SAST Analyzer error: Unable to build project using `dotnet`, attempting to build using `nuget` and `msbuild`

Describe your question in as much detail as possible:

When the security-code-scan runs it’s failing and giving me the following errors:

```
[WARN] [security-code-scan] [2021-01-28T16:09:50Z] ▶ Unable to build project using `dotnet`, attempting to build using `nuget` and `msbuild`
[FATA] [security-code-scan] [2021-01-28T16:09:54Z] ▶ Unable to build project from solution file using nuget and msbuild. Err: %!s()
```

  • Add the CI configuration from .gitlab-ci.yml and other configuration if relevant (e.g. docker-compose.yml)

```yaml
security-code-scan-sast:
  extends: .sast-analyzer
  image:
    name: "$SAST_ANALYZER_IMAGE"
  variables:
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/security-code-scan:$SAST_ANALYZER_IMAGE_TAG"
  rules:
    # Skip the job entirely when SAST is disabled
    - if: $SAST_DISABLED
      when: never
    # Run on branches when the analyzer is enabled and a .NET project file exists
    - if: $CI_COMMIT_BRANCH &&
          $SAST_DEFAULT_ANALYZERS =~ /security-code-scan/
      exists:
        - '**/*.csproj'
        - '**/*.vbproj'
```

Thanks for taking the time to be thorough in your request, it really helps! :blush:

1 Like

I have the exact same issue. Any hints are highly appreciated.
Our projects use custom nuget repositories. For the SAST image to be able to pick it up, we copy the nuget.config to the project root within the `before_script` section. But still it does not work…

So I started to learn Go for this… damn it…
The most I was able to dig up is:

```
error: NU3028: Package 'System.Collections.Immutable 5.0.0' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
```

Which is probably related to an expired MS certificate.
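Added example (not part of the original posts and not the analyzer's own code): a bash helper that extracts NU3028 signature-trust errors like the one quoted above from a `dotnet restore` log and reports whether they are the only restore errors present. The function names, the log lines, the `Example.Lib` package and the `nuget.example.internal` source are constructed for illustration.

```shell
#!/usr/bin/env bash
# Triage a `dotnet restore` log for NuGet signature-trust failures (NU3028).

# Constructed sample log, modelled on the NU3028 message quoted in the thread.
sample_log() {
  cat <<'EOF'
  Determining projects to restore...
error: NU3028: Package 'System.Collections.Immutable 5.0.0' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
error: NU3028: Package 'System.Collections.Immutable 5.0.0' from source 'https://api.nuget.org/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
error: NU3028: Package 'Example.Lib 1.2.3' from source 'https://nuget.example.internal/v3/index.json': The author primary signature's timestamp found a chain building issue: UntrustedRoot: self signed certificate in certificate chain
EOF
}

# Read a log on stdin and print one "package|source|chain-status" record
# per distinct NU3028 error, so repeated restore attempts collapse to one row.
nu3028_records() {
  sed -nE "s/.*NU3028: Package '([^']+)' from source '([^']+)': .*chain building issue: ([A-Za-z]+):.*/\1|\2|\3/p" |
    LC_ALL=C sort -u
}

# Succeed only when the log (passed as $1) has at least one NuGet error and
# every NuGet error in it is an NU3028 UntrustedRoot failure. In that case the
# signature chain ended at a root the build image does not trust, so the
# image's certificate store is the place to look rather than the project.
only_untrusted_root() {
  local total trust
  total=$(printf '%s\n' "$1" | grep -cE 'error: NU[0-9]+:' || true)
  trust=$(printf '%s\n' "$1" | grep -cE 'error: NU3028:.*UntrustedRoot' || true)
  [ "$total" -gt 0 ] && [ "$total" -eq "$trust" ]
}

# Demo run over the constructed sample.
sample_log | nu3028_records
if only_untrusted_root "$(sample_log)"; then
  echo "all restore errors are NU3028 UntrustedRoot"
fi
```

To use it on a real job, save the output of `dotnet restore` run inside the analyzer image to a file and pipe that file into `nu3028_records`.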

Hi @tersam_95, Hi @jan.zahradnik! Thanks for sharing your observations about this problem. Please note that we also have an open issue about it, and a workaround has been posted in the middle of this comment. Cheers!

2 Likes

I am also facing the same issue when running the SAST Analyzer for a .NET 5.0 Solution. Can you please help, @katrinleinweber?

Hi dear!

Could you solve this problem?

@dacardona you may want to try this, this helped me build:

```yaml
security-code-scan-sast:
  before_script:
    # Download the dotnet-install script
    - wget https://dot.net/v1/dotnet-install.sh
    # Install the SDK from the 5.0 channel
    - bash ./dotnet-install.sh -c 5.0
    - dotnet new xunit
```