Vulnerability Patterns Detector for C# and VB.NET - Website
Official releases are available as nuget package, Visual Studio extension and stand-alone runner.
git clone https://github.com/security-code-scan/security-code-scan.git
cd security-code-scan
Open SecurityCodeScan.sln
in Visual Studio or build from command line:
nuget restore SecurityCodeScan.sln
msbuild SecurityCodeScan.sln
- All documentation from the official site is open-source and located in the website folder. Feel free to modify the markdown files and contribute to it.
- You may customize the behavior of Security Code Scan by creating a local configuration file as described in ExternalConfigurationFiles section. It is easy to add new vulnerable functions (sinks) that should trigger a warning, define untrusted sources, etc. Once you think you have working configuration file you are welcome to contribute your changes to the main built-in configuration file. Ideally your Pull Request comes with tests that cover the changes.
- Review the list of available issues. The general understanding of Roslyn might be handy:
Most of the tests are written in two languages: C# and VB.NET. If you aren't an expert in VB.NET (me neither) use any online converter to create the VB.NET counterpart from tested C# code example.
Tests are ideal for developing features and fixing bugs as it is easy to debug.
In case you are not sure what is wrong or you see AD0001 error with an exception, it is possible to debug the analysis of problematic Visual Studio solution.
Visual Studio offloads some static analysis work to a separate process. It is a good idea to uncomment the lines to have a chance to debug the child process.
First, make sure there are no Security Code Scan Visual Studio extensions installed to avoid interference.
Right click SecurityCodeScan.Vsix
project in the solution and choose Set as StartUp project
.
Start debugging in Visual Studio. It will open another instance of Visual Studio with debugger attached.
Open the solution with the problematic source.