S3649 and S2077 do not work

I am using the following tools to do my work.

sonarqube-8.6.0.39681 (Developer Edition)
sonar-scanner-msbuild-5.0.4.24009-net46
Visual Studio 2019 Professional
C# Windows Form Project.
Windows 10 64bit

I am trying to prevent SQL injection in C# projects, but the "csharpsquid:S2077" and "roslyn.sonaranalyzer.security.cs:S3649" rules did not work with the following code.

//

    using System;
    using System.Data;
    using System.Data.OracleClient;   // OracleConnection / OracleCommand
    using System.Data.SqlClient;      // SqlConnection / SqlCommand / SqlDataAdapter
    using System.Windows.Forms;

    // Tainted source: text typed into the WinForms TextBox flows into DoQuery.
    private void button1_Click(object sender, EventArgs e)
    {
       DoQuery(this.textBox1.Text);
    }

    // Deliberately vulnerable: UserID is concatenated into the SQL text,
    // so S3649 is expected to report the OracleCommand as an injection sink.
    private void DoQuery(string UserID)
    {
        string constr = clsCodeScanner.ConnectionString;   // connection string from the project's own helper class
        OracleConnection con = new OracleConnection(constr);
        con.Open();

        string testSQL = "select * from THEUSER "
                       + "where USERID = '" + UserID + "'";   // user input spliced into the query

        OracleCommand cmd = new OracleCommand(testSQL, con);

        DataTable t = new DataTable();
        var dr = cmd.ExecuteReader();
        //create the DataTable object according to Oracle table
        t.Load(dr);
        dr.Close();

        cmd.Dispose();
        con.Dispose();
    }

    // Matches the "Sensitive" example from the S2077 rule description:
    // every place the formatted query reaches a command or adapter is reported.
    public void Bar(SqlConnection connection, string param)
    {
        SqlCommand command;
        string sensitiveQuery = string.Format("INSERT INTO Users (name) VALUES (\"{0}\")", param);
        command = new SqlCommand(sensitiveQuery); // Sensitive

        command.CommandText = sensitiveQuery; // Sensitive

        SqlDataAdapter adapter;
        adapter = new SqlDataAdapter(sensitiveQuery, connection); // Sensitive
    }

//
I am sure the two rules are activated on my server.

I see the S3649 rule displayed in the scanning process, but the number of entry points is zero.


Please help me solve it.
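As an added example (not code from the original post and not SonarSource's own code), here are the two queries above rewritten with bound parameters, which is the compliant form these rules steer toward: the SQL text is a constant, so there is no path from `textBox1.Text` into the command for the taint analysis to follow. The class and method names (`SafeQueries`, `LoadUserById`, `InsertUser`) and the column size for `name` are assumptions; the provider is `System.Data.OracleClient`, the one the thread says the analyzer currently supports.

```csharp
using System;
using System.Data;
using System.Data.OracleClient;   // provider named in the thread as the supported one (:name placeholders)
using System.Data.SqlClient;      // @name placeholders

// Hypothetical helper class for this example only.
public static class SafeQueries
{
    // Parameterised counterpart of DoQuery: the user-supplied value is bound as data
    // and never becomes part of the SQL text, so input like  ' OR '1'='1  is simply
    // compared literally against USERID instead of changing the WHERE clause.
    public static DataTable LoadUserById(string connectionString, string userId)
    {
        const string sql = "select * from THEUSER where USERID = :UserID";

        var table = new DataTable();
        using (var con = new OracleConnection(connectionString))
        using (var cmd = new OracleCommand(sql, con))
        {
            cmd.Parameters.Add("UserID", OracleType.VarChar).Value = userId;
            con.Open();
            using (var reader = cmd.ExecuteReader())
            {
                table.Load(reader);   // fills the DataTable from the Oracle result set
            }
        }
        return table;
    }

    // Parameterised counterpart of Bar: SqlParameter instead of string.Format.
    // Returns the number of rows inserted (assumed column size 100 is an example value).
    public static int InsertUser(SqlConnection connection, string name)
    {
        const string sql = "INSERT INTO Users (name) VALUES (@name)";

        using (var cmd = new SqlCommand(sql, connection))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            if (connection.State != ConnectionState.Open)
            {
                connection.Open();
            }
            return cmd.ExecuteNonQuery();
        }
    }
}
```

A quick way to check that the fix is real rather than cosmetic: pass a value such as `' OR '1'='1` to `LoadUserById` and confirm that the query returns no rows (or only the row whose USERID literally equals that string); the concatenated version in the post would return the whole table.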

After more testing, I find that S2077 works, but S3649 still does not work on the following code.
//
private void button1_Click(object sender, EventArgs e)
{
    DoQuery(this.textBox1.Text);
}

private void DoQuery(string UserID)
{
    string constr = clsCodeScanner.ConnectionString;
    OracleConnection con = new OracleConnection(constr);
    con.Open();

    string testSQL = "select * from THEUSER "
                   + "where USERID = '" + UserID + "'";

    OracleCommand cmd = new OracleCommand(testSQL, con);

    DataTable t = new DataTable();
    var dr = cmd.ExecuteReader();
    //create the DataTable object according to Oracle table
    t.Load(dr);
    dr.Close();


    cmd.Dispose();
    con.Dispose();
}

Hi @Cary,

Are you using OracleCommand from System.Data.OracleClient, from Oracle.ManagedDataAccess 19.10.1 (NuGet Gallery), or from another library?

Currently we support only System.Data.OracleClient, but we do plan to add support for other libraries too.

Hi! @costin.zaharia,
I had used System.Data.OracleClient instead, but S3649 still does not work.

Hi,

This is interesting. I’ve run an analysis on my side for the exact code you sent me and the issue is raised. Would it be possible for you to check and share the contents of:

  • .sonarqube\conf\cs\SonarLint.xml - in order to check if S2077 is active
  • .sonarqube\conf\SonarQubeRoslyn-cs.ruleset - to check its action type
  • .sonarqube\out\ProjectInfo.log - to see if the project type is product or test
  • .sonarqube\out\sonar-project.properties - to see if the project file is analyzed

Additionally, it would be great if you can make a zip with the contents of .sonarqube\out\ucfg_cs2 and share it with us.

The .sonarqube directory is generated in the folder where the code analysis is started.

Edit:
I would also like to double-check that you ran the end step and checked the results on SonarQube. Issues raised by sonar-security are available only on SonarQube since they are not raised during the build.

Thanks,
Costin

Hi! @costin.zaharia,
As I said on Jan. 29, I found that S2077 is active. But S3649 still does not work yet. Please refer to the attachment.

Others.zip (4.1 KB) ucfg_cs2.zip (5.9 KB)

As I said on Jan. 29, I found that S2077 is active. But S3649 still does not work yet.

My bad, I was thinking S3649 but I wrote S2077 instead.

Thanks for the logs and config files. I’ll try to take a look later today.

I read this post twice and I can’t tell whether the OP created the above pattern to make sure Sonar raises an issue on this code, or whether the OP is saying the above code is fine and Sonar is reporting issues when it should not.

@Cary - when you say “do not work”, are you expecting to see issues reported for this code, or no issues reported for this code?

I expect rule S3649 to raise issues for this code, but it didn’t happen.

Hi @Cary

I’m sorry for my late reply. I took a look at the generated files you sent me, but the source graph seems to be different from the code in the snippet.

I’ve done a small POC with your code (from the snippet) which you can analyze. You can clone the solution from here: GitHub - costin-zaharia-sonarsource/security-poc-S3649

The issue should be raised without any problems if you use a SonarQube version lower than 8.7. If you still use a version older than 8.7 and the issue is not raised, you can send us the contents of the ucfg_cs2 folder and we will take a look.

Unfortunately, starting from 8.7, Windows Forms inputs are no longer considered a source and the warnings will not be raised. This is due to an ongoing effort to rework how non-web applications are handled by our security analyzers.