
C# queries for CodeQL analysis

Explore the queries that CodeQL uses to analyze code written in C# when you select the default or the security-extended query suite.

Who can use this feature?

Code scanning is available for all public repositories on GitHub.com. Code scanning is also available for private repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security. For more information, see "About GitHub Advanced Security."

CodeQL includes many queries for analyzing C# code. All queries in the default query suite are run by default. If you choose to use the security-extended query suite, additional queries are run. For more information, see "CodeQL query suites."

Built-in queries for C# analysis

This table lists the queries available with the latest release of the CodeQL action and CodeQL CLI. For more information, see the CodeQL change logs on the CodeQL documentation site.

| Query name | Related CWEs |
| --- | --- |
| 'requireSSL' attribute is not set to true | 319, 614 |
| Arbitrary file access during archive extraction ("Zip Slip") | 022 |
| ASP.NET config file enables directory browsing | 548 |
| Assembly path injection | 114 |
| Clear text storage of sensitive information | 312, 315, 359 |
| Cookie security: overly broad domain | 287 |
| Cookie security: overly broad path | 287 |
| Cookie security: persistent cookie | 539 |
| Creating an ASP.NET debug binary may reveal sensitive information | 11, 532 |
| Cross-site scripting | 079, 116 |
| Denial of Service from comparison of user input against expensive regex | 1333, 730, 400 |
| Deserialization of untrusted data | 502 |
| Deserialized delegate | 502 |
| Empty password in configuration file | 258, 862 |
| Encryption using ECB | 327 |
| Exposure of private information | 359 |
| Failure to abandon session | 384 |
| Hard-coded connection string with credentials | 259, 321, 798 |
| Hard-coded credentials | 259, 321, 798 |
| Header checking disabled | 113 |
| Improper control of generation of code | 094, 095, 096 |
| Information exposure through an exception | 209, 497 |
| Information exposure through transmitted data | 201 |
| Insecure Direct Object Reference | 639 |
| Insecure randomness | 338 |
| Insecure SQL connection | 327 |
| LDAP query built from stored user-controlled sources | 090 |
| LDAP query built from user-controlled sources | 090 |
| Log entries created from user input | 117 |
| Missing cross-site request forgery token validation | 352 |
| Missing function level access control | 285, 284, 862 |
| Missing global error handler | 12, 248 |
| Missing X-Frame-Options HTTP header | 451, 829 |
| Missing XML validation | 112 |
| Password in configuration file | 13, 256, 313 |
| Regular expression injection | 730, 400 |
| Resource injection | 099 |
| Serialization check bypass | 20 |
| SQL query built from stored user-controlled sources | 089 |
| SQL query built from user-controlled sources | 089 |
| Stored cross-site scripting | 079, 116 |
| Stored XPath injection | 643 |
| Thread-unsafe capturing of an ICryptoTransform object | 362 |
| Thread-unsafe use of a static ICryptoTransform field | 362 |
| Uncontrolled command line | 078, 088 |
| Uncontrolled command line from stored user input | 078, 088 |
| Uncontrolled data used in path expression | 022, 023, 036, 073, 099 |
| Uncontrolled format string | 134 |
| Untrusted XML is read insecurely | 611, 827, 776 |
| Unvalidated local pointer arithmetic | 119, 120, 122, 788 |
| URL redirection from remote source | 601 |
| Use of file upload | 434 |
| User-controlled bypass of sensitive method | 807, 247, 350 |
| Weak encryption | 327 |
| Weak encryption: inadequate RSA padding | 327, 780 |
| Weak encryption: Insufficient key size | 326 |
| XML injection | 091 |
| XPath injection | 643 |