private async Task AssignAssetDependencies(Extract extract, Asset asset)
{
string version = extract.EcosystemVersion;
string name = extract.EcosystemIdentifier;
Dependency dependency = await GetOrCreateDependency(asset.Kind, name);
DependencyVersion latest = await versionProvider.GetLatestMetaDataAsync(dependency);
if (await context.DependencyVersions.AllAsync(dv => dv.Version != latest.Version))
{
context.DependencyVersions.Add(latest);
await context.SaveChangesAsync();
}
DependencyVersion dependencyVersion = await GetOrCreateDependencyVersion(dependency, version);
context.AssetDependencies.Add(new AssetDependency
{
AssetId = asset.Id,
DependencyId = dependency.Id,
DependencyVersionId = dependencyVersion.Id,
Asset = asset,
DependencyVersion = dependencyVersion,
Dependency = dependency
});
}
public async Task <Vulnerability> GetByDependencyVersionAsync(DependencyVersion dependencyVersion)
{
Uri packageUri = coordinateBuilder.GetPackageUrl(dependencyVersion);
using (var httpClient = new HttpClient())
{
OSSIndexClient client = new OSSIndexClient(httpClient);
OSSIndexResponse <ComponentReport> response = await client.GetAsync(packageUri);
if (response.StatusCode == (int)HttpStatusCode.OK && response.Result.Vulnerabilities.Count > 0)
{
return(new Vulnerability
{
DependencyVersionId = dependencyVersion.Id,
DependencyVersion = dependencyVersion,
Kind = Kind,
Link = response.Result.Reference.AbsoluteUri,
CheckTime = DateTime.Now,
ResponseData = System.Text.Json.JsonSerializer.Serialize(response.Result),
});
}
}
return(null);
}
public async Task <DependencyVersion> GetLatestMetaDataAsync(RegistryDto registry, Dependency dependency)
{
RegistryClientConfiguration clientConfig = new RegistryClientConfiguration(new Uri(registry.Endpoint).GetComponents(UriComponents.HostAndPort, UriFormat.SafeUnescaped));
DependencyVersion version;
if (!string.IsNullOrWhiteSpace(registry.Username) && !string.IsNullOrWhiteSpace(registry.Password))
{
using (IRegistryClient client = clientConfig.CreateClient(new PasswordOAuthAuthenticationProvider(registry.Username, registry.Password)))
{
ListImageTagsResponse imageTags = await client.Tags.ListImageTagsAsync(dependency.Name, new ListImageTagsParameters());
version = new DependencyVersion {
Dependency = dependency, DependencyId = dependency.Id, Version = imageTags.Tags.Last(), IsLatest = true
};
}
}
else
{
using (IRegistryClient client = clientConfig.CreateClient())
{
ListImageTagsResponse imageTags = await client.Tags.ListImageTagsAsync(dependency.Name, new ListImageTagsParameters());
version = new DependencyVersion {
Dependency = dependency, DependencyId = dependency.Id, Version = imageTags.Tags.Last(), IsLatest = true
};
}
}
return(version);
}
public Uri GetPackageUrl(DependencyVersion version)
{
return(version.Dependency.Kind switch
{
EcosystemKind.NuGet => new Uri($"pkg:nuget/{version.Dependency.Name}@{version.Version}"),
EcosystemKind.Npm => new Uri($"pkg:npm/{version.Dependency.Name}@{version.Version}"),
EcosystemKind.Maven => new Uri($"pkg:maven/{version.Dependency.Name}@{version.Version}"),
EcosystemKind.RubyGem => new Uri($"pkg:gem/{version.Dependency.Name}@{version.Version}"),
EcosystemKind.PyPi => new Uri($"pkg:pypi/{version.Dependency.Name}@{version.Version}"),
EcosystemKind.Docker => new Uri($"pkg:docker/{version.Dependency.Name}@{version.Version}"),
_ => throw new NotSupportedException($"Could not build OSS Index Package URI because {version.Dependency.Kind} is not supported.")
});
private async Task <DependencyVersion> GetOrCreateDependencyVersion(Dependency dependency, string version)
{
DependencyVersion dependencyVersion = await context.DependencyVersions.FirstOrDefaultAsync(v => v.DependencyId == dependency.Id && v.Version == version) ?? new DependencyVersion
{
Dependency = dependency, DependencyId = dependency.Id, Version = version
};
if (context.Entry(dependencyVersion).State == EntityState.Detached)
{
context.DependencyVersions.Add(dependencyVersion);
await context.SaveChangesAsync();
}
return(dependencyVersion);
}
private async Task <DependencyVersion> GetVersionByProviders(Dependency dependency)
{
List <RegistryDto> registries = await registryService.GetEnabledByKindAsync(dependency.Kind);
foreach (var registry in registries)
{
encryptionService.Decrypt(registry);
}
DependencyVersion version = null;
foreach (IDependencyVersionProvider service in providers.Where(service => service.Supports(dependency.Kind)))
{
foreach (RegistryDto registry in registries)
{
try
{
version = await GetVersionByProviderAndRegistry(dependency, service, registry);
if (version != null)
{
break;
}
}
catch (Exception e)
{
logger.LogError(e, $"{nameof(GetVersionByProviders)}::[{dependency.Name}]::[{registry.Endpoint}]::ERROR");
}
}
if (version != null)
{
break;
}
}
if (version == null)
{
logger.LogInformation($"{nameof(GetVersionByProviders)}::[{dependency.Name}]::SEARCH::FAIL");
version = new DependencyVersion {
IsLatest = false, Version = "UNKNOWN", Dependency = dependency, DependencyId = dependency.Id
};
}
cache.Set(dependency.Id, version, absoluteExpiration: DateTimeOffset.Now.AddHours(24));
return(version);
}
public async Task <IEnumerable <Vulnerability> > GetByDependencyVersionAsync(DependencyVersion dependencyVersion)
{
List <Vulnerability> reports = new List <Vulnerability>();
using (var scope = logger.BeginScope($"{nameof(GetByDependencyVersionAsync)}::[{dependencyVersion.Dependency.Name}]::[{dependencyVersion.Version}]::REPORT"))
{
foreach (IVulnerabilityProvider provider in providers)
{
Vulnerability report = await provider.GetByDependencyVersionAsync(dependencyVersion);
reports.Add(report);
}
}
return(reports);
}
public async Task RefreshDependencyByIdAsync(Guid dependencyId)
{
Dependency dependency = await context.Dependencies.FindAsync(dependencyId);
DependencyVersion latestVersion = await versionProvider.GetLatestMetaDataAsync(dependency);
List <DependencyVersion> currentVersions = await context.DependencyVersions.Where(x => x.DependencyId == dependencyId).ToListAsync();
if (currentVersions.All(current => current.Version != latestVersion.Version))
{
currentVersions.ForEach(v => v.IsLatest = false);
context.DependencyVersions.UpdateRange(currentVersions);
context.DependencyVersions.Add(latestVersion);
}
await context.SaveChangesAsync();
}
private async Task <DependencyVersion> GetVersionByProviderAndRegistry(Dependency dependency, IDependencyVersionProvider service, RegistryDto registry)
{
logger.LogInformation($"{nameof(GetVersionByProviderAndRegistry)}::[{dependency.Name}]::[{registry.Endpoint}]::SEARCH::");
DependencyVersion version = null;
using (var serviceScope = logger.BeginScope($"{nameof(GetVersionByProviderAndRegistry)}::[{service.GetType().Name}]::SEARCH"))
{
version = await service.GetLatestMetaDataAsync(registry, dependency);
}
if (version != null)
{
logger.LogInformation($"{nameof(GetVersionByProviderAndRegistry)}::[{dependency.Name}]::[{registry.Endpoint}]::SUCCESS::[{version.Version}]");
}
else
{
logger.LogInformation($"{nameof(GetVersionByProviderAndRegistry)}::[{dependency.Name}]::[{registry.Endpoint}]::FAIL");
}
return(version);
}
