https://github.com/microsoft/sqltoolsservice · lang: csharp · LOC: · source: user_submitted
| Rule | Severity | Count |
|---|---|---|
| MINED134 Binary file committed in source repo | high | 9 |
| AIC003 Duplicated implementation block across source files | low | 9 |
| MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) | high | 6 |
| SEC128 Async function without await — fire-and-forget Promise (AI mistake) | high | 4 |
| MINED051 Csharp Null Forgive | info | 4 |
| SEC001 Hardcoded Password | critical | 3 |
| SEC020 Secret Printed to Logs | high | 3 |
| SEC132 String concat where the language has interpolation (AI style drift) | low | 2 |
| AIC004 Suspicious implementation file appears unreferenced | medium | 1 |
| AIC001 Parallel implementation file sits beside a canonical file | medium | 1 |
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/integration-tests.yml:27
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/integration-tests.yml:30
· conf 0.90
[MINED115] Action `actions/setup-dotnet` pinned to mutable ref `@v5`: `uses: actions/setup-dotnet@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/integration-tests.yml:56
· conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/integration-tests.yml:150
· conf 0.90
[MINED115] Action `dorny/test-reporter` pinned to mutable ref `@v3`: `uses: dorny/test-reporter@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made th…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/integration-tests.yml:159
· conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/packages-validation-comment.yml:15
· conf 0.90
[MINED115] Action `mshick/add-pr-comment` pinned to mutable ref `@v3`: `uses: mshick/add-pr-comment@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that mad…
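The six MINED115 hits above share one fix: replace the tag with the 40-character commit SHA the tag currently points to, and keep the tag as a trailing comment so reviewers and update bots can still see the intended version. The script below is an added example written for this report, not tooling from microsoft/sqltoolsservice: it lists every `uses:` whose ref is not a full SHA and rewrites the ones it has a digest for. The workflow text and the tag-to-SHA map are constructed for the demo (the digests are synthetic placeholders); in practice each digest comes from `git ls-remote https://github.com/<owner>/<repo> refs/tags/<tag>` at the moment you pin.

```python
"""Find GitHub Actions pinned to mutable refs and rewrite them to commit SHAs.

Added example for this report, not tooling from microsoft/sqltoolsservice.
The workflow text and the tag->SHA map are constructed for the demo; the real
digest for a tag comes from `git ls-remote <repo-url> refs/tags/<tag>`.
"""
import re
from typing import Dict, List, Tuple

SHA40 = re.compile(r"^[0-9a-f]{40}$")
# Matches `uses: owner/repo[/path]@ref`. Local (./path) and docker:// steps have
# no owner/repo@ref shape, so they never match and are left untouched.
USES = re.compile(
    r"^(?P<head>\s*-?\s*uses:\s*)"
    r"(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_./-]+)?)"
    r"@(?P<ref>[^\s#]+)(?P<rest>.*)$"
)

# Constructed workflow modelled on the flagged lines (not the real file).
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-dotnet@v5
        with:
          dotnet-version: 8.0.x
      - uses: actions/upload-artifact@3333333333333333333333333333333333333333 # v7
      - uses: ./.github/actions/local-step
"""

# Constructed tag->SHA map with a synthetic digest; resolve real ones with git ls-remote.
# setup-dotnet is deliberately absent so the unresolved path is exercised.
RESOLVED: Dict[Tuple[str, str], str] = {
    ("actions/checkout", "v6"): "1" * 40,
}


def find_mutable_refs(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, action, ref) for every `uses:` whose ref is not a 40-hex SHA."""
    hits = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES.match(line)
        if m and not SHA40.match(m.group("ref")):
            hits.append((n, m.group("action"), m.group("ref")))
    return hits


def pin_workflow(workflow_text: str, resolved: Dict[Tuple[str, str], str]) -> Tuple[str, List[str]]:
    """Rewrite mutable refs to `@<sha> # <tag>`; report refs that have no resolved digest."""
    out, unresolved = [], []
    for line in workflow_text.splitlines():
        m = USES.match(line)
        if m and not SHA40.match(m.group("ref")):
            key = (m.group("action"), m.group("ref"))
            sha = resolved.get(key)
            if sha is None or not SHA40.match(sha):
                unresolved.append("@".join(key))
            else:
                # Keep the tag as a trailing comment so humans and update bots still see the version.
                line = f"{m.group('head')}{key[0]}@{sha} # {key[1]}{m.group('rest')}"
        out.append(line)
    return "\n".join(out) + "\n", unresolved


if __name__ == "__main__":
    for n, action, ref in find_mutable_refs(SAMPLE_WORKFLOW):
        print(f"line {n}: {action}@{ref} is mutable")
    pinned, missing = pin_workflow(SAMPLE_WORKFLOW, RESOLVED)
    print(pinned)
    print("still unresolved:", missing)
```

Two caveats a reviewer should keep in mind. A SHA pin freezes only that action's own repository content; a composite or JavaScript action that itself calls other actions by tag is still mutable one level down, so the transitive `uses:` lines inside the pinned action deserve the same treatment. And pins rot: pair them with Dependabot or Renovate, which understand the `@<sha> # vN` convention and will open PRs when the tag moves.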
MINED134
Binary file committed in source repo
[MINED134] Binary file `bin/ref/ScriptoriaCommonDefs.dll` committed in source repo: `bin/ref/ScriptoriaCommonDefs.dll` is a .dll binary (29,208 bytes) committed to a repo that otherwise has 1643 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
bin/ref/Castle.Core.dll:1
· conf 0.90
[MINED134] Binary file `bin/ref/Castle.Core.dll` committed in source repo: `bin/ref/Castle.Core.dll` is a .dll binary (264,192 bytes) committed to a repo that otherwise has 1647 source files. Trojan …
MINED134
Binary file committed in source repo
bin/ref/Moq.dll:1
· conf 0.90
[MINED134] Binary file `bin/ref/Moq.dll` committed in source repo: `bin/ref/Moq.dll` is a .dll binary (168,960 bytes) committed to a repo that otherwise has 1647 source files. Trojan binaries inside …
MINED134
Binary file committed in source repo
bin/ref/Newtonsoft.Json.dll:1
· conf 0.90
[MINED134] Binary file `bin/ref/Newtonsoft.Json.dll` committed in source repo: `bin/ref/Newtonsoft.Json.dll` is a .dll binary (636,416 bytes) committed to a repo that otherwise has 1647 source files.…
MINED134
Binary file committed in source repo
bin/ref/ScriptoriaCommonDefs.dll:1
· conf 0.90
[MINED134] Binary file `bin/ref/ScriptoriaCommonDefs.dll` committed in source repo: `bin/ref/ScriptoriaCommonDefs.dll` is a .dll binary (29,208 bytes) committed to a repo that otherwise has 1647 sour…
MINED134
Binary file committed in source repo
bin/ref/Scriptoria.dll:1
· conf 0.90
[MINED134] Binary file `bin/ref/Scriptoria.dll` committed in source repo: `bin/ref/Scriptoria.dll` is a .dll binary (229,408 bytes) committed to a repo that otherwise has 1647 source files. Trojan bi…
MINED134
Binary file committed in source repo
bin/ref/SqlCopilotCommon.dll:1
· conf 0.90
[MINED134] Binary file `bin/ref/SqlCopilotCommon.dll` committed in source repo: `bin/ref/SqlCopilotCommon.dll` is a .dll binary (25,120 bytes) committed to a repo that otherwise has 1647 source files…
MINED134
Binary file committed in source repo
bin/ref/SqlScriptoriaCommon.dll:1
· conf 0.90
[MINED134] Binary file `bin/ref/SqlScriptoriaCommon.dll` committed in source repo: `bin/ref/SqlScriptoriaCommon.dll` is a .dll binary (16,928 bytes) committed to a repo that otherwise has 1647 source…
MINED134
Binary file committed in source repo
bin/ref/SqlScriptoria.dll:1
· conf 0.90
[MINED134] Binary file `bin/ref/SqlScriptoria.dll` committed in source repo: `bin/ref/SqlScriptoria.dll` is a .dll binary (707,104 bytes) committed to a repo that otherwise has 1647 source files. Tro…
MINED134
Binary file committed in source repo
bin/ref/YamlDotNet.dll:1
· conf 0.90
[MINED134] Binary file `bin/ref/YamlDotNet.dll` committed in source repo: `bin/ref/YamlDotNet.dll` is a .dll binary (287,264 bytes) committed to a repo that otherwise has 1647 source files. Trojan bi…
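For the nine MINED134 hits the question is not "is a DLL in the tree" but "are these bytes the bytes they claim to be". Three of the names (Castle.Core, Moq, Newtonsoft.Json, YamlDotNet) are public NuGet packages whose assemblies can be pulled from the `.nupkg` on nuget.org and hashed; the remaining ones have no public package to compare against, so the check there is provenance (`git log --diff-filter=A -- bin/ref` for the commit that added them, and the build that produced them). The script below is an added example for this report, not the project's tooling: it recognises PE images by their `MZ` header and `e_lfanew` pointer to `PE\0\0`, hashes them with SHA-256, and compares each against a manifest of expected digests. The file contents and the manifest are constructed minimal PE-shaped blobs for the demo, not the real DLLs; `load_tree` is provided so the same triage runs over a real checkout once you have a manifest.

```python
"""Triage binaries committed to a source tree: detect PE images, hash them, and
compare against an expected manifest. Added example for this report, not the
project's tooling. The file contents and manifest below are constructed minimal
PE-shaped blobs, not the real DLLs under bin/ref/.
"""
import hashlib
import pathlib
import struct
from typing import Dict

PE_OFFSET_FIELD = 0x3C  # e_lfanew: offset of the 'PE\0\0' signature


def is_pe(data: bytes) -> bool:
    """True if the bytes carry a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < PE_OFFSET_FIELD + 4 or data[:2] != b"MZ":
        return False
    pe_off = struct.unpack_from("<I", data, PE_OFFSET_FIELD)[0]
    return data[pe_off:pe_off + 4] == b"PE\0\0"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(files: Dict[str, bytes], manifest: Dict[str, str]) -> Dict[str, str]:
    """Classify each path as 'not-binary', 'ok' (digest matches the manifest),
    'MISMATCH' (digest differs) or 'UNLISTED' (binary with no manifest entry)."""
    verdicts = {}
    for path, data in files.items():
        if not is_pe(data):
            verdicts[path] = "not-binary"
            continue
        expected = manifest.get(path)
        actual = sha256_hex(data)
        if expected is None:
            verdicts[path] = "UNLISTED"
        elif expected.lower() != actual:
            verdicts[path] = "MISMATCH"
        else:
            verdicts[path] = "ok"
    return verdicts


def load_tree(root: pathlib.Path) -> Dict[str, bytes]:
    """Read a checkout into the dict shape triage() expects (skips .git)."""
    return {
        p.relative_to(root).as_posix(): p.read_bytes()
        for p in root.rglob("*")
        if p.is_file() and ".git" not in p.parts
    }


def make_pe(payload: bytes) -> bytes:
    """Build a minimal PE-shaped blob (constructed test data, not a loadable image)."""
    header = b"MZ" + b"\0" * (PE_OFFSET_FIELD - 2) + struct.pack("<I", 0x40)
    return header + b"PE\0\0" + payload


# Constructed tree and manifest: one matching DLL, one whose bytes drifted, one nobody recorded.
SAMPLE_FILES = {
    "bin/ref/Castle.Core.dll": make_pe(b"castle-core"),
    "bin/ref/Moq.dll": make_pe(b"moq-with-extra-bytes"),
    "bin/ref/Unknown.dll": make_pe(b"unrecorded"),
    "src/Program.cs": b"class Program { static void Main() {} }",
}
SAMPLE_MANIFEST = {
    "bin/ref/Castle.Core.dll": sha256_hex(make_pe(b"castle-core")),
    "bin/ref/Moq.dll": sha256_hex(make_pe(b"moq")),
}

if __name__ == "__main__":
    for path, verdict in sorted(triage(SAMPLE_FILES, SAMPLE_MANIFEST).items()):
        print(f"{verdict:11} {path}")
```

A digest match tells you the file is the package's assembly; it does not tell you the package itself is clean, so treat the manifest as a pin, not an endorsement. On Windows, `signtool verify /pa` or PowerShell's `Get-AuthenticodeSignature` adds a publisher check for the signed ones. The durable fix is the one the finding implies: stop vendoring assemblies and take them as `PackageReference` entries with a lock file, so the build resolves bytes from a feed whose hashes are recorded rather than from whatever was last committed under `bin/ref`.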
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
src/Microsoft.SqlTools.Connectors.VSCode/InternalUtilities/src/Diagnostics/Verify.cs:112
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
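The SEC029 description truncates mid-address, but the point is the usual one: a URL assembled from caller input must be checked against an allowlist before any request is made, and literal addresses in non-routable ranges (loopback, RFC 1918, the 169.254.0.0/16 link-local block that cloud metadata services sit in) must be refused outright. Whether the call at Verify.cs:112 actually reaches the network from user input needs confirming in the file, since a verification helper often only validates arguments. The validator below is an added example for this report, not the project's code; the allowlist and the offline resolver are constructed for the demo. It goes one step beyond the finding's wording by re-checking the resolved addresses at connect time, because a hostname allowlist alone does not stop a name that later resolves to an internal address.

```python
"""Allowlist validation for outbound HTTP targets built from user input.
Added example for this report, not code from the project; the allowlist and the
fake resolver are constructed for the demo.
"""
import ipaddress
import socket
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

# Constructed allowlist of hostnames the service is permitted to call.
ALLOWED_HOSTS = frozenset({"api.example.com", "login.example.com"})


def validate_outbound_url(url: str, allowed_hosts: Iterable[str] = ALLOWED_HOSTS) -> Optional[str]:
    """Return None if the URL may be fetched, otherwise the reason it was rejected."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "scheme must be https"
    if parts.username is not None or parts.password is not None:
        return "userinfo not allowed"  # blocks https://api.example.com@evil.example/ tricks
    host = parts.hostname  # urlsplit lowercases it and strips IPv6 brackets
    if not host:
        return "missing host"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # a name, not a literal; checked against the allowlist below
    if addr is not None and not addr.is_global:
        return "literal non-public address"  # loopback, RFC 1918, link-local such as 169.254.0.0/16
    if host not in set(allowed_hosts):
        return "host not allowlisted"
    return None


def resolves_to_public_only(host: str, resolver: Callable = socket.getaddrinfo) -> bool:
    """Connect-time check: every address the name resolves to must be globally
    routable, so an allowlisted name cannot be rebound to an internal target."""
    try:
        infos = resolver(host, 443, proto=socket.IPPROTO_TCP)
    except OSError:
        return False
    addrs = [ipaddress.ip_address(info[4][0]) for info in infos]
    return bool(addrs) and all(a.is_global for a in addrs)


def fake_resolver(mapping):
    """Constructed resolver returning getaddrinfo-shaped tuples, so the check runs offline."""
    def _resolve(host, port, proto=0):
        if host not in mapping:
            raise socket.gaierror(host)
        return [(socket.AF_INET, socket.SOCK_STREAM, proto, "", (ip, port)) for ip in mapping[host]]
    return _resolve


if __name__ == "__main__":
    for candidate in (
        "https://api.example.com/v1/items",
        "http://api.example.com/",
        "https://169.254.169.254/latest/meta-data/",
        "https://api.example.com@evil.example/",
        "https://internal.corp.example/",
    ):
        print(candidate, "->", validate_outbound_url(candidate) or "allowed")
```

Two things this still does not cover on its own. The HTTP client must not follow redirects automatically, or must run the same validation on every hop, because an allowlisted host can answer with a 302 to an internal address. And the resolved-address check only helps if the connection uses the addresses that were checked; the clean way is a client whose connector lets you supply the address, otherwise there is a window between the lookup and the connect.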
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
docs/samples/jsonrpc/netcore/executequery/Utility/SelfCleaningTempFile.cs:39
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
Note for these C# hits: the rule text is written for JavaScript; the C# counterpart is an unawaited `Task`. The caller continues before the work finishes, and if the task faults its exception is never seen by the caller (it surfaces, if at all, through `TaskScheduler.UnobservedTaskException` when the task is collected). At each flagged line confirm whether fire-and-forget is intended and, if so, that the task has its own exception handling.
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
src/Microsoft.SqlTools.Authentication/Authenticator.cs:163
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
src/Microsoft.SqlTools.Hosting/Hosting/Protocol/MessageWriter.cs:27
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
AIC001
Parallel implementation file sits beside a canonical file
src/Microsoft.SqlTools.Credentials/Credentials/OSX/Interop.Security.old.cs:1
· conf 0.82
Parallel implementation file sits beside a canonical file
AIC004
Suspicious implementation file appears unreferenced
src/Microsoft.SqlTools.Credentials/Credentials/OSX/Interop.Security.old.cs:1
· conf 0.78
Suspicious implementation file appears unreferenced
SEC001
Hardcoded Password
src/Microsoft.SqlTools.Hosting/Utility/SqlConstants.cs:16
· conf 0.30
[SEC001] Hardcoded Password: Hardcoded password found in source code.
SEC001
Hardcoded Password
src/Microsoft.SqlTools.Shared/Utility/Constants.cs:16
· conf 0.30
[SEC001] Hardcoded Password: Hardcoded password found in source code.
SEC136
AI-typical over-broad exception handler swallowing all errors
src/Microsoft.SqlTools.SqlCore/SchemaCompare/SchemaCompareUtils.cs:100
· conf 1.00
[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unf…
AIC003
Duplicated implementation block across source files
src/Microsoft.SqlTools.Hosting/Hosting/Protocol/Channel/StdioClientChannel.cs:51
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
src/Microsoft.SqlTools.Hosting/Localization/sr.cs:2
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
src/Microsoft.SqlTools.ManagedBatchParser/Localization/sr.cs:2
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
src/Microsoft.SqlTools.ManagedBatchParser/Utility/Logger.cs:15
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
src/Microsoft.SqlTools.ResourceProvider.Core/Localization/sr.cs:2
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
src/Microsoft.SqlTools.ResourceProvider.DefaultImpl/Localization/sr.cs:2
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
src/Microsoft.SqlTools.ResourceProvider/ResourceProviderHostLoader.cs:13
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
src/Microsoft.SqlTools.ServiceLayer/Admin/Database/DatabasePrototype90.cs:30
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
src/Microsoft.SqlTools.ServiceLayer/Agent/Jobs/JobHistoryItem.cs:9
· conf 0.86
Duplicated implementation block across source files
AIC005
Duplicate top-level symbol appears in a patch-style file
src/Microsoft.SqlTools.Credentials/Credentials/OSX/Interop.Security.old.cs:1
· conf 0.64
Duplicate top-level symbol appears in a patch-style file
SEC132
String concat where the language has interpolation (AI style drift)
docs/samples/smo/netcore/ModifySetting/Program.cs:23
· conf 1.00
[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…
SEC132
String concat where the language has interpolation (AI style drift)
src/Microsoft.SqlTools.ServiceLayer/AutoParameterizaition/Exceptions/ParameterizationFormatException.cs:37
· conf 1.00
[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…
MINED043
Http Not Https
CWE-319
src/Microsoft.SqlTools.ResourceProvider.Core/Firewall/FirewallErrorParser.cs:103
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED051
Csharp Null Forgive
CWE-476
· conf 0.20
[MINED051] Csharp Null Forgive (and 9 more): Same pattern found in 9 additional files. Review if needed.
MINED051
Csharp Null Forgive
CWE-476
src/Microsoft.SqlTools.Authentication/Sql/AuthenticationProvider.cs:91
· conf 1.00
[MINED051] Csharp Null Forgive: x! tells compiler "definitely not null" — bypasses nullable check. NRE risk if wrong.
MINED051
Csharp Null Forgive
CWE-476
src/Microsoft.SqlTools.Connectors.VSCode/InternalUtilities/src/Http/HttpClientExtensions.cs:51
· conf 1.00
[MINED051] Csharp Null Forgive: x! tells compiler "definitely not null" — bypasses nullable check. NRE risk if wrong.
MINED051
Csharp Null Forgive
CWE-476
src/Microsoft.SqlTools.Connectors.VSCode/InternalUtilities/src/Http/HttpHeaderConstant.cs:32
· conf 1.00
[MINED051] Csharp Null Forgive: x! tells compiler "definitely not null" — bypasses nullable check. NRE risk if wrong.
SEC001
Hardcoded Password
src/Microsoft.SqlTools.Hosting/Hosting/Contracts/ServiceOption.cs:12
· conf 0.15
[SEC001] Hardcoded Password: Hardcoded password found in source code.
SEC020
Secret Printed to Logs
src/Microsoft.SqlTools.Authentication/MSALEncryptedCacheHelper.cs:85
· conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
SEC020
Secret Printed to Logs
src/Microsoft.SqlTools.ServiceLayer/Connection/CachingTokenFetcher.cs:52
· conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
SEC020
Secret Printed to Logs
src/Microsoft.SqlTools.ServiceLayer/Connection/ConnectionInfo.cs:222
· conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
· conf 0.20
[SEC128] Async function without await — fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 additional files. Review if needed.