/// <summary>
/// args[0] is expected to be the path to the project file.
/// </summary>
/// <param name="args"></param>
private static void Main(string[] args)
{
var nugetFile = new NuGetFile(args[0]);
_nuGetFile = nugetFile.Path;
_settings = Settings.LoadSettings(Path.GetDirectoryName(args[0]));
ConfigureLogging(Path.GetFileName(args[0]));
var targetFramework = args.Length > 1 ? args[1] : "";
_pkgs = nugetFile.LoadPackages(targetFramework, _settings.CheckTransitiveDependencies).Values.ToArray();
if (_settings.ErrorSettings.BlockedPackages.Length > 0)
{
CheckBlockedPackages();
}
if (_settings.ErrorSettings.AllowedPackages.Length > 0)
{
CheckAllowedPackages();
}
Dictionary <string, Dictionary <string, Vulnerability> > vulnDict = null;
if (_settings.OssIndex.Enabled)
{
vulnDict =
new Scanner(_nuGetFile, _settings.OssIndex.BreakIfCannotRun, UserAgentString)
.GetVulnerabilitiesForPackages(_pkgs);
}
if (_settings.NVD.Enabled)
{
vulnDict =
new NVD.Scanner(_nuGetFile, TimeSpan.FromSeconds(_settings.NVD.TimeoutInSeconds),
_settings.NVD.BreakIfCannotRun, _settings.NVD.SelfUpdate)
.GetVulnerabilitiesForPackages(_pkgs,
vulnDict);
}
if (_settings.ErrorSettings.IgnoredCvEs.Length > 0)
{
VulnerabilityData.IgnoreCVEs(vulnDict, _settings.ErrorSettings.IgnoredCvEs);
}
if (vulnDict == null)
{
Log.Logger.Information("No Vulnerabilities found in {0} packages", _pkgs.Length);
}
ReportVulnerabilities(vulnDict);
}
/// <summary>
/// args[0] is expected to be the path to the project file.
/// </summary>
/// <param name="args"></param>
private static int Main(string[] args)
{
#if DOTNETTOOL
if (args.Length == 0)
{
Console.WriteLine($"NuGetDefense v{Version}");
Console.WriteLine("-------------");
Console.WriteLine($"{Environment.NewLine}Usage:");
Console.WriteLine($"{Environment.NewLine} nugetdefense projectFile.proj TargetFrameworkMoniker");
Console.WriteLine($"{Environment.NewLine} nugetdefense SolutionFile.sln Release");
Console.WriteLine($"{Environment.NewLine} nugetdefense SolutionFile.sln Debug|Any CPU");
return(0);
}
#endif
_settings = Settings.LoadSettings(Path.GetDirectoryName(args[0]));
_projectFileName = Path.GetFileName(args[0]);
ConfigureLogging();
try
{
Log.Logger.Verbose("Logging Configured");
Log.Logger.Verbose("Started NuGetDefense with arguments: {args}", args);
var targetFramework = args.Length == 2 ? args[1] : "";
if (args[0].EndsWith(".sln", StringComparison.OrdinalIgnoreCase))
{
var projects = DotNetSolution.Load(args[0]).Projects.Where(p => !p.Type.IsSolutionFolder).Select(p => p.Path).ToArray();
var specificFramework = !string.IsNullOrWhiteSpace(targetFramework);
if (specificFramework)
{
Log.Logger.Information("Target Framework: {framework}", targetFramework);
}
_projects = LoadMultipleProjects(args[0], projects, specificFramework, targetFramework, true);
}
else if (_settings.CheckReferencedProjects)
{
var projects = new List <string> {
args[0]
};
GetProjectsReferenced(in args[0], in projects);
var specificFramework = !string.IsNullOrWhiteSpace(targetFramework);
if (specificFramework)
{
Log.Logger.Information("Target Framework: {framework}", targetFramework);
}
_projects = LoadMultipleProjects(args[0], projects.ToArray(), specificFramework, targetFramework, false);
}
else
{
var nugetFile = new NuGetFile(args[0]);
_nuGetFile = nugetFile.Path;
Log.Logger.Verbose("NuGetFile Path: {nugetFilePath}", _nuGetFile);
Log.Logger.Information("Target Framework: {framework}", string.IsNullOrWhiteSpace(targetFramework) ? "Undefined" : targetFramework);
Log.Logger.Verbose("Loading Packages");
Log.Logger.Verbose("Transitive Dependencies Included: {CheckTransitiveDependencies}", _settings.CheckTransitiveDependencies);
if (_settings.CheckTransitiveDependencies && nugetFile.PackagesConfig)
{
var projects = DotNetProject.Load(args[0]).ProjectReferences.Select(p => p.FilePath).ToArray();
var specificFramework = !string.IsNullOrWhiteSpace(targetFramework);
if (specificFramework)
{
Log.Logger.Information("Target Framework: {framework}", targetFramework);
}
_projects = LoadMultipleProjects(args[0], projects, specificFramework, targetFramework);
}
else
{
_projects = new Dictionary <string, NuGetPackage[]>();
_projects.Add(nugetFile.Path, nugetFile.LoadPackages(targetFramework, _settings.CheckTransitiveDependencies).Values.ToArray());
}
}
GetNonSensitivePackages(out var nonSensitivePackages);
if (_settings.ErrorSettings.IgnoredPackages.Length > 0)
{
foreach (var(project, packages) in _projects.ToArray())
{
IgnorePackages(in packages, _settings.ErrorSettings.IgnoredPackages, out var projPackages);
_projects[project] = projPackages;
}
}
Log.Logger.Information("Loaded {packageCount} packages", _projects.Sum(p => p.Value.Length));
if (_settings.ErrorSettings.BlockedPackages.Length > 0)
{
CheckBlockedPackages();
}
if (_settings.ErrorSettings.AllowedPackages.Length > 0)
{
CheckAllowedPackages();
}
Dictionary <string, Dictionary <string, Vulnerability> > vulnDict = null;
if (_settings.OssIndex.Enabled)
{
Log.Logger.Verbose("Checking with OSSIndex for Vulnerabilities");
vulnDict =
new Scanner(_nuGetFile, _settings.OssIndex.BreakIfCannotRun, UserAgentString, _settings.OssIndex.Username, _settings.OssIndex.ApiToken)
.GetVulnerabilitiesForPackages(nonSensitivePackages.SelectMany(p => p.Value).ToArray());
}
if (_settings.NVD.Enabled)
{
Log.Logger.Verbose("Checking the embedded NVD source for Vulnerabilities");
foreach (var(proj, pkgs) in _projects)
{
vulnDict =
new NVD.Scanner(_nuGetFile, TimeSpan.FromSeconds(_settings.NVD.TimeoutInSeconds),
_settings.NVD.BreakIfCannotRun, _settings.NVD.SelfUpdate)
.GetVulnerabilitiesForPackages(pkgs,
vulnDict);
}
}
Log.Logger.Information("ignoring {ignoredCVECount} Vulnerabilities", _settings.ErrorSettings.IgnoredCvEs.Length);
if (_settings.ErrorSettings.IgnoredCvEs.Length > 0)
{
VulnerabilityData.IgnoreCVEs(vulnDict, _settings.ErrorSettings.IgnoredCvEs);
}
ReportVulnerabilities(vulnDict);
return(_settings.WarnOnly ? 0 : NumberOfVulnerabilities);
}
catch (Exception e)
{
var msBuildMessage = MsBuild.Log(_nuGetFile, MsBuild.Category.Error,
$"Encountered a fatal exception while checking for Dependencies in {_nuGetFile}. Exception: {e}");
Console.WriteLine(msBuildMessage);
Log.Logger.Fatal(msBuildMessage);
return(-1);
}
}
