hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 19:26:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

C#: Remove VulnerablePackage.ql query

Browse Source
This commit is contained in:
Tom Hvitved
2021-03-24 20:20:23 +01:00
parent 7e33b571c9
commit b94c189946
11 changed files with 0 additions and 569 deletions
Download Patch File Download Diff File Expand all files Collapse all files

335
csharp/ql/src/Security Features/CWE-937/Vulnerabilities.qll
View File

@@ -1,335 +0,0 @@
/**
* Provides a list of NuGet packages with known vulnerabilities.
*
* To add a new vulnerability follow the existing pattern.
* Create a new class that extends the abstract class `Vulnerability`,
* supplying the name and the URL, and override one (or both) of
* `matchesRange` and `matchesVersion`.
*/
import csharp
import Vulnerability
class MicrosoftAdvisory4021279 extends Vulnerability {
MicrosoftAdvisory4021279() { this = "Microsoft Security Advisory 4021279" }
override string getUrl() { result = "https://github.com/dotnet/corefx/issues/19535" }
override predicate matchesRange(string name, Version affected, Version fixed) {
name = "System.Text.Encodings.Web" and
(
affected = "4.0.0" and fixed = "4.0.1"
or
affected = "4.3.0" and fixed = "4.3.1"
)
or
name = "System.Net.Http" and
(
affected = "4.1.1" and fixed = "4.1.2"
or
affected = "4.3.1" and fixed = "4.3.2"
)
or
name = "System.Net.Http.WinHttpHandler" and
(
affected = "4.0.1" and fixed = "4.0.2"
or
affected = "4.3.0" and fixed = "4.3.1"
)
or
name = "System.Net.Security" and
(
affected = "4.0.0" and fixed = "4.0.1"
or
affected = "4.3.0" and fixed = "4.3.1"
)
or
(
name = "Microsoft.AspNetCore.Mvc"
or
name = "Microsoft.AspNetCore.Mvc.Core"
or
name = "Microsoft.AspNetCore.Mvc.Abstractions"
or
name = "Microsoft.AspNetCore.Mvc.ApiExplorer"
or
name = "Microsoft.AspNetCore.Mvc.Cors"
or
name = "Microsoft.AspNetCore.Mvc.DataAnnotations"
or
name = "Microsoft.AspNetCore.Mvc.Formatters.Json"
or
name = "Microsoft.AspNetCore.Mvc.Formatters.Xml"
or
name = "Microsoft.AspNetCore.Mvc.Localization"
or
name = "Microsoft.AspNetCore.Mvc.Razor.Host"
or
name = "Microsoft.AspNetCore.Mvc.Razor"
or
name = "Microsoft.AspNetCore.Mvc.TagHelpers"
or
name = "Microsoft.AspNetCore.Mvc.ViewFeatures"
or
name = "Microsoft.AspNetCore.Mvc.WebApiCompatShim"
) and
(
affected = "1.0.0" and fixed = "1.0.4"
or
affected = "1.1.0" and fixed = "1.1.3"
)
}
}
class CVE_2017_8700 extends Vulnerability {
CVE_2017_8700() { this = "CVE-2017-8700" }
override string getUrl() { result = "https://github.com/aspnet/Announcements/issues/279" }
override predicate matchesRange(string name, Version affected, Version fixed) {
(
name = "Microsoft.AspNetCore.Mvc.Core"
or
name = "Microsoft.AspNetCore.Mvc.Cors"
) and
(
affected = "1.0.0" and fixed = "1.0.6"
or
affected = "1.1.0" and fixed = "1.1.6"
)
}
}
class CVE_2018_0765 extends Vulnerability {
CVE_2018_0765() { this = "CVE-2018-0765" }
override string getUrl() { result = "https://github.com/dotnet/announcements/issues/67" }
override predicate matchesRange(string name, Version affected, Version fixed) {
name = "System.Security.Cryptography.Xml" and
affected = "0.0.0" and
fixed = "4.4.2"
}
}
class AspNetCore_Mar18 extends Vulnerability {
AspNetCore_Mar18() { this = "ASPNETCore-Mar18" }
override string getUrl() { result = "https://github.com/aspnet/Announcements/issues/300" }
override predicate matchesRange(string name, Version affected, Version fixed) {
(
name = "Microsoft.AspNetCore.Server.Kestrel.Core"
or
name = "Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions"
or
name = "Microsoft.AspNetCore.Server.Kestrel.Transport.Libuv"
) and
affected = "2.0.0" and
fixed = "2.0.3"
or
name = "Microsoft.AspNetCore.All" and
affected = "2.0.0" and
fixed = "2.0.8"
}
}
class CVE_2018_8409 extends Vulnerability {
CVE_2018_8409() { this = "CVE-2018-8409" }
override string getUrl() { result = "https://github.com/aspnet/Announcements/issues/316" }
override predicate matchesRange(string name, Version affected, Version fixed) {
name = "System.IO.Pipelines" and affected = "4.5.0" and fixed = "4.5.1"
or
(name = "Microsoft.AspNetCore.All" or name = "Microsoft.AspNetCore.App") and
affected = "2.1.0" and
fixed = "2.1.4"
}
}
class CVE_2018_8171 extends Vulnerability {
CVE_2018_8171() { this = "CVE-2018-8171" }
override string getUrl() { result = "https://github.com/aspnet/Announcements/issues/310" }
override predicate matchesRange(string name, Version affected, Version fixed) {
name = "Microsoft.AspNetCore.Identity" and
(
affected = "1.0.0" and fixed = "1.0.6"
or
affected = "1.1.0" and fixed = "1.1.6"
or
affected = "2.0.0" and fixed = "2.0.4"
or
affected = "2.1.0" and fixed = "2.1.2"
)
}
}
class CVE_2018_8356 extends Vulnerability {
CVE_2018_8356() { this = "CVE-2018-8356" }
override string getUrl() { result = "https://github.com/dotnet/announcements/issues/73" }
override predicate matchesRange(string name, Version affected, Version fixed) {
(
name = "System.Private.ServiceModel"
or
name = "System.ServiceModel.Http"
or
name = "System.ServiceModel.NetTcp"
) and
(
affected = "4.0.0" and fixed = "4.1.3"
or
affected = "4.3.0" and fixed = "4.3.3"
or
affected = "4.4.0" and fixed = "4.4.4"
or
affected = "4.5.0" and fixed = "4.5.3"
)
or
(
name = "System.ServiceModel.Duplex"
or
name = "System.ServiceModel.Security"
) and
(
affected = "4.0.0" and fixed = "4.0.4"
or
affected = "4.3.0" and fixed = "4.3.3"
or
affected = "4.4.0" and fixed = "4.4.4"
or
affected = "4.5.0" and fixed = "4.5.3"
)
or
name = "System.ServiceModel.NetTcp" and
(
affected = "4.0.0" and fixed = "4.1.3"
or
affected = "4.3.0" and fixed = "4.3.3"
or
affected = "4.4.0" and fixed = "4.4.4"
or
affected = "4.5.0" and fixed = "4.5.1"
)
}
}
class ASPNETCore_Jul18 extends Vulnerability {
ASPNETCore_Jul18() { this = "ASPNETCore-July18" }
override string getUrl() { result = "https://github.com/aspnet/Announcements/issues/311" }
override predicate matchesRange(string name, Version affected, Version fixed) {
name = "Microsoft.AspNetCore.Server.Kestrel.Core" and
(
affected = "2.0.0" and fixed = "2.0.4"
or
affected = "2.1.0" and fixed = "2.1.2"
)
or
name = "Microsoft.AspNetCore.All" and
(
affected = "2.0.0" and fixed = "2.0.9"
or
affected = "2.1.0" and fixed = "2.1.2"
)
or
name = "Microsoft.AspNetCore.App" and
affected = "2.1.0" and
fixed = "2.1.2"
}
}
class CVE_2018_8292 extends Vulnerability {
CVE_2018_8292() { this = "CVE-2018-8292" }
override string getUrl() { result = "https://github.com/dotnet/announcements/issues/88" }
override predicate matchesVersion(string name, Version affected, Version fixed) {
name = "System.Net.Http" and
(
affected = "2.0" or
affected = "4.0.0" or
affected = "4.1.0" or
affected = "1.1.1" or
affected = "4.1.2" or
affected = "4.3.0" or
affected = "4.3.1" or
affected = "4.3.2" or
affected = "4.3.3"
) and
fixed = "4.3.4"
}
}
class CVE_2018_0786 extends Vulnerability {
CVE_2018_0786() { this = "CVE-2018-0786" }
override string getUrl() { result = "https://github.com/dotnet/announcements/issues/51" }
override predicate matchesRange(string name, Version affected, Version fixed) {
(
name = "System.ServiceModel.Primitives"
or
name = "System.ServiceModel.Http"
or
name = "System.ServiceModel.NetTcp"
or
name = "System.ServiceModel.Duplex"
or
name = "System.ServiceModel.Security"
or
name = "System.Private.ServiceModel"
) and
(
affected = "4.4.0" and fixed = "4.4.1"
or
affected = "4.3.0" and fixed = "4.3.1"
)
or
(
name = "System.ServiceModel.Primitives"
or
name = "System.ServiceModel.Http"
or
name = "System.ServiceModel.NetTcp"
or
name = "System.Private.ServiceModel"
) and
affected = "4.1.0" and
fixed = "4.1.1"
or
(
name = "System.ServiceModel.Duplex"
or
name = "System.ServiceModel.Security"
) and
affected = "4.0.1" and
fixed = "4.0.2"
}
}
class CVE_2019_0657 extends Vulnerability {
CVE_2019_0657() { this = "CVE-2019-0657" }
override predicate matchesRange(string name, Version affected, Version fixed) {
name = "Microsoft.NETCore.App" and
(
affected = "2.1.0" and fixed = "2.1.8"
or
affected = "2.2.0" and fixed = "2.2.2"
)
}
override predicate matchesVersion(string name, Version affected, Version fixed) {
name = "System.Private.Uri" and
affected = "4.3.0" and
fixed = "4.3.1"
}
override string getUrl() { result = "https://github.com/dotnet/announcements/issues/97" }
}

93
csharp/ql/src/Security Features/CWE-937/Vulnerability.qll
View File

@@ -1,93 +0,0 @@
import csharp
/**
* A package reference in an XML file, for example in a
* `.csproj` file, a `.props` file, or a `packages.config` file.
*/
class Package extends XMLElement {
string name;
Version version;
Package() {
(this.getName() = "PackageManagement" or this.getName() = "PackageReference") and
name = this.getAttributeValue("Include") and
version = this.getAttributeValue("Version")
or
this.getName() = "package" and
name = this.getAttributeValue("id") and
version = this.getAttributeValue("version")
}
/** Gets the name of the package, for example `System.IO.Pipelines`. */
string getPackageName() { result = name }
/** Gets the version of the package, for example `4.5.1`. */
Version getVersion() { result = version }
override string toString() { result = name + " " + version }
}
/**
* A vulnerability, where the name of the vulnerability is this string.
* One of `matchesRange` or `matchesVersion` must be overridden in order to
* specify which packages are vulnerable.
*/
abstract class Vulnerability extends string {
bindingset[this]
Vulnerability() { any() }
/**
* Holds if a package with name `name` is vulnerable from version `affected`
* until version `fixed`.
*/
predicate matchesRange(string name, Version affected, Version fixed) { none() }
/**
* Holds if a package with name `name` is vulnerable in version `affected`, and
* is fixed by version `fixed`.
*/
predicate matchesVersion(string name, Version affected, Version fixed) { none() }
/** Gets the URL describing the vulnerability. */
abstract string getUrl();
/**
* Holds if a package with name `name` and version `version`
* has this vulnerability. The fixed version is given by `fixed`.
*/
bindingset[name, version]
predicate isVulnerable(string name, Version version, Version fixed) {
exists(Version affected, string n | name.toLowerCase() = n.toLowerCase() |
matchesRange(n, affected, fixed) and
version.compareTo(fixed) < 0 and
version.compareTo(affected) >= 0
or
matchesVersion(n, affected, fixed) and
version.compareTo(affected) = 0
)
}
}
bindingset[name, version]
private Version getUltimateFix(string name, Version version) {
result = max(Version fix | any(Vulnerability v).isVulnerable(name, version, fix))
}
/**
* A package with a vulnerability.
*/
class VulnerablePackage extends Package {
Vulnerability vuln;
VulnerablePackage() { vuln.isVulnerable(this.getPackageName(), this.getVersion(), _) }
/** Gets the vulnerability of this package. */
Vulnerability getVulnerability() { result = vuln }
/** Gets the version of this package where the vulnerability is fixed. */
Version getFixedVersion() {
// This is needed because sometimes the "fixed" version of some
// vulnerabilities are themselves vulnerable to other vulnerabilities.
result = getUltimateFix(this.getPackageName(), this.getVersion())
}
}

43
csharp/ql/src/Security Features/CWE-937/VulnerablePackage.qhelp
View File

@@ -1,43 +0,0 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
Using a package with a known vulnerability is a security risk that could leave the
software vulnerable to attack.
</p>
<p>
This query reads the packages imported by the project build files and
<code>.config</code> files, and checks them against a list of packages with known
vulnerabilities.
</p>
</overview>
<recommendation>
<p>
Upgrade the package to the recommended version using, for example, the NuGet package manager,
or by editing the project files directly.
</p>
</recommendation>
<example>
<p>
The following example shows a C# project file referencing package <code>System.Net.Http</code>
version 4.3.1, which is vulnerable to <a href="https://github.com/dotnet/announcements/issues/88">CVE-2018-8292</a>.
</p>
<sample src="VulnerablePackageBAD.csproj" />
<p>
The project file can be fixed by changing the version of the package to 4.3.4.
</p>
<sample src="VulnerablePackageGOOD.csproj" />
</example>
<references>
<li>
OWASP: <a href="https://www.owasp.org/index.php/Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities">A9-Using Components with Known Vulnerabilities</a>.
</li>
</references>
</qhelp>

20
csharp/ql/src/Security Features/CWE-937/VulnerablePackage.ql
View File

@@ -1,20 +0,0 @@
/**
* @name Using a package with a known vulnerability
* @description Using a package with a known vulnerability is a security risk.
* Upgrade the package to a version that does not contain the vulnerability.
* @kind problem
* @problem.severity error
* @precision high
* @id cs/use-of-vulnerable-package
* @tags security
* external/cwe/cwe-937
*/
import csharp
import Vulnerabilities
from Vulnerability vuln, VulnerablePackage package
where vuln = package.getVulnerability()
select package,
"Package '" + package + "' has vulnerability $@, and should be upgraded to version " +
package.getFixedVersion() + ".", vuln.getUrl(), vuln.toString()

15
csharp/ql/src/Security Features/CWE-937/VulnerablePackageBAD.csproj
View File

@@ -1,15 +0,0 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>netcoreapp2.0</TargetFramework>
<AssemblyName>Semmle.Autobuild</AssemblyName>
<RootNamespace>Semmle.Autobuild</RootNamespace>
<OutputType>Exe</OutputType>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Microsoft.Build" Version="15.8.166" />
<PackageReference Include="System.Net.Http" Version="4.3.1" />
</ItemGroup>
</Project>

15
csharp/ql/src/Security Features/CWE-937/VulnerablePackageGOOD.csproj
View File

@@ -1,15 +0,0 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>netcoreapp2.0</TargetFramework>
<AssemblyName>Semmle.Autobuild</AssemblyName>
<RootNamespace>Semmle.Autobuild</RootNamespace>
<OutputType>Exe</OutputType>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Microsoft.Build" Version="15.8.166" />
<PackageReference Include="System.Net.Http" Version="4.3.4" />
</ItemGroup>
</Project>

0
csharp/ql/test/query-tests/Security Features/CWE-937/Program.cs
View File

12
csharp/ql/test/query-tests/Security Features/CWE-937/VulnerablePackage.expected
View File

@@ -1,12 +0,0 @@
| csproj.config:4:5:4:77 | System.Text.Encodings.Web 4.3.0 | Package 'System.Text.Encodings.Web 4.3.0' has vulnerability $@, and should be upgraded to version 4.3.1. | https://github.com/dotnet/corefx/issues/19535 | Microsoft Security Advisory 4021279 |
| csproj.config:5:5:5:75 | system.text.encodings.web 4.3 | Package 'system.text.encodings.web 4.3' has vulnerability $@, and should be upgraded to version 4.3.1. | https://github.com/dotnet/corefx/issues/19535 | Microsoft Security Advisory 4021279 |
| csproj.config:6:5:6:67 | System.Net.Http 4.1.1 | Package 'System.Net.Http 4.1.1' has vulnerability $@, and should be upgraded to version 4.1.2. | https://github.com/dotnet/corefx/issues/19535 | Microsoft Security Advisory 4021279 |
| csproj.config:7:5:7:67 | System.Net.Http 4.1.2 | Package 'System.Net.Http 4.1.2' has vulnerability $@, and should be upgraded to version 4.3.4. | https://github.com/dotnet/announcements/issues/88 | CVE-2018-8292 |
| csproj.config:8:5:8:70 | System.Private.Uri 4.3.0 | Package 'System.Private.Uri 4.3.0' has vulnerability $@, and should be upgraded to version 4.3.1. | https://github.com/dotnet/announcements/issues/97 | CVE-2019-0657 |
| csproj.config:9:5:9:73 | Microsoft.NETCore.App 2.1.0 | Package 'Microsoft.NETCore.App 2.1.0' has vulnerability $@, and should be upgraded to version 2.1.8. | https://github.com/dotnet/announcements/issues/97 | CVE-2019-0657 |
| csproj.config:10:5:10:73 | Microsoft.NETCore.App 2.2.1 | Package 'Microsoft.NETCore.App 2.2.1' has vulnerability $@, and should be upgraded to version 2.2.2. | https://github.com/dotnet/announcements/issues/97 | CVE-2019-0657 |
| packages.config:9:3:9:79 | System.IO.Pipelines 4.5.0 | Package 'System.IO.Pipelines 4.5.0' has vulnerability $@, and should be upgraded to version 4.5.1. | https://github.com/aspnet/Announcements/issues/316 | CVE-2018-8409 |
| packages.config:10:3:10:81 | System.IO.Pipelines 4.5.0.0 | Package 'System.IO.Pipelines 4.5.0.0' has vulnerability $@, and should be upgraded to version 4.5.1. | https://github.com/aspnet/Announcements/issues/316 | CVE-2018-8409 |
| packages.config:11:3:11:84 | microsoft.aspnetcore.all 2.0.0 | Package 'microsoft.aspnetcore.all 2.0.0' has vulnerability $@, and should be upgraded to version 2.0.9. | https://github.com/aspnet/Announcements/issues/300 | ASPNETCore-Mar18 |
| packages.config:11:3:11:84 | microsoft.aspnetcore.all 2.0.0 | Package 'microsoft.aspnetcore.all 2.0.0' has vulnerability $@, and should be upgraded to version 2.0.9. | https://github.com/aspnet/Announcements/issues/311 | ASPNETCore-July18 |
| packages.config:12:3:12:84 | Microsoft.AspNetCore.All 2.0.8 | Package 'Microsoft.AspNetCore.All 2.0.8' has vulnerability $@, and should be upgraded to version 2.0.9. | https://github.com/aspnet/Announcements/issues/311 | ASPNETCore-July18 |

1
csharp/ql/test/query-tests/Security Features/CWE-937/VulnerablePackage.qlref
View File

@@ -1 +0,0 @@
Security Features/CWE-937/VulnerablePackage.ql

22
csharp/ql/test/query-tests/Security Features/CWE-937/csproj.config
View File

@@ -1,22 +0,0 @@
<Project>
<ItemGroup>
<!-- These are BAD -->
<PackageReference Include="System.Text.Encodings.Web" Version="4.3.0" />
<PackageReference Include="system.text.encodings.web" Version="4.3" />
<PackageReference Include="System.Net.Http" Version="4.1.1" />
<PackageReference Include="System.Net.Http" Version="4.1.2" />
<PackageReference Include="System.Private.Uri" Version="4.3.0" />
<PackageReference Include="Microsoft.NETCore.App" Version="2.1.0" />
<PackageReference Include="Microsoft.NETCore.App" Version="2.2.1" />
<!-- These are GOOD -->
<PackageManagement Include="Microsoft.AspNetCore.All" Version="2.1.5" />
<PackageReference Include="System.Net.Http" Version="4.3.4" />
<PackageReference Include="System.Text.Encodings.Web" Version="4.2.9" />
<PackageReference Include="System.Text.Encodings.Web" Version="4.3.1" />
<PackageReference Include="System.Private.Uri" Version="4.3.1" />
<PackageReference Include="Microsoft.NETCore.App" Version="2.1.8" />
<PackageReference Include="Microsoft.NETCore.App" Version="2.2.2" />
</ItemGroup>
</Project>

13
csharp/ql/test/query-tests/Security Features/CWE-937/packages.config
View File

@@ -1,13 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<packages>
<!-- These are GOOD -->
<package id="System.IO.Pipelines" version="4.5.1" targetFramework="net45" />
<package id="System.IO.Pipelines" version="4.5.1.0" targetFramework="net45" />
<package id="Microsoft.AspNetCore.All" version="2.0.9" targetFramework="net45" />
<!-- These are BAD -->
<package id="System.IO.Pipelines" version="4.5.0" targetFramework="net45" />
<package id="System.IO.Pipelines" version="4.5.0.0" targetFramework="net45" />
<package id="microsoft.aspnetcore.all" version="2.0.0" targetFramework="net45" />
<package id="Microsoft.AspNetCore.All" version="2.0.8" targetFramework="net45" />
</packages>