Merge branch 'main' into csharp-ext

2026-04-28 02:05:14 +02:00 · 2023-06-22 13:30:08 +01:00
parent 62b3d5ea19 7efbd8828b
commit 0fcc1cb588
375 changed files with 2061 additions and 993 deletions
--- a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.5.3
+
+No user-facing changes.
+
 ## 1.5.2

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.5.3.md
+++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.5.3.md
@@ -0,0 +1,3 @@
+## 1.5.3
+
+No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.5.2
+lastReleaseVersion: 1.5.3
--- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.5.3-dev
+version: 1.5.4-dev
 groups:
    - csharp
    - solorigate
--- a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.5.3
+
+No user-facing changes.
+
 ## 1.5.2

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.5.3.md
+++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.5.3.md
@@ -0,0 +1,3 @@
+## 1.5.3
+
+No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.5.2
+lastReleaseVersion: 1.5.3
--- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.5.3-dev
+version: 1.5.4-dev
 groups:
    - csharp
    - solorigate
--- a/csharp/ql/lib/CHANGELOG.md
+++ b/csharp/ql/lib/CHANGELOG.md
@@ -1,3 +1,24 @@
+## 0.6.3
+
+### Major Analysis Improvements
+
+* The extractor has been changed to run after the traced compiler call. This allows inspecting compiler generated files, such as the output of source generators. With this change, `.cshtml` files and their generated `.cshtml.g.cs` counterparts are extracted on dotnet 6 and above.
+
+### Minor Analysis Improvements
+
+* C#: Analysis of the `dotnet test` command supplied with a `dll` or `exe` file as argument no longer fails due to the addition of an erroneous `-p:SharedCompilation=false` argument.
+* Deleted the deprecated `WebConfigXML`, `ConfigurationXMLElement`, `LocationXMLElement`, `SystemWebXMLElement`, `SystemWebServerXMLElement`, `CustomErrorsXMLElement`, and `HttpRuntimeXMLElement` classes from `WebConfig.qll`. The non-deprecated names with PascalCased Xml suffixes should be used instead.
+* Deleted the deprecated `Record` class from both `Types.qll` and `Type.qll`.
+* Deleted the deprecated `StructuralComparisonConfiguration` class from `StructuralComparison.qll`, use `sameGvn` instead.
+* Deleted the deprecated `isParameterOf` predicate from the `ParameterNode` class.
+* Deleted the deprecated `SafeExternalAPICallable`, `ExternalAPIDataNode`, `UntrustedDataToExternalAPIConfig`, `UntrustedExternalAPIDataNode`, and `ExternalAPIUsedWithUntrustedData` classes from `ExternalAPIsQuery.qll`. The non-deprecated names with PascalCased Api suffixes should be used instead.
+* Updated the following C# sink kind names. Any custom data extensions that use these sink kinds will need to be updated accordingly in order to continue working.
+  * `code` to `code-injection`
+  * `sql` to `sql-injection`
+  * `html` to `html-injection`
+  * `xss` to `js-injection`
+  * `remote` to `file-content-store`
+
 ## 0.6.2

 ### Minor Analysis Improvements
--- a/csharp/ql/lib/change-notes/2023-05-17-update-csharp-sink-kinds.md
+++ b/csharp/ql/lib/change-notes/2023-05-17-update-csharp-sink-kinds.md
@@ -1,9 +0,0 @@
---
-category: minorAnalysis
---
-* Updated the following C# sink kind names. Any custom data extensions that use these sink kinds will need to be updated accordingly in order to continue working.
-  * `code` to `code-injection`
-  * `sql` to `sql-injection`
-  * `html` to `html-injection`
-  * `xss` to `js-injection`
-  * `remote` to `file-content-store`
--- a/csharp/ql/lib/change-notes/2023-05-30-source-generators.md
+++ b/csharp/ql/lib/change-notes/2023-05-30-source-generators.md
@@ -1,4 +0,0 @@
---
-category: majorAnalysis
---
-* The extractor has been changed to run after the traced compiler call. This allows inspecting compiler generated files, such as the output of source generators. With this change, `.cshtml` files and their generated `.cshtml.g.cs` counterparts are extracted on dotnet 6 and above.
--- a/csharp/ql/lib/change-notes/2023-06-06-dotnettest.md
+++ b/csharp/ql/lib/change-notes/2023-06-06-dotnettest.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* C#: Analysis of the `dotnet test` command supplied with a `dll` or `exe` file as argument no longer fails due to the addition of an erroneous `-p:SharedCompilation=false` argument.
--- a/csharp/ql/lib/change-notes/2023-06-02-delete-deps.md
+++ b/csharp/ql/lib/change-notes/2023-06-02-delete-deps.md
@@ -1,8 +1,20 @@
---
-category: minorAnalysis
---
+## 0.6.3
+
+### Major Analysis Improvements
+
+* The extractor has been changed to run after the traced compiler call. This allows inspecting compiler generated files, such as the output of source generators. With this change, `.cshtml` files and their generated `.cshtml.g.cs` counterparts are extracted on dotnet 6 and above.
+
+### Minor Analysis Improvements
+
+* C#: Analysis of the `dotnet test` command supplied with a `dll` or `exe` file as argument no longer fails due to the addition of an erroneous `-p:SharedCompilation=false` argument.
 * Deleted the deprecated `WebConfigXML`, `ConfigurationXMLElement`, `LocationXMLElement`, `SystemWebXMLElement`, `SystemWebServerXMLElement`, `CustomErrorsXMLElement`, and `HttpRuntimeXMLElement` classes from `WebConfig.qll`. The non-deprecated names with PascalCased Xml suffixes should be used instead.
 * Deleted the deprecated `Record` class from both `Types.qll` and `Type.qll`.
 * Deleted the deprecated `StructuralComparisonConfiguration` class from `StructuralComparison.qll`, use `sameGvn` instead.
 * Deleted the deprecated `isParameterOf` predicate from the `ParameterNode` class.
 * Deleted the deprecated `SafeExternalAPICallable`, `ExternalAPIDataNode`, `UntrustedDataToExternalAPIConfig`, `UntrustedExternalAPIDataNode`, and `ExternalAPIUsedWithUntrustedData` classes from `ExternalAPIsQuery.qll`. The non-deprecated names with PascalCased Api suffixes should be used instead.
+* Updated the following C# sink kind names. Any custom data extensions that use these sink kinds will need to be updated accordingly in order to continue working.
+  * `code` to `code-injection`
+  * `sql` to `sql-injection`
+  * `html` to `html-injection`
+  * `xss` to `js-injection`
+  * `remote` to `file-content-store`
--- a/csharp/ql/lib/codeql-pack.release.yml
+++ b/csharp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.2
+lastReleaseVersion: 0.6.3
--- a/csharp/ql/lib/qlpack.yml
+++ b/csharp/ql/lib/qlpack.yml
@@ -1,11 +1,12 @@
 name: codeql/csharp-all
-version: 0.6.3-dev
+version: 0.6.4-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp
 library: true
 upgrades: upgrades
 dependencies:
+  codeql/mad: ${workspace}
  codeql/ssa: ${workspace}
  codeql/tutorial: ${workspace}
  codeql/util: ${workspace}
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll
@@ -95,6 +95,7 @@ private import internal.DataFlowPublic
 private import internal.FlowSummaryImpl::Public
 private import internal.FlowSummaryImpl::Private::External
 private import internal.FlowSummaryImplSpecific
+private import codeql.mad.ModelValidation as SharedModelVal

 /** Holds if a source model exists for the given parameters. */
 predicate sourceModel = Extensions::sourceModel/9;
@@ -204,33 +205,18 @@ module ModelValidation {
    )
  }

-  private string getInvalidModelKind() {
-    exists(string kind | summaryModel(_, _, _, _, _, _, _, _, kind, _) |
-      not kind = ["taint", "value"] and
-      result = "Invalid kind \"" + kind + "\" in summary model."
-    )
-    or
-    exists(string kind | sinkModel(_, _, _, _, _, _, _, kind, _) |
-      not kind =
-        [
-          "code-injection", "command-injection", "file-content-store", "html-injection",
-          "ldap-injection", "log-injection", "sql-injection", "url-redirection", "js-injection",
-        ] and
-      not kind.matches("encryption-%") and
-      result = "Invalid kind \"" + kind + "\" in sink model."
-    )
-    or
-    exists(string kind | sourceModel(_, _, _, _, _, _, _, kind, _) |
-      not kind = ["local", "remote", "file", "file-write"] and
-      result = "Invalid kind \"" + kind + "\" in source model."
-    )
-    or
-    exists(string kind | neutralModel(_, _, _, _, kind, _) |
-      not kind = ["summary", "source", "sink"] and
-      result = "Invalid kind \"" + kind + "\" in neutral model."
-    )
+  private module KindValConfig implements SharedModelVal::KindValidationConfigSig {
+    predicate summaryKind(string kind) { summaryModel(_, _, _, _, _, _, _, _, kind, _) }
+
+    predicate sinkKind(string kind) { sinkModel(_, _, _, _, _, _, _, kind, _) }
+
+    predicate sourceKind(string kind) { sourceModel(_, _, _, _, _, _, _, kind, _) }
+
+    predicate neutralKind(string kind) { neutralModel(_, _, _, _, kind, _) }
  }

+  private module KindVal = SharedModelVal::KindValidation<KindValConfig>;
+
  private string getInvalidModelSignature() {
    exists(
      string pred, string namespace, string type, string name, string signature, string ext,
@@ -272,7 +258,7 @@ module ModelValidation {
    msg =
      [
        getInvalidModelSignature(), getInvalidModelInput(), getInvalidModelOutput(),
-        getInvalidModelKind()
+        KindVal::getInvalidModelKind()
      ]
  }
 }
--- a/csharp/ql/src/CHANGELOG.md
+++ b/csharp/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.6.3
+
+No user-facing changes.
+
 ## 0.6.2

 No user-facing changes.
--- a/csharp/ql/src/change-notes/released/0.6.3.md
+++ b/csharp/ql/src/change-notes/released/0.6.3.md
@@ -0,0 +1,3 @@
+## 0.6.3
+
+No user-facing changes.
--- a/csharp/ql/src/codeql-pack.release.yml
+++ b/csharp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.2
+lastReleaseVersion: 0.6.3
--- a/csharp/ql/src/qlpack.yml
+++ b/csharp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 0.6.3-dev
+version: 0.6.4-dev
 groups: 
  - csharp
  - queries
--- a/csharp/ql/test/query-tests/API
+++ b/csharp/ql/test/query-tests/API
@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/Abuse/CallToObsoleteMethod/options
+++ b/Abuse/CallToObsoleteMethod/options
@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/Abuse/ClassDoesNotImplementEquals/options
+++ b/Abuse/ClassDoesNotImplementEquals/options
@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/Abuse/ClassImplementsICloneable/options
+++ b/Abuse/ClassImplementsICloneable/options
@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/Abuse/DisposeNotCalledOnException/options
+++ b/Abuse/DisposeNotCalledOnException/options
@@ -1,2 +1,2 @@
-semmle-extractor-options: /r:System.ComponentModel.Primitives.dll /r:${testdir}/../../../resources/assemblies/System.Data.dll /r:System.Data.Common.dll
-semmle-extractor-options: /langversion:8.0
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/System.Data.SqlClient/4.8.3/System.Data.SqlClient.csproj
--- a/csharp/ql/test/query-tests/API
+++ b/csharp/ql/test/query-tests/API
@@ -1 +1,2 @@
-semmle-extractor-options: /r:System.Runtime.Extensions.dll /r:System.Diagnostics.TraceSource.dll
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/Abuse/InconsistentEqualsGetHashCode/options
+++ b/Abuse/InconsistentEqualsGetHashCode/options
@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/Abuse/IncorrectCompareToSignature/IncorrectCompareToSignature.cs
+++ b/Abuse/IncorrectCompareToSignature/IncorrectCompareToSignature.cs
@@ -1,15 +1,4 @@
-namespace System
-{
-    public interface IComparable
-    {
-        int CompareTo(object obj); // GOOD: the very definition of IComparable.CompareTo()
-    }
-
-    public interface IComparable<in T>
-    {
-        int CompareTo(T other);  // GOOD: the very definition of IComparable<T>.CompareTo()
-    }
-}
+using System;

 class C1<T>
 {
--- a/Abuse/IncorrectCompareToSignature/IncorrectCompareToSignature.expected
+++ b/Abuse/IncorrectCompareToSignature/IncorrectCompareToSignature.expected
@@ -1,2 +1,2 @@
-| IncorrectCompareToSignature.cs:16:16:16:24 | CompareTo | The parameter of this 'CompareTo' method is of type $@, but $@ does not implement 'IComparable<$@>'. | IncorrectCompareToSignature.cs:14:10:14:10 | T | T | IncorrectCompareToSignature.cs:14:7:14:11 | C1<> | C1<> | IncorrectCompareToSignature.cs:14:10:14:10 | T | T |
+| IncorrectCompareToSignature.cs:5:16:5:24 | CompareTo | The parameter of this 'CompareTo' method is of type $@, but $@ does not implement 'IComparable<$@>'. | IncorrectCompareToSignature.cs:3:10:3:10 | T | T | IncorrectCompareToSignature.cs:3:7:3:11 | C1<> | C1<> | IncorrectCompareToSignature.cs:3:10:3:10 | T | T |
 | IncorrectCompareToSignatureBad.cs:5:16:5:24 | CompareTo | The parameter of this 'CompareTo' method is of type $@, but $@ does not implement 'IComparable<$@>'. | IncorrectCompareToSignatureBad.cs:3:7:3:9 | Bad | Bad | IncorrectCompareToSignatureBad.cs:3:7:3:9 | Bad | Bad | IncorrectCompareToSignatureBad.cs:3:7:3:9 | Bad | Bad |
--- a/Abuse/IncorrectCompareToSignature/options
+++ b/Abuse/IncorrectCompareToSignature/options
@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/Abuse/IncorrectEqualsSignature/options
+++ b/Abuse/IncorrectEqualsSignature/options
@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/Abuse/MissingDisposeCall/options
+++ b/Abuse/MissingDisposeCall/options
@@ -1 +1,2 @@
-semmle-extractor-options: /r:System.ComponentModel.Primitives.dll
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/Abuse/MissingDisposeMethod/options
+++ b/Abuse/MissingDisposeMethod/options
@@ -1 +1,2 @@
-semmle-extractor-options: /r:System.ComponentModel.Primitives.dll
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/Abuse/NoDisposeCallOnLocalIDisposable/options
+++ b/Abuse/NoDisposeCallOnLocalIDisposable/options
@@ -1 +1 @@
-semmle-extractor-options: --cil /langversion:8.0 /r:System.Xml.dll /r:System.Xml.ReaderWriter.dll /r:System.Private.Xml.dll /r:System.ComponentModel.Primitives.dll /r:System.IO.Compression.dll /r:System.Runtime.Extensions.dll
+semmle-extractor-options: --cil /r:System.Private.Xml.dll /r:System.IO.Compression.dll
--- a/Abuse/NonOverridingMethod/options
+++ b/Abuse/NonOverridingMethod/options
@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/Abuse/NullArgumentToEquals/options
+++ b/Abuse/NullArgumentToEquals/options
@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/Abuse/UncheckedReturnValue/UncheckedReturnValue.cs
+++ b/Abuse/UncheckedReturnValue/UncheckedReturnValue.cs
@@ -1,11 +1,6 @@
 using System;
-class HashSet<T>
-{
-    public bool Add(T t)
-    {
-        return true;
-    }
-}
+using System.Text;
+using System.Collections.Generic;

 class C1
 {
@@ -30,11 +25,6 @@ class C1
    }
 }

-class StringBuilder
-{
-    public StringBuilder Append(string s) { return this; }
-}
-
 class C2
 {
    static void Main(string[] args)
@@ -59,20 +49,6 @@ class C2
    }
 }

-namespace System.IO
-{
-    public abstract class Stream
-    {
-        public abstract int Read(byte[] buffer, int offset, int count);
-        public virtual int ReadByte() { return 0; }
-    }
-
-    public class MemoryStream : Stream
-    {
-        public override int Read(byte[] buffer, int offset, int count) { return 0; }
-    }
-}
-
 class C3
 {
    static void Main(string[] args)
--- a/Abuse/UncheckedReturnValue/UncheckedReturnValue.expected
+++ b/Abuse/UncheckedReturnValue/UncheckedReturnValue.expected
@@ -1,8 +1,8 @@
-| UncheckedReturnValue.cs:29:9:29:31 | call to method Add | Result of call to 'Add' is ignored, but 90% of calls to this method have their result used. |
-| UncheckedReturnValue.cs:91:9:91:26 | call to method Read | Result of call to 'Read' is ignored, but should always be checked. |
-| UncheckedReturnValue.cs:92:9:92:20 | call to method ReadByte | Result of call to 'ReadByte' is ignored, but should always be checked. |
-| UncheckedReturnValue.cs:109:9:109:17 | call to method M1<Int32> | Result of call to 'M1<Int32>' is ignored, but 90% of calls to this method have their result used. |
-| UncheckedReturnValue.cs:130:9:130:21 | call to method M2<Decimal> | Result of call to 'M2<Decimal>' is ignored, but 90% of calls to this method have their result used. |
-| UncheckedReturnValue.cs:142:9:142:20 | call to method M3<C6> | Result of call to 'M3<C6>' is ignored, but 90% of calls to this method have their result used. |
+| UncheckedReturnValue.cs:24:9:24:31 | call to method Add | Result of call to 'Add' is ignored, but 90% of calls to this method have their result used. |
+| UncheckedReturnValue.cs:67:9:67:26 | call to method Read | Result of call to 'Read' is ignored, but should always be checked. |
+| UncheckedReturnValue.cs:68:9:68:20 | call to method ReadByte | Result of call to 'ReadByte' is ignored, but should always be checked. |
+| UncheckedReturnValue.cs:85:9:85:17 | call to method M1<Int32> | Result of call to 'M1<Int32>' is ignored, but 90% of calls to this method have their result used. |
+| UncheckedReturnValue.cs:106:9:106:21 | call to method M2<Decimal> | Result of call to 'M2<Decimal>' is ignored, but 90% of calls to this method have their result used. |
+| UncheckedReturnValue.cs:118:9:118:20 | call to method M3<C6> | Result of call to 'M3<C6>' is ignored, but 90% of calls to this method have their result used. |
 | UncheckedReturnValueBad.cs:29:9:29:20 | call to method DoPrint | Result of call to 'DoPrint' is ignored, but 90% of calls to this method have their result used. |
 | UncheckedReturnValueBad.cs:36:13:36:40 | call to method Read | Result of call to 'Read' is ignored, but should always be checked. |
--- a/Abuse/UncheckedReturnValue/options
+++ b/Abuse/UncheckedReturnValue/options
@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/csharp/ql/test/query-tests/AlertSuppression/options
+++ b/csharp/ql/test/query-tests/AlertSuppression/options
@@ -0,0 +1,2 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
--- a/csharp/ql/test/resources/assemblies/System.Data.dll
+++ b/csharp/ql/test/resources/assemblies/System.Data.dll
--- a/csharp/ql/test/resources/assemblies/System.Web.ApplicationServices.dll
+++ b/csharp/ql/test/resources/assemblies/System.Web.ApplicationServices.dll