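/// <summary>
/// Applies the audit profile's "exclude" rules for this package manager to <c>this.Packages</c>.
/// A rule's <c>MatchName</c> is a regular expression tested against each package name; if the
/// rule also has a <c>MatchVersion</c>, only packages whose version falls in that range are
/// excluded. Rules without a <c>MatchName</c> are ignored; a rule whose pattern fails (invalid
/// regex, null package name, match timeout) is logged and skipped.
/// </summary>
/// <returns>
/// The filtered package list, or <c>this.Packages</c> unchanged (possibly null) when there is
/// nothing to filter or no exclude rule targets this package manager.
/// </returns>
protected IEnumerable<Package> FilterPackagesUsingProfile()
{
    // Nothing to filter: no packages, or no profile / rules to apply.
    if (this.Packages == null || !this.Packages.Any() || this.AuditProfile == null || this.AuditProfile.Rules == null)
    {
        return this.Packages;
    }

    List<AuditProfileRule> exclude_rules = this.AuditProfile.Rules
        .Where(r => r.Category == "exclude" && r.Target == this.PackageManagerId)
        .ToList();
    if (exclude_rules.Count == 0)
    {
        return this.Packages;
    }

    // MatchName is a user-authored pattern read from the audit profile, so bound regex
    // evaluation: a pathological expression must not be able to hang the audit (ReDoS).
    // A timeout surfaces as RegexMatchTimeoutException, which the catch below treats like
    // any other bad rule ("skip rule").
    TimeSpan match_timeout = TimeSpan.FromSeconds(5);
    List<Package> packages = this.Packages.ToList();

    foreach (AuditProfileRule rule in exclude_rules.Where(r => !string.IsNullOrEmpty(r.MatchName)))
    {
        try
        {
            // Compile once per rule instead of re-parsing the pattern for every package.
            Regex name_pattern = new Regex(rule.MatchName, RegexOptions.None, match_timeout);
            if (!packages.Any(p => name_pattern.IsMatch(p.Name)))
            {
                continue;
            }

            // With a MatchVersion the rule excludes only packages in that version range;
            // without one it excludes every package whose name matches.
            int removed = packages.RemoveAll(p => name_pattern.IsMatch(p.Name)
                && (string.IsNullOrEmpty(rule.MatchVersion)
                    || this.IsVulnerabilityVersionInPackageVersionRange(rule.MatchVersion, p.Version)));
            AuditEnvironment.Info("Excluded {0} package(s) using audit profile rules.", removed);
        }
        catch (Exception e)
        {
            AuditEnvironment.Warning("Error attempting to match name {0} with a package name: {1}. Skipping rule.", rule.MatchName, e.Message);
        }
    }
    return packages;
}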
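/// <summary>
/// Publishes the package-source audit report as a new issue in a GitHub repository.
/// Requires the <c>GitHubReportOwner</c>, <c>GitHubReportName</c> and <c>GitHubToken</c> audit
/// options; <c>GitHubReportTitle</c> optionally overrides the generated issue title.
/// </summary>
/// <returns><c>true</c> if the issue was created, <c>false</c> if creation failed (the error is logged).</returns>
/// <exception cref="ArgumentException">A required option is missing or blank.</exception>
public override async Task<bool> ReportPackageSourceAudit()
{
    if (!AuditOptions.ContainsKey("GitHubReportOwner") || !AuditOptions.ContainsKey("GitHubReportName") || !AuditOptions.ContainsKey("GitHubToken"))
    {
        // Message previously named GitHubReportOwner twice and never mentioned the token.
        throw new ArgumentException("The GitHubReportOwner, GitHubReportName, and GitHubToken audit options must be present.");
    }

    string owner = (string)AuditOptions["GitHubReportOwner"];
    string repo_name = (string)AuditOptions["GitHubReportName"];
    // The token is a credential: it is passed to the client only and must never be logged.
    string token = (string)AuditOptions["GitHubToken"];
    if (string.IsNullOrWhiteSpace(owner) || string.IsNullOrWhiteSpace(repo_name) || string.IsNullOrWhiteSpace(token))
    {
        throw new ArgumentException("The GitHubReportOwner, GitHubReportName, and GitHubToken audit options must not be empty.");
    }

    if (AuditOptions.ContainsKey("GitHubReportTitle"))
    {
        IssueTitle = (string)AuditOptions["GitHubReportTitle"];
    }
    else
    {
        // Read the clock once so the date and time parts of the title cannot straddle a boundary.
        DateTime now = DateTime.UtcNow;
        IssueTitle = string.Format("[DevAudit] {2} audit on {0} {1}", now.ToShortDateString(), now.ToShortTimeString(), Source.PackageManagerLabel);
    }

    GitHubClient client = new GitHubClient(new ProductHeaderValue("DevAudit"))
    {
        Credentials = new Credentials(token)
    };

    try
    {
        // Pre-flight only: confirms the token can see the repository. The result is not used,
        // and a failure is just a warning because issue creation below reports its own error.
        await client.Repository.Get(owner, repo_name);
    }
    catch (Exception)
    {
        AuditEnvironment.Warning("Could not get repository {0}/{1}.", owner, repo_name);
    }

    // NOTE(review): the report body lists the audited packages and findings. Posting it to a
    // public repository discloses which vulnerable components are in use — confirm the target
    // repository is the intended (private) one.
    BuildPackageSourceAuditReport();
    NewIssue issue = new NewIssue(IssueTitle)
    {
        Body = IssueText.ToString()
    };

    try
    {
        Issue created = await client.Issue.Create(owner, repo_name, issue);
        AuditEnvironment.Info("Created issue #{0} {1} in GitHub repository {2}/{3}.", created.Number, IssueTitle, owner, repo_name);
        return true;
    }
    catch (Exception e)
    {
        // AggregateException derives from Exception and was handled identically, so one
        // handler covers both of the original catch blocks.
        AuditEnvironment.Error(e, "Error creating new issue for repository {0}/{1}.", owner, repo_name);
        return false;
    }
}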
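/// <summary>
/// Reads the direct <c>PackageReference</c> entries from a .NET Core <c>.csproj</c> (attribute
/// <c>Include</c>) or build-targets file (attribute <c>Update</c>), expands them through
/// <c>GetDeveloperPackages</c>, then adds transitive NuGet dependencies for every target
/// framework found (falling back to <c>helper.GetFrameworks()</c> when the project declares none).
/// References without a <c>Version</c> attribute are reported and skipped.
/// </summary>
/// <param name="filename">Path of the project or targets file, resolved via the audit environment.</param>
/// <param name="isCsProj"><c>true</c> for a .csproj, <c>false</c> for a build-targets file.</param>
/// <returns>The packages found; empty when the file's root element is not <c>Project</c>.</returns>
private List<Package> GetPackagesFromProjectFile(string filename, bool isCsProj)
{
    List<Package> packages = new List<Package>();
    AuditFileInfo config_file = this.AuditEnvironment.ConstructFile(filename);
    string file_type = isCsProj ? ".csproj" : "build targets";
    this.AuditEnvironment.Info($"Reading packages from .NET Core C# {file_type} file.");

    // Strip a leading UTF-8 BOM (U+FEFF); XElement.Parse rejects it as content before the root.
    string xml = config_file.ReadAsText();
    string utf8_bom = Encoding.UTF8.GetString(Encoding.UTF8.GetPreamble());
    if (xml.StartsWith(utf8_bom, StringComparison.Ordinal))
    {
        xml = xml.Substring(utf8_bom.Length);
    }

    // XElement.Parse uses no XmlResolver, so external entities in a hostile project file are
    // not fetched (no XXE); a malformed file still throws XmlException to the caller, as before.
    XElement root = XElement.Parse(xml);
    if (root.Name.LocalName != "Project")
    {
        this.AuditEnvironment.Error("{0} is not a .NET Core format .csproj file.", config_file.FullName);
        return packages;
    }

    // .csproj references name the package with Include="…"; targets files use Update="…".
    string name_attribute = isCsProj ? "Include" : "Update";
    List<XElement> references = root.Descendants()
        .Where(x => x.Name.LocalName == "PackageReference" && x.Attribute(name_attribute) != null)
        .ToList();

    packages = references
        .Where(r => r.Attribute("Version") != null)
        .SelectMany(r => GetDeveloperPackages(r.Attribute(name_attribute).Value, r.Attribute("Version").Value))
        .ToList();

    // Materialized once: the previous deferred query was re-evaluated three times.
    List<string> skipped_packages = references
        .Where(r => r.Attribute("Version") == null)
        .Select(r => r.Attribute(name_attribute).Value)
        .ToList();
    if (skipped_packages.Count > 0)
    {
        this.AuditEnvironment.Warning("{0} package(s) do not have a version specified and will not be audited: {1}.", skipped_packages.Count, string.Join(",", skipped_packages));
    }

    NuGetApiHelper helper = new NuGetApiHelper(this.AuditEnvironment, config_file.DirectoryName);
    var frameworks = helper.GetFrameworks(root);
    if (!frameworks.Any())
    {
        AuditEnvironment.Warning("Scanning from project file found 0 packages, checking for packages.config file.");
        frameworks = helper.GetFrameworks();
    }
    if (!frameworks.Any())
    {
        AuditEnvironment.Warning("Scanning NuGet transitive dependencies failed because no target framework is found in {0}...", config_file.Name);
    }

    foreach (var framework in frameworks)
    {
        AuditEnvironment.Info("Scanning NuGet transitive dependencies for {0}...", framework.GetFrameworkString());
        // GetPackageDependencies is asynchronous but this method is not; blocking here is the
        // existing contract (failures surface as AggregateException from Task.WaitAll).
        var deps = helper.GetPackageDependencies(packages, framework);
        Task.WaitAll(deps);
        packages = helper.AddPackageDependencies(deps.Result, packages);
    }
    return packages;
}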
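/// <summary>
/// Enumerates the packages declared by the configured .NET Core file. A <c>.csproj</c> or
/// <c>.Build.targets</c> file is parsed by <c>GetPackagesFromProjectFile</c>; a <c>.deps.json</c>
/// manifest is read from its <c>libraries</c> section (keys of the form <c>name/version</c>).
/// Any other file type is logged as an error and yields no packages.
/// </summary>
/// <param name="o">Unused; kept for the base signature.</param>
/// <returns>The packages found, or an empty list on an unrecognised file or a manifest read error.</returns>
public override IEnumerable<Package> GetPackages(params string[] o)
{
    AuditFileInfo config_file = this.AuditEnvironment.ConstructFile(this.PackageManagerConfigurationFile);
    List<Package> packages = new List<Package>();
    string file_name = config_file.Name;
    bool is_csproj = file_name.EndsWith(".csproj", StringComparison.Ordinal);
    bool is_build_targets = file_name.EndsWith(".Build.targets", StringComparison.Ordinal);
    bool is_deps_json = file_name.EndsWith(".deps.json", StringComparison.Ordinal);

    if (is_csproj || is_build_targets)
    {
        // Same parser as the project-file path; delegate instead of duplicating ~40 lines.
        // GetPackagesFromProjectFile additionally falls back to helper.GetFrameworks() when the
        // project declares no target framework.
        return GetPackagesFromProjectFile(this.PackageManagerConfigurationFile, is_csproj);
    }

    if (is_deps_json)
    {
        try
        {
            this.AuditEnvironment.Info("Reading packages from .NET Core dependencies manifest..");
            JObject json = (JObject)JToken.Parse(config_file.ReadAsText());
            JObject libraries = json["libraries"] as JObject;
            if (libraries == null)
            {
                this.AuditEnvironment.Warning("No libraries section found in {0}.", config_file.FullName);
                return packages;
            }

            foreach (JProperty library in libraries.Properties())
            {
                // Keys are "<name>/<version>". A malformed key used to throw
                // IndexOutOfRangeException and abort the whole manifest; skip only that entry.
                string[] name_and_version = library.Name.Split('/');
                if (name_and_version.Length != 2 || name_and_version[0].Length == 0 || name_and_version[1].Length == 0)
                {
                    this.AuditEnvironment.Warning("Skipping library entry {0} in {1}: expected name/version.", library.Name, config_file.Name);
                    continue;
                }

                // Version 0.0.0.0 marks libraries that are part of the .NET framework itself;
                // checking that version is meaningless and can produce false positives.
                if (name_and_version[1] != "0.0.0.0")
                {
                    packages.Add(new Package("nuget", name_and_version[0], name_and_version[1]));
                }
            }
            return packages;
        }
        catch (Exception e)
        {
            this.AuditEnvironment.Error(e, "Error reading .NET Core dependencies manifest {0}.", config_file.FullName);
            return packages;
        }
    }

    this.AuditEnvironment.Error("Unknown .NET Core project file type: {0}.", config_file.FullName);
    return packages;
}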