C#

This article shows you how to analyze your applications that are written in C#. It assumes that you have already installed and authenticated with ShiftLeft.

Requirements

Inspect supports the analysis of applications written in C# 7.3 (or earlier) with the following characteristics:

| Component | Requirement |
| --- | --- |
| Specification | MSBuild format (.csproj file). |
| Build Environment (.NET Framework) | .NET 4.6.1 and MSBuild 15.0+ |

Determining Your MSBuild Version

You can determine the version of MSBuild installed by:

  1. Running msbuild /version in the newly-launched prompt

Building Your Application

Before analyzing your code with Inspect, we recommend building your application to make sure that you have restored dependencies and that you've applied any necessary project-specific settings. For applications based on the .NET Framework, use nuget restore.

For example, you can verify that a .NET Framework-based application can be built by doing the following:

  1. In the newly-launched command prompt, navigate to your project location

  2. Restore NuGet packages using nuget.exe restore <MySolution.sln>

  3. Start the build with msbuild <MyProject.csproj>. Depending on your application, you may need to apply additional options

You must submit your code to Inspect from a system that can build your application.

Analyzing Your C# Application

To analyze your C# application, run:

sl analyze --app <name> --csharp --cpg --dotnet-framework [<path>]

| Parameter | Description |
| --- | --- |
| --app <name> | The name of the application to be analyzed |
| --csharp | The flag identifying the application's language |
| <path> | The location of the application's .csproj or .sln file to be analyzed |

Combining C# Projects for Analysis

You can combine multiple C# projects for analysis as follows:

sl analyze --app Xyz --csharp --dotnet-framework --cpg --dep lib.csproj --dep component.csproj app.csproj

Note that you can include --dep multiple times for libs, subprojects, components, etc. The --dep option allows you to filter for the subprojects/dependencies to include with the primary .csproj project for analysis. This allows you to adopt the middle ground between analyzing just the primary project:

sl analyze --app Xyz --csharp --cpg app.csproj

and analyzing the primary file with all of its dependencies/subprojects:

sl analyze --app Xyz --csharp --cpg --csharp2cpg-args "--with-ProjectReference"
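The version check, build steps and combined-project analysis above can be chained into one pre-flight script for a build agent. This is an added example, not ShiftLeft's own code. It assumes PowerShell is started from an environment where msbuild, nuget.exe and the ShiftLeft CLI are on PATH, and the solution, project and app names are the placeholder names used on this page.

```powershell
# Added example: verify the build environment, build, then submit to Inspect.
# All file and app names below are placeholders taken from this page's examples.
param(
    [string]$Solution = 'MySolution.sln',
    [string]$Project  = 'app.csproj',
    [string]$AppName  = 'Xyz',
    [string[]]$Deps   = @('lib.csproj', 'component.csproj')
)
$ErrorActionPreference = 'Stop'

# 1. Inspect requires MSBuild 15.0+. /nologo suppresses the banner, and the
#    filter keeps only the line that starts with a version number.
$line = & msbuild /version /nologo |
    Where-Object { $_ -match '^\s*\d+\.\d+' } | Select-Object -Last 1
if (-not $line -or $line -notmatch '(\d+\.\d+(\.\d+){0,2})') {
    throw 'Could not read an MSBuild version from "msbuild /version".'
}
$msbuildVersion = [version]$Matches[1]
if ($msbuildVersion -lt [version]'15.0') {
    throw "MSBuild $msbuildVersion found; 15.0 or later is required."
}

# 2. Restore NuGet packages; stop if the restore fails.
& nuget.exe restore $Solution
if ($LASTEXITCODE -ne 0) { throw "nuget restore failed (exit $LASTEXITCODE)." }

# 3. Build; a system that cannot build the project should not submit it.
& msbuild $Project
if ($LASTEXITCODE -ne 0) { throw "msbuild failed (exit $LASTEXITCODE)." }

# 4. In PowerShell, "sl" is a built-in alias for Set-Location, so resolve
#    the ShiftLeft executable explicitly instead of calling "sl" directly.
$slExe = (Get-Command sl -CommandType Application |
    Select-Object -First 1).Source

# 5. Build the argument list: one --dep per selected subproject,
#    with the primary project last.
$slArgs = @('analyze', '--app', $AppName, '--csharp', '--dotnet-framework', '--cpg')
foreach ($dep in $Deps) { $slArgs += @('--dep', $dep) }
$slArgs += $Project

& $slExe @slArgs
exit $LASTEXITCODE
```

Passing an empty list for `-Deps` reduces the final call to the primary-project-only form.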

Enabling Log Information

You can enable logs at the Information level by including the -l info flag:

sl analyze --csharp --app Xyz app.csproj --csharp2cpg-args "--with-ProjectReference -l info"