Reduce false negatives in C# Advanced SAST
Problem
Various customers have raised concerns about C# detection efficacy. Usually this relates to false-negative results.
There is enough signal here that I would like us to take a step back and holistically evaluate our current detection rules.
Definition of Done
- New test cases defined and used
- Assessment of source/propagator/sink completeness completed
- Rule changes shipped
Notes
It is possible that our source/sink definitions are not complete enough. Note, though, that we have made improvements recently (#499767, closed).
Related cases
- https://gitlab.com/djb_ultimate_group/568577/vulnerability-example-code/-/merge_requests/2 contains customer-provided examples of true positives (TPs) and false negatives (FNs). This is associated with Zendesk ticket 568577 (internal link).
- Advanced SAST missing C# SQL Injection (#499767 - closed) (fixed in %17.7)
- https://gitlab.com/gitlab-org/gitlab/-/issues/512953+
Resources
- existing definitions (internal link)
- Apache 2.0-licensed list of sinks, part of a useful-looking but archived project
Edited by Connor Gilbert