From a5fbad858bdc10daa34779dc68ef25068cbf5c86 Mon Sep 17 00:00:00 2001 From: Felicity Chapman Date: Wed, 13 Mar 2019 09:49:09 +0000 Subject: [PATCH 1/3] Sort table alphabetically --- change-notes/1.20/analysis-csharp.md | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/change-notes/1.20/analysis-csharp.md b/change-notes/1.20/analysis-csharp.md index 3763ddf811a0..88cf9d2bf88a 100644 --- a/change-notes/1.20/analysis-csharp.md +++ b/change-notes/1.20/analysis-csharp.md 
@@ -1,24 +1,18 @@ # Improvements to C# analysis -## General improvements - -## New queries - -| **Query** | **Tags** | **Purpose** | -|-----------------------------|-----------|--------------------------------------------------------------------| - ## Changes to existing queries -| *@name of query (Query ID)* | *Impact on results* | *How/why the query has changed* | +| **Query** | **Expected impact** | **Change** | |------------------------------|------------------------|-----------------------------------| -| Off-by-one comparison against container length (`cs/index-out-of-bounds`) | Fewer false positives | Results have been removed when there are additional guards on the index. | + | Dereferenced variable is always null (`cs/dereferenced-value-is-always-null`) | Improved results | The query has been rewritten from scratch, and the analysis is now based on static single assignment (SSA) forms. The query is now enabled by default in LGTM. | | Dereferenced variable may be null (`cs/dereferenced-value-may-be-null`) | Improved results | The query has been rewritten from scratch, and the analysis is now based on static single assignment (SSA) forms. The query is now enabled by default in LGTM. | +| Double-checked lock is not thread-safe (`cs/unsafe-double-checked-lock`) | Fewer false positives, more true positives | Results have been removed where the underlying field was not updated in the `lock` statement, or where the field is a `struct`. Results have been added where there are other statements inside the `lock` statement. | +| Off-by-one comparison against container length (`cs/index-out-of-bounds`) | Fewer false positives | Results have been removed when there are additional guards on the index. 
| | SQL query built from user-controlled sources (`cs/sql-injection`), Improper control of generation of code (`cs/code-injection`), Uncontrolled format string (`cs/uncontrolled-format-string`), Clear text storage of sensitive information (`cs/cleartext-storage-of-sensitive-information`), Exposure of private information (`cs/exposure-of-sensitive-information`) | More results | Data sources have been added from user controls in `System.Windows.Forms`. | +| Unused format argument (`cs/format-argument-unused`) | Fewer false positives | Results have been removed where the format string is empty. This is often used as a default value and is not an interesting result. | | Use of default ToString() (`cs/call-to-object-tostring`) | Fewer false positives | Results have been removed for `char` arrays passed to `StringBuilder.Append()`, which were incorrectly marked as using `ToString`. | | Use of default ToString() (`cs/call-to-object-tostring`) | Fewer results | Results have been removed when the object is an interface or an abstract class. | -| Unused format argument (`cs/format-argument-unused`) | Fewer false positives | Results have been removed where the format string is empty. This is often used as a default value and is not an interesting result. | -| Double-checked lock is not thread-safe (`cs/unsafe-double-checked-lock`) | Fewer false positives, more true positives | Results have been removed where the underlying field was not updated in the `lock` statement, or where the field is a `struct`. Results have been added where there are other statements inside the `lock` statement. | | Using a package with a known vulnerability (`cs/use-of-vulnerable-package`) | More results | This query detects packages vulnerable to CVE-2019-0657. | ## Changes to code extraction From e46eb36e58117b32502af93183934838631caee8 Mon Sep 17 00:00:00 2001 
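Review bot: the line added between the separator row `|------...|` and the first `Dereferenced variable is always null` row is a space-only `+ ` line; a blank line ends a markdown table, so the header row would render separately from the body rows. The next patch in the series deletes that same line again, so drop it here rather than adding and removing it across two commits. Two smaller points on the same hunk: the combined row that lists `cs/sql-injection`, `cs/code-injection`, `cs/uncontrolled-format-string`, `cs/cleartext-storage-of-sensitive-information` and `cs/exposure-of-sensitive-information` is sorted only by its first entry, so four of the five query names cannot be found by alphabetical lookup, and the subject "Sort table alphabetically" does not mention that the empty "## General improvements" and "## New queries" sections are deleted; either state that in the commit message or split it into its own commit.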
From: Felicity Chapman Date: Wed, 13 Mar 2019 10:25:41 +0000 Subject: [PATCH 2/3] Duplicate information for easier look up --- change-notes/1.20/analysis-csharp.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/change-notes/1.20/analysis-csharp.md b/change-notes/1.20/analysis-csharp.md index 88cf9d2bf88a..981eccb2ddc7 100644 --- a/change-notes/1.20/analysis-csharp.md +++ b/change-notes/1.20/analysis-csharp.md 
@@ -4,12 +4,15 @@ | **Query** | **Expected impact** | **Change** | |------------------------------|------------------------|-----------------------------------| - -| Dereferenced variable is always null (`cs/dereferenced-value-is-always-null`) | Improved results | The query has been rewritten from scratch, and the analysis is now based on static single assignment (SSA) forms. The query is now enabled by default in LGTM. | -| Dereferenced variable may be null (`cs/dereferenced-value-may-be-null`) | Improved results | The query has been rewritten from scratch, and the analysis is now based on static single assignment (SSA) forms. The query is now enabled by default in LGTM. | -| Double-checked lock is not thread-safe (`cs/unsafe-double-checked-lock`) | Fewer false positives, more true positives | Results have been removed where the underlying field was not updated in the `lock` statement, or where the field is a `struct`. Results have been added where there are other statements inside the `lock` statement. | +| Clear text storage of sensitive information (`cs/cleartext-storage-of-sensitive-information`) | More results | Data sources have been added from user controls in `System.Windows.Forms`. | +| Dereferenced variable is always null (`cs/dereferenced-value-is-always-null`) | Improved results | The query has been rewritten from scratch, and the analysis is now based on static single assignment (SSA) forms. Results are now shown by default in LGTM. | +| Dereferenced variable may be null (`cs/dereferenced-value-may-be-null`) | Improved results | The query has been rewritten from scratch, and the analysis is now based on static single assignment (SSA) forms. Results are now shown by default in LGTM. | +| Double-checked lock is not thread-safe (`cs/unsafe-double-checked-lock`) | Fewer false positive and more true positive results | No longer highlights code where the underlying field was not updated in the `lock` statement, or where the field is a `struct`. 
Results have been added where there are other statements inside the `lock` statement. | +| Exposure of private information (`cs/exposure-of-sensitive-information`) | More results | Data sources have been added from user controls in `System.Windows.Forms`. | +| Improper control of generation of code (`cs/code-injection`) | More results | Data sources have been added from user controls in `System.Windows.Forms`. | | Off-by-one comparison against container length (`cs/index-out-of-bounds`) | Fewer false positives | Results have been removed when there are additional guards on the index. | -| SQL query built from user-controlled sources (`cs/sql-injection`), Improper control of generation of code (`cs/code-injection`), Uncontrolled format string (`cs/uncontrolled-format-string`), Clear text storage of sensitive information (`cs/cleartext-storage-of-sensitive-information`), Exposure of private information (`cs/exposure-of-sensitive-information`) | More results | Data sources have been added from user controls in `System.Windows.Forms`. | +| SQL query built from user-controlled sources (`cs/sql-injection`) | More results | Data sources have been added from user controls in `System.Windows.Forms`. | +| Uncontrolled format string (`cs/uncontrolled-format-string`) | More results | Data sources have been added from user controls in `System.Windows.Forms`. | | Unused format argument (`cs/format-argument-unused`) | Fewer false positives | Results have been removed where the format string is empty. This is often used as a default value and is not an interesting result. | | Use of default ToString() (`cs/call-to-object-tostring`) | Fewer false positives | Results have been removed for `char` arrays passed to `StringBuilder.Append()`, which were incorrectly marked as using `ToString`. | | Use of default ToString() (`cs/call-to-object-tostring`) | Fewer results | Results have been removed when the object is an interface or an abstract class. | 
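Review bot: besides splitting the combined `cs/sql-injection` row into one row per query ID, which is what the subject "Duplicate information for easier look up" describes, this hunk also rewords cells that the split does not require: "The query is now enabled by default in LGTM." becomes "Results are now shown by default in LGTM." in both `Dereferenced variable` rows, and "Fewer false positives, more true positives" / "Results have been removed where" become "Fewer false positive and more true positive results" / "No longer highlights code where" in the `Double-checked lock` row. Those wording changes belong in the "Text updates for consistency" commit that follows, or the subject should mention them. As written, the `Double-checked lock` cell now mixes the two styles, opening with "No longer highlights code where ..." and closing with "Results have been added where ...".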
From 7c4ab6f2ae89c5b2c95a1f89a6395c03b7595b0c Mon Sep 17 00:00:00 2001 From: Felicity Chapman Date: Wed, 13 Mar 2019 10:31:44 +0000 Subject: [PATCH 3/3] Text updates for consistency --- change-notes/1.20/analysis-csharp.md | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/change-notes/1.20/analysis-csharp.md b/change-notes/1.20/analysis-csharp.md index 981eccb2ddc7..17d7aa9014ee 100644 --- a/change-notes/1.20/analysis-csharp.md +++ b/change-notes/1.20/analysis-csharp.md 
@@ -4,18 +4,18 @@ | **Query** | **Expected impact** | **Change** | |------------------------------|------------------------|-----------------------------------| -| Clear text storage of sensitive information (`cs/cleartext-storage-of-sensitive-information`) | More results | Data sources have been added from user controls in `System.Windows.Forms`. | +| Clear text storage of sensitive information (`cs/cleartext-storage-of-sensitive-information`) | More results | Now includes data sources for user controls in `System.Windows.Forms`. | | Dereferenced variable is always null (`cs/dereferenced-value-is-always-null`) | Improved results | The query has been rewritten from scratch, and the analysis is now based on static single assignment (SSA) forms. Results are now shown by default in LGTM. | | Dereferenced variable may be null (`cs/dereferenced-value-may-be-null`) | Improved results | The query has been rewritten from scratch, and the analysis is now based on static single assignment (SSA) forms. Results are now shown by default in LGTM. | | Double-checked lock is not thread-safe (`cs/unsafe-double-checked-lock`) | Fewer false positive and more true positive results | No longer highlights code where the underlying field was not updated in the `lock` statement, or where the field is a `struct`. Results have been added where there are other statements inside the `lock` statement. | -| Exposure of private information (`cs/exposure-of-sensitive-information`) | More results | Data sources have been added from user controls in `System.Windows.Forms`. | -| Improper control of generation of code (`cs/code-injection`) | More results | Data sources have been added from user controls in `System.Windows.Forms`. | -| Off-by-one comparison against container length (`cs/index-out-of-bounds`) | Fewer false positives | Results have been removed when there are additional guards on the index. 
| -| SQL query built from user-controlled sources (`cs/sql-injection`) | More results | Data sources have been added from user controls in `System.Windows.Forms`. | -| Uncontrolled format string (`cs/uncontrolled-format-string`) | More results | Data sources have been added from user controls in `System.Windows.Forms`. | -| Unused format argument (`cs/format-argument-unused`) | Fewer false positives | Results have been removed where the format string is empty. This is often used as a default value and is not an interesting result. | -| Use of default ToString() (`cs/call-to-object-tostring`) | Fewer false positives | Results have been removed for `char` arrays passed to `StringBuilder.Append()`, which were incorrectly marked as using `ToString`. | -| Use of default ToString() (`cs/call-to-object-tostring`) | Fewer results | Results have been removed when the object is an interface or an abstract class. | +| Exposure of private information (`cs/exposure-of-sensitive-information`) | More results | Now includes data sources for user controls in `System.Windows.Forms`. | +| Improper control of generation of code (`cs/code-injection`) | More results | Now includes data sources for user controls in `System.Windows.Forms`. | +| Off-by-one comparison against container length (`cs/index-out-of-bounds`) | Fewer false positive results | No longer reports results when there are additional guards on the index. | +| SQL query built from user-controlled sources (`cs/sql-injection`) | More results | Now includes data sources for user controls in `System.Windows.Forms`. | +| Uncontrolled format string (`cs/uncontrolled-format-string`) | More results | Now includes data sources for user controls in `System.Windows.Forms`. | +| Unused format argument (`cs/format-argument-unused`) | Fewer false positive results | No longer reports results where the format string is empty. This is often used as a default value and is not an interesting result. 
| +| Use of default ToString() (`cs/call-to-object-tostring`) | Fewer false positive results | No longer reports results for `char` arrays passed to `StringBuilder.Append()`, which were incorrectly marked as using `ToString`. | +| Use of default ToString() (`cs/call-to-object-tostring`) | Fewer results | No longer reports results when the object is an interface or an abstract class. | | Using a package with a known vulnerability (`cs/use-of-vulnerable-package`) | More results | This query detects packages vulnerable to CVE-2019-0657. | ## Changes to code extraction @@ -26,14 +26,13 @@ ## Changes to QL libraries * The class `TrivialProperty` now includes library properties determined to be trivial using CIL analysis. This may increase the number of results for all queries that use data flow. -* Taint-tracking steps have been added for the `Json.NET` package. This will improve results for queries that use taint-tracking. +* Taint-tracking steps have been added for the `Json.NET` package. This will improve results for queries that use taint tracking. * Support has been added for EntityFrameworkCore, including - Stored data flow sources - Sinks for SQL expressions - - Data flow through fields that are mapped to the database. + - Data flow through fields that are mapped to the database * Support has been added for NHibernate-Core, including - Stored data flow sources - Sinks for SQL expressions - - Data flow through fields that are mapped to the database. + - Data flow through fields that are mapped to the database -## Changes to the autobuilder
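Review bot: in the table hunk (`@@ -4,18 +4,18 @@`), the `Double-checked lock is not thread-safe` row is the one cell left untouched by the consistency pass and still ends with "Results have been added where there are other statements inside the `lock` statement.", while every other reworded cell uses the "Now includes ..." / "No longer reports ..." pattern; reword it along the lines of "Now reports results where there are other statements inside the `lock` statement." The two `Use of default ToString()` rows both carry the query ID `cs/call-to-object-tostring`; since the previous commit moved the table to one row per query ID, they could be merged into a single row whose Change column lists both removed result kinds.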
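Review bot: in the QL libraries hunk (`@@ -26,14 +26,13 @@`), the deletion of the trailing "## Changes to the autobuilder" heading is not a text-consistency edit and is not covered by the subject "Text updates for consistency"; if the section is being dropped because it is empty, as the empty sections were in the first commit of this series, say so in the commit message. The other changes in this hunk look right: the hyphen is kept in the adjectival "Taint-tracking steps" and dropped in the noun phrase "use taint tracking", and removing the trailing period from the last sub-bullet of both lists matches the other sub-bullets.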