security-code-scan/security-code-scan

Vulnerability Patterns Detector for C# and VB.NET - Website

Official releases are available as nuget package, Visual Studio extension and stand-alone runner.

```
git clone https://github.com/security-code-scan/security-code-scan.git
cd security-code-scan
```

Open SecurityCodeScan.sln in Visual Studio or build from command line:

```
nuget restore SecurityCodeScan.sln
msbuild SecurityCodeScan.sln
```

- All documentation from the official site is open-source and located in the website folder. Feel free to modify the markdown files and contribute to it.
- You may customize the behavior of Security Code Scan by creating a local configuration file as described in the ExternalConfigurationFiles section. It is easy to add new vulnerable functions (sinks) that should trigger a warning, define untrusted sources, etc. Once you think you have a working configuration file, you are welcome to contribute your changes to the main built-in configuration file. Ideally your Pull Request comes with tests that cover the changes.
- Review the list of available issues. A general understanding of Roslyn might be handy:

Most of the tests are written in two languages: C# and VB.NET. If you aren't an expert in VB.NET (me neither), use any online converter to create the VB.NET counterpart from the tested C# code example.

Tests are ideal for developing features and fixing bugs as they are easy to debug.

In case you are not sure what is wrong or you see an AD0001 error with an exception, it is possible to debug the analysis of the problematic Visual Studio solution.

Visual Studio offloads some static analysis work to a separate process. It is a good idea to uncomment the lines to have a chance to debug the child process.

First, make sure there are no Security Code Scan Visual Studio extensions installed to avoid interference.
Right-click the SecurityCodeScan.Vsix project in the solution and choose Set as StartUp project.
Start debugging in Visual Studio. It will open another instance of Visual Studio with debugger attached.
Open the solution with the problematic source.