Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WIP: C#: Generate source files from cshtml files in standalone #13722

Draft
wants to merge 7 commits into
base: main
Choose a base branch
from
Draft

WIP: C#: Generate source files from cshtml files in standalone #13722

wants to merge 7 commits into from

Conversation

tamasvajk
Copy link
Contributor

No description provided.

@github-actions github-actions bot added the C# label Jul 11, 2023
github-code-scanning[bot]
github-code-scanning bot found potential problems Jul 11, 2023
View reviewed changes
csharp/extractor/Semmle.Extraction.CSharp.Standalone/Razor.cs Fixed Show fixed Hide fixed
csharp/extractor/Semmle.Extraction.CSharp.Standalone/BuildAnalysis.cs Fixed Show fixed Hide fixed
csharp/extractor/Semmle.Extraction.CSharp.Standalone/Razor.cs
Comment on lines +93 to +96
catch
{
// Ignore
}

Check notice

Code scanning / CodeQL

Generic catch clause Note

Generic catch clause.
tamasvajk
tamasvajk commented Jul 12, 2023
View reviewed changes
csharp/extractor/Semmle.Extraction.CSharp.Standalone/Razor.cs Outdated
args.Append($"/additionalfile:{f} ");
}

var res = dotNet.Exec(args.ToString());
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This needs to be reworked. When the application is run through the codeql CLI, the tracer finds this dotnet exec csc call, and it gets extracted. We need a way to opt out of this.

tamasvajk
tamasvajk commented Jul 12, 2023
View reviewed changes
csharp/tools/tracing-config.lua Outdated
@@ -138,6 +138,8 @@ function RegisterExtractorPack(id)
end

local windowsMatchers = {
CreatePatternMatcher({ '^Semmle%.Extraction%.CSharp%.Standalone$' },
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add %.exe

tamasvajk
tamasvajk commented Jul 13, 2023
View reviewed changes
csharp/extractor/Semmle.Extraction.CSharp.Standalone/Razor.cs
GenerateAnalyzerConfig(cshtmls, Path.Combine(sourceGeneratorFolder, analyzerConfig));

var args = new StringBuilder();
args.Append($"{cscPath} --do-not-trace /target:exe /generatedfilesout:{outputFolder} /out:{dllPath} /analyzerconfig:{analyzerConfig} ");
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

--do-not-trace is an ugly workaround to the issue I faced with 78f3a38. This call will only work if it is traced. The tracer will remove this argument. (When the standalone extractor is called directly (during debugging or semmle-extractor-options: --standalone), the call will fail.

github-code-scanning[bot]
github-code-scanning bot found potential problems Jul 14, 2023
View reviewed changes
csharp/extractor/Semmle.Extraction.CSharp.Standalone/BuildAnalysis.cs
Comment on lines +134 to +137
catch
{
// It's okay, we tried our best to generate source files from cshtml files.
}

Check notice

Code scanning / CodeQL

Generic catch clause Note

Generic catch clause.
@tamasvajk
Copy link
Contributor Author

After adding the references to the dotnet exec csc call that generates C# files from cshtmls, the security extended suite returns the same results on a traced and standalone DB of tobyash86/WebGoat.NET.

redsun82
redsun82 reviewed Jul 14, 2023
View reviewed changes
csharp/ql/integration-tests/all-platforms/standalone/test.py
@@ -0,0 +1,3 @@
from create_database_utils import *

run_codeql_database_create([], lang="csharp", extra_args=["--extractor-option=buildless=true", "--extractor-option=cil=false"])
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

recently I changed run_codeql_database to have [] as default command, so to invoke the autobuilder you can simply write

Suggested change
run_codeql_database_create([], lang="csharp", extra_args=["--extractor-option=buildless=true", "--extractor-option=cil=false"])
run_codeql_database_create(lang="csharp", extra_args=["--extractor-option=buildless=true", "--extractor-option=cil=false"])

tamasvajk
tamasvajk commented Jul 14, 2023
View reviewed changes
csharp/extractor/Semmle.Extraction.CSharp.Standalone/Razor.cs
Comment on lines +67 to +78
foreach (var f in Directory.GetFiles(sourceGeneratorFolder, "*.dll"))
{
args.Append($"/analyzer:{f} ");
}
foreach (var f in cshtmls)
{
args.Append($"/additionalfile:{f} ");
}
foreach (var f in references)
{
args.Append($"/reference:{f} ");
}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All the paths need to be quoted. (This is the reason why the integration tests fail)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@redsun82 redsun82 redsun82 left review comments

@github/codeql-csharp codeql-csharp Awaiting requested review from github/codeql-csharp github/codeql-csharp will be requested when the pull request is marked ready for review github/codeql-csharp is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
C#
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@tamasvajk @redsun82