C#: Tolerate missing call targets in LogMessageSink

[tamasvajk]

In the standalone mode, we're automatically adding implicit usings to the compilation. If we detect any web application in the repo, we're adding the asp.net core specific implicit usings, which include Microsoft.Extensions.Logging. This namespace contains ILogger, which is quite a common name, and oftentimes conflict with ILogger interfaces defined in the repo. As a result, we're facing ambiguities in the standalone extracted compilation, and we end up with an incomplete DB. This PR adjusts the LogMessageSink class to work in cases when "logger-like" method calls have no extracted target.

[tamasvajk]

DCA shows no changes (in the nightly suite).

[hvitved]

OOI, which type does Roslyn then assign to this field?

[tamasvajk]

In this case it's A.ILogger. What's odd is that when we process the field, there's no sign of ambiguity.

[hvitved]

That's also what I don't understand, I would have expected that Roslyn didn't assign any type at all. Or is it perhaps because we just take the first candidate symbol?

[tamasvajk]

No, it's not us.

[tamasvajk]

To conclude, we found that there's no ambiguity when processing the field or the reference to the field. But the field's type symbol is actually an ambiguous error symbol.

[michaelnebel]

Looks good to me!
Will this improve the logging injection query alert retention rate on our standalone suite?

[tamasvajk]

Looks good to me! Will this improve the logging injection query alert retention rate on our standalone suite?

Yes it will. The issue was found through the lost cs/exposure-of-sensitive-information alerts in nopSolutions/nopCommerce.

Let me kick off a DCA experiment to see the changes in Standalone...

[tamasvajk]

DCA shows 86 new cs/exposure-of-sensitive-information and 5 new cs/log-forging alerts on nopSolutions/nopCommerce.