public void GetDirectReferencesWithSingleDependency()
{
var lockFile = new MockFileService("SingleTarget").ReadLockFiles().FirstOrDefault();
var references = _assetsFileParser.GetNugetReferences(lockFile);
Assert.Single(references);
Assert.Equal("Libuv", references.First().Id);
Assert.Equal("1.9.1", references.First().Version);
Assert.Single(references.First().Dependencies);
Assert.Equal("Microsoft.NETCore.Platforms", references.First().Dependencies.First().Id);
Assert.Equal("1.0.1", references.First().Dependencies.First().Version);
}
public void GetDirectReferencesWithSingleDependency()
{
var fileService = new FileService(NullLogger <FileService> .Instance, Options.Create(new RetireServiceOptions {
Path = "TestFiles/SingleTarget"
}));
var references = _assetsFileParser.GetNugetReferences(fileService.ReadLockFiles().First());
Assert.Single(references);
Assert.Equal("Libuv", references.First().Id);
Assert.Equal("1.9.1", references.First().Version);
Assert.Single(references.First().Dependencies);
Assert.Equal("Microsoft.NETCore.Platforms", references.First().Dependencies.First().Id);
Assert.Equal("1.0.1", references.First().Dependencies.First().Version);
}
internal void LogPackagesToRetireInternal()
{
// removing this line breaks logging somehow.
_logger.LogInformation("Scan starting".Green());
var packagesToRetire = _retireApiClient.GetPackagesToRetire().ToList();
foreach (var p in packagesToRetire)
{
foreach (var package in p.Packages)
{
_logger.LogTrace($"Looking for {package.Id}/{package.Affected}".Orange());
}
}
var status = _restorer.Restore();
if (status.IsSuccess)
{
_logger.LogDebug("`dotnet restore:`" + status.Output);
}
else
{
_logger.LogDebug("`dotnet restore output:`" + status.Output);
_logger.LogDebug("`dotnet restore errors:`" + status.Errors);
_logger.LogDebug("`dotnet restore exitcode:`" + status.ExitCode);
_logger.LogError("Failed to `dotnet restore`. Is the current dir missing a csproj?");
_exitCodeHandler.HandleExitCode(status.ExitCode, true);
}
var lockFiles = _fileService.ReadLockFiles();
var foundVulnerabilities = false;
foreach (var lockFile in lockFiles)
{
_logger.LogInformation($"Analyzing '{lockFile.PackageSpec.Name}'".Green());
var nugetReferences = _nugetreferenceservice.GetNugetReferences(lockFile).ToList();
_logger.LogDebug($"Found in total {nugetReferences.Count} references of NuGets (direct & transient)");
var usages = _usageFinder.FindUsagesOf(nugetReferences, packagesToRetire);
if (usages.Any())
{
foundVulnerabilities = true;
var plural = usages.Count > 1 ? "s" : string.Empty;
var grouped = usages.GroupBy(g => g.NugetReference.ToString());
var sb = new StringBuilder();
sb.AppendLine($"Found use of {grouped.Count()} vulnerable libs in {usages.Count} dependency path{plural}.");
foreach (var group in grouped)
{
sb.AppendLine();
sb.AppendLine($"* {group.FirstOrDefault().Description} in {group.Key.Red()}");
sb.AppendLine(group.FirstOrDefault().IssueUrl.ToString());
foreach (var usage in group.Where(x => !x.IsDirect))
{
sb.AppendLine(usage.ReadPath());
}
}
sb.AppendLine();
_logger.LogError(sb.ToString());
}
else
{
_logger.LogInformation("Found no usages of vulnerable libs!".Green());
}
}
_logger.LogInformation("Scan complete.");
if (foundVulnerabilities)
{
_exitCodeHandler.HandleExitCode(ExitCode.FOUND_VULNERABILITIES);
}
}
public void LogPackagesToRetire()
{
// removing this line breaks logging somehow.
_logger.LogInformation("Scan starting".Green());
var packagesToRetire = _retireApiClient.GetPackagesToRetire().ToList();
foreach (var p in packagesToRetire)
{
_logger.LogTrace($"Looking for {p.Id}/{p.Affected}".Orange());
}
var status = _restorer.Restore();
if (status.IsSuccess)
{
_logger.LogDebug("`dotnet restore:`" + status.Output);
}
else
{
_logger.LogDebug("`dotnet restore output:`" + status.Output);
_logger.LogDebug("`dotnet restore errors:`" + status.Errors);
_logger.LogDebug("`dotnet restore exitcode:`" + status.ExitCode);
_logger.LogError("Failed to `dotnet restore`. Is the current dir missing a csproj?");
return;
}
List <NugetReference> nugetReferences;
try
{
nugetReferences = _nugetreferenceservice.GetNugetReferences().ToList();
}
catch (NoAssetsFoundException)
{
_logger.LogError("No assets found. Are you running the tool from a folder missing a csproj?");
return;
}
_logger.LogDebug($"Found in total {nugetReferences.Count} references of NuGets (direct & transient)");
var usages = _usageFinder.FindUsagesOf(nugetReferences, packagesToRetire);
if (usages.Any())
{
var plural = usages.Count > 1 ? "s" : "";
var grouped = usages.GroupBy(g => g.NugetReference.ToString());
var errorLog = $"Found use of {grouped.Count()} vulnerable libs in {usages.Count} dependency path{plural}.";
foreach (var group in grouped)
{
errorLog += $"\n\n* {group.Key}".Red();
if (_logger.IsEnabled(LogLevel.Debug))
{
foreach (var usage in group)
{
if (!usage.IsDirect)
{
errorLog += $"\n{usage.ReadPath()}";
}
}
}
}
errorLog += "\n";
_logger.LogError(errorLog);
}
else
{
_logger.LogInformation($"Found no usages of vulnerable libs!".Green());
}
_logger.LogInformation($"Scan complete.");
}