[csharp] How to write a test case with external DLLs ?

[Hug0Vincent]

Hello, I would like to create a test case for a query, so far I have this structure:

ExtensionSinks.cs
ExtensionSinks.expected
ExtensionSinks.ql
options

CodeQL can't compile my test code (I can compile it with Visual Studio). I don't know how to create the options file:

semmle-extractor-options: /r:System.Data.Common.dll /r:System.Xml.XmlSerializer.dll /r:System.Runtime.Serialization.Xml.dll /r:System.Runtime.Serialization.Xml.dll /r:System.Collections.dll /r:System.Private.Xml.dll /r:System.Private.DataContractSerialization.dll /r:System.Runtime.Extensions.dll /r:System.ComponentModel.TypeConverter.dll /r:System.Xml.ReaderWriter.dll /r:System.IO.FileSystem.dll /r:System.Security.Claims.dll /r:System.Web.dll

Is there a way to list the required DLLs ?

$ codeql test run .\ql\csharp\tests\ --show-extractor-output
Executing 1 tests in 1 directories.
WARNING: Pattern 'generated/*.yml' did not match any extension files. (F:\tools\QLinspector\ql\csharp\ext\qlpack.yml:1,1-1)
WARNING: Pattern 'generated/**/*.yml' did not match any extension files. (F:\tools\QLinspector\ql\csharp\ext\qlpack.yml:1,1-1)
Extracting test database in F:\tools\QLinspector\ql\csharp\tests\tests\ExtensionSinks.
[005] Error:   Unable to resolve reference 'System.Data.Linq.dll'
[001] Error:   Compilation error: \\VBoxSvr\Mount\tools\QLinspector\ql\csharp\tests\tests\ExtensionSinks\ExtensionSinks.cs(4,14): error CS0234: The type or namespace name 'Activities' does not exist in the namespace 'System' (are you missing an assembly reference?)
[001] Error:   Compilation error: \\VBoxSvr\Mount\tools\QLinspector\ql\csharp\tests\tests\ExtensionSinks\ExtensionSinks.cs(5,18): error CS0234: The type or namespace name 'Caching' does not exist in the namespace 'System.Web' (are you missing an assembly reference?)
[001] Error:   Compilation error: \\VBoxSvr\Mount\tools\QLinspector\ql\csharp\tests\tests\ExtensionSinks\ExtensionSinks.cs(6,19): error CS0234: The type or namespace name 'Linq' does not exist in the namespace 'System.Data' (are you missing an assembly reference?)
[001] Error:   Compilation error: \\VBoxSvr\Mount\tools\QLinspector\ql\csharp\tests\tests\ExtensionSinks\ExtensionSinks.cs(8,18): error CS0234: The type or namespace name 'SessionState' does not exist in the namespace 'System.Web' (are you missing an assembly reference?)
[001] Error:   Compilation error: \\VBoxSvr\Mount\tools\QLinspector\ql\csharp\tests\tests\ExtensionSinks\ExtensionSinks.cs(10,18): error CS0234: The type or namespace name 'Security' does not exist in the namespace 'System.Web' (are you missing an assembly reference?)
[001] Error:   Compilation error: \\VBoxSvr\Mount\tools\QLinspector\ql\csharp\tests\tests\ExtensionSinks\ExtensionSinks.cs(28,32): error CS0246: The type or namespace name 'WorkflowDesigner' could not be found (are you missing a using directive or an assembly reference?)
[001] Error:   Compilation error: \\VBoxSvr\Mount\tools\QLinspector\ql\csharp\tests\tests\ExtensionSinks\ExtensionSinks.cs(31,13): error CS0103: The name 'DBConvert' does not exist in the current context
[001] Error:   Compilation error: \\VBoxSvr\Mount\tools\QLinspector\ql\csharp\tests\tests\ExtensionSinks\ExtensionSinks.cs(32,13): error CS0103: The name 'DBConvert' does not exist in the current context
[001] Error:   Compilation error: \\VBoxSvr\Mount\tools\QLinspector\ql\csharp\tests\tests\ExtensionSinks\ExtensionSinks.cs(34,13): error CS0103: The name 'OutputCache' does not exist in the current context
[001] Error:   Compilation error: \\VBoxSvr\Mount\tools\QLinspector\ql\csharp\tests\tests\ExtensionSinks\ExtensionSinks.cs(36,13): error CS0103: The name 'HttpStaticObjectsCollection' does not exist in the current context
[001] Error:   Compilation error: \\VBoxSvr\Mount\tools\QLinspector\ql\csharp\tests\tests\ExtensionSinks\ExtensionSinks.cs(38,13): error CS0103: The name 'SessionStateItemCollection' does not exist in the current context
[001] Error:   Compilation error: \\VBoxSvr\Mount\tools\QLinspector\ql\csharp\tests\tests\ExtensionSinks\ExtensionSinks.cs(41,27): error CS0246: The type or namespace name 'RolePrincipal' could not be found (are you missing a using directive or an assembly reference?)
[001] Error:   Compilation error: \\VBoxSvr\Mount\tools\QLinspector\ql\csharp\tests\tests\ExtensionSinks\ExtensionSinks.cs(42,27): error CS0246: The type or namespace name 'RolePrincipal' could not be found (are you missing a using directive or an assembly reference?)
[001] Error:   Compilation error: \\VBoxSvr\Mount\tools\QLinspector\ql\csharp\tests\tests\ExtensionSinks\ExtensionSinks.cs(43,27): error CS0246: The type or namespace name 'RolePrincipal' could not be found (are you missing a using directive or an assembly reference?)
[004] Error:   Namespace not found in using System.Activities.Presentation; at \\VBoxSvr\Mount\tools\QLinspector\ql\csharp\tests\tests\ExtensionSinks\ExtensionSinks.cs: (3,0)-(3,37)    at Semmle.Extraction.CSharp.Context.ReportError(InternalError error)
   at Semmle.Extraction.CSharp.Context.ModelError(SyntaxNode node, String msg)
   at Semmle.Extraction.CSharp.Entities.UsingDirective.Populate(TextWriter trapFile)
   at Semmle.Extraction.CSharp.Entities.FreshEntity.<TryPopulate>b__2_0()
   at Semmle.Extraction.CSharp.Context.Try(SyntaxNode node, ISymbol symbol, Action a)
[004] Error:   Namespace not found in using System.Web.Caching; at \\VBoxSvr\Mount\tools\QLinspector\ql\csharp\tests\tests\ExtensionSinks\ExtensionSinks.cs: (4,0)-(4,25)    at Semmle.Extraction.CSharp.Context.ReportError(InternalError error)
...

Here is my code if it can help:

using System.IO;
using System.Text;
using System.Xml;
using System.Activities.Presentation;
using System.Web.Caching;
using System.Data.Linq;
using System.Web;
using System.Web.SessionState;
using System.Security.Principal;
using System.Web.Security;

namespace ExtensionSinks
{
    internal class Program
    {
        static void Main(string[] args)
        {
            // Simulated tainted input
            string tainted = "tainted_input";
            string taintedInput = "";
            byte[] taintedBytes = Encoding.UTF8.GetBytes(tainted);
            Stream taintedStream = new MemoryStream(taintedBytes);
            TextReader taintedReader = new StringReader(tainted);
            XmlReader xmlReader = XmlReader.Create(taintedReader);
            BinaryReader binaryReader = new BinaryReader(taintedStream);


            var designer = new WorkflowDesigner();
            designer.PropertyInspectorFontAndColorData = tainted;

            DBConvert.ChangeType(tainted, typeof(string));
            DBConvert.ChangeType<string>(tainted);

            OutputCache.Deserialize(taintedStream);

            HttpStaticObjectsCollection.Deserialize(binaryReader);

            SessionStateItemCollection.Deserialize(binaryReader);

            var identity = new GenericIdentity("user");
            var rp1 = new RolePrincipal(identity, tainted);
            var rp2 = new RolePrincipal(tainted, identity, tainted);
            var rp3 = new RolePrincipal(identity, tainted);
        }
    }
}

I reviewed the CodeQL source repository and noticed that it supports linking .csproj files. However, when I attempted to use the one generated by Visual Studio, the process failed. I also came across tests that use stubs—is there a way to generate these stubs automatically? Unfortunately, I haven’t been able to find clear documentation on how to do this.

[jketema]

Hi @Hug0Vincent,

Thanks for your question. Your options file looks correct to me, or at least very similar to things that our see in our tests. Let me ask internally how this is supposed to work.

[michaelnebel]

• The script we use for stub generation can be found here: https://github.com/github/codeql/tree/main/csharp/scripts/stubs.
• If you have an application you can build using dotnet (containing the code you pasted above), then maybe check the bin/Debug folder to see, which DLLs it uses?

[Hug0Vincent]

But how is CodeQL resolving dlls ? For example I'm using System.Data.Linq.dll but it fails:

[005] Error: Unable to resolve reference 'System.Data.Linq.dll'

And this is a System wide DLL that can be found in the GAC

[Hug0Vincent]

Also The DLLs are not there (it's a dotnet Framework app):

PS ...\ConsoleApp1\bin\Debug> dir


    Directory: ...\ConsoleApp1\bin\Debug


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          9/1/2025   8:55 AM          20480 ConsoleApp1.exe
-a----         6/17/2025   2:39 AM            187 ConsoleApp1.exe.config
-a----          9/1/2025   8:55 AM          67072 ConsoleApp1.pdb
-a----          7/9/2019   7:24 PM        1113856 microsoft.identitymodel.dll
-a----          3/8/2023   8:09 AM         711952 Newtonsoft.Json.dll
-a----          3/8/2023   8:05 AM         713541 Newtonsoft.Json.xml
-a----         8/13/2025   3:29 AM        6600192 System.Management.Automation.dll

[michaelnebel]

The extractor is resolving DLL's in the following way:

1. If the path is "rooted" (this is not the case for /r:System.Data.Linq.dll) use the concrete provided path to find the reference.
2. For "unrooted" paths (this is the case for /r:System.Data.Linq.dll), the extractor tries to find the reference in the following way (in the order below)
   A. Look in the current working directory where the compiler is invoked from (in your case this is the test directory).
   B. Look in the common language runtime system directory (this is most likely a directory in your dotnet installation - if you are using dotnet).
   C. Look in directories specified by the $LIB environment variable.

@hvitved : As applications are getting more "complicated" - do you know of any easy way to "detect" which assemblies to provide to the extractor for testing purposes (other than looking it up)?

[hvitved]

We have talked about, in the past, adding support for writing tests that look more like dotnet projects, but we never got around to doing that. So, for now, its a manual process.

[Hug0Vincent]

I tried this @michaelnebel but still the same error:

PS > dir C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Data.Linq.dll


    Directory: C:\Windows\Microsoft.NET\Framework64\v4.0.30319


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          4/1/2024   9:22 AM         682400 System.Data.Linq.dll


PS > set LIB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\"

I also tried with the full path

[michaelnebel]

From the original example it doesn't like /r:System.Data.Linq.dll is added to the list of extractor options. Have you added it subsequently?
If adding it to the options file (and setting the $LIB doesn't work) then maybe try and copy the DLL directly into the test directory and check if the extractor picks it up.

[Hug0Vincent]

Yes sorry it's in my option file but not here, I'm trying the stub way, it's working thanks :)