Merge pull request #335 from calumgrant/cs/cwe-937

C#: New query VulnerablePackage

change-notes/1.19/analysis-csharp.md

@@ -10,7 +10,8 @@
 
 | **Query**                   | **Tags**  | **Purpose**                                                        |
 |-----------------------------|-----------|--------------------------------------------------------------------|
-| *@name of query (Query ID)* | *Tags*    |*Aim of the new query and whether it is enabled by default or not*  |
+| Using a package with a known vulnerability (cs/use-of-vulnerable-package) | security, external/cwe/cwe-937 | Finds project build files that import packages with known vulnerabilities. This is included by default. |
+
 
 ## Changes to existing queries
 

csharp/extractor/Semmle.Autobuild.Tests/BuildScripts.cs

@@ -358,7 +358,7 @@ namespace Semmle.Extraction.Tests
             Actions.RunProcess["cmd.exe /C dotnet restore"] = 0;
             Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --auto dotnet build --no-incremental /p:UseSharedCompilation=false"] = 0;
             Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
-            Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config"] = 0;
+            Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
             Actions.FileExists["csharp.log"] = true;
             Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null;
             Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null;
@@ -377,7 +377,7 @@ namespace Semmle.Extraction.Tests
             Actions.RunProcess["dotnet restore"] = 0;
             Actions.RunProcess[@"C:\odasa\tools\odasa index --auto dotnet build --no-incremental /p:UseSharedCompilation=false"] = 0;
             Actions.RunProcess[@"C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
-            Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config"] = 0;
+            Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
             Actions.FileExists["csharp.log"] = true;
             Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null;
             Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null;
@@ -488,7 +488,7 @@ namespace Semmle.Extraction.Tests
         {
             Actions.RunProcess[@"C:\odasa\tools\csharp\Semmle.Extraction.CSharp.Standalone --references:."] = 0;
             Actions.RunProcess[@"C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
-            Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config"] = 0;
+            Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
             Actions.FileExists["csharp.log"] = true;
             Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null;
             Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null;
@@ -520,7 +520,7 @@ namespace Semmle.Extraction.Tests
         {
             Actions.RunProcess[@"C:\odasa\tools\csharp\Semmle.Extraction.CSharp.Standalone foo.sln --references:."] = 0;
             Actions.RunProcess[@"C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
-            Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config"] = 0;
+            Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
             Actions.FileExists["csharp.log"] = true;
             Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null;
             Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null;
@@ -564,7 +564,7 @@ namespace Semmle.Extraction.Tests
         {
             Actions.RunProcess["C:\\odasa\\tools\\odasa index --auto \"./build.sh --skip-tests\""] = 0;
             Actions.RunProcess[@"C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
-            Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config"] = 0;
+            Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
             Actions.FileExists["csharp.log"] = true;
             Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null;
             Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null;
@@ -589,7 +589,7 @@ namespace Semmle.Extraction.Tests
             Actions.RunProcess[@"C:\odasa\tools\odasa index --auto build/build.sh"] = 0;
             Actions.RunProcessWorkingDirectory[@"C:\odasa\tools\odasa index --auto build/build.sh"] = "build";
             Actions.RunProcess[@"C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
-            Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config"] = 0;
+            Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
             Actions.FileExists["csharp.log"] = true;
 
             var autobuilder = CreateAutoBuilder("csharp", false);
@@ -643,7 +643,7 @@ namespace Semmle.Extraction.Tests
             Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --auto build.bat"] = 0;
             Actions.RunProcessWorkingDirectory[@"cmd.exe /C C:\odasa\tools\odasa index --auto build.bat"] = "";
             Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
-            Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config"] = 0;
+            Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
             Actions.FileExists["csharp.log"] = true;
 
             var autobuilder = CreateAutoBuilder("csharp", true);
@@ -694,7 +694,7 @@ namespace Semmle.Extraction.Tests
             Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\csharp\nuget\nuget.exe restore C:\Project\test2.sln"] = 0;
             Actions.RunProcess["cmd.exe /C CALL ^\"C:\\Program Files ^(x86^)\\Microsoft Visual Studio 12.0\\VC\\vcvarsall.bat^\" && C:\\odasa\\tools\\odasa index --auto msbuild C:\\Project\\test2.sln /p:UseSharedCompilation=false /t:Windows /p:Platform=\"x86\" /p:Configuration=\"Debug\" /p:MvcBuildViews=true /P:Fu=Bar"] = 0;
             Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
-            Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config"] = 0;
+            Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
             Actions.FileExists["csharp.log"] = true;
             Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe"] = false;
             Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat"] = false;
@@ -750,7 +750,7 @@ namespace Semmle.Extraction.Tests
             Actions.RunProcess["cmd.exe /C CALL ^\"C:\\Program Files ^(x86^)\\Microsoft Visual Studio 12.0\\VC\\vcvarsall.bat^\" && C:\\odasa\\tools\\odasa index --auto msbuild C:\\Project\\test1.sln /p:UseSharedCompilation=false /t:Windows /p:Platform=\"x86\" /p:Configuration=\"Debug\" /p:MvcBuildViews=true /P:Fu=Bar"] = 0;
             Actions.RunProcess["cmd.exe /C CALL ^\"C:\\Program Files ^(x86^)\\Microsoft Visual Studio 12.0\\VC\\vcvarsall.bat^\" && C:\\odasa\\tools\\odasa index --auto msbuild C:\\Project\\test2.sln /p:UseSharedCompilation=false /t:Windows /p:Platform=\"x86\" /p:Configuration=\"Debug\" /p:MvcBuildViews=true /P:Fu=Bar"] = 0;
             Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
-            Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config"] = 0;
+            Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
             Actions.FileExists["csharp.log"] = true;
             Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe"] = false;
             Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat"] = false;
@@ -778,7 +778,7 @@ namespace Semmle.Extraction.Tests
         {
             Actions.RunProcess[@"C:\odasa\tools\csharp\Semmle.Extraction.CSharp.Standalone foo.sln --references:. --skip-nuget"] = 0;
             Actions.RunProcess[@"C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
-            Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config"] = 0;
+            Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
             Actions.FileExists["csharp.log"] = true;
             Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null;
             Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null;
@@ -798,7 +798,7 @@ namespace Semmle.Extraction.Tests
             Actions.RunProcess["dotnet restore"] = 0;
             Actions.RunProcess[@"C:\odasa\tools\odasa index --auto dotnet build --no-incremental /p:UseSharedCompilation=false --no-restore"] = 0;
             Actions.RunProcess[@"C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
-            Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config"] = 0;
+            Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
             Actions.FileExists["csharp.log"] = true;
             Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null;
             Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null;
@@ -822,7 +822,7 @@ namespace Semmle.Extraction.Tests
             Actions.RunProcess[@"C:\Project\.dotnet\dotnet restore"] = 0;
             Actions.RunProcess[@"C:\odasa\tools\odasa index --auto C:\Project\.dotnet\dotnet build --no-incremental /p:UseSharedCompilation=false"] = 0;
             Actions.RunProcess[@"C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
-            Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config"] = 0;
+            Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
             Actions.FileExists["csharp.log"] = true;
             Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null;
             Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null;
@@ -847,7 +847,7 @@ namespace Semmle.Extraction.Tests
             Actions.RunProcess[@"C:\Project\.dotnet\dotnet restore"] = 0;
             Actions.RunProcess[@"C:\odasa\tools\odasa index --auto C:\Project\.dotnet\dotnet build --no-incremental /p:UseSharedCompilation=false"] = 0;
             Actions.RunProcess[@"C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
-            Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config"] = 0;
+            Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
             Actions.FileExists["csharp.log"] = true;
             Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null;
             Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null;
@@ -870,7 +870,7 @@ namespace Semmle.Extraction.Tests
             Actions.RunProcess[@"cmd.exe /C C:\Project\.dotnet\dotnet restore"] = 0;
             Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --auto C:\Project\.dotnet\dotnet build --no-incremental /p:UseSharedCompilation=false"] = 0;
             Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
-            Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config"] = 0;
+            Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
             Actions.FileExists["csharp.log"] = true;
             Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null;
             Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null;

csharp/extractor/Semmle.Autobuild/XmlBuildRule.cs

@@ -11,7 +11,7 @@ namespace Semmle.Autobuild
         {
             var command = new CommandBuilder(builder.Actions).
                 RunCommand(builder.Odasa).
-                Argument("index --xml --extensions config");
+                Argument("index --xml --extensions config csproj props xml");
             return command.Script;
         }
     }

csharp/ql/src/Security Features/CWE-937/Vulnerabilities.qll

@@ -0,0 +1,292 @@
+/**
+ * Provides a list of NuGet packages with known vulnerabilities.
+ * 
+ * To add a new vulnerability follow the existing pattern.
+ * Create a new class that extends the abstract class `Vulnerability`,
+ * supplying the name and the URL, and override one (or both) of
+ * `matchesRange` and `matchesVersion`.
+ */
+
+import csharp
+import Vulnerability
+
+class MicrosoftAdvisory4021279 extends Vulnerability {
+  MicrosoftAdvisory4021279() { this = "Microsoft Security Advisory 4021279" }
+
+  override string getUrl() { result = "https://github.com/dotnet/corefx/issues/19535" }
+
+  override predicate matchesRange(string name, Version affected, Version fixed) {
+    name = "System.Text.Encodings.Web" and (
+      affected = "4.0.0" and fixed = "4.0.1"
+      or
+      affected = "4.3.0" and fixed = "4.3.1"
+    ) or
+    name = "System.Net.Http" and (
+      affected = "4.1.1" and fixed = "4.1.2"
+      or
+      affected = "4.3.1" and fixed = "4.3.2"
+    ) or
+    name = "System.Net.Http.WinHttpHandler" and (
+      affected = "4.0.1" and fixed = "4.0.2"
+      or
+      affected = "4.3.0" and fixed = "4.3.1"
+    ) or
+    name = "System.Net.Security" and (
+      affected = "4.0.0" and fixed = "4.0.1"
+      or
+      affected = "4.3.0" and fixed = "4.3.1"
+    ) or (
+      name = "Microsoft.AspNetCore.Mvc"
+      or
+      name = "Microsoft.AspNetCore.Mvc.Core"
+      or
+      name = "Microsoft.AspNetCore.Mvc.Abstractions"
+      or
+      name = "Microsoft.AspNetCore.Mvc.ApiExplorer"
+      or
+      name = "Microsoft.AspNetCore.Mvc.Cors"
+      or
+      name = "Microsoft.AspNetCore.Mvc.DataAnnotations"
+      or
+      name = "Microsoft.AspNetCore.Mvc.Formatters.Json"
+      or
+      name = "Microsoft.AspNetCore.Mvc.Formatters.Xml"
+      or
+      name = "Microsoft.AspNetCore.Mvc.Localization"
+      or
+      name = "Microsoft.AspNetCore.Mvc.Razor.Host"
+      or
+      name = "Microsoft.AspNetCore.Mvc.Razor"
+      or
+      name = "Microsoft.AspNetCore.Mvc.TagHelpers"
+      or
+      name = "Microsoft.AspNetCore.Mvc.ViewFeatures"
+      or
+      name = "Microsoft.AspNetCore.Mvc.WebApiCompatShim"
+    ) and (
+      affected = "1.0.0" and fixed = "1.0.4"
+      or
+      affected = "1.1.0" and fixed = "1.1.3"
+    )
+  }
+}
+
+class CVE_2017_8700 extends Vulnerability {
+  CVE_2017_8700() { this = "CVE-2017-8700" }
+  
+  override string getUrl() { result = "https://github.com/aspnet/Announcements/issues/279" }
+  
+  override predicate matchesRange(string name, Version affected, Version fixed) {
+    (
+      name = "Microsoft.AspNetCore.Mvc.Core"
+      or
+      name = "Microsoft.AspNetCore.Mvc.Cors"
+    ) and (
+      affected = "1.0.0" and fixed = "1.0.6"
+      or
+      affected = "1.1.0" and fixed = "1.1.6"
+    )
+  }
+}
+
+class CVE_2018_0765 extends Vulnerability {
+  CVE_2018_0765() { this = "CVE-2018-0765" }
+  
+  override string getUrl() { result = "https://github.com/dotnet/announcements/issues/67" }
+  
+  override predicate matchesRange(string name, Version affected, Version fixed) {
+    name = "System.Security.Cryptography.Xml" and
+    affected = "0.0.0" and
+    fixed = "4.4.2"
+  }
+}
+
+class AspNetCore_Mar18 extends Vulnerability {
+  AspNetCore_Mar18() { this = "ASPNETCore-Mar18" }
+  
+  override string getUrl() { result = "https://github.com/aspnet/Announcements/issues/300" }
+
+  override predicate matchesRange(string name, Version affected, Version fixed) {
+    (
+      name = "Microsoft.AspNetCore.Server.Kestrel.Core"
+      or
+      name = "Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions"
+      or
+      name = "Microsoft.AspNetCore.Server.Kestrel.Transport.Libuv"
+    ) and
+    affected = "2.0.0" and
+    fixed = "2.0.3"
+    or
+    name = "Microsoft.AspNetCore.All" and
+    affected = "2.0.0" and
+    fixed = "2.0.8"
+  }
+}
+
+class CVE_2018_8409 extends Vulnerability {
+  CVE_2018_8409() { this = "CVE-2018-8409" }
+  
+  override string getUrl() { result = "https://github.com/aspnet/Announcements/issues/316" }
+  
+  override predicate matchesRange(string name, Version affected, Version fixed) {
+    name = "System.IO.Pipelines" and affected = "4.5.0" and fixed = "4.5.1"
+    or
+    (name = "Microsoft.AspNetCore.All" or name = "Microsoft.AspNetCore.App") and
+    affected = "2.1.0" and fixed = "2.1.4"
+  }
+}
+
+class CVE_2018_8171 extends Vulnerability {
+  CVE_2018_8171() { this = "CVE-2018-8171" }
+  
+  override string getUrl() { result = "https://github.com/aspnet/Announcements/issues/310" }
+  
+  override predicate matchesRange(string name, Version affected, Version fixed) {
+    name = "Microsoft.AspNetCore.Identity" and (
+      affected = "1.0.0" and fixed = "1.0.6"
+      or
+      affected = "1.1.0" and fixed = "1.1.6"
+      or
+      affected = "2.0.0" and fixed = "2.0.4"
+      or
+      affected = "2.1.0" and fixed = "2.1.2"
+    )
+  }
+}
+
+class CVE_2018_8356 extends Vulnerability {
+  CVE_2018_8356() { this = "CVE-2018-8356" }
+
+  override string getUrl() { result = "https://github.com/dotnet/announcements/issues/73" }
+
+  override predicate matchesRange(string name, Version affected, Version fixed) {
+    (
+      name = "System.Private.ServiceModel"
+      or
+      name = "System.ServiceModel.Http"
+      or
+      name = "System.ServiceModel.NetTcp"
+    ) and (
+      affected = "4.0.0" and fixed = "4.1.3"
+      or
+      affected = "4.3.0" and fixed = "4.3.3"
+      or
+      affected = "4.4.0" and fixed = "4.4.4"
+      or
+      affected = "4.5.0" and fixed = "4.5.3"
+    )
+    or
+    (
+      name = "System.ServiceModel.Duplex"
+      or
+      name = "System.ServiceModel.Security"
+    ) and (
+      affected = "4.0.0" and fixed = "4.0.4"
+      or
+      affected = "4.3.0" and fixed = "4.3.3"
+      or
+      affected = "4.4.0" and fixed = "4.4.4"
+      or
+      affected = "4.5.0" and fixed = "4.5.3"
+    )
+    or
+    name = "System.ServiceModel.NetTcp" and (
+      affected = "4.0.0" and fixed = "4.1.3"
+      or
+      affected = "4.3.0" and fixed = "4.3.3"
+      or
+      affected = "4.4.0" and fixed = "4.4.4"
+      or
+      affected = "4.5.0" and fixed = "4.5.1"
+    )
+  }
+}
+
+class ASPNETCore_Jul18 extends Vulnerability {
+  ASPNETCore_Jul18() { this = "ASPNETCore-July18" }
+  
+  override string getUrl() { result = "https://github.com/aspnet/Announcements/issues/311" }
+
+  override predicate matchesRange(string name, Version affected, Version fixed) {
+    name = "Microsoft.AspNetCore.Server.Kestrel.Core" and (
+      affected = "2.0.0" and fixed = "2.0.4"
+      or
+      affected = "2.1.0" and fixed = "2.1.2"
+    )
+    or
+    name = "Microsoft.AspNetCore.All" and (
+      affected = "2.0.0" and fixed = "2.0.9"
+      or
+      affected = "2.1.0" and fixed = "2.1.2"
+    )
+    or
+    name = "Microsoft.AspNetCore.App" and
+    affected = "2.1.0" and
+    fixed = "2.1.2"
+  }
+}
+
+class CVE_2018_8292 extends Vulnerability {
+  CVE_2018_8292() { this = "CVE-2018-8292" }
+
+  override string getUrl() { result = "https://github.com/dotnet/announcements/issues/88" }
+
+  override predicate matchesVersion(string name, Version affected, Version fixed) {
+    name = "System.Net.Http" and (
+      affected = "2.0" or
+      affected = "4.0.0" or
+      affected = "4.1.0" or
+      affected = "1.1.1" or
+      affected = "4.1.2" or
+      affected = "4.3.0" or
+      affected = "4.3.1" or
+      affected = "4.3.2" or
+      affected = "4.3.3"
+    ) and
+    fixed = "4.3.4"
+  }
+}
+
+class CVE_2018_0786 extends Vulnerability {
+  CVE_2018_0786() { this = "CVE-2018-0786" }
+
+  override string getUrl() { result = "https://github.com/dotnet/announcements/issues/51" }
+
+  override predicate matchesRange(string name, Version affected, Version fixed) {
+    (
+      name = "System.ServiceModel.Primitives"
+      or
+      name = "System.ServiceModel.Http"
+      or
+      name = "System.ServiceModel.NetTcp"
+      or
+      name = "System.ServiceModel.Duplex"
+      or
+      name = "System.ServiceModel.Security"
+      or
+      name = "System.Private.ServiceModel"
+    ) and (
+      affected = "4.4.0" and fixed = "4.4.1"
+      or
+      affected = "4.3.0" and fixed = "4.3.1"
+    )
+    or (
+      name = "System.ServiceModel.Primitives"
+      or
+      name = "System.ServiceModel.Http"
+      or
+      name = "System.ServiceModel.NetTcp"
+      or
+      name = "System.Private.ServiceModel"
+    ) and
+    affected = "4.1.0" and
+    fixed = "4.1.1"
+    or (
+      name = "System.ServiceModel.Duplex"
+      or
+      name = "System.ServiceModel.Security"
+    ) and
+    affected = "4.0.1" and
+    fixed = "4.0.2"
+  }
+}

csharp/ql/src/Security Features/CWE-937/Vulnerability.qll

@@ -0,0 +1,94 @@
+import csharp
+
+/**
+ * A package reference in an XML file, for example in a
+ * `.csproj` file, a `.props` file, or a `packages.config` file.
+ */
+class Package extends XMLElement {
+  string name;
+  Version version;
+
+  Package() {
+    (this.getName() = "PackageManagement" or this.getName() = "PackageReference") and
+    name = this.getAttributeValue("Include") and
+    version = this.getAttributeValue("Version")
+    or
+    this.getName() = "package" and
+    name = this.getAttributeValue("id") and
+    version = this.getAttributeValue("version")
+  }
+
+  /** Gets the name of the package, for example `System.IO.Pipelines`. */
+  string getPackageName() {
+    result = name
+  }
+
+  /** Gets the version of the package, for example `4.5.1`. */
+  Version getVersion() {
+    result = version
+  }
+
+  override string toString() {
+    result = name + " " + version
+  }
+}
+
+/**
+ * A vulnerability, where the name of the vulnerability is this string.
+ * One of `matchesRange` or `matchesVersion` must be overridden in order to
+ * specify which packages are vulnerable.
+ */
+abstract class Vulnerability extends string {
+  bindingset[this]
+  Vulnerability() { any() }
+  
+  /**
+   * Holds if a package with name `name` is vulnerable from version `affected`
+   * until version `fixed`.
+   */
+  predicate matchesRange(string name, Version affected, Version fixed) { none() }
+  
+  /**
+   * Holds if a package with name `name` is vulnerable in version `affected`, and
+   * is fixed by version `fixed`.
+   */
+  predicate matchesVersion(string name, Version affected, Version fixed) { none() }
+  
+  /** Gets the URL describing the vulnerability. */
+  abstract string getUrl();
+  
+  /**
+   * Holds if a package with name `name` and version `version`
+   * has this vulnerability. The fixed version is given by `fixed`.
+   */
+  bindingset[name, version]
+  predicate isVulnerable(string name, Version version, Version fixed) {
+    exists(Version affected, string n |
+      name.toLowerCase() = n.toLowerCase() |
+      matchesRange(n, affected, fixed) and
+      version.compareTo(fixed) < 0 and
+      version.compareTo(affected) >= 0
+      or
+      matchesVersion(n, affected, fixed) and
+      version.compareTo(affected) = 0
+    )
+  }
+}
+
+/**
+ * A package with a vulnerability.
+ */
+class VulnerablePackage extends Package {
+  Vulnerability vuln;
+  Version fixed;
+  
+  VulnerablePackage() {
+    vuln.isVulnerable(this.getPackageName(), this.getVersion(), fixed)
+  }
+  
+  /** Gets the vulnerability of this package. */
+  Vulnerability getVulnerability() { result = vuln }
+  
+  /** Gets the version of this package where the vulnerability is fixed. */
+  Version getFixedVersion() { result = fixed }
+}

csharp/ql/src/Security Features/CWE-937/VulnerablePackage.qhelp

@@ -0,0 +1,43 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Using a package with a known vulnerability is a security risk that could leave the
+software vulnerable to attack.
+</p>
+<p>
+This query reads the packages imported by the project build files and
+<code>.config</code> files, and checks them against a list of packages with known
+vulnerabilities.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Upgrade the package to the recommended version using, for example, the NuGet package manager,
+or by editing the project files directly.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example shows a C# project file referencing package <code>System.Net.Http</code>
+version 4.3.1, which is vulnerable to <a href="https://github.com/dotnet/announcements/issues/88">CVE-2018-8292</a>.
+</p>
+<sample src="VulnerablePackageBAD.csproj" />
+<p>
+The project file can be fixed by changing the version of the package to 4.3.4.
+</p>
+<sample src="VulnerablePackageGOOD.csproj" />
+</example>
+
+<references>
+<li>
+OWASP: <a href="https://www.owasp.org/index.php/Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities">A9-Using Components with Known Vulnerabilities</a>.
+</li>
+</references>
+
+</qhelp>

csharp/ql/src/Security Features/CWE-937/VulnerablePackage.ql

@@ -0,0 +1,19 @@
+/**
+ * @name Using a package with a known vulnerability
+ * @description Using a package with a known vulnerability is a security risk.
+ *              Upgrade the package to a version that does not contain the vulnerability.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @id cs/use-of-vulnerable-package
+ * @tags security
+ *       external/cwe/cwe-937
+ */
+
+import csharp
+import Vulnerabilities
+
+from Vulnerability vuln, VulnerablePackage package
+where vuln = package.getVulnerability()
+select package, "Package '" + package + "' has vulnerability $@, and should be upgraded to version " + package.getFixedVersion() + ".",
+  vuln.getUrl(), vuln.toString()

csharp/ql/src/Security Features/CWE-937/VulnerablePackageBAD.csproj

@@ -0,0 +1,15 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>netcoreapp2.0</TargetFramework>
+    <AssemblyName>Semmle.Autobuild</AssemblyName>
+    <RootNamespace>Semmle.Autobuild</RootNamespace>
+    <OutputType>Exe</OutputType>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Microsoft.Build" Version="15.8.166" />
+    <PackageReference Include="System.Net.Http" Version="4.3.1" />
+  </ItemGroup>
+
+</Project>

csharp/ql/src/Security Features/CWE-937/VulnerablePackageGOOD.csproj

@@ -0,0 +1,15 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>netcoreapp2.0</TargetFramework>
+    <AssemblyName>Semmle.Autobuild</AssemblyName>
+    <RootNamespace>Semmle.Autobuild</RootNamespace>
+    <OutputType>Exe</OutputType>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Microsoft.Build" Version="15.8.166" />
+    <PackageReference Include="System.Net.Http" Version="4.3.4" />
+  </ItemGroup>
+
+</Project>

csharp/ql/test/query-tests/Security Features/CWE-937/VulnerablePackage.expected

@@ -0,0 +1,6 @@
+| csproj.config:10:5:10:77 | System.Text.Encodings.Web 4.3.0 | Package 'System.Text.Encodings.Web 4.3.0' has vulnerability $@, and should be upgraded to version 4.3.1. | https://github.com/dotnet/corefx/issues/19535 | Microsoft Security Advisory 4021279 |
+| csproj.config:11:5:11:75 | system.text.encodings.web 4.3 | Package 'system.text.encodings.web 4.3' has vulnerability $@, and should be upgraded to version 4.3.1. | https://github.com/dotnet/corefx/issues/19535 | Microsoft Security Advisory 4021279 |
+| csproj.config:12:5:12:67 | System.Net.Http 4.1.1 | Package 'System.Net.Http 4.1.1' has vulnerability $@, and should be upgraded to version 4.1.2. | https://github.com/dotnet/corefx/issues/19535 | Microsoft Security Advisory 4021279 |
+| csproj.config:13:5:13:67 | System.Net.Http 4.1.2 | Package 'System.Net.Http 4.1.2' has vulnerability $@, and should be upgraded to version 4.3.4. | https://github.com/dotnet/announcements/issues/88 | CVE-2018-8292 |
+| packages.config:8:3:8:79 | System.IO.Pipelines 4.5.0 | Package 'System.IO.Pipelines 4.5.0' has vulnerability $@, and should be upgraded to version 4.5.1. | https://github.com/aspnet/Announcements/issues/316 | CVE-2018-8409 |
+| packages.config:9:3:9:81 | System.IO.Pipelines 4.5.0.0 | Package 'System.IO.Pipelines 4.5.0.0' has vulnerability $@, and should be upgraded to version 4.5.1. | https://github.com/aspnet/Announcements/issues/316 | CVE-2018-8409 |

csharp/ql/test/query-tests/Security Features/CWE-937/VulnerablePackage.qlref

@@ -0,0 +1 @@
+Security Features/CWE-937/VulnerablePackage.ql

csharp/ql/test/query-tests/Security Features/CWE-937/csproj.config

@@ -0,0 +1,16 @@
+<Project>
+  <ItemGroup>
+    <!-- These are GOOD -->
+    <PackageManagement Include="Microsoft.AspNetCore.All" Version="2.1.5" />
+    <PackageReference Include="System.Net.Http" Version="4.3.4" />
+    <PackageReference Include="System.Text.Encodings.Web" Version="4.2.9" />
+    <PackageReference Include="System.Text.Encodings.Web" Version="4.3.1" />
+    
+    <!-- These are BAD -->
+    <PackageReference Include="System.Text.Encodings.Web" Version="4.3.0" />
+    <PackageReference Include="system.text.encodings.web" Version="4.3" />
+    <PackageReference Include="System.Net.Http" Version="4.1.1" />
+    <PackageReference Include="System.Net.Http" Version="4.1.2" />
+    
+  </ItemGroup>
+</Project>

csharp/ql/test/query-tests/Security Features/CWE-937/packages.config

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="utf-8"?>
+<packages>
+  <!-- These are GOOD -->
+  <package id="System.IO.Pipelines" version="4.5.1" targetFramework="net45" />
+  <package id="System.IO.Pipelines" version="4.5.1.0" targetFramework="net45" />
+
+  <!-- These are BAD -->
+  <package id="System.IO.Pipelines" version="4.5.0" targetFramework="net45" />
+  <package id="System.IO.Pipelines" version="4.5.0.0" targetFramework="net45" />
+</packages>