Merge pull request #3953 from dotpaul/datasetdatatablefixes

Remove CA2363; not sure if we'd run into it

src/NetAnalyzers/Core/AnalyzerReleases.Unshipped.md

@@ -10,4 +10,3 @@ CA2355 | Security | Disabled | DataSetDataTableInSerializableObjectGraphAnalyzer
 CA2356 | Security | Disabled | DataSetDataTableInWebSerializableObjectGraphAnalyzer, [Documentation](https://docs.microsoft.com/visualstudio/code-quality/ca2356)
 CA2361 | Security | Disabled | DoNotUseDataSetReadXml, [Documentation](https://docs.microsoft.com/visualstudio/code-quality/ca2361)
 CA2362 | Security | Disabled | DataSetDataTableInSerializableTypeAnalyzer, [Documentation](https://docs.microsoft.com/visualstudio/code-quality/ca2362)
-CA2363 | Security | Disabled | DataSetDataTableInSerializableTypeAnalyzer, [Documentation](https://docs.microsoft.com/visualstudio/code-quality/ca2363)

src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/MicrosoftNetCoreAnalyzersResources.resx

@@ -1248,12 +1248,6 @@
   <data name="DataSetDataTableInRceDeserializableObjectGraphTitle" xml:space="preserve">
     <value>Unsafe DataSet or DataTable in deserialized object graph can be vulnerable to remote code execution attacks</value>
   </data>
-  <data name="DataSetDataTableInAutogeneratedSerializableTypeMessage" xml:space="preserve">
-    <value>When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}. Ensure that the autogenerated type is never deserialized with untrusted data.</value>
-  </data>
-  <data name="DataSetDataTableInAutogeneratedSerializableTypeTitle" xml:space="preserve">
-    <value>Unsafe DataSet or DataTable in autogenerated serializable type</value>
-  </data>
   <data name="DataSetDataTableInRceAutogeneratedSerializableTypeMessage" xml:space="preserve">
     <value>When deserializing untrusted input with an IFormatter-based serializer, deserializing a {0} object is insecure. '{1}' either is or derives from {0}. Ensure that the autogenerated type is never deserialized with untrusted data.</value>
   </data>
@@ -1272,10 +1266,4 @@
   <data name="DataSetReadXmlAutogeneratedTitle" xml:space="preserve">
     <value>Ensure autogenerated class containing DataSet.ReadXml() is not used with untrusted data</value>
   </data>
-  <data name="DataTableReadXmlAutogeneratedMessage" xml:space="preserve">
-    <value>The method '{0}' is insecure when deserializing untrusted data. Make sure that autogenerated class containing the '{0}' call is not deserialized with untrusted data.</value>
-  </data>
-  <data name="DataTableReadXmlAutogeneratedTitle" xml:space="preserve">
-    <value>Ensure autogenerated class containing DataTable.ReadXml() is not used with untrusted data</value>
-  </data>
 </root>

src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/Security/DataSetDataTableInSerializableTypeAnalyzer.cs

@@ -48,21 +48,12 @@ public sealed class DataSetDataTableInSerializableTypeAnalyzer : DiagnosticAnaly
                 RuleLevel.Disabled,
                 isPortedFxCopRule: false,
                 isDataflowRule: false);
-        internal static readonly DiagnosticDescriptor AutogeneratedSerializableContainsDangerousType =
-            SecurityHelpers.CreateDiagnosticDescriptor(
-                "CA2363",
-                nameof(MicrosoftNetCoreAnalyzersResources.DataSetDataTableInAutogeneratedSerializableTypeTitle),
-                nameof(MicrosoftNetCoreAnalyzersResources.DataSetDataTableInAutogeneratedSerializableTypeMessage),
-                RuleLevel.Disabled,
-                isPortedFxCopRule: false,
-                isDataflowRule: false);
 
         public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics =>
             ImmutableArray.Create(
                 RceSerializableContainsDangerousType,
                 SerializableContainsDangerousType,
-                RceAutogeneratedSerializableContainsDangerousType,
-                AutogeneratedSerializableContainsDangerousType);
+                RceAutogeneratedSerializableContainsDangerousType);
 
         [SuppressMessage("Style", "IDE0047:Remove unnecessary parentheses", Justification = "Group related conditions together.")]
         public override void Initialize(AnalysisContext context)
@@ -171,19 +162,16 @@ public override void Initialize(AnalysisContext context)
                                     out ImmutableArray<InsecureObjectGraphResult> results))
                             {
                                 DiagnosticDescriptor diagnosticToReport;
-                                if (isProbablyAutogeneratedForGuiApp)
+                                if (hasSerializableAttribute)
                                 {
                                     diagnosticToReport =
-                                        hasSerializableAttribute
+                                        isProbablyAutogeneratedForGuiApp
                                             ? RceAutogeneratedSerializableContainsDangerousType
-                                            : AutogeneratedSerializableContainsDangerousType;
+                                            : RceSerializableContainsDangerousType;
                                 }
                                 else
                                 {
-                                    diagnosticToReport =
-                                        hasSerializableAttribute
-                                            ? RceSerializableContainsDangerousType
-                                            : SerializableContainsDangerousType;
+                                    diagnosticToReport = SerializableContainsDangerousType;
                                 }
 
                                 foreach (InsecureObjectGraphResult result in results)

src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/xlf/MicrosoftNetCoreAnalyzersResources.cs.xlf

@@ -157,16 +157,6 @@
         <target state="translated">Spolehlivost</target>
         <note />
       </trans-unit>
-      <trans-unit id="DataSetDataTableInAutogeneratedSerializableTypeMessage">
-        <source>When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}. Ensure that the autogenerated type is never deserialized with untrusted data.</source>
-        <target state="new">When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}. Ensure that the autogenerated type is never deserialized with untrusted data.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="DataSetDataTableInAutogeneratedSerializableTypeTitle">
-        <source>Unsafe DataSet or DataTable in autogenerated serializable type</source>
-        <target state="new">Unsafe DataSet or DataTable in autogenerated serializable type</target>
-        <note />
-      </trans-unit>
       <trans-unit id="DataSetDataTableInDeserializableObjectGraphMessage">
         <source>When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}</source>
         <target state="new">When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}</target>
@@ -247,16 +237,6 @@
         <target state="new">Do not use DataSet.ReadXml() with untrusted data</target>
         <note />
       </trans-unit>
-      <trans-unit id="DataTableReadXmlAutogeneratedMessage">
-        <source>The method '{0}' is insecure when deserializing untrusted data. Make sure that autogenerated class containing the '{0}' call is not deserialized with untrusted data.</source>
-        <target state="new">The method '{0}' is insecure when deserializing untrusted data. Make sure that autogenerated class containing the '{0}' call is not deserialized with untrusted data.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="DataTableReadXmlAutogeneratedTitle">
-        <source>Ensure autogenerated class containing DataTable.ReadXml() is not used with untrusted data</source>
-        <target state="new">Ensure autogenerated class containing DataTable.ReadXml() is not used with untrusted data</target>
-        <note />
-      </trans-unit>
       <trans-unit id="DataTableReadXmlMessage">
         <source>The method '{0}' is insecure when deserializing untrusted data</source>
         <target state="new">The method '{0}' is insecure when deserializing untrusted data</target>

src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/xlf/MicrosoftNetCoreAnalyzersResources.de.xlf

@@ -157,16 +157,6 @@
         <target state="translated">Zuverlässigkeit</target>
         <note />
       </trans-unit>
-      <trans-unit id="DataSetDataTableInAutogeneratedSerializableTypeMessage">
-        <source>When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}. Ensure that the autogenerated type is never deserialized with untrusted data.</source>
-        <target state="new">When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}. Ensure that the autogenerated type is never deserialized with untrusted data.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="DataSetDataTableInAutogeneratedSerializableTypeTitle">
-        <source>Unsafe DataSet or DataTable in autogenerated serializable type</source>
-        <target state="new">Unsafe DataSet or DataTable in autogenerated serializable type</target>
-        <note />
-      </trans-unit>
       <trans-unit id="DataSetDataTableInDeserializableObjectGraphMessage">
         <source>When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}</source>
         <target state="new">When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}</target>
@@ -247,16 +237,6 @@
         <target state="new">Do not use DataSet.ReadXml() with untrusted data</target>
         <note />
       </trans-unit>
-      <trans-unit id="DataTableReadXmlAutogeneratedMessage">
-        <source>The method '{0}' is insecure when deserializing untrusted data. Make sure that autogenerated class containing the '{0}' call is not deserialized with untrusted data.</source>
-        <target state="new">The method '{0}' is insecure when deserializing untrusted data. Make sure that autogenerated class containing the '{0}' call is not deserialized with untrusted data.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="DataTableReadXmlAutogeneratedTitle">
-        <source>Ensure autogenerated class containing DataTable.ReadXml() is not used with untrusted data</source>
-        <target state="new">Ensure autogenerated class containing DataTable.ReadXml() is not used with untrusted data</target>
-        <note />
-      </trans-unit>
       <trans-unit id="DataTableReadXmlMessage">
         <source>The method '{0}' is insecure when deserializing untrusted data</source>
         <target state="new">The method '{0}' is insecure when deserializing untrusted data</target>

src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/xlf/MicrosoftNetCoreAnalyzersResources.es.xlf

@@ -157,16 +157,6 @@
         <target state="translated">Fiabilidad</target>
         <note />
       </trans-unit>
-      <trans-unit id="DataSetDataTableInAutogeneratedSerializableTypeMessage">
-        <source>When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}. Ensure that the autogenerated type is never deserialized with untrusted data.</source>
-        <target state="new">When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}. Ensure that the autogenerated type is never deserialized with untrusted data.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="DataSetDataTableInAutogeneratedSerializableTypeTitle">
-        <source>Unsafe DataSet or DataTable in autogenerated serializable type</source>
-        <target state="new">Unsafe DataSet or DataTable in autogenerated serializable type</target>
-        <note />
-      </trans-unit>
       <trans-unit id="DataSetDataTableInDeserializableObjectGraphMessage">
         <source>When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}</source>
         <target state="new">When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}</target>
@@ -247,16 +237,6 @@
         <target state="new">Do not use DataSet.ReadXml() with untrusted data</target>
         <note />
       </trans-unit>
-      <trans-unit id="DataTableReadXmlAutogeneratedMessage">
-        <source>The method '{0}' is insecure when deserializing untrusted data. Make sure that autogenerated class containing the '{0}' call is not deserialized with untrusted data.</source>
-        <target state="new">The method '{0}' is insecure when deserializing untrusted data. Make sure that autogenerated class containing the '{0}' call is not deserialized with untrusted data.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="DataTableReadXmlAutogeneratedTitle">
-        <source>Ensure autogenerated class containing DataTable.ReadXml() is not used with untrusted data</source>
-        <target state="new">Ensure autogenerated class containing DataTable.ReadXml() is not used with untrusted data</target>
-        <note />
-      </trans-unit>
       <trans-unit id="DataTableReadXmlMessage">
         <source>The method '{0}' is insecure when deserializing untrusted data</source>
         <target state="new">The method '{0}' is insecure when deserializing untrusted data</target>

src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/xlf/MicrosoftNetCoreAnalyzersResources.fr.xlf

@@ -157,16 +157,6 @@
         <target state="translated">Fiabilité</target>
         <note />
       </trans-unit>
-      <trans-unit id="DataSetDataTableInAutogeneratedSerializableTypeMessage">
-        <source>When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}. Ensure that the autogenerated type is never deserialized with untrusted data.</source>
-        <target state="new">When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}. Ensure that the autogenerated type is never deserialized with untrusted data.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="DataSetDataTableInAutogeneratedSerializableTypeTitle">
-        <source>Unsafe DataSet or DataTable in autogenerated serializable type</source>
-        <target state="new">Unsafe DataSet or DataTable in autogenerated serializable type</target>
-        <note />
-      </trans-unit>
       <trans-unit id="DataSetDataTableInDeserializableObjectGraphMessage">
         <source>When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}</source>
         <target state="new">When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}</target>
@@ -247,16 +237,6 @@
         <target state="new">Do not use DataSet.ReadXml() with untrusted data</target>
         <note />
       </trans-unit>
-      <trans-unit id="DataTableReadXmlAutogeneratedMessage">
-        <source>The method '{0}' is insecure when deserializing untrusted data. Make sure that autogenerated class containing the '{0}' call is not deserialized with untrusted data.</source>
-        <target state="new">The method '{0}' is insecure when deserializing untrusted data. Make sure that autogenerated class containing the '{0}' call is not deserialized with untrusted data.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="DataTableReadXmlAutogeneratedTitle">
-        <source>Ensure autogenerated class containing DataTable.ReadXml() is not used with untrusted data</source>
-        <target state="new">Ensure autogenerated class containing DataTable.ReadXml() is not used with untrusted data</target>
-        <note />
-      </trans-unit>
       <trans-unit id="DataTableReadXmlMessage">
         <source>The method '{0}' is insecure when deserializing untrusted data</source>
         <target state="new">The method '{0}' is insecure when deserializing untrusted data</target>

src/NetAnalyzers/Core/Microsoft.NetCore.Analyzers/xlf/MicrosoftNetCoreAnalyzersResources.it.xlf

@@ -157,16 +157,6 @@
         <target state="translated">Affidabilità</target>
         <note />
       </trans-unit>
-      <trans-unit id="DataSetDataTableInAutogeneratedSerializableTypeMessage">
-        <source>When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}. Ensure that the autogenerated type is never deserialized with untrusted data.</source>
-        <target state="new">When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}. Ensure that the autogenerated type is never deserialized with untrusted data.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="DataSetDataTableInAutogeneratedSerializableTypeTitle">
-        <source>Unsafe DataSet or DataTable in autogenerated serializable type</source>
-        <target state="new">Unsafe DataSet or DataTable in autogenerated serializable type</target>
-        <note />
-      </trans-unit>
       <trans-unit id="DataSetDataTableInDeserializableObjectGraphMessage">
         <source>When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}</source>
         <target state="new">When deserializing untrusted input, deserializing a {0} object is insecure. '{1}' either is or derives from {0}</target>
@@ -247,16 +237,6 @@
         <target state="new">Do not use DataSet.ReadXml() with untrusted data</target>
         <note />
       </trans-unit>
-      <trans-unit id="DataTableReadXmlAutogeneratedMessage">
-        <source>The method '{0}' is insecure when deserializing untrusted data. Make sure that autogenerated class containing the '{0}' call is not deserialized with untrusted data.</source>
-        <target state="new">The method '{0}' is insecure when deserializing untrusted data. Make sure that autogenerated class containing the '{0}' call is not deserialized with untrusted data.</target>
-        <note />
-      </trans-unit>
-      <trans-unit id="DataTableReadXmlAutogeneratedTitle">
-        <source>Ensure autogenerated class containing DataTable.ReadXml() is not used with untrusted data</source>
-        <target state="new">Ensure autogenerated class containing DataTable.ReadXml() is not used with untrusted data</target>
-        <note />
-      </trans-unit>
       <trans-unit id="DataTableReadXmlMessage">
         <source>The method '{0}' is insecure when deserializing untrusted data</source>
         <target state="new">The method '{0}' is insecure when deserializing untrusted data</target>