Comments (11)
I also just tested the tool by trying to compile a garbage Program.cs (with a bunch of junk in it that was clearly not going to build) and I still get 0 errors from the secure scan tool. It looks like if it's trying to compile a .NET 6 application, it is ignoring the compilation errors (or, rather, the compiler is not failing).
from security-code-scan.
There are multiple reasons/problems for that:

1. Looks like the syntactic sugar is not supported out of the box. Until I find the way to do it, you need to define the `Main` function in the old-fashioned way.
2. At some point I have decided that `args` should not be tainted by default since command line arguments are often trusted. Which was probably inconsistent because at the same time `Console.ReadLine` was left as tainted by default.
   That said, you need to define the main as tainted in global or project config. Below is an example of project level config if your class' fully qualified name is `ConsoleApp2.Program`:

   ```yaml
   Version: 3.1
   TaintEntryPoints:
     ConsoleApp2.Program:
       Method:
         Name: Main
   ```

   Another option is to use `Console.ReadLine` instead of `args` as the source of untrusted data for testing, or create a sample web app instead. Then the additional configuration is not needed.
3. After this is set it works if SCS is used as vsix or nuget. Unfortunately the stand alone tool fails. I need to investigate why. Meanwhile I recommend using SCS as Visual Studio extension or Nuget.
from security-code-scan.
Thanks for the response, @JarLob.
I modified my test application to use the old-style `Main` function (I'm not even a fan of the new stuff- way too messy, but it's the default now 🙄)... And I am still not getting any results. I even modified it to use `Console.ReadLine()`, as well as adding an additional configuration file (as you showed above) and still nothing.

My entire `Program.cs` looks like this:

```csharp
using System.Diagnostics;
using System.Xml;

// Relies on the .NET 6 implicit usings (System etc.) from the SDK-generated GlobalUsings.g.cs
public class Program
{
    public static void Main(string[] args)
    {
        var input = Console.ReadLine();             // untrusted input

        var rnd = new Random();                     // weak (non-cryptographic) random number generator
        byte[] buffer = new byte[16];
        rnd.NextBytes(buffer);
        var byteString = BitConverter.ToString(buffer);

        var doc = new XmlDocument { XmlResolver = null };
        doc.Load("/config.xml");
        // untrusted input concatenated into an XPath query
        var results = doc.SelectNodes("/Config/Devices/Device[id='" + input + "']");

        var p = new Process();
        p.StartInfo.FileName = "exportLegacy.exe";
        // untrusted input concatenated into process arguments
        p.StartInfo.Arguments = " -user " + input + " -role user";
        p.Start();
    }
}
```
Something else to note is that the Visual Studio plugin works, and correctly identifies these issues:
Unfortunately I am attempting to use the Secure Scan application in my CI pipeline, however, so my only real option is the stand-alone runner.
from security-code-scan.
> I modified my test application to use the old-style `Main` function (I'm not even a fan of the new stuff- way too messy, but it's the default now 🙄)... And I am still not getting any results. I even modified it to use `Console.ReadLine()`, as well as adding an additional configuration file (as you showed above) and still nothing.

> After this is set it works if SCS is used as vsix or nuget. Unfortunately the stand alone tool fails. I need to investigate why. Meanwhile I recommend using SCS as Visual Studio extension or Nuget.

> Unfortunately I am attempting to use the Secure Scan application in my CI pipeline, however, so my only real option is the stand-alone runner.

While the stand alone tool may have been more convenient, the Nuget package still allows you to use SCS in pipelines as it generates warnings (or errors if configured) in the output.
from security-code-scan.
So, since I know you're probably super busy- I pulled the code and looked into the inability for the stand-alone tool to find a weak random number generator.

It looks like the analyzer is not working properly because there are compilation errors that exist when compiling my `Program.cs`. Notably, there are a bunch of `CS0103` errors, claiming that the types don't exist for things like `Console`, `Random`, `BitConverter`, etc. Pretty much anything in the `System` namespace.

After further investigation, it seems like the compiler is not respecting the implicit usings that are created in .NET 6 projects by default. These `using` statements are put into a `GlobalUsings.g.cs` file that is auto-generated by the compiler in C# 10. If I fully qualify my declaration statements in the code, or when I add the `<ImplicitUsings>disable</ImplicitUsings>` tag in my project and put `using` statements at the top of my `Program.cs`, the scan actually works correctly and finds the security issues in my project.

Looking into it a little more, it looks like the version of the `Microsoft.CodeAnalysis` libraries that are currently in use do not support C# 10 (where implicit usings were introduced), and therefore will not work with any project that employs them.

The solution is to update the NuGet packages for the `Microsoft.CodeAnalysis` namespace to take advantage of the latest Roslyn compiler.
from security-code-scan.
Attaching the project I used to reproduce the last time: ConsoleApp2.zip

I don't see any build errors; it just returns 0 warnings in the standalone tool case. Could you please verify?
from security-code-scan.
Yeah, it's very strange as to why the compilation is succeeding when there are errors.
I can see the errors when I debug the secure scan tool, and put a breakpoint here. Then I look at the `compilation.GetDiagnostics()` which contains a list of the diagnostic errors.

The list of diagnostic errors that are returned by the `compilation.GetDiagnostics()` call yields the following:

```text
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\obj\Debug\net6.0\ConsoleApp2.GlobalUsings.g.cs(2,1): error CS0116: A namespace cannot directly contain members such as fields or methods
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\obj\Debug\net6.0\ConsoleApp2.GlobalUsings.g.cs(3,1): error CS0116: A namespace cannot directly contain members such as fields or methods
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\obj\Debug\net6.0\ConsoleApp2.GlobalUsings.g.cs(4,1): error CS0116: A namespace cannot directly contain members such as fields or methods
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\obj\Debug\net6.0\ConsoleApp2.GlobalUsings.g.cs(5,1): error CS0116: A namespace cannot directly contain members such as fields or methods
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\obj\Debug\net6.0\ConsoleApp2.GlobalUsings.g.cs(6,1): error CS0116: A namespace cannot directly contain members such as fields or methods
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\obj\Debug\net6.0\ConsoleApp2.GlobalUsings.g.cs(7,1): error CS0116: A namespace cannot directly contain members such as fields or methods
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\obj\Debug\net6.0\ConsoleApp2.GlobalUsings.g.cs(8,1): error CS0116: A namespace cannot directly contain members such as fields or methods
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\Program.cs(10,27): error CS0246: The type or namespace name 'Random' could not be found (are you missing a using directive or an assembly reference?)
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\Program.cs(13,30): error CS0103: The name 'BitConverter' does not exist in the current context
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\obj\Debug\net6.0\.NETCoreApp,Version=v6.0.AssemblyAttributes.cs(3,1): hidden CS8019: Unnecessary using directive.
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\obj\Debug\net6.0\ConsoleApp2.GlobalUsings.g.cs(8,8): hidden CS8019: Unnecessary using directive.
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\obj\Debug\net6.0\ConsoleApp2.GlobalUsings.g.cs(7,8): hidden CS8019: Unnecessary using directive.
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\obj\Debug\net6.0\ConsoleApp2.GlobalUsings.g.cs(6,8): hidden CS8019: Unnecessary using directive.
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\obj\Debug\net6.0\ConsoleApp2.GlobalUsings.g.cs(3,8): hidden CS8019: Unnecessary using directive.
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\obj\Debug\net6.0\ConsoleApp2.GlobalUsings.g.cs(4,8): hidden CS8019: Unnecessary using directive.
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\obj\Debug\net6.0\ConsoleApp2.AssemblyInfo.cs(11,1): hidden CS8019: Unnecessary using directive.
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\obj\Debug\net6.0\ConsoleApp2.GlobalUsings.g.cs(5,8): hidden CS8019: Unnecessary using directive.
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\obj\Debug\net6.0\.NETCoreApp,Version=v6.0.AssemblyAttributes.cs(2,1): hidden CS8019: Unnecessary using directive.
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\obj\Debug\net6.0\ConsoleApp2.AssemblyInfo.cs(12,1): hidden CS8019: Unnecessary using directive.
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\obj\Debug\net6.0\ConsoleApp2.GlobalUsings.g.cs(2,8): hidden CS8019: Unnecessary using directive.
```
from security-code-scan.
It looks like there are two issues at play here-

1. .NET 6 code is not compiled correctly because the `Microsoft.CodeAnalysis` stuff does not support C# 10
2. The Secure Scan tool is not correctly reporting on compilation issues

For item 1, the solution is to update the NuGet packages... item 2 is less straightforward, but it looks like you should be using `compilationWithAnalyzers.GetAllDiagnosticsAsync()` instead of `compilationWithAnalyzers.GetAnalyzerDiagnosticsAsync()` here.

I know that you have a flag where I can ignore MSBuild errors, but I am not sure how that would factor in here, especially when a project failing to compile will make it so the secure scan tool misses issues.
from security-code-scan.
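To illustrate the second point above, here is an added example (my own code, not part of security-code-scan) of a Roslyn-based scan that looks at `compilation.GetDiagnostics()` before trusting what the analyzers return, so that a compilation full of CS0103/CS0246 errors cannot be reported as "0 findings". `WeakRandomAnalyzer`, `FailClosedScanner`, `ScanResult`, `Demo` and the rule ID `DEMO0005` are hypothetical names; the scanned source is a trimmed copy of the `Program.cs` from this thread, deliberately missing the `System` using that the .NET 6 SDK would normally inject through `GlobalUsings.g.cs`. It assumes a .NET 6 console project referencing the `Microsoft.CodeAnalysis.CSharp` 4.x NuGet package.

```csharp
// Added example, not part of security-code-scan: a Roslyn scan that fails closed when the
// compilation it analyzes has errors. Assumes Microsoft.CodeAnalysis.CSharp 4.x (NuGet).
using System;
using System.Collections.Immutable;
using System.IO;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;
using Microsoft.CodeAnalysis.Diagnostics;

// Hypothetical stand-in for the real SCS analyzers: flags `new System.Random()`.
// It needs the semantic model to bind `Random`; when the compilation has CS0246/CS0103
// errors the type is unresolved and the analyzer stays silent, which is exactly how a
// scanner that only collects analyzer diagnostics ends up reporting "0 findings".
[DiagnosticAnalyzer(LanguageNames.CSharp)]
public sealed class WeakRandomAnalyzer : DiagnosticAnalyzer
{
    public static readonly DiagnosticDescriptor Rule = new(
        "DEMO0005", "Weak random number generator",
        "System.Random is not a cryptographically secure RNG", "Security",
        DiagnosticSeverity.Warning, isEnabledByDefault: true);

    public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics => ImmutableArray.Create(Rule);

    public override void Initialize(AnalysisContext context)
    {
        context.EnableConcurrentExecution();
        context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.None);
        context.RegisterSyntaxNodeAction(ctx =>
        {
            var creation = (ObjectCreationExpressionSyntax)ctx.Node;
            var type = ctx.SemanticModel.GetTypeInfo(creation).Type;
            if (type?.ToDisplayString() == "System.Random")
                ctx.ReportDiagnostic(Diagnostic.Create(Rule, creation.GetLocation()));
        }, SyntaxKind.ObjectCreationExpression);
    }
}

public sealed record ScanResult(ImmutableArray<Diagnostic> CompilerErrors, ImmutableArray<Diagnostic> Findings)
{
    // Findings are only meaningful when the code the analyzers looked at actually compiled.
    public bool Trustworthy => CompilerErrors.IsEmpty;
}

public static class FailClosedScanner
{
    public static async Task<ScanResult> ScanAsync(string source, bool ignoreCompilationErrors = false)
    {
        // Reference every managed assembly of the running runtime so that System.Console,
        // System.Diagnostics.Process etc. resolve.
        var references = ((string)AppContext.GetData("TRUSTED_PLATFORM_ASSEMBLIES")!)
            .Split(Path.PathSeparator)
            .Select(path => MetadataReference.CreateFromFile(path));

        var compilation = CSharpCompilation.Create(
            "Scanned",
            new[] { CSharpSyntaxTree.ParseText(source) },
            references,
            new CSharpCompilationOptions(OutputKind.ConsoleApplication));

        // Compiler diagnostics first: GetAnalyzerDiagnosticsAsync() alone never surfaces these.
        var errors = compilation.GetDiagnostics()
            .Where(d => d.Severity == DiagnosticSeverity.Error)
            .ToImmutableArray();
        if (!errors.IsEmpty && !ignoreCompilationErrors)
            return new ScanResult(errors, ImmutableArray<Diagnostic>.Empty); // fail closed: claim nothing

        var analyzers = ImmutableArray.Create<DiagnosticAnalyzer>(new WeakRandomAnalyzer());
        var findings = await compilation.WithAnalyzers(analyzers).GetAnalyzerDiagnosticsAsync();
        return new ScanResult(errors, findings);
    }
}

public static class Demo
{
    // Constructed input: a trimmed copy of the Program.cs from this thread, as the analyzer
    // sees it when the SDK-generated GlobalUsings.g.cs is not part of the compilation.
    private const string SourceWithoutImplicitUsings = @"
using System.Diagnostics;
public class Program
{
    public static void Main(string[] args)
    {
        var input = Console.ReadLine();
        var rnd = new Random();
        byte[] buffer = new byte[16];
        rnd.NextBytes(buffer);
        var byteString = BitConverter.ToString(buffer);
        var p = new Process();
        p.StartInfo.FileName = ""exportLegacy.exe"";
        p.StartInfo.Arguments = "" -user "" + input + "" -role user"";
        p.Start();
    }
}";

    public static async Task Main()
    {
        // First run: no `using System;` -> compiler errors, no findings claimed.
        // Second run: the using prepended -> compiles, the weak RNG is reported.
        foreach (var source in new[] { SourceWithoutImplicitUsings, "using System;" + SourceWithoutImplicitUsings })
        {
            var result = await FailClosedScanner.ScanAsync(source);
            Console.WriteLine(result.Trustworthy
                ? $"scan ok: {result.Findings.Length} finding(s): {string.Join(", ", result.Findings.Select(f => f.Id))}"
                : $"scan NOT trustworthy: {result.CompilerErrors.Length} compiler error(s), first: {result.CompilerErrors[0]}");
        }
    }
}
```

The `ignoreCompilationErrors` parameter mirrors the kind of flag discussed in this thread: it lets a scan proceed on a broken compilation, but the returned `ScanResult` still carries the compiler errors, so a CI step can decide to fail the build rather than treat an empty findings list as a clean result.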
Thank you for digging into it. I have pushed the fix. It should work now. Though it gives some errors and warnings building the .net 6 project. I have also introduced the ignore compilation errors flag to work around it. To get rid of them completely I think I need to start a new fork VS2022 and migrate to 4.x CodeAnalysis. This may take a few weeks as the next week is super busy for me. Meanwhile you should be able to run the locally built tool.
from security-code-scan.
Thanks... I really appreciate your contributions to the community with this project.
Also, I found an issue (or at least I think it's an issue) with `MSBuildWorkspace`, which is that it does not allow you to load a workspace for a .NET framework that is newer than the one that the project instantiating `MSBuildWorkspace` is compiled with. This makes it impossible to use your tool on newer frameworks (e.g. .NET 7) without re-compiling your tool using that newer framework.

I filed an issue related to that here: MSBuildWorkspace.Create() fails when pointing to the .NET 7 SDK from a .NET 6 project
from security-code-scan.
So yeah, it looks like there is no forward compatibility in the `MSBuildWorkspace`, so you'll have to retarget the application to .NET 7 in order to support it 😢
from security-code-scan.