C# 强化清洁规则不';Don’不要清洗一切
我的团队最近开始在我们的.NET代码库(C#6和VB.NET)上使用Fortify Static Code Analyzer(17.10.0 156版),并且由于报告了大量误报而感到痛苦。对于任何给定的问题,我们不看它就无法知道它是否为假阳性,我们也不希望任何实际问题在混乱中迷失 我们有一个实用程序库,其中包含一个方法C# 强化清洁规则不';Don’不要清洗一切,c#,fortify,C#,Fortify,我的团队最近开始在我们的.NET代码库(C#6和VB.NET)上使用Fortify Static Code Analyzer(17.10.0 156版),并且由于报告了大量误报而感到痛苦。对于任何给定的问题,我们不看它就无法知道它是否为假阳性,我们也不希望任何实际问题在混乱中迷失 我们有一个实用程序库,其中包含一个方法ReadEmbeddedSql,该方法从程序集中嵌入的资源中提取sql以执行。强化标记任何执行此方法返回的sql且带有sql注入漏洞的OracleCommand(来自Oracle.
ReadEmbeddedSqlOracleCommandOracle.ManagedDataAccess.ClientReadEmbeddedSqlExecuteSomeSql()ExecuteSomeSql()ExecuteSomeLocalSql()namespace Our.Utilities.Database
{
public abstract class BaseDao
{
protected string ReadEmbeddedSql(string key)
{
//... extract sql from assembly
return sql;
}
}
}
namespace Our.Application.DataAccess
{
public class TestDao: Our.Utilities.Database.BaseDao
{
public void ExecuteSomeSql()
{
//... connection is created
// Fortify Does not trust sqlText returned from library method.
var sqlText = ReadEmbeddedSql("sql.for.ExecuteSomeSql");
using(var someSqlCommand = new OracleCommand(sqlText, connection)) // Fortify flags creation of OracleCommand as SqlInjection vulnerability.
{
someSqlCommand.ExecuteNonQuery();
}
}
public void ExecuteSomeSqlDifferently()
{
//... connection is created
// Fortify Does not trust sqlText returned from library method.
var sqlText = ReadEmbeddedSql("sql.for.ExecuteSomeSql");
using(var someSqlCommand = connection.CreateCommand())
{
someSqlCommand.CommandText = sqlText; //Fortify flags setting CommandText as SqlInjection vulnerability.
someSqlCommand.ExecuteNonQuery();
}
}
public void ExecuteSomeLocalSql()
{
//... connection is created
var sqlText = ReadEmbeddedSqlLocallyDefined("sql.for.ExecuteSomeSql");
using(var someSqlCommand = new OracleCommand(sqlText, connection))
{
someSqlCommand.ExecuteNonQuery();
}
}
protected string ReadEmbeddedSqlLocallyDefined(string key)
{
//... extract sql from assembly
return sql;
}
}
}
<?xml version="1.0" encoding="UTF-8"?>
<RulePack xmlns="xmlns://www.fortifysoftware.com/schema/rules">
<RulePackID>5A78FC44-4EEB-49C7-91DA-6564805C3F23</RulePackID>
<SKU>SKU-C:\local\path\to\custom\rules\Our-Utilities</SKU>
<Name><![CDATA[C:\local\path\to\custom\rules\Our-Utilities]]></Name>
<Version>1.0</Version>
<Description><![CDATA[]]></Description>
<Rules version="17.10">
<RuleDefinitions>
<DataflowCleanseRule formatVersion="17.10" language="dotnet">
<RuleID>7C49FEDA-AA67-490D-8820-684F3BDD58B7</RuleID>
<FunctionIdentifier>
<NamespaceName>
<Pattern>Our.Utilities.Database</Pattern>
</NamespaceName>
<ClassName>
<Pattern>BaseDao</Pattern>
</ClassName>
<FunctionName>
<Pattern>ReadSqlTemplate</Pattern>
</FunctionName>
<ApplyTo implements="true" overrides="true" extends="true"/>
</FunctionIdentifier>
<OutArguments>return</OutArguments>
</DataflowCleanseRule>
<DataflowCleanseRule formatVersion="17.10" language="dotnet">
<RuleID>14C423ED-5A51-4BA1-BAE1-075E566BE58D</RuleID>
<TaintFlags>+VALIDATED_SQL_INJECTION</TaintFlags>
<FunctionIdentifier>
<NamespaceName>
<Pattern>Our.Utilities.Database</Pattern>
</NamespaceName>
<ClassName>
<Pattern>BaseDao</Pattern>
</ClassName>
<FunctionName>
<Pattern>ReadSqlTemplate</Pattern>
</FunctionName>
<ApplyTo implements="true" overrides="true" extends="true"/>
</FunctionIdentifier>
<OutArguments>return</OutArguments>
</DataflowCleanseRule>
</RuleDefinitions>
</Rules>
</RulePack>
5A78FC44-4EEB-49C7-91DA-6564805C3F23
SKU-C:\local\path\to\custom\rules\Our Utilities
1
7C49FEDA-AA67-490D-8820-684F3BDD58B7
我们的.Utilities.Database
BaseDao
ReadSqlTemplate
返回
14C423ED-5A51-4BA1-BAE1-075E566BE58D
+验证的SQL注入
我们的.Utilities.Database
BaseDao
ReadSqlTemplate
返回
- 规则ID
- 实例ID
- 类别
\Samples\Advanced\filter*注意:您对使用过滤器的分析(在评论中)非常准确。-1请再次尝试阅读该问题,此答案几乎将此场景的所有内容都弄错了,读起来是“做您说过已经做过的事情,但没有按应有的方式工作。”。Fortify不是在抱怨数据库出了什么,而是在抱怨数据库出了什么。(报告的漏洞是在命令上设置sql的地方,而不是在执行sql的地方,也不是在使用结果的地方(没有使用结果)。我添加了一个示例和注释,希望能更好地说明这一点。)。我报告的问题是,即使有规则,Fortify也不信任sql。Fortify没有显示“受污染”的输入来自何处。(为了更好地演示这一点,我添加了分析证据和图表的截图。)。未报告
ExecuteSomeLocalSqlReadEmbeddedSQLLocalDefined