FxCop rule CA2140 violated by auto-generated serialization assemblies - Need help fixing violation

  • Question

  • Hello,

    I am using FxCop 10.0 with a set of .NET 4.0 assemblies. The Visual Studio project build option 'Generate serialization assembly:' is turned on for some of these assemblies. The generated assemblies violate FxCop rule CA2140 (Transparent code must not reference security critical items).

    Here is a sample error:

    [Location not stored in Pdb] : error  : CA2140 : Microsoft.Security : Transparent method 'XmlSerializerContract.GetSerializer(Type)' references security critical type 'WorksheetSectionType'.  In order for this reference to be allowed under the security transparency rules, either 'XmlSerializerContract.GetSerializer(Type)' must become security critical or safe-critical, or 'WorksheetSectionType' become security safe-critical or transparent.

    If I'm reading this error correctly, it looks like my non-auto-generated assemblies are security critical while my auto-generated XML serialization assemblies are security transparent. (When I run SecAnnotate on an XML serialization assembly it doesn't find any errors.)

    Can you tell me what I need to do to fix this error? For a test, I tried adding the following lines to an AssemblyInfo.cs file, but it didn't change my FxCop output:

     [assembly: System.Security.AllowPartiallyTrustedCallers()]
     [assembly: System.Security.SecurityTransparent()]

    Thanks,
    Don

    Friday, May 11, 2012 8:32 PM

Answers

All replies

  • Hi, 

    To fix this, you should mark the method that has XmlSerializerContract.GetSerializer with SecuritySafeCriticalAttribute.



    Saturday, May 12, 2012 10:22 AM
  • Hi Don,

    To fix this violation, 

    For details, please check:

    http://msdn.microsoft.com/en-us/library/bb264475.aspx


    Regards, http://shwetamannjain.blogspot.com

    Sunday, May 13, 2012 5:34 AM
  • The XmlSerializerContract.GetSerializer method is contained in the auto-generated serialization assembly. How do I apply the SecuritySafeCriticalAttribute to these types of methods?

    Thanks

    Monday, May 14, 2012 1:38 PM
  • Hello,

    As I mentioned in my reply to Kris444, I don't know how to apply the SecurityCriticalAttribute to an auto-generated serialization assembly for which I have no source. I tried the second option of applying the SecurityTransparentAttribute. As I mentioned in my original post, I added these lines to my AssemblyInfo.cs file, but it didn't change anything.

    [assembly: System.Security.AllowPartiallyTrustedCallers()]
    [assembly: System.Security.SecurityTransparent()]

    Thanks

    Monday, May 14, 2012 1:43 PM
  • Hi, 

    Adding SecurityTransparent sets it to safe from a security perspective; it does not allow executing any dangerous operations. It also makes it unable to execute security critical code directly.

    Marking it as SecurityCritical will allow it to execute any operation it wishes. Since you have no control over the method which has access to critical code, mark it with SecurityCritical:

    [assembly: SecurityRules(SecurityRuleSet.Level2)]
    [assembly: SecurityCritical()]

    Only fully trusted code can be security critical (also, fully trusted code is by default security critical).

    For more information please go through http://msdn.microsoft.com/en-us/library/dd233102.aspx#examples

    I hope this helps you...



    Monday, May 14, 2012 5:13 PM
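    The following is an added example, not code from the thread or from any of the posters. It reproduces in miniature the layout that produces the CA2140 finding under the .NET 4 Level2 transparency model: a `[SecurityCritical]` type (a hypothetical stand-in for `WorksheetSectionType`) referenced from a method that is transparent because the assembly carries `AllowPartiallyTrustedCallers`, next to the method-side fix named in the rule text (`[SecuritySafeCritical]` on the referencing method). The namespace and class names are invented for the example.

    ```csharp
    // Added example (not from the thread). Minimal .NET 4 Level2 layout that reproduces
    // the shape of the CA2140 finding and the method-side fix the rule text suggests.
    using System;
    using System.Security;

    // SecurityRuleSet.Level2 is the .NET 4 transparency model. With AllowPartiallyTrustedCallers
    // present, every member in this assembly is transparent unless annotated otherwise.
    [assembly: SecurityRules(SecurityRuleSet.Level2)]
    [assembly: AllowPartiallyTrustedCallers]

    namespace TransparencyDemo
    {
        // Hypothetical stand-in for the 'WorksheetSectionType' named in the error message.
        [SecurityCritical]
        public class WorksheetSectionType
        {
            public string Name { get { return "section"; } }
        }

        public static class XmlSerializerContractDemo
        {
            // Transparent (no attribute) because of the assembly-level APTCA. Referencing the
            // critical type from here is what CA2140 reports; under Level2 the runtime also
            // rejects the access when this method executes.
            public static string GetSerializerTransparent()
            {
                return new WorksheetSectionType().Name;
            }

            // Fix from the rule text: make the referencing method safe-critical. It may use
            // critical code and stays callable from transparent code, so it is the place to
            // validate anything the caller passes in before touching critical members.
            [SecuritySafeCritical]
            public static string GetSerializerSafeCritical()
            {
                return new WorksheetSectionType().Name;
            }
        }

        public static class Program
        {
            public static void Main()
            {
                Console.WriteLine(XmlSerializerContractDemo.GetSerializerSafeCritical());
                try
                {
                    Console.WriteLine(XmlSerializerContractDemo.GetSerializerTransparent());
                }
                catch (SystemException ex)
                {
                    // MethodAccessException or TypeAccessException, depending on which
                    // critical member the transparent code touched first.
                    Console.WriteLine("transparency violation: " + ex.GetType().Name + ": " + ex.Message);
                }
            }
        }
    }
    ```

    Two points follow from this layout. First, `SecurityTransparentAttribute` and `AllowPartiallyTrustedCallersAttribute` apply only at assembly level, so in a full-trust assembly that carries neither (every member critical by default under Level2) there is no per-type way to make `WorksheetSectionType` transparent; the type-side fix in the rule text means changing the annotation of the assembly that defines the type, and the method-side fix needs the source of the assembly that defines the method. Second, the enum values are `SecurityRuleSet.Level1 = 1` and `SecurityRuleSet.Level2 = 2`, which matters when reading a decompiled `[assembly: SecurityRules(1)]`.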
  • Hi Kris444,

    Ideally, I think I want my assembly and the auto-generated serialization assembly to both be SecurityCritical, but I don't know how to make the auto-generated serialization assembly SecurityCritical. Can you tell me how I can set the security level of an auto-generated serialization assembly?

    Thanks,

    Don

    Monday, May 14, 2012 7:55 PM
  • Hi donzie1, 

    OK, how is the auto-generated serialization assembly being created? Using Sgen.exe? If this is the case you can sign the assembly, right?

    There is an option, /compiler, through which you can sign the assembly (this makes your assembly security critical).

    (more details on /compiler options from )

    I hope this helps you...



    Tuesday, May 15, 2012 4:20 AM
  • My assembly and the auto-generated serialization assembly are both signed. I can verify this using the sn tool. Why am I getting this error if my assembly and the auto-generated serialization assembly are both signed?

    [Location not stored in Pdb] : error  : CA2140 : Microsoft.Security : Transparent method 'XmlSerializerContract.GetSerializer(Type)' references security critical type 'WorksheetSectionType'.  In order for this reference to be allowed under the security transparency rules, either 'XmlSerializerContract.GetSerializer(Type)' must become security critical or safe-critical, or 'WorksheetSectionType' become security safe-critical or transparent.

    Tuesday, May 15, 2012 12:24 PM
  • It may be a bug or something else.

    Ghost,
    Call me ghost for short, Thanks
    To get the better answer, it should be a better question.

    Monday, May 21, 2012 11:26 AM
  • When I look at the auto-generated serialization assembly in .NET reflector, I see it has the following .NET assembly options.
    As expected, the assembly is set to SecurityTransparent. I'd like to know if it's possible to change this.

    [assembly:AssemblyVersion("0.0.0.0")]
    [assembly:SecurityRules(1)]
    [assembly:RuntimeCompatibility(WrapNonExceptionThrows=true)]
    [assembly:SecurityTransparent]
    [assembly:AllowPartiallyTrustedCallers]
    [assembly:XmlSerializerVersion(ParentAssemblyId="8cde60da-a2ad-4da2-81b1-96098aff857c,", Version="4.0.0.0")]
    [assembly:CompilationRelaxations(8)]

    Wednesday, June 27, 2012 5:42 AM