ASP.NET and FxCop
Does anybody have a guide on what FxCop rules should be enabled/disabled when analyzing an ASP.NET Application?
Thanks!
I'm not aware of any guides, but in general you may encounter violations that simply cannot be fixed because of ASP.NET's bizarre design. Newer versions of FxCop are better about special-casing ASP.NET situations.
For now, when you run into unfixable issues, you can either exclude them, or, if it's particularly annoying, disable the rule. It might be best to move all your business logic into a Class Library project so you can leave the full FxCop suite enabled at least against that part.
-Ryan / Kardax
FxCop was originally designed for reusable libraries and has tended to fire many, many false positives against ASP.NET binaries. We've enabled code analysis for web apps in VS2005 Developer, however, and as part of that work we've made a significant pass through the rule set in order to eliminate noise. We completed a few outstanding work items just yesterday. The result is that the next version of FxCop (1.34) will return a much more focused result set when targeting Web Apps. This noise reduction will occur only on v2.0 of the framework, btw, due to our dependency on a new CLR attribute (GeneratedCodeAttribute) that helps identify wizard or otherwise auto-generated code.
There is only one rule in FxCop, currently, that was written with web apps in mind and it is the security check 'Review Sql queries for security vulnerabilities'. We hope to greatly increase our web app analysis capabilities in the next version of VS.
Michael Fanning
MS Development: VSTS Code Analysis/FxCop
Hello!
I'm working on a presentation for DevDays about security.
I want to show how senior developers can minimize the attack surface with tools such as FxCop. (I have the latest version installed, and ASP.NET 2.0.)
I copied the code from the ''Review Sql queries for security vulnerabilities'' rule and made small changes. The exception didn't fire, but the vulnerability exists!
What should I do to make this rule fire?
using System;
using System.Data.SqlClient;

public partial class _Default : System.Web.UI.Page{
    protected void Page_Load(object sender, EventArgs e){
    }

    protected void Button1_Click(object sender, EventArgs e){
        labelResult.Text = tbQuery.Text;
        DoQuery(tbQuery.Text);
    }

    public void DoQuery(string queryString){
        SqlConnection someConnection = new SqlConnection(@"Data Source=.\sqlexpress;Initial Catalog=Werp;Integrated Security=True;Pooling=False");
        SqlCommand someCommand = new SqlCommand();
        someCommand.Connection = someConnection;
        // User input is concatenated straight into the command text: this is the injection the rule is meant to flag.
        someCommand.CommandText =
            "SELECT LastName FROM Employees " + "WHERE FirstName='" + queryString + "'";
        someConnection.Open();
        SqlDataReader reader = someCommand.ExecuteReader();
        while (reader.Read()){
            Response.Write("<li>" + reader[0]);
        }
        someConnection.Close();
    }
}
I simplified the example and moved the method to the Class Library.
The rule doesn't fire for such a simple method either.
using System;
using System.Collections.Generic;
using System.Data.SqlClient;
public List<String> DoQuery(string query){
    SqlConnection someConnection = new SqlConnection(@"Data Source=.\sqlexpress;Initial Catalog=Werp;Integrated Security=True;Pooling=False");
    SqlCommand someCommand = new SqlCommand();
    someCommand.Connection = someConnection;
    // Both occurrences of 'query' are concatenated unescaped into the SQL text (the closing quote was a '"' char literal in the original post, which would break the SQL; fixed to "'").
    someCommand.CommandText =
        "SELECT LastName FROM Employees " + "WHERE FirstName='" + query + "' OR LastName ='" + query + "'";
    someConnection.Open();
    SqlDataReader reader = someCommand.ExecuteReader();
    List<String> result = new List<string>();
    while (reader.Read()) result.Add(reader[0].ToString());
    someConnection.Close();
    return result;
}
But the method _WITHOUT_ a generic collection works fine. Does VisitCall work for methods with generic types?
Actually, I had installed FxCop from the Windows Vista SDK February CTP.
I reinstalled FxCop, taken from GotDotNet (RC1), and no, it doesn't catch the vulnerability with generics inside.
Here is the sample. The SQL Injection rule fires only for the DoQuery method.
using System;
using System.Collections;
using System.Collections.Generic;
using System.Data.SqlClient;

public static class MyService{
    private static string connection = @"Data Source=.\sqlexpress;Initial Catalog=Werp;Integrated Security=True;Pooling=False";

    // Returns a plain string[]: FxCop reports the SQL injection here.
    public static string[] DoQuery(string query){
        SqlConnection someConnection = new SqlConnection(connection);
        SqlCommand someCommand = new SqlCommand();
        someCommand.Connection = someConnection;
        someCommand.CommandText =
            "SELECT LastName FROM Employees " + "WHERE FirstName='" + query + "'";
        someConnection.Open();
        SqlDataReader reader = someCommand.ExecuteReader();
        ArrayList result = new ArrayList();
        while (reader.Read()){
            result.Add(reader[0]);
        }
        someConnection.Close();
        return (string[])result.ToArray(typeof(String));
    }

    // Identical query, but returns List<String>: the rule stays silent here.
    public static List<String> DoQuery1(string query){
        SqlConnection someConnection = new SqlConnection(connection);
        SqlCommand someCommand = new SqlCommand();
        someCommand.Connection = someConnection;
        someCommand.CommandText =
            "SELECT LastName FROM Employees " + "WHERE FirstName='" + query + "'";
        someConnection.Open();
        SqlDataReader reader = someCommand.ExecuteReader();
        List<String> result = new List<string>();
        while (reader.Read()){
            result.Add(reader[0].ToString());
        }
        someConnection.Close();
        return result;
    }
}
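For contrast with the concatenated DoQuery/DoQuery1 above, here is the same Employees lookup written the way the 'Review Sql queries for security vulnerabilities' rule (CA2100) is designed to accept: the command text is a compile-time constant and the user-supplied value travels as a typed SqlParameter, so it is never parsed as SQL regardless of what it contains. This is an added example, not code from the thread or from FxCop. The connection string, table and column names are taken from the posts; the class name SafeEmployeeService, the method name FindLastNames and the parameter length of 50 are assumptions.

```csharp
// Added example (not from the thread): parameterized version of the Employees lookup.
// Connection string, table and column names come from the posts; the class and method
// names and the NVarChar(50) size are assumptions made for this example.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class SafeEmployeeService
{
    private const string ConnectionString =
        @"Data Source=.\sqlexpress;Initial Catalog=Werp;Integrated Security=True;Pooling=False";

    // Constant command text: nothing supplied by the caller is ever spliced into it,
    // which is exactly the property CA2100 checks for.
    private const string LookupSql =
        "SELECT LastName FROM Employees WHERE FirstName = @firstName";

    public static List<string> FindLastNames(string firstName)
    {
        if (firstName == null) throw new ArgumentNullException("firstName");

        List<string> result = new List<string>();

        // 'using' guarantees Dispose (and therefore Close) even if ExecuteReader throws,
        // unlike the explicit Close() calls in the thread's samples.
        using (SqlConnection connection = new SqlConnection(ConnectionString))
        using (SqlCommand command = new SqlCommand(LookupSql, connection))
        {
            // The value is bound as a typed parameter; the driver sends it separately
            // from the statement, so quotes or comment markers inside it are just data.
            SqlParameter p = command.Parameters.Add("@firstName", SqlDbType.NVarChar, 50);
            p.Value = firstName;

            connection.Open();
            using (SqlDataReader reader = command.ExecuteReader())
            {
                while (reader.Read())
                {
                    // Column 0 is LastName; map a NULL to "" instead of throwing from GetString.
                    result.Add(reader.IsDBNull(0) ? string.Empty : reader.GetString(0));
                }
            }
        }
        return result;
    }
}
```

Because LookupSql is a literal, FxCop has nothing to flag in FindLastNames; calling it with a value such as "O'Brien" simply matches that first name literally, since the quote never reaches the query parser as part of the SQL text. Note that this is the same shape whether the method returns string[] or List<string>, so the generic-collection difference reported above does not arise once the input is parameterized.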