Catching .NET Vulnerabilities Early: A Hands-On SAST Demo with Puma Scan
Static Application Security Testing (SAST) helps developers find security flaws directly in source code—before they reach production. In this article, I demonstrate how to use Puma Scan, a .NET-focused SAST tool listed by OWASP, to detect real vulnerabilities in a minimal C# application. The entire workflow—including code, automation script, and scan results—is publicly available on GitHub.
🔗 GitHub Demo Repository:
https://github.com/Vlkair/dotnet-sast-pumascan-demo
Why Puma Scan?
From the official OWASP Source Code Analysis Tools list, many SAST tools exist—but this assignment excluded Sonar, Snyk, Semgrep, and Veracode. Among the remaining options for C#/.NET, Puma Scan stood out because:
- It’s designed specifically for .NET and C#
- It integrates with Visual Studio, VS Code, and the command line
- It detects common OWASP Top 10 issues like SQL Injection and Cross-Site Scripting (XSS)
- A Community Edition is available for free learning and testing
The Vulnerable Code Sample
To keep the demo simple and reproducible, I created a minimal C# class with a classic SQL injection vulnerability:
```csharp
// TestVuln.cs
using System;
using System.Data.SqlClient;

public class VulnerableClass
{
    public void UnsafeQuery(string userInput)
    {
        // ⚠️ SQL Injection: user input concatenated directly into query
        string query = "SELECT * FROM Users WHERE Id = " + userInput;
        SqlCommand cmd = new SqlCommand(query);
    }
}
```
If an attacker inputs `1 OR 1=1`, the query becomes:

```sql
SELECT * FROM Users WHERE Id = 1 OR 1=1
```

→ All user records are exposed.
This matches CWE-89 and OWASP Top 10: A03:2021 – Injection.
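The remediated form of the snippet above, as an added example that is not part of the demo repository: the Id is validated as an integer and bound as a typed SqlParameter, so the SQL text stays constant and user input can never change the shape of the WHERE clause. `HardenedClass` and `BuildLookup` are names chosen for this example.

```csharp
// SafeQuery.cs - added example, not from the demo repository
using System;
using System.Data;
using System.Data.SqlClient;

public class HardenedClass
{
    // Same lookup as UnsafeQuery, but the user-supplied value is never
    // concatenated into the query: it is validated and then sent to the
    // server as a typed parameter, separate from the SQL text.
    public static SqlCommand BuildLookup(SqlConnection conn, string userInput)
    {
        // Validate the shape first: an Id is an integer and nothing else,
        // so an input like "1 OR 1=1" is rejected before any SQL is built.
        if (!int.TryParse(userInput, out int id))
            throw new ArgumentException("Id must be an integer", nameof(userInput));

        // Constant SQL text with a placeholder; no string concatenation.
        var cmd = new SqlCommand("SELECT * FROM Users WHERE Id = @id", conn);
        cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
        return cmd;
    }
}
```

Because the query string passed to SqlCommand is now a literal with no user-influenced part, Puma Scan's SEC0107 rule has nothing to flag here, which is the expected behaviour of a SAST tool after a genuine fix.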
Automated Detection with Puma Scan
Step 1: Add Puma Scan to your project
```shell
dotnet add package Puma.Security.Rules
```
Step 2: Create a scan script
I created a simple PowerShell script (scan.ps1):
```powershell
# scan.ps1 - PumaScan SAST Analysis Script
Write-Host "======================================" -ForegroundColor Cyan
Write-Host " PumaScan - SAST Security Analysis" -ForegroundColor Cyan
Write-Host "======================================" -ForegroundColor Cyan
Write-Host ""

# Build the project with PumaScan analysis
# (the Puma.Security.Rules analyzer runs inside the compiler, so its findings
# appear as build warnings)
Set-Location PumaScanner
dotnet clean | Out-Null
dotnet build

Write-Host ""
Write-Host "======================================" -ForegroundColor Green
Write-Host " Analysis Complete!" -ForegroundColor Green
Write-Host "======================================" -ForegroundColor Green
Write-Host ""
Write-Host "Look for security warnings above:" -ForegroundColor Yellow
Write-Host " - SEC0107: SQL Injection vulnerability" -ForegroundColor Yellow
Write-Host ""
Set-Location ..
```
Step 3: See the result
When you run `powershell -ExecutionPolicy Bypass -File .\scan.ps1`, you get this clear warning: