fabiano / dotnet-ossindex

A .NET Core global tool to check the packages for known vulnerabilities

License: MIT License

C# 92.85% Batchfile 3.79% PowerShell 3.36%
dotnet tool ossindex nuget vulnerability-scanner vulnerability-detection dotnet-core

dotnet-ossindex's Issues

Add support for packages.config

We have to support a number of older .NET Framework Windows apps that use the older packages.config XML file rather than the new .NET Core csproj. Any objections to adding a feature that automatically detects a packages.config XML file adjacent to a csproj file and adds any dependencies located inside it to the list to be validated?

Add --verbose to help users diagnose issues from server-side etc

It would be cool to have a "--verbose" flag; thoughts/ideas on what it might help with:

  1. diagnoses of server-side issues more easily (i.e. #11)
  2. user/token authentication mistakes or perhaps invalid login
  3. "maybe" there is something interesting for happy-path output in verbose mode? (can't think of it though)

Running the tool without BOTH username and API token silently ignores the other input parameter

see https://github.com/fabiano/dotnet-ossindex/blob/master/DotNetOSSIndex/Program.cs#L210

            if (!string.IsNullOrEmpty(Username) && !string.IsNullOrEmpty(ApiToken))
            {
                var bytes = Encoding.UTF8.GetBytes($"{Username}:{ApiToken}");
                var value = Convert.ToBase64String(bytes);

                client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic", value);
            }
$ dotnet-ossindex --help
A .NET Core global tool to check the packages for known vulnerabilities.

Usage: dotnet ossindex [options] <Path>

Arguments:
  Path                        The path to a .sln, .csproj or .vbproj file

Options:
  -u|--username <USERNAME>    OSS Index Username
  -a|--api-token <API_TOKEN>  OSS Index API Token
  -?|-h|--help                Show help information

It wasn't clear to us that BOTH the username and the token were required, so when we were making requests we started supplying only the token, and the tool didn't complain or reject it.

As a precaution, it would be great if the tool does sanity check here; something like:

            // exactly one of the two was supplied
            if (string.IsNullOrEmpty(Username) != string.IsNullOrEmpty(ApiToken))
           >> ERROR, must supply both `--api-token` and `--username`
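One way to implement that sanity check so the tool fails closed, as an added example written for this page and not code from the dotnet-ossindex project. The class name OssIndexAuth, its method names and the warning text are invented here; Username and ApiToken stand in for the values of the tool's --username and --api-token options, and the Basic header is built the same way as in the Program.cs excerpt above.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;

// Added example, not the project's code. Builds the Basic auth header for OSS Index
// and refuses to continue when exactly one of the two credentials is present, so a
// mistyped CI variable name cannot silently downgrade every request to anonymous access.
public static class OssIndexAuth
{
    // Returns null when neither credential is given (deliberate anonymous use),
    // the Basic header when both are given, and throws when only one is given.
    public static AuthenticationHeaderValue BuildHeader(string username, string apiToken)
    {
        bool hasUser = !string.IsNullOrWhiteSpace(username);
        bool hasToken = !string.IsNullOrWhiteSpace(apiToken);

        if (hasUser != hasToken)
        {
            string missing = hasUser ? "--api-token" : "--username";
            throw new ArgumentException(
                $"--username and --api-token must be supplied together; {missing} is missing.");
        }

        if (!hasUser)
        {
            return null;
        }

        // OSS Index Basic auth: base64("username:token"), exactly as the tool already does.
        byte[] bytes = Encoding.UTF8.GetBytes($"{username}:{apiToken}");
        return new AuthenticationHeaderValue("Basic", Convert.ToBase64String(bytes));
    }

    // Applies the header and makes the anonymous case visible on stderr instead of
    // leaving the user to guess why authenticated behaviour is absent.
    public static void Apply(HttpClient client, string username, string apiToken)
    {
        AuthenticationHeaderValue header = BuildHeader(username, apiToken);
        if (header == null)
        {
            Console.Error.WriteLine("warning: no OSS Index credentials given, querying anonymously");
            return;
        }
        client.DefaultRequestHeaders.Authorization = header;
    }
}
```

Calling OssIndexAuth.Apply(client, Username, ApiToken) in place of the if block quoted above turns the half-configured case into an ArgumentException before any request leaves the machine; the tool's command-line layer then only has to map that exception to a non-zero exit code and print the message.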

Use the new license element

Replace the licenseUrl element with the new license element:

C:\Program Files\dotnet\sdk\5.0.200\Sdks\NuGet.Build.Tasks.Pack\build\NuGet.Build.Tasks.Pack.targets(221,5): warning NU5125: The 'licenseUrl' element will be deprecated. Consider using the 'license' element instead.

Request: Support .NET 5.0

When running in an environment with only the .NET 5 SDK available, I get the following error:

 $> dotnet ossindex ./Redacted.sln
 It was not possible to find any compatible framework version
 The framework 'Microsoft.NETCore.App', version '3.1.0' was not found.
   - The following frameworks were found:
       5.0.3 at [/usr/share/dotnet/shared/Microsoft.NETCore.App]
 
 You can resolve the problem by installing the specified framework and/or SDK.

Are there plans to release an update to support .NET 5.0? Happy to submit a PR for this if needed.

Suddenly dotnet-ossindex is incompatible with netcoreapp3.1

Hi!

We've been running this dotnet-ossindex tool for many months against .NET Core 3.1.

Suddenly (starting last night), we receive:

error NU1202: Package dotnet-ossindex 0.6.0 is not compatible with netcoreapp3.1 (.NETCoreApp,Version=v3.1) / any. Package dotnet-ossindex 0.6.0 supports: net5.0 (.NETCoreApp,Version=v5.0)

We install it dynamically using:

        - export PATH="$PATH:/root/.dotnet/tools"
        - dotnet tool install --global dotnet-ossindex

other messages/notes from the error:

The tool package could not be restored.
Tool 'dotnet-ossindex' failed to install. This failure may have been caused by:
* You are attempting to install a preview release and did not use the --version option to specify the version.
* A package by this name was found, but it was not a .NET Core tool.
* The required NuGet feed cannot be accessed, perhaps because of an Internet connection problem.
* You mistyped the name of the tool.
For more reasons, including package naming enforcement, visit https://aka.ms/failure-installing-tool
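A project-file sketch, added here rather than taken from the repository, that covers the NU5125 warning and the two framework mismatches reported above in one place: PackageLicenseExpression replaces the deprecated licenseUrl, TargetFrameworks (plural) produces a tool package that restores on both netcoreapp3.1 and net5.0 hosts instead of dropping one for the other, and RollForward lets a build start on a machine that only has a newer major runtime installed. The command name and TFM list are assumptions about how the tool is packaged, not copied from its csproj.

```xml
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>

    <!-- Multi-target instead of replacing one TFM with the next: a single package
         then satisfies both the netcoreapp3.1 consumers (NU1202 above) and .NET 5 hosts. -->
    <TargetFrameworks>netcoreapp3.1;net5.0</TargetFrameworks>

    <!-- Written into the tool's runtimeconfig.json: if the exact major runtime is
         missing, use the next higher one rather than failing with
         "It was not possible to find any compatible framework version". -->
    <RollForward>Major</RollForward>

    <PackAsTool>true</PackAsTool>
    <ToolCommandName>dotnet-ossindex</ToolCommandName>

    <!-- NU5125: the license element replaces licenseUrl in the generated nuspec. -->
    <PackageLicenseExpression>MIT</PackageLicenseExpression>
  </PropertyGroup>
</Project>
```

RollForward is a stopgap that runs code compiled for 3.1 on a 5.0 runtime; multi-targeting is the change that actually ships a build for each runtime. On the consumer side, the breakage in the NU1202 report came from an unpinned install that floats to the newest package, so CI pipelines should pin with dotnet tool install --global dotnet-ossindex --version <x.y.z> and bump deliberately.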

Versionless framework references not handled

Thanks for the great tool. I have found a bug: when you reference the framework packages without an explicit version, which is the preferred way to reference them in .NET Core 2.2 upwards, the tool crashes because the API returns an error.

Example project file

<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup>
    <TargetFramework>netcoreapp2.2</TargetFramework>
    <AssemblyName>MyApp</AssemblyName>
    <RootNamespace>MyApp</RootNamespace>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.App" />
  </ItemGroup>
</Project>

API request JSON

{
    "coordinates": [
        "pkg:nuget/Microsoft.AspNetCore.App@"
    ]
}

API response

{
    "code": 400,
    "message": "Missing coordinates version"
}
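An added example, not the tool's own code, of building the coordinate list from a project file without emitting the empty-version coordinate above: PackageReference items that carry no Version are reported and skipped, because an implicit framework reference such as Microsoft.AspNetCore.App is resolved by the SDK and has no single version a purl could name. The Coordinates class and its members are invented here; the sample project text is constructed inline from the project in the issue plus one explicit reference.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

// Added example, not the project's code.
public static class Coordinates
{
    public sealed class Result
    {
        public List<string> Purls { get; } = new List<string>();
        public List<string> Skipped { get; } = new List<string>();
    }

    // Reads every PackageReference in a project file and builds pkg:nuget/<id>@<version>.
    // References without a Version go to Skipped instead of producing "pkg:nuget/Name@",
    // which OSS Index rejects with "Missing coordinates version".
    public static Result FromProjectXml(string projectXml)
    {
        var result = new Result();
        XDocument doc = XDocument.Parse(projectXml);

        // Match on local name so old-style projects with the MSBuild xmlns also work.
        foreach (XElement reference in doc.Descendants().Where(e => e.Name.LocalName == "PackageReference"))
        {
            string id = (string)reference.Attribute("Include");
            if (string.IsNullOrWhiteSpace(id))
            {
                continue;
            }

            // Version may be an attribute or a child element; both forms are valid MSBuild.
            string version = (string)reference.Attribute("Version")
                             ?? (string)reference.Element("Version");

            if (string.IsNullOrWhiteSpace(version))
            {
                result.Skipped.Add(id);
                continue;
            }

            result.Purls.Add($"pkg:nuget/{id}@{version}");
        }

        return result;
    }

    public static void Main()
    {
        // Constructed sample: the project from the issue plus one explicit reference.
        const string sample = @"<Project Sdk=""Microsoft.NET.Sdk.Web"">
  <PropertyGroup><TargetFramework>netcoreapp2.2</TargetFramework></PropertyGroup>
  <ItemGroup>
    <PackageReference Include=""Microsoft.AspNetCore.App"" />
    <PackageReference Include=""Newtonsoft.Json"" Version=""12.0.1"" />
  </ItemGroup>
</Project>";

        Result r = FromProjectXml(sample);
        Console.WriteLine("coordinates: " + string.Join(", ", r.Purls));
        Console.WriteLine("skipped (no version): " + string.Join(", ", r.Skipped));
    }
}
```

Skipped references should be printed in the report rather than dropped silently, since the framework packages they stand for are still part of the attack surface and need to be covered by another route (the installed runtime's own patch level). A Version attribute holding a NuGet range such as [1.0,2.0) is likewise not a single version and needs resolving from the restore output (project.assets.json) before it can be sent as a coordinate.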

enhancement: tool should return non-zero return code if vulnerabilities found

A suggestion/enhancement! It would be great (for CI, GitLab, etc.) if the tool returned non-zero whenever ANY vulnerabilities are found.

consider:

$ dotnet-ossindex (params) ./FooMySolution.sln

...
  10 project(s) found

  No packages affected

  No packages affected

etc

$ echo $?
0

but ... if we find vulnerabilities

$ dotnet-ossindex (params) ./FooMySolution.sln

...
  10 project(s) found

  No packages affected

  1 package(s) affected

          Package: pkg:nuget/[email protected]
        Reference: https://ossindex.sonatype.org/component/pkg:nuget/[email protected]
  Vulnerabilities: - MEDIUM   [CVE-2019-11358]  Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
                   - MEDIUM   CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

etc

$ echo $?
0

suggestion is that the tool returns a non-zero return code if ANY vulnerabilities are found;
(certainly up for debate or configuration if the user wants to filter or exclude certain severity?)
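An added example, not the tool's code, of the exit-code policy the issue asks for, including the severity threshold it leaves open for debate: findings carry the severity label OSS Index prints in the report, and the process exits non-zero only when something at or above the configured threshold is present. The ExitPolicy class, the Finding type and the --fail-on option are invented here; the two findings are constructed to mirror the report above with a placeholder package name.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example, not the project's code.
public static class ExitPolicy
{
    // Ordered so ">=" reads as "at least this severe". A label the parser does not
    // recognise maps to Unknown, the highest rank, so it can never slip below a threshold.
    public enum Severity { Low = 1, Medium = 2, High = 3, Critical = 4, Unknown = 5 }

    public sealed class Finding
    {
        public string Package { get; set; }
        public string Id { get; set; }
        public Severity Severity { get; set; }
    }

    // Labels as printed in the report ("MEDIUM"); case-insensitive, numeric strings rejected.
    public static Severity ParseSeverity(string label)
    {
        return Enum.TryParse(label, ignoreCase: true, out Severity s) && Enum.IsDefined(typeof(Severity), s)
            ? s
            : Severity.Unknown;
    }

    // 0 = nothing at or above the threshold, 1 = at least one finding at or above it.
    public static int ExitCodeFor(IEnumerable<Finding> findings, Severity threshold)
    {
        return findings.Any(f => f.Severity >= threshold) ? 1 : 0;
    }

    public static void Main(string[] args)
    {
        // Constructed sample mirroring the two findings in the issue's report.
        var findings = new List<Finding>
        {
            new Finding { Package = "pkg:nuget/Example.Widgets@1.0.0", Id = "CVE-2019-11358", Severity = ParseSeverity("MEDIUM") },
            new Finding { Package = "pkg:nuget/Example.Widgets@1.0.0", Id = "CWE-79",         Severity = ParseSeverity("MEDIUM") },
        };

        // Hypothetical option --fail-on <severity>; the default, Low, fails on anything.
        Severity threshold = Severity.Low;
        int i = Array.IndexOf(args, "--fail-on");
        if (i >= 0 && i + 1 < args.Length)
        {
            threshold = ParseSeverity(args[i + 1]);
            if (threshold == Severity.Unknown)
            {
                // A typo here would otherwise set the bar above every real severity
                // and make the gate pass everything, so treat it as a usage error.
                Console.Error.WriteLine($"error: unknown severity '{args[i + 1]}' for --fail-on");
                Environment.Exit(2);
            }
        }

        int code = ExitCodeFor(findings, threshold);
        Console.WriteLine($"{findings.Count} finding(s), threshold {threshold}, exit code {code}");
        Environment.Exit(code);
    }
}
```

With the sample above, the default threshold exits 1, --fail-on HIGH exits 0, and --fail-on HIHG exits 2 rather than quietly disabling the gate. Keeping a distinct code for usage and server errors (2 here) lets a pipeline tell "no vulnerabilities" apart from "the scan never ran", which matters as much as the vulnerability result itself.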

Support .NET 6.0?

Hello!

.NET 3.1 and 5.0 are nearing their end-of-support dates. Do you know when support for 6.0 will be available?

Thanks!

Bug in pathing on Linux when running against solution sln project (backslash)

Consider this example project structure:

MyProject.sln
MyProject.Common/MyProject.Common.csproj
MyProject.Foo/MyProject.Foo.csproj

If we run like this, everything works:

find . -type f -name "*.csproj" -exec dotnet-ossindex {} \;

However, if we run against the solution file (the easier and preferred way), the path construction for finding projects within the solution is broken (maybe a hard-coded \ for Windows paths?):

dotnet-ossindex ./MyProject.sln 

> Solution: /home/<USER>/<sub-paths>/MyProject.sln

  ## project(s) found

Project file "/home/<USER>/<sub-paths>/MyProject.Common\MyProject.Common.csproj" does not exist

Whoops! As you can see,

$ ls -al /home/<USER>/<sub-paths>/MyProject.Common\MyProject.Common.csproj
ls: cannot access '...': No such file or directory

But, this is the problem:

"/home/<USER>/<sub-paths>/MyProject.Common\MyProject.Common.csproj"

should be

"/home/<USER>/<sub-paths>/MyProject.Common/MyProject.Common.csproj"
                                          ^
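An added example, not the tool's code, of resolving the project entries of a .sln on any host: the solution format stores each project's relative path with backslashes regardless of the OS that wrote it, so the separator is rewritten to Path.DirectorySeparatorChar before Path.Combine sees it. The SolutionProjects class and its members are invented here; the .sln fragment is constructed to match the layout in the issue.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.RegularExpressions;

// Added example, not the project's code.
public static class SolutionProjects
{
    // Matches: Project("{type-guid}") = "Name", "Relative\Path.csproj", "{project-guid}"
    private static readonly Regex ProjectLine = new Regex(
        "^Project\\(\"\\{[^}]+\\}\"\\)\\s*=\\s*\"[^\"]*\",\\s*\"([^\"]+)\"",
        RegexOptions.Multiline);

    // Returns absolute project paths for the .csproj/.vbproj entries of a solution.
    public static List<string> Resolve(string solutionPath, string solutionText)
    {
        string solutionDir = Path.GetDirectoryName(Path.GetFullPath(solutionPath));
        var projects = new List<string>();

        foreach (Match m in ProjectLine.Matches(solutionText))
        {
            // .sln files always use '\'; on Linux that is a literal character in a file
            // name, which is exactly the "MyProject.Common\MyProject.Common.csproj" above.
            string relative = m.Groups[1].Value.Replace('\\', Path.DirectorySeparatorChar);

            // Solution folders use the same line syntax but have no project file extension.
            if (!relative.EndsWith(".csproj", StringComparison.OrdinalIgnoreCase)
                && !relative.EndsWith(".vbproj", StringComparison.OrdinalIgnoreCase))
            {
                continue;
            }

            projects.Add(Path.GetFullPath(Path.Combine(solutionDir, relative)));
        }

        return projects;
    }

    public static void Main()
    {
        // Constructed .sln fragment with the two projects from the issue.
        const string sln =
            "Project(\"{9A19103F-16F7-4668-BE54-9A1E7A4F7556}\") = \"MyProject.Common\", \"MyProject.Common\\MyProject.Common.csproj\", \"{11111111-1111-1111-1111-111111111111}\"\n"
            + "EndProject\n"
            + "Project(\"{9A19103F-16F7-4668-BE54-9A1E7A4F7556}\") = \"MyProject.Foo\", \"MyProject.Foo\\MyProject.Foo.csproj\", \"{22222222-2222-2222-2222-222222222222}\"\n"
            + "EndProject\n";

        foreach (string p in Resolve("./MyProject.sln", sln))
        {
            Console.WriteLine(File.Exists(p) ? $"ok       {p}" : $"missing  {p}");
        }
    }
}
```

Path.GetFullPath at the end also collapses any ..\ segments a solution may contain, which is worth doing before the path is printed or opened: a scanner that reads arbitrary solutions from a repository should at least know when an entry points outside the solution directory.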

pending release to support .NET 3.1?

Hello!

Per 9d969ee, a commit was added to support .NET 3.1.

$ dotnet-ossindex
It was not possible to find any compatible framework version
The framework 'Microsoft.NETCore.App', version '2.2.0' was not found.
  - The following frameworks were found:
      3.1.4 at [/usr/share/dotnet/shared/Microsoft.NETCore.App]

$ dotnet tool list --global | grep ossindex
dotnet-ossindex      0.2.0        dotnet-ossindex

Don't see a new release for 2020 yet;
https://github.com/fabiano/dotnet-ossindex/releases
(ETA? :o)
