SmolerSAST.Rules.Base 0.2.0

There is a newer version of this package available.
See the version list below for details.
.NET CLI:
dotnet add package SmolerSAST.Rules.Base --version 0.2.0

Package Manager (intended for the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package):
NuGet\Install-Package SmolerSAST.Rules.Base -Version 0.2.0

PackageReference (for projects that support PackageReference, copy this XML node into the project file):
<PackageReference Include="SmolerSAST.Rules.Base" Version="0.2.0" />

Central Package Management (for projects that support CPM, copy the PackageVersion node into the solution's Directory.Packages.props to version the package, and the PackageReference node into the project file):
Directory.Packages.props:
<PackageVersion Include="SmolerSAST.Rules.Base" Version="0.2.0" />
Project file:
<PackageReference Include="SmolerSAST.Rules.Base" />

Paket CLI:
paket add SmolerSAST.Rules.Base --version 0.2.0

Script & Interactive (the #r directive can be used in F# Interactive and Polyglot Notebooks; copy this into the interactive tool or the script source):
#r "nuget: SmolerSAST.Rules.Base, 0.2.0"

C# file-based apps (the #:package directive can be used starting in .NET 10 preview 4; copy this into a .cs file before any lines of code):
#:package SmolerSAST.Rules.Base@0.2.0

Cake Addin:
#addin nuget:?package=SmolerSAST.Rules.Base&version=0.2.0

Cake Tool:
#tool nuget:?package=SmolerSAST.Rules.Base&version=0.2.0

SmolerSAST

Modular static application security testing (SAST) platform for .NET codebases, aimed at the Brazilian financial market.

Differentiator: detection based on Roslyn symbol resolution (not regex), with rules specific to LGPD, Bacen 4.658 and CVM, plus a semantic layer using Claude for exploitability analysis.

Status

Phase  Description                         Status
1      Skeleton & Core Engine              Done
2      Base Rule Pack (40 rules)           Pending
3      Brazil Rule Pack & Semantic Layer   Pending
4      Reporting, CLI, Analyzer NuGet      Pending
5      Integration, Determinism, Docs      Pending

Requirements

  • .NET SDK 9.0+ (tested with 10.0)
  • Windows, Linux or macOS

Check the installation:

dotnet --version

Quick Start (from a source checkout of the repository)

# 1. Restore dependencies
dotnet restore

# 2. Build
dotnet build -c Release

# 3. Run the tests
dotnet test -c Release

# 4. Scan C# code
dotnet run --project src/SmolerSAST.Cli -- scan --path <path-to-cs-files> --output result.sarif

Example with the bundled fixtures

dotnet run --project src/SmolerSAST.Cli -- scan \
  --path fixtures/cli-scan-sample \
  --output scan-results.sarif

Expected output:

SmolerSAST v0.1.0 — Scanning: fixtures/cli-scan-sample
Analysis complete: 5 finding(s) in ~8s
  [Critical] SMOL0009: BinaryFormatter instantiation detected.
  [Critical] SMOL0009: Call to BinaryFormatter.Deserialize() detected.
  ...

Architecture

                    ┌──────────────────────┐
                    │   SmolerSAST.Cli     │  ← Entry point
                    └──────────┬───────────┘
                               │
                    ┌──────────▼───────────┐
                    │  AnalysisPipeline     │  ← Orchestrator
                    └──────────┬───────────┘
                               │
              ┌────────────────┼────────────────┐
              │                │                │
   ┌──────────▼──────┐ ┌──────▼──────┐ ┌───────▼───────┐
   │ Compilation     │ │ Symbol      │ │ Rule          │
   │ Acquirer        │ │ Index       │ │ Registry      │
   └─────────────────┘ └─────────────┘ └───────┬───────┘
                                                │
                                     ┌──────────▼──────────┐
                                     │ SmolerRule instances │
                                     │ (SMOL0009, ...)      │
                                     └──────────┬──────────┘
                                                │
                                     ┌──────────▼──────────┐
                                     │ Findings → SARIF     │
                                     └─────────────────────┘

Analysis Pipeline

  1. Compilation Acquisition — Loads the C# code into a Roslyn CSharpCompilation
  2. Symbol Indexing — Indexes types, methods, properties and fields
  3. Rule Registration — Each SmolerRule registers callbacks (SyntaxNode, Symbol)
  4. Parallel Execution — Rules run in parallel, one syntax tree per worker (rules are stateless)
  5. Finding Collection — Findings are collected in a thread-safe ConcurrentBag
  6. SARIF Emission — Deterministic output in SARIF 2.1.0
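The six stages above condensed into a stand-alone Roslyn program, as an added example and not SmolerSAST code: it builds a CSharpCompilation from in-memory sources, runs a stateless rule over each syntax tree in parallel, collects findings in a ConcurrentBag and sorts them on a fixed key before printing. The Finding record, the RuleAction delegate, the MiniPipeline class and the rule id DEMO0001 are this example's own names (DEMO0001 is hypothetical; the page only says the MD5/SHA1 rule lies in the SMOL0017-0024 range); the three source files are constructed inputs. The only dependency is the Microsoft.CodeAnalysis.CSharp NuGet package.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;

// Immutable finding record; the sort key in Run() is what makes the output order deterministic.
public sealed record Finding(string RuleId, string File, int Line, int Column, string Message);

// A rule is a stateless function of (syntax tree, semantic model); it may run on any thread.
public delegate IEnumerable<Finding> RuleAction(SyntaxTree tree, SemanticModel model);

public static class MiniPipeline
{
    // Stage 1: compilation acquisition. The framework assemblies of the running process are
    // referenced so that BCL types (System.Security.Cryptography.MD5, ...) resolve to real symbols.
    // Without references GetSymbolInfo() yields error symbols and a symbol-based rule reports nothing.
    public static CSharpCompilation Acquire(IReadOnlyDictionary<string, string> sources)
    {
        var trees = sources.Select(kv => CSharpSyntaxTree.ParseText(kv.Value, path: kv.Key));
        var tpa = (string)AppContext.GetData("TRUSTED_PLATFORM_ASSEMBLIES")!;
        var refs = tpa.Split(Path.PathSeparator).Select(p => MetadataReference.CreateFromFile(p));
        return CSharpCompilation.Create("scan", trees, refs,
            new CSharpCompilationOptions(OutputKind.DynamicallyLinkedLibrary));
    }

    // Stages 4-6: each tree gets its own semantic model and is analysed on its own worker;
    // findings go into a ConcurrentBag and are sorted afterwards by (file, line, column, rule id).
    public static IReadOnlyList<Finding> Run(CSharpCompilation compilation, IReadOnlyList<RuleAction> rules)
    {
        var bag = new ConcurrentBag<Finding>();
        Parallel.ForEach(compilation.SyntaxTrees, tree =>
        {
            var model = compilation.GetSemanticModel(tree);
            foreach (var rule in rules)
                foreach (var finding in rule(tree, model))
                    bag.Add(finding);
        });
        return bag.OrderBy(f => f.File, StringComparer.Ordinal)
                  .ThenBy(f => f.Line).ThenBy(f => f.Column)
                  .ThenBy(f => f.RuleId, StringComparer.Ordinal)
                  .ToList();
    }

    // Demo rule (hypothetical id DEMO0001, modelled on the planned MD5/SHA1 rule): flags
    // MD5.Create() and SHA1.Create() by resolving the invoked method's containing type,
    // never by matching the text "MD5" or "SHA1".
    public static IEnumerable<Finding> WeakHashRule(SyntaxTree tree, SemanticModel model)
    {
        var weak = new HashSet<string>(StringComparer.Ordinal)
            { "System.Security.Cryptography.MD5", "System.Security.Cryptography.SHA1" };
        foreach (var inv in tree.GetRoot().DescendantNodes().OfType<InvocationExpressionSyntax>())
        {
            if (model.GetSymbolInfo(inv).Symbol is not IMethodSymbol method) continue;
            if (method.Name != "Create" || !weak.Contains(method.ContainingType.ToDisplayString())) continue;
            var pos = inv.GetLocation().GetLineSpan().StartLinePosition;
            yield return new Finding("DEMO0001", tree.FilePath, pos.Line + 1, pos.Character + 1,
                $"{method.ContainingType.Name}.Create() is a weak hash algorithm.");
        }
    }

    public static int Main()
    {
        // Constructed sample inputs. Alias.cs is the case a regex cannot handle: the text "SHA1"
        // occurs only in the using-alias line, while the call site reads Weak.Create().
        var sources = new Dictionary<string, string>
        {
            ["Hasher.cs"] = "using System.Security.Cryptography;\nclass H { byte[] F(byte[] b) => MD5.Create().ComputeHash(b); }",
            ["Safe.cs"]   = "using System.Security.Cryptography;\nclass S { byte[] F(byte[] b) => SHA256.Create().ComputeHash(b); }",
            ["Alias.cs"]  = "using Weak = System.Security.Cryptography.SHA1;\nclass A { object F() => Weak.Create(); }",
        };
        var findings = Run(Acquire(sources), new RuleAction[] { WeakHashRule });
        foreach (var f in findings)
            Console.WriteLine($"{f.File}:{f.Line}:{f.Column} {f.RuleId} {f.Message}");
        return findings.Count == 0 ? 0 : 1; // non-zero exit code so a CI job can gate on findings
    }
}
```

Two points for rule authors. The compilation is handed references for every framework assembly of the running process (the TRUSTED_PLATFORM_ASSEMBLIES list); if references are missing, GetSymbolInfo() returns error symbols and a symbol-based rule silently reports nothing, so a scan of a project whose references could not be restored looks clean instead of failing. And in Alias.cs the semantic model resolves Weak.Create() to System.Security.Cryptography.SHA1 and the finding lands on the call site, whereas a regex on "MD5|SHA1" would flag the using-alias line and miss the actual call.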

Project Structure

src/
├── SmolerSAST.Core/              # Analysis engine
│   ├── Compilation/              #   Compilation acquisition (Roslyn)
│   ├── Indexing/                 #   Symbol indexing
│   ├── Pipeline/                 #   Pipeline orchestrator
│   └── Rules/                    #   Rule framework (base classes, Finding, etc.)
├── SmolerSAST.Rules.Base/       # Generic .NET rule pack
│   └── Deserialization/          #   SMOL0009: BinaryFormatter
├── SmolerSAST.Rules.BR/         # Brazilian rule pack (LGPD/Bacen/CVM) [skeleton]
├── SmolerSAST.Semantic/         # Semantic layer using Claude [skeleton]
├── SmolerSAST.Reporting/        # SARIF 2.1.0 emitter
├── SmolerSAST.Cli/              # CLI (scan, version)
└── SmolerSAST.Analyzer/         # Roslyn Analyzer NuGet [skeleton]

tests/
├── SmolerSAST.Core.Tests/       # Core tests (34 tests)
└── SmolerSAST.Rules.Base.Tests/ # Rule tests (9 tests)

fixtures/
├── cli-scan-sample/             # Fixtures for CLI scans
└── vulnerable-samples/          # Fixtures with vulnerable code (raw source)

phase1/                          # Phase 1 evidence artifacts

Implemented Rules (Phase 1)

ID        Name                   CWE      OWASP     Severity  Precision
SMOL0009  BinaryFormatter Usage  CWE-502  A08:2021  Critical  High

Planned Rules (Phases 2-3)

  • Injection (SMOL0001-0008): SQL, LDAP, XPath, Command, LINQ, NoSQL, Dapper
  • Deserialization (SMOL0010-0016): NetDataContractSerializer, LosFormatter, ViewState, JSON TypeNameHandling, YamlDotNet
  • Cryptography (SMOL0017-0024): MD5/SHA1, ECB, hardcoded keys, RijndaelManaged, weak TLS
  • ASP.NET (SMOL0025-0032): AllowAnonymous, CSRF, cookie configuration, DI lifetime
  • Config/Secrets (SMOL0033-0040): hardcoded secrets, insecure HttpClient, DI mismatch
  • LGPD (SMOL1001-1006): PII in logs, in URLs, in the database without encryption, consent
  • Bacen/CVM (SMOL1007-1012): JWT validation, mTLS, HSM, audit trail

Creating a New Rule

  1. Create a sealed class deriving from SmolerRule in src/SmolerSAST.Rules.Base/
  2. Implement the metadata properties (Id, CweIds, Severity, etc.)
  3. Implement RegisterActions() with Roslyn-based analysis callbacks
  4. Add tests with ≥ 3 positive and ≥ 3 negative cases

public sealed class MyRule : SmolerRule
{
    public override RuleId Id { get; } = new("SMOL0042");
    public override ImmutableArray<int> CweIds { get; } = [79]; // XSS
    public override string OwaspCategory => "A03:2021";
    public override RuleSeverity Severity => RuleSeverity.High;
    public override RulePrecision Precision => RulePrecision.Medium;
    // ... remaining properties ...

    public override void RegisterActions(AnalysisContext context)
    {
        context.RegisterSyntaxNodeAction(AnalyzeNode, SyntaxKind.InvocationExpression);
    }

    private static void AnalyzeNode(SyntaxNodeAnalysisContext ctx)
    {
        // Use ctx.SemanticModel for symbol resolution
        // NEVER use regex for detection
        // Report via ctx.ReportFinding(new Finding(...))
    }
}
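The template above filled in for the rule the page already ships, SMOL0009, as an added example and not the project's own implementation. The SmolerRule base class, AnalysisContext, a SyntaxNodeAnalysisContext exposing Node, SemanticModel and ReportFinding, and a Finding(RuleId, Location, string) constructor are assumed from the template and the README (the real signatures may differ, and the SmolerSAST.Core.Rules namespace is a guess); the Roslyn calls (GetTypeInfo, GetSymbolInfo, IMethodSymbol, ToDisplayString) are real.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Immutable;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;
using SmolerSAST.Core.Rules; // assumed: where SmolerRule, AnalysisContext, Finding and RuleId live

public sealed class BinaryFormatterRule : SmolerRule
{
    // Compared against the resolved symbol's fully-qualified name, never against source text.
    private const string BinaryFormatterTypeName =
        "System.Runtime.Serialization.Formatters.Binary.BinaryFormatter";

    // Every BinaryFormatter entry point that turns attacker-controllable bytes into an object graph.
    private static readonly HashSet<string> SinkMethods = new(StringComparer.Ordinal)
    {
        "Deserialize", "UnsafeDeserialize", "DeserializeMethodResponse", "UnsafeDeserializeMethodResponse",
    };

    public override RuleId Id { get; } = new("SMOL0009");
    public override ImmutableArray<int> CweIds { get; } = [502]; // Deserialization of Untrusted Data
    public override string OwaspCategory => "A08:2021";
    public override RuleSeverity Severity => RuleSeverity.Critical;
    public override RulePrecision Precision => RulePrecision.High;

    public override void RegisterActions(AnalysisContext context)
    {
        // `BinaryFormatter f = new();` carries no type name at the creation site, so it is its own kind.
        context.RegisterSyntaxNodeAction(AnalyzeCreation, SyntaxKind.ObjectCreationExpression);
        context.RegisterSyntaxNodeAction(AnalyzeCreation, SyntaxKind.ImplicitObjectCreationExpression);
        context.RegisterSyntaxNodeAction(AnalyzeInvocation, SyntaxKind.InvocationExpression);
    }

    // `new BinaryFormatter()`, `new Binary.BinaryFormatter()`, `new Fmt()` through a using-alias and a
    // target-typed `new()` all resolve to the same INamedTypeSymbol, so one comparison covers them.
    private void AnalyzeCreation(SyntaxNodeAnalysisContext ctx)
    {
        var creation = (BaseObjectCreationExpressionSyntax)ctx.Node;
        if (ctx.SemanticModel.GetTypeInfo(creation).Type is not INamedTypeSymbol type) return;
        if (!IsBinaryFormatter(type)) return;

        // Finding(RuleId, Location, string) is an assumed constructor shape.
        ctx.ReportFinding(new Finding(Id, creation.GetLocation(), "BinaryFormatter instantiation detected."));
    }

    // Flags `formatter.Deserialize(stream)` when the receiver's static type is BinaryFormatter.
    private void AnalyzeInvocation(SyntaxNodeAnalysisContext ctx)
    {
        var invocation = (InvocationExpressionSyntax)ctx.Node;
        if (ctx.SemanticModel.GetSymbolInfo(invocation).Symbol is not IMethodSymbol method) return;
        if (!SinkMethods.Contains(method.Name) || !IsBinaryFormatter(method.ContainingType)) return;

        ctx.ReportFinding(new Finding(Id, invocation.GetLocation(),
            $"Call to BinaryFormatter.{method.Name}() detected."));
    }

    // OriginalDefinition strips any generic instantiation; the display string is the full metadata name.
    private static bool IsBinaryFormatter(INamedTypeSymbol type) =>
        type.OriginalDefinition.ToDisplayString() == BinaryFormatterTypeName;
}
```

Suggested cases for step 4: positives are `new BinaryFormatter()`, `BinaryFormatter f = new();`, `new Fmt()` under `using Fmt = System.Runtime.Serialization.Formatters.Binary.BinaryFormatter;`, and `f.Deserialize(stream)`; negatives are a user-defined `MyApp.BinaryFormatter`, `new XmlSerializer(typeof(T)).Deserialize(stream)`, and a string literal containing "BinaryFormatter". One limit of a symbol-based call-site check is worth a test of its own: with `IFormatter f = new BinaryFormatter(); f.Deserialize(s)` the invocation resolves to IFormatter.Deserialize, so only the instantiation fires; following the concrete type through that variable needs dataflow, which is outside this rule.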

SARIF Output

The CLI emits SARIF 2.1.0 reports, compatible with:

  • GitHub Advanced Security
  • Azure DevOps
  • Microsoft Defender
  • Any tool that consumes SARIF
dotnet run --project src/SmolerSAST.Cli -- scan --path ./my-app --output report.sarif

Tests

# All tests
dotnet test -c Release

# With coverage
dotnet test -c Release --collect:"XPlat Code Coverage"

# Tests of a specific project
dotnet test tests/SmolerSAST.Rules.Base.Tests -c Release

Minimum requirement: 75% line coverage.

Design Principles

  • Symbol resolution, not regex: every detection uses the Roslyn SemanticModel
  • Stateless rules: no mutable state in SmolerRule instances
  • False-positive rate as a metric: each rule declares its precision
  • Determinism: same input → same output (sort keys, fixed timestamps)
  • Immutability: Finding, FindingLocation and RuleId are immutable records
  • Zero warnings: build with TreatWarningsAsErrors=true

License

Proprietary (internal use).

Target frameworks

Compatible: net9.0.
Computed: net9.0-android, net9.0-browser, net9.0-ios, net9.0-maccatalyst, net9.0-macos, net9.0-tvos, net9.0-windows, net10.0, net10.0-android, net10.0-browser, net10.0-ios, net10.0-maccatalyst, net10.0-macos, net10.0-tvos, net10.0-windows.

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last Updated
0.4.0 50 5/21/2026
0.3.0 52 5/19/2026
0.2.0 51 5/18/2026
0.1.0-alpha.1 56 5/18/2026