fabiano / dotnet-ossindex
A .NET Core global tool to check the packages for known vulnerabilities
License: MIT License
We have to support a number of older .NET Framework Windows apps that use the older packages.config XML file rather than the new .NET Core csproj. Any objections to adding a feature that automatically detects a packages.config XML file adjacent to a csproj file and adds any dependencies located inside that to the list to be validated?
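Added example (not part of this issue and not the project's own code) of what that feature would do: find a packages.config next to a given csproj and turn each <package> entry into an OSS Index coordinate. The sample XML is constructed inline so the program runs without any real project; the csproj path in Main is hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml.Linq;

// Added example: classic packages.config -> pkg:nuget coordinates.
static class PackagesConfig
{
    // Constructed sample of the classic NuGet packages.config format
    // (the third entry is deliberately malformed to show the guard below).
    const string Sample = @"<packages>
  <package id=""Newtonsoft.Json"" version=""9.0.1"" targetFramework=""net461"" />
  <package id=""jQuery"" version=""1.9.1"" targetFramework=""net461"" />
  <package id=""Broken.Package"" version="""" targetFramework=""net461"" />
</packages>";

    // packages.config always lives in the same directory as the project file.
    public static string Adjacent(string csprojPath) =>
        Path.Combine(Path.GetDirectoryName(Path.GetFullPath(csprojPath)) ?? ".", "packages.config");

    // Returns pkg:nuget/<id>@<version> coordinates. Entries without a version are
    // reported and skipped: OSS Index rejects a coordinate with an empty version.
    public static List<string> Coordinates(string xml, TextWriter warn)
    {
        var coords = new List<string>();
        foreach (var p in XDocument.Parse(xml).Descendants("package"))
        {
            var id = (string)p.Attribute("id");
            var version = (string)p.Attribute("version");
            if (string.IsNullOrWhiteSpace(id)) continue;
            if (string.IsNullOrWhiteSpace(version))
            {
                warn.WriteLine($"warning: {id} has no version in packages.config; skipped");
                continue;
            }
            coords.Add($"pkg:nuget/{id}@{version}");
        }
        return coords;
    }

    static void Main()
    {
        var csproj = Path.Combine("MyLegacyApp", "MyLegacyApp.csproj"); // hypothetical path
        var path = Adjacent(csproj);
        // Use the real file when present, otherwise fall back to the constructed sample.
        var xml = File.Exists(path) ? File.ReadAllText(path) : Sample;
        Console.WriteLine($"packages.config: {path}");
        foreach (var c in Coordinates(xml, Console.Error))
            Console.WriteLine(c);
    }
}
```

Note that packages.config has no XML namespace, so plain element names are enough; the version guard is the same check the API would otherwise fail with a 400.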
Would be cool to have "--verbose" flag; thoughts/ideas that might help
It would be nice to recursively walk the dependency tree, looking for vulnerabilities in any indirect dependencies as well.
In .NET Core, this can be accomplished by walking the project.assets.json
file for each target project. This is the approach taken by CycloneDX when generating a BOM.
see https://github.com/fabiano/dotnet-ossindex/blob/master/DotNetOSSIndex/Program.cs#L210
// Program.cs: the Basic auth header is only attached when BOTH values are set;
// supplying just one of them silently falls through to an unauthenticated request.
if (!string.IsNullOrEmpty(Username) && !string.IsNullOrEmpty(ApiToken))
{
    var bytes = Encoding.UTF8.GetBytes($"{Username}:{ApiToken}");
    var value = Convert.ToBase64String(bytes);
    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic", value);
}
$ dotnet-ossindex --help
A .NET Core global tool to check the packages for known vulnerabilities.
Usage: dotnet ossindex [options] <Path>
Arguments:
Path The path to a .sln, .csproj or .vbproj file
Options:
-u|--username <USERNAME> OSS Index Username
-a|--api-token <API_TOKEN> OSS Index API Token
-?|-h|--help Show help information
It wasn't clear to us that BOTH the username and the token were required, so when we were making requests, we started only supplying the token; and the tool didn't complain or reject;
As a precaution, it would be great if the tool does a sanity check here; something like:
// exactly one of the two was supplied
if (string.IsNullOrEmpty(Username) != string.IsNullOrEmpty(ApiToken))
{
    Console.Error.WriteLine("ERROR, must supply both `--api-token` and `--username`");
    return 1;
}
Replace the licenseUrl element with the new license element:
C:\Program Files\dotnet\sdk\5.0.200\Sdks\NuGet.Build.Tasks.Pack\build\NuGet.Build.Tasks.Pack.targets(221,5): warning NU5125: The 'licenseUrl' element will be deprecated. Consider using the 'license' element instead.
When running in an environment with only the .NET 5 SDK available, I get the following error:
$> dotnet ossindex ./Redacted.sln
It was not possible to find any compatible framework version
The framework 'Microsoft.NETCore.App', version '3.1.0' was not found.
- The following frameworks were found:
5.0.3 at [/usr/share/dotnet/shared/Microsoft.NETCore.App]
You can resolve the problem by installing the specified framework and/or SDK.
Are there plans to release an update to support .NET 5.0? Happy to submit a PR for this if needed.
Hi!
We've been running this dotnet-ossindex tool for many months against .NET Core 3.1.
Suddenly (starting last night), we receive:
error NU1202: Package dotnet-ossindex 0.6.0 is not compatible with netcoreapp3.1 (.NETCoreApp,Version=v3.1) / any. Package dotnet-ossindex 0.6.0 supports: net5.0 (.NETCoreApp,Version=v5.0)
We install it dynamically using:
- export PATH="$PATH:/root/.dotnet/tools"
- dotnet tool install --global dotnet-ossindex
other messages/notes from the error:
The tool package could not be restored.
Tool 'dotnet-ossindex' failed to install. This failure may have been caused by:
* You are attempting to install a preview release and did not use the --version option to specify the version.
* A package by this name was found, but it was not a .NET Core tool.
* The required NuGet feed cannot be accessed, perhaps because of an Internet connection problem.
* You mistyped the name of the tool.
For more reasons, including package naming enforcement, visit https://aka.ms/failure-installing-tool
Thanks for the great tool. I have found a bug: when you reference the framework packages without an explicit version, which is the preferred way to reference them in .NET Core 2.2 upwards, the tool crashes, because the API returns an error.
Example project file
<Project Sdk="Microsoft.NET.Sdk.Web">
<PropertyGroup>
<TargetFramework>netcoreapp2.2</TargetFramework>
<AssemblyName>MyApp</AssemblyName>
<RootNamespace>MyApp</RootNamespace>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="Microsoft.AspNetCore.App" />
</ItemGroup>
</Project>
API request JSON
{
"coordinates": [
"pkg:nuget/Microsoft.AspNetCore.App@"
]
}
API response
{
"code": 400,
"message": "Missing coordinates version"
}
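Added example (not the project's code, and not CycloneDX's) covering both the "walk the dependency tree" request above and this empty-version bug: read obj/project.assets.json, which NuGet restore writes for every project, and list every package it resolved for each target framework, direct and transitive. The versions there are already resolved, so a PackageReference without a Version (such as the implicit Microsoft.AspNetCore.App reference in a netcoreapp2.2 project) comes out with the version restore picked instead of the empty "@" that the API rejects. The JSON below is a constructed, abbreviated sample of the real file's shape; "projectFileDependencyGroups" is what distinguishes direct from transitive.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;

// Added example: enumerate resolved packages from project.assets.json.
static class AssetsWalker
{
    // Constructed, abbreviated sample of a project.assets.json file.
    const string Sample = @"{
  ""version"": 3,
  ""targets"": {
    "".NETCoreApp,Version=v3.1"": {
      ""Serilog.Sinks.Console/3.1.1"": { ""type"": ""package"", ""dependencies"": { ""Serilog"": ""2.5.0"" } },
      ""Serilog/2.9.0"": { ""type"": ""package"" },
      ""MyProject.Common/1.0.0"": { ""type"": ""project"", ""dependencies"": { ""Newtonsoft.Json"": ""12.0.3"" } },
      ""Newtonsoft.Json/12.0.3"": { ""type"": ""package"" }
    }
  },
  ""projectFileDependencyGroups"": {
    "".NETCoreApp,Version=v3.1"": [ ""Serilog.Sinks.Console >= 3.1.1"", ""MyProject.Common >= 1.0.0"" ]
  }
}";

    public sealed record Package(string Framework, string Id, string Version, bool Direct)
    {
        public string Coordinate => $"pkg:nuget/{Id}@{Version}";
    }

    public static List<Package> Walk(string json)
    {
        using var doc = JsonDocument.Parse(json);
        var root = doc.RootElement;

        // Direct references per framework; entries look like "Id >= version".
        var direct = new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase);
        if (root.TryGetProperty("projectFileDependencyGroups", out var groups))
            foreach (var g in groups.EnumerateObject())
                direct[g.Name] = new HashSet<string>(
                    g.Value.EnumerateArray().Select(d => d.GetString().Split(' ')[0]),
                    StringComparer.OrdinalIgnoreCase);

        var result = new List<Package>();
        foreach (var target in root.GetProperty("targets").EnumerateObject())
        {
            direct.TryGetValue(target.Name, out var directIds);
            foreach (var lib in target.Value.EnumerateObject())
            {
                // Only NuGet packages go to OSS Index; "project" entries are other
                // projects in the solution and get scanned on their own.
                if (lib.Value.GetProperty("type").GetString() != "package") continue;
                var parts = lib.Name.Split('/', 2);          // "Id/ResolvedVersion"
                if (parts.Length != 2 || parts[1].Length == 0) continue;
                result.Add(new Package(target.Name, parts[0], parts[1],
                    directIds != null && directIds.Contains(parts[0])));
            }
        }
        return result;
    }

    static void Main()
    {
        foreach (var p in Walk(Sample))
            Console.WriteLine($"{p.Framework}: {p.Coordinate} ({(p.Direct ? "direct" : "transitive")})");
    }
}
```

The file only exists after a restore, so a tool taking this route has to run (or require) `dotnet restore` first; the "dependencies" maps inside each entry give the edges if a full tree rather than a flat list is wanted.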
A suggestion/enhancement! it would be great (for CI / gitlab / etc) - if ANY vulnerabilities are found, the tool returns non-zero
consider:
$ dotnet-ossindex (params) ./FooMySolution.sln
...
10 project(s) found
No packages affected
No packages affected
etc
$ echo $?
0
but ... if we find vulnerabilities
$ dotnet-ossindex (params) ./FooMySolution.sln
...
10 project(s) found
No packages affected
1 package(s) affected
Package: pkg:nuget/[email protected]
Reference: https://ossindex.sonatype.org/component/pkg:nuget/[email protected]
Vulnerabilities: - MEDIUM [CVE-2019-11358] Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
- MEDIUM CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
etc
$ echo $?
0
suggestion is that the tool returns a non-zero return code if ANY vulnerabilities are found;
(certainly up for debate or configuration if the user wants to filter or exclude certain severity?)
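Added example (not the tool's code) of the exit-code policy suggested above, including the configurable threshold: parse a component report in the shape OSS Index returns (a "vulnerabilities" array per coordinate, each with a "cvssScore"), map scores to severities using the standard CVSS v3 bands (an assumption; the tool's own MEDIUM label may be derived differently), and return 1 when anything at or above the threshold is found. The report and the `--fail-on` flag are constructed for the example.

```csharp
using System;
using System.IO;
using System.Text.Json;

// Added example: CI-friendly exit code derived from an OSS Index report.
static class ExitPolicy
{
    // Constructed sample shaped like an OSS Index component report.
    const string SampleReport = @"[
  { ""coordinates"": ""pkg:nuget/Sample.Safe@1.2.0"", ""vulnerabilities"": [] },
  { ""coordinates"": ""pkg:nuget/Sample.Web@1.8.0"", ""vulnerabilities"": [
      { ""id"": ""constructed-0001"", ""title"": ""Cross-site Scripting"", ""cvssScore"": 6.1 },
      { ""id"": ""constructed-0002"", ""title"": ""Denial of Service"", ""cvssScore"": 7.5 } ] }
]";

    public enum Severity { Low = 1, Medium, High, Critical }

    // Standard CVSS v3 qualitative bands (assumed mapping, see lead-in).
    public static Severity FromCvss(double score) =>
        score >= 9.0 ? Severity.Critical :
        score >= 7.0 ? Severity.High :
        score >= 4.0 ? Severity.Medium : Severity.Low;

    // 1 when any finding meets the threshold, otherwise 0.
    public static int ExitCode(string reportJson, Severity failOn, TextWriter log)
    {
        using var doc = JsonDocument.Parse(reportJson);
        int failing = 0;
        foreach (var component in doc.RootElement.EnumerateArray())
        {
            var coord = component.GetProperty("coordinates").GetString();
            foreach (var v in component.GetProperty("vulnerabilities").EnumerateArray())
            {
                // A finding without a score is counted, not ignored: unknown is not "safe".
                bool scored = v.TryGetProperty("cvssScore", out var s) && s.ValueKind == JsonValueKind.Number;
                var sev = scored ? FromCvss(s.GetDouble()) : failOn;
                var shown = scored ? s.GetDouble().ToString("0.0") : "n/a";
                log.WriteLine($"{coord}: {sev,-8} {shown}  {v.GetProperty("title").GetString()}");
                if (sev >= failOn) failing++;
            }
        }
        return failing > 0 ? 1 : 0;
    }

    static int Main(string[] args)
    {
        // Hypothetical flag for the "configurable threshold" idea, e.g. --fail-on high.
        // Default Low means any scored finding fails the build.
        var failOn = Severity.Low;
        int i = Array.IndexOf(args, "--fail-on");
        if (i >= 0 && i + 1 < args.Length) failOn = Enum.Parse<Severity>(args[i + 1], ignoreCase: true);
        return ExitCode(SampleReport, failOn, Console.Out);
    }
}
```

With the constructed report, running it with no flag exits 1 (two findings), `--fail-on high` still exits 1 (the 7.5), and `--fail-on critical` exits 0; a request or parsing failure should use a different non-zero code so CI can tell "vulnerable" from "scan broke".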
Hello!
Dotnet 3.1 and 5.0 are nearing their end of support dates soon. Do you know when support for 6.0 will be available?
Thanks!
Consider this example project structure:
MyProject.sln
MyProject.Common/MyProject.Common.csproj
MyProject.Foo/MyProject.Foo.csproj
If we run like this, everything works:
find . -type f -name "*.csproj" -exec dotnet-ossindex {} \;
However, if we run against the solution file (easier and preferred way), the pathing construction for finding projects within the solution is broken (maybe a hard coded \ for Windows pathing --)
dotnet-ossindex ./MyProject.sln
> Solution: /home/<USER>/<sub-paths>/MyProject.sln
## project(s) found
Project file "/home/<USER>/<sub-paths>/MyProject.Common\MyProject.Common.csproj" does not exist
Whoops! as you can see,
$ ls -al /home/<USER>/<sub-paths>/MyProject.Common\MyProject.Common.csproj
ls: cannot access '...': No such file or directory
But, this is the problem:
"/home/<USER>/<sub-paths>/MyProject.Common\MyProject.Common.csproj"
should be
"/home/<USER>/<sub-paths>/MyProject.Common/MyProject.Common.csproj"
^
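Added example (not the tool's code) of solution parsing that does not break on Linux: project entries in a .sln are always written with backslashes, so the relative path is normalised to the host separator before it is joined to the solution directory, which is exactly the step missing in the output above. The solution text is constructed to mirror the layout in the issue; the solution-folder entry is there to show that non-project entries are filtered out by extension.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text.RegularExpressions;

// Added example: extract project paths from a .sln and resolve them portably.
static class SolutionProjects
{
    // Constructed solution text mirroring the issue's layout.
    const string SampleSln = @"
Microsoft Visual Studio Solution File, Format Version 12.00
Project(""{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}"") = ""MyProject.Common"", ""MyProject.Common\MyProject.Common.csproj"", ""{11111111-1111-1111-1111-111111111111}""
EndProject
Project(""{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}"") = ""MyProject.Foo"", ""MyProject.Foo\MyProject.Foo.csproj"", ""{22222222-2222-2222-2222-222222222222}""
EndProject
Project(""{2150E333-8FDC-42A3-9474-1A3956D46DE8}"") = ""Solution Items"", ""Solution Items"", ""{33333333-3333-3333-3333-333333333333}""
EndProject
";

    // Project("{type-guid}") = "Name", "Relative\Path.csproj", "{project-guid}"
    static readonly Regex ProjectLine = new Regex(
        @"^Project\(""\{[^}]+\}""\)\s*=\s*""[^""]*"",\s*""([^""]+)"",\s*""\{[^}]+\}""",
        RegexOptions.Multiline);

    static readonly string[] ProjectExtensions = { ".csproj", ".vbproj", ".fsproj" };

    // .sln paths use '\' regardless of platform; map both separators to the host's.
    public static string Normalise(string slnRelativePath) =>
        slnRelativePath.Replace('\\', Path.DirectorySeparatorChar).Replace('/', Path.DirectorySeparatorChar);

    public static List<string> ProjectPaths(string slnText, string slnDirectory)
    {
        var paths = new List<string>();
        foreach (Match m in ProjectLine.Matches(slnText))
        {
            var rel = m.Groups[1].Value;
            // Solution folders and other non-project entries carry no project extension.
            if (!ProjectExtensions.Contains(Path.GetExtension(rel), StringComparer.OrdinalIgnoreCase)) continue;
            paths.Add(Path.GetFullPath(Path.Combine(slnDirectory, Normalise(rel))));
        }
        return paths;
    }

    static void Main(string[] args)
    {
        // Hypothetical default; pass a real .sln as the first argument to use it instead.
        var slnPath = args.Length > 0 ? args[0] : Path.Combine(Directory.GetCurrentDirectory(), "MyProject.sln");
        var text = File.Exists(slnPath) ? File.ReadAllText(slnPath) : SampleSln;
        foreach (var p in ProjectPaths(text, Path.GetDirectoryName(Path.GetFullPath(slnPath))))
            Console.WriteLine(File.Exists(p) ? p : $"{p} (does not exist)");
    }
}
```

On Linux the two project entries resolve to .../MyProject.Common/MyProject.Common.csproj and .../MyProject.Foo/MyProject.Foo.csproj; on Windows the same code yields backslashes, so no platform switch is needed.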
Hello!
Per 9d969ee, a commit was added to support .NET 3.1.
$ dotnet-ossindex
It was not possible to find any compatible framework version
The framework 'Microsoft.NETCore.App', version '2.2.0' was not found.
- The following frameworks were found:
3.1.4 at [/usr/share/dotnet/shared/Microsoft.NETCore.App]
dotnet tool list --global | grep ossindex
dotnet-ossindex 0.2.0 dotnet-ossindex
Don't see a new release for 2020 yet;
https://github.com/fabiano/dotnet-ossindex/releases
(ETA? :o)
hello!
we started getting this
dotnet-ossindex --username USER --api-token TOKEN OurSolution.sln
> Solution: /builds/dev/SNIP
12 project(s) found
> Project: /builds/dev/SNIP
An unhandled exception occurred while checking for vulnerabilities: 500 InternalServerError
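Added example (not the tool's code) of how a 500 from OSS Index could be handled instead of surfacing as an unhandled exception: one attempt is delegated to a caller-supplied send function, transient responses (5xx and 429) are retried with exponential backoff or the server's Retry-After, and a persistent failure ends in a distinct non-zero exit code. The send function in Main is a constructed stand-in that fails twice and then succeeds, so the program runs offline; in the real tool it would be the HttpClient.PostAsync call to the component-report endpoint.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

// Added example: retry transient OSS Index failures, fail cleanly otherwise.
static class ResilientRequest
{
    static bool IsTransient(HttpStatusCode code) =>
        code == HttpStatusCode.TooManyRequests || (int)code >= 500;

    // send() performs one attempt; the caller owns the HttpClient and request body.
    public static async Task<HttpResponseMessage> SendWithRetryAsync(
        Func<CancellationToken, Task<HttpResponseMessage>> send,
        int maxAttempts, TimeSpan initialDelay, CancellationToken ct = default)
    {
        HttpResponseMessage last = null;
        for (int attempt = 1; attempt <= maxAttempts; attempt++)
        {
            last?.Dispose();
            last = await send(ct);
            if (!IsTransient(last.StatusCode)) return last;   // success, or a real 4xx we must not retry
            if (attempt == maxAttempts) break;
            // Honour Retry-After when present, otherwise back off exponentially: d, 2d, 4d ...
            var delay = last.Headers.RetryAfter?.Delta
                        ?? TimeSpan.FromTicks(initialDelay.Ticks << (attempt - 1));
            Console.Error.WriteLine(
                $"OSS Index returned {(int)last.StatusCode}; retrying in {delay.TotalSeconds:F1}s (attempt {attempt}/{maxAttempts})");
            await Task.Delay(delay, ct);
        }
        return last;
    }

    static async Task<int> Main()
    {
        // Constructed stand-in for HttpClient.PostAsync: two 500s, then 200.
        int calls = 0;
        Task<HttpResponseMessage> FakeSend(CancellationToken _) =>
            Task.FromResult(new HttpResponseMessage(
                ++calls < 3 ? HttpStatusCode.InternalServerError : HttpStatusCode.OK));

        using var response = await SendWithRetryAsync(
            FakeSend, maxAttempts: 4, initialDelay: TimeSpan.FromMilliseconds(200));

        if (!response.IsSuccessStatusCode)
        {
            Console.Error.WriteLine(
                $"error: OSS Index request failed with {(int)response.StatusCode} {response.ReasonPhrase}");
            return 2;   // distinct from "vulnerabilities found" so CI can tell the two apart
        }
        Console.WriteLine($"succeeded after {calls} attempt(s)");
        return 0;
    }
}
```

Keeping 4xx out of the retry set matters: a 400 such as "Missing coordinates version" or a 401 from bad credentials will not get better on retry and should be reported immediately.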