C#: Remove duplicate results from cs/use-of-vulnerable-package

calumgrant · calumgrant · commit 1aa5e24108e3 · 2018-11-16T16:50:35.000Z
diff --git a/csharp/ql/src/Security Features/CWE-937/Vulnerability.qll b/csharp/ql/src/Security Features/CWE-937/Vulnerability.qll
@@ -41,22 +41,22 @@ class Package extends XMLElement {
 abstract class Vulnerability extends string {
   bindingset[this]
   Vulnerability() { any() }
-  
+
   /**
    * Holds if a package with name `name` is vulnerable from version `affected`
    * until version `fixed`.
    */
   predicate matchesRange(string name, Version affected, Version fixed) { none() }
-  
+
   /**
    * Holds if a package with name `name` is vulnerable in version `affected`, and
    * is fixed by version `fixed`.
    */
   predicate matchesVersion(string name, Version affected, Version fixed) { none() }
-  
+
   /** Gets the URL describing the vulnerability. */
   abstract string getUrl();
-  
+
   /**
    * Holds if a package with name `name` and version `version`
    * has this vulnerability. The fixed version is given by `fixed`.
@@ -75,20 +75,28 @@ abstract class Vulnerability extends string {
   }
 }
 
+bindingset[name, version]
+private Version getUltimateFix(string name, Version version) {
+  result = max(Version fix | any(Vulnerability v).isVulnerable(name,  version,  fix))
+}
+
 /**
  * A package with a vulnerability.
  */
 class VulnerablePackage extends Package {
   Vulnerability vuln;
-  Version fixed;
-  
+
   VulnerablePackage() {
-    vuln.isVulnerable(this.getPackageName(), this.getVersion(), fixed)
+    vuln.isVulnerable(this.getPackageName(), this.getVersion(), _)
   }
-  
+
   /** Gets the vulnerability of this package. */
   Vulnerability getVulnerability() { result = vuln }
-  
+
   /** Gets the version of this package where the vulnerability is fixed. */
-  Version getFixedVersion() { result = fixed }
+  Version getFixedVersion() {
+    // This is needed because sometimes the "fixed" version of some
+    // vulnerabilities are themselves vulnerable to other vulnerabilities.
+    result = getUltimateFix(this.getPackageName(), this.getVersion())
+  }
 }
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-937/VulnerablePackage.expected b/csharp/ql/test/query-tests/Security Features/CWE-937/VulnerablePackage.expected
@@ -2,5 +2,8 @@
 | csproj.config:11:5:11:75 | system.text.encodings.web 4.3 | Package 'system.text.encodings.web 4.3' has vulnerability $@, and should be upgraded to version 4.3.1. | https://github.com/dotnet/corefx/issues/19535 | Microsoft Security Advisory 4021279 |
 | csproj.config:12:5:12:67 | System.Net.Http 4.1.1 | Package 'System.Net.Http 4.1.1' has vulnerability $@, and should be upgraded to version 4.1.2. | https://github.com/dotnet/corefx/issues/19535 | Microsoft Security Advisory 4021279 |
 | csproj.config:13:5:13:67 | System.Net.Http 4.1.2 | Package 'System.Net.Http 4.1.2' has vulnerability $@, and should be upgraded to version 4.3.4. | https://github.com/dotnet/announcements/issues/88 | CVE-2018-8292 |
-| packages.config:8:3:8:79 | System.IO.Pipelines 4.5.0 | Package 'System.IO.Pipelines 4.5.0' has vulnerability $@, and should be upgraded to version 4.5.1. | https://github.com/aspnet/Announcements/issues/316 | CVE-2018-8409 |
-| packages.config:9:3:9:81 | System.IO.Pipelines 4.5.0.0 | Package 'System.IO.Pipelines 4.5.0.0' has vulnerability $@, and should be upgraded to version 4.5.1. | https://github.com/aspnet/Announcements/issues/316 | CVE-2018-8409 |
+| packages.config:9:3:9:79 | System.IO.Pipelines 4.5.0 | Package 'System.IO.Pipelines 4.5.0' has vulnerability $@, and should be upgraded to version 4.5.1. | https://github.com/aspnet/Announcements/issues/316 | CVE-2018-8409 |
+| packages.config:10:3:10:81 | System.IO.Pipelines 4.5.0.0 | Package 'System.IO.Pipelines 4.5.0.0' has vulnerability $@, and should be upgraded to version 4.5.1. | https://github.com/aspnet/Announcements/issues/316 | CVE-2018-8409 |
+| packages.config:11:3:11:84 | microsoft.aspnetcore.all 2.0.0 | Package 'microsoft.aspnetcore.all 2.0.0' has vulnerability $@, and should be upgraded to version 2.0.9. | https://github.com/aspnet/Announcements/issues/300 | ASPNETCore-Mar18 |
+| packages.config:11:3:11:84 | microsoft.aspnetcore.all 2.0.0 | Package 'microsoft.aspnetcore.all 2.0.0' has vulnerability $@, and should be upgraded to version 2.0.9. | https://github.com/aspnet/Announcements/issues/311 | ASPNETCore-July18 |
+| packages.config:12:3:12:84 | Microsoft.AspNetCore.All 2.0.8 | Package 'Microsoft.AspNetCore.All 2.0.8' has vulnerability $@, and should be upgraded to version 2.0.9. | https://github.com/aspnet/Announcements/issues/311 | ASPNETCore-July18 |
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-937/packages.config b/csharp/ql/test/query-tests/Security Features/CWE-937/packages.config
@@ -3,8 +3,11 @@
   <!-- These are GOOD -->
   <package id="System.IO.Pipelines" version="4.5.1" targetFramework="net45" />
   <package id="System.IO.Pipelines" version="4.5.1.0" targetFramework="net45" />
-
+  <package id="Microsoft.AspNetCore.All" version="2.0.9" targetFramework="net45" />
+  
   <!-- These are BAD -->
   <package id="System.IO.Pipelines" version="4.5.0" targetFramework="net45" />
   <package id="System.IO.Pipelines" version="4.5.0.0" targetFramework="net45" />
+  <package id="microsoft.aspnetcore.all" version="2.0.0" targetFramework="net45" />
+  <package id="Microsoft.AspNetCore.All" version="2.0.8" targetFramework="net45" />
 </packages>
