C#: SQL Injection improvements for SQLite.
The content of this PR addresses the issue: https://github.com/github/codeql-csharp-team/issues/172 Following the link to the original ticket it is worth noting that
- The project referenced on the ticket doesn't build, which could lead to the missing results.
- The project referenced on the ticket is a fork of another project which does build and
- The claimed missing SQL injection is found by our query even though we don't directly support the SQLite framework.
- The claimed missing Second Order SQL injection is in parts of the code that aren't included in the build. That being said, the Second Order SQL injection query will not find this.
In this PR we
- Provide better support for the SQLite framework.
  - Explicit summaries for this framework have been made, including Adapters (which were not supported before).
  - Stubs for the SQLite framework have been included.
  - Coding examples with weaknesses discovered by the SQL injection query are included.
- FileStream and StreamReader summaries.
  - Flow summaries for FileStream and StreamReader have been included.
  - An example similar to the Second Order SQL injection has been provided and will now be caught as a first order SQL injection, if the filename is tainted.
- FileStreams are now considered StoredFlowSources.
  - FileStreams are now considered stored flow sources.
  - Second Order SQL injection now catches an example similar to the one provided in the referenced ticket.
A change note will be added, when the exact scope of the PR is decided.
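The two flows the description refers to, shown as an added illustration that is not code from this PR or from the CodeQL repository: a first-order SQL injection where input is concatenated into the query text, and the second-order shape where the value is first written to a file and later read back through FileStream/StreamReader before reaching the query. Each unsafe method sits next to a parameterized variant. It assumes the System.Data.SQLite provider (SQLiteConnection, SQLiteCommand, SQLiteDataAdapter) is the "SQLite framework" meant here; the class, method and table names are made up for the example.

```csharp
using System;
using System.Data;
using System.Data.SQLite; // assumption: System.Data.SQLite is the SQLite provider in question
using System.IO;

// Added example (not from the PR). Two flows, each with a hardened twin:
//  1. first-order: user input concatenated straight into the query text;
//  2. second-order: input written to a file, read back via
//     FileStream/StreamReader, and only then used in a query.
public static class SqliteQueries
{
    // Unsafe: 'name' becomes part of the SQL text, so a quote in it changes the statement.
    public static DataTable FindUserUnsafe(SQLiteConnection conn, string name)
    {
        string sql = "SELECT id, name FROM users WHERE name = '" + name + "'";
        using var adapter = new SQLiteDataAdapter(sql, conn);
        var table = new DataTable();
        adapter.Fill(table);
        return table;
    }

    // Safe: the value travels as a bound parameter and is never parsed as SQL.
    public static DataTable FindUserSafe(SQLiteConnection conn, string name)
    {
        using var cmd = new SQLiteCommand("SELECT id, name FROM users WHERE name = @name", conn);
        cmd.Parameters.AddWithValue("@name", name);
        using var adapter = new SQLiteDataAdapter(cmd);
        var table = new DataTable();
        adapter.Fill(table);
        return table;
    }

    // Second-order step 1: store the (possibly tainted) value in a file.
    public static void StoreName(string path, string name)
    {
        using var fs = new FileStream(path, FileMode.Create, FileAccess.Write);
        using var writer = new StreamWriter(fs);
        writer.Write(name);
    }

    // Second-order step 2: read it back via FileStream/StreamReader and query with it.
    // Treating the FileStream as a stored flow source is what lets a second-order
    // query connect this read to the SQL sink inside FindUserUnsafe.
    public static DataTable FindUserFromFileUnsafe(SQLiteConnection conn, string path)
    {
        using var fs = new FileStream(path, FileMode.Open, FileAccess.Read);
        using var reader = new StreamReader(fs);
        return FindUserUnsafe(conn, reader.ReadToEnd());
    }

    // Same read, but the value ends up in a bound parameter.
    public static DataTable FindUserFromFileSafe(SQLiteConnection conn, string path)
    {
        using var fs = new FileStream(path, FileMode.Open, FileAccess.Read);
        using var reader = new StreamReader(fs);
        return FindUserSafe(conn, reader.ReadToEnd());
    }

    public static void Main()
    {
        using var conn = new SQLiteConnection("Data Source=:memory:");
        conn.Open();
        using (var setup = new SQLiteCommand(
            "CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT); " +
            "INSERT INTO users(name) VALUES ('alice'), ('O''Brien');", conn))
        {
            setup.ExecuteNonQuery();
        }

        // A legitimate value containing an apostrophe (constructed sample input).
        const string input = "O'Brien";

        Console.WriteLine("safe: " + FindUserSafe(conn, input).Rows.Count + " row(s)");
        try
        {
            Console.WriteLine("unsafe: " + FindUserUnsafe(conn, input).Rows.Count + " row(s)");
        }
        catch (SQLiteException e)
        {
            // The quote breaks the statement: the same defect that makes the query injectable.
            Console.WriteLine("unsafe: query failed: " + e.Message);
        }

        string path = Path.Combine(Path.GetTempPath(), "sqlite-example-name.txt");
        StoreName(path, input);
        Console.WriteLine("second-order safe: " + FindUserFromFileSafe(conn, path).Rows.Count + " row(s)");
        File.Delete(path);
    }
}
```

Run with the System.Data.SQLite package referenced: the parameterized lookups return one row for the apostrophe-bearing name, while the concatenated variant fails with a syntax error on the same input. The second-order pair is the shape the PR wants the query to recognise once FileStream is a stored flow source: the taint does not come from a request, it comes from the file read, and the fix is still parameterization at the sink.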
:warning: The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.
Click to show differences in coverage
csharp
Generated file changes for csharp
- Changes to framework-coverage-csharp.rst:
- System,"``System.*``, ``System``",3,12038,28,5
+ System,"``System.*``, ``System``",3,12044,36,5
- Totals,,3,12599,359,5
+ Totals,,3,12605,367,5
- Changes to framework-coverage-csharp.csv:
- System,28,3,12038,,4,,23,1,3,10096,1942
+ System,36,3,12044,,4,,31,1,3,10102,1942
:warning: The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.
Click to show differences in coverage
csharp
Generated file changes for csharp
- Changes to framework-coverage-csharp.rst:
- System,"``System.*``, ``System``",3,11796,32,7
+ System,"``System.*``, ``System``",3,11802,40,7
- Totals,,3,12357,363,7
+ Totals,,3,12363,371,7
- Changes to framework-coverage-csharp.csv:
- System,32,3,11796,,4,,25,3,3,9854,1942
+ System,40,3,11802,,4,,33,3,3,9860,1942
:warning: The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.
Click to show differences in coverage
csharp
Generated file changes for csharp
- Changes to framework-coverage-csharp.rst:
- System,"``System.*``, ``System``",3,11796,32,7
+ System,"``System.*``, ``System``",4,11803,40,7
- Totals,,3,12357,363,7
+ Totals,,4,12364,371,7
- Changes to framework-coverage-csharp.csv:
- package,sink,source,summary,sink:code,sink:html,sink:remote,sink:sql,sink:xss,source:local,summary:taint,summary:value
+ package,sink,source,summary,sink:code,sink:html,sink:remote,sink:sql,sink:xss,source:file,source:local,summary:taint,summary:value
- Dapper,55,,,,,,55,,,,
+ Dapper,55,,,,,,55,,,,,
- JsonToItemsTaskFactory,,,7,,,,,,,7,
+ JsonToItemsTaskFactory,,,7,,,,,,,,7,
- Microsoft.ApplicationBlocks.Data,28,,,,,,28,,,,
+ Microsoft.ApplicationBlocks.Data,28,,,,,,28,,,,,
- Microsoft.CSharp,,,24,,,,,,,24,
+ Microsoft.CSharp,,,24,,,,,,,,24,
- Microsoft.EntityFrameworkCore,6,,,,,,6,,,,
+ Microsoft.EntityFrameworkCore,6,,,,,,6,,,,,
- Microsoft.Extensions.Caching.Distributed,,,15,,,,,,,15,
+ Microsoft.Extensions.Caching.Distributed,,,15,,,,,,,,15,
- Microsoft.Extensions.Caching.Memory,,,46,,,,,,,45,1
+ Microsoft.Extensions.Caching.Memory,,,46,,,,,,,,45,1
- Microsoft.Extensions.Configuration,,,83,,,,,,,80,3
+ Microsoft.Extensions.Configuration,,,83,,,,,,,,80,3
- Microsoft.Extensions.DependencyInjection,,,62,,,,,,,62,
+ Microsoft.Extensions.DependencyInjection,,,62,,,,,,,,62,
- Microsoft.Extensions.DependencyModel,,,12,,,,,,,12,
+ Microsoft.Extensions.DependencyModel,,,12,,,,,,,,12,
- Microsoft.Extensions.FileProviders,,,15,,,,,,,15,
+ Microsoft.Extensions.FileProviders,,,15,,,,,,,,15,
- Microsoft.Extensions.FileSystemGlobbing,,,15,,,,,,,13,2
+ Microsoft.Extensions.FileSystemGlobbing,,,15,,,,,,,,13,2
- Microsoft.Extensions.Hosting,,,17,,,,,,,16,1
+ Microsoft.Extensions.Hosting,,,17,,,,,,,,16,1
- Microsoft.Extensions.Http,,,10,,,,,,,10,
+ Microsoft.Extensions.Http,,,10,,,,,,,,10,
- Microsoft.Extensions.Logging,,,37,,,,,,,37,
+ Microsoft.Extensions.Logging,,,37,,,,,,,,37,
- Microsoft.Extensions.Options,,,8,,,,,,,8,
+ Microsoft.Extensions.Options,,,8,,,,,,,,8,
- Microsoft.Extensions.Primitives,,,63,,,,,,,63,
+ Microsoft.Extensions.Primitives,,,63,,,,,,,,63,
- Microsoft.Interop,,,27,,,,,,,27,
+ Microsoft.Interop,,,27,,,,,,,,27,
- Microsoft.NET.Build.Tasks,,,1,,,,,,,1,
+ Microsoft.NET.Build.Tasks,,,1,,,,,,,,1,
- Microsoft.NETCore.Platforms.BuildTasks,,,4,,,,,,,4,
+ Microsoft.NETCore.Platforms.BuildTasks,,,4,,,,,,,,4,
- Microsoft.VisualBasic,,,9,,,,,,,5,4
+ Microsoft.VisualBasic,,,9,,,,,,,,5,4
- Microsoft.Win32,,,8,,,,,,,8,
+ Microsoft.Win32,,,8,,,,,,,,8,
- MySql.Data.MySqlClient,48,,,,,,48,,,,
+ MySql.Data.MySqlClient,48,,,,,,48,,,,,
- Newtonsoft.Json,,,91,,,,,,,73,18
+ Newtonsoft.Json,,,91,,,,,,,,73,18
- ServiceStack,194,,7,27,,75,92,,,7,
+ ServiceStack,194,,7,27,,75,92,,,,7,
- System,32,3,11796,,4,,25,3,3,9854,1942
+ System,40,4,11803,,4,,33,3,1,3,9861,1942
:warning: The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.
Click to show differences in coverage
csharp
Generated file changes for csharp
- Changes to framework-coverage-csharp.rst:
- System,"``System.*``, ``System``",3,11796,32,7
+ System,"``System.*``, ``System``",4,11810,40,7
- Totals,,3,12357,363,7
+ Totals,,4,12371,371,7
- Changes to framework-coverage-csharp.csv:
- package,sink,source,summary,sink:code,sink:html,sink:remote,sink:sql,sink:xss,source:local,summary:taint,summary:value
+ package,sink,source,summary,sink:code,sink:html,sink:remote,sink:sql,sink:xss,source:file,source:local,summary:taint,summary:value
- Dapper,55,,,,,,55,,,,
+ Dapper,55,,,,,,55,,,,,
- JsonToItemsTaskFactory,,,7,,,,,,,7,
+ JsonToItemsTaskFactory,,,7,,,,,,,,7,
- Microsoft.ApplicationBlocks.Data,28,,,,,,28,,,,
+ Microsoft.ApplicationBlocks.Data,28,,,,,,28,,,,,
- Microsoft.CSharp,,,24,,,,,,,24,
+ Microsoft.CSharp,,,24,,,,,,,,24,
- Microsoft.EntityFrameworkCore,6,,,,,,6,,,,
+ Microsoft.EntityFrameworkCore,6,,,,,,6,,,,,
- Microsoft.Extensions.Caching.Distributed,,,15,,,,,,,15,
+ Microsoft.Extensions.Caching.Distributed,,,15,,,,,,,,15,
- Microsoft.Extensions.Caching.Memory,,,46,,,,,,,45,1
+ Microsoft.Extensions.Caching.Memory,,,46,,,,,,,,45,1
- Microsoft.Extensions.Configuration,,,83,,,,,,,80,3
+ Microsoft.Extensions.Configuration,,,83,,,,,,,,80,3
- Microsoft.Extensions.DependencyInjection,,,62,,,,,,,62,
+ Microsoft.Extensions.DependencyInjection,,,62,,,,,,,,62,
- Microsoft.Extensions.DependencyModel,,,12,,,,,,,12,
+ Microsoft.Extensions.DependencyModel,,,12,,,,,,,,12,
- Microsoft.Extensions.FileProviders,,,15,,,,,,,15,
+ Microsoft.Extensions.FileProviders,,,15,,,,,,,,15,
- Microsoft.Extensions.FileSystemGlobbing,,,15,,,,,,,13,2
+ Microsoft.Extensions.FileSystemGlobbing,,,15,,,,,,,,13,2
- Microsoft.Extensions.Hosting,,,17,,,,,,,16,1
+ Microsoft.Extensions.Hosting,,,17,,,,,,,,16,1
- Microsoft.Extensions.Http,,,10,,,,,,,10,
+ Microsoft.Extensions.Http,,,10,,,,,,,,10,
- Microsoft.Extensions.Logging,,,37,,,,,,,37,
+ Microsoft.Extensions.Logging,,,37,,,,,,,,37,
- Microsoft.Extensions.Options,,,8,,,,,,,8,
+ Microsoft.Extensions.Options,,,8,,,,,,,,8,
- Microsoft.Extensions.Primitives,,,63,,,,,,,63,
+ Microsoft.Extensions.Primitives,,,63,,,,,,,,63,
- Microsoft.Interop,,,27,,,,,,,27,
+ Microsoft.Interop,,,27,,,,,,,,27,
- Microsoft.NET.Build.Tasks,,,1,,,,,,,1,
+ Microsoft.NET.Build.Tasks,,,1,,,,,,,,1,
- Microsoft.NETCore.Platforms.BuildTasks,,,4,,,,,,,4,
+ Microsoft.NETCore.Platforms.BuildTasks,,,4,,,,,,,,4,
- Microsoft.VisualBasic,,,9,,,,,,,5,4
+ Microsoft.VisualBasic,,,9,,,,,,,,5,4
- Microsoft.Win32,,,8,,,,,,,8,
+ Microsoft.Win32,,,8,,,,,,,,8,
- MySql.Data.MySqlClient,48,,,,,,48,,,,
+ MySql.Data.MySqlClient,48,,,,,,48,,,,,
- Newtonsoft.Json,,,91,,,,,,,73,18
+ Newtonsoft.Json,,,91,,,,,,,,73,18
- ServiceStack,194,,7,27,,75,92,,,7,
+ ServiceStack,194,,7,27,,75,92,,,,7,
- System,32,3,11796,,4,,25,3,3,9854,1942
+ System,40,4,11810,,4,,33,3,1,3,9868,1942
:warning: The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.
Click to show differences in coverage
csharp
Generated file changes for csharp
- Changes to framework-coverage-csharp.rst:
- System,"``System.*``, ``System``",3,11796,32,7
+ System,"``System.*``, ``System``",4,11809,40,7
- Totals,,3,12357,363,7
+ Totals,,4,12370,371,7
- Changes to framework-coverage-csharp.csv:
- package,sink,source,summary,sink:code,sink:html,sink:remote,sink:sql,sink:xss,source:local,summary:taint,summary:value
+ package,sink,source,summary,sink:code,sink:html,sink:remote,sink:sql,sink:xss,source:file,source:local,summary:taint,summary:value
- Dapper,55,,,,,,55,,,,
+ Dapper,55,,,,,,55,,,,,
- JsonToItemsTaskFactory,,,7,,,,,,,7,
+ JsonToItemsTaskFactory,,,7,,,,,,,,7,
- Microsoft.ApplicationBlocks.Data,28,,,,,,28,,,,
+ Microsoft.ApplicationBlocks.Data,28,,,,,,28,,,,,
- Microsoft.CSharp,,,24,,,,,,,24,
+ Microsoft.CSharp,,,24,,,,,,,,24,
- Microsoft.EntityFrameworkCore,6,,,,,,6,,,,
+ Microsoft.EntityFrameworkCore,6,,,,,,6,,,,,
- Microsoft.Extensions.Caching.Distributed,,,15,,,,,,,15,
+ Microsoft.Extensions.Caching.Distributed,,,15,,,,,,,,15,
- Microsoft.Extensions.Caching.Memory,,,46,,,,,,,45,1
+ Microsoft.Extensions.Caching.Memory,,,46,,,,,,,,45,1
- Microsoft.Extensions.Configuration,,,83,,,,,,,80,3
+ Microsoft.Extensions.Configuration,,,83,,,,,,,,80,3
- Microsoft.Extensions.DependencyInjection,,,62,,,,,,,62,
+ Microsoft.Extensions.DependencyInjection,,,62,,,,,,,,62,
- Microsoft.Extensions.DependencyModel,,,12,,,,,,,12,
+ Microsoft.Extensions.DependencyModel,,,12,,,,,,,,12,
- Microsoft.Extensions.FileProviders,,,15,,,,,,,15,
+ Microsoft.Extensions.FileProviders,,,15,,,,,,,,15,
- Microsoft.Extensions.FileSystemGlobbing,,,15,,,,,,,13,2
+ Microsoft.Extensions.FileSystemGlobbing,,,15,,,,,,,,13,2
- Microsoft.Extensions.Hosting,,,17,,,,,,,16,1
+ Microsoft.Extensions.Hosting,,,17,,,,,,,,16,1
- Microsoft.Extensions.Http,,,10,,,,,,,10,
+ Microsoft.Extensions.Http,,,10,,,,,,,,10,
- Microsoft.Extensions.Logging,,,37,,,,,,,37,
+ Microsoft.Extensions.Logging,,,37,,,,,,,,37,
- Microsoft.Extensions.Options,,,8,,,,,,,8,
+ Microsoft.Extensions.Options,,,8,,,,,,,,8,
- Microsoft.Extensions.Primitives,,,63,,,,,,,63,
+ Microsoft.Extensions.Primitives,,,63,,,,,,,,63,
- Microsoft.Interop,,,27,,,,,,,27,
+ Microsoft.Interop,,,27,,,,,,,,27,
- Microsoft.NET.Build.Tasks,,,1,,,,,,,1,
+ Microsoft.NET.Build.Tasks,,,1,,,,,,,,1,
- Microsoft.NETCore.Platforms.BuildTasks,,,4,,,,,,,4,
+ Microsoft.NETCore.Platforms.BuildTasks,,,4,,,,,,,,4,
- Microsoft.VisualBasic,,,9,,,,,,,5,4
+ Microsoft.VisualBasic,,,9,,,,,,,,5,4
- Microsoft.Win32,,,8,,,,,,,8,
+ Microsoft.Win32,,,8,,,,,,,,8,
- MySql.Data.MySqlClient,48,,,,,,48,,,,
+ MySql.Data.MySqlClient,48,,,,,,48,,,,,
- Newtonsoft.Json,,,91,,,,,,,73,18
+ Newtonsoft.Json,,,91,,,,,,,,73,18
- ServiceStack,194,,7,27,,75,92,,,7,
+ ServiceStack,194,,7,27,,75,92,,,,7,
- System,32,3,11796,,4,,25,3,3,9854,1942
+ System,40,4,11809,,4,,33,3,1,3,9867,1942
:warning: The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.
Click to show differences in coverage
csharp
Generated file changes for csharp
- Changes to framework-coverage-csharp.rst:
- System,"``System.*``, ``System``",3,11796,35,7
+ System,"``System.*``, ``System``",4,11809,43,7
- Totals,,3,12357,367,7
+ Totals,,4,12370,375,7
- Changes to framework-coverage-csharp.csv:
- package,sink,source,summary,sink:code,sink:encryption-decryptor,sink:encryption-encryptor,sink:encryption-keyprop,sink:encryption-symmetrickey,sink:html,sink:remote,sink:sql,sink:xss,source:local,summary:taint,summary:value
+ package,sink,source,summary,sink:code,sink:encryption-decryptor,sink:encryption-encryptor,sink:encryption-keyprop,sink:encryption-symmetrickey,sink:html,sink:remote,sink:sql,sink:xss,source:file,source:local,summary:taint,summary:value
- Dapper,55,,,,,,,,,,55,,,,
+ Dapper,55,,,,,,,,,,55,,,,,
- JsonToItemsTaskFactory,,,7,,,,,,,,,,,7,
+ JsonToItemsTaskFactory,,,7,,,,,,,,,,,,7,
- Microsoft.ApplicationBlocks.Data,28,,,,,,,,,,28,,,,
+ Microsoft.ApplicationBlocks.Data,28,,,,,,,,,,28,,,,,
- Microsoft.CSharp,,,24,,,,,,,,,,,24,
+ Microsoft.CSharp,,,24,,,,,,,,,,,,24,
- Microsoft.EntityFrameworkCore,6,,,,,,,,,,6,,,,
+ Microsoft.EntityFrameworkCore,6,,,,,,,,,,6,,,,,
- Microsoft.Extensions.Caching.Distributed,,,15,,,,,,,,,,,15,
+ Microsoft.Extensions.Caching.Distributed,,,15,,,,,,,,,,,,15,
- Microsoft.Extensions.Caching.Memory,,,46,,,,,,,,,,,45,1
+ Microsoft.Extensions.Caching.Memory,,,46,,,,,,,,,,,,45,1
- Microsoft.Extensions.Configuration,,,83,,,,,,,,,,,80,3
+ Microsoft.Extensions.Configuration,,,83,,,,,,,,,,,,80,3
- Microsoft.Extensions.DependencyInjection,,,62,,,,,,,,,,,62,
+ Microsoft.Extensions.DependencyInjection,,,62,,,,,,,,,,,,62,
- Microsoft.Extensions.DependencyModel,,,12,,,,,,,,,,,12,
+ Microsoft.Extensions.DependencyModel,,,12,,,,,,,,,,,,12,
- Microsoft.Extensions.FileProviders,,,15,,,,,,,,,,,15,
+ Microsoft.Extensions.FileProviders,,,15,,,,,,,,,,,,15,
- Microsoft.Extensions.FileSystemGlobbing,,,15,,,,,,,,,,,13,2
+ Microsoft.Extensions.FileSystemGlobbing,,,15,,,,,,,,,,,,13,2
- Microsoft.Extensions.Hosting,,,17,,,,,,,,,,,16,1
+ Microsoft.Extensions.Hosting,,,17,,,,,,,,,,,,16,1
- Microsoft.Extensions.Http,,,10,,,,,,,,,,,10,
+ Microsoft.Extensions.Http,,,10,,,,,,,,,,,,10,
- Microsoft.Extensions.Logging,,,37,,,,,,,,,,,37,
+ Microsoft.Extensions.Logging,,,37,,,,,,,,,,,,37,
- Microsoft.Extensions.Options,,,8,,,,,,,,,,,8,
+ Microsoft.Extensions.Options,,,8,,,,,,,,,,,,8,
- Microsoft.Extensions.Primitives,,,63,,,,,,,,,,,63,
+ Microsoft.Extensions.Primitives,,,63,,,,,,,,,,,,63,
- Microsoft.Interop,,,27,,,,,,,,,,,27,
+ Microsoft.Interop,,,27,,,,,,,,,,,,27,
- Microsoft.NET.Build.Tasks,,,1,,,,,,,,,,,1,
+ Microsoft.NET.Build.Tasks,,,1,,,,,,,,,,,,1,
- Microsoft.NETCore.Platforms.BuildTasks,,,4,,,,,,,,,,,4,
+ Microsoft.NETCore.Platforms.BuildTasks,,,4,,,,,,,,,,,,4,
- Microsoft.VisualBasic,,,9,,,,,,,,,,,5,4
+ Microsoft.VisualBasic,,,9,,,,,,,,,,,,5,4
- Microsoft.Win32,,,8,,,,,,,,,,,8,
+ Microsoft.Win32,,,8,,,,,,,,,,,,8,
- MySql.Data.MySqlClient,48,,,,,,,,,,48,,,,
+ MySql.Data.MySqlClient,48,,,,,,,,,,48,,,,,
- Newtonsoft.Json,,,91,,,,,,,,,,,73,18
+ Newtonsoft.Json,,,91,,,,,,,,,,,,73,18
- ServiceStack,194,,7,27,,,,,,75,92,,,7,
+ ServiceStack,194,,7,27,,,,,,75,92,,,,7,
- System,35,3,11796,,1,1,1,,4,,25,3,3,9854,1942
+ System,43,4,11809,,1,1,1,,4,,33,3,1,3,9867,1942
- Windows.Security.Cryptography.Core,1,,,,,,,1,,,,,,,
+ Windows.Security.Cryptography.Core,1,,,,,,,1,,,,,,,,
Unit tests are failing; otherwise LGTM.
Yes, this is due to the rebase after the new stubs were generated. Will fix. I will also add a release note and start DCA.
Lots of projects failed in DCA. Will re-execute DCA as there is an alerts diff on the projects that succeeded (which is not totally unexpected).
Comments on the DCA execution
- There are no performance regressions.
- The failure of ASP.NET Core is most likely unrelated (it fails with out of memory - the same was the case for the nightly run)
- The new alerts are all for queries that use StoredFlowSource as a source of taint and where the first step is opening a FileStream, which makes sense, since we now consider a file a StoredFlowSource. Are these alerts something we want?
AFAICT, there are no new results on WebGoat. Were we expecting that?
No, we were not expecting more results. (1) The first order SQL injection result was already found without any changes. (2) The second SQL injection result will not be found as the referenced code is not included in the compilation of the project.
the referenced code is not included in the compilation of the project
🤦