Generating an IRX for a .NET Core project

Scanning of .NET Core projects is supported through the Command Line Interface (CLI) and through the Visual Studio 2017 and Visual Studio 2019 plugins on Windows only.

.NET Core scanning

AppScan 360° does not support the portable PDB format, which is the default in Visual Studio 2017 and Visual Studio 2019.

Change the PDB format to Full and rebuild the project prior to scanning:
  • For C# projects:
    1. In Visual Studio, right-click the project and choose Properties.
    2. Click the Build tab.
    3. Click the Advanced button.
    4. Set the Debugging Information setting to Full.
  • For VB.NET projects:
    1. In Visual Studio, right-click the project and choose Properties.
    2. Click the Compile tab.
    3. Click the Advanced Compile Options button.
    4. Set the Generate debug Info setting to Full.
  • For C# and VB.NET projects with Visual Studio 2022:
    1. In Solution Explorer, right-click the project and choose Properties.
    2. In the side pane, choose Build > General.
    3. In the Debug symbols list, choose PDB file, current platform.

Scanning .NET Core through the CLI

HCL AppScan 360° supports scanning of self-contained deployments of .NET Core projects and scanning of .NET Core projects in Visual Studio solution files from the CLI.

To publish a self-contained deployment (SCD) for .NET Core project for scanning with the CLI, either:
  • Publish the project from the command line:
    1. Open a command prompt and change to the project directory.
    2. For .NET Core 1.x only, run the restore command:

      dotnet restore

    3. For all versions, run the publish command:

      dotnet publish [-o|--output] [-r|--runtime]

      For example, if the .NET Core project is located in C:\Test\AwesomeApplication\:
      1. Launch the Visual Studio Developer command prompt.
      2. Change directories to C:\Test\AwesomeApplication.
      3. Run the publish command:

        dotnet publish -r win-x64

  • Publish the project from within Visual Studio:
    1. In Visual Studio, right-click the project and choose Publish.
    2. Create a new publish profile and specify publishing options, including target location.

After the publish completes, change directories to the output directory (for example, C:\Test\AwesomeApplication\bin\debug\netcoreapp2.0\publish) and run the appscan prepare command.

Scanning .NET Core through the Visual Studio 2017 or Visual Studio 2019 plugin

Scanning of all .NET projects that target .NET Core, including ASP.NET, is supported.

To scan using the Visual Studio IDE:
  • In Visual Studio, right-click the project and choose Security Analysis > Run Static Analysis.

Troubleshooting

If you encounter issues, verify the following:

  • Use the Visual Studio NuGet Package Manager to add any third-party dependencies to your project.
  • Alter the csproj file to include package references and/or runtime identifiers by editing the csproj file directly or using the Visual Studio IDE (Right-click on the project then choose Edit > <project name>.csproj.
    • Add package references to third-party libraries to the <ItemGroup> section of the file. For example, to include Json.Net:

      <PackageReference Include="Newtonsoft.json" Version="10.0.1" />

    • Runtime identifiers can be included anywhere in the file. For example, to identify Win10-x64:

      <RuntimeIdentifiers>win10-x64</RuntimeIdentifiers>

Note:

For more information on publishing and Microsoft commands, please refer to these Microsoft documents: