infersharp/.inferconfig

{
  "force-delete-results-dir": true,
  "siof-safe-methods": ["getGlobalNonPODAllowListed", "allow_listed::getGlobalNonPOD",
                        "allow_listed::TemplatedObject::getGlobalNonPOD"],
  "enable-issue-type" : [ "PULSE_RESOURCE_LEAK",  "TAINT_ERROR", "NULLPTR_DEREFERENCE", "THREAD_SAFETY_VIOLATION" ],
  "disable-issue-type" : [ "DOTNET_RESOURCE_LEAK", "PULSE_UNINITIALIZED_VALUE" ],
  "debug-level" : 1,
  "sarif" : true,
  "pulse" : true,
  "biabduction" : false,
  "timeout": 180,
  "pulse-taint-policies": [
    { "short_description": "SQL injection risk",
      "taint_flows": [
        { "source_kinds": ["UserControlledURI", "UserControlledString"],
          "sink_kinds": ["SQLInjection"]  }
      ]
    },
    {
      "short_description": "Remote data to unsafe deserializer",
      "taint_flows": [
        { "source_kinds": ["UserControlledURI", "UserControlledString"],
          "sink_kinds": ["Deserialization"] }
      ]
    }
  ],
  "pulse-taint-sources": [
    { "method_with_annotation" : "HttpGetAttribute",
      "kinds": ["UserControlledURI"],
      "taint_target": "AllArguments"},
    { "method_with_annotation" : "HttpPutAttribute",
      "kinds": ["UserControlledURI"],
      "taint_target": "AllArguments"},
    { "method_with_annotation" : "HttpPostAttribute",
      "kinds": ["UserControlledURI"],
      "taint_target": "AllArguments"},
    { "method_with_annotation" : "HttpDeleteAttribute",
      "kinds": ["UserControlledURI"],
      "taint_target": "AllArguments"},
    { "class_names": ["System.Web.UI.Page"],
      "method_names": ["get_Request"],
      "kinds": ["UserControlledURI"]},
    { "class_names": ["System.Web.UI.WebControls.TextBox", "System.Windows.Forms.TextBox"],
      "method_names": ["get_Text"],
      "kinds": ["UserControlledString"]
    },
    { "class_names": ["System.Console"],
      "method_names": ["ReadLine"],
      "kinds": ["UserControlledString"]
    }
  ],
  "pulse-taint-sinks": [
    { "class_names": ["System.Data.Common.DbCommand"],
      "method_names": ["set_CommandText"],
      "kinds": ["SQLInjection"]
    },
    { "class_names": ["System.Data.SqlClient.SqlCommand"],
      "method_names": [".ctor"],
      "kinds": ["SQLInjection"],
      "taint_target": ["ArgumentPositions", [1]]
    } ,
    { "class_names": ["System.Runtime.Serialization.Formatters.Binary.BinaryFormatter",
                      "System.Runtime.Deserialization.Formatters.Soap.SoapFormatter",
                      "System.Web.UI.ObjectStateFormatter",
                      "System.Runtime.Serialization.NetDataContractSerializer",
                      "System.Web.UI.LosFormatter",
                      "YamlDotNet.Serialization.Deserializer"],
      "method_names": ["Deserialize"],
      "kinds": ["Deserialization"]
    },
    { "class_names": ["System.Runtime.Serialization.Formatters.Binary.BinaryFormatter"],
      "method_names": ["UnsafeDeserialize", "UnsafeDeserializeMethodResponse"],
      "kinds": ["Deserialization"]
    },
    { "class_names": ["System.Runtime.Serialization.NetDataContractSerializer"],
      "method_names": ["ReadObject"],
      "kinds": ["Deserialization"]
    },
    { "class_names": ["System.Windows.Markup.XamlReader",
                      "System.Workflow.ComponentModel.Activity"],
      "method_names": ["Load", "LoadAsync", "Parse"],
      "kinds": ["Deserialization"]
    },
    { "class_names": ["System.Data.DataSet",
                      "System.Data.DataTable"],
      "method_names": ["ReadXmlSchema", "ReadXml"],
      "kinds": ["Deserialization"]
    }
  ]
}