codeql icon indicating copy to clipboard operation
codeql copied to clipboard
verified publisher icon github

C#: Re-generate .NET 8 Runtime models.

Open michaelnebel opened this issue 1 year ago • 1 comments

Re-generating the .NET runtime models revealed the very broad set of database (reader) sources.

Since we are now generating models that applies to all subclasses of database reader, the issue with result multiplicity gets a lot bigger, if we still perceive all database reader expressions as sources. As a result, we need to adjust the database reader sources. Combined with the new summaries, it reduces result multiplicities and yields better path explanations.

michaelnebel avatar May 23 '24 11:05 michaelnebel

:warning: The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

csharp

Generated file changes for csharp

  • Changes to framework-coverage-csharp.rst:
-    System,"``System.*``, ``System``",44,10429,59,9
+    System,"``System.*``, ``System``",44,9873,49,9
-    Others,"``Amazon.Lambda.APIGatewayEvents``, ``Amazon.Lambda.Core``, ``Dapper``, ``ILCompiler``, ``ILLink.RoslynAnalyzer``, ``ILLink.Shared``, ``ILLink.Tasks``, ``Internal.IL``, ``Internal.Pgo``, ``Internal.TypeSystem``, ``JsonToItemsTaskFactory``, ``Microsoft.Android.Build``, ``Microsoft.Apple.Build``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.CSharp``, ``Microsoft.Diagnostics.Tools.Pgo``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.Diagnostics.Metrics``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.NET.WebAssembly.Webcil``, ``Microsoft.VisualBasic``, ``Microsoft.WebAssembly.Build.Tasks``, ``Microsoft.Win32``, ``Mono.Linker``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``, ``SourceGenerators``, ``Windows.Security.Cryptography.Core``",54,1518,148,
+    Others,"``Amazon.Lambda.APIGatewayEvents``, ``Amazon.Lambda.Core``, ``Dapper``, ``ILCompiler``, ``ILLink.RoslynAnalyzer``, ``ILLink.Shared``, ``ILLink.Tasks``, ``Internal.IL``, ``Internal.Pgo``, ``Internal.TypeSystem``, ``JsonToItemsTaskFactory``, ``Microsoft.Android.Build``, ``Microsoft.Apple.Build``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.CSharp``, ``Microsoft.Diagnostics.Tools.Pgo``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.Diagnostics.Metrics``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.NET.WebAssembly.Webcil``, ``Microsoft.VisualBasic``, ``Microsoft.WebAssembly.Build.Tasks``, ``Microsoft.Win32``, ``Mono.Linker``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``, ``SourceGenerators``, ``Windows.Security.Cryptography.Core``",54,1357,148,
-    Totals,,98,11954,401,9
+    Totals,,98,11237,391,9
  • Changes to framework-coverage-csharp.csv:
- ILLink.Shared,,,32,,,,,,,,,,,,,,,,,,,29,3
+ ILLink.Shared,,,32,,,,,,,,,,,,,,,,,,,30,2
- Internal.IL,,,69,,,,,,,,,,,,,,,,,,,67,2
+ Internal.IL,,,46,,,,,,,,,,,,,,,,,,,44,2
- Internal.TypeSystem,,,367,,,,,,,,,,,,,,,,,,,331,36
+ Internal.TypeSystem,,,291,,,,,,,,,,,,,,,,,,,275,16
- Microsoft.CSharp,,,24,,,,,,,,,,,,,,,,,,,24,
+ Microsoft.CSharp,,,10,,,,,,,,,,,,,,,,,,,10,
- Microsoft.Diagnostics.Tools.Pgo,,,13,,,,,,,,,,,,,,,,,,,13,
+ Microsoft.Diagnostics.Tools.Pgo,,,12,,,,,,,,,,,,,,,,,,,12,
- Microsoft.Extensions.Configuration,,2,83,,,,,,,,,,,,,2,,,,,,81,2
+ Microsoft.Extensions.Configuration,,2,77,,,,,,,,,,,,,2,,,,,,76,1
- Microsoft.Extensions.DependencyInjection,,,120,,,,,,,,,,,,,,,,,,,120,
+ Microsoft.Extensions.DependencyInjection,,,96,,,,,,,,,,,,,,,,,,,95,1
- Microsoft.Extensions.DependencyModel,,,12,,,,,,,,,,,,,,,,,,,12,
+ Microsoft.Extensions.DependencyModel,,,9,,,,,,,,,,,,,,,,,,,9,
- Microsoft.Extensions.Diagnostics.Metrics,,,13,,,,,,,,,,,,,,,,,,,13,
+ Microsoft.Extensions.Diagnostics.Metrics,,,15,,,,,,,,,,,,,,,,,,,15,
- Microsoft.Extensions.Hosting,,,23,,,,,,,,,,,,,,,,,,,22,1
+ Microsoft.Extensions.Hosting,,,26,,,,,,,,,,,,,,,,,,,25,1
- Microsoft.Extensions.Logging,,,60,,,,,,,,,,,,,,,,,,,59,1
+ Microsoft.Extensions.Logging,,,53,,,,,,,,,,,,,,,,,,,52,1
- Microsoft.Interop,,,78,,,,,,,,,,,,,,,,,,,78,
+ Microsoft.Interop,,,73,,,,,,,,,,,,,,,,,,,73,
- Microsoft.VisualBasic,,,10,,,,,,,,,,,,,,,,,,,5,5
+ Microsoft.VisualBasic,,,6,,,,,,,,,,,,,,,,,,,1,5
- Mono.Linker,,,161,,,,,,,,,,,,,,,,,,,161,
+ Mono.Linker,,,158,,,,,,,,,,,,,,,,,,,158,
- System,59,44,10429,,8,8,1,,,4,5,,33,2,,3,15,17,3,4,,8460,1969
+ System,49,44,9873,,3,3,1,,,4,5,,33,2,,3,15,17,3,4,,7968,1905

github-actions[bot] avatar May 23 '24 11:05 github-actions[bot]

For the first DCA execution (remote flow sources) there are 5 new results. 1 in the powershell project and 4 in the mono project. I spot checked the result in the powershell project and this seems sound. The result path uses at least the following new summary:

"System.Reflection", "Assembly", True, "get_Location", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"

The path consists around 100 steps, but it appears that the assembly location is "stored" which appears to be a true positive for the cs/cleartext-storage-of-sensitive-information query.

michaelnebel avatar May 29 '24 12:05 michaelnebel

The "lost" sql-injection results from local sources are because flow is not identified via the source code overrides of GetString (IDataRecord member). To fix this issue we promote the generated summaries to manual as they are then still considered even though the source code is present.

michaelnebel avatar May 30 '24 10:05 michaelnebel

The latest DCA run looks good; I have also spot checked one of the local source results. The new cs/sql-injection result on mono is because of the summary

["System.Data", "IDataRecord", True, "GetString", "(System.Int32)", "", "Argument[this]", "ReturnValue", "taint", "manual"]

which looks sound.

That is, with the update .NET 8 Runtime models we

  • Get 15 new results on our DCA projects.
  • A reduction in the multiplicity of database sourced results AND better (longer) path explanations for database sources.

michaelnebel avatar May 30 '24 14:05 michaelnebel

DCA still looks good.

michaelnebel avatar Jun 03 '24 07:06 michaelnebel