public override AuditResult Audit(CancellationToken ct)
{
CallerInformation here = this.AuditEnvironment.Here();
try
{
this.GetModules();
this.GetVersion();
}
catch (Exception e)
{
if (e is NotImplementedException && e.TargetSite.Name == "GetVersion")
{
this.AuditEnvironment.Debug("{0} application does not implement standalone GetVersion method.", this.ApplicationLabel);
}
else if (e.TargetSite.Name == "GetVersion")
{
this.AuditEnvironment.Error(e, "There was an error scanning the {0} application version.", this.ApplicationLabel);
return(AuditResult.ERROR_SCANNING_VERSION);
}
else
{
this.AuditEnvironment.Error(e, "There was an error scanning the {0} application modules.", this.ApplicationLabel);
return(AuditResult.ERROR_SCANNING_MODULES);
}
}
this.GetPackagesTask(ct);
this.GetConfigurationTask(ct);
try
{
Task.WaitAll(this.PackagesTask, this.ConfigurationTask);
if (!this.SkipPackagesAudit && !this.PrintConfiguration && this.PackageSourceInitialized && this.PackagesTask.Status == TaskStatus.RanToCompletion)
{
AuditEnvironment.Success("Scanned {0} {1} packages.", this.Packages.Count(), this.PackageManagerLabel);
}
}
catch (AggregateException ae)
{
if (ae.InnerException is NotImplementedException && ae.InnerException.TargetSite.Name == "GetConfiguration")
{
this.AuditEnvironment.Debug("{0} application doe not implement standalone GetConfiguration method.", this.ApplicationId);
}
else
{
this.AuditEnvironment.Error(here, ae, "Error occurred in {0} task.", ae.InnerException.TargetSite.Name);
if (ae.TargetSite.Name == "GetPackages")
{
return(AuditResult.ERROR_SCANNING_PACKAGES);
}
else
{
return(AuditResult.ERROR_SCANNING_CONFIGURATION);
}
}
}
this.GetArtifactsTask(ct);
try
{
this.ArtifactsTask.Wait();
}
catch (AggregateException ae)
{
this.AuditEnvironment.Error("Exception thrown in GetArtifacts task.", ae.InnerException);
return(AuditResult.ERROR_SEARCHING_ARTIFACTS);
}
this.GetVulnerableCredentialStorageTask(ct);
this.GetVulnerabilitiesTask(ct);
this.GetConfigurationRulesTask(ct);
if (this.ListPackages || this.ListArtifacts || !this.ConfigurationInitialised || this.PrintConfiguration)
{
this.DefaultConfigurationRulesTask = Task.CompletedTask;
}
else
{
this.DefaultConfigurationRulesTask = Task.Run(() => this.GetDefaultConfigurationRules());
}
if (this.ListPackages || this.ListArtifacts || this.PrintConfiguration)
{
this.GetAnalyzersTask = Task.CompletedTask;
}
else if (this.ModulesInitialised && !string.IsNullOrEmpty(this.AnalyzerType))
{
this.GetAnalyzersTask = Task.Run(() => this.GetAnalyzers());
}
else
{
this.GetAnalyzersTask = Task.CompletedTask;
}
try
{
Task.WaitAll(this.VulnerableCredentialStorageTask, this.VulnerabilitiesTask, this.ConfigurationRulesTask, this.DefaultConfigurationRulesTask, this.GetAnalyzersTask);
}
catch (AggregateException ae)
{
if (ae.InnerException.TargetSite.Name == "GetVulnerabilities")
{
this.AuditEnvironment.Error(here, ae.InnerException, "Exception thrown in GetVulnerabilities task.");
return(AuditResult.ERROR_SEARCHING_VULNERABILITIES);
}
else if (ae.InnerException.TargetSite.Name == "GetVulnerableCredentialStorage")
{
this.AuditEnvironment.Error(here, ae.InnerException, "Exception thrown in GetVulnerableCredentialStorage task.");
return(AuditResult.ERROR_SCANNING_VULNERABLE_CREDENTIAL_STORAGE);
}
else if (ae.InnerException.TargetSite.Name == "GetConfigurationRules")
{
this.AuditEnvironment.Error(here, ae.InnerException, "Exception thrown in GetDefaultConfigurationRules task.");
return(AuditResult.ERROR_SCANNING_DEFAULT_CONFIGURATION_RULES);
}
else if (ae.InnerException.TargetSite.Name == "GetAnalyzers")
{
this.AuditEnvironment.Error(here, ae.InnerException, "Exception thrown in GetAnalyzers task.");
return(AuditResult.ERROR_SCANNING_ANALYZERS);
}
else
{
this.AuditEnvironment.Error(here, ae.InnerException);
return(AuditResult.ERROR_SEARCHING_VULNERABILITIES);
}
}
if (this.ListPackages || this.ListArtifacts || this.ListConfigurationRules || this.Vulnerabilities.Count == 0 || this.PrintConfiguration)
{
this.EvaluateVulnerabilitiesTask = Task.CompletedTask;
}
else
{
this.EvaluateVulnerabilitiesTask = Task.Run(() => this.EvaluateVulnerabilities(), ct);
}
if (this.ListPackages || this.ListArtifacts || this.ListConfigurationRules || this.PrintConfiguration)
{
this.EvaluateConfigurationRulesTask = Task.CompletedTask;
}
else
{
this.EvaluateConfigurationRulesTask = Task.Run(() => this.EvaluateProjectConfigurationRules(), ct);
}
if (this.ListPackages || this.ListArtifacts || this.ListConfigurationRules || this.PrintConfiguration)
{
this.GetAnalyzersResultsTask = Task.CompletedTask;
}
else if (this.AnalyzersInitialized)
{
this.GetAnalyzersResultsTask = Task.Run(() => this.GetAnalyzerResults());
}
else
{
this.GetAnalyzersResultsTask = Task.CompletedTask;
}
try
{
Task.WaitAll(this.EvaluateVulnerabilitiesTask, this.EvaluateConfigurationRulesTask, this.GetAnalyzersResultsTask);
}
catch (AggregateException ae)
{
this.AuditEnvironment.Error(here, ae.InnerException, "Exception thrown in {0} task.", ae.InnerException.TargetSite.Name);
return(AuditResult.ERROR_EVALUATING_CONFIGURATION_RULES);
}
return(AuditResult.SUCCESS);
}
public virtual AuditResult Audit(CancellationToken ct)
{
CallerInformation here = this.AuditEnvironment.Here();
this.GetPackagesTask(ct);
this.GetVulnerableCredentialStorageTask(ct);
try
{
Task.WaitAll(this.PackagesTask, this.VulnerableCredentialStorageTask);
if (!this.SkipPackagesAudit)
{
AuditEnvironment.Success("Scanned {0} {1} packages.", this.Packages.Count(), this.PackageManagerLabel);
}
}
catch (AggregateException ae)
{
this.AuditEnvironment.Error(here, ae, "Error in {0} method in GetPackages task.", ae.InnerException.TargetSite.Name);
return(AuditResult.ERROR_SCANNING_PACKAGES);
}
this.Packages = this.FilterPackagesUsingProfile();
this.GetArtifactsTask(ct);
try
{
this.ArtifactsTask.Wait();
}
catch (AggregateException ae)
{
this.AuditEnvironment.Error("Error in GetArtifacts task.", ae);
return(AuditResult.ERROR_SEARCHING_ARTIFACTS);
}
this.GetVulnerabilitiesTask(ct);
try
{
this.VulnerabilitiesTask.Wait();
}
catch (AggregateException ae)
{
this.AuditEnvironment.Error(here, ae, "Error in GetVulnerabilities task");
return(AuditResult.ERROR_SEARCHING_VULNERABILITIES);
}
if (this.Vulnerabilities.Count == 0)
{
this.EvaluateVulnerabilitiesTask = Task.CompletedTask;
}
else
{
this.EvaluateVulnerabilitiesTask = Task.Run(() => this.EvaluateVulnerabilities(), ct);
}
try
{
this.EvaluateVulnerabilitiesTask.Wait();
}
catch (AggregateException ae)
{
this.AuditEnvironment.Error(here, ae.InnerException, "Error in {0} task.", ae.InnerException.TargetSite.Name);
return(AuditResult.ERROR_EVALUATING_VULNERABILITIES);
}
if (this.Vulnerabilities.Count == 0)
{
this.ReportAuditTask = Task.CompletedTask;
this.AuditEnvironment.Info("Not reporting package source audit with zero vulnerabilities.");
}
else
{
this.ReportAuditTask = Task.Run(() => this.ReportAudit(), ct);
}
try
{
this.ReportAuditTask.Wait();
}
catch (AggregateException ae)
{
this.AuditEnvironment.Error(here, ae, "Error in {0} task.", ae.InnerException.TargetSite.Name);
}
return(AuditResult.SUCCESS);
}
public override Task <bool> ReportPackageSourceAudit()
{
if (!AuditOptions.ContainsKey("BitBucketReportAccount") || !AuditOptions.ContainsKey("BitBucketReportName") || !AuditOptions.ContainsKey("BitBucketKey"))
{
throw new ArgumentException("The BitBucketReportAccount, BitBucketReportName, and BitBucketReportKey audit options must be present.");
}
string key = (string)AuditOptions["BitBucketKey"];
string[] k = key.Split('|');
if (k.Count() != 2)
{
throw new ArgumentException("The BitBucketReportKey audit option must have the format consumer_key|secret.");
}
string consumer = k[0], secret = k[1];
string account = (string)AuditOptions["BitBucketReportAccount"];
string repository = (string)AuditOptions["BitBucketReportName"];
if (AuditOptions.ContainsKey("BitBucketReportTitle"))
{
IssueTitle = (string)AuditOptions["BitBucketReportTitle"];
}
else
{
IssueTitle = string.Format("[DevAudit] {0} audit on {1} {2}", Source.PackageManagerLabel, DateTime.UtcNow.ToShortDateString(), DateTime.UtcNow.ToShortTimeString());
}
SharpBucketV2 sharp_bucket = new SharpBucketV2();
sharp_bucket.OAuth2LeggedAuthentication(consumer, secret);
RepositoriesEndPoint repository_endpoint = sharp_bucket.RepositoriesEndPoint(account, repository);
IssuesResource r;
try
{
r = repository_endpoint.IssuesResource();
}
catch (Exception e)
{
AuditEnvironment.Error(e, "Could not get issues resource for repository {0}/{1}.", account, repository);
return(Task.FromResult(false));
}
BuildPackageSourceAuditReport();
Issue issue = new Issue()
{
title = IssueTitle,
content = IssueText.ToString(),
status = "new",
priority = "major",
kind = "bug"
};
try
{
Issue i = r.PostIssue(issue);
if (i == null)
{
AuditEnvironment.Error("Could not post issue to repository {0}/{1}.", account, repository);
return(Task.FromResult(false));
}
else
{
AuditEnvironment.Success("Created issue {0} at {1}.", i.title, i.resource_uri);
}
}
catch (Exception e)
{
AuditEnvironment.Error(e, "Could not post issue to repository {0}/{1}.", account, repository);
return(Task.FromResult(false));
}
return(Task.FromResult(true));
}
public override async Task <bool> ReportPackageSourceAudit()
{
if (!this.AuditOptions.ContainsKey("GitLabReportUrl") || !this.AuditOptions.ContainsKey("GitLabReportName") || !this.AuditOptions.ContainsKey("GitLabToken"))
{
throw new ArgumentException("A required audit option for the GitLab environment is missing.");
}
HostUrl = (string)this.AuditOptions["GitLabReportUrl"];
Token = (string)this.AuditOptions["GitLabToken"];
ProjectName = (string)this.AuditOptions["GitLabReportName"];
GitLabClient client = null;
try
{
this.AuditEnvironment.Info("Connecting to project {0} at {1}", ProjectName, HostUrl);
client = new GitLabClient(HostUrl, Token);
IEnumerable <Project> projects = await client.Projects.Owned();
Project = projects.Where(p => p.Name == ProjectName).FirstOrDefault();
this.AuditEnvironment.Info("Connected to project {0}.", Project.PathWithNamespace);
}
catch (AggregateException ae)
{
AuditEnvironment.Error(ae, "Could not get project {0} at url {1}.", ProjectName, HostUrl);
return(false);
}
catch (Exception e)
{
AuditEnvironment.Error(e, "Could not get project {0} at url {1}.", ProjectName, HostUrl);
return(false);
}
if (Project == null)
{
AuditEnvironment.Error("Could not find the project {0}.", Project.Name);
return(false);
}
if (!Project.IssuesEnabled)
{
AuditEnvironment.Error("Issues are not enabled for the project {0}/{1}.", Project.Owner, Project.Name);
return(false);
}
if (AuditOptions.ContainsKey("GitLabReportTitle"))
{
IssueTitle = (string)AuditOptions["GitLabReportTitle"];
}
else
{
IssueTitle = string.Format("[DevAudit] {2} audit on {0} {1}", DateTime.UtcNow.ToShortDateString(), DateTime.UtcNow.ToShortTimeString(), Source.PackageManagerLabel);
}
BuildPackageSourceAuditReport();
try
{
IssueCreate ic = new IssueCreate
{
ProjectId = Project.Id,
Title = IssueTitle,
Description = IssueText.ToString()
};
Issue issue = await client.Issues.CreateAsync(ic);
if (issue != null)
{
AuditEnvironment.Success("Created issue #{0} '{1}' in GitLab project {2}/{3} at host url {4}.", issue.IssueId, issue.Title, Project.Owner, ProjectName, HostUrl);
return(true);
}
else
{
AuditEnvironment.Error("Error creating new issue for project {0} at host url {1}. The issue object is null.", ProjectName, HostUrl);
return(false);
}
}
catch (AggregateException ae)
{
AuditEnvironment.Error(ae, "Error creating new issue for project {0} at host url {1}.", ProjectName, HostUrl);
return(false);
}
catch (Exception e)
{
AuditEnvironment.Error(e, "Error creating new issue for project {0} at host url {1}.", ProjectName, HostUrl);
return(false);
}
}
public virtual AuditResult Audit(CancellationToken ct)
{
CallerInformation caller = this.AuditEnvironment.Here();
this.GetPackagesTask(ct);
try
{
this.PackagesTask.Wait();
if (!this.SkipPackagesAudit)
{
AuditEnvironment.Success("Scanned {0} {1} packages.", this.Packages.Count(), this.PackageManagerLabel);
}
}
catch (AggregateException ae)
{
this.AuditEnvironment.Error(caller, ae, "Exception thrown in {0} method in GetPackages task.", ae.InnerException.TargetSite.Name);
return(AuditResult.ERROR_SCANNING_PACKAGES);
}
if (this.ListPackages || this.Packages.Count() == 0)
{
this.ArtifactsTask = this.VulnerabilitiesTask = this.EvaluateVulnerabilitiesTask = Task.CompletedTask;
}
else if (this.ListArtifacts)
{
this.ArtifactsTask = Task.Run(() => this.GetArtifacts(), ct);
}
else
{
this.ArtifactsTask = Task.CompletedTask;
}
try
{
this.ArtifactsTask.Wait();
}
catch (AggregateException ae)
{
this.AuditEnvironment.Error("Exception thrown in GetArtifacts task.", ae.InnerException);
return(AuditResult.ERROR_SEARCHING_ARTIFACTS);
}
if (this.ListPackages || this.Packages.Count() == 0 || this.ListArtifacts)
{
this.VulnerabilitiesTask = this.EvaluateVulnerabilitiesTask = Task.CompletedTask;
}
else
{
this.VulnerabilitiesTask = Task.Run(() => this.GetVulnerabiltiesApiv2(), ct);
}
try
{
this.VulnerabilitiesTask.Wait();
}
catch (AggregateException ae)
{
this.AuditEnvironment.Error(caller, ae.InnerException, "Exception thrown in GetVulnerabilities task");
return(AuditResult.ERROR_SEARCHING_VULNERABILITIES);
}
if (this.Vulnerabilities.Count == 0)
{
this.EvaluateVulnerabilitiesTask = Task.CompletedTask;
}
else
{
this.EvaluateVulnerabilitiesTask = Task.Run(() => this.EvaluateVulnerabilities(), ct);
}
try
{
this.EvaluateVulnerabilitiesTask.Wait();
}
catch (AggregateException ae)
{
this.AuditEnvironment.Error(caller, ae.InnerException, "Exception thrown in {0} task.", ae.InnerException.TargetSite.Name);
return(AuditResult.ERROR_EVALUATING_VULNERABILITIES);
}
return(AuditResult.SUCCESS);
}
