Prepare the application source code
AIP Console expects the application source code to be delivered either via a ZIP file or via a source code located in a folder configured in AIP Console. Whichever option you chose, you should include in the ZIP/source code folder all of your .NET application source code. CAST highly recommends placing all the relevant files in a folder and using sub-folders where necessary. You can deliver other technologies at the same time (for example, database DDL). If you are using a ZIP/archive file, zip the folders in the "temp" folder as shown in the image below - but do not zip the "temp" folder itself, nor create any intermediary folders:
|Any additional framework specific source code (such as Entity Framework, Silverlight Framework, WCF, WPF, NoSQL should also be provided in the ZIP/archive file or the source code folder.|
What about delivering framework/external/custom assemblies?
The .NET Analyzer needs to know the location of any assemblies such as the .NET Framework assemblies, external assemblies (third-party DLLs) and other custom assemblies that are used by your application source code. There are various ways to declare the location of these assemblies when using AIP Console, but the action you choose also depends on the release of the .NET Analyzer you are using. This is explained in more detail below:
.NET Framework assemblies
.NET Framework assemblies are used by all .NET applications and therefore the .NET Analyzer needs to have access to these assemblies in order to resolve references correctly. Here there is a choice of options:
|Using .NET Analyzer ≥ 1.1|
When using .NET Analyzer ≥ 1.1, the .NET Framework assemblies are provided in the extension itself (as listed in the section Dependent frameworks and third-party packages provided in the extension in the extension documentation) and they will be used to resolve references to specific assemblies that have been used by the Application source code. Therefore it is not necessary to declare the location of these .NET Framework assemblies, however, if you do not declare them, "missing references" type alerts will be generated during the source code delivery process, for example as shown below. These alerts can be safely ignored. The resulting analysis will use the .NET Framework assemblies delivered in the .NET Analyzer extension.
Click to enlarge
If you prefer not to have missing references type alerts, then you can, optionally, declare the location of the .NET Framework assemblies using the
aip-node-app.properties file on the AIP Node responsible for analyzing your application, ensuring that the AIP Node can access the declared location (i.e. a folder on the AIP Node or a shared network location). These assemblies will be used in priority over the .NET Framework assemblies provided in the extension itself.
|Using .NET Analyzer 1.0|
When using .NET Analyzer 1.0, the .NET Framework assemblies are NOT provided in the extension, therefore you MUST declare the location of these .NET Framework assemblies using the
aip-node-app.properties file, ensuring that the AIP Node responsible for analyzing your application can access the declared location (i.e. a folder on the AIP Node or a shared network location). If you do not declare them, then the analysis will fail with a missing mandatory reference error:
External assemblies (third-party DLLs)/custom assemblies
When using .NET Analyzer ≥ 1.1, CAST provides some specific frameworks and third party packages in the extension itself which will automatically be used. Therefore if your source code uses these specific frameworks and third party packages, it is not necessary to deliver these items. However, missing library/assembly alerts for these items will be generated during the delivery. The alerts can be safely ignored if the alert references an item that CAST provides in the extension.
See the section Dependent frameworks and third-party packages provided in the extension documentation for more information.
If your application uses external assemblies provided by third parties or your own custom assemblies, the .NET Analyzer also needs to know the location of them:
- if these assemblies are stored in the correct location as specified in the project definition file and are delivered with the application (in the ZIP file or via a source code located in a folder), then the .NET Analyzer will find them without you needing to do anything.
- if these assemblies are not stored in the correct location, then there are two options available to you to ensure that the .NET Analyzer is aware of their location:
|Declare the location in aip-node-app.properties|
This option involves:
- placing the assemblies in a folder that the AIP Node responsible for analyzing your application can access, i.e. a folder on the AIP Node or a shared network location.
- declaring this folder using the
aip-node-app.properties file on the AIP Node.
When the analysis is run, the .NET Analyzer will search the folder declared in
aip-node-app.properties and find the assemblies required by your application source code.
|Deliver with the application source code|
This option involves:
- delivering the assemblies in a dedicated folder (typically this is a sub folder or the "bin" folder) together with the application source code (i.e. in the ZIP file or via a source code located in a folder).
- ensuring that the
scanner.detect.dotnet.assemblies option is set to true the
aip-node-app.properties file on the AIP Node.
When the analysis is run, the .NET Analyzer will attempt to find the assemblies required by your application source code.
|This option is limited in scope however and if in doubt, you should use the alternative option described above (Declare the location in aip-node-app.properties): only one folder in the delivered source code will be detected by the .NET Analyzer - the folder containing the largest number of assemblies (dll files). Therefore if your assemblies are distributed in multiple folders throughout the source code, this method is not recommended.|
What about Nuget package dependencies?
An extension (NuGet Resources Extractor) has been published that provides the means to configure an automatic extraction of NuGet package dependencies from a NuGet repository specifically for .NET application source code. In other words, NuGet package based source code that resides in a simple local or nuget.org location. For example, when your .NET application contains .csproj files which have package references defined, you can use this extractor to extract those NuGet packages from the NuGet repository.
Out of the box, if a .csproj file is detected in the delivered source code, the extension will be downloaded and installed as part of the analysis process. If the .csproj file contains package dependency references, these references will automatically be accessed and included in the analysis. Example package references shown below:
<!-- ... -->
<PackageReference Include="Contoso.Utility.UsefulStuff" Version="3.6.0" />
<!-- ... -->
The extractor will extract all NuGet package dependencies and place them inside a folder called "nugetPck" folder located in the Deploy folder. The extractor is driven by the
%PROGRAMDATA%\CAST\AipConsole\AipNode\aip-node-app.properties file attribute
# HTTP V3 Nuget repository to download package dependencies https://api.nuget.org/v3/index.json or file system like file://C:/Users/johndoe/.nuget/packages
Declaring options/locations in aip-node-app.properties
To declare the location, edit the following file with a text editor on the AIP Node responsible for analyzing your Application:
Locate the following sections:
# .NET assembly configuration
# Provide a list of locations to use for .NET Assemblies to be given to the code scanner
# Provide a full path separated by ';' like
# enable this option to detect the dotnet assemblies in the source code(feature in beta)
Now edit either/both of the options as appropriate:
Use this option to declare the assemblies as required. For example to declare .NET Framework assemblies installed the AIP Node you can add
C:/Windows/Microsoft.NET/Framework64/v4.0.30319. Or to declare custom assemblies in a shared folder:
Set this option to true if you have decided to deliver assemblies in the ZIP file or via a source code located in a folder and these assemblies are not in the location defined in the project definition file.
Save the aip-node-app.properties file and then restart the AIP Node package in order for the configuration to be taken into account.