microsoft / infersharpaction


About Infer# is an interprocedural and scalable static code analyzer for C#. Via the capabilities of Facebook's Infer, this tool detects null dereferences, resource leaks, and thread-safety violations. It also performs taint flow tracking to detect critical security vulnerabilities like SQL injections.

License: MIT License

Dockerfile 5.16% Shell 94.84%

infersharpaction's Introduction

Infer# GitHub Action

Infer# is an interprocedural and scalable static code analyzer for C#. Via the capabilities of Facebook's Infer, this tool detects race conditions, null dereferences and resource leaks. It also performs taint flow tracking to detect critical security vulnerabilities like SQL injections. Its source code can be found here.

Sample Report

Usage

Option 1 - Uploading SARIF output to GitHub

- name: Run Infer#
  uses: microsoft/[email protected]
  id: runinfersharp
  with:
    binary-path: '<path to the binary directory containing .dlls and .pdbs>'

- name: Upload SARIF output to GitHub Security Center
  uses: github/codeql-action/upload-sarif@v2
  with:
    sarif_file: infer-out/report.sarif

You can view and manage the results at the Security tab -> Code scanning alerts. For example, if an alert is a false positive, you can dismiss it. Next time code scanning runs, the same code won't generate an alert. For all supported features, please see GitHub Docs on managing alerts.

Option 2 - Displaying results directly in workflow logs

- name: Run Infer#
  uses: microsoft/[email protected]
  id: runinfersharp
  with:
    binary-path: '<path to the binary directory containing .dlls and .pdbs>'

- name: Infer# analysis results
  run: cat infer-out/report.txt

Option 3 - Uploading results as an artifact

- name: Run Infer#
  uses: microsoft/[email protected]
  id: runinfersharp
  with:
    binary-path: '<path to the binary directory containing .dlls and .pdbs>'

- name: Upload Infer# report as an artifact
  uses: actions/upload-artifact@v2
  with:
    name: report
    path: infer-out/report.txt

Parameters

binary-path

Required. Path to the binary directory containing .dlls and .pdbs.

github-sarif

Optional. If set to true, addresses issue #51.

optional-flags

Optional. See https://fbinfer.com/docs/man-infer-run/#OPTIONS for the complete list of flags accepted by infer run.

You can concatenate multiple flags with space.

Limitations

  • GitHub does not currently support Linux containers hosted on Windows; your CI pipeline must run on Linux. If it doesn't, you may still apply the analyzer by creating a dependent workflow which transports the binaries to a Linux host on which to run the analysis.

  • If the project is too large, the analysis may time out.

  • The analyzer may report warnings outside of your own code. This is because it runs on all input .pdbs, including those belonging to third-party library references. To prevent this, isolate the desired binaries in the input binary-path directory.
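The last limitation above asks you to put only your own binaries into the binary-path directory. The following is an added example (not part of the infersharpaction project) of a small Python script that stages first-party .dll/.pdb pairs into a clean directory before the action runs; the build-output directory, the `Contoso.` name prefix and the file names in the constructed layout are assumptions for illustration.

```python
"""Stage only first-party assemblies for Infer# so third-party .pdbs are not scanned.

Added example, not part of the infersharpaction project. The build directory,
the assembly prefixes and the constructed file layout are assumptions.
"""
import shutil
import tempfile
from pathlib import Path


def select_first_party(bin_dir, prefixes):
    """Return the .dll files under bin_dir whose name starts with one of
    `prefixes` and which have a .pdb beside them. Assemblies without a .pdb
    are skipped: Infer# runs on the input .pdbs, so a .dll without one adds
    nothing, while a third-party .pdb would produce alerts outside your code."""
    bin_dir = Path(bin_dir)
    chosen = []
    for dll in sorted(bin_dir.glob("*.dll")):
        if not dll.name.startswith(tuple(prefixes)):
            continue
        if dll.with_suffix(".pdb").is_file():
            chosen.append(dll)
    return chosen


def stage_binaries(bin_dir, out_dir, prefixes):
    """Copy each selected .dll and its .pdb into out_dir (recreated from
    scratch) and return the staged file names; out_dir is what goes into
    the action's binary-path input."""
    out_dir = Path(out_dir)
    if out_dir.exists():
        shutil.rmtree(out_dir)
    out_dir.mkdir(parents=True)
    staged = []
    for dll in select_first_party(bin_dir, prefixes):
        for src in (dll, dll.with_suffix(".pdb")):
            shutil.copy2(src, out_dir / src.name)
            staged.append(src.name)
    return staged


def build_constructed_layout(root):
    """Create a fake build output (constructed for this example, empty files)
    mixing first-party assemblies with third-party ones, some with .pdbs."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    for name in (
        "Contoso.Web.dll", "Contoso.Web.pdb",
        "Contoso.Core.dll", "Contoso.Core.pdb",
        "Contoso.Tools.dll",                          # no .pdb: skipped
        "Newtonsoft.Json.dll", "Newtonsoft.Json.pdb",  # third party: skipped by prefix
        "System.Text.Json.dll",
    ):
        (root / name).write_bytes(b"")
    return root


def demo():
    """Stage the constructed layout in a temporary directory and return
    (staged file names, file names actually present in the output directory)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = build_constructed_layout(Path(tmp) / "bin")
        out = Path(tmp) / "infer-input"
        staged = stage_binaries(src, out, ["Contoso."])
        return staged, sorted(p.name for p in out.iterdir())


if __name__ == "__main__":
    print(demo()[0])
```

In a workflow this would run as a step between the build and the Infer# step, with `binary-path` pointed at the staging directory rather than at the full build output.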

Troubleshooting

  • Please see here for troubleshooting tips.

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

infersharpaction's People

Contributors

christopher-watanabe-snkeos, matjin, microsoftopensource, workgroupengineering, xi-liu-ds, xinshimsft


infersharpaction's Issues

Unable to upload "infer-out/report.sarif" as it is not valid SARIF - startColumn/startLine must have a minimum value of 1

After running the microsoft/[email protected] action and trying to upload the report generated to GitHub using the github/codeql-action/upload-sarif@v2 action the following error is displayed:

**Stack trace**


Unable to upload "infer-out/report.sarif" as it is not valid SARIF:
Error details: instance.runs[0].results[1].codeFlows[0].threadFlows[0].locations[2].location.physicalLocation.region.startColumn must have a minimum value of 1
  {
    "property": "instance.runs[0].results[1].codeFlows[0].threadFlows[0].locations[2].location.physicalLocation.region.startColumn",
    "message": "must have a minimum value of 1",
    "schema": {
      "description": "The column number of the first character in the region.",
      "type": "integer",
      "minimum": 1
    },
    "name": "minimum",
    "argument": 1,
    "stack": "instance.runs[0].results[1].codeFlows[0].threadFlows[0].locations[2].location.physicalLocation.region.startColumn must have a minimum value of 1"
  }

This also happens for the following JSON Path: instance.runs.results.locations.physicalLocation.region.startLine, for example.

To bypass this error we have a temporary workaround:

  1. run Infer tool using microsoft/[email protected] action
  2. run a custom step to fix SARIF report
  3. upload the resulting report (from previous step) into GitHub using github/codeql-action/upload-sarif@v2 action.

The custom step in 2. just checks whether the properties having trouble have a value equal to zero and, if so, overwrites them with 1, then saves a new report with the overwritten values.

An example of the SARIF report generated with this kind of errors:

{
  "$schema": "http://json.schemastore.org/sarif-2.1.0-rtm.5",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "Infer",
          "informationUri": "https://github.com/facebook/infer",
          "version": "1.1.0",
          "rules": [
            {
              "id": "PULSE_RESOURCE_LEAK",
              "shortDescription": {
                "text": "Pulse Resource Leak"
              },
              "helpUri": "https://fbinfer.com/docs/next/all-issue-types#pulse_resource_leak"
            }
          ]
        }
      },
      "results": [
        {
          "message": {
            "text": "Resource dynamically allocated by constructor (...) on line 16 is not closed after the last access at line 16, column 15."
          },
          "level": "error",
          "ruleId": "PULSE_RESOURCE_LEAK",
          "codeFlows": [...],
          "locations": [...]
        },
        {
          "message": {
            "text": "Resource dynamically allocated by constructor (...) on line 56 is not closed after the last access at line 16707566, column 0."
          },
          "level": "error",
          "ruleId": "PULSE_RESOURCE_LEAK",
          "codeFlows": [
            {
              "threadFlows": [
                {
                  "locations": [ 
                    {},
                    {},
                    {
                      "nestingLevel": 0,
                      "location": {
                        "physicalLocation": {
                          "artifactLocation": {
                            "uri": "Something.cs",
                            "uriBaseId": "Something.cs"
                          },
                          "region": {
                            "startLine": 16707566,
                            "startColumn": 0
                          }
                        },
                        "message": {
                          "text": "memory becomes unreachable here"
                        }
                      }
                    }
                  ]
                }
              ]
            }
          ],
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                    "uri": "Something.cs",
                    "uriBaseId": "Something.cs"
                },
                "region": {
                  "startLine": 16707566,
                  "startColumn": 0
                }
              }
            }
          ]
        }
      ]
    }
  ]
}
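The workaround described in this issue, as an added example (not the project's code and not the reporter's script): a Python step that rewrites every SARIF region value below 1 to 1, or alternatively drops the results whose primary location is invalid, so that the upload-sarif step accepts the file. The sample document embedded in it is constructed from the report quoted above, and the file names in the usage text (fix_sarif.py, infer-out/report.sarif) are assumptions.

```python
"""Sanitize an Infer# SARIF report so GitHub's upload-sarif step accepts it.

Added example, not part of the infersharpaction project. SARIF 2.1.0 requires
region line/column values to be >= 1; this script either clamps offending
values to 1 (the workaround from the issue) or drops the affected results.
"""
import copy
import json
import sys

# Region properties that the SARIF schema constrains to a minimum of 1.
REGION_KEYS = ("startLine", "startColumn", "endLine", "endColumn")


def _clamp_regions(node, counter):
    """Visit every `region` object anywhere under `node` (primary locations,
    related locations, code-flow locations) and raise values below 1 to 1.
    `counter[0]` accumulates how many values were rewritten."""
    if isinstance(node, dict):
        region = node.get("region")
        if isinstance(region, dict):
            for key in REGION_KEYS:
                value = region.get(key)
                if isinstance(value, int) and value < 1:
                    region[key] = 1
                    counter[0] += 1
        for child in node.values():
            _clamp_regions(child, counter)
    elif isinstance(node, list):
        for child in node:
            _clamp_regions(child, counter)


def _primary_location_invalid(result):
    """True when one of the result's own `locations` carries a region value < 1."""
    for loc in result.get("locations", []):
        region = loc.get("physicalLocation", {}).get("region", {})
        if any(isinstance(region.get(k), int) and region[k] < 1 for k in REGION_KEYS):
            return True
    return False


def sanitize_sarif(sarif, drop_invalid_results=False):
    """Return (fixed_document, patched_value_count, dropped_result_count).

    The input document is left untouched. With drop_invalid_results=True,
    results whose primary location is invalid are removed before clamping, so
    findings with no usable position never reach the Security tab."""
    doc = copy.deepcopy(sarif)
    dropped = 0
    if drop_invalid_results:
        for run in doc.get("runs", []):
            results = run.get("results", [])
            kept = [r for r in results if not _primary_location_invalid(r)]
            dropped += len(results) - len(kept)
            run["results"] = kept
    counter = [0]
    _clamp_regions(doc, counter)
    return doc, counter[0], dropped


# Constructed sample modelled on the report quoted in the issue, not real scan
# output: the second result has startColumn 0 both in its code flow and in its
# primary location.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Infer"}},
        "results": [
            {"ruleId": "PULSE_RESOURCE_LEAK", "level": "error",
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "Something.cs"},
                 "region": {"startLine": 16, "startColumn": 15}}}]},
            {"ruleId": "PULSE_RESOURCE_LEAK", "level": "error",
             "codeFlows": [{"threadFlows": [{"locations": [
                 {"location": {"physicalLocation": {
                     "artifactLocation": {"uri": "Something.cs"},
                     "region": {"startLine": 16707566, "startColumn": 0}}}}]}]}],
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "Something.cs"},
                 "region": {"startLine": 16707566, "startColumn": 0}}}]},
        ],
    }],
}


def main(argv):
    """CLI: fix_sarif.py <in.sarif> <out.sarif> [--drop] (file names are assumed)."""
    if len(argv) < 3:
        print("usage: fix_sarif.py <in.sarif> <out.sarif> [--drop]", file=sys.stderr)
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        sarif = json.load(fh)
    fixed, patched, dropped = sanitize_sarif(sarif, drop_invalid_results="--drop" in argv)
    with open(argv[2], "w", encoding="utf-8") as fh:
        json.dump(fixed, fh, indent=2)
    print(f"patched {patched} region value(s), dropped {dropped} result(s)")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a workflow it would run between the Infer# step and the upload step, for example `python fix_sarif.py infer-out/report.sarif infer-out/report.fixed.sarif`, with `sarif_file` pointed at the fixed file. Clamping keeps every finding but pins the bogus ones to line 1 of the file; dropping loses them, but a location such as line 16707566, column 0 is not one a reviewer can act on anyway, so `--drop` is the safer default for a gate that people are expected to triage.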

Unable to get job output

I tried

- name: Run Infer#
  id: runinfersharp
  uses: microsoft/[email protected]
  with:
      binary-path: .
- name: Write Infer# analysis results
  run: echo "${{join(steps.runinfersharp.outputs.*, '\n')}}" >> report.txt

Doesn't work.

Exception while analyzing a project: Cilsil.Services.ServiceExecutionException: Popping on empty stack at method

I added infer# to my project as a GitHub action.

There are lots of messages like "Unable to parse instruction xxx" and "More than two space-separated tokens in xxx", and there is one exception at the end:

Unhandled exception: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> Cilsil.Services.ServiceExecutionException: Popping on empty stack at method: System.Void modreq(System.Runtime.CompilerServices.IsExternalInit) modreq(System.Runtime.CompilerServices.IsExternalInit) Meziantou.Framework.StronglyTypedId.StronglyTypedIdSourceGenerator$StronglyTypedStruct::set_ContainingSymbol(Microsoft.CodeAnalysis.ISymbol) instruction: IL_0007: ret location: Line 978
   at Cilsil.Utils.ProgramState.Pop() in /app/Cilsil/Utils/ProgramState.cs:line 241
   at Cilsil.Cil.Parsers.RetParser.ParseCilInstructionInternal(Instruction instruction, ProgramState state) in /app/Cilsil/Cil/Parsers/RetParser.cs:line 18
   at Cilsil.Cil.Parsers.InstructionParser.ParseCilInstruction(Instruction instruction, ProgramState state) in /app/Cilsil/Cil/Parsers/InstructionParser.cs:line 84
   at Cilsil.Services.CfgParserService.ComputeMethodCfg(MethodDefinition method) in /app/Cilsil/Services/CfgParserService.cs:line 113
   at Cilsil.Services.CfgParserService.Execute() in /app/Cilsil/Services/CfgParserService.cs:line 49
   at Cilsil.Program.ExecuteTranslation(String[] paths, String printprocs) in /app/Cilsil/Program.cs:line 123
   at Cilsil.Program.Translate(String[] paths, String printprocs, String outcfg, String cfgtxt, String outtenv, String dot) in /app/Cilsil/Program.cs:line 95
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor, Boolean wrapExceptions)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at System.Delegate.DynamicInvokeImpl(Object[] args)
   at System.CommandLine.Invocation.ModelBindingCommandHandler.InvokeAsync(InvocationContext context)
   at System.CommandLine.Invocation.InvocationPipeline.<>c__DisplayClass2_0.<<InvokeAsync>b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.CommandLine.Invocation.InvocationExtensions.<>c.<<UseParseErrorReporting>b__16_0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.CommandLine.Invocation.InvocationExtensions.<>c__DisplayClass8_0.<<UseTypoCorrections>b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.CommandLine.Invocation.InvocationExtensions.<>c.<<UseSuggestDirective>b__7_0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.CommandLine.Invocation.InvocationExtensions.<>c.<<UseParseDirective>b__6_0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.CommandLine.Invocation.InvocationExtensions.<>c.<<UseHelp>b__14_0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass3_0.<<UseVersionOption>b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.CommandLine.Invocation.InvocationExtensions.<>c.<<RegisterWithDotnetSuggest>b__17_0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.CommandLine.Invocation.InvocationExtensions.<>c__DisplayClass5_0.<<UseExceptionHandler>b__0>d.MoveNext()

Is there something wrong in my CI or is it a bug in infer#?

Redundant files

There are redundant source-related files inside your Docker image. For example, the .git folder (which has all tracked sources).

Feature request: SARIF format support

Hello dear community,

It seems that at the moment the output format of the GitHub action is hard-coded to txt. It would be more valuable to support a SARIF option as well, as this is the main format for GitHub Security Center support.

As far as I can see both Infer and Infer# support this as an option; however, it is not exposed as part of this action. It could for sure be added to the script that is used under the hood of the action.

I would propose this feature to be added to the GitHub action as it will bring a lot of value to the consumers.

Thanks.

Suggestion: record a link to third party libraries if they are available

I have one example of code scan results that point to a third-party library. The results can be seen at https://github.com/lumoin/Verifiable/pull/48/checks?check_run_id=4552813964.

Clicking on one of them shows the library and path, e.g. https://github.com/lumoin/Verifiable/security/code-scanning/52?query=ref%3Arefs%2Fpull%2F48%2Fmerge+ref%3Arefs%2Fpull%2F48%2Fhead+ref%3Arefs%2Fheads%2Fadd-infersharp.

This is likely a long shot, but it occurred to me that I could record it as a suggestion: link to third-party repositories if the source is available (e.g. via Source Link or via search APIs).

Here is also a screenshot in case the links become unavailable in the future.
[screenshot]

Planning to upgrade logo on GitHub Marketplace to Microsoft logo by end of May 2021

Where are the binary files supposed to be

Hello,

I've just tested the GitHub Action with this piece of code:

- name: Run Infer#
  uses: microsoft/[email protected]
  id: runinfersharp
  with:
    binary-path: ${{ env.PUBLISH_WEBSITE }}
- name: Infer# analysis results
  run: echo "${{ steps.runinfersharp.outputs.results }}"

- name: Zip Website
  run: pushd ${{ env.PUBLISH_WEBSITE }}; zip -r ${{ env.PUBLISH_WEBSITE_ZIP }} .; popd

Where ${{ env.PUBLISH_WEBSITE }} equals:

env:
  BUILD_CONFIGURATION: Release
  PUBLISH_WEBSITE: ${{ github.workspace }}/artifacts/Website

Looking at the logs I have this error:

cp: cannot stat '/home/runner/work/MyWebsite/MyWebsite/artifacts/Website': No such file or directory
Timed out methods: 0
Unknown instructions:

I'm sure the DLLs are there and the directory exists, because this is the pipeline I use to deploy my web app.

Have I missed something from the doc?

Analyzer fails to build container

When trying to use this action I get the following:

Build container for action use: '/home/runner/work/_actions/microsoft/CSharpCodeAnalyzer/v0.1-beta/Dockerfile'.
/usr/bin/docker build -t 3888d3:59e75f2b20424588af762728dae4f8b8 -f "/home/runner/work/_actions/microsoft/CSharpCodeAnalyzer/v0.1-beta/Dockerfile" "/home/runner/work/_actions/microsoft/CSharpCodeAnalyzer/v0.1-beta"
pull access denied for xinshi/csharpcodeanalyzer, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
Sending build context to Docker daemon  60.93kB

Step 1/3 : FROM xinshi/csharpcodeanalyzer:3721994-g1f43701f1f1b62a54e21600c4b3bf788082d64c2
##[warning]Docker build failed with exit code 1, back off 7.787 seconds before retry.
/usr/bin/docker build -t 3888d3:59e75f2b20424588af762728dae4f8b8 -f "/home/runner/work/_actions/microsoft/CSharpCodeAnalyzer/v0.1-beta/Dockerfile" "/home/runner/work/_actions/microsoft/CSharpCodeAnalyzer/v0.1-beta"
Sending build context to Docker daemon  60.93kB

pull access denied for xinshi/csharpcodeanalyzer, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
Step 1/3 : FROM xinshi/csharpcodeanalyzer:3721994-g1f43701f1f1b62a54e21600c4b3bf788082d64c2
##[warning]Docker build failed with exit code 1, back off 9.625 seconds before retry.
/usr/bin/docker build -t 3888d3:59e75f2b20424588af762728dae4f8b8 -f "/home/runner/work/_actions/microsoft/CSharpCodeAnalyzer/v0.1-beta/Dockerfile" "/home/runner/work/_actions/microsoft/CSharpCodeAnalyzer/v0.1-beta"
Sending build context to Docker daemon  60.93kB

Step 1/3 : FROM xinshi/csharpcodeanalyzer:3721994-g1f43701f1f1b62a54e21600c4b3bf788082d64c2
pull access denied for xinshi/csharpcodeanalyzer, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
##[error]Docker build failed with exit code 1
