C#: qhelp for VulnerablePackage.

calumgrant · calumgrant · commit 5ad060c1beea · 2018-10-18T10:24:20.000+01:00
diff --git a/csharp/ql/src/Security Features/CWE-937/Vulnerabilities.qll b/csharp/ql/src/Security Features/CWE-937/Vulnerabilities.qll
@@ -11,7 +11,6 @@ import csharp
 import Vulnerability
 
 class MicrosoftAdvisory4021279 extends Vulnerability {
-
   MicrosoftAdvisory4021279() { this = "Microsoft Security Advisory 4021279" }
 
   override string getUrl() { result = "https://github.com/dotnet/corefx/issues/19535" }
diff --git a/csharp/ql/src/Security Features/CWE-937/VulnerablePackage.qhelp b/csharp/ql/src/Security Features/CWE-937/VulnerablePackage.qhelp
@@ -0,0 +1,43 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Using a package with a known vulnerability is a security risk that could leave the
+software vulnerable to attack.
+</p>
+<p>
+This query reads the packages imported by the project build files and
+<code>.config</code> files, and checks them against a list of packages with known
+vulnerabilities.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Upgrade the package to the recommended version, for example using the NuGet package manager,
+or by editing the project files directly.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example shows a C# project file referencing package <code>System.Net.Http</code>
+version 4.3.1, which is vulnerable to <a href="https://github.com/dotnet/announcements/issues/88">CVE-2018-8292</a>.
+</p>
+<sample src="VulnerablePackageBAD.csproj" />
+<p>
+The project file can be fixed by changing the version of the package to 4.3.4.
+</p>
+<sample src="VulnerablePackageGOOD.csproj" />
+</example>
+
+<references>
+<li>
+OWASP: <a href="https://www.owasp.org/index.php/Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities">A9-Using Components with Known Vulnerabilities</a>.
+</li>
+</references>
+
+</qhelp>
diff --git a/csharp/ql/src/Security Features/CWE-937/VulnerablePackageBAD.csproj b/csharp/ql/src/Security Features/CWE-937/VulnerablePackageBAD.csproj
@@ -0,0 +1,15 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>netcoreapp2.0</TargetFramework>
+    <AssemblyName>Semmle.Autobuild</AssemblyName>
+    <RootNamespace>Semmle.Autobuild</RootNamespace>
+    <OutputType>Exe</OutputType>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Microsoft.Build" Version="15.8.166" />
+    <PackageReference Include="System.Net.Http" Version="4.3.1" />
+  </ItemGroup>
+
+</Project>
diff --git a/csharp/ql/src/Security Features/CWE-937/VulnerablePackageGOOD.csproj b/csharp/ql/src/Security Features/CWE-937/VulnerablePackageGOOD.csproj
@@ -0,0 +1,15 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>netcoreapp2.0</TargetFramework>
+    <AssemblyName>Semmle.Autobuild</AssemblyName>
+    <RootNamespace>Semmle.Autobuild</RootNamespace>
+    <OutputType>Exe</OutputType>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Microsoft.Build" Version="15.8.166" />
+    <PackageReference Include="System.Net.Http" Version="4.3.4" />
+  </ItemGroup>
+
+</Project>
