hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-04 13:15:21 +02:00
Code Issues Packages Projects Releases Wiki Activity

C#: Update cs/use-of-vulnerable-package to detect CVE-2019-0657

Browse Source
This commit is contained in:
calum
2019-02-21 11:48:48 +00:00
parent a382a5876f
commit 15341965e0
4 changed files with 41 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
csharp/ql/test/query-tests/Security Features/CWE-937/VulnerablePackage.expected
View File

@@ -1,7 +1,10 @@
| csproj.config:10:5:10:77 | System.Text.Encodings.Web 4.3.0 | Package 'System.Text.Encodings.Web 4.3.0' has vulnerability $@, and should be upgraded to version 4.3.1. | https://github.com/dotnet/corefx/issues/19535 | Microsoft Security Advisory 4021279 |
| csproj.config:11:5:11:75 | system.text.encodings.web 4.3 | Package 'system.text.encodings.web 4.3' has vulnerability $@, and should be upgraded to version 4.3.1. | https://github.com/dotnet/corefx/issues/19535 | Microsoft Security Advisory 4021279 |
| csproj.config:12:5:12:67 | System.Net.Http 4.1.1 | Package 'System.Net.Http 4.1.1' has vulnerability $@, and should be upgraded to version 4.1.2. | https://github.com/dotnet/corefx/issues/19535 | Microsoft Security Advisory 4021279 |
| csproj.config:13:5:13:67 | System.Net.Http 4.1.2 | Package 'System.Net.Http 4.1.2' has vulnerability $@, and should be upgraded to version 4.3.4. | https://github.com/dotnet/announcements/issues/88 | CVE-2018-8292 |
| csproj.config:4:5:4:77 | System.Text.Encodings.Web 4.3.0 | Package 'System.Text.Encodings.Web 4.3.0' has vulnerability $@, and should be upgraded to version 4.3.1. | https://github.com/dotnet/corefx/issues/19535 | Microsoft Security Advisory 4021279 |
| csproj.config:5:5:5:75 | system.text.encodings.web 4.3 | Package 'system.text.encodings.web 4.3' has vulnerability $@, and should be upgraded to version 4.3.1. | https://github.com/dotnet/corefx/issues/19535 | Microsoft Security Advisory 4021279 |
| csproj.config:6:5:6:67 | System.Net.Http 4.1.1 | Package 'System.Net.Http 4.1.1' has vulnerability $@, and should be upgraded to version 4.1.2. | https://github.com/dotnet/corefx/issues/19535 | Microsoft Security Advisory 4021279 |
| csproj.config:7:5:7:67 | System.Net.Http 4.1.2 | Package 'System.Net.Http 4.1.2' has vulnerability $@, and should be upgraded to version 4.3.4. | https://github.com/dotnet/announcements/issues/88 | CVE-2018-8292 |
| csproj.config:8:5:8:70 | System.Private.Uri 4.3.0 | Package 'System.Private.Uri 4.3.0' has vulnerability $@, and should be upgraded to version 4.3.1. | https://github.com/dotnet/announcements/issues/97 | CVE-2019-0657 |
| csproj.config:9:5:9:73 | Microsoft.NETCore.App 2.1.0 | Package 'Microsoft.NETCore.App 2.1.0' has vulnerability $@, and should be upgraded to version 2.1.8. | https://github.com/dotnet/announcements/issues/97 | CVE-2019-0657 |
| csproj.config:10:5:10:73 | Microsoft.NETCore.App 2.2.1 | Package 'Microsoft.NETCore.App 2.2.1' has vulnerability $@, and should be upgraded to version 2.2.2. | https://github.com/dotnet/announcements/issues/97 | CVE-2019-0657 |
| packages.config:9:3:9:79 | System.IO.Pipelines 4.5.0 | Package 'System.IO.Pipelines 4.5.0' has vulnerability $@, and should be upgraded to version 4.5.1. | https://github.com/aspnet/Announcements/issues/316 | CVE-2018-8409 |
| packages.config:10:3:10:81 | System.IO.Pipelines 4.5.0.0 | Package 'System.IO.Pipelines 4.5.0.0' has vulnerability $@, and should be upgraded to version 4.5.1. | https://github.com/aspnet/Announcements/issues/316 | CVE-2018-8409 |
| packages.config:11:3:11:84 | microsoft.aspnetcore.all 2.0.0 | Package 'microsoft.aspnetcore.all 2.0.0' has vulnerability $@, and should be upgraded to version 2.0.9. | https://github.com/aspnet/Announcements/issues/300 | ASPNETCore-Mar18 |

18
csharp/ql/test/query-tests/Security Features/CWE-937/csproj.config
View File

@@ -1,16 +1,22 @@
<Project>
<ItemGroup>
<!-- These are GOOD -->
<PackageManagement Include="Microsoft.AspNetCore.All" Version="2.1.5" />
<PackageReference Include="System.Net.Http" Version="4.3.4" />
<PackageReference Include="System.Text.Encodings.Web" Version="4.2.9" />
<PackageReference Include="System.Text.Encodings.Web" Version="4.3.1" />
<!-- These are BAD -->
<PackageReference Include="System.Text.Encodings.Web" Version="4.3.0" />
<PackageReference Include="system.text.encodings.web" Version="4.3" />
<PackageReference Include="System.Net.Http" Version="4.1.1" />
<PackageReference Include="System.Net.Http" Version="4.1.2" />
<PackageReference Include="System.Private.Uri" Version="4.3.0" />
<PackageReference Include="Microsoft.NETCore.App" Version="2.1.0" />
<PackageReference Include="Microsoft.NETCore.App" Version="2.2.1" />
<!-- These are GOOD -->
<PackageManagement Include="Microsoft.AspNetCore.All" Version="2.1.5" />
<PackageReference Include="System.Net.Http" Version="4.3.4" />
<PackageReference Include="System.Text.Encodings.Web" Version="4.2.9" />
<PackageReference Include="System.Text.Encodings.Web" Version="4.3.1" />
<PackageReference Include="System.Private.Uri" Version="4.3.1" />
<PackageReference Include="Microsoft.NETCore.App" Version="2.1.8" />
<PackageReference Include="Microsoft.NETCore.App" Version="2.2.2" />
</ItemGroup>
</Project>