CodeQl is not identifying password in plain text in c# code

I have a sample c# application which has password in plain text. I have configured a codeql workflow. The workflow only identifies few javascript issues but its not identifying the plain password security issue present in c# application

Hi,
we have the cs/hardcoded-credentials query which should catch this.
If the code is not proprietary, would you mind sharing the sample project and the workflow you used to analyze the project with codescanning?

Hi Please find below the repo details

Refer the codeql-analysis.yml in it

Based on: updated con string · umaranit/corewebapp@88b06d6 · GitHub

Compiling query plan for /opt/hostedtoolcache/CodeQL/0.0.0-20210809/x64/codeql/qlpacks/codeql-csharp/Security Features/CWE-798/HardcodedCredentials.ql.
Resolving imports for /opt/hostedtoolcache/CodeQL/0.0.0-20210809/x64/codeql/qlpacks/codeql-csharp/Security Features/CWE-798/HardcodedCredentials.ql.
Compilation cache hit for /opt/hostedtoolcache/CodeQL/0.0.0-20210809/x64/codeql/qlpacks/codeql-csharp/Security Features/CWE-798/HardcodedCredentials.ql.
[25/166] Found in cache: /opt/hostedtoolcache/CodeQL/0.0.0-20210809/x64/codeql/qlpacks/codeql-csharp/Security Features/CWE-798/HardcodedCredentials.ql.

Starting evaluation of codeql-csharp/Security Features/CWE-798/HardcodedCredentials.ql.

[56/166 eval 58.1s] Evaluation done; writing results to codeql-csharp/Security Features/CWE-798/HardcodedCredentials.bqrs.
[57/166 eval 1m2s] Evaluation done; writing results to codeql-csharp/Security Features/CWE-798/HardcodedConnectionString.bqrs.

Intepreted pathproblem query "Hard-coded connection string with credentials" (cs/hardcoded-connection-string-credentials) at path /opt/hostedtoolcache/CodeQL/0.0.0-20210809/x64/codeql/qlpacks/codeql-csharp/Security Features/CWE-798/HardcodedConnectionString.ql.
Interpreting /opt/hostedtoolcache/CodeQL/0.0.0-20210809/x64/codeql/qlpacks/codeql-csharp/Security Features/CWE-798/HardcodedCredentials.ql...
... found results file at /home/runner/work/_temp/codeql_databases/csharp/results/codeql-csharp/Security Features/CWE-798/HardcodedCredentials.bqrs.
Intepreted pathproblem query "Hard-coded credentials" (cs/hardcoded-credentials) at path /opt/hostedtoolcache/CodeQL/0.0.0-20210809/x64/codeql/qlpacks/codeql-csharp/Security Features/CWE-798/HardcodedCredentials.ql.

I only noticed the hard coded connect string item part way through my search, but anyway “pathproblem” might give you a hint about what’s going on, or something to search :man_shrugging: Having the q1 and bqrs references might give you a lead to lookup the actual queries and see why your item isn’t being picked up.

Hi

I am not clear. Have I done any wrong configuration in the workflow? Which area do I need to investigate?

1 Like

Hi,
so I had a look at your source code.
Our queries try to detect real-world vulnerabilities. Your project currently is not vulnerable because you never really use the hardcoded password (the only thing you have is a dead read).
This means that you have to use the hardcoded password somewhere for us to detect it.

In CodeQL, we have a concept of dataflow, which describes where data comes from (a source, in your case a string literal), and where it flows to (a sink).
In your case, you are missing a sink.
Sinks in the HardcodedCredentials query are for example library methods (i.e. coming from a dotnet assembly, not your own project) with parameters that have the name password or passphrase.
I hope that helps!

2 Likes

@criemen whats with the “pathproblem “ string in the logs? Is that just an unfortunate set of words for people unfamiliar with CodeQL?

ok. Got it. Thanks for the details

@kingthorin Ah, I think you got side-tracked here.
This pathproblem string does not refer to a problem during query evaluation at all, it rather refers to the query @kind attribute. See the documentation here if you’re interested to learn more about query kinds.
pathproblem means that the query looks for problems in your code that are associated with one or more dataflow paths.

I hope that helps!

Thank you, that does help.