SmolerSAST.Core 0.2.0

dotnet add package SmolerSAST.Core --version 0.2.0

SmolerSAST

Modular static application security testing (SAST) platform for .NET codebases, aimed at the Brazilian financial market.

Differentiator: detection based on Roslyn symbol resolution (not regex), with rules specific to LGPD, Bacen 4.658 and CVM, and a semantic layer using Claude for exploitability analysis.

Status

| Phase | Description                         | Status  |
|-------|-------------------------------------|---------|
| 1     | Skeleton & Core Engine              | Done    |
| 2     | Base Rule Pack (40 rules)           | Pending |
| 3     | Brazil Rule Pack & Semantic Layer   | Pending |
| 4     | Reporting, CLI, Analyzer NuGet      | Pending |
| 5     | Integration, Determinism, Docs      | Pending |

Requirements

  • .NET SDK 9.0+ (tested with 10.0)
  • Windows, Linux or macOS

Verify the installation:

dotnet --version

Quick Start

# 1. Restore dependencies
dotnet restore

# 2. Build
dotnet build -c Release

# 3. Run tests
dotnet test -c Release

# 4. Scan C# code
dotnet run --project src/SmolerSAST.Cli -- scan --path <caminho-para-arquivos-cs> --output resultado.sarif

Example with the included fixtures

dotnet run --project src/SmolerSAST.Cli -- scan \
  --path fixtures/cli-scan-sample \
  --output scan-results.sarif

Expected output:

SmolerSAST v0.1.0 — Scanning: fixtures/cli-scan-sample
Analysis complete: 5 finding(s) in ~8s
  [Critical] SMOL0009: Instanciação de BinaryFormatter detectada.
  [Critical] SMOL0009: Chamada a BinaryFormatter.Deserialize() detectada.
  ...

Architecture

                    ┌──────────────────────┐
                    │   SmolerSAST.Cli     │  ← Entry point
                    └──────────┬───────────┘
                               │
                    ┌──────────▼───────────┐
                    │  AnalysisPipeline    │  ← Orchestrator
                    └──────────┬───────────┘
                               │
              ┌────────────────┼────────────────┐
              │                │                │
   ┌──────────▼──────┐  ┌──────▼──────┐ ┌───────▼───────┐
   │ Compilation     │  │ Symbol      │ │ Rule          │
   │ Acquirer        │  │ Index       │ │ Registry      │
   └─────────────────┘  └─────────────┘ └───────┬───────┘
                                                │
                                     ┌──────────▼──────────┐
                                     │ SmolerRule instances│
                                     │ (SMOL0009, ...)     │
                                     └──────────┬──────────┘
                                                │
                                     ┌──────────▼──────────┐
                                     │ Findings → SARIF    │
                                     └─────────────────────┘

Analysis Pipeline

  1. Compilation Acquisition — Loads C# code into a Roslyn CSharpCompilation
  2. Symbol Indexing — Indexes types, methods, properties and fields
  3. Rule Registration — Each SmolerRule registers callbacks (SyntaxNode, Symbol)
  4. Parallel Execution — Rules run in parallel per syntax tree (stateless)
  5. Finding Collection — Findings are collected via a thread-safe ConcurrentBag
  6. SARIF Emission — Deterministic output in SARIF 2.1.0

Project Structure

src/
├── SmolerSAST.Core/              # Analysis engine
│   ├── Compilation/              #   Compilation acquisition (Roslyn)
│   ├── Indexing/                 #   Symbol indexing
│   ├── Pipeline/                 #   Pipeline orchestrator
│   └── Rules/                    #   Rule framework (base classes, Finding, etc.)
├── SmolerSAST.Rules.Base/        # Generic .NET rule pack
│   └── Deserialization/          #   SMOL0009: BinaryFormatter
├── SmolerSAST.Rules.BR/          # Brazilian rule pack (LGPD/Bacen/CVM) [skeleton]
├── SmolerSAST.Semantic/          # Semantic layer with Claude [skeleton]
├── SmolerSAST.Reporting/         # SARIF 2.1.0 emitter
├── SmolerSAST.Cli/               # CLI (scan, version)
└── SmolerSAST.Analyzer/          # Roslyn Analyzer NuGet [skeleton]

tests/
├── SmolerSAST.Core.Tests/        # Core tests (34 tests)
└── SmolerSAST.Rules.Base.Tests/  # Rule tests (9 tests)

fixtures/
├── cli-scan-sample/              # Fixtures for scanning via the CLI
└── vulnerable-samples/           # Fixtures with vulnerable code (raw source)

phase1/                           # Phase 1 evidence artifacts

Implemented Rules (Phase 1)

| ID       | Name                  | CWE     | OWASP    | Severity | Precision |
|----------|-----------------------|---------|----------|----------|-----------|
| SMOL0009 | BinaryFormatter Usage | CWE-502 | A08:2021 | Critical | High      |

Planned Rules (Phase 2-3)

  • Injection (SMOL0001-0008): SQL, LDAP, XPath, Command, LINQ, NoSQL, Dapper
  • Deserialization (SMOL0010-0016): NetDataContractSerializer, LosFormatter, ViewState, JSON TypeNameHandling, YamlDotNet
  • Cryptography (SMOL0017-0024): MD5/SHA1, ECB, hardcoded keys, RijndaelManaged, weak TLS
  • ASP.NET (SMOL0025-0032): AllowAnonymous, CSRF, cookie configuration, DI lifetime
  • Config/Secrets (SMOL0033-0040): hardcoded secrets, insecure HttpClient, DI mismatch
  • LGPD (SMOL1001-1006): PII in logs, URLs, database without encryption, consent
  • Bacen/CVM (SMOL1007-1012): JWT validation, mTLS, HSM, audit trail

Creating a New Rule

  1. Create a sealed class deriving from SmolerRule in src/SmolerSAST.Rules.Base/
  2. Implement the metadata properties (Id, CweIds, Severity, etc.)
  3. Implement RegisterActions() with Roslyn-based analysis callbacks
  4. Add tests with ≥ 3 positives and ≥ 3 negatives

using System.Collections.Immutable;
using Microsoft.CodeAnalysis.CSharp;
// SmolerRule, RuleId, RuleSeverity, RulePrecision, AnalysisContext,
// SyntaxNodeAnalysisContext and Finding come from the SmolerSAST.Core rule framework.

public sealed class MyRule : SmolerRule
{
    public override RuleId Id { get; } = new("SMOL0042");
    public override ImmutableArray<int> CweIds { get; } = [79]; // XSS
    public override string OwaspCategory => "A03:2021";
    public override RuleSeverity Severity => RuleSeverity.High;
    public override RulePrecision Precision => RulePrecision.Medium;
    // ... remaining properties ...

    public override void RegisterActions(AnalysisContext context)
    {
        // Called once per syntax tree; register one callback per syntax kind of interest
        context.RegisterSyntaxNodeAction(AnalyzeNode, SyntaxKind.InvocationExpression);
    }

    private static void AnalyzeNode(SyntaxNodeAnalysisContext ctx)
    {
        // Use ctx.SemanticModel for symbol resolution
        // NEVER use regex for detection
        // Report via ctx.ReportFinding(new Finding(...))
    }
}
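The skeleton above leaves the actual symbol-resolution check to the rule author. The following is an added example, written as a stand-alone Roslyn program and not taken from the SmolerSAST code base: it shows the check behind SMOL0009 (BinaryFormatter instantiation and Deserialize() calls) and why binding to the symbol beats matching on the identifier text. It assumes a default .NET 9 console project with the Microsoft.CodeAnalysis.CSharp NuGet package; the analyzed source, including the BinaryFormatter stub and the look-alike type, is constructed for the example.

```csharp
using System;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;

// Fully qualified name the rule looks for; identifier text alone is never trusted.
const string Target = "System.Runtime.Serialization.Formatters.Binary.BinaryFormatter";

// Constructed sample under analysis. The first namespace stubs the real
// BinaryFormatter (so no framework assembly reference is needed); the second
// is a look-alike that a name-based regex would wrongly flag.
const string Sample = """
    using System.IO;
    namespace System.Runtime.Serialization.Formatters.Binary
    { public class BinaryFormatter { public object Deserialize(Stream s) => s; } }
    namespace MyApp.Legacy
    { public class BinaryFormatter { public object Deserialize(Stream s) => s; } }
    class Consumer
    {
        object Bad(Stream s) => new System.Runtime.Serialization.Formatters.Binary.BinaryFormatter().Deserialize(s);
        object Ok(Stream s) => new MyApp.Legacy.BinaryFormatter().Deserialize(s);
    }
    """;

var tree = CSharpSyntaxTree.ParseText(Sample);
var compilation = CSharpCompilation.Create("sample", [tree],
    [MetadataReference.CreateFromFile(typeof(object).Assembly.Location)],
    new CSharpCompilationOptions(OutputKind.DynamicallyLinkedLibrary));
var model = compilation.GetSemanticModel(tree);

// Bind the node to its method symbol (constructor or instance method) and
// compare the containing type's fully qualified name, not the written identifier.
bool TargetsBinaryFormatter(SyntaxNode node, string? memberName) =>
    model.GetSymbolInfo(node).Symbol is IMethodSymbol m
    && m.ContainingType.ToDisplayString() == Target
    && (memberName is null || m.Name == memberName);

foreach (var node in tree.GetRoot().DescendantNodes())
{
    int line = node.GetLocation().GetLineSpan().StartLinePosition.Line + 1;
    if (node is ObjectCreationExpressionSyntax c && TargetsBinaryFormatter(c, null))
        Console.WriteLine($"[Critical] SMOL0009 line {line}: BinaryFormatter instantiation detected.");
    else if (node is InvocationExpressionSyntax i)
        Console.WriteLine(TargetsBinaryFormatter(i, "Deserialize")
            ? $"[Critical] SMOL0009 line {line}: BinaryFormatter.Deserialize() call detected."
            : $"ok line {line}: {i.Expression} binds to a different type, not reported.");
}
```

Only the two expressions in `Bad` are reported; the `MyApp.Legacy.BinaryFormatter` look-alike in `Ok` binds to a different type and stays silent, which is the negative case the rule tests are expected to cover.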

SARIF Output

The CLI emits SARIF 2.1.0 reports, compatible with:

  • GitHub Advanced Security
  • Azure DevOps
  • Microsoft Defender
  • Any tool that consumes SARIF

dotnet run --project src/SmolerSAST.Cli -- scan --path ./my-app --output report.sarif

Tests

# All tests
dotnet test -c Release

# With coverage
dotnet test -c Release --collect:"XPlat Code Coverage"

# Tests for a specific project
dotnet test tests/SmolerSAST.Rules.Base.Tests -c Release

Minimum requirement: 75% line coverage.

Design Principles

  • Symbol resolution, not regex: all detection uses Roslyn's SemanticModel
  • Stateless rules: no mutable state in SmolerRule instances
  • False positive rate as a metric: each rule declares its precision
  • Determinism: same input → same output (sort keys, fixed timestamps)
  • Immutability: Finding, FindingLocation and RuleId are immutable records
  • Zero warnings: builds with TreatWarningsAsErrors=true

License

Proprietary — internal use.

Target frameworks: net9.0 is included in the package; net9.0-android/browser/ios/maccatalyst/macos/tvos/windows, net10.0 and the same net10.0 platform-specific variants are computed as compatible.

NuGet packages (3)

Showing the top 3 NuGet packages that depend on SmolerSAST.Core:

  • SmolerSAST.Rules.Base — SmolerSAST base rule pack: .NET-specific security rules for deserialization, injection, cryptography, ASP.NET, and configuration vulnerabilities.
  • SmolerSAST.Reporting — SmolerSAST reporting: SARIF 2.1.0 emitter and evidence artifact generation for security scan results.
  • SmolerSAST.Rules.BR — SmolerSAST Brazil-specific rule pack: 22 rules for LGPD, Bacen 4.658, PCI-DSS, CVM, Open Finance (SMOL1001-SMOL1024).


| Version       | Downloads | Last Updated |
|---------------|-----------|--------------|
| 0.4.0         | 89        | 5/21/2026    |
| 0.3.0         | 95        | 5/19/2026    |
| 0.2.0         | 93        | 5/18/2026    |
| 0.1.0-alpha.1 | 53        | 5/18/2026    |