codeql/change-notes/1.20/analysis-csharp.md

# Improvements to C# analysis

## General improvements

## New queries

| **Query**                   | **Tags**  | **Purpose**                                                        |
|-----------------------------|-----------|--------------------------------------------------------------------|

## Changes to existing queries

| *@name of query (Query ID)*  | *Impact on results*    | *How/why the query has changed*   |
|------------------------------|------------------------|-----------------------------------|
| Off-by-one comparison against container length (`cs/index-out-of-bounds`) | Fewer false positives | Results have been removed when there are additional guards on the index. |
| Dereferenced variable is always null (`cs/dereferenced-value-is-always-null`) | Improved results | The query has been rewritten from scratch, and the analysis is now based on static single assignment (SSA) forms. The query is now enabled by default in LGTM. |
| Dereferenced variable may be null (`cs/dereferenced-value-may-be-null`) | Improved results | The query has been rewritten from scratch, and the analysis is now based on static single assignment (SSA) forms. The query is now enabled by default in LGTM. |
| SQL query built from user-controlled sources (`cs/sql-injection`), Improper control of generation of code (`cs/code-injection`), Uncontrolled format string (`cs/uncontrolled-format-string`), Clear text storage of sensitive information (`cs/cleartext-storage-of-sensitive-information`), Exposure of private information (`cs/exposure-of-sensitive-information`) | More results | Data sources have been added from user controls in `System.Windows.Forms`. |
| Use of default ToString() (`cs/call-to-object-tostring`) | Fewer false positives | Results have been removed for `char` arrays passed to `StringBuilder.Append()`, which were incorrectly marked as using `ToString`. |
| Use of default ToString() (`cs/call-to-object-tostring`) | Fewer results | Results have been removed when the object is an interface or an abstract class. |
| Unused format argument (`cs/format-argument-unused`) | Fewer false positives | Results have been removed where the format string is empty. This is often used as a default value and is not an interesting result. |
| Double-checked lock is not thread-safe (`cs/unsafe-double-checked-lock`) | Fewer false positives, more true positives | Results have been removed where the underlying field was not updated in the `lock` statement, or where the field is a `struct`. Results have been added where there are other statements inside the `lock` statement. |
| Using a package with a known vulnerability (`cs/use-of-vulnerable-package`) | More results | This query detects packages vulnerable to CVE-2019-0657. |

## Changes to code extraction

* Fix extraction of `for` statements where the condition declares new variables using `is`.
* Initializers of `stackalloc` arrays are now extracted.

## Changes to QL libraries

* The class `TrivialProperty` now includes library properties determined to be trivial using CIL analysis. This may increase the number of results for all queries that use data flow.
* Taint-tracking steps have been added for the `Json.NET` package. This will improve results for queries that use taint-tracking.
* Support has been added for EntityFrameworkCore, including
  - Stored data flow sources
  - Sinks for SQL expressions
  - Data flow through fields that are mapped to the database.

## Changes to the autobuilder
C#: Change notes. 2018-11-28 23:21:34 +03:00			`# Improvements to C# analysis`

			`## General improvements`

			`## New queries`

			`\| Query \| Tags \| Purpose \|`
			`\|-----------------------------\|-----------\|--------------------------------------------------------------------\|`

			`## Changes to existing queries`

C#: Update change note 2018-12-04 18:08:41 +03:00			`\| @name of query (Query ID) \| Impact on results \| How/why the query has changed \|`
			`\|------------------------------\|------------------------\|-----------------------------------\|`
C#: Address review comments (documentation). 2019-02-20 21:00:30 +03:00			\| Off-by-one comparison against container length (`cs/index-out-of-bounds`) \| Fewer false positives \| Results have been removed when there are additional guards on the index. \|
			\| Dereferenced variable is always null (`cs/dereferenced-value-is-always-null`) \| Improved results \| The query has been rewritten from scratch, and the analysis is now based on static single assignment (SSA) forms. The query is now enabled by default in LGTM. \|
			\| Dereferenced variable may be null (`cs/dereferenced-value-may-be-null`) \| Improved results \| The query has been rewritten from scratch, and the analysis is now based on static single assignment (SSA) forms. The query is now enabled by default in LGTM. \|
			\| SQL query built from user-controlled sources (`cs/sql-injection`), Improper control of generation of code (`cs/code-injection`), Uncontrolled format string (`cs/uncontrolled-format-string`), Clear text storage of sensitive information (`cs/cleartext-storage-of-sensitive-information`), Exposure of private information (`cs/exposure-of-sensitive-information`) \| More results \| Data sources have been added from user controls in `System.Windows.Forms`. \|
			\| Use of default ToString() (`cs/call-to-object-tostring`) \| Fewer false positives \| Results have been removed for `char` arrays passed to `StringBuilder.Append()`, which were incorrectly marked as using `ToString`. \|
			\| Use of default ToString() (`cs/call-to-object-tostring`) \| Fewer results \| Results have been removed when the object is an interface or an abstract class. \|
			\| Unused format argument (`cs/format-argument-unused`) \| Fewer false positives \| Results have been removed where the format string is empty. This is often used as a default value and is not an interesting result. \|
			\| Double-checked lock is not thread-safe (`cs/unsafe-double-checked-lock`) \| Fewer false positives, more true positives \| Results have been removed where the underlying field was not updated in the `lock` statement, or where the field is a `struct`. Results have been added where there are other statements inside the `lock` statement. \|
C#: Update cs/use-of-vulnerable-package to detect CVE-2019-0657 2019-02-21 14:48:48 +03:00			\| Using a package with a known vulnerability (`cs/use-of-vulnerable-package`) \| More results \| This query detects packages vulnerable to CVE-2019-0657. \|
C#: Update change notes. Decrease the priority of this query because the `volatile` keyword is no longer needed on modern .Net runtimes. 2019-01-21 21:06:16 +03:00
C#: Change notes. 2018-11-28 23:21:34 +03:00			`## Changes to code extraction`

C#: Update change notes. 2018-12-11 13:31:39 +03:00			* Fix extraction of `for` statements where the condition declares new variables using `is`.
C#: Add change note. 2018-12-12 19:16:07 +03:00			* Initializers of `stackalloc` arrays are now extracted.
C#: Update change notes. 2018-12-11 13:31:39 +03:00
C#: Change notes. 2018-11-28 23:21:34 +03:00			`## Changes to QL libraries`

C#: Add changenote. 2019-02-07 15:10:18 +03:00			* The class `TrivialProperty` now includes library properties determined to be trivial using CIL analysis. This may increase the number of results for all queries that use data flow.
C#: Add change note. 2019-01-29 19:46:50 +03:00			* Taint-tracking steps have been added for the `Json.NET` package. This will improve results for queries that use taint-tracking.
C#: Change notes. 2019-02-08 16:47:41 +03:00			`* Support has been added for EntityFrameworkCore, including`
			`- Stored data flow sources`
			`- Sinks for SQL expressions`
C#: Add `preservesValue` to `NonLocalJumpNode.getAJumpSuccessor`. Allow `DataFlow::Configuration::isAdditionalFlowStep` to jump between callables. 2019-02-21 14:00:26 +03:00			`- Data flow through fields that are mapped to the database.`
C#: Add changenote. 2019-02-07 15:10:18 +03:00
C#: Change notes. 2018-11-28 23:21:34 +03:00			`## Changes to the autobuilder`