Comments (10)
I'll leave this issue open until the version that fixes it is released.
from nugetdefense.
In that version, I didn't check for errors with `dotnet list` prior to writing that line out. This currently checks with OSSIndex and NVD for known vulnerabilities.
Getting a results file requires changing the settings in nugetdefense.json for that project/solution. I believe it may not output if there are no vulnerabilities (been a bit since I added that report and I don't use it myself). The original objective was replacing SafeNuGet in my own projects, so most of the original testing/development was for feedback on build if any of the dependencies had known vulnerabilities.
Depending on your use case, you may also check out dotnet-retire and devaudit.
from nugetdefense.
Should be fixed in v1.0.16 and v2.1.0. I have further improvements in mind for locating the vulnerability bin in the future.
from nugetdefense.
I have my OSSIndex API key user name set in the NugetDefense.json file; the rest is default.
from nugetdefense.
I've hopefully fixed this in an upcoming release. The NVD scanner will have a function to build vulnerability data on demand if it's missing. I've also changed how it looks for it.
Would you like a VulnerabilityData.bin to drop in for now? Alternatively, you can build one using the feed importer in the NuGetDefense.NVD repo.
My timeline for the release is getting pushed back as I've found multiple issues that would make a release of current code somewhat useless.
from nugetdefense.
Thanks for the quick response. I will try the feed importer just to understand it more,
yet if you have the file and it's not too much work, I'll take that too. If not, no worries.
from nugetdefense.
VulnerabilityData.zip
had to zip it to attach it
from nugetdefense.
Great.
I was able to get it to work with .\Src\NVDFeedImporter\bin\Release\netcoreapp3.1\NVDFeedImporter.exe as well.
Too easy.
Now I am getting a clean run with a warning error; the exit code is 0.
I do not see any results or results file.
```
PS E:\apps\dotnet_core\app> nugetdefense .\app.csproj netcoreapp3.1
`dotnet list` Errors:
```
Am I missing something? This is a very simple REST API service app.
We are looking for a stronger tool than OWASP Dependency-check.
from nugetdefense.
FYI, Dependency-check results are clean for this app.
I assume a similar result for NugetDefense; maybe you do not give a report if there are no issues.
Scan Information (show less):
dependency-check version: 6.1.1
Report Generated On: Mon, 22 Feb 2021 21:16:58 GMT
Dependencies Scanned: 11 (7 unique)
Vulnerable Dependencies: 0
Vulnerabilities Found: 0
Vulnerabilities Suppressed: 0
NVD CVE Checked: 2021-02-22T20:53:44
NVD CVE Modified: 2021-02-22T19:00:45
VersionCheckOn: 2021-02-22T20:53:44
from nugetdefense.
How to produce/import VulnerabilityData.bin, just in case someone else runs into this.
I am running this for a dotnet core 3.1 service, thus we have to run NugetDefense version 1.0.15:
```
dotnet tool install NuGetDefense.Tool -g --version 1.0.15
```
Next, we need to clone the NuGetDefense.NVD repo to get the importer and run the import:
```
git clone https://github.com/digitalcoyote/NuGetDefense.NVD.git
.\NuGetDefense.NVD\build.ps1
.\NuGetDefense.NVD\Src\NVDFeedImporter\bin\Release\netcoreapp3.1\NVDFeedImporter.exe
```
The importer will drop the VulnerabilityData.bin data file in the current directory; we need to copy/move that to the NugetDefense location:
```
Copy-Item -Path .\VulnerabilityData.bin -Destination C:\Users\USER\.dotnet\tools\.store\nugetdefense.tool\1.0.15\nugetdefense.tool\1.0.15\tools\netcoreapp3.1\any\VulnerabilityData.bin
```
Once that is done you can run NugetDefense:
```
nugetdefense SLN_PATH TARGET_FRAMEWORK
```
from nugetdefense.
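A pre-flight check for the procedure in the comment above, added here as an example (it is not code from the thread or from the NuGetDefense project): it refuses to scan when VulnerabilityData.bin is missing, empty or stale, and logs which snapshot was used so a clean result can be traced back to its NVD data. The script parameters and the `$MaxAgeDays` threshold are assumptions; the tool version and store path are the ones given in the thread.

```powershell
# Added example: pre-flight check of the NVD data file before a NuGetDefense scan.
# Tool version and store layout come from the comment above; $MaxAgeDays is an
# assumed policy value, not a NuGetDefense setting.
param(
    [Parameter(Mandatory)] [string] $ProjectPath,
    [string] $TargetFramework = 'netcoreapp3.1',
    [string] $ToolVersion     = '1.0.15',
    [int]    $MaxAgeDays      = 7
)
$ErrorActionPreference = 'Stop'

# Global tool store location, as given in the thread (USER replaced by the profile path).
$toolDir  = Join-Path $env:USERPROFILE ".dotnet\tools\.store\nugetdefense.tool\$ToolVersion\nugetdefense.tool\$ToolVersion\tools\netcoreapp3.1\any"
$dataFile = Join-Path $toolDir 'VulnerabilityData.bin'

if (-not (Test-Path -LiteralPath $toolDir -PathType Container)) {
    throw "NuGetDefense.Tool $ToolVersion is not installed under $toolDir"
}
if (-not (Test-Path -LiteralPath $dataFile -PathType Leaf)) {
    throw "VulnerabilityData.bin is missing from $toolDir; run NVDFeedImporter and copy its output there"
}

$item = Get-Item -LiteralPath $dataFile
if ($item.Length -eq 0) {
    throw "VulnerabilityData.bin is empty; rebuild it with NVDFeedImporter"
}

# A stale snapshot reports nothing for CVEs published after it was built,
# so an old file can turn into a false "clean" result.
$ageDays = ((Get-Date) - $item.LastWriteTime).TotalDays
if ($ageDays -gt $MaxAgeDays) {
    throw ("VulnerabilityData.bin is {0:N1} days old (limit {1}); rebuild it before scanning" -f $ageDays, $MaxAgeDays)
}

# Record which snapshot this scan used so a clean result can be traced later.
$hash = (Get-FileHash -LiteralPath $dataFile -Algorithm SHA256).Hash
Write-Host ("NVD data: {0} bytes, written {1:u}, SHA256 {2}" -f $item.Length, $item.LastWriteTimeUtc, $hash)

& nugetdefense $ProjectPath $TargetFramework
$scanExit = $LASTEXITCODE
Write-Host "nugetdefense exit code: $scanExit"
exit $scanExit
```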