retirenet / dotnet-retire Goto Github PK

View Code? Open in Web Editor NEW

179.0 9.0 23.0 391 KB

Open source vulnerability scanner for .NET Core projects

License: MIT License

C# 97.40% Batchfile 0.65% Shell 1.95%

dotnet-core dotnetcore security aspnetcore audit runtime

dotnet-retire's Introduction

Build status

Components

RetireNet.Runtimes.Middleware
RetireNet.Runtimes.BackgroundServices

dotnet-retire

❗️DEPRECATED❗️

See this issue for other solutions.

RetireNet.Runtimes.Middleware

We cannot detect the runtime of the app at build time, so to report use of vulnerable runtimes the app itself, the host itself can provide us reports

Install

$ dotnet add package RetireNet.Runtimes.Middleware

Usage

Add it to your ASP.NET Core pipeline on your preferred path:

app.Map("/report", a => a.UseRuntimeVulnerabilityReport());

What does it do?

It will fetch the releases listed in the official metadata API provided by Microsoft, and check if your app is running on a runtime with known CVEs.

Metadata endpoint used: https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/releases-index.json

Sample output

An app running on the vulnerable 2.1.11 runtime on macOS:

{
    "isVulnerable": true,
    "appRuntimeDetails": {
        "os": "OSX",
        "osPlatform": "Darwin 18.6.0 Darwin Kernel Version 18.6.0: Thu Apr 25 23:16:27 PDT 2019; root:xnu-4903.261.4~2/RELEASE_X86_64",
        "osArchitecture": "X64",
        "osBits": "64",
        "appTargetFramework": ".NETCoreApp,Version=v2.1",
        "appRuntimeVersion": "2.1.11",
        "appBits": "64"
    },
    "securityRelease": {
        "runtimeVersion": "2.1.13",
        "cvEs": [
            {
                "cve-id": " CVE-2018-8269",
                "cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8269"
            },
            {
                "cve-id": " CVE-2019-1301",
                "cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1301"
            },
            {
                "cve-id": " CVE-2019-1302",
                "cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1302"
            }
        ]
    }
}

RetireNet.Runtimes.BackgroundServices

This is the same report as for the middleware, only logging it using the configured ILogger as a WARN log statment.

Install

$ dotnet add package RetireNet.Runtimes.BackgroundServices

Usage

services.AddRetireRuntimeHostedService(c => c.CheckInterval = 60000)

What does it do?

The same as for the middleware endpoint.

Sample output

An app running on the vulnerable 2.1.11 runtime on macOS, using the ConsoleLogger:

warn: RetireNet.Runtimes.BackgroundServices.RetireRuntimeBackgroundService[0]
      Running on vulnerable runtime 2.1.11. Security release 2.1.13

dotnet-retire's People

Contributors

Stargazers

Watchers

dotnet-retire's Issues

Note2Self: Look into `DependencyContext` for getting dependencies instead of project.assets.json

See https://github.com/dotnet/core-setup/blob/master/src/managed/Microsoft.Extensions.DependencyModel/DependencyContext.cs

False Positives for Multiple Packages (CVE-2018-0786)

According to dotnet/corefx#26236, multiple System.ServiceModel.* packages were vulnerable at 4.4.0 but this is fixed in 4.4.1. However this tool is still reporting them as vulnerabilities. Output of dotnet retire loglevel=debug:

dbug: dotnet_retire.RetireLogger[0]
      Found in total 60 references of NuGets (direct & transient)
fail: dotnet_retire.RetireLogger[0]
      Found use of 6 vulnerable libs in 36 dependency paths.
      
      * System.Private.ServiceModel/4.4.1
      
          Topshelf/4.1.0
          ╚ Microsoft.Windows.Compatibility/2.0.1
           ╚ System.ServiceModel.Duplex/4.4.1
            ╚ System.Private.ServiceModel/4.4.1
      
          Topshelf/4.1.0
          ╚ TopShelf.ServiceInstaller/4.1.0
           ╚ Microsoft.Windows.Compatibility/2.0.1
            ╚ System.ServiceModel.Duplex/4.4.1
             ╚ System.Private.ServiceModel/4.4.1
      
          Topshelf/4.1.0
          ╚ Microsoft.Windows.Compatibility/2.0.1
           ╚ System.ServiceModel.Http/4.4.1
            ╚ System.Private.ServiceModel/4.4.1
      
          Topshelf/4.1.0
          ╚ TopShelf.ServiceInstaller/4.1.0
           ╚ Microsoft.Windows.Compatibility/2.0.1
            ╚ System.ServiceModel.Http/4.4.1
             ╚ System.Private.ServiceModel/4.4.1
      
          Topshelf/4.1.0
          ╚ Microsoft.Windows.Compatibility/2.0.1
           ╚ System.ServiceModel.NetTcp/4.4.1
            ╚ System.Private.ServiceModel/4.4.1
      
          Topshelf/4.1.0
          ╚ TopShelf.ServiceInstaller/4.1.0
           ╚ Microsoft.Windows.Compatibility/2.0.1
            ╚ System.ServiceModel.NetTcp/4.4.1
             ╚ System.Private.ServiceModel/4.4.1
      
          Topshelf/4.1.0
          ╚ Microsoft.Windows.Compatibility/2.0.1
           ╚ System.ServiceModel.Primitives/4.4.1
            ╚ System.Private.ServiceModel/4.4.1
      
          Topshelf/4.1.0
          ╚ TopShelf.ServiceInstaller/4.1.0
           ╚ Microsoft.Windows.Compatibility/2.0.1
            ╚ System.ServiceModel.Primitives/4.4.1
             ╚ System.Private.ServiceModel/4.4.1
      
          Topshelf/4.1.0
          ╚ Microsoft.Windows.Compatibility/2.0.1
           ╚ System.ServiceModel.Duplex/4.4.1
            ╚ System.ServiceModel.Primitives/4.4.1
             ╚ System.Private.ServiceModel/4.4.1
      
          Topshelf/4.1.0
          ╚ TopShelf.ServiceInstaller/4.1.0
           ╚ Microsoft.Windows.Compatibility/2.0.1
            ╚ System.ServiceModel.Duplex/4.4.1
             ╚ System.ServiceModel.Primitives/4.4.1
              ╚ System.Private.ServiceModel/4.4.1
      
          Topshelf/4.1.0
          ╚ Microsoft.Windows.Compatibility/2.0.1
           ╚ System.ServiceModel.Http/4.4.1
            ╚ System.ServiceModel.Primitives/4.4.1
             ╚ System.Private.ServiceModel/4.4.1
      
          Topshelf/4.1.0
          ╚ TopShelf.ServiceInstaller/4.1.0
           ╚ Microsoft.Windows.Compatibility/2.0.1
            ╚ System.ServiceModel.Http/4.4.1
             ╚ System.ServiceModel.Primitives/4.4.1
              ╚ System.Private.ServiceModel/4.4.1
      
          Topshelf/4.1.0
          ╚ Microsoft.Windows.Compatibility/2.0.1
           ╚ System.ServiceModel.NetTcp/4.4.1
            ╚ System.ServiceModel.Primitives/4.4.1
             ╚ System.Private.ServiceModel/4.4.1
      
          Topshelf/4.1.0
          ╚ TopShelf.ServiceInstaller/4.1.0
           ╚ Microsoft.Windows.Compatibility/2.0.1
            ╚ System.ServiceModel.NetTcp/4.4.1
             ╚ System.ServiceModel.Primitives/4.4.1
              ╚ System.Private.ServiceModel/4.4.1
      
          Topshelf/4.1.0
          ╚ Microsoft.Windows.Compatibility/2.0.1
           ╚ System.ServiceModel.Security/4.4.1
            ╚ System.ServiceModel.Primitives/4.4.1
             ╚ System.Private.ServiceModel/4.4.1
      
          Topshelf/4.1.0
          ╚ TopShelf.ServiceInstaller/4.1.0
           ╚ Microsoft.Windows.Compatibility/2.0.1
            ╚ System.ServiceModel.Security/4.4.1
             ╚ System.ServiceModel.Primitives/4.4.1
              ╚ System.Private.ServiceModel/4.4.1
      
          Topshelf/4.1.0
          ╚ Microsoft.Windows.Compatibility/2.0.1
           ╚ System.ServiceModel.Security/4.4.1
            ╚ System.Private.ServiceModel/4.4.1
      
          Topshelf/4.1.0
          ╚ TopShelf.ServiceInstaller/4.1.0
           ╚ Microsoft.Windows.Compatibility/2.0.1
            ╚ System.ServiceModel.Security/4.4.1
             ╚ System.Private.ServiceModel/4.4.1
      
      * System.ServiceModel.Duplex/4.4.1
      
          Topshelf/4.1.0
          ╚ Microsoft.Windows.Compatibility/2.0.1
           ╚ System.ServiceModel.Duplex/4.4.1
      
          Topshelf/4.1.0
          ╚ TopShelf.ServiceInstaller/4.1.0
           ╚ Microsoft.Windows.Compatibility/2.0.1
            ╚ System.ServiceModel.Duplex/4.4.1
      
      * System.ServiceModel.Http/4.4.1
      
          Topshelf/4.1.0
          ╚ Microsoft.Windows.Compatibility/2.0.1
           ╚ System.ServiceModel.Http/4.4.1
      
          Topshelf/4.1.0
          ╚ TopShelf.ServiceInstaller/4.1.0
           ╚ Microsoft.Windows.Compatibility/2.0.1
            ╚ System.ServiceModel.Http/4.4.1
      
      * System.ServiceModel.NetTcp/4.4.1
      
          Topshelf/4.1.0
          ╚ Microsoft.Windows.Compatibility/2.0.1
           ╚ System.ServiceModel.NetTcp/4.4.1
      
          Topshelf/4.1.0
          ╚ TopShelf.ServiceInstaller/4.1.0
           ╚ Microsoft.Windows.Compatibility/2.0.1
            ╚ System.ServiceModel.NetTcp/4.4.1
      
      * System.ServiceModel.Primitives/4.4.1
      
          Topshelf/4.1.0
          ╚ Microsoft.Windows.Compatibility/2.0.1
           ╚ System.ServiceModel.Primitives/4.4.1
      
          Topshelf/4.1.0
          ╚ TopShelf.ServiceInstaller/4.1.0
           ╚ Microsoft.Windows.Compatibility/2.0.1
            ╚ System.ServiceModel.Primitives/4.4.1
      
          Topshelf/4.1.0
          ╚ Microsoft.Windows.Compatibility/2.0.1
           ╚ System.ServiceModel.Duplex/4.4.1
            ╚ System.ServiceModel.Primitives/4.4.1
      
          Topshelf/4.1.0
          ╚ TopShelf.ServiceInstaller/4.1.0
           ╚ Microsoft.Windows.Compatibility/2.0.1
            ╚ System.ServiceModel.Duplex/4.4.1
             ╚ System.ServiceModel.Primitives/4.4.1
      
          Topshelf/4.1.0
          ╚ Microsoft.Windows.Compatibility/2.0.1
           ╚ System.ServiceModel.Http/4.4.1
            ╚ System.ServiceModel.Primitives/4.4.1
      
          Topshelf/4.1.0
          ╚ TopShelf.ServiceInstaller/4.1.0
           ╚ Microsoft.Windows.Compatibility/2.0.1
            ╚ System.ServiceModel.Http/4.4.1
             ╚ System.ServiceModel.Primitives/4.4.1
      
          Topshelf/4.1.0
          ╚ Microsoft.Windows.Compatibility/2.0.1
           ╚ System.ServiceModel.NetTcp/4.4.1
            ╚ System.ServiceModel.Primitives/4.4.1
      
          Topshelf/4.1.0
          ╚ TopShelf.ServiceInstaller/4.1.0
           ╚ Microsoft.Windows.Compatibility/2.0.1
            ╚ System.ServiceModel.NetTcp/4.4.1
             ╚ System.ServiceModel.Primitives/4.4.1
      
          Topshelf/4.1.0
          ╚ Microsoft.Windows.Compatibility/2.0.1
           ╚ System.ServiceModel.Security/4.4.1
            ╚ System.ServiceModel.Primitives/4.4.1
      
          Topshelf/4.1.0
          ╚ TopShelf.ServiceInstaller/4.1.0
           ╚ Microsoft.Windows.Compatibility/2.0.1
            ╚ System.ServiceModel.Security/4.4.1
             ╚ System.ServiceModel.Primitives/4.4.1
      
      * System.ServiceModel.Security/4.4.1
      
          Topshelf/4.1.0
          ╚ Microsoft.Windows.Compatibility/2.0.1
           ╚ System.ServiceModel.Security/4.4.1
      
          Topshelf/4.1.0
          ╚ TopShelf.ServiceInstaller/4.1.0
           ╚ Microsoft.Windows.Compatibility/2.0.1
            ╚ System.ServiceModel.Security/4.4.1
      
info: dotnet_retire.RetireLogger[0]
      Scan complete.

Add Microsoft Security Advisory CVE-2019-0657: .NET Core Domain Spoofing Vulnerability #97

dotnet/announcements#97

Add Microsoft Security Advisory CVE-2018-0765: .NET Core Denial Of Service Vulnerability

See dotnet/announcements#67 for affected packages.

[Announcement] Deprecating `dotnet retire`

With the latest .NET 5 SDK (5.0.200) now including a vulnerability scanner, the CLI tool dotnet retire is no longer needed and will be deprecated. See https://devblogs.microsoft.com/nuget/how-to-scan-nuget-packages-for-security-vulnerabilities/.

Microsoft has so far no plans/ solutions for automating reporting on vulnerable runtimes , so that component will still live on here until they do (if they do).

False positives: .NET Core 2+ uses the shared framework libs instead of NuGets

Per comment by @natemcmaster in this issue :

For .NET Core 2.X apps:

The runtime gets System.Net.Security.dll from the shared framework, not from NuGet packages.

Consider filtering out the overridden packages from vulnerability warnings, if the client is targeting .NET Core 2+.

For .NET Core 1, no such override is taking place, so in that case there might still be a vulnerable version in use.

Add support for .NET 5.0

If only the .NET 5.0 SDK is installed, the tool fails to run

It was not possible to find any compatible framework version
The framework 'Microsoft.AspNetCore.App', version '3.0.0' was not found.
  - The following frameworks were found:
      5.0.0 at [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]

I believe this should be a simple change to the relevant .csproj files.

See this similar discussion regarding the Swagger CLI tool ~ domaindrivendev/Swashbuckle.AspNetCore#1898

Add ServiceModel vulnerabilities - dotnet/announcements#73

See dotnet/announcements#73

Suppress output to display warnings/errors only

Hello,

I couldn't find any way to reduce the output of the tool to skip debug messages. Is that possible? If not, is there any chance to get such feature?

LogLevel is bit broken

Setting the loglevel=Error won´t show any output when running against a vulnerable project.
For some reason, commenting out a log statement has impact on later log statments.

Add Kestrel vulnerabilities to vulnerabilties feed — aspnet/announcements#311

Check aspnet/Announcements#311

Package name	Vulnerable versions	Secure versions
Microsoft.AspNetCore.Server.Kestrel.Core	2.0.0, 2.0.1, 2.0.2, 2.0.3 2.1.0, 2.1.1	2.0.4 2.1.2
Microsoft.AspNetCore.All	2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8 2.1.0, 2.1.1	2.0.9 2.1.2
Microsoft.AspNetCore.App	2.1.0, 2.1.1	2.1.2

Add Microsoft.AspNetCore.Identity vulnerabilities to feed — aspnet/announcements#310

Add new vulnerabilities to the package feed:

aspnet/Announcements#310

Non-zero return code when vulnerabilities found

Could the tool return a non-zero value when vulnerabilities are found so it can be run as part of a CI pipeline.

Thanks

Add https://github.com/dotnet/announcements/issues/95

Output format glitch

I saw this project and it looked cool so I tried it out and while the functionality seems to be doing fine, I'm running into what looks like a color formatting problem:

For reference's sake, I tried this on Powershell Core 6.0.2, and Powershell 5.1.17134.765 and got the same result. I am getting color output on some labels (info), but getting what looks like the directive for the color output on the actual log values for them. I haven'e seen any messages other than dbug or info yet, so I don't know if there's a problem with those as well.

False positives

Hi there,

How do I work around the false positives I'm getting for a dotnet core 2.2 application? The out put I get for a blank, just created dotnet core 2.2 webapi application is below.
These seem to be reporting vulnerabilities in 2.2.0 but the application is run using the latest 2.2 so these seem to be false positives.

What can I do?

Peter

RetireNet.Packages.Tool.Services.RetireLogger[0]
      Found use of 6 vulnerable libs in 18 dependency paths.

      * Microsoft Security Advisory CVE-2019-0564: ASP.NET Core Denial of Service Vulnerability in Microsoft.AspNetCore.App/2.2.0
      https://github.com/aspnet/Announcements/issues/334

      * Microsoft Security Advisory CVE-2019-1302: ASP.NET Core Elevation Of Privilege Vulnerability in Microsoft.AspNetCore.SpaServices/2.2.0
      https://github.com/aspnet/Announcements/issues/384

          Microsoft.AspNetCore.App/2.2.0
          ╚ Microsoft.AspNetCore.SpaServices/2.2.0

          Microsoft.AspNetCore.App/2.2.0
          ╚ Microsoft.AspNetCore.SpaServices.Extensions/2.2.0
           ╚ Microsoft.AspNetCore.SpaServices/2.2.0

      * Microsoft Security Advisory CVE-2019-0564: ASP.NET Core Denial of Service Vulnerability in Microsoft.AspNetCore.WebSockets/2.2.0
      https://github.com/aspnet/Announcements/issues/334

          Microsoft.AspNetCore.App/2.2.0
          ╚ Microsoft.AspNetCore.WebSockets/2.2.0

          Microsoft.AspNetCore.App/2.2.0
          ╚ Microsoft.AspNetCore.Http.Connections/1.1.0
           ╚ Microsoft.AspNetCore.WebSockets/2.2.0

          Microsoft.AspNetCore.App/2.2.0
          ╚ Microsoft.AspNetCore.SignalR/1.1.0
           ╚ Microsoft.AspNetCore.Http.Connections/1.1.0
            ╚ Microsoft.AspNetCore.WebSockets/2.2.0

          Microsoft.AspNetCore.App/2.2.0
          ╚ Microsoft.AspNetCore.SpaServices.Extensions/2.2.0
           ╚ Microsoft.AspNetCore.WebSockets/2.2.0

      * Microsoft Security Advisory CVE-2019-0564: ASP.NET Core Denial of Service Vulnerability in Microsoft.NETCore.App/2.2.0
      https://github.com/aspnet/Announcements/issues/334

      * Microsoft Security Advisory CVE-2018-8292: .NET Core Information Disclosure Vulnerability in System.Net.Http/4.3.0
      https://github.com/dotnet/announcements/issues/88

          Microsoft.AspNetCore.App/2.2.0
          ╚ Microsoft.AspNetCore.Authentication.JwtBearer/2.2.0
           ╚ Microsoft.IdentityModel.Protocols.OpenIdConnect/5.3.0
            ╚ Microsoft.IdentityModel.Protocols/5.3.0
             ╚ System.Net.Http/4.3.0

          Microsoft.AspNetCore.Authentication.AzureADB2C.UI/2.2.0
          ╚ Microsoft.AspNetCore.Authentication.JwtBearer/2.2.0
           ╚ Microsoft.IdentityModel.Protocols.OpenIdConnect/5.3.0
            ╚ Microsoft.IdentityModel.Protocols/5.3.0
             ╚ System.Net.Http/4.3.0

          Microsoft.AspNetCore.App/2.2.0
          ╚ Microsoft.AspNetCore.Authentication.OpenIdConnect/2.2.0
           ╚ Microsoft.IdentityModel.Protocols.OpenIdConnect/5.3.0
            ╚ Microsoft.IdentityModel.Protocols/5.3.0
             ╚ System.Net.Http/4.3.0

          Microsoft.AspNetCore.Authentication.AzureADB2C.UI/2.2.0
          ╚ Microsoft.AspNetCore.Authentication.OpenIdConnect/2.2.0
           ╚ Microsoft.IdentityModel.Protocols.OpenIdConnect/5.3.0
            ╚ Microsoft.IdentityModel.Protocols/5.3.0
             ╚ System.Net.Http/4.3.0

          Microsoft.AspNetCore.App/2.2.0
          ╚ Microsoft.AspNetCore.Authentication.WsFederation/2.2.0
           ╚ Microsoft.IdentityModel.Protocols.WsFederation/5.3.0
            ╚ Microsoft.IdentityModel.Protocols/5.3.0
             ╚ System.Net.Http/4.3.0

      * Microsoft Security Advisory CVE-2019-0564: ASP.NET Core Denial of Service Vulnerability in System.Net.WebSockets.WebSocketProtocol/4.5.1
      https://github.com/aspnet/Announcements/issues/334

          Microsoft.AspNetCore.App/2.2.0
          ╚ Microsoft.AspNetCore.WebSockets/2.2.0
           ╚ System.Net.WebSockets.WebSocketProtocol/4.5.1

          Microsoft.AspNetCore.App/2.2.0
          ╚ Microsoft.AspNetCore.Http.Connections/1.1.0
           ╚ Microsoft.AspNetCore.WebSockets/2.2.0
            ╚ System.Net.WebSockets.WebSocketProtocol/4.5.1

          Microsoft.AspNetCore.App/2.2.0
          ╚ Microsoft.AspNetCore.SignalR/1.1.0
           ╚ Microsoft.AspNetCore.Http.Connections/1.1.0
            ╚ Microsoft.AspNetCore.WebSockets/2.2.0
             ╚ System.Net.WebSockets.WebSocketProtocol/4.5.1

          Microsoft.AspNetCore.App/2.2.0
          ╚ Microsoft.AspNetCore.SpaServices.Extensions/2.2.0
           ╚ Microsoft.AspNetCore.WebSockets/2.2.0
            ╚ System.Net.WebSockets.WebSocketProtocol/4.5.1

.NET Core 3.1 Support

Hello,
I'd really love to use this tool in our pipeline, but it doesn't seem to be working with .NET Core 3.1.

Installed as per instructions: dotnet tool install -g dotnet-retire

Output: Tool 'dotnet-retire' (version '4.0.0') was successfully installed.

It was not possible to find any compatible framework version
The framework 'Microsoft.NETCore.App', version '2.1.0' was not found.
  - The following frameworks were found:
      3.1.1 at [/usr/share/dotnet/shared/Microsoft.NETCore.App]

The message is self-explanatory, but I've been wondering if you could publish a newer version, perhaps it'd fix this problem?

Thank you

Look into the `PackageURL` format

https://www.riskbasedsecurity.com/2018/08/thoughts-on-the-ntia-software-component-transparency-meeting/

https://github.com/package-url/packageurl-dotnet

Running dotnet retire on linux alpine

Hello, Am trying to run the dotnet retire on our jenkins slave (linux alpine) but we keep getting below error

�[40m�[37mtrce�[39m�[22m�[49m: RetireNet.Packages.Tool.Services.RetireLogger[0]
      �[33mLooking for System.Management.Automation/6.1.5�[0m�[39m�[49m
�[40m�[37mdbug�[39m�[22m�[49m: RetireNet.Packages.Tool.Services.DotNet.DotNetRunner[0]
      Path to `dotnet` : /root/dotnet/dotnet
�[40m�[37mdbug�[39m�[22m�[49m: RetireNet.Packages.Tool.Services.RetireLogger[0]
      `dotnet restore output:`  Determining projects to restore...
      
�[40m�[37mdbug�[39m�[22m�[49m: RetireNet.Packages.Tool.Services.RetireLogger[0]
      `dotnet restore errors:`
�[40m�[37mdbug�[39m�[22m�[49m: RetireNet.Packages.Tool.Services.RetireLogger[0]
      `dotnet restore exitcode:`-1
�[41m�[30mfail�[39m�[22m�[49m: RetireNet.Packages.Tool.Services.RetireLogger[0]
      Failed to `dotnet restore`. Is the current dir missing a csproj?

I can confirm dotnet project file does exists on the path and the same shell script works on windows machine.

Was wondering if any have got similar issue in past running dotnet retire from jenkins?

Better output for multitargeting projects

Scanning a multitargeting project, like NLog.Web, we get a project.assets.json with multiple targets in them. If vulnerable nugets are included for both targets, they're shown one time for each target platform. Today it only looks like a dup. To make it clear, make the output list once target platform as well as nuget package+version.

Package dotnet-retire 2.3.2 is not compatible with netcoreapp2.1

After upgrading to version 2.x.x from 1.x.x. I receive the following error:

Package dotnet-retire 2.3.2 is ot compatible with netcoreapp2.1 (.NETCoreApp,Version=v2.1). Package dotnet-retire 2.3.2 supports: netcoreapp2.1 (.NETCoreApp,Version=v2.1) / any

Am I missing something?

Add https://github.com/aspnet/Announcements/issues/334

Newtonsoft.Json.JsonReaderException: Unexpected character encountered while parsing value: <

When I execute the CLI tool I get following exception:

❯ dotnet retire                                                                                                         info: dotnet_retire.RetireLogger[0]                                                                                           Scan starting                                                                                                     
Unhandled Exception: Newtonsoft.Json.JsonReaderException: Unexpected character encountered while parsing value: <. Path '', line 0, position 0.
   at Newtonsoft.Json.JsonTextReader.ParseValue()
   at Newtonsoft.Json.JsonReader.ReadForType(JsonContract contract, Boolean hasConverter)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.Deserialize(JsonReader reader, Type objectType, Boolean checkAdditionalContent)
   at Newtonsoft.Json.JsonSerializer.DeserializeInternal(JsonReader reader, Type objectType)
   at Newtonsoft.Json.JsonConvert.DeserializeObject(String value, Type type, JsonSerializerSettings settings)
   at Newtonsoft.Json.JsonConvert.DeserializeObject[T](String value, JsonSerializerSettings settings)
   at dotnet_retire.HttpService.Get[T](Uri uri) in /Users/johnkors/koding/retirenet/dotnet-retire/dotnet-retire/Services/HttpService.cs:line 15
   at dotnet_retire.RetireApiClient.GetPackagesToRetire() in /Users/johnkors/koding/retirenet/dotnet-retire/dotnet-retire/Services/RetireApiClient.cs:line 21
   at dotnet_retire.RetireLogger.LogPackagesToRetire() in /Users/johnkors/koding/retirenet/dotnet-retire/dotnet-retire/Services/RetireLogger.cs:line 29
   at dotnet_retire.Program.Main(String[] args) in /Users/johnkors/koding/retirenet/dotnet-retire/dotnet-retire/Program.cs:line 9

Please add some sort of output format

Please add some sort of output format, like Json, Html or just a simple PNG that could be used as a badge!

Add AspNetCore.All/App metapackages/2.1.x < 2.14

Announcement: aspnet/Announcements#316
Discussion: https://github.com/aspnet/KestrelHttpServer/issues/2914

Package as a global installable tool

As of the .NET Core SDK 2.1.3XX (as of writing in preview) :

it will be possible to install tools via the cli
it will be possible to install tools globally

https://dasmulli.blog/2018/01/23/exploring-global-net-core-tools/

Consider:

Does it make sense to have a global tool run on all projections found recursively?
Naming: retire is taken by retire.js, so in any case avoid using that.

Add Microsoft Security Advisory ASPNETCore-Mar18: ASP.NET Core Denial Of Service Vulnerability

See aspnet/Announcements#300 for affected packages.

Execute at solution level

When trying to execute dotnet retire at solution level, i do get the following exception

No assets found. Are you running the tool from a folder missing a csproj?

Therefore support for solutions instead of csproj only would be really nice

Please add a link to the vulnerability in the output

Please add a link to the vulnerability in the output. (the link field in the json!)

Exclude certain projects from scan

This is a great and useful tool! I would really like to exclude my test projects though.

Some ideas I had to allow this could be:

Whitelisting to allow --path to be specified multiple times eg -p src/Project1/Project1.csproj -p src/Project2/Project2.csproj
Allowing --path to take a glob eg -p src/**/*.csproj
Adding an --exclude flag to exclude a directory eg --exclude test

At the moment I am maintaining a bash script that finds a list of *.csproj files and calls dotnet retire on them one-by-one. Are there any other known solutions?

Add vulnerability: System.IO.Pipeline/4.5.0

Announcement: dotnet/announcements#83
Discussion: https://github.com/dotnet/corefx/issues/32228

Insufficient memory to continue the execution of the program

I have a small solution with ~11 projects, running on a Windows 10 laptop with 32 GB RAM and (at the time of the run) have around 22 GB memory available to run.

However, I'm getting an out-of-memory error:

C:\augustoproiete\my-project>dotnet retire
info: RetireNet.Packages.Tool.Services.RetireLogger[0]
      Scan starting
info: RetireNet.Packages.Tool.Services.RetireLogger[0]
      Analyzing 'My.Project'
fail: RetireNet.Packages.Tool.Services.RetireLogger[0]
      Insufficient memory to continue the execution of the program.

My.Project is an ASP .NET Core app targeting .NET Core 3.1.

Microsoft Security Advisory CVE-2018-8292: .NET Core Information Disclosure Vulnerability

dotnet/announcements#88

Package name	Vulnerable versions	Secure versions
System.Net.Http	2.0.20126.16343, 2.0.20505, 2.0.20710, 4.0.0, 4.1.0, 4.1.1, 4.1.2, 4.3.0, 4.3.1, 4.3.2, 4.3.3	4.3.4 or later

Exception on mixed format solutions

An exception is thrown on running dotnet retire when

Running on a solution containing the old MSBuild style csprojs
Running it on a MSbuild style csproj directly

$ dotnet retire
info: RetireNet.Packages.Tool.Services.RetireLogger[0]
      Scan starting

Unhandled Exception: RetireNet.Packages.Tool.Services.NoAssetsFoundException: Exception of type 'RetireNet.Packages.Tool.Services.NoAssetsFoundException' was thrown.
   at RetireNet.Packages.Tool.Services.FileService.ReadLockFiles() in /Users/johnkors/koding/retirenet/dotnet-retire/src/RetireNet.Packages.Tool/Services/FileService.cs:line 64
   at RetireNet.Packages.Tool.Services.RetireLogger.LogPackagesToRetire() in /Users/johnkors/koding/retirenet/dotnet-retire/src/RetireNet.Packages.Tool/Services/RetireLogger.cs:line 62
   at RetireNet.Packages.Tool.Program.Main(String[] args) in /Users/johnkors/koding/retirenet/dotnet-retire/src/RetireNet.Packages.Tool/Program.cs:line 9

Microsoft Security Advisory CVE-2020-1597 | ASP.NET Core Denial of Service Vulnerability #431

aspnet/Announcements#431

Is this something dotnet retire can detect?

Kind regards

Add support for CycloneDX output format

I would be nice having a different output formats like CycloneDX.

They also provide a vulnerability extension to add all vulnerabilities for specific component.

The output is a bom.xml which then can be imported into Dependency Track.

What do you think?

retirenet / dotnet-retire Goto Github PK

dotnet-retire's Introduction

Build status

Components

dotnet-retire

RetireNet.Runtimes.Middleware

Install

Usage

What does it do?

Sample output

RetireNet.Runtimes.BackgroundServices

Install

Usage

What does it do?

Sample output

dotnet-retire's People

Contributors

Stargazers

Watchers

Forkers

dotnet-retire's Issues

Recommend Projects

Recommend Topics

Recommend Org