/// <summary> /// args[0] is expected to be the path to the project file. /// </summary> /// <param name="args"></param> private static void Main(string[] args) { var nugetFile = new NuGetFile(args[0]); _nuGetFile = nugetFile.Path; _settings = Settings.LoadSettings(Path.GetDirectoryName(args[0])); ConfigureLogging(Path.GetFileName(args[0])); var targetFramework = args.Length > 1 ? args[1] : ""; _pkgs = nugetFile.LoadPackages(targetFramework, _settings.CheckTransitiveDependencies).Values.ToArray(); if (_settings.ErrorSettings.BlockedPackages.Length > 0) { CheckBlockedPackages(); } if (_settings.ErrorSettings.AllowedPackages.Length > 0) { CheckAllowedPackages(); } Dictionary <string, Dictionary <string, Vulnerability> > vulnDict = null; if (_settings.OssIndex.Enabled) { vulnDict = new Scanner(_nuGetFile, _settings.OssIndex.BreakIfCannotRun, UserAgentString) .GetVulnerabilitiesForPackages(_pkgs); } if (_settings.NVD.Enabled) { vulnDict = new NVD.Scanner(_nuGetFile, TimeSpan.FromSeconds(_settings.NVD.TimeoutInSeconds), _settings.NVD.BreakIfCannotRun, _settings.NVD.SelfUpdate) .GetVulnerabilitiesForPackages(_pkgs, vulnDict); } if (_settings.ErrorSettings.IgnoredCvEs.Length > 0) { VulnerabilityData.IgnoreCVEs(vulnDict, _settings.ErrorSettings.IgnoredCvEs); } if (vulnDict == null) { Log.Logger.Information("No Vulnerabilities found in {0} packages", _pkgs.Length); } ReportVulnerabilities(vulnDict); }
/// <summary> /// args[0] is expected to be the path to the project file. /// </summary> /// <param name="args"></param> private static int Main(string[] args) { #if DOTNETTOOL if (args.Length == 0) { Console.WriteLine($"NuGetDefense v{Version}"); Console.WriteLine("-------------"); Console.WriteLine($"{Environment.NewLine}Usage:"); Console.WriteLine($"{Environment.NewLine} nugetdefense projectFile.proj TargetFrameworkMoniker"); Console.WriteLine($"{Environment.NewLine} nugetdefense SolutionFile.sln Release"); Console.WriteLine($"{Environment.NewLine} nugetdefense SolutionFile.sln Debug|Any CPU"); return(0); } #endif _settings = Settings.LoadSettings(Path.GetDirectoryName(args[0])); _projectFileName = Path.GetFileName(args[0]); ConfigureLogging(); try { Log.Logger.Verbose("Logging Configured"); Log.Logger.Verbose("Started NuGetDefense with arguments: {args}", args); var targetFramework = args.Length == 2 ? args[1] : ""; if (args[0].EndsWith(".sln", StringComparison.OrdinalIgnoreCase)) { var projects = DotNetSolution.Load(args[0]).Projects.Where(p => !p.Type.IsSolutionFolder).Select(p => p.Path).ToArray(); var specificFramework = !string.IsNullOrWhiteSpace(targetFramework); if (specificFramework) { Log.Logger.Information("Target Framework: {framework}", targetFramework); } _projects = LoadMultipleProjects(args[0], projects, specificFramework, targetFramework, true); } else if (_settings.CheckReferencedProjects) { var projects = new List <string> { args[0] }; GetProjectsReferenced(in args[0], in projects); var specificFramework = !string.IsNullOrWhiteSpace(targetFramework); if (specificFramework) { Log.Logger.Information("Target Framework: {framework}", targetFramework); } _projects = LoadMultipleProjects(args[0], projects.ToArray(), specificFramework, targetFramework, false); } else { var nugetFile = new NuGetFile(args[0]); _nuGetFile = nugetFile.Path; Log.Logger.Verbose("NuGetFile Path: {nugetFilePath}", _nuGetFile); Log.Logger.Information("Target Framework: {framework}", string.IsNullOrWhiteSpace(targetFramework) ? "Undefined" : targetFramework); Log.Logger.Verbose("Loading Packages"); Log.Logger.Verbose("Transitive Dependencies Included: {CheckTransitiveDependencies}", _settings.CheckTransitiveDependencies); if (_settings.CheckTransitiveDependencies && nugetFile.PackagesConfig) { var projects = DotNetProject.Load(args[0]).ProjectReferences.Select(p => p.FilePath).ToArray(); var specificFramework = !string.IsNullOrWhiteSpace(targetFramework); if (specificFramework) { Log.Logger.Information("Target Framework: {framework}", targetFramework); } _projects = LoadMultipleProjects(args[0], projects, specificFramework, targetFramework); } else { _projects = new Dictionary <string, NuGetPackage[]>(); _projects.Add(nugetFile.Path, nugetFile.LoadPackages(targetFramework, _settings.CheckTransitiveDependencies).Values.ToArray()); } } GetNonSensitivePackages(out var nonSensitivePackages); if (_settings.ErrorSettings.IgnoredPackages.Length > 0) { foreach (var(project, packages) in _projects.ToArray()) { IgnorePackages(in packages, _settings.ErrorSettings.IgnoredPackages, out var projPackages); _projects[project] = projPackages; } } Log.Logger.Information("Loaded {packageCount} packages", _projects.Sum(p => p.Value.Length)); if (_settings.ErrorSettings.BlockedPackages.Length > 0) { CheckBlockedPackages(); } if (_settings.ErrorSettings.AllowedPackages.Length > 0) { CheckAllowedPackages(); } Dictionary <string, Dictionary <string, Vulnerability> > vulnDict = null; if (_settings.OssIndex.Enabled) { Log.Logger.Verbose("Checking with OSSIndex for Vulnerabilities"); vulnDict = new Scanner(_nuGetFile, _settings.OssIndex.BreakIfCannotRun, UserAgentString, _settings.OssIndex.Username, _settings.OssIndex.ApiToken) .GetVulnerabilitiesForPackages(nonSensitivePackages.SelectMany(p => p.Value).ToArray()); } if (_settings.NVD.Enabled) { Log.Logger.Verbose("Checking the embedded NVD source for Vulnerabilities"); foreach (var(proj, pkgs) in _projects) { vulnDict = new NVD.Scanner(_nuGetFile, TimeSpan.FromSeconds(_settings.NVD.TimeoutInSeconds), _settings.NVD.BreakIfCannotRun, _settings.NVD.SelfUpdate) .GetVulnerabilitiesForPackages(pkgs, vulnDict); } } Log.Logger.Information("ignoring {ignoredCVECount} Vulnerabilities", _settings.ErrorSettings.IgnoredCvEs.Length); if (_settings.ErrorSettings.IgnoredCvEs.Length > 0) { VulnerabilityData.IgnoreCVEs(vulnDict, _settings.ErrorSettings.IgnoredCvEs); } ReportVulnerabilities(vulnDict); return(_settings.WarnOnly ? 0 : NumberOfVulnerabilities); } catch (Exception e) { var msBuildMessage = MsBuild.Log(_nuGetFile, MsBuild.Category.Error, $"Encountered a fatal exception while checking for Dependencies in {_nuGetFile}. Exception: {e}"); Console.WriteLine(msBuildMessage); Log.Logger.Fatal(msBuildMessage); return(-1); } }