pumasecurity / puma-scan

Puma Scan is a software security Visual Studio extension that provides real time, continuous source code analysis as development teams write code. Vulnerabilities are immediately displayed in the development environment as spell check and compiler warnings, preventing security bugs from entering your applications.
https://www.pumascan.com
Mozilla Public License 2.0

XmlException when used in a project with PostSharp #63

Closed AdamRiddick closed 4 years ago

AdamRiddick commented 4 years ago

Hi,

We're experiencing an issue when using PumaScan in the same project as PostSharp.

A warning is generated with Code AD0001. This is causing problems as we enforce warnings as errors across all projects.

Platform: .Net Core 3.1

Packages:
Postsharp: V6.6.8 (Essentials License)
Puma.Security.Rules: 2.3.0

Replication Steps:
1. Create a .Net Core 3.1 Console Application
2. Add PostSharp 6.6.8
3. Add Puma.Security.Rules 2.3.0

Issue:
Severity: Warning
Code: AD0001
Description: Analyzer 'Puma.Security.Rules.Suites.PumaDiagnosticSuite' threw an exception of type 'System.Xml.XmlException' with message 'Data at the root level is invalid. Line 1, position 1.'.
Project: PostSharpPumaScan
File: C:\Users\adam.riddick\source\repos\PostSharpPumaScan\CSC
Line: 1
Suppression State: N/A

ejohn20 commented 4 years ago

Thanks for reporting this. My guess is the configuration analyzer is finding a .config XML file that is invalid. We'll take a look at this as time allows.

Might be a little bit before we can get to this though. Feel free (if you have time) to debug the project and try to locate the bug.

gregpakes commented 4 years ago

I am having the same issue. The issue is because there is a config file which is not valid xml.

obj/debug/net48/Before-Postsharp/PostSharpAnalyzers.config

The file is not XML and its contents are as follows:

PostSharpSymbolLocationOutputDirectory=C:\xxx\xxx\xxx\xxx\obj\Debug\net48\Before-PostSharp

So I guess PumaScan is assuming all *.config files are supposed to be XML. In this case, it isn't.

Is there a way to exclude the file?

gregpakes commented 4 years ago

I have opened this issue at PostSharp regarding this...

https://support.postsharp.net/request/27144-postsharpanalyzersconfig-is-not-xml-and-causes

I'm not laying blame at their door, but just wanted to reference it here.

ejohn20 commented 4 years ago

This makes sense. Currently, there is not a way to exclude files / directories from analysis. Question - are you receiving other configuration warnings? You can try removing debug="false" from the release transform file and that should show up.

I think the ultimate solution on our side is to better log .config files that fail parsing to the output window.
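The failure mode discussed in this thread (an analyzer that assumes every *.config file is XML, so one key=value file under obj/ turns into an analyzer-level AD0001 warning, which with warnings-as-errors breaks the build) can be handled by isolating the parse per file. The following is an added illustration in plain C#, not Puma Scan's code and not the fix the maintainers shipped; the scanner name, the obj/ skip rule and the sample files it writes to a temp directory are all constructed for the example:

```csharp
// Added example (not Puma Scan's code): tolerant handling of *.config files that
// are not XML, such as PostSharp's PostSharpAnalyzers.config (key=value lines).
// All file names and contents below are constructed for the demonstration.
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml;
using System.Xml.Linq;

static class ConfigScanner
{
    public enum Outcome { ParsedXml, NotXml, Skipped }

    // One result per .config file. An XmlException is caught and recorded per file
    // instead of escaping the analyzer and surfacing as AD0001 for the whole project.
    public static IReadOnlyList<(string Path, Outcome Outcome, string Detail)> Scan(string root)
    {
        var results = new List<(string, Outcome, string)>();
        foreach (var path in Directory.EnumerateFiles(root, "*.config", SearchOption.AllDirectories))
        {
            var rel = Path.GetRelativePath(root, path);

            // Build intermediates under obj/ are tooling output, not application configuration,
            // so they are skipped rather than parsed (assumed policy for this example).
            if (rel.StartsWith("obj" + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase))
            {
                results.Add((rel, Outcome.Skipped, "build intermediate"));
                continue;
            }

            try
            {
                var doc = XDocument.Load(path);
                results.Add((rel, Outcome.ParsedXml, "root element <" + (doc.Root?.Name.LocalName ?? "") + ">"));
            }
            catch (XmlException ex)
            {
                // Log where parsing failed and move on; one malformed file must not abort analysis.
                results.Add((rel, Outcome.NotXml,
                    $"line {ex.LineNumber}, position {ex.LinePosition}: {ex.Message}"));
            }
        }
        return results;
    }

    static void Main()
    {
        // Constructed sample project layout in a throwaway temp directory.
        var root = Path.Combine(Path.GetTempPath(), "config-scan-demo-" + Guid.NewGuid().ToString("N"));
        var before = Path.Combine(root, "obj", "Debug", "net48", "Before-PostSharp");
        Directory.CreateDirectory(before);

        // A real XML config: parsed normally.
        File.WriteAllText(Path.Combine(root, "web.config"),
            "<configuration><system.web><compilation debug=\"true\" /></system.web></configuration>");
        // The PostSharp-style key=value file from the thread, placed under obj/: skipped.
        File.WriteAllText(Path.Combine(before, "PostSharpAnalyzers.config"),
            "PostSharpSymbolLocationOutputDirectory=" + before);
        // A non-XML .config outside obj/: reported as NotXml with line/position, not thrown.
        File.WriteAllText(Path.Combine(root, "tool.config"), "key=value");

        foreach (var (path, outcome, detail) in Scan(root))
            Console.WriteLine($"{outcome,-9} {path}: {detail}");

        Directory.Delete(root, recursive: true);
    }
}
```

Running this prints one line per file: the web.config parses, the obj/ file is skipped, and tool.config is reported as NotXml with "Data at the root level is invalid. Line 1, position 1." as the detail, which is the same message the thread's AD0001 warning carries. Recording the outcome per file keeps a single non-XML file from silencing the analyzer's real configuration findings (such as a debug="true" compilation setting) for the rest of the project.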

gregpakes commented 4 years ago

Added first stab at PR:

https://github.com/pumasecurity/puma-scan/pull/64

ejohn20 commented 4 years ago

@gregpakes Merged into develop and verified that this build does not produce the AD0001 with the Postsharp package installed. Getting a build put together now...

ejohn20 commented 4 years ago

@gregpakes This released in the 2.4 version of the NuGet package. Let us know if that does the trick.