Fix S5332 FP: Ignore for WPF xml definitions #6141

Closed
GeertvanHorrik opened this issue Sep 29, 2022 · 4 comments · Fixed by #6207
Labels: Area: C# (C# rules related issues); Area: Security (Related to Vulnerability and Security Hotspot rules); Type: False Positive (Rule IS triggered when it shouldn't be)

GeertvanHorrik commented Sep 29, 2022

Description

The rule is S5332 ("Using clear-text protocols is security-sensitive")

Repro steps

When developing a WPF component or app, it will create security hotspots for these items:

[assembly: XmlnsPrefix("http://schemas.catelproject.com", "catel")]
[assembly: XmlnsDefinition("http://schemas.catelproject.com", "Catel.MVVM")]

In case of xml namespaces, does it really need to create these issues (is it a true risk)? If not, then maybe the XmlnsPrefix and XmlnsDefinition can be used to exclude this?

  • C#/VB.NET Plugins version (C# 11)
  • Visual Studio version (VS 2022)
  • MSBuild / dotnet version (.NET 6)
  • SonarScanner for .NET version (if used) (5.8.0)

@pavel-mikula-sonarsource (Contributor)

Hi @GeertvanHorrik,

Thank you for reporting this case. Xml namespaces indeed should not be reported and I confirm it as FP.

@pavel-mikula-sonarsource pavel-mikula-sonarsource added Type: False Positive Rule IS triggered when it shouldn't be. Area: C# C# rules related issues. Area: Security Related to Vulnerability and Security Hotspot rules labels Sep 29, 2022

@pavel-mikula-sonarsource (Contributor)

Namespace: System.Windows.Markup

@andrei-epure-sonarsource andrei-epure-sonarsource changed the title [S5332] Using http protocol is insecure => ignore for xml definitions? S5332 FP: should ignore for xml definitions Oct 14, 2022
@pavel-mikula-sonarsource pavel-mikula-sonarsource changed the title S5332 FP: should ignore for xml definitions Fix S5332 FP: Ignore for WPF xml definitions Oct 14, 2022

@martin-strecker-sonarsource (Contributor)

Created #6223 as a follow-up.
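
The exclusion discussed in this thread, sketched as an added example (it is not part of the issue and not SonarSource's implementation): a syntax-only Roslyn check that reports string literals starting with `http://` but skips arguments of `XmlnsPrefix` and `XmlnsDefinition` attributes. It assumes the Microsoft.CodeAnalysis.CSharp NuGet package; the class and method names and the `http://example.com/api` endpoint are constructed for illustration, and attributes are matched by name only rather than resolved to `System.Windows.Markup`.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;

public static class ClearTextUrlCheck
{
    // Attributes whose URL argument is an XML namespace identifier, not a network endpoint.
    private static readonly HashSet<string> XmlnsAttributes = new HashSet<string>
        { "XmlnsPrefix", "XmlnsPrefixAttribute", "XmlnsDefinition", "XmlnsDefinitionAttribute" };

    // Returns every http:// string literal that is not an Xmlns* attribute argument.
    public static IEnumerable<string> FindClearTextUrls(string source)
    {
        var root = CSharpSyntaxTree.ParseText(source).GetRoot();
        foreach (var literal in root.DescendantNodes().OfType<LiteralExpressionSyntax>())
        {
            if (!literal.IsKind(SyntaxKind.StringLiteralExpression)) continue;
            string value = literal.Token.ValueText;
            if (!value.StartsWith("http://", StringComparison.OrdinalIgnoreCase)) continue;

            // Assumption: a name match is enough here. A production rule would
            // resolve the attribute symbol with a semantic model instead.
            var attribute = literal.FirstAncestorOrSelf<AttributeSyntax>();
            if (attribute != null && XmlnsAttributes.Contains(SimpleName(attribute.Name))) continue;

            yield return value;
        }
    }

    // Rightmost identifier of a possibly namespace-qualified attribute name.
    private static string SimpleName(NameSyntax name) =>
        name is QualifiedNameSyntax qualified ? qualified.Right.Identifier.ValueText
        : name is SimpleNameSyntax simple ? simple.Identifier.ValueText
        : name.ToString();

    public static void Main()
    {
        // Constructed sample: the two attributes from the issue plus one real endpoint.
        const string sample = @"
using System.Windows.Markup;
[assembly: XmlnsPrefix(""http://schemas.catelproject.com"", ""catel"")]
[assembly: XmlnsDefinition(""http://schemas.catelproject.com"", ""Catel.MVVM"")]
class Client { string endpoint = ""http://example.com/api""; }";
        foreach (var url in FindClearTextUrls(sample))
            Console.WriteLine("Clear-text URL: " + url);
    }
}
```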
