The CAST Highlight tool is just another static code analysis tool and part of our SecDevOps portfolio. So the task was to integrate it into the Azure pipeline after creating a tag.
The first attempt to use the Azure Marketplace Add-In did not work for me. It returns that a wrong Java version is used to execute CAST Highlight.
stdout: stderr: Error: A JNI error has occurred, please check your installation and try again Exception in thread "main" java.lang.UnsupportedClassVersionError: com/castsoftware/highlight/HighlightAutomation has been compiled by a more recent version of the Java Runtime (class file version 55.0), this version of the Java Runtime only recognizes class file versions up to 52.0
After checking with the Azure Build Agent installed tools reference sheet, it turned out, that there is already an Azure Pipeline task to set the Java version to an already installed and compatible version.
- task: JavaToolInstaller@0 inputs: versionSpec: '11' jdkArchitectureOption: 'x64' jdkSourceOption: 'PreInstalled'
This works with Linux and Windows images.
After I fixed the java error, I was getting a wired error message that a given parameter was missing. The parameter „sourceDir“ was provided so something else must have been wrong.
HIGHLIGHT SCAN java -jar "D:\a\_tasks\highlightcodescan_d09a7949-d043-4058-b56c-103b0da04686\5.4.73\HighlightAutomation.jar" --perlInstallDir "C:\Program Files\CAST\HighlightAgent\strawberry\perl" --analyzerDir "D:\a\_tasks\highlightcodescan_d09a7949-d043-4058-b56c-103b0da04686\5.4.73/perl" --workingDir "C:\src\" --sourceDir "C:\src\" --technologies "CS,TSql,TypeScript,JS" --skipUpload stdout: Missing required option(s) [sourceDir]
So I gave up on the Azure Marketplace task and used another approach.
Success with Docker
I found a tutorial to execute the code scan within a docker container. I used this approach to execute this in the Azure Pipeline hence Azure supports docker commands. The „script“ task is quite simple and runs CAST Highlight in a container so everything is already prepared to run the analysis.
- script: | docker run --user $UID -v $(pwd):/sourceDir -v /tmp:/workingDir casthighlight/hl-agent-cli --technologies 'CS, TSql, TypeScript, JS' --sourceDir /sourceDir --workingDir /workingDir --applicationId <id> --companyId <id> --serverUrl 'https://rpa.casthighlight.com' --basicAuth 'THIS IS A BASE64 ENCODED username:password'
Finally, this works perfectly. But be aware of one fact. If you use a Windows VM image for your build agent, this does not work. To run the CAST Highlight Linux container, the agent needs to run as a Linux container as well.