
security-code-scan-results-action's Introduction

Security Code Scan
Vulnerability Patterns Detector for C# and VB.NET - Website

Downloading

Official releases are available as a NuGet package, a Visual Studio extension and a stand-alone runner.

Building

git clone https://github.com/security-code-scan/security-code-scan.git
cd security-code-scan

Open SecurityCodeScan.sln in Visual Studio or build from command line:

nuget restore SecurityCodeScan.sln
msbuild SecurityCodeScan.sln

Contributing

Tests

Most of the tests are written in two languages: C# and VB.NET. If you aren't an expert in VB.NET (me neither), use any online converter to create the VB.NET counterpart of the tested C# code example.
Tests are ideal for developing features and fixing bugs, as they are easy to debug.

Debugging

If you are not sure what is wrong, or you see an AD0001 error with an exception, it is possible to debug the analysis of the problematic Visual Studio solution.

Visual Studio offloads some static analysis work to a separate process. It is a good idea to uncomment the lines so that the child process can be debugged as well.

First, make sure no Security Code Scan Visual Studio extension is installed, to avoid interference.
Right-click the SecurityCodeScan.Vsix project in the solution and choose Set as StartUp Project.
Start debugging in Visual Studio. It opens another instance of Visual Studio with the debugger attached.
In that instance, open the solution containing the problematic source.

security-code-scan-results-action's People

Contributors

jarlob

security-code-scan-results-action's Issues

"You cannot call a method on a null-valued expression." on "Set up projects for analysis"

I'm getting this error on "Set up projects for analysis":

InvalidOperation: D:\a\_temp\238bcc4a-d7dd-49be-9a75-f51f8f0d60ab.ps1:94
Line |
  94 |    $propertyGroups[0].AppendChild($errorLog)
     |    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | You cannot call a method on a null-valued expression.

Error: Process completed with exit code 1.

Repo is this: https://github.com/paulomorgado/Microsoft.Extensions.AspNet

securitycodescan-analysis.yml file:

# This workflow integrates SecurityCodeScan with GitHub's Code Scanning feature
# SecurityCodeScan is a vulnerability patterns detector for C# and VB.NET

name: SecurityCodeScan

on:
  push:
    branches: [ main ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ main ]
  schedule:
    - cron: '31 23 * * 6'

jobs:
  SCS:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v2
      - uses: nuget/[email protected]
      - uses: microsoft/[email protected]
      
      - name: Set up projects for analysis
        uses: security-code-scan/security-code-scan-add-action@main
        
      - name: Restore dependencies
        run: dotnet restore

      - name: Build
        run: dotnet build --no-restore

      - name: Convert sarif for uploading to GitHub
        uses: security-code-scan/security-code-scan-results-action@main

      - name: Upload sarif
        uses: github/codeql-action/upload-sarif@v1

How can I diagnose this?

TypeError: Cannot read properties of undefined (reading 'filter')

Getting the following error at the "Convert sarif for uploading to GitHub" step.

I have tried tags v1.2, v1.3 and main.

Run security-code-scan/security-code-scan-results-action@main
Run dotnet tool install --global Sarif.Multitool --version 2.3.10

Welcome to .NET 7.0!
---------------------
SDK Version: 7.0.202

Telemetry
---------
The .NET tools collect usage data in order to help us improve your experience. It is collected by Microsoft and shared with the community. You can opt-out of telemetry by setting the DOTNET_CLI_TELEMETRY_OPTOUT environment variable to '1' or 'true' using your favorite shell.

Read more about .NET CLI Tools telemetry: https://aka.ms/dotnet-cli-telemetry

----------------
Installed an ASP.NET Core HTTPS development certificate.
To trust the certificate run 'dotnet dev-certs https --trust' (Windows and macOS only).
Learn about HTTPS: https://aka.ms/dotnet-https
----------------
Write your first app: https://aka.ms/dotnet-hello-world
Find out what's new: https://aka.ms/dotnet-whats-new
Explore documentation: https://aka.ms/dotnet-docs
Report issues and find source on GitHub: https://github.com/dotnet/core
Use 'dotnet --help' to see available commands or visit: https://aka.ms/dotnet-cli
--------------------------------------------------------------------------------------
You can invoke the tool using the following command: sarif
Tool 'sarif.multitool' (version '2.3.10') was successfully installed.
D:\a\ViVeTool-GUI\ViVeTool-GUI\convert.js:12
    run.tool.driver.rules = run.tool.driver.rules.filter((e => e.id.startsWith("SCS")));
                                                  ^

TypeError: Cannot read properties of undefined (reading 'filter')
    at Object.<anonymous> (D:\a\ViVeTool-GUI\ViVeTool-GUI\convert.js:12:51)
    at Module._compile (node:internal/modules/cjs/loader:1254:14)
    at Module._extensions..js (node:internal/modules/cjs/loader:1308:10)
    at Module.load (node:internal/modules/cjs/loader:1117:32)
    at Module._load (node:internal/modules/cjs/loader:958:12)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:81:12)
    at node:internal/main/run_main_module:23:47

Node.js v18.15.0
Error: Process completed with exit code 1.

Workflow File:

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

# This workflow integrates SecurityCodeScan with GitHub's Code Scanning feature
# SecurityCodeScan is a vulnerability patterns detector for C# and VB.NET

name: SecurityCodeScan

on:
  push:
  pull_request:
  schedule:
    - cron: '30 6 * * 3'

jobs:
  SCS:
    if: ${{ github.actor != 'dependabot[bot]' }}
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v3
      - uses: nuget/setup-nuget@fd9fffd6ca4541cf4152a9565835ca1a88a6eb37
      - uses: microsoft/[email protected]
      
      - name: Set up projects for analysis
        uses: security-code-scan/[email protected]
        
      - name: Restore dependencies
        run: nuget restore

      - name: Build
        run: msbuild

      - name: Convert sarif for uploading to GitHub
        uses: security-code-scan/security-code-scan-results-action@main

      - name: Display Sarif Files in the results Folder
        run: cat D:\a\ViVeTool-GUI\results\*.sarif

      - name: Upload sarif
        uses: github/codeql-action/upload-sarif@v2

Link to failed Workflow: https://github.com/PeterStrick/ViVeTool-GUI/actions/runs/4616456594

TypeError: Cannot read property 'filter' of undefined

I'm getting this error:

2021-07-08T07:40:28.5323142Z ##[group]Run security-code-scan/security-code-scan-results-action@main
2021-07-08T07:40:28.5323987Z with:
2021-07-08T07:40:28.5324433Z   sarif_directory: ../results
2021-07-08T07:40:28.5324804Z env:
2021-07-08T07:40:28.5325356Z   NUGET: C:\hostedtoolcache\windows\nuget.exe\5.10.0\x64/nuget.exe
2021-07-08T07:40:28.5326087Z ##[endgroup]
2021-07-08T07:40:33.7776972Z You can invoke the tool using the following command: sarif
2021-07-08T07:40:33.7778165Z Tool 'sarif.multitool' (version '2.3.10') was successfully installed.
2021-07-08T07:40:43.2192577Z D:\a\Microsoft.Extensions.AspNet\Microsoft.Extensions.AspNet\convert.js:12
2021-07-08T07:40:43.2194554Z     run.tool.driver.rules = run.tool.driver.rules.filter((e => e.id.startsWith("SCS")));
2021-07-08T07:40:43.2195578Z                                                   ^
2021-07-08T07:40:43.2195957Z 
2021-07-08T07:40:43.2196729Z TypeError: Cannot read property 'filter' of undefined
2021-07-08T07:40:43.2199700Z     at Object.<anonymous> (D:\a\Microsoft.Extensions.AspNet\Microsoft.Extensions.AspNet\convert.js:12:51)
2021-07-08T07:40:43.2201166Z     at Module._compile (internal/modules/cjs/loader.js:1085:14)
2021-07-08T07:40:43.2202090Z     at Object.Module._extensions..js (internal/modules/cjs/loader.js:1114:10)
2021-07-08T07:40:43.2202947Z     at Module.load (internal/modules/cjs/loader.js:950:32)
2021-07-08T07:40:43.2203976Z     at Function.Module._load (internal/modules/cjs/loader.js:790:14)
2021-07-08T07:40:43.2205158Z     at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:76:12)
2021-07-08T07:40:43.2206709Z     at internal/main/run_main_module.js:17:47
2021-07-08T07:40:43.2312568Z ##[error]Process completed with exit code 1.
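Both "filter" issues above fail at the same line of convert.js, which assumes every SARIF run lists its rules under tool.driver.rules. The following is an added example, not the action's own convert.js: a null-safe version of that filtering, run over a constructed SARIF document with one run that has a rule list and one run whose driver has none (the tool names and rule ids in the sample are constructed).

```javascript
// Added example, not the action's own convert.js: a null-safe version of the
// rule filtering that throws "Cannot read properties of undefined (reading
// 'filter')" in the logs above. Assumes the SARIF 2.1.0 shape runs[].tool.driver.
// A run whose driver carries no "rules" array is reported and left untouched.
function filterScsRules(sarif) {
  const summary = [];
  const runs = Array.isArray(sarif.runs) ? sarif.runs : [];
  for (const run of runs) {
    const driver = run.tool && run.tool.driver;
    const name = (driver && driver.name) || "<unknown>";
    if (!driver || !Array.isArray(driver.rules)) {
      // This is the case convert.js line 12 does not guard against.
      summary.push({ tool: name, before: 0, after: 0, hadRules: false });
      continue;
    }
    const before = driver.rules.length;
    // Keep only Security Code Scan rules: ids that begin with "SCS".
    driver.rules = driver.rules.filter(
      (r) => typeof r.id === "string" && r.id.startsWith("SCS")
    );
    summary.push({ tool: name, before, after: driver.rules.length, hadRules: true });
  }
  return summary;
}

// Constructed sample SARIF (not taken from the page): one run with a rule list
// that mixes SCS ids with other analyzer ids, and one run whose driver has no
// "rules" array, which is the shape that crashes the original line.
const SAMPLE_SARIF = {
  version: "2.1.0",
  runs: [
    {
      tool: { driver: { name: "SecurityCodeScan", rules: [
        { id: "SCS0001", shortDescription: { text: "constructed SCS rule" } },
        { id: "CS0001", shortDescription: { text: "constructed compiler rule" } },
        { id: "SCS0002", shortDescription: { text: "constructed SCS rule" } },
      ] } },
      results: [],
    },
    { tool: { driver: { name: "OtherAnalyzer" } }, results: [] },
  ],
};

// Runs the filter on a copy of the sample and returns what a caller can check.
function demo() {
  const doc = JSON.parse(JSON.stringify(SAMPLE_SARIF));
  const summary = filterScsRules(doc);
  return { summary, ruleIds: doc.runs[0].tool.driver.rules.map((r) => r.id) };
}
console.log(JSON.stringify(demo(), null, 2));
```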
