public void DotNetListPackagesTest(string dotnetOutput)
{
var dependencies = NuGetFile.ParseListPackages(dotnetOutput);
Assert.True(dependencies.Count == 4);
Assert.True(dependencies["Bootstrap"].Version == "3.0.7");
Assert.True(dependencies["NuGetDefense"].Version == "1.0.6");
Assert.True(dependencies["jQuery"].Version == "1.9.0");
Assert.True(dependencies["IdentityServer4"].Version == "3.1.3");
}
public void LegacyPackagesLoad()
{
var net461TestProjectDirectory =
Path.Combine(Path.GetDirectoryName(Assembly.GetExecutingAssembly().GetAssemblyLocation()) !, "TestFiles",
"net461.TestLib");
var nugetFile = new NuGetFile(Path.Combine(net461TestProjectDirectory, "net461.TestLib.csproj"));
var packages = nugetFile.LoadPackages();
Assert.Equal(2, packages.Count);
Assert.Equal(Path.Combine(net461TestProjectDirectory, "packages.config"), nugetFile.Path);
}
public void DotNetListSlnPackagesTest(string dotnetOutput)
{
var projects = NuGetFile.ParseListSlnPackages(dotnetOutput);
Assert.True(projects.Count == 2);
Assert.True(projects["ConsoleApp1"].Count == 3);
Assert.True(projects["ClassLibrary1"].Count == 2);
Assert.True(projects["ConsoleApp1"]["IdentityServer4"].Version == "3.1.3");
Assert.True(projects["ClassLibrary1"]["Bootstrap"].Version == "3.0.7");
Assert.True(projects["ConsoleApp1"]["NuGetDefense"].Version == "1.0.6");
Assert.True(projects["ConsoleApp1"]["jQuery"].Version == "1.9.0");
Assert.True(projects["ClassLibrary1"]["jQuery"].Version == "1.9.0");
}
public void SdkPackagesLoadNoTransitiveDependencies()
{
var netcoreapp31TestProjectDirectory =
Path.Combine(Path.GetDirectoryName(Assembly.GetExecutingAssembly().GetAssemblyLocation()) !, "TestFiles",
"net5.0.Lib");
var projectFile = Path.Combine(netcoreapp31TestProjectDirectory, "NuGetDefense.Core.csproj");
var nugetFile = new NuGetFile(projectFile);
RestorePackage(projectFile);
var packages = nugetFile.LoadPackages("net5.0", false);
Assert.Equal(4, packages.Count);
Assert.Equal(projectFile, nugetFile.Path);
}
/// <summary>
/// args[0] is expected to be the path to the project file.
/// </summary>
/// <param name="args"></param>
private static void Main(string[] args)
{
var nugetFile = new NuGetFile(args[0]);
_nuGetFile = nugetFile.Path;
_settings = Settings.LoadSettings(Path.GetDirectoryName(args[0]));
ConfigureLogging(Path.GetFileName(args[0]));
var targetFramework = args.Length > 1 ? args[1] : "";
_pkgs = nugetFile.LoadPackages(targetFramework, _settings.CheckTransitiveDependencies).Values.ToArray();
if (_settings.ErrorSettings.BlockedPackages.Length > 0)
{
CheckBlockedPackages();
}
if (_settings.ErrorSettings.AllowedPackages.Length > 0)
{
CheckAllowedPackages();
}
Dictionary <string, Dictionary <string, Vulnerability> > vulnDict = null;
if (_settings.OssIndex.Enabled)
{
vulnDict =
new Scanner(_nuGetFile, _settings.OssIndex.BreakIfCannotRun, UserAgentString)
.GetVulnerabilitiesForPackages(_pkgs);
}
if (_settings.NVD.Enabled)
{
vulnDict =
new NVD.Scanner(_nuGetFile, TimeSpan.FromSeconds(_settings.NVD.TimeoutInSeconds),
_settings.NVD.BreakIfCannotRun, _settings.NVD.SelfUpdate)
.GetVulnerabilitiesForPackages(_pkgs,
vulnDict);
}
if (_settings.ErrorSettings.IgnoredCvEs.Length > 0)
{
VulnerabilityData.IgnoreCVEs(vulnDict, _settings.ErrorSettings.IgnoredCvEs);
}
if (vulnDict == null)
{
Log.Logger.Information("No Vulnerabilities found in {0} packages", _pkgs.Length);
}
ReportVulnerabilities(vulnDict);
}
public void NuGet_Serialization()
{
// Arrange
string testDir = TestUtils.CreateTestDirectory(this.TestContext);
string filePath = Path.Combine(testDir, "Diagnostic.nuspec");
NuGetPackage pkg = new NuGetPackage();
pkg.Metadata = new Metadata();
pkg.Metadata.Id = "id";
pkg.Metadata.Version = "version";
pkg.Metadata.Authors = "authors";
pkg.Files = new NuGetFiles();
pkg.Files.Items = new List <NuGetFile>();
NuGetFile file1 = new NuGetFile()
{
Source = "source",
Target = "target",
Exclude = "exclude"
};
NuGetFile file2 = new NuGetFile()
{
Source = "source2",
Target = "target2",
Exclude = "exclude2"
};
pkg.Files.Items.Add(file1);
pkg.Files.Items.Add(file2);
// Act
pkg.Save(filePath);
this.TestContext.AddResultFile(filePath);
NuGetPackage reloaded = NuGetPackage.Load(filePath);
// Assert
Assert.IsNotNull(reloaded);
Assert.IsNotNull(reloaded.Metadata);
Assert.IsNotNull(reloaded.Files);
Assert.IsNotNull(reloaded.Files.Items);
Assert.AreEqual(2, reloaded.Files.Items.Count);
}
/// <summary>
/// args[0] is expected to be the path to the project file.
/// </summary>
/// <param name="args"></param>
private static int Main(string[] args)
{
#if DOTNETTOOL
if (args.Length == 0)
{
Console.WriteLine($"NuGetDefense v{Version}");
Console.WriteLine("-------------");
Console.WriteLine($"{Environment.NewLine}Usage:");
Console.WriteLine($"{Environment.NewLine} nugetdefense projectFile.proj TargetFrameworkMoniker");
Console.WriteLine($"{Environment.NewLine} nugetdefense SolutionFile.sln Release");
Console.WriteLine($"{Environment.NewLine} nugetdefense SolutionFile.sln Debug|Any CPU");
return(0);
}
#endif
_settings = Settings.LoadSettings(Path.GetDirectoryName(args[0]));
_projectFileName = Path.GetFileName(args[0]);
ConfigureLogging();
try
{
Log.Logger.Verbose("Logging Configured");
Log.Logger.Verbose("Started NuGetDefense with arguments: {args}", args);
var targetFramework = args.Length == 2 ? args[1] : "";
if (args[0].EndsWith(".sln", StringComparison.OrdinalIgnoreCase))
{
var projects = DotNetSolution.Load(args[0]).Projects.Where(p => !p.Type.IsSolutionFolder).Select(p => p.Path).ToArray();
var specificFramework = !string.IsNullOrWhiteSpace(targetFramework);
if (specificFramework)
{
Log.Logger.Information("Target Framework: {framework}", targetFramework);
}
_projects = LoadMultipleProjects(args[0], projects, specificFramework, targetFramework, true);
}
else if (_settings.CheckReferencedProjects)
{
var projects = new List <string> {
args[0]
};
GetProjectsReferenced(in args[0], in projects);
var specificFramework = !string.IsNullOrWhiteSpace(targetFramework);
if (specificFramework)
{
Log.Logger.Information("Target Framework: {framework}", targetFramework);
}
_projects = LoadMultipleProjects(args[0], projects.ToArray(), specificFramework, targetFramework, false);
}
else
{
var nugetFile = new NuGetFile(args[0]);
_nuGetFile = nugetFile.Path;
Log.Logger.Verbose("NuGetFile Path: {nugetFilePath}", _nuGetFile);
Log.Logger.Information("Target Framework: {framework}", string.IsNullOrWhiteSpace(targetFramework) ? "Undefined" : targetFramework);
Log.Logger.Verbose("Loading Packages");
Log.Logger.Verbose("Transitive Dependencies Included: {CheckTransitiveDependencies}", _settings.CheckTransitiveDependencies);
if (_settings.CheckTransitiveDependencies && nugetFile.PackagesConfig)
{
var projects = DotNetProject.Load(args[0]).ProjectReferences.Select(p => p.FilePath).ToArray();
var specificFramework = !string.IsNullOrWhiteSpace(targetFramework);
if (specificFramework)
{
Log.Logger.Information("Target Framework: {framework}", targetFramework);
}
_projects = LoadMultipleProjects(args[0], projects, specificFramework, targetFramework);
}
else
{
_projects = new Dictionary <string, NuGetPackage[]>();
_projects.Add(nugetFile.Path, nugetFile.LoadPackages(targetFramework, _settings.CheckTransitiveDependencies).Values.ToArray());
}
}
GetNonSensitivePackages(out var nonSensitivePackages);
if (_settings.ErrorSettings.IgnoredPackages.Length > 0)
{
foreach (var(project, packages) in _projects.ToArray())
{
IgnorePackages(in packages, _settings.ErrorSettings.IgnoredPackages, out var projPackages);
_projects[project] = projPackages;
}
}
Log.Logger.Information("Loaded {packageCount} packages", _projects.Sum(p => p.Value.Length));
if (_settings.ErrorSettings.BlockedPackages.Length > 0)
{
CheckBlockedPackages();
}
if (_settings.ErrorSettings.AllowedPackages.Length > 0)
{
CheckAllowedPackages();
}
Dictionary <string, Dictionary <string, Vulnerability> > vulnDict = null;
if (_settings.OssIndex.Enabled)
{
Log.Logger.Verbose("Checking with OSSIndex for Vulnerabilities");
vulnDict =
new Scanner(_nuGetFile, _settings.OssIndex.BreakIfCannotRun, UserAgentString, _settings.OssIndex.Username, _settings.OssIndex.ApiToken)
.GetVulnerabilitiesForPackages(nonSensitivePackages.SelectMany(p => p.Value).ToArray());
}
if (_settings.NVD.Enabled)
{
Log.Logger.Verbose("Checking the embedded NVD source for Vulnerabilities");
foreach (var(proj, pkgs) in _projects)
{
vulnDict =
new NVD.Scanner(_nuGetFile, TimeSpan.FromSeconds(_settings.NVD.TimeoutInSeconds),
_settings.NVD.BreakIfCannotRun, _settings.NVD.SelfUpdate)
.GetVulnerabilitiesForPackages(pkgs,
vulnDict);
}
}
Log.Logger.Information("ignoring {ignoredCVECount} Vulnerabilities", _settings.ErrorSettings.IgnoredCvEs.Length);
if (_settings.ErrorSettings.IgnoredCvEs.Length > 0)
{
VulnerabilityData.IgnoreCVEs(vulnDict, _settings.ErrorSettings.IgnoredCvEs);
}
ReportVulnerabilities(vulnDict);
return(_settings.WarnOnly ? 0 : NumberOfVulnerabilities);
}
catch (Exception e)
{
var msBuildMessage = MsBuild.Log(_nuGetFile, MsBuild.Category.Error,
$"Encountered a fatal exception while checking for Dependencies in {_nuGetFile}. Exception: {e}");
Console.WriteLine(msBuildMessage);
Log.Logger.Fatal(msBuildMessage);
return(-1);
}
}
