Add 4 CSharp Audit Queries

config/codeql-audit.yml

@@ -1,6 +1,9 @@
 name: "GitHub Field CodeQL Audit Configuration"
 
 queries:
+  # CSharp queries
+  - uses: advanced-security/codeql-queries/csharp/suites/codeql-csharp-audit.qls@main
+
   # JavaScript/TypeScript queries
   - uses: advanced-security/codeql-queries/javascript/suites/codeql-javascript-audit.qls@main
 

csharp/.data/queries.json

@@ -1,4 +1,10 @@
 {
+  "audit": [
+    "csharp/CWE-078/CommandInjectionAudit.ql",
+    "csharp/CWE-094/CodeInjectionAudit.ql",
+    "csharp/CWE-502/UnsafeDeserializationAudit.ql",
+    "csharp/CWE-611/UnsafeXMLResolverAudit.ql"
+  ],
   "default": [
     "codeql/csharp/ql/src/Security Features/CWE-011/ASPNetDebug.ql",
     "codeql/csharp/ql/src/Security Features/CWE-022/TaintedPath.ql",
@@ -49,7 +55,6 @@
     "codeql/csharp/ql/src/Diagnostics/ExtractorMessage.ql",
     "codeql/csharp/ql/src/Metrics/Summaries/LinesOfCode.ql",
     "codeql/csharp/ql/src/Telemetry/ExternalLibraryUsage.ql",
-    "codeql/csharp/ql/src/Telemetry/SupportedExternalApis.ql",
     "codeql/csharp/ql/src/Telemetry/SupportedExternalSinks.ql",
     "codeql/csharp/ql/src/Telemetry/SupportedExternalSources.ql",
     "codeql/csharp/ql/src/Telemetry/SupportedExternalTaint.ql",
@@ -122,7 +127,6 @@
     "codeql/csharp/ql/src/Diagnostics/ExtractorMessage.ql",
     "codeql/csharp/ql/src/Metrics/Summaries/LinesOfCode.ql",
     "codeql/csharp/ql/src/Telemetry/ExternalLibraryUsage.ql",
-    "codeql/csharp/ql/src/Telemetry/SupportedExternalApis.ql",
     "codeql/csharp/ql/src/Telemetry/SupportedExternalSinks.ql",
     "codeql/csharp/ql/src/Telemetry/SupportedExternalSources.ql",
     "codeql/csharp/ql/src/Telemetry/SupportedExternalTaint.ql",
@@ -296,7 +300,6 @@
     "codeql/csharp/ql/src/Diagnostics/ExtractorMessage.ql",
     "codeql/csharp/ql/src/Metrics/Summaries/LinesOfCode.ql",
     "codeql/csharp/ql/src/Telemetry/ExternalLibraryUsage.ql",
-    "codeql/csharp/ql/src/Telemetry/SupportedExternalApis.ql",
     "codeql/csharp/ql/src/Telemetry/SupportedExternalSinks.ql",
     "codeql/csharp/ql/src/Telemetry/SupportedExternalSources.ql",
     "codeql/csharp/ql/src/Telemetry/SupportedExternalTaint.ql",
@@ -369,7 +372,6 @@
     "codeql/csharp/ql/src/Diagnostics/ExtractorMessage.ql",
     "codeql/csharp/ql/src/Metrics/Summaries/LinesOfCode.ql",
     "codeql/csharp/ql/src/Telemetry/ExternalLibraryUsage.ql",
-    "codeql/csharp/ql/src/Telemetry/SupportedExternalApis.ql",
     "codeql/csharp/ql/src/Telemetry/SupportedExternalSinks.ql",
     "codeql/csharp/ql/src/Telemetry/SupportedExternalSources.ql",
     "codeql/csharp/ql/src/Telemetry/SupportedExternalTaint.ql",

csharp/CWE-078/CommandInjectionAudit.ql

@@ -0,0 +1,21 @@
+/**
+ * @name Usage of Command Injection sink
+ * @description Using externally controlled strings in a command line may allow a malicious
+ *              user to change the meaning of the command.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 2.0
+ * @precision low
+ * @id cs/audit/command-line-injection
+ * @tags security
+ *       external/cwe/cwe-078
+ *       external/cwe/cwe-088
+ *       audit
+ */
+
+import csharp
+import semmle.code.csharp.security.dataflow.CommandInjectionQuery
+
+from DataFlow::Node sink
+where sink instanceof Sink
+select sink, "Usage of Command Injection sink"

csharp/CWE-094/CodeInjectionAudit.ql

@@ -0,0 +1,22 @@
+/**
+ * @name Use of Code Injection sink
+ * @description Treating externally controlled strings as code can allow an attacker to execute
+ *              malicious code.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 2.0
+ * @precision low
+ * @id cs/audit/code-injection
+ * @tags security
+ *       external/cwe/cwe-094
+ *       external/cwe/cwe-095
+ *       external/cwe/cwe-096
+ *       audit
+ */
+
+import csharp
+import semmle.code.csharp.security.dataflow.CodeInjectionQuery
+
+from DataFlow::Node sink
+where sink instanceof Sink
+select sink, "Usage of Code Injection sink"

csharp/CWE-502/UnsafeDeserializationAudit.ql

@@ -0,0 +1,21 @@
+/**
+ * @name Usage of Unsafe Deserialize sink
+ * @description Calling an unsafe deserializer with data controlled by an attacker
+ *              can lead to denial of service and other security problems.
+ * @kind problem
+ * @id cs/audit/unsafe-deserialization
+ * @problem.severity warning
+ * @security-severity 2.0
+ * @precision low
+ * @tags security
+ *       external/cwe/cwe-502
+ *       audit
+ */
+
+// https://github.com/advanced-security/codeql-queries/blob/audit-csharp/codeql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.ql
+import csharp
+import semmle.code.csharp.security.dataflow.UnsafeDeserializationQuery
+
+from DataFlow::Node sink
+where sink instanceof Sink
+select sink, "Usage of Unsafe Deserialize sink"

csharp/CWE-611/UnsafeXMLResolverAudit.ql

@@ -0,0 +1,23 @@
+/**
+ * @name XML is read insecurely
+ * @description XML may include dangerous external references, which should
+ *              be restricted using a secure resolver or disabling DTD processing.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 2.0
+ * @precision low
+ * @id cs/audit/insecure-xml-read
+ * @tags security
+ *       external/cwe/cwe-611
+ *       external/cwe/cwe-827
+ *       external/cwe/cwe-776
+ *       audit
+ */
+
+// https://github.com/advanced-security/codeql-queries/blob/c8cfb6a0cc44da3d2baae4b985262a84652f71ee/csharp/ql/src/Security Features/CWE-611/UseXmlSecureResolver.ql#L22s
+import csharp
+import semmle.code.csharp.security.xml.InsecureXMLQuery
+
+from InsecureXmlProcessing xmlProcessing, string reason
+where xmlProcessing.isUnsafe(reason)
+select xmlProcessing, "Insecure XML processing: " + reason

csharp/README.md

@@ -4,10 +4,11 @@
 <!-- AUTOMATION-SUITES -->
 | Name | Queries Count | Description | Path |
 | :--- | :---- | :--- | :--- |
-| `default` | 54 | Default Query Suite | `codeql/csharp/ql/src/codeql-suites/code-scanning` |
-| `extended` | 71 | Security Extended Suite | `codeql/csharp/ql/src/codeql-suites/security-extended` |
-| `quality` | 172 | Security and Quality Extended Suite | `codeql/csharp/ql/src/codeql-suites/security-and-quality` |
-| `super-extended` | 81 | Security Extended with Experimental and Custom Queries Suite | `advanced-security/codeql-queries/csharp/suites/codeql-csharp.qls@main` |
+| `default` | 53 | Default Query Suite | `codeql/csharp/ql/src/codeql-suites/code-scanning` |
+| `extended` | 70 | Security Extended Suite | `codeql/csharp/ql/src/codeql-suites/security-extended` |
+| `quality` | 171 | Security and Quality Extended Suite | `codeql/csharp/ql/src/codeql-suites/security-and-quality` |
+| `super-extended` | 80 | Security Extended with Experimental and Custom Queries Suite | `advanced-security/codeql-queries/csharp/suites/codeql-csharp.qls@main` |
+| `audit` | 4 | Security Audit Query Suite | `advanced-security/codeql-queries/csharp/suites/codeql-csharp-audit.qls@main` |
 
 
 <!-- AUTOMATION-SUITES -->

csharp/suites/codeql-csharp-audit.qls

@@ -0,0 +1,15 @@
+# This is the field security specialist audit pack
+
+- description: "CSharp Audit Pack"
+
+# Field query pack with some audit queries
+- qlpack: github-queries-csharp
+
+- include:
+    kind:
+    - problem
+    - path-problem
+    - metric
+    - diagnostic
+    tags contain:
+    - audit