Roslyn Diagnostics Security Analyzers Overview


Roslyn diagnostic analyzers build on the open-source Roslyn C# and Visual Basic (VB) compilers to help you write more robust and secure code through rich code analysis and detailed issue explanations. In this blog post, we’ll cover the basics to get you started with the security-specific set of analyzers for your project.

What is Roslyn?

Roslyn is the open-source .NET compiler platform. It gives developers using C# and VB the ability to see what is happening to their source code as it goes through the compiler pipeline, and exposes that information through its API layers. For a more in-depth explanation, please check out the project’s GitHub page.

What are Roslyn Analyzers?

Roslyn Analyzers expose the live static analysis APIs available through the Diagnostics layer to give you deep analytical insight into the syntax, semantic, security and other issues found in your code, along with instructions on how and where to fix them. Our focus in this article is on security; check out the GitHub project page for more on the other analyzers.

What Security Analyzers are available today?

Currently, we have six analyzers that cover common vulnerabilities in cryptography, XML processing and exception handling. They ship as a single NuGet package, Desktop.Analyzers, and here’s a bit more about each of them:

  • CA5350: Do Not Use Weak Cryptographic Algorithms – this analyzer checks whether you’re using any of the cryptographic algorithms the security community considers weak, which at the time of writing include TripleDES, SHA1 and RIPEMD160. These algorithms shouldn’t be used where you’re guaranteeing confidentiality in the product or service that uses them.
  • CA5351: Do Not Use Broken Cryptographic Algorithms – this analyzer, like the one above, checks whether you’re using cryptographic algorithms that are no longer effective at keeping secrets, but which, rather than merely weak, are known to be “broken”. It checks for MD5, DES and RC2 usage.
  • CA3075: Insecure DTD Processing – Document Type Definition (DTD) processing can be tricky, especially since it allows your parser to accept external untrusted input, which attackers could leverage to disclose information or compromise your system. This analyzer checks a number of security aspects of DtdProcessing. First, it warns against enabling DTD processing at all unless you need it. Second, if you have DTD processing enabled, it ensures you only resolve external entities using XmlSecureResolver. Third, it ensures you pass an XmlReader instance in all Load() calls.
  • CA3076: Insecure XSLT Script Execution – this analyzer checks whether you’re using Extensible Stylesheet Language Transformations (XSLT) to transform XML to HTML, text or another format insecurely, and warns you so that you don’t execute malicious script from an untrusted source.
  • CA3077: Insecure Processing in API Design, XML Document and XML Text Reader – this analyzer, similar to CA3075, focuses on DTD processing in subclasses of XmlDocument and XmlTextReader. It checks how you handle exceptions and resolve external entities.
  • CA2153: Do Not Catch Corrupted State Exceptions – a corrupted state exception (CSE) indicates that the state of a process has been corrupted and not caught by the system. In the corrupted state scenario, a general handler only catches the exception if you mark your method with the proper handling attribute. By default, the Common Language Runtime (CLR) will not invoke catch handlers for CSEs. This warning triggers when CSEs are caught by a general handler that catches all exceptions, such as catch (Exception) or a catch clause with no exception specification.
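As an added example (not code from the original post), the following pairs the pattern each of CA3075 and CA2153 describes with its corrected form; the class, method and parameter names are illustrative.

```csharp
using System;
using System.IO;
using System.Runtime.ExceptionServices;
using System.Xml;

// Added example, not code from the original post: each pair shows a pattern
// the CA3075 / CA2153 descriptions above flag next to its corrected form.
static class SecurityAnalyzerExamples
{
    // CA3075: DTD parsing with the default resolver lets an untrusted document
    // pull in external entities and disclose information from the host.
    static XmlDocument LoadWithDtd(string untrustedXml)
    {
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Parse };
        var doc = new XmlDocument();
        doc.Load(XmlReader.Create(new StringReader(untrustedXml), settings));
        return doc;
    }

    // Corrected: DTDs are prohibited, resolvers are disabled so nothing
    // external is fetched, and Load() is given an XmlReader, as the rule asks.
    static XmlDocument LoadWithoutDtd(string untrustedXml)
    {
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        using (var reader = XmlReader.Create(new StringReader(untrustedXml), settings))
        {
            var doc = new XmlDocument { XmlResolver = null };
            doc.Load(reader);
            return doc;
        }
    }

    // CA2153: with the opt-in attribute present, a general handler also swallows
    // corrupted state exceptions such as an access violation, hiding real damage.
    [HandleProcessCorruptedStateExceptions]
    static bool RunAndSwallowEverything(Action work)
    {
        try { work(); return true; }
        catch { return false; }          // flagged: this catch clause also catches CSEs
    }

    // Corrected: no opt-in attribute, and only the recoverable type is caught;
    // a corrupted process is left to terminate instead of continuing.
    static bool RunAndCatchIo(Action work)
    {
        try { work(); return true; }
        catch (IOException) { return false; }
    }
}
```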

How Do I Use Them?

To get started, follow these steps:

  1. Install the Desktop.Analyzers package from NuGet in the Visual Studio Package Manager Console.
  2. Add the Microsoft Security Recommended ruleset (make sure to change the file extension to “.ruleset”) and follow the steps to use it as an additional ruleset; it pre-selects the appropriate security rules for you.

Once you have the two items above installed, go to the “Analysis” menu and select “Run code analysis on the solution” from the drop-down. Any warnings will appear in the Error List tab, and clicking on a warning number will take you to the MSDN article that explains that issue in more detail.

Next Steps

Take our analyzers for a spin and let us know if you encounter any issues by commenting on this blog post. We also encourage you to play around with the code on GitHub, develop your own set of security analyzers to use in your own projects, or submit them to Microsoft for future consideration in the Security Analyzers rule package.

We look forward to seeing what you can do!

Comments (19)

  1. Pradip says:

    Hey rodrigo.js,

    I wanted to know by when every issue will be fixed and the latest beta version will be marked as a stable version so that we can check.

    Please let me know.

    Thanks & Regards,
    Pradip

    1. rodrigo.js says:

      Pradip, I can’t repro the issue you’re having. However, I need you to try 2 more things before we try other things:
      When I changed the ruleset I originally had on the post and added to my project, the new checks weren’t selected. Seems like VS doesn’t recognize the file as different since it contained the same name. So please delete the ruleset file and re-add using the latest copy available on the blog post
      Make sure you have the 3 analyzers you need enabled under the “Desktop.CSharp.Analyzers” selection under references
      Once you confirm these 2 things with me, let’s move forward. Try also enabling the checks I listed in the file manually in case you still have issues with the file, or try renaming it as well.

  2. Pradip says:

    On 3075 I am getting this
    Analyzer ‘Desktop.Analyzers.DoNotUseInsecureDTDProcessingAnalyzer’ threw an exception of type ‘System.InvalidOperationException’ with message ‘Feature ‘IOperation’ is disabled.’.

    I am using Beta package

    1. rodrigo.js says:

      Hey Pradip, for the CA3075 error, the tool owners made a very recent change that now allows you to scan through C# and VB using operations instead of syntax nodes. We’ll write more about that soon, but in the meantime, there’s one step you need to take to make it work: 1) go to your project file (csproj for example) 2) Add this flag: IOperation 3) Reload the project 4) Enjoy! 5) Let me know if there are any other issues.

      1. Pradip says:

        Could you explain a bit on where to add IOperation ? As a resource ?

      2. rodrigo.js says:

        Absolutely. Make sure to follow these steps:
        Right click on the project and select “Unload project”
        Right click on the unloaded project and select “Edit .csproj”
        Under the first tag, add a bracket that says Features, add IOperation then close the features bracket
        Reload the project
        This should get you on track!

  3. Pradip says:

    I am getting the CA0064 warning when I am trying the violations code from the 5350 and 5351. Why isn’t it loading the rules?

    CA0064 : No analysis was performed because the specified rule set could not be loaded or did not contain any managed code analysis rules.

    1. rodrigo.js says:

      Hey Pradip, someone also had the same issue earlier. I did add a new ruleset copy, which fixed the issue for the other dev, so I’m wondering if maybe you could try to re-download the ruleset and run it again? Just to let you know, with Roslyn analyzers, you’ll get quite a few rich analyzers, but the ones we’re mainly focused on are few and you can enable them manually by editing your ruleset. Just make sure to enable the ones we mentioned in the blog and you should be good. Please let me know how it goes.

  4. Pradip says:

    I am not able to find 3075, 3076, 3077 in the list. Are they removed ?

    1. rodrigo.js says:

      We submitted the analyzers to the Microsoft Developer Division folks, and they were planning on releasing these checks soon. Hang tight and you should see an updated package soon with the 3 analyzers included.

      1. Pradip says:

        Thanks Rodrigo.

  5. LocTeam says:

    Does it work in Visual Studio 2015 only?

      1. jlo says:

        I get the warning : CA0064 : No analysis was performed because the specified rule set could not be loaded or did not contain any managed code analysis rules.
        I have downloaded https://msdnshared.blob.core.windows.net/media/2016/03/Microsoft-Security-Recommended.txt and renamed to Microsoft-Security-Recommended.ruleset.
        I have installed the nuget package by package manager console (for some reason it is not visible in “manage packages for solution”)
        Is there some requirement between the lines? Any prereqs? Specific project type? Mine is a console app. Specific .NET version?

      2. rodrigo.js says:

        Hey jlo, apologies for the wait. Your request was filtered erroneously and marked as spam. Thanks for reaching out to us. The issue is that the ruleset was missing quite a few warnings, so it threw the error you saw. Can you please try running the ruleset I just uploaded to the post and see if that solves your issue? I look forward to hearing from you!

      3. jlo says:

        I have redownloaded the file, but still got the same error. Then I have updated Desktop.Analyzers to version 1.2 beta and now I get an additional error. Maybe there is a clue what is wrong in my case? I’m using VS2015 professional edition.
        1>CSC : warning AD0001: Analyzer ‘Desktop.Analyzers.DoNotCatchCorruptedStateExceptionsAnalyzer’ threw an exception of type ‘System.InvalidOperationException’ with message ‘Feature ‘IOperation’ is disabled.’.
        1> Running Code Analysis…
        1>MSBUILD : warning : CA0064 : No analysis was performed because the specified rule set could not be loaded or did not contain any managed code analysis rules.
        1> Code Analysis Complete — 0 error(s), 1 warning(s)

      4. jlo says:

        I have read other comments and finally I was able to make it work, here are my findings:
        1) The updated ruleset didn’t help because rule ids other than those from Desktop.Analyzers have to be under a different RuleSet element, like:

        2) warning : CA0064 : No analysis was performed… occurs when not a single rule from Managed Binary Analysis is selected. To fix it, after a rule set is selected, press Open, select anything under the “Managed Binary Analysis” group and press Save.

        However I have some questions:

        I see only CA2153, CA5350, and CA5351 under Desktop.CSharp.Analyzers. Where is CA3075 and others?

        I have added these lines to my program, but I get only a single warning about RC2. Why doesn’t it warn about MD5 and SHA1 usage as documented?
        var hashAlg = MD5.Create();
        var encAlg = RC2.Create();
        var hashAlg2 = SHA1.Create();

      5. jlo says:

        I was able to get more warning options available after upgrading to Desktop.Analyzers 1.2 beta2, but the question about md5 is still valid.
