- Enterprise Edition
- Version 9.9.2 (build 77730)
- C# with version .NET6
Hi community,
Is there a rule among the SonarQube rules that will detect code that dynamically generates code?
Thank you for your help,
Have a good day!
Hey there.
I don’t think so. Can you give me an example of what this kind of code looks like?
Hi Colin,
Code that dynamically creates code, converts it to an assembly, and runs it.
Example from ChatGPT:
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Reflection;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.Emit;

class Program
{
    static void Main()
    {
        string code = @"
            using System;
            public class DynamicClass
            {
                public void HelloWorld()
                {
                    Console.WriteLine(""Merhaba, dünya!"");
                }
            }
        ";

        // Build a C# syntax tree from the source string
        SyntaxTree syntaxTree = CSharpSyntaxTree.ParseText(code);

        // C# compilation settings
        string assemblyName = Path.GetRandomFileName();
        string runtimeDir = Path.GetDirectoryName(typeof(object).Assembly.Location)!;
        MetadataReference[] references = new MetadataReference[]
        {
            MetadataReference.CreateFromFile(typeof(object).Assembly.Location),
            MetadataReference.CreateFromFile(typeof(Console).Assembly.Location),
            // On .NET 6 the System.Runtime facade must be referenced too, otherwise the
            // compile fails with CS0012 (type 'Object' is defined in an assembly that is not referenced)
            MetadataReference.CreateFromFile(Path.Combine(runtimeDir, "System.Runtime.dll"))
        };

        CSharpCompilation compilation = CSharpCompilation.Create(
            assemblyName,
            syntaxTrees: new[] { syntaxTree },
            references: references,
            options: new CSharpCompilationOptions(OutputKind.DynamicallyLinkedLibrary));

        // Emit the compilation into memory
        using (var ms = new MemoryStream())
        {
            EmitResult result = compilation.Emit(ms);
            if (!result.Success)
            {
                Console.WriteLine("Derleme başarısız!");
                IEnumerable<Diagnostic> failures = result.Diagnostics.Where(diagnostic =>
                    diagnostic.IsWarningAsError ||
                    diagnostic.Severity == DiagnosticSeverity.Error);
                foreach (Diagnostic diagnostic in failures)
                {
                    Console.Error.WriteLine("{0}: {1}", diagnostic.Id, diagnostic.GetMessage());
                }
            }
            else
            {
                Console.WriteLine("Derleme başarılı!");
                // Load the emitted assembly and run it
                ms.Seek(0, SeekOrigin.Begin);
                Assembly assembly = Assembly.Load(ms.ToArray());
                dynamic dynamicClassInstance = assembly.CreateInstance("DynamicClass");
                // Use the dynamically created class
                dynamicClassInstance.HelloWorld();
            }
        }
    }
}
Is there a rule that will give findings regarding this code?
SonarQube (Developer Edition and above) can detect when Dynamic code execution is vulnerable to injection attacks, but there’s no rule that will just raise an issue because dynamic code is detected.
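Since there is no built-in rule for this, one way to get a finding on the call sites shown in the snippet above is a small custom Roslyn analyzer. This is an added example, not SonarSource or SonarQube code; the rule id "DYN001" and the list of flagged members are assumptions.

```csharp
using System.Collections.Immutable;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;
using Microsoft.CodeAnalysis.Diagnostics;

// Added example (not SonarSource code): flags call sites that parse, compile or load
// code at run time. The rule id "DYN001" and the sink list are assumptions.
[DiagnosticAnalyzer(LanguageNames.CSharp)]
public sealed class DynamicCodeAnalyzer : DiagnosticAnalyzer
{
    private static readonly DiagnosticDescriptor Rule = new(
        id: "DYN001",
        title: "Dynamic code generation detected",
        messageFormat: "'{0}' compiles or loads code at run time; review where its input comes from",
        category: "Security",
        defaultSeverity: DiagnosticSeverity.Warning,
        isEnabledByDefault: true);
    // Fully qualified members that mark the compile-or-load-at-run-time boundary.
    private static readonly ImmutableHashSet<string> Sinks = ImmutableHashSet.Create(
        "Microsoft.CodeAnalysis.CSharp.CSharpSyntaxTree.ParseText",
        "Microsoft.CodeAnalysis.CSharp.CSharpCompilation.Create",
        "Microsoft.CodeAnalysis.CSharp.Scripting.CSharpScript.EvaluateAsync",
        "Microsoft.CodeAnalysis.CSharp.Scripting.CSharpScript.RunAsync",
        "System.Reflection.Assembly.Load");
    public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics => ImmutableArray.Create(Rule);

    public override void Initialize(AnalysisContext context)
    {
        context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.None);
        context.EnableConcurrentExecution();
        context.RegisterSyntaxNodeAction(AnalyzeInvocation, SyntaxKind.InvocationExpression);
    }

    private static void AnalyzeInvocation(SyntaxNodeAnalysisContext context)
    {
        var invocation = (InvocationExpressionSyntax)context.Node;
        // Resolve the symbol so usings, aliases and overloads cannot defeat a text match.
        if (context.SemanticModel.GetSymbolInfo(invocation, context.CancellationToken).Symbol
            is not IMethodSymbol method)
            return;
        string name = $"{method.ContainingType.ToDisplayString()}.{method.Name}";
        // Assembly.Load(string) resolves a named assembly; only the byte[] overload loads raw code.
        if (!Sinks.Contains(name) ||
            (method.Name == "Load" && method.Parameters[0].Type is not IArrayTypeSymbol))
            return;
        context.ReportDiagnostic(Diagnostic.Create(Rule, invocation.GetLocation(), name));
    }
}
```

Packaged as an analyzer and referenced by the project, its warnings appear in the build alongside the compiler diagnostics, which is where a reviewer can then check what feeds the compiled source string.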
That’s the answer I wanted to get. Thank you very much.