE%" --output puma_warnings.log
Additional File Analysis
Puma’s non-code file analyzers (e.g. configuration and view markup files) rely on Roslyn’s additional files feature, which is not currently enabled by default. To enable additional file analysis, you must manually edit each project file (.csproj and .vbproj) and add a new “AdditionalFileItemNames” element to the project’s main “PropertyGroup”. See the associated code examples for details.
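The following project file illustrates the change described above. It is an added example, not a file from the Puma Scan project: the project name, namespace and file paths are constructed placeholders, and the choice of the "Content" item type is an assumption based on ASP.NET projects normally listing Web.config and view markup (.cshtml, .aspx) as Content items, which is what makes those files visible to the non-code analyzers as Roslyn additional files.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed example project file (not from the Puma Scan project).
     Only the AdditionalFileItemNames line is Puma-specific; everything else is
     a minimal, typical classic-style web project layout. -->
<Project ToolsVersion="15.0" DefaultTargets="Build"
         xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
    <OutputType>Library</OutputType>
    <RootNamespace>WidgetTown.Web</RootNamespace>      <!-- placeholder namespace -->
    <AssemblyName>WidgetTown.Web</AssemblyName>        <!-- placeholder assembly -->
    <TargetFrameworkVersion>v4.6.1</TargetFrameworkVersion>

    <!-- Enables Puma's non-code file analysis. Items of the listed types are
         handed to Roslyn analyzers as "additional files". Appending to the
         existing value instead of overwriting it keeps any item names that
         other analyzer packages have already registered. "Content" is an
         assumption: it is the item type that usually carries config and view
         markup files in a web project. -->
    <AdditionalFileItemNames>$(AdditionalFileItemNames);Content</AdditionalFileItemNames>
  </PropertyGroup>

  <!-- Constructed sample items: these Content entries are what the analyzers
       will now receive; Compile items were always analyzed. -->
  <ItemGroup>
    <Content Include="Web.config" />
    <Content Include="Views\Home\Index.cshtml" />
  </ItemGroup>
  <ItemGroup>
    <Compile Include="Controllers\HomeController.cs" />
  </ItemGroup>

  <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
</Project>
```

After saving the project file, rebuild the solution; the Information diagnostic that Puma raises for projects without additional file analysis should disappear for this project, which is a quick way to confirm the property took effect. Remember that the property lives in the project file rather than the solution, so it has to be added to every .csproj and .vbproj whose configuration or markup files you want analyzed.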
Currently, Puma creates an Information diagnostic alerting users about any project files that do not have additional file analysis enabled.
You must do this for every project (.csproj, .vbproj) file in a solution. After enabling the non-code file analyzers, you will notice there are still some limitations for analysis in non-code files:
- Error list navigation (e.g. double clicking on the warning) to a non-code file is not supported. For now, Puma inserts the file path and offending line of code in the diagnostic message displayed in the error list.
- Non-code files do not have the same “spellcheck” support as code files. (e.g. no light bulbs, squiggles, or code fix suggestions)
- Rule suppression is not supported for non-code files.
More details on enhancing Roslyn and Visual Studio to treat non-code files as first class citizens can be found here: https://github.com/dotnet/roslyn/issues/11097