diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 6225b01..d435204 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -29,11 +29,11 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v1
+ uses: github/codeql-action/init@v3
 with:
 languages: ${{ matrix.language }}
 # If you wish to specify custom queries, you can do so here or in a config file.
@@ -44,7 +44,7 @@ jobs:
 # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
 # If this step fails, then you should remove it and run the build manually (see below)
 - name: Autobuild
- uses: github/codeql-action/autobuild@v1
+ uses: github/codeql-action/autobuild@v3
 # â„šī¸ Command-line programs to run using the OS shell.
 # 📚 https://git.io/JvXDl
@@ -58,4 +58,4 @@ jobs:
 # make release
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v1
+ uses: github/codeql-action/analyze@v3
diff --git a/DataAccess.cs b/DataAccess.cs
index 4a3ccbd..e7c5292 100644
--- a/DataAccess.cs
+++ b/DataAccess.cs
@@ -26,6 +26,15 @@ public bool IsValidUser(string username, string password)
 return _users[username] == password;
 }
+ string GeneratePassword()
+ {
+ // https://codeql.github.com/codeql-query-help/csharp/cs-insecure-randomness/
+ // BAD: Password is generated using a cryptographically insecure RNG
+ Random gen = new Random();
+ string password = "mypassword" + gen.Next();
+ return password;
+ } + + private void PopulateUsers() + { + try
@@ -49,6 +58,7 @@ private void PopulateUsers()
 _users.Add("user2", "password2");
 _users.Add("user3", "password3");
 _users.Add("user4", "password4");
+ _users.Add("user5", "password5");
 }
 }
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..584ffff
--- /dev/null
+++ b/LICENSE
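Review bot: GeneratePassword in the DataAccess.cs hunk builds the entire secret from a time-seeded System.Random value appended to the fixed prefix "mypassword", so the result is predictable and carries at most the 31 bits that Next() returns; the identical method is added again in the Program.cs hunk further down. The BAD comment suggests this is a deliberate cs-insecure-randomness fixture for CodeQL, but nothing in the hunk says so or stops a later caller using it, so I would make the intent explicit in the header, e.g. `// CodeQL fixture for cs-insecure-randomness: intentionally insecure, must never be called from production paths.` Should it ever be meant to mint a real credential, `RandomNumberGenerator` (GetInt32 or GetBytes rendered as hex/base64) is the replacement and the constant prefix should be dropped. The method is implicitly private and has no caller in this hunk; the enclosing class header is outside the hunk.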
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2021 code-ql-testing
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/Program.cs b/Program.cs
index 57dc255..cf66af7 100644
--- a/Program.cs
+++ b/Program.cs
@@ -29,5 +29,15 @@ static void Main(string[] args)
 }
+
+ string GeneratePassword()
+ {
+ // https://codeql.github.com/codeql-query-help/csharp/cs-insecure-randomness/
+ // BAD: Password is generated using a cryptographically insecure RNG
+ Random gen = new Random();
+ string password = "mypassword" + gen.Next();
+ return password;
+ } } + }
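Review bot: In the Program.cs hunk GeneratePassword is added as an instance method directly after `static void Main`; if Program is declared as a `static class`, as the usual console template does, an instance member will not compile, and even in a non-static class nothing in this hunk ever instantiates Program, so the method is unreachable. Declaring it `static string GeneratePassword()` makes it compile regardless of the class kind. The class header and the pairing of the trailing closing braces are outside or ambiguous in the hunk, so confirm against the full file.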