rspec/rules/S4211/csharp/rule.adoc

== Why is this an issue?

Transparency attributes, ``++SecurityCriticalAttribute++`` and ``++SecuritySafeCriticalAttribute++`` are used to identify code that performs security-critical operations. The second one indicates that it is safe to call this code from transparent, while the first one does not.  Since the transparency attributes of code elements with larger scope take precedence over transparency attributes of code elements that are contained in the first element a class, for instance, with a ``++SecurityCriticalAttribute++`` can not contain a method with a ``++SecuritySafeCriticalAttribute++``.


This rule raises an issue when a member is marked with a ``++System.Security++`` security attribute that has a different transparency than the security attribute of a container of the member.


=== Noncompliant code example

[source,csharp]
----
using System;
using System.Security;

namespace MyLibrary
{

    [SecurityCritical]
    public class Foo
    {
        [SecuritySafeCritical] // Noncompliant
        public void Bar()
        {
        }
    }
}
----


=== Compliant solution

[source,csharp]
----
using System;
using System.Security;

namespace MyLibrary
{

    [SecurityCritical]
    public class Foo
    {
        public void Bar()
        {
        }
    }
}
----


== Resources

* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration
* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::message.adoc[]

include::highlighting.adoc[]

endif::env-github,rspecator-view[]
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Why is this an issue?`

Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			Transparency attributes, ``++SecurityCriticalAttribute++`` and ``++SecuritySafeCriticalAttribute++`` are used to identify code that performs security-critical operations. The second one indicates that it is safe to call this code from transparent, while the first one does not. Since the transparency attributes of code elements with larger scope take precedence over transparency attributes of code elements that are contained in the first element a class, for instance, with a ``++SecurityCriticalAttribute++`` can not contain a method with a ``++SecuritySafeCriticalAttribute++``.


			This rule raises an issue when a member is marked with a ``++System.Security++`` security attribute that has a different transparency than the security attribute of a container of the member.

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Noncompliant code example`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,csharp]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`
			`using System;`
			`using System.Security;`

			`namespace MyLibrary`
			`{`

			`[SecurityCritical]`
			`public class Foo`
			`{`
			`[SecuritySafeCritical] // Noncompliant`
			`public void Bar()`
			`{`
			`}`
			`}`
			`}`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Compliant solution`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,csharp]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`
			`using System;`
			`using System.Security;`

			`namespace MyLibrary`
			`{`

			`[SecurityCritical]`
			`public class Foo`
			`{`
			`public void Bar()`
			`{`
			`}`
			`}`
			`}`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Resources`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
RULEAPI-709: Security rules are mapped to the OWASP Top 10 2021 security-standard (#545) 2021-11-01 15:00:32 +01:00			`* https://owasp.org/Top10/A05_2021-Security_Misconfiguration/[OWASP Top 10 2021 Category A5] - Security Misconfiguration`
Modify: Fix old/broken embedded links (#1100) 2022-07-08 13:58:56 +02:00			`* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::message.adoc[]`

			`include::highlighting.adoc[]`

			`endif::env-github,rspecator-view[]`