Feature/horusec-csharp (#131)

* Adding base horusec csharp cli

* Adding csharp rules structure

* Fixing security hashes

* Adding horusec csharp cli injetion rules

* Adding others rules

* Adding sql injection linq rule

* Update leaks with set pwd

* Update make file and adding pipeline of horusec-csharp

* Adding password validation

* Adding sql injection rules in csharp cli

* Adding rules of cookies, view state

* Fixing errors

* Adding some cryptography rules to csharp cli

* Fixing total rules csharp

* Adding weak cipher rules

* Adding more rules of csharp

* Fixing test

* Adding more csharp rules

* add NewCsharpRegularDebugBuildEnabled

* add NewCsharpRegularDebugBuildEnabled

* Adding custom errors disabled rule

* Adding rules csharp

* Adding rule vulnerable package reference

* Adding rule jwt signature validation disabled

* Add cors allow origin wildcard rules

* Adding NewCsharpAndFormsAuthenticationCookielessMode

* Adding regular anti forgery token rule

* Adding form validations

* Adding missing authorize attribute rule

* Adding rules of xml in csharp

* Fix test

* Adding more csharp rules

* Adding password lockout disabled rule

* Adding more rules in csharp of cookies and assinatures

* Adding cross site rules

* Weak password rule

* Adding ldap injection filter rule

* Adding more rules in csharp

* Adding more rules in csharp

* Adding more rules in csharp

* Adding ldap injection rules

* Adding more rules in csharp

* Adding csharp in deployments to up version

* Adding csharp in deployments to up version

* Rename test zip to csharp

* Adding horusec csharp cli

* Change language to csharp

* Adding test to check netcore is deprecated

* Updating regular rules

* Adding rule no log sensitive information in console

* Fix conflict

* Fixing error removing old regular expressions

* Update weak rsa key length

* Removing deplicated rule

* Fixing rules of java min 128 bits in key generator

* Adding unit tests in csharp engine

* Fixing fmt lint

* Fixing test

* Fixing test

* Adding readme.md in horusec-csharp

* Update README.md

* Fixing tests

* Merge and update doc

Co-authored-by: Wilian Gabriel <wilian.silva@zup.com.br>
Co-authored-by: Wilian Gabriel <63816070+wiliansilvazup@users.noreply.github.com>

.github/workflows/csharp-pipeline.yml

@@ -0,0 +1,46 @@
+name: HorusecCSharpPipeline
+
+on:
+  push:
+    branches: [ "master", "develop" ]
+  pull_request:
+    branches: [ "**" ]
+
+jobs:
+  install-build-test-fmt-lint:
+    name: install-build-test-fmt-lint
+    runs-on: ubuntu-latest
+    if: "!contains(github.event.head_commit.message, '[skip ci]')"
+    steps:
+      - name: Set up Go 1.14
+        uses: actions/setup-go@v1
+        with:
+          go-version: 1.14
+        id: go
+      - name: Check out code
+        uses: actions/checkout@v2
+      - name: fmt
+        run: |
+          echo "==> Checking that code complies with gofmt requirements..."
+          gofmt_files=$(gofmt -l `find ./horusec-csharp -name '*.go' | grep -v vendor`)
+          echo $gofmt_files
+          if [ ! -z $gofmt_files ]; then
+              echo 'gofmt needs running on the following files:'
+              echo "$gofmt_files"
+              echo "You can use the command: \`gofmt -w \$(gofmt -l \'find ./horusec-csharp -name \'*.go\' | grep -v vendor)\` to reformat code."
+              exit 1
+          fi
+          echo "=) The project horusec-csharp it's OK!"
+      - name: lint
+        run: |
+          curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s v1.25.0
+          ./bin/golangci-lint run -v --timeout=2m -c .golangci.yml ./horusec-csharp/...
+      - name: test
+        run: |
+          go clean -testcache
+          go test -v ./horusec-csharp/... -timeout=2m -parallel=1 -failfast -short
+#      - name: coverage
+#        run: make coverage-horusec-csharp
+      - name: build
+        run: go build -o "./tmp/bin/horusec-csharp" ./horusec-csharp/cmd/app/main.go
+

.github/workflows/deploy-cli-tools.yml

@@ -4,7 +4,7 @@ on:
   workflow_dispatch:
     inputs:
       tool_name:
-        description: 'Tool to deploy on dockerhub: bandit, brakeman, gitleaks, gosec, npmaudit, safety, securitycodescan, hcl, spotbugs, horusec-kotlin, horusec-java, horusec-leaks'
+        description: 'Tool to deploy on dockerhub: bandit, brakeman, gitleaks, gosec, npmaudit, safety, securitycodescan, hcl, spotbugs, horusec-kotlin, horusec-java, horusec-leaks, horusec-csharp'
         required: true
       update_type:
         description: 'Update Type: alpha, rc, release, minor, major'

Makefile

@@ -153,38 +153,37 @@ install-semver:
 	chmod +x ./deployments/scripts/install-semver.sh
 	./deployments/scripts/install-semver.sh
 
+PATH_BINARY_BUILD_CLI ?= $(GOPATH)/bin
 build-install-cli:
-	$(GO) build -o horusec ./horusec-cli/cmd/horusec/main.go
-	chmod +x horusec
-	rm -rf $(GOPATH)/bin/horusec
-	mv horusec $(GOPATH)/bin
-	cd ..
+	rm -rf "$(PATH_BINARY_BUILD_CLI)/horusec" &> /dev/null
+	$(GO) build -o "$(PATH_BINARY_BUILD_CLI)/horusec" ./horusec-cli/cmd/horusec/main.go
+	chmod +x "$(PATH_BINARY_BUILD_CLI)/horusec"
 	horusec version
 
 build-install-leaks-cli:
-	$(GO) build -o horusec ./horusec-leaks/cmd/app/main.go
-	chmod +x horusec
-	rm -rf $(GOPATH)/bin/horusec-leaks
-	mv horusec $(GOPATH)/bin/horusec-leaks
-	cd ..
+	rm -rf "$(PATH_BINARY_BUILD_CLI)/horusec-leaks" &> /dev/null
+	$(GO) build -o "$(PATH_BINARY_BUILD_CLI)/horusec-leaks" ./horusec-leaks/cmd/app/main.go
+	chmod +x "$(PATH_BINARY_BUILD_CLI)/horusec-leaks"
 	horusec-leaks version
 
 build-install-kotlin-cli:
-	$(GO) build -o horusec ./horusec-kotlin/cmd/app/main.go
-	chmod +x horusec
-	rm -rf $(GOPATH)/bin/horusec-kotlin
-	mv horusec $(GOPATH)/bin/horusec-kotlin
-	cd ..
+	rm -rf "$(PATH_BINARY_BUILD_CLI)/horusec-kotlin" &> /dev/null
+	$(GO) build -o "$(PATH_BINARY_BUILD_CLI)/horusec-kotlin" ./horusec-kotlin/cmd/app/main.go
+	chmod +x "$(PATH_BINARY_BUILD_CLI)/horusec-kotlin"
 	horusec-kotlin version
 
 build-install-java-cli:
-	$(GO) build -o horusec ./horusec-java/cmd/app/main.go
-	chmod +x horusec
-	rm -rf $(GOPATH)/bin/horusec-java
-	mv horusec $(GOPATH)/bin/horusec-java
-	cd ..
+	rm -rf "$(PATH_BINARY_BUILD_CLI)/horusec-java" &> /dev/null
+	$(GO) build -o "$(PATH_BINARY_BUILD_CLI)/horusec-java" ./horusec-java/cmd/app/main.go
+	chmod +x "$(PATH_BINARY_BUILD_CLI)/horusec-java"
 	horusec-java version
 
+build-install-csharp-cli:
+	rm -rf "$(PATH_BINARY_BUILD_CLI)/horusec-csharp" &> /dev/null
+	$(GO) build -o "$(PATH_BINARY_BUILD_CLI)/horusec-csharp" ./horusec-csharp/cmd/app/main.go
+	chmod +x "$(PATH_BINARY_BUILD_CLI)/horusec-csharp"
+	horusec-csharp version
+
 # ========================================================================================= #
 
 update-cli:

deployments/scripts/update-image-tool.sh

@@ -89,13 +89,17 @@ getDirectoryAndImageNameByToolName () {
             IMAGE_NAME="horuszup/horusec-java"
             DIRECTORY_CONFIG="$CURRENT_FOLDER/horusec-cli/internal/services/formatters/java/horusecjava/config.go"
             DIRECTORY_SEMVER="$CURRENT_FOLDER/horusec-java";;
+        "horusec-csharp")
+            IMAGE_NAME="horuszup/horusec-csharp"
+            DIRECTORY_CONFIG="$CURRENT_FOLDER/horusec-cli/internal/services/formatters/csharp/horuseccsharp/config.go"
+            DIRECTORY_SEMVER="$CURRENT_FOLDER/horusec-csharp";;
         "horusec-leaks")
             IMAGE_NAME="horuszup/horusec-leaks"
             DIRECTORY_CONFIG="$CURRENT_FOLDER/horusec-cli/internal/services/formatters/leaks/horusecleaks/config.go"
             DIRECTORY_SEMVER="$CURRENT_FOLDER/horusec-leaks";;
         *)
             echo "Param Tool Name is invalid, please use the examples bellow allowed and try again!"
-            echo "Params Tool Name allowed: bandit, brakeman, gitleaks, gosec, npmaudit, safety, securitycodescan, hcl, spotbugs, horusec-kotlin, horusec-java, horusec-leaks"
+            echo "Params Tool Name allowed: bandit, brakeman, gitleaks, gosec, npmaudit, safety, securitycodescan, hcl, spotbugs, horusec-kotlin, horusec-java, horusec-leaks, horusec-csharp"
             exit 1;;
     esac
 }
@@ -172,7 +176,7 @@ updateImage () {
     updateVersionInConfigFile
     updateVersionInCliVersionFile
 
-    if [[ "$TOOL_NAME" == "horusec-leaks" || "$TOOL_NAME" == "horusec-kotlin" || "$TOOL_NAME" == "horusec-java" ]]
+    if [[ "$TOOL_NAME" == "horusec-leaks" || "$TOOL_NAME" == "horusec-kotlin" || "$TOOL_NAME" == "horusec-java" || "$TOOL_NAME" == "horusec-csharp" ]]
     then
         DIRECTORY_SEMVER="$DIRECTORY_SEMVER/deployments"
     fi
@@ -195,7 +199,7 @@ updateVersionInConfigFile () {
 }
 
 updateVersionInCliVersionFile () {
-    if [[ "$TOOL_NAME" == "horusec-leaks" || "$TOOL_NAME" == "horusec-kotlin" || "$TOOL_NAME" == "horusec-java" ]]
+    if [[ "$TOOL_NAME" == "horusec-leaks" || "$TOOL_NAME" == "horusec-kotlin" || "$TOOL_NAME" == "horusec-java" || "$TOOL_NAME" == "horusec-csharp" ]]
     then
         sed -i -e "s/{{VERSION_NOT_FOUND}}/$NEW_RELEASE/g" "./development-kit/pkg/cli_standard/cmd/version/version.go"
     fi
@@ -207,7 +211,7 @@ rollbackVersionInConfigFile () {
 }
 
 rollbackVersionInCliVersionFile () {
-    if [[ "$TOOL_NAME" == "horusec-leaks" || "$TOOL_NAME" == "horusec-kotlin" || "$TOOL_NAME" == "horusec-java" ]]
+    if [[ "$TOOL_NAME" == "horusec-leaks" || "$TOOL_NAME" == "horusec-kotlin" || "$TOOL_NAME" == "horusec-java" || "$TOOL_NAME" == "horusec-csharp" ]]
     then
         sed -i -e "s/$NEW_RELEASE/{{VERSION_NOT_FOUND}}/g" "./development-kit/pkg/cli_standard/cmd/version/version.go"
     fi

development-kit/pkg/engines/csharp/analysis/analysis.go

@@ -0,0 +1,65 @@
+// Copyright 2020 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package analysis
+
+import (
+	"encoding/json"
+
+	engine "github.com/ZupIT/horusec-engine"
+	"github.com/ZupIT/horusec-engine/text"
+	"github.com/ZupIT/horusec/development-kit/pkg/cli_standard/config"
+	"github.com/ZupIT/horusec/development-kit/pkg/engines/csharp/rules"
+	"github.com/ZupIT/horusec/development-kit/pkg/utils/logger"
+)
+
+type Interface interface {
+	StartAnalysis() error
+}
+
+type Analysis struct {
+	configs      *config.Config
+	serviceRules rules.Interface
+}
+
+func NewAnalysis(configs *config.Config) Interface {
+	return &Analysis{
+		configs:      configs,
+		serviceRules: rules.NewRules(),
+	}
+}
+
+func (a *Analysis) StartAnalysis() error {
+	textUnit, err := text.LoadDirIntoSingleUnit(a.configs.GetProjectPath(), []string{
+		".cs", ".vb", ".cshtml", ".csproj", ".xml"})
+	if err != nil {
+		return err
+	}
+	a.logJSON("Text Unit selected is: ", textUnit)
+
+	allRules := a.serviceRules.GetAllRules()
+	a.logJSON("All rules selected are: ", allRules)
+
+	outputFilePath := a.configs.GetOutputFilePath()
+	logger.LogDebugWithLevel("Sending units and rules to engine "+
+		" and expected response in path: ", logger.DebugLevel, outputFilePath)
+	return engine.RunOutputInJSON([]engine.Unit{textUnit}, allRules, outputFilePath)
+}
+
+func (a *Analysis) logJSON(message string, content interface{}) {
+	b, err := json.Marshal(content)
+	if err == nil {
+		logger.LogTraceWithLevel(message, logger.DebugLevel, string(b))
+	}
+}

development-kit/pkg/engines/csharp/analysis/analysis_test.go

@@ -0,0 +1,57 @@
+// Copyright 2020 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package analysis
+
+import (
+	"encoding/json"
+	engine "github.com/ZupIT/horusec-engine"
+	"github.com/ZupIT/horusec/development-kit/pkg/cli_standard/config"
+	"github.com/stretchr/testify/assert"
+	"io/ioutil"
+	"os"
+	"testing"
+)
+
+func TestNewAnalysis(t *testing.T) {
+	assert.IsType(t, NewAnalysis(config.NewConfig()), &Analysis{})
+}
+
+func TestAnalysis_StartAnalysis(t *testing.T) {
+	t.Run("Should return success when read analysis and return seven vulnerabilities", func(t *testing.T) {
+		configs := config.NewConfig()
+		configs.SetOutputFilePath("./csharp-tmp.output.json")
+		configs.SetProjectPath("../../examples/csharp-generic-vuln")
+		err := NewAnalysis(configs).StartAnalysis()
+		assert.NoError(t, err)
+		fileBytes, err := ioutil.ReadFile("./csharp-tmp.output.json")
+		data := []engine.Finding{}
+		_ = json.Unmarshal(fileBytes, &data)
+		assert.NoError(t, os.RemoveAll(configs.GetOutputFilePath()))
+		assert.Equal(t, 6, len(data))
+	})
+	t.Run("Should return error when create file", func(t *testing.T) {
+		configs := config.NewConfig()
+		configs.SetOutputFilePath("./////")
+		err := NewAnalysis(configs).StartAnalysis()
+		assert.Error(t, err)
+	})
+	t.Run("Should return error when get units in project path", func(t *testing.T) {
+		configs := config.NewConfig()
+		configs.SetOutputFilePath("./////")
+		configs.SetProjectPath("./not exists path")
+		err := NewAnalysis(configs).StartAnalysis()
+		assert.Error(t, err)
+	})
+}

development-kit/pkg/engines/csharp/rules/rules.go

@@ -0,0 +1,43 @@
+// Copyright 2020 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package rules
+
+import (
+	engine "github.com/ZupIT/horusec-engine"
+	"github.com/ZupIT/horusec/development-kit/pkg/enums/engine/advisories/csharp"
+)
+
+type Interface interface {
+	GetAllRules() (rules []engine.Rule)
+}
+
+type Rules struct{}
+
+func NewRules() Interface {
+	return &Rules{}
+}
+
+func (r *Rules) GetAllRules() (rules []engine.Rule) {
+	for index := range csharp.AllRulesCsharpAnd() {
+		rules = append(rules, csharp.AllRulesCsharpAnd()[index])
+	}
+	for index := range csharp.AllRulesCsharpOr() {
+		rules = append(rules, csharp.AllRulesCsharpOr()[index])
+	}
+	for index := range csharp.AllRulesCsharpRegular() {
+		rules = append(rules, csharp.AllRulesCsharpRegular()[index])
+	}
+	return rules
+}

development-kit/pkg/engines/csharp/rules/rules_test.go

@@ -0,0 +1,39 @@
+// Copyright 2020 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package rules
+
+import (
+	"testing"
+
+	"github.com/ZupIT/horusec-engine/text"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestNewRules(t *testing.T) {
+	assert.IsType(t, NewRules(), &Rules{})
+}
+
+func TestRules_GetAllRules(t *testing.T) {
+	t.Run("Should return all rules enable", func(t *testing.T) {
+		rules := NewRules().GetAllRules()
+		totalRegexes := 0
+		for i := range rules {
+			textRule := rules[i].(text.TextRule)
+			totalRegexes += len(textRule.Expressions)
+		}
+		assert.Greater(t, len(rules), 0)
+		assert.Greater(t, totalRegexes, 0)
+	})
+}

development-kit/pkg/engines/examples/csharp-generic-vuln/Errors.cs

@@ -0,0 +1,15 @@
+namespace NetCoreVulnerabilities
+{
+    public class Errors
+    {
+        public void NotUsedVar()
+        {
+            var neverUsedVar1 = "";
+        }
+
+        public void NotUsedVar2()
+        {
+            var neverUsedVar2 = "";
+        }
+    }
+}

development-kit/pkg/engines/examples/csharp-generic-vuln/NetCoreVulnerabilities.csproj

@@ -0,0 +1,14 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <OutputType>Exe</OutputType>
+    <TargetFramework>netcoreapp3.1</TargetFramework>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Microsoft.AspNetCore.Http" Version="2.2.2" />
+    <PackageReference Include="Microsoft.AspNetCore.Mvc.Core" Version="2.2.5" />
+    <PackageReference Include="SecurityCodeScan.VS2017" Version="3.5.0" />
+  </ItemGroup>
+
+</Project>