Beispiel #1
0
 /// <summary>
 /// Tries to get information about the project policy.
 /// </summary>
 /// <param name="policy">Object that represents a project policy.</param>
 /// <returns></returns>
 private static bool TryGetPolicy(out ProjectPolicy policy)
 {
     string[] osdaFiles = Directory.GetFiles(projectPath, ".osda");
     if (osdaFiles.Length == 0)
     {
         CommandLineUtils.PrintErrorMessage("This project does not contain a policy file (.osda).");
         policy = null;
         return(false);
     }
     policy = JsonConvert.DeserializeObject <ProjectPolicy>(File.ReadAllText(osdaFiles[0]));
     if (policy.Id == "")
     {
         CommandLineUtils.PrintErrorMessage("Project id not specified in policy.");
         return(false);
     }
     if (policy.Name == "")
     {
         CommandLineUtils.PrintErrorMessage("Project name not specified in policy.");
         return(false);
     }
     if (policy.Admin == "")
     {
         CommandLineUtils.PrintErrorMessage("Project administrator name not specified in policy.");
         return(false);
     }
     return(true);
 }
Beispiel #2
0
        /// <summary>
        /// Stores a report on Central Server.
        /// </summary>
        /// <param name="report">Report to be stored.</param>
        private static void StoreReport(string report)
        {
            HttpRequestMessage req = new HttpRequestMessage(HttpMethod.Post, reportAPIUrl)
            {
                Content = new StringContent(report, Encoding.UTF8, "application/json")
            };

            req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", Environment.GetEnvironmentVariable("CENTRAL_SERVER_TOKEN"));
            try
            {
                var resp = Client.SendAsync(req).Result;
                if (resp.IsSuccessStatusCode)
                {
                    CommandLineUtils.PrintSuccessMessage("Report stored with success");
                }
                else
                {
                    if (resp.StatusCode == System.Net.HttpStatusCode.Unauthorized)
                    {
                        CommandLineUtils.PrintErrorMessage("Invalid Token (CENTRAL_SERVER_TOKEN)");
                    }
                    else
                    {
                        CommandLineUtils.PrintErrorMessage("An error occurred during Report storage.");
                    }
                }
            }
            catch (HttpRequestException)
            {
                CommandLineUtils.PrintErrorMessage("An error occurred during Report storage.");
            }
        }
Beispiel #3
0
        /// <summary>
        /// Validates project dependencies according to their vulnerabilities and licenses.
        /// </summary>
        /// <param name="packages">List of packages of the project.</param>
        /// <param name="policy">Project policy.</param>
        /// <returns></returns>
        private static async Task <List <Dependency> > ValidateProjectDependencies(List <NuGetPackage> packages, ProjectPolicy policy)
        {
            List <Dependency> dependencies = new List <Dependency>();

            VulnerabilityEvaluationResult[] vulnerabilityEvaluationResult = null;
            try
            {
                vulnerabilityEvaluationResult = await VulnerabilityEvaluation.EvaluatePackage(packages, policy.ApiCacheTime);
            }
            catch (Exception e)
            {
                CommandLineUtils.PrintWarningMessage($"An error occurred while trying to fetch dependencies vulnerabilities: {e.Message}");
                vulnerabilitiesFetchError = true;
            }

            List <License>[] dependenciesLicenses = new List <License> [packages.Count];
            int i = 0;

            foreach (NuGetPackage package in packages)
            {
                PackageInfo packageInfo        = PackageManager.GetPackageInfo(packagesRootPath, package.Id, package.Version);
                string      packageDescription = (packageInfo == null) ? "" : packageInfo.Description;
                dependencies.Add(new Dependency(package.Id, package.Version, packageDescription, package.Direct, package.Children));
                dependenciesLicenses[i] = new List <License>();
                // It is not necessary to analyze System libraries license, only vulnerabilities
                if (packageInfo != null && (packageInfo.ProjectUrl != "https://dot.net/" || !package.Id.StartsWith("System.")))
                {
                    try
                    {
                        dependenciesLicenses[i] = await LicenseManager.TryGetLicenseName(packageInfo, policy.ApiCacheTime);
                    }
                    catch (Exception e)
                    {
                        CommandLineUtils.PrintWarningMessage($"An error occurred while trying to fetch {package.Id}.{package.Version} license: {e.Message}");
                        dependenciesLicenses[i] = new List <License>();
                        licensesFetchErrors.Add($"{package.Id}.{package.Version}");
                    }
                }
                ++i;
            }

            i = 0;
            foreach (List <License> licenses in dependenciesLicenses)
            {
                dependencies[i].Licenses = licenses.Select(license =>
                {
                    license.Valid = !policy.InvalidLicenses.Contains(license.Title);
                    return(license);
                })
                                           .ToList();
                if (!vulnerabilitiesFetchError)
                {
                    dependencies[i].VulnerabilitiesCount = vulnerabilityEvaluationResult[i].VulnerabilitiesNumber;
                    dependencies[i].Vulnerabilities      = vulnerabilityEvaluationResult[i].VulnerabilitiesFound;
                }
                ++i;
            }

            return(dependencies);
        }
Beispiel #4
0
        public static void Main(string[] args)
        {
            projectPath = (args.Length == 0) ? "./" : args[0];
            if (Directory.GetFiles(projectPath, "*.csproj").Length == 0)
            {
                Console.WriteLine(args.Length == 0 ? "Project not found in current directory" : "Project not found in the directory specified");
                return;
            }
            DateTime startTime = DateTime.UtcNow;

            CommandLineUtils.PrintInfoMessage("Plugin is running... ");
            string projectName = new DirectoryInfo(projectPath).Name;

            RetrieveNugetProperties(string.Format(nugetPropsFile, projectPath, projectName));
            CommandLineUtils.PrintInfoMessage($"Project Name: {projectName}");
            string projectFilePath = Path.Combine(projectPath, string.Format(projectFile, projectName));

            if (TryGetPolicy(out ProjectPolicy policy))
            {
                if (File.Exists(projectFilePath))
                {
                    CommandLineUtils.PrintInfoMessage("Finding project dependencies...  ");
                    List <NuGetPackage> packagesFound = PackageLoader.LoadPackages(projectFilePath, projectAssetsPath)
                                                        .Distinct()
                                                        .ToList();
                    CommandLineUtils.PrintSuccessMessage("Finding project dependencies DONE");
                    CommandLineUtils.PrintInfoMessage("Searching for dependencies licenses and vulnerabilities...  ");
                    List <Dependency> dependenciesEvaluated = ValidateProjectDependencies(packagesFound, policy).Result;
                    CommandLineUtils.PrintSuccessMessage("Searching for dependencies licenses and vulnerabilities DONE");
                    string report = GenerateReport(dependenciesEvaluated, policy);
                    CommandLineUtils.PrintSuccessMessage("Produced report locally.");
                    StoreReport(report);
                    double seconds = (DateTime.UtcNow - startTime).TotalSeconds;
                    CommandLineUtils.PrintInfoMessage("Plugin execution time: " + seconds);
                }
                else
                {
                    CommandLineUtils.PrintErrorMessage($"Packages.config file not found in project {projectName}");
                }
            }
        }