Build server	Platform	Status
AppVeyor	Windows
Travis	Linux
Azure DevOps	Linux

• dotnet-retire

• RetireNet.Runtimes.Middleware

• RetireNet.Runtimes.BackgroundServices

A dotnet CLI extension to check your project for known vulnerabilities.

$ dotnet tool install -g dotnet-retire

$ dotnet retire

Additional options:

• [--loglevel] {Trace|Debug|Information|Warning|Error|Critical} (default: Information)
• [--rooturl] <URL_TO_FEED> (default: https://raw.githubusercontent.com/RetireNet/Packages/master/index.json)
• [--ignore-failures] {true|false} to always return a zero exit code (default: false)
• [-p|--path] <PATH> to .csproj or .sln file (default: current directory)

Sample:

$ dotnet retire --loglevel debug

It fetches the packages listed in the corresponding packages repo in this GitHub organization (link), and checks your projects obj\project.assets.json or project.lock.json file for any match (direct, or transient).

Keeping the list of packages up to date will be done via updating that repo when announcements occur from Microsoft with additional json files with links to announcements from Microsofts security team.

Runs as part of the build (MSBuild target). Analyzes packages.config, does not handle transient dependencies.

Standalone .NET console app that analyzes a packages.config. Analyzes packages.config, does not handle transient dependencies.

We cannot detect the runtime of the app at build time, so to report use of vulnerable runtimes the app itself, the host itself can provide us reports

$ dotnet add package RetireNet.Runtimes.Middleware

Add it to your ASP.NET Core pipeline on your preferred path:

app.Map("/report", a => a.UseRuntimeVulnerabilityReport());

It will fetch the releases listed in the official metadata API provided by Microsoft, and check if your app is running on a runtime with known CVEs.

Metadata endpoint used: https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/releases-index.json

An app running on the vulnerable 2.1.11 runtime on macOS:

{
    "isVulnerable": true,
    "appRuntimeDetails": {
        "os": "OSX",
        "osPlatform": "Darwin 18.6.0 Darwin Kernel Version 18.6.0: Thu Apr 25 23:16:27 PDT 2019; root:xnu-4903.261.4~2/RELEASE_X86_64",
        "osArchitecture": "X64",
        "osBits": "64",
        "appTargetFramework": ".NETCoreApp,Version=v2.1",
        "appRuntimeVersion": "2.1.11",
        "appBits": "64"
    },
    "securityRelease": {
        "runtimeVersion": "2.1.13",
        "cvEs": [
            {
                "cve-id": " CVE-2018-8269",
                "cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8269"
            },
            {
                "cve-id": " CVE-2019-1301",
                "cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1301"
            },
            {
                "cve-id": " CVE-2019-1302",
                "cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1302"
            }
        ]
    }
}

This is the same report as for the middleware, only logging it using the configured ILogger as a WARN log statment.

$ dotnet add package RetireNet.Runtimes.BackgroundServices

Register it into the container, and provide it a interval in milliseconds how often you would like the check to execute.

services.AddRetireRuntimeHostedService(c => c.CheckInterval = 60000)

The same as for the middleware endpoint.

An app running on the vulnerable 2.1.11 runtime on macOS, using the ConsoleLogger:

warn: RetireNet.Runtimes.BackgroundServices.RetireRuntimeBackgroundService[0]
      Running on vulnerable runtime 2.1.11. Security release 2.1.13