C#: Address review comments in QL.

calumgrant · calumgrant · commit 61232cb08e38 · 2018-10-19T16:33:04.000+01:00
diff --git a/csharp/ql/src/Security Features/CWE-937/Vulnerabilities.qll b/csharp/ql/src/Security Features/CWE-937/Vulnerabilities.qll
@@ -1,5 +1,5 @@
 /**
- * A list of NuGet packages with known vulnerabilities.
+ * Provides a list of NuGet packages with known vulnerabilities.
  * 
  * To add a new vulnerability follow the existing pattern.
  * Create a new class that extends the abstract class `Vulnerability`,
@@ -113,11 +113,13 @@ class AspNetCore_Mar18 extends Vulnerability {
       name = "Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions"
       or
       name = "Microsoft.AspNetCore.Server.Kestrel.Transport.Libuv"
-      or
-      name = "Microsoft.AspNetCore.All"
     ) and
     affected = "2.0.0" and
     fixed = "2.0.3"
+    or
+    name = "Microsoft.AspNetCore.All" and
+    affected = "2.0.0" and
+    fixed = "2.0.8"
   }
 }
 
diff --git a/csharp/ql/src/Security Features/CWE-937/Vulnerability.qll b/csharp/ql/src/Security Features/CWE-937/Vulnerability.qll
@@ -2,7 +2,7 @@ import csharp
 
 /**
  * A package reference in an XML file, for example in a
- * .csproj file, a .props file or a packages.config file.
+ * `.csproj` file, a `.props` file, or a `packages.config` file.
  */
 class Package extends XMLElement {
   string name;
@@ -43,16 +43,16 @@ abstract class Vulnerability extends string {
   Vulnerability() { any() }
   
   /**
-   * A package with name `name` is vulnerable from version `affected`
+   * Holds if a package with name `name` is vulnerable from version `affected`
    * until version `fixed`.
    */
   predicate matchesRange(string name, Version affected, Version fixed) { none() }
   
   /**
-   * A package with name `name` is vulnerable in version `affected`, and
+   * Holds if a package with name `name` is vulnerable in version `affected`, and
    * is fixed by version `fixed`.
    */
-  predicate matchesVersion(string name, Version affecter, Version fixed) { none() }
+  predicate matchesVersion(string name, Version affected, Version fixed) { none() }
   
   /** Gets the URL describing the vulnerability. */
   abstract string getUrl();
diff --git a/csharp/ql/src/Security Features/CWE-937/VulnerablePackage.ql b/csharp/ql/src/Security Features/CWE-937/VulnerablePackage.ql
@@ -15,5 +15,5 @@ import Vulnerabilities
 
 from Vulnerability vuln, VulnerablePackage package
 where vuln = package.getVulnerability()
-select package, "Package " + package + " has vulnerability $@, and should be upgraded to version " + package.getFixedVersion() + ".",
+select package, "Package '" + package + "' has vulnerability $@, and should be upgraded to version " + package.getFixedVersion() + ".",
   vuln.getUrl(), vuln.toString()
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-937/VulnerablePackage.expected b/csharp/ql/test/query-tests/Security Features/CWE-937/VulnerablePackage.expected
@@ -1,6 +1,6 @@
-| csproj.config:10:5:10:77 | System.Text.Encodings.Web 4.3.0 | Package System.Text.Encodings.Web 4.3.0 has vulnerability $@, and should be upgraded to version 4.3.1. | https://github.com/dotnet/corefx/issues/19535 | Microsoft Security Advisory 4021279 |
-| csproj.config:11:5:11:75 | system.text.encodings.web 4.3 | Package system.text.encodings.web 4.3 has vulnerability $@, and should be upgraded to version 4.3.1. | https://github.com/dotnet/corefx/issues/19535 | Microsoft Security Advisory 4021279 |
-| csproj.config:12:5:12:67 | System.Net.Http 4.1.1 | Package System.Net.Http 4.1.1 has vulnerability $@, and should be upgraded to version 4.1.2. | https://github.com/dotnet/corefx/issues/19535 | Microsoft Security Advisory 4021279 |
-| csproj.config:13:5:13:67 | System.Net.Http 4.1.2 | Package System.Net.Http 4.1.2 has vulnerability $@, and should be upgraded to version 4.3.4. | https://github.com/dotnet/announcements/issues/88 | CVE-2018-8292 |
-| packages.config:8:3:8:79 | System.IO.Pipelines 4.5.0 | Package System.IO.Pipelines 4.5.0 has vulnerability $@, and should be upgraded to version 4.5.1. | https://github.com/aspnet/Announcements/issues/316 | CVE-2018-8409 |
-| packages.config:9:3:9:81 | System.IO.Pipelines 4.5.0.0 | Package System.IO.Pipelines 4.5.0.0 has vulnerability $@, and should be upgraded to version 4.5.1. | https://github.com/aspnet/Announcements/issues/316 | CVE-2018-8409 |
+| csproj.config:10:5:10:77 | System.Text.Encodings.Web 4.3.0 | Package 'System.Text.Encodings.Web 4.3.0' has vulnerability $@, and should be upgraded to version 4.3.1. | https://github.com/dotnet/corefx/issues/19535 | Microsoft Security Advisory 4021279 |
+| csproj.config:11:5:11:75 | system.text.encodings.web 4.3 | Package 'system.text.encodings.web 4.3' has vulnerability $@, and should be upgraded to version 4.3.1. | https://github.com/dotnet/corefx/issues/19535 | Microsoft Security Advisory 4021279 |
+| csproj.config:12:5:12:67 | System.Net.Http 4.1.1 | Package 'System.Net.Http 4.1.1' has vulnerability $@, and should be upgraded to version 4.1.2. | https://github.com/dotnet/corefx/issues/19535 | Microsoft Security Advisory 4021279 |
+| csproj.config:13:5:13:67 | System.Net.Http 4.1.2 | Package 'System.Net.Http 4.1.2' has vulnerability $@, and should be upgraded to version 4.3.4. | https://github.com/dotnet/announcements/issues/88 | CVE-2018-8292 |
+| packages.config:8:3:8:79 | System.IO.Pipelines 4.5.0 | Package 'System.IO.Pipelines 4.5.0' has vulnerability $@, and should be upgraded to version 4.5.1. | https://github.com/aspnet/Announcements/issues/316 | CVE-2018-8409 |
+| packages.config:9:3:9:81 | System.IO.Pipelines 4.5.0.0 | Package 'System.IO.Pipelines 4.5.0.0' has vulnerability $@, and should be upgraded to version 4.5.1. | https://github.com/aspnet/Announcements/issues/316 | CVE-2018-8409 |
