C#: New query VulnerablePackage#335
Conversation
@calumgrant I'll have a look at this. Shall I wait for the technical review to be completed first?

@jf205 That would probably be best.
hvitved
left a comment
Very nice. My only concern is that we have to keep Vulnerabilities.qll up-to-date manually.
Note: I did not check all vulnerability version numbers in detail.
<overview>
<p>
Using a package with a known vulnerability is a security risk that could leave the
software vulnerable to attack.
I think you could use any of the above suggestions–my preference would be to leave as it is though.
from Vulnerability vuln, VulnerablePackage package
where vuln = package.getVulnerability()
select package, "Package " + package + " has vulnerability $@, and should be upgraded to version " + package.getFixedVersion() + ".",
Have you checked that the links to vuln.getUrl() render correctly in both QL4E and on LGTM.com?
If the above does not work, I think something like this should:
"Package " + package + " has vulnerability [[\"" + vuln + "\"|\"" +vuln.getUrl()+ "\"]], and should be upgraded to version " + package.getFixedVersion() + "."
jf205
left a comment
One very minor suggestion, otherwise LGTM.
One question: does this query need to be added to a standard suite?
<recommendation>
<p>
Upgrade the package to the recommended version, for example using the NuGet package manager,
or by editing the project files directly.
Suggest very minor rewording here:
Upgrade the package to the recommended version, using, for example, the NuGet package manager, or by editing the project files directly.
This query finds vulnerable packages imported in project or config files.
Vulnerabilities are described in QL, and the design is extensible to make it straightforward to add new CVEs.
Autobuilder has been changed to also index .csproj and .props files as XML.

An initial version of this query attempted to use the paths of imported assemblies, but this had the disadvantage that it was hard to report the location of the error and it is often hard to track down the root cause of the import. This new version reports the XML element that caused the import, which is more actionable and easier to test.
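As an added illustration of the design the description above explains (this is not the CodeQL query or Vulnerabilities.qll from the PR), the following Python scans a project file as XML and reports the PackageReference element that imports a vulnerable package; the vulnerability table, package names and advisory ids are constructed placeholders.

```python
# Added example, not the PR's own code: mirrors the query's design by reading a
# .csproj/.props file as XML and reporting the <PackageReference> element that
# caused the import, together with the version to upgrade to.
import xml.parsers.expat

# Constructed, hypothetical table: (package, introduced, fixed, advisory id).
# A version v is affected when introduced <= v < fixed. In the PR this data
# lives in Vulnerabilities.qll; the ids here are placeholders, not real CVEs.
VULNERABILITIES = [
    ("Example.Serializer", "1.0.0", "1.4.2", "ADVISORY-PLACEHOLDER-1"),
    ("Example.Http", "2.0.0", "2.3.0", "ADVISORY-PLACEHOLDER-2"),
]

def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2); a pre-release suffix such as '-beta' is dropped."""
    core = text.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))

def package_references(xml_text):
    """Return (name, version, line) for each PackageReference element. expat is
    used so every finding carries the line of the XML element that imported it."""
    found = []
    parser = xml.parsers.expat.ParserCreate()
    def start(tag, attrs):
        if tag == "PackageReference" and "Include" in attrs and "Version" in attrs:
            found.append((attrs["Include"], attrs["Version"], parser.CurrentLineNumber))
    parser.StartElementHandler = start
    parser.Parse(xml_text, True)
    return found

def find_vulnerable_packages(xml_text):
    """Return (name, version, line, advisory, fixed_version) per vulnerable reference."""
    findings = []
    for name, version, line in package_references(xml_text):
        v = parse_version(version)
        for pkg, introduced, fixed, advisory in VULNERABILITIES:
            if pkg == name and parse_version(introduced) <= v < parse_version(fixed):
                findings.append((name, version, line, advisory, fixed))
    return findings

# Constructed sample project file: one affected reference, one already fixed.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Example.Serializer" Version="1.3.0" />
    <PackageReference Include="Example.Http" Version="2.3.0" />
  </ItemGroup>
</Project>
"""

if __name__ == "__main__":
    for name, version, line, advisory, fixed in find_vulnerable_packages(SAMPLE_CSPROJ):
        print(f"line {line}: package {name} {version} has vulnerability {advisory}, "
              f"and should be upgraded to version {fixed}.")
```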