private async Task AssignAssetDependencies(Extract extract, Asset asset) { string version = extract.EcosystemVersion; string name = extract.EcosystemIdentifier; Dependency dependency = await GetOrCreateDependency(asset.Kind, name); DependencyVersion latest = await versionProvider.GetLatestMetaDataAsync(dependency); if (await context.DependencyVersions.AllAsync(dv => dv.Version != latest.Version)) { context.DependencyVersions.Add(latest); await context.SaveChangesAsync(); } DependencyVersion dependencyVersion = await GetOrCreateDependencyVersion(dependency, version); context.AssetDependencies.Add(new AssetDependency { AssetId = asset.Id, DependencyId = dependency.Id, DependencyVersionId = dependencyVersion.Id, Asset = asset, DependencyVersion = dependencyVersion, Dependency = dependency }); }
public async Task <Vulnerability> GetByDependencyVersionAsync(DependencyVersion dependencyVersion) { Uri packageUri = coordinateBuilder.GetPackageUrl(dependencyVersion); using (var httpClient = new HttpClient()) { OSSIndexClient client = new OSSIndexClient(httpClient); OSSIndexResponse <ComponentReport> response = await client.GetAsync(packageUri); if (response.StatusCode == (int)HttpStatusCode.OK && response.Result.Vulnerabilities.Count > 0) { return(new Vulnerability { DependencyVersionId = dependencyVersion.Id, DependencyVersion = dependencyVersion, Kind = Kind, Link = response.Result.Reference.AbsoluteUri, CheckTime = DateTime.Now, ResponseData = System.Text.Json.JsonSerializer.Serialize(response.Result), }); } } return(null); }
public async Task <DependencyVersion> GetLatestMetaDataAsync(RegistryDto registry, Dependency dependency) { RegistryClientConfiguration clientConfig = new RegistryClientConfiguration(new Uri(registry.Endpoint).GetComponents(UriComponents.HostAndPort, UriFormat.SafeUnescaped)); DependencyVersion version; if (!string.IsNullOrWhiteSpace(registry.Username) && !string.IsNullOrWhiteSpace(registry.Password)) { using (IRegistryClient client = clientConfig.CreateClient(new PasswordOAuthAuthenticationProvider(registry.Username, registry.Password))) { ListImageTagsResponse imageTags = await client.Tags.ListImageTagsAsync(dependency.Name, new ListImageTagsParameters()); version = new DependencyVersion { Dependency = dependency, DependencyId = dependency.Id, Version = imageTags.Tags.Last(), IsLatest = true }; } } else { using (IRegistryClient client = clientConfig.CreateClient()) { ListImageTagsResponse imageTags = await client.Tags.ListImageTagsAsync(dependency.Name, new ListImageTagsParameters()); version = new DependencyVersion { Dependency = dependency, DependencyId = dependency.Id, Version = imageTags.Tags.Last(), IsLatest = true }; } } return(version); }
public Uri GetPackageUrl(DependencyVersion version) { return(version.Dependency.Kind switch { EcosystemKind.NuGet => new Uri($"pkg:nuget/{version.Dependency.Name}@{version.Version}"), EcosystemKind.Npm => new Uri($"pkg:npm/{version.Dependency.Name}@{version.Version}"), EcosystemKind.Maven => new Uri($"pkg:maven/{version.Dependency.Name}@{version.Version}"), EcosystemKind.RubyGem => new Uri($"pkg:gem/{version.Dependency.Name}@{version.Version}"), EcosystemKind.PyPi => new Uri($"pkg:pypi/{version.Dependency.Name}@{version.Version}"), EcosystemKind.Docker => new Uri($"pkg:docker/{version.Dependency.Name}@{version.Version}"), _ => throw new NotSupportedException($"Could not build OSS Index Package URI because {version.Dependency.Kind} is not supported.") });
private async Task <DependencyVersion> GetOrCreateDependencyVersion(Dependency dependency, string version) { DependencyVersion dependencyVersion = await context.DependencyVersions.FirstOrDefaultAsync(v => v.DependencyId == dependency.Id && v.Version == version) ?? new DependencyVersion { Dependency = dependency, DependencyId = dependency.Id, Version = version }; if (context.Entry(dependencyVersion).State == EntityState.Detached) { context.DependencyVersions.Add(dependencyVersion); await context.SaveChangesAsync(); } return(dependencyVersion); }
private async Task <DependencyVersion> GetVersionByProviders(Dependency dependency) { List <RegistryDto> registries = await registryService.GetEnabledByKindAsync(dependency.Kind); foreach (var registry in registries) { encryptionService.Decrypt(registry); } DependencyVersion version = null; foreach (IDependencyVersionProvider service in providers.Where(service => service.Supports(dependency.Kind))) { foreach (RegistryDto registry in registries) { try { version = await GetVersionByProviderAndRegistry(dependency, service, registry); if (version != null) { break; } } catch (Exception e) { logger.LogError(e, $"{nameof(GetVersionByProviders)}::[{dependency.Name}]::[{registry.Endpoint}]::ERROR"); } } if (version != null) { break; } } if (version == null) { logger.LogInformation($"{nameof(GetVersionByProviders)}::[{dependency.Name}]::SEARCH::FAIL"); version = new DependencyVersion { IsLatest = false, Version = "UNKNOWN", Dependency = dependency, DependencyId = dependency.Id }; } cache.Set(dependency.Id, version, absoluteExpiration: DateTimeOffset.Now.AddHours(24)); return(version); }
public async Task <IEnumerable <Vulnerability> > GetByDependencyVersionAsync(DependencyVersion dependencyVersion) { List <Vulnerability> reports = new List <Vulnerability>(); using (var scope = logger.BeginScope($"{nameof(GetByDependencyVersionAsync)}::[{dependencyVersion.Dependency.Name}]::[{dependencyVersion.Version}]::REPORT")) { foreach (IVulnerabilityProvider provider in providers) { Vulnerability report = await provider.GetByDependencyVersionAsync(dependencyVersion); reports.Add(report); } } return(reports); }
public async Task RefreshDependencyByIdAsync(Guid dependencyId) { Dependency dependency = await context.Dependencies.FindAsync(dependencyId); DependencyVersion latestVersion = await versionProvider.GetLatestMetaDataAsync(dependency); List <DependencyVersion> currentVersions = await context.DependencyVersions.Where(x => x.DependencyId == dependencyId).ToListAsync(); if (currentVersions.All(current => current.Version != latestVersion.Version)) { currentVersions.ForEach(v => v.IsLatest = false); context.DependencyVersions.UpdateRange(currentVersions); context.DependencyVersions.Add(latestVersion); } await context.SaveChangesAsync(); }
private async Task <DependencyVersion> GetVersionByProviderAndRegistry(Dependency dependency, IDependencyVersionProvider service, RegistryDto registry) { logger.LogInformation($"{nameof(GetVersionByProviderAndRegistry)}::[{dependency.Name}]::[{registry.Endpoint}]::SEARCH::"); DependencyVersion version = null; using (var serviceScope = logger.BeginScope($"{nameof(GetVersionByProviderAndRegistry)}::[{service.GetType().Name}]::SEARCH")) { version = await service.GetLatestMetaDataAsync(registry, dependency); } if (version != null) { logger.LogInformation($"{nameof(GetVersionByProviderAndRegistry)}::[{dependency.Name}]::[{registry.Endpoint}]::SUCCESS::[{version.Version}]"); } else { logger.LogInformation($"{nameof(GetVersionByProviderAndRegistry)}::[{dependency.Name}]::[{registry.Endpoint}]::FAIL"); } return(version); }