
Commit dd6fd40

authored
Merge pull request #335 from calumgrant/cs/cwe-937
C#: New query VulnerablePackage
2 parents 40def8d + fde3341 commit dd6fd40


14 files changed

+528
-16
lines changed


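--- a/change-notes/1.19/analysis-csharp.md
+++ b/change-notes/1.19/analysis-csharp.md
@@ -10,7 +10,8 @@
 
 | **Query** | **Tags** | **Purpose** |
 |-----------------------------|-----------|--------------------------------------------------------------------|
-| *@name of query (Query ID)* | *Tags* |*Aim of the new query and whether it is enabled by default or not* |
+| Using a package with a known vulnerability (cs/use-of-vulnerable-package) | security, external/cwe/cwe-937 | Finds project build files that import packages with known vulnerabilities. This is included by default. |
+
 
 ## Changes to existing queries
 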
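--- a/csharp/extractor/Semmle.Autobuild.Tests/BuildScripts.cs
+++ b/csharp/extractor/Semmle.Autobuild.Tests/BuildScripts.cs
@@ -358,7 +358,7 @@ public void TestDefaultCSharpAutoBuilder()
 Actions.RunProcess["cmd.exe /C dotnet restore"] = 0;
 Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --auto dotnet build --no-incremental /p:UseSharedCompilation=false"] = 0;
 Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
-Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config"] = 0;
+Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
 Actions.FileExists["csharp.log"] = true;
 Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null;
 Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null;
@@ -377,7 +377,7 @@ public void TestLinuxCSharpAutoBuilder()
 Actions.RunProcess["dotnet restore"] = 0;
 Actions.RunProcess[@"C:\odasa\tools\odasa index --auto dotnet build --no-incremental /p:UseSharedCompilation=false"] = 0;
 Actions.RunProcess[@"C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
-Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config"] = 0;
+Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
 Actions.FileExists["csharp.log"] = true;
 Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null;
 Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null;
@@ -488,7 +488,7 @@ public void TestLinuxBuildlessExtractionSuccess()
 {
 Actions.RunProcess[@"C:\odasa\tools\csharp\Semmle.Extraction.CSharp.Standalone --references:."] = 0;
 Actions.RunProcess[@"C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
-Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config"] = 0;
+Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
 Actions.FileExists["csharp.log"] = true;
 Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null;
 Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null;
@@ -520,7 +520,7 @@ public void TestLinuxBuildlessExtractionSolution()
 {
 Actions.RunProcess[@"C:\odasa\tools\csharp\Semmle.Extraction.CSharp.Standalone foo.sln --references:."] = 0;
 Actions.RunProcess[@"C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
-Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config"] = 0;
+Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
 Actions.FileExists["csharp.log"] = true;
 Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null;
 Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null;
@@ -564,7 +564,7 @@ public void TestLinuxBuildCommand()
 {
 Actions.RunProcess["C:\\odasa\\tools\\odasa index --auto \"./build.sh --skip-tests\""] = 0;
 Actions.RunProcess[@"C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
-Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config"] = 0;
+Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
 Actions.FileExists["csharp.log"] = true;
 Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null;
 Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null;
@@ -589,7 +589,7 @@ public void TestLinuxBuildSh()
 Actions.RunProcess[@"C:\odasa\tools\odasa index --auto build/build.sh"] = 0;
 Actions.RunProcessWorkingDirectory[@"C:\odasa\tools\odasa index --auto build/build.sh"] = "build";
 Actions.RunProcess[@"C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
-Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config"] = 0;
+Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
 Actions.FileExists["csharp.log"] = true;
 
 var autobuilder = CreateAutoBuilder("csharp", false);
@@ -643,7 +643,7 @@ public void TestWindowsBuildBat()
 Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --auto build.bat"] = 0;
 Actions.RunProcessWorkingDirectory[@"cmd.exe /C C:\odasa\tools\odasa index --auto build.bat"] = "";
 Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
-Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config"] = 0;
+Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
 Actions.FileExists["csharp.log"] = true;
 
 var autobuilder = CreateAutoBuilder("csharp", true);
@@ -694,7 +694,7 @@ public void TestWindowCSharpMsBuild()
 Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\csharp\nuget\nuget.exe restore C:\Project\test2.sln"] = 0;
 Actions.RunProcess["cmd.exe /C CALL ^\"C:\\Program Files ^(x86^)\\Microsoft Visual Studio 12.0\\VC\\vcvarsall.bat^\" && C:\\odasa\\tools\\odasa index --auto msbuild C:\\Project\\test2.sln /p:UseSharedCompilation=false /t:Windows /p:Platform=\"x86\" /p:Configuration=\"Debug\" /p:MvcBuildViews=true /P:Fu=Bar"] = 0;
 Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
-Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config"] = 0;
+Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
 Actions.FileExists["csharp.log"] = true;
 Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe"] = false;
 Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat"] = false;
@@ -750,7 +750,7 @@ public void TestSkipNugetMsBuild()
 Actions.RunProcess["cmd.exe /C CALL ^\"C:\\Program Files ^(x86^)\\Microsoft Visual Studio 12.0\\VC\\vcvarsall.bat^\" && C:\\odasa\\tools\\odasa index --auto msbuild C:\\Project\\test1.sln /p:UseSharedCompilation=false /t:Windows /p:Platform=\"x86\" /p:Configuration=\"Debug\" /p:MvcBuildViews=true /P:Fu=Bar"] = 0;
 Actions.RunProcess["cmd.exe /C CALL ^\"C:\\Program Files ^(x86^)\\Microsoft Visual Studio 12.0\\VC\\vcvarsall.bat^\" && C:\\odasa\\tools\\odasa index --auto msbuild C:\\Project\\test2.sln /p:UseSharedCompilation=false /t:Windows /p:Platform=\"x86\" /p:Configuration=\"Debug\" /p:MvcBuildViews=true /P:Fu=Bar"] = 0;
 Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
-Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config"] = 0;
+Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
 Actions.FileExists["csharp.log"] = true;
 Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe"] = false;
 Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat"] = false;
@@ -778,7 +778,7 @@ public void TestSkipNugetBuildless()
 {
 Actions.RunProcess[@"C:\odasa\tools\csharp\Semmle.Extraction.CSharp.Standalone foo.sln --references:. --skip-nuget"] = 0;
 Actions.RunProcess[@"C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
-Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config"] = 0;
+Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
 Actions.FileExists["csharp.log"] = true;
 Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null;
 Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null;
@@ -798,7 +798,7 @@ public void TestSkipNugetDotnet()
 Actions.RunProcess["dotnet restore"] = 0;
 Actions.RunProcess[@"C:\odasa\tools\odasa index --auto dotnet build --no-incremental /p:UseSharedCompilation=false --no-restore"] = 0;
 Actions.RunProcess[@"C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
-Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config"] = 0;
+Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
 Actions.FileExists["csharp.log"] = true;
 Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null;
 Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null;
@@ -822,7 +822,7 @@ public void TestDotnetVersionNotInstalled()
 Actions.RunProcess[@"C:\Project\.dotnet\dotnet restore"] = 0;
 Actions.RunProcess[@"C:\odasa\tools\odasa index --auto C:\Project\.dotnet\dotnet build --no-incremental /p:UseSharedCompilation=false"] = 0;
 Actions.RunProcess[@"C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
-Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config"] = 0;
+Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
 Actions.FileExists["csharp.log"] = true;
 Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null;
 Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null;
@@ -847,7 +847,7 @@ public void TestDotnetVersionAlreadyInstalled()
 Actions.RunProcess[@"C:\Project\.dotnet\dotnet restore"] = 0;
 Actions.RunProcess[@"C:\odasa\tools\odasa index --auto C:\Project\.dotnet\dotnet build --no-incremental /p:UseSharedCompilation=false"] = 0;
 Actions.RunProcess[@"C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
-Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config"] = 0;
+Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
 Actions.FileExists["csharp.log"] = true;
 Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null;
 Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null;
@@ -870,7 +870,7 @@ public void TestDotnetVersionWindows()
 Actions.RunProcess[@"cmd.exe /C C:\Project\.dotnet\dotnet restore"] = 0;
 Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --auto C:\Project\.dotnet\dotnet build --no-incremental /p:UseSharedCompilation=false"] = 0;
 Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
-Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config"] = 0;
+Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
 Actions.FileExists["csharp.log"] = true;
 Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null;
 Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null;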
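Review bot: The new expected argument string `index --xml --extensions config csproj props xml` is now pasted verbatim into fourteen test methods (the hunk at line 361 and the thirteen that follow it), so the next time the extension list in XmlBuildRule changes, every one of these expectations has to be edited by hand and a missed one fails only at runtime. A single `private const string XmlIndexArgs = "index --xml --extensions config csproj props xml";` on the test class, interpolated into each expectation, would make that a one-line change and keep the tests visibly in step with the rule under test. Each test method's body starts and ends outside its hunk, so the exact placement of the constant is not visible here.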

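--- a/csharp/extractor/Semmle.Autobuild/XmlBuildRule.cs
+++ b/csharp/extractor/Semmle.Autobuild/XmlBuildRule.cs
@@ -11,7 +11,7 @@ public BuildScript Analyse(Autobuilder builder)
 {
 var command = new CommandBuilder(builder.Actions).
 RunCommand(builder.Odasa).
-Argument("index --xml --extensions config");
+Argument("index --xml --extensions config csproj props xml");
 return command.Script;
 }
 }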
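Review bot: The widened extension list on the `Argument(...)` line is undocumented, and nothing in the file says why `csproj` and `props` are now indexed, so a later cleanup could drop them and silently blind the vulnerable-package query this commit introduces. A short why-comment above the call would pin the dependency: `// csproj/props/xml are indexed so project build files (package references) are visible to queries such as cs/use-of-vulnerable-package; config covers packages.config.` The `xml` entry is a broad match and will presumably pull every XML file under the project root into the index; if that is intentional, it is worth stating in the same comment, since it affects extraction time and snapshot size. The enclosing class starts outside the hunk.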
