
Comments (10)

digitalcoyote avatar digitalcoyote commented on May 30, 2024 1

I'll leave this issue open until the version that fixes it is released.

from nugetdefense.

digitalcoyote avatar digitalcoyote commented on May 30, 2024 1

In that version, I didn't check for errors with dotnet list prior to writing that line out. This currently checks with OSSIndex and NVD for known vulnerabilities.

Getting a results file requires changing the settings in nugetdefense.json for that project/solution. I believe it may not output if there are no vulnerabilities (been a bit since I added that report and I don't use it myself). The original objective was replacing SafeNuGet in my own projects, so most of the original testing/development was for feedback on build if any of the dependencies had known vulnerabilities.

Depending on your use case, you may also check out dotnet-retire and devaudit.

from nugetdefense.

digitalcoyote avatar digitalcoyote commented on May 30, 2024 1

Should be fixed in v1.0.16 and v2.1.0. I have further improvements in mind for locating the vulnerability bin in the future.

from nugetdefense.

hopenbr avatar hopenbr commented on May 30, 2024

I have my OSSIndex API key user name set in the NugetDefense.json file; the rest is default.

from nugetdefense.

digitalcoyote avatar digitalcoyote commented on May 30, 2024

I've hopefully fixed this in an upcoming release. The NVD scanner will have a function to build vulnerability data on demand if it's missing. I've also changed how it looks for it.

Would you like a VulnerabilityData.bin to drop in for now? Alternatively, you can build one using the feed importer in the NuGetDefense.NVD repo.

My timeline for the release is getting pushed back as I've found multiple issues that would make a release of current code somewhat useless.

from nugetdefense.

hopenbr avatar hopenbr commented on May 30, 2024

Thanks for the quick response. I will try the feed importer just to understand it more.

Yet if you have the file and it's not too much work, I'll take that too. If not, no worries.

from nugetdefense.

digitalcoyote avatar digitalcoyote commented on May 30, 2024

VulnerabilityData.zip
Had to zip it to attach it.

from nugetdefense.

hopenbr avatar hopenbr commented on May 30, 2024

Great.

I was able to get it to work with .\Src\NVDFeedImporter\bin\Release\netcoreapp3.1\NVDFeedImporter.exe as well.
Too easy.

Now I am getting a clean run with a warning error; the exit code is 0.

I do not see any results or results file.

    PS E:\apps\dotnet_core\app> nugetdefense .\app.csproj netcoreapp3.1
    `dotnet list` Errors:

Am I missing something? This is a very simple REST API service app.

We are looking for a stronger tool than OWASP Dependency-check.

from nugetdefense.

hopenbr avatar hopenbr commented on May 30, 2024

FYI, Dependency-check results are clean for this app.

I assume a similar result for NugetDefense; maybe you do not give a report if there are no issues.

Scan Information:

    dependency-check version: 6.1.1
    Report Generated On: Mon, 22 Feb 2021 21:16:58 GMT
    Dependencies Scanned: 11 (7 unique)
    Vulnerable Dependencies: 0
    Vulnerabilities Found: 0
    Vulnerabilities Suppressed: 0
    NVD CVE Checked: 2021-02-22T20:53:44
    NVD CVE Modified: 2021-02-22T19:00:45
    VersionCheckOn: 2021-02-22T20:53:44

from nugetdefense.

hopenbr avatar hopenbr commented on May 30, 2024

How to produce/import VulnerabilityData.bin, just in case someone else runs into this.

I am running this for a dotnet core 3.1 service, thus we have to run NugetDefense version 1.0.15:

    dotnet tool install NuGetDefense.Tool -g --version 1.0.15

Next, we need to clone the NuGetDefense.NVD repo to get the importer and run the import:

    git clone https://github.com/digitalcoyote/NuGetDefense.NVD.git
    .\NuGetDefense.NVD\build.ps1
    .\NuGetDefense.NVD\Src\NVDFeedImporter\bin\Release\netcoreapp3.1\NVDFeedImporter.exe

The importer will drop the VulnerabilityData.bin data file in the current directory; we need to copy/move that to the NugetDefense location:

    Copy-Item -Path .\VulnerabilityData.bin -Destination C:\Users\USER\.dotnet\tools\.store\nugetdefense.tool\1.0.15\nugetdefense.tool\1.0.15\tools\netcoreapp3.1\any\VulnerabilityData.bin

Once that is done, you can run NugetDefense:

    nugetdefense SLN_PATH TARGET_FRAMEWORK

from nugetdefense.
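
An added example, not part of the original comment or the NuGetDefense project: a PowerShell wrapper around the manual steps above that rebuilds VulnerabilityData.bin when it is missing or older than a limit, so a hand-copied NVD snapshot cannot silently age while scans keep passing. The parameter names, the 7-day limit, the use of `$env:USERPROFILE` for the store path and the expectation that the importer exits 0 on success are assumptions.

```powershell
# Added example: refresh-and-check wrapper for the NuGetDefense 1.0.15 steps above.
param(
    [Parameter(Mandatory)] [string] $ProjectPath,   # .sln or .csproj to scan
    [Parameter(Mandatory)] [string] $ImporterExe,   # path to the NVDFeedImporter.exe you built
    [string] $TargetFramework = 'netcoreapp3.1',
    [string] $ToolVersion     = '1.0.15',
    [int]    $MaxDataAgeDays  = 7                    # assumption: choose your own limit
)

# Tool store location from the comment above, rooted at the current user's profile (assumption).
$toolDir  = Join-Path $env:USERPROFILE ('.dotnet\tools\.store\nugetdefense.tool\{0}\nugetdefense.tool\{0}\tools\netcoreapp3.1\any' -f $ToolVersion)
$dataFile = Join-Path $toolDir 'VulnerabilityData.bin'

if (-not (Test-Path -LiteralPath $toolDir -PathType Container)) {
    Write-Host "ERROR: $toolDir not found; is NuGetDefense.Tool $ToolVersion installed?"
    exit 2
}

# Missing data is the failure in this issue; stale data misses newer CVEs without any error.
$stale = $true
if (Test-Path -LiteralPath $dataFile -PathType Leaf) {
    $age   = (Get-Date) - (Get-Item -LiteralPath $dataFile).LastWriteTime
    $stale = $age.TotalDays -gt $MaxDataAgeDays
}

if ($stale) {
    # The importer writes VulnerabilityData.bin into the current directory,
    # so run it in a scratch directory and copy the result into place.
    $importer = (Resolve-Path -LiteralPath $ImporterExe -ErrorAction Stop).Path
    $scratch  = Join-Path ([IO.Path]::GetTempPath()) ('nvd-' + [Guid]::NewGuid())
    New-Item -ItemType Directory -Path $scratch | Out-Null
    Push-Location $scratch
    try     { & $importer; $importExit = $LASTEXITCODE }
    finally { Pop-Location }

    $built = Join-Path $scratch 'VulnerabilityData.bin'
    # Assumption: the importer exits 0 on success.
    if ($importExit -ne 0 -or -not (Test-Path -LiteralPath $built -PathType Leaf)) {
        Write-Host "ERROR: NVDFeedImporter did not produce VulnerabilityData.bin (exit $importExit)"
        exit 3
    }
    Copy-Item -LiteralPath $built -Destination $dataFile -Force
    Remove-Item -LiteralPath $scratch -Recurse -Force
}

# Run the scan and pass its exit code through to the caller or CI job.
& nugetdefense $ProjectPath $TargetFramework
exit $LASTEXITCODE
```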
