
Manual updates 20240502 security wave 1

Open moljac opened this issue 1 year ago • 15 comments

Does this change any of the generated binding API's?

No.

Describe your contribution

C&AI Security Wave 1

This is the 1st part of a set of security improvements for the AX repo

  1. Added NuGetAudit properties https://learn.microsoft.com/en-us/nuget/concepts/auditing-packages
  2. TODO: Added SAST tool .NET Security Guard. Needs investigation: adding the NuGet SecurityCodeScan.VS2019 causes build issues (see comments) https://owasp.org/www-community/Source_Code_Analysis_Tools

EDIT:

Builds with net9.0-rc1 revealed a few security warnings

https://github.com/xamarin/AndroidX/pull/996

.NET is designed with security in mind, but security issues can happen, especially through transitive dependencies, which are scanned by NuGetAudit, while SecurityCodeScan.VS2019 is a static analysis tool that can help identify security vulnerabilities in the code used in this repo. Admittedly this repo does not use many security-critical .NET BCL APIs, but this NuGet will act preventively if such API calls are added.

moljac avatar May 03 '24 08:05 moljac
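The NuGetAudit properties referenced in item 1 are MSBuild settings; the following `Directory.Build.props` fragment is an added illustration of how they are typically enabled repo-wide, not the actual diff of this PR. The property names (`NuGetAudit`, `NuGetAuditMode`, `NuGetAuditLevel`) and the NU1903/NU1904 warning codes for high and critical advisories are the documented NuGet ones; the decision to escalate those two codes to errors is an assumption about policy, not something this PR states.

```xml
<Project>
  <PropertyGroup>
    <!-- Have NuGet restore check referenced packages against known vulnerability advisories -->
    <NuGetAudit>true</NuGetAudit>
    <!-- "direct" audits only top-level PackageReferences; "all" also covers transitive packages -->
    <NuGetAuditMode>all</NuGetAuditMode>
    <!-- Lowest severity that produces a warning: low | moderate | high | critical -->
    <NuGetAuditLevel>low</NuGetAuditLevel>
    <!-- Assumed policy: high (NU1903) and critical (NU1904) advisories fail the build
         instead of scrolling past as warnings -->
    <WarningsAsErrors>$(WarningsAsErrors);NU1903;NU1904</WarningsAsErrors>
  </PropertyGroup>
</Project>
```

Because the audit runs at restore time, a developer sees the NU190x warning on a local `dotnet build` before anything is pushed, which is the "prevention as early as possible" point made later in this thread.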

A few additional thoughts:

  1. "false negative" problem

    Functionality of security scanning tools (AV scanners, static code analyzers, ...) is usually expressed as a percentage of detected issues, and that is never 100%. Having more tools (eyes) should increase accuracy, i.e. decrease the "false negative" percentage.

    .NET security issues are mostly ASP.NET related. For this repo the following could be interesting:

    • SCS0001 - Command Injection

    • SCS0003 - XPath Injection

    • XML eXternal Entity Injection (XXE)

    • SCS0018 - Path Traversal

    • few crypto and security related (hardcoded passwords)

    • XSLT settings

    • SCS0028 - Insecure Deserialization

  2. location (local or cloud)

    CodeQL works on CI, after commit and push. This NuGet works during builds, so issues can be fixed before they are committed. IMO prevention should occur as early as possible.

  3. reporting, analysis, fixing

Reporting and analysis are also easier if done locally (on premise).

Before I started writing this comment I found out that CodeQL has some issues for our builds.

https://github.com/dotnet/android-libraries/security

https://github.com/dotnet/android-libraries/security/code-scanning/tools/CodeQL/status/configurations/automatic/9283c23397ab89b9cdebcdba43eab0be03d8f3e5cbdb50d380d9781e6e595f3f

moljac avatar Nov 07 '24 09:11 moljac
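To make the rule list above concrete, here is an added C# illustration (not code from the AndroidX repo, and not an excerpt from the SecurityCodeScan test suite) of the shape of code that SCS0018 (Path Traversal) and SCS0001 (Command Injection) are designed to report, each beside a form that removes the tainted-data flow. The class and method names are hypothetical.

```csharp
using System;
using System.Diagnostics;
using System.IO;

// Hypothetical helper class used only to show the two patterns side by side.
public static class ScsExamples
{
    // SCS0018 pattern: a caller-controlled file name is joined to a base directory
    // and opened as-is. A name containing parent-directory segments escapes baseDir,
    // and the analyzer flags the flow from the parameter into File.ReadAllText.
    public static string ReadFileUnsafe(string baseDir, string userName)
    {
        return File.ReadAllText(Path.Combine(baseDir, userName));
    }

    // Hardened form: canonicalize both paths, then require the result to still sit
    // under the base directory before touching the filesystem.
    public static string ReadFileSafe(string baseDir, string userName)
    {
        string root = Path.GetFullPath(baseDir)
                          .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, userName));

        // Ordinal comparison; on case-insensitive filesystems use OrdinalIgnoreCase.
        if (!full.StartsWith(root, StringComparison.Ordinal))
            throw new UnauthorizedAccessException("path escapes base directory");

        return File.ReadAllText(full);
    }

    // SCS0001 pattern: user input is spliced into a shell command line, so shell
    // metacharacters in userArg change which commands run.
    public static void RunUnsafe(string userArg)
    {
        Process.Start("/bin/sh", "-c \"ls " + userArg + "\"");
    }

    // Hardened form: no shell is involved and each argument is passed as its own
    // element, so the input is only ever data to the child process.
    public static void RunSafe(string userArg)
    {
        var psi = new ProcessStartInfo("ls") { UseShellExecute = false };
        psi.ArgumentList.Add(userArg);
        using var p = Process.Start(psi);
        p?.WaitForExit();
    }
}
```

With the analyzer referenced in the project, the two `Unsafe` methods produce SCS0018 and SCS0001 diagnostics at build time, which is exactly the local, pre-commit feedback loop argued for in item 2.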

/azp run

moljac avatar Dec 19 '24 13:12 moljac

Azure Pipelines successfully started running 1 pipeline(s).

azure-pipelines[bot] avatar Dec 19 '24 13:12 azure-pipelines[bot]

/azp run

moljac avatar Jan 09 '25 19:01 moljac

Azure Pipelines successfully started running 1 pipeline(s).

azure-pipelines[bot] avatar Jan 09 '25 19:01 azure-pipelines[bot]

/azp run

moljac avatar Jan 17 '25 10:01 moljac

Azure Pipelines successfully started running 1 pipeline(s).

azure-pipelines[bot] avatar Jan 17 '25 10:01 azure-pipelines[bot]

/azp run

moljac avatar Feb 04 '25 20:02 moljac

Azure Pipelines successfully started running 1 pipeline(s).

azure-pipelines[bot] avatar Feb 04 '25 20:02 azure-pipelines[bot]

/azp run

moljac avatar Mar 04 '25 07:03 moljac

Azure Pipelines successfully started running 1 pipeline(s).

azure-pipelines[bot] avatar Mar 04 '25 07:03 azure-pipelines[bot]

/azp run

moljac avatar Mar 13 '25 15:03 moljac

Azure Pipelines successfully started running 1 pipeline(s).

azure-pipelines[bot] avatar Mar 13 '25 15:03 azure-pipelines[bot]

/azp run

moljac avatar Apr 26 '25 16:04 moljac

Azure Pipelines successfully started running 1 pipeline(s).

azure-pipelines[bot] avatar Apr 26 '25 16:04 azure-pipelines[bot]