From 968755c25972accb75dc58694dfd9f6244575c2d Mon Sep 17 00:00:00 2001 From: Manish Vasani Date: Thu, 22 Oct 2020 07:02:03 -0700 Subject: [PATCH 1/3] Add CompilationEnd custom tag to diagnostics reported in compilation end actions Required to account for IDE experience for compilation end diagnostics as a consequence of https://github.com/dotnet/roslyn/pull/48762 As many security rules are compilation end diagnostics, I have made the new parameter `isReportedAtCompilationEnd` a required parameter for `SecurityHelpers.CreateDiagnosticDescriptor` helper. --- .../Core/FixAnalyzers/FixerWithFixAllAnalyzer.cs | 2 +- .../MetaAnalyzers/DiagnosticAnalyzerAPIUsageAnalyzer.cs | 4 ++-- .../DiagnosticDescriptorCreationAnalyzer.cs | 4 ++-- .../Core/SymbolIsBannedAnalyzer.cs | 2 +- .../MarkAssembliesWithAttributesDiagnosticAnalyzer.cs | 3 ++- .../ApiDesignGuidelines/MarkAssembliesWithComVisible.cs | 3 ++- .../TypeNamesShouldNotMatchNamespaces.cs | 6 ++++-- .../AvoidUninstantiatedInternalClasses.cs | 3 ++- .../Maintainability/AvoidUnusedPrivateFields.cs | 3 ++- .../Maintainability/CodeMetricsAnalyzer.cs | 3 ++- .../Maintainability/ReviewUnusedParameters.cs | 3 ++- .../QualityGuidelines/MarkMembersAsStatic.cs | 3 ++- .../MarkAssembliesWithNeutralResourcesLanguage.cs | 3 ++- .../Runtime/DisposableFieldsShouldBeDisposed.cs | 3 ++- ...taTableInIFormatterSerializableObjectGraphAnalyzer.cs | 3 ++- .../DataSetDataTableInSerializableObjectGraphAnalyzer.cs | 3 ++- .../DataSetDataTableInSerializableTypeAnalyzer.cs | 9 ++++++--- ...taSetDataTableInWebSerializableObjectGraphAnalyzer.cs | 3 ++- .../DoNotAddArchiveItemPathToTheTargetFileSystemPath.cs | 1 + .../DoNotCallDangerousMethodsInDeserialization.cs | 3 ++- .../Security/DoNotDisableHttpClientCRLCheck.cs | 2 ++ .../Security/DoNotHardCodeCertificate.cs | 1 + .../Security/DoNotHardCodeEncryptionKey.cs | 1 + .../Security/DoNotInstallRootCert.cs | 2 ++ .../Security/DoNotSerializeTypeWithPointerFields.cs | 3 ++- .../Security/DoNotSetSwitch.cs | 2 ++ .../Security/DoNotUseCreateEncryptorWithNonDefaultIV.cs | 2 ++ .../Security/DoNotUseDataSetReadXml.cs | 6 ++++-- .../Security/DoNotUseDataTableReadXml.cs | 3 ++- .../Security/DoNotUseDeprecatedSecurityProtocols.cs | 4 +++- ...DoNotUseInsecureDeserializerBinaryFormatterMethods.cs | 1 + ...seInsecureDeserializerBinaryFormatterWithoutBinder.cs | 6 ++++-- ...rializerJavascriptSerializerWithSimpleTypeResolver.cs | 6 ++++-- .../DoNotUseInsecureDeserializerJsonNetWithoutBinder.cs | 6 ++++-- .../Security/DoNotUseInsecureDeserializerLosFormatter.cs | 3 ++- ...secureDeserializerNetDataContractSerializerMethods.cs | 1 + ...DeserializerNetDataContractSerializerWithoutBinder.cs | 6 ++++-- .../DoNotUseInsecureDeserializerObjectStateFormatter.cs | 3 ++- .../Security/DoNotUseInsecureSettingsForJsonNet.cs | 6 ++++-- .../DoNotUseWeakKDFInsufficientIterationCount.cs | 2 ++ .../Security/Helpers/SecurityHelpers.cs | 6 +++++- .../Security/JsonNetTypeNameHandling.cs | 1 + .../PotentialReferenceCycleInDeserializedObjectGraph.cs | 3 ++- .../ReviewCodeForCommandExecutionVulnerabilities.cs | 3 ++- .../Security/ReviewCodeForDllInjectionVulnerabilities.cs | 3 ++- .../ReviewCodeForFilePathInjectionVulnerabilities.cs | 3 ++- .../ReviewCodeForInformationDisclosureVulnerabilities.cs | 3 ++- .../ReviewCodeForLdapInjectionVulnerabilities.cs | 3 ++- .../Security/ReviewCodeForOpenRedirectVulnerabilities.cs | 3 ++- .../ReviewCodeForRegexInjectionVulnerabilities.cs | 3 ++- .../Security/ReviewCodeForSqlInjectionVulnerabilities.cs | 3 ++- .../ReviewCodeForXPathInjectionVulnerabilities.cs | 3 ++- .../ReviewCodeForXamlInjectionVulnerabilities.cs | 3 ++- .../Security/ReviewCodeForXmlInjectionVulnerabilities.cs | 3 ++- .../Security/ReviewCodeForXssVulnerabilities.cs | 3 ++- .../Security/SetHttpOnlyForHttpCookie.cs | 1 + .../Security/SslProtocolsAnalyzer.cs | 2 ++ .../Security/UseAutoValidateAntiforgeryToken.cs | 2 ++ .../Security/UseDefaultDllImportSearchPathsAttribute.cs | 2 ++ .../Security/UseSecureCookiesASPNetCore.cs | 2 ++ .../Core/Analyzers/DeclarePublicApiAnalyzer.cs | 6 +++--- ...SymbolDeclaredEventMustBeGeneratedForSourceSymbols.cs | 2 +- src/Utilities/Compiler/DiagnosticDescriptorHelper.cs | 7 +++++++ .../Extensions/WellKnownDiagnosticTagsExtensions.cs | 2 ++ 64 files changed, 146 insertions(+), 59 deletions(-) diff --git a/src/Microsoft.CodeAnalysis.Analyzers/Core/FixAnalyzers/FixerWithFixAllAnalyzer.cs b/src/Microsoft.CodeAnalysis.Analyzers/Core/FixAnalyzers/FixerWithFixAllAnalyzer.cs index 6b68a4ca87..cb0167557e 100644 --- a/src/Microsoft.CodeAnalysis.Analyzers/Core/FixAnalyzers/FixerWithFixAllAnalyzer.cs +++ b/src/Microsoft.CodeAnalysis.Analyzers/Core/FixAnalyzers/FixerWithFixAllAnalyzer.cs @@ -66,7 +66,7 @@ public sealed class FixerWithFixAllAnalyzer : DiagnosticAnalyzer DiagnosticSeverity.Warning, description: s_localizableOverrideGetFixAllProviderDescription, isEnabledByDefault: true, - customTags: WellKnownDiagnosticTags.Telemetry); + customTags: WellKnownDiagnosticTagsExtensions.CompilationEndAndTelemetry); public override ImmutableArray SupportedDiagnostics => ImmutableArray.Create(CreateCodeActionEquivalenceKeyRule, OverrideCodeActionEquivalenceKeyRule, OverrideGetFixAllProviderRule); diff --git a/src/Microsoft.CodeAnalysis.Analyzers/Core/MetaAnalyzers/DiagnosticAnalyzerAPIUsageAnalyzer.cs b/src/Microsoft.CodeAnalysis.Analyzers/Core/MetaAnalyzers/DiagnosticAnalyzerAPIUsageAnalyzer.cs index a566e14b11..17ad6e0c58 100644 --- a/src/Microsoft.CodeAnalysis.Analyzers/Core/MetaAnalyzers/DiagnosticAnalyzerAPIUsageAnalyzer.cs +++ b/src/Microsoft.CodeAnalysis.Analyzers/Core/MetaAnalyzers/DiagnosticAnalyzerAPIUsageAnalyzer.cs @@ -35,7 +35,7 @@ public abstract class DiagnosticAnalyzerApiUsageAnalyzer : Diagnost DiagnosticSeverity.Warning, isEnabledByDefault: true, description: s_localizableDescription, - customTags: WellKnownDiagnosticTags.Telemetry); + customTags: WellKnownDiagnosticTagsExtensions.CompilationEndAndTelemetry); public static readonly DiagnosticDescriptor DoNotUseTypesFromAssemblyIndirectRule = new DiagnosticDescriptor( DiagnosticIds.DoNotUseTypesFromAssemblyRuleId, @@ -45,7 +45,7 @@ public abstract class DiagnosticAnalyzerApiUsageAnalyzer : Diagnost DiagnosticSeverity.Warning, isEnabledByDefault: true, description: s_localizableDescription, - customTags: WellKnownDiagnosticTags.Telemetry); + customTags: WellKnownDiagnosticTagsExtensions.CompilationEndAndTelemetry); protected abstract bool IsNamedTypeDeclarationBlock(SyntaxNode syntax); public override ImmutableArray SupportedDiagnostics => ImmutableArray.Create(DoNotUseTypesFromAssemblyDirectRule, DoNotUseTypesFromAssemblyIndirectRule); diff --git a/src/Microsoft.CodeAnalysis.Analyzers/Core/MetaAnalyzers/DiagnosticDescriptorCreationAnalyzer.cs b/src/Microsoft.CodeAnalysis.Analyzers/Core/MetaAnalyzers/DiagnosticDescriptorCreationAnalyzer.cs index 544c372bdd..e3838bf319 100644 --- a/src/Microsoft.CodeAnalysis.Analyzers/Core/MetaAnalyzers/DiagnosticDescriptorCreationAnalyzer.cs +++ b/src/Microsoft.CodeAnalysis.Analyzers/Core/MetaAnalyzers/DiagnosticDescriptorCreationAnalyzer.cs @@ -102,7 +102,7 @@ public sealed class DiagnosticDescriptorCreationAnalyzer : DiagnosticAnalyzer DiagnosticSeverity.Warning, isEnabledByDefault: true, description: s_localizableUseUniqueDiagnosticIdDescription, - customTags: WellKnownDiagnosticTags.Telemetry); + customTags: WellKnownDiagnosticTagsExtensions.CompilationEndAndTelemetry); public static readonly DiagnosticDescriptor UseCategoriesFromSpecifiedRangeRule = new DiagnosticDescriptor( DiagnosticIds.UseCategoriesFromSpecifiedRangeRuleId, @@ -122,7 +122,7 @@ public sealed class DiagnosticDescriptorCreationAnalyzer : DiagnosticAnalyzer DiagnosticSeverity.Warning, isEnabledByDefault: true, description: s_localizableAnalyzerCategoryAndIdRangeFileInvalidDescription, - customTags: WellKnownDiagnosticTags.Telemetry); + customTags: WellKnownDiagnosticTagsExtensions.CompilationEndAndTelemetry); public override ImmutableArray SupportedDiagnostics => ImmutableArray.Create( UseLocalizableStringsInDescriptorRule, diff --git a/src/Microsoft.CodeAnalysis.BannedApiAnalyzers/Core/SymbolIsBannedAnalyzer.cs b/src/Microsoft.CodeAnalysis.BannedApiAnalyzers/Core/SymbolIsBannedAnalyzer.cs index 90842ef8a3..96b65798c4 100644 --- a/src/Microsoft.CodeAnalysis.BannedApiAnalyzers/Core/SymbolIsBannedAnalyzer.cs +++ b/src/Microsoft.CodeAnalysis.BannedApiAnalyzers/Core/SymbolIsBannedAnalyzer.cs @@ -39,7 +39,7 @@ internal static class SymbolIsBannedAnalyzer isEnabledByDefault: true, description: BannedApiAnalyzerResources.DuplicateBannedSymbolDescription, helpLinkUri: "https://github.com/dotnet/roslyn-analyzers/blob/master/src/Microsoft.CodeAnalysis.BannedApiAnalyzers/BannedApiAnalyzers.Help.md", - customTags: WellKnownDiagnosticTags.Telemetry); + customTags: WellKnownDiagnosticTagsExtensions.CompilationEndAndTelemetry); } public abstract class SymbolIsBannedAnalyzer : DiagnosticAnalyzer diff --git a/src/NetAnalyzers/Core/Microsoft.CodeQuality.Analyzers/ApiDesignGuidelines/MarkAssembliesWithAttributesDiagnosticAnalyzer.cs b/src/NetAnalyzers/Core/Microsoft.CodeQuality.Analyzers/ApiDesignGuidelines/MarkAssembliesWithAttributesDiagnosticAnalyzer.cs index c0575da156..0b08696020 100644 --- a/src/NetAnalyzers/Core/Microsoft.CodeQuality.Analyzers/ApiDesignGuidelines/MarkAssembliesWithAttributesDiagnosticAnalyzer.cs +++ b/src/NetAnalyzers/Core/Microsoft.CodeQuality.Analyzers/ApiDesignGuidelines/MarkAssembliesWithAttributesDiagnosticAnalyzer.cs @@ -38,7 +38,8 @@ public sealed class MarkAssembliesWithAttributesDiagnosticAnalyzer : DiagnosticA description: s_localizableDescriptionCA1014, isPortedFxCopRule: true, isDataflowRule: false, - isEnabledByDefaultInFxCopAnalyzers: false); + isEnabledByDefaultInFxCopAnalyzers: false, + isReportedAtCompilationEnd: true); public override ImmutableArray SupportedDiagnostics => ImmutableArray.Create(CA1016Rule, CA1014Rule); diff --git a/src/NetAnalyzers/Core/Microsoft.CodeQuality.Analyzers/ApiDesignGuidelines/MarkAssembliesWithComVisible.cs b/src/NetAnalyzers/Core/Microsoft.CodeQuality.Analyzers/ApiDesignGuidelines/MarkAssembliesWithComVisible.cs index ab94ed8f55..5fc522606e 100644 --- a/src/NetAnalyzers/Core/Microsoft.CodeQuality.Analyzers/ApiDesignGuidelines/MarkAssembliesWithComVisible.cs +++ b/src/NetAnalyzers/Core/Microsoft.CodeQuality.Analyzers/ApiDesignGuidelines/MarkAssembliesWithComVisible.cs @@ -37,7 +37,8 @@ public sealed class MarkAssembliesWithComVisibleAnalyzer : DiagnosticAnalyzer description: s_localizableDescription, isPortedFxCopRule: true, isDataflowRule: false, - isEnabledByDefaultInFxCopAnalyzers: false); + isEnabledByDefaultInFxCopAnalyzers: false, + isReportedAtCompilationEnd: true); public override ImmutableArray SupportedDiagnostics => ImmutableArray.Create(RuleChangeComVisible, RuleAddComVisible); diff --git a/src/NetAnalyzers/Core/Microsoft.CodeQuality.Analyzers/ApiDesignGuidelines/TypeNamesShouldNotMatchNamespaces.cs b/src/NetAnalyzers/Core/Microsoft.CodeQuality.Analyzers/ApiDesignGuidelines/TypeNamesShouldNotMatchNamespaces.cs index f3cc7b27db..7d670ca5fc 100644 --- a/src/NetAnalyzers/Core/Microsoft.CodeQuality.Analyzers/ApiDesignGuidelines/TypeNamesShouldNotMatchNamespaces.cs +++ b/src/NetAnalyzers/Core/Microsoft.CodeQuality.Analyzers/ApiDesignGuidelines/TypeNamesShouldNotMatchNamespaces.cs @@ -32,7 +32,8 @@ public sealed class TypeNamesShouldNotMatchNamespacesAnalyzer : DiagnosticAnalyz RuleLevel.Disabled, description: s_localizableDescription, isPortedFxCopRule: true, - isDataflowRule: false); + isDataflowRule: false, + isReportedAtCompilationEnd: true); internal static DiagnosticDescriptor SystemRule = DiagnosticDescriptorHelper.Create(RuleId, s_localizableTitle, s_localizableMessageSystem, @@ -40,7 +41,8 @@ public sealed class TypeNamesShouldNotMatchNamespacesAnalyzer : DiagnosticAnalyz RuleLevel.Disabled, description: s_localizableDescription, isPortedFxCopRule: true, - isDataflowRule: false); + isDataflowRule: false, + isReportedAtCompilationEnd: true); public override ImmutableArray SupportedDiagnostics => ImmutableArray.Create(DefaultRule, SystemRule); diff --git a/src/NetAnalyzers/Core/Microsoft.CodeQuality.Analyzers/Maintainability/AvoidUninstantiatedInternalClasses.cs b/src/NetAnalyzers/Core/Microsoft.CodeQuality.Analyzers/Maintainability/AvoidUninstantiatedInternalClasses.cs index 1f6a68e9c9..ed9a33d7ed 100644 --- a/src/NetAnalyzers/Core/Microsoft.CodeQuality.Analyzers/Maintainability/AvoidUninstantiatedInternalClasses.cs +++ b/src/NetAnalyzers/Core/Microsoft.CodeQuality.Analyzers/Maintainability/AvoidUninstantiatedInternalClasses.cs @@ -32,7 +32,8 @@ public sealed class AvoidUninstantiatedInternalClassesAnalyzer : DiagnosticAnaly RuleLevel.Disabled, // Code coverage tools provide superior results when done correctly. description: s_localizableDescription, isPortedFxCopRule: true, - isDataflowRule: false); + isDataflowRule: false, + isReportedAtCompilationEnd: true); public override ImmutableArray SupportedDiagnostics => ImmutableArray.Create(Rule); diff --git a/src/NetAnalyzers/Core/Microsoft.CodeQuality.Analyzers/Maintainability/AvoidUnusedPrivateFields.cs b/src/NetAnalyzers/Core/Microsoft.CodeQuality.Analyzers/Maintainability/AvoidUnusedPrivateFields.cs index ad32f6a7b8..f4828e7f1e 100644 --- a/src/NetAnalyzers/Core/Microsoft.CodeQuality.Analyzers/Maintainability/AvoidUnusedPrivateFields.cs +++ b/src/NetAnalyzers/Core/Microsoft.CodeQuality.Analyzers/Maintainability/AvoidUnusedPrivateFields.cs @@ -31,7 +31,8 @@ public sealed class AvoidUnusedPrivateFieldsAnalyzer : DiagnosticAnalyzer RuleLevel.Disabled, // Need to figure out how to handle runtime only references. We also have an implementation in the IDE. description: s_localizableDescription, isPortedFxCopRule: true, - isDataflowRule: false); + isDataflowRule: false, + isReportedAtCompilationEnd: true); public override ImmutableArray SupportedDiagnostics => ImmutableArray.Create(Rule); diff --git a/src/NetAnalyzers/Core/Microsoft.CodeQuality.Analyzers/Maintainability/CodeMetricsAnalyzer.cs b/src/NetAnalyzers/Core/Microsoft.CodeQuality.Analyzers/Maintainability/CodeMetricsAnalyzer.cs index 450a6a73b0..86fab38243 100644 --- a/src/NetAnalyzers/Core/Microsoft.CodeQuality.Analyzers/Maintainability/CodeMetricsAnalyzer.cs +++ b/src/NetAnalyzers/Core/Microsoft.CodeQuality.Analyzers/Maintainability/CodeMetricsAnalyzer.cs @@ -114,7 +114,8 @@ public sealed class CodeMetricsAnalyzer : DiagnosticAnalyzer description: s_localizableDescriptionCA1509, isPortedFxCopRule: false, isDataflowRule: false, - isEnabledByDefaultInFxCopAnalyzers: false); + isEnabledByDefaultInFxCopAnalyzers: false, + isReportedAtCompilationEnd: true); public override ImmutableArray SupportedDiagnostics => ImmutableArray.Create(CA1501Rule, CA1502Rule, CA1505Rule, CA1506Rule, InvalidEntryInCodeMetricsConfigFileRule); diff --git a/src/NetAnalyzers/Core/Microsoft.CodeQuality.Analyzers/Maintainability/ReviewUnusedParameters.cs b/src/NetAnalyzers/Core/Microsoft.CodeQuality.Analyzers/Maintainability/ReviewUnusedParameters.cs index 21f667c164..3c4035de43 100644 --- a/src/NetAnalyzers/Core/Microsoft.CodeQuality.Analyzers/Maintainability/ReviewUnusedParameters.cs +++ b/src/NetAnalyzers/Core/Microsoft.CodeQuality.Analyzers/Maintainability/ReviewUnusedParameters.cs @@ -34,7 +34,8 @@ public sealed class ReviewUnusedParametersAnalyzer : DiagnosticAnalyzer RuleLevel.Disabled, // We have an implementation in IDE. description: s_localizableDescription, isPortedFxCopRule: true, - isDataflowRule: false); + isDataflowRule: false, + isReportedAtCompilationEnd: true); public override ImmutableArray SupportedDiagnostics => ImmutableArray.Create(Rule); diff --git a/src/NetAnalyzers/Core/Microsoft.CodeQuality.Analyzers/QualityGuidelines/MarkMembersAsStatic.cs b/src/NetAnalyzers/Core/Microsoft.CodeQuality.Analyzers/QualityGuidelines/MarkMembersAsStatic.cs index 0da42cb186..d83d8b8cff 100644 --- a/src/NetAnalyzers/Core/Microsoft.CodeQuality.Analyzers/QualityGuidelines/MarkMembersAsStatic.cs +++ b/src/NetAnalyzers/Core/Microsoft.CodeQuality.Analyzers/QualityGuidelines/MarkMembersAsStatic.cs @@ -32,7 +32,8 @@ public sealed class MarkMembersAsStaticAnalyzer : DiagnosticAnalyzer RuleLevel.IdeSuggestion, description: s_localizableDescription, isPortedFxCopRule: true, - isDataflowRule: false); + isDataflowRule: false, + isReportedAtCompilationEnd: true); public override ImmutableArray SupportedDiagnostics => ImmutableArray.Create(Rule); diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Resources/MarkAssembliesWithNeutralResourcesLanguage.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Resources/MarkAssembliesWithNeutralResourcesLanguage.cs index edfa78d426..a77d5bdf72 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Resources/MarkAssembliesWithNeutralResourcesLanguage.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Resources/MarkAssembliesWithNeutralResourcesLanguage.cs @@ -35,7 +35,8 @@ public abstract class MarkAssembliesWithNeutralResourcesLanguageAnalyzer : Diagn RuleLevel.IdeSuggestion, description: s_localizableDescription, isPortedFxCopRule: true, - isDataflowRule: false); + isDataflowRule: false, + isReportedAtCompilationEnd: true); protected abstract void RegisterAttributeAnalyzer(CompilationStartAnalysisContext context, Action onResourceFound); diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Runtime/DisposableFieldsShouldBeDisposed.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Runtime/DisposableFieldsShouldBeDisposed.cs index ea818105c3..210f9f176d 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Runtime/DisposableFieldsShouldBeDisposed.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Runtime/DisposableFieldsShouldBeDisposed.cs @@ -32,7 +32,8 @@ public sealed class DisposableFieldsShouldBeDisposed : DiagnosticAnalyzer RuleLevel.Disabled, description: s_localizableDescription, isPortedFxCopRule: true, - isDataflowRule: true); + isDataflowRule: true, + isReportedAtCompilationEnd: true); public override ImmutableArray SupportedDiagnostics => ImmutableArray.Create(Rule); diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DataSetDataTableInIFormatterSerializableObjectGraphAnalyzer.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DataSetDataTableInIFormatterSerializableObjectGraphAnalyzer.cs index 7584533272..05550c300c 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DataSetDataTableInIFormatterSerializableObjectGraphAnalyzer.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DataSetDataTableInIFormatterSerializableObjectGraphAnalyzer.cs @@ -26,7 +26,8 @@ public sealed class DataSetDataTableInIFormatterSerializableObjectGraphAnalyzer nameof(MicrosoftNetCoreAnalyzersResources.DataSetDataTableInRceDeserializableObjectGraphMessage), RuleLevel.Disabled, isPortedFxCopRule: false, - isDataflowRule: false); + isDataflowRule: false, + isReportedAtCompilationEnd: false); public override ImmutableArray SupportedDiagnostics => ImmutableArray.Create(ObjectGraphContainsDangerousTypeDescriptor); diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DataSetDataTableInSerializableObjectGraphAnalyzer.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DataSetDataTableInSerializableObjectGraphAnalyzer.cs index 0d02b9a294..ab9368326f 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DataSetDataTableInSerializableObjectGraphAnalyzer.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DataSetDataTableInSerializableObjectGraphAnalyzer.cs @@ -36,7 +36,8 @@ public sealed class DataSetDataTableInSerializableObjectGraphAnalyzer : Diagnost nameof(MicrosoftNetCoreAnalyzersResources.DataSetDataTableInDeserializableObjectGraphMessage), RuleLevel.Disabled, isPortedFxCopRule: false, - isDataflowRule: false); + isDataflowRule: false, + isReportedAtCompilationEnd: false); public override ImmutableArray SupportedDiagnostics => ImmutableArray.Create(ObjectGraphContainsDangerousTypeDescriptor); diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DataSetDataTableInSerializableTypeAnalyzer.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DataSetDataTableInSerializableTypeAnalyzer.cs index 65d9000fd7..70c731eadd 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DataSetDataTableInSerializableTypeAnalyzer.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DataSetDataTableInSerializableTypeAnalyzer.cs @@ -27,7 +27,8 @@ public sealed class DataSetDataTableInSerializableTypeAnalyzer : DiagnosticAnaly nameof(MicrosoftNetCoreAnalyzersResources.DataSetDataTableInRceSerializableTypeMessage), RuleLevel.Disabled, isPortedFxCopRule: false, - isDataflowRule: false); + isDataflowRule: false, + isReportedAtCompilationEnd: false); internal static readonly DiagnosticDescriptor SerializableContainsDangerousType = SecurityHelpers.CreateDiagnosticDescriptor( @@ -36,7 +37,8 @@ public sealed class DataSetDataTableInSerializableTypeAnalyzer : DiagnosticAnaly nameof(MicrosoftNetCoreAnalyzersResources.DataSetDataTableInSerializableTypeMessage), RuleLevel.Disabled, isPortedFxCopRule: false, - isDataflowRule: false); + isDataflowRule: false, + isReportedAtCompilationEnd: false); // Autogenerated classes for GUI apps are less likely to be serialized / deserialized with untrusted data, so // categorize with different IDs. @@ -47,7 +49,8 @@ public sealed class DataSetDataTableInSerializableTypeAnalyzer : DiagnosticAnaly nameof(MicrosoftNetCoreAnalyzersResources.DataSetDataTableInRceAutogeneratedSerializableTypeMessage), RuleLevel.Disabled, isPortedFxCopRule: false, - isDataflowRule: false); + isDataflowRule: false, + isReportedAtCompilationEnd: false); public override ImmutableArray SupportedDiagnostics => ImmutableArray.Create( diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DataSetDataTableInWebSerializableObjectGraphAnalyzer.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DataSetDataTableInWebSerializableObjectGraphAnalyzer.cs index 3f5042dcff..ccb9981068 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DataSetDataTableInWebSerializableObjectGraphAnalyzer.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DataSetDataTableInWebSerializableObjectGraphAnalyzer.cs @@ -26,7 +26,8 @@ public sealed class DataSetDataTableInWebSerializableObjectGraphAnalyzer : Diagn nameof(MicrosoftNetCoreAnalyzersResources.DataSetDataTableInWebDeserializableObjectGraphMessage), RuleLevel.Disabled, isPortedFxCopRule: false, - isDataflowRule: false); + isDataflowRule: false, + isReportedAtCompilationEnd: false); public override ImmutableArray SupportedDiagnostics => ImmutableArray.Create(ObjectGraphContainsDangerousTypeDescriptor); diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotAddArchiveItemPathToTheTargetFileSystemPath.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotAddArchiveItemPathToTheTargetFileSystemPath.cs index 6cdbb1cc38..e5dc11bcbb 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotAddArchiveItemPathToTheTargetFileSystemPath.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotAddArchiveItemPathToTheTargetFileSystemPath.cs @@ -20,6 +20,7 @@ public class DoNotAddArchiveItemPathToTheTargetFileSystemPath : SourceTriggeredT RuleLevel.Disabled, isPortedFxCopRule: false, isDataflowRule: true, + isReportedAtCompilationEnd: false, descriptionResourceStringName: nameof(MicrosoftNetCoreAnalyzersResources.DoNotAddArchiveItemPathToTheTargetFileSystemPathDescription)); protected override SinkKind SinkKind { get { return SinkKind.ZipSlip; } } diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotCallDangerousMethodsInDeserialization.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotCallDangerousMethodsInDeserialization.cs index 4d72dd0f10..1b09dc776e 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotCallDangerousMethodsInDeserialization.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotCallDangerousMethodsInDeserialization.cs @@ -49,7 +49,8 @@ public sealed class DoNotCallDangerousMethodsInDeserialization : DiagnosticAnaly RuleLevel.BuildWarning, description: s_Description, isPortedFxCopRule: false, - isDataflowRule: false); + isDataflowRule: false, + isReportedAtCompilationEnd: true); public override ImmutableArray SupportedDiagnostics => ImmutableArray.Create(Rule); diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotDisableHttpClientCRLCheck.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotDisableHttpClientCRLCheck.cs index 5b59494a05..b864f2f075 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotDisableHttpClientCRLCheck.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotDisableHttpClientCRLCheck.cs @@ -28,6 +28,7 @@ internal class DoNotDisableHttpClientCRLCheck : DiagnosticAnalyzer RuleLevel.Disabled, isPortedFxCopRule: false, isDataflowRule: true, + isReportedAtCompilationEnd: true, descriptionResourceStringName: nameof(MicrosoftNetCoreAnalyzersResources.DoNotDisableHttpClientCRLCheckDescription)); internal static DiagnosticDescriptor MaybeDisableHttpClientCRLCheckRule = SecurityHelpers.CreateDiagnosticDescriptor( "CA5400", @@ -36,6 +37,7 @@ internal class DoNotDisableHttpClientCRLCheck : DiagnosticAnalyzer RuleLevel.Disabled, isPortedFxCopRule: false, isDataflowRule: true, + isReportedAtCompilationEnd: true, descriptionResourceStringName: nameof(MicrosoftNetCoreAnalyzersResources.DoNotDisableHttpClientCRLCheckDescription)); public override ImmutableArray SupportedDiagnostics => diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotHardCodeCertificate.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotHardCodeCertificate.cs index f8fbdf3295..a31c34b3b6 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotHardCodeCertificate.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotHardCodeCertificate.cs @@ -17,6 +17,7 @@ public class DoNotHardCodeCertificate : SourceTriggeredTaintedDataAnalyzerBase RuleLevel.Disabled, isPortedFxCopRule: false, isDataflowRule: true, + isReportedAtCompilationEnd: false, descriptionResourceStringName: nameof(MicrosoftNetCoreAnalyzersResources.DoNotHardCodeCertificateDescription)); protected override SinkKind SinkKind { get { return SinkKind.HardcodedCertificate; } } diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotHardCodeEncryptionKey.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotHardCodeEncryptionKey.cs index 8880b87050..eb6a8b38fb 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotHardCodeEncryptionKey.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotHardCodeEncryptionKey.cs @@ -18,6 +18,7 @@ public class DoNotHardCodeEncryptionKey : SourceTriggeredTaintedDataAnalyzerBase RuleLevel.Disabled, isPortedFxCopRule: false, isDataflowRule: true, + isReportedAtCompilationEnd: false, descriptionResourceStringName: nameof(MicrosoftNetCoreAnalyzersResources.DoNotHardCodeEncryptionKeyDescription)); protected override SinkKind SinkKind { get { return SinkKind.HardcodedEncryptionKey; } } diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotInstallRootCert.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotInstallRootCert.cs index b33b20ed21..11156b55f8 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotInstallRootCert.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotInstallRootCert.cs @@ -30,6 +30,7 @@ public sealed class DoNotInstallRootCert : DiagnosticAnalyzer RuleLevel.Disabled, isPortedFxCopRule: false, isDataflowRule: true, + isReportedAtCompilationEnd: true, descriptionResourceStringName: nameof(MicrosoftNetCoreAnalyzersResources.DoNotInstallRootCertDescription)); internal static DiagnosticDescriptor MaybeInstallRootCertRule = SecurityHelpers.CreateDiagnosticDescriptor( "CA5381", @@ -39,6 +40,7 @@ public sealed class DoNotInstallRootCert : DiagnosticAnalyzer RuleLevel.Disabled, isPortedFxCopRule: false, isDataflowRule: true, + isReportedAtCompilationEnd: true, descriptionResourceStringName: nameof(MicrosoftNetCoreAnalyzersResources.DoNotInstallRootCertDescription)); public override ImmutableArray SupportedDiagnostics => ImmutableArray.Create( diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotSerializeTypeWithPointerFields.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotSerializeTypeWithPointerFields.cs index 369f92457d..b7a035a8bf 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotSerializeTypeWithPointerFields.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotSerializeTypeWithPointerFields.cs @@ -36,7 +36,8 @@ public sealed class DoNotSerializeTypeWithPointerFields : DiagnosticAnalyzer description: s_Description, isPortedFxCopRule: false, isDataflowRule: false, - isEnabledByDefaultInFxCopAnalyzers: false); + isEnabledByDefaultInFxCopAnalyzers: false, + isReportedAtCompilationEnd: true); public override ImmutableArray SupportedDiagnostics => ImmutableArray.Create(Rule); diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotSetSwitch.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotSetSwitch.cs index ab245a7c65..c12f626eb6 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotSetSwitch.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotSetSwitch.cs @@ -30,6 +30,7 @@ public sealed class DoNotSetSwitch : DiagnosticAnalyzer RuleLevel.Disabled, isPortedFxCopRule: false, isDataflowRule: true, + isReportedAtCompilationEnd: false, descriptionResourceStringName: nameof(MicrosoftNetCoreAnalyzersResources.DoNotDisableSchUseStrongCryptoDescription)); internal static DiagnosticDescriptor DoNotDisableSpmSecurityProtocolsRule = SecurityHelpers.CreateDiagnosticDescriptor( "CA5378", @@ -37,6 +38,7 @@ public sealed class DoNotSetSwitch : DiagnosticAnalyzer nameof(MicrosoftNetCoreAnalyzersResources.DoNotDisableUsingServicePointManagerSecurityProtocolsMessage), RuleLevel.Disabled, isPortedFxCopRule: false, + isReportedAtCompilationEnd: false, isDataflowRule: true); internal static ImmutableDictionary BadSwitches = diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseCreateEncryptorWithNonDefaultIV.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseCreateEncryptorWithNonDefaultIV.cs index a43abdf289..c141493c30 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseCreateEncryptorWithNonDefaultIV.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseCreateEncryptorWithNonDefaultIV.cs @@ -27,6 +27,7 @@ public sealed class DoNotUseCreateEncryptorWithNonDefaultIV : DiagnosticAnalyzer RuleLevel.Disabled, isPortedFxCopRule: false, isDataflowRule: true, + isReportedAtCompilationEnd: true, descriptionResourceStringName: nameof(MicrosoftNetCoreAnalyzersResources.DoNotUseCreateEncryptorWithNonDefaultIVDescription)); internal static DiagnosticDescriptor MaybeUseCreateEncryptorWithNonDefaultIVRule = SecurityHelpers.CreateDiagnosticDescriptor( "CA5402", @@ -35,6 +36,7 @@ public sealed class DoNotUseCreateEncryptorWithNonDefaultIV : DiagnosticAnalyzer RuleLevel.Disabled, isPortedFxCopRule: false, isDataflowRule: true, + isReportedAtCompilationEnd: true, descriptionResourceStringName: nameof(MicrosoftNetCoreAnalyzersResources.DoNotUseCreateEncryptorWithNonDefaultIVDescription)); public override ImmutableArray SupportedDiagnostics => ImmutableArray.Create( diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseDataSetReadXml.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseDataSetReadXml.cs index c15e5c363a..08b2fecced 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseDataSetReadXml.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseDataSetReadXml.cs @@ -23,7 +23,8 @@ internal class DoNotUseDataSetReadXml : DoNotUseInsecureDeserializerMethodsBase nameof(MicrosoftNetCoreAnalyzersResources.DataSetReadXmlMessage), RuleLevel.Disabled, isPortedFxCopRule: false, - isDataflowRule: false); + isDataflowRule: false, + isReportedAtCompilationEnd: false); internal static readonly DiagnosticDescriptor RealMethodUsedInAutogeneratedDescriptor = SecurityHelpers.CreateDiagnosticDescriptor( @@ -32,7 +33,8 @@ internal class DoNotUseDataSetReadXml : DoNotUseInsecureDeserializerMethodsBase nameof(MicrosoftNetCoreAnalyzersResources.DataSetReadXmlAutogeneratedMessage), RuleLevel.Disabled, isPortedFxCopRule: false, - isDataflowRule: false); + isDataflowRule: false, + isReportedAtCompilationEnd: false); public override ImmutableArray SupportedDiagnostics => ImmutableArray.Create(RealMethodUsedDescriptor, RealMethodUsedInAutogeneratedDescriptor); diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseDataTableReadXml.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseDataTableReadXml.cs index e1eab71a27..4411573ca3 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseDataTableReadXml.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseDataTableReadXml.cs @@ -23,7 +23,8 @@ internal class DoNotUseDataTableReadXml : DoNotUseInsecureDeserializerMethodsBas nameof(MicrosoftNetCoreAnalyzersResources.DataTableReadXmlMessage), RuleLevel.Disabled, isPortedFxCopRule: false, - isDataflowRule: false); + isDataflowRule: false, + isReportedAtCompilationEnd: false); protected override string DeserializerTypeMetadataName => WellKnownTypeNames.SystemDataDataTable; diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseDeprecatedSecurityProtocols.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseDeprecatedSecurityProtocols.cs index e146cd2033..dc2b565b4e 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseDeprecatedSecurityProtocols.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseDeprecatedSecurityProtocols.cs @@ -22,6 +22,7 @@ public sealed class DoNotUseDeprecatedSecurityProtocols : DiagnosticAnalyzer RuleLevel.BuildWarning, isPortedFxCopRule: false, isDataflowRule: false, + isReportedAtCompilationEnd: false, descriptionResourceStringName: nameof(MicrosoftNetCoreAnalyzersResources.DoNotUseDeprecatedSecurityProtocolsDescription)); internal static DiagnosticDescriptor HardCodedRule = SecurityHelpers.CreateDiagnosticDescriptor( "CA5386", @@ -30,7 +31,8 @@ public sealed class DoNotUseDeprecatedSecurityProtocols : DiagnosticAnalyzer nameof(MicrosoftNetCoreAnalyzersResources.HardCodedSecurityProtocolMessage), RuleLevel.Disabled, isPortedFxCopRule: false, - isDataflowRule: false); + isDataflowRule: false, + isReportedAtCompilationEnd: false); private readonly ImmutableHashSet HardCodedSafeProtocolMetadataNames = ImmutableHashSet.Create( StringComparer.Ordinal, diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureDeserializerBinaryFormatterMethods.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureDeserializerBinaryFormatterMethods.cs index d854a0f4b8..952984b7cc 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureDeserializerBinaryFormatterMethods.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureDeserializerBinaryFormatterMethods.cs @@ -24,6 +24,7 @@ internal class DoNotUseInsecureDeserializerBinaryFormatterMethods : DoNotUseInse RuleLevel.Disabled, isPortedFxCopRule: false, isDataflowRule: false, + isReportedAtCompilationEnd: false, descriptionResourceStringName: nameof(MicrosoftNetCoreAnalyzersResources.BinaryFormatterMethodUsedDescription)); protected override string DeserializerTypeMetadataName => diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureDeserializerBinaryFormatterWithoutBinder.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureDeserializerBinaryFormatterWithoutBinder.cs index 4f94e6d40d..fa55269fae 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureDeserializerBinaryFormatterWithoutBinder.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureDeserializerBinaryFormatterWithoutBinder.cs @@ -23,7 +23,8 @@ public class DoNotUseInsecureDeserializerBinaryFormatterWithoutBinder : DoNotUse nameof(MicrosoftNetCoreAnalyzersResources.BinaryFormatterDeserializeWithoutBinderSetMessage), RuleLevel.Disabled, isPortedFxCopRule: false, - isDataflowRule: true); + isDataflowRule: true, + isReportedAtCompilationEnd: true); internal static readonly DiagnosticDescriptor RealBinderMaybeNotSetDescriptor = SecurityHelpers.CreateDiagnosticDescriptor( "CA2302", @@ -31,7 +32,8 @@ public class DoNotUseInsecureDeserializerBinaryFormatterWithoutBinder : DoNotUse nameof(MicrosoftNetCoreAnalyzersResources.BinaryFormatterDeserializeMaybeWithoutBinderSetMessage), RuleLevel.Disabled, isPortedFxCopRule: false, - isDataflowRule: true); + isDataflowRule: true, + isReportedAtCompilationEnd: true); protected override string DeserializerTypeMetadataName => WellKnownTypeNames.SystemRuntimeSerializationFormattersBinaryBinaryFormatter; diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureDeserializerJavascriptSerializerWithSimpleTypeResolver.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureDeserializerJavascriptSerializerWithSimpleTypeResolver.cs index 3df27b25c5..5365d840e8 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureDeserializerJavascriptSerializerWithSimpleTypeResolver.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureDeserializerJavascriptSerializerWithSimpleTypeResolver.cs @@ -32,7 +32,8 @@ internal class DoNotUseInsecureDeserializerJavaScriptSerializerWithSimpleTypeRes nameof(MicrosoftNetCoreAnalyzersResources.JavaScriptSerializerWithSimpleTypeResolverMessage), RuleLevel.Disabled, isPortedFxCopRule: false, - isDataflowRule: true); + isDataflowRule: true, + isReportedAtCompilationEnd: true); internal static readonly DiagnosticDescriptor MaybeWithSimpleTypeResolver = SecurityHelpers.CreateDiagnosticDescriptor( "CA2322", @@ -40,7 +41,8 @@ internal class DoNotUseInsecureDeserializerJavaScriptSerializerWithSimpleTypeRes nameof(MicrosoftNetCoreAnalyzersResources.JavaScriptSerializerMaybeWithSimpleTypeResolverMessage), RuleLevel.Disabled, isPortedFxCopRule: false, - isDataflowRule: true); + isDataflowRule: true, + isReportedAtCompilationEnd: true); public override ImmutableArray SupportedDiagnostics => ImmutableArray.Create( diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureDeserializerJsonNetWithoutBinder.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureDeserializerJsonNetWithoutBinder.cs index ee008b98d9..a0598f3a9a 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureDeserializerJsonNetWithoutBinder.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureDeserializerJsonNetWithoutBinder.cs @@ -34,7 +34,8 @@ internal class DoNotUseInsecureDeserializerJsonNetWithoutBinder : DiagnosticAnal nameof(MicrosoftNetCoreAnalyzersResources.JsonNetInsecureSerializerMessage), RuleLevel.Disabled, isPortedFxCopRule: false, - isDataflowRule: true); + isDataflowRule: true, + isReportedAtCompilationEnd: true); internal static readonly DiagnosticDescriptor MaybeInsecureSerializer = SecurityHelpers.CreateDiagnosticDescriptor( "CA2330", @@ -42,7 +43,8 @@ internal class DoNotUseInsecureDeserializerJsonNetWithoutBinder : DiagnosticAnal nameof(MicrosoftNetCoreAnalyzersResources.JsonNetMaybeInsecureSerializerMessage), RuleLevel.Disabled, isPortedFxCopRule: false, - isDataflowRule: true); + isDataflowRule: true, + isReportedAtCompilationEnd: true); public override ImmutableArray SupportedDiagnostics => ImmutableArray.Create( diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureDeserializerLosFormatter.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureDeserializerLosFormatter.cs index 9d7390174e..2d07f1899c 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureDeserializerLosFormatter.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureDeserializerLosFormatter.cs @@ -22,7 +22,8 @@ public class DoNotUseInsecureDeserializerLosFormatter : DoNotUseInsecureDeserial nameof(MicrosoftNetCoreAnalyzersResources.LosFormatterMethodUsedMessage), RuleLevel.Disabled, isPortedFxCopRule: false, - isDataflowRule: false); + isDataflowRule: false, + isReportedAtCompilationEnd: false); protected override string DeserializerTypeMetadataName => WellKnownTypeNames.SystemWebUILosFormatter; diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureDeserializerNetDataContractSerializerMethods.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureDeserializerNetDataContractSerializerMethods.cs index ae1c77667a..607013a19f 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureDeserializerNetDataContractSerializerMethods.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureDeserializerNetDataContractSerializerMethods.cs @@ -24,6 +24,7 @@ internal class DoNotUseInsecureDeserializerNetDataContractSerializerMethods : Do RuleLevel.Disabled, isPortedFxCopRule: false, isDataflowRule: false, + isReportedAtCompilationEnd: false, descriptionResourceStringName: nameof(MicrosoftNetCoreAnalyzersResources.NetDataContractSerializerMethodUsedDescription)); protected override string DeserializerTypeMetadataName => diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureDeserializerNetDataContractSerializerWithoutBinder.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureDeserializerNetDataContractSerializerWithoutBinder.cs index b9d8dbeb46..b9c07f87b5 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureDeserializerNetDataContractSerializerWithoutBinder.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureDeserializerNetDataContractSerializerWithoutBinder.cs @@ -23,7 +23,8 @@ public class DoNotUseInsecureDeserializerNetDataContractSerializerWithoutBinder nameof(MicrosoftNetCoreAnalyzersResources.NetDataContractSerializerDeserializeWithoutBinderSetMessage), RuleLevel.Disabled, isPortedFxCopRule: false, - isDataflowRule: true); + isDataflowRule: true, + isReportedAtCompilationEnd: true); internal static readonly DiagnosticDescriptor RealBinderMaybeNotSetDescriptor = SecurityHelpers.CreateDiagnosticDescriptor( "CA2312", @@ -31,7 +32,8 @@ public class DoNotUseInsecureDeserializerNetDataContractSerializerWithoutBinder nameof(MicrosoftNetCoreAnalyzersResources.NetDataContractSerializerDeserializeMaybeWithoutBinderSetMessage), RuleLevel.Disabled, isPortedFxCopRule: false, - isDataflowRule: true); + isDataflowRule: true, + isReportedAtCompilationEnd: true); protected override string DeserializerTypeMetadataName => WellKnownTypeNames.SystemRuntimeSerializationNetDataContractSerializer; diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureDeserializerObjectStateFormatter.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureDeserializerObjectStateFormatter.cs index 6c8a90e719..14ff3345a3 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureDeserializerObjectStateFormatter.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureDeserializerObjectStateFormatter.cs @@ -22,7 +22,8 @@ public class DoNotUseInsecureDeserializerObjectStateFormatter : DoNotUseInsecure nameof(MicrosoftNetCoreAnalyzersResources.ObjectStateFormatterMethodUsedMessage), RuleLevel.Disabled, isPortedFxCopRule: false, - isDataflowRule: false); + isDataflowRule: false, + isReportedAtCompilationEnd: false); protected override string DeserializerTypeMetadataName => WellKnownTypeNames.SystemWebUIObjectStateFormatter; diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureSettingsForJsonNet.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureSettingsForJsonNet.cs index ab93dd4fd2..536e488edb 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureSettingsForJsonNet.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseInsecureSettingsForJsonNet.cs @@ -33,7 +33,8 @@ public sealed class DoNotUseInsecureSettingsForJsonNet : DiagnosticAnalyzer nameof(MicrosoftNetCoreAnalyzersResources.JsonNetInsecureSettingsMessage), RuleLevel.Disabled, isPortedFxCopRule: false, - isDataflowRule: true); + isDataflowRule: true, + isReportedAtCompilationEnd: true); internal static readonly DiagnosticDescriptor MaybeInsecureSettings = SecurityHelpers.CreateDiagnosticDescriptor( "CA2328", @@ -41,7 +42,8 @@ public sealed class DoNotUseInsecureSettingsForJsonNet : DiagnosticAnalyzer nameof(MicrosoftNetCoreAnalyzersResources.JsonNetMaybeInsecureSettingsMessage), RuleLevel.Disabled, isPortedFxCopRule: false, - isDataflowRule: true); + isDataflowRule: true, + isReportedAtCompilationEnd: true); public override ImmutableArray SupportedDiagnostics => ImmutableArray.Create( diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseWeakKDFInsufficientIterationCount.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseWeakKDFInsufficientIterationCount.cs index 8cbfc9141c..f2d73fbfb3 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseWeakKDFInsufficientIterationCount.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DoNotUseWeakKDFInsufficientIterationCount.cs @@ -30,6 +30,7 @@ public sealed class DoNotUseWeakKDFInsufficientIterationCount : DiagnosticAnalyz RuleLevel.Disabled, isPortedFxCopRule: false, isDataflowRule: true, + isReportedAtCompilationEnd: true, descriptionResourceStringName: nameof(MicrosoftNetCoreAnalyzersResources.DoNotUseWeakKDFInsufficientIterationCountDescription)); internal static DiagnosticDescriptor MaybeUseWeakKDFInsufficientIterationCountRule = SecurityHelpers.CreateDiagnosticDescriptor( "CA5388", @@ -39,6 +40,7 @@ public sealed class DoNotUseWeakKDFInsufficientIterationCount : DiagnosticAnalyz RuleLevel.Disabled, isPortedFxCopRule: false, isDataflowRule: true, + isReportedAtCompilationEnd: true, descriptionResourceStringName: nameof(MicrosoftNetCoreAnalyzersResources.DoNotUseWeakKDFInsufficientIterationCountDescription)); public override ImmutableArray SupportedDiagnostics => ImmutableArray.Create( diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/Helpers/SecurityHelpers.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/Helpers/SecurityHelpers.cs index d1c9d9cd4a..f01fc20016 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/Helpers/SecurityHelpers.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/Helpers/SecurityHelpers.cs @@ -35,6 +35,7 @@ public static DiagnosticDescriptor CreateDiagnosticDescriptor( RuleLevel ruleLevel, bool isPortedFxCopRule, bool isDataflowRule, + bool isReportedAtCompilationEnd, string? descriptionResourceStringName = null) { return CreateDiagnosticDescriptor( @@ -45,6 +46,7 @@ public static DiagnosticDescriptor CreateDiagnosticDescriptor( ruleLevel, isPortedFxCopRule, isDataflowRule, + isReportedAtCompilationEnd, descriptionResourceStringName); } @@ -68,6 +70,7 @@ public static DiagnosticDescriptor CreateDiagnosticDescriptor( RuleLevel ruleLevel, bool isPortedFxCopRule, bool isDataflowRule, + bool isReportedAtCompilationEnd, string? descriptionResourceStringName = null) { return DiagnosticDescriptorHelper.Create( @@ -79,7 +82,8 @@ public static DiagnosticDescriptor CreateDiagnosticDescriptor( descriptionResourceStringName != null ? GetResourceString(resourceSource, descriptionResourceStringName) : null, isPortedFxCopRule, isDataflowRule, - isEnabledByDefaultInFxCopAnalyzers: ruleLevel == RuleLevel.BuildWarning); + isEnabledByDefaultInFxCopAnalyzers: ruleLevel == RuleLevel.BuildWarning, + isReportedAtCompilationEnd: isReportedAtCompilationEnd); } /// diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/JsonNetTypeNameHandling.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/JsonNetTypeNameHandling.cs index 5bd03086ef..e1ea0c7ed5 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/JsonNetTypeNameHandling.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/JsonNetTypeNameHandling.cs @@ -26,6 +26,7 @@ internal class JsonNetTypeNameHandling : DiagnosticAnalyzer RuleLevel.Disabled, isPortedFxCopRule: false, isDataflowRule: false, + isReportedAtCompilationEnd: false, descriptionResourceStringName: nameof(MicrosoftNetCoreAnalyzersResources.JsonNetTypeNameHandlingDescription)); public override ImmutableArray SupportedDiagnostics => diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/PotentialReferenceCycleInDeserializedObjectGraph.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/PotentialReferenceCycleInDeserializedObjectGraph.cs index c1ca07ed37..f7353d9d03 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/PotentialReferenceCycleInDeserializedObjectGraph.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/PotentialReferenceCycleInDeserializedObjectGraph.cs @@ -37,7 +37,8 @@ public sealed class PotentialReferenceCycleInDeserializedObjectGraph : Diagnosti description: s_Description, isPortedFxCopRule: false, isDataflowRule: false, - isEnabledByDefaultInFxCopAnalyzers: false); + isEnabledByDefaultInFxCopAnalyzers: false, + isReportedAtCompilationEnd: true); public override ImmutableArray SupportedDiagnostics => ImmutableArray.Create(Rule); diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForCommandExecutionVulnerabilities.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForCommandExecutionVulnerabilities.cs index a688b49610..05c32f6641 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForCommandExecutionVulnerabilities.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForCommandExecutionVulnerabilities.cs @@ -16,7 +16,8 @@ public class ReviewCodeForCommandExecutionVulnerabilities : SourceTriggeredTaint nameof(MicrosoftNetCoreAnalyzersResources.ReviewCodeForProcessCommandInjectionVulnerabilitiesMessage), RuleLevel.Disabled, isPortedFxCopRule: false, - isDataflowRule: true); + isDataflowRule: true, + isReportedAtCompilationEnd: false); protected override SinkKind SinkKind { get { return SinkKind.ProcessCommand; } } diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForDllInjectionVulnerabilities.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForDllInjectionVulnerabilities.cs index 513887a663..f3fd7c8b3a 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForDllInjectionVulnerabilities.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForDllInjectionVulnerabilities.cs @@ -16,7 +16,8 @@ public class ReviewCodeForDllInjectionVulnerabilities : SourceTriggeredTaintedDa nameof(MicrosoftNetCoreAnalyzersResources.ReviewCodeForDllInjectionVulnerabilitiesMessage), RuleLevel.Disabled, isPortedFxCopRule: false, - isDataflowRule: true); + isDataflowRule: true, + isReportedAtCompilationEnd: false); protected override SinkKind SinkKind { get { return SinkKind.Dll; } } diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForFilePathInjectionVulnerabilities.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForFilePathInjectionVulnerabilities.cs index d0b129e906..9527dead11 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForFilePathInjectionVulnerabilities.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForFilePathInjectionVulnerabilities.cs @@ -16,7 +16,8 @@ public class ReviewCodeForFilePathInjectionVulnerabilities : SourceTriggeredTain nameof(MicrosoftNetCoreAnalyzersResources.ReviewCodeForFilePathInjectionVulnerabilitiesMessage), RuleLevel.Disabled, isPortedFxCopRule: false, - isDataflowRule: true); + isDataflowRule: true, + isReportedAtCompilationEnd: false); protected override SinkKind SinkKind => SinkKind.FilePathInjection; diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForInformationDisclosureVulnerabilities.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForInformationDisclosureVulnerabilities.cs index 4c49ea8235..cf1e21912b 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForInformationDisclosureVulnerabilities.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForInformationDisclosureVulnerabilities.cs @@ -16,7 +16,8 @@ public class ReviewCodeForInformationDisclosureVulnerabilities : SourceTriggered nameof(MicrosoftNetCoreAnalyzersResources.ReviewCodeForInformationDisclosureVulnerabilitiesMessage), RuleLevel.Disabled, isPortedFxCopRule: false, - isDataflowRule: true); + isDataflowRule: true, + isReportedAtCompilationEnd: false); protected override SinkKind SinkKind { get { return SinkKind.InformationDisclosure; } } diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForLdapInjectionVulnerabilities.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForLdapInjectionVulnerabilities.cs index 5cc208a8f6..5f3bc08e24 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForLdapInjectionVulnerabilities.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForLdapInjectionVulnerabilities.cs @@ -16,7 +16,8 @@ public class ReviewCodeForLdapInjectionVulnerabilities : SourceTriggeredTaintedD nameof(MicrosoftNetCoreAnalyzersResources.ReviewCodeForLdapInjectionVulnerabilitiesMessage), RuleLevel.Disabled, isPortedFxCopRule: false, - isDataflowRule: true); + isDataflowRule: true, + isReportedAtCompilationEnd: false); protected override SinkKind SinkKind { get { return SinkKind.Ldap; } } diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForOpenRedirectVulnerabilities.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForOpenRedirectVulnerabilities.cs index eb5d2ed485..225e29daba 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForOpenRedirectVulnerabilities.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForOpenRedirectVulnerabilities.cs @@ -16,7 +16,8 @@ public class ReviewCodeForOpenRedirectVulnerabilities : SourceTriggeredTaintedDa nameof(MicrosoftNetCoreAnalyzersResources.ReviewCodeForOpenRedirectVulnerabilitiesMessage), RuleLevel.Disabled, isPortedFxCopRule: false, - isDataflowRule: true); + isDataflowRule: true, + isReportedAtCompilationEnd: false); protected override SinkKind SinkKind { get { return SinkKind.Redirect; } } diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForRegexInjectionVulnerabilities.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForRegexInjectionVulnerabilities.cs index ab120c4a31..ab54c4dad8 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForRegexInjectionVulnerabilities.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForRegexInjectionVulnerabilities.cs @@ -16,7 +16,8 @@ public class ReviewCodeForRegexInjectionVulnerabilities : SourceTriggeredTainted nameof(MicrosoftNetCoreAnalyzersResources.ReviewCodeForRegexInjectionVulnerabilitiesMessage), RuleLevel.Disabled, isPortedFxCopRule: false, - isDataflowRule: true); + isDataflowRule: true, + isReportedAtCompilationEnd: false); protected override SinkKind SinkKind { get { return SinkKind.Regex; } } diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForSqlInjectionVulnerabilities.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForSqlInjectionVulnerabilities.cs index 4dc970707b..c4bb128f2e 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForSqlInjectionVulnerabilities.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForSqlInjectionVulnerabilities.cs @@ -16,7 +16,8 @@ public class ReviewCodeForSqlInjectionVulnerabilities : SourceTriggeredTaintedDa nameof(MicrosoftNetCoreAnalyzersResources.ReviewCodeForSqlInjectionVulnerabilitiesMessage), RuleLevel.Disabled, isPortedFxCopRule: false, - isDataflowRule: true); + isDataflowRule: true, + isReportedAtCompilationEnd: false); protected override SinkKind SinkKind { get { return SinkKind.Sql; } } diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForXPathInjectionVulnerabilities.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForXPathInjectionVulnerabilities.cs index c4677c60ef..dcea5dcfea 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForXPathInjectionVulnerabilities.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForXPathInjectionVulnerabilities.cs @@ -16,7 +16,8 @@ public class ReviewCodeForXPathInjectionVulnerabilities : SourceTriggeredTainted nameof(MicrosoftNetCoreAnalyzersResources.ReviewCodeForXPathInjectionVulnerabilitiesMessage), RuleLevel.Disabled, isPortedFxCopRule: false, - isDataflowRule: true); + isDataflowRule: true, + isReportedAtCompilationEnd: false); protected override SinkKind SinkKind { get { return SinkKind.XPath; } } diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForXamlInjectionVulnerabilities.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForXamlInjectionVulnerabilities.cs index e0887189e4..91ae7d1b36 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForXamlInjectionVulnerabilities.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForXamlInjectionVulnerabilities.cs @@ -16,7 +16,8 @@ public class ReviewCodeForXamlInjectionVulnerabilities : SourceTriggeredTaintedD nameof(MicrosoftNetCoreAnalyzersResources.ReviewCodeForXamlInjectionVulnerabilitiesMessage), RuleLevel.Disabled, isPortedFxCopRule: false, - isDataflowRule: true); + isDataflowRule: true, + isReportedAtCompilationEnd: false); protected override SinkKind SinkKind { get { return SinkKind.Xaml; } } diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForXmlInjectionVulnerabilities.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForXmlInjectionVulnerabilities.cs index f9285c5e91..bc160e7069 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForXmlInjectionVulnerabilities.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForXmlInjectionVulnerabilities.cs @@ -16,7 +16,8 @@ public class ReviewCodeForXmlInjectionVulnerabilities : SourceTriggeredTaintedDa nameof(MicrosoftNetCoreAnalyzersResources.ReviewCodeForXmlInjectionVulnerabilitiesMessage), RuleLevel.Disabled, isPortedFxCopRule: false, - isDataflowRule: true); + isDataflowRule: true, + isReportedAtCompilationEnd: false); protected override SinkKind SinkKind { get { return SinkKind.Xml; } } diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForXssVulnerabilities.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForXssVulnerabilities.cs index 5b839a6510..ed0736ea03 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForXssVulnerabilities.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/ReviewCodeForXssVulnerabilities.cs @@ -16,7 +16,8 @@ public class ReviewCodeForXssVulnerabilities : SourceTriggeredTaintedDataAnalyze nameof(MicrosoftNetCoreAnalyzersResources.ReviewCodeForXssVulnerabilitiesMessage), RuleLevel.Disabled, isPortedFxCopRule: false, - isDataflowRule: true); + isDataflowRule: true, + isReportedAtCompilationEnd: false); protected override SinkKind SinkKind { get { return SinkKind.Xss; } } diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/SetHttpOnlyForHttpCookie.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/SetHttpOnlyForHttpCookie.cs index 002c764956..e2a6a564ec 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/SetHttpOnlyForHttpCookie.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/SetHttpOnlyForHttpCookie.cs @@ -27,6 +27,7 @@ internal class SetHttpOnlyForHttpCookie : DiagnosticAnalyzer RuleLevel.Disabled, isPortedFxCopRule: false, isDataflowRule: true, + isReportedAtCompilationEnd: true, descriptionResourceStringName: nameof(MicrosoftNetCoreAnalyzersResources.SetHttpOnlyForHttpCookieDescription)); public override ImmutableArray SupportedDiagnostics => diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/SslProtocolsAnalyzer.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/SslProtocolsAnalyzer.cs index 33086a65f1..7468018783 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/SslProtocolsAnalyzer.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/SslProtocolsAnalyzer.cs @@ -22,6 +22,7 @@ public sealed class SslProtocolsAnalyzer : DiagnosticAnalyzer RuleLevel.BuildWarning, isPortedFxCopRule: false, isDataflowRule: false, + isReportedAtCompilationEnd: false, descriptionResourceStringName: nameof(MicrosoftNetCoreAnalyzersResources.DeprecatedSslProtocolsDescription)); internal static DiagnosticDescriptor HardcodedRule = SecurityHelpers.CreateDiagnosticDescriptor( "CA5398", @@ -30,6 +31,7 @@ public sealed class SslProtocolsAnalyzer : DiagnosticAnalyzer RuleLevel.Disabled, isPortedFxCopRule: false, isDataflowRule: false, + isReportedAtCompilationEnd: false, descriptionResourceStringName: nameof(MicrosoftNetCoreAnalyzersResources.HardcodedSslProtocolsDescription)); private readonly ImmutableHashSet HardcodedSslProtocolsMetadataNames = ImmutableHashSet.Create( diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/UseAutoValidateAntiforgeryToken.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/UseAutoValidateAntiforgeryToken.cs index cf714f591c..213d1555c9 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/UseAutoValidateAntiforgeryToken.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/UseAutoValidateAntiforgeryToken.cs @@ -27,6 +27,7 @@ public sealed class UseAutoValidateAntiforgeryToken : DiagnosticAnalyzer RuleLevel.Disabled, isPortedFxCopRule: false, isDataflowRule: false, + isReportedAtCompilationEnd: true, descriptionResourceStringName: nameof(MicrosoftNetCoreAnalyzersResources.UseAutoValidateAntiforgeryTokenDescription)); internal static DiagnosticDescriptor MissHttpVerbAttributeRule = SecurityHelpers.CreateDiagnosticDescriptor( "CA5395", @@ -36,6 +37,7 @@ public sealed class UseAutoValidateAntiforgeryToken : DiagnosticAnalyzer RuleLevel.Disabled, isPortedFxCopRule: false, isDataflowRule: false, + isReportedAtCompilationEnd: true, descriptionResourceStringName: nameof(MicrosoftNetCoreAnalyzersResources.MissHttpVerbAttributeDescription)); private static readonly Regex s_AntiForgeryAttributeRegex = new Regex("^[a-zA-Z]*Validate[a-zA-Z]*Anti[Ff]orgery[a-zA-Z]*Attribute$", RegexOptions.Compiled); diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/UseDefaultDllImportSearchPathsAttribute.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/UseDefaultDllImportSearchPathsAttribute.cs index 680a73ed45..9c56da828b 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/UseDefaultDllImportSearchPathsAttribute.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/UseDefaultDllImportSearchPathsAttribute.cs @@ -23,6 +23,7 @@ public sealed class UseDefaultDllImportSearchPathsAttribute : DiagnosticAnalyzer RuleLevel.Disabled, isPortedFxCopRule: false, isDataflowRule: false, + isReportedAtCompilationEnd: false, descriptionResourceStringName: nameof(MicrosoftNetCoreAnalyzersResources.UseDefaultDllImportSearchPathsAttributeDescription)); internal static DiagnosticDescriptor DoNotUseUnsafeDllImportSearchPathRule = SecurityHelpers.CreateDiagnosticDescriptor( "CA5393", @@ -31,6 +32,7 @@ public sealed class UseDefaultDllImportSearchPathsAttribute : DiagnosticAnalyzer RuleLevel.Disabled, isPortedFxCopRule: false, isDataflowRule: false, + isReportedAtCompilationEnd: false, descriptionResourceStringName: nameof(MicrosoftNetCoreAnalyzersResources.DoNotUseUnsafeDllImportSearchPathDescription)); // DllImportSearchPath.AssemblyDirectory = 2. diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/UseSecureCookiesASPNetCore.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/UseSecureCookiesASPNetCore.cs index 757b2174ab..44ed161cbb 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/UseSecureCookiesASPNetCore.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/UseSecureCookiesASPNetCore.cs @@ -28,6 +28,7 @@ public sealed class UseSecureCookiesASPNetCore : DiagnosticAnalyzer RuleLevel.Disabled, isPortedFxCopRule: false, isDataflowRule: true, + isReportedAtCompilationEnd: true, descriptionResourceStringName: nameof(MicrosoftNetCoreAnalyzersResources.UseSecureCookiesASPNetCoreDescription)); internal static DiagnosticDescriptor MaybeUseSecureCookiesASPNetCoreRule = SecurityHelpers.CreateDiagnosticDescriptor( "CA5383", @@ -37,6 +38,7 @@ public sealed class UseSecureCookiesASPNetCore : DiagnosticAnalyzer RuleLevel.Disabled, isPortedFxCopRule: false, isDataflowRule: true, + isReportedAtCompilationEnd: true, descriptionResourceStringName: nameof(MicrosoftNetCoreAnalyzersResources.UseSecureCookiesASPNetCoreDescription)); public override ImmutableArray SupportedDiagnostics => ImmutableArray.Create( diff --git a/src/PublicApiAnalyzers/Core/Analyzers/DeclarePublicApiAnalyzer.cs b/src/PublicApiAnalyzers/Core/Analyzers/DeclarePublicApiAnalyzer.cs index acebcf2b50..82b6015708 100644 --- a/src/PublicApiAnalyzers/Core/Analyzers/DeclarePublicApiAnalyzer.cs +++ b/src/PublicApiAnalyzers/Core/Analyzers/DeclarePublicApiAnalyzer.cs @@ -45,7 +45,7 @@ public sealed partial class DeclarePublicApiAnalyzer : DiagnosticAnalyzer isEnabledByDefault: true, description: PublicApiAnalyzerResources.RemoveDeletedApiDescription, helpLinkUri: "https://github.com/dotnet/roslyn-analyzers/blob/master/src/PublicApiAnalyzers/PublicApiAnalyzers.Help.md", - customTags: WellKnownDiagnosticTags.Telemetry); + customTags: WellKnownDiagnosticTagsExtensions.CompilationEndAndTelemetry); internal static readonly DiagnosticDescriptor ExposedNoninstantiableType = new DiagnosticDescriptor( id: DiagnosticIds.ExposedNoninstantiableTypeRuleId, @@ -65,7 +65,7 @@ public sealed partial class DeclarePublicApiAnalyzer : DiagnosticAnalyzer defaultSeverity: DiagnosticSeverity.Warning, isEnabledByDefault: true, helpLinkUri: "https://github.com/dotnet/roslyn-analyzers/blob/master/src/PublicApiAnalyzers/PublicApiAnalyzers.Help.md", - customTags: WellKnownDiagnosticTags.Telemetry); + customTags: WellKnownDiagnosticTagsExtensions.CompilationEndAndTelemetry); internal static readonly DiagnosticDescriptor DuplicateSymbolInApiFiles = new DiagnosticDescriptor( id: DiagnosticIds.DuplicatedSymbolInPublicApiFiles, @@ -75,7 +75,7 @@ public sealed partial class DeclarePublicApiAnalyzer : DiagnosticAnalyzer defaultSeverity: DiagnosticSeverity.Warning, isEnabledByDefault: true, helpLinkUri: "https://github.com/dotnet/roslyn-analyzers/blob/master/src/PublicApiAnalyzers/PublicApiAnalyzers.Help.md", - customTags: WellKnownDiagnosticTags.Telemetry); + customTags: WellKnownDiagnosticTagsExtensions.CompilationEndAndTelemetry); internal static readonly DiagnosticDescriptor AvoidMultipleOverloadsWithOptionalParameters = new DiagnosticDescriptor( id: DiagnosticIds.AvoidMultipleOverloadsWithOptionalParameters, diff --git a/src/Roslyn.Diagnostics.Analyzers/Core/SymbolDeclaredEventMustBeGeneratedForSourceSymbols.cs b/src/Roslyn.Diagnostics.Analyzers/Core/SymbolDeclaredEventMustBeGeneratedForSourceSymbols.cs index ef135af9fa..821ccfd449 100644 --- a/src/Roslyn.Diagnostics.Analyzers/Core/SymbolDeclaredEventMustBeGeneratedForSourceSymbols.cs +++ b/src/Roslyn.Diagnostics.Analyzers/Core/SymbolDeclaredEventMustBeGeneratedForSourceSymbols.cs @@ -28,7 +28,7 @@ public abstract class SymbolDeclaredEventAnalyzer : DiagnosticAnaly DiagnosticSeverity.Error, isEnabledByDefault: false, description: s_localizableDescription, - customTags: WellKnownDiagnosticTags.Telemetry); + customTags: WellKnownDiagnosticTagsExtensions.CompilationEndAndTelemetry); public sealed override ImmutableArray SupportedDiagnostics => ImmutableArray.Create(SymbolDeclaredEventRule); diff --git a/src/Utilities/Compiler/DiagnosticDescriptorHelper.cs b/src/Utilities/Compiler/DiagnosticDescriptorHelper.cs index 8fc3cc420e..b808cc4c8b 100644 --- a/src/Utilities/Compiler/DiagnosticDescriptorHelper.cs +++ b/src/Utilities/Compiler/DiagnosticDescriptorHelper.cs @@ -21,6 +21,7 @@ public static DiagnosticDescriptor Create( bool isPortedFxCopRule, bool isDataflowRule, bool isEnabledByDefaultInFxCopAnalyzers = true, + bool isReportedAtCompilationEnd = false, params string[] additionalCustomTags) { // PERF: Ensure that all DFA rules are disabled by default in NetAnalyzers package. @@ -35,6 +36,12 @@ public static DiagnosticDescriptor Create( var customTags = isPortedFxCopRule ? (isDataflowRule ? FxCopWellKnownDiagnosticTags.PortedFxCopDataflowRule : FxCopWellKnownDiagnosticTags.PortedFxCopRule) : (isDataflowRule ? WellKnownDiagnosticTagsExtensions.DataflowAndTelemetry : WellKnownDiagnosticTagsExtensions.Telemetry); + + if (isReportedAtCompilationEnd) + { + customTags = customTags.Concat(WellKnownDiagnosticTagsExtensions.CompilationEnd).ToArray(); + } + if (additionalCustomTags.Length > 0) { customTags = customTags.Concat(additionalCustomTags).ToArray(); diff --git a/src/Utilities/Compiler/Extensions/WellKnownDiagnosticTagsExtensions.cs b/src/Utilities/Compiler/Extensions/WellKnownDiagnosticTagsExtensions.cs index f36fd7f4c4..70ae17c2e0 100644 --- a/src/Utilities/Compiler/Extensions/WellKnownDiagnosticTagsExtensions.cs +++ b/src/Utilities/Compiler/Extensions/WellKnownDiagnosticTagsExtensions.cs @@ -5,7 +5,9 @@ namespace Microsoft.CodeAnalysis internal static class WellKnownDiagnosticTagsExtensions { public const string Dataflow = nameof(Dataflow); + public const string CompilationEnd = nameof(CompilationEnd); public static string[] DataflowAndTelemetry = new string[] { Dataflow, WellKnownDiagnosticTags.Telemetry }; public static string[] Telemetry = new string[] { WellKnownDiagnosticTags.Telemetry }; + public static string[] CompilationEndAndTelemetry = new string[] { CompilationEnd, WellKnownDiagnosticTags.Telemetry }; } } From 67520aaf8cace15b3fc9487c73ae710610716605 Mon Sep 17 00:00:00 2001 From: Manish Vasani Date: Thu, 22 Oct 2020 08:02:54 -0700 Subject: [PATCH 2/3] Run pack to update documentation file --- .../MetaCompilation.Analyzers.sarif | 2 +- .../Microsoft.CodeAnalysis.Analyzers.sarif | 11 +- ...soft.CodeAnalysis.BannedApiAnalyzers.sarif | 8 +- .../Microsoft.CodeAnalysis.FxCopAnalyzers.md | 146 +++++------ ...icrosoft.CodeAnalysis.FxCopAnalyzers.sarif | 197 ++++++++++----- ...ft.CodeAnalysis.VersionCheckAnalyzer.sarif | 2 +- .../Microsoft.CodeQuality.Analyzers.sarif | 32 ++- .../Microsoft.NetCore.Analyzers.md | 136 +++++------ .../Microsoft.NetCore.Analyzers.sarif | 159 ++++++++---- .../Microsoft.NetFramework.Analyzers.sarif | 6 +- .../Microsoft.CodeAnalysis.NetAnalyzers.md | 145 +++++------ .../Microsoft.CodeAnalysis.NetAnalyzers.sarif | 226 ++++++++++++------ ...alysis.PerformanceSensitiveAnalyzers.sarif | 4 +- ...soft.CodeAnalysis.PublicApiAnalyzers.sarif | 7 +- .../Roslyn.Diagnostics.Analyzers.sarif | 21 +- 15 files changed, 684 insertions(+), 418 deletions(-) diff --git a/src/MetaCompilation.Analyzers/MetaCompilation.Analyzers.sarif b/src/MetaCompilation.Analyzers/MetaCompilation.Analyzers.sarif index d97110ffae..374aa799b5 100644 --- a/src/MetaCompilation.Analyzers/MetaCompilation.Analyzers.sarif +++ b/src/MetaCompilation.Analyzers/MetaCompilation.Analyzers.sarif @@ -5,7 +5,7 @@ { "tool": { "name": "MetaCompilation.Analyzers", - "version": "2.9.9", + "version": "2.9.12", "language": "en-US" }, "rules": { diff --git a/src/Microsoft.CodeAnalysis.Analyzers/Microsoft.CodeAnalysis.Analyzers.sarif b/src/Microsoft.CodeAnalysis.Analyzers/Microsoft.CodeAnalysis.Analyzers.sarif index 6bf6fa0784..afde969bb2 100644 --- a/src/Microsoft.CodeAnalysis.Analyzers/Microsoft.CodeAnalysis.Analyzers.sarif +++ b/src/Microsoft.CodeAnalysis.Analyzers/Microsoft.CodeAnalysis.Analyzers.sarif @@ -5,7 +5,7 @@ { "tool": { "name": "Microsoft.CodeAnalysis.Analyzers", - "version": "2.9.9", + "version": "2.9.12", "language": "en-US" }, "rules": { @@ -146,6 +146,7 @@ "Visual Basic" ], "tags": [ + "CompilationEnd", "Telemetry" ] } @@ -200,6 +201,7 @@ "Visual Basic" ], "tags": [ + "CompilationEnd", "Telemetry" ] } @@ -236,6 +238,7 @@ "Visual Basic" ], "tags": [ + "CompilationEnd", "Telemetry" ] } @@ -299,7 +302,7 @@ { "tool": { "name": "Microsoft.CodeAnalysis.CSharp.Analyzers", - "version": "2.9.9", + "version": "2.9.12", "language": "en-US" }, "rules": { @@ -452,6 +455,7 @@ "C#" ], "tags": [ + "CompilationEnd", "Telemetry" ] } @@ -479,7 +483,7 @@ { "tool": { "name": "Microsoft.CodeAnalysis.VisualBasic.Analyzers", - "version": "2.9.9", + "version": "2.9.12", "language": "en-US" }, "rules": { @@ -615,6 +619,7 @@ "Visual Basic" ], "tags": [ + "CompilationEnd", "Telemetry" ] } diff --git a/src/Microsoft.CodeAnalysis.BannedApiAnalyzers/Microsoft.CodeAnalysis.BannedApiAnalyzers.sarif b/src/Microsoft.CodeAnalysis.BannedApiAnalyzers/Microsoft.CodeAnalysis.BannedApiAnalyzers.sarif index bc29d3a1f2..41ae125ffd 100644 --- a/src/Microsoft.CodeAnalysis.BannedApiAnalyzers/Microsoft.CodeAnalysis.BannedApiAnalyzers.sarif +++ b/src/Microsoft.CodeAnalysis.BannedApiAnalyzers/Microsoft.CodeAnalysis.BannedApiAnalyzers.sarif @@ -5,7 +5,7 @@ { "tool": { "name": "Microsoft.CodeAnalysis.BannedApiAnalyzers", - "version": "2.9.9", + "version": "2.9.12", "language": "en-US" }, "rules": { @@ -14,7 +14,7 @@ { "tool": { "name": "Microsoft.CodeAnalysis.CSharp.BannedApiAnalyzers", - "version": "2.9.9", + "version": "2.9.12", "language": "en-US" }, "rules": { @@ -50,6 +50,7 @@ "C#" ], "tags": [ + "CompilationEnd", "Telemetry" ] } @@ -76,7 +77,7 @@ { "tool": { "name": "Microsoft.CodeAnalysis.VisualBasic.BannedApiAnalyzers", - "version": "2.9.9", + "version": "2.9.12", "language": "en-US" }, "rules": { @@ -112,6 +113,7 @@ "Visual Basic" ], "tags": [ + "CompilationEnd", "Telemetry" ] } diff --git a/src/Microsoft.CodeAnalysis.FxCopAnalyzers/Microsoft.CodeAnalysis.FxCopAnalyzers.md b/src/Microsoft.CodeAnalysis.FxCopAnalyzers/Microsoft.CodeAnalysis.FxCopAnalyzers.md index 41a6ac1f3d..73c086a293 100644 --- a/src/Microsoft.CodeAnalysis.FxCopAnalyzers/Microsoft.CodeAnalysis.FxCopAnalyzers.md +++ b/src/Microsoft.CodeAnalysis.FxCopAnalyzers/Microsoft.CodeAnalysis.FxCopAnalyzers.md @@ -140,76 +140,78 @@ Sr. No. | Rule ID | Title | Category | Enabled | Severity | CodeFix | Descriptio 137 | [CA2328](https://docs.microsoft.com/visualstudio/code-quality/ca2328) | Ensure that JsonSerializerSettings are secure | Security | False | Warning | False | When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using JsonSerializerSettings, ensure TypeNameHandling.None is specified, or for values other than None, ensure a SerializationBinder is specified to restrict deserialized types. | 138 | [CA2329](https://docs.microsoft.com/visualstudio/code-quality/ca2329) | Do not deserialize with JsonSerializer using an insecure configuration | Security | False | Warning | False | When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder. | 139 | [CA2330](https://docs.microsoft.com/visualstudio/code-quality/ca2330) | Ensure that JsonSerializer has a secure configuration when deserializing | Security | False | Warning | False | When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder. | -140 | [CA2350](https://docs.microsoft.com/visualstudio/code-quality/ca2350) | Do not use insecure deserialization with DataTable.ReadXml() | Security | False | Warning | False | The method '{0}' is insecure when deserializing untrusted data. If deserializing untrusted data, replace with TBD. | -141 | [CA2351](https://docs.microsoft.com/visualstudio/code-quality/ca2351) | Do not use insecure deserialization with DataSet.ReadXml() | Security | False | Warning | False | The method '{0}' is insecure when deserializing untrusted data. If deserializing untrusted data, replace with TBD. | +140 | [CA2350](https://docs.microsoft.com/visualstudio/code-quality/ca2350) | Do not use DataTable.ReadXml() with untrusted data | Security | False | Warning | False | The method '{0}' is insecure when deserializing untrusted data | +141 | [CA2351](https://docs.microsoft.com/visualstudio/code-quality/ca2351) | Do not use DataSet.ReadXml() with untrusted data | Security | False | Warning | False | The method '{0}' is insecure when deserializing untrusted data | 142 | [CA2352](https://docs.microsoft.com/visualstudio/code-quality/ca2352) | Unsafe DataSet or DataTable in serializable type can be vulnerable to remote code execution attacks | Security | False | Warning | False | When deserializing untrusted input with an IFormatter-based serializer, deserializing a {0} object is insecure. '{1}' either is or derives from {0}. | -143 | [CA2353](https://docs.microsoft.com/visualstudio/code-quality/ca2353) | Unsafe DataSet or DataTable in serializable type | Security | False | Warning | False | When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}. | -144 | [CA2354](https://docs.microsoft.com/visualstudio/code-quality/ca2354) | Unsafe DataSet or DataTable in deserialized object graph can be vulnerable to remote code execution attacks | Security | False | Warning | False | When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}. | -145 | [CA2355](https://docs.microsoft.com/visualstudio/code-quality/ca2355) | Unsafe DataSet or DataTable type found in deserializable object graph | Security | False | Warning | False | When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}. | -146 | [CA2356](https://docs.microsoft.com/visualstudio/code-quality/ca2356) | Unsafe DataSet or DataTable type in web deserializable object graph | Security | False | Warning | False | When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}. | -147 | [CA3001](https://docs.microsoft.com/visualstudio/code-quality/ca3001) | Review code for SQL injection vulnerabilities | Security | False | Warning | False | Potential SQL injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | -148 | [CA3002](https://docs.microsoft.com/visualstudio/code-quality/ca3002) | Review code for XSS vulnerabilities | Security | False | Warning | False | Potential cross-site scripting (XSS) vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | -149 | [CA3003](https://docs.microsoft.com/visualstudio/code-quality/ca3003) | Review code for file path injection vulnerabilities | Security | False | Warning | False | Potential file path injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | -150 | [CA3004](https://docs.microsoft.com/visualstudio/code-quality/ca3004) | Review code for information disclosure vulnerabilities | Security | False | Warning | False | Potential information disclosure vulnerability was found where '{0}' in method '{1}' may contain unintended information from '{2}' in method '{3}'. | -151 | [CA3005](https://docs.microsoft.com/visualstudio/code-quality/ca3005) | Review code for LDAP injection vulnerabilities | Security | False | Warning | False | Potential LDAP injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | -152 | [CA3006](https://docs.microsoft.com/visualstudio/code-quality/ca3006) | Review code for process command injection vulnerabilities | Security | False | Warning | False | Potential process command injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | -153 | [CA3007](https://docs.microsoft.com/visualstudio/code-quality/ca3007) | Review code for open redirect vulnerabilities | Security | False | Warning | False | Potential open redirect vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | -154 | [CA3008](https://docs.microsoft.com/visualstudio/code-quality/ca3008) | Review code for XPath injection vulnerabilities | Security | False | Warning | False | Potential XPath injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | -155 | [CA3009](https://docs.microsoft.com/visualstudio/code-quality/ca3009) | Review code for XML injection vulnerabilities | Security | False | Warning | False | Potential XML injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | -156 | [CA3010](https://docs.microsoft.com/visualstudio/code-quality/ca3010) | Review code for XAML injection vulnerabilities | Security | False | Warning | False | Potential XAML injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | -157 | [CA3011](https://docs.microsoft.com/visualstudio/code-quality/ca3011) | Review code for DLL injection vulnerabilities | Security | False | Warning | False | Potential DLL injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | -158 | [CA3012](https://docs.microsoft.com/visualstudio/code-quality/ca3012) | Review code for regex injection vulnerabilities | Security | False | Warning | False | Potential regex injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | -159 | [CA3061](https://docs.microsoft.com/visualstudio/code-quality/ca3061) | Do Not Add Schema By URL | Security | True | Warning | False | This overload of XmlSchemaCollection.Add method internally enables DTD processing on the XML reader instance used, and uses UrlResolver for resolving external XML entities. The outcome is information disclosure. Content from file system or network shares for the machine processing the XML can be exposed to attacker. In addition, an attacker can use this as a DoS vector. | -160 | [CA3075](https://docs.microsoft.com/visualstudio/code-quality/ca3075) | Insecure DTD processing in XML | Security | True | Warning | False | Using XmlTextReader.Load(), creating an insecure XmlReaderSettings instance when invoking XmlReader.Create(), setting the InnerXml property of the XmlDocument and enabling DTD processing using XmlUrlResolver insecurely can lead to information disclosure. Replace it with a call to the Load() method overload that takes an XmlReader instance, use XmlReader.Create() to accept XmlReaderSettings arguments or consider explicitly setting secure values. The DataViewSettingCollectionString property of DataViewManager should always be assigned from a trusted source, the DtdProcessing property should be set to false, and the XmlResolver property should be changed to XmlSecureResolver or null.  | -161 | [CA3076](https://docs.microsoft.com/visualstudio/code-quality/ca3076) | Insecure XSLT script processing. | Security | True | Warning | False | Providing an insecure XsltSettings instance and an insecure XmlResolver instance to XslCompiledTransform.Load method is potentially unsafe as it allows processing script within XSL, which on an untrusted XSL input may lead to malicious code execution. Either replace the insecure XsltSettings argument with XsltSettings.Default or an instance that has disabled document function and script execution, or replace the XmlResolver argurment with null or an XmlSecureResolver instance. This message may be suppressed if the input is known to be from a trusted source and external resource resolution from locations that are not known in advance must be supported. | -162 | [CA3077](https://docs.microsoft.com/visualstudio/code-quality/ca3077) | Insecure Processing in API Design, XmlDocument and XmlTextReader | Security | True | Warning | False | Enabling DTD processing on all instances derived from XmlTextReader or  XmlDocument and using XmlUrlResolver for resolving external XML entities may lead to information disclosure. Ensure to set the XmlResolver property to null, create an instance of XmlSecureResolver when processing untrusted input, or use XmlReader.Create method with a secure XmlReaderSettings argument. Unless you need to enable it, ensure the DtdProcessing property is set to false.  | -163 | [CA3147](https://docs.microsoft.com/visualstudio/code-quality/ca3147) | Mark Verb Handlers With Validate Antiforgery Token | Security | True | Warning | False | Missing ValidateAntiForgeryTokenAttribute on controller action {0}. | -164 | [CA5350](https://docs.microsoft.com/visualstudio/code-quality/ca5350) | Do Not Use Weak Cryptographic Algorithms | Security | True | Warning | False | Cryptographic algorithms degrade over time as attacks become for advances to attacker get access to more computation. Depending on the type and application of this cryptographic algorithm, further degradation of the cryptographic strength of it may allow attackers to read enciphered messages, tamper with enciphered  messages, forge digital signatures, tamper with hashed content, or otherwise compromise any cryptosystem based on this algorithm. Replace encryption uses with the AES algorithm (AES-256, AES-192 and AES-128 are acceptable) with a key length greater than or equal to 128 bits. Replace hashing uses with a hashing function in the SHA-2 family, such as SHA-2 512, SHA-2 384, or SHA-2 256. | -165 | [CA5351](https://docs.microsoft.com/visualstudio/code-quality/ca5351) | Do Not Use Broken Cryptographic Algorithms | Security | True | Warning | False | An attack making it computationally feasible to break this algorithm exists. This allows attackers to break the cryptographic guarantees it is designed to provide. Depending on the type and application of this cryptographic algorithm, this may allow attackers to read enciphered messages, tamper with enciphered  messages, forge digital signatures, tamper with hashed content, or otherwise compromise any cryptosystem based on this algorithm. Replace encryption uses with the AES algorithm (AES-256, AES-192 and AES-128 are acceptable) with a key length greater than or equal to 128 bits. Replace hashing uses with a hashing function in the SHA-2 family, such as SHA512, SHA384, or SHA256. Replace digital signature uses with RSA with a key length greater than or equal to 2048-bits, or ECDSA with a key length greater than or equal to 256 bits. | -166 | [CA5358](https://docs.microsoft.com/visualstudio/code-quality/ca5358) | Review cipher mode usage with cryptography experts | Security | False | Warning | False | These cipher modes might be vulnerable to attacks. Consider using recommended modes (CBC, CTS). | -167 | [CA5359](https://docs.microsoft.com/visualstudio/code-quality/ca5359) | Do Not Disable Certificate Validation | Security | True | Warning | False | A certificate can help authenticate the identity of the server. Clients should validate the server certificate to ensure requests are sent to the intended server. If the ServerCertificateValidationCallback always returns 'true', any certificate will pass validation. | -168 | [CA5360](https://docs.microsoft.com/visualstudio/code-quality/ca5360) | Do Not Call Dangerous Methods In Deserialization | Security | True | Warning | False | Insecure Deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application, inflict a Denial-of-Service (DoS) attack, or even execute arbitrary code upon it being deserialized. It’s frequently possible for malicious users to abuse these deserialization features when the application is deserializing untrusted data which is under their control. Specifically, invoke dangerous methods in the process of deserialization. Successful insecure deserialization attacks could allow an attacker to carry out attacks such as DoS attacks, authentication bypasses, and remote code execution. | -169 | [CA5361](https://docs.microsoft.com/visualstudio/code-quality/ca5361) | Do Not Disable SChannel Use of Strong Crypto | Security | False | Warning | False | Starting with the .NET Framework 4.6, the System.Net.ServicePointManager and System.Net.Security.SslStream classes are recommeded to use new protocols. The old ones have protocol weaknesses and are not supported. Setting Switch.System.Net.DontEnableSchUseStrongCrypto with true will use the old weak crypto check and opt out of the protocol migration. | -170 | [CA5362](https://docs.microsoft.com/visualstudio/code-quality/ca5362) | Potential reference cycle in deserialized object graph | Security | False | Warning | False | Review code that processes untrusted deserialized data for handling of unexpected reference cycles. An unexpected reference cycle should not cause the code to enter an infinite loop. Otherwise, an unexpected reference cycle can allow an attacker to DOS or exhaust the memory of the process when deserializing untrusted data. | -171 | [CA5363](https://docs.microsoft.com/visualstudio/code-quality/ca5363) | Do Not Disable Request Validation | Security | True | Warning | False | Request validation is a feature in ASP.NET that examines HTTP requests and determines whether they contain potentially dangerous content. This check adds protection from markup or code in the URL query string, cookies, or posted form values that might have been added for malicious purposes. So, it is generally desirable and should be left enabled for defense in depth. | -172 | [CA5364](https://docs.microsoft.com/visualstudio/code-quality/ca5364) | Do Not Use Deprecated Security Protocols | Security | True | Warning | False | Using a deprecated security protocol rather than the system default is risky. | -173 | [CA5365](https://docs.microsoft.com/visualstudio/code-quality/ca5365) | Do Not Disable HTTP Header Checking | Security | True | Warning | False | HTTP header checking enables encoding of the carriage return and newline characters, \r and \n, that are found in response headers. This encoding can help to avoid injection attacks that exploit an application that echoes untrusted data contained by the header. | -174 | [CA5366](https://docs.microsoft.com/visualstudio/code-quality/ca5366) | Use XmlReader For DataSet Read Xml | Security | True | Warning | False | Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled. | -175 | [CA5367](https://docs.microsoft.com/visualstudio/code-quality/ca5367) | Do Not Serialize Types With Pointer Fields | Security | False | Warning | False | Pointers are not "type safe" in the sense that you cannot guarantee the correctness of the memory they point at. So, serializing types with pointer fields is dangerous, as it may allow an attacker to control the pointer. | -176 | [CA5368](https://docs.microsoft.com/visualstudio/code-quality/ca5368) | Set ViewStateUserKey For Classes Derived From Page | Security | True | Warning | False | Setting the ViewStateUserKey property can help you prevent attacks on your application by allowing you to assign an identifier to the view-state variable for individual users so that they cannot use the variable to generate an attack. Otherwise, there will be cross-site request forgery vulnerabilities. | -177 | [CA5369](https://docs.microsoft.com/visualstudio/code-quality/ca5369) | Use XmlReader For Deserialize | Security | True | Warning | False | Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled. | -178 | [CA5370](https://docs.microsoft.com/visualstudio/code-quality/ca5370) | Use XmlReader For Validating Reader | Security | True | Warning | False | Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled. | -179 | [CA5371](https://docs.microsoft.com/visualstudio/code-quality/ca5371) | Use XmlReader For Schema Read | Security | True | Warning | False | Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled. | -180 | [CA5372](https://docs.microsoft.com/visualstudio/code-quality/ca5372) | Use XmlReader For XPathDocument | Security | True | Warning | False | Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled. | -181 | [CA5373](https://docs.microsoft.com/visualstudio/code-quality/ca5373) | Do not use obsolete key derivation function | Security | True | Warning | False | Password-based key derivation should use PBKDF2 with SHA-2. Avoid using PasswordDeriveBytes since it generates a PBKDF1 key. Avoid using Rfc2898DeriveBytes.CryptDeriveKey since it doesn't use the iteration count or salt. | -182 | [CA5374](https://docs.microsoft.com/visualstudio/code-quality/ca5374) | Do Not Use XslTransform | Security | True | Warning | False | Do not use XslTransform. It does not restrict potentially dangerous external references. | -183 | [CA5375](https://docs.microsoft.com/visualstudio/code-quality/ca5375) | Do Not Use Account Shared Access Signature | Security | False | Warning | False | Shared Access Signatures(SAS) are a vital part of the security model for any application using Azure Storage, they should provide limited and safe permissions to your storage account to clients that don't have the account key. All of the operations available via a service SAS are also available via an account SAS, that is, account SAS is too powerful. So it is recommended to use Service SAS to delegate access more carefully. | -184 | [CA5376](https://docs.microsoft.com/visualstudio/code-quality/ca5376) | Use SharedAccessProtocol HttpsOnly | Security | False | Warning | False | HTTPS encrypts network traffic. Use HttpsOnly, rather than HttpOrHttps, to ensure network traffic is always encrypted to help prevent disclosure of sensitive data. | -185 | [CA5377](https://docs.microsoft.com/visualstudio/code-quality/ca5377) | Use Container Level Access Policy | Security | False | Warning | False | No access policy identifier is specified, making tokens non-revocable. | -186 | [CA5378](https://docs.microsoft.com/visualstudio/code-quality/ca5378) | Do not disable ServicePointManagerSecurityProtocols | Security | False | Warning | False | Do not set Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols to true. Setting this switch limits Windows Communication Framework (WCF) to using Transport Layer Security (TLS) 1.0, which is insecure and obsolete. | -187 | [CA5379](https://docs.microsoft.com/visualstudio/code-quality/ca5379) | Do Not Use Weak Key Derivation Function Algorithm | Security | True | Warning | False | Some implementations of the Rfc2898DeriveBytes class allow for a hash algorithm to be specified in a constructor parameter or overwritten in the HashAlgorithm property. If a hash algorithm is specified, then it should be SHA-256 or higher. | -188 | [CA5380](https://docs.microsoft.com/visualstudio/code-quality/ca5380) | Do Not Add Certificates To Root Store | Security | False | Warning | False | By default, the Trusted Root Certification Authorities certificate store is configured with a set of public CAs that has met the requirements of the Microsoft Root Certificate Program. Since all trusted root CAs can issue certificates for any domain, an attacker can pick a weak or coercible CA that you install by yourself to target for an attack – and a single vulnerable, malicious or coercible CA undermines the security of the entire system. To make matters worse, these attacks can go unnoticed quite easily. | -189 | [CA5381](https://docs.microsoft.com/visualstudio/code-quality/ca5381) | Ensure Certificates Are Not Added To Root Store | Security | False | Warning | False | By default, the Trusted Root Certification Authorities certificate store is configured with a set of public CAs that has met the requirements of the Microsoft Root Certificate Program. Since all trusted root CAs can issue certificates for any domain, an attacker can pick a weak or coercible CA that you install by yourself to target for an attack – and a single vulnerable, malicious or coercible CA undermines the security of the entire system. To make matters worse, these attacks can go unnoticed quite easily. | -190 | [CA5382](https://docs.microsoft.com/visualstudio/code-quality/ca5382) | Use Secure Cookies In ASP.Net Core | Security | False | Warning | False | Applications available over HTTPS must use secure cookies. | -191 | [CA5383](https://docs.microsoft.com/visualstudio/code-quality/ca5383) | Ensure Use Secure Cookies In ASP.Net Core | Security | False | Warning | False | Applications available over HTTPS must use secure cookies. | -192 | [CA5384](https://docs.microsoft.com/visualstudio/code-quality/ca5384) | Do Not Use Digital Signature Algorithm (DSA) | Security | True | Warning | False | DSA is too weak to use. | -193 | [CA5385](https://docs.microsoft.com/visualstudio/code-quality/ca5385) | Use Rivest–Shamir–Adleman (RSA) Algorithm With Sufficient Key Size | Security | True | Warning | False | Encryption algorithms are vulnerable to brute force attacks when too small a key size is used. | -194 | [CA5386](https://docs.microsoft.com/visualstudio/code-quality/ca5386) | Avoid hardcoding SecurityProtocolType value | Security | False | Warning | False | Avoid hardcoding SecurityProtocolType {0}, and instead use SecurityProtocolType.SystemDefault to allow the operating system to choose the best Transport Layer Security protocol to use. | -195 | [CA5387](https://docs.microsoft.com/visualstudio/code-quality/ca5387) | Do Not Use Weak Key Derivation Function With Insufficient Iteration Count | Security | False | Warning | False | When deriving cryptographic keys from user-provided inputs such as password, use sufficient iteration count (at least 100k). | -196 | [CA5388](https://docs.microsoft.com/visualstudio/code-quality/ca5388) | Ensure Sufficient Iteration Count When Using Weak Key Derivation Function | Security | False | Warning | False | When deriving cryptographic keys from user-provided inputs such as password, use sufficient iteration count (at least 100k). | -197 | [CA5389](https://docs.microsoft.com/visualstudio/code-quality/ca5389) | Do Not Add Archive Item's Path To The Target File System Path | Security | False | Warning | False | When extracting files from an archive and using the archive item's path, check if the path is safe. Archive path can be relative and can lead to file system access outside of the expected file system target path, leading to malicious config changes and remote code execution via lay-and-wait technique. | -198 | [CA5390](https://docs.microsoft.com/visualstudio/code-quality/ca5390) | Do not hard-code encryption key | Security | False | Warning | False | SymmetricAlgorithm's .Key property, or a method's rgbKey parameter, should never be a hard-coded value. | -199 | [CA5391](https://docs.microsoft.com/visualstudio/code-quality/ca5391) | Use antiforgery tokens in ASP.NET Core MVC controllers | Security | False | Warning | False | Handling a POST, PUT, PATCH, or DELETE request without validating an antiforgery token may be vulnerable to cross-site request forgery attacks. A cross-site request forgery attack can send malicious requests from an authenticated user to your ASP.NET Core MVC controller. | -200 | [CA5392](https://docs.microsoft.com/visualstudio/code-quality/ca5392) | Use DefaultDllImportSearchPaths attribute for P/Invokes | Security | False | Warning | False | By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking. | -201 | [CA5393](https://docs.microsoft.com/visualstudio/code-quality/ca5393) | Do not use unsafe DllImportSearchPath value | Security | False | Warning | False | There could be a malicious DLL in the default DLL search directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory. Use a DllImportSearchPath value that specifies an explicit search path instead. The DllImportSearchPath flags that this rule looks for can be configured in .editorconfig. | -202 | [CA5394](https://docs.microsoft.com/visualstudio/code-quality/ca5394) | Do not use insecure randomness | Security | False | Warning | False | Using a cryptographically weak pseudo-random number generator may allow an attacker to predict what security-sensitive value will be generated. Use a cryptographically strong random number generator if an unpredictable value is required, or ensure that weak pseudo-random numbers aren't used in a security-sensitive manner. | -203 | [CA5395](https://docs.microsoft.com/visualstudio/code-quality/ca5395) | Miss HttpVerb attribute for action methods | Security | False | Warning | False | All the methods that create, edit, delete, or otherwise modify data do so in the [HttpPost] overload of the method, which needs to be protected with the anti forgery attribute from request forgery. Performing a GET operation should be a safe operation that has no side effects and doesn't modify your persisted data. | -204 | [CA5396](https://docs.microsoft.com/visualstudio/code-quality/ca5396) | Set HttpOnly to true for HttpCookie | Security | False | Warning | False | As a defense in depth measure, ensure security sensitive HTTP cookies are marked as HttpOnly. This indicates web browsers should disallow scripts from accessing the cookies. Injected malicious scripts are a common way of stealing cookies. | -205 | [CA5397](https://docs.microsoft.com/visualstudio/code-quality/ca5397) | Do not use deprecated SslProtocols values | Security | True | Warning | False | Older protocol versions of Transport Layer Security (TLS) are less secure than TLS 1.2 and TLS 1.3, and are more likely to have new vulnerabilities. Avoid older protocol versions to minimize risk. | -206 | [CA5398](https://docs.microsoft.com/visualstudio/code-quality/ca5398) | Avoid hardcoded SslProtocols values | Security | False | Warning | False | Current Transport Layer Security protocol versions may become deprecated if vulnerabilities are found. Avoid hardcoding SslProtocols values to keep your application secure. Use 'None' to let the Operating System choose a version. | -207 | [CA5399](https://docs.microsoft.com/visualstudio/code-quality/ca5399) | HttpClients should enable certificate revocation list checks | Security | False | Warning | False | Using HttpClient without providing a platform specific handler (WinHttpHandler or CurlHandler or HttpClientHandler) where the CheckCertificateRevocationList property is set to true, will allow revoked certificates to be accepted by the HttpClient as valid. | -208 | [CA5400](https://docs.microsoft.com/visualstudio/code-quality/ca5400) | Ensure HttpClient certificate revocation list check is not disabled | Security | False | Warning | False | Using HttpClient without providing a platform specific handler (WinHttpHandler or CurlHandler or HttpClientHandler) where the CheckCertificateRevocationList property is set to true, will allow revoked certificates to be accepted by the HttpClient as valid. | -209 | [CA5401](https://docs.microsoft.com/visualstudio/code-quality/ca5401) | Do not use CreateEncryptor with non-default IV | Security | False | Warning | False | Symmetric encryption should always use a non-repeatable initialization vector to prevent dictionary attacks. | -210 | [CA5402](https://docs.microsoft.com/visualstudio/code-quality/ca5402) | Use CreateEncryptor with the default IV | Security | False | Warning | False | Symmetric encryption should always use a non-repeatable initialization vector to prevent dictionary attacks. | -211 | [CA5403](https://docs.microsoft.com/visualstudio/code-quality/ca5403) | Do not hard-code certificate | Security | False | Warning | False | Hard-coded certificates in source code are vulnerable to being exploited. | -212 | CA9999 | Analyzer version mismatch | Reliability | True | Warning | False | Analyzers in this package require a certain minimum version of Microsoft.CodeAnalysis to execute correctly. Refer to https://docs.microsoft.com/visualstudio/code-quality/install-fxcop-analyzers#fxcopanalyzers-package-versions to install the correct analyzer version. | +143 | [CA2353](https://docs.microsoft.com/visualstudio/code-quality/ca2353) | Unsafe DataSet or DataTable in serializable type | Security | False | Warning | False | When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0} | +144 | [CA2354](https://docs.microsoft.com/visualstudio/code-quality/ca2354) | Unsafe DataSet or DataTable in deserialized object graph can be vulnerable to remote code execution attacks | Security | False | Warning | False | When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0} | +145 | [CA2355](https://docs.microsoft.com/visualstudio/code-quality/ca2355) | Unsafe DataSet or DataTable type found in deserializable object graph | Security | False | Warning | False | When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0} | +146 | [CA2356](https://docs.microsoft.com/visualstudio/code-quality/ca2356) | Unsafe DataSet or DataTable type in web deserializable object graph | Security | False | Warning | False | When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0} | +147 | [CA2361](https://docs.microsoft.com/visualstudio/code-quality/ca2361) | Ensure autogenerated class containing DataSet.ReadXml() is not used with untrusted data | Security | False | Warning | False | The method '{0}' is insecure when deserializing untrusted data. Make sure that autogenerated class containing the '{0}' call is not deserialized with untrusted data. | +148 | [CA2362](https://docs.microsoft.com/visualstudio/code-quality/ca2362) | Unsafe DataSet or DataTable in autogenerated serializable type can be vulnerable to remote code execution attacks | Security | False | Warning | False | When deserializing untrusted input with an IFormatter-based serializer, deserializing a {0} object is insecure. '{1}' either is or derives from {0}. Ensure that the autogenerated type is never deserialized with untrusted data. | +149 | [CA3001](https://docs.microsoft.com/visualstudio/code-quality/ca3001) | Review code for SQL injection vulnerabilities | Security | False | Warning | False | Potential SQL injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | +150 | [CA3002](https://docs.microsoft.com/visualstudio/code-quality/ca3002) | Review code for XSS vulnerabilities | Security | False | Warning | False | Potential cross-site scripting (XSS) vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | +151 | [CA3003](https://docs.microsoft.com/visualstudio/code-quality/ca3003) | Review code for file path injection vulnerabilities | Security | False | Warning | False | Potential file path injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | +152 | [CA3004](https://docs.microsoft.com/visualstudio/code-quality/ca3004) | Review code for information disclosure vulnerabilities | Security | False | Warning | False | Potential information disclosure vulnerability was found where '{0}' in method '{1}' may contain unintended information from '{2}' in method '{3}'. | +153 | [CA3005](https://docs.microsoft.com/visualstudio/code-quality/ca3005) | Review code for LDAP injection vulnerabilities | Security | False | Warning | False | Potential LDAP injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | +154 | [CA3006](https://docs.microsoft.com/visualstudio/code-quality/ca3006) | Review code for process command injection vulnerabilities | Security | False | Warning | False | Potential process command injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | +155 | [CA3007](https://docs.microsoft.com/visualstudio/code-quality/ca3007) | Review code for open redirect vulnerabilities | Security | False | Warning | False | Potential open redirect vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | +156 | [CA3008](https://docs.microsoft.com/visualstudio/code-quality/ca3008) | Review code for XPath injection vulnerabilities | Security | False | Warning | False | Potential XPath injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | +157 | [CA3009](https://docs.microsoft.com/visualstudio/code-quality/ca3009) | Review code for XML injection vulnerabilities | Security | False | Warning | False | Potential XML injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | +158 | [CA3010](https://docs.microsoft.com/visualstudio/code-quality/ca3010) | Review code for XAML injection vulnerabilities | Security | False | Warning | False | Potential XAML injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | +159 | [CA3011](https://docs.microsoft.com/visualstudio/code-quality/ca3011) | Review code for DLL injection vulnerabilities | Security | False | Warning | False | Potential DLL injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | +160 | [CA3012](https://docs.microsoft.com/visualstudio/code-quality/ca3012) | Review code for regex injection vulnerabilities | Security | False | Warning | False | Potential regex injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | +161 | [CA3061](https://docs.microsoft.com/visualstudio/code-quality/ca3061) | Do Not Add Schema By URL | Security | True | Warning | False | This overload of XmlSchemaCollection.Add method internally enables DTD processing on the XML reader instance used, and uses UrlResolver for resolving external XML entities. The outcome is information disclosure. Content from file system or network shares for the machine processing the XML can be exposed to attacker. In addition, an attacker can use this as a DoS vector. | +162 | [CA3075](https://docs.microsoft.com/visualstudio/code-quality/ca3075) | Insecure DTD processing in XML | Security | True | Warning | False | Using XmlTextReader.Load(), creating an insecure XmlReaderSettings instance when invoking XmlReader.Create(), setting the InnerXml property of the XmlDocument and enabling DTD processing using XmlUrlResolver insecurely can lead to information disclosure. Replace it with a call to the Load() method overload that takes an XmlReader instance, use XmlReader.Create() to accept XmlReaderSettings arguments or consider explicitly setting secure values. The DataViewSettingCollectionString property of DataViewManager should always be assigned from a trusted source, the DtdProcessing property should be set to false, and the XmlResolver property should be changed to XmlSecureResolver or null.  | +163 | [CA3076](https://docs.microsoft.com/visualstudio/code-quality/ca3076) | Insecure XSLT script processing. | Security | True | Warning | False | Providing an insecure XsltSettings instance and an insecure XmlResolver instance to XslCompiledTransform.Load method is potentially unsafe as it allows processing script within XSL, which on an untrusted XSL input may lead to malicious code execution. Either replace the insecure XsltSettings argument with XsltSettings.Default or an instance that has disabled document function and script execution, or replace the XmlResolver argurment with null or an XmlSecureResolver instance. This message may be suppressed if the input is known to be from a trusted source and external resource resolution from locations that are not known in advance must be supported. | +164 | [CA3077](https://docs.microsoft.com/visualstudio/code-quality/ca3077) | Insecure Processing in API Design, XmlDocument and XmlTextReader | Security | True | Warning | False | Enabling DTD processing on all instances derived from XmlTextReader or  XmlDocument and using XmlUrlResolver for resolving external XML entities may lead to information disclosure. Ensure to set the XmlResolver property to null, create an instance of XmlSecureResolver when processing untrusted input, or use XmlReader.Create method with a secure XmlReaderSettings argument. Unless you need to enable it, ensure the DtdProcessing property is set to false.  | +165 | [CA3147](https://docs.microsoft.com/visualstudio/code-quality/ca3147) | Mark Verb Handlers With Validate Antiforgery Token | Security | True | Warning | False | Missing ValidateAntiForgeryTokenAttribute on controller action {0}. | +166 | [CA5350](https://docs.microsoft.com/visualstudio/code-quality/ca5350) | Do Not Use Weak Cryptographic Algorithms | Security | True | Warning | False | Cryptographic algorithms degrade over time as attacks become for advances to attacker get access to more computation. Depending on the type and application of this cryptographic algorithm, further degradation of the cryptographic strength of it may allow attackers to read enciphered messages, tamper with enciphered  messages, forge digital signatures, tamper with hashed content, or otherwise compromise any cryptosystem based on this algorithm. Replace encryption uses with the AES algorithm (AES-256, AES-192 and AES-128 are acceptable) with a key length greater than or equal to 128 bits. Replace hashing uses with a hashing function in the SHA-2 family, such as SHA-2 512, SHA-2 384, or SHA-2 256. | +167 | [CA5351](https://docs.microsoft.com/visualstudio/code-quality/ca5351) | Do Not Use Broken Cryptographic Algorithms | Security | True | Warning | False | An attack making it computationally feasible to break this algorithm exists. This allows attackers to break the cryptographic guarantees it is designed to provide. Depending on the type and application of this cryptographic algorithm, this may allow attackers to read enciphered messages, tamper with enciphered  messages, forge digital signatures, tamper with hashed content, or otherwise compromise any cryptosystem based on this algorithm. Replace encryption uses with the AES algorithm (AES-256, AES-192 and AES-128 are acceptable) with a key length greater than or equal to 128 bits. Replace hashing uses with a hashing function in the SHA-2 family, such as SHA512, SHA384, or SHA256. Replace digital signature uses with RSA with a key length greater than or equal to 2048-bits, or ECDSA with a key length greater than or equal to 256 bits. | +168 | [CA5358](https://docs.microsoft.com/visualstudio/code-quality/ca5358) | Review cipher mode usage with cryptography experts | Security | False | Warning | False | These cipher modes might be vulnerable to attacks. Consider using recommended modes (CBC, CTS). | +169 | [CA5359](https://docs.microsoft.com/visualstudio/code-quality/ca5359) | Do Not Disable Certificate Validation | Security | True | Warning | False | A certificate can help authenticate the identity of the server. Clients should validate the server certificate to ensure requests are sent to the intended server. If the ServerCertificateValidationCallback always returns 'true', any certificate will pass validation. | +170 | [CA5360](https://docs.microsoft.com/visualstudio/code-quality/ca5360) | Do Not Call Dangerous Methods In Deserialization | Security | True | Warning | False | Insecure Deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application, inflict a Denial-of-Service (DoS) attack, or even execute arbitrary code upon it being deserialized. It’s frequently possible for malicious users to abuse these deserialization features when the application is deserializing untrusted data which is under their control. Specifically, invoke dangerous methods in the process of deserialization. Successful insecure deserialization attacks could allow an attacker to carry out attacks such as DoS attacks, authentication bypasses, and remote code execution. | +171 | [CA5361](https://docs.microsoft.com/visualstudio/code-quality/ca5361) | Do Not Disable SChannel Use of Strong Crypto | Security | False | Warning | False | Starting with the .NET Framework 4.6, the System.Net.ServicePointManager and System.Net.Security.SslStream classes are recommeded to use new protocols. The old ones have protocol weaknesses and are not supported. Setting Switch.System.Net.DontEnableSchUseStrongCrypto with true will use the old weak crypto check and opt out of the protocol migration. | +172 | [CA5362](https://docs.microsoft.com/visualstudio/code-quality/ca5362) | Potential reference cycle in deserialized object graph | Security | False | Warning | False | Review code that processes untrusted deserialized data for handling of unexpected reference cycles. An unexpected reference cycle should not cause the code to enter an infinite loop. Otherwise, an unexpected reference cycle can allow an attacker to DOS or exhaust the memory of the process when deserializing untrusted data. | +173 | [CA5363](https://docs.microsoft.com/visualstudio/code-quality/ca5363) | Do Not Disable Request Validation | Security | True | Warning | False | Request validation is a feature in ASP.NET that examines HTTP requests and determines whether they contain potentially dangerous content. This check adds protection from markup or code in the URL query string, cookies, or posted form values that might have been added for malicious purposes. So, it is generally desirable and should be left enabled for defense in depth. | +174 | [CA5364](https://docs.microsoft.com/visualstudio/code-quality/ca5364) | Do Not Use Deprecated Security Protocols | Security | True | Warning | False | Using a deprecated security protocol rather than the system default is risky. | +175 | [CA5365](https://docs.microsoft.com/visualstudio/code-quality/ca5365) | Do Not Disable HTTP Header Checking | Security | True | Warning | False | HTTP header checking enables encoding of the carriage return and newline characters, \r and \n, that are found in response headers. This encoding can help to avoid injection attacks that exploit an application that echoes untrusted data contained by the header. | +176 | [CA5366](https://docs.microsoft.com/visualstudio/code-quality/ca5366) | Use XmlReader for 'DataSet.ReadXml()' | Security | True | Warning | False | Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled. | +177 | [CA5367](https://docs.microsoft.com/visualstudio/code-quality/ca5367) | Do Not Serialize Types With Pointer Fields | Security | False | Warning | False | Pointers are not "type safe" in the sense that you cannot guarantee the correctness of the memory they point at. So, serializing types with pointer fields is dangerous, as it may allow an attacker to control the pointer. | +178 | [CA5368](https://docs.microsoft.com/visualstudio/code-quality/ca5368) | Set ViewStateUserKey For Classes Derived From Page | Security | True | Warning | False | Setting the ViewStateUserKey property can help you prevent attacks on your application by allowing you to assign an identifier to the view-state variable for individual users so that they cannot use the variable to generate an attack. Otherwise, there will be cross-site request forgery vulnerabilities. | +179 | [CA5369](https://docs.microsoft.com/visualstudio/code-quality/ca5369) | Use XmlReader for 'XmlSerializer.Deserialize()' | Security | True | Warning | False | Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled. | +180 | [CA5370](https://docs.microsoft.com/visualstudio/code-quality/ca5370) | Use XmlReader for XmlValidatingReader constructor | Security | True | Warning | False | Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled. | +181 | [CA5371](https://docs.microsoft.com/visualstudio/code-quality/ca5371) | Use XmlReader for 'XmlSchema.Read()' | Security | True | Warning | False | Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled. | +182 | [CA5372](https://docs.microsoft.com/visualstudio/code-quality/ca5372) | Use XmlReader for XPathDocument constructor | Security | True | Warning | False | Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled. | +183 | [CA5373](https://docs.microsoft.com/visualstudio/code-quality/ca5373) | Do not use obsolete key derivation function | Security | True | Warning | False | Password-based key derivation should use PBKDF2 with SHA-2. Avoid using PasswordDeriveBytes since it generates a PBKDF1 key. Avoid using Rfc2898DeriveBytes.CryptDeriveKey since it doesn't use the iteration count or salt. | +184 | [CA5374](https://docs.microsoft.com/visualstudio/code-quality/ca5374) | Do Not Use XslTransform | Security | True | Warning | False | Do not use XslTransform. It does not restrict potentially dangerous external references. | +185 | [CA5375](https://docs.microsoft.com/visualstudio/code-quality/ca5375) | Do Not Use Account Shared Access Signature | Security | False | Warning | False | Shared Access Signatures(SAS) are a vital part of the security model for any application using Azure Storage, they should provide limited and safe permissions to your storage account to clients that don't have the account key. All of the operations available via a service SAS are also available via an account SAS, that is, account SAS is too powerful. So it is recommended to use Service SAS to delegate access more carefully. | +186 | [CA5376](https://docs.microsoft.com/visualstudio/code-quality/ca5376) | Use SharedAccessProtocol HttpsOnly | Security | False | Warning | False | HTTPS encrypts network traffic. Use HttpsOnly, rather than HttpOrHttps, to ensure network traffic is always encrypted to help prevent disclosure of sensitive data. | +187 | [CA5377](https://docs.microsoft.com/visualstudio/code-quality/ca5377) | Use Container Level Access Policy | Security | False | Warning | False | No access policy identifier is specified, making tokens non-revocable. | +188 | [CA5378](https://docs.microsoft.com/visualstudio/code-quality/ca5378) | Do not disable ServicePointManagerSecurityProtocols | Security | False | Warning | False | Do not set Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols to true. Setting this switch limits Windows Communication Framework (WCF) to using Transport Layer Security (TLS) 1.0, which is insecure and obsolete. | +189 | [CA5379](https://docs.microsoft.com/visualstudio/code-quality/ca5379) | Ensure Key Derivation Function algorithm is sufficiently strong | Security | True | Warning | False | Some implementations of the Rfc2898DeriveBytes class allow for a hash algorithm to be specified in a constructor parameter or overwritten in the HashAlgorithm property. If a hash algorithm is specified, then it should be SHA-256 or higher. | +190 | [CA5380](https://docs.microsoft.com/visualstudio/code-quality/ca5380) | Do Not Add Certificates To Root Store | Security | False | Warning | False | By default, the Trusted Root Certification Authorities certificate store is configured with a set of public CAs that has met the requirements of the Microsoft Root Certificate Program. Since all trusted root CAs can issue certificates for any domain, an attacker can pick a weak or coercible CA that you install by yourself to target for an attack – and a single vulnerable, malicious or coercible CA undermines the security of the entire system. To make matters worse, these attacks can go unnoticed quite easily. | +191 | [CA5381](https://docs.microsoft.com/visualstudio/code-quality/ca5381) | Ensure Certificates Are Not Added To Root Store | Security | False | Warning | False | By default, the Trusted Root Certification Authorities certificate store is configured with a set of public CAs that has met the requirements of the Microsoft Root Certificate Program. Since all trusted root CAs can issue certificates for any domain, an attacker can pick a weak or coercible CA that you install by yourself to target for an attack – and a single vulnerable, malicious or coercible CA undermines the security of the entire system. To make matters worse, these attacks can go unnoticed quite easily. | +192 | [CA5382](https://docs.microsoft.com/visualstudio/code-quality/ca5382) | Use Secure Cookies In ASP.Net Core | Security | False | Warning | False | Applications available over HTTPS must use secure cookies. | +193 | [CA5383](https://docs.microsoft.com/visualstudio/code-quality/ca5383) | Ensure Use Secure Cookies In ASP.Net Core | Security | False | Warning | False | Applications available over HTTPS must use secure cookies. | +194 | [CA5384](https://docs.microsoft.com/visualstudio/code-quality/ca5384) | Do Not Use Digital Signature Algorithm (DSA) | Security | True | Warning | False | DSA is too weak to use. | +195 | [CA5385](https://docs.microsoft.com/visualstudio/code-quality/ca5385) | Use Rivest–Shamir–Adleman (RSA) Algorithm With Sufficient Key Size | Security | True | Warning | False | Encryption algorithms are vulnerable to brute force attacks when too small a key size is used. | +196 | [CA5386](https://docs.microsoft.com/visualstudio/code-quality/ca5386) | Avoid hardcoding SecurityProtocolType value | Security | False | Warning | False | Avoid hardcoding SecurityProtocolType {0}, and instead use SecurityProtocolType.SystemDefault to allow the operating system to choose the best Transport Layer Security protocol to use. | +197 | [CA5387](https://docs.microsoft.com/visualstudio/code-quality/ca5387) | Do Not Use Weak Key Derivation Function With Insufficient Iteration Count | Security | False | Warning | False | When deriving cryptographic keys from user-provided inputs such as password, use sufficient iteration count (at least 100k). | +198 | [CA5388](https://docs.microsoft.com/visualstudio/code-quality/ca5388) | Ensure Sufficient Iteration Count When Using Weak Key Derivation Function | Security | False | Warning | False | When deriving cryptographic keys from user-provided inputs such as password, use sufficient iteration count (at least 100k). | +199 | [CA5389](https://docs.microsoft.com/visualstudio/code-quality/ca5389) | Do Not Add Archive Item's Path To The Target File System Path | Security | False | Warning | False | When extracting files from an archive and using the archive item's path, check if the path is safe. Archive path can be relative and can lead to file system access outside of the expected file system target path, leading to malicious config changes and remote code execution via lay-and-wait technique. | +200 | [CA5390](https://docs.microsoft.com/visualstudio/code-quality/ca5390) | Do not hard-code encryption key | Security | False | Warning | False | SymmetricAlgorithm's .Key property, or a method's rgbKey parameter, should never be a hard-coded value. | +201 | [CA5391](https://docs.microsoft.com/visualstudio/code-quality/ca5391) | Use antiforgery tokens in ASP.NET Core MVC controllers | Security | False | Warning | False | Handling a POST, PUT, PATCH, or DELETE request without validating an antiforgery token may be vulnerable to cross-site request forgery attacks. A cross-site request forgery attack can send malicious requests from an authenticated user to your ASP.NET Core MVC controller. | +202 | [CA5392](https://docs.microsoft.com/visualstudio/code-quality/ca5392) | Use DefaultDllImportSearchPaths attribute for P/Invokes | Security | False | Warning | False | By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking. | +203 | [CA5393](https://docs.microsoft.com/visualstudio/code-quality/ca5393) | Do not use unsafe DllImportSearchPath value | Security | False | Warning | False | There could be a malicious DLL in the default DLL search directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory. Use a DllImportSearchPath value that specifies an explicit search path instead. The DllImportSearchPath flags that this rule looks for can be configured in .editorconfig. | +204 | [CA5394](https://docs.microsoft.com/visualstudio/code-quality/ca5394) | Do not use insecure randomness | Security | False | Warning | False | Using a cryptographically weak pseudo-random number generator may allow an attacker to predict what security-sensitive value will be generated. Use a cryptographically strong random number generator if an unpredictable value is required, or ensure that weak pseudo-random numbers aren't used in a security-sensitive manner. | +205 | [CA5395](https://docs.microsoft.com/visualstudio/code-quality/ca5395) | Miss HttpVerb attribute for action methods | Security | False | Warning | False | All the methods that create, edit, delete, or otherwise modify data do so in the [HttpPost] overload of the method, which needs to be protected with the anti forgery attribute from request forgery. Performing a GET operation should be a safe operation that has no side effects and doesn't modify your persisted data. | +206 | [CA5396](https://docs.microsoft.com/visualstudio/code-quality/ca5396) | Set HttpOnly to true for HttpCookie | Security | False | Warning | False | As a defense in depth measure, ensure security sensitive HTTP cookies are marked as HttpOnly. This indicates web browsers should disallow scripts from accessing the cookies. Injected malicious scripts are a common way of stealing cookies. | +207 | [CA5397](https://docs.microsoft.com/visualstudio/code-quality/ca5397) | Do not use deprecated SslProtocols values | Security | True | Warning | False | Older protocol versions of Transport Layer Security (TLS) are less secure than TLS 1.2 and TLS 1.3, and are more likely to have new vulnerabilities. Avoid older protocol versions to minimize risk. | +208 | [CA5398](https://docs.microsoft.com/visualstudio/code-quality/ca5398) | Avoid hardcoded SslProtocols values | Security | False | Warning | False | Current Transport Layer Security protocol versions may become deprecated if vulnerabilities are found. Avoid hardcoding SslProtocols values to keep your application secure. Use 'None' to let the Operating System choose a version. | +209 | [CA5399](https://docs.microsoft.com/visualstudio/code-quality/ca5399) | HttpClients should enable certificate revocation list checks | Security | False | Warning | False | Using HttpClient without providing a platform specific handler (WinHttpHandler or CurlHandler or HttpClientHandler) where the CheckCertificateRevocationList property is set to true, will allow revoked certificates to be accepted by the HttpClient as valid. | +210 | [CA5400](https://docs.microsoft.com/visualstudio/code-quality/ca5400) | Ensure HttpClient certificate revocation list check is not disabled | Security | False | Warning | False | Using HttpClient without providing a platform specific handler (WinHttpHandler or CurlHandler or HttpClientHandler) where the CheckCertificateRevocationList property is set to true, will allow revoked certificates to be accepted by the HttpClient as valid. | +211 | [CA5401](https://docs.microsoft.com/visualstudio/code-quality/ca5401) | Do not use CreateEncryptor with non-default IV | Security | False | Warning | False | Symmetric encryption should always use a non-repeatable initialization vector to prevent dictionary attacks. | +212 | [CA5402](https://docs.microsoft.com/visualstudio/code-quality/ca5402) | Use CreateEncryptor with the default IV | Security | False | Warning | False | Symmetric encryption should always use a non-repeatable initialization vector to prevent dictionary attacks. | +213 | [CA5403](https://docs.microsoft.com/visualstudio/code-quality/ca5403) | Do not hard-code certificate | Security | False | Warning | False | Hard-coded certificates in source code are vulnerable to being exploited. | +214 | CA9999 | Analyzer version mismatch | Reliability | True | Warning | False | Analyzers in this package require a certain minimum version of Microsoft.CodeAnalysis to execute correctly. Refer to https://docs.microsoft.com/visualstudio/code-quality/install-fxcop-analyzers#fxcopanalyzers-package-versions to install the correct analyzer version. | diff --git a/src/Microsoft.CodeAnalysis.FxCopAnalyzers/Microsoft.CodeAnalysis.FxCopAnalyzers.sarif b/src/Microsoft.CodeAnalysis.FxCopAnalyzers/Microsoft.CodeAnalysis.FxCopAnalyzers.sarif index dabaec2179..9adab9808f 100644 --- a/src/Microsoft.CodeAnalysis.FxCopAnalyzers/Microsoft.CodeAnalysis.FxCopAnalyzers.sarif +++ b/src/Microsoft.CodeAnalysis.FxCopAnalyzers/Microsoft.CodeAnalysis.FxCopAnalyzers.sarif @@ -5,7 +5,7 @@ { "tool": { "name": "Microsoft.CodeAnalysis.VersionCheckAnalyzer", - "version": "2.9.10", + "version": "2.9.12", "language": "en-US" }, "rules": { @@ -29,7 +29,7 @@ { "tool": { "name": "Microsoft.CodeQuality.Analyzers", - "version": "2.9.10", + "version": "2.9.12", "language": "en-US" }, "rules": { @@ -130,7 +130,8 @@ ], "tags": [ "PortedFromFxCop", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -170,7 +171,8 @@ ], "tags": [ "PortedFromFxCop", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -827,7 +829,8 @@ "Visual Basic" ], "tags": [ - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -1067,7 +1070,8 @@ ], "tags": [ "PortedFromFxCop", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -1107,7 +1111,8 @@ ], "tags": [ "PortedFromFxCop", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -1167,7 +1172,8 @@ ], "tags": [ "PortedFromFxCop", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -1247,7 +1253,8 @@ ], "tags": [ "PortedFromFxCop", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -1267,7 +1274,8 @@ ], "tags": [ "PortedFromFxCop", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -1530,7 +1538,7 @@ { "tool": { "name": "Microsoft.CodeQuality.CSharp.Analyzers", - "version": "2.9.10", + "version": "2.9.12", "language": "en-US" }, "rules": { @@ -1727,7 +1735,7 @@ { "tool": { "name": "Microsoft.CodeQuality.VisualBasic.Analyzers", - "version": "2.9.10", + "version": "2.9.12", "language": "en-US" }, "rules": { @@ -1962,7 +1970,7 @@ { "tool": { "name": "Microsoft.NetCore.Analyzers", - "version": "2.9.10", + "version": "2.9.12", "language": "en-US" }, "rules": { @@ -2380,7 +2388,8 @@ "tags": [ "PortedFromFxCop", "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -2559,7 +2568,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -2579,7 +2589,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -2637,7 +2648,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -2657,7 +2669,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -2696,7 +2709,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -2716,7 +2730,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -2755,7 +2770,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -2775,7 +2791,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -2795,7 +2812,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -2815,14 +2833,15 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, "CA2350": { "id": "CA2350", - "shortDescription": "Do not use insecure deserialization with DataTable.ReadXml()", - "fullDescription": "The method '{0}' is insecure when deserializing untrusted data. If deserializing untrusted data, replace with TBD.", + "shortDescription": "Do not use DataTable.ReadXml() with untrusted data", + "fullDescription": "The method '{0}' is insecure when deserializing untrusted data", "defaultLevel": "warning", "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca2350", "properties": { @@ -2840,8 +2859,8 @@ }, "CA2351": { "id": "CA2351", - "shortDescription": "Do not use insecure deserialization with DataSet.ReadXml()", - "fullDescription": "The method '{0}' is insecure when deserializing untrusted data. If deserializing untrusted data, replace with TBD.", + "shortDescription": "Do not use DataSet.ReadXml() with untrusted data", + "fullDescription": "The method '{0}' is insecure when deserializing untrusted data", "defaultLevel": "warning", "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca2351", "properties": { @@ -2879,7 +2898,7 @@ "CA2353": { "id": "CA2353", "shortDescription": "Unsafe DataSet or DataTable in serializable type", - "fullDescription": "When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}.", + "fullDescription": "When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}", "defaultLevel": "warning", "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca2353", "properties": { @@ -2898,7 +2917,7 @@ "CA2354": { "id": "CA2354", "shortDescription": "Unsafe DataSet or DataTable in deserialized object graph can be vulnerable to remote code execution attacks", - "fullDescription": "When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}.", + "fullDescription": "When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}", "defaultLevel": "warning", "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca2354", "properties": { @@ -2917,7 +2936,7 @@ "CA2355": { "id": "CA2355", "shortDescription": "Unsafe DataSet or DataTable type found in deserializable object graph", - "fullDescription": "When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}.", + "fullDescription": "When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}", "defaultLevel": "warning", "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca2355", "properties": { @@ -2936,7 +2955,7 @@ "CA2356": { "id": "CA2356", "shortDescription": "Unsafe DataSet or DataTable type in web deserializable object graph", - "fullDescription": "When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}.", + "fullDescription": "When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}", "defaultLevel": "warning", "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca2356", "properties": { @@ -2952,6 +2971,44 @@ ] } }, + "CA2361": { + "id": "CA2361", + "shortDescription": "Ensure autogenerated class containing DataSet.ReadXml() is not used with untrusted data", + "fullDescription": "The method '{0}' is insecure when deserializing untrusted data. Make sure that autogenerated class containing the '{0}' call is not deserialized with untrusted data.", + "defaultLevel": "warning", + "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca2361", + "properties": { + "category": "Security", + "isEnabledByDefault": false, + "typeName": "DoNotUseDataSetReadXml", + "languages": [ + "C#", + "Visual Basic" + ], + "tags": [ + "Telemetry" + ] + } + }, + "CA2362": { + "id": "CA2362", + "shortDescription": "Unsafe DataSet or DataTable in autogenerated serializable type can be vulnerable to remote code execution attacks", + "fullDescription": "When deserializing untrusted input with an IFormatter-based serializer, deserializing a {0} object is insecure. '{1}' either is or derives from {0}. Ensure that the autogenerated type is never deserialized with untrusted data.", + "defaultLevel": "warning", + "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca2362", + "properties": { + "category": "Security", + "isEnabledByDefault": false, + "typeName": "DataSetDataTableInSerializableTypeAnalyzer", + "languages": [ + "C#", + "Visual Basic" + ], + "tags": [ + "Telemetry" + ] + } + }, "CA3001": { "id": "CA3001", "shortDescription": "Review code for SQL injection vulnerabilities", @@ -3302,7 +3359,8 @@ "Visual Basic" ], "tags": [ - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -3341,7 +3399,8 @@ "Visual Basic" ], "tags": [ - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -3404,7 +3463,7 @@ }, "CA5366": { "id": "CA5366", - "shortDescription": "Use XmlReader For DataSet Read Xml", + "shortDescription": "Use XmlReader for 'DataSet.ReadXml()'", "fullDescription": "Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled.", "defaultLevel": "warning", "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca5366", @@ -3436,7 +3495,8 @@ "Visual Basic" ], "tags": [ - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -3461,7 +3521,7 @@ }, "CA5369": { "id": "CA5369", - "shortDescription": "Use XmlReader For Deserialize", + "shortDescription": "Use XmlReader for 'XmlSerializer.Deserialize()'", "fullDescription": "Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled.", "defaultLevel": "warning", "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca5369", @@ -3480,7 +3540,7 @@ }, "CA5370": { "id": "CA5370", - "shortDescription": "Use XmlReader For Validating Reader", + "shortDescription": "Use XmlReader for XmlValidatingReader constructor", "fullDescription": "Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled.", "defaultLevel": "warning", "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca5370", @@ -3499,7 +3559,7 @@ }, "CA5371": { "id": "CA5371", - "shortDescription": "Use XmlReader For Schema Read", + "shortDescription": "Use XmlReader for 'XmlSchema.Read()'", "fullDescription": "Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled.", "defaultLevel": "warning", "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca5371", @@ -3518,7 +3578,7 @@ }, "CA5372": { "id": "CA5372", - "shortDescription": "Use XmlReader For XPathDocument", + "shortDescription": "Use XmlReader for XPathDocument constructor", "fullDescription": "Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled.", "defaultLevel": "warning", "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca5372", @@ -3654,7 +3714,7 @@ }, "CA5379": { "id": "CA5379", - "shortDescription": "Do Not Use Weak Key Derivation Function Algorithm", + "shortDescription": "Ensure Key Derivation Function algorithm is sufficiently strong", "fullDescription": "Some implementations of the Rfc2898DeriveBytes class allow for a hash algorithm to be specified in a constructor parameter or overwritten in the HashAlgorithm property. If a hash algorithm is specified, then it should be SHA-256 or higher.", "defaultLevel": "warning", "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca5379", @@ -3687,7 +3747,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -3707,7 +3768,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -3727,7 +3789,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -3747,7 +3810,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -3824,7 +3888,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -3844,7 +3909,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -3903,7 +3969,8 @@ "Visual Basic" ], "tags": [ - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -3979,7 +4046,8 @@ "Visual Basic" ], "tags": [ - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -3999,7 +4067,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -4057,7 +4126,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -4077,7 +4147,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -4097,7 +4168,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -4117,7 +4189,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -4146,7 +4219,7 @@ { "tool": { "name": "Microsoft.NetCore.CSharp.Analyzers", - "version": "2.9.10", + "version": "2.9.12", "language": "en-US" }, "rules": { @@ -4203,7 +4276,8 @@ ], "tags": [ "PortedFromFxCop", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -4285,7 +4359,7 @@ { "tool": { "name": "Microsoft.NetCore.VisualBasic.Analyzers", - "version": "2.9.10", + "version": "2.9.12", "language": "en-US" }, "rules": { @@ -4342,7 +4416,8 @@ ], "tags": [ "PortedFromFxCop", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -4424,7 +4499,7 @@ { "tool": { "name": "Microsoft.NetFramework.Analyzers", - "version": "2.9.10", + "version": "2.9.12", "language": "en-US" }, "rules": { @@ -4510,7 +4585,7 @@ { "tool": { "name": "Microsoft.NetFramework.CSharp.Analyzers", - "version": "2.9.10", + "version": "2.9.12", "language": "en-US" }, "rules": { @@ -4555,7 +4630,7 @@ { "tool": { "name": "Microsoft.NetFramework.VisualBasic.Analyzers", - "version": "2.9.10", + "version": "2.9.12", "language": "en-US" }, "rules": { diff --git a/src/Microsoft.CodeAnalysis.VersionCheckAnalyzer/Microsoft.CodeAnalysis.VersionCheckAnalyzer.sarif b/src/Microsoft.CodeAnalysis.VersionCheckAnalyzer/Microsoft.CodeAnalysis.VersionCheckAnalyzer.sarif index c747453a7b..1f90fab3ca 100644 --- a/src/Microsoft.CodeAnalysis.VersionCheckAnalyzer/Microsoft.CodeAnalysis.VersionCheckAnalyzer.sarif +++ b/src/Microsoft.CodeAnalysis.VersionCheckAnalyzer/Microsoft.CodeAnalysis.VersionCheckAnalyzer.sarif @@ -5,7 +5,7 @@ { "tool": { "name": "Microsoft.CodeAnalysis.VersionCheckAnalyzer", - "version": "2.9.10", + "version": "2.9.12", "language": "en-US" }, "rules": { diff --git a/src/Microsoft.CodeQuality.Analyzers/Microsoft.CodeQuality.Analyzers.sarif b/src/Microsoft.CodeQuality.Analyzers/Microsoft.CodeQuality.Analyzers.sarif index 3a3010c8a6..1df2e32d04 100644 --- a/src/Microsoft.CodeQuality.Analyzers/Microsoft.CodeQuality.Analyzers.sarif +++ b/src/Microsoft.CodeQuality.Analyzers/Microsoft.CodeQuality.Analyzers.sarif @@ -5,7 +5,7 @@ { "tool": { "name": "Humanizer", - "version": "2.9.10", + "version": "2.9.12", "language": "en-US" }, "rules": { @@ -14,7 +14,7 @@ { "tool": { "name": "Microsoft.CodeQuality.Analyzers", - "version": "2.9.10", + "version": "2.9.12", "language": "en-US" }, "rules": { @@ -115,7 +115,8 @@ ], "tags": [ "PortedFromFxCop", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -155,7 +156,8 @@ ], "tags": [ "PortedFromFxCop", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -812,7 +814,8 @@ "Visual Basic" ], "tags": [ - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -1052,7 +1055,8 @@ ], "tags": [ "PortedFromFxCop", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -1092,7 +1096,8 @@ ], "tags": [ "PortedFromFxCop", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -1152,7 +1157,8 @@ ], "tags": [ "PortedFromFxCop", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -1232,7 +1238,8 @@ ], "tags": [ "PortedFromFxCop", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -1252,7 +1259,8 @@ ], "tags": [ "PortedFromFxCop", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -1515,7 +1523,7 @@ { "tool": { "name": "Microsoft.CodeQuality.CSharp.Analyzers", - "version": "2.9.10", + "version": "2.9.12", "language": "en-US" }, "rules": { @@ -1712,7 +1720,7 @@ { "tool": { "name": "Microsoft.CodeQuality.VisualBasic.Analyzers", - "version": "2.9.10", + "version": "2.9.12", "language": "en-US" }, "rules": { diff --git a/src/Microsoft.NetCore.Analyzers/Microsoft.NetCore.Analyzers.md b/src/Microsoft.NetCore.Analyzers/Microsoft.NetCore.Analyzers.md index 87ece2670f..dec2a0aab1 100644 --- a/src/Microsoft.NetCore.Analyzers/Microsoft.NetCore.Analyzers.md +++ b/src/Microsoft.NetCore.Analyzers/Microsoft.NetCore.Analyzers.md @@ -51,71 +51,73 @@ Sr. No. | Rule ID | Title | Category | Enabled | Severity | CodeFix | Descriptio 48 | [CA2328](https://docs.microsoft.com/visualstudio/code-quality/ca2328) | Ensure that JsonSerializerSettings are secure | Security | False | Warning | False | When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using JsonSerializerSettings, ensure TypeNameHandling.None is specified, or for values other than None, ensure a SerializationBinder is specified to restrict deserialized types. | 49 | [CA2329](https://docs.microsoft.com/visualstudio/code-quality/ca2329) | Do not deserialize with JsonSerializer using an insecure configuration | Security | False | Warning | False | When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder. | 50 | [CA2330](https://docs.microsoft.com/visualstudio/code-quality/ca2330) | Ensure that JsonSerializer has a secure configuration when deserializing | Security | False | Warning | False | When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder. | -51 | [CA2350](https://docs.microsoft.com/visualstudio/code-quality/ca2350) | Do not use insecure deserialization with DataTable.ReadXml() | Security | False | Warning | False | The method '{0}' is insecure when deserializing untrusted data. If deserializing untrusted data, replace with TBD. | -52 | [CA2351](https://docs.microsoft.com/visualstudio/code-quality/ca2351) | Do not use insecure deserialization with DataSet.ReadXml() | Security | False | Warning | False | The method '{0}' is insecure when deserializing untrusted data. If deserializing untrusted data, replace with TBD. | +51 | [CA2350](https://docs.microsoft.com/visualstudio/code-quality/ca2350) | Do not use DataTable.ReadXml() with untrusted data | Security | False | Warning | False | The method '{0}' is insecure when deserializing untrusted data | +52 | [CA2351](https://docs.microsoft.com/visualstudio/code-quality/ca2351) | Do not use DataSet.ReadXml() with untrusted data | Security | False | Warning | False | The method '{0}' is insecure when deserializing untrusted data | 53 | [CA2352](https://docs.microsoft.com/visualstudio/code-quality/ca2352) | Unsafe DataSet or DataTable in serializable type can be vulnerable to remote code execution attacks | Security | False | Warning | False | When deserializing untrusted input with an IFormatter-based serializer, deserializing a {0} object is insecure. '{1}' either is or derives from {0}. | -54 | [CA2353](https://docs.microsoft.com/visualstudio/code-quality/ca2353) | Unsafe DataSet or DataTable in serializable type | Security | False | Warning | False | When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}. | -55 | [CA2354](https://docs.microsoft.com/visualstudio/code-quality/ca2354) | Unsafe DataSet or DataTable in deserialized object graph can be vulnerable to remote code execution attacks | Security | False | Warning | False | When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}. | -56 | [CA2355](https://docs.microsoft.com/visualstudio/code-quality/ca2355) | Unsafe DataSet or DataTable type found in deserializable object graph | Security | False | Warning | False | When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}. | -57 | [CA2356](https://docs.microsoft.com/visualstudio/code-quality/ca2356) | Unsafe DataSet or DataTable type in web deserializable object graph | Security | False | Warning | False | When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}. | -58 | [CA3001](https://docs.microsoft.com/visualstudio/code-quality/ca3001) | Review code for SQL injection vulnerabilities | Security | False | Warning | False | Potential SQL injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | -59 | [CA3002](https://docs.microsoft.com/visualstudio/code-quality/ca3002) | Review code for XSS vulnerabilities | Security | False | Warning | False | Potential cross-site scripting (XSS) vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | -60 | [CA3003](https://docs.microsoft.com/visualstudio/code-quality/ca3003) | Review code for file path injection vulnerabilities | Security | False | Warning | False | Potential file path injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | -61 | [CA3004](https://docs.microsoft.com/visualstudio/code-quality/ca3004) | Review code for information disclosure vulnerabilities | Security | False | Warning | False | Potential information disclosure vulnerability was found where '{0}' in method '{1}' may contain unintended information from '{2}' in method '{3}'. | -62 | [CA3005](https://docs.microsoft.com/visualstudio/code-quality/ca3005) | Review code for LDAP injection vulnerabilities | Security | False | Warning | False | Potential LDAP injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | -63 | [CA3006](https://docs.microsoft.com/visualstudio/code-quality/ca3006) | Review code for process command injection vulnerabilities | Security | False | Warning | False | Potential process command injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | -64 | [CA3007](https://docs.microsoft.com/visualstudio/code-quality/ca3007) | Review code for open redirect vulnerabilities | Security | False | Warning | False | Potential open redirect vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | -65 | [CA3008](https://docs.microsoft.com/visualstudio/code-quality/ca3008) | Review code for XPath injection vulnerabilities | Security | False | Warning | False | Potential XPath injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | -66 | [CA3009](https://docs.microsoft.com/visualstudio/code-quality/ca3009) | Review code for XML injection vulnerabilities | Security | False | Warning | False | Potential XML injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | -67 | [CA3010](https://docs.microsoft.com/visualstudio/code-quality/ca3010) | Review code for XAML injection vulnerabilities | Security | False | Warning | False | Potential XAML injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | -68 | [CA3011](https://docs.microsoft.com/visualstudio/code-quality/ca3011) | Review code for DLL injection vulnerabilities | Security | False | Warning | False | Potential DLL injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | -69 | [CA3012](https://docs.microsoft.com/visualstudio/code-quality/ca3012) | Review code for regex injection vulnerabilities | Security | False | Warning | False | Potential regex injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | -70 | [CA3061](https://docs.microsoft.com/visualstudio/code-quality/ca3061) | Do Not Add Schema By URL | Security | True | Warning | False | This overload of XmlSchemaCollection.Add method internally enables DTD processing on the XML reader instance used, and uses UrlResolver for resolving external XML entities. The outcome is information disclosure. Content from file system or network shares for the machine processing the XML can be exposed to attacker. In addition, an attacker can use this as a DoS vector. | -71 | [CA5350](https://docs.microsoft.com/visualstudio/code-quality/ca5350) | Do Not Use Weak Cryptographic Algorithms | Security | True | Warning | False | Cryptographic algorithms degrade over time as attacks become for advances to attacker get access to more computation. Depending on the type and application of this cryptographic algorithm, further degradation of the cryptographic strength of it may allow attackers to read enciphered messages, tamper with enciphered  messages, forge digital signatures, tamper with hashed content, or otherwise compromise any cryptosystem based on this algorithm. Replace encryption uses with the AES algorithm (AES-256, AES-192 and AES-128 are acceptable) with a key length greater than or equal to 128 bits. Replace hashing uses with a hashing function in the SHA-2 family, such as SHA-2 512, SHA-2 384, or SHA-2 256. | -72 | [CA5351](https://docs.microsoft.com/visualstudio/code-quality/ca5351) | Do Not Use Broken Cryptographic Algorithms | Security | True | Warning | False | An attack making it computationally feasible to break this algorithm exists. This allows attackers to break the cryptographic guarantees it is designed to provide. Depending on the type and application of this cryptographic algorithm, this may allow attackers to read enciphered messages, tamper with enciphered  messages, forge digital signatures, tamper with hashed content, or otherwise compromise any cryptosystem based on this algorithm. Replace encryption uses with the AES algorithm (AES-256, AES-192 and AES-128 are acceptable) with a key length greater than or equal to 128 bits. Replace hashing uses with a hashing function in the SHA-2 family, such as SHA512, SHA384, or SHA256. Replace digital signature uses with RSA with a key length greater than or equal to 2048-bits, or ECDSA with a key length greater than or equal to 256 bits. | -73 | [CA5358](https://docs.microsoft.com/visualstudio/code-quality/ca5358) | Review cipher mode usage with cryptography experts | Security | False | Warning | False | These cipher modes might be vulnerable to attacks. Consider using recommended modes (CBC, CTS). | -74 | [CA5359](https://docs.microsoft.com/visualstudio/code-quality/ca5359) | Do Not Disable Certificate Validation | Security | True | Warning | False | A certificate can help authenticate the identity of the server. Clients should validate the server certificate to ensure requests are sent to the intended server. If the ServerCertificateValidationCallback always returns 'true', any certificate will pass validation. | -75 | [CA5360](https://docs.microsoft.com/visualstudio/code-quality/ca5360) | Do Not Call Dangerous Methods In Deserialization | Security | True | Warning | False | Insecure Deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application, inflict a Denial-of-Service (DoS) attack, or even execute arbitrary code upon it being deserialized. It’s frequently possible for malicious users to abuse these deserialization features when the application is deserializing untrusted data which is under their control. Specifically, invoke dangerous methods in the process of deserialization. Successful insecure deserialization attacks could allow an attacker to carry out attacks such as DoS attacks, authentication bypasses, and remote code execution. | -76 | [CA5361](https://docs.microsoft.com/visualstudio/code-quality/ca5361) | Do Not Disable SChannel Use of Strong Crypto | Security | False | Warning | False | Starting with the .NET Framework 4.6, the System.Net.ServicePointManager and System.Net.Security.SslStream classes are recommeded to use new protocols. The old ones have protocol weaknesses and are not supported. Setting Switch.System.Net.DontEnableSchUseStrongCrypto with true will use the old weak crypto check and opt out of the protocol migration. | -77 | [CA5362](https://docs.microsoft.com/visualstudio/code-quality/ca5362) | Potential reference cycle in deserialized object graph | Security | False | Warning | False | Review code that processes untrusted deserialized data for handling of unexpected reference cycles. An unexpected reference cycle should not cause the code to enter an infinite loop. Otherwise, an unexpected reference cycle can allow an attacker to DOS or exhaust the memory of the process when deserializing untrusted data. | -78 | [CA5363](https://docs.microsoft.com/visualstudio/code-quality/ca5363) | Do Not Disable Request Validation | Security | True | Warning | False | Request validation is a feature in ASP.NET that examines HTTP requests and determines whether they contain potentially dangerous content. This check adds protection from markup or code in the URL query string, cookies, or posted form values that might have been added for malicious purposes. So, it is generally desirable and should be left enabled for defense in depth. | -79 | [CA5364](https://docs.microsoft.com/visualstudio/code-quality/ca5364) | Do Not Use Deprecated Security Protocols | Security | True | Warning | False | Using a deprecated security protocol rather than the system default is risky. | -80 | [CA5365](https://docs.microsoft.com/visualstudio/code-quality/ca5365) | Do Not Disable HTTP Header Checking | Security | True | Warning | False | HTTP header checking enables encoding of the carriage return and newline characters, \r and \n, that are found in response headers. This encoding can help to avoid injection attacks that exploit an application that echoes untrusted data contained by the header. | -81 | [CA5366](https://docs.microsoft.com/visualstudio/code-quality/ca5366) | Use XmlReader For DataSet Read Xml | Security | True | Warning | False | Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled. | -82 | [CA5367](https://docs.microsoft.com/visualstudio/code-quality/ca5367) | Do Not Serialize Types With Pointer Fields | Security | False | Warning | False | Pointers are not "type safe" in the sense that you cannot guarantee the correctness of the memory they point at. So, serializing types with pointer fields is dangerous, as it may allow an attacker to control the pointer. | -83 | [CA5368](https://docs.microsoft.com/visualstudio/code-quality/ca5368) | Set ViewStateUserKey For Classes Derived From Page | Security | True | Warning | False | Setting the ViewStateUserKey property can help you prevent attacks on your application by allowing you to assign an identifier to the view-state variable for individual users so that they cannot use the variable to generate an attack. Otherwise, there will be cross-site request forgery vulnerabilities. | -84 | [CA5369](https://docs.microsoft.com/visualstudio/code-quality/ca5369) | Use XmlReader For Deserialize | Security | True | Warning | False | Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled. | -85 | [CA5370](https://docs.microsoft.com/visualstudio/code-quality/ca5370) | Use XmlReader For Validating Reader | Security | True | Warning | False | Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled. | -86 | [CA5371](https://docs.microsoft.com/visualstudio/code-quality/ca5371) | Use XmlReader For Schema Read | Security | True | Warning | False | Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled. | -87 | [CA5372](https://docs.microsoft.com/visualstudio/code-quality/ca5372) | Use XmlReader For XPathDocument | Security | True | Warning | False | Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled. | -88 | [CA5373](https://docs.microsoft.com/visualstudio/code-quality/ca5373) | Do not use obsolete key derivation function | Security | True | Warning | False | Password-based key derivation should use PBKDF2 with SHA-2. Avoid using PasswordDeriveBytes since it generates a PBKDF1 key. Avoid using Rfc2898DeriveBytes.CryptDeriveKey since it doesn't use the iteration count or salt. | -89 | [CA5374](https://docs.microsoft.com/visualstudio/code-quality/ca5374) | Do Not Use XslTransform | Security | True | Warning | False | Do not use XslTransform. It does not restrict potentially dangerous external references. | -90 | [CA5375](https://docs.microsoft.com/visualstudio/code-quality/ca5375) | Do Not Use Account Shared Access Signature | Security | False | Warning | False | Shared Access Signatures(SAS) are a vital part of the security model for any application using Azure Storage, they should provide limited and safe permissions to your storage account to clients that don't have the account key. All of the operations available via a service SAS are also available via an account SAS, that is, account SAS is too powerful. So it is recommended to use Service SAS to delegate access more carefully. | -91 | [CA5376](https://docs.microsoft.com/visualstudio/code-quality/ca5376) | Use SharedAccessProtocol HttpsOnly | Security | False | Warning | False | HTTPS encrypts network traffic. Use HttpsOnly, rather than HttpOrHttps, to ensure network traffic is always encrypted to help prevent disclosure of sensitive data. | -92 | [CA5377](https://docs.microsoft.com/visualstudio/code-quality/ca5377) | Use Container Level Access Policy | Security | False | Warning | False | No access policy identifier is specified, making tokens non-revocable. | -93 | [CA5378](https://docs.microsoft.com/visualstudio/code-quality/ca5378) | Do not disable ServicePointManagerSecurityProtocols | Security | False | Warning | False | Do not set Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols to true. Setting this switch limits Windows Communication Framework (WCF) to using Transport Layer Security (TLS) 1.0, which is insecure and obsolete. | -94 | [CA5379](https://docs.microsoft.com/visualstudio/code-quality/ca5379) | Do Not Use Weak Key Derivation Function Algorithm | Security | True | Warning | False | Some implementations of the Rfc2898DeriveBytes class allow for a hash algorithm to be specified in a constructor parameter or overwritten in the HashAlgorithm property. If a hash algorithm is specified, then it should be SHA-256 or higher. | -95 | [CA5380](https://docs.microsoft.com/visualstudio/code-quality/ca5380) | Do Not Add Certificates To Root Store | Security | False | Warning | False | By default, the Trusted Root Certification Authorities certificate store is configured with a set of public CAs that has met the requirements of the Microsoft Root Certificate Program. Since all trusted root CAs can issue certificates for any domain, an attacker can pick a weak or coercible CA that you install by yourself to target for an attack – and a single vulnerable, malicious or coercible CA undermines the security of the entire system. To make matters worse, these attacks can go unnoticed quite easily. | -96 | [CA5381](https://docs.microsoft.com/visualstudio/code-quality/ca5381) | Ensure Certificates Are Not Added To Root Store | Security | False | Warning | False | By default, the Trusted Root Certification Authorities certificate store is configured with a set of public CAs that has met the requirements of the Microsoft Root Certificate Program. Since all trusted root CAs can issue certificates for any domain, an attacker can pick a weak or coercible CA that you install by yourself to target for an attack – and a single vulnerable, malicious or coercible CA undermines the security of the entire system. To make matters worse, these attacks can go unnoticed quite easily. | -97 | [CA5382](https://docs.microsoft.com/visualstudio/code-quality/ca5382) | Use Secure Cookies In ASP.Net Core | Security | False | Warning | False | Applications available over HTTPS must use secure cookies. | -98 | [CA5383](https://docs.microsoft.com/visualstudio/code-quality/ca5383) | Ensure Use Secure Cookies In ASP.Net Core | Security | False | Warning | False | Applications available over HTTPS must use secure cookies. | -99 | [CA5384](https://docs.microsoft.com/visualstudio/code-quality/ca5384) | Do Not Use Digital Signature Algorithm (DSA) | Security | True | Warning | False | DSA is too weak to use. | -100 | [CA5385](https://docs.microsoft.com/visualstudio/code-quality/ca5385) | Use Rivest–Shamir–Adleman (RSA) Algorithm With Sufficient Key Size | Security | True | Warning | False | Encryption algorithms are vulnerable to brute force attacks when too small a key size is used. | -101 | [CA5386](https://docs.microsoft.com/visualstudio/code-quality/ca5386) | Avoid hardcoding SecurityProtocolType value | Security | False | Warning | False | Avoid hardcoding SecurityProtocolType {0}, and instead use SecurityProtocolType.SystemDefault to allow the operating system to choose the best Transport Layer Security protocol to use. | -102 | [CA5387](https://docs.microsoft.com/visualstudio/code-quality/ca5387) | Do Not Use Weak Key Derivation Function With Insufficient Iteration Count | Security | False | Warning | False | When deriving cryptographic keys from user-provided inputs such as password, use sufficient iteration count (at least 100k). | -103 | [CA5388](https://docs.microsoft.com/visualstudio/code-quality/ca5388) | Ensure Sufficient Iteration Count When Using Weak Key Derivation Function | Security | False | Warning | False | When deriving cryptographic keys from user-provided inputs such as password, use sufficient iteration count (at least 100k). | -104 | [CA5389](https://docs.microsoft.com/visualstudio/code-quality/ca5389) | Do Not Add Archive Item's Path To The Target File System Path | Security | False | Warning | False | When extracting files from an archive and using the archive item's path, check if the path is safe. Archive path can be relative and can lead to file system access outside of the expected file system target path, leading to malicious config changes and remote code execution via lay-and-wait technique. | -105 | [CA5390](https://docs.microsoft.com/visualstudio/code-quality/ca5390) | Do not hard-code encryption key | Security | False | Warning | False | SymmetricAlgorithm's .Key property, or a method's rgbKey parameter, should never be a hard-coded value. | -106 | [CA5391](https://docs.microsoft.com/visualstudio/code-quality/ca5391) | Use antiforgery tokens in ASP.NET Core MVC controllers | Security | False | Warning | False | Handling a POST, PUT, PATCH, or DELETE request without validating an antiforgery token may be vulnerable to cross-site request forgery attacks. A cross-site request forgery attack can send malicious requests from an authenticated user to your ASP.NET Core MVC controller. | -107 | [CA5392](https://docs.microsoft.com/visualstudio/code-quality/ca5392) | Use DefaultDllImportSearchPaths attribute for P/Invokes | Security | False | Warning | False | By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking. | -108 | [CA5393](https://docs.microsoft.com/visualstudio/code-quality/ca5393) | Do not use unsafe DllImportSearchPath value | Security | False | Warning | False | There could be a malicious DLL in the default DLL search directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory. Use a DllImportSearchPath value that specifies an explicit search path instead. The DllImportSearchPath flags that this rule looks for can be configured in .editorconfig. | -109 | [CA5394](https://docs.microsoft.com/visualstudio/code-quality/ca5394) | Do not use insecure randomness | Security | False | Warning | False | Using a cryptographically weak pseudo-random number generator may allow an attacker to predict what security-sensitive value will be generated. Use a cryptographically strong random number generator if an unpredictable value is required, or ensure that weak pseudo-random numbers aren't used in a security-sensitive manner. | -110 | [CA5395](https://docs.microsoft.com/visualstudio/code-quality/ca5395) | Miss HttpVerb attribute for action methods | Security | False | Warning | False | All the methods that create, edit, delete, or otherwise modify data do so in the [HttpPost] overload of the method, which needs to be protected with the anti forgery attribute from request forgery. Performing a GET operation should be a safe operation that has no side effects and doesn't modify your persisted data. | -111 | [CA5396](https://docs.microsoft.com/visualstudio/code-quality/ca5396) | Set HttpOnly to true for HttpCookie | Security | False | Warning | False | As a defense in depth measure, ensure security sensitive HTTP cookies are marked as HttpOnly. This indicates web browsers should disallow scripts from accessing the cookies. Injected malicious scripts are a common way of stealing cookies. | -112 | [CA5397](https://docs.microsoft.com/visualstudio/code-quality/ca5397) | Do not use deprecated SslProtocols values | Security | True | Warning | False | Older protocol versions of Transport Layer Security (TLS) are less secure than TLS 1.2 and TLS 1.3, and are more likely to have new vulnerabilities. Avoid older protocol versions to minimize risk. | -113 | [CA5398](https://docs.microsoft.com/visualstudio/code-quality/ca5398) | Avoid hardcoded SslProtocols values | Security | False | Warning | False | Current Transport Layer Security protocol versions may become deprecated if vulnerabilities are found. Avoid hardcoding SslProtocols values to keep your application secure. Use 'None' to let the Operating System choose a version. | -114 | [CA5399](https://docs.microsoft.com/visualstudio/code-quality/ca5399) | HttpClients should enable certificate revocation list checks | Security | False | Warning | False | Using HttpClient without providing a platform specific handler (WinHttpHandler or CurlHandler or HttpClientHandler) where the CheckCertificateRevocationList property is set to true, will allow revoked certificates to be accepted by the HttpClient as valid. | -115 | [CA5400](https://docs.microsoft.com/visualstudio/code-quality/ca5400) | Ensure HttpClient certificate revocation list check is not disabled | Security | False | Warning | False | Using HttpClient without providing a platform specific handler (WinHttpHandler or CurlHandler or HttpClientHandler) where the CheckCertificateRevocationList property is set to true, will allow revoked certificates to be accepted by the HttpClient as valid. | -116 | [CA5401](https://docs.microsoft.com/visualstudio/code-quality/ca5401) | Do not use CreateEncryptor with non-default IV | Security | False | Warning | False | Symmetric encryption should always use a non-repeatable initialization vector to prevent dictionary attacks. | -117 | [CA5402](https://docs.microsoft.com/visualstudio/code-quality/ca5402) | Use CreateEncryptor with the default IV | Security | False | Warning | False | Symmetric encryption should always use a non-repeatable initialization vector to prevent dictionary attacks. | -118 | [CA5403](https://docs.microsoft.com/visualstudio/code-quality/ca5403) | Do not hard-code certificate | Security | False | Warning | False | Hard-coded certificates in source code are vulnerable to being exploited. | +54 | [CA2353](https://docs.microsoft.com/visualstudio/code-quality/ca2353) | Unsafe DataSet or DataTable in serializable type | Security | False | Warning | False | When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0} | +55 | [CA2354](https://docs.microsoft.com/visualstudio/code-quality/ca2354) | Unsafe DataSet or DataTable in deserialized object graph can be vulnerable to remote code execution attacks | Security | False | Warning | False | When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0} | +56 | [CA2355](https://docs.microsoft.com/visualstudio/code-quality/ca2355) | Unsafe DataSet or DataTable type found in deserializable object graph | Security | False | Warning | False | When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0} | +57 | [CA2356](https://docs.microsoft.com/visualstudio/code-quality/ca2356) | Unsafe DataSet or DataTable type in web deserializable object graph | Security | False | Warning | False | When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0} | +58 | [CA2361](https://docs.microsoft.com/visualstudio/code-quality/ca2361) | Ensure autogenerated class containing DataSet.ReadXml() is not used with untrusted data | Security | False | Warning | False | The method '{0}' is insecure when deserializing untrusted data. Make sure that autogenerated class containing the '{0}' call is not deserialized with untrusted data. | +59 | [CA2362](https://docs.microsoft.com/visualstudio/code-quality/ca2362) | Unsafe DataSet or DataTable in autogenerated serializable type can be vulnerable to remote code execution attacks | Security | False | Warning | False | When deserializing untrusted input with an IFormatter-based serializer, deserializing a {0} object is insecure. '{1}' either is or derives from {0}. Ensure that the autogenerated type is never deserialized with untrusted data. | +60 | [CA3001](https://docs.microsoft.com/visualstudio/code-quality/ca3001) | Review code for SQL injection vulnerabilities | Security | False | Warning | False | Potential SQL injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | +61 | [CA3002](https://docs.microsoft.com/visualstudio/code-quality/ca3002) | Review code for XSS vulnerabilities | Security | False | Warning | False | Potential cross-site scripting (XSS) vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | +62 | [CA3003](https://docs.microsoft.com/visualstudio/code-quality/ca3003) | Review code for file path injection vulnerabilities | Security | False | Warning | False | Potential file path injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | +63 | [CA3004](https://docs.microsoft.com/visualstudio/code-quality/ca3004) | Review code for information disclosure vulnerabilities | Security | False | Warning | False | Potential information disclosure vulnerability was found where '{0}' in method '{1}' may contain unintended information from '{2}' in method '{3}'. | +64 | [CA3005](https://docs.microsoft.com/visualstudio/code-quality/ca3005) | Review code for LDAP injection vulnerabilities | Security | False | Warning | False | Potential LDAP injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | +65 | [CA3006](https://docs.microsoft.com/visualstudio/code-quality/ca3006) | Review code for process command injection vulnerabilities | Security | False | Warning | False | Potential process command injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | +66 | [CA3007](https://docs.microsoft.com/visualstudio/code-quality/ca3007) | Review code for open redirect vulnerabilities | Security | False | Warning | False | Potential open redirect vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | +67 | [CA3008](https://docs.microsoft.com/visualstudio/code-quality/ca3008) | Review code for XPath injection vulnerabilities | Security | False | Warning | False | Potential XPath injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | +68 | [CA3009](https://docs.microsoft.com/visualstudio/code-quality/ca3009) | Review code for XML injection vulnerabilities | Security | False | Warning | False | Potential XML injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | +69 | [CA3010](https://docs.microsoft.com/visualstudio/code-quality/ca3010) | Review code for XAML injection vulnerabilities | Security | False | Warning | False | Potential XAML injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | +70 | [CA3011](https://docs.microsoft.com/visualstudio/code-quality/ca3011) | Review code for DLL injection vulnerabilities | Security | False | Warning | False | Potential DLL injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | +71 | [CA3012](https://docs.microsoft.com/visualstudio/code-quality/ca3012) | Review code for regex injection vulnerabilities | Security | False | Warning | False | Potential regex injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | +72 | [CA3061](https://docs.microsoft.com/visualstudio/code-quality/ca3061) | Do Not Add Schema By URL | Security | True | Warning | False | This overload of XmlSchemaCollection.Add method internally enables DTD processing on the XML reader instance used, and uses UrlResolver for resolving external XML entities. The outcome is information disclosure. Content from file system or network shares for the machine processing the XML can be exposed to attacker. In addition, an attacker can use this as a DoS vector. | +73 | [CA5350](https://docs.microsoft.com/visualstudio/code-quality/ca5350) | Do Not Use Weak Cryptographic Algorithms | Security | True | Warning | False | Cryptographic algorithms degrade over time as attacks become for advances to attacker get access to more computation. Depending on the type and application of this cryptographic algorithm, further degradation of the cryptographic strength of it may allow attackers to read enciphered messages, tamper with enciphered  messages, forge digital signatures, tamper with hashed content, or otherwise compromise any cryptosystem based on this algorithm. Replace encryption uses with the AES algorithm (AES-256, AES-192 and AES-128 are acceptable) with a key length greater than or equal to 128 bits. Replace hashing uses with a hashing function in the SHA-2 family, such as SHA-2 512, SHA-2 384, or SHA-2 256. | +74 | [CA5351](https://docs.microsoft.com/visualstudio/code-quality/ca5351) | Do Not Use Broken Cryptographic Algorithms | Security | True | Warning | False | An attack making it computationally feasible to break this algorithm exists. This allows attackers to break the cryptographic guarantees it is designed to provide. Depending on the type and application of this cryptographic algorithm, this may allow attackers to read enciphered messages, tamper with enciphered  messages, forge digital signatures, tamper with hashed content, or otherwise compromise any cryptosystem based on this algorithm. Replace encryption uses with the AES algorithm (AES-256, AES-192 and AES-128 are acceptable) with a key length greater than or equal to 128 bits. Replace hashing uses with a hashing function in the SHA-2 family, such as SHA512, SHA384, or SHA256. Replace digital signature uses with RSA with a key length greater than or equal to 2048-bits, or ECDSA with a key length greater than or equal to 256 bits. | +75 | [CA5358](https://docs.microsoft.com/visualstudio/code-quality/ca5358) | Review cipher mode usage with cryptography experts | Security | False | Warning | False | These cipher modes might be vulnerable to attacks. Consider using recommended modes (CBC, CTS). | +76 | [CA5359](https://docs.microsoft.com/visualstudio/code-quality/ca5359) | Do Not Disable Certificate Validation | Security | True | Warning | False | A certificate can help authenticate the identity of the server. Clients should validate the server certificate to ensure requests are sent to the intended server. If the ServerCertificateValidationCallback always returns 'true', any certificate will pass validation. | +77 | [CA5360](https://docs.microsoft.com/visualstudio/code-quality/ca5360) | Do Not Call Dangerous Methods In Deserialization | Security | True | Warning | False | Insecure Deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application, inflict a Denial-of-Service (DoS) attack, or even execute arbitrary code upon it being deserialized. It’s frequently possible for malicious users to abuse these deserialization features when the application is deserializing untrusted data which is under their control. Specifically, invoke dangerous methods in the process of deserialization. Successful insecure deserialization attacks could allow an attacker to carry out attacks such as DoS attacks, authentication bypasses, and remote code execution. | +78 | [CA5361](https://docs.microsoft.com/visualstudio/code-quality/ca5361) | Do Not Disable SChannel Use of Strong Crypto | Security | False | Warning | False | Starting with the .NET Framework 4.6, the System.Net.ServicePointManager and System.Net.Security.SslStream classes are recommeded to use new protocols. The old ones have protocol weaknesses and are not supported. Setting Switch.System.Net.DontEnableSchUseStrongCrypto with true will use the old weak crypto check and opt out of the protocol migration. | +79 | [CA5362](https://docs.microsoft.com/visualstudio/code-quality/ca5362) | Potential reference cycle in deserialized object graph | Security | False | Warning | False | Review code that processes untrusted deserialized data for handling of unexpected reference cycles. An unexpected reference cycle should not cause the code to enter an infinite loop. Otherwise, an unexpected reference cycle can allow an attacker to DOS or exhaust the memory of the process when deserializing untrusted data. | +80 | [CA5363](https://docs.microsoft.com/visualstudio/code-quality/ca5363) | Do Not Disable Request Validation | Security | True | Warning | False | Request validation is a feature in ASP.NET that examines HTTP requests and determines whether they contain potentially dangerous content. This check adds protection from markup or code in the URL query string, cookies, or posted form values that might have been added for malicious purposes. So, it is generally desirable and should be left enabled for defense in depth. | +81 | [CA5364](https://docs.microsoft.com/visualstudio/code-quality/ca5364) | Do Not Use Deprecated Security Protocols | Security | True | Warning | False | Using a deprecated security protocol rather than the system default is risky. | +82 | [CA5365](https://docs.microsoft.com/visualstudio/code-quality/ca5365) | Do Not Disable HTTP Header Checking | Security | True | Warning | False | HTTP header checking enables encoding of the carriage return and newline characters, \r and \n, that are found in response headers. This encoding can help to avoid injection attacks that exploit an application that echoes untrusted data contained by the header. | +83 | [CA5366](https://docs.microsoft.com/visualstudio/code-quality/ca5366) | Use XmlReader for 'DataSet.ReadXml()' | Security | True | Warning | False | Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled. | +84 | [CA5367](https://docs.microsoft.com/visualstudio/code-quality/ca5367) | Do Not Serialize Types With Pointer Fields | Security | False | Warning | False | Pointers are not "type safe" in the sense that you cannot guarantee the correctness of the memory they point at. So, serializing types with pointer fields is dangerous, as it may allow an attacker to control the pointer. | +85 | [CA5368](https://docs.microsoft.com/visualstudio/code-quality/ca5368) | Set ViewStateUserKey For Classes Derived From Page | Security | True | Warning | False | Setting the ViewStateUserKey property can help you prevent attacks on your application by allowing you to assign an identifier to the view-state variable for individual users so that they cannot use the variable to generate an attack. Otherwise, there will be cross-site request forgery vulnerabilities. | +86 | [CA5369](https://docs.microsoft.com/visualstudio/code-quality/ca5369) | Use XmlReader for 'XmlSerializer.Deserialize()' | Security | True | Warning | False | Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled. | +87 | [CA5370](https://docs.microsoft.com/visualstudio/code-quality/ca5370) | Use XmlReader for XmlValidatingReader constructor | Security | True | Warning | False | Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled. | +88 | [CA5371](https://docs.microsoft.com/visualstudio/code-quality/ca5371) | Use XmlReader for 'XmlSchema.Read()' | Security | True | Warning | False | Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled. | +89 | [CA5372](https://docs.microsoft.com/visualstudio/code-quality/ca5372) | Use XmlReader for XPathDocument constructor | Security | True | Warning | False | Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled. | +90 | [CA5373](https://docs.microsoft.com/visualstudio/code-quality/ca5373) | Do not use obsolete key derivation function | Security | True | Warning | False | Password-based key derivation should use PBKDF2 with SHA-2. Avoid using PasswordDeriveBytes since it generates a PBKDF1 key. Avoid using Rfc2898DeriveBytes.CryptDeriveKey since it doesn't use the iteration count or salt. | +91 | [CA5374](https://docs.microsoft.com/visualstudio/code-quality/ca5374) | Do Not Use XslTransform | Security | True | Warning | False | Do not use XslTransform. It does not restrict potentially dangerous external references. | +92 | [CA5375](https://docs.microsoft.com/visualstudio/code-quality/ca5375) | Do Not Use Account Shared Access Signature | Security | False | Warning | False | Shared Access Signatures(SAS) are a vital part of the security model for any application using Azure Storage, they should provide limited and safe permissions to your storage account to clients that don't have the account key. All of the operations available via a service SAS are also available via an account SAS, that is, account SAS is too powerful. So it is recommended to use Service SAS to delegate access more carefully. | +93 | [CA5376](https://docs.microsoft.com/visualstudio/code-quality/ca5376) | Use SharedAccessProtocol HttpsOnly | Security | False | Warning | False | HTTPS encrypts network traffic. Use HttpsOnly, rather than HttpOrHttps, to ensure network traffic is always encrypted to help prevent disclosure of sensitive data. | +94 | [CA5377](https://docs.microsoft.com/visualstudio/code-quality/ca5377) | Use Container Level Access Policy | Security | False | Warning | False | No access policy identifier is specified, making tokens non-revocable. | +95 | [CA5378](https://docs.microsoft.com/visualstudio/code-quality/ca5378) | Do not disable ServicePointManagerSecurityProtocols | Security | False | Warning | False | Do not set Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols to true. Setting this switch limits Windows Communication Framework (WCF) to using Transport Layer Security (TLS) 1.0, which is insecure and obsolete. | +96 | [CA5379](https://docs.microsoft.com/visualstudio/code-quality/ca5379) | Ensure Key Derivation Function algorithm is sufficiently strong | Security | True | Warning | False | Some implementations of the Rfc2898DeriveBytes class allow for a hash algorithm to be specified in a constructor parameter or overwritten in the HashAlgorithm property. If a hash algorithm is specified, then it should be SHA-256 or higher. | +97 | [CA5380](https://docs.microsoft.com/visualstudio/code-quality/ca5380) | Do Not Add Certificates To Root Store | Security | False | Warning | False | By default, the Trusted Root Certification Authorities certificate store is configured with a set of public CAs that has met the requirements of the Microsoft Root Certificate Program. Since all trusted root CAs can issue certificates for any domain, an attacker can pick a weak or coercible CA that you install by yourself to target for an attack – and a single vulnerable, malicious or coercible CA undermines the security of the entire system. To make matters worse, these attacks can go unnoticed quite easily. | +98 | [CA5381](https://docs.microsoft.com/visualstudio/code-quality/ca5381) | Ensure Certificates Are Not Added To Root Store | Security | False | Warning | False | By default, the Trusted Root Certification Authorities certificate store is configured with a set of public CAs that has met the requirements of the Microsoft Root Certificate Program. Since all trusted root CAs can issue certificates for any domain, an attacker can pick a weak or coercible CA that you install by yourself to target for an attack – and a single vulnerable, malicious or coercible CA undermines the security of the entire system. To make matters worse, these attacks can go unnoticed quite easily. | +99 | [CA5382](https://docs.microsoft.com/visualstudio/code-quality/ca5382) | Use Secure Cookies In ASP.Net Core | Security | False | Warning | False | Applications available over HTTPS must use secure cookies. | +100 | [CA5383](https://docs.microsoft.com/visualstudio/code-quality/ca5383) | Ensure Use Secure Cookies In ASP.Net Core | Security | False | Warning | False | Applications available over HTTPS must use secure cookies. | +101 | [CA5384](https://docs.microsoft.com/visualstudio/code-quality/ca5384) | Do Not Use Digital Signature Algorithm (DSA) | Security | True | Warning | False | DSA is too weak to use. | +102 | [CA5385](https://docs.microsoft.com/visualstudio/code-quality/ca5385) | Use Rivest–Shamir–Adleman (RSA) Algorithm With Sufficient Key Size | Security | True | Warning | False | Encryption algorithms are vulnerable to brute force attacks when too small a key size is used. | +103 | [CA5386](https://docs.microsoft.com/visualstudio/code-quality/ca5386) | Avoid hardcoding SecurityProtocolType value | Security | False | Warning | False | Avoid hardcoding SecurityProtocolType {0}, and instead use SecurityProtocolType.SystemDefault to allow the operating system to choose the best Transport Layer Security protocol to use. | +104 | [CA5387](https://docs.microsoft.com/visualstudio/code-quality/ca5387) | Do Not Use Weak Key Derivation Function With Insufficient Iteration Count | Security | False | Warning | False | When deriving cryptographic keys from user-provided inputs such as password, use sufficient iteration count (at least 100k). | +105 | [CA5388](https://docs.microsoft.com/visualstudio/code-quality/ca5388) | Ensure Sufficient Iteration Count When Using Weak Key Derivation Function | Security | False | Warning | False | When deriving cryptographic keys from user-provided inputs such as password, use sufficient iteration count (at least 100k). | +106 | [CA5389](https://docs.microsoft.com/visualstudio/code-quality/ca5389) | Do Not Add Archive Item's Path To The Target File System Path | Security | False | Warning | False | When extracting files from an archive and using the archive item's path, check if the path is safe. Archive path can be relative and can lead to file system access outside of the expected file system target path, leading to malicious config changes and remote code execution via lay-and-wait technique. | +107 | [CA5390](https://docs.microsoft.com/visualstudio/code-quality/ca5390) | Do not hard-code encryption key | Security | False | Warning | False | SymmetricAlgorithm's .Key property, or a method's rgbKey parameter, should never be a hard-coded value. | +108 | [CA5391](https://docs.microsoft.com/visualstudio/code-quality/ca5391) | Use antiforgery tokens in ASP.NET Core MVC controllers | Security | False | Warning | False | Handling a POST, PUT, PATCH, or DELETE request without validating an antiforgery token may be vulnerable to cross-site request forgery attacks. A cross-site request forgery attack can send malicious requests from an authenticated user to your ASP.NET Core MVC controller. | +109 | [CA5392](https://docs.microsoft.com/visualstudio/code-quality/ca5392) | Use DefaultDllImportSearchPaths attribute for P/Invokes | Security | False | Warning | False | By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking. | +110 | [CA5393](https://docs.microsoft.com/visualstudio/code-quality/ca5393) | Do not use unsafe DllImportSearchPath value | Security | False | Warning | False | There could be a malicious DLL in the default DLL search directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory. Use a DllImportSearchPath value that specifies an explicit search path instead. The DllImportSearchPath flags that this rule looks for can be configured in .editorconfig. | +111 | [CA5394](https://docs.microsoft.com/visualstudio/code-quality/ca5394) | Do not use insecure randomness | Security | False | Warning | False | Using a cryptographically weak pseudo-random number generator may allow an attacker to predict what security-sensitive value will be generated. Use a cryptographically strong random number generator if an unpredictable value is required, or ensure that weak pseudo-random numbers aren't used in a security-sensitive manner. | +112 | [CA5395](https://docs.microsoft.com/visualstudio/code-quality/ca5395) | Miss HttpVerb attribute for action methods | Security | False | Warning | False | All the methods that create, edit, delete, or otherwise modify data do so in the [HttpPost] overload of the method, which needs to be protected with the anti forgery attribute from request forgery. Performing a GET operation should be a safe operation that has no side effects and doesn't modify your persisted data. | +113 | [CA5396](https://docs.microsoft.com/visualstudio/code-quality/ca5396) | Set HttpOnly to true for HttpCookie | Security | False | Warning | False | As a defense in depth measure, ensure security sensitive HTTP cookies are marked as HttpOnly. This indicates web browsers should disallow scripts from accessing the cookies. Injected malicious scripts are a common way of stealing cookies. | +114 | [CA5397](https://docs.microsoft.com/visualstudio/code-quality/ca5397) | Do not use deprecated SslProtocols values | Security | True | Warning | False | Older protocol versions of Transport Layer Security (TLS) are less secure than TLS 1.2 and TLS 1.3, and are more likely to have new vulnerabilities. Avoid older protocol versions to minimize risk. | +115 | [CA5398](https://docs.microsoft.com/visualstudio/code-quality/ca5398) | Avoid hardcoded SslProtocols values | Security | False | Warning | False | Current Transport Layer Security protocol versions may become deprecated if vulnerabilities are found. Avoid hardcoding SslProtocols values to keep your application secure. Use 'None' to let the Operating System choose a version. | +116 | [CA5399](https://docs.microsoft.com/visualstudio/code-quality/ca5399) | HttpClients should enable certificate revocation list checks | Security | False | Warning | False | Using HttpClient without providing a platform specific handler (WinHttpHandler or CurlHandler or HttpClientHandler) where the CheckCertificateRevocationList property is set to true, will allow revoked certificates to be accepted by the HttpClient as valid. | +117 | [CA5400](https://docs.microsoft.com/visualstudio/code-quality/ca5400) | Ensure HttpClient certificate revocation list check is not disabled | Security | False | Warning | False | Using HttpClient without providing a platform specific handler (WinHttpHandler or CurlHandler or HttpClientHandler) where the CheckCertificateRevocationList property is set to true, will allow revoked certificates to be accepted by the HttpClient as valid. | +118 | [CA5401](https://docs.microsoft.com/visualstudio/code-quality/ca5401) | Do not use CreateEncryptor with non-default IV | Security | False | Warning | False | Symmetric encryption should always use a non-repeatable initialization vector to prevent dictionary attacks. | +119 | [CA5402](https://docs.microsoft.com/visualstudio/code-quality/ca5402) | Use CreateEncryptor with the default IV | Security | False | Warning | False | Symmetric encryption should always use a non-repeatable initialization vector to prevent dictionary attacks. | +120 | [CA5403](https://docs.microsoft.com/visualstudio/code-quality/ca5403) | Do not hard-code certificate | Security | False | Warning | False | Hard-coded certificates in source code are vulnerable to being exploited. | diff --git a/src/Microsoft.NetCore.Analyzers/Microsoft.NetCore.Analyzers.sarif b/src/Microsoft.NetCore.Analyzers/Microsoft.NetCore.Analyzers.sarif index 55a8930f0d..be78e73f3f 100644 --- a/src/Microsoft.NetCore.Analyzers/Microsoft.NetCore.Analyzers.sarif +++ b/src/Microsoft.NetCore.Analyzers/Microsoft.NetCore.Analyzers.sarif @@ -5,7 +5,7 @@ { "tool": { "name": "Microsoft.NetCore.Analyzers", - "version": "2.9.10", + "version": "2.9.12", "language": "en-US" }, "rules": { @@ -423,7 +423,8 @@ "tags": [ "PortedFromFxCop", "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -602,7 +603,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -622,7 +624,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -680,7 +683,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -700,7 +704,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -739,7 +744,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -759,7 +765,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -798,7 +805,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -818,7 +826,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -838,7 +847,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -858,14 +868,15 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, "CA2350": { "id": "CA2350", - "shortDescription": "Do not use insecure deserialization with DataTable.ReadXml()", - "fullDescription": "The method '{0}' is insecure when deserializing untrusted data. If deserializing untrusted data, replace with TBD.", + "shortDescription": "Do not use DataTable.ReadXml() with untrusted data", + "fullDescription": "The method '{0}' is insecure when deserializing untrusted data", "defaultLevel": "warning", "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca2350", "properties": { @@ -883,8 +894,8 @@ }, "CA2351": { "id": "CA2351", - "shortDescription": "Do not use insecure deserialization with DataSet.ReadXml()", - "fullDescription": "The method '{0}' is insecure when deserializing untrusted data. If deserializing untrusted data, replace with TBD.", + "shortDescription": "Do not use DataSet.ReadXml() with untrusted data", + "fullDescription": "The method '{0}' is insecure when deserializing untrusted data", "defaultLevel": "warning", "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca2351", "properties": { @@ -922,7 +933,7 @@ "CA2353": { "id": "CA2353", "shortDescription": "Unsafe DataSet or DataTable in serializable type", - "fullDescription": "When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}.", + "fullDescription": "When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}", "defaultLevel": "warning", "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca2353", "properties": { @@ -941,7 +952,7 @@ "CA2354": { "id": "CA2354", "shortDescription": "Unsafe DataSet or DataTable in deserialized object graph can be vulnerable to remote code execution attacks", - "fullDescription": "When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}.", + "fullDescription": "When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}", "defaultLevel": "warning", "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca2354", "properties": { @@ -960,7 +971,7 @@ "CA2355": { "id": "CA2355", "shortDescription": "Unsafe DataSet or DataTable type found in deserializable object graph", - "fullDescription": "When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}.", + "fullDescription": "When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}", "defaultLevel": "warning", "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca2355", "properties": { @@ -979,7 +990,7 @@ "CA2356": { "id": "CA2356", "shortDescription": "Unsafe DataSet or DataTable type in web deserializable object graph", - "fullDescription": "When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}.", + "fullDescription": "When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}", "defaultLevel": "warning", "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca2356", "properties": { @@ -995,6 +1006,44 @@ ] } }, + "CA2361": { + "id": "CA2361", + "shortDescription": "Ensure autogenerated class containing DataSet.ReadXml() is not used with untrusted data", + "fullDescription": "The method '{0}' is insecure when deserializing untrusted data. Make sure that autogenerated class containing the '{0}' call is not deserialized with untrusted data.", + "defaultLevel": "warning", + "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca2361", + "properties": { + "category": "Security", + "isEnabledByDefault": false, + "typeName": "DoNotUseDataSetReadXml", + "languages": [ + "C#", + "Visual Basic" + ], + "tags": [ + "Telemetry" + ] + } + }, + "CA2362": { + "id": "CA2362", + "shortDescription": "Unsafe DataSet or DataTable in autogenerated serializable type can be vulnerable to remote code execution attacks", + "fullDescription": "When deserializing untrusted input with an IFormatter-based serializer, deserializing a {0} object is insecure. '{1}' either is or derives from {0}. Ensure that the autogenerated type is never deserialized with untrusted data.", + "defaultLevel": "warning", + "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca2362", + "properties": { + "category": "Security", + "isEnabledByDefault": false, + "typeName": "DataSetDataTableInSerializableTypeAnalyzer", + "languages": [ + "C#", + "Visual Basic" + ], + "tags": [ + "Telemetry" + ] + } + }, "CA3001": { "id": "CA3001", "shortDescription": "Review code for SQL injection vulnerabilities", @@ -1345,7 +1394,8 @@ "Visual Basic" ], "tags": [ - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -1384,7 +1434,8 @@ "Visual Basic" ], "tags": [ - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -1447,7 +1498,7 @@ }, "CA5366": { "id": "CA5366", - "shortDescription": "Use XmlReader For DataSet Read Xml", + "shortDescription": "Use XmlReader for 'DataSet.ReadXml()'", "fullDescription": "Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled.", "defaultLevel": "warning", "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca5366", @@ -1479,7 +1530,8 @@ "Visual Basic" ], "tags": [ - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -1504,7 +1556,7 @@ }, "CA5369": { "id": "CA5369", - "shortDescription": "Use XmlReader For Deserialize", + "shortDescription": "Use XmlReader for 'XmlSerializer.Deserialize()'", "fullDescription": "Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled.", "defaultLevel": "warning", "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca5369", @@ -1523,7 +1575,7 @@ }, "CA5370": { "id": "CA5370", - "shortDescription": "Use XmlReader For Validating Reader", + "shortDescription": "Use XmlReader for XmlValidatingReader constructor", "fullDescription": "Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled.", "defaultLevel": "warning", "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca5370", @@ -1542,7 +1594,7 @@ }, "CA5371": { "id": "CA5371", - "shortDescription": "Use XmlReader For Schema Read", + "shortDescription": "Use XmlReader for 'XmlSchema.Read()'", "fullDescription": "Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled.", "defaultLevel": "warning", "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca5371", @@ -1561,7 +1613,7 @@ }, "CA5372": { "id": "CA5372", - "shortDescription": "Use XmlReader For XPathDocument", + "shortDescription": "Use XmlReader for XPathDocument constructor", "fullDescription": "Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled.", "defaultLevel": "warning", "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca5372", @@ -1697,7 +1749,7 @@ }, "CA5379": { "id": "CA5379", - "shortDescription": "Do Not Use Weak Key Derivation Function Algorithm", + "shortDescription": "Ensure Key Derivation Function algorithm is sufficiently strong", "fullDescription": "Some implementations of the Rfc2898DeriveBytes class allow for a hash algorithm to be specified in a constructor parameter or overwritten in the HashAlgorithm property. If a hash algorithm is specified, then it should be SHA-256 or higher.", "defaultLevel": "warning", "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca5379", @@ -1730,7 +1782,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -1750,7 +1803,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -1770,7 +1824,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -1790,7 +1845,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -1867,7 +1923,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -1887,7 +1944,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -1946,7 +2004,8 @@ "Visual Basic" ], "tags": [ - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -2022,7 +2081,8 @@ "Visual Basic" ], "tags": [ - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -2042,7 +2102,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -2100,7 +2161,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -2120,7 +2182,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -2140,7 +2203,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -2160,7 +2224,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -2189,7 +2254,7 @@ { "tool": { "name": "Microsoft.NetCore.CSharp.Analyzers", - "version": "2.9.10", + "version": "2.9.12", "language": "en-US" }, "rules": { @@ -2246,7 +2311,8 @@ ], "tags": [ "PortedFromFxCop", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -2328,7 +2394,7 @@ { "tool": { "name": "Microsoft.NetCore.VisualBasic.Analyzers", - "version": "2.9.10", + "version": "2.9.12", "language": "en-US" }, "rules": { @@ -2385,7 +2451,8 @@ ], "tags": [ "PortedFromFxCop", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, diff --git a/src/Microsoft.NetFramework.Analyzers/Microsoft.NetFramework.Analyzers.sarif b/src/Microsoft.NetFramework.Analyzers/Microsoft.NetFramework.Analyzers.sarif index eac31cf307..c85bca91d4 100644 --- a/src/Microsoft.NetFramework.Analyzers/Microsoft.NetFramework.Analyzers.sarif +++ b/src/Microsoft.NetFramework.Analyzers/Microsoft.NetFramework.Analyzers.sarif @@ -5,7 +5,7 @@ { "tool": { "name": "Microsoft.NetFramework.Analyzers", - "version": "2.9.10", + "version": "2.9.12", "language": "en-US" }, "rules": { @@ -91,7 +91,7 @@ { "tool": { "name": "Microsoft.NetFramework.CSharp.Analyzers", - "version": "2.9.10", + "version": "2.9.12", "language": "en-US" }, "rules": { @@ -136,7 +136,7 @@ { "tool": { "name": "Microsoft.NetFramework.VisualBasic.Analyzers", - "version": "2.9.10", + "version": "2.9.12", "language": "en-US" }, "rules": { diff --git a/src/NetAnalyzers/Microsoft.CodeAnalysis.NetAnalyzers.md b/src/NetAnalyzers/Microsoft.CodeAnalysis.NetAnalyzers.md index 4fb4a296d5..33bda0cdd4 100644 --- a/src/NetAnalyzers/Microsoft.CodeAnalysis.NetAnalyzers.md +++ b/src/NetAnalyzers/Microsoft.CodeAnalysis.NetAnalyzers.md @@ -140,74 +140,77 @@ Sr. No. | Rule ID | Title | Category | Enabled | Severity | CodeFix | Descriptio 137 | [CA2328](https://docs.microsoft.com/visualstudio/code-quality/ca2328) | Ensure that JsonSerializerSettings are secure | Security | False | Warning | False | When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using JsonSerializerSettings, ensure TypeNameHandling.None is specified, or for values other than None, ensure a SerializationBinder is specified to restrict deserialized types. | 138 | [CA2329](https://docs.microsoft.com/visualstudio/code-quality/ca2329) | Do not deserialize with JsonSerializer using an insecure configuration | Security | False | Warning | False | When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder. | 139 | [CA2330](https://docs.microsoft.com/visualstudio/code-quality/ca2330) | Ensure that JsonSerializer has a secure configuration when deserializing | Security | False | Warning | False | When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder. | -140 | [CA2350](https://docs.microsoft.com/visualstudio/code-quality/ca2350) | Do not use insecure deserialization with DataTable.ReadXml() | Security | False | Warning | False | The method '{0}' is insecure when deserializing untrusted data. If deserializing untrusted data, replace with TBD. | -141 | [CA2351](https://docs.microsoft.com/visualstudio/code-quality/ca2351) | Do not use insecure deserialization with DataSet.ReadXml() | Security | False | Warning | False | The method '{0}' is insecure when deserializing untrusted data. If deserializing untrusted data, replace with TBD. | -142 | [CA2352](https://docs.microsoft.com/visualstudio/code-quality/ca2352) | Do not use DataSet.ReadXml() without ReadXmlSchema() on untrusted data | Security | False | Warning | False | When deserializing untrusted input, DataSet.ReadXml() without first calling DataSet.ReadXmlSchema() is insecure. | -143 | [CA2353](https://docs.microsoft.com/visualstudio/code-quality/ca2353) | Ensure DataSet.ReadXmlSchema() is called before ReadXml() on untrusted data | Security | False | Warning | False | When deserializing untrusted input, DataSet.ReadXml() without first calling DataSet.ReadXmlSchema() is insecure. | -144 | [CA2354](https://docs.microsoft.com/visualstudio/code-quality/ca2354) | Unsafe DataSet/DataTable object declared in serializable type | Security | False | Warning | False | When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}. | -145 | [CA2355](https://docs.microsoft.com/visualstudio/code-quality/ca2355) | Unsafe DataSet/DataTable type in deserializable object graph | Security | False | Warning | False | When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}. | -146 | [CA3001](https://docs.microsoft.com/visualstudio/code-quality/ca3001) | Review code for SQL injection vulnerabilities | Security | False | Warning | False | Potential SQL injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | -147 | [CA3002](https://docs.microsoft.com/visualstudio/code-quality/ca3002) | Review code for XSS vulnerabilities | Security | False | Warning | False | Potential cross-site scripting (XSS) vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | -148 | [CA3003](https://docs.microsoft.com/visualstudio/code-quality/ca3003) | Review code for file path injection vulnerabilities | Security | False | Warning | False | Potential file path injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | -149 | [CA3004](https://docs.microsoft.com/visualstudio/code-quality/ca3004) | Review code for information disclosure vulnerabilities | Security | False | Warning | False | Potential information disclosure vulnerability was found where '{0}' in method '{1}' may contain unintended information from '{2}' in method '{3}'. | -150 | [CA3005](https://docs.microsoft.com/visualstudio/code-quality/ca3005) | Review code for LDAP injection vulnerabilities | Security | False | Warning | False | Potential LDAP injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | -151 | [CA3006](https://docs.microsoft.com/visualstudio/code-quality/ca3006) | Review code for process command injection vulnerabilities | Security | False | Warning | False | Potential process command injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | -152 | [CA3007](https://docs.microsoft.com/visualstudio/code-quality/ca3007) | Review code for open redirect vulnerabilities | Security | False | Warning | False | Potential open redirect vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | -153 | [CA3008](https://docs.microsoft.com/visualstudio/code-quality/ca3008) | Review code for XPath injection vulnerabilities | Security | False | Warning | False | Potential XPath injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | -154 | [CA3009](https://docs.microsoft.com/visualstudio/code-quality/ca3009) | Review code for XML injection vulnerabilities | Security | False | Warning | False | Potential XML injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | -155 | [CA3010](https://docs.microsoft.com/visualstudio/code-quality/ca3010) | Review code for XAML injection vulnerabilities | Security | False | Warning | False | Potential XAML injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | -156 | [CA3011](https://docs.microsoft.com/visualstudio/code-quality/ca3011) | Review code for DLL injection vulnerabilities | Security | False | Warning | False | Potential DLL injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | -157 | [CA3012](https://docs.microsoft.com/visualstudio/code-quality/ca3012) | Review code for regex injection vulnerabilities | Security | False | Warning | False | Potential regex injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | -158 | [CA3061](https://docs.microsoft.com/visualstudio/code-quality/ca3061) | Do Not Add Schema By URL | Security | True | Warning | False | This overload of XmlSchemaCollection.Add method internally enables DTD processing on the XML reader instance used, and uses UrlResolver for resolving external XML entities. The outcome is information disclosure. Content from file system or network shares for the machine processing the XML can be exposed to attacker. In addition, an attacker can use this as a DoS vector. | -159 | [CA3075](https://docs.microsoft.com/visualstudio/code-quality/ca3075) | Insecure DTD processing in XML | Security | True | Warning | False | Using XmlTextReader.Load(), creating an insecure XmlReaderSettings instance when invoking XmlReader.Create(), setting the InnerXml property of the XmlDocument and enabling DTD processing using XmlUrlResolver insecurely can lead to information disclosure. Replace it with a call to the Load() method overload that takes an XmlReader instance, use XmlReader.Create() to accept XmlReaderSettings arguments or consider explicitly setting secure values. The DataViewSettingCollectionString property of DataViewManager should always be assigned from a trusted source, the DtdProcessing property should be set to false, and the XmlResolver property should be changed to XmlSecureResolver or null.  | -160 | [CA3076](https://docs.microsoft.com/visualstudio/code-quality/ca3076) | Insecure XSLT script processing. | Security | True | Warning | False | Providing an insecure XsltSettings instance and an insecure XmlResolver instance to XslCompiledTransform.Load method is potentially unsafe as it allows processing script within XSL, which on an untrusted XSL input may lead to malicious code execution. Either replace the insecure XsltSettings argument with XsltSettings.Default or an instance that has disabled document function and script execution, or replace the XmlResolver argurment with null or an XmlSecureResolver instance. This message may be suppressed if the input is known to be from a trusted source and external resource resolution from locations that are not known in advance must be supported. | -161 | [CA3077](https://docs.microsoft.com/visualstudio/code-quality/ca3077) | Insecure Processing in API Design, XmlDocument and XmlTextReader | Security | True | Warning | False | Enabling DTD processing on all instances derived from XmlTextReader or  XmlDocument and using XmlUrlResolver for resolving external XML entities may lead to information disclosure. Ensure to set the XmlResolver property to null, create an instance of XmlSecureResolver when processing untrusted input, or use XmlReader.Create method with a secure XmlReaderSettings argument. Unless you need to enable it, ensure the DtdProcessing property is set to false.  | -162 | [CA3147](https://docs.microsoft.com/visualstudio/code-quality/ca3147) | Mark Verb Handlers With Validate Antiforgery Token | Security | True | Warning | False | Missing ValidateAntiForgeryTokenAttribute on controller action {0}. | -163 | [CA5350](https://docs.microsoft.com/visualstudio/code-quality/ca5350) | Do Not Use Weak Cryptographic Algorithms | Security | True | Warning | False | Cryptographic algorithms degrade over time as attacks become for advances to attacker get access to more computation. Depending on the type and application of this cryptographic algorithm, further degradation of the cryptographic strength of it may allow attackers to read enciphered messages, tamper with enciphered  messages, forge digital signatures, tamper with hashed content, or otherwise compromise any cryptosystem based on this algorithm. Replace encryption uses with the AES algorithm (AES-256, AES-192 and AES-128 are acceptable) with a key length greater than or equal to 128 bits. Replace hashing uses with a hashing function in the SHA-2 family, such as SHA-2 512, SHA-2 384, or SHA-2 256. | -164 | [CA5351](https://docs.microsoft.com/visualstudio/code-quality/ca5351) | Do Not Use Broken Cryptographic Algorithms | Security | True | Warning | False | An attack making it computationally feasible to break this algorithm exists. This allows attackers to break the cryptographic guarantees it is designed to provide. Depending on the type and application of this cryptographic algorithm, this may allow attackers to read enciphered messages, tamper with enciphered  messages, forge digital signatures, tamper with hashed content, or otherwise compromise any cryptosystem based on this algorithm. Replace encryption uses with the AES algorithm (AES-256, AES-192 and AES-128 are acceptable) with a key length greater than or equal to 128 bits. Replace hashing uses with a hashing function in the SHA-2 family, such as SHA512, SHA384, or SHA256. Replace digital signature uses with RSA with a key length greater than or equal to 2048-bits, or ECDSA with a key length greater than or equal to 256 bits. | -165 | [CA5358](https://docs.microsoft.com/visualstudio/code-quality/ca5358) | Review cipher mode usage with cryptography experts | Security | False | Warning | False | These cipher modes might be vulnerable to attacks. Consider using recommended modes (CBC, CTS). | -166 | [CA5359](https://docs.microsoft.com/visualstudio/code-quality/ca5359) | Do Not Disable Certificate Validation | Security | True | Warning | False | A certificate can help authenticate the identity of the server. Clients should validate the server certificate to ensure requests are sent to the intended server. If the ServerCertificateValidationCallback always returns 'true', any certificate will pass validation. | -167 | [CA5360](https://docs.microsoft.com/visualstudio/code-quality/ca5360) | Do Not Call Dangerous Methods In Deserialization | Security | True | Warning | False | Insecure Deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application, inflict a Denial-of-Service (DoS) attack, or even execute arbitrary code upon it being deserialized. It’s frequently possible for malicious users to abuse these deserialization features when the application is deserializing untrusted data which is under their control. Specifically, invoke dangerous methods in the process of deserialization. Successful insecure deserialization attacks could allow an attacker to carry out attacks such as DoS attacks, authentication bypasses, and remote code execution. | -168 | [CA5361](https://docs.microsoft.com/visualstudio/code-quality/ca5361) | Do Not Disable SChannel Use of Strong Crypto | Security | False | Warning | False | Starting with the .NET Framework 4.6, the System.Net.ServicePointManager and System.Net.Security.SslStream classes are recommeded to use new protocols. The old ones have protocol weaknesses and are not supported. Setting Switch.System.Net.DontEnableSchUseStrongCrypto with true will use the old weak crypto check and opt out of the protocol migration. | -169 | [CA5362](https://docs.microsoft.com/visualstudio/code-quality/ca5362) | Do Not Refer Self In Serializable Class | Security | False | Warning | False | This can allow an attacker to DOS or exhaust the memory of the process. | -170 | [CA5363](https://docs.microsoft.com/visualstudio/code-quality/ca5363) | Do Not Disable Request Validation | Security | True | Warning | False | Request validation is a feature in ASP.NET that examines HTTP requests and determines whether they contain potentially dangerous content. This check adds protection from markup or code in the URL query string, cookies, or posted form values that might have been added for malicious purposes. So, it is generally desirable and should be left enabled for defense in depth. | -171 | [CA5364](https://docs.microsoft.com/visualstudio/code-quality/ca5364) | Do Not Use Deprecated Security Protocols | Security | True | Warning | False | Using a deprecated security protocol rather than the system default is risky. | -172 | [CA5365](https://docs.microsoft.com/visualstudio/code-quality/ca5365) | Do Not Disable HTTP Header Checking | Security | True | Warning | False | HTTP header checking enables encoding of the carriage return and newline characters, \r and \n, that are found in response headers. This encoding can help to avoid injection attacks that exploit an application that echoes untrusted data contained by the header. | -173 | [CA5366](https://docs.microsoft.com/visualstudio/code-quality/ca5366) | Use XmlReader For DataSet Read Xml | Security | True | Warning | False | Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled. | -174 | [CA5367](https://docs.microsoft.com/visualstudio/code-quality/ca5367) | Do Not Serialize Types With Pointer Fields | Security | False | Warning | False | Pointers are not "type safe" in the sense that you cannot guarantee the correctness of the memory they point at. So, serializing types with pointer fields is dangerous, as it may allow an attacker to control the pointer. | -175 | [CA5368](https://docs.microsoft.com/visualstudio/code-quality/ca5368) | Set ViewStateUserKey For Classes Derived From Page | Security | True | Warning | False | Setting the ViewStateUserKey property can help you prevent attacks on your application by allowing you to assign an identifier to the view-state variable for individual users so that they cannot use the variable to generate an attack. Otherwise, there will be cross-site request forgery vulnerabilities. | -176 | [CA5369](https://docs.microsoft.com/visualstudio/code-quality/ca5369) | Use XmlReader For Deserialize | Security | True | Warning | False | Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled. | -177 | [CA5370](https://docs.microsoft.com/visualstudio/code-quality/ca5370) | Use XmlReader For Validating Reader | Security | True | Warning | False | Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled. | -178 | [CA5371](https://docs.microsoft.com/visualstudio/code-quality/ca5371) | Use XmlReader For Schema Read | Security | True | Warning | False | Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled. | -179 | [CA5372](https://docs.microsoft.com/visualstudio/code-quality/ca5372) | Use XmlReader For XPathDocument | Security | True | Warning | False | Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled. | -180 | [CA5373](https://docs.microsoft.com/visualstudio/code-quality/ca5373) | Do not use obsolete key derivation function | Security | True | Warning | False | Password-based key derivation should use PBKDF2 with SHA-2. Avoid using PasswordDeriveBytes since it generates a PBKDF1 key. Avoid using Rfc2898DeriveBytes.CryptDeriveKey since it doesn't use the iteration count or salt. | -181 | [CA5374](https://docs.microsoft.com/visualstudio/code-quality/ca5374) | Do Not Use XslTransform | Security | True | Warning | False | Do not use XslTransform. It does not restrict potentially dangerous external references. | -182 | [CA5375](https://docs.microsoft.com/visualstudio/code-quality/ca5375) | Do Not Use Account Shared Access Signature | Security | False | Warning | False | Shared Access Signatures(SAS) are a vital part of the security model for any application using Azure Storage, they should provide limited and safe permissions to your storage account to clients that don't have the account key. All of the operations available via a service SAS are also available via an account SAS, that is, account SAS is too powerful. So it is recommended to use Service SAS to delegate access more carefully. | -183 | [CA5376](https://docs.microsoft.com/visualstudio/code-quality/ca5376) | Use SharedAccessProtocol HttpsOnly | Security | False | Warning | False | HTTPS encrypts network traffic. Use HttpsOnly, rather than HttpOrHttps, to ensure network traffic is always encrypted to help prevent disclosure of sensitive data. | -184 | [CA5377](https://docs.microsoft.com/visualstudio/code-quality/ca5377) | Use Container Level Access Policy | Security | False | Warning | False | No access policy identifier is specified, making tokens non-revocable. | -185 | [CA5378](https://docs.microsoft.com/visualstudio/code-quality/ca5378) | Do not disable ServicePointManagerSecurityProtocols | Security | False | Warning | False | Do not set Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols to true. Setting this switch limits Windows Communication Framework (WCF) to using Transport Layer Security (TLS) 1.0, which is insecure and obsolete. | -186 | [CA5379](https://docs.microsoft.com/visualstudio/code-quality/ca5379) | Do Not Use Weak Key Derivation Function Algorithm | Security | True | Warning | False | Some implementations of the Rfc2898DeriveBytes class allow for a hash algorithm to be specified in a constructor parameter or overwritten in the HashAlgorithm property. If a hash algorithm is specified, then it should be SHA-256 or higher. | -187 | [CA5380](https://docs.microsoft.com/visualstudio/code-quality/ca5380) | Do Not Add Certificates To Root Store | Security | False | Warning | False | By default, the Trusted Root Certification Authorities certificate store is configured with a set of public CAs that has met the requirements of the Microsoft Root Certificate Program. Since all trusted root CAs can issue certificates for any domain, an attacker can pick a weak or coercible CA that you install by yourself to target for an attack – and a single vulnerable, malicious or coercible CA undermines the security of the entire system. To make matters worse, these attacks can go unnoticed quite easily. | -188 | [CA5381](https://docs.microsoft.com/visualstudio/code-quality/ca5381) | Ensure Certificates Are Not Added To Root Store | Security | False | Warning | False | By default, the Trusted Root Certification Authorities certificate store is configured with a set of public CAs that has met the requirements of the Microsoft Root Certificate Program. Since all trusted root CAs can issue certificates for any domain, an attacker can pick a weak or coercible CA that you install by yourself to target for an attack – and a single vulnerable, malicious or coercible CA undermines the security of the entire system. To make matters worse, these attacks can go unnoticed quite easily. | -189 | [CA5382](https://docs.microsoft.com/visualstudio/code-quality/ca5382) | Use Secure Cookies In ASP.Net Core | Security | False | Warning | False | Applications available over HTTPS must use secure cookies. | -190 | [CA5383](https://docs.microsoft.com/visualstudio/code-quality/ca5383) | Ensure Use Secure Cookies In ASP.Net Core | Security | False | Warning | False | Applications available over HTTPS must use secure cookies. | -191 | [CA5384](https://docs.microsoft.com/visualstudio/code-quality/ca5384) | Do Not Use Digital Signature Algorithm (DSA) | Security | True | Warning | False | DSA is too weak to use. | -192 | [CA5385](https://docs.microsoft.com/visualstudio/code-quality/ca5385) | Use Rivest–Shamir–Adleman (RSA) Algorithm With Sufficient Key Size | Security | True | Warning | False | Encryption algorithms are vulnerable to brute force attacks when too small a key size is used. | -193 | [CA5386](https://docs.microsoft.com/visualstudio/code-quality/ca5386) | Avoid hardcoding SecurityProtocolType value | Security | False | Warning | False | Avoid hardcoding SecurityProtocolType {0}, and instead use SecurityProtocolType.SystemDefault to allow the operating system to choose the best Transport Layer Security protocol to use. | -194 | [CA5387](https://docs.microsoft.com/visualstudio/code-quality/ca5387) | Do Not Use Weak Key Derivation Function With Insufficient Iteration Count | Security | False | Warning | False | When deriving cryptographic keys from user-provided inputs such as password, use sufficient iteration count (at least 100k). | -195 | [CA5388](https://docs.microsoft.com/visualstudio/code-quality/ca5388) | Ensure Sufficient Iteration Count When Using Weak Key Derivation Function | Security | False | Warning | False | When deriving cryptographic keys from user-provided inputs such as password, use sufficient iteration count (at least 100k). | -196 | [CA5389](https://docs.microsoft.com/visualstudio/code-quality/ca5389) | Do Not Add Archive Item's Path To The Target File System Path | Security | False | Warning | False | When extracting files from an archive and using the archive item's path, check if the path is safe. Archive path can be relative and can lead to file system access outside of the expected file system target path, leading to malicious config changes and remote code execution via lay-and-wait technique. | -197 | [CA5390](https://docs.microsoft.com/visualstudio/code-quality/ca5390) | Do not hard-code encryption key | Security | False | Warning | False | SymmetricAlgorithm's .Key property, or a method's rgbKey parameter, should never be a hard-coded value. | -198 | [CA5391](https://docs.microsoft.com/visualstudio/code-quality/ca5391) | Use antiforgery tokens in ASP.NET Core MVC controllers | Security | False | Warning | False | Handling a POST, PUT, PATCH, or DELETE request without validating an antiforgery token may be vulnerable to cross-site request forgery attacks. A cross-site request forgery attack can send malicious requests from an authenticated user to your ASP.NET Core MVC controller. | -199 | [CA5392](https://docs.microsoft.com/visualstudio/code-quality/ca5392) | Use DefaultDllImportSearchPaths attribute for P/Invokes | Security | False | Warning | False | By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking. | -200 | [CA5393](https://docs.microsoft.com/visualstudio/code-quality/ca5393) | Do not use unsafe DllImportSearchPath value | Security | False | Warning | False | There could be a malicious DLL in the default DLL search directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory. Use a DllImportSearchPath value that specifies an explicit search path instead. The DllImportSearchPath flags that this rule looks for can be configured in .editorconfig. | -201 | [CA5394](https://docs.microsoft.com/visualstudio/code-quality/ca5394) | Do not use insecure randomness | Security | False | Warning | False | Using a cryptographically weak pseudo-random number generator may allow an attacker to predict what security-sensitive value will be generated. Use a cryptographically strong random number generator if an unpredictable value is required, or ensure that weak pseudo-random numbers aren't used in a security-sensitive manner. | -202 | [CA5395](https://docs.microsoft.com/visualstudio/code-quality/ca5395) | Miss HttpVerb attribute for action methods | Security | False | Warning | False | All the methods that create, edit, delete, or otherwise modify data do so in the [HttpPost] overload of the method, which needs to be protected with the anti forgery attribute from request forgery. Performing a GET operation should be a safe operation that has no side effects and doesn't modify your persisted data. | -203 | [CA5396](https://docs.microsoft.com/visualstudio/code-quality/ca5396) | Set HttpOnly to true for HttpCookie | Security | False | Warning | False | As a defense in depth measure, ensure security sensitive HTTP cookies are marked as HttpOnly. This indicates web browsers should disallow scripts from accessing the cookies. Injected malicious scripts are a common way of stealing cookies. | -204 | [CA5397](https://docs.microsoft.com/visualstudio/code-quality/ca5397) | Do not use deprecated SslProtocols values | Security | True | Warning | False | Older protocol versions of Transport Layer Security (TLS) are less secure than TLS 1.2 and TLS 1.3, and are more likely to have new vulnerabilities. Avoid older protocol versions to minimize risk. | -205 | [CA5398](https://docs.microsoft.com/visualstudio/code-quality/ca5398) | Avoid hardcoded SslProtocols values | Security | False | Warning | False | Current Transport Layer Security protocol versions may become deprecated if vulnerabilities are found. Avoid hardcoding SslProtocols values to keep your application secure. Use 'None' to let the Operating System choose a version. | -206 | [CA5399](https://docs.microsoft.com/visualstudio/code-quality/ca5399) | HttpClients should enable certificate revocation list checks | Security | False | Warning | False | Using HttpClient without providing a platform specific handler (WinHttpHandler or CurlHandler or HttpClientHandler) where the CheckCertificateRevocationList property is set to true, will allow revoked certificates to be accepted by the HttpClient as valid. | -207 | [CA5400](https://docs.microsoft.com/visualstudio/code-quality/ca5400) | Ensure HttpClient certificate revocation list check is not disabled | Security | False | Warning | False | Using HttpClient without providing a platform specific handler (WinHttpHandler or CurlHandler or HttpClientHandler) where the CheckCertificateRevocationList property is set to true, will allow revoked certificates to be accepted by the HttpClient as valid. | -208 | [CA5401](https://docs.microsoft.com/visualstudio/code-quality/ca5401) | Do not use CreateEncryptor with non-default IV | Security | False | Warning | False | Symmetric encryption should always use a non-repeatable initialization vector to prevent dictionary attacks. | -209 | [CA5402](https://docs.microsoft.com/visualstudio/code-quality/ca5402) | Use CreateEncryptor with the default IV | Security | False | Warning | False | Symmetric encryption should always use a non-repeatable initialization vector to prevent dictionary attacks. | -210 | [CA5403](https://docs.microsoft.com/visualstudio/code-quality/ca5403) | Do not hard-code certificate | Security | False | Warning | False | Hard-coded certificates in source code are vulnerable to being exploited. | +140 | [CA2350](https://docs.microsoft.com/visualstudio/code-quality/ca2350) | Do not use DataTable.ReadXml() with untrusted data | Security | False | Warning | False | The method '{0}' is insecure when deserializing untrusted data | +141 | [CA2351](https://docs.microsoft.com/visualstudio/code-quality/ca2351) | Do not use DataSet.ReadXml() with untrusted data | Security | False | Warning | False | The method '{0}' is insecure when deserializing untrusted data | +142 | [CA2352](https://docs.microsoft.com/visualstudio/code-quality/ca2352) | Unsafe DataSet or DataTable in serializable type can be vulnerable to remote code execution attacks | Security | False | Warning | False | When deserializing untrusted input with an IFormatter-based serializer, deserializing a {0} object is insecure. '{1}' either is or derives from {0}. | +143 | [CA2353](https://docs.microsoft.com/visualstudio/code-quality/ca2353) | Unsafe DataSet or DataTable in serializable type | Security | False | Warning | False | When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0} | +144 | [CA2354](https://docs.microsoft.com/visualstudio/code-quality/ca2354) | Unsafe DataSet or DataTable in deserialized object graph can be vulnerable to remote code execution attacks | Security | False | Warning | False | When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0} | +145 | [CA2355](https://docs.microsoft.com/visualstudio/code-quality/ca2355) | Unsafe DataSet or DataTable type found in deserializable object graph | Security | False | Warning | False | When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0} | +146 | [CA2356](https://docs.microsoft.com/visualstudio/code-quality/ca2356) | Unsafe DataSet or DataTable type in web deserializable object graph | Security | False | Warning | False | When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0} | +147 | [CA2361](https://docs.microsoft.com/visualstudio/code-quality/ca2361) | Ensure autogenerated class containing DataSet.ReadXml() is not used with untrusted data | Security | False | Warning | False | The method '{0}' is insecure when deserializing untrusted data. Make sure that autogenerated class containing the '{0}' call is not deserialized with untrusted data. | +148 | [CA2362](https://docs.microsoft.com/visualstudio/code-quality/ca2362) | Unsafe DataSet or DataTable in autogenerated serializable type can be vulnerable to remote code execution attacks | Security | False | Warning | False | When deserializing untrusted input with an IFormatter-based serializer, deserializing a {0} object is insecure. '{1}' either is or derives from {0}. Ensure that the autogenerated type is never deserialized with untrusted data. | +149 | [CA3001](https://docs.microsoft.com/visualstudio/code-quality/ca3001) | Review code for SQL injection vulnerabilities | Security | False | Warning | False | Potential SQL injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | +150 | [CA3002](https://docs.microsoft.com/visualstudio/code-quality/ca3002) | Review code for XSS vulnerabilities | Security | False | Warning | False | Potential cross-site scripting (XSS) vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | +151 | [CA3003](https://docs.microsoft.com/visualstudio/code-quality/ca3003) | Review code for file path injection vulnerabilities | Security | False | Warning | False | Potential file path injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | +152 | [CA3004](https://docs.microsoft.com/visualstudio/code-quality/ca3004) | Review code for information disclosure vulnerabilities | Security | False | Warning | False | Potential information disclosure vulnerability was found where '{0}' in method '{1}' may contain unintended information from '{2}' in method '{3}'. | +153 | [CA3005](https://docs.microsoft.com/visualstudio/code-quality/ca3005) | Review code for LDAP injection vulnerabilities | Security | False | Warning | False | Potential LDAP injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | +154 | [CA3006](https://docs.microsoft.com/visualstudio/code-quality/ca3006) | Review code for process command injection vulnerabilities | Security | False | Warning | False | Potential process command injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | +155 | [CA3007](https://docs.microsoft.com/visualstudio/code-quality/ca3007) | Review code for open redirect vulnerabilities | Security | False | Warning | False | Potential open redirect vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | +156 | [CA3008](https://docs.microsoft.com/visualstudio/code-quality/ca3008) | Review code for XPath injection vulnerabilities | Security | False | Warning | False | Potential XPath injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | +157 | [CA3009](https://docs.microsoft.com/visualstudio/code-quality/ca3009) | Review code for XML injection vulnerabilities | Security | False | Warning | False | Potential XML injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | +158 | [CA3010](https://docs.microsoft.com/visualstudio/code-quality/ca3010) | Review code for XAML injection vulnerabilities | Security | False | Warning | False | Potential XAML injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | +159 | [CA3011](https://docs.microsoft.com/visualstudio/code-quality/ca3011) | Review code for DLL injection vulnerabilities | Security | False | Warning | False | Potential DLL injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | +160 | [CA3012](https://docs.microsoft.com/visualstudio/code-quality/ca3012) | Review code for regex injection vulnerabilities | Security | False | Warning | False | Potential regex injection vulnerability was found where '{0}' in method '{1}' may be tainted by user-controlled data from '{2}' in method '{3}'. | +161 | [CA3061](https://docs.microsoft.com/visualstudio/code-quality/ca3061) | Do Not Add Schema By URL | Security | True | Warning | False | This overload of XmlSchemaCollection.Add method internally enables DTD processing on the XML reader instance used, and uses UrlResolver for resolving external XML entities. The outcome is information disclosure. Content from file system or network shares for the machine processing the XML can be exposed to attacker. In addition, an attacker can use this as a DoS vector. | +162 | [CA3075](https://docs.microsoft.com/visualstudio/code-quality/ca3075) | Insecure DTD processing in XML | Security | True | Warning | False | Using XmlTextReader.Load(), creating an insecure XmlReaderSettings instance when invoking XmlReader.Create(), setting the InnerXml property of the XmlDocument and enabling DTD processing using XmlUrlResolver insecurely can lead to information disclosure. Replace it with a call to the Load() method overload that takes an XmlReader instance, use XmlReader.Create() to accept XmlReaderSettings arguments or consider explicitly setting secure values. The DataViewSettingCollectionString property of DataViewManager should always be assigned from a trusted source, the DtdProcessing property should be set to false, and the XmlResolver property should be changed to XmlSecureResolver or null.  | +163 | [CA3076](https://docs.microsoft.com/visualstudio/code-quality/ca3076) | Insecure XSLT script processing. | Security | True | Warning | False | Providing an insecure XsltSettings instance and an insecure XmlResolver instance to XslCompiledTransform.Load method is potentially unsafe as it allows processing script within XSL, which on an untrusted XSL input may lead to malicious code execution. Either replace the insecure XsltSettings argument with XsltSettings.Default or an instance that has disabled document function and script execution, or replace the XmlResolver argurment with null or an XmlSecureResolver instance. This message may be suppressed if the input is known to be from a trusted source and external resource resolution from locations that are not known in advance must be supported. | +164 | [CA3077](https://docs.microsoft.com/visualstudio/code-quality/ca3077) | Insecure Processing in API Design, XmlDocument and XmlTextReader | Security | True | Warning | False | Enabling DTD processing on all instances derived from XmlTextReader or  XmlDocument and using XmlUrlResolver for resolving external XML entities may lead to information disclosure. Ensure to set the XmlResolver property to null, create an instance of XmlSecureResolver when processing untrusted input, or use XmlReader.Create method with a secure XmlReaderSettings argument. Unless you need to enable it, ensure the DtdProcessing property is set to false.  | +165 | [CA3147](https://docs.microsoft.com/visualstudio/code-quality/ca3147) | Mark Verb Handlers With Validate Antiforgery Token | Security | True | Warning | False | Missing ValidateAntiForgeryTokenAttribute on controller action {0}. | +166 | [CA5350](https://docs.microsoft.com/visualstudio/code-quality/ca5350) | Do Not Use Weak Cryptographic Algorithms | Security | True | Warning | False | Cryptographic algorithms degrade over time as attacks become for advances to attacker get access to more computation. Depending on the type and application of this cryptographic algorithm, further degradation of the cryptographic strength of it may allow attackers to read enciphered messages, tamper with enciphered  messages, forge digital signatures, tamper with hashed content, or otherwise compromise any cryptosystem based on this algorithm. Replace encryption uses with the AES algorithm (AES-256, AES-192 and AES-128 are acceptable) with a key length greater than or equal to 128 bits. Replace hashing uses with a hashing function in the SHA-2 family, such as SHA-2 512, SHA-2 384, or SHA-2 256. | +167 | [CA5351](https://docs.microsoft.com/visualstudio/code-quality/ca5351) | Do Not Use Broken Cryptographic Algorithms | Security | True | Warning | False | An attack making it computationally feasible to break this algorithm exists. This allows attackers to break the cryptographic guarantees it is designed to provide. Depending on the type and application of this cryptographic algorithm, this may allow attackers to read enciphered messages, tamper with enciphered  messages, forge digital signatures, tamper with hashed content, or otherwise compromise any cryptosystem based on this algorithm. Replace encryption uses with the AES algorithm (AES-256, AES-192 and AES-128 are acceptable) with a key length greater than or equal to 128 bits. Replace hashing uses with a hashing function in the SHA-2 family, such as SHA512, SHA384, or SHA256. Replace digital signature uses with RSA with a key length greater than or equal to 2048-bits, or ECDSA with a key length greater than or equal to 256 bits. | +168 | [CA5358](https://docs.microsoft.com/visualstudio/code-quality/ca5358) | Review cipher mode usage with cryptography experts | Security | False | Warning | False | These cipher modes might be vulnerable to attacks. Consider using recommended modes (CBC, CTS). | +169 | [CA5359](https://docs.microsoft.com/visualstudio/code-quality/ca5359) | Do Not Disable Certificate Validation | Security | True | Warning | False | A certificate can help authenticate the identity of the server. Clients should validate the server certificate to ensure requests are sent to the intended server. If the ServerCertificateValidationCallback always returns 'true', any certificate will pass validation. | +170 | [CA5360](https://docs.microsoft.com/visualstudio/code-quality/ca5360) | Do Not Call Dangerous Methods In Deserialization | Security | True | Warning | False | Insecure Deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application, inflict a Denial-of-Service (DoS) attack, or even execute arbitrary code upon it being deserialized. It’s frequently possible for malicious users to abuse these deserialization features when the application is deserializing untrusted data which is under their control. Specifically, invoke dangerous methods in the process of deserialization. Successful insecure deserialization attacks could allow an attacker to carry out attacks such as DoS attacks, authentication bypasses, and remote code execution. | +171 | [CA5361](https://docs.microsoft.com/visualstudio/code-quality/ca5361) | Do Not Disable SChannel Use of Strong Crypto | Security | False | Warning | False | Starting with the .NET Framework 4.6, the System.Net.ServicePointManager and System.Net.Security.SslStream classes are recommeded to use new protocols. The old ones have protocol weaknesses and are not supported. Setting Switch.System.Net.DontEnableSchUseStrongCrypto with true will use the old weak crypto check and opt out of the protocol migration. | +172 | [CA5362](https://docs.microsoft.com/visualstudio/code-quality/ca5362) | Potential reference cycle in deserialized object graph | Security | False | Warning | False | Review code that processes untrusted deserialized data for handling of unexpected reference cycles. An unexpected reference cycle should not cause the code to enter an infinite loop. Otherwise, an unexpected reference cycle can allow an attacker to DOS or exhaust the memory of the process when deserializing untrusted data. | +173 | [CA5363](https://docs.microsoft.com/visualstudio/code-quality/ca5363) | Do Not Disable Request Validation | Security | True | Warning | False | Request validation is a feature in ASP.NET that examines HTTP requests and determines whether they contain potentially dangerous content. This check adds protection from markup or code in the URL query string, cookies, or posted form values that might have been added for malicious purposes. So, it is generally desirable and should be left enabled for defense in depth. | +174 | [CA5364](https://docs.microsoft.com/visualstudio/code-quality/ca5364) | Do Not Use Deprecated Security Protocols | Security | True | Warning | False | Using a deprecated security protocol rather than the system default is risky. | +175 | [CA5365](https://docs.microsoft.com/visualstudio/code-quality/ca5365) | Do Not Disable HTTP Header Checking | Security | True | Warning | False | HTTP header checking enables encoding of the carriage return and newline characters, \r and \n, that are found in response headers. This encoding can help to avoid injection attacks that exploit an application that echoes untrusted data contained by the header. | +176 | [CA5366](https://docs.microsoft.com/visualstudio/code-quality/ca5366) | Use XmlReader for 'DataSet.ReadXml()' | Security | True | Warning | False | Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled. | +177 | [CA5367](https://docs.microsoft.com/visualstudio/code-quality/ca5367) | Do Not Serialize Types With Pointer Fields | Security | False | Warning | False | Pointers are not "type safe" in the sense that you cannot guarantee the correctness of the memory they point at. So, serializing types with pointer fields is dangerous, as it may allow an attacker to control the pointer. | +178 | [CA5368](https://docs.microsoft.com/visualstudio/code-quality/ca5368) | Set ViewStateUserKey For Classes Derived From Page | Security | True | Warning | False | Setting the ViewStateUserKey property can help you prevent attacks on your application by allowing you to assign an identifier to the view-state variable for individual users so that they cannot use the variable to generate an attack. Otherwise, there will be cross-site request forgery vulnerabilities. | +179 | [CA5369](https://docs.microsoft.com/visualstudio/code-quality/ca5369) | Use XmlReader for 'XmlSerializer.Deserialize()' | Security | True | Warning | False | Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled. | +180 | [CA5370](https://docs.microsoft.com/visualstudio/code-quality/ca5370) | Use XmlReader for XmlValidatingReader constructor | Security | True | Warning | False | Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled. | +181 | [CA5371](https://docs.microsoft.com/visualstudio/code-quality/ca5371) | Use XmlReader for 'XmlSchema.Read()' | Security | True | Warning | False | Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled. | +182 | [CA5372](https://docs.microsoft.com/visualstudio/code-quality/ca5372) | Use XmlReader for XPathDocument constructor | Security | True | Warning | False | Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled. | +183 | [CA5373](https://docs.microsoft.com/visualstudio/code-quality/ca5373) | Do not use obsolete key derivation function | Security | True | Warning | False | Password-based key derivation should use PBKDF2 with SHA-2. Avoid using PasswordDeriveBytes since it generates a PBKDF1 key. Avoid using Rfc2898DeriveBytes.CryptDeriveKey since it doesn't use the iteration count or salt. | +184 | [CA5374](https://docs.microsoft.com/visualstudio/code-quality/ca5374) | Do Not Use XslTransform | Security | True | Warning | False | Do not use XslTransform. It does not restrict potentially dangerous external references. | +185 | [CA5375](https://docs.microsoft.com/visualstudio/code-quality/ca5375) | Do Not Use Account Shared Access Signature | Security | False | Warning | False | Shared Access Signatures(SAS) are a vital part of the security model for any application using Azure Storage, they should provide limited and safe permissions to your storage account to clients that don't have the account key. All of the operations available via a service SAS are also available via an account SAS, that is, account SAS is too powerful. So it is recommended to use Service SAS to delegate access more carefully. | +186 | [CA5376](https://docs.microsoft.com/visualstudio/code-quality/ca5376) | Use SharedAccessProtocol HttpsOnly | Security | False | Warning | False | HTTPS encrypts network traffic. Use HttpsOnly, rather than HttpOrHttps, to ensure network traffic is always encrypted to help prevent disclosure of sensitive data. | +187 | [CA5377](https://docs.microsoft.com/visualstudio/code-quality/ca5377) | Use Container Level Access Policy | Security | False | Warning | False | No access policy identifier is specified, making tokens non-revocable. | +188 | [CA5378](https://docs.microsoft.com/visualstudio/code-quality/ca5378) | Do not disable ServicePointManagerSecurityProtocols | Security | False | Warning | False | Do not set Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols to true. Setting this switch limits Windows Communication Framework (WCF) to using Transport Layer Security (TLS) 1.0, which is insecure and obsolete. | +189 | [CA5379](https://docs.microsoft.com/visualstudio/code-quality/ca5379) | Ensure Key Derivation Function algorithm is sufficiently strong | Security | True | Warning | False | Some implementations of the Rfc2898DeriveBytes class allow for a hash algorithm to be specified in a constructor parameter or overwritten in the HashAlgorithm property. If a hash algorithm is specified, then it should be SHA-256 or higher. | +190 | [CA5380](https://docs.microsoft.com/visualstudio/code-quality/ca5380) | Do Not Add Certificates To Root Store | Security | False | Warning | False | By default, the Trusted Root Certification Authorities certificate store is configured with a set of public CAs that has met the requirements of the Microsoft Root Certificate Program. Since all trusted root CAs can issue certificates for any domain, an attacker can pick a weak or coercible CA that you install by yourself to target for an attack – and a single vulnerable, malicious or coercible CA undermines the security of the entire system. To make matters worse, these attacks can go unnoticed quite easily. | +191 | [CA5381](https://docs.microsoft.com/visualstudio/code-quality/ca5381) | Ensure Certificates Are Not Added To Root Store | Security | False | Warning | False | By default, the Trusted Root Certification Authorities certificate store is configured with a set of public CAs that has met the requirements of the Microsoft Root Certificate Program. Since all trusted root CAs can issue certificates for any domain, an attacker can pick a weak or coercible CA that you install by yourself to target for an attack – and a single vulnerable, malicious or coercible CA undermines the security of the entire system. To make matters worse, these attacks can go unnoticed quite easily. | +192 | [CA5382](https://docs.microsoft.com/visualstudio/code-quality/ca5382) | Use Secure Cookies In ASP.Net Core | Security | False | Warning | False | Applications available over HTTPS must use secure cookies. | +193 | [CA5383](https://docs.microsoft.com/visualstudio/code-quality/ca5383) | Ensure Use Secure Cookies In ASP.Net Core | Security | False | Warning | False | Applications available over HTTPS must use secure cookies. | +194 | [CA5384](https://docs.microsoft.com/visualstudio/code-quality/ca5384) | Do Not Use Digital Signature Algorithm (DSA) | Security | True | Warning | False | DSA is too weak to use. | +195 | [CA5385](https://docs.microsoft.com/visualstudio/code-quality/ca5385) | Use Rivest–Shamir–Adleman (RSA) Algorithm With Sufficient Key Size | Security | True | Warning | False | Encryption algorithms are vulnerable to brute force attacks when too small a key size is used. | +196 | [CA5386](https://docs.microsoft.com/visualstudio/code-quality/ca5386) | Avoid hardcoding SecurityProtocolType value | Security | False | Warning | False | Avoid hardcoding SecurityProtocolType {0}, and instead use SecurityProtocolType.SystemDefault to allow the operating system to choose the best Transport Layer Security protocol to use. | +197 | [CA5387](https://docs.microsoft.com/visualstudio/code-quality/ca5387) | Do Not Use Weak Key Derivation Function With Insufficient Iteration Count | Security | False | Warning | False | When deriving cryptographic keys from user-provided inputs such as password, use sufficient iteration count (at least 100k). | +198 | [CA5388](https://docs.microsoft.com/visualstudio/code-quality/ca5388) | Ensure Sufficient Iteration Count When Using Weak Key Derivation Function | Security | False | Warning | False | When deriving cryptographic keys from user-provided inputs such as password, use sufficient iteration count (at least 100k). | +199 | [CA5389](https://docs.microsoft.com/visualstudio/code-quality/ca5389) | Do Not Add Archive Item's Path To The Target File System Path | Security | False | Warning | False | When extracting files from an archive and using the archive item's path, check if the path is safe. Archive path can be relative and can lead to file system access outside of the expected file system target path, leading to malicious config changes and remote code execution via lay-and-wait technique. | +200 | [CA5390](https://docs.microsoft.com/visualstudio/code-quality/ca5390) | Do not hard-code encryption key | Security | False | Warning | False | SymmetricAlgorithm's .Key property, or a method's rgbKey parameter, should never be a hard-coded value. | +201 | [CA5391](https://docs.microsoft.com/visualstudio/code-quality/ca5391) | Use antiforgery tokens in ASP.NET Core MVC controllers | Security | False | Warning | False | Handling a POST, PUT, PATCH, or DELETE request without validating an antiforgery token may be vulnerable to cross-site request forgery attacks. A cross-site request forgery attack can send malicious requests from an authenticated user to your ASP.NET Core MVC controller. | +202 | [CA5392](https://docs.microsoft.com/visualstudio/code-quality/ca5392) | Use DefaultDllImportSearchPaths attribute for P/Invokes | Security | False | Warning | False | By default, P/Invokes using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking. | +203 | [CA5393](https://docs.microsoft.com/visualstudio/code-quality/ca5393) | Do not use unsafe DllImportSearchPath value | Security | False | Warning | False | There could be a malicious DLL in the default DLL search directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory. Use a DllImportSearchPath value that specifies an explicit search path instead. The DllImportSearchPath flags that this rule looks for can be configured in .editorconfig. | +204 | [CA5394](https://docs.microsoft.com/visualstudio/code-quality/ca5394) | Do not use insecure randomness | Security | False | Warning | False | Using a cryptographically weak pseudo-random number generator may allow an attacker to predict what security-sensitive value will be generated. Use a cryptographically strong random number generator if an unpredictable value is required, or ensure that weak pseudo-random numbers aren't used in a security-sensitive manner. | +205 | [CA5395](https://docs.microsoft.com/visualstudio/code-quality/ca5395) | Miss HttpVerb attribute for action methods | Security | False | Warning | False | All the methods that create, edit, delete, or otherwise modify data do so in the [HttpPost] overload of the method, which needs to be protected with the anti forgery attribute from request forgery. Performing a GET operation should be a safe operation that has no side effects and doesn't modify your persisted data. | +206 | [CA5396](https://docs.microsoft.com/visualstudio/code-quality/ca5396) | Set HttpOnly to true for HttpCookie | Security | False | Warning | False | As a defense in depth measure, ensure security sensitive HTTP cookies are marked as HttpOnly. This indicates web browsers should disallow scripts from accessing the cookies. Injected malicious scripts are a common way of stealing cookies. | +207 | [CA5397](https://docs.microsoft.com/visualstudio/code-quality/ca5397) | Do not use deprecated SslProtocols values | Security | True | Warning | False | Older protocol versions of Transport Layer Security (TLS) are less secure than TLS 1.2 and TLS 1.3, and are more likely to have new vulnerabilities. Avoid older protocol versions to minimize risk. | +208 | [CA5398](https://docs.microsoft.com/visualstudio/code-quality/ca5398) | Avoid hardcoded SslProtocols values | Security | False | Warning | False | Current Transport Layer Security protocol versions may become deprecated if vulnerabilities are found. Avoid hardcoding SslProtocols values to keep your application secure. Use 'None' to let the Operating System choose a version. | +209 | [CA5399](https://docs.microsoft.com/visualstudio/code-quality/ca5399) | HttpClients should enable certificate revocation list checks | Security | False | Warning | False | Using HttpClient without providing a platform specific handler (WinHttpHandler or CurlHandler or HttpClientHandler) where the CheckCertificateRevocationList property is set to true, will allow revoked certificates to be accepted by the HttpClient as valid. | +210 | [CA5400](https://docs.microsoft.com/visualstudio/code-quality/ca5400) | Ensure HttpClient certificate revocation list check is not disabled | Security | False | Warning | False | Using HttpClient without providing a platform specific handler (WinHttpHandler or CurlHandler or HttpClientHandler) where the CheckCertificateRevocationList property is set to true, will allow revoked certificates to be accepted by the HttpClient as valid. | +211 | [CA5401](https://docs.microsoft.com/visualstudio/code-quality/ca5401) | Do not use CreateEncryptor with non-default IV | Security | False | Warning | False | Symmetric encryption should always use a non-repeatable initialization vector to prevent dictionary attacks. | +212 | [CA5402](https://docs.microsoft.com/visualstudio/code-quality/ca5402) | Use CreateEncryptor with the default IV | Security | False | Warning | False | Symmetric encryption should always use a non-repeatable initialization vector to prevent dictionary attacks. | +213 | [CA5403](https://docs.microsoft.com/visualstudio/code-quality/ca5403) | Do not hard-code certificate | Security | False | Warning | False | Hard-coded certificates in source code are vulnerable to being exploited. | diff --git a/src/NetAnalyzers/Microsoft.CodeAnalysis.NetAnalyzers.sarif b/src/NetAnalyzers/Microsoft.CodeAnalysis.NetAnalyzers.sarif index 2c2aaa9308..68a31cd63b 100644 --- a/src/NetAnalyzers/Microsoft.CodeAnalysis.NetAnalyzers.sarif +++ b/src/NetAnalyzers/Microsoft.CodeAnalysis.NetAnalyzers.sarif @@ -5,7 +5,7 @@ { "tool": { "name": "Humanizer", - "version": "2.9.10", + "version": "2.9.12", "language": "en-US" }, "rules": { @@ -14,7 +14,7 @@ { "tool": { "name": "Microsoft.CodeAnalysis.CSharp.NetAnalyzers", - "version": "2.9.10", + "version": "2.9.12", "language": "en-US" }, "rules": { @@ -221,7 +221,8 @@ ], "tags": [ "PortedFromFxCop", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -377,7 +378,7 @@ { "tool": { "name": "Microsoft.CodeAnalysis.NetAnalyzers", - "version": "2.9.10", + "version": "2.9.12", "language": "en-US" }, "rules": { @@ -478,7 +479,8 @@ ], "tags": [ "PortedFromFxCop", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -518,7 +520,8 @@ ], "tags": [ "PortedFromFxCop", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -1316,7 +1319,8 @@ "Visual Basic" ], "tags": [ - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -1556,7 +1560,8 @@ ], "tags": [ "PortedFromFxCop", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -1596,7 +1601,8 @@ ], "tags": [ "PortedFromFxCop", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -1656,7 +1662,8 @@ ], "tags": [ "PortedFromFxCop", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -1795,7 +1802,8 @@ ], "tags": [ "PortedFromFxCop", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -1815,7 +1823,8 @@ ], "tags": [ "PortedFromFxCop", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -2131,7 +2140,8 @@ "tags": [ "PortedFromFxCop", "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -2505,7 +2515,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -2525,7 +2536,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -2583,7 +2595,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -2603,7 +2616,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -2642,7 +2656,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -2662,7 +2677,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -2701,7 +2717,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -2721,7 +2738,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -2741,7 +2759,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -2761,14 +2780,15 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, "CA2350": { "id": "CA2350", - "shortDescription": "Do not use insecure deserialization with DataTable.ReadXml()", - "fullDescription": "The method '{0}' is insecure when deserializing untrusted data. If deserializing untrusted data, replace with TBD.", + "shortDescription": "Do not use DataTable.ReadXml() with untrusted data", + "fullDescription": "The method '{0}' is insecure when deserializing untrusted data", "defaultLevel": "warning", "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca2350", "properties": { @@ -2786,8 +2806,8 @@ }, "CA2351": { "id": "CA2351", - "shortDescription": "Do not use insecure deserialization with DataSet.ReadXml()", - "fullDescription": "The method '{0}' is insecure when deserializing untrusted data. If deserializing untrusted data, replace with TBD.", + "shortDescription": "Do not use DataSet.ReadXml() with untrusted data", + "fullDescription": "The method '{0}' is insecure when deserializing untrusted data", "defaultLevel": "warning", "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca2351", "properties": { @@ -2805,54 +2825,52 @@ }, "CA2352": { "id": "CA2352", - "shortDescription": "Do not use DataSet.ReadXml() without ReadXmlSchema() on untrusted data", - "fullDescription": "When deserializing untrusted input, DataSet.ReadXml() without first calling DataSet.ReadXmlSchema() is insecure.", + "shortDescription": "Unsafe DataSet or DataTable in serializable type can be vulnerable to remote code execution attacks", + "fullDescription": "When deserializing untrusted input with an IFormatter-based serializer, deserializing a {0} object is insecure. '{1}' either is or derives from {0}.", "defaultLevel": "warning", "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca2352", "properties": { "category": "Security", "isEnabledByDefault": false, - "typeName": "DoNotUseDataSetReadXmlWithoutReadXmlSchema", + "typeName": "DataSetDataTableInSerializableTypeAnalyzer", "languages": [ "C#", "Visual Basic" ], "tags": [ - "Dataflow", "Telemetry" ] } }, "CA2353": { "id": "CA2353", - "shortDescription": "Ensure DataSet.ReadXmlSchema() is called before ReadXml() on untrusted data", - "fullDescription": "When deserializing untrusted input, DataSet.ReadXml() without first calling DataSet.ReadXmlSchema() is insecure.", + "shortDescription": "Unsafe DataSet or DataTable in serializable type", + "fullDescription": "When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}", "defaultLevel": "warning", "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca2353", "properties": { "category": "Security", "isEnabledByDefault": false, - "typeName": "DoNotUseDataSetReadXmlWithoutReadXmlSchema", + "typeName": "DataSetDataTableInSerializableTypeAnalyzer", "languages": [ "C#", "Visual Basic" ], "tags": [ - "Dataflow", "Telemetry" ] } }, "CA2354": { "id": "CA2354", - "shortDescription": "Unsafe DataSet/DataTable object declared in serializable type", - "fullDescription": "When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}.", + "shortDescription": "Unsafe DataSet or DataTable in deserialized object graph can be vulnerable to remote code execution attacks", + "fullDescription": "When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}", "defaultLevel": "warning", "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca2354", "properties": { "category": "Security", "isEnabledByDefault": false, - "typeName": "DataSetDataTableInSerializableTypeAnalyzer", + "typeName": "DataSetDataTableInIFormatterSerializableObjectGraphAnalyzer", "languages": [ "C#", "Visual Basic" @@ -2864,8 +2882,8 @@ }, "CA2355": { "id": "CA2355", - "shortDescription": "Unsafe DataSet/DataTable type in deserializable object graph", - "fullDescription": "When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}.", + "shortDescription": "Unsafe DataSet or DataTable type found in deserializable object graph", + "fullDescription": "When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}", "defaultLevel": "warning", "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca2355", "properties": { @@ -2881,6 +2899,63 @@ ] } }, + "CA2356": { + "id": "CA2356", + "shortDescription": "Unsafe DataSet or DataTable type in web deserializable object graph", + "fullDescription": "When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}", + "defaultLevel": "warning", + "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca2356", + "properties": { + "category": "Security", + "isEnabledByDefault": false, + "typeName": "DataSetDataTableInWebSerializableObjectGraphAnalyzer", + "languages": [ + "C#", + "Visual Basic" + ], + "tags": [ + "Telemetry" + ] + } + }, + "CA2361": { + "id": "CA2361", + "shortDescription": "Ensure autogenerated class containing DataSet.ReadXml() is not used with untrusted data", + "fullDescription": "The method '{0}' is insecure when deserializing untrusted data. Make sure that autogenerated class containing the '{0}' call is not deserialized with untrusted data.", + "defaultLevel": "warning", + "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca2361", + "properties": { + "category": "Security", + "isEnabledByDefault": false, + "typeName": "DoNotUseDataSetReadXml", + "languages": [ + "C#", + "Visual Basic" + ], + "tags": [ + "Telemetry" + ] + } + }, + "CA2362": { + "id": "CA2362", + "shortDescription": "Unsafe DataSet or DataTable in autogenerated serializable type can be vulnerable to remote code execution attacks", + "fullDescription": "When deserializing untrusted input with an IFormatter-based serializer, deserializing a {0} object is insecure. '{1}' either is or derives from {0}. Ensure that the autogenerated type is never deserialized with untrusted data.", + "defaultLevel": "warning", + "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca2362", + "properties": { + "category": "Security", + "isEnabledByDefault": false, + "typeName": "DataSetDataTableInSerializableTypeAnalyzer", + "languages": [ + "C#", + "Visual Basic" + ], + "tags": [ + "Telemetry" + ] + } + }, "CA3001": { "id": "CA3001", "shortDescription": "Review code for SQL injection vulnerabilities", @@ -3269,7 +3344,8 @@ "Visual Basic" ], "tags": [ - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -3295,20 +3371,21 @@ }, "CA5362": { "id": "CA5362", - "shortDescription": "Do Not Refer Self In Serializable Class", - "fullDescription": "This can allow an attacker to DOS or exhaust the memory of the process.", + "shortDescription": "Potential reference cycle in deserialized object graph", + "fullDescription": "Review code that processes untrusted deserialized data for handling of unexpected reference cycles. An unexpected reference cycle should not cause the code to enter an infinite loop. Otherwise, an unexpected reference cycle can allow an attacker to DOS or exhaust the memory of the process when deserializing untrusted data.", "defaultLevel": "warning", "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca5362", "properties": { "category": "Security", "isEnabledByDefault": false, - "typeName": "DoNotReferSelfInSerializableClass", + "typeName": "PotentialReferenceCycleInDeserializedObjectGraph", "languages": [ "C#", "Visual Basic" ], "tags": [ - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -3371,7 +3448,7 @@ }, "CA5366": { "id": "CA5366", - "shortDescription": "Use XmlReader For DataSet Read Xml", + "shortDescription": "Use XmlReader for 'DataSet.ReadXml()'", "fullDescription": "Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled.", "defaultLevel": "warning", "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca5366", @@ -3403,7 +3480,8 @@ "Visual Basic" ], "tags": [ - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -3428,7 +3506,7 @@ }, "CA5369": { "id": "CA5369", - "shortDescription": "Use XmlReader For Deserialize", + "shortDescription": "Use XmlReader for 'XmlSerializer.Deserialize()'", "fullDescription": "Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled.", "defaultLevel": "warning", "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca5369", @@ -3447,7 +3525,7 @@ }, "CA5370": { "id": "CA5370", - "shortDescription": "Use XmlReader For Validating Reader", + "shortDescription": "Use XmlReader for XmlValidatingReader constructor", "fullDescription": "Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled.", "defaultLevel": "warning", "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca5370", @@ -3466,7 +3544,7 @@ }, "CA5371": { "id": "CA5371", - "shortDescription": "Use XmlReader For Schema Read", + "shortDescription": "Use XmlReader for 'XmlSchema.Read()'", "fullDescription": "Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled.", "defaultLevel": "warning", "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca5371", @@ -3485,7 +3563,7 @@ }, "CA5372": { "id": "CA5372", - "shortDescription": "Use XmlReader For XPathDocument", + "shortDescription": "Use XmlReader for XPathDocument constructor", "fullDescription": "Processing XML from untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled.", "defaultLevel": "warning", "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca5372", @@ -3621,7 +3699,7 @@ }, "CA5379": { "id": "CA5379", - "shortDescription": "Do Not Use Weak Key Derivation Function Algorithm", + "shortDescription": "Ensure Key Derivation Function algorithm is sufficiently strong", "fullDescription": "Some implementations of the Rfc2898DeriveBytes class allow for a hash algorithm to be specified in a constructor parameter or overwritten in the HashAlgorithm property. If a hash algorithm is specified, then it should be SHA-256 or higher.", "defaultLevel": "warning", "helpUri": "https://docs.microsoft.com/visualstudio/code-quality/ca5379", @@ -3654,7 +3732,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -3674,7 +3753,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -3694,7 +3774,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -3714,7 +3795,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -3791,7 +3873,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -3811,7 +3894,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -3870,7 +3954,8 @@ "Visual Basic" ], "tags": [ - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -3946,7 +4031,8 @@ "Visual Basic" ], "tags": [ - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -3966,7 +4052,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -4024,7 +4111,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -4044,7 +4132,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -4064,7 +4153,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -4084,7 +4174,8 @@ ], "tags": [ "Dataflow", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, @@ -4113,7 +4204,7 @@ { "tool": { "name": "Microsoft.CodeAnalysis.VisualBasic.NetAnalyzers", - "version": "2.9.10", + "version": "2.9.12", "language": "en-US" }, "rules": { @@ -4320,7 +4411,8 @@ ], "tags": [ "PortedFromFxCop", - "Telemetry" + "Telemetry", + "CompilationEnd" ] } }, diff --git a/src/PerformanceSensitiveAnalyzers/Microsoft.CodeAnalysis.PerformanceSensitiveAnalyzers.sarif b/src/PerformanceSensitiveAnalyzers/Microsoft.CodeAnalysis.PerformanceSensitiveAnalyzers.sarif index f5c6dd9653..36c73bb970 100644 --- a/src/PerformanceSensitiveAnalyzers/Microsoft.CodeAnalysis.PerformanceSensitiveAnalyzers.sarif +++ b/src/PerformanceSensitiveAnalyzers/Microsoft.CodeAnalysis.PerformanceSensitiveAnalyzers.sarif @@ -5,7 +5,7 @@ { "tool": { "name": "Microsoft.CodeAnalysis.CSharp.PerformanceSensitiveAnalyzers", - "version": "2.9.10", + "version": "2.9.12", "language": "en-US" }, "rules": { @@ -184,7 +184,7 @@ { "tool": { "name": "Microsoft.CodeAnalysis.PerformanceSensitiveAnalyzers", - "version": "2.9.10", + "version": "2.9.12", "language": "en-US" }, "rules": { diff --git a/src/PublicApiAnalyzers/Microsoft.CodeAnalysis.PublicApiAnalyzers.sarif b/src/PublicApiAnalyzers/Microsoft.CodeAnalysis.PublicApiAnalyzers.sarif index 3e16a7bad0..2504127175 100644 --- a/src/PublicApiAnalyzers/Microsoft.CodeAnalysis.PublicApiAnalyzers.sarif +++ b/src/PublicApiAnalyzers/Microsoft.CodeAnalysis.PublicApiAnalyzers.sarif @@ -5,7 +5,7 @@ { "tool": { "name": "Microsoft.CodeAnalysis.PublicApiAnalyzers", - "version": "2.9.10", + "version": "2.9.12", "language": "en-US" }, "rules": { @@ -43,6 +43,7 @@ "Visual Basic" ], "tags": [ + "CompilationEnd", "Telemetry" ] } @@ -81,6 +82,7 @@ "Visual Basic" ], "tags": [ + "CompilationEnd", "Telemetry" ] } @@ -100,6 +102,7 @@ "Visual Basic" ], "tags": [ + "CompilationEnd", "Telemetry" ] } @@ -147,7 +150,7 @@ { "tool": { "name": "Microsoft.CodeAnalysis.PublicApiAnalyzers.CodeFixes", - "version": "2.9.10", + "version": "2.9.12", "language": "en-US" }, "rules": { diff --git a/src/Roslyn.Diagnostics.Analyzers/Roslyn.Diagnostics.Analyzers.sarif b/src/Roslyn.Diagnostics.Analyzers/Roslyn.Diagnostics.Analyzers.sarif index 7825bf9bc3..ed12edd2ad 100644 --- a/src/Roslyn.Diagnostics.Analyzers/Roslyn.Diagnostics.Analyzers.sarif +++ b/src/Roslyn.Diagnostics.Analyzers/Roslyn.Diagnostics.Analyzers.sarif @@ -5,7 +5,7 @@ { "tool": { "name": "Microsoft.CodeAnalysis.BannedApiAnalyzers", - "version": "2.9.10", + "version": "2.9.12", "language": "en-US" }, "rules": { @@ -14,7 +14,7 @@ { "tool": { "name": "Microsoft.CodeAnalysis.CSharp.BannedApiAnalyzers", - "version": "2.9.10", + "version": "2.9.12", "language": "en-US" }, "rules": { @@ -50,6 +50,7 @@ "C#" ], "tags": [ + "CompilationEnd", "Telemetry" ] } @@ -76,7 +77,7 @@ { "tool": { "name": "Microsoft.CodeAnalysis.PublicApiAnalyzers", - "version": "2.9.10", + "version": "2.9.12", "language": "en-US" }, "rules": { @@ -114,6 +115,7 @@ "Visual Basic" ], "tags": [ + "CompilationEnd", "Telemetry" ] } @@ -152,6 +154,7 @@ "Visual Basic" ], "tags": [ + "CompilationEnd", "Telemetry" ] } @@ -171,6 +174,7 @@ "Visual Basic" ], "tags": [ + "CompilationEnd", "Telemetry" ] } @@ -218,7 +222,7 @@ { "tool": { "name": "Microsoft.CodeAnalysis.VisualBasic.BannedApiAnalyzers", - "version": "2.9.10", + "version": "2.9.12", "language": "en-US" }, "rules": { @@ -254,6 +258,7 @@ "Visual Basic" ], "tags": [ + "CompilationEnd", "Telemetry" ] } @@ -280,7 +285,7 @@ { "tool": { "name": "Roslyn.Diagnostics.Analyzers", - "version": "2.9.10", + "version": "2.9.12", "language": "en-US" }, "rules": { @@ -379,7 +384,7 @@ { "tool": { "name": "Roslyn.Diagnostics.CSharp.Analyzers", - "version": "2.9.10", + "version": "2.9.12", "language": "en-US" }, "rules": { @@ -464,6 +469,7 @@ "C#" ], "tags": [ + "CompilationEnd", "Telemetry" ] } @@ -473,7 +479,7 @@ { "tool": { "name": "Roslyn.Diagnostics.VisualBasic.Analyzers", - "version": "2.9.10", + "version": "2.9.12", "language": "en-US" }, "rules": { @@ -575,6 +581,7 @@ "Visual Basic" ], "tags": [ + "CompilationEnd", "Telemetry" ] } From a4193e782e5b3668a009e1ab41bb2241a381265f Mon Sep 17 00:00:00 2001 From: Manish Vasani Date: Fri, 23 Oct 2020 09:19:16 -0700 Subject: [PATCH 3/3] Fix formatting --- .../Security/UseDefaultDllImportSearchPathsAttribute.cs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/UseDefaultDllImportSearchPathsAttribute.cs b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/UseDefaultDllImportSearchPathsAttribute.cs index 9c56da828b..682b583e50 100644 --- a/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/UseDefaultDllImportSearchPathsAttribute.cs +++ b/src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/UseDefaultDllImportSearchPathsAttribute.cs @@ -23,7 +23,7 @@ public sealed class UseDefaultDllImportSearchPathsAttribute : DiagnosticAnalyzer RuleLevel.Disabled, isPortedFxCopRule: false, isDataflowRule: false, - isReportedAtCompilationEnd: false, + isReportedAtCompilationEnd: false, descriptionResourceStringName: nameof(MicrosoftNetCoreAnalyzersResources.UseDefaultDllImportSearchPathsAttributeDescription)); internal static DiagnosticDescriptor DoNotUseUnsafeDllImportSearchPathRule = SecurityHelpers.CreateDiagnosticDescriptor( "CA5393", @@ -32,7 +32,7 @@ public sealed class UseDefaultDllImportSearchPathsAttribute : DiagnosticAnalyzer RuleLevel.Disabled, isPortedFxCopRule: false, isDataflowRule: false, - isReportedAtCompilationEnd: false, + isReportedAtCompilationEnd: false, descriptionResourceStringName: nameof(MicrosoftNetCoreAnalyzersResources.DoNotUseUnsafeDllImportSearchPathDescription)); // DllImportSearchPath.AssemblyDirectory = 2.