- https://github.com/caioketo/QIERP/blob/master/QIERPDatabase/VerpContext.cs#L55 (with default sa pwd and use of Database.ExecuteSqlCommand:)
- https://github.com/revolutionaryarts/wewillgather/blob/master/src/Libraries/Gather.Data/GatherObjectContext.cs#L69
- https://github.com/philpeace/PointyPointy/blob/master/PointyPointy.Web/Data/StoryContext.cs#L51
- https://github.com/samandmoore/GetRDoneWeb/blob/master/GetRDone/GetRDoneContext.cs#L25
- https://github.com/slask/MVCArchitectureTemplate/blob/master/Solution/DataAccess/Context/ScrabbleClubContext.cs#L106
This one look OK (on diagonal reading)
- https://github.com/JayBeavers/ChronoZoom/blob/exceptionalIo/Source/Chronozoom.Entities/Storage.cs#L122 (Ok, because timelinesMap.Keys are GUIDs). There are multiple other uses of Database.SqlQuery which look ok because either the parameters options were used, or the string concats where done on GUIDs)
Idea for Cat.NET workflow
Now wouldn't it be great if we could automate an Cat.NET (or another SAST scanner) to do this type of analysis automatically?
Now wouldn't it be great if we could automate an Cat.NET (or another SAST scanner) to do this type of analysis automatically?
For example an Bot ot TeamCity workflow that:
- cloned/pulled a repo
- compile it
- run cat.net on it (with default or custom rules)
- automatically package the issues discovered
- send issues to repo owner
- allow rules to be customised (maybe as an XML file somewhere in the repo), for example, wrappers around Database.SQLQuery need to be marked as sinks)
- go back to 1
Ideally all this would be linked to Developer friendly guidance (like TeamMentor or OWASP content) in order to help the developers to easily understand the issues and write the required fixes
