 /// <summary>
 /// Entry point for the scan. Delegates to <c>LogPackagesToRetireInternal</c> and
 /// translates any exception it throws into a logged error plus an exit code
 /// reported through <c>_exitCodeHandler</c>.
 /// </summary>
 public void LogPackagesToRetire()
 {
     try
     {
         LogPackagesToRetireInternal();
     }
     catch (Exception ex)
     {
         // Defaults cover the "anything else" case; the checks below narrow them.
         string message = ex.Message;
         var exitCode = ExitCode.UNEXPECTED_TERMINATION;

         // Most specific first. The two IO types are tested before the custom
         // NoAssetsFoundException so the mapping matches the original catch order.
         if (ex is DirectoryNotFoundException)
         {
             exitCode = ExitCode.DIRECTORY_NOT_FOUND;
         }
         else if (ex is FileNotFoundException)
         {
             exitCode = ExitCode.FILE_NOT_FOUND;
         }
         else if (ex is NoAssetsFoundException)
         {
             message = "No assets found. Are you running the tool from a folder missing a csproj?";
             exitCode = ExitCode.ASSETS_NOT_FOUND;
         }

         // NOTE(review): only ex.Message is logged, so the exception type and stack
         // trace are lost for the unexpected case. If _logger is a
         // Microsoft.Extensions.Logging ILogger the message is also treated as a
         // template (braces become placeholders) — confirm the logger type.
         _logger.LogError(message);
         _exitCodeHandler.HandleExitCode(exitCode, true);
     }
 }
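        /// <summary>
        /// Runs the vulnerability scan: fetches the packages to retire from the
        /// retire API client, runs <c>dotnet restore</c> through <c>_restorer</c>,
        /// reads the lock files from <c>_fileService</c>, and logs every usage of a
        /// vulnerable NuGet reference found in them. Fatal conditions are reported
        /// through <c>_exitCodeHandler</c>; a completed scan that found at least one
        /// usage reports <c>ExitCode.FOUND_VULNERABILITIES</c>.
        /// </summary>
        public void LogPackagesToRetire()
        {
            // removing this line breaks logging somehow.
            _logger.LogInformation("Scan starting".Green());

            var packagesToRetire = _retireApiClient.GetPackagesToRetire().ToList();

            foreach (var p in packagesToRetire)
            {
                foreach (var package in p.Packages)
                {
                    // NOTE(review): package ids/versions come from the remote API. If
                    // _logger is a Microsoft.Extensions.Logging ILogger, the interpolated
                    // string is used as the message template, so braces inside that data
                    // would be parsed as placeholders — confirm the logger type.
                    _logger.LogTrace($"Looking for {package.Id}/{package.Affected}".Orange());
                }
            }

            var status = _restorer.Restore();

            if (status.IsSuccess)
            {
                _logger.LogDebug("`dotnet restore:`" + status.Output);
            }
            else
            {
                _logger.LogDebug("`dotnet restore output:`" + status.Output);
                _logger.LogDebug("`dotnet restore errors:`" + status.Errors);
                _logger.LogDebug("`dotnet restore exitcode:`" + status.ExitCode);

                _logger.LogError("Failed to `dotnet restore`. Is the current dir missing a csproj?");
                _exitCodeHandler.HandleExitCode(status.ExitCode, true);
            }

            // Materialised once: the original enumerated the sequence for Any() and
            // again for the foreach, which re-reads the files if ReadLockFiles is lazy.
            var lockFiles = _fileService.ReadLockFiles().ToList();

            if (!lockFiles.Any())
            {
                _logger.LogError("No assets found. Are you running the tool from a folder missing a csproj or sln?");
                _exitCodeHandler.HandleExitCode(ExitCode.FILE_NOT_FOUND, true);
                // Stop here in case the handler does not terminate the process; there is
                // nothing to scan and "Scan complete." would be misleading.
                return;
            }

            var foundVulnerabilities = false;

            foreach (var lockFile in lockFiles)
            {
                _logger.LogInformation($"Analyzing '{lockFile.PackageSpec.Name}'".Green());

                List<NugetReference> nugetReferences;
                try
                {
                    nugetReferences = _nugetreferenceservice.GetNugetReferences(lockFile).ToList();
                }
                catch (NoAssetsFoundException ex)
                {
                    _logger.LogError("No assets found. Are you running the tool from a folder missing a csproj?");
                    // NOTE(review): ex.HResult is used as the exit code here, whereas the
                    // wrapper uses ExitCode.ASSETS_NOT_FOUND — confirm the exception sets
                    // HResult deliberately.
                    _exitCodeHandler.HandleExitCode(ex.HResult, true);
                    // The original fell through to nugetReferences.Count with a null list
                    // whenever the handler returned; bail out instead.
                    return;
                }

                _logger.LogDebug($"Found in total {nugetReferences.Count} references of NuGets (direct & transient)");

                var usages = _usageFinder.FindUsagesOf(nugetReferences, packagesToRetire);

                if (usages.Any())
                {
                    foundVulnerabilities = true;
                    var plural = usages.Count > 1 ? "s" : string.Empty;
                    // Materialised once: the deferred GroupBy was previously enumerated
                    // twice (Count() and the foreach below).
                    var grouped = usages.GroupBy(g => g.NugetReference.ToString()).ToList();
                    var sb = new StringBuilder();
                    sb.AppendLine($"Found use of {grouped.Count} vulnerable libs in {usages.Count} dependency path{plural}.");

                    foreach (var group in grouped)
                    {
                        // A GroupBy group always holds at least one element, so First() is
                        // safe and avoids the silent null dereference of FirstOrDefault().
                        var first = group.First();
                        sb.AppendLine();
                        sb.AppendLine($"* {first.Description} in {group.Key.Red()}");
                        sb.AppendLine(first.IssueUrl.ToString());

                        // Direct references are already named by the group header; only
                        // transitive paths need spelling out.
                        foreach (var usage in group.Where(x => !x.IsDirect))
                        {
                            sb.AppendLine(usage.ReadPath());
                        }
                    }

                    sb.AppendLine();
                    _logger.LogError(sb.ToString());
                }
                else
                {
                    _logger.LogInformation("Found no usages of vulnerable libs!".Green());
                }
            }

            _logger.LogInformation("Scan complete.");

            if (foundVulnerabilities)
            {
                _exitCodeHandler.HandleExitCode(ExitCode.FOUND_VULNERABILITIES);
            }
        }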