github
diff --git a/‎csharp/ql/src/Security Features/CWE-937/Vulnerabilities.qll‎
Lines changed: 291 additions & 0 deletions b/‎csharp/ql/src/Security Features/CWE-937/Vulnerabilities.qll‎
Lines changed: 291 additions & 0 deletions
diff --git a/‎csharp/ql/src/Security Features/CWE-937/Vulnerability.qll‎
Lines changed: 94 additions & 0 deletions b/‎csharp/ql/src/Security Features/CWE-937/Vulnerability.qll‎
Lines changed: 94 additions & 0 deletions
@@ -0,0 +1,291 @@
+/**
+ * A list of NuGet packages with known vulnerabilities.
+ * 
+ * To add a new vulnerability follow the existing pattern.
+ * Create a new class that extends the abstract class `Vulnerability`,
+ * supplying the name and the URL, and override one (or both) of
+ * `matchesRange` and `matchesVersion`.
+ */
+
+import csharp
+import Vulnerability
+
+class MicrosoftAdvisory4021279 extends Vulnerability {
+
+  MicrosoftAdvisory4021279() { this = "Microsoft Security Advisory 4021279" }
+
+  override string getUrl() { result = "https://github.com/dotnet/corefx/issues/19535" }
+
+  override predicate matchesRange(string name, Version affected, Version fixed) {
+    name = "System.Text.Encodings.Web" and (
+      affected = "4.0.0" and fixed = "4.0.1"
+      or
+      affected = "4.3.0" and fixed = "4.3.1"
+    ) or
+    name = "System.Net.Http" and (
+      affected = "4.1.1" and fixed = "4.1.2"
+      or
+      affected = "4.3.1" and fixed = "4.3.2"
+    ) or
+    name = "System.Net.Http.WinHttpHandler" and (
+      affected = "4.0.1" and fixed = "4.0.2"
+      or
+      affected = "4.3.0" and fixed = "4.3.1"
+    ) or
+    name = "System.Net.Security" and (
+      affected = "4.0.0" and fixed = "4.0.1"
+      or
+      affected = "4.3.0" and fixed = "4.3.1"
+    ) or (
+      name = "Microsoft.AspNetCore.Mvc"
+      or
+      name = "Microsoft.AspNetCore.Mvc.Core"
+      or
+      name = "Microsoft.AspNetCore.Mvc.Abstractions"
+      or
+      name = "Microsoft.AspNetCore.Mvc.ApiExplorer"
+      or
+      name = "Microsoft.AspNetCore.Mvc.Cors"
+      or
+      name = "Microsoft.AspNetCore.Mvc.DataAnnotations"
+      or
+      name = "Microsoft.AspNetCore.Mvc.Formatters.Json"
+      or
+      name = "Microsoft.AspNetCore.Mvc.Formatters.Xml"
+      or
+      name = "Microsoft.AspNetCore.Mvc.Localization"
+      or
+      name = "Microsoft.AspNetCore.Mvc.Razor.Host"
+      or
+      name = "Microsoft.AspNetCore.Mvc.Razor"
+      or
+      name = "Microsoft.AspNetCore.Mvc.TagHelpers"
+      or
+      name = "Microsoft.AspNetCore.Mvc.ViewFeatures"
+      or
+      name = "Microsoft.AspNetCore.Mvc.WebApiCompatShim"
+    ) and (
+      affected = "1.0.0" and fixed = "1.0.4"
+      or
+      affected = "1.1.0" and fixed = "1.1.3"
+    )
+  }
+}
+
+class CVE_2017_8700 extends Vulnerability {
+  CVE_2017_8700() { this = "CVE-2017-8700" }
+  
+  override string getUrl() { result = "https://github.com/aspnet/Announcements/issues/279" }
+  
+  override predicate matchesRange(string name, Version affected, Version fixed) {
+    (
+      name = "Microsoft.AspNetCore.Mvc.Core"
+      or
+      name = "Microsoft.AspNetCore.Mvc.Cors"
+    ) and (
+      affected = "1.0.0" and fixed = "1.0.6"
+      or
+      affected = "1.1.0" and fixed = "1.1.6"
+    )
+  }
+}
+
+class CVE_2018_0765 extends Vulnerability {
+  CVE_2018_0765() { this = "CVE-2018-0765" }
+  
+  override string getUrl() { result = "https://github.com/dotnet/announcements/issues/67" }
+  
+  override predicate matchesRange(string name, Version affected, Version fixed) {
+    name = "System.Security.Cryptography.Xml" and
+    affected = "0.0.0" and
+    fixed = "4.4.2"
+  }
+}
+
+class AspNetCore_Mar18 extends Vulnerability {
+  AspNetCore_Mar18() { this = "ASPNETCore-Mar18" }
+  
+  override string getUrl() { result = "https://github.com/aspnet/Announcements/issues/300" }
+
+  override predicate matchesRange(string name, Version affected, Version fixed) {
+    (
+      name = "Microsoft.AspNetCore.Server.Kestrel.Core"
+      or
+      name = "Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions"
+      or
+      name = "Microsoft.AspNetCore.Server.Kestrel.Transport.Libuv"
+      or
+      name = "Microsoft.AspNetCore.All"
+    ) and
+    affected = "2.0.0" and
+    fixed = "2.0.3"
+  }
+}
+
+class CVE_2018_8409 extends Vulnerability {
+  CVE_2018_8409() { this = "CVE-2018-8409" }
+  
+  override string getUrl() { result = "https://github.com/aspnet/Announcements/issues/316" }
+  
+  override predicate matchesRange(string name, Version affected, Version fixed) {
+    name = "System.IO.Pipelines" and affected = "4.5.0" and fixed = "4.5.1"
+    or
+    (name = "Microsoft.AspNetCore.All" or name = "Microsoft.AspNetCore.App") and
+    affected = "2.1.0" and fixed = "2.1.4"
+  }
+}
+
+class CVE_2018_8171 extends Vulnerability {
+  CVE_2018_8171() { this = "CVE-2018-8171" }
+  
+  override string getUrl() { result = "https://github.com/aspnet/Announcements/issues/310" }
+  
+  override predicate matchesRange(string name, Version affected, Version fixed) {
+    name = "Microsoft.AspNetCore.Identity" and (
+      affected = "1.0.0" and fixed = "1.0.6"
+      or
+      affected = "1.1.0" and fixed = "1.1.6"
+      or
+      affected = "2.0.0" and fixed = "2.0.4"
+      or
+      affected = "2.1.0" and fixed = "2.1.2"
+    )
+  }
+}
+
+class CVE_2018_8356 extends Vulnerability {
+  CVE_2018_8356() { this = "CVE-2018-8356" }
+
+  override string getUrl() { result = "https://github.com/dotnet/announcements/issues/73" }
+
+  override predicate matchesRange(string name, Version affected, Version fixed) {
+    (
+      name = "System.Private.ServiceModel"
+      or
+      name = "System.ServiceModel.Http"
+      or
+      name = "System.ServiceModel.NetTcp"
+    ) and (
+      affected = "4.0.0" and fixed = "4.1.3"
+      or
+      affected = "4.3.0" and fixed = "4.3.3"
+      or
+      affected = "4.4.0" and fixed = "4.4.4"
+      or
+      affected = "4.5.0" and fixed = "4.5.3"
+    )
+    or
+    (
+      name = "System.ServiceModel.Duplex"
+      or
+      name = "System.ServiceModel.Security"
+    ) and (
+      affected = "4.0.0" and fixed = "4.0.4"
+      or
+      affected = "4.3.0" and fixed = "4.3.3"
+      or
+      affected = "4.4.0" and fixed = "4.4.4"
+      or
+      affected = "4.5.0" and fixed = "4.5.3"
+    )
+    or
+    name = "System.ServiceModel.NetTcp" and (
+      affected = "4.0.0" and fixed = "4.1.3"
+      or
+      affected = "4.3.0" and fixed = "4.3.3"
+      or
+      affected = "4.4.0" and fixed = "4.4.4"
+      or
+      affected = "4.5.0" and fixed = "4.5.1"
+    )
+  }
+}
+
+class ASPNETCore_Jul18 extends Vulnerability {
+  ASPNETCore_Jul18() { this = "ASPNETCore-July18" }
+  
+  override string getUrl() { result = "https://github.com/aspnet/Announcements/issues/311" }
+
+  override predicate matchesRange(string name, Version affected, Version fixed) {
+    name = "Microsoft.AspNetCore.Server.Kestrel.Core" and (
+      affected = "2.0.0" and fixed = "2.0.4"
+      or
+      affected = "2.1.0" and fixed = "2.1.2"
+    )
+    or
+    name = "Microsoft.AspNetCore.All" and (
+      affected = "2.0.0" and fixed = "2.0.9"
+      or
+      affected = "2.1.0" and fixed = "2.1.2"
+    )
+    or
+    name = "Microsoft.AspNetCore.App" and
+    affected = "2.1.0" and
+    fixed = "2.1.2"
+  }
+}
+
+class CVE_2018_8292 extends Vulnerability {
+  CVE_2018_8292() { this = "CVE-2018-8292" }
+
+  override string getUrl() { result = "https://github.com/dotnet/announcements/issues/88" }
+
+  override predicate matchesVersion(string name, Version affected, Version fixed) {
+    name = "System.Net.Http" and (
+      affected = "2.0" or
+      affected = "4.0.0" or
+      affected = "4.1.0" or
+      affected = "1.1.1" or
+      affected = "4.1.2" or
+      affected = "4.3.0" or
+      affected = "4.3.1" or
+      affected = "4.3.2" or
+      affected = "4.3.3"
+    ) and
+    fixed = "4.3.4"
+  }
+}
+
+class CVE_2018_0786 extends Vulnerability {
+  CVE_2018_0786() { this = "CVE-2018-0786" }
+
+  override string getUrl() { result = "https://github.com/dotnet/announcements/issues/51" }
+
+  override predicate matchesRange(string name, Version affected, Version fixed) {
+    (
+      name = "System.ServiceModel.Primitives"
+      or
+      name = "System.ServiceModel.Http"
+      or
+      name = "System.ServiceModel.NetTcp"
+      or
+      name = "System.ServiceModel.Duplex"
+      or
+      name = "System.ServiceModel.Security"
+      or
+      name = "System.Private.ServiceModel"
+    ) and (
+      affected = "4.4.0" and fixed = "4.4.1"
+      or
+      affected = "4.3.0" and fixed = "4.3.1"
+    )
+    or (
+      name = "System.ServiceModel.Primitives"
+      or
+      name = "System.ServiceModel.Http"
+      or
+      name = "System.ServiceModel.NetTcp"
+      or
+      name = "System.Private.ServiceModel"
+    ) and
+    affected = "4.1.0" and
+    fixed = "4.1.1"
+    or (
+      name = "System.ServiceModel.Duplex"
+      or
+      name = "System.ServiceModel.Security"
+    ) and
+    affected = "4.0.1" and
+    fixed = "4.0.2"
+  }
+}
@@ -0,0 +1,94 @@
+import csharp
+
+/**
+ * A package reference in an XML file, for example in a
+ * .csproj file, a .props file or a packages.config file.
+ */
+class Package extends XMLElement {
+  string name;
+  Version version;
+
+  Package() {
+    (this.getName() = "PackageManagement" or this.getName() = "PackageReference") and
+    name = this.getAttributeValue("Include") and
+    version = this.getAttributeValue("Version")
+    or
+    this.getName() = "package" and
+    name = this.getAttributeValue("id") and
+    version = this.getAttributeValue("version")
+  }
+
+  /** Gets the name of the package, for example `System.IO.Pipelines`. */
+  string getPackageName() {
+    result = name
+  }
+
+  /** Gets the version of the package, for example `4.5.1`. */
+  Version getVersion() {
+    result = version
+  }
+
+  override string toString() {
+    result = name + " " + version
+  }
+}
+
+/**
+ * A vulnerability, where the name of the vulnerability is this string.
+ * One of `matchesRange` or `matchesVersion` must be overridden in order to
+ * specify which packages are vulnerable.
+ */
+abstract class Vulnerability extends string {
+  bindingset[this]
+  Vulnerability() { any() }
+  
+  /**
+   * A package with name `name` is vulnerable from version `affected`
+   * until version `fixed`.
+   */
+  predicate matchesRange(string name, Version affected, Version fixed) { none() }
+  
+  /**
+   * A package with name `name` is vulnerable in version `affected`, and
+   * is fixed by version `fixed`.
+   */
+  predicate matchesVersion(string name, Version affecter, Version fixed) { none() }
+  
+  /** Gets the URL describing the vulnerability. */
+  abstract string getUrl();
+  
+  /**
+   * Holds if a package with name `name` and version `version`
+   * has this vulnerability. The fixed version is given by `fixed`.
+   */
+  bindingset[name, version]
+  predicate isVulnerable(string name, Version version, Version fixed) {
+    exists(Version affected, string n |
+      name.toLowerCase() = n.toLowerCase() |
+      matchesRange(n, affected, fixed) and
+      version.compareTo(fixed) < 0 and
+      version.compareTo(affected) >= 0
+      or
+      matchesVersion(n, affected, fixed) and
+      version.compareTo(affected) = 0
+    )
+  }
+}
+
+/**
+ * A package with a vulnerability.
+ */
+class VulnerablePackage extends Package {
+  Vulnerability vuln;
+  Version fixed;
+  
+  VulnerablePackage() {
+    vuln.isVulnerable(this.getPackageName(), this.getVersion(), fixed)
+  }
+  
+  /** Gets the vulnerability of this package. */
+  Vulnerability getVulnerability() { result = vuln }
+  
+  /** Gets the version of this package where the vulnerability is fixed. */
+  Version getFixedVersion() { result = fixed }
+}