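 /// <summary>
 /// Applies the audit profile's "exclude" rules that target this package manager to <see cref="Packages"/>.
 /// A rule's MatchName is a regular expression matched against the package name; when MatchVersion is also
 /// set, the package version must additionally fall inside that range for the package to be excluded.
 /// </summary>
 /// <returns>
 /// A filtered copy of <see cref="Packages"/>, or <see cref="Packages"/> itself when there is nothing to
 /// filter (no packages, no profile, no rules, or no exclude rule for <see cref="PackageManagerId"/>).
 /// </returns>
 protected IEnumerable <Package> FilterPackagesUsingProfile()
 {
     if (this.Packages == null || !this.Packages.Any() || this.AuditProfile == null || this.AuditProfile.Rules == null)
     {
         return this.Packages;
     }

     List <AuditProfileRule> exclude_rules = this.AuditProfile.Rules
         .Where(r => r.Category == "exclude" && r.Target == this.PackageManagerId)
         .ToList();
     if (exclude_rules.Count == 0)
     {
         return this.Packages;
     }

     List <Package> packages = this.Packages.ToList();
     foreach (AuditProfileRule rule in exclude_rules.Where(r => !string.IsNullOrEmpty(r.MatchName)))
     {
         try
         {
             // MatchName comes from the audit profile file, not from code: compile it once per rule and
             // bound its running time so a pathological pattern cannot stall the audit. An invalid pattern
             // or a timeout is reported below and the rule is skipped, exactly like any other match error.
             Regex name_pattern        = new Regex(rule.MatchName, RegexOptions.None, TimeSpan.FromSeconds(2));
             bool  version_constrained = !string.IsNullOrEmpty(rule.MatchVersion);

             // Build the surviving list first and swap it in afterwards, so an exception thrown part-way
             // through the version check leaves the package list untouched instead of half-compacted.
             List <Package> kept = packages
                 .Where(p => !(p.Name != null && name_pattern.IsMatch(p.Name) &&
                               (!version_constrained || this.IsVulnerabilityVersionInPackageVersionRange(rule.MatchVersion, p.Version))))
                 .ToList();
             int excluded = packages.Count - kept.Count;
             packages = kept;
             if (excluded > 0)
             {
                 AuditEnvironment.Info("Excluded {0} package(s) using audit profile rules.", excluded);
             }
         }
         catch (Exception e)
         {
             AuditEnvironment.Warning("Error attempting to match name {0} with a package name: {1}. Skipping rule.", rule.MatchName, e.Message);
         }
     }
     return packages;
 }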
        public override async Task <bool> ReportPackageSourceAudit()
        {
            if (!AuditOptions.ContainsKey("GitHubReportOwner") || !AuditOptions.ContainsKey("GitHubReportName") || !AuditOptions.ContainsKey("GitHubToken"))
            {
                throw new ArgumentException("The GitHubReportOwner, GitHubReportName, and GitHubReportOwner audit options must be present.");
            }
            if (AuditOptions.ContainsKey("GitHubReportTitle"))
            {
                IssueTitle = (string)AuditOptions["GitHubReportTitle"];
            }
            else
            {
                IssueTitle = string.Format("[DevAudit] {2} audit on {0} {1}", DateTime.UtcNow.ToShortDateString(), DateTime.UtcNow.ToShortTimeString(), Source.PackageManagerLabel);
            }
            GitHubClient client;

            client             = new GitHubClient(new ProductHeaderValue("DevAudit"));
            client.Credentials = new Credentials((string)AuditOptions["GitHubToken"]);
            Repository repository;

            try
            {
                repository = await client.Repository.Get((string)AuditOptions["GitHubReportOwner"], (string)AuditOptions["GitHubReportName"]);
            }
            catch (Exception)
            {
                AuditEnvironment.Warning("Could not get repository {0}/{1}.", (string)AuditOptions["GitHubReportOwner"], (string)AuditOptions["GitHubReportName"]);
            }
            NewIssue issue = new NewIssue(IssueTitle);

            BuildPackageSourceAuditReport();
            issue.Body = IssueText.ToString();
            try
            {
                Issue i = await client.Issue.Create((string)AuditOptions["GitHubReportOwner"], (string)AuditOptions["GitHubReportName"], issue);

                AuditEnvironment.Info("Created issue #{0} {1} in GitHub repository {2}/{3}.", i.Number, IssueTitle, (string)AuditOptions["GitHubReportOwner"], (string)AuditOptions["GitHubReportName"]);
            }
            catch (AggregateException ae)
            {
                AuditEnvironment.Error(ae, "Error creating new issue for repository {0}/{1}.", (string)AuditOptions["GitHubReportOwner"], (string)AuditOptions["GitHubReportName"]);
                return(false);
            }
            catch (Exception e)
            {
                AuditEnvironment.Error(e, "Error creating new issue for repository {0}/{1}.", (string)AuditOptions["GitHubReportOwner"], (string)AuditOptions["GitHubReportName"]);
                return(false);
            }
            return(true);
        }
        private List <Package> GetPackagesFromProjectFile(string filename, bool isCsProj)
        {
            List <Package> packages    = new List <Package>();
            AuditFileInfo  config_file = this.AuditEnvironment.ConstructFile(filename);

            var fileType = isCsProj ? ".csproj" : "build targets";

            this.AuditEnvironment.Info($"Reading packages from .NET Core C# {fileType} file.");
            string _byteOrderMarkUtf8 = Encoding.UTF8.GetString(Encoding.UTF8.GetPreamble());
            string xml = config_file.ReadAsText();

            if (xml.StartsWith(_byteOrderMarkUtf8, StringComparison.Ordinal))
            {
                var lastIndexOfUtf8 = _byteOrderMarkUtf8.Length;
                xml = xml.Remove(0, lastIndexOfUtf8);
            }
            XElement root = XElement.Parse(xml);

            var package = isCsProj ? "Include" : "Update";

            if (root.Name.LocalName == "Project")
            {
                packages =
                    root
                    .Descendants()
                    .Where(x => x.Name.LocalName == "PackageReference" && x.Attribute(package) != null && x.Attribute("Version") != null)
                    .SelectMany(r => GetDeveloperPackages(r.Attribute(package).Value, r.Attribute("Version").Value))
                    .ToList();

                IEnumerable <string> skipped_packages =
                    root
                    .Descendants()
                    .Where(x => x.Name.LocalName == "PackageReference" && x.Attribute(package) != null && x.Attribute("Version") == null)
                    .Select(r => r.Attribute(package).Value);

                if (skipped_packages.Count() > 0)
                {
                    this.AuditEnvironment.Warning("{0} package(s) do not have a version specified and will not be audited: {1}.", skipped_packages.Count(),
                                                  skipped_packages.Aggregate((s1, s2) => s1 + "," + s2));
                }
                var helper          = new NuGetApiHelper(this.AuditEnvironment, config_file.DirectoryName);
                var nuGetFrameworks = helper.GetFrameworks(root);

                if (!nuGetFrameworks.Any())
                {
                    AuditEnvironment.Warning("Scanning from project file found 0 packages, checking for packages.config file. ");
                    nuGetFrameworks = helper.GetFrameworks();
                }

                if (!nuGetFrameworks.Any())
                {
                    AuditEnvironment.Warning("Scanning NuGet transitive dependencies failed because no target framework is found in {0}...", config_file.Name);
                }

                foreach (var framework in nuGetFrameworks)
                {
                    AuditEnvironment.Info("Scanning NuGet transitive dependencies for {0}...", framework.GetFrameworkString());
                    var deps = helper.GetPackageDependencies(packages, framework);
                    Task.WaitAll(deps);
                    packages = helper.AddPackageDependencies(deps.Result, packages);
                }
                return(packages);
            }
            else
            {
                this.AuditEnvironment.Error("{0} is not a .NET Core format .csproj file.", config_file.FullName);
                return(packages);
            }
        }
        public override IEnumerable <Package> GetPackages(params string[] o)
        {
            AuditFileInfo  config_file = this.AuditEnvironment.ConstructFile(this.PackageManagerConfigurationFile);
            List <Package> packages    = new List <Package>();

            var isCsProj       = config_file.Name.EndsWith(".csproj");
            var isBuildTargets = config_file.Name.EndsWith(".Build.targets");
            var isDepsJson     = config_file.Name.EndsWith(".deps.json");

            if (isCsProj || isBuildTargets)
            {
                var fileType = isCsProj ? ".csproj" : "build targets";
                this.AuditEnvironment.Info($"Reading packages from .NET Core C# {fileType} file.");
                string _byteOrderMarkUtf8 = Encoding.UTF8.GetString(Encoding.UTF8.GetPreamble());
                string xml = config_file.ReadAsText();
                if (xml.StartsWith(_byteOrderMarkUtf8, StringComparison.Ordinal))
                {
                    var lastIndexOfUtf8 = _byteOrderMarkUtf8.Length;
                    xml = xml.Remove(0, lastIndexOfUtf8);
                }
                XElement root = XElement.Parse(xml);

                var package = isCsProj ? "Include" : "Update";

                if (root.Name.LocalName == "Project")
                {
                    packages =
                        root
                        .Descendants()
                        .Where(x => x.Name.LocalName == "PackageReference" && x.Attribute(package) != null && x.Attribute("Version") != null)
                        .SelectMany(r => GetDeveloperPackages(r.Attribute(package).Value, r.Attribute("Version").Value))
                        .ToList();

                    IEnumerable <string> skipped_packages =
                        root
                        .Descendants()
                        .Where(x => x.Name.LocalName == "PackageReference" && x.Attribute(package) != null && x.Attribute("Version") == null)
                        .Select(r => r.Attribute(package).Value);

                    if (skipped_packages.Count() > 0)
                    {
                        this.AuditEnvironment.Warning("{0} package(s) do not have a version specified and will not be audited: {1}.", skipped_packages.Count(),
                                                      skipped_packages.Aggregate((s1, s2) => s1 + "," + s2));
                    }
                    var helper          = new NuGetApiHelper(this.AuditEnvironment, config_file.DirectoryName);
                    var nuGetFrameworks = helper.GetFrameworks(root);

                    if (!nuGetFrameworks.Any())
                    {
                        AuditEnvironment.Warning("Scanning NuGet transitive dependencies failed because no target framework is found in {0}...", config_file.Name);
                    }

                    foreach (var framework in nuGetFrameworks)
                    {
                        AuditEnvironment.Info("Scanning NuGet transitive dependencies for {0}...", framework.GetFrameworkString());
                        var deps = helper.GetPackageDependencies(packages, framework);
                        Task.WaitAll(deps);
                        packages = helper.AddPackageDependencies(deps.Result, packages);
                    }
                    return(packages);
                }
                else
                {
                    this.AuditEnvironment.Error("{0} is not a .NET Core format .csproj file.", config_file.FullName);
                    return(packages);
                }
            }
            if (isDepsJson)
            {
                try
                {
                    this.AuditEnvironment.Info("Reading packages from .NET Core dependencies manifest..");
                    JObject json      = (JObject)JToken.Parse(config_file.ReadAsText());
                    JObject libraries = (JObject)json["libraries"];

                    if (libraries != null)
                    {
                        foreach (JProperty p in libraries.Properties())
                        {
                            string[] name = p.Name.Split('/');
                            // Packages with version 0.0.0.0 can show up if the are part of .net framework.
                            // Checking this version number is quite useless and might give a false positive.
                            if (name[1] != "0.0.0.0")
                            {
                                packages.Add(new Package("nuget", name[0], name[1]));
                            }
                        }
                    }
                    return(packages);
                }
                catch (Exception e)
                {
                    this.AuditEnvironment.Error(e, "Error reading .NET Core dependencies manifest {0}.", config_file.FullName);
                    return(packages);
                }
            }

            this.AuditEnvironment.Error("Unknown .NET Core project file type: {0}.", config_file.FullName);
            return(packages);
        }