digitalcoyote / nugetdefense
An MSBuildTask that checks for known vulnerabilities. Inspired by OWASP SafeNuGet.
License: MIT License
Source
OWASP Dependency-Check has a CLI tool that if globally installed will keep itself up-to-date with data from NVD.
Why should this source be considered?
Having an option other than our own implementation of NVD checking will provide a backup for NVD data checking.
Should this source be checked by default?
No, it cannot be guaranteed that the CLI tool will be accessible via PATH when the project is built.
Would this be better in an independent package?
Optionally, Yes. If a user only wanted to run this tool, and wanted it configured by default. Maybe "NugetDefense.OWASP.DependencyCheck"?
What is the Feature? Please describe.
Apologies in advance if I missed something, but I wanted to know if there is a way to output the results of a finding, positive or negative, to a text file. Perhaps just having a field in the NugetDefense.json like:
output: "myfile.txt"
as a way of keeping an audit trail of findings.
Use Case
The use would be a way to look at previous builds in a CI/CD pipeline and see if there were any issues.
Describe alternatives you've considered
I had considered parsing the output of the failure, but I thought I might ask to see if something like this already exists.
What is the Feature? Please describe.
I would like a configuration option (maybe scoped to OssIndex would make sense) that allows me to list names of packages that should not be transmitted to a third party, and have that configuration acted upon. Essentially, if I provided a list of packages that we consider internal or sensitive, then NuGet Defense would not send them in the request to OSS Index.
Use Case
As a sec ops, I would like to be able to exclude certain packages being sent to OSS Index, so that commercially-sensitive package names are not sent to a third party.
We have internal packages used in the projects that we are scanning with NuGet Defense, but our legal department would like the names of those internal packages not to be sent to third party services (such as OSS Index), in case the names are commercially sensitive (e.g. "SecretNewFeaturePackage").
Describe alternatives you've considered
We have considered just disabling the call to OSS Index, and just using NVD, but we're concerned that will provide a less fulsome vulnerability scan.
We have also considered excluding the internal packages manually, by removing them from the project before scanning. However, we would like to integrate this into our CI/CD pipeline, so the security scan will run automatically on new commits.
Additional context
We very much appreciate your work on NuGet Defense. We were using SafeNuGet but had similar concerns to you about it being out of date. We were very excited to see you had created NuGet Defense!
What is the Feature? Please describe.
Provide a wrapper for the dotnet tool so it can be installed into an Azure DevOps organisation.
Use Case
Most people would not want to modify their projects, but adding a task to a build pipeline is much less intrusive.
Describe alternatives you've considered
Dependabot, nukeeper etc.
Package Dependencies should also be checked for vulnerabilities and the message should make it clear which package the dependency is for.
Describe the bug
NuGetDefense will not output the reports no matter what the settings are.
Describe the bug
OSS Index does not allow scanning more than 128 packages at a time
Expected behavior
Sends 128 packages at a time
Error Message
{"code":400,"message":"Request for more than 128 components"}
Additional context
Was building an Azure Function and hit this problem.
First I've seen of this error.
What is the Feature? Please describe.
Include dependencies from all referenced projects in the scan.
Use Case
I just started evaluating NuGetDefense for use in the solutions within my organisation. Most of our solutions consist of multiple projects following a layered architecture (business logic, contract model, data layer ...). I would prefer that adding NuGetDefense to the top level project would scan all the referenced projects too (also nested references).
Describe alternatives you've considered
It seems quite redundant to be forced to add NuGetDefense to all of the projects.
Additional context
Tested with 2.0.2 and 1.0.15.1
We are using Net Core 3.1, Visual Studio 2019 16.8.2
What is the Feature? Please describe.
NuGet Dependency Scanning [Optional]
Details
I originally removed this functionality because I did not have a way to check that the dependencies that came back were the correct ones for the current Framework. But I found this: `dotnet list package --include-transitive`. While it doesn't link the packages up to their resolved dependencies and versions, it has a framework flag and I can cross-reference this with the list of dependencies available for each package.
What is the Feature? Please describe.
Unit Tests will ensure that CI is able to detect issues and prevent them from being released.
Projects to Unit Test
Hello, I'm getting this error when running unit tests inside a docker container:
"IdentityProvider.csproj : error : NuGetDefense : OSS Index scan failed with exception: System.AggregateException: One or more errors occurred. (The input does not contain any JSON tokens. Expected the input to start with a valid JSON token, when isFinalBlock is true. Path: $ | LineNumber: 0 | BytePositionInLine: 0.)"
When I run on my machine it works, but when I run on my pipeline I get this error; I'm not sure if it's because of the Docker container.
Describe the bug
Vulnerabilities reported when I have updated version to be past the known vulnerabilities list.
To Reproduce
I just had bootstrap 3.4.1 in the project, saw vulnerabilities (good), and then updated from 3.4.1 to 4.4.1 -- the vulnerabilities persisted (bad -- I think).
Expected behavior
I would have expected the vulnerabilities on bootstrap to go away. The packages.config shows "bootsrap" (lower case b) and the vulnerabilities show Bootstrap, and I'm not sure if that makes a difference.
Let me know if I have misinterpreted results.
First things first: Great seeing you put work into this package, thanks a lot for that.
Describe the bug
When building my solution I encounter a System.ArgumentOutOfRangeException: Length cannot be less than zero.
To Reproduce
Steps to reproduce the behavior:
{
  "WarnOnly": false,
  "Log": null,
  "VulnerabilityReports": {},
  "Logs": null,
  "CheckTransitiveDependencies": true,
  "ErrorSettings": {
    "ErrorSeverityThreshold": 5,
    "Cvss3Threshold": -1,
    "IgnoredPackages": [ { "Id": "NugetDefense", "Version": "1.0.8.0" } ],
    "IgnoredCvEs": [],
    "AllowedPackages": [],
    "WhiteListedPackages": null,
    "BlockedPackages": [],
    "BlacklistedPackages": null
  },
  "OssIndex": { "Enabled": true, "BreakIfCannotRun": true },
  "NVD": { "SelfUpdate": false, "TimeoutInSeconds": 15, "Enabled": true, "BreakIfCannotRun": true }
}
error : Encountered a fatal exception while checking for Dependencies in C:\Users\***\source\repos\NugetDefenseTest\ConsoleApp1\ConsoleApp1.csproj. Exception: System.ArgumentOutOfRangeException: Length cannot be less than zero. (Parameter 'length')
1>   at System.String.Substring(Int32 startIndex, Int32 length)
1>   at NuGetDefense.Core.NuGetFile.<>c__DisplayClass7_0.<ParseListPackages>b__2(String l)
1>   at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
1>   at System.Linq.Enumerable.[frame name lost in extraction](IEnumerable`1 source, Func`2 keySelector, IEqualityComparer`1 comparer)
1>   at NuGetDefense.Core.NuGetFile.ParseListPackages(String dotnetListOutput)
1>   at NuGetDefense.Core.NuGetFile.dotnetListPackages(String projectFile, String targetFramework)
1>   at NuGetDefense.Core.NuGetFile.LoadPackages(String targetFramework, Boolean checkTransitiveDependencies)
1>   at NuGetDefense.Program.Main(String[] args)
Expected behavior
I expected a successful build with positive / negative NugetDefense messages.
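An added example, not code from NuGetDefense: a stand-alone Python parser for the table that `dotnet list package --include-transitive` prints, which is the input the dependency-scanning feature above relies on and the input the ParseListPackages stack trace above was slicing. It walks the per-framework sections, reads the top-level and transitive rows, and skips any line that does not carry the expected `> <id> ... <resolved>` columns instead of cutting it by position; the sample output is constructed, and the `(A)` marker and the range-formatted Requested column are assumed from the SDK's table layout.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `dotnet list <proj> package --include-transitive` output
# for a project that targets two frameworks. The "(A)" auto-reference marker and
# the range-formatted Requested column follow the SDK's table layout as assumed
# here. The last row is deliberately malformed to exercise the skip path.
SAMPLE_OUTPUT = """\
Project 'ConsoleApp1' has the following package references
   [netcoreapp3.1]:
   Top-level Package           Requested    Resolved
   > Microsoft.NETCore.App     (A)   [3.1.0, )   3.1.0
   > Newtonsoft.Json           12.0.3       12.0.3

   Transitive Package               Resolved
   > Microsoft.NETCore.Platforms    3.1.0

   [net472]:
   Top-level Package   Requested   Resolved
   > Newtonsoft.Json   12.0.3      12.0.3
   > Malformed
"""


@dataclass(frozen=True)
class PackageRef:
    id: str
    version: str          # resolved version: the one actually restored
    framework: str
    transitive: bool


FRAMEWORK_RE = re.compile(r"^\[([^\]]+)\]:?$")


def parse_list_packages(output: str) -> List[PackageRef]:
    """Parse the table `dotnet list package` prints. Unexpected lines are
    skipped, never sliced by position, so a banner or warning cannot raise."""
    refs: List[PackageRef] = []
    framework: Optional[str] = None
    transitive = False
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FRAMEWORK_RE.match(line)
        if m:                                   # "[netcoreapp3.1]:" opens a section
            framework, transitive = m.group(1), False
            continue
        if line.startswith("Top-level Package"):
            transitive = False
            continue
        if line.startswith("Transitive Package"):
            transitive = True
            continue
        if not line.startswith(">") or framework is None:
            continue                            # project banner or anything unexpected
        tokens = line[1:].split()
        # Rows look like "> <id> [(A)] <requested...> <resolved>" or "> <id> <resolved>".
        # The Requested column may itself contain a space ("[3.1.0, )"), so only the
        # first and last token are trusted; a row without both is skipped.
        if len(tokens) < 2:
            continue
        refs.append(PackageRef(tokens[0], tokens[-1], framework, transitive))
    return refs


def unique_purls(refs: List[PackageRef]) -> List[str]:
    """Collapse refs across frameworks into the package URLs OSS Index expects."""
    return sorted({f"pkg:nuget/{r.id}@{r.version}" for r in refs})


def run_dotnet_list(project_file: str, framework: Optional[str] = None) -> List[PackageRef]:
    """Invoke the SDK for a real project (not exercised by the embedded sample)."""
    cmd = ["dotnet", "list", project_file, "package", "--include-transitive"]
    if framework:
        cmd += ["--framework", framework]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return parse_list_packages(out)


if __name__ == "__main__":
    parsed = parse_list_packages(SAMPLE_OUTPUT)
    for ref in parsed:
        print(ref)
    print(unique_purls(parsed))
```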
What is the Feature? Please describe.
I'm looking for a library where I can provide a list of package names and versions to a .NET method and get a list of the vulnerable packages. I think this should be easily doable by extracting the actual code into e.g. a NuGetDefense.Core package.
Use Case
I want to leverage this library in https://apimundo.com in the NuGet package index and .NET project index.
An icon or logo helps to associate a "brand" and makes the project more identifiable on other platforms.
Not a priority, but I'm open to any contributions.
Describe the bug
When I run `nugetdefense app.csproj netcoreapp3.1` on a CI runner box I get the error below:
app.csproj: Error : Encountered a fatal exception while checking for Dependencies in app.csproj. Exception: System.TimeoutException: Reading vulnerability data failed:'C:\Users\USER\.dotnet\tools\.store\nugetdefense.tool\1.0.15\nugetdefense.tool\1.0.15\tools\netcoreapp3.1\any\VulnerabilityData.bin'
---> System.IO.FileNotFoundException: Could not find file 'C:\Users\USER\.dotnet\tools\.store\nugetdefense.tool\1.0.15\nugetdefense.tool\1.0.15\tools\netcoreapp3.1\any\VulnerabilityData.bin'.
File name: 'C:\Users\USER\.dotnet\tools\.store\nugetdefense.tool\1.0.15\nugetdefense.tool\1.0.15\tools\netcoreapp3.1\any\VulnerabilityData.bin'
at System.IO.FileStream.ValidateFileHandle(SafeFileHandle fileHandle)
at System.IO.FileStream.CreateFileOpenHandle(FileMode mode, FileShare share, FileOptions options)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options)
at NuGetDefense.NVD.Scanner..ctor(String nugetFile, TimeSpan vulnDataReaTimeout, Boolean breakIfCannotRun, Boolean selfUpdate)
--- End of inner exception stack trace ---
at NuGetDefense.NVD.Scanner..ctor(String nugetFile, TimeSpan vulnDataReaTimeout, Boolean breakIfCannotRun, Boolean selfUpdate)
at NuGetDefense.Program.Main(String[] args) in /home/codingcoyote/Code/NuGetDefense/Src/NuGetDefense/Program.cs:line 85
I confirmed the file VulnerabilityData.bin is indeed missing; do I need to run a vuln data load?
To Reproduce
See above
Expected behavior
I would expect the tool to run and give me results on dependency issues within the app.
Tools (please complete the following information):
PS > $PSVersionTable
Name Value
---- -----
PSVersion 7.0.3
PSEdition Core
GitCommitId 7.0.3
OS Microsoft Windows 10.0.17763
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Additional context
No proxy, well never had any issues with a proxy before.
What is the Feature? Please describe.
Hello! As someone who works on or around OSS Index, basically we'd love it if you could set a User-Agent when communicating with the service.
If you can read Golang, this package has a bunch of tests and code where we generate one:
https://github.com/sonatype-nexus-community/nancy/tree/master/useragent
If TypeScript is more your thing:
Use Case
Essentially this lets us see a bit better how much your tool is calling OSS Index, and is not used for any nefarious purposes; it just ultimately lets us know if we should maybe get more involved with helping on the tool, as well as how much effort we put into specific ecosystems related to the data.
Describe alternatives you've considered
Nothing really, this one is pretty cut and dried.
Additional context
Nothing, but we love that you made this tool, and appreciate you!
Describe the bug
I got the following build error after I added NuGetDefense to my existing project:
1>C:\Users\dahls\OneDrive\WorkDocs\Pluralsight\SecurityAnalysisAspNetCore\m3\WiredBrain-ASP.NET\WiredBrain.CustomerPortal.AspNet\packages.config(4,4): error : 7 vulnerabilities found for bootstrap @ 3.4.1
1>C:\Users\dahls\OneDrive\WorkDocs\Pluralsight\SecurityAnalysisAspNetCore\m3\WiredBrain-ASP.NET\WiredBrain.CustomerPortal.AspNet\packages.config(4,4): error : CVE-2019-8331: In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
1> Description: In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
1> CVE: CVE-2019-8331
1> CWE: CWE-79
1> CVSS Score: 6.1
1> CVSS Vector: NETWORK
1> References:
1> Unhandled exception. System.NullReferenceException: Object reference not set to an instance of an object.
1> at NuGetDefense.Core.VulnerabilityReports.ReportVulnerabilities(Dictionary`2 vulnerabilityDictionary, IEnumerable`1 pkgs, String nuGetFile, Boolean warnOnly, Double cvss3Threshold)
1> at NuGetDefense.Program.Main(String[] args)
1>C:\Users\dahls\OneDrive\WorkDocs\Pluralsight\SecurityAnalysisAspNetCore\m3\WiredBrain-ASP.NET\packages\NuGetDefense.1.0.4\build\nugetdefense.targets(10,5): error MSB3073: The command "dotnet "C:\Users\dahls\OneDrive\WorkDocs\Pluralsight\SecurityAnalysisAspNetCore\m3\WiredBrain-ASP.NET\packages\NuGetDefense.1.0.4\build\..\tools\netcoreapp3.1\NuGetDefense.dll" C:\Users\dahls\OneDrive\WorkDocs\Pluralsight\SecurityAnalysisAspNetCore\m3\WiredBrain-ASP.NET\WiredBrain.CustomerPortal.AspNet\WiredBrain.CustomerPortal.AspNet.csproj " exited with code -1073741819.
========== Rebuild All: 0 succeeded, 1 failed, 0 skipped ==========
Expected behavior
Build should complete without NuGet Defense throwing an exception.
Additional context
I strongly suspect the problem is right here in NuGetDefense.Core/VulnerabilityReports.cs:
foreach (var reference in vulnerabilities[cve].References) Console.WriteLine(reference);
Console.WriteLine("---------------------------");
The output above does not show the dashed line, and if References is null that would cause the problem.
On further review, though, checking the NVD (https://nvd.nist.gov/vuln/detail/CVE-2019-8331) shows a lengthy list of references. Maybe something caused a problem parsing them? But I'd rather not throw that exception and be missing the references if the full resolution for this takes some time.
I can submit a PR for the simple change but to test it I may need some guidance / docs.
What is the Feature? Please describe.
OSS Index has support for authentication that can be used to increase the rate limiting threshold
Use Case
Users with many projects and/or frequent builds may hit rate limiting errors more often.
Describe alternatives you've considered
N/A, this is suggested by OSS Index
Additional context
https://ossindex.sonatype.org/doc/rest
Describe the bug
The error below is thrown on compiling the project after updating the NugetDefense package to any version higher than 1.0.7.2:
error : NuGetDefense : OSS Index scan failed with exception: System.NullReferenceException: Object reference not set to an instance of an object.
at NuGetDefense.OSSIndex.ComponentReportVulnerability.ToVulnerability()
Expected behavior
No error should be thrown on compiling.
Hi,
great work!
I ran into an issue on Windows, as having the NuGet in dependencies results in the following in VS output:
1>'...nuget\packages\nugetdefense\0.0.2\build../tools/netcoreapp3.1/NuGetDefense' is not recognized as an internal or external command,
My q&d fix for Windows is to replace the line in nugetdefense.targets to the following:
<NuGetDefenseExe>dotnet.exe $(MSBuildThisFileDirectory)..\tools\netcoreapp3.1\NuGetDefense.dll</NuGetDefenseExe>
This way, it runs correctly - but still not cross platform.
Found related issue with no clear solution: dotnet/msbuild#1024
The source should change based on the file the error was found in.
ex. if package is listed in a package.config, the error should link to package.config not Example.csproj
Describe the bug
v0.0.5 does not report Zilb.Portable.Signed vulnerabilities returned by OSS Index because they lack a CVE.
Expected behavior
Report the CVE as Unknown
Additional context
A bad assumption in development that checked for duplicate vulnerabilities allowed this to slip through.
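An added example, not NuGetDefense's own code, covering two OSS Index findings on this page: the 128-component request limit (the `{"code":400,"message":"Request for more than 128 components"}` bug above) and the CVE-less findings that were dropped by a de-duplication keyed on the CVE. It batches package URLs into request bodies OSS Index will accept and keys each finding on its CVE when present, otherwise on the OSS Index id, so two findings without a CVE are no longer collapsed into one; the response is constructed, and the component-report field names, the Basic-auth scheme and the User-Agent value are assumptions.

```python
import base64
import json
import urllib.request
from typing import Dict, Iterable, List, Optional

OSS_INDEX_URL = "https://ossindex.sonatype.org/api/v3/component-report"
MAX_COMPONENTS = 128   # larger requests are rejected with HTTP 400

# Constructed OSS Index component-report response: one package with three
# findings, two of which carry no CVE (only an OSS Index id). Field names follow
# the component-report schema as assumed here; ids and scores are made up.
SAMPLE_RESPONSE = [
    {
        "coordinates": "pkg:nuget/Example.Package@1.0.0",
        "vulnerabilities": [
            {"id": "11111111-aaaa-4bbb-8ccc-000000000001", "cve": "CVE-0000-0001",
             "title": "finding with a CVE", "cvssScore": 7.5,
             "reference": "https://ossindex.sonatype.org/vuln/11111111-aaaa-4bbb-8ccc-000000000001"},
            {"id": "22222222-aaaa-4bbb-8ccc-000000000002", "cve": None,
             "title": "finding without a CVE", "cvssScore": 5.3,
             "reference": "https://ossindex.sonatype.org/vuln/22222222-aaaa-4bbb-8ccc-000000000002"},
            {"id": "33333333-aaaa-4bbb-8ccc-000000000003",
             "title": "second finding without a CVE", "cvssScore": 9.8,
             "reference": "https://ossindex.sonatype.org/vuln/33333333-aaaa-4bbb-8ccc-000000000003"},
        ],
    }
]


def build_requests(purls: Iterable[str], size: int = MAX_COMPONENTS) -> List[Dict[str, List[str]]]:
    """Split the coordinate list into request bodies of at most `size` entries."""
    if size < 1 or size > MAX_COMPONENTS:
        raise ValueError("batch size must be between 1 and 128")
    coords = sorted(set(purls))          # duplicates only burn request quota
    return [{"coordinates": coords[i:i + size]} for i in range(0, len(coords), size)]


def vulnerability_key(vuln: Dict) -> str:
    """Stable identity for one finding: the CVE when there is one, otherwise the
    OSS Index id. Keying on the CVE alone collapses every CVE-less finding into a
    single null entry, which is how v0.0.5 lost them."""
    cve = vuln.get("cve")
    return cve if cve else f"OSS Index ID: {vuln['id']}"


def normalize_report(report: List[Dict]) -> Dict[str, Dict[str, Dict]]:
    """Map coordinates -> {key -> finding}, de-duplicated per package by key."""
    result: Dict[str, Dict[str, Dict]] = {}
    for component in report:
        findings = result.setdefault(component["coordinates"], {})
        for v in component.get("vulnerabilities", []):
            findings.setdefault(vulnerability_key(v), {
                "cve": v.get("cve") or "Unknown",   # what the report should print
                "title": v.get("title", ""),
                "cvss": float(v.get("cvssScore") or 0.0),
                "reference": v.get("reference", ""),
            })
    return result


def post_component_report(body: Dict, user: Optional[str] = None,
                          token: Optional[str] = None, timeout: int = 15) -> List[Dict]:
    """Send one batch (real network call; not used by the embedded sample).
    Basic auth with account e-mail and API token is assumed to be what raises the
    rate limit, as the authentication feature request on this page suggests."""
    req = urllib.request.Request(
        OSS_INDEX_URL, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "User-Agent": "nugetdefense-example/0.0"})
    if user and token:
        cred = base64.b64encode(f"{user}:{token}".encode()).decode()
        req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print([len(b["coordinates"]) for b in build_requests(f"pkg:nuget/P{i}@1.0" for i in range(300))])
    print(json.dumps(normalize_report(SAMPLE_RESPONSE), indent=2))
```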
I have been able to successfully run this tool in a .NET Framework 4.5.2 project and it detected a bad package that I tested with and failed the build.
I have tried running this in .NET Core 3.1 and while it does show in the output that there are bad packages with CVEs, the build process does not fail. I tested using:
<PackageReference Include="jQuery" Version="1.5.0" />
and I can see the vulnerability scan run in my output.
1>Target CheckForVulnerableNuGetPkgs:
1> Using "Exec" task from assembly "Microsoft.Build.Tasks.Core, Version=15.1.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a".
1> Task "Exec"
1> dotnet "C:\Users\jwilliamson\.nuget\packages\nugetdefense\1.0.2\build\..\tools\netcoreapp3.1\NuGetDefense.dll" C:\Gitlab\gateway\unreal-gateway\src\unreal-gateway\unreal-gateway.csproj netcoreapp3.1
1> *************************************
1> C:\Gitlab\gateway\unreal-gateway\src\unreal-gateway\unreal-gateway.csproj(18,6): error : 7 vulnerabilities found for jQuery @ 1.5.0
1> C:\Gitlab\gateway\unreal-gateway\src\unreal-gateway\unreal-gateway.csproj(18,6): error : CVE-2015-9251: jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
1> Description: jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
1> CVE: CVE-2015-9251
1> CWE:
1> CVSS Score: 6.099999904632568
1> CVSS Vector: NETWORK
1> References:
1> https://ossindex.sonatype.org/vuln/3b3ba2f8-9c2c-4afe-b593-75c6b3fd4bb7
1> ---------------------------
1> C:\Gitlab\gateway\unreal-gateway\src\unreal-gateway\unreal-gateway.csproj(18,6): error : OSS Index ID: 5143404a-0e8c-420a-aef1-dccfd1bb3ea4: The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
1> Description: The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
1> CVE: OSS Index ID: 5143404a-0e8c-420a-aef1-dccfd1bb3ea4
1> CWE: CWE-79
1> CVSS Score: 6.099999904632568
1> CVSS Vector: NETWORK
1> References:
1> https://ossindex.sonatype.org/vuln/5143404a-0e8c-420a-aef1-dccfd1bb3ea4
1> ---------------------------
1> C:\Gitlab\gateway\unreal-gateway\src\unreal-gateway\unreal-gateway.csproj(18,6): error : OSS Index ID: 52f593c8-7729-435c-b9df-a7bb9ded8589: The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
1> Description: The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
1> CVE: OSS Index ID: 52f593c8-7729-435c-b9df-a7bb9ded8589
1> CWE: CWE-79
1> CVSS Score: 6.099999904632568
1> CVSS Vector: NETWORK
1> References:
1> https://ossindex.sonatype.org/vuln/52f593c8-7729-435c-b9df-a7bb9ded8589
1> ---------------------------
1> C:\Gitlab\gateway\unreal-gateway\src\unreal-gateway\unreal-gateway.csproj(18,6): error : OSS Index ID: bb07990f-5984-4107-a7ee-27d0c09a1698: The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
1> Description: The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
1> CVE: OSS Index ID: bb07990f-5984-4107-a7ee-27d0c09a1698
1> CWE: CWE-79
1> CVSS Score: 7.199999809265137
1> CVSS Vector: NETWORK
1> References:
1> https://ossindex.sonatype.org/vuln/bb07990f-5984-4107-a7ee-27d0c09a1698
1> ---------------------------
1> C:\Gitlab\gateway\unreal-gateway\src\unreal-gateway\unreal-gateway.csproj(18,6): error : CVE-2012-6708: jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
1> Description: jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
1> CVE: CVE-2012-6708
1> CWE:
1> CVSS Score: 6.099999904632568
1> CVSS Vector: NETWORK
1> References:
1> https://ossindex.sonatype.org/vuln/b510dae9-a933-4169-b010-0325829abf42
1> ---------------------------
1> C:\Gitlab\gateway\unreal-gateway\src\unreal-gateway\unreal-gateway.csproj(18,6): error : CVE-2019-11358: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
1> Description: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
1> CVE: CVE-2019-11358
1> CWE:
1> CVSS Score: 6.099999904632568
1> CVSS Vector: NETWORK
1> References:
1> https://ossindex.sonatype.org/vuln/11b6563a-ead6-4040-83e5-455f36519d1b
1> ---------------------------
1> C:\Gitlab\gateway\unreal-gateway\src\unreal-gateway\unreal-gateway.csproj(18,6): error : CVE-2011-4969: Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.
1> Description: Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.
1> CVE: CVE-2011-4969
1> CWE:
1> CVSS Score: 4.300000190734863
1> CVSS Vector: NETWORK
1> References:
1> https://ossindex.sonatype.org/vuln/fe8b44f2-8604-4d1a-95be-ffce5f6f8f97
1> ---------------------------
1> The command "dotnet "C:\Users\jwilliamson\.nuget\packages\nugetdefense\1.0.2\build\..\tools\netcoreapp3.1\NuGetDefense.dll" C:\Gitlab\gateway\unreal-gateway\src\unreal-gateway\unreal-gateway.csproj netcoreapp3.1" exited with code -1.
1> Done executing task "Exec".
1>Done building target "CheckForVulnerableNuGetPkgs" in project "unreal-gateway.csproj".
{
  "WarnOnly": false,
  "ErrorSettings": {
    "ErrorSeverityThreshold": 5,
    "CVSS3Threshold": -1,
    "IgnoredPackages": [ { "Id": "NugetDefense", "Version": null, "PackageUrl": "pkg:nuget/NugetDefense@" } ],
    "IgnoredCvEs": [],
    "WhiteListedPackages": [],
    "BlackListedPackages": []
  },
  "OssIndex": { "Enabled": true, "BreakIfCannotRun": false },
  "NVD": { "SelfUpdate": false, "Enabled": true, "BreakIfCannotRun": false }
}
Describe the bug
NuGetDefense.Tool throws an exception on a Solution Items project from the solution file.
To Reproduce
Steps to reproduce the behavior:
1. Have a solution that contains a "Solution Items" folder
2. dotnet tool install NuGetDefense.Tool -g
3. nugetdefense .\MySolution.sln Release
Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{DAC32E4B-F605-4584-A629-554E7523B1FD}"
ProjectSection(SolutionItems) = preProject
.editorconfig = .editorconfig
.gitlab-ci.yml = .gitlab-ci.yml
common\GenerateBuildInfo.sh = common\GenerateBuildInfo.sh
README.md = README.md
EndProjectSection
EndProject
`dotnet list` Errors:
: Error : Encountered a fatal exception while checking for Dependencies in . Exception: System.IO.FileNotFoundException: Could not find file 'C:\Users\RobBos\source\repos\MyRepoName\Solution Items'.
File name: 'C:\Users\RobBos\source\repos\MyRepoName\Solution Items'
at System.IO.FileStream.ValidateFileHandle(SafeFileHandle fileHandle)
at System.IO.FileStream.CreateFileOpenHandle(FileMode mode, FileShare share, FileOptions options)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize)
at System.Xml.XmlDownloadManager.GetStream(Uri uri, ICredentials credentials, IWebProxy proxy)
at System.Xml.XmlUrlResolver.GetEntity(Uri absoluteUri, String role, Type ofObjectToReturn)
at System.Xml.XmlTextReaderImpl.FinishInitUriString()
at System.Xml.XmlTextReaderImpl..ctor(String uriStr, XmlReaderSettings settings, XmlParserContext context, XmlResolver uriResolver)
at System.Xml.XmlReaderSettings.CreateReader(String inputUri, XmlParserContext inputContext)
at System.Xml.XmlReader.Create(String inputUri, XmlReaderSettings settings)
at System.Xml.Linq.XDocument.Load(String uri, LoadOptions options)
at System.Xml.Linq.XDocument.Load(String uri)
at ByteDev.DotNet.Project.DotNetProject.Load(String projFilePath)
at NuGetDefense.Program.LoadMultipleProjects(String TopLevelProject, String[] projects, Boolean specificFramework, String targetFramework, Boolean solutionFile) in /home/codingcoyote/Code/NuGetDefense/Src/NuGetDefense/Program.cs:line 193
at NuGetDefense.Program.Main(String[] args) in /home/codingcoyote/Code/NuGetDefense/Src/NuGetDefense/Program.cs:line 73
Expected behavior
Not fail :-). Perhaps detect the type of project and skip it.
Additional context
Found the link to the source code here:
NuGetDefense/Src/NuGetDefense/Program.cs
Line 193 in 4f01373
Unfortunately you only push in the names of the projects to this method.
I see three options:
Add ability to define a whitelist of allowed packages. Break build if an unlisted package is added to the project.
Describe the bug
Running the build on a net fw project returns this error:
MyProject\packages.config : Warning : NuGetDefense : NVD scan failed with exception: System.ArgumentException: '1.2.9_beta' is not a valid version string.
The project includes both public nugets and private ones, but no direct reference to any package on version 1.2.9_beta is present in the package.config.
Expected behavior
Security vulnerabilities should be detected
Additional context
Warning : NuGetDefense : NVD scan failed with exception: System.ArgumentException: '1.2.9_beta' is not a valid version string.
at NuGet.Versioning.VersionRange.Parse(String value, Boolean allowFloating)
at NuGet.Versioning.VersionRange.Parse(String value)
at NuGetDefense.NVD.Scanner.<>c__DisplayClass8_0.b__1(String v)
at System.Linq.Enumerable.Any[TSource](IEnumerable`1 source, Func`2 predicate)
at NuGetDefense.NVD.Scanner.<>c__DisplayClass8_1.b__0(String cve)
at System.Linq.Enumerable.WhereEnumerableIterator`1.MoveNext()
at NuGetDefense.NVD.Scanner.GetVulnerabilitiesForPackages(NuGetPackage[] pkgs, Dictionary`2 vulnDict)
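An added example, not NuGetDefense's code, for the failure above: one malformed version string in the vulnerability data (`1.2.9_beta`, which uses `_` where NuGet pre-release labels use `-`) made `VersionRange.Parse` throw and aborted the whole NVD scan. The Python below is a tolerant stand-in for that parse step: it parses NuGet-style versions and range notation, records any entry it cannot parse and carries on matching the rest, so a bad entry degrades one CVE rather than the scan. The vulnerability data is constructed and its layout (CVE to list of NuGet range strings) is an assumption; pre-release labels are compared as plain strings, which is a simplification.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed vulnerability data in the layout assumed here: CVE -> NuGet range
# strings of the affected versions. The second entry is malformed on purpose.
SAMPLE_VULN_DATA: Dict[str, List[str]] = {
    "CVE-0000-0001": ["[1.0.0, 1.2.9)"],
    "CVE-0000-0002": ["1.2.9_beta"],              # '_' is not a NuGet pre-release separator
    "CVE-0000-0003": ["(, 2.0.0-beta1]", "3.0.0"],
}

VERSION_RE = re.compile(r"^(\d+(?:\.\d+){0,3})(?:-([0-9A-Za-z.-]+))?$")
Version = Tuple[Tuple[int, int, int, int], int, str]
Range = Tuple[Optional[Version], bool, Optional[Version], bool]


def parse_version(text: str) -> Optional[Version]:
    """Comparable tuple for a NuGet-style version, or None if malformed.
    Numeric parts are padded to four places; a release sorts after any
    pre-release of the same number (flag 1 vs 0)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    pre = m.group(2)
    return (tuple(nums), 1 if pre is None else 0, pre or "")


def parse_range(text: str) -> Optional[Range]:
    """NuGet range notation -> (min, min_inclusive, max, max_inclusive), or None.
    '1.0' means >= 1.0; '[1.0, 2.0)' means 1.0 <= v < 2.0; '(, 2.0]' means v <= 2.0;
    '[1.0]' means exactly 1.0."""
    t = text.strip()
    if t and t[0] in "[(" and t[-1] in "])":
        lo_incl, hi_incl = t[0] == "[", t[-1] == "]"
        parts = [p.strip() for p in t[1:-1].split(",")]
        if len(parts) == 1:
            v = parse_version(parts[0])
            return None if v is None else (v, True, v, True)
        if len(parts) != 2:
            return None
        lo = parse_version(parts[0]) if parts[0] else None
        hi = parse_version(parts[1]) if parts[1] else None
        if (parts[0] and lo is None) or (parts[1] and hi is None):
            return None
        return (lo, lo_incl, hi, hi_incl)
    v = parse_version(t)
    return None if v is None else (v, True, None, False)


def satisfies(version: Version, rng: Range) -> bool:
    lo, lo_incl, hi, hi_incl = rng
    if lo is not None and (version < lo or (version == lo and not lo_incl)):
        return False
    if hi is not None and (version > hi or (version == hi and not hi_incl)):
        return False
    return True


def vulnerable_cves(pkg_version: str, vuln_data: Dict[str, List[str]]
                    ) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (matching CVE ids, skipped (cve, range) pairs). A malformed range is
    recorded and skipped so one bad entry cannot abort the whole scan; only the
    package's own version being unparsable is treated as fatal."""
    v = parse_version(pkg_version)
    if v is None:
        raise ValueError(f"package version {pkg_version!r} is not a valid version")
    hits: List[str] = []
    skipped: List[Tuple[str, str]] = []
    for cve, ranges in vuln_data.items():
        for r in ranges:
            rng = parse_range(r)
            if rng is None:
                skipped.append((cve, r))
                continue
            if satisfies(v, rng):
                hits.append(cve)
                break
    return hits, skipped


if __name__ == "__main__":
    for ver in ("1.2.0", "2.0.0-beta1", "2.0.0", "3.0.0"):
        hits, skipped = vulnerable_cves(ver, SAMPLE_VULN_DATA)
        print(ver, "->", hits, "skipped:", skipped)
```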
Describe the bug
After updating from v.1.0.5 to 1.0.6 the scan errors out for me. If I downgrade back to 1.0.5 things work as before, and uninstalling the package removes all errors.
To Reproduce
Here is the contents of my packages.config file:
<?xml version="1.0" encoding="utf-8"?>
<packages>
<package id="Antlr" version="3.5.0.2" targetFramework="net472" />
<package id="bootstrap" version="4.4.1" targetFramework="net472" />
<package id="Effort.EF6" version="2.2.2" targetFramework="net472" />
<package id="Elasticsearch.Net" version="7.0.0" targetFramework="net472" />
<package id="EntityFramework" version="6.2.0" targetFramework="net472" />
<package id="jQuery" version="3.3.1" targetFramework="net472" />
<package id="jQuery.Validation" version="1.17.0" targetFramework="net472" />
<package id="Microsoft.AspNet.Mvc" version="5.2.7" targetFramework="net472" />
<package id="Microsoft.AspNet.Razor" version="3.2.7" targetFramework="net472" />
<package id="Microsoft.AspNet.Web.Optimization" version="1.1.3" targetFramework="net472" />
<package id="Microsoft.AspNet.WebPages" version="3.2.7" targetFramework="net472" />
<package id="Microsoft.CodeDom.Providers.DotNetCompilerPlatform" version="2.0.0" targetFramework="net472" />
<package id="Microsoft.Data.Edm" version="5.8.4" targetFramework="net472" />
<package id="Microsoft.Data.OData" version="5.8.4" targetFramework="net472" />
<package id="Microsoft.jQuery.Unobtrusive.Validation" version="3.2.11" targetFramework="net472" />
<package id="Microsoft.Web.Infrastructure" version="1.0.0.0" targetFramework="net472" />
<package id="Modernizr" version="2.8.3" targetFramework="net472" />
<package id="Newtonsoft.Json" version="11.0.1" targetFramework="net472" />
<package id="NMemory" version="3.1.0" targetFramework="net472" />
<package id="NuGetDefense" version="1.0.6" targetFramework="net472" />
<package id="popper.js" version="1.16.0" targetFramework="net472" />
<package id="SecurityCodeScan" version="3.5.0.0" targetFramework="net472" developmentDependency="true" />
<package id="Serilog" version="2.9.0" targetFramework="net472" />
<package id="Serilog.Enrichers.HttpContextData" version="0.1.3" targetFramework="net472" />
<package id="Serilog.Formatting.Compact" version="1.0.0" targetFramework="net472" />
<package id="Serilog.Formatting.Elasticsearch" version="8.0.0" targetFramework="net472" />
<package id="Serilog.Sinks.Console" version="3.1.1" targetFramework="net472" />
<package id="Serilog.Sinks.Elasticsearch" version="8.0.0" targetFramework="net472" />
<package id="Serilog.Sinks.File" version="4.0.0" targetFramework="net472" />
<package id="Serilog.Sinks.PeriodicBatching" version="2.1.1" targetFramework="net472" />
<package id="SerilogWeb.Classic" version="5.0.52" targetFramework="net472" />
<package id="System.Buffers" version="4.5.0" targetFramework="net472" />
<package id="System.Diagnostics.DiagnosticSource" version="4.5.1" targetFramework="net472" />
<package id="System.Spatial" version="5.8.4" targetFramework="net472" />
<package id="WebGrease" version="1.6.0" targetFramework="net472" />
</packages>
Expected behavior
Was hoping to just have bootstrap not be a reported vulnerability any longer.
Screenshots
This is the build output I got (I first updated the package from 1.0.5 to 1.0.6 and then uninstalled package and installed 1.0.6):
1>------ Build started: Project: WiredBrain.CustomerPortal.AspNet, Configuration: Debug Any CPU ------
1> WiredBrain.CustomerPortal.AspNet -> C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\bin\WiredBrain.CustomerPortal.AspNet.dll
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(3,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(4,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(5,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(6,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(7,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(8,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(9,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(10,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(11,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(12,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(13,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(14,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(15,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(16,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(17,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(18,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(19,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(20,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(21,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(22,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(23,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(24,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(25,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(26,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(27,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(28,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(29,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(30,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(31,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(32,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(33,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(34,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(35,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(36,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config(37,4): warning : is not a valid NuGetVersion and is being ignored. See 'https://docs.microsoft.com/en-us/nuget/concepts/package-versioning' for more info on valid versions
1>C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\packages.config : error : NuGetDefense : OSS Index scan failed with exception: System.AggregateException: One or more errors occurred. (The JSON value could not be converted to NuGetDefense.OSSIndex.ComponentReport[]. Path: $ | LineNumber: 0 | BytePositionInLine: 1.)
1> ---> System.Text.Json.JsonException: The JSON value could not be converted to NuGetDefense.OSSIndex.ComponentReport[]. Path: $ | LineNumber: 0 | BytePositionInLine: 1.
1> at System.Text.Json.ThrowHelper.ThrowJsonException_DeserializeUnableToConvertValue(Type propertyType)
1> at System.Text.Json.JsonSerializer.HandleStartObject(JsonSerializerOptions options, ReadStack& state)
1> at System.Text.Json.JsonSerializer.ReadCore(JsonSerializerOptions options, Utf8JsonReader& reader, ReadStack& readStack)
1> at System.Text.Json.JsonSerializer.ReadCore(JsonReaderState& readerState, Boolean isFinalBlock, ReadOnlySpan`1 buffer, JsonSerializerOptions options, ReadStack& readStack)
1> at System.Text.Json.JsonSerializer.ReadAsync[TValue](Stream utf8Json, Type returnType, JsonSerializerOptions options, CancellationToken cancellationToken)
1> at NuGetDefense.OSSIndex.Scanner.GetReportsForPackagesAsync(NuGetPackage[] pkgs)
1> --- End of inner exception stack trace ---
1> at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
1> at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
1> at System.Threading.Tasks.Task`1.get_Result()
1> at NuGetDefense.OSSIndex.Scanner.GetVulnerabilitiesForPackages(NuGetPackage[] pkgs, Dictionary`2 vulnDict)
1>C:\temp\wired-brain-aspnet\packages\NuGetDefense.1.0.6\build\nugetdefense.targets(10,5): error MSB3073: The command "dotnet "C:\temp\wired-brain-aspnet\packages\NuGetDefense.1.0.6\build\..\tools\netcoreapp3.1\NuGetDefense.dll" "C:\temp\wired-brain-aspnet\WiredBrain.CustomerPortal.AspNet\WiredBrain.CustomerPortal.AspNet.csproj" " exited with code -1.
========== Build: 0 succeeded, 1 failed, 0 up-to-date, 0 skipped ==========
Tools (please complete the following information):
Additional context
Add any other context about the problem here.
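The serializer message in the log above ("could not be converted to ComponentReport[] ... Path: $ ... BytePositionInLine: 1") says the root JSON token of the response was not an array, which is what a service error envelope looks like. As an added C# example (not NuGetDefense's own code), this is how a scanner can inspect the root before deserializing so the service's own error text is surfaced instead of an opaque exception. The ComponentReport shape and both sample bodies are constructed stand-ins, not the real OSS Index schema or a captured response.

```csharp
using System;
using System.Text.Json;

// Added example (not NuGetDefense code). Minimal constructed stand-in for the
// report type; the real service returns more fields than this.
public class ComponentReport
{
    public string Coordinates { get; set; }
    public VulnerabilityInfo[] Vulnerabilities { get; set; } = Array.Empty<VulnerabilityInfo>();
}

public class VulnerabilityInfo
{
    public string Id { get; set; }
    public string Title { get; set; }
}

public static class ReportDecoder
{
    static readonly JsonSerializerOptions Options = new JsonSerializerOptions
    {
        PropertyNameCaseInsensitive = true,
    };

    // Returns the reports when the body is a JSON array. When the root is an
    // object (an error envelope) the exception carries the service's message,
    // so the build log says *why* the scan failed rather than "JSON value could
    // not be converted".
    public static ComponentReport[] Decode(string body)
    {
        using JsonDocument doc = JsonDocument.Parse(body);
        JsonElement root = doc.RootElement;

        if (root.ValueKind == JsonValueKind.Array)
            return JsonSerializer.Deserialize<ComponentReport[]>(body, Options)
                   ?? Array.Empty<ComponentReport>();

        if (root.ValueKind == JsonValueKind.Object)
        {
            // Field names commonly used for error envelopes (assumed, not the
            // documented OSS Index contract); fall back to the raw object.
            foreach (string key in new[] { "message", "error", "detail" })
            {
                if (root.TryGetProperty(key, out JsonElement msg) && msg.ValueKind == JsonValueKind.String)
                    throw new InvalidOperationException(
                        "Vulnerability service returned an error: " + msg.GetString());
            }
            throw new InvalidOperationException(
                "Vulnerability service returned an object, not a report array: " + root.GetRawText());
        }

        throw new InvalidOperationException("Unexpected JSON root of kind " + root.ValueKind);
    }

    public static void Main()
    {
        // Constructed sample bodies, not captured from the real service.
        const string ok =
            @"[{""coordinates"":""pkg:nuget/Example.Package@1.0.0"",""vulnerabilities"":[{""id"":""v1"",""title"":""Example""}]}]";
        const string err = @"{""code"":429,""message"":""rate limit exceeded""}";

        Console.WriteLine(Decode(ok)[0].Vulnerabilities.Length);           // 1
        try { Decode(err); }
        catch (InvalidOperationException e) { Console.WriteLine(e.Message); } // ... rate limit exceeded
    }
}
```

Checking `ValueKind` first costs one extra parse of the body but turns the failure into an actionable log line; the same check also catches an HTML error page, which `JsonDocument.Parse` rejects with a clear parse error rather than a conversion error.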
Describe the bug
[email protected] reported 3 vulnerabilities including CVE-2017-0249 that was fixed in 4.3.2
Expected behavior
4.3.0 and 4.3.2 should not report CVE-2017-0249
Additional context
This did not appear prior to updating to 2.1.0, so I suspect there are new issues brought about by correcting the parsing that prevented showing a vulnerability for log4net in earlier versions of the NVD Data.
Workaround
If you are using System.Net.Http, confirm it is not affected and add the CVE(s) to the ignore list for that project.
What is the Feature? Please describe.
NVD Feed should be able to update itself.
Use Case
In the event that vulnerabilities are released between releases of NuGetDefense, the user could allow it to update and import the newer vulnerabilities.
Describe alternatives you've considered
CI will be setup soon to handle automatic updates when NVD feeds are updated.
Describe the bug
The Vector returned by OSS Index is not an Access Vector, but a CVSS 3 Vector string.
Additional context
Parsing the string to get the access vector should be enough to fix it for now. It may be more considerate to pull in the whole string and try to find a CVSS Vector in NVD to import in place of the AccessVector
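Extracting the access vector from a CVSS vector string, as an added C# example (not NuGetDefense's own code). It handles both the CVSS v3 form with the "CVSS:3.x/" prefix that OSS Index returns and the older CVSS v2 form without it, and maps the AV metric to the NVD wording; the sample vectors in `Main` are constructed.

```csharp
using System;
using System.Collections.Generic;

// Added example (not NuGetDefense code): pull the AV (attack/access vector)
// metric out of a CVSS vector string such as
//   "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"   (v3, prefixed)
//   "AV:L/AC:M/Au:N/C:P/I:P/A:P"                      (v2, no prefix)
public static class CvssVectorParser
{
    // Splits the vector into its metrics, e.g. {"AV":"N","AC":"L",...}.
    // The "CVSS:3.x" prefix, when present, is returned through `version`;
    // a string without it is assumed to be CVSS v2.
    public static Dictionary<string, string> ParseMetrics(string vector, out string version)
    {
        version = "2.0";
        var metrics = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        if (string.IsNullOrWhiteSpace(vector)) return metrics;

        foreach (string part in vector.Trim().Split('/'))
        {
            string[] kv = part.Split(':', 2);
            if (kv.Length != 2) continue;                 // tolerate a junk segment
            if (kv[0].Equals("CVSS", StringComparison.OrdinalIgnoreCase))
            {
                version = kv[1];                          // "3.0" or "3.1"
                continue;
            }
            metrics[kv[0]] = kv[1];
        }
        return metrics;
    }

    // Maps the AV metric to the NVD labels. Unknown or missing values return
    // "UNKNOWN" instead of throwing so one odd record cannot abort a whole scan.
    public static string AccessVector(string vector)
    {
        Dictionary<string, string> metrics = ParseMetrics(vector, out _);
        if (!metrics.TryGetValue("AV", out string av)) return "UNKNOWN";
        switch (av.ToUpperInvariant())
        {
            case "N": return "NETWORK";
            case "A": return "ADJACENT_NETWORK";
            case "L": return "LOCAL";
            case "P": return "PHYSICAL";                 // CVSS v3 only
            default:  return "UNKNOWN";
        }
    }

    public static void Main()
    {
        // Constructed sample vectors, not taken from a real OSS Index response.
        Console.WriteLine(AccessVector("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H")); // NETWORK
        Console.WriteLine(AccessVector("AV:L/AC:M/Au:N/C:P/I:P/A:P"));                    // LOCAL
        Console.WriteLine(AccessVector("CVSS:3.0/AV:P/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"));  // PHYSICAL
        Console.WriteLine(AccessVector("not a vector"));                                  // UNKNOWN
    }
}
```

Keeping the parsed `version` around is what makes the second idea in the report possible: with the full metric set in hand, the v3 vector can later be matched against the CVSS v3 data NVD publishes instead of being reduced to the single AV field.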
Describe the bug
I tried upgrading my project to use NuGetDefense 1.0.15, however Visual Studio fails the build with the following error
MSB3073 The command "dotnet "C:\Users\auser\.nuget\packages\nugetdefense\1.0.15\build\..\tools\net5.0\NuGetDefense.dll" "C:\test\test\test.csproj" netcoreapp3.1" exited with code 1. test C:\Users\auser\.nuget\packages\nugetdefense\1.0.15\build\nugetdefense.targets 10
1>------ Build started: Project: test, Configuration: Debug Any CPU ------
1>test -> C:\test\test\bin\Debug\netcoreapp3.1\test.dll
1>Could not execute because the specified command or file was not found.
1>Possible reasons for this include:
1> * You misspelled a built-in dotnet command.
1> * You intended to execute a .NET Core program, but dotnet-C:\Users\auser\.nuget\packages\nugetdefense\1.0.15\build\..\tools\net5.0\NuGetDefense.dll does not exist.
1> * You intended to run a global tool, but a dotnet-prefixed executable with this name could not be found on the PATH.
1>C:\Users\auser\.nuget\packages\nugetdefense\1.0.15\build\nugetdefense.targets(10,5): error MSB3073: The command "dotnet "C:\Users\auser\.nuget\packages\nugetdefense\1.0.15\build\..\tools\net5.0\NuGetDefense.dll" "C:\test\test\test.csproj" netcoreapp3.1" exited with code 1.
1>Done building project "test.csproj" -- FAILED.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Tools (please complete the following information):
Additional context
Check NVD for updated feed and check for known vulnerabilities.
Describe the bug
When my projects depend on the Nancy NuGet package I get a warning that 0 vulnerabilities were found for Nancy
To Reproduce
Steps to reproduce the behavior:
Expected behavior
I would not expect any warning
Tools (please complete the following information):
Describe the bug
Log4Net CVE-2018-1285
To Reproduce
Install Log4Net v2.0.8 and build
Expected behavior
No Errors unless version is below 2.0.8
Additional context
The problem is unknown and we can assume there are other false positives until proven otherwise. Double Check any reports you receive for now
Please Provide a Build Task Example for MSBUILD style project and sdk projects.
In documentation https://digitalcoyote.github.io/NuGetDefense/ it is mentioned that "NuGetDefense is a bundled dotnet tool that runs using an MSBuild ExecTask after your project finishes building."
But how to configure this build task? What are the correct values? Please find below my example that is not working (MSBUILD style - related to a .NET 4.6.2 Full Framework project)
<Target Name="AfterBuild">
<UsingTask TaskName="NuGetDefense.Tool" AssemblyFile="C:\Users\{user}\.dotnet\tools\.store\nugetdefense.tool\2.0.2\nugetdefense.tool\2.0.2\tools\net5.0\any\NugetDefense.dll" />
<NuGetDefense.Tool />
</Target>
Source
https://devblogs.microsoft.com/nuget/how-to-scan-nuget-packages-for-security-vulnerabilities/
Why should this source be considered?
It's probably going to be the go-to source for most devs
Should this source be checked by default?
yes
Would this be better in an independent package?
No
Packing a .Net 4.8 version of the tool would remove the need for .Net Core 3.1 on Windows.
Hi, I'm running a dotnetcore 3.1 project on Visual Studio Professional 2019 Version 16.7.7
my NugetDefense.json file contains the property "WarnOnly": false
but it still shows vulnerabilities as warnings after the build phase
I also have an ErrorSettings property with:
"ErrorSeverityThreshold": "any",
"Cvss3Threshold": -1
Steps to reproduce the behavior:
Expected behavior:
I expect that the build phase will fail with jQuery vulnerability errors (I got 5)
Tools (please complete the following information):
What is the Feature? Please describe.
When NugetDefense is installed on the project a NuGetDefense.json is created. If you have a solution that contains multiple projects a NuGetDefense.json is required for each project. It would be nice if NugetDefense behaved a bit like .nugetconfig where when the file is not found in the project folder it checks parent folders. This would allow a single NuGetDefense.json to set the defense configuration for an entire solution
Use Case
When a project is part of a larger solution and all have NuGetDefense installed
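The parent-folder lookup requested above, as an added C# example (not NuGetDefense's own code): it walks from the project directory up through its parents until it finds NuGetDefense.json, the way NuGet resolves nuget.config. The optional boundary directory is my addition, so that a config file outside the checkout (for example one in a home directory) can never silently apply to a CI build; the temp directory tree in `Main` is constructed for the demo.

```csharp
using System;
using System.IO;

// Added example (not NuGetDefense code): locate the nearest NuGetDefense.json
// by walking up from the project directory. An optional boundary directory
// (e.g. the repository root) stops the walk.
public static class ConfigLocator
{
    public const string ConfigFileName = "NuGetDefense.json";

    // Returns the full path of the nearest config file, or null when none exists
    // between the project directory and the boundary (or the filesystem root).
    public static string Find(string projectDirectory, string boundaryDirectory = null)
    {
        var dir = new DirectoryInfo(Path.GetFullPath(projectDirectory));
        string boundary = boundaryDirectory == null
            ? null
            : Path.GetFullPath(boundaryDirectory).TrimEnd(Path.DirectorySeparatorChar);

        while (dir != null)
        {
            string candidate = Path.Combine(dir.FullName, ConfigFileName);
            if (File.Exists(candidate)) return candidate;

            bool atBoundary = boundary != null && string.Equals(
                dir.FullName.TrimEnd(Path.DirectorySeparatorChar), boundary,
                StringComparison.OrdinalIgnoreCase);
            if (atBoundary) break;         // never look above the repository root

            dir = dir.Parent;              // becomes null once past the filesystem root
        }
        return null;
    }

    public static void Main()
    {
        // Constructed temp tree: <root>/solution/NuGetDefense.json, with the
        // project in <root>/solution/src/Project and no config of its own.
        string root = Path.Combine(Path.GetTempPath(), "nugetdefense-demo-" + Guid.NewGuid().ToString("N"));
        string solution = Path.Combine(root, "solution");
        string project = Path.Combine(solution, "src", "Project");
        Directory.CreateDirectory(project);
        File.WriteAllText(Path.Combine(solution, ConfigFileName), "{}");

        Console.WriteLine(Find(project));                      // <root>/solution/NuGetDefense.json
        Console.WriteLine(Find(project, project) ?? "<none>"); // boundary = project folder: <none>

        Directory.Delete(root, recursive: true);
    }
}
```

A project-level file still wins when present, because the walk checks the project directory first; the solution-level file only applies to projects that have none of their own.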
Describe the bug
For some reason, I set the properties for these settings as internal and did not catch it (I always leave them on in manual testing). This prevents them from Serializing/Deserializing.
I plan to pack this for Chocolatey so it can be used. In the meantime DevAudit should be a good alternative.
Describe the bug
Exit Code is not 0 when all vulnerabilities are warnings
Expected behavior
Tools (please complete the following information):
Describe the bug
Although this seems to be as easy as flipping the switch for Linux, NuGet.OSSIndex throws an Exception in Windows when Adding the UserAgent to the header.
To Reproduce
Steps to reproduce the behavior:
1. Run with the now de-listed v2.0.0.1 (repackage of 2.0.0)
Expected behavior
Runs the same on Windows and Linux
Tools (please complete the following information):
Additional context
It looks like it may be expecting a simpler User Agent
What is the Feature? Please describe.
Log References for Vulnerabilities in the Build Log. These are usually links to pages that disclose more information about the vulnerability.
Use Case
Describe alternatives you've considered
Describe the bug
The tool does not exclude the listed packages.
To Reproduce
Steps to reproduce the behavior:
"IgnoredPackages": [
{
"Id": "NugetDefense",
"Version": "1.0.8.0"
},
{
"Id": "NLog",
"Version": "4.7.5"
}
],
or
"IgnoredPackages": [
{
"Id": "NugetDefense",
"Version": "1.0.8.0"
},
{
"Id": "NLog"
}
],
error : 1 vulnerabilities found for NLog @ 4.7.5
Expected behavior
The package should be ignored.
Screenshots
If applicable, add screenshots to help explain your problem.
Tools (please complete the following information):
Additional context
The IgnoredPackages property is not used at all.
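How an IgnoredPackages list of the shape posted above can be applied, as an added C# example (not NuGetDefense's own code). The semantics are an assumption on my part: an entry with only an Id ignores every version of that package, an entry with a Version ignores exactly that version, and a trailing ".0" revision is dropped before comparing so "1.0.8.0" and "1.0.8" match. The JSON in `Main` reproduces the second sample from the report.

```csharp
using System;
using System.Linq;
using System.Text.Json;

// Added example (not NuGetDefense code): model and matching for IgnoredPackages.
public class IgnoredPackage
{
    public string Id { get; set; }
    public string Version { get; set; }       // null or empty means "any version" (assumed)
}

public class NuGetDefenseSettings
{
    public IgnoredPackage[] IgnoredPackages { get; set; } = Array.Empty<IgnoredPackage>();
}

public static class IgnoreList
{
    static readonly JsonSerializerOptions Options = new JsonSerializerOptions
    {
        PropertyNameCaseInsensitive = true,           // accept "ignoredPackages" too
        ReadCommentHandling = JsonCommentHandling.Skip,
        AllowTrailingCommas = true,
    };

    public static NuGetDefenseSettings Load(string json) =>
        JsonSerializer.Deserialize<NuGetDefenseSettings>(json, Options) ?? new NuGetDefenseSettings();

    // Package ids are case-insensitive; versions are compared after normalisation.
    public static bool IsIgnored(NuGetDefenseSettings settings, string id, string version)
    {
        if (settings?.IgnoredPackages == null) return false;
        return settings.IgnoredPackages.Any(p =>
            string.Equals(p.Id, id, StringComparison.OrdinalIgnoreCase) &&
            (string.IsNullOrEmpty(p.Version) || Normalize(p.Version) == Normalize(version)));
    }

    // Drops a trailing ".0" revision so "1.0.8.0" equals "1.0.8". Prerelease
    // labels and build metadata are compared verbatim.
    static string Normalize(string version)
    {
        if (string.IsNullOrEmpty(version)) return string.Empty;
        string[] parts = version.Trim().Split('.');
        if (parts.Length == 4 && parts[3] == "0")
            parts = parts.Take(3).ToArray();
        return string.Join(".", parts);
    }

    public static void Main()
    {
        // Constructed settings; the entries match the second sample in the report.
        const string json = @"{
          ""IgnoredPackages"": [
            { ""Id"": ""NugetDefense"", ""Version"": ""1.0.8.0"" },
            { ""Id"": ""NLog"" }
          ]
        }";
        NuGetDefenseSettings settings = Load(json);

        Console.WriteLine(IsIgnored(settings, "NLog", "4.7.5"));           // True  (any version)
        Console.WriteLine(IsIgnored(settings, "nlog", "4.7.4"));           // True  (id is case-insensitive)
        Console.WriteLine(IsIgnored(settings, "NuGetDefense", "1.0.8"));   // True  (1.0.8.0 == 1.0.8)
        Console.WriteLine(IsIgnored(settings, "NuGetDefense", "1.0.9"));   // False
    }
}
```

The case-insensitive id comparison matters for exactly the situation in the report, where the config says "NugetDefense" and the package id is "NuGetDefense"; an ordinal comparison would never match and the entry would look ignored.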
Describe the bug
Using a directory with whitespace in the path makes VS return code 532462766.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The build should complete even with the whitespace
Screenshots
If applicable, add screenshots to help explain your problem.
Tools (please complete the following information):
Describe the bug
Packages from private feeds should be ignored. Therefore I excluded them from NuGetDefense.json. Nevertheless an unhandled exception is thrown after calling dotnet build.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Ignored packages from private feeds should not be restored to avoid unhandled exceptions.
Additional context
A plain package restore works as expected (dotnet restore).
Describe the bug
Building multiple projects concurrently can cause a System.IO.IOException when the NVD Source is enabled because the first instance of NuGetDefense has a lock on the file (writing to it to update it).
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Builds without error and only updates the file once per Solution Build
Error Example
Unhandled exception. System.IO.IOException: The process cannot access the file
'/home/codingcoyote/.nuget/packages/nugetdefense/1.0.3/tools/netcoreapp3.1/VulnerabilityData.bin' because it is being used by another process. (TaskId:64)
at System.IO.FileStream.Init(FileMode mode, FileShare share, String originalPath) (TaskId:64)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options) (TaskId:64)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share) (TaskId:64)
at System.IO.File.Open(String path, FileMode mode, FileAccess access) (TaskId:64)
at NuGetDefense.NVD.Scanner..ctor(String nugetFile, Boolean breakIfCannotRun, Boolean selfUpdate) (TaskId:64)
at NuGetDefense.Program.Main(String[] args) (TaskId:64)
Tools (please complete the following information):
Additional context
Found building the new Test Solution
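One way to get the expected behaviour (no IOException and a single update per solution build), as an added C# example that is not NuGetDefense's own code: a named Mutex serialises the refresh across the concurrently running instances, the instance that wins re-checks whether the update is still needed, the new data is written to a temp file and swapped in, and readers open the file with FileShare.Read and retry briefly. The mutex naming, the "needs update" predicate, and the demo's three in-process tasks are all constructed for the example.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

// Added example (not NuGetDefense code): coordinating access to a shared
// vulnerability data file between build tasks that run at the same time.
public static class SharedDataFile
{
    const int MaxReadAttempts = 10;
    static readonly TimeSpan RetryDelay = TimeSpan.FromMilliseconds(500);

    // A stable name derived from the file path, so different data files do not
    // contend with each other (string.GetHashCode is randomised per process and
    // must not be used here). Without a "Global\" prefix the mutex is
    // session-local on Windows, which covers builds started by the same user.
    static string MutexName(string path)
    {
        using var sha = SHA256.Create();
        byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(path.ToLowerInvariant()));
        return "NuGetDefenseData-" + BitConverter.ToString(digest, 0, 8).Replace("-", "");
    }

    // Returns true if this process performed the update, false if another
    // instance already did it (or the lock could not be obtained in time).
    public static bool UpdateOnce(string path, Func<string, bool> needsUpdate, Action<string> writeNewData)
    {
        using var mutex = new Mutex(false, MutexName(path));
        bool acquired = false;
        try
        {
            try { acquired = mutex.WaitOne(TimeSpan.FromMinutes(2)); }
            catch (AbandonedMutexException) { acquired = true; } // previous holder died; we own it now
            if (!acquired) return false;

            // Re-check under the lock: the instance we waited on may have just
            // refreshed the file, in which case there is nothing left to do.
            if (!needsUpdate(path)) return false;

            // Write beside the target and swap, so readers never see a half-written file.
            string tmp = path + ".tmp";
            writeNewData(tmp);
            File.Move(tmp, path, overwrite: true);
            return true;
        }
        finally
        {
            if (acquired) mutex.ReleaseMutex();
        }
    }

    // Readers share the file with each other; a short retry absorbs the moment
    // in which the writer still holds it.
    public static FileStream OpenForRead(string path)
    {
        for (int attempt = 1; ; attempt++)
        {
            try
            {
                return new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.Read);
            }
            catch (IOException) when (attempt < MaxReadAttempts)
            {
                Thread.Sleep(RetryDelay);
            }
        }
    }

    public static void Main()
    {
        // Constructed demo: three "build tasks" race to refresh the same file.
        string path = Path.Combine(Path.GetTempPath(), "VulnerabilityData-demo.bin");
        File.Delete(path);                                    // start clean
        int writers = 0;

        var tasks = new Task[3];
        for (int i = 0; i < tasks.Length; i++)
        {
            tasks[i] = Task.Run(() =>
            {
                bool wrote = UpdateOnce(path,
                    needsUpdate: p => !File.Exists(p),
                    writeNewData: tmp => File.WriteAllBytes(tmp, new byte[] { 1, 2, 3 }));
                if (wrote) Interlocked.Increment(ref writers);

                using FileStream s = OpenForRead(path);
                Console.WriteLine($"reader saw {s.Length} bytes");
            });
        }
        Task.WaitAll(tasks);
        Console.WriteLine($"file written by {writers} of {tasks.Length} instances"); // 1 of 3
        File.Delete(path);
    }
}
```

The temp-file-and-move step is the part that makes the retry safe: once `File.Move` has completed, any reader that gets the file open sees a complete copy, so a reader never has to validate a partially written cache.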