Azure

0.9.9

Sql/Microsoft.WindowsAzure.Commands.SqlDatabase.dll.CodeAnalysisLog.xml

                                <?xml version="1.0" encoding="utf-8"?>

<?xml-stylesheet type="text/xsl" href="c:\program files (x86)\microsoft visual studio 12.0\team tools\static analysis tools\fxcop\Xml\CodeAnalysisReport.xsl"?>

<FxCopReport Version="12.0">

 <Targets>

  <Target Name="D:\Code\GitHub\azure-powershell\src\Package\Debug\ServiceManagement\Azure\Sql\Microsoft.WindowsAzure.Commands.SqlDatabase.dll">

   <Modules>

    <Module Name="microsoft.windowsazure.commands.sqldatabase.dll">

     <Namespaces>

      <Namespace Name="Microsoft.WindowsAzure.Commands.SqlDatabase.Services.Server">

       <Types>

        <Type Name="TSqlConnectionContext" Kind="Class" Accessibility="Public" ExternallyVisible="True">

         <Members>

          <Member Name="#AlterDatabaseName(System.String,System.String)" Kind="Method" Static="False" Accessibility="Private" ExternallyVisible="False">

           <Messages>

            <Message TypeName="Review SQL queries for security vulnerabilities" Category="Microsoft.Security" CheckId="CA2100" Status="Active" Created="2015-09-22 22:01:37Z" FixCategory="DependsOnFix">

             <Issue Name="WithNonLiterals" Certainty="75" Level="Warning" Path="d:\Code\GitHub\azure-powershell\src\ServiceManagement\Sql\Commands.SqlDatabase\Services\Server" File="TSqlConnectionContext.cs" Line="949">The query string passed to 'DbCommand.CommandText.set(string)' in 'TSqlConnectionContext.AlterDatabaseName(string, string)' could contain the following variables 'this.SqlEscape(databaseName)', 'this.SqlEscape(newDatabaseName)'. If any of these variables could come from user input, consider using a stored procedure or a parameterized SQL query instead of building the query with string concatenations.</Issue>

            </Message>

           </Messages>

          </Member>

          <Member Name="#RemoveDatabase(System.String)" Kind="Method" Static="False" Accessibility="Public" ExternallyVisible="True">

           <Messages>

            <Message TypeName="Review SQL queries for security vulnerabilities" Category="Microsoft.Security" CheckId="CA2100" Status="Active" Created="2015-09-22 22:01:37Z" FixCategory="DependsOnFix">

             <Issue Name="WithNonLiterals" Certainty="75" Level="Warning" Path="d:\Code\GitHub\azure-powershell\src\ServiceManagement\Sql\Commands.SqlDatabase\Services\Server" File="TSqlConnectionContext.cs" Line="555">The query string passed to 'DbCommand.CommandText.set(string)' in 'TSqlConnectionContext.RemoveDatabase(string)' could contain the following variables 'this.SqlEscape(databaseName)'. If any of these variables could come from user input, consider using a stored procedure or a parameterized SQL query instead of building the query with string concatenations.</Issue>

            </Message>

           </Messages>

          </Member>

         </Members>

        </Type>

       </Types>

      </Namespace>

     </Namespaces>

    </Module>

   </Modules>

  </Target>

 </Targets>

 <Rules>

  <Rule TypeName="Review SQL queries for security vulnerabilities" Category="Microsoft.Security" CheckId="CA2100">

   <Name>Review SQL queries for security vulnerabilities</Name>

   <Description>A SQL command string built from user input is vulnerable to SQL injection attacks. Microsoft SQL Server and other database servers support stored procedures and parameterized SQL queries, which reduce the risk of injection attacks.</Description>

   <Resolution Name="WithNonLiterals">The query string passed to {0} in {1} could contain the following variables {2}. If any of these variables could come from user input, consider using a stored procedure or a parameterized SQL query instead of building the query with string concatenations.</Resolution>

   <Owner>RuleOwner</Owner>

   <Url>http://msdn.microsoft.com/library/ms182310.aspx</Url>

   <Email />

   <MessageLevel Certainty="75">Warning</MessageLevel>

   <File Name="dataflowrules.dll" Version="12.0.0.0" />

  </Rule>

 </Rules>

 <Localized>

  <String Key="Category">Category</String>

  <String Key="Certainty">Certainty</String>

  <String Key="CollapseAll">Collapse All</String>

  <String Key="CheckId">Check Id</String>

  <String Key="Error">Error</String>

  <String Key="Errors">error(s)</String>

  <String Key="ExpandAll">Expand All</String>

  <String Key="Help">Help</String>

  <String Key="Line">Line</String>

  <String Key="Messages">message(s)</String>

  <String Key="LocationNotStoredInPdb">[Location not stored in Pdb]</String>

  <String Key="Project">Project</String>

  <String Key="Resolution">Resolution</String>

  <String Key="Rule">Rule</String>

  <String Key="RuleFile">Rule File</String>

  <String Key="RuleDescription">Rule Description</String>

  <String Key="Source">Source</String>

  <String Key="Status">Status</String>

  <String Key="Target">Target</String>

  <String Key="Warning">Warning</String>

  <String Key="Warnings">warning(s)</String>

  <String Key="ReportTitle">Code Analysis Report</String>

 </Localized>

</FxCopReport>