Catching .NET Vulnerabilities Early: A Hands-On Guide with Puma Scan

Published: December 4, 2025 at 01:50 PM EST
2 min read
Source: Dev.to

Why Puma Scan?

The official OWASP Source Code Analysis Tools list names many SAST tools, but this assignment excluded Sonar, Snyk, Semgrep, and Veracode. Among the remaining options for C#/.NET, Puma Scan stood out because:

  • It’s designed specifically for .NET and C#
  • It integrates with Visual Studio, VS Code, and the command line
  • It detects common OWASP Top 10 issues like SQL Injection and Cross‑Site Scripting (XSS)
  • A Community Edition is available for free learning and testing

The full demo—including code, automation script, and scan results—is publicly available on GitHub.

The Vulnerable Code Sample

To keep the demo simple and reproducible, a minimal C# class with a classic SQL injection vulnerability is used:

// TestVuln.cs
using System;
using System.Data.SqlClient;

public class VulnerableClass
{
    public void UnsafeQuery(string userInput)
    {
        // ⚠️ SQL Injection: user input concatenated directly into query
        string query = "SELECT * FROM Users WHERE Id = " + userInput;
        SqlCommand cmd = new SqlCommand(query);
    }
}

If an attacker supplies 1 OR 1=1, the query becomes:

SELECT * FROM Users WHERE Id = 1 OR 1=1

→ All user records are exposed.

This matches CWE‑89 and OWASP Top 10: A03:2021 – Injection.
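As an added example (not code from the original post or from Puma Scan), here is the same lookup written both ways: the concatenated query from TestVuln.cs beside a parameterized version, which is the fix the finding calls for. It assumes the System.Data.SqlClient package, as the sample does; the Users table, the @id parameter name and the UserLookup class are illustrative, and the attacker string is constructed for the demo. It only builds SqlCommand objects and never opens a connection, so it runs without a database:

```csharp
// Added example, not part of the original post or of Puma Scan.
// Assumes the System.Data.SqlClient package (as TestVuln.cs does); Users, @id and
// UserLookup are illustrative names, and the payload below is constructed for the demo.
using System;
using System.Data;
using System.Data.SqlClient;

public static class UserLookup
{
    // Vulnerable (what TestVuln.cs does): untrusted input becomes part of the SQL text.
    public static SqlCommand UnsafeQuery(string userInput)
    {
        string query = "SELECT * FROM Users WHERE Id = " + userInput;
        return new SqlCommand(query);
    }

    // Hardened: the SQL text is a constant and the value travels as a typed parameter.
    // The server receives @id as data, never as SQL, so "1 OR 1=1" cannot rewrite the
    // WHERE clause. The int parse on top rejects anything that is not an Id at all.
    public static SqlCommand SafeQuery(string userInput)
    {
        if (!int.TryParse(userInput, out int id))
        {
            throw new ArgumentException("Id must be an integer.", nameof(userInput));
        }

        var cmd = new SqlCommand("SELECT * FROM Users WHERE Id = @id");
        cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
        return cmd;
    }

    public static void Main()
    {
        const string payload = "1 OR 1=1"; // constructed attacker input

        // Builds the commands only (no connection, no execution), so the effect on the
        // SQL text can be inspected offline.
        SqlCommand unsafeCmd = UnsafeQuery(payload);
        Console.WriteLine("Unsafe CommandText: " + unsafeCmd.CommandText);

        try
        {
            SafeQuery(payload);
        }
        catch (ArgumentException ex)
        {
            Console.WriteLine("Safe rejected \"" + payload + "\": " + ex.Message);
        }

        SqlCommand safeCmd = SafeQuery("42");
        Console.WriteLine("Safe CommandText:   " + safeCmd.CommandText
                          + "  (@id = " + safeCmd.Parameters["@id"].Value + ")");
    }
}
```

In the hardened version the CommandText is a string literal, so no tainted string flows into SqlCommand and there is nothing for the SQL injection rule to flag; the int.TryParse is input validation layered on top of parameterization, not a substitute for it.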

Automated Detection with Puma Scan

Step 1: Add Puma Scan to your project (run inside the directory that holds the .csproj)

dotnet add package Puma.Security.Rules

Step 2: PowerShell script (scan.ps1)

# scan.ps1 - PumaScan SAST Analysis Script
Write-Host "======================================" -ForegroundColor Cyan
Write-Host " PumaScan - SAST Security Analysis" -ForegroundColor Cyan
Write-Host "======================================" -ForegroundColor Cyan
Write-Host ""

# Build the project with PumaScan analysis.
# "PumaScanner" is the folder containing the .csproj that references Puma.Security.Rules.
Push-Location PumaScanner
dotnet clean | Out-Null
# Capture the build output so the SEC warnings can be checked, not just read off the console
$buildOutput = dotnet build 2>&1
$buildExit = $LASTEXITCODE
$buildOutput | ForEach-Object { Write-Host $_ }
Pop-Location

# Puma Scan findings are Roslyn warnings of the form "warning SECxxxx: ...";
# dotnet build still exits 0 on warnings, so look for them explicitly
$findings = $buildOutput | Select-String -Pattern 'warning SEC\d{4}' |
    ForEach-Object { $_.Line.Trim() } | Sort-Object -Unique

Write-Host ""
if ($buildExit -ne 0) {
    Write-Host "Build failed (exit code $buildExit) - fix the errors above" -ForegroundColor Red
    exit $buildExit
}

Write-Host "======================================" -ForegroundColor Green
Write-Host " Analysis Complete!" -ForegroundColor Green
Write-Host "======================================" -ForegroundColor Green
Write-Host ""
if ($findings) {
    Write-Host "Security warnings found:" -ForegroundColor Yellow
    $findings | ForEach-Object { Write-Host "  - $_" -ForegroundColor Yellow }
    Write-Host "  (e.g. SEC0107: SQL Injection vulnerability)" -ForegroundColor Yellow
    exit 1   # non-zero so a CI job fails on findings
}
Write-Host "No Puma Scan warnings reported." -ForegroundColor Green

Step 3: See the result

Run the script with:

powershell -ExecutionPolicy Bypass -File .\scan.ps1

The output includes a clear warning such as:

SEC0107: SQL Injection vulnerability

indicating that Puma Scan identified the concatenated query in the sample code. Note that the finding is reported as a compiler warning, so dotnet build still exits 0; to make a pipeline fail on it, either check the build output for SEC warnings or promote the rule to an error with dotnet_diagnostic.SEC0107.severity = error under a [*.cs] section in an .editorconfig next to the project.
