/// <summary>
/// Tries to get information about the project policy.
/// </summary>
/// <param name="policy">Object that represents a project policy.</param>
/// <returns></returns>
private static bool TryGetPolicy(out ProjectPolicy policy)
{
string[] osdaFiles = Directory.GetFiles(projectPath, ".osda");
if (osdaFiles.Length == 0)
{
CommandLineUtils.PrintErrorMessage("This project does not contain a policy file (.osda).");
policy = null;
return(false);
}
policy = JsonConvert.DeserializeObject <ProjectPolicy>(File.ReadAllText(osdaFiles[0]));
if (policy.Id == "")
{
CommandLineUtils.PrintErrorMessage("Project id not specified in policy.");
return(false);
}
if (policy.Name == "")
{
CommandLineUtils.PrintErrorMessage("Project name not specified in policy.");
return(false);
}
if (policy.Admin == "")
{
CommandLineUtils.PrintErrorMessage("Project administrator name not specified in policy.");
return(false);
}
return(true);
}
/// <summary>
/// Stores a report on Central Server.
/// </summary>
/// <param name="report">Report to be stored.</param>
private static void StoreReport(string report)
{
HttpRequestMessage req = new HttpRequestMessage(HttpMethod.Post, reportAPIUrl)
{
Content = new StringContent(report, Encoding.UTF8, "application/json")
};
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", Environment.GetEnvironmentVariable("CENTRAL_SERVER_TOKEN"));
try
{
var resp = Client.SendAsync(req).Result;
if (resp.IsSuccessStatusCode)
{
CommandLineUtils.PrintSuccessMessage("Report stored with success");
}
else
{
if (resp.StatusCode == System.Net.HttpStatusCode.Unauthorized)
{
CommandLineUtils.PrintErrorMessage("Invalid Token (CENTRAL_SERVER_TOKEN)");
}
else
{
CommandLineUtils.PrintErrorMessage("An error occurred during Report storage.");
}
}
}
catch (HttpRequestException)
{
CommandLineUtils.PrintErrorMessage("An error occurred during Report storage.");
}
}
/// <summary>
/// Validates project dependencies according to their vulnerabilities and licenses.
/// </summary>
/// <param name="packages">List of packages of the project.</param>
/// <param name="policy">Project policy.</param>
/// <returns></returns>
private static async Task <List <Dependency> > ValidateProjectDependencies(List <NuGetPackage> packages, ProjectPolicy policy)
{
List <Dependency> dependencies = new List <Dependency>();
VulnerabilityEvaluationResult[] vulnerabilityEvaluationResult = null;
try
{
vulnerabilityEvaluationResult = await VulnerabilityEvaluation.EvaluatePackage(packages, policy.ApiCacheTime);
}
catch (Exception e)
{
CommandLineUtils.PrintWarningMessage($"An error occurred while trying to fetch dependencies vulnerabilities: {e.Message}");
vulnerabilitiesFetchError = true;
}
List <License>[] dependenciesLicenses = new List <License> [packages.Count];
int i = 0;
foreach (NuGetPackage package in packages)
{
PackageInfo packageInfo = PackageManager.GetPackageInfo(packagesRootPath, package.Id, package.Version);
string packageDescription = (packageInfo == null) ? "" : packageInfo.Description;
dependencies.Add(new Dependency(package.Id, package.Version, packageDescription, package.Direct, package.Children));
dependenciesLicenses[i] = new List <License>();
// It is not necessary to analyze System libraries license, only vulnerabilities
if (packageInfo != null && (packageInfo.ProjectUrl != "https://dot.net/" || !package.Id.StartsWith("System.")))
{
try
{
dependenciesLicenses[i] = await LicenseManager.TryGetLicenseName(packageInfo, policy.ApiCacheTime);
}
catch (Exception e)
{
CommandLineUtils.PrintWarningMessage($"An error occurred while trying to fetch {package.Id}.{package.Version} license: {e.Message}");
dependenciesLicenses[i] = new List <License>();
licensesFetchErrors.Add($"{package.Id}.{package.Version}");
}
}
++i;
}
i = 0;
foreach (List <License> licenses in dependenciesLicenses)
{
dependencies[i].Licenses = licenses.Select(license =>
{
license.Valid = !policy.InvalidLicenses.Contains(license.Title);
return(license);
})
.ToList();
if (!vulnerabilitiesFetchError)
{
dependencies[i].VulnerabilitiesCount = vulnerabilityEvaluationResult[i].VulnerabilitiesNumber;
dependencies[i].Vulnerabilities = vulnerabilityEvaluationResult[i].VulnerabilitiesFound;
}
++i;
}
return(dependencies);
}
public static void Main(string[] args)
{
projectPath = (args.Length == 0) ? "./" : args[0];
if (Directory.GetFiles(projectPath, "*.csproj").Length == 0)
{
Console.WriteLine(args.Length == 0 ? "Project not found in current directory" : "Project not found in the directory specified");
return;
}
DateTime startTime = DateTime.UtcNow;
CommandLineUtils.PrintInfoMessage("Plugin is running... ");
string projectName = new DirectoryInfo(projectPath).Name;
RetrieveNugetProperties(string.Format(nugetPropsFile, projectPath, projectName));
CommandLineUtils.PrintInfoMessage($"Project Name: {projectName}");
string projectFilePath = Path.Combine(projectPath, string.Format(projectFile, projectName));
if (TryGetPolicy(out ProjectPolicy policy))
{
if (File.Exists(projectFilePath))
{
CommandLineUtils.PrintInfoMessage("Finding project dependencies... ");
List <NuGetPackage> packagesFound = PackageLoader.LoadPackages(projectFilePath, projectAssetsPath)
.Distinct()
.ToList();
CommandLineUtils.PrintSuccessMessage("Finding project dependencies DONE");
CommandLineUtils.PrintInfoMessage("Searching for dependencies licenses and vulnerabilities... ");
List <Dependency> dependenciesEvaluated = ValidateProjectDependencies(packagesFound, policy).Result;
CommandLineUtils.PrintSuccessMessage("Searching for dependencies licenses and vulnerabilities DONE");
string report = GenerateReport(dependenciesEvaluated, policy);
CommandLineUtils.PrintSuccessMessage("Produced report locally.");
StoreReport(report);
double seconds = (DateTime.UtcNow - startTime).TotalSeconds;
CommandLineUtils.PrintInfoMessage("Plugin execution time: " + seconds);
}
else
{
CommandLineUtils.PrintErrorMessage($"Packages.config file not found in project {projectName}");
}
}
}