From c79ea6b2b46d06c93fb93af74b66f4b9ee8cd9a0 Mon Sep 17 00:00:00 2001
From: Eredis Gutierrez
Date: Wed, 16 Jun 2021 16:24:19 -0400
Subject: [PATCH 1/8] Create LICENSE
---
LICENSE | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
create mode 100644 LICENSE
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..584ffff
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2021 code-ql-testing
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
From 67707e99904b5b8f17746d983e476884507af52b Mon Sep 17 00:00:00 2001
From: Will Gorman
Date: Fri, 18 Jul 2025 10:40:48 -0400
Subject: [PATCH 2/8] Update DataAccess.cs
---
DataAccess.cs | 1 +
1 file changed, 1 insertion(+)
diff --git a/DataAccess.cs b/DataAccess.cs
index 4a3ccbd..0536605 100644
--- a/DataAccess.cs
+++ b/DataAccess.cs
@@ -49,6 +49,7 @@ private void PopulateUsers() _users.Add("user2", "password2"); _users.Add("user3", "password3"); _users.Add("user4", "password4"); + _users.Add("user5", "password5"); } } From faeaa5f684063534fdec01241376815f14f25182 Mon Sep 17 00:00:00 2001 From: Will Gorman Date: Fri, 18 Jul 2025 10:45:49 -0400 Subject: [PATCH 3/8] Update codeql-analysis.yml --- .github/workflows/codeql-analysis.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 6225b01..5544ec2 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -33,7 +33,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v1 + uses: github/codeql-action/init@v2 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -44,7 +44,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v1 + uses: github/codeql-action/autobuild@v2 # ℹ️ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -58,4 +58,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 + uses: github/codeql-action/analyze@v2 From 4afb0ba296664240c0e788da4092887962fee7f6 Mon Sep 17 00:00:00 2001 From: Will Gorman Date: Fri, 18 Jul 2025 10:50:23 -0400 Subject: [PATCH 4/8] Update codeql-analysis.yml --- .github/workflows/codeql-analysis.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 5544ec2..d435204 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
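Review bot: The added `_users.Add("user5", "password5");` extends a hard-coded plaintext credential table, and the `IsValidUser` context visible in the last patch of this series compares the stored string directly with `==`, so every entry here is a literal secret committed to source. Given the repository name and the `// BAD:` CodeQL query links elsewhere in the series these entries are presumably deliberate fixtures, but nothing in `PopulateUsers` says so; a comment above the seeded entries such as `// Seed data for CodeQL alert fixtures only — plaintext credentials are intentional` would keep the pattern from being copied as if it were production code. If these entries are ever meant to be real, store a salted hash (e.g. `Rfc2898DeriveBytes.Pbkdf2`) and compare with `CryptographicOperations.FixedTimeEquals` instead of `==`. `PopulateUsers` starts outside the hunk.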
@@ -29,11 +29,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v3 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -44,7 +44,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@v3 # ℹ️ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -58,4 +58,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@v3 From 929fb2763d00c4d99ec61ee8c9ba8e1b8a89f530 Mon Sep 17 00:00:00 2001 From: Will Gorman Date: Fri, 18 Jul 2025 11:00:17 -0400 Subject: [PATCH 5/8] Update Program.cs --- Program.cs | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/Program.cs b/Program.cs index 57dc255..0902c2b 100644 --- a/Program.cs +++ b/Program.cs @@ -1,4 +1,6 @@ using System; +using System.Security.Cryptography; +using System.Web.Security; namespace CodeQLAlertTrigger { @@ -30,4 +32,13 @@ static void Main(string[] args) } } + + string GeneratePassword() + { + // https://codeql.github.com/codeql-query-help/csharp/cs-insecure-randomness/ + // BAD: Password is generated using a cryptographically insecure RNG + Random gen = new Random(); + string password = "mypassword" + gen.Next(); + return password; + } } From 9dd4c7be3992be532f301054668f3d5492ea67cb Mon Sep 17 00:00:00 2001 From: Will Gorman Date: Fri, 18 Jul 2025 11:03:12 -0400 Subject: [PATCH 6/8] Update Program.cs --- Program.cs | 2 -- 1 file changed, 2 deletions(-) diff --git a/Program.cs b/Program.cs index 0902c2b..c96f95e 100644 
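Review bot: `GeneratePassword()` in the second Program.cs hunk of patch 5 is placed after the class's closing brace, directly under `namespace CodeQLAlertTrigger`, and C# does not allow a method as a namespace member, so that hunk does not compile as written; the method needs to move inside the class, before its closing `}`. The two `using` directives added in the first hunk, `System.Security.Cryptography` and `System.Web.Security`, are not referenced by the added code, and `System.Web.Security` is only available on the full .NET Framework, so they should be dropped unless a later change uses them. The class body and `Main` start outside the hunk, so the brace nesting is inferred from the hunk's trailing `}` lines.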
--- a/Program.cs +++ b/Program.cs @@ -1,6 +1,4 @@ using System; -using System.Security.Cryptography; -using System.Web.Security; namespace CodeQLAlertTrigger { From 7325b6a5428cb4286b9aa861c60f1768d61c13a3 Mon Sep 17 00:00:00 2001 From: Will Gorman Date: Fri, 18 Jul 2025 11:05:54 -0400 Subject: [PATCH 7/8] Update Program.cs --- Program.cs | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/Program.cs b/Program.cs index c96f95e..cf66af7 100644 --- a/Program.cs +++ b/Program.cs @@ -29,14 +29,15 @@ static void Main(string[] args) } + + string GeneratePassword() + { + // https://codeql.github.com/codeql-query-help/csharp/cs-insecure-randomness/ + // BAD: Password is generated using a cryptographically insecure RNG + Random gen = new Random(); + string password = "mypassword" + gen.Next(); + return password; + } } - string GeneratePassword() - { - // https://codeql.github.com/codeql-query-help/csharp/cs-insecure-randomness/ - // BAD: Password is generated using a cryptographically insecure RNG - Random gen = new Random(); - string password = "mypassword" + gen.Next(); - return password; - } } From 77ced4f6552a2fedd687b94c11adf72b51630c2a Mon Sep 17 00:00:00 2001 From: Will Gorman Date: Fri, 18 Jul 2025 12:06:07 -0400 Subject: [PATCH 8/8] Update DataAccess.cs --- DataAccess.cs | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/DataAccess.cs b/DataAccess.cs index 0536605..e7c5292 100644 --- a/DataAccess.cs +++ b/DataAccess.cs @@ -26,6 +26,15 @@ public bool IsValidUser(string username, string password) return _users[username] == password; } + string GeneratePassword() + { + // https://codeql.github.com/codeql-query-help/csharp/cs-insecure-randomness/ + // BAD: Password is generated using a cryptographically insecure RNG + Random gen = new Random(); + string password = "mypassword" + gen.Next(); + return password; + } + private void PopulateUsers() { try
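Review bot: The relocated `GeneratePassword()` in patch 7 is a private instance method in a class whose only visible member is `static void Main`, so nothing in view can call it; it is an intentional cs/insecure-randomness fixture (the `// BAD:` comment and query link say so) that patch 8 then copies verbatim into DataAccess.cs. Two identical copies of a deliberately insecure snippet double the chance one is later mistaken for real code; if one alert is enough, keep a single copy, and in either file make the intent explicit with a doc comment above the method, e.g. `/// <summary>Deliberate CodeQL fixture (cs/insecure-randomness): System.Random is not a CSPRNG and its output is predictable; a real implementation would use RandomNumberGenerator.</summary>`. Marking it `private static` would also make the unreachability explicit rather than leaving an instance method that no instance ever calls. The enclosing class and namespace start outside the hunk.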