search

dotnet-security-guard / roslyn-security-guard

Roslyn analyzers that aim to help security audit on .NET applications.
https://dotnet-security-guard.github.io
GNU Lesser General Public License v3.0
208 stars 38 forks source link

VS 2017 .net core 1 - Large number of exception from taint analyzer #89

Open oazabir opened 7 years ago

oazabir commented 7 years ago

On VS 2017 - .net core 1 project, large number of warnings are generated showing Taint Analyzer exceptions:

Severity    Code    Description Project File    Line    Suppression State   Detail Description
Warning AD0001  Analyzer 'RoslynSecurityGuard.Analyzers.Taint.TaintAnalyzer' threw an exception of type 'System.Exception' with message 'Unhandle exception while visiting method GetCustomerID : Object reference not set to an instance of an object.'.   epsweb      1   Active  Analyzer 'RoslynSecurityGuard.Analyzers.Taint.TaintAnalyzer' threw the following exception:
'Exception occurred with following context:
Compilation: epsweb
SyntaxTree: ... HomeController.cs
SyntaxNode: private int GetCustomerID(ApplicationUser ... [MethodDeclarationSyntax]@[39137..39662) (715,8)-(728,9)

System.Exception: Unhandle exception while visiting method GetCustomerID : Object reference not set to an instance of an object. ---> System.NullReferenceException: Object reference not set to an instance of an object.
   at RoslynSecurityGuard.Analyzers.Taint.MethodBehaviorRepository.ExtractGenericParameterSignature(ISymbol symbol)
   at RoslynSecurityGuard.Analyzers.Taint.MethodBehaviorRepository.GetMethodBehavior(ISymbol symbol)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitInvocationAndCreation(ExpressionSyntax node, ArgumentListSyntax argList, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitMethodInvocation(InvocationExpressionSyntax node, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitExpression(ExpressionSyntax expression, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitExpressionStatement(ExpressionStatementSyntax node, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitNode(SyntaxNode node, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitNode(SyntaxNode node, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitNode(SyntaxNode node, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitMethodDeclaration(MethodDeclarationSyntax node, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitMethods(SyntaxNodeAnalysisContext ctx)
   --- End of inner exception stack trace ---
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitMethods(SyntaxNodeAnalysisContext ctx)
   at Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.<>c__DisplayClass42_1`1.<ExecuteSyntaxNodeAction>b__1()
   at Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.ExecuteAndCatchIfThrows_NoLock(DiagnosticAnalyzer analyzer, Action analyze, Nullable`1 info)
-----
System.NullReferenceException: Object reference not set to an instance of an object.
   at RoslynSecurityGuard.Analyzers.Taint.MethodBehaviorRepository.ExtractGenericParameterSignature(ISymbol symbol)
   at RoslynSecurityGuard.Analyzers.Taint.MethodBehaviorRepository.GetMethodBehavior(ISymbol symbol)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitInvocationAndCreation(ExpressionSyntax node, ArgumentListSyntax argList, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitMethodInvocation(InvocationExpressionSyntax node, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitExpression(ExpressionSyntax expression, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitExpressionStatement(ExpressionStatementSyntax node, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitNode(SyntaxNode node, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitNode(SyntaxNode node, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitNode(SyntaxNode node, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitMethodDeclaration(MethodDeclarationSyntax node, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitMethods(SyntaxNodeAnalysisContext ctx)
-----
'.
domdeger commented 6 years ago

Also experiencing this problem with a normal ASP.NET MVC Project on VS 2017.


System.Exception: Unhandle exception while visiting method SetItem : Der Objektverweis wurde nicht auf eine Objektinstanz festgelegt. ---> System.NullReferenceException: Der Objektverweis wurde nicht auf eine Objektinstanz festgelegt.
   bei RoslynSecurityGuard.Analyzers.Taint.MethodBehaviorRepository.ExtractGenericParameterSignature(ISymbol symbol)
   bei RoslynSecurityGuard.Analyzers.Taint.MethodBehaviorRepository.GetMethodBehavior(ISymbol symbol)
   bei RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitInvocationAndCreation(ExpressionSyntax node, ArgumentListSyntax argList, ExecutionState state)
   bei RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitMethodInvocation(InvocationExpressionSyntax node, ExecutionState state)
   bei RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitExpression(ExpressionSyntax expression, ExecutionState state)
   bei RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitExpressionStatement(ExpressionStatementSyntax node, ExecutionState state)
   bei RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitNode(SyntaxNode node, ExecutionState state)
   bei RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitNode(SyntaxNode node, ExecutionState state)
   bei RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitNode(SyntaxNode node, ExecutionState state)
   bei RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitMethodDeclaration(MethodDeclarationSyntax node, ExecutionState state)
   bei RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitMethods(SyntaxNodeAnalysisContext ctx)
   --- Ende der internen Ausnahmestapelüberwachung ---
   bei RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitMethods(SyntaxNodeAnalysisContext ctx)
   bei Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.<>c__43`1.<ExecuteSyntaxNodeAction>b__43_0(ValueTuple`2 data)
   bei Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.ExecuteAndCatchIfThrows_NoLock[TArg](DiagnosticAnalyzer analyzer, Action`1 analyze, TArg argument, Nullable`1 info)
-----
System.NullReferenceException: Der Objektverweis wurde nicht auf eine Objektinstanz festgelegt.
   bei RoslynSecurityGuard.Analyzers.Taint.MethodBehaviorRepository.ExtractGenericParameterSignature(ISymbol symbol)
   bei RoslynSecurityGuard.Analyzers.Taint.MethodBehaviorRepository.GetMethodBehavior(ISymbol symbol)
   bei RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitInvocationAndCreation(ExpressionSyntax node, ArgumentListSyntax argList, ExecutionState state)
   bei RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitMethodInvocation(InvocationExpressionSyntax node, ExecutionState state)
   bei RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitExpression(ExpressionSyntax expression, ExecutionState state)
   bei RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitExpressionStatement(ExpressionStatementSyntax node, ExecutionState state)
   bei RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitNode(SyntaxNode node, ExecutionState state)
   bei RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitNode(SyntaxNode node, ExecutionState state)
   bei RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitNode(SyntaxNode node, ExecutionState state)
   bei RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitMethodDeclaration(MethodDeclarationSyntax node, ExecutionState state)
   bei RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitMethods(SyntaxNodeAnalysisContext ctx)
-----
ghost commented 6 years ago

+1 for MVC project in vs 2017

Byxelkr0k commented 6 years ago

+1 for MVC, console app and class library projects in vs 2017. We have hundreds of these.

JarLob commented 6 years ago

The author abandoned the project #92. Try https://security-code-scan.github.io/

obilodeau commented 6 years ago

@JarLob why fork and rebrand the project? Have you proposed to contribute and do releases?

JarLob commented 6 years ago

Because I’m tired of being ignored.

obilodeau commented 6 years ago

Because I’m tired of being ignored.

You've got to be kidding...

not being ignored

I'm guessing you are not familiar with open source projects. Regarding your single rejection: PRs with line-noise (unrelated whitespace or indentation changes) or bundling many unrelated changes together are never going to be merged by most projects because they take away maintainers' time due to a longer review required. Also, it doesn't look as if you are ignored that much. Lastly, have you offered to step in to do releases? I guess not... :disappointed:

Good luck with your fork! You are welcome to come back if you want to become a maintainer!

JarLob commented 6 years ago

I had to rebrand because I need a page for new analysis items. There are more to just ignored pull request. Btw I don’t mind when there is an argumented comment why it doesn’t fit. But there was nothing. No release was done in seven months. My request to make a new release has been ignored. Yet people comment on issues that were alteady fixed. My question about the change set number the last release is based on was ignored. I understand if people are busy, but another PR was approved the same day, while no reply to me in two months. But now I’m free to do whatever I want. Thank you. I had a pleasure of being contributor of the project. You are welcome to contribute to mine fork.