
Comments (11)

aronweiler commented on May 27, 2024

I also just tested the tool by trying to compile a garbage Program.cs (with a bunch of junk in it that was clearly not going to build) and I still get 0 errors from the secure scan tool. It looks like if it's trying to compile a .NET 6 application, it is ignoring the compilation errors (or, rather, the compiler is not failing).

from security-code-scan.

JarLob commented on May 27, 2024

There are multiple reasons/problems for that:

  1. It looks like the syntactic sugar is not supported out of the box. Until I find a way to do it, you need to define the Main function in the old-fashioned way.
  2. At some point I decided that args should not be tainted by default, since command line arguments are often trusted. That was probably inconsistent, because at the same time Console.ReadLine was left tainted by default.

That said, you need to define Main as tainted in the global or project config. Below is an example of a project-level config if your class's fully qualified name is ConsoleApp2.Program:

Version: 3.1

TaintEntryPoints:
  ConsoleApp2.Program:
    Method:
      Name: Main

Another option is to use Console.ReadLine instead of args as the source of untrusted data for testing, or to create a sample web app instead. Then the additional configuration is not needed.

  3. After this is set, it works if SCS is used as a VSIX or NuGet package. Unfortunately the stand-alone tool fails. I need to investigate why. Meanwhile I recommend using SCS as the Visual Studio extension or NuGet package.


aronweiler commented on May 27, 2024

Thanks for the response, @JarLob.

I modified my test application to use the old-style Main function (I'm not even a fan of the new stuff; way too messy, but it's the default now 🙄)... and I am still not getting any results. I even modified it to use Console.ReadLine(), as well as adding an additional configuration file (as you showed above), and still nothing.

My entire Program.cs looks like this:

using System.Diagnostics;
using System.Xml;
// Note: Console, Random and BitConverter come from the .NET 6 implicit
// global usings (GlobalUsings.g.cs); there is no explicit 'using System;'.

public class Program
{
    public static void Main(string[] args)
    {
        // Untrusted input (configured as a taint source)
        var input = Console.ReadLine();

        // Test case: weak (non-cryptographic) random number generator
        var rnd = new Random();
        byte[] buffer = new byte[16];
        rnd.NextBytes(buffer);
        var byteString = BitConverter.ToString(buffer);

        // Test case: tainted input concatenated into an XPath query
        var doc = new XmlDocument { XmlResolver = null };
        doc.Load("/config.xml");
        var results = doc.SelectNodes("/Config/Devices/Device[id='" + input + "']");

        // Test case: tainted input concatenated into process arguments
        var p = new Process();
        p.StartInfo.FileName = "exportLegacy.exe";
        p.StartInfo.Arguments = " -user " + input + " -role user";
        p.Start();
    }
}

Something else to note is that the Visual Studio plugin works and correctly identifies these issues:
[image]

Unfortunately, I am attempting to use the Secure Scan application in my CI pipeline, so my only real option is the stand-alone runner.


JarLob commented on May 27, 2024

> I modified my test application to use the old-style Main function (I'm not even a fan of the new stuff; way too messy, but it's the default now 🙄)... and I am still not getting any results. I even modified it to use Console.ReadLine(), as well as adding an additional configuration file (as you showed above), and still nothing.

> 1. After this is set, it works if SCS is used as a VSIX or NuGet package. Unfortunately the stand-alone tool fails. I need to investigate why. Meanwhile I recommend using SCS as the Visual Studio extension or NuGet package.

> Unfortunately, I am attempting to use the Secure Scan application in my CI pipeline, so my only real option is the stand-alone runner.

While the stand-alone tool may have been more convenient, the NuGet package still allows using SCS in pipelines, as it generates warnings (or errors, if configured) in the build output.


aronweiler commented on May 27, 2024

So, since I know you're probably super busy, I pulled the code and looked into the stand-alone tool's inability to find a weak random number generator.

It looks like the analyzer is not working properly because there are compilation errors when compiling my Program.cs. Notably, there are a bunch of CS0103 errors claiming that the types don't exist for things like Console, Random, BitConverter, etc.; pretty much anything in the System namespace.

After further investigation, it seems like the compiler is not respecting the implicit usings that are created in .NET 6 projects by default. These using statements are put into a GlobalUsings.g.cs file that is auto-generated by the compiler in C# 10. If I fully qualify my declaration statements in the code, or when I add the <ImplicitUsings>disable</ImplicitUsings> tag in my project and put using statements at the top of my Program.cs, the scan actually works correctly and finds the security issues in my project.

Looking into it a little more, it looks like the version of the Microsoft.CodeAnalysis libraries that are currently in use do not support C# 10 (where implicit usings were introduced), and therefore will not work with any project that employs them.

The solution is to update the NuGet packages for the Microsoft.CodeAnalysis namespace to take advantage of the latest Roslyn compiler.


JarLob commented on May 27, 2024

Attaching the project I used to reproduce last time.
ConsoleApp2.zip
I don't see any build errors; it just returns 0 warnings in the standalone tool case. Could you please verify?


aronweiler commented on May 27, 2024

Yeah, it's very strange why the compilation is succeeding when there are errors.

I can see the errors when I debug the secure scan tool and put a breakpoint here. Then I look at compilation.GetDiagnostics(), which contains a list of the diagnostic errors.

The list of diagnostics returned by the compilation.GetDiagnostics() call is the following:

C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\obj\Debug\net6.0\ConsoleApp2.GlobalUsings.g.cs(2,1): error CS0116: A namespace cannot directly contain members such as fields or methods
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\obj\Debug\net6.0\ConsoleApp2.GlobalUsings.g.cs(3,1): error CS0116: A namespace cannot directly contain members such as fields or methods
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\obj\Debug\net6.0\ConsoleApp2.GlobalUsings.g.cs(4,1): error CS0116: A namespace cannot directly contain members such as fields or methods
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\obj\Debug\net6.0\ConsoleApp2.GlobalUsings.g.cs(5,1): error CS0116: A namespace cannot directly contain members such as fields or methods
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\obj\Debug\net6.0\ConsoleApp2.GlobalUsings.g.cs(6,1): error CS0116: A namespace cannot directly contain members such as fields or methods
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\obj\Debug\net6.0\ConsoleApp2.GlobalUsings.g.cs(7,1): error CS0116: A namespace cannot directly contain members such as fields or methods
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\obj\Debug\net6.0\ConsoleApp2.GlobalUsings.g.cs(8,1): error CS0116: A namespace cannot directly contain members such as fields or methods
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\Program.cs(10,27): error CS0246: The type or namespace name 'Random' could not be found (are you missing a using directive or an assembly reference?)
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\Program.cs(13,30): error CS0103: The name 'BitConverter' does not exist in the current context
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\obj\Debug\net6.0\.NETCoreApp,Version=v6.0.AssemblyAttributes.cs(3,1): hidden CS8019: Unnecessary using directive.
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\obj\Debug\net6.0\ConsoleApp2.GlobalUsings.g.cs(8,8): hidden CS8019: Unnecessary using directive.
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\obj\Debug\net6.0\ConsoleApp2.GlobalUsings.g.cs(7,8): hidden CS8019: Unnecessary using directive.
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\obj\Debug\net6.0\ConsoleApp2.GlobalUsings.g.cs(6,8): hidden CS8019: Unnecessary using directive.
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\obj\Debug\net6.0\ConsoleApp2.GlobalUsings.g.cs(3,8): hidden CS8019: Unnecessary using directive.
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\obj\Debug\net6.0\ConsoleApp2.GlobalUsings.g.cs(4,8): hidden CS8019: Unnecessary using directive.
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\obj\Debug\net6.0\ConsoleApp2.AssemblyInfo.cs(11,1): hidden CS8019: Unnecessary using directive.
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\obj\Debug\net6.0\ConsoleApp2.GlobalUsings.g.cs(5,8): hidden CS8019: Unnecessary using directive.
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\obj\Debug\net6.0\.NETCoreApp,Version=v6.0.AssemblyAttributes.cs(2,1): hidden CS8019: Unnecessary using directive.
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\obj\Debug\net6.0\ConsoleApp2.AssemblyInfo.cs(12,1): hidden CS8019: Unnecessary using directive.
C:\Temp\ConsoleApp2\ConsoleApp2\ConsoleApp2\obj\Debug\net6.0\ConsoleApp2.GlobalUsings.g.cs(2,8): hidden CS8019: Unnecessary using directive.


aronweiler commented on May 27, 2024

It looks like there are two issues at play here:

  1. .NET 6 code is not compiled correctly because the Microsoft.CodeAnalysis packages do not support C# 10.
  2. The Secure Scan tool is not correctly reporting on compilation issues.

For item 1, the solution is to update the NuGet packages. Item 2 is less straightforward, but it looks like you should be using compilationWithAnalyzers.GetAllDiagnosticsAsync() instead of compilationWithAnalyzers.GetAnalyzerDiagnosticsAsync() here.

I know that you have a flag where I can ignore MSBuild errors, but I am not sure how that would factor in here, especially when a project failing to compile will make it so the secure scan tool misses issues.

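The failure mode discussed above (a scan that reports "0 warnings" because the compilation silently failed) can be closed off in a scanner driver by checking compiler diagnostics before trusting analyzer output. The following is an added example written for this thread, not code from the security-code-scan project; the class name ScanGate, the exit codes and the embedded source snippet are assumptions, and the snippet deliberately omits `using System;` like the Program.cs above so that outside a project with GlobalUsings.g.cs it yields the same CS0246/CS0103 errors the gate must surface.

```csharp
// Added example (not security-code-scan code): fail closed on compiler errors,
// then gather compiler + analyzer diagnostics together.
using System;
using System.Collections.Immutable;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.Diagnostics;

public static class ScanGate
{
    // Constructed repro source: no 'using System;', same as the thread's Program.cs.
    // Without the generated GlobalUsings.g.cs this does not compile (CS0246/CS0103).
    const string Source = @"
public class Program
{
    public static void Main(string[] args)
    {
        var rnd = new Random();          // weak RNG test case
        Console.WriteLine(rnd.Next());
    }
}";

    // Returns 0 = clean, 1 = findings, 2 = build broken (scan result is untrustworthy).
    public static async Task<int> Run(ImmutableArray<DiagnosticAnalyzer> analyzers)
    {
        var parseOptions = new CSharpParseOptions(LanguageVersion.Latest); // C# 10 needs a Roslyn that knows it
        var tree = CSharpSyntaxTree.ParseText(Source, parseOptions);
        var refs = new[]
        {
            MetadataReference.CreateFromFile(typeof(object).Assembly.Location),
            MetadataReference.CreateFromFile(typeof(Console).Assembly.Location),
        };
        var compilation = CSharpCompilation.Create("Repro", new[] { tree }, refs,
            new CSharpCompilationOptions(OutputKind.ConsoleApplication));

        // Step 1: compiler errors leave the semantic model incomplete, so taint and
        // weak-RNG rules may find nothing. Report the errors and refuse to claim "clean".
        var errors = compilation.GetDiagnostics()
            .Where(d => d.Severity == DiagnosticSeverity.Error).ToList();
        if (errors.Count > 0)
        {
            foreach (var e in errors) Console.Error.WriteLine(e);
            return 2;
        }

        // Step 2: GetAllDiagnosticsAsync includes compiler diagnostics alongside the
        // analyzers' findings; GetAnalyzerDiagnosticsAsync would drop the compiler ones.
        var all = await compilation.WithAnalyzers(analyzers).GetAllDiagnosticsAsync();
        var findings = all.Where(d => d.Severity >= DiagnosticSeverity.Warning).ToList();
        foreach (var f in findings) Console.WriteLine(f);
        return findings.Count == 0 ? 0 : 1;
    }
}
```

A CI job can then treat exit code 2 as a pipeline failure rather than a passing scan.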

JarLob commented on May 27, 2024

Thank you for digging into it. I have pushed the fix; it should work now, though it gives some errors and warnings building the .NET 6 project. I have also introduced the ignore compilation errors flag to work around it. To get rid of them completely I think I need to start a new fork for VS2022 and migrate to 4.x CodeAnalysis. This may take a few weeks, as next week is super busy for me. Meanwhile you should be able to run the locally built tool.


aronweiler commented on May 27, 2024

Thanks... I really appreciate your contributions to the community with this project.

Also, I found an issue (or at least I think it's an issue) with MSBuildWorkspace, which is that it does not allow you to load a workspace for a .NET framework that is newer than the one that the project instantiating MSBuildWorkspace is compiled with. This makes it impossible to use your tool on newer frameworks (e.g. .NET 7) without re-compiling your tool using that newer framework.

I filed an issue related to that here: MSBuildWorkspace.Create() fails when pointing to the .NET 7 SDK from a .NET 6 project


aronweiler commented on May 27, 2024

So yeah, it looks like there is no forward compatibility in MSBuildWorkspace, so you'll have to retarget the application to .NET 7 in order to support it 😢
