Monday, July 30, 2018

Projects and Builds Reporting

When building a project from the command line, Microsoft Dynamics AX
reporting tools does not perform any checks for unsafe entries in the project file.
The project file entries are not analyzed by Microsoft Dynamics AX reporting
tools from a security perspective. Therefore, it is strongly recommended that you
do not build third-party reporting projects from the command line. Build from the
command line only in trusted scenarios.


Microsoft Visual Studio, with the help of MSBuild, analyzes unsafe entries in a
project file when it is loaded and warns you about them. An example of an unsafe
entry is the redirection of the project output path to a system folder. For example,
the output path could be redirected to C:\Windows, which could overwrite a
system file. Or, the output path could be redirected so as to overwrite a default
MSBuild property for Microsoft Dynamics AX reporting tools projects. When
attempting to open a reporting project that contains unsafe entries, a dialog box
displays that prompts you not to open the project. If you experience this, you
should inspect the unsafe entries as you decide whether to open the project.
Project files, model files, code files, and referenced assemblies should always be
placed in a safe location whether it is a local folder, network share, or source
code control database. The default project location for Microsoft Visual Studio
projects is \My Documents\Visual Studio 2010\Projects, which is protected by
the administrator and current user access control lists.


Threat detection in a business logic project is limited to the functionality
provided by standard C# and Visual Basic project systems in Microsoft Visual
Studio. The current implementation of the C# and Visual Basic project systems
displays only the first detected threat in the project file. Therefore, if you skip the
threat and load the project file, all other threats that exist in the project file will
be skipped.


The build cache file has an internal binary structure. The first violation of this
structure that is discovered will force the compilation to regenerate the file. If the
file is modified without violating the structure, the issue will not be mitigated,
but you can invoke a clean build to regenerate the build cache file to eliminate
the threat.


Regards,
Hossein Karimi

No comments:

Post a Comment

Configure the Firewall on the Enterprise Portal Server

After you install Enterprise Portal, enable Web Server (HTTP) in Windows Firewall. If you do not enable the web server in Windows Firewall...