Comments (3)
Thanks for the report. This is something we didn't investigate. However, I was able to suppress the warning from the context menu "Suppress SCS0007 -> In Suppression File". Since the file is auto-generated, it is preferable to suppress in a separate file rather than in the same source file.
It generated this for me:
[assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Security", "SCS0007:XML parsing vulnerable to XXE", Justification = "<Pending>", Scope = "member", Target = "~M:Build.MainConsole.Dispose(System.Boolean)")]
and this is fine if you go and click on every occurrence, but I guess if you play with the scope it is possible to suppress for the whole generated file with just a single attribute. You can read about scopes here - https://msdn.microsoft.com/en-us/library/ms244717.aspx
Another workaround for this particular warning would be to target at least .NET 4.5.2.
P.S.
Overall, Microsoft analyzers call ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.None);
all over. I need to investigate whether it means "do not analyze" even if "Analyze Generated Code" is enabled...
Another funny fact is here https://github.com/dotnet/roslyn-analyzers/blob/9ed3fc4d2f2d69f511b44948ecc9215b2be12cf7/src/Microsoft.NetCore.Analyzers/Core/Security/DoNotUseInsecureCryptographicAlgorithms.cs
// Security analyzer - analyze and report diagnostics on generated code.
analysisContext.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.Analyze | GeneratedCodeAnalysisFlags.ReportDiagnostics);
SCS is a security analyzer :) but I think it should be configurable and suppressible even in generated code.
from security-code-scan.
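Added example, not code from this thread or from the Security Code Scan project: a GlobalSuppressions.cs that puts the scope options from the linked MSDN page next to the member-scoped attribute the context menu generated. The type name Build.MainConsole and the namespace Build are taken from the Target in the generated attribute; the justification text is an assumption. The follow-up reply in this thread reports that these scopes did not do what was needed for generated files, so verify that the warnings actually disappear rather than assume the whole file is covered.

```csharp
// GlobalSuppressions.cs (added example; assumes the generated type is
// Build.MainConsole in namespace Build, as in the pasted Target string).
using System.Diagnostics.CodeAnalysis;

// 1. Member scope: exactly what "Suppress SCS0007 -> In Suppression File" emits,
//    one attribute per flagged method. Target uses the documentation-comment ID
//    syntax: ~M: for a method, including its parameter list.
[assembly: SuppressMessage("Security", "SCS0007:XML parsing vulnerable to XXE",
    Justification = "Generated code; XML source is an embedded resource, not user input", // hypothetical justification
    Scope = "member",
    Target = "~M:Build.MainConsole.Dispose(System.Boolean)")]

// 2. Type scope: one attribute for every member of the generated class (~T: prefix).
[assembly: SuppressMessage("Security", "SCS0007:XML parsing vulnerable to XXE",
    Justification = "Generated code; see review of the generator template", // hypothetical justification
    Scope = "type",
    Target = "~T:Build.MainConsole")]

// 3. Namespace scope: every type declared directly in the namespace (~N: prefix).
//    Roslyn also accepts Scope = "namespaceanddescendants" to include nested namespaces.
[assembly: SuppressMessage("Security", "SCS0007:XML parsing vulnerable to XXE",
    Justification = "All types in this namespace are generated", // hypothetical justification
    Scope = "namespace",
    Target = "~N:Build")]

// Caveat for reviewers: a suppression only hides the finding. Each Justification
// should record why the XML parsing in that scope cannot see attacker-controlled
// input (or that the project targets .NET 4.5.2 or later, where XmlDocument no
// longer resolves external entities by default).
```

Keep only the one attribute that matches the breadth you actually want; the three are shown together to contrast the Target syntax. Broad scopes are convenient for generated code but will also silence SCS0007 in hand-written members that later land in the same type or namespace, so prefer the narrowest scope that removes the noise.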
For me this issue remains unresolved. Yes, it is possible to put in an individual exception for each warning in generated files, but this is a major nuisance.
Targeting a newer framework brings with it a whole other set of considerations and is not a solution to the general problem.
Finally, I have not found a way to suppress an entire code member in the suppression file. Yes, as you point out there are scoping options but none seem to do what is needed. And the ability for SCS to respect the "no scan for generated code" setting, which it does not do apparently, seems important.
from security-code-scan.
You are welcome to submit a pull request.
from security-code-scan.
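The warning under discussion, SCS0007, reports XML parsing that can resolve external entities. As an added example that is neither from this thread nor from the project's own code, the block below shows the XmlDocument pattern the rule flags beside a form that prohibits DTD processing explicitly, so the finding is fixed in the code rather than suppressed or left to the framework default (on .NET Framework 4.5.2 and later the default XmlResolver of XmlDocument is null, which is why targeting 4.5.2 was offered above as a workaround). The XML payload is constructed for the example.

```csharp
using System;
using System.IO;
using System.Xml;

public static class XxeDemo
{
    // Constructed sample input: a DTD that declares an external entity, the
    // shape of document an XXE attack relies on.
    private const string Payload =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE r [<!ENTITY x SYSTEM \"file:///etc/hostname\">]>\n" +
        "<r>&x;</r>";

    // The pattern SCS0007 reports: XmlDocument with its default resolver.
    // On frameworks before .NET 4.5.2 the default resolver is non-null, so the
    // parser fetches the SYSTEM entity and the file contents end up in InnerText.
    public static string LoadInsecure(string xml)
    {
        var doc = new XmlDocument();
        doc.LoadXml(xml);
        return doc.DocumentElement.InnerText;
    }

    // Hardened form, independent of target framework: no resolver and DTDs
    // prohibited, so any DOCTYPE makes XmlReader throw an XmlException before
    // an entity can be resolved.
    public static string LoadHardened(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            var doc = new XmlDocument { XmlResolver = null };
            doc.Load(reader);
            return doc.DocumentElement.InnerText;
        }
    }

    public static void Main()
    {
        // Benign input still parses with the hardened loader.
        Console.WriteLine(LoadHardened("<r>ok</r>"));

        // The DTD-bearing payload is rejected outright.
        try
        {
            LoadHardened(Payload);
            Console.WriteLine("unexpected: DTD was accepted");
        }
        catch (XmlException e)
        {
            Console.WriteLine("DTD rejected: " + e.Message);
        }
    }
}
```

If the generated code must accept documents that legitimately carry a DOCTYPE, use DtdProcessing.Ignore with XmlResolver = null instead of Prohibit; entities are then not expanded, and the SCS0007 suppression becomes unnecessary because the resolver is explicitly null.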