Merge pull request #961 from calumgrant/cs/cve-2019-0657

C#: Update cs/use-of-vulnerable-package to detect CVE-2019-0657
2019-02-22 18:01:58 +01:00 · 2019-02-22 18:01:58 +01:00 · 116997cf85
--- a/change-notes/1.20/analysis-csharp.md
+++ b/change-notes/1.20/analysis-csharp.md
@ -19,6 +19,7 @@
 | Use of default ToString() (`cs/call-to-object-tostring`) | Fewer results | Results have been removed when the object is an interface or an abstract class. |
 | Unused format argument (`cs/format-argument-unused`) | Fewer false positives | Results have been removed where the format string is empty. This is often used as a default value and is not an interesting result. |
 | Double-checked lock is not thread-safe (`cs/unsafe-double-checked-lock`) | Fewer false positives, more true positives | Results have been removed where the underlying field was not updated in the `lock` statement, or where the field is a `struct`. Results have been added where there are other statements inside the `lock` statement. |
+| Using a package with a known vulnerability (`cs/use-of-vulnerable-package`) | More results | This query detects packages vulnerable to CVE-2019-0657. |

 ## Changes to code extraction

--- a/Features/CWE-937/Vulnerabilities.qll
+++ b/Features/CWE-937/Vulnerabilities.qll
@ -312,3 +312,24 @@ class CVE_2018_0786 extends Vulnerability {
    fixed = "4.0.2"
  }
 }
+
+class CVE_2019_0657 extends Vulnerability {
+  CVE_2019_0657() { this = "CVE-2019-0657" }
+
+  override predicate matchesRange(string name, Version affected, Version fixed) {
+    name = "Microsoft.NETCore.App" and
+    (
+      affected = "2.1.0" and fixed = "2.1.8"
+      or
+      affected = "2.2.0" and fixed = "2.2.2"
+    )
+  }
+
+  override predicate matchesVersion(string name, Version affected, Version fixed) {
+    name = "System.Private.Uri" and
+    affected = "4.3.0" and
+    fixed = "4.3.1"
+  }
+
+  override string getUrl() { result = "https://github.com/dotnet/announcements/issues/97" }
+}
--- a/Features/CWE-937/VulnerablePackage.expected
+++ b/Features/CWE-937/VulnerablePackage.expected
@ -1,7 +1,10 @@
-| csproj.config:10:5:10:77 | System.Text.Encodings.Web 4.3.0 | Package 'System.Text.Encodings.Web 4.3.0' has vulnerability $@, and should be upgraded to version 4.3.1. | https://github.com/dotnet/corefx/issues/19535 | Microsoft Security Advisory 4021279 |
-| csproj.config:11:5:11:75 | system.text.encodings.web 4.3 | Package 'system.text.encodings.web 4.3' has vulnerability $@, and should be upgraded to version 4.3.1. | https://github.com/dotnet/corefx/issues/19535 | Microsoft Security Advisory 4021279 |
-| csproj.config:12:5:12:67 | System.Net.Http 4.1.1 | Package 'System.Net.Http 4.1.1' has vulnerability $@, and should be upgraded to version 4.1.2. | https://github.com/dotnet/corefx/issues/19535 | Microsoft Security Advisory 4021279 |
-| csproj.config:13:5:13:67 | System.Net.Http 4.1.2 | Package 'System.Net.Http 4.1.2' has vulnerability $@, and should be upgraded to version 4.3.4. | https://github.com/dotnet/announcements/issues/88 | CVE-2018-8292 |
+| csproj.config:4:5:4:77 | System.Text.Encodings.Web 4.3.0 | Package 'System.Text.Encodings.Web 4.3.0' has vulnerability $@, and should be upgraded to version 4.3.1. | https://github.com/dotnet/corefx/issues/19535 | Microsoft Security Advisory 4021279 |
+| csproj.config:5:5:5:75 | system.text.encodings.web 4.3 | Package 'system.text.encodings.web 4.3' has vulnerability $@, and should be upgraded to version 4.3.1. | https://github.com/dotnet/corefx/issues/19535 | Microsoft Security Advisory 4021279 |
+| csproj.config:6:5:6:67 | System.Net.Http 4.1.1 | Package 'System.Net.Http 4.1.1' has vulnerability $@, and should be upgraded to version 4.1.2. | https://github.com/dotnet/corefx/issues/19535 | Microsoft Security Advisory 4021279 |
+| csproj.config:7:5:7:67 | System.Net.Http 4.1.2 | Package 'System.Net.Http 4.1.2' has vulnerability $@, and should be upgraded to version 4.3.4. | https://github.com/dotnet/announcements/issues/88 | CVE-2018-8292 |
+| csproj.config:8:5:8:70 | System.Private.Uri 4.3.0 | Package 'System.Private.Uri 4.3.0' has vulnerability $@, and should be upgraded to version 4.3.1. | https://github.com/dotnet/announcements/issues/97 | CVE-2019-0657 |
+| csproj.config:9:5:9:73 | Microsoft.NETCore.App 2.1.0 | Package 'Microsoft.NETCore.App 2.1.0' has vulnerability $@, and should be upgraded to version 2.1.8. | https://github.com/dotnet/announcements/issues/97 | CVE-2019-0657 |
+| csproj.config:10:5:10:73 | Microsoft.NETCore.App 2.2.1 | Package 'Microsoft.NETCore.App 2.2.1' has vulnerability $@, and should be upgraded to version 2.2.2. | https://github.com/dotnet/announcements/issues/97 | CVE-2019-0657 |
 | packages.config:9:3:9:79 | System.IO.Pipelines 4.5.0 | Package 'System.IO.Pipelines 4.5.0' has vulnerability $@, and should be upgraded to version 4.5.1. | https://github.com/aspnet/Announcements/issues/316 | CVE-2018-8409 |
 | packages.config:10:3:10:81 | System.IO.Pipelines 4.5.0.0 | Package 'System.IO.Pipelines 4.5.0.0' has vulnerability $@, and should be upgraded to version 4.5.1. | https://github.com/aspnet/Announcements/issues/316 | CVE-2018-8409 |
 | packages.config:11:3:11:84 | microsoft.aspnetcore.all 2.0.0 | Package 'microsoft.aspnetcore.all 2.0.0' has vulnerability $@, and should be upgraded to version 2.0.9. | https://github.com/aspnet/Announcements/issues/300 | ASPNETCore-Mar18 |
--- a/csharp/ql/test/query-tests/Security
+++ b/csharp/ql/test/query-tests/Security
@ -1,16 +1,22 @@
 <Project>
  <ItemGroup>
-    <!-- These are GOOD -->
-    <PackageManagement Include="Microsoft.AspNetCore.All" Version="2.1.5" />
-    <PackageReference Include="System.Net.Http" Version="4.3.4" />
-    <PackageReference Include="System.Text.Encodings.Web" Version="4.2.9" />
-    <PackageReference Include="System.Text.Encodings.Web" Version="4.3.1" />
-
    <!-- These are BAD -->
    <PackageReference Include="System.Text.Encodings.Web" Version="4.3.0" />
    <PackageReference Include="system.text.encodings.web" Version="4.3" />
    <PackageReference Include="System.Net.Http" Version="4.1.1" />
    <PackageReference Include="System.Net.Http" Version="4.1.2" />
+    <PackageReference Include="System.Private.Uri" Version="4.3.0" />
+    <PackageReference Include="Microsoft.NETCore.App" Version="2.1.0" />
+    <PackageReference Include="Microsoft.NETCore.App" Version="2.2.1" />
+
+    <!-- These are GOOD -->
+    <PackageManagement Include="Microsoft.AspNetCore.All" Version="2.1.5" />
+    <PackageReference Include="System.Net.Http" Version="4.3.4" />
+    <PackageReference Include="System.Text.Encodings.Web" Version="4.2.9" />
+    <PackageReference Include="System.Text.Encodings.Web" Version="4.3.1" />
+    <PackageReference Include="System.Private.Uri" Version="4.3.1" />
+    <PackageReference Include="Microsoft.NETCore.App" Version="2.1.8" />
+    <PackageReference Include="Microsoft.NETCore.App" Version="2.2.2" />

  </ItemGroup>
 </Project>