public void GetDirectReferencesWithSingleDependency()
        {
            var lockFile   = new MockFileService("SingleTarget").ReadLockFiles().FirstOrDefault();
            var references = _assetsFileParser.GetNugetReferences(lockFile);

            Assert.Single(references);
            Assert.Equal("Libuv", references.First().Id);
            Assert.Equal("1.9.1", references.First().Version);
            Assert.Single(references.First().Dependencies);
            Assert.Equal("Microsoft.NETCore.Platforms", references.First().Dependencies.First().Id);
            Assert.Equal("1.0.1", references.First().Dependencies.First().Version);
        }
Пример #2
0
        public void GetDirectReferencesWithSingleDependency()
        {
            var fileService = new FileService(NullLogger <FileService> .Instance, Options.Create(new RetireServiceOptions {
                Path = "TestFiles/SingleTarget"
            }));
            var references = _assetsFileParser.GetNugetReferences(fileService.ReadLockFiles().First());

            Assert.Single(references);
            Assert.Equal("Libuv", references.First().Id);
            Assert.Equal("1.9.1", references.First().Version);
            Assert.Single(references.First().Dependencies);
            Assert.Equal("Microsoft.NETCore.Platforms", references.First().Dependencies.First().Id);
            Assert.Equal("1.0.1", references.First().Dependencies.First().Version);
        }
Пример #3
0
        internal void LogPackagesToRetireInternal()
        {
            // removing this line breaks logging somehow.
            _logger.LogInformation("Scan starting".Green());

            var packagesToRetire = _retireApiClient.GetPackagesToRetire().ToList();

            foreach (var p in packagesToRetire)
            {
                foreach (var package in p.Packages)
                {
                    _logger.LogTrace($"Looking for {package.Id}/{package.Affected}".Orange());
                }
            }

            var status = _restorer.Restore();

            if (status.IsSuccess)
            {
                _logger.LogDebug("`dotnet restore:`" + status.Output);
            }
            else
            {
                _logger.LogDebug("`dotnet restore output:`" + status.Output);
                _logger.LogDebug("`dotnet restore errors:`" + status.Errors);
                _logger.LogDebug("`dotnet restore exitcode:`" + status.ExitCode);

                _logger.LogError("Failed to `dotnet restore`. Is the current dir missing a csproj?");
                _exitCodeHandler.HandleExitCode(status.ExitCode, true);
            }

            var lockFiles            = _fileService.ReadLockFiles();
            var foundVulnerabilities = false;

            foreach (var lockFile in lockFiles)
            {
                _logger.LogInformation($"Analyzing '{lockFile.PackageSpec.Name}'".Green());

                var nugetReferences = _nugetreferenceservice.GetNugetReferences(lockFile).ToList();
                _logger.LogDebug($"Found in total {nugetReferences.Count} references of NuGets (direct & transient)");

                var usages = _usageFinder.FindUsagesOf(nugetReferences, packagesToRetire);
                if (usages.Any())
                {
                    foundVulnerabilities = true;
                    var plural  = usages.Count > 1 ? "s" : string.Empty;
                    var grouped = usages.GroupBy(g => g.NugetReference.ToString());
                    var sb      = new StringBuilder();
                    sb.AppendLine($"Found use of {grouped.Count()} vulnerable libs in {usages.Count} dependency path{plural}.");

                    foreach (var group in grouped)
                    {
                        sb.AppendLine();
                        sb.AppendLine($"* {group.FirstOrDefault().Description} in {group.Key.Red()}");
                        sb.AppendLine(group.FirstOrDefault().IssueUrl.ToString());

                        foreach (var usage in group.Where(x => !x.IsDirect))
                        {
                            sb.AppendLine(usage.ReadPath());
                        }
                    }

                    sb.AppendLine();
                    _logger.LogError(sb.ToString());
                }
                else
                {
                    _logger.LogInformation("Found no usages of vulnerable libs!".Green());
                }
            }

            _logger.LogInformation("Scan complete.");

            if (foundVulnerabilities)
            {
                _exitCodeHandler.HandleExitCode(ExitCode.FOUND_VULNERABILITIES);
            }
        }
Пример #4
0
        public void LogPackagesToRetire()
        {
            // removing this line breaks logging somehow.
            _logger.LogInformation("Scan starting".Green());

            var packagesToRetire = _retireApiClient.GetPackagesToRetire().ToList();

            foreach (var p in packagesToRetire)
            {
                _logger.LogTrace($"Looking for {p.Id}/{p.Affected}".Orange());
            }

            var status = _restorer.Restore();

            if (status.IsSuccess)
            {
                _logger.LogDebug("`dotnet restore:`" + status.Output);
            }
            else
            {
                _logger.LogDebug("`dotnet restore output:`" + status.Output);
                _logger.LogDebug("`dotnet restore errors:`" + status.Errors);
                _logger.LogDebug("`dotnet restore exitcode:`" + status.ExitCode);

                _logger.LogError("Failed to `dotnet restore`. Is the current dir missing a csproj?");
                return;
            }

            List <NugetReference> nugetReferences;

            try
            {
                nugetReferences = _nugetreferenceservice.GetNugetReferences().ToList();
            }
            catch (NoAssetsFoundException)
            {
                _logger.LogError("No assets found. Are you running the tool from a folder missing a csproj?");
                return;
            }

            _logger.LogDebug($"Found in total {nugetReferences.Count} references of NuGets (direct & transient)");

            var usages = _usageFinder.FindUsagesOf(nugetReferences, packagesToRetire);

            if (usages.Any())
            {
                var plural   = usages.Count > 1 ? "s" : "";
                var grouped  = usages.GroupBy(g => g.NugetReference.ToString());
                var errorLog = $"Found use of {grouped.Count()} vulnerable libs in {usages.Count} dependency path{plural}.";

                foreach (var group in grouped)
                {
                    errorLog += $"\n\n* {group.Key}".Red();

                    if (_logger.IsEnabled(LogLevel.Debug))
                    {
                        foreach (var usage in group)
                        {
                            if (!usage.IsDirect)
                            {
                                errorLog += $"\n{usage.ReadPath()}";
                            }
                        }
                    }
                }

                errorLog += "\n";
                _logger.LogError(errorLog);
            }
            else
            {
                _logger.LogInformation($"Found no usages of vulnerable libs!".Green());
            }

            _logger.LogInformation($"Scan complete.");
        }