Spectra Assure

warningRisk: Secrets

Scanned:

IntelliCode for C# Dev Kit

Artifact:

latest

Top 1k

AI-assisted development for C# Dev Kit

License: unknown

Published:

Publisher: ms-dotnettools

Visit GitHub

See on Visual Studio Code

SAFE Assessment

Compliance

Licenses

No license compliance issues

Secrets

4 debugging symbols found

Security

Vulnerabilities

No known vulnerabilities detected

Hardening

2 outdated toolchains detected

Threats

Tampering

No evidence of software tampering

Malware

No evidence of malware inclusion

List of software quality issues with the number of affected components.

Policies

Info

Problem

Uniform Resource Locators (URLs) are structured addresses that point to locations and assets on the internet. URLs allow software developers to build complex applications that exchange data with servers that can be hosted in multiple geographical regions. URLs can commonly be found embedded in documentation, configuration files, source code and compiled binaries. One or more embedded URLs were discovered to link to raw files hosted on GitHub. Attackers often abuse popular web services to host malicious payloads. Since code-sharing services URLs are typically allowed by security solutions, using them for payload delivery increases the odds that the malicious code will reach the user. While the presence of code-sharing service locations does not imply malicious intent, all of their uses in a software package should be documented and approved. An increasing number of software supply chain attacks in the open source space leverages the GitHub service to deliver malicious payloads.

Prevalence in Visual Studio Code community

79 packages

found in

Top 100

622 packages

found in

Top 1k

4233 packages

found in

Top 10k

29.36k packages

in community

Next steps

Investigate reported detections.

If the software should not include these network references, investigate your build and release environment for software supply chain compromise.

You should delay the software release until the investigation is completed, or until the issue is risk accepted.

Consider an alternative delivery mechanism for software packages.

Problem

Export restrictions (or a restriction on exportation) are limitations on the quantity of goods exported to a specific country or countries by a Government. The United States Government has imposed export restrictions on a number of countries and regions. These restrictions may or may not apply to digital goods such as software and other related intellectual property. It is advised that the reported findings are put in the usage context so that they can be audited and reviewed by the legal department before the software package is deployed. Current list of countries with export restrictions includes: Cuba (.cu), Iran (.ir), North Korea (.nk) and Syria (.sy).

Prevalence in Visual Studio Code community

7 packages

found in

Top 100

35 packages

found in

Top 1k

79 packages

found in

Top 10k

356 packages

in community

Next steps

Investigate reported detections.

You should delay the software release until the legal review is completed.

Problem

Export restrictions (or a restriction on exportation) are limitations on the quantity of goods exported to a specific country or countries by a Government. The European Union has imposed export restrictions on a number of countries and regions. These restrictions may or may not apply to digital goods such as software and other related intellectual property. It is advised that the reported findings are put in the usage context so that they can be audited and reviewed by the legal department before the software package is deployed. Current list of countries with export restrictions includes: Belarus (.by), Iran (.ir), Iraq (.iq), Libya (.ly), Myanmar (.mm), North Korea (.nk), Syria (.sy), Venezuela (.ve) and Zimbabwe (.zw).

Prevalence in Visual Studio Code community

13 packages

found in

Top 100

77 packages

found in

Top 1k

242 packages

found in

Top 10k

1.05k packages

in community

Next steps

Investigate reported detections.

You should delay the software release until the legal review is completed.

Problem

Security Development Lifecycle (SDL) is a group of enhanced compile-time checks that report common coding mistakes as errors, preventing them from reaching production. These checks minimize the number of security issues by enforcing strict memory access checks. They also prevent the use of hard-to-secure string and memory manipulation functions. To prove the binary has been compiled with these checks enabled, the compiler emits a special debug object. Removing the debug table eliminates this proof. Therefore, this check only applies to binaries that still have their debug tables.

Prevalence in Visual Studio Code community

43 packages

found in

Top 100

257 packages

found in

Top 1k

754 packages

found in

Top 10k

3.7k packages

in community

Next steps

You should keep the debug table to prove that the SDL process has been followed.

To enable these checks, refer to your programming language toolchain documentation.

In Microsoft VisualStudio, you can enable this feature by setting the compiler option /SDL to ON.

Problem

Security Development Lifecycle (SDL) is a group of enhanced compile-time checks that report common coding mistakes as errors. These checks prevent the use of hard-to-secure memory manipulation functions. They enforce static memory access checks, and allow only the use of range-verified memory access functions. While these checks do not prevent every memory corruption issue by themselves, they do help reduce the likelihood.

Prevalence in Visual Studio Code community

25 packages

found in

Top 100

134 packages

found in

Top 1k

216 packages

found in

Top 10k

904 packages

in community

Next steps

It's highly recommended to enable these checks for all software components used at security boundaries, or those that process user controlled inputs.

To enable these checks, refer to your programming language toolchain documentation.

In Microsoft VisualStudio, you can enable this feature by setting the compiler option /SDL to ON.

Problem

Sensitive executable memory regions should be kept as read-only to protect the integrity of trusted execution code flow paths. Imported function addresses are pointers to the symbols that implement the application-required functionality. If those pointers are changed by malicious code, execution paths can be redirected to unintended locations. Most modern programming language toolchains protect those memory regions appropriately. Newest linker versions isolate delay imports into their own protected memory region for extra security. These issues are commonly reported for outdated linkers and non-compliant executable packing solutions.

Prevalence in Visual Studio Code community

12 packages

found in

Top 100

68 packages

found in

Top 1k

221 packages

found in

Top 10k

1.13k packages

in community

Next steps

Review the programming language linker options, and consider a build toolchain update.

Problem

Program database (PDB) files are typically only used during software development. They contain private debug symbols that make it significantly easier to reverse engineer a closed-source application. In some cases, having a program database file is equivalent to having access to the source code. Presence of program databases could indicate that one or more software components have been built using a debug profile, instead of the release.

Prevalence in Visual Studio Code community

7 packages

found in

Top 100

21 packages

found in

Top 1k

68 packages

found in

Top 10k

200 packages

in community

Next steps

Private debug database files should not be embedded within executables, and you should remove them from the software package before releasing it.

The integrity verification of the embedded database files should not be done with insecure hashing algorithms. SHA1 and MD5 hashes should be deprecated throughout the application, and a more secure SHA256 algorithm should be used instead.

Problem

Program database (PDB) files are typically only used during software development. They contain private debug symbols that make it significantly easier to reverse engineer a closed source application. In some cases, having a program database file is equivalent to having access to the source code. Presence of program databases could indicate that one or more software components have been built using a debug profile, instead of the release.

Prevalence in Visual Studio Code community

8 packages

found in

Top 100

49 packages

found in

Top 1k

130 packages

found in

Top 10k

479 packages

in community

Next steps

Remove private debug database files from the software package before you release it.

Problem

Software components contain executable code that performs actions implemented during its development. These actions are called behaviors. In the analysis report, behaviors are presented as human-readable descriptions that best match the underlying code intent. While most behaviors are benign, some are commonly abused by malicious software with the intent to cause harm. When a software package shares behavior traits with malicious software, it may become flagged by security solutions. Any detection from security solutions can cause friction for the end-users during software deployment. While the behavior is likely intended by the developer, there is a small chance this detection is true positive, and an early indication of a software supply chain attack.

Prevalence in Visual Studio Code community

60 packages

found in

Top 100

434 packages

found in

Top 1k

2301 packages

found in

Top 10k

13.88k packages

in community

Next steps

Investigate reported detections.

If the software intent does not relate to the reported behavior, investigate your build and release environment for software supply chain compromise.

You should delay the software release until the investigation is completed, or until the issue is risk accepted.

Consider rewriting the flagged code without using the marked behaviors.

Problem

Each security solution has a unique footprint that consists of installed files and changes to system configuration. Malicious code often tries to detect security solutions by accessing registry keys and folder locations associated with the software installation. Detecting which security solution is installed plays a key role in selecting the optimal malware infection strategy. When a computer system is protected by a security solution, malware may decide to behave differently. Malware may choose to delay its execution, change infection stages, or even avoid running altogether. While the presence of code that detects security solutions does not necessarily imply malicious intent, all of its uses in a software package should be documented and approved. Only select applications should consider using functions that check for presence of installed security software. One example of acceptable use for such functions is informing the user about possible compatibility issues with the detected security software.

Prevalence in Visual Studio Code community

13 packages

found in

Top 100

46 packages

found in

Top 1k

70 packages

found in

Top 10k

235 packages

in community

Next steps

Investigate reported detections as indicators of software tampering.

Consult Mitre ATT&CK documentation: T1518.001 - Security Software Discovery.

Consider rewriting the flagged code without using the marked behaviors.

Did you know...

... that you can use ReversingLabs’ Spectra Assure platform to perform regular risk assessments of packages you develop in-house?

We recommend continuous software safeness monitoring through CI/CD integrations and pre-release/deployment checks. In addition to basic package information found on this page our platform offers rich reports for developers and DevSecOps that help them remediate all reported issues.

This website uses cookies to ensure the best website experience. By continuing to use this website you are giving your consent to cookies being used. Detailed information about our use of cookies is here.

List of software quality issues with the number of affected components.

Policies

Info

Problem

Prevalence in Visual Studio Code community

79 packages

found in

Top 100

622 packages

found in

Top 1k

4233 packages

found in

Top 10k

29.36k packages

in community

Next steps

Investigate reported detections.

If the software should not include these network references, investigate your build and release environment for software supply chain compromise.

You should delay the software release until the investigation is completed, or until the issue is risk accepted.

Consider an alternative delivery mechanism for software packages.

Problem

Prevalence in Visual Studio Code community

7 packages

found in

Top 100

35 packages

found in

Top 1k

79 packages

found in

Top 10k

356 packages

in community

Next steps

Investigate reported detections.

You should delay the software release until the legal review is completed.

Problem

Prevalence in Visual Studio Code community

13 packages

found in

Top 100

77 packages

found in

Top 1k

242 packages

found in

Top 10k

1.05k packages

in community

Next steps

Investigate reported detections.

You should delay the software release until the legal review is completed.

Problem

Prevalence in Visual Studio Code community

43 packages

found in

Top 100

257 packages

found in

Top 1k

754 packages

found in

Top 10k

3.7k packages

in community

Next steps

You should keep the debug table to prove that the SDL process has been followed.

To enable these checks, refer to your programming language toolchain documentation.

In Microsoft VisualStudio, you can enable this feature by setting the compiler option /SDL to ON.

Problem

Prevalence in Visual Studio Code community

25 packages

found in

Top 100

134 packages

found in

Top 1k

216 packages

found in

Top 10k

904 packages

in community

Next steps

It's highly recommended to enable these checks for all software components used at security boundaries, or those that process user controlled inputs.

To enable these checks, refer to your programming language toolchain documentation.

In Microsoft VisualStudio, you can enable this feature by setting the compiler option /SDL to ON.

Problem

Prevalence in Visual Studio Code community

12 packages

found in

Top 100

68 packages

found in

Top 1k

221 packages

found in

Top 10k

1.13k packages

in community

Next steps

Review the programming language linker options, and consider a build toolchain update.

Problem

Prevalence in Visual Studio Code community

7 packages

found in

Top 100

21 packages

found in

Top 1k

68 packages

found in

Top 10k

200 packages

in community

Next steps

Private debug database files should not be embedded within executables, and you should remove them from the software package before releasing it.

Problem

Program database (PDB) files are typically only used during software development. They contain private debug symbols that make it significantly easier to reverse engineer a closed source application. In some cases, having a program database file is equivalent to having access to the source code. Presence of program databases could indicate that one or more software components have been built using a debug profile, instead of the release.

Prevalence in Visual Studio Code community

8 packages

found in

Top 100

49 packages

found in

Top 1k

130 packages

found in

Top 10k

479 packages

in community

Next steps

Remove private debug database files from the software package before you release it.

Problem

Prevalence in Visual Studio Code community

60 packages

found in

Top 100

434 packages

found in

Top 1k

2301 packages

found in

Top 10k

13.88k packages

in community

Next steps

Investigate reported detections.

If the software intent does not relate to the reported behavior, investigate your build and release environment for software supply chain compromise.

You should delay the software release until the investigation is completed, or until the issue is risk accepted.

Consider rewriting the flagged code without using the marked behaviors.

Problem

Prevalence in Visual Studio Code community

13 packages

found in

Top 100

46 packages

found in

Top 1k

70 packages

found in

Top 10k

235 packages

in community

Next steps

Investigate reported detections as indicators of software tampering.

Consult Mitre ATT&CK documentation: T1518.001 - Security Software Discovery.

Consider rewriting the flagged code without using the marked behaviors.

IntelliCode for C# Dev Kit

SAFE Assessment

Compliance

Security

Threats

TH17127Detected presence of files containing URLs that link to raw files on GitHub.hunting

Problem

Prevalence in Visual Studio Code community

Next steps

TH18101Detected presence of files containing URLs that reside in regions with US export restrictions.hunting

Problem

Prevalence in Visual Studio Code community

Next steps

TH18102Detected presence of files containing URLs that reside in regions with EU export restrictions.hunting

Problem

Prevalence in Visual Studio Code community

Next steps

SQ14138Detected Windows executable files that were compiled without following the recommended SDL process.Causes risk: misconfigured toolchains detectedhardening

Problem

Prevalence in Visual Studio Code community

Next steps

SQ14139Detected Windows executable files compiled without following the SDL best practices while using banned memory functions.Causes risk: misconfigured toolchains detectedhardening

Problem

Prevalence in Visual Studio Code community

Next steps

SQ14157Detected Windows executable files with delay import functions susceptible to pointer hijacking.Causes risk: execution hijacking concernshardening

Problem

Prevalence in Visual Studio Code community

Next steps

SQ14160Detected Windows executable files that embed PDB files whose integrity is verified with an insecure hashing algorithm.Causes risk: outdated toolchains detectedhardening

Problem

Prevalence in Visual Studio Code community

Next steps

SQ34202Detected presence of private debug database files.Causes risk: debugging symbols foundsecrets

Problem

Prevalence in Visual Studio Code community

Next steps

TH15103Detected presence of files with behaviors commonly used by malicious software.hunting

Problem

Prevalence in Visual Studio Code community

Next steps

TH16117Detected presence of software components that can detect installed security software.hunting

Problem

Prevalence in Visual Studio Code community

Next steps

Did you know...

TH17127Detected presence of files containing URLs that link to raw files on GitHub.hunting

Problem

Prevalence in Visual Studio Code community

Next steps

TH18101Detected presence of files containing URLs that reside in regions with US export restrictions.hunting

Problem

Prevalence in Visual Studio Code community

Next steps

TH18102Detected presence of files containing URLs that reside in regions with EU export restrictions.hunting

Problem

Prevalence in Visual Studio Code community

Next steps

SQ14138Detected Windows executable files that were compiled without following the recommended SDL process.Causes risk: misconfigured toolchains detectedhardening

Problem

Prevalence in Visual Studio Code community

Next steps

SQ14139Detected Windows executable files compiled without following the SDL best practices while using banned memory functions.Causes risk: misconfigured toolchains detectedhardening

Problem

Prevalence in Visual Studio Code community

Next steps

SQ14157Detected Windows executable files with delay import functions susceptible to pointer hijacking.Causes risk: execution hijacking concernshardening

Problem

Prevalence in Visual Studio Code community

Next steps

SQ14160Detected Windows executable files that embed PDB files whose integrity is verified with an insecure hashing algorithm.Causes risk: outdated toolchains detectedhardening

Problem

Prevalence in Visual Studio Code community

Next steps

SQ34202Detected presence of private debug database files.Causes risk: debugging symbols foundsecrets

Problem

Prevalence in Visual Studio Code community

Next steps

TH15103Detected presence of files with behaviors commonly used by malicious software.hunting

Problem