From 306839d8cc3810c7c3ed7fa30e2dfded010aaaa1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?=
Date: Tue, 9 Feb 2021 17:54:02 +0200
Subject: [PATCH 1/3] Update README.md
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 8e2a18f0..f0714c6c 100644
--- a/README.md
+++ b/README.md
@@ -4,7 +4,7 @@
 [![Build status](https://ci.appveyor.com/api/projects/status/se4ok0surqu73ob7?svg=true)](https://ci.appveyor.com/project/JarLob/security-code-scan)
 ### Downloading
-Official releases are available as nuget packages ([Master](https://www.nuget.org/packages/SecurityCodeScan/) and [VS2017](https://www.nuget.org/packages/SecurityCodeScan.VS2017/) branches) and as Visual Studio extensions ([Master](https://marketplace.visualstudio.com/items?itemName=JaroslavLobacevski.SecurityCodeScan) and [VS2017](https://marketplace.visualstudio.com/items?itemName=JaroslavLobacevski.SecurityCodeScanVS2017) branches).
+Official releases are available as nuget packages ([VS2015](https://www.nuget.org/packages/SecurityCodeScan/) and [VS2017](https://www.nuget.org/packages/SecurityCodeScan.VS2017/) branches) and as Visual Studio extensions ([VS2015](https://marketplace.visualstudio.com/items?itemName=JaroslavLobacevski.SecurityCodeScan) and [VS2017](https://marketplace.visualstudio.com/items?itemName=JaroslavLobacevski.SecurityCodeScanVS2017) branches).
 Nightly builds are available from [appveyor](https://ci.appveyor.com/project/JarLob/security-code-scan) (go to `Configuration: Release` -> `Artifacts`).
 ### Building
@@ -19,7 +19,7 @@ msbuild SecurityCodeScan.sln
 ```
 ### Contributing
-* All documentation from the [official site](https://security-code-scan.github.io) is open-source and located in the [website](https://github.com/security-code-scan/security-code-scan/tree/master/website) folder. Feel free to modify the markdown files and contribute to it.
+* All documentation from the [official site](https://security-code-scan.github.io) is open-source and located in the [website](https://github.com/security-code-scan/security-code-scan/tree/vs2015/website) folder. Feel free to modify the markdown files and contribute to it.
 * You may customize the behavior of Security Code Scan by creating a local configuration file as described in [ExternalConfigurationFiles section](https://security-code-scan.github.io/#ExternalConfigurationFiles). It is easy to add new vulnerable functions (sinks) that should trigger a warning, define untrusted sources, etc. Once you think you have working configuration file you are welcome to contribute your changes to the main built-in configuration file. Ideally your Pull Request comes with tests that cover the changes.
 * Review the list of available [issues.](https://github.com/security-code-scan/security-code-scan/issues) The general understanding of Roslyn might be handy: - [Use Roslyn to Write a Live Code Analyzer for Your API](https://docs.microsoft.com/en-us/archive/msdn-magazine/2014/special-issue/csharp-and-visual-basic-use-roslyn-to-write-a-live-code-analyzer-for-your-api)
From 7bb07314b3b4f808a91bce3c74be399fb4a6c363 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?=
Date: Tue, 9 Feb 2021 17:57:22 +0200
Subject: [PATCH 2/3] Update README.md
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index f0714c6c..173c9483 100644
--- a/README.md
+++ b/README.md
@@ -19,7 +19,7 @@ msbuild SecurityCodeScan.sln
 ```
 ### Contributing
-* All documentation from the [official site](https://security-code-scan.github.io) is open-source and located in the [website](https://github.com/security-code-scan/security-code-scan/tree/vs2015/website) folder. Feel free to modify the markdown files and contribute to it.
+* All documentation from the [official site](https://security-code-scan.github.io) is open-source and located in the [website](https://github.com/security-code-scan/security-code-scan/tree/vs2019/website) folder. Feel free to modify the markdown files and contribute to it.
 * You may customize the behavior of Security Code Scan by creating a local configuration file as described in [ExternalConfigurationFiles section](https://security-code-scan.github.io/#ExternalConfigurationFiles). It is easy to add new vulnerable functions (sinks) that should trigger a warning, define untrusted sources, etc. Once you think you have working configuration file you are welcome to contribute your changes to the main built-in configuration file. Ideally your Pull Request comes with tests that cover the changes.
 * Review the list of available [issues.](https://github.com/security-code-scan/security-code-scan/issues) The general understanding of Roslyn might be handy: - [Use Roslyn to Write a Live Code Analyzer for Your API](https://docs.microsoft.com/en-us/archive/msdn-magazine/2014/special-issue/csharp-and-visual-basic-use-roslyn-to-write-a-live-code-analyzer-for-your-api)
From 990d4cc891af350e02c8a4cdd5121a443066c94e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?=
Date: Thu, 11 Feb 2021 00:00:05 +0200
Subject: [PATCH 3/3] Deprecation message
---
 SecurityCodeScan.Vsix/marketplace.md | 4 +++-
 SecurityCodeScan/Analyzers/CompilationAnalyzer.cs | 12 ++++++++++++
 .../Analyzers/SecurityAnalysisContext.cs | 3 +++
 SecurityCodeScan/Config/Messages.yml | 4 ++++
 4 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/SecurityCodeScan.Vsix/marketplace.md b/SecurityCodeScan.Vsix/marketplace.md
index 329198ec..6800f1d9 100644
--- a/SecurityCodeScan.Vsix/marketplace.md
+++ b/SecurityCodeScan.Vsix/marketplace.md
@@ -1,4 +1,6 @@
-# Security static code analyzer for .NET
+**_This extension is legacy and is no longer maintained, please use [SecurityCodeScan VS2019](https://marketplace.visualstudio.com/items?itemName=JaroslavLobacevski.SecurityCodeScanVS2019) instead._**
+
+# Security static code analyzer for .NET
 [Website](https://security-code-scan.github.io)
 * Detects various [security vulnerability patterns](https://security-code-scan.github.io/#rules): SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), XML eXternal Entity Injection (XXE), etc.
diff --git a/SecurityCodeScan/Analyzers/CompilationAnalyzer.cs b/SecurityCodeScan/Analyzers/CompilationAnalyzer.cs
index e95b0346..57cc3002 100644
--- a/SecurityCodeScan/Analyzers/CompilationAnalyzer.cs
+++ b/SecurityCodeScan/Analyzers/CompilationAnalyzer.cs
@@ -15,4 +15,16 @@ public void OnCompilationAction(CompilationAnalysisContext ctx)
 ctx.ReportDiagnostic(Diagnostic.Create(Rule, Location.None));
 }
 }
+
+ internal class DeprecationAnalyzer
+ {
+ public const string DiagnosticId = "SCS9999";
+
+ public static readonly DiagnosticDescriptor Rule = LocaleUtil.GetDescriptor(DiagnosticId);
+
+ public void OnCompilationAction(CompilationAnalysisContext ctx)
+ {
+ ctx.ReportDiagnostic(Diagnostic.Create(Rule, Location.None));
+ }
+ }
 }
diff --git a/SecurityCodeScan/Analyzers/SecurityAnalysisContext.cs b/SecurityCodeScan/Analyzers/SecurityAnalysisContext.cs
index a72961e8..56dee35e 100644
--- a/SecurityCodeScan/Analyzers/SecurityAnalysisContext.cs
+++ b/SecurityCodeScan/Analyzers/SecurityAnalysisContext.cs
@@ -36,6 +36,7 @@ public void Initialize(AnalysisContext analysisContext, IEnumerable> OnCompilationStartActions = new List>();
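Review bot: `DeprecationAnalyzer.Rule` is created via `LocaleUtil.GetDescriptor("SCS9999")`, but nothing in this hunk adds that descriptor to the analyzer's `SupportedDiagnostics`; Roslyn rejects a reported diagnostic whose descriptor is not in the reporting analyzer's supported set and surfaces it as an AD0001 analyzer-failure instead of the intended message, so unless `GetDescriptor` or the `DiagnosticAnalyzer` subclass collects descriptors some other way (not visible here) the deprecation notice would never reach users. The class holds no state, so `internal static class DeprecationAnalyzer` with `public static void OnCompilationAction(CompilationAnalysisContext ctx)` would express that and avoid needing an instance field of the same name in `SecurityAnalysisContext`. A one-line summary would also help the next reader, e.g. `/// Reports SCS9999 on every compilation to flag this legacy package line as unmaintained.`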
@@ -65,6 +66,8 @@ private void OnCompilationAction(CompilationAnalysisContext context)
 action(context);
 }
+ DeprecationAnalyzer.OnCompilationAction(context);
+
 if (ProjectConfiguration.ReportAnalysisCompletion)
 FinalAnalyzer.OnCompilationAction(context);
 }
diff --git a/SecurityCodeScan/Config/Messages.yml b/SecurityCodeScan/Config/Messages.yml
index 70f5ce0d..99074afa 100644
--- a/SecurityCodeScan/Config/Messages.yml
+++ b/SecurityCodeScan/Config/Messages.yml
@@ -15,6 +15,10 @@ SCS0000:
 title: "Compilation analysis completed."
 description: This a fake warning you may enable in configuration just to have a proof in a log that analyzer did run.
+SCS9999:
+ title: "This package is legacy and is no longer maintained."
+ description: Please use SecurityCodeScan.VS2019 NuGet instead.
+
 # Injections
 SCS0001:
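Review bot: The new `DeprecationAnalyzer.OnCompilationAction(context)` call fires unconditionally on every compilation, whereas the neighbouring `FinalAnalyzer` call is gated by `ProjectConfiguration.ReportAnalysisCompletion`. If SCS9999 is emitted at Warning severity (the severity is not visible in this patch), every consumer building with `TreatWarningsAsErrors` gets a hard build break on the first restore of this release, with no project-level opt-out short of `NoWarn` or an `.editorconfig` override. Consider reporting it at Info severity or gating it on a configuration switch in the same style as the line below, e.g. `if (!ProjectConfiguration.SuppressDeprecationWarning) DeprecationAnalyzer.OnCompilationAction(context);`, so teams can keep CI green while they migrate. The enclosing `OnCompilationAction` method starts before this hunk; only the tail of the `action(context)` loop is visible.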
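Review bot: The SCS9999 description names only the NuGet package, but the same analyzer assembly presumably also ships inside the VSIX that this commit marks as legacy in marketplace.md, so extension users would be told to install a NuGet they may not be using. Naming both successors keeps the message correct for either install path: `description: Please use the SecurityCodeScan.VS2019 NuGet package or the SecurityCodeScan VS2019 Visual Studio extension instead.` Since SCS9999 sits outside every rule family in this file, a short comment above the entry such as `# Deprecation notice for this legacy package line (not a vulnerability rule)` would also stop it being mistaken for a finding.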