Suppress credscan false positives#38026
Conversation
|
I couldn't figure out the best area label to add to this PR. Please help me learn by adding exactly one area label. |
| } | ||
|
|
||
| if (($endpoints | Measure-Object).Count -gt 0) { | ||
| # [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Endpoint code example")] |
There was a problem hiding this comment.
yeah, this line suppress false positive in the comment below
src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.DefaultProxyCredentials.cs
Outdated
Show resolved
Hide resolved
...ries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/EC/ECKeyFileTests.cs
Show resolved
Hide resolved
src/libraries/System.Net.Http/tests/FunctionalTests/SocketsHttpHandlerTest.cs
Show resolved
Hide resolved
src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.DefaultProxyCredentials.cs
Outdated
Show resolved
Hide resolved
src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.cs
Outdated
Show resolved
Hide resolved
src/libraries/System.Net.Http/tests/UnitTests/HttpEnvironmentProxyTest.cs
Outdated
Show resolved
Hide resolved
src/libraries/System.Net.WebSockets.Client/tests/ConnectTest.cs
Outdated
Show resolved
Hide resolved
src/libraries/System.Security.Cryptography.Xml/tests/TestHelpers.cs
Outdated
Show resolved
Hide resolved
...ries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/EC/ECKeyFileTests.cs
Outdated
Show resolved
Hide resolved
src/libraries/System.Security.Cryptography.Xml/tests/EncryptedXmlTest.cs
Outdated
Show resolved
Hide resolved
src/libraries/System.Security.Cryptography.Xml/tests/TestHelpers.cs
Outdated
Show resolved
Hide resolved
ManickaP
left a comment
ManickaP
left a comment
There was a problem hiding this comment.
I'd mostly go with the comment suppression instead of obfuscation.
src/libraries/Common/tests/System/Net/Configuration.Certificates.cs
Outdated
Show resolved
Hide resolved
src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.cs
Outdated
Show resolved
Hide resolved
src/libraries/Common/tests/TestUtilities/System/SecretsHelper.Net.cs
Outdated
Show resolved
Hide resolved
...braries/System.Security.Cryptography.Xml/tests/System.Security.Cryptography.Xml.Tests.csproj
Outdated
Show resolved
Hide resolved
src/libraries/System.Security.Cryptography.Xml/tests/TestHelpers.cs
Outdated
Show resolved
Hide resolved
src/libraries/System.Security.Cryptography.Xml/tests/TestHelpers.cs
Outdated
Show resolved
Hide resolved
src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.Authentication.cs
Outdated
Show resolved
Hide resolved
src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.DefaultProxyCredentials.cs
Outdated
Show resolved
Hide resolved
aik-jahoda
force-pushed
the
jajahoda/credscan1
branch
from
3e3ef19 to
5db9bfa
Compare
There was a problem hiding this comment.
Why are these commented out? Shouldn't they either be deleted or uncommented? Or does the tooling pay attention to commented out SuppressMessage attributes?
There was a problem hiding this comment.
Yes, it is official way how to suppress report for the next line.
There was a problem hiding this comment.
I wonder how we will remember to not remove these as dead code! Would this also be recognized?
// [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="It is property descriptor, not secret value.")] // Commented line recognized by credscan tool?
There was a problem hiding this comment.
My preference would be actually running the analyzer in dotnet/runtime.
There was a problem hiding this comment.
Can you clarify, I thought that's what @aik-jahoda is doing.
There was a problem hiding this comment.
Very few direct check-ins are made to the private mirror. It makes no sense to me to run analyzers over that source that we don't also run as part of the public repo, where 99.999% of all commits come from. Doing that only causes additional dev work and headaches, and it's caused problems as well, where mirroring fails because the already merged commits then fail the subsequent pre-merge validation. This also isn't a one-time thing; PRs like this have been submitted at multiple times in the past in order to mop up from such analyzers that are being run late. And to your question about not deleting code as dead/stale, this exact mechanism would address that. So I don't understand the concerns or pushbavk. It seems like a no brainer to me. What am I not comprehending?
Not all files are in the build
And what percentage of the changes in this PR are to such files? I'm not saying it would prevent all possible problems. You're saying it's useless if it's not 100% false negatives? I highly doubt the existing tooling even gets close to that.
There was a problem hiding this comment.
Just info about the tool and public PRs, it cannot be run out in the open: dotnet/arcade#4663
But there's an open issue https://github.com/dotnet/core-eng/issues/5747 about running it on public PRs.
Though I'm not what it will be good for without the results 🤣
There was a problem hiding this comment.
Thanks. I don't buy the answer in that issue, though. We run analyzers that validate, for example, SHA1 isn't being used, and that's an "SDL static verification tool".
There was a problem hiding this comment.
@danmosemsft, are you ok to merge this PR? I think we currently don't have a better option how to suppress the bugs reported by the tool.
There was a problem hiding this comment.
The changes look OK to me, modulo the large conceptual problem of how there's a gap between checkins and analysis. I'm withholding a checkmark to let @danmosemsft decide if we want to block this on the conceptual problem or not.
src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.Authentication.cs
Outdated
Show resolved
Hide resolved
src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.DefaultProxyCredentials.cs
Outdated
Show resolved
Hide resolved
src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.DefaultProxyCredentials.cs
Outdated
Show resolved
Hide resolved
...ies/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/RSAKeyPemTests.cs
Outdated
Show resolved
Hide resolved
...toryServices.AccountManagement/tests/System.DirectoryServices.AccountManagement.Tests.csproj
Outdated
Show resolved
Hide resolved
src/libraries/System.Security.Cryptography.Xml/tests/SignedXmlTest.cs
Outdated
Show resolved
Hide resolved
src/libraries/System.Security.Cryptography.Xml/tests/TestHelpers.cs
Outdated
Show resolved
Hide resolved
src/libraries/Common/tests/TestUtilities/System/TestSecretHelper.cs
Outdated
Show resolved
Hide resolved
src/libraries/System.Security.Cryptography.X509Certificates/tests/TestData.cs
Outdated
Show resolved
Hide resolved
|
@bartonjs, @stephentoub thanks for your comments. I have replied, can you let me know your thoughts please? |
|
There is an example how it would look like if we have |
Personally, I like it much better 👍 It's clearer what it's for than the Although I think that, for most of the test files, we could have just leave the whole file suppressed in CredScanSuppressions.json. |
aik-jahoda
force-pushed
the
jajahoda/credscan1
branch
from
2295353 to
186991e
Compare
|
I reverted it to the |
...ries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/EC/ECKeyFileTests.cs
Outdated
Show resolved
Hide resolved
...es/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/RSAKeyFileTests.cs
Outdated
Show resolved
Hide resolved
...es/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/RSAKeyFileTests.cs
Outdated
Show resolved
Hide resolved
...es/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/RSAKeyFileTests.cs
Outdated
Show resolved
Hide resolved
src/libraries/System.Security.Cryptography.X509Certificates/tests/ExportTests.cs
Outdated
Show resolved
Hide resolved
src/libraries/System.Security.Cryptography.Xml/tests/EncryptedXmlTest.cs
Outdated
Show resolved
Hide resolved
src/libraries/System.Security.Cryptography.Xml/tests/EncryptedXmlTest.cs
Outdated
Show resolved
Hide resolved
src/libraries/System.Security.Cryptography.Xml/tests/EncryptedXmlTest.cs
Outdated
Show resolved
Hide resolved
Co-authored-by: Jeremy Barton <jbarton@microsoft.com>
aik-jahoda
force-pushed
the
jajahoda/credscan1
branch
from
9f53327 to
921d9f0
Compare
src/libraries/System.Net.Requests/src/System/Net/FtpWebRequest.cs
Outdated
Show resolved
Hide resolved
src/libraries/System.Net.Requests/src/System/Net/FtpControlStream.cs
Outdated
Show resolved
Hide resolved
danmoseley
left a comment
danmoseley
left a comment
There was a problem hiding this comment.
I think this is OK -- whether or not we can move this credscan checking "upstream" or not, it makes sense to get it clean now as part of the larger effort, and minimally affects the product code.
src/libraries/System.DirectoryServices.AccountManagement/tests/PrincipalTest.cs
Show resolved
Hide resolved
* Suppress initial cred issues * Another bunch of supresses * Clean up * Another bunch of supresses * Revert to suppression messages * Clean up * Apply suggestions from code review Co-authored-by: Jeremy Barton <jbarton@microsoft.com> * Revert passwords literals * Fix suppression justification comment Co-authored-by: Jan Jahoda <jajahoda@.microsoft.com> Co-authored-by: Jeremy Barton <jbarton@microsoft.com>
ghost
locked as resolved and limited conversation to collaborators
6 participants
In libraries, there is a lot of credscan false positives. We use a lot of plaintext passwords and certificates in networking test code. All the passwords and certificates are generated only for test purpose and they are considered safe.
To prevent false positives next time this PR introduces a helper class to explicitly mark the test passwords and certificates.