sonarqube-8.6.0.39681 (Developer Edition)
sonar-scanner-msbuild-5.0.4.24009-net46
Visual Studio 2019 Professional
C# Windows Form Project.
Windows 10 64bit
I am trying to prevent SQL injection in C# projects, but the "csharpsquid:S2077" and "roslyn.sonaranalyzer.security.cs:S3649" rules did not work with the following code.
//
using System;
using System.Data;
using System.Data.SqlClient;
using System.Windows.Forms;
using Oracle.ManagedDataAccess.Client; // assumed: ODP.NET managed driver (Oracle.DataAccess.Client for the unmanaged one)

// Source: text typed into a Windows Forms TextBox is passed to DoQuery.
private void button1_Click(object sender, EventArgs e)
{
    DoQuery(this.textBox1.Text);
}

// Sink: UserID is concatenated straight into the SQL text (deliberately vulnerable test case).
private void DoQuery(string UserID)
{
    string constr = clsCodeScanner.ConnectionString;
    OracleConnection con = new OracleConnection(constr);
    con.Open();
    string testSQL = "select * from THEUSER "
        + "where USERID = '" + UserID + "'";
    OracleCommand cmd = new OracleCommand(testSQL, con);
    DataTable t = new DataTable();
    var dr = cmd.ExecuteReader();
    // create the DataTable object according to the Oracle table
    t.Load(dr);
    dr.Close();
    cmd.Dispose();
    con.Dispose();
}

// Second test case: string.Format builds the query text and feeds it to SqlCommand / SqlDataAdapter.
public void Bar(SqlConnection connection, string param)
{
    SqlCommand command;
    string sensitiveQuery = string.Format("INSERT INTO Users (name) VALUES (\"{0}\")", param);
    command = new SqlCommand(sensitiveQuery); // Sensitive
    command.CommandText = sensitiveQuery; // Sensitive
    SqlDataAdapter adapter;
    adapter = new SqlDataAdapter(sensitiveQuery, connection); // Sensitive
}
//
I am sure the two rules are activated on my server.
After more testing, I find that S2077 works, but S3649 still does not work on the following code.
//
// Source: Windows Forms TextBox input.
private void button1_Click(object sender, EventArgs e)
{
    DoQuery(this.textBox1.Text);
}

// Sink: the tainted UserID is concatenated into the Oracle query (deliberately vulnerable test case).
private void DoQuery(string UserID)
{
    string constr = clsCodeScanner.ConnectionString;
    OracleConnection con = new OracleConnection(constr);
    con.Open();
    string testSQL = "select * from THEUSER "
        + "where USERID = '" + UserID + "'";
    OracleCommand cmd = new OracleCommand(testSQL, con);
    DataTable t = new DataTable();
    var dr = cmd.ExecuteReader();
    // create the DataTable object according to the Oracle table
    t.Load(dr);
    dr.Close();
    cmd.Dispose();
    con.Dispose();
}
//
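As an added example (not code from the original post or from SonarSource), here are the two snippets from the post rewritten with bind variables, which is the change both rules are steering towards: the SQL text becomes a constant and the user value is sent to the database separately from the statement. It assumes the ODP.NET managed driver namespace `Oracle.ManagedDataAccess.Client` and `System.Data.SqlClient`; `clsCodeScanner.ConnectionString` is the poster's own helper and is reused as-is.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;            // assumed provider; Microsoft.Data.SqlClient has the same API
using Oracle.ManagedDataAccess.Client;  // assumed: ODP.NET managed driver

// Added example, not from the thread: parameterized versions of DoQuery and Bar.
// clsCodeScanner.ConnectionString is the original poster's helper (assumed to exist).
public static class SafeQueries
{
    // Oracle placeholder syntax is :NAME. The SQL text never changes, so S2077 has no
    // concatenated/formatted query to report, and no tainted string reaches ExecuteReader.
    private const string UserSql = "select * from THEUSER where USERID = :USERID";

    public static DataTable FindUser(string userId)
    {
        var table = new DataTable();
        using (var con = new OracleConnection(clsCodeScanner.ConnectionString))
        using (var cmd = new OracleCommand(UserSql, con))
        {
            // Bind by name rather than by position so the placeholder name is what matters.
            cmd.BindByName = true;
            // Typed, size-limited bind variable: a value like ' OR '1'='1 is compared
            // literally against USERID instead of being parsed as SQL.
            cmd.Parameters.Add("USERID", OracleDbType.Varchar2, 64).Value = userId;
            con.Open();
            using (var dr = cmd.ExecuteReader())
            {
                table.Load(dr);
            }
        }
        return table;
    }

    // SQL Server placeholder syntax is @name; the parameter is typed and size-limited.
    public static int InsertUser(SqlConnection connection, string name)
    {
        const string sql = "INSERT INTO Users (name) VALUES (@name)";
        using (var cmd = new SqlCommand(sql, connection))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            return cmd.ExecuteNonQuery();
        }
    }
}
```

The `using` blocks replace the manual `Close()`/`Dispose()` calls, so the connection and reader are released even if `ExecuteReader` throws. Keeping the query text in a `const` is also a cheap way to check the fix with the scanner: once every `OracleCommand`/`SqlCommand` is built from a constant, S2077 should report nothing in that file.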
This is interesting. I’ve run an analysis on my side with the exact code you sent me and the issue is raised. Would it be possible for you to check and share the contents of:
.sonarqube\conf\cs\SonarLint.xml - in order to check if S2077 is active
.sonarqube\conf\SonarQubeRoslyn-cs.ruleset - to check its action type
.sonarqube\out\ProjectInfo.log - to see if the project type is product or test
.sonarqube\out\sonar-project.properties - to see if the project file is analyzed
Additionally, it would be great if you can make a zip with the contents of .sonarqube\out\ucfg_cs2 and share it with us.
The .sonarqube directory is generated in the folder where the code analysis is started.
Edit:
I would also like to double check that you run the end step and check the results on SonarQube. Issues raised by sonar-security are available only on SonarQube since they are not raised during the build.
I read this post twice and I can't tell if the problem is that the OP has created the above pattern to ensure that Sonar raises an issue with the code, or if the OP is saying the above code is fine and that Sonar is reporting issues when there should not be.
@Cary - when you say “do not work”, are you expecting to see issues reported for this code, or no issues reported for this code?
I’m sorry for my late reply. I’ve taken a look at the generated files you sent me, but the source graph seems to be different from the code in the snippet.
The issue should be raised without any problems if you use a SonarQube version lower than 8.7. If you still use a version older than 8.7 and the issue is not raised, you can send us the contents of the ucfg_cs2 folder and we will take a look.
Unfortunately, starting from 8.7, Windows Forms inputs are not considered a source anymore and the warnings will not be raised. This is due to an ongoing effort to rework how non-web applications are handled by our security analyzers.
I know this is old, but I wanted to check whether the latest versions of SonarQube support additional libraries such as the Microsoft base classes in System.Data.Common or the Oracle managed client for Oracle 2.19.110 (Oracle.ManagedDataAccess.Core). We have SonarQube v8.9.x and it did not detect a SQL injection vulnerability in a .NET 4.8.1 application.
I did not look at the history of this thread. I just want to react to your specific statement.
SonarQube Community Edition doesn’t detect SQL Injection, this is true and expected. It’s only the SonarQube Developer Edition that comes with a specific taint analyzer able to detect when a malicious input can reach a SQL sink.
The rule S3649 is only provided with SQ DE+ and is not part of SQ CE.
Thanks for your question. Can you provide a copy of the code that expects an issue to be raised on, as well as the edition of your SonarQube system?
If you have a Community Edition SonarQube system, this answer from Alex resolves it.
If you have another Edition, please create another post containing your question, the code sample, the SonarQube version, and SonarQube edition; and ping me from the post.
After that, since this is an old post, we will close it (unless @Cary has some updates about their issues).