
C#: Deprecate experimental queries. #17911

Merged: 3 commits merged into github:main from csharp/deprecateexperimental, Jan 21, 2025

Conversation

michaelnebel (Contributor):

The experimental queries are being deprecated. Instead, a copy of the queries has been added to the CodeQL-Community-Packs.

Code scanning annotation 1 (Code scanning / CodeQL, warning "Using 'toString' in query logic": Query logic depends on implementation of 'toString'). Flagged snippet, with the toString call on the last line shown:

    isClassUnsafeXmlSerializerImplementation(c, m) and
    message =
      "Defining an serializable class $@ that has member $@ of a type that is derived from DataSet or DataTable types and may lead to a security problem. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details." and
    classMessage = c.toString() and
Code scanning annotation 2 (Code scanning / CodeQL, warning "Using 'toString' in query logic": Query logic depends on implementation of 'toString'). Flagged snippet, same query as above, with the toString call on the last line shown:

      "Defining an serializable class $@ that has member $@ of a type that is derived from DataSet or DataTable types and may lead to a security problem. Please visit https://go.microsoft.com/fwlink/?linkid=2132227 for details." and
    classMessage = c.toString() and
    member = m and
    memberMessage = m.toString()
Code scanning annotation 3 (Code scanning / CodeQL, warning "Using 'toString' in query logic": Query logic depends on implementation of 'toString'). Flagged snippet, with the toString call on the last line shown:

    FlowToDataSerializerConstructor::flow(source, sink) and
    message =
      "Unsafe type is used in data contract serializer. Make sure $@ comes from the trusted source." and
    sourceMessage = source.toString()
Code scanning annotation 4 (Code scanning / CodeQL, warning "Using 'toString' in query logic": Query logic depends on implementation of 'toString'). Flagged snippet, with the toString call on the last line shown:

    timeComparisonCall, selStatement) and
    message =
      "Possible TimeBomb logic triggered by an $@ that takes into account $@ from the $@ as part of the potential trigger." and
    timeComparisonCallString = timeComparisonCall.toString() and
michaelnebel (Contributor, Author):

DCA didn't report any performance degradations or changes to alerts.

Timeline:

- November 7, 2024 08:57: michaelnebel force-pushed the csharp/deprecateexperimental branch from 8e6a849 to 9e86ef1
- November 7, 2024 15:00: michaelnebel marked this pull request as ready for review
- November 7, 2024 15:00: michaelnebel requested a review from a team as a code owner
- November 8, 2024 08:44: michaelnebel force-pushed the csharp/deprecateexperimental branch from 9e86ef1 to 315279f
- January 21, 2025 12:14: michaelnebel force-pushed the csharp/deprecateexperimental branch from 315279f to 9356295
- January 21, 2025: michaelnebel merged commit 43bc3e5 into github:main (19 checks passed)
- January 21, 2025 12:29: michaelnebel deleted the csharp/deprecateexperimental branch