hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 09:43:15 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #335 from calumgrant/cs/cwe-937

Browse Source 
C#: New query VulnerablePackage
This commit is contained in:
Tom Hvitved
2018-11-12 10:34:53 +01:00
committed by GitHub
parent 40def8d364 fde3341455
commit dd6fd400aa
14 changed files with 528 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
change-notes/1.19/analysis-csharp.md
View File

@@ -10,7 +10,8 @@
| **Query** | **Tags** | **Purpose** |
|-----------------------------|-----------|--------------------------------------------------------------------|
| *@name of query (Query ID)* | *Tags* |*Aim of the new query and whether it is enabled by default or not* |
| Using a package with a known vulnerability (cs/use-of-vulnerable-package) | security, external/cwe/cwe-937 | Finds project build files that import packages with known vulnerabilities. This is included by default. |
## Changes to existing queries

28
csharp/extractor/Semmle.Autobuild.Tests/BuildScripts.cs
View File

@@ -358,7 +358,7 @@ namespace Semmle.Extraction.Tests
Actions.RunProcess["cmd.exe /C dotnet restore"] = 0;
Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --auto dotnet build --no-incremental /p:UseSharedCompilation=false"] = 0;
Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config"] = 0;
Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
Actions.FileExists["csharp.log"] = true;
Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null;
Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null;
@@ -377,7 +377,7 @@ namespace Semmle.Extraction.Tests
Actions.RunProcess["dotnet restore"] = 0;
Actions.RunProcess[@"C:\odasa\tools\odasa index --auto dotnet build --no-incremental /p:UseSharedCompilation=false"] = 0;
Actions.RunProcess[@"C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config"] = 0;
Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
Actions.FileExists["csharp.log"] = true;
Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null;
Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null;
@@ -488,7 +488,7 @@ namespace Semmle.Extraction.Tests
{
Actions.RunProcess[@"C:\odasa\tools\csharp\Semmle.Extraction.CSharp.Standalone --references:."] = 0;
Actions.RunProcess[@"C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config"] = 0;
Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
Actions.FileExists["csharp.log"] = true;
Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null;
Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null;
@@ -520,7 +520,7 @@ namespace Semmle.Extraction.Tests
{
Actions.RunProcess[@"C:\odasa\tools\csharp\Semmle.Extraction.CSharp.Standalone foo.sln --references:."] = 0;
Actions.RunProcess[@"C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config"] = 0;
Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
Actions.FileExists["csharp.log"] = true;
Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null;
Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null;
@@ -564,7 +564,7 @@ namespace Semmle.Extraction.Tests
{
Actions.RunProcess["C:\\odasa\\tools\\odasa index --auto \"./build.sh --skip-tests\""] = 0;
Actions.RunProcess[@"C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config"] = 0;
Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
Actions.FileExists["csharp.log"] = true;
Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null;
Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null;
@@ -589,7 +589,7 @@ namespace Semmle.Extraction.Tests
Actions.RunProcess[@"C:\odasa\tools\odasa index --auto build/build.sh"] = 0;
Actions.RunProcessWorkingDirectory[@"C:\odasa\tools\odasa index --auto build/build.sh"] = "build";
Actions.RunProcess[@"C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config"] = 0;
Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
Actions.FileExists["csharp.log"] = true;
var autobuilder = CreateAutoBuilder("csharp", false);
@@ -643,7 +643,7 @@ namespace Semmle.Extraction.Tests
Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --auto build.bat"] = 0;
Actions.RunProcessWorkingDirectory[@"cmd.exe /C C:\odasa\tools\odasa index --auto build.bat"] = "";
Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config"] = 0;
Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
Actions.FileExists["csharp.log"] = true;
var autobuilder = CreateAutoBuilder("csharp", true);
@@ -694,7 +694,7 @@ namespace Semmle.Extraction.Tests
Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\csharp\nuget\nuget.exe restore C:\Project\test2.sln"] = 0;
Actions.RunProcess["cmd.exe /C CALL ^\"C:\\Program Files ^(x86^)\\Microsoft Visual Studio 12.0\\VC\\vcvarsall.bat^\" && C:\\odasa\\tools\\odasa index --auto msbuild C:\\Project\\test2.sln /p:UseSharedCompilation=false /t:Windows /p:Platform=\"x86\" /p:Configuration=\"Debug\" /p:MvcBuildViews=true /P:Fu=Bar"] = 0;
Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config"] = 0;
Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
Actions.FileExists["csharp.log"] = true;
Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe"] = false;
Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat"] = false;
@@ -750,7 +750,7 @@ namespace Semmle.Extraction.Tests
Actions.RunProcess["cmd.exe /C CALL ^\"C:\\Program Files ^(x86^)\\Microsoft Visual Studio 12.0\\VC\\vcvarsall.bat^\" && C:\\odasa\\tools\\odasa index --auto msbuild C:\\Project\\test1.sln /p:UseSharedCompilation=false /t:Windows /p:Platform=\"x86\" /p:Configuration=\"Debug\" /p:MvcBuildViews=true /P:Fu=Bar"] = 0;
Actions.RunProcess["cmd.exe /C CALL ^\"C:\\Program Files ^(x86^)\\Microsoft Visual Studio 12.0\\VC\\vcvarsall.bat^\" && C:\\odasa\\tools\\odasa index --auto msbuild C:\\Project\\test2.sln /p:UseSharedCompilation=false /t:Windows /p:Platform=\"x86\" /p:Configuration=\"Debug\" /p:MvcBuildViews=true /P:Fu=Bar"] = 0;
Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config"] = 0;
Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
Actions.FileExists["csharp.log"] = true;
Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vswhere.exe"] = false;
Actions.FileExists[@"C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat"] = false;
@@ -778,7 +778,7 @@ namespace Semmle.Extraction.Tests
{
Actions.RunProcess[@"C:\odasa\tools\csharp\Semmle.Extraction.CSharp.Standalone foo.sln --references:. --skip-nuget"] = 0;
Actions.RunProcess[@"C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config"] = 0;
Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
Actions.FileExists["csharp.log"] = true;
Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null;
Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null;
@@ -798,7 +798,7 @@ namespace Semmle.Extraction.Tests
Actions.RunProcess["dotnet restore"] = 0;
Actions.RunProcess[@"C:\odasa\tools\odasa index --auto dotnet build --no-incremental /p:UseSharedCompilation=false --no-restore"] = 0;
Actions.RunProcess[@"C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config"] = 0;
Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
Actions.FileExists["csharp.log"] = true;
Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null;
Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null;
@@ -822,7 +822,7 @@ namespace Semmle.Extraction.Tests
Actions.RunProcess[@"C:\Project\.dotnet\dotnet restore"] = 0;
Actions.RunProcess[@"C:\odasa\tools\odasa index --auto C:\Project\.dotnet\dotnet build --no-incremental /p:UseSharedCompilation=false"] = 0;
Actions.RunProcess[@"C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config"] = 0;
Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
Actions.FileExists["csharp.log"] = true;
Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null;
Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null;
@@ -847,7 +847,7 @@ namespace Semmle.Extraction.Tests
Actions.RunProcess[@"C:\Project\.dotnet\dotnet restore"] = 0;
Actions.RunProcess[@"C:\odasa\tools\odasa index --auto C:\Project\.dotnet\dotnet build --no-incremental /p:UseSharedCompilation=false"] = 0;
Actions.RunProcess[@"C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config"] = 0;
Actions.RunProcess[@"C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
Actions.FileExists["csharp.log"] = true;
Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null;
Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null;
@@ -870,7 +870,7 @@ namespace Semmle.Extraction.Tests
Actions.RunProcess[@"cmd.exe /C C:\Project\.dotnet\dotnet restore"] = 0;
Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --auto C:\Project\.dotnet\dotnet build --no-incremental /p:UseSharedCompilation=false"] = 0;
Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\java\bin\java -jar C:\odasa\tools\extractor-asp.jar ."] = 0;
Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config"] = 0;
Actions.RunProcess[@"cmd.exe /C C:\odasa\tools\odasa index --xml --extensions config csproj props xml"] = 0;
Actions.FileExists["csharp.log"] = true;
Actions.GetEnvironmentVariable["TRAP_FOLDER"] = null;
Actions.GetEnvironmentVariable["SOURCE_ARCHIVE"] = null;

2
csharp/extractor/Semmle.Autobuild/XmlBuildRule.cs
View File

@@ -11,7 +11,7 @@ namespace Semmle.Autobuild
{
var command = new CommandBuilder(builder.Actions).
RunCommand(builder.Odasa).
Argument("index --xml --extensions config");
Argument("index --xml --extensions config csproj props xml");
return command.Script;
}
}

292
csharp/ql/src/Security Features/CWE-937/Vulnerabilities.qll Normal file
View File

@@ -0,0 +1,292 @@
/**
* Provides a list of NuGet packages with known vulnerabilities.
*
* To add a new vulnerability follow the existing pattern.
* Create a new class that extends the abstract class `Vulnerability`,
* supplying the name and the URL, and override one (or both) of
* `matchesRange` and `matchesVersion`.
*/
import csharp
import Vulnerability
class MicrosoftAdvisory4021279 extends Vulnerability {
MicrosoftAdvisory4021279() { this = "Microsoft Security Advisory 4021279" }
override string getUrl() { result = "https://github.com/dotnet/corefx/issues/19535" }
override predicate matchesRange(string name, Version affected, Version fixed) {
name = "System.Text.Encodings.Web" and (
affected = "4.0.0" and fixed = "4.0.1"
or
affected = "4.3.0" and fixed = "4.3.1"
) or
name = "System.Net.Http" and (
affected = "4.1.1" and fixed = "4.1.2"
or
affected = "4.3.1" and fixed = "4.3.2"
) or
name = "System.Net.Http.WinHttpHandler" and (
affected = "4.0.1" and fixed = "4.0.2"
or
affected = "4.3.0" and fixed = "4.3.1"
) or
name = "System.Net.Security" and (
affected = "4.0.0" and fixed = "4.0.1"
or
affected = "4.3.0" and fixed = "4.3.1"
) or (
name = "Microsoft.AspNetCore.Mvc"
or
name = "Microsoft.AspNetCore.Mvc.Core"
or
name = "Microsoft.AspNetCore.Mvc.Abstractions"
or
name = "Microsoft.AspNetCore.Mvc.ApiExplorer"
or
name = "Microsoft.AspNetCore.Mvc.Cors"
or
name = "Microsoft.AspNetCore.Mvc.DataAnnotations"
or
name = "Microsoft.AspNetCore.Mvc.Formatters.Json"
or
name = "Microsoft.AspNetCore.Mvc.Formatters.Xml"
or
name = "Microsoft.AspNetCore.Mvc.Localization"
or
name = "Microsoft.AspNetCore.Mvc.Razor.Host"
or
name = "Microsoft.AspNetCore.Mvc.Razor"
or
name = "Microsoft.AspNetCore.Mvc.TagHelpers"
or
name = "Microsoft.AspNetCore.Mvc.ViewFeatures"
or
name = "Microsoft.AspNetCore.Mvc.WebApiCompatShim"
) and (
affected = "1.0.0" and fixed = "1.0.4"
or
affected = "1.1.0" and fixed = "1.1.3"
)
}
}
class CVE_2017_8700 extends Vulnerability {
CVE_2017_8700() { this = "CVE-2017-8700" }
override string getUrl() { result = "https://github.com/aspnet/Announcements/issues/279" }
override predicate matchesRange(string name, Version affected, Version fixed) {
(
name = "Microsoft.AspNetCore.Mvc.Core"
or
name = "Microsoft.AspNetCore.Mvc.Cors"
) and (
affected = "1.0.0" and fixed = "1.0.6"
or
affected = "1.1.0" and fixed = "1.1.6"
)
}
}
class CVE_2018_0765 extends Vulnerability {
CVE_2018_0765() { this = "CVE-2018-0765" }
override string getUrl() { result = "https://github.com/dotnet/announcements/issues/67" }
override predicate matchesRange(string name, Version affected, Version fixed) {
name = "System.Security.Cryptography.Xml" and
affected = "0.0.0" and
fixed = "4.4.2"
}
}
class AspNetCore_Mar18 extends Vulnerability {
AspNetCore_Mar18() { this = "ASPNETCore-Mar18" }
override string getUrl() { result = "https://github.com/aspnet/Announcements/issues/300" }
override predicate matchesRange(string name, Version affected, Version fixed) {
(
name = "Microsoft.AspNetCore.Server.Kestrel.Core"
or
name = "Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions"
or
name = "Microsoft.AspNetCore.Server.Kestrel.Transport.Libuv"
) and
affected = "2.0.0" and
fixed = "2.0.3"
or
name = "Microsoft.AspNetCore.All" and
affected = "2.0.0" and
fixed = "2.0.8"
}
}
class CVE_2018_8409 extends Vulnerability {
CVE_2018_8409() { this = "CVE-2018-8409" }
override string getUrl() { result = "https://github.com/aspnet/Announcements/issues/316" }
override predicate matchesRange(string name, Version affected, Version fixed) {
name = "System.IO.Pipelines" and affected = "4.5.0" and fixed = "4.5.1"
or
(name = "Microsoft.AspNetCore.All" or name = "Microsoft.AspNetCore.App") and
affected = "2.1.0" and fixed = "2.1.4"
}
}
class CVE_2018_8171 extends Vulnerability {
CVE_2018_8171() { this = "CVE-2018-8171" }
override string getUrl() { result = "https://github.com/aspnet/Announcements/issues/310" }
override predicate matchesRange(string name, Version affected, Version fixed) {
name = "Microsoft.AspNetCore.Identity" and (
affected = "1.0.0" and fixed = "1.0.6"
or
affected = "1.1.0" and fixed = "1.1.6"
or
affected = "2.0.0" and fixed = "2.0.4"
or
affected = "2.1.0" and fixed = "2.1.2"
)
}
}
class CVE_2018_8356 extends Vulnerability {
CVE_2018_8356() { this = "CVE-2018-8356" }
override string getUrl() { result = "https://github.com/dotnet/announcements/issues/73" }
override predicate matchesRange(string name, Version affected, Version fixed) {
(
name = "System.Private.ServiceModel"
or
name = "System.ServiceModel.Http"
or
name = "System.ServiceModel.NetTcp"
) and (
affected = "4.0.0" and fixed = "4.1.3"
or
affected = "4.3.0" and fixed = "4.3.3"
or
affected = "4.4.0" and fixed = "4.4.4"
or
affected = "4.5.0" and fixed = "4.5.3"
)
or
(
name = "System.ServiceModel.Duplex"
or
name = "System.ServiceModel.Security"
) and (
affected = "4.0.0" and fixed = "4.0.4"
or
affected = "4.3.0" and fixed = "4.3.3"
or
affected = "4.4.0" and fixed = "4.4.4"
or
affected = "4.5.0" and fixed = "4.5.3"
)
or
name = "System.ServiceModel.NetTcp" and (
affected = "4.0.0" and fixed = "4.1.3"
or
affected = "4.3.0" and fixed = "4.3.3"
or
affected = "4.4.0" and fixed = "4.4.4"
or
affected = "4.5.0" and fixed = "4.5.1"
)
}
}
class ASPNETCore_Jul18 extends Vulnerability {
ASPNETCore_Jul18() { this = "ASPNETCore-July18" }
override string getUrl() { result = "https://github.com/aspnet/Announcements/issues/311" }
override predicate matchesRange(string name, Version affected, Version fixed) {
name = "Microsoft.AspNetCore.Server.Kestrel.Core" and (
affected = "2.0.0" and fixed = "2.0.4"
or
affected = "2.1.0" and fixed = "2.1.2"
)
or
name = "Microsoft.AspNetCore.All" and (
affected = "2.0.0" and fixed = "2.0.9"
or
affected = "2.1.0" and fixed = "2.1.2"
)
or
name = "Microsoft.AspNetCore.App" and
affected = "2.1.0" and
fixed = "2.1.2"
}
}
class CVE_2018_8292 extends Vulnerability {
CVE_2018_8292() { this = "CVE-2018-8292" }
override string getUrl() { result = "https://github.com/dotnet/announcements/issues/88" }
override predicate matchesVersion(string name, Version affected, Version fixed) {
name = "System.Net.Http" and (
affected = "2.0" or
affected = "4.0.0" or
affected = "4.1.0" or
affected = "1.1.1" or
affected = "4.1.2" or
affected = "4.3.0" or
affected = "4.3.1" or
affected = "4.3.2" or
affected = "4.3.3"
) and
fixed = "4.3.4"
}
}
class CVE_2018_0786 extends Vulnerability {
CVE_2018_0786() { this = "CVE-2018-0786" }
override string getUrl() { result = "https://github.com/dotnet/announcements/issues/51" }
override predicate matchesRange(string name, Version affected, Version fixed) {
(
name = "System.ServiceModel.Primitives"
or
name = "System.ServiceModel.Http"
or
name = "System.ServiceModel.NetTcp"
or
name = "System.ServiceModel.Duplex"
or
name = "System.ServiceModel.Security"
or
name = "System.Private.ServiceModel"
) and (
affected = "4.4.0" and fixed = "4.4.1"
or
affected = "4.3.0" and fixed = "4.3.1"
)
or (
name = "System.ServiceModel.Primitives"
or
name = "System.ServiceModel.Http"
or
name = "System.ServiceModel.NetTcp"
or
name = "System.Private.ServiceModel"
) and
affected = "4.1.0" and
fixed = "4.1.1"
or (
name = "System.ServiceModel.Duplex"
or
name = "System.ServiceModel.Security"
) and
affected = "4.0.1" and
fixed = "4.0.2"
}
}

94
csharp/ql/src/Security Features/CWE-937/Vulnerability.qll Normal file
View File

@@ -0,0 +1,94 @@
import csharp
/**
* A package reference in an XML file, for example in a
* `.csproj` file, a `.props` file, or a `packages.config` file.
*/
class Package extends XMLElement {
string name;
Version version;
Package() {
(this.getName() = "PackageManagement" or this.getName() = "PackageReference") and
name = this.getAttributeValue("Include") and
version = this.getAttributeValue("Version")
or
this.getName() = "package" and
name = this.getAttributeValue("id") and
version = this.getAttributeValue("version")
}
/** Gets the name of the package, for example `System.IO.Pipelines`. */
string getPackageName() {
result = name
}
/** Gets the version of the package, for example `4.5.1`. */
Version getVersion() {
result = version
}
override string toString() {
result = name + " " + version
}
}
/**
* A vulnerability, where the name of the vulnerability is this string.
* One of `matchesRange` or `matchesVersion` must be overridden in order to
* specify which packages are vulnerable.
*/
abstract class Vulnerability extends string {
bindingset[this]
Vulnerability() { any() }
/**
* Holds if a package with name `name` is vulnerable from version `affected`
* until version `fixed`.
*/
predicate matchesRange(string name, Version affected, Version fixed) { none() }
/**
* Holds if a package with name `name` is vulnerable in version `affected`, and
* is fixed by version `fixed`.
*/
predicate matchesVersion(string name, Version affected, Version fixed) { none() }
/** Gets the URL describing the vulnerability. */
abstract string getUrl();
/**
* Holds if a package with name `name` and version `version`
* has this vulnerability. The fixed version is given by `fixed`.
*/
bindingset[name, version]
predicate isVulnerable(string name, Version version, Version fixed) {
exists(Version affected, string n |
name.toLowerCase() = n.toLowerCase() |
matchesRange(n, affected, fixed) and
version.compareTo(fixed) < 0 and
version.compareTo(affected) >= 0
or
matchesVersion(n, affected, fixed) and
version.compareTo(affected) = 0
)
}
}
/**
* A package with a vulnerability.
*/
class VulnerablePackage extends Package {
Vulnerability vuln;
Version fixed;
VulnerablePackage() {
vuln.isVulnerable(this.getPackageName(), this.getVersion(), fixed)
}
/** Gets the vulnerability of this package. */
Vulnerability getVulnerability() { result = vuln }
/** Gets the version of this package where the vulnerability is fixed. */
Version getFixedVersion() { result = fixed }
}

43
csharp/ql/src/Security Features/CWE-937/VulnerablePackage.qhelp Normal file
View File

@@ -0,0 +1,43 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
Using a package with a known vulnerability is a security risk that could leave the
software vulnerable to attack.
</p>
<p>
This query reads the packages imported by the project build files and
<code>.config</code> files, and checks them against a list of packages with known
vulnerabilities.
</p>
</overview>
<recommendation>
<p>
Upgrade the package to the recommended version using, for example, the NuGet package manager,
or by editing the project files directly.
</p>
</recommendation>
<example>
<p>
The following example shows a C# project file referencing package <code>System.Net.Http</code>
version 4.3.1, which is vulnerable to <a href="https://github.com/dotnet/announcements/issues/88">CVE-2018-8292</a>.
</p>
<sample src="VulnerablePackageBAD.csproj" />
<p>
The project file can be fixed by changing the version of the package to 4.3.4.
</p>
<sample src="VulnerablePackageGOOD.csproj" />
</example>
<references>
<li>
OWASP: <a href="https://www.owasp.org/index.php/Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities">A9-Using Components with Known Vulnerabilities</a>.
</li>
</references>
</qhelp>

19
csharp/ql/src/Security Features/CWE-937/VulnerablePackage.ql Normal file
View File

@@ -0,0 +1,19 @@
/**
* @name Using a package with a known vulnerability
* @description Using a package with a known vulnerability is a security risk.
* Upgrade the package to a version that does not contain the vulnerability.
* @kind problem
* @problem.severity error
* @precision high
* @id cs/use-of-vulnerable-package
* @tags security
* external/cwe/cwe-937
*/
import csharp
import Vulnerabilities
from Vulnerability vuln, VulnerablePackage package
where vuln = package.getVulnerability()
select package, "Package '" + package + "' has vulnerability $@, and should be upgraded to version " + package.getFixedVersion() + ".",
vuln.getUrl(), vuln.toString()

15
csharp/ql/src/Security Features/CWE-937/VulnerablePackageBAD.csproj Normal file
View File

@@ -0,0 +1,15 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>netcoreapp2.0</TargetFramework>
<AssemblyName>Semmle.Autobuild</AssemblyName>
<RootNamespace>Semmle.Autobuild</RootNamespace>
<OutputType>Exe</OutputType>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Microsoft.Build" Version="15.8.166" />
<PackageReference Include="System.Net.Http" Version="4.3.1" />
</ItemGroup>
</Project>

15
csharp/ql/src/Security Features/CWE-937/VulnerablePackageGOOD.csproj Normal file
View File

@@ -0,0 +1,15 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>netcoreapp2.0</TargetFramework>
<AssemblyName>Semmle.Autobuild</AssemblyName>
<RootNamespace>Semmle.Autobuild</RootNamespace>
<OutputType>Exe</OutputType>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Microsoft.Build" Version="15.8.166" />
<PackageReference Include="System.Net.Http" Version="4.3.4" />
</ItemGroup>
</Project>

0
csharp/ql/test/query-tests/Security Features/CWE-937/Program.cs Normal file
View File

6
csharp/ql/test/query-tests/Security Features/CWE-937/VulnerablePackage.expected Normal file
View File

@@ -0,0 +1,6 @@
| csproj.config:10:5:10:77 | System.Text.Encodings.Web 4.3.0 | Package 'System.Text.Encodings.Web 4.3.0' has vulnerability $@, and should be upgraded to version 4.3.1. | https://github.com/dotnet/corefx/issues/19535 | Microsoft Security Advisory 4021279 |
| csproj.config:11:5:11:75 | system.text.encodings.web 4.3 | Package 'system.text.encodings.web 4.3' has vulnerability $@, and should be upgraded to version 4.3.1. | https://github.com/dotnet/corefx/issues/19535 | Microsoft Security Advisory 4021279 |
| csproj.config:12:5:12:67 | System.Net.Http 4.1.1 | Package 'System.Net.Http 4.1.1' has vulnerability $@, and should be upgraded to version 4.1.2. | https://github.com/dotnet/corefx/issues/19535 | Microsoft Security Advisory 4021279 |
| csproj.config:13:5:13:67 | System.Net.Http 4.1.2 | Package 'System.Net.Http 4.1.2' has vulnerability $@, and should be upgraded to version 4.3.4. | https://github.com/dotnet/announcements/issues/88 | CVE-2018-8292 |
| packages.config:8:3:8:79 | System.IO.Pipelines 4.5.0 | Package 'System.IO.Pipelines 4.5.0' has vulnerability $@, and should be upgraded to version 4.5.1. | https://github.com/aspnet/Announcements/issues/316 | CVE-2018-8409 |
| packages.config:9:3:9:81 | System.IO.Pipelines 4.5.0.0 | Package 'System.IO.Pipelines 4.5.0.0' has vulnerability $@, and should be upgraded to version 4.5.1. | https://github.com/aspnet/Announcements/issues/316 | CVE-2018-8409 |

1
csharp/ql/test/query-tests/Security Features/CWE-937/VulnerablePackage.qlref Normal file
View File

@@ -0,0 +1 @@
Security Features/CWE-937/VulnerablePackage.ql

16
csharp/ql/test/query-tests/Security Features/CWE-937/csproj.config Normal file
View File

@@ -0,0 +1,16 @@
<Project>
<ItemGroup>
<!-- These are GOOD -->
<PackageManagement Include="Microsoft.AspNetCore.All" Version="2.1.5" />
<PackageReference Include="System.Net.Http" Version="4.3.4" />
<PackageReference Include="System.Text.Encodings.Web" Version="4.2.9" />
<PackageReference Include="System.Text.Encodings.Web" Version="4.3.1" />
<!-- These are BAD -->
<PackageReference Include="System.Text.Encodings.Web" Version="4.3.0" />
<PackageReference Include="system.text.encodings.web" Version="4.3" />
<PackageReference Include="System.Net.Http" Version="4.1.1" />
<PackageReference Include="System.Net.Http" Version="4.1.2" />
</ItemGroup>
</Project>

10
csharp/ql/test/query-tests/Security Features/CWE-937/packages.config Normal file
View File

@@ -0,0 +1,10 @@
<?xml version="1.0" encoding="utf-8"?>
<packages>
<!-- These are GOOD -->
<package id="System.IO.Pipelines" version="4.5.1" targetFramework="net45" />
<package id="System.IO.Pipelines" version="4.5.1.0" targetFramework="net45" />
<!-- These are BAD -->
<package id="System.IO.Pipelines" version="4.5.0" targetFramework="net45" />
<package id="System.IO.Pipelines" version="4.5.0.0" targetFramework="net45" />
</packages>