This repository has been archived by the owner on Sep 11, 2019. It is now read-only.

RoslynSecurityGuard.Analyzers.Taint.TaintAnalyzer #88

Open
ianp-its opened this issue Aug 29, 2017 · 12 comments

Comments

@ianp-its

ianp-its commented Aug 29, 2017

Severity: Warning
Code: AD0001
Description: Analyzer 'RoslynSecurityGuard.Analyzers.Taint.TaintAnalyzer' threw an exception of type 'System.Exception' with message 'Unhandle exception while visiting method ToggleScheduledJobs : Object reference not set to an instance of an object.'.
Project: xxxx.xxxx.Web
File: (none)
Line: 1
Suppression State: Active
Detail Description: Analyzer 'RoslynSecurityGuard.Analyzers.Taint.TaintAnalyzer' threw the following exception:
'Exception occurred with following context:
Compilation: xxxx.xxxx.Web
SyntaxTree: C:\Users\xxxx\Documents\Visual Studio 2015\Projects\xxxxx\xxxxx.xxxxx.Web\Controllers\HomeController.cs
SyntaxNode: public ActionResult ToggleScheduledJobs ... [MethodDeclarationSyntax]@[4815..5520) (142,8)-(161,9)

System.Exception: Unhandle exception while visiting method ToggleScheduledJobs : Object reference not set to an instance of an object. ---> System.NullReferenceException: Object reference not set to an instance of an object.
   at RoslynSecurityGuard.Analyzers.Taint.MethodBehaviorRepository.ExtractGenericParameterSignature(ISymbol symbol)
   at RoslynSecurityGuard.Analyzers.Taint.MethodBehaviorRepository.GetMethodBehavior(ISymbol symbol)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitInvocationAndCreation(ExpressionSyntax node, ArgumentListSyntax argList, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitMethodInvocation(InvocationExpressionSyntax node, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitExpression(ExpressionSyntax expression, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitExpressionStatement(ExpressionStatementSyntax node, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitNode(SyntaxNode node, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitNode(SyntaxNode node, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitNode(SyntaxNode node, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitNode(SyntaxNode node, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitMethodDeclaration(MethodDeclarationSyntax node, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitMethods(SyntaxNodeAnalysisContext ctx)
   --- End of inner exception stack trace ---
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitMethods(SyntaxNodeAnalysisContext ctx)
   at Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.<>c__43`1.<ExecuteSyntaxNodeAction>b__43_0(ValueTuple`2 data)
   at Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.ExecuteAndCatchIfThrows_NoLock[TArg](DiagnosticAnalyzer analyzer, Action`1 analyze, TArg argument, Nullable`1 info)
-----
System.NullReferenceException: Object reference not set to an instance of an object.
   at RoslynSecurityGuard.Analyzers.Taint.MethodBehaviorRepository.ExtractGenericParameterSignature(ISymbol symbol)
   at RoslynSecurityGuard.Analyzers.Taint.MethodBehaviorRepository.GetMethodBehavior(ISymbol symbol)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitInvocationAndCreation(ExpressionSyntax node, ArgumentListSyntax argList, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitMethodInvocation(InvocationExpressionSyntax node, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitExpression(ExpressionSyntax expression, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitExpressionStatement(ExpressionStatementSyntax node, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitNode(SyntaxNode node, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitNode(SyntaxNode node, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitNode(SyntaxNode node, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitNode(SyntaxNode node, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitMethodDeclaration(MethodDeclarationSyntax node, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitMethods(SyntaxNodeAnalysisContext ctx)
-----
'.
@antonio-cordoba

I'm getting something similar (sample pasted at the end).
I tried it on one solution with an OWIN Web API on VS 2017 Pro. The solution consists of three projects:

  1. The Web Api OWIN host.
  2. A dll to add OData to the OWIN pipeline (.Net 4.5.1 using MS AspNet.OData v6.0.0)
  3. A dll to add EF access to a Postgres database (.Net 4.5.1 using EF6 with NPGSQL v3.2.5)

Solution compiles and runs ok, but with RoslynSecurityGuard enabled I get 6 warnings on the error list regarding "Object reference not set to an instance of an object": 2 while visiting method 'IsAuthorized', 2 while visiting method 'OnAuthorization' and 2 while visiting 'Patch'.

Any suggestions? Here is a sample output for the first warning:

Warning AD0001 Analyzer 'RoslynSecurityGuard.Analyzers.Taint.TaintAnalyzer' threw an exception of type 'System.Exception' with message 'Unhandle exception while visiting method IsAuthorized : Object reference not set to an instance of an object.'. RestApi 1 Active Analyzer 'RoslynSecurityGuard.Analyzers.Taint.TaintAnalyzer' threw the following exception:

'Exception occurred with following context:
Compilation: RestApi
SyntaxTree: ...path...\RestApi\ApiConfig\ReportAuthorize.cs
SyntaxNode: protected override bool IsAuthorized ... [MethodDeclarationSyntax]@[374..1128) (14,8)-(31,9)

System.Exception: Unhandle exception while visiting method IsAuthorized : Object reference not set to an instance of an object. ---> System.NullReferenceException: Object reference not set to an instance of an object.
at RoslynSecurityGuard.Analyzers.Taint.MethodBehaviorRepository.ExtractGenericParameterSignature(ISymbol symbol)
at RoslynSecurityGuard.Analyzers.Taint.MethodBehaviorRepository.GetMethodBehavior(ISymbol symbol)
at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitInvocationAndCreation(ExpressionSyntax node, ArgumentListSyntax argList, ExecutionState state)
at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitMethodInvocation(InvocationExpressionSyntax node, ExecutionState state)
at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitExpression(ExpressionSyntax expression, ExecutionState state)
at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitExpressionStatement(ExpressionStatementSyntax node, ExecutionState state)
at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitNode(SyntaxNode node, ExecutionState state)
at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitMethodDeclaration(MethodDeclarationSyntax node, ExecutionState state)
at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitMethods(SyntaxNodeAnalysisContext ctx)
--- End of inner exception stack trace ---
at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitMethods(SyntaxNodeAnalysisContext ctx)
at Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.<>c__43`1.<ExecuteSyntaxNodeAction>b__43_0(ValueTuple`2 data)
at Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.ExecuteAndCatchIfThrows_NoLock[TArg](DiagnosticAnalyzer analyzer, Action`1 analyze, TArg argument, Nullable`1 info)

System.NullReferenceException: Object reference not set to an instance of an object.
at RoslynSecurityGuard.Analyzers.Taint.MethodBehaviorRepository.ExtractGenericParameterSignature(ISymbol symbol)
at RoslynSecurityGuard.Analyzers.Taint.MethodBehaviorRepository.GetMethodBehavior(ISymbol symbol)
at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitInvocationAndCreation(ExpressionSyntax node, ArgumentListSyntax argList, ExecutionState state)
at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitMethodInvocation(InvocationExpressionSyntax node, ExecutionState state)
at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitExpression(ExpressionSyntax expression, ExecutionState state)
at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitExpressionStatement(ExpressionStatementSyntax node, ExecutionState state)
at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitNode(SyntaxNode node, ExecutionState state)
at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitMethodDeclaration(MethodDeclarationSyntax node, ExecutionState state)
at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitMethods(SyntaxNodeAnalysisContext ctx)
'.

@ronenfe

ronenfe commented Jan 19, 2018

I got the same problem in multiple projects and solutions:

Warning AD0001 Analyzer 'RoslynSecurityGuard.Analyzers.Taint.TaintAnalyzer' threw an exception of type 'System.Exception' with message 'Unhandle exception while visiting method ... : Object reference not set to an instance of an object.'.

Does anyone know the problem?

@SJMakin
Contributor

SJMakin commented Jan 21, 2018

So I don't want to patronise you guys, as you're clearly developers, but why aren't you adding reproduction steps to your issues? How do you expect anyone to solve your problem without showing them how to get the same issue? NullReferenceExceptions are normally trivial to fix, but without knowing which line is causing the problem, or having a failing test case to investigate, it is usually just guesswork.

If you have the time to raise issues surely you can spend the extra five minutes to download the source, fire up a debugger (on the vsix project), open your solution, document the actual source of the problem and maybe even work out the solution (and submit a p/r with a fix).

@ronenfe

ronenfe commented Jan 21, 2018

I don't mind debugging if you explain to me how to run and debug the project together with the code that it's supposed to analyze.
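One way to get the failing test case asked for above, and to run the analyzer under a debugger without opening a whole solution in the VSIX: a small console harness, added here as an example and not code from the issue reporters or from the RoslynSecurityGuard project. It assumes the harness project references RoslynSecurityGuard (project reference or NuGet) and the Microsoft.CodeAnalysis.CSharp package, and that TaintAnalyzer has a parameterless constructor. The embedded sample source is constructed to mirror the shape of the openHistorian method posted later in this thread (a dynamic local assigned from Task<T>.Result); it is not known to trigger the crash, so paste the method from your own solution in its place.

```csharp
// Added example, not code from the issue reporters or from RoslynSecurityGuard.
// Runs TaintAnalyzer over an in-memory compilation so the analyzer's exception
// surfaces as a real exception (breakable in a debugger) instead of being folded
// into an AD0001 warning by Roslyn's AnalyzerExecutor.
// Assumptions: the harness references RoslynSecurityGuard and
// Microsoft.CodeAnalysis.CSharp, and TaintAnalyzer has a parameterless ctor.
using System;
using System.Collections.Immutable;
using System.Diagnostics;
using System.Runtime.ExceptionServices;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.Diagnostics;
using RoslynSecurityGuard.Analyzers.Taint;

static class TaintAnalyzerRepro
{
    // Constructed input: mirrors the shape of the openHistorian method reported
    // later in this thread (dynamic local assigned from Task<T>.Result). It is
    // not known to trigger the crash; paste the offending method from your own
    // solution here and trim it until the exception disappears.
    const string Source = @"
using System.Net.Http;
using System.Threading.Tasks;

public static class Probe
{
    static readonly string s_baseUrl = ""http://localhost/"";

    static Task<dynamic> CallAPIFunction(HttpMethod method, string url)
    {
        return Task.FromResult<dynamic>(new object());
    }

    public static bool ServerIsResponding()
    {
        try
        {
            dynamic result = CallAPIFunction(HttpMethod.Get, s_baseUrl).Result;
            return (object)result != null;
        }
        catch
        {
            return false;
        }
    }
}";

    static int Main()
    {
        var tree = CSharpSyntaxTree.ParseText(Source);

        // References the sample needs to bind. Unbound symbols are a common source
        // of null ISymbols inside analyzers, so compile errors are printed first.
        var references = new[]
        {
            MetadataReference.CreateFromFile(typeof(object).Assembly.Location),
            MetadataReference.CreateFromFile(typeof(System.Net.Http.HttpMethod).Assembly.Location),
            MetadataReference.CreateFromFile(typeof(System.Threading.Tasks.Task).Assembly.Location),
            MetadataReference.CreateFromFile(typeof(System.Runtime.CompilerServices.DynamicAttribute).Assembly.Location),
            MetadataReference.CreateFromFile(typeof(Microsoft.CSharp.RuntimeBinder.Binder).Assembly.Location),
        };

        var compilation = CSharpCompilation.Create(
            "Repro",
            new[] { tree },
            references,
            new CSharpCompilationOptions(OutputKind.DynamicallyLinkedLibrary));

        foreach (var d in compilation.GetDiagnostics())
            if (d.Severity == DiagnosticSeverity.Error)
                Console.WriteLine("sample does not compile: " + d);

        // Roslyn's default is to catch analyzer exceptions and report AD0001.
        // This callback breaks into the debugger and rethrows the inner
        // NullReferenceException with its original stack intact.
        var options = new CompilationWithAnalyzersOptions(
            new AnalyzerOptions(ImmutableArray<AdditionalText>.Empty),
            onAnalyzerException: (ex, analyzer, diagnostic) =>
            {
                if (Debugger.IsAttached) Debugger.Break();
                ExceptionDispatchInfo.Capture(ex.InnerException ?? ex).Throw();
            },
            concurrentAnalysis: false,
            logAnalyzerExecutionTime: false);

        var analyzers = ImmutableArray.Create<DiagnosticAnalyzer>(new TaintAnalyzer());
        var diagnostics = compilation
            .WithAnalyzers(analyzers, options)
            .GetAnalyzerDiagnosticsAsync()
            .GetAwaiter()
            .GetResult();

        foreach (var d in diagnostics)
            Console.WriteLine($"{d.Id} {d.Severity}: {d.GetMessage()} at {d.Location.GetLineSpan()}");

        return 0;
    }
}
```

Run it from Visual Studio with the RoslynSecurityGuard project referenced in source form, and enable breaking on first-chance System.NullReferenceException under Debug > Windows > Exception Settings; the debugger then stops on the exact line inside MethodBehaviorRepository.ExtractGenericParameterSignature rather than at the rethrow in VisitMethods, which is the line number the stack traces in this thread do not show.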

@developerWolf

Using the Roslyn Security Guard NuGet packages (2.3.0), I receive the same error. However, after building the code within the repo and adding the locally built analyzer, the error went away.
Further, I do not experience this error while using the visual studio plugin.

Error appears to be directly linked to the NuGet package.

@ritchiecarroll

ritchiecarroll commented Feb 2, 2018

Steps to reproduce:

(1) Install Roslyn Security Guard from the Marketplace link:
https://marketplace.visualstudio.com/items?itemName=PhilippeArteau.RoslynSecurityGuard

(2) Make sure extension is installed and enabled inside Visual Studio 2017

(3) Build the following open source application:
https://github.com/GridProtectionAlliance/openHistorian

(4) Get errors like the following:

Warning AD0001: Analyzer 'RoslynSecurityGuard.Analyzers.Taint.TaintAnalyzer' threw an exception of type 'System.Exception' with message 'Unhandle exception while visiting method ServerIsResponding: Object reference not set to an instance of an object.'. (Project: openHistorian.Adapters, Line: 1, Suppression State: Active)

FYI, actual method looks like this:

```csharp
public static bool ServerIsResponding()
{
    try
    {
        // Test server response by hitting root page
        dynamic result = CallAPIFunction(HttpMethod.Get, s_baseUrl).Result;
        return (object)result != null;
    }
    catch
    {
        return false;
    }
}
```

See: https://github.com/GridProtectionAlliance/openHistorian/blob/master/Source/Libraries/Adapters/openHistorian.Adapters/GrafanaAuthProxyController.cs#L288

Not sure what the issue is here. I am not using a NuGet package for the analyzer.

Thanks,
Ritchie

PS) Here is the exception context:

Compilation: openHistorian.Adapters
SyntaxTree: D:\Projects\openHistorian\Source\Libraries\Adapters\openHistorian.Adapters\GrafanaAuthProxyController.cs
SyntaxNode: public static bool ServerIsResponding ... [MethodDeclarationSyntax]@[13267..13650) (290,8)-(302,9)

System.Exception: Unhandle exception while visiting method ServerIsResponding : Object reference not set to an instance of an object. ---> System.NullReferenceException: Object reference not set to an instance of an object.
   at RoslynSecurityGuard.Analyzers.Taint.MethodBehaviorRepository.ExtractGenericParameterSignature(ISymbol symbol)
   at RoslynSecurityGuard.Analyzers.Taint.MethodBehaviorRepository.GetMethodBehavior(ISymbol symbol)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitInvocationAndCreation(ExpressionSyntax node, ArgumentListSyntax argList, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitMethodInvocation(InvocationExpressionSyntax node, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitExpression(ExpressionSyntax expression, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitExpression(ExpressionSyntax expression, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitVariableDeclaration(VariableDeclarationSyntax declaration, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitLocalDeclaration(LocalDeclarationStatementSyntax declaration, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitNode(SyntaxNode node, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitNode(SyntaxNode node, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitNode(SyntaxNode node, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitMethodDeclaration(MethodDeclarationSyntax node, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitMethods(SyntaxNodeAnalysisContext ctx)
   --- End of inner exception stack trace ---
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitMethods(SyntaxNodeAnalysisContext ctx)
   at Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.<>c__43`1.<ExecuteSyntaxNodeAction>b__43_0(ValueTuple`2 data)
   at Microsoft.CodeAnalysis.Diagnostics.AnalyzerExecutor.ExecuteAndCatchIfThrows_NoLock[TArg](DiagnosticAnalyzer analyzer, Action`1 analyze, TArg argument, Nullable`1 info)
-----
System.NullReferenceException: Object reference not set to an instance of an object.
   at RoslynSecurityGuard.Analyzers.Taint.MethodBehaviorRepository.ExtractGenericParameterSignature(ISymbol symbol)
   at RoslynSecurityGuard.Analyzers.Taint.MethodBehaviorRepository.GetMethodBehavior(ISymbol symbol)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitInvocationAndCreation(ExpressionSyntax node, ArgumentListSyntax argList, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitMethodInvocation(InvocationExpressionSyntax node, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitExpression(ExpressionSyntax expression, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitExpression(ExpressionSyntax expression, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitVariableDeclaration(VariableDeclarationSyntax declaration, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitLocalDeclaration(LocalDeclarationStatementSyntax declaration, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitNode(SyntaxNode node, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitNode(SyntaxNode node, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitNode(SyntaxNode node, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitMethodDeclaration(MethodDeclarationSyntax node, ExecutionState state)
   at RoslynSecurityGuard.Analyzers.Taint.CSharpCodeEvaluation.VisitMethods(SyntaxNodeAnalysisContext ctx)
-----

@mganeshphani

Anyone looking at this issue to fix?

@ritchiecarroll

Keep-Alive-Ping

@VadymZakusyloDevPro

Hi, any news? 🔢

@JarLob
Contributor

JarLob commented Jul 3, 2018

Please read the first line of readme.md on the main page.

@VadymZakusyloDevPro

@JarLob thanks, makes sense then, lol

@The-DevOps-Guy

Update: The tool is still broken in 2019.

10 participants