I hope this is the right place to place this issue.

I created a ridiculously simple application in C# that was intended to showcase CodeQL alerts as part of the CodeQL workflow template offered by GitHub. The C# repo is here.

The CodeQL workflow does not report any security alerts or issues at all. Typically I would expect it to pick up on a few (like the connection string).

Am I missing something here, or is it that it is in fact too trivial to pick anything up?

Hi @glav.

Could you please elaborate on which security alerts you were expecting? We do have a query for detecting hard-coded connection strings, but it does not produce any alerts because your `SqlConnectionString` is not actually used as a connection string.

I modified the code to actually make use of a connection string and attempt to query and lo and behold, the alerts appear. Thanks @hvitved and sorry to waste your time. I just assumed even those simplistic scenarios would trigger. Clearly I was wrong. Thanks again.
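
The distinction drawn in the thread, as an added example that is not code from the original repository or from any participant: the same hard-coded literal first left unused, then passed to a connection API as glav describes doing, then replaced by a value read at run time. The class name, table name, environment variable and all connection values are constructed placeholders, and `System.Data.SqlClient` is an assumed choice of client library.

```csharp
using System;
using System.Data.SqlClient;

public static class ConnectionStringDemo
{
    // Constructed placeholder value; not a real server or credential.
    private const string SqlConnectionString =
        "Server=db.example.invalid;Database=Demo;User Id=demo_user;Password=EXAMPLE-ONLY;";

    // Case 1: the literal exists but never reaches a connection API.
    // Per the reply in the thread, this shape produces no alert, because the
    // value is not actually used as a connection string.
    public static int NotUsedAsConnectionString()
    {
        return SqlConnectionString.Length;
    }

    // Case 2: the same literal flows into SqlConnection. This is the change
    // described in the thread ("make use of a connection string and attempt
    // to query"), after which the alerts appeared.
    public static int UsedAsConnectionString()
    {
        using (var conn = new SqlConnection(SqlConnectionString))
        using (var cmd = new SqlCommand("SELECT COUNT(*) FROM Widgets", conn))
        {
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    // Case 3: the credential is supplied at run time instead of being
    // compiled into the binary. DEMO_SQL_CONNECTION is a hypothetical name.
    public static int FromEnvironment()
    {
        var connectionString = Environment.GetEnvironmentVariable("DEMO_SQL_CONNECTION");
        if (string.IsNullOrWhiteSpace(connectionString))
        {
            throw new InvalidOperationException("DEMO_SQL_CONNECTION is not set.");
        }

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("SELECT COUNT(*) FROM Widgets", conn))
        {
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }
}
```

When building a demo repository to exercise a scanner, the literal has to reach the API that consumes it, as in case 2; a constant that merely looks like a secret is not enough for this query.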