@fabasoad/sarif-to-slack 0.2.4 → 1.0.0

Files changed (193) hide show
  1. package/.github/workflows/release.yml +1 -1
  2. package/.github/workflows/security.yml +0 -1
  3. package/.github/workflows/send-sarif-to-slack.yml +148 -76
  4. package/.gitleaksignore +8 -0
  5. package/.pre-commit-config.yaml +3 -3
  6. package/.tool-versions +1 -1
  7. package/dist/Logger.js +4 -1
  8. package/dist/SarifToSlackClient.d.ts +33 -0
  9. package/dist/SarifToSlackClient.d.ts.map +1 -0
  10. package/dist/SarifToSlackClient.js +178 -0
  11. package/dist/SlackMessageBuilder.js +34 -82
  12. package/dist/System.d.ts +2 -0
  13. package/dist/System.d.ts.map +1 -0
  14. package/dist/System.js +15 -0
  15. package/dist/index.cjs +843 -467
  16. package/dist/index.d.ts +35 -12
  17. package/dist/index.d.ts.map +1 -1
  18. package/dist/index.js +36 -12
  19. package/dist/model/Color.d.ts +70 -0
  20. package/dist/model/Color.d.ts.map +1 -0
  21. package/dist/model/Color.js +119 -0
  22. package/dist/model/Finding.d.ts +2 -0
  23. package/dist/model/Finding.d.ts.map +1 -0
  24. package/dist/model/Finding.js +93 -0
  25. package/dist/model/FindingsArray.d.ts +2 -0
  26. package/dist/model/FindingsArray.d.ts.map +1 -0
  27. package/dist/model/FindingsArray.js +24 -0
  28. package/dist/processors/CodeQLProcessor.d.ts +2 -0
  29. package/dist/processors/CodeQLProcessor.d.ts.map +1 -0
  30. package/dist/processors/CodeQLProcessor.js +17 -0
  31. package/dist/processors/CommonProcessor.d.ts +2 -0
  32. package/dist/processors/CommonProcessor.d.ts.map +1 -0
  33. package/dist/processors/CommonProcessor.js +84 -0
  34. package/dist/processors/ProcessorFactory.d.ts +2 -0
  35. package/dist/processors/ProcessorFactory.d.ts.map +1 -0
  36. package/dist/processors/ProcessorFactory.js +22 -0
  37. package/dist/processors/SnykProcessor.d.ts +2 -0
  38. package/dist/processors/SnykProcessor.d.ts.map +1 -0
  39. package/dist/processors/SnykProcessor.js +18 -0
  40. package/dist/representations/CompactGroupByRepresentation.d.ts +2 -0
  41. package/dist/representations/CompactGroupByRepresentation.d.ts.map +1 -0
  42. package/dist/representations/CompactGroupByRepresentation.js +58 -0
  43. package/dist/representations/CompactGroupByRunPerLevelRepresentation.d.ts +2 -0
  44. package/dist/representations/CompactGroupByRunPerLevelRepresentation.d.ts.map +1 -0
  45. package/dist/representations/CompactGroupByRunPerLevelRepresentation.js +13 -0
  46. package/dist/representations/CompactGroupByRunPerSeverityRepresentation.d.ts +2 -0
  47. package/dist/representations/CompactGroupByRunPerSeverityRepresentation.d.ts.map +1 -0
  48. package/dist/representations/CompactGroupByRunPerSeverityRepresentation.js +13 -0
  49. package/dist/representations/CompactGroupByRunRepresentation.d.ts +2 -0
  50. package/dist/representations/CompactGroupByRunRepresentation.d.ts.map +1 -0
  51. package/dist/representations/CompactGroupByRunRepresentation.js +39 -0
  52. package/dist/representations/CompactGroupBySarifPerLevelRepresentation.d.ts +2 -0
  53. package/dist/representations/CompactGroupBySarifPerLevelRepresentation.d.ts.map +1 -0
  54. package/dist/representations/CompactGroupBySarifPerLevelRepresentation.js +13 -0
  55. package/dist/representations/CompactGroupBySarifPerSeverityRepresentation.d.ts +2 -0
  56. package/dist/representations/CompactGroupBySarifPerSeverityRepresentation.d.ts.map +1 -0
  57. package/dist/representations/CompactGroupBySarifPerSeverityRepresentation.js +13 -0
  58. package/dist/representations/CompactGroupBySarifRepresentation.d.ts +2 -0
  59. package/dist/representations/CompactGroupBySarifRepresentation.d.ts.map +1 -0
  60. package/dist/representations/CompactGroupBySarifRepresentation.js +40 -0
  61. package/dist/representations/CompactGroupByToolNamePerLevelRepresentation.d.ts +2 -0
  62. package/dist/representations/CompactGroupByToolNamePerLevelRepresentation.d.ts.map +1 -0
  63. package/dist/representations/CompactGroupByToolNamePerLevelRepresentation.js +13 -0
  64. package/dist/representations/CompactGroupByToolNamePerSeverityRepresentation.d.ts +2 -0
  65. package/dist/representations/CompactGroupByToolNamePerSeverityRepresentation.d.ts.map +1 -0
  66. package/dist/representations/CompactGroupByToolNamePerSeverityRepresentation.js +13 -0
  67. package/dist/representations/CompactGroupByToolNameRepresentation.d.ts +2 -0
  68. package/dist/representations/CompactGroupByToolNameRepresentation.d.ts.map +1 -0
  69. package/dist/representations/CompactGroupByToolNameRepresentation.js +39 -0
  70. package/dist/representations/CompactTotalPerLevelRepresentation.d.ts +2 -0
  71. package/dist/representations/CompactTotalPerLevelRepresentation.d.ts.map +1 -0
  72. package/dist/representations/CompactTotalPerLevelRepresentation.js +13 -0
  73. package/dist/representations/CompactTotalPerSeverityRepresentation.d.ts +2 -0
  74. package/dist/representations/CompactTotalPerSeverityRepresentation.d.ts.map +1 -0
  75. package/dist/representations/CompactTotalPerSeverityRepresentation.js +13 -0
  76. package/dist/representations/CompactTotalRepresentation.d.ts +2 -0
  77. package/dist/representations/CompactTotalRepresentation.d.ts.map +1 -0
  78. package/dist/representations/CompactTotalRepresentation.js +25 -0
  79. package/dist/representations/Representation.d.ts +2 -0
  80. package/dist/representations/Representation.d.ts.map +1 -0
  81. package/dist/representations/Representation.js +28 -0
  82. package/dist/representations/RepresentationFactory.d.ts +2 -0
  83. package/dist/representations/RepresentationFactory.d.ts.map +1 -0
  84. package/dist/representations/RepresentationFactory.js +37 -0
  85. package/dist/sarif-to-slack.d.ts +337 -85
  86. package/dist/tsdoc-metadata.json +1 -1
  87. package/dist/types.d.ts +215 -51
  88. package/dist/types.d.ts.map +1 -1
  89. package/dist/types.js +225 -33
  90. package/dist/utils/Comparators.d.ts +2 -0
  91. package/dist/utils/Comparators.d.ts.map +1 -0
  92. package/dist/utils/Comparators.js +18 -0
  93. package/dist/utils/ExtendedArray.d.ts +2 -0
  94. package/dist/utils/ExtendedArray.d.ts.map +1 -0
  95. package/dist/utils/ExtendedArray.js +11 -0
  96. package/dist/utils/FileUtils.d.ts +2 -0
  97. package/dist/utils/FileUtils.d.ts.map +1 -0
  98. package/dist/utils/FileUtils.js +51 -0
  99. package/dist/utils/SarifUtils.js +19 -53
  100. package/etc/sarif-to-slack.api.md +161 -99
  101. package/jest.config.json +2 -2
  102. package/package.json +9 -9
  103. package/scripts/save-metadata.sh +15 -0
  104. package/src/Logger.ts +4 -0
  105. package/src/SarifToSlackClient.ts +202 -0
  106. package/src/SlackMessageBuilder.ts +35 -115
  107. package/src/System.ts +16 -0
  108. package/src/index.ts +47 -20
  109. package/src/model/Color.ts +201 -0
  110. package/src/model/Finding.ts +137 -0
  111. package/src/model/FindingsArray.ts +27 -0
  112. package/src/processors/CodeQLProcessor.ts +19 -0
  113. package/src/processors/CommonProcessor.ts +103 -0
  114. package/src/processors/ProcessorFactory.ts +23 -0
  115. package/src/processors/SnykProcessor.ts +19 -0
  116. package/src/representations/CompactGroupByRepresentation.ts +67 -0
  117. package/src/representations/CompactGroupByRunPerLevelRepresentation.ts +14 -0
  118. package/src/representations/CompactGroupByRunPerSeverityRepresentation.ts +14 -0
  119. package/src/representations/CompactGroupByRunRepresentation.ts +44 -0
  120. package/src/representations/CompactGroupBySarifPerLevelRepresentation.ts +15 -0
  121. package/src/representations/CompactGroupBySarifPerSeverityRepresentation.ts +15 -0
  122. package/src/representations/CompactGroupBySarifRepresentation.ts +45 -0
  123. package/src/representations/CompactGroupByToolNamePerLevelRepresentation.ts +15 -0
  124. package/src/representations/CompactGroupByToolNamePerSeverityRepresentation.ts +15 -0
  125. package/src/representations/CompactGroupByToolNameRepresentation.ts +44 -0
  126. package/src/representations/CompactTotalPerLevelRepresentation.ts +14 -0
  127. package/src/representations/CompactTotalPerSeverityRepresentation.ts +14 -0
  128. package/src/representations/CompactTotalRepresentation.ts +27 -0
  129. package/src/representations/Representation.ts +35 -0
  130. package/src/representations/RepresentationFactory.ts +49 -0
  131. package/src/types.ts +270 -53
  132. package/src/utils/Comparators.ts +19 -0
  133. package/src/utils/ExtendedArray.ts +11 -0
  134. package/src/utils/FileUtils.ts +60 -0
  135. package/src/utils/SarifUtils.ts +19 -71
  136. package/test-data/sarif/codeql-python.sarif +1448 -1
  137. package/test-data/sarif/codeql-typescript.sarif +3474 -1
  138. package/test-data/sarif/grype-github-actions.sarif +65 -0
  139. package/test-data/sarif/osv-scanner-composer.sarif +972 -0
  140. package/test-data/sarif/osv-scanner-container.sarif +2278 -0
  141. package/test-data/sarif/osv-scanner-gomodules.sarif +813 -0
  142. package/test-data/sarif/osv-scanner-hex.sarif +147 -0
  143. package/test-data/sarif/osv-scanner-maven.sarif +171 -0
  144. package/test-data/sarif/osv-scanner-npm.sarif +627 -0
  145. package/test-data/sarif/osv-scanner-pip.sarif +206 -0
  146. package/test-data/sarif/osv-scanner-pipenv.sarif +243 -0
  147. package/test-data/sarif/osv-scanner-pnpm.sarif +174 -0
  148. package/test-data/sarif/osv-scanner-poetry.sarif +1893 -0
  149. package/test-data/sarif/osv-scanner-rubygems.sarif +402 -0
  150. package/test-data/sarif/osv-scanner-uv.sarif +206 -0
  151. package/test-data/sarif/osv-scanner-yarn.sarif +5207 -0
  152. package/test-data/sarif/runs-0.sarif +5 -0
  153. package/test-data/sarif/runs-2-tools-2-results-0.sarif +1 -1
  154. package/test-data/sarif/runs-2-tools-2.sarif +1 -1
  155. package/test-data/sarif/runs-3-tools-2-results-0.sarif +1 -1
  156. package/test-data/sarif/runs-3-tools-2.sarif +1 -1
  157. package/test-data/sarif/tmp/codeql-csharp.sarif +1 -0
  158. package/test-data/sarif/tmp/grype-container.sarif +1774 -0
  159. package/test-data/sarif/tmp/runs-1-tools-1-results-0.sarif +18 -0
  160. package/test-data/sarif/tmp/runs-2-tools-2.sarif +686 -0
  161. package/test-data/sarif/trivy-iac.sarif +1 -1
  162. package/tests/integration/SendSarifToSlack.spec.ts +95 -27
  163. package/tsconfig.json +2 -0
  164. package/dist/Processors.d.ts +0 -2
  165. package/dist/Processors.d.ts.map +0 -1
  166. package/dist/Processors.js +0 -61
  167. package/dist/SarifToSlackService.d.ts +0 -39
  168. package/dist/SarifToSlackService.d.ts.map +0 -1
  169. package/dist/SarifToSlackService.js +0 -102
  170. package/dist/model/SarifModelPerRun.d.ts +0 -2
  171. package/dist/model/SarifModelPerRun.d.ts.map +0 -1
  172. package/dist/model/SarifModelPerRun.js +0 -90
  173. package/dist/model/SarifModelPerSarif.d.ts +0 -2
  174. package/dist/model/SarifModelPerSarif.d.ts.map +0 -1
  175. package/dist/model/SarifModelPerSarif.js +0 -102
  176. package/dist/model/types.d.ts +0 -2
  177. package/dist/model/types.d.ts.map +0 -1
  178. package/dist/model/types.js +0 -49
  179. package/dist/utils/SortUtils.d.ts +0 -2
  180. package/dist/utils/SortUtils.d.ts.map +0 -1
  181. package/dist/utils/SortUtils.js +0 -20
  182. package/dist/version.d.ts +0 -2
  183. package/dist/version.d.ts.map +0 -1
  184. package/dist/version.js +0 -11
  185. package/scripts/save-version.sh +0 -13
  186. package/src/Processors.ts +0 -68
  187. package/src/SarifToSlackService.ts +0 -115
  188. package/src/model/SarifModelPerRun.ts +0 -123
  189. package/src/model/SarifModelPerSarif.ts +0 -126
  190. package/src/model/types.ts +0 -50
  191. package/src/utils/SortUtils.ts +0 -33
  192. package/src/version.ts +0 -10
  193. package/tests/Processors.spec.ts +0 -76
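--- a/package/test-data/sarif/runs-0.sarif
+++ b/package/test-data/sarif/runs-0.sarif
@@ -0,0 +1,5 @@
+ {
+ "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+ "version": "2.1.0",
+ "runs": []
+ }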
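--- a/package/test-data/sarif/runs-2-tools-2-results-0.sarif
+++ b/package/test-data/sarif/runs-2-tools-2-results-0.sarif
@@ -16,7 +16,7 @@
  "columnKind": "utf16CodeUnits",
  "originalUriBaseIds": {
  "ROOTPATH": {
- "uri": "file:///Users/john.doe/Source/personal/business-card-deployment/"
+ "uri": "file:///Users/john.doe/projects/business-card-deployment/"
  }
  }
  },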
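Review bot: The replacement `uri` is still an absolute `file:///Users/john.doe/...` home-directory path, so the fixture keeps a machine-specific base URI in a file that ships in the published package (the file list shows `package/test-data/sarif/` inside the tarball). If the tests do not depend on that prefix, a neutral base such as `"uri": "file:///workspace/business-card-deployment/"` (constructed example) would drop the user-path shape entirely. The same line recurs in the hunks at -126, -40 and -270. Whether `john.doe` is already a placeholder cannot be told from these lines, and the enclosing `originalUriBaseIds` object starts outside the hunk.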
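--- a/package/test-data/sarif/runs-2-tools-2.sarif
+++ b/package/test-data/sarif/runs-2-tools-2.sarif
@@ -126,7 +126,7 @@
  "columnKind": "utf16CodeUnits",
  "originalUriBaseIds": {
  "ROOTPATH": {
- "uri": "file:///Users/john.doe/Source/personal/business-card-deployment/"
+ "uri": "file:///Users/john.doe/projects/business-card-deployment/"
  }
  }
  },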
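--- a/package/test-data/sarif/runs-3-tools-2-results-0.sarif
+++ b/package/test-data/sarif/runs-3-tools-2-results-0.sarif
@@ -40,7 +40,7 @@
  "columnKind": "utf16CodeUnits",
  "originalUriBaseIds": {
  "ROOTPATH": {
- "uri": "file:///Users/john.doe/Source/personal/business-card-deployment/"
+ "uri": "file:///Users/john.doe/projects/business-card-deployment/"
  }
  }
  }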
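--- a/package/test-data/sarif/runs-3-tools-2.sarif
+++ b/package/test-data/sarif/runs-3-tools-2.sarif
@@ -270,7 +270,7 @@
  "columnKind": "utf16CodeUnits",
  "originalUriBaseIds": {
  "ROOTPATH": {
- "uri": "file:///Users/john.doe/Source/personal/business-card-deployment/"
+ "uri": "file:///Users/john.doe/projects/business-card-deployment/"
  }
  }
  }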
@@ -0,0 +1 @@
1
+ {"$schema":"https://json.schemastore.org/sarif-2.1.0.json","version":"2.1.0","runs":[{"tool":{"driver":{"name":"CodeQL","organization":"GitHub","semanticVersion":"2.19.0","notifications":[{"id":"cs/compilation-message","name":"cs/compilation-message","shortDescription":{"text":"Compilation message"},"fullDescription":{"text":"A message emitted by the compiler, including warnings and errors."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["internal","non-attributable"],"description":"A message emitted by the compiler, including warnings and errors.","id":"cs/compilation-message","kind":"diagnostic","name":"Compilation message"}},{"id":"cs/diagnostics/extraction-errors","name":"cs/diagnostics/extraction-errors","shortDescription":{"text":"Extraction errors"},"fullDescription":{"text":"List all errors reported by the extractor or the compiler. Extractor errors are limited to those files where there are no compilation errors."},"defaultConfiguration":{"enabled":true},"properties":{"description":"List all errors reported by the extractor or the compiler. 
Extractor errors are\n limited to those files where there are no compilation errors.","id":"cs/diagnostics/extraction-errors","kind":"diagnostic","name":"Extraction errors"}},{"id":"cs/compilation-error","name":"cs/compilation-error","shortDescription":{"text":"Compilation error"},"fullDescription":{"text":"A compilation error can cause extraction problems, and could lead to inaccurate results."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["internal","non-attributable"],"description":"A compilation error can cause extraction problems, and could lead to inaccurate results.","id":"cs/compilation-error","kind":"diagnostic","name":"Compilation error"}},{"id":"cs/diagnostics/successfully-extracted-files","name":"cs/diagnostics/successfully-extracted-files","shortDescription":{"text":"Extracted files"},"fullDescription":{"text":"A list of all files in the source code directory that were extracted without encountering an extraction or compiler error in the file."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["successfully-extracted-files"],"description":"A list of all files in the source code directory that were extracted\n without encountering an extraction or compiler error in the file.","id":"cs/diagnostics/successfully-extracted-files","kind":"diagnostic","name":"Extracted files"}},{"id":"cs/extraction-message","name":"cs/extraction-message","shortDescription":{"text":"Extraction message"},"fullDescription":{"text":"An error message reported by the extractor. This could lead to inaccurate results."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["internal","non-attributable"],"description":"An error message reported by the extractor. 
This could lead to inaccurate results.","id":"cs/extraction-message","kind":"diagnostic","name":"Extraction message"}},{"id":"cs/extraction-error","name":"cs/extraction-error","shortDescription":{"text":"Extraction error"},"fullDescription":{"text":"An error message reported by the extractor, limited to those files where there are no compilation errors. This indicates a bug or limitation in the extractor, and could lead to inaccurate results."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["internal","non-attributable"],"description":"An error message reported by the extractor, limited to those files where there are no\n compilation errors. This indicates a bug or limitation in the extractor, and could lead\n to inaccurate results.","id":"cs/extraction-error","kind":"diagnostic","name":"Extraction error"}},{"id":"csharp/diagnostic/database-quality","name":"csharp/diagnostic/database-quality","shortDescription":{"text":"Low C# analysis quality"},"fullDescription":{"text":"Low C# analysis quality"},"defaultConfiguration":{"enabled":true},"properties":{"description":"Low C# analysis quality","id":"csharp/diagnostic/database-quality","kind":"diagnostic","name":"Low C# analysis quality"}},{"id":"cs/baseline/expected-extracted-files","name":"cs/baseline/expected-extracted-files","shortDescription":{"text":"Expected extracted files"},"fullDescription":{"text":"Files appearing in the source archive that are expected to be extracted."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["expected-extracted-files","telemetry"]}},{"id":"cli/sip-enablement","name":"cli/sip-enablement","shortDescription":{"text":"macOS SIP enablement status"},"fullDescription":{"text":"macOS SIP enablement status"},"defaultConfiguration":{"enabled":true}}],"rules":[{"id":"cs/sensitive-data-transmission","name":"cs/sensitive-data-transmission","shortDescription":{"text":"Information exposure through transmitted data"},"fullDescription":{"text":"Transmitting sensitive 
information to the user is a potential security risk."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-201"],"description":"Transmitting sensitive information to the user is a potential security risk.","id":"cs/sensitive-data-transmission","kind":"path-problem","name":"Information exposure through transmitted data","precision":"high","problem.severity":"error","security-severity":"4.3"}},{"id":"cs/code-injection","name":"cs/code-injection","shortDescription":{"text":"Improper control of generation of code"},"fullDescription":{"text":"Treating externally controlled strings as code can allow an attacker to execute malicious code."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-094","external/cwe/cwe-095","external/cwe/cwe-096"],"description":"Treating externally controlled strings as code can allow an attacker to execute\n malicious code.","id":"cs/code-injection","kind":"path-problem","name":"Improper control of generation of code","precision":"high","problem.severity":"error","security-severity":"9.3"}},{"id":"cs/information-exposure-through-exception","name":"cs/information-exposure-through-exception","shortDescription":{"text":"Information exposure through an exception"},"fullDescription":{"text":"Leaking information about an exception, such as messages and stack traces, to an external user can expose implementation details that are useful to an attacker for developing a subsequent exploit."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-209","external/cwe/cwe-497"],"description":"Leaking information about an exception, such as messages and stack traces, to an\n external user can expose implementation details that are useful to an attacker for\n developing a subsequent exploit.","id":"cs/information-exposure-through-exception","kind":"path-problem","name":"Information exposure through 
an exception","precision":"high","problem.severity":"error","security-severity":"5.4"}},{"id":"cs/user-controlled-bypass","name":"cs/user-controlled-bypass","shortDescription":{"text":"User-controlled bypass of sensitive method"},"fullDescription":{"text":"User-controlled bypassing of sensitive methods may allow attackers to avoid passing through authentication systems."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-807","external/cwe/cwe-247","external/cwe/cwe-350"],"description":"User-controlled bypassing of sensitive methods may allow attackers to avoid\n passing through authentication systems.","id":"cs/user-controlled-bypass","kind":"path-problem","name":"User-controlled bypass of sensitive method","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"cs/web/missing-x-frame-options","name":"cs/web/missing-x-frame-options","shortDescription":{"text":"Missing X-Frame-Options HTTP header"},"fullDescription":{"text":"If the 'X-Frame-Options' setting is not provided, a malicious user may be able to overlay their own UI on top of the site by using an iframe."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-451","external/cwe/cwe-829"],"description":"If the 'X-Frame-Options' setting is not provided, a malicious user may be able to\n overlay their own UI on top of the site by using an iframe.","id":"cs/web/missing-x-frame-options","kind":"problem","name":"Missing X-Frame-Options HTTP header","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"cs/web/unvalidated-url-redirection","name":"cs/web/unvalidated-url-redirection","shortDescription":{"text":"URL redirection from remote source"},"fullDescription":{"text":"URL redirection based on unvalidated user input may cause redirection to malicious web 
sites."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-601"],"description":"URL redirection based on unvalidated user input\n may cause redirection to malicious web sites.","id":"cs/web/unvalidated-url-redirection","kind":"path-problem","name":"URL redirection from remote source","precision":"high","problem.severity":"error","security-severity":"6.1"}},{"id":"cs/web/persistent-cookie","name":"cs/web/persistent-cookie","shortDescription":{"text":"Cookie security: persistent cookie"},"fullDescription":{"text":"Persistent cookies are vulnerable to attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-539"],"description":"Persistent cookies are vulnerable to attacks.","id":"cs/web/persistent-cookie","kind":"problem","name":"Cookie security: persistent cookie","precision":"high","problem.severity":"warning","security-severity":"8.2"}},{"id":"cs/assembly-path-injection","name":"cs/assembly-path-injection","shortDescription":{"text":"Assembly path injection"},"fullDescription":{"text":"Loading a .NET assembly based on a path constructed from user-controlled sources may allow a malicious user to load code which modifies the program in unintended ways."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-114"],"description":"Loading a .NET assembly based on a path constructed from user-controlled sources\n may allow a malicious user to load code which modifies the program in unintended\n ways.","id":"cs/assembly-path-injection","kind":"path-problem","name":"Assembly path injection","precision":"high","problem.severity":"error","security-severity":"8.2"}},{"id":"cs/web/directory-browse-enabled","name":"cs/web/directory-browse-enabled","shortDescription":{"text":"ASP.NET config file enables directory browsing"},"fullDescription":{"text":"Directory browsing should not be enabled in production as 
it can leak sensitive information."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-548"],"description":"Directory browsing should not be enabled in production as it can leak sensitive information.","id":"cs/web/directory-browse-enabled","kind":"problem","name":"ASP.NET config file enables directory browsing","precision":"very-high","problem.severity":"warning","security-severity":"6.5"}},{"id":"cs/exposure-of-sensitive-information","name":"cs/exposure-of-sensitive-information","shortDescription":{"text":"Exposure of private information"},"fullDescription":{"text":"If private information is written to an external location, it may be accessible by unauthorized persons."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-359"],"description":"If private information is written to an external location, it may be accessible by\n unauthorized persons.","id":"cs/exposure-of-sensitive-information","kind":"path-problem","name":"Exposure of private information","precision":"high","problem.severity":"error","security-severity":"6.5"}},{"id":"cs/web/requiressl-not-set","name":"cs/web/requiressl-not-set","shortDescription":{"text":"'requireSSL' attribute is not set to true"},"fullDescription":{"text":"Omitting the 'requireSSL' attribute allows data to be transmitted insecurely using HTTP. Always set 'requireSSL' to 'true' to ensure that HTTPS is used at all times."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-319","external/cwe/cwe-614"],"description":"Omitting the 'requireSSL' attribute allows data to be transmitted insecurely\n using HTTP. 
Always set 'requireSSL' to 'true' to ensure that HTTPS\n is used at all times.","id":"cs/web/requiressl-not-set","kind":"problem","name":"'requireSSL' attribute is not set to true","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"cs/sql-injection","name":"cs/sql-injection","shortDescription":{"text":"SQL query built from user-controlled sources"},"fullDescription":{"text":"Building a SQL query from user-controlled sources is vulnerable to insertion of malicious SQL code by the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-089"],"description":"Building a SQL query from user-controlled sources is vulnerable to insertion of\n malicious SQL code by the user.","id":"cs/sql-injection","kind":"path-problem","name":"SQL query built from user-controlled sources","precision":"high","problem.severity":"error","security-severity":"8.8"}},{"id":"cs/web/missing-global-error-handler","name":"cs/web/missing-global-error-handler","shortDescription":{"text":"Missing global error handler"},"fullDescription":{"text":"ASP.NET applications should not set the 'customError' mode to \"off\" without providing a global error handler, otherwise they may leak exception information."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-12","external/cwe/cwe-248"],"description":"ASP.NET applications should not set the 'customError' mode to \"off\" without providing\n a global error handler, otherwise they may leak exception information.","id":"cs/web/missing-global-error-handler","kind":"problem","name":"Missing global error handler","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"cs/inadequate-rsa-padding","name":"cs/inadequate-rsa-padding","shortDescription":{"text":"Weak encryption: inadequate RSA padding"},"fullDescription":{"text":"Finds uses of RSA encryption with inadequate 
padding."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-327","external/cwe/cwe-780"],"description":"Finds uses of RSA encryption with inadequate padding.","id":"cs/inadequate-rsa-padding","kind":"problem","name":"Weak encryption: inadequate RSA padding","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"cs/insufficient-key-size","name":"cs/insufficient-key-size","shortDescription":{"text":"Weak encryption: Insufficient key size"},"fullDescription":{"text":"Finds uses of encryption algorithms with too small a key size"},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-326"],"description":"Finds uses of encryption algorithms with too small a key size","id":"cs/insufficient-key-size","kind":"problem","name":"Weak encryption: Insufficient key size","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"cs/web/debug-binary","name":"cs/web/debug-binary","shortDescription":{"text":"Creating an ASP.NET debug binary may reveal sensitive information"},"fullDescription":{"text":"ASP.NET projects should not produce debug binaries when deploying to production as debug builds provide additional information useful to a malicious attacker."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","maintainability","frameworks/asp.net","external/cwe/cwe-11","external/cwe/cwe-532"],"description":"ASP.NET projects should not produce debug binaries when deploying to production as\n debug builds provide additional information useful to a malicious attacker.","id":"cs/web/debug-binary","kind":"problem","name":"Creating an ASP.NET debug binary may reveal sensitive 
information","precision":"very-high","problem.severity":"warning","security-severity":"7.5"}},{"id":"cs/web/request-validation-disabled","name":"cs/web/request-validation-disabled","shortDescription":{"text":"Page request validation is disabled"},"fullDescription":{"text":"ASP.NET pages should not disable the built-in request validation."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","frameworks/asp.net","external/cwe/cwe-16"],"description":"ASP.NET pages should not disable the built-in request validation.","id":"cs/web/request-validation-disabled","kind":"problem","name":"Page request validation is disabled","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"cs/resource-injection","name":"cs/resource-injection","shortDescription":{"text":"Resource injection"},"fullDescription":{"text":"Building a resource descriptor from untrusted user input is vulnerable to a malicious user providing an unintended resource."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-099"],"description":"Building a resource descriptor from untrusted user input is vulnerable to a\n malicious user providing an unintended resource.","id":"cs/resource-injection","kind":"path-problem","name":"Resource injection","precision":"high","problem.severity":"error","security-severity":"9.8"}},{"id":"cs/ldap-injection","name":"cs/ldap-injection","shortDescription":{"text":"LDAP query built from user-controlled sources"},"fullDescription":{"text":"Building an LDAP query from user-controlled sources is vulnerable to insertion of malicious LDAP code by the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-090"],"description":"Building an LDAP query from user-controlled sources is vulnerable to insertion of\n malicious LDAP code by the user.","id":"cs/ldap-injection","kind":"path-problem","name":"LDAP query 
built from user-controlled sources","precision":"high","problem.severity":"error","security-severity":"9.8"}},{"id":"cs/xml-injection","name":"cs/xml-injection","shortDescription":{"text":"XML injection"},"fullDescription":{"text":"Building an XML document from user-controlled sources is vulnerable to insertion of malicious code by the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-091"],"description":"Building an XML document from user-controlled sources is vulnerable to insertion of\n malicious code by the user.","id":"cs/xml-injection","kind":"path-problem","name":"XML injection","precision":"high","problem.severity":"error","security-severity":"8.8"}},{"id":"cs/weak-encryption","name":"cs/weak-encryption","shortDescription":{"text":"Weak encryption"},"fullDescription":{"text":"Finds uses of encryption algorithms that are weak and obsolete"},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-327"],"description":"Finds uses of encryption algorithms that are weak and obsolete","id":"cs/weak-encryption","kind":"problem","name":"Weak encryption","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"cs/unvalidated-local-pointer-arithmetic","name":"cs/unvalidated-local-pointer-arithmetic","shortDescription":{"text":"Unvalidated local pointer arithmetic"},"fullDescription":{"text":"Using the result of a virtual method call in pointer arithmetic without validation is dangerous because the method may be overridden by a subtype to return any value."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-119","external/cwe/cwe-120","external/cwe/cwe-122","external/cwe/cwe-788"],"description":"Using the result of a virtual method call in pointer arithmetic without\n validation is dangerous because the method may be overridden by a subtype\n to return any 
value.","id":"cs/unvalidated-local-pointer-arithmetic","kind":"problem","name":"Unvalidated local pointer arithmetic","precision":"high","problem.severity":"warning","security-severity":"9.3"}},{"id":"cs/log-forging","name":"cs/log-forging","shortDescription":{"text":"Log entries created from user input"},"fullDescription":{"text":"Building log entries from user-controlled sources is vulnerable to insertion of forged log entries by a malicious user."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-117"],"description":"Building log entries from user-controlled sources is vulnerable to\n insertion of forged log entries by a malicious user.","id":"cs/log-forging","kind":"path-problem","name":"Log entries created from user input","precision":"high","problem.severity":"error","security-severity":"7.8"}},{"id":"cs/web/broad-cookie-domain","name":"cs/web/broad-cookie-domain","shortDescription":{"text":"Cookie security: overly broad domain"},"fullDescription":{"text":"Finds cookies with an overly broad domain."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-287"],"description":"Finds cookies with an overly broad domain.","id":"cs/web/broad-cookie-domain","kind":"problem","name":"Cookie security: overly broad domain","precision":"high","problem.severity":"warning","security-severity":"9.3"}},{"id":"cs/session-reuse","name":"cs/session-reuse","shortDescription":{"text":"Failure to abandon session"},"fullDescription":{"text":"Reusing an existing session as a different user could allow an attacker to access someone else's account by using their session."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-384"],"description":"Reusing an existing session as a different user could allow\n an attacker to access someone else's account by using\n their 
session.","id":"cs/session-reuse","kind":"problem","name":"Failure to abandon session","precision":"high","problem.severity":"error","security-severity":"8.8"}},{"id":"cs/cleartext-storage-of-sensitive-information","name":"cs/cleartext-storage-of-sensitive-information","shortDescription":{"text":"Clear text storage of sensitive information"},"fullDescription":{"text":"Sensitive information stored without encryption or hashing can expose it to an attacker."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-312","external/cwe/cwe-315","external/cwe/cwe-359"],"description":"Sensitive information stored without encryption or hashing can expose it to an\n attacker.","id":"cs/cleartext-storage-of-sensitive-information","kind":"path-problem","name":"Clear text storage of sensitive information","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"cs/ecb-encryption","name":"cs/ecb-encryption","shortDescription":{"text":"Encryption using ECB"},"fullDescription":{"text":"Highlights uses of the encryption mode 'CipherMode.ECB'. This mode should normally not be used because it is vulnerable to replay attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-327"],"description":"Highlights uses of the encryption mode 'CipherMode.ECB'. 
This mode should normally not be used because it is vulnerable to replay attacks.","id":"cs/ecb-encryption","kind":"problem","name":"Encryption using ECB","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"cs/uncontrolled-format-string","name":"cs/uncontrolled-format-string","shortDescription":{"text":"Uncontrolled format string"},"fullDescription":{"text":"Passing untrusted format strings from remote data sources can throw exceptions and cause a denial of service."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-134"],"description":"Passing untrusted format strings from remote data sources can throw exceptions\n and cause a denial of service.","id":"cs/uncontrolled-format-string","kind":"path-problem","name":"Uncontrolled format string","precision":"high","problem.severity":"error","security-severity":"9.3"}},{"id":"cs/web/missing-token-validation","name":"cs/web/missing-token-validation","shortDescription":{"text":"Missing cross-site request forgery token validation"},"fullDescription":{"text":"Handling a POST request without verifying that the request came from the user allows a malicious attacker to submit a request on behalf of the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-352"],"description":"Handling a POST request without verifying that the request came from the user\n allows a malicious attacker to submit a request on behalf of the user.","id":"cs/web/missing-token-validation","kind":"problem","name":"Missing cross-site request forgery token validation","precision":"high","problem.severity":"error","security-severity":"8.8"}},{"id":"cs/unsafe-deserialization-untrusted-input","name":"cs/unsafe-deserialization-untrusted-input","shortDescription":{"text":"Deserialization of untrusted data"},"fullDescription":{"text":"Calling an unsafe deserializer with data controlled by an attacker can lead to 
denial of service and other security problems."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-502"],"description":"Calling an unsafe deserializer with data controlled by an attacker\n can lead to denial of service and other security problems.","id":"cs/unsafe-deserialization-untrusted-input","kind":"path-problem","name":"Deserialization of untrusted data","precision":"high","problem.severity":"error","security-severity":"9.8"}},{"id":"cs/deserialized-delegate","name":"cs/deserialized-delegate","shortDescription":{"text":"Deserialized delegate"},"fullDescription":{"text":"Deserializing a delegate allows for remote code execution when an attacker can control the serialized data."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-502"],"description":"Deserializing a delegate allows for remote code execution when an\n attacker can control the serialized data.","id":"cs/deserialized-delegate","kind":"problem","name":"Deserialized delegate","precision":"high","problem.severity":"warning","security-severity":"9.8"}},{"id":"cs/regex-injection","name":"cs/regex-injection","shortDescription":{"text":"Regular expression injection"},"fullDescription":{"text":"User input should not be used in regular expressions without first being escaped, otherwise a malicious user may be able to provide a regex that could require exponential time on certain inputs."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-730","external/cwe/cwe-400"],"description":"User input should not be used in regular expressions without first being escaped,\n otherwise a malicious user may be able to provide a regex that could require\n exponential time on certain inputs.","id":"cs/regex-injection","kind":"path-problem","name":"Regular expression 
injection","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"cs/redos","name":"cs/redos","shortDescription":{"text":"Denial of Service from comparison of user input against expensive regex"},"fullDescription":{"text":"User input should not be matched against a regular expression that could require exponential time on certain input."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-1333","external/cwe/cwe-730","external/cwe/cwe-400"],"description":"User input should not be matched against a regular expression that could require\n exponential time on certain input.","id":"cs/redos","kind":"path-problem","name":"Denial of Service from comparison of user input against expensive regex","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"cs/zipslip","name":"cs/zipslip","shortDescription":{"text":"Arbitrary file access during archive extraction (\"Zip Slip\")"},"fullDescription":{"text":"Extracting files from a malicious ZIP file, or similar type of archive, without validating that the destination file path is within the destination directory can allow an attacker to unexpectedly gain access to resources."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-022"],"description":"Extracting files from a malicious ZIP file, or similar type of archive, without\n validating that the destination file path is within the destination directory\n can allow an attacker to unexpectedly gain access to resources.","id":"cs/zipslip","kind":"path-problem","name":"Arbitrary file access during archive extraction (\"Zip Slip\")","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"cs/path-injection","name":"cs/path-injection","shortDescription":{"text":"Uncontrolled data used in path expression"},"fullDescription":{"text":"Accessing paths influenced by users can allow an attacker to access 
unexpected resources."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-022","external/cwe/cwe-023","external/cwe/cwe-036","external/cwe/cwe-073","external/cwe/cwe-099"],"description":"Accessing paths influenced by users can allow an attacker to access unexpected resources.","id":"cs/path-injection","kind":"path-problem","name":"Uncontrolled data used in path expression","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"cs/xml/insecure-dtd-handling","name":"cs/xml/insecure-dtd-handling","shortDescription":{"text":"Untrusted XML is read insecurely"},"fullDescription":{"text":"Untrusted XML is read with an insecure resolver and DTD processing enabled."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-611","external/cwe/cwe-827","external/cwe/cwe-776"],"description":"Untrusted XML is read with an insecure resolver and DTD processing enabled.","id":"cs/xml/insecure-dtd-handling","kind":"path-problem","name":"Untrusted XML is read insecurely","precision":"high","problem.severity":"error","security-severity":"9.1"}},{"id":"cs/command-line-injection","name":"cs/command-line-injection","shortDescription":{"text":"Uncontrolled command line"},"fullDescription":{"text":"Using externally controlled strings in a command line may allow a malicious user to change the meaning of the command."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["correctness","security","external/cwe/cwe-078","external/cwe/cwe-088"],"description":"Using externally controlled strings in a command line may allow a malicious\n user to change the meaning of the command.","id":"cs/command-line-injection","kind":"path-problem","name":"Uncontrolled command 
line","precision":"high","problem.severity":"error","security-severity":"9.8"}},{"id":"cs/web/broad-cookie-path","name":"cs/web/broad-cookie-path","shortDescription":{"text":"Cookie security: overly broad path"},"fullDescription":{"text":"Finds cookies with an overly broad path."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-287"],"description":"Finds cookies with an overly broad path.","id":"cs/web/broad-cookie-path","kind":"problem","name":"Cookie security: overly broad path","precision":"high","problem.severity":"warning","security-severity":"9.3"}},{"id":"cs/xml/xpath-injection","name":"cs/xml/xpath-injection","shortDescription":{"text":"XPath injection"},"fullDescription":{"text":"Building an XPath expression from user-controlled sources is vulnerable to insertion of malicious code by the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-643"],"description":"Building an XPath expression from user-controlled sources is vulnerable to insertion of\n malicious code by the user.","id":"cs/xml/xpath-injection","kind":"path-problem","name":"XPath injection","precision":"high","problem.severity":"error","security-severity":"9.8"}},{"id":"cs/web/disabled-header-checking","name":"cs/web/disabled-header-checking","shortDescription":{"text":"Header checking disabled"},"fullDescription":{"text":"Finds places where header checking is disabled."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-113"],"description":"Finds places where header checking is disabled.","id":"cs/web/disabled-header-checking","kind":"problem","name":"Header checking disabled","precision":"high","problem.severity":"warning","security-severity":"6.1"}},{"id":"cs/web/xss","name":"cs/web/xss","shortDescription":{"text":"Cross-site scripting"},"fullDescription":{"text":"Writing user input directly to a web page allows 
for a cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Writing user input directly to a web page\n allows for a cross-site scripting vulnerability.","id":"cs/web/xss","kind":"path-problem","name":"Cross-site scripting","precision":"high","problem.severity":"error","security-severity":"6.1"}},{"id":"cs/insecure-randomness","name":"cs/insecure-randomness","shortDescription":{"text":"Insecure randomness"},"fullDescription":{"text":"Using a cryptographically weak pseudo-random number generator to generate a security sensitive value may allow an attacker to predict what sensitive value will be generated."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-338"],"description":"Using a cryptographically weak pseudo-random number generator to generate a\n security sensitive value may allow an attacker to predict what sensitive value will\n be generated.","id":"cs/insecure-randomness","kind":"path-problem","name":"Insecure randomness","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"cs/summary/lines-of-code","name":"cs/summary/lines-of-code","shortDescription":{"text":"Total lines of C# code in the database"},"fullDescription":{"text":"The total number of lines of code across all files. This is a useful metric of the size of a database. For all files that were seen during the build, this query counts the lines of code, excluding whitespace or comments."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["summary","lines-of-code","debug"],"description":"The total number of lines of code across all files. This is a useful metric of the size of a database. 
For all files that were seen during the build, this query counts the lines of code, excluding whitespace or comments.","id":"cs/summary/lines-of-code","kind":"metric","name":"Total lines of C# code in the database"}},{"id":"cs/telemetry/supported-external-api-taint","name":"cs/telemetry/supported-external-api-taint","shortDescription":{"text":"Supported flow steps in external libraries"},"fullDescription":{"text":"A list of 3rd party APIs detected as flow steps. Excludes APIs exposed by test libraries."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["summary","telemetry"],"description":"A list of 3rd party APIs detected as flow steps. Excludes APIs exposed by test libraries.","id":"cs/telemetry/supported-external-api-taint","kind":"metric","name":"Supported flow steps in external libraries"}},{"id":"cs/telemetry/unsupported-external-api","name":"cs/telemetry/unsupported-external-api","shortDescription":{"text":"Usage of unsupported APIs coming from external libraries"},"fullDescription":{"text":"A list of 3rd party APIs used in the codebase. Excludes APIs exposed by test libraries."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["summary","telemetry"],"description":"A list of 3rd party APIs used in the codebase. Excludes APIs exposed by test libraries.","id":"cs/telemetry/unsupported-external-api","kind":"metric","name":"Usage of unsupported APIs coming from external libraries"}},{"id":"cs/telemetry/supported-external-api-sources","name":"cs/telemetry/supported-external-api-sources","shortDescription":{"text":"Supported sources in external libraries"},"fullDescription":{"text":"A list of 3rd party APIs detected as sources. Excludes APIs exposed by test libraries."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["summary","telemetry"],"description":"A list of 3rd party APIs detected as sources. 
Excludes APIs exposed by test libraries.","id":"cs/telemetry/supported-external-api-sources","kind":"metric","name":"Supported sources in external libraries"}},{"id":"cs/telemetry/external-libs","name":"cs/telemetry/external-libs","shortDescription":{"text":"External libraries"},"fullDescription":{"text":"A list of external libraries used in the code given by their namespace."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["summary","telemetry"],"description":"A list of external libraries used in the code given by their namespace.","id":"cs/telemetry/external-libs","kind":"metric","name":"External libraries"}},{"id":"cs/telemetry/supported-external-api-sinks","name":"cs/telemetry/supported-external-api-sinks","shortDescription":{"text":"Supported sinks in external libraries"},"fullDescription":{"text":"A list of 3rd party APIs detected as sinks. Excludes APIs exposed by test libraries."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["summary","telemetry"],"description":"A list of 3rd party APIs detected as sinks. Excludes APIs exposed by test libraries.","id":"cs/telemetry/supported-external-api-sinks","kind":"metric","name":"Supported sinks in external libraries"}},{"id":"cs/telemetry/extraction-information","name":"cs/telemetry/extraction-information","shortDescription":{"text":"C# extraction information"},"fullDescription":{"text":"Information about the extraction for a C# database"},"defaultConfiguration":{"enabled":true},"properties":{"tags":["summary","telemetry"],"description":"Information about the extraction for a C# database","id":"cs/telemetry/extraction-information","kind":"metric","name":"C# extraction information"}},{"id":"cs/telemetry/supported-external-api","name":"cs/telemetry/supported-external-api","shortDescription":{"text":"Usage of supported APIs coming from external libraries"},"fullDescription":{"text":"A list of supported 3rd party APIs used in the codebase. 
Excludes APIs exposed by test libraries."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["summary","telemetry"],"description":"A list of supported 3rd party APIs used in the codebase. Excludes APIs exposed by test libraries.","id":"cs/telemetry/supported-external-api","kind":"metric","name":"Usage of supported APIs coming from external libraries"}}]},"extensions":[{"name":"codeql/csharp-queries","semanticVersion":"1.0.8+e99d7db428fc3981c9a1f03f03a024ac40e52f54","locations":[{"uri":"file:///Users/john.doe/.local/bin/codeql/qlpacks/codeql/csharp-queries/1.0.8/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///Users/john.doe/.local/bin/codeql/qlpacks/codeql/csharp-queries/1.0.8/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/csharp-all","semanticVersion":"2.0.0+e99d7db428fc3981c9a1f03f03a024ac40e52f54","locations":[{"uri":"file:///Users/john.doe/.local/bin/codeql/qlpacks/codeql/csharp-queries/1.0.8/.codeql/libraries/codeql/csharp-all/2.0.0/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///Users/john.doe/.local/bin/codeql/qlpacks/codeql/csharp-queries/1.0.8/.codeql/libraries/codeql/csharp-all/2.0.0/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/threat-models","semanticVersion":"1.0.8+e99d7db428fc3981c9a1f03f03a024ac40e52f54","locations":[{"uri":"file:///Users/john.doe/.local/bin/codeql/qlpacks/codeql/csharp-queries/1.0.8/.codeql/libraries/codeql/threat-models/1.0.8/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///Users/john.doe/.local/bin/codeql/qlpacks/codeql/csharp-queries/1.0.8/.codeql/libraries/codeql/threat-models/1.0.8/qlpack.yml","description":{"text":"The 
QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]}]},"invocations":[{"toolExecutionNotifications":[{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"Program.cs","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":1,"startColumn":7,"endColumn":13}}}],"message":{"text":"Hidden CS8933 The using directive for 'System' appeared previously as global using"},"level":"none","descriptor":{"id":"cs/compilation-message","index":0},"properties":{"formattedMessage":{"text":"Hidden CS8933 The using directive for 'System' appeared previously as global using"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"obj/Debug/net9.0/.NETCoreApp,Version=v9.0.AssemblyAttributes.cs","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":2,"startColumn":7,"endColumn":13}}}],"message":{"text":"Hidden CS8933 The using directive for 'System' appeared previously as global using"},"level":"none","descriptor":{"id":"cs/compilation-message","index":0},"properties":{"formattedMessage":{"text":"Hidden CS8933 The using directive for 'System' appeared previously as global using"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"obj/Debug/net9.0/csharp.AssemblyInfo.cs","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":10,"startColumn":7,"endColumn":13}}}],"message":{"text":"Hidden CS8933 The using directive for 'System' appeared previously as global using"},"level":"none","descriptor":{"id":"cs/compilation-message","index":0},"properties":{"formattedMessage":{"text":"Hidden CS8933 The using directive for 'System' appeared previously as global using"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"Program.cs","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":13,"startColumn":50,"endColumn":74}}}],"message":{"text":"Warning SYSLIB0021 'DESCryptoServiceProvider' is obsolete: 'Derived cryptographic types are obsolete. 
Use the Create method on the base type instead.'"},"level":"none","descriptor":{"id":"cs/compilation-message","index":0},"properties":{"formattedMessage":{"text":"Warning SYSLIB0021 'DESCryptoServiceProvider' is obsolete: 'Derived cryptographic types are obsolete. Use the Create method on the base type instead.'"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"Program.cs","uriBaseId":"%SRCROOT%","index":0}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cs/diagnostics/successfully-extracted-files","index":3},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"obj/Debug/net9.0/.NETCoreApp,Version=v9.0.AssemblyAttributes.cs","uriBaseId":"%SRCROOT%","index":1}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cs/diagnostics/successfully-extracted-files","index":3},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"obj/Debug/net9.0/csharp.AssemblyInfo.cs","uriBaseId":"%SRCROOT%","index":2}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cs/diagnostics/successfully-extracted-files","index":3},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"obj/Debug/net9.0/csharp.GlobalUsings.g.cs","uriBaseId":"%SRCROOT%","index":3}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cs/diagnostics/successfully-extracted-files","index":3},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"Program.cs","uriBaseId":"%SRCROOT%","index":0}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cs/baseline/expected-extracted-files","index":7},"properties":{"formattedMessage":{"text":""}}},{"message":{"text":""},"level":"note","timeUtc":"2025-05-09T08:00:49.139+00:00","descriptor":{"id":"cli/sip-enablement","index":8},"properties":{"attributes":{"isEnabled":true},"visibility":{"statusPage":false,"telem
etry":true}}}],"executionSuccessful":true}],"artifacts":[{"location":{"uri":"Program.cs","uriBaseId":"%SRCROOT%","index":0}},{"location":{"uri":"obj/Debug/net9.0/.NETCoreApp,Version=v9.0.AssemblyAttributes.cs","uriBaseId":"%SRCROOT%","index":1}},{"location":{"uri":"obj/Debug/net9.0/csharp.AssemblyInfo.cs","uriBaseId":"%SRCROOT%","index":2}},{"location":{"uri":"obj/Debug/net9.0/csharp.GlobalUsings.g.cs","uriBaseId":"%SRCROOT%","index":3}}],"results":[{"ruleId":"cs/weak-encryption","ruleIndex":20,"rule":{"id":"cs/weak-encryption","index":20},"message":{"text":"DES encryption uses keys of 56 bits only. Switch to AesCryptoServiceProvider or RijndaelManaged instead."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"Program.cs","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":13,"startColumn":46,"endColumn":76}}}],"partialFingerprints":{"primaryLocationLineHash":"cacc56887e648f5d:1","primaryLocationStartColumnFingerprint":"37"}}],"columnKind":"utf16CodeUnits","properties":{"semmle.formatSpecifier":"sarifv2.1.0","metricResults":[{"rule":{"id":"cs/summary/lines-of-code","index":42},"ruleId":"cs/summary/lines-of-code","ruleIndex":42,"value":38,"baseline":19},{"rule":{"id":"cs/telemetry/supported-external-api-taint","index":43},"ruleId":"cs/telemetry/supported-external-api-taint","ruleIndex":43,"value":1,"message":{"text":"System.Text#Encoding.GetBytes(System.String)"}},{"rule":{"id":"cs/telemetry/external-libs","index":46},"ruleId":"cs/telemetry/external-libs","ruleIndex":46,"value":2,"message":{"text":"System.Security.Cryptography"}},{"rule":{"id":"cs/telemetry/external-libs","index":46},"ruleId":"cs/telemetry/external-libs","ruleIndex":46,"value":2,"message":{"text":"System"}},{"rule":{"id":"cs/telemetry/external-libs","index":46},"ruleId":"cs/telemetry/external-libs","ruleIndex":46,"value":2,"message":{"text":"System.Text"}},{"rule":{"id":"cs/telemetry/supported-external-api-sinks","index":47},"ruleId":"cs/telemetry/supported-external-api-sinks","rule
Index":47,"value":1,"message":{"text":"System.Security.Cryptography#SymmetricAlgorithm.CreateEncryptor()"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":3.0,"message":{"text":"Compiler diagnostic count for CS8933"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":1.0,"message":{"text":"Compiler diagnostic count for SYSLIB0021"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":1.0,"message":{"text":"CSC analyzer: /Users/john.doe/.asdf/installs/dotnet-core/9.0.200/sdk/9.0.200/Sdks/Microsoft.NET.Sdk/targets/../analyzers/Microsoft.CodeAnalysis.CSharp.NetAnalyzers.dll"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":1.0,"message":{"text":"CSC analyzer: /Users/john.doe/.asdf/installs/dotnet-core/9.0.200/sdk/9.0.200/Sdks/Microsoft.NET.Sdk/targets/../analyzers/Microsoft.CodeAnalysis.NetAnalyzers.dll"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":1.0,"message":{"text":"CSC analyzer: /Users/john.doe/.asdf/installs/dotnet-core/9.0.200/packs/Microsoft.NETCore.App.Ref/9.0.2/analyzers/dotnet/cs/Microsoft.Interop.ComInterfaceGenerator.dll"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":1.0,"message":{"text":"CSC analyzer: /Users/john.doe/.asdf/installs/dotnet-core/9.0.200/packs/Microsoft.NETCore.App.Ref/9.0.2/analyzers/dotnet/cs/Microsoft.Interop.JavaScript.JSImportGenerator.dll"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":1.0,"message":{"text":"CSC analyzer: 
/Users/john.doe/.asdf/installs/dotnet-core/9.0.200/packs/Microsoft.NETCore.App.Ref/9.0.2/analyzers/dotnet/cs/Microsoft.Interop.LibraryImportGenerator.dll"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":1.0,"message":{"text":"CSC analyzer: /Users/john.doe/.asdf/installs/dotnet-core/9.0.200/packs/Microsoft.NETCore.App.Ref/9.0.2/analyzers/dotnet/cs/Microsoft.Interop.SourceGeneration.dll"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":1.0,"message":{"text":"CSC analyzer: /Users/john.doe/.asdf/installs/dotnet-core/9.0.200/packs/Microsoft.NETCore.App.Ref/9.0.2/analyzers/dotnet/cs/System.Text.Json.SourceGeneration.dll"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":1.0,"message":{"text":"CSC analyzer: /Users/john.doe/.asdf/installs/dotnet-core/9.0.200/packs/Microsoft.NETCore.App.Ref/9.0.2/analyzers/dotnet/cs/System.Text.RegularExpressions.Generator.dll"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":3.0,"message":{"text":"Number of diagnostics with severity 0"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":1.0,"message":{"text":"Number of diagnostics with severity 2"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":1.0,"message":{"text":"Number of files with extension props"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":165.0,"message":{"text":"Number of files with extension 
dll"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":4.0,"message":{"text":"Number of files with extension cs"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":1.0,"message":{"text":"Number of files with extension csproj"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":15.0,"message":{"text":"Number of lines of code with extension props"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":38.0,"message":{"text":"Number of lines of code with extension cs"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":10.0,"message":{"text":"Number of lines of code with extension csproj"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":15.0,"message":{"text":"Total number of lines with extension props"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":60.0,"message":{"text":"Total number of lines with extension cs"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":10.0,"message":{"text":"Total number of lines with extension csproj"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":172.0,"message":{"text":"Number of files"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":85.0,"message":{"text":"Total number of 
lines"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":63.0,"message":{"text":"Number of lines of code"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":100.0,"message":{"text":"Percentage of access with target"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":2343.0,"message":{"text":"Number of access with target"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":100.0,"message":{"text":"Percentage of calls with call target"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":10.0,"message":{"text":"Number of calls with call target"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":100.0,"message":{"text":"Percentage of expressions with known kind"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":100.0,"message":{"text":"Percentage of expressions with known type"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":0.0,"message":{"text":"Number of access with missing target"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":58216.0,"message":{"text":"Number of expressions with known kind"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":60.0,"message":{"text":"Number of expressions with known 
type"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":100.0,"message":{"text":"Percentage of type mentions with known type"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":0.0,"message":{"text":"Number of expressions with unknown kind"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":0.0,"message":{"text":"Number of expressions with unknown type"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":24.0,"message":{"text":"Number of type mentions with known type"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":0.0,"message":{"text":"Number of calls with missing call target"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":0.0,"message":{"text":"Number of type mentions with unknown type"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":0.0,"message":{"text":"Is extracted with build-mode set to 'none'"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":0.0,"message":{"text":"Number of compiler reported ambiguity errors"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":0.0,"message":{"text":"Number of compiler reported ambiguity error 
messages"}},{"rule":{"id":"cs/telemetry/supported-external-api","index":49},"ruleId":"cs/telemetry/supported-external-api","ruleIndex":49,"value":1,"message":{"text":"System.Text#Encoding.GetBytes(System.String)"}},{"rule":{"id":"cs/telemetry/supported-external-api","index":49},"ruleId":"cs/telemetry/supported-external-api","ruleIndex":49,"value":1,"message":{"text":"System.Text#Encoding.get_ASCII()"}},{"rule":{"id":"cs/telemetry/supported-external-api","index":49},"ruleId":"cs/telemetry/supported-external-api","ruleIndex":49,"value":1,"message":{"text":"System#Console.WriteLine(System.Object)"}},{"rule":{"id":"cs/telemetry/supported-external-api","index":49},"ruleId":"cs/telemetry/supported-external-api","ruleIndex":49,"value":1,"message":{"text":"System#Array.get_Length()"}},{"rule":{"id":"cs/telemetry/supported-external-api","index":49},"ruleId":"cs/telemetry/supported-external-api","ruleIndex":49,"value":1,"message":{"text":"System.Security.Cryptography#SymmetricAlgorithm.CreateEncryptor()"}},{"rule":{"id":"cs/telemetry/supported-external-api","index":49},"ruleId":"cs/telemetry/supported-external-api","ruleIndex":49,"value":1,"message":{"text":"System.Security.Cryptography#ICryptoTransform.TransformFinalBlock(System.Byte\\[\\],System.Int32,System.Int32)"}}]}}]}