Reduce false negatives in C# Advanced SAST
## Problem

Various customers have raised concerns about C# detection efficacy. Usually this relates to false-negative results. There is enough signal here that I would like us to take a step back and holistically evaluate our current detection rules.

## Definition of Done

- New test cases defined and used
- Assessment of source/propagator/sink completeness completed
- Rule changes shipped

## Notes

It is possible that our source/sink definitions are not complete enough. Though, note that we have made improvements recently. https://gitlab.com/gitlab-org/gitlab/-/issues/499767

## Related cases

- https://gitlab.com/djb_ultimate_group/568577/vulnerability-example-code/-/merge_requests/2 contains customer-provided examples of TPs and FNs. This is associated with [Zendesk ticket 568577](https://gitlab.zendesk.com/agent/tickets/568577) (internal link).
- https://gitlab.com/gitlab-org/gitlab/-/issues/499767+ (fixed in %17.7)
- https://gitlab.com/gitlab-org/gitlab/-/issues/512953+

## Resources

- [existing definitions](https://gitlab.com/search?search=csharp+file%3Ayaml&nav_source=navbar&project_id=56463244&group_id=85134092&search_code=true&repository_ref=main) (internal link)
- [Apache 2.0-licensed list of sinks](https://github.com/mandiant/route-sixty-sink/blob/master/RouteSixtySink/sinks.json), part of a [useful-looking but archived project](https://github.com/mandiant/route-sixty-sink/tree/master)
issue