public override AuditResult Audit(CancellationToken ct) { CallerInformation here = this.AuditEnvironment.Here(); try { this.GetModules(); this.GetVersion(); } catch (Exception e) { if (e is NotImplementedException && e.TargetSite.Name == "GetVersion") { this.AuditEnvironment.Debug("{0} application does not implement standalone GetVersion method.", this.ApplicationLabel); } else if (e.TargetSite.Name == "GetVersion") { this.AuditEnvironment.Error(e, "There was an error scanning the {0} application version.", this.ApplicationLabel); return(AuditResult.ERROR_SCANNING_VERSION); } else { this.AuditEnvironment.Error(e, "There was an error scanning the {0} application modules.", this.ApplicationLabel); return(AuditResult.ERROR_SCANNING_MODULES); } } this.GetPackagesTask(ct); this.GetConfigurationTask(ct); try { Task.WaitAll(this.PackagesTask, this.ConfigurationTask); if (!this.SkipPackagesAudit && !this.PrintConfiguration && this.PackageSourceInitialized && this.PackagesTask.Status == TaskStatus.RanToCompletion) { AuditEnvironment.Success("Scanned {0} {1} packages.", this.Packages.Count(), this.PackageManagerLabel); } } catch (AggregateException ae) { if (ae.InnerException is NotImplementedException && ae.InnerException.TargetSite.Name == "GetConfiguration") { this.AuditEnvironment.Debug("{0} application doe not implement standalone GetConfiguration method.", this.ApplicationId); } else { this.AuditEnvironment.Error(here, ae, "Error occurred in {0} task.", ae.InnerException.TargetSite.Name); if (ae.TargetSite.Name == "GetPackages") { return(AuditResult.ERROR_SCANNING_PACKAGES); } else { return(AuditResult.ERROR_SCANNING_CONFIGURATION); } } } this.GetArtifactsTask(ct); try { this.ArtifactsTask.Wait(); } catch (AggregateException ae) { this.AuditEnvironment.Error("Exception thrown in GetArtifacts task.", ae.InnerException); return(AuditResult.ERROR_SEARCHING_ARTIFACTS); } this.GetVulnerableCredentialStorageTask(ct); this.GetVulnerabilitiesTask(ct); this.GetConfigurationRulesTask(ct); if (this.ListPackages || this.ListArtifacts || !this.ConfigurationInitialised || this.PrintConfiguration) { this.DefaultConfigurationRulesTask = Task.CompletedTask; } else { this.DefaultConfigurationRulesTask = Task.Run(() => this.GetDefaultConfigurationRules()); } if (this.ListPackages || this.ListArtifacts || this.PrintConfiguration) { this.GetAnalyzersTask = Task.CompletedTask; } else if (this.ModulesInitialised && !string.IsNullOrEmpty(this.AnalyzerType)) { this.GetAnalyzersTask = Task.Run(() => this.GetAnalyzers()); } else { this.GetAnalyzersTask = Task.CompletedTask; } try { Task.WaitAll(this.VulnerableCredentialStorageTask, this.VulnerabilitiesTask, this.ConfigurationRulesTask, this.DefaultConfigurationRulesTask, this.GetAnalyzersTask); } catch (AggregateException ae) { if (ae.InnerException.TargetSite.Name == "GetVulnerabilities") { this.AuditEnvironment.Error(here, ae.InnerException, "Exception thrown in GetVulnerabilities task."); return(AuditResult.ERROR_SEARCHING_VULNERABILITIES); } else if (ae.InnerException.TargetSite.Name == "GetVulnerableCredentialStorage") { this.AuditEnvironment.Error(here, ae.InnerException, "Exception thrown in GetVulnerableCredentialStorage task."); return(AuditResult.ERROR_SCANNING_VULNERABLE_CREDENTIAL_STORAGE); } else if (ae.InnerException.TargetSite.Name == "GetConfigurationRules") { this.AuditEnvironment.Error(here, ae.InnerException, "Exception thrown in GetDefaultConfigurationRules task."); return(AuditResult.ERROR_SCANNING_DEFAULT_CONFIGURATION_RULES); } else if (ae.InnerException.TargetSite.Name == "GetAnalyzers") { this.AuditEnvironment.Error(here, ae.InnerException, "Exception thrown in GetAnalyzers task."); return(AuditResult.ERROR_SCANNING_ANALYZERS); } else { this.AuditEnvironment.Error(here, ae.InnerException); return(AuditResult.ERROR_SEARCHING_VULNERABILITIES); } } if (this.ListPackages || this.ListArtifacts || this.ListConfigurationRules || this.Vulnerabilities.Count == 0 || this.PrintConfiguration) { this.EvaluateVulnerabilitiesTask = Task.CompletedTask; } else { this.EvaluateVulnerabilitiesTask = Task.Run(() => this.EvaluateVulnerabilities(), ct); } if (this.ListPackages || this.ListArtifacts || this.ListConfigurationRules || this.PrintConfiguration) { this.EvaluateConfigurationRulesTask = Task.CompletedTask; } else { this.EvaluateConfigurationRulesTask = Task.Run(() => this.EvaluateProjectConfigurationRules(), ct); } if (this.ListPackages || this.ListArtifacts || this.ListConfigurationRules || this.PrintConfiguration) { this.GetAnalyzersResultsTask = Task.CompletedTask; } else if (this.AnalyzersInitialized) { this.GetAnalyzersResultsTask = Task.Run(() => this.GetAnalyzerResults()); } else { this.GetAnalyzersResultsTask = Task.CompletedTask; } try { Task.WaitAll(this.EvaluateVulnerabilitiesTask, this.EvaluateConfigurationRulesTask, this.GetAnalyzersResultsTask); } catch (AggregateException ae) { this.AuditEnvironment.Error(here, ae.InnerException, "Exception thrown in {0} task.", ae.InnerException.TargetSite.Name); return(AuditResult.ERROR_EVALUATING_CONFIGURATION_RULES); } return(AuditResult.SUCCESS); }
public virtual AuditResult Audit(CancellationToken ct) { CallerInformation here = this.AuditEnvironment.Here(); this.GetPackagesTask(ct); this.GetVulnerableCredentialStorageTask(ct); try { Task.WaitAll(this.PackagesTask, this.VulnerableCredentialStorageTask); if (!this.SkipPackagesAudit) { AuditEnvironment.Success("Scanned {0} {1} packages.", this.Packages.Count(), this.PackageManagerLabel); } } catch (AggregateException ae) { this.AuditEnvironment.Error(here, ae, "Error in {0} method in GetPackages task.", ae.InnerException.TargetSite.Name); return(AuditResult.ERROR_SCANNING_PACKAGES); } this.Packages = this.FilterPackagesUsingProfile(); this.GetArtifactsTask(ct); try { this.ArtifactsTask.Wait(); } catch (AggregateException ae) { this.AuditEnvironment.Error("Error in GetArtifacts task.", ae); return(AuditResult.ERROR_SEARCHING_ARTIFACTS); } this.GetVulnerabilitiesTask(ct); try { this.VulnerabilitiesTask.Wait(); } catch (AggregateException ae) { this.AuditEnvironment.Error(here, ae, "Error in GetVulnerabilities task"); return(AuditResult.ERROR_SEARCHING_VULNERABILITIES); } if (this.Vulnerabilities.Count == 0) { this.EvaluateVulnerabilitiesTask = Task.CompletedTask; } else { this.EvaluateVulnerabilitiesTask = Task.Run(() => this.EvaluateVulnerabilities(), ct); } try { this.EvaluateVulnerabilitiesTask.Wait(); } catch (AggregateException ae) { this.AuditEnvironment.Error(here, ae.InnerException, "Error in {0} task.", ae.InnerException.TargetSite.Name); return(AuditResult.ERROR_EVALUATING_VULNERABILITIES); } if (this.Vulnerabilities.Count == 0) { this.ReportAuditTask = Task.CompletedTask; this.AuditEnvironment.Info("Not reporting package source audit with zero vulnerabilities."); } else { this.ReportAuditTask = Task.Run(() => this.ReportAudit(), ct); } try { this.ReportAuditTask.Wait(); } catch (AggregateException ae) { this.AuditEnvironment.Error(here, ae, "Error in {0} task.", ae.InnerException.TargetSite.Name); } return(AuditResult.SUCCESS); }
public override Task <bool> ReportPackageSourceAudit() { if (!AuditOptions.ContainsKey("BitBucketReportAccount") || !AuditOptions.ContainsKey("BitBucketReportName") || !AuditOptions.ContainsKey("BitBucketKey")) { throw new ArgumentException("The BitBucketReportAccount, BitBucketReportName, and BitBucketReportKey audit options must be present."); } string key = (string)AuditOptions["BitBucketKey"]; string[] k = key.Split('|'); if (k.Count() != 2) { throw new ArgumentException("The BitBucketReportKey audit option must have the format consumer_key|secret."); } string consumer = k[0], secret = k[1]; string account = (string)AuditOptions["BitBucketReportAccount"]; string repository = (string)AuditOptions["BitBucketReportName"]; if (AuditOptions.ContainsKey("BitBucketReportTitle")) { IssueTitle = (string)AuditOptions["BitBucketReportTitle"]; } else { IssueTitle = string.Format("[DevAudit] {0} audit on {1} {2}", Source.PackageManagerLabel, DateTime.UtcNow.ToShortDateString(), DateTime.UtcNow.ToShortTimeString()); } SharpBucketV2 sharp_bucket = new SharpBucketV2(); sharp_bucket.OAuth2LeggedAuthentication(consumer, secret); RepositoriesEndPoint repository_endpoint = sharp_bucket.RepositoriesEndPoint(account, repository); IssuesResource r; try { r = repository_endpoint.IssuesResource(); } catch (Exception e) { AuditEnvironment.Error(e, "Could not get issues resource for repository {0}/{1}.", account, repository); return(Task.FromResult(false)); } BuildPackageSourceAuditReport(); Issue issue = new Issue() { title = IssueTitle, content = IssueText.ToString(), status = "new", priority = "major", kind = "bug" }; try { Issue i = r.PostIssue(issue); if (i == null) { AuditEnvironment.Error("Could not post issue to repository {0}/{1}.", account, repository); return(Task.FromResult(false)); } else { AuditEnvironment.Success("Created issue {0} at {1}.", i.title, i.resource_uri); } } catch (Exception e) { AuditEnvironment.Error(e, "Could not post issue to repository {0}/{1}.", account, repository); return(Task.FromResult(false)); } return(Task.FromResult(true)); }
public override async Task <bool> ReportPackageSourceAudit() { if (!this.AuditOptions.ContainsKey("GitLabReportUrl") || !this.AuditOptions.ContainsKey("GitLabReportName") || !this.AuditOptions.ContainsKey("GitLabToken")) { throw new ArgumentException("A required audit option for the GitLab environment is missing."); } HostUrl = (string)this.AuditOptions["GitLabReportUrl"]; Token = (string)this.AuditOptions["GitLabToken"]; ProjectName = (string)this.AuditOptions["GitLabReportName"]; GitLabClient client = null; try { this.AuditEnvironment.Info("Connecting to project {0} at {1}", ProjectName, HostUrl); client = new GitLabClient(HostUrl, Token); IEnumerable <Project> projects = await client.Projects.Owned(); Project = projects.Where(p => p.Name == ProjectName).FirstOrDefault(); this.AuditEnvironment.Info("Connected to project {0}.", Project.PathWithNamespace); } catch (AggregateException ae) { AuditEnvironment.Error(ae, "Could not get project {0} at url {1}.", ProjectName, HostUrl); return(false); } catch (Exception e) { AuditEnvironment.Error(e, "Could not get project {0} at url {1}.", ProjectName, HostUrl); return(false); } if (Project == null) { AuditEnvironment.Error("Could not find the project {0}.", Project.Name); return(false); } if (!Project.IssuesEnabled) { AuditEnvironment.Error("Issues are not enabled for the project {0}/{1}.", Project.Owner, Project.Name); return(false); } if (AuditOptions.ContainsKey("GitLabReportTitle")) { IssueTitle = (string)AuditOptions["GitLabReportTitle"]; } else { IssueTitle = string.Format("[DevAudit] {2} audit on {0} {1}", DateTime.UtcNow.ToShortDateString(), DateTime.UtcNow.ToShortTimeString(), Source.PackageManagerLabel); } BuildPackageSourceAuditReport(); try { IssueCreate ic = new IssueCreate { ProjectId = Project.Id, Title = IssueTitle, Description = IssueText.ToString() }; Issue issue = await client.Issues.CreateAsync(ic); if (issue != null) { AuditEnvironment.Success("Created issue #{0} '{1}' in GitLab project {2}/{3} at host url {4}.", issue.IssueId, issue.Title, Project.Owner, ProjectName, HostUrl); return(true); } else { AuditEnvironment.Error("Error creating new issue for project {0} at host url {1}. The issue object is null.", ProjectName, HostUrl); return(false); } } catch (AggregateException ae) { AuditEnvironment.Error(ae, "Error creating new issue for project {0} at host url {1}.", ProjectName, HostUrl); return(false); } catch (Exception e) { AuditEnvironment.Error(e, "Error creating new issue for project {0} at host url {1}.", ProjectName, HostUrl); return(false); } }
public virtual AuditResult Audit(CancellationToken ct) { CallerInformation caller = this.AuditEnvironment.Here(); this.GetPackagesTask(ct); try { this.PackagesTask.Wait(); if (!this.SkipPackagesAudit) { AuditEnvironment.Success("Scanned {0} {1} packages.", this.Packages.Count(), this.PackageManagerLabel); } } catch (AggregateException ae) { this.AuditEnvironment.Error(caller, ae, "Exception thrown in {0} method in GetPackages task.", ae.InnerException.TargetSite.Name); return(AuditResult.ERROR_SCANNING_PACKAGES); } if (this.ListPackages || this.Packages.Count() == 0) { this.ArtifactsTask = this.VulnerabilitiesTask = this.EvaluateVulnerabilitiesTask = Task.CompletedTask; } else if (this.ListArtifacts) { this.ArtifactsTask = Task.Run(() => this.GetArtifacts(), ct); } else { this.ArtifactsTask = Task.CompletedTask; } try { this.ArtifactsTask.Wait(); } catch (AggregateException ae) { this.AuditEnvironment.Error("Exception thrown in GetArtifacts task.", ae.InnerException); return(AuditResult.ERROR_SEARCHING_ARTIFACTS); } if (this.ListPackages || this.Packages.Count() == 0 || this.ListArtifacts) { this.VulnerabilitiesTask = this.EvaluateVulnerabilitiesTask = Task.CompletedTask; } else { this.VulnerabilitiesTask = Task.Run(() => this.GetVulnerabiltiesApiv2(), ct); } try { this.VulnerabilitiesTask.Wait(); } catch (AggregateException ae) { this.AuditEnvironment.Error(caller, ae.InnerException, "Exception thrown in GetVulnerabilities task"); return(AuditResult.ERROR_SEARCHING_VULNERABILITIES); } if (this.Vulnerabilities.Count == 0) { this.EvaluateVulnerabilitiesTask = Task.CompletedTask; } else { this.EvaluateVulnerabilitiesTask = Task.Run(() => this.EvaluateVulnerabilities(), ct); } try { this.EvaluateVulnerabilitiesTask.Wait(); } catch (AggregateException ae) { this.AuditEnvironment.Error(caller, ae.InnerException, "Exception thrown in {0} task.", ae.InnerException.TargetSite.Name); return(AuditResult.ERROR_EVALUATING_VULNERABILITIES); } return(AuditResult.SUCCESS); }