RSPEC-4211

Members should not have conflicting transparency annotations

    Details

    • Type: Vulnerability Detection
    • Status: Active
    • Resolution: Unresolved
    • Message:
      Change or remove this attribute to be consistent with its container
    • Highlighting:
      primary: Attribute declaration of member
      secondary: Attribute declaration of container
    • Default Severity:
      Major
    • Impact:
      Low
    • Likelihood:
      High
    • Default Quality Profiles:
      Sonar way
    • Covered Languages:
      C#
    • Irrelevant for Languages:
      ABAP, C, C++, Cobol, CSS, Flex, HTML, Java, JavaScript, Objective-C, PHP, PL/I, PL/SQL, Python, RPG, Swift, T-SQL, TypeScript, VB.Net, VB6, XML
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      5min
    • Analysis Scope:
      Main Sources
    • OWASP:
      A6
    • FxCop:
      TransparencyAnnotationsShouldNotConflict, CA2136

      Description

      The transparency attributes SecurityCriticalAttribute and SecuritySafeCriticalAttribute are used to identify code that performs security-critical operations. The second one indicates that it is safe to call this code from transparent code, while the first one does not. Since the transparency attributes of code elements with a larger scope take precedence over the transparency attributes of code elements contained in them, a class marked with SecurityCriticalAttribute, for instance, cannot contain a method marked with SecuritySafeCriticalAttribute: the method is treated as critical regardless of its own annotation.

      This rule raises an issue when a member is marked with a System.Security security attribute that has a different transparency than the security attribute of a container of the member.
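      The following added example (not part of this rule specification) shows why the conflict matters at run time and how to lay the code out instead. It assumes .NET Framework 4 or later with level-2 transparency enforced, an assembly marked AllowPartiallyTrustedCallers (so unannotated code in it is transparent), and constructed type names; .NET Core and .NET 5+ do not enforce transparency, so the exception does not occur there.

```csharp
// Added example, not part of RSPEC-4211. Assumes .NET Framework 4+ level-2 transparency
// and an AllowPartiallyTrustedCallers assembly, so any unannotated code is transparent.
// CriticalVault, VaultGateway and TransparentCaller are constructed names.
using System;
using System.Security;

[assembly: AllowPartiallyTrustedCallers]

namespace TransparencyDemo
{
    [SecurityCritical]                  // container wins: every member is critical
    public class CriticalVault
    {
        [SecuritySafeCritical]          // Noncompliant: ignored, Open() stays critical
        public void Open() { }
    }

    // Compliant layout: the safe-critical entry point lives in a container that is not
    // itself marked [SecurityCritical], so its annotation is honoured.
    public class VaultGateway
    {
        [SecuritySafeCritical]          // validate here, then enter critical code
        public void Open()
        {
            new CriticalVault().Open(); // safe-critical code may call critical code
        }
    }

    public static class TransparentCaller   // unannotated => transparent under APTCA
    {
        // Separate method so the violation is raised when it is invoked from the try block.
        private static void CallDirect() { new CriticalVault().Open(); }

        public static string TryOpenDirectly()
        {
            try
            {
                CallDirect();           // transparent -> critical: rejected by the CLR
                return "unexpected: call allowed";
            }
            catch (MethodAccessException)
            {
                return "blocked: Open() is critical despite its SafeCritical attribute";
            }
        }

        public static string OpenViaGateway()
        {
            new VaultGateway().Open();  // transparent -> safe-critical: allowed
            return "ok";
        }
    }
}
```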

      Noncompliant Code Example

      using System;
      using System.Security;
      
      namespace MyLibrary
      {
      
          [SecurityCritical]
          public class Foo
          {
              [SecuritySafeCritical] // Noncompliant
              public void Bar()
              {
              }
          }
      }
      

      Compliant Solution

      using System;
      using System.Security;
      
      namespace MyLibrary
      {
      
          [SecurityCritical]
          public class Foo
          {
              public void Bar()
              {
              }
          }
      }
      

      People

      • Reporter:
        Jean-Christophe Collet