.NET, .NET Core, C#, CSharp, Library, Programming, security

Security Code Scan – open source vulnerability patterns detector

Security Code Scan is open source (LGPL v3.0) vulnerability patterns detector for C# (including .NET Core) and VB.NET. It has two installation modes: either as VS extension or as nuget package (SecurityCodeScan).

Instead of writing about types of attacks which it can detect – let’s demo it. As a test application, I created API application from template (.NET Core 3.1) and installed the library as nuget package. The scan results are visible as warning during the build process. I believe that for most cases it is enough and you don’t need to monitor in real time (as warnings in impacted places). It’s quite “heavy” if your code base is high.

Empty project (from template) contains some code with random numbers generators which is immediatly reported as Warning (Code: SCS0005, Description: Weak random generator).

var rng = new Random();
return Enumerable.Range(1, 5).Select(_ => new WeatherForecast
{
	TemperatureC = rng.Next(-20, 55),
})

Visual Studio suggested to configure importance of the issue with the following values:

  • None
  • Silent
  • Suggestion
  • Warning
  • Error

Unfortunately it did not say how to reconfigure to have strong numbers generator. Fortunately you can find it by clicking code in warnings (redirect to detailed description) or googling.

using System.Security.Cryptography;
var rnd = RandomNumberGenerator.Create();

Library can detect also SQL Injection. During creation of this article the latest EF Core version was 3.1.1 which has new method called FromSqlRaw. I entered following string concatenation and suprisingly it was not detected as an issue. I expected that it will be reported. I checked with Microsoft’s documentation and it confirms that it may lead to SQL Injection. So there is some small chance that library itself is looking for known methods and that’s why this one was not reported.

dbContext.Books.FromSqlRaw("SELECT * FROM Books where BookId = " + bookId + " and Id = 2").ToList();

When I used old, well known FromSql, a warning was raised immediatly (Code SCS0035, message Possible SQL injection in 1st argument passed to ‘dbContext.Books.FromSql’ ). Also an error appeared telling me that the method is obsolete.

dbContext.Books.FromSql("SELECT * FROM Books where BookId = " + bookId);

So the conclusion is that library is not fully up-to-date and its users need to keep an eye on the code during code reviews as this automate is not bulletproof. However it is very good beginning, even if not detects everything, this software is very good alternative comparing to expensive enterprise solutions.

More about Security Code Scan you can read here.

UPDATE 1:

I reported issue with FromSqlRaw on GitHub and it was just fixed. I’m really impressed by very quick reaction of contributor.

2 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *