microsoft / infersharp

Infer# is an interprocedural and scalable static code analyzer for C#. Via the capabilities of Facebook's Infer, this tool detects null dereferences, resource leaks, and thread-safety violations. It also performs taint flow tracking to detect critical security vulnerabilities like SQL injections.
MIT License

When I scan the C# project with the docker container, there seems to be an error, integer overflow, and no vulnerabilities scanned #152

Closed chenkehao1998 closed 1 year ago

chenkehao1998 commented 2 years ago
[root@MiWiFi-R3600-srv Miniblog.Core]# docker run -v /home/Jonas/Project/Miniblog.Core:/infersharp/binary_path --rm mcr.microsoft.com/infersharp:v1.3 /bin/bash -c "./run_infersharp.sh binary_path; cp infer-out/report.txt /infersharp/binary_path/report.txt"
Processing {binary_path}
Copying binaries to a staging folder...

Code translation started...
Translation stage 1/3: Loading binaries.
Translation stage 2/3: Computing type environment.
Translation stage 3/3: Computing control-flow graph.

Coverage Statistics:

Method successfully translated: 0 (-2147483648%)
Method partially translated: 0 (-2147483648%)
Instructions translated: 0 (-2147483648%)
Instructions skipped: 0 (-2147483648%)
======================================

Code translation completed. Analyzing...

  No issues found
[root@MiWiFi-R3600-srv Miniblog.Core]# docker run -v /home/Jonas/Project/Miniblog.Core:/infersharp/Examples -it mcr.microsoft.com/infersharp:v1.3
root@9facf129f394:/infersharp# ./run_infersharp.sh Examples
Processing {Examples}
Copying binaries to a staging folder...

Code translation started...
Translation stage 1/3: Loading binaries.
Translation stage 2/3: Computing type environment.
Translation stage 3/3: Computing control-flow graph.

Coverage Statistics:

Method successfully translated: 0 (-2147483648%)
Method partially translated: 0 (-2147483648%)
Instructions translated: 0 (-2147483648%)
Instructions skipped: 0 (-2147483648%)
======================================

Code translation completed. Analyzing...

  No issues found
Jonas-sci commented 2 years ago

I also find this problem

[root@MiWiFi-R3600-srv Project]# docker run -v /home/Jonas/Project/OrchardCore/:/infersharp/Examples -it mcr.microsoft.com/infersharp:v1.3 
root@ffd2c246885c:/infersharp# ./run_infersharp.sh Examples/
Processing {Examples/}
Copying binaries to a staging folder...

Code translation started...
Translation stage 1/3: Loading binaries.
Translation stage 2/3: Computing type environment.
Translation stage 3/3: Computing control-flow graph.

Coverage Statistics:

Method successfully translated: 0 (-2147483648%)
Method partially translated: 0 (-2147483648%)
Instructions translated: 0 (-2147483648%)
Instructions skipped: 0 (-2147483648%)
======================================

Code translation completed. Analyzing...

  No issues found  
chenkehao1998 commented 2 years ago

When I scan the example, this situation does not occur.

Jonas-sci commented 2 years ago

> When I scan the example, this situation does not occur.

When I scan the example, I can get this result:

[root@MiWiFi-R3600-srv Project]# docker run -it mcr.microsoft.com/infersharp:v1.3
root@5972e11cfb91:/infersharp# ./run_infersharp.sh Examples/ 
Processing {Examples/}
Copying binaries to a staging folder...

Code translation started...
Translation stage 1/3: Loading binaries.
Translation stage 2/3: Computing type environment.
Translation stage 3/3: Computing control-flow graph.

Coverage Statistics:

Method successfully translated: 11 (100%)
Method partially translated: 0 (0%)
Instructions translated: 143 (100%)
Instructions skipped: 0 (0%)
======================================

Code translation completed. Analyzing...

/Examples/Examples/Program.cs:53: error: Dotnet Resource Leak
  Leaked resource sw of type System.IO.StreamWriter in method "Void Program.ResourceLeakIntraproceduralBad()".

/Examples/Examples/Program.cs:78: error: Dotnet Resource Leak
  Leaked resource stream of type System.IO.StreamWriter in method "Void Program.ResourceLeakInterproceduralBad()".

/Examples/Examples/Program.cs:124: error: Dotnet Resource Leak
  Leaked resource p.Examples.Program.SWGlobal of type System.IO.StreamWriter, Leaked resource p.Examples.Program.SRGlobal of type System.IO.StreamReader in method "Void MainClass.Main(String[])".

/Examples/Examples/Program.cs:128: error: Null Dereference
  ``String Program.NullDeReferenceBad()`` could be null (from the call to `Program.NullDeReferenceBad()` on line 128) and is dereferenced.

Found 4 issues
                  Issue Type(ISSUED_TYPE_ID): #
  Dotnet Resource Leak(DOTNET_RESOURCE_LEAK): 3
       Null Dereference(NULLPTR_DEREFERENCE): 1

They can scan the vulnerability, and the percentage is correct.

xinshiMSFT commented 2 years ago

@chenkehao1998, @Jonas-sci, thanks for reporting this. I should have made the instructions clearer. I will make an update to the doc.

There are two modes running Docker - direct and interactive. You are using the direct mode. In that case, path_to_binary_folder should be a Windows path. For example, C:\project1\bin. If the binaries are already at a Linux path, you can use the interactive mode - ./run_infersharp.sh Examples/ where Examples/ is the path that is relative to the script.

chenkehao1998 commented 2 years ago

> @chenkehao1998, @Jonas-sci, thanks for reporting this. I should have made the instructions clearer. I will make an update to the doc.
>
> There are two modes running Docker - direct and interactive. You are using the direct mode. In that case, path_to_binary_folder should be a Windows path. For example, C:\project1\bin. If the binaries are already at a Linux path, you can use the interactive mode - ./run_infersharp.sh Examples/ where Examples/ is the path that is relative to the script.

Thanks for your reply!!! But I have used the interactive mode, and the result is still not correct.

I used the command like this:

docker run -v /home/Jonas/Project/Miniblog.Core:/infersharp/Examples -it mcr.microsoft.com/infersharp:v1.3

And then:

./run_infersharp.sh Examples

The files in the Examples directory are now my C# project files.

But the result is:

Processing {Examples}
Copying binaries to a staging folder...

Code translation started...
Translation stage 1/3: Loading binaries.
Translation stage 2/3: Computing type environment.
Translation stage 3/3: Computing control-flow graph.

Coverage Statistics:

Method successfully translated: 0 (-2147483648%)
Method partially translated: 0 (-2147483648%)
Instructions translated: 0 (-2147483648%)
Instructions skipped: 0 (-2147483648%)
======================================

Code translation completed. Analyzing...

  No issues found
xinshiMSFT commented 2 years ago

The Example folder comes with the Docker image. It provides some example binaries that you can try. To run your own binaries, assuming you are using Windows Command Prompt, the exact steps for the interactive mode are:

  1. Run docker run -it mcr.microsoft.com/infersharp:v1.3
  2. Open another Command Prompt, run docker ps -a to find out the container ID. Then run docker cp <your project folder path on Windows> <container_id>:infersharp/<your project folder name>
  3. Go back to the other Command Prompt from step 1 and run ./run_infersharp.sh <your project folder name>
m-sedl commented 1 year ago

Hi! I also found this bug. I have run InferSharp 1.4 and InferSharp 1.3 via docker container on two systems: macos 12.0.1 and ubuntu 22.04.01.

I did different launches, I will describe each one separately.

1) InferSharp 1.4 via docker interactively on macos. Ran ./run_infersharp.sh Examples. Everything works perfectly.

2) InferSharp 1.4 via docker interactively on ubuntu. Ran ./run_infersharp.sh Examples. I get a known bug:

  Code translation started...
  Translation stage 1/3: Loading binaries.
  Translation stage 2/3: Computing type environment.
  Translation stage 3/3: Computing control-flow graph.

  Coverage Statistics:

  Method successfully translated: 0 (-2147483648%)
  Method partially translated: 0 (-2147483648%)
  Instructions translated: 0 (-2147483648%)
  Instructions skipped: 0 (-2147483648%)

3) InferSharp 1.4 via docker in direct mode on macos. I built a project with this file using dotnet 6.0.402 on macos . Everything works perfectly.

4) InferSharp 1.4 via docker in direct mode on ubuntu. I built the same project but using dotnet 6.0.110 on ubuntu. The bug is reproducing.

5) InferSharp 1.4 via docker in direct mode on ubuntu . I used the results of building a test project from macos. Everything works perfectly. I compiled on macos for different runtimes (linux-x64, osx.12-x64). InferSharp 1.4 was able to analyze all the assembly variants made in macos.

6) InferSharp 1.3 works correctly through docker (in both modes) on both ubuntu and macos.

I found that the difference is in how assemblies made on macos and ubuntu are loaded. In the second case, the dll's cannot be loaded by this method. A SymbolsNotMatchingException is thrown in the Mono.cecil library. Because of this, the assembly is considered broken and cecil cannot work with it correctly, so none of the methods are loaded.

It is possible that since the release of version 1.3 you somehow affected the logic of loading assemblies, or one of your docker image dependencies was updated in such a way that the loading of dlls built on linux broke.

I will try to debug this problem, but I consider it necessary to tell you everything that I managed to find.

xinshiMSFT commented 1 year ago

@m-sedl, thank you so much for providing the detailed repro steps!

We recently updated the script to speed up the binary copying process (https://github.com/microsoft/infersharp/commit/bc6fb62d01115a6edc81ad46e15d75934be1fa68). Instead of copying everything from a user-specified folder, the script only copies the .dll and pdb files and flattens the structure.

.NET produces Examples.dll under the Examples/ref folder after dotnet publish. However, it is not the matching .dll file for Examples/Examples.pdb. On Linux, the script probably copied Examples/ref/Examples.dll and Examples/Examples.pdb first, then ignored Examples/Examples.dll. It is probably why you are seeing a SymbolsNotMatchingException.

I don't have a Mac, but I am guessing the reason you are not seeing it on MacOS is that the copying behavior is different. It probably copied the matching Examples/Examples.dll and Examples/Examples.pdb first, then ignored Examples/ref/Examples.dll.

I made a PR https://github.com/microsoft/infersharp/pull/179 so that the copying behavior becomes consistent across different OSs. Would you mind updating run_infersharp.sh in your local docker container and trying again?
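
The copy-order problem described in the comment above, as an added example that is not the project's run_infersharp.sh and not the change made in the PR. It assumes the mismatch comes from which same-named file is copied first into the flattened staging folder and that reference assemblies sit in `ref/` or `refint/` directories; the function names `list_collisions` and `stage_binaries` and the sample tree are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not the project's run_infersharp.sh.
# Assumption: reference assemblies sit in directories named ref/ or refint/.

# Print every .dll/.pdb file name that exists at more than one path under $1.
# Any name listed here makes a flattened copy depend on which path wins.
list_collisions() {
    find "$1" -type f \( -name '*.dll' -o -name '*.pdb' \) \
        | sed 's|.*/||' | LC_ALL=C sort | uniq -d
}

# Flatten .dll/.pdb files from $1 into $2. Reference-assembly directories are
# pruned and the remaining paths are sorted, so the result no longer depends
# on the order in which the filesystem enumerates directory entries.
stage_binaries() {
    src=$1
    dest=$2
    mkdir -p "$dest"
    find "$src" -type d \( -name ref -o -name refint \) -prune -o \
        -type f \( -name '*.dll' -o -name '*.pdb' \) -print \
        | LC_ALL=C sort \
        | while IFS= read -r path; do
            name=${path##*/}
            if [ -e "$dest/$name" ]; then
                echo "skipped duplicate: $path" >&2
            else
                cp "$path" "$dest/$name"
            fi
        done
}

# Constructed sample tree mirroring the layout named in the comment above.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/publish/Examples/ref"
    printf 'implementation' > "$tmp/publish/Examples/Examples.dll"
    printf 'reference'      > "$tmp/publish/Examples/ref/Examples.dll"
    printf 'symbols'        > "$tmp/publish/Examples/Examples.pdb"
    echo "ambiguous names: $(list_collisions "$tmp/publish")"
    stage_binaries "$tmp/publish" "$tmp/staging"
    echo "staged Examples.dll holds: $(cat "$tmp/staging/Examples.dll")"
    rm -rf "$tmp"
}
demo
```

Running `list_collisions` on a publish folder before a scan shows whether a flattened copy can pick up a .dll that does not match its .pdb.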

m-sedl commented 1 year ago

Thanks a lot for the quick response!

Indeed, your pr fixes the behavior of version 1.4 on ubuntu. The new version also works on macos. Thank you!

But unlike version 1.3, patched version 1.4 crashes on relatively large projects on macos. On linux it works correctly. Both cases ran the same docker image.

For example, I ran an analysis of the NLog project. Version 1.3 works successfully, but patched 1.4 crashes with an error (it's more correct to say that it crashes infer, not infer#). I don't know if this behavior is related to the logic of copying binary files. It might need a new issue to be opened.

docker run -v /projects/NLog/src/NLog.Database/bin:/infersharp/binary_path --rm infersharp:new-1 /bin/bash -c "./run_infersharp.sh binary_path; cp -R infer-out/ /infersharp/binary_path/"
Processing {binary_path}
Copying binaries to a staging folder...

Code translation started...
Translation stage 1/3: Loading binaries.
Translation stage 2/3: Computing type environment.
Translation stage 3/3: Computing control-flow graph.

Coverage Statistics:

Method successfully translated: 5331 (90%)
Method partially translated: 587 (10%)
Instructions translated: 109941 (84%)
Instructions skipped: 21296 (16%)
======================================

Code translation completed. Analyzing...

Capturing using JSON mode...
Found 380 source files to analyze in /infersharp/infer-out
/projects/NLog/src/NLog/Targets/Wrappers/WrapperTargetBase.cs starting
/projects/NLog/src/NLog/Targets/NLogViewerTarget.cs starting
/projects/NLog/src/NLog/Internal/NetworkSenders/IWebRequestFactory.cs starting
/projects/NLog/src/NLog/Time/CachedTimeSource.cs starting
/projects/NLog/src/NLog/Internal/Collections/ArrayHelper.cs starting
/projects/NLog/src/NLog/Internal/ObjectPools/ReusableBufferCreator.cs starting
/projects/NLog/src/NLog/Internal/ObjectPools/ReusableBufferCreator.cs DONE
/projects/NLog/src/NLog/Targets/Wrappers/PostFilteringTargetWrapper.cs starting
/projects/NLog/src/NLog/Time/CachedTimeSource.cs DONE
/projects/NLog/src/NLog/Internal/Collections/ArrayHelper.cs DONE
/projects/NLog/src/NLog/Targets/ConsoleWordHighlightingRule.cs starting
/projects/NLog/src/NLog/LayoutRenderers/Wrappers/WhenEmptyLayoutRendererWrapper.cs starting
/projects/NLog/src/NLog/Internal/NetworkSenders/IWebRequestFactory.cs DONE
/projects/NLog/src/NLog/Logger.cs starting
Internal Error: Subprocess 3: died after receiving sigkill (signal number 9)
Error backtrace:
Raised at Core_unix.improve in file "core_unix/src/core_unix.ml" (inlined), line 45, characters 4-43
Called from Core_unix.wait_gen in file "core_unix/src/core_unix.ml" (inlined), line 923, characters 4-246
Called from Core_unix.wait in file "core_unix/src/core_unix.ml" (inlined), line 952, characters 2-34
Called from IBase__ProcessPool.killall.(fun) in file "src/base/ProcessPool.ml", line 187, characters 10-30
Re-raised at IBase__Die.raise_error.do_raise in file "src/base/Die.ml" (inlined), line 26, characters 8-56
Called from IBase__Logging.die.(fun) in file "src/base/Logging.ml", line 338, characters 6-39
Called from IBase__ProcessPool.process_updates.(fun) in file "src/base/ProcessPool.ml" (inlined), line 254, characters 9-70
Called from Base__Option.iter in file "src/option.ml" (inlined), line 68, characters 14-17
Called from IBase__ProcessPool.process_updates in file "src/base/ProcessPool.ml" (inlined), line 253, characters 5-115
Called from IBase__ProcessPool.process_updates in file "src/base/ProcessPool.ml" (inlined), line 252, characters 2-137
Called from IBase__ProcessPool.process_updates in file "src/base/ProcessPool.ml" (inlined), line 253, characters 5-115
Called from IBase__ProcessPool.process_updates in file "src/base/ProcessPool.ml", line 252, characters 2-137
Called from Backend__InferAnalyze.analyze in file "src/backend/InferAnalyze.ml", line 223, characters 24-47
Called from Integration__Driver.execute_analyze.(fun) in file "src/integration/Driver.ml" (inlined), line 212, characters 2-34
Called from Backend__GCStats.log_f in file "src/backend/GCStats.ml" (inlined), line 90, characters 10-14
Called from Integration__Driver.execute_analyze in file "src/integration/Driver.ml", line 209, characters 2-239
Called from IBase__Utils.timeit in file "src/base/Utils.ml", line 423, characters 16-20
Called from IBase__ScubaLogging.execute_with_time_logging in file "src/base/ScubaLogging.ml" (inlined), line 83, characters 29-44
Called from Integration__Driver.analyze_and_report in file "src/integration/Driver.ml", line 305, characters 2-119
Called from Dune__exe__Infer.run in file "src/infer.ml" (inlined), line 21, characters 2-47
Called from IBase__Utils.timeit in file "src/base/Utils.ml" (inlined), line 423, characters 16-20
Called from IBase__ScubaLogging.execute_with_time_logging in file "src/base/ScubaLogging.ml" (inlined), line 83, characters 29-44
Called from Dune__exe__Infer.run in file "src/infer.ml", line 25, characters 22-94

Run the command again with `--keep-going` to try and ignore this error.
xinshiMSFT commented 1 year ago

@m-sedl, you are probably right. It looks like the crash comes from the Infer backend. But just to be sure, can you try reverting run_infersharp.sh to this commit and run the analysis with the 1.4 bits again?

Please note that we currently do not support MacOS officially, but we will see what we can do to unblock you. If you are still seeing the same issue on MacOS, do you mind sharing the binaries with us, or pointing us to the commit/version of NLog on GitHub so that we can investigate on our side?

m-sedl commented 1 year ago

@xinshiMSFT, reverting run_infersharp.sh helped. The 1.4 version with the reverted script worked successfully on the NLog project on macos.

xinshiMSFT commented 1 year ago

@m-sedl, thank you! It is probably due to the copy logic then. Good to know that at least you are not blocked.

Can you please share the NLog binaries on your machine with us so that we are sure we are looking at the same binaries? Or if the size is too large or it is not convenient, can you point us to the commit/version of NLog you are using so we can build it ourselves?

m-sedl commented 1 year ago

@xinshiMSFT, sorry for not posting the link sooner.
commit: fe7ed742c28a179ec96a2c26fc6fc8d60078780b
binary files built on macos: https://disk.yandex.ru/d/Ns2-3nSvFXcxDA

xi-liu-ds commented 1 year ago

> @xinshiMSFT, sorry for not posting the link sooner. commit: fe7ed742c28a179ec96a2c26fc6fc8d60078780b binary files built on macos: https://disk.yandex.ru/d/Ns2-3nSvFXcxDA

Hi @m-sedl, thanks for sharing binaries. I have tested on a MacBook Pro with the following command:

docker run -v Downloads/bin/:/infersharp/binary_path --rm mcr.microsoft.com/infersharp:v1.4  /bin/bash -c "./run_infersharp.sh binary_path; cp infer-out/report.txt /infersharp/binary_path/report.txt"

and replaced the run_infersharp.sh with the latest one. It runs with no crash.

Could you confirm that you are using the latest docker desktop (v4.12.0)? And what are the spec settings for your docker desktop? Attached below are my settings:

image
m-sedl commented 1 year ago

@xi-liu-ds, Hmm. Very strange, but I can't reproduce the error. Now everything is working properly. Maybe I made a mistake yesterday when launching on macos. I'm sorry for the inconvenience.

My docker desktop version is 4.12.0. My parameters:

image
xi-liu-ds commented 1 year ago

Closing this issue. Please feel free to open a new issue if you run into this problem again.

BlairMcClelland commented 1 year ago

I had the same error when using Windows 11/Docker. It turns out my .wslconfig looked like this:

[wsl2]
memory=2GB
swap=0

After changing it to the below and rebooting, all is well:

[wsl2]
memory=8GB