//Get bower packages from reading bower.json
public override IEnumerable <Package> GetPackages(params string[] o)
{
var packages = new List <Package>();
AuditFileInfo config_file = this.AuditEnvironment.ConstructFile(this.PackageManagerConfigurationFile);
JObject json = (JObject)JToken.Parse(config_file.ReadAsText());
if (json.Properties().Any(j => j.Name == "name") && json.Properties().Any(j => j.Name == "version"))
{
packages.AddRange(GetDeveloperPackages(
json.Properties().First(j => j.Name == "name").Value.ToString(),
json.Properties().First(j => j.Name == "version").Value.ToString()));
}
JObject dependencies = (JObject)json["dependencies"];
JObject dev_dependencies = (JObject)json["devDependencies"];
if (dev_dependencies != null)
{
packages.AddRange(dev_dependencies.Properties().SelectMany(d => GetDeveloperPackages(d.Name, d.Value.ToString())));
}
if (dependencies != null)
{
packages.AddRange(dependencies.Properties().SelectMany(d => GetDeveloperPackages(d.Name, d.Value.ToString())));
}
return(packages);
}
//Get packages from reading composer.json
public override IEnumerable <OSSIndexQueryObject> GetPackages(params string[] o)
{
AuditFileInfo config_file = this.AuditEnvironment.ConstructFile(this.PackageManagerConfigurationFile);
JObject json = (JObject)JToken.Parse(config_file.ReadAsText());
JObject require = (JObject)json["require"];
JObject require_dev = (JObject)json["require-dev"];
if (require != null)
{
if (require_dev != null)
{
return(require.Properties().Select(d => new OSSIndexQueryObject("composer", d.Name.Split('/').Last(), d.Value.ToString(), "", d.Name.Split('/').First()))
.Concat(require_dev.Properties().Select(d => new OSSIndexQueryObject("composer", d.Name.Split('/').Last(), d.Value.ToString(), "", d.Name.Split('/').First()))));
}
else
{
return(require.Properties().Select(d => new OSSIndexQueryObject("composer", d.Name.Split('/').Last(), d.Value.ToString(), "", d.Name.Split('/').First())));
}
}
else if (require_dev != null)
{
return(require_dev.Properties().Select(d => new OSSIndexQueryObject("composer", d.Name.Split('/').Last(), d.Value.ToString(), "", d.Name.Split('/').First())));
}
else
{
this.AuditEnvironment.Warning("{0} file does not contain a require or require_dev element.", config_file.FullName);
return(new List <OSSIndexQueryObject>());
}
}
public override IEnumerable <Package> GetPackages(params string[] o) ////Get NuGet packages from reading packages.config
{
AuditFileInfo configfile = this.AuditEnvironment.ConstructFile(this.PackageManagerConfigurationFile);
string _byteOrderMarkUtf8 = Encoding.UTF8.GetString(Encoding.UTF8.GetPreamble());
string xml = configfile.ReadAsText();
if (xml.StartsWith(_byteOrderMarkUtf8, StringComparison.Ordinal))
{
var lastIndexOfUtf8 = _byteOrderMarkUtf8.Length;
xml = xml.Remove(0, lastIndexOfUtf8);
}
XElement root = XElement.Parse(xml);
IEnumerable <Package> packages;
if (root.Name.LocalName == "Project")
{
// dotnet core csproj file
packages =
root
.Descendants()
.Where(x => x.Name.LocalName == "PackageReference")
.SelectMany(r => GetDeveloperPackages(r.Attribute("Include").Value, r.Attribute("Version").Value)).ToList();
}
else
{
packages =
root
.Elements("package")
.SelectMany(el => GetDeveloperPackages(el.Attribute("id").Value, el.Attribute("version").Value));
}
return(packages);
}
protected override string GetVersion()
{
string core_version = "8.x";
Stopwatch sw = new Stopwatch();
sw.Start();
AuditFileInfo changelog = this.ApplicationFileSystemMap["ChangeLog"] as AuditFileInfo;
string[] c = changelog.ReadAsText()?.Split(this.AuditEnvironment.LineTerminator.ToCharArray(), StringSplitOptions.RemoveEmptyEntries);
if (c != null && c.Count() > 0)
{
foreach (string l in c)
{
if (l.StartsWith("Drupal "))
{
core_version = l.Split(',')[0].Substring(7);
break;
}
}
}
this.Version = core_version;
sw.Stop();
this.VersionInitialised = true;
this.AuditEnvironment.Success("Got Drupal 8 version {0} in {1} ms.", this.Version, sw.ElapsedMilliseconds);
Package core = this.ModulePackages["core"].Where(p => p.Name == "drupal_core").First();
core.Version = this.Version;
return(this.Version);
}
public override IEnumerable <Package> GetPackages(params string[] o) ////Get NuGet packages from reading packages.config
{
try
{
AuditFileInfo config_file = this.AuditEnvironment.ConstructFile(this.PackageManagerConfigurationFile);
string _byteOrderMarkUtf8 = Encoding.UTF8.GetString(Encoding.UTF8.GetPreamble());
string xml = config_file.ReadAsText();
if (xml.StartsWith(_byteOrderMarkUtf8, StringComparison.Ordinal))
{
var lastIndexOfUtf8 = _byteOrderMarkUtf8.Length;
xml = xml.Remove(0, lastIndexOfUtf8);
}
XElement root = XElement.Parse(xml);
IEnumerable <Package> packages =
from el in root.Elements("package")
select new Package("nuget", el.Attribute("id").Value, el.Attribute("version").Value, "");
return(packages);
}
catch (XmlException e)
{
throw new Exception("XML exception thrown parsing file: " + this.PackageManagerConfigurationFile, e);
}
catch (Exception e)
{
throw new Exception("Unknown exception thrown attempting to get packages from file: "
+ this.PackageManagerConfigurationFile, e);
}
}
public override IEnumerable <Package> GetPackages(params string[] o)
{
List <Package> packages = new List <Package>();
AuditFileInfo config_file = this.AuditEnvironment.ConstructFile(this.PackageManagerConfigurationFile);
JObject json = (JObject)JToken.Parse(config_file.ReadAsText());
JObject dependencies = (JObject)json["dependencies"];
JObject dev_dependencies = (JObject)json["devDependencies"];
JObject peer_dependencies = (JObject)json["peerDependencies"];
JObject optional_dependencies = (JObject)json["optionalDependencies"];
JObject bundled_dependencies = (JObject)json["bundledDependencies"];
if (dependencies != null)
{
packages.AddRange(dependencies.Properties().Select(d => new Package("npm", d.Name, d.Value.ToString(), "")));
}
if (dev_dependencies != null)
{
packages.AddRange(dev_dependencies.Properties().Select(d => new Package("npm", d.Name, d.Value.ToString(), "")));
}
if (peer_dependencies != null)
{
packages.AddRange(peer_dependencies.Properties().Select(d => new Package("npm", d.Name, d.Value.ToString(), "")));
}
if (optional_dependencies != null)
{
packages.AddRange(optional_dependencies.Properties().Select(d => new Package("npm", d.Name, d.Value.ToString(), "")));
}
if (bundled_dependencies != null)
{
packages.AddRange(bundled_dependencies.Properties().Select(d => new Package("npm", d.Name, d.Value.ToString(), "")));
}
return(packages);
}
protected int GetDefaultConfigurationRules()
{
this.AuditEnvironment.Info("Loading default configuration rules for {0} application.", this.ApplicationLabel);
Stopwatch sw = new Stopwatch();
sw.Start();
AuditFileInfo rules_file = this.HostEnvironment.ConstructFile(Path.Combine(this.DevAuditDirectory, "Rules", this.ApplicationId + "." + "yml"));
if (!rules_file.Exists)
{
throw new Exception(string.Format("The default rules file {0} does not exist.", rules_file.FullName));
}
Deserializer yaml_deserializer = new Deserializer(namingConvention: new CamelCaseNamingConvention(), ignoreUnmatched: true);
Dictionary <string, List <ConfigurationRule> > rules;
rules = yaml_deserializer.Deserialize <Dictionary <string, List <ConfigurationRule> > >(new StringReader(rules_file.ReadAsText()));
if (rules == null)
{
sw.Stop();
throw new Exception(string.Format("Parsing the default rules file {0} returned null.", rules_file.FullName));
}
if (rules.ContainsKey(this.ApplicationId + "_default"))
{
rules.Remove(this.ApplicationId + "_default");
}
foreach (KeyValuePair <string, List <ConfigurationRule> > kv in rules)
{
this.AddConfigurationRules(kv.Key, kv.Value);
}
sw.Stop();
this.AuditEnvironment.Info("Got {0} default configuration rule(s) for {1} module(s) from {2}.yml in {3} ms.", rules.Sum(kv => kv.Value.Count()), rules.Keys.Count, this.ApplicationId, sw.ElapsedMilliseconds);
return(rules.Count);
}
public Drupal8ModuleCodeProject(Dictionary <string, object> project_options, EventHandler <EnvironmentEventArgs> message_handler) : base(project_options, message_handler, "Drupal8Module")
{
AuditFileInfo wf = this.AuditEnvironment.ConstructFile(this.CombinePath("@", this.ProjectName + ".info" + ".yml"));
if (!wf.Exists)
{
throw new ArgumentException(string.Format("The Drupal 8 module file {0} does not exist.", wf.FullName), "project_options");
}
else
{
this.WorkspaceFilePath = this.ProjectName + ".info" + ".yml";
}
}
public List <VulnerableCredentialStorage> GetVulnerableCredentialStorage()
{
AuditFileInfo config_file = this.AuditEnvironment.ConstructFile(this.PackageManagerConfigurationFile);
JSONConfig json_config = new JSONConfig(config_file);
if (!json_config.ParseSucceded)
{
this.AuditEnvironment.Error("Could not parse JSON from {0}.", json_config.FullFilePath);
if (json_config.LastParseException != null)
{
this.AuditEnvironment.Error(json_config.LastParseException);
}
if (json_config.LastIOException != null)
{
this.AuditEnvironment.Error(json_config.LastIOException);
}
return(null);
}
this.AuditEnvironment.Status("Scanning for git credential storage candidates in {0}", config_file.FullName);
IEnumerable <XElement> candidate_elements =
from e in json_config.XmlConfiguration.Root.Descendants()
//where e.Value.Trim().StartsWith("git+https") || e.Value.Trim().StartsWith("git") || e.Value.Trim().StartsWith("https")
where e.Elements().Count() == 0 && Utility.CalculateEntropy(e.Value) > 4.5
select e;
if (candidate_elements != null && candidate_elements.Count() > 0)
{
this.CredentialStorageCandidates = new List <VulnerableCredentialStorage>();
foreach (XElement e in candidate_elements)
{
this.CredentialStorageCandidates.Add(new VulnerableCredentialStorage
{
File = config_file.FullName,
Contents = json_config,
Location = e.AncestorsAndSelf().Reverse().Select(a => a.Name.LocalName).Aggregate((a1, a2) => a1 + "/" + a2)
.Replace("Container/", string.Empty),
Entropy = Utility.CalculateEntropy(e.Value),
Value = e.Value
});
}
this.AuditEnvironment.Success("Found {0} credential storage candidates.", this.CredentialStorageCandidates.Count);
return(this.CredentialStorageCandidates);
}
else
{
this.AuditEnvironment.Info("No credential storage candidates found.");
return(null);
}
#endregion
}
protected override void DetectConfigurationFile(Dictionary <PlatformID, string[]> default_configuration_file_path)
{
bool set_config_from_process_cmdline = false;
bool set_config_from_env = false;
if (this.AuditEnvironment.IsUnix)
{
List <ProcessInfo> processes = this.AuditEnvironment.GetAllRunningProcesses();
if (processes != null && processes.Any(p => p.CommandLine.Contains("postgres") && p.CommandLine.Contains("config_file")))
{
ProcessInfo process = processes.Where(p => p.CommandLine.Contains("postgres") && p.CommandLine.Contains("config_file")).First();
Match m = Regex.Match(process.CommandLine, @"config_file=(\S+)");
if (m.Success)
{
string f = m.Groups[1].Value;
AuditFileInfo cf = this.AuditEnvironment.ConstructFile(f);
if (cf.Exists)
{
this.AuditEnvironment.Success("Auto-detected {0} server configuration file at {1}.", this.ApplicationLabel, cf.FullName);
this.ApplicationFileSystemMap.Add("ConfigurationFile", cf);
set_config_from_process_cmdline = true;
}
else
{
this.AuditEnvironment.Warning("The configuration file specified on the mysqld command line {0} does not exist.", cf.FullName);
}
}
}
if (!set_config_from_process_cmdline)
{
Dictionary <string, string> env = this.AuditEnvironment.GetEnvironmentVars();
if (env != null)
{
if (env.ContainsKey("PGDATA"))
{
AuditFileInfo cf = this.AuditEnvironment.ConstructFile(this.CombinePath(env["PGDATA"], "postgresql.conf"));
if (cf.Exists)
{
this.AuditEnvironment.Success("Auto-detected {0} server configuration file at {1}.", this.ApplicationLabel, cf.FullName);
this.ApplicationFileSystemMap.Add("ConfigurationFile", cf);
set_config_from_env = true;
}
}
if (!(set_config_from_process_cmdline || set_config_from_env))
{
base.DetectConfigurationFile(default_configuration_file_path);
}
}
}
}
}
public CodeProject(Dictionary <string, object> project_options, EventHandler <EnvironmentEventArgs> message_handler, Dictionary <string, string[]> default_file_location_paths, string analyzer_type) : base(project_options, message_handler)
{
CallerInformation here = this.AuditEnvironment.Here();
this.CodeProjectOptions = project_options;
this.DefaultFileLocationPaths = default_file_location_paths;
if (this.CodeProjectOptions.ContainsKey("RootDirectory"))
{
if (!this.AuditEnvironment.DirectoryExists((string)this.CodeProjectOptions["RootDirectory"]))
{
throw new ArgumentException(string.Format("The root directory {0} was not found.", CodeProjectOptions["RootDirectory"]), "package_source_options");
}
else
{
this.CodeProjectFileSystemMap.Add("RootDirectory", this.AuditEnvironment.ConstructDirectory((string)CodeProjectOptions["RootDirectory"]));
}
}
else
{
throw new ArgumentException(string.Format("The root application directory was not specified."), "application_options");
}
if (this.CodeProjectOptions.ContainsKey("ProjectName"))
{
this.ProjectName = (string)CodeProjectOptions["ProjectName"];
}
if (this.CodeProjectOptions.ContainsKey("File"))
{
string fn = (string)this.CodeProjectOptions["File"];
if (!fn.StartsWith("@"))
{
throw new ArgumentException("The workspace file parameter must be relative to the root directory for this audit target.", "project_options");
}
AuditFileInfo wf = this.AuditEnvironment.ConstructFile(this.CombinePath("@", fn.Substring(1)));
if (wf.Exists)
{
this.WorkspaceFilePath = wf.FullName;
}
else
{
throw new ArgumentException(string.Format("The workspace file {0} was not found.", wf.FullName), "project_options");
}
}
this.AnalyzerType = analyzer_type;
if (this.CodeProjectOptions.ContainsKey("ListCodeProjectAnalyzers"))
{
this.ListCodeProjectAnalyzers = true;
}
}
public AuditProfile(AuditEnvironment env, AuditFileInfo pf)
{
this.AuditEnvironment = env;
this.ProfileFile = pf;
this.AuditEnvironment.Info("Using profile file {0}.", pf.FullName);
Deserializer yaml_deserializer = new Deserializer(namingConvention: new CamelCaseNamingConvention(), ignoreUnmatched: true);
try
{
this.Rules = yaml_deserializer.Deserialize <List <AuditProfileRule> >(new StringReader(this.ProfileFile.ReadAsText()));
AuditEnvironment.Info("Loaded {0} rule(s) from audit profile.", this.Rules.Count);
}
catch (Exception e)
{
this.AuditEnvironment.Error(e, "Error occurred reading audit profile from {0}.", this.ProfileFile.FullName);
}
}
//Get bower packages from reading bower.json
public override IEnumerable <OSSIndexQueryObject> GetPackages(params string[] o)
{
AuditFileInfo config_file = this.AuditEnvironment.ConstructFile(this.PackageManagerConfigurationFile);
JObject json = (JObject)JToken.Parse(config_file.ReadAsText());
JObject dependencies = (JObject)json["dependencies"];
JObject dev_dependencies = (JObject)json["devDependencies"];
if (dev_dependencies != null)
{
return(dependencies.Properties().Select(d => new OSSIndexQueryObject("bower", d.Name, d.Value.ToString(), ""))
.Concat(dev_dependencies.Properties().Select(d => new OSSIndexQueryObject("bower", d.Name, d.Value.ToString(), ""))));
}
else
{
return(dependencies.Properties().Select(d => new OSSIndexQueryObject("bower", d.Name, d.Value.ToString(), "")));
}
}
public override IEnumerable <Package> GetPackages(params string[] o)
{
try
{
AuditFileInfo config_file = this.AuditEnvironment.ConstructFile(this.PackageManagerConfigurationFile);
string _byteOrderMarkUtf8 = Encoding.UTF8.GetString(Encoding.UTF8.GetPreamble());
string xml = config_file.ReadAsText();
if (xml.StartsWith(_byteOrderMarkUtf8, StringComparison.Ordinal))
{
var lastIndexOfUtf8 = _byteOrderMarkUtf8.Length;
xml = xml.Remove(0, lastIndexOfUtf8);
}
XElement root = XElement.Parse(xml);
IEnumerable <Package> packages;
if (root.Name == "Project")
{
// dotnet core csproj file
packages = root.Descendants().Where(x => x.Name == "PackageReference").Select(r =>
new Package("nuget", r.Attribute("Include").Value, r.Attribute("Version").Value)).ToList();
}
else
{
packages =
from el in root.Elements("package")
select new Package("nuget", el.Attribute("id").Value, el.Attribute("version").Value, "");
}
return(packages);
}
catch (XmlException e)
{
throw new Exception("XML exception thrown parsing file: " + this.PackageManagerConfigurationFile, e);
}
catch (Exception e)
{
throw new Exception("Unknown exception thrown attempting to get packages from file: "
+ this.PackageManagerConfigurationFile, e);
}
}
public override IEnumerable <Package> GetPackages(params string[] o)
{
List <Package> packages = new List <Package>();
AuditFileInfo config_file = this.AuditEnvironment.ConstructFile(this.PackageManagerConfigurationFile);
JObject json = (JObject)JToken.Parse(config_file.ReadAsText());
JObject dependencies = (JObject)json["dependencies"];
JObject dev_dependencies = (JObject)json["devDependencies"];
JObject peer_dependencies = (JObject)json["peerDependencies"];
JObject optional_dependencies = (JObject)json["optionalDependencies"];
JObject bundled_dependencies = (JObject)json["bundledDependencies"];
if (dependencies != null)
{
packages.AddRange(dependencies.Properties()
.SelectMany(d => GetDeveloperPackages(d.Name.Replace("@", ""), d.Value.ToString())));
}
if (dev_dependencies != null)
{
packages.AddRange(dev_dependencies.Properties()
.SelectMany(d => GetDeveloperPackages(d.Name.Replace("@", ""), d.Value.ToString())));
}
if (peer_dependencies != null)
{
packages.AddRange(peer_dependencies.Properties()
.SelectMany(d => GetDeveloperPackages(d.Name.Replace("@", ""), d.Value.ToString())));
}
if (optional_dependencies != null)
{
packages.AddRange(optional_dependencies.Properties()
.SelectMany(d => GetDeveloperPackages(d.Name.Replace("@", ""), d.Value.ToString())));
}
if (bundled_dependencies != null)
{
packages.AddRange(bundled_dependencies.Properties()
.SelectMany(d => GetDeveloperPackages(d.Name.Replace("@", ""), d.Value.ToString())));
}
if (!string.IsNullOrEmpty(this.PackageSourceLockFile))
{
this.GetPackageManagerLockFilePackages(packages);
}
return(packages);
}
protected override IConfiguration GetConfiguration()
{
PostgreSQL pgsql = new PostgreSQL(this.ConfigurationFile, this.AlpheusEnvironment);
if (pgsql.ParseSucceded)
{
this.Configuration = pgsql;
this.ConfigurationInitialised = true;
this.AuditEnvironment.Success(this.ConfigurationStatistics);
if (this.AuditEnvironment.OS.Platform == PlatformID.Unix)
{
string auto_file_path = this.FindServerFile(this.CombinePath("@", "var", "lib", "*sql", "*", "postgresql.auto.conf")).FirstOrDefault();
if (!string.IsNullOrEmpty(auto_file_path))
{
AuditFileInfo auto_config_file = this.AuditEnvironment.ConstructFile(auto_file_path);
this.AuditEnvironment.Info("Found PostgreSQL server auto configuration file {0}.", auto_config_file.FullName);
PostgreSQL auto_pgsql = new PostgreSQL(auto_config_file);
if (auto_pgsql.ParseSucceded)
{
pgsql.XmlConfiguration.Root.Element("Values").Add(auto_pgsql.XmlConfiguration.Root.Element("Values").Descendants());
this.AuditEnvironment.Success("Merged configuration from {0}.", auto_pgsql.FullFilePath);
}
}
}
this.Configuration.XmlConfiguration.Root.Add(new XAttribute("Version", this.Version));
}
else
{
this.AuditEnvironment.Error("Could not parse configuration from {0}.", pgsql.FullFilePath);
if (pgsql.LastParseException != null)
{
this.AuditEnvironment.Error(pgsql.LastParseException);
}
if (pgsql.LastIOException != null)
{
this.AuditEnvironment.Error(pgsql.LastIOException);
}
this.Configuration = null;
this.ConfigurationInitialised = false;
}
return(this.Configuration);
}
protected override void DetectServerBinaryFile(Dictionary <PlatformID, string[]> autodetect_binary_file_path)
{
bool set_binary_from_process_cmdline = false;
List <ProcessInfo> processes = this.AuditEnvironment.GetAllRunningProcesses();
if (processes != null && processes.Any(p => p.CommandLine == "postgres"))
{
string f = WhichServerFile("postgres");
if (!string.IsNullOrEmpty(f))
{
AuditFileInfo ab = this.AuditEnvironment.ConstructFile(f);
if (ab.Exists)
{
this.ApplicationBinary = ab;
this.AuditEnvironment.Success("Auto-detected PostgreSQL binary at {0}.", this.ApplicationBinary.FullName);
set_binary_from_process_cmdline = true;
}
}
}
if (!set_binary_from_process_cmdline)
{
base.DetectServerBinaryFile(autodetect_binary_file_path);
}
}
public override IEnumerable <Package> GetPackages(params string[] o)
{
AuditFileInfo config_file = this.AuditEnvironment.ConstructFile(this.PackageManagerConfigurationFile);
List <Package> packages = new List <Package>();
var isSnlSolution = config_file.Name.EndsWith(".sln");
var isCsProj = config_file.Name.EndsWith(".csproj");
var isBuildTargets = config_file.Name.EndsWith(".Build.targets");
var isDepsJson = config_file.Name.EndsWith(".deps.json");
if (isSnlSolution)
{
var Content = File.ReadAllText(this.PackageManagerConfigurationFile);
Regex projReg = new Regex("Project\\(\"\\{[\\w-]*\\}\"\\) = \"([\\w _]*.*)\", \"(.*\\.(cs|vcx|vb)proj)\"", RegexOptions.Compiled);
var matches = projReg.Matches(Content).Cast <Match>();
var Projects = matches.Select(x => x.Groups[2].Value).ToList();
for (int i = 0; i < Projects.Count; ++i)
{
if (!Path.IsPathRooted(Projects[i]))
{
Projects[i] = Path.Combine(Path.GetDirectoryName(this.PackageManagerConfigurationFile),
Projects[i]);
}
Projects[i] = Path.GetFullPath(Projects[i]);
}
foreach (var project in Projects)
{
var tmpProject = GetPackagesFromProjectFile(project, true);
if (tmpProject.Count != 0)
{
this.AuditEnvironment.Info($"Found {tmpProject.Count} packages in {project}");
foreach (var tmpPacket in tmpProject)
{
if (!packages.Contains(tmpPacket))
{
packages.Add(tmpPacket);
}
}
}
}
return(packages);
}
if (isCsProj || isBuildTargets)
{
return(GetPackagesFromProjectFile(this.PackageManagerConfigurationFile, isCsProj));
}
if (isDepsJson)
{
try
{
this.AuditEnvironment.Info("Reading packages from .NET Core dependencies manifest..");
JObject json = (JObject)JToken.Parse(config_file.ReadAsText());
JObject libraries = (JObject)json["libraries"];
if (libraries != null)
{
foreach (JProperty p in libraries.Properties())
{
string[] name = p.Name.Split('/');
// Packages with version 0.0.0.0 can show up if the are part of .net framework.
// Checking this version number is quite useless and might give a false positive.
if (name[1] != "0.0.0.0")
{
packages.Add(new Package("nuget", name[0], name[1]));
}
}
}
return(packages);
}
catch (Exception e)
{
this.AuditEnvironment.Error(e, "Error reading .NET Core dependencies manifest {0}.", config_file.FullName);
return(packages);
}
}
this.AuditEnvironment.Error("Unknown .NET Core project file type: {0}.", config_file.FullName);
return(packages);
}
private List <Package> GetPackagesFromProjectFile(string filename, bool isCsProj)
{
List <Package> packages = new List <Package>();
AuditFileInfo config_file = this.AuditEnvironment.ConstructFile(filename);
var fileType = isCsProj ? ".csproj" : "build targets";
this.AuditEnvironment.Info($"Reading packages from .NET Core C# {fileType} file.");
string _byteOrderMarkUtf8 = Encoding.UTF8.GetString(Encoding.UTF8.GetPreamble());
string xml = config_file.ReadAsText();
if (xml.StartsWith(_byteOrderMarkUtf8, StringComparison.Ordinal))
{
var lastIndexOfUtf8 = _byteOrderMarkUtf8.Length;
xml = xml.Remove(0, lastIndexOfUtf8);
}
XElement root = XElement.Parse(xml);
var package = isCsProj ? "Include" : "Update";
if (root.Name.LocalName == "Project")
{
packages =
root
.Descendants()
.Where(x => x.Name.LocalName == "PackageReference" && x.Attribute(package) != null && x.Attribute("Version") != null)
.SelectMany(r => GetDeveloperPackages(r.Attribute(package).Value, r.Attribute("Version").Value))
.ToList();
IEnumerable <string> skipped_packages =
root
.Descendants()
.Where(x => x.Name.LocalName == "PackageReference" && x.Attribute(package) != null && x.Attribute("Version") == null)
.Select(r => r.Attribute(package).Value);
if (skipped_packages.Count() > 0)
{
this.AuditEnvironment.Warning("{0} package(s) do not have a version specified and will not be audited: {1}.", skipped_packages.Count(),
skipped_packages.Aggregate((s1, s2) => s1 + "," + s2));
}
var helper = new NuGetApiHelper(this.AuditEnvironment, config_file.DirectoryName);
var nuGetFrameworks = helper.GetFrameworks(root);
if (!nuGetFrameworks.Any())
{
AuditEnvironment.Warning("Scanning from project file found 0 packages, checking for packages.config file. ");
nuGetFrameworks = helper.GetFrameworks();
}
if (!nuGetFrameworks.Any())
{
AuditEnvironment.Warning("Scanning NuGet transitive dependencies failed because no target framework is found in {0}...", config_file.Name);
}
foreach (var framework in nuGetFrameworks)
{
AuditEnvironment.Info("Scanning NuGet transitive dependencies for {0}...", framework.GetFrameworkString());
var deps = helper.GetPackageDependencies(packages, framework);
Task.WaitAll(deps);
packages = helper.AddPackageDependencies(deps.Result, packages);
}
return(packages);
}
else
{
this.AuditEnvironment.Error("{0} is not a .NET Core format .csproj file.", config_file.FullName);
return(packages);
}
}
public override IEnumerable <Package> GetPackages(params string[] o)
{
AuditFileInfo config_file = this.AuditEnvironment.ConstructFile(this.PackageManagerConfigurationFile);
List <Package> packages = new List <Package>();
var isCsProj = config_file.Name.EndsWith(".csproj");
var isBuildTargets = config_file.Name.EndsWith(".Build.targets");
var isDepsJson = config_file.Name.EndsWith(".deps.json");
if (isCsProj || isBuildTargets)
{
var fileType = isCsProj ? ".csproj" : "build targets";
this.AuditEnvironment.Info($"Reading packages from .NET Core C# {fileType} file.");
string _byteOrderMarkUtf8 = Encoding.UTF8.GetString(Encoding.UTF8.GetPreamble());
string xml = config_file.ReadAsText();
if (xml.StartsWith(_byteOrderMarkUtf8, StringComparison.Ordinal))
{
var lastIndexOfUtf8 = _byteOrderMarkUtf8.Length;
xml = xml.Remove(0, lastIndexOfUtf8);
}
XElement root = XElement.Parse(xml);
var package = isCsProj ? "Include" : "Update";
if (root.Name.LocalName == "Project")
{
packages =
root
.Descendants()
.Where(x => x.Name.LocalName == "PackageReference" && x.Attribute(package) != null && x.Attribute("Version") != null)
.SelectMany(r => GetDeveloperPackages(r.Attribute(package).Value, r.Attribute("Version").Value))
.ToList();
IEnumerable <string> skipped_packages =
root
.Descendants()
.Where(x => x.Name.LocalName == "PackageReference" && x.Attribute(package) != null && x.Attribute("Version") == null)
.Select(r => r.Attribute(package).Value);
if (skipped_packages.Count() > 0)
{
this.AuditEnvironment.Warning("{0} package(s) do not have a version specified and will not be audited: {1}.", skipped_packages.Count(),
skipped_packages.Aggregate((s1, s2) => s1 + "," + s2));
}
var helper = new NuGetApiHelper(this.AuditEnvironment, config_file.DirectoryName);
var nuGetFrameworks = helper.GetFrameworks(root);
if (!nuGetFrameworks.Any())
{
AuditEnvironment.Warning("Scanning NuGet transitive dependencies failed because no target framework is found in {0}...", config_file.Name);
}
foreach (var framework in nuGetFrameworks)
{
AuditEnvironment.Info("Scanning NuGet transitive dependencies for {0}...", framework.GetFrameworkString());
var deps = helper.GetPackageDependencies(packages, framework);
Task.WaitAll(deps);
packages = helper.AddPackageDependencies(deps.Result, packages);
}
return(packages);
}
else
{
this.AuditEnvironment.Error("{0} is not a .NET Core format .csproj file.", config_file.FullName);
return(packages);
}
}
if (isDepsJson)
{
try
{
this.AuditEnvironment.Info("Reading packages from .NET Core dependencies manifest..");
JObject json = (JObject)JToken.Parse(config_file.ReadAsText());
JObject libraries = (JObject)json["libraries"];
if (libraries != null)
{
foreach (JProperty p in libraries.Properties())
{
string[] name = p.Name.Split('/');
// Packages with version 0.0.0.0 can show up if the are part of .net framework.
// Checking this version number is quite useless and might give a false positive.
if (name[1] != "0.0.0.0")
{
packages.Add(new Package("nuget", name[0], name[1]));
}
}
}
return(packages);
}
catch (Exception e)
{
this.AuditEnvironment.Error(e, "Error reading .NET Core dependencies manifest {0}.", config_file.FullName);
return(packages);
}
}
this.AuditEnvironment.Error("Unknown .NET Core project file type: {0}.", config_file.FullName);
return(packages);
}
public AuditTarget(Dictionary <string, object> audit_options, EventHandler <EnvironmentEventArgs> controller_message_handler = null)
{
if (ReferenceEquals(audit_options, null))
{
throw new ArgumentNullException("audit_options");
}
this.AuditOptions = audit_options;
#region Setup host environment
if (this.AuditOptions.ContainsKey("HostEnvironment"))
{
this.HostEnvironment = (LocalEnvironment)this.AuditOptions["HostEnvironment"];
this.HostEnvironmentInitialised = true;
}
else
{
this.ControllerMessage = controller_message_handler;
this.HostEnvironmentMessage = AuditTarget_HostEnvironmentMessageHandler;
this.HostEnvironment = new LocalEnvironment(this.HostEnvironmentMessage);
this.HostEnvironment.ScriptEnvironment.MessageHandler += this.AuditTarget_ScriptEnvironmentMessageHandler;
if (this.AuditOptions.ContainsKey("Dockerized"))
{
this.HostEnvironment.IsDockerContainer = true;
}
this.HostEnvironmentInitialised = true;
}
#endregion
#region Setup audit environment
if (this.AuditOptions.ContainsKey("AuditEnvironment"))
{
this.AuditEnvironment = (AuditEnvironment)this.AuditOptions["AuditEnvironment"];
this.AuditEnvironmentIntialised = true;
}
else
{
if (this.AuditOptions.Keys.Contains("DockerContainer") && !this.AuditOptions.Keys.Contains("RemoteHost"))
{
DockerAuditEnvironment docker_environment = new DockerAuditEnvironment(this.HostEnvironmentMessage, (string)this.AuditOptions["DockerContainer"], new OperatingSystem(PlatformID.Unix, new Version(0, 0)), this.HostEnvironment);
if (string.IsNullOrEmpty(docker_environment.Container))
{
this.AuditEnvironmentIntialised = false;
throw new Exception("Failed to initialise audit environment.");
}
else if (!docker_environment.ContainerRunning)
{
this.AuditEnvironmentIntialised = false;
throw new Exception("The Docker container is not currently running and DevAudit does not know how to run your container. Ensure your container is running before attempting to" +
"audit it.");
}
else
{
this.AuditEnvironment = docker_environment;
this.AuditEnvironmentIntialised = true;
this.AuditEnvironmentMessage = AuditTarget_AuditEnvironmentMessageHandler;
this.AuditEnvironment.MessageHandler -= HostEnvironmentMessage;
this.AuditEnvironment.MessageHandler += this.AuditEnvironmentMessage;
}
}
else if (this.AuditOptions.Keys.Contains("DockerContainer") && this.AuditOptions.Keys.Contains("RemoteHost"))
{
SshDockerAuditEnvironment ssh_environment = null;
if (this.AuditOptions.Keys.Contains("RemoteUser") && this.AuditOptions.Keys.Contains("RemoteKeyFile"))
{
if (this.AuditOptions.Keys.Contains("RemoteKeyPassPhrase"))
{
ssh_environment = new SshDockerAuditEnvironment(this.HostEnvironmentMessage, "ssh", (string)this.AuditOptions["RemoteHost"], (int)this.AuditOptions["RemoteSshPort"],
(string)this.AuditOptions["RemoteUser"], this.AuditOptions["RemoteKeyPassPhrase"], (string)this.AuditOptions["RemoteKeyFile"],
(string)this.AuditOptions["DockerContainer"], new OperatingSystem(PlatformID.Unix, new Version(0, 0)), this.HostEnvironment);
}
else
{
ssh_environment = new SshDockerAuditEnvironment(this.HostEnvironmentMessage, "ssh", (string)this.AuditOptions["RemoteHost"], (int)this.AuditOptions["RemoteSshPort"],
(string)this.AuditOptions["RemoteUser"], null, (string)this.AuditOptions["RemoteKeyFile"],
(string)this.AuditOptions["DockerContainer"], new OperatingSystem(PlatformID.Unix, new Version(0, 0)), this.HostEnvironment);
}
}
else if (this.AuditOptions.Keys.Contains("RemoteUser") && this.AuditOptions.Keys.Contains("RemotePass"))
{
ssh_environment = new SshDockerAuditEnvironment(this.HostEnvironmentMessage, "ssh", (string)this.AuditOptions["RemoteHost"], (int)this.AuditOptions["RemoteSshPort"],
(string)this.AuditOptions["RemoteUser"], this.AuditOptions["RemotePass"], null, (string)this.AuditOptions["DockerContainer"], new OperatingSystem(PlatformID.Unix, new Version(0, 0)), this.HostEnvironment);
}
else
{
throw new Exception("Unknown remote host authentication options.");
}
if (ssh_environment.IsConnected)
{
if (string.IsNullOrEmpty(ssh_environment.Container))
{
this.AuditEnvironmentIntialised = false;
throw new Exception("Failed to initialise audit environment.");
}
else if (!ssh_environment.ContainerRunning)
{
this.AuditEnvironmentIntialised = false;
throw new Exception("The Docker container is not currently running and DevAudit does not know how to run your container. Ensure your container is running before attempting to" +
"audit it.");
}
else
{
this.AuditEnvironment = ssh_environment;
this.AuditEnvironmentIntialised = true;
this.AuditEnvironmentMessage = AuditTarget_AuditEnvironmentMessageHandler;
this.AuditEnvironment.MessageHandler -= HostEnvironmentMessage;
this.AuditEnvironment.MessageHandler += this.AuditEnvironmentMessage;
}
}
else
{
ssh_environment = null;
this.AuditEnvironmentIntialised = false;
throw new Exception("Failed to initialise SSH Docker audit environment.");
}
}
else if (this.AuditOptions.Keys.Contains("RemoteHost"))
{
string client;
SshAuditEnvironment ssh_environment = null;
if (this.HostEnvironment.OS.Platform == PlatformID.Win32NT)
{
client = this.AuditOptions.Keys.Contains("WindowsUsePlink") ? "plink" : this.AuditOptions.Keys.Contains("WindowsUsePlink") ? "openssh" : "ssh";
}
else
{
client = "ssh";
}
if (this.AuditOptions.Keys.Contains("RemoteUser") && this.AuditOptions.Keys.Contains("RemoteKeyFile"))
{
if (this.AuditOptions.Keys.Contains("RemoteKeyPassPhrase"))
{
ssh_environment = new SshAuditEnvironment(this.HostEnvironmentMessage, client, (string)this.AuditOptions["RemoteHost"], (int)this.AuditOptions["RemoteSshPort"],
(string)this.AuditOptions["RemoteUser"], this.AuditOptions["RemoteKeyPassPhrase"], (string)this.AuditOptions["RemoteKeyFile"], new OperatingSystem(PlatformID.Unix, new Version(0, 0)), this.HostEnvironment);
}
else
{
ssh_environment = new SshAuditEnvironment(this.HostEnvironmentMessage, client, (string)this.AuditOptions["RemoteHost"], (int)this.AuditOptions["RemoteSshPort"],
(string)this.AuditOptions["RemoteUser"], null, (string)this.AuditOptions["RemoteKeyFile"], new OperatingSystem(PlatformID.Unix, new Version(0, 0)), this.HostEnvironment);
}
}
else if (this.AuditOptions.Keys.Contains("RemoteUser") && this.AuditOptions.Keys.Contains("RemotePass"))
{
ssh_environment = new SshAuditEnvironment(this.HostEnvironmentMessage, client, (string)this.AuditOptions["RemoteHost"], (int)this.AuditOptions["RemoteSshPort"],
(string)this.AuditOptions["RemoteUser"], this.AuditOptions["RemotePass"], null, new OperatingSystem(PlatformID.Unix, new Version(0, 0)), this.HostEnvironment);
}
else
{
throw new Exception("Unknown remote host authentication options.");
}
if (ssh_environment.IsConnected)
{
this.AuditEnvironment = ssh_environment;
this.AuditEnvironmentIntialised = true;
this.AuditEnvironmentMessage = AuditTarget_AuditEnvironmentMessageHandler;
this.AuditEnvironment.MessageHandler -= HostEnvironmentMessage;
this.AuditEnvironment.MessageHandler += this.AuditEnvironmentMessage;
}
else
{
ssh_environment = null;
this.AuditEnvironmentIntialised = false;
throw new Exception("Failed to initialise SSH audit environment.");
}
}
else if (this.AuditOptions.Keys.Contains("WinRmRemoteIp") || this.AuditOptions.Keys.Contains("WinRmRemoteHost"))
{
if (!this.AuditOptions.Keys.Contains("RemoteUser") || !this.AuditOptions.Keys.Contains("RemotePass"))
{
throw new Exception("A remote user and password must be specified.");
}
WinRmAuditEnvironment winrm;
if (this.AuditOptions.Keys.Contains("WinRmRemoteIp"))
{
winrm = new WinRmAuditEnvironment(this.HostEnvironmentMessage, this.AuditOptions["WinRmRemoteIp"] as IPAddress,
(string)this.AuditOptions["RemoteUser"], (SecureString)this.AuditOptions["RemotePass"], this.HostEnvironment);
if (winrm.IsConnected)
{
this.AuditEnvironment = winrm;
this.AuditEnvironmentIntialised = true;
this.AuditEnvironmentMessage = AuditTarget_AuditEnvironmentMessageHandler;
this.AuditEnvironment.MessageHandler -= HostEnvironmentMessage;
this.AuditEnvironment.MessageHandler += this.AuditEnvironmentMessage;
}
else
{
winrm = null;
this.AuditEnvironmentIntialised = false;
throw new Exception("Failed to initialise WinRM audit environment.");
}
}
else
{
winrm = new WinRmAuditEnvironment(this.HostEnvironmentMessage, (string)this.AuditOptions["WinRmRemoteHost"],
(string)this.AuditOptions["RemoteUser"], (SecureString)this.AuditOptions["RemotePass"], this.HostEnvironment);
}
}
else if (this.AuditOptions.Keys.Contains("RemoteUser") || this.AuditOptions.Keys.Contains("RemotePass"))
{
throw new Exception("A remote host name must be specified.");
}
else if (this.AuditOptions.ContainsKey("Dockerized"))
{
this.AuditEnvironmentMessage = AuditTarget_AuditEnvironmentMessageHandler;
this.AuditEnvironment = new DockerizedLocalEnvironment(this.AuditEnvironmentMessage);
this.AuditEnvironmentIntialised = true;
}
else if (this.AuditOptions.ContainsKey("GitHubRepoName"))
{
if (!this.AuditOptions.ContainsKey("GitHubRepoOwner") || !this.AuditOptions.ContainsKey("GitHubRepoBranch"))
{
throw new ArgumentException("A required audit option for the GitHub environment is missing.");
}
string user_api_token = string.Empty;
if (this.AuditOptions.ContainsKey("GitHubToken"))
{
user_api_token = (string)this.AuditOptions["GitHubToken"];
}
GitHubAuditEnvironment github_environment = new GitHubAuditEnvironment(this.HostEnvironmentMessage, user_api_token, (string)this.AuditOptions["GitHubRepoOwner"],
(string)this.AuditOptions["GitHubRepoName"], (string)this.AuditOptions["GitHubRepoBranch"], this.HostEnvironment);
if (github_environment.RepositoryInitialised)
{
this.AuditEnvironment = github_environment;
this.AuditEnvironmentIntialised = true;
this.AuditEnvironmentMessage = AuditTarget_AuditEnvironmentMessageHandler;
this.AuditEnvironment.MessageHandler -= HostEnvironmentMessage;
this.AuditEnvironment.MessageHandler += this.AuditEnvironmentMessage;
}
else
{
github_environment = null;
this.AuditEnvironmentIntialised = false;
throw new Exception("Failed to initialise GitHub audit environment.");
}
}
else if (this.AuditOptions.ContainsKey("GitLabRepoName"))
{
string api_token = string.Empty;
if (!this.AuditOptions.ContainsKey("GitLabRepoUrl") || !this.AuditOptions.ContainsKey("GitLabRepoName") || !this.AuditOptions.ContainsKey("GitLabRepoBranch"))
{
throw new ArgumentException("A required audit option for the GitLab environment is missing.");
}
GitLabAuditEnvironment GitLab_environment = new GitLabAuditEnvironment(this.HostEnvironmentMessage, api_token, (string)this.AuditOptions["GitLabRepoUrl"],
(string)this.AuditOptions["GitLabRepoName"], (string)this.AuditOptions["GitLabRepoBranch"], this.HostEnvironment);
if (GitLab_environment.RepositoryInitialised)
{
this.AuditEnvironment = GitLab_environment;
this.AuditEnvironmentIntialised = true;
this.AuditEnvironmentMessage = AuditTarget_AuditEnvironmentMessageHandler;
this.AuditEnvironment.MessageHandler -= HostEnvironmentMessage;
this.AuditEnvironment.MessageHandler += this.AuditEnvironmentMessage;
}
else
{
GitLab_environment = null;
this.AuditEnvironmentIntialised = false;
throw new Exception("Failed to initialise audit environment.");
}
}
else
{
this.AuditEnvironmentMessage = AuditTarget_AuditEnvironmentMessageHandler;
this.AuditEnvironment = new LocalEnvironment(this.AuditEnvironmentMessage);
this.AuditEnvironmentIntialised = true;
}
if (this.AuditOptions.ContainsKey("Profile"))
{
AuditFileInfo pf = this.AuditEnvironment.ConstructFile((string)this.AuditOptions["Profile"]);
if (pf.Exists)
{
this.AuditProfile = new AuditProfile(this.AuditEnvironment, pf);
}
else
{
this.AuditEnvironment.Warning("The profile file {0} does not exist. No audit profile will be used.", pf.FullName);
}
}
if (this.AuditEnvironment is IOperatingSystemEnvironment)
{
this.AuditEnvironment.GetOSName();
this.AuditEnvironment.GetOSVersion();
if (this.AuditOptions.ContainsKey("OSName"))
{
this.AuditEnvironment.OSName = (string)this.AuditOptions["OSName"];
this.AuditEnvironment.Info("Overriding audit environment OS name to {0}.", this.AuditEnvironment.OSName);
}
if (this.AuditOptions.ContainsKey("OSVersion"))
{
this.AuditEnvironment.OSVersion = (string)this.AuditOptions["OSVersion"];
this.AuditEnvironment.Info("Overriding audit environment OS version to {0}.", this.AuditEnvironment.OSVersion);
}
}
}
#endregion
#region Setup data source options
if (this.AuditOptions.ContainsKey("NoCache"))
{
this.DataSourceOptions.Add("NoCache", true);
}
if (this.AuditOptions.ContainsKey("DeleteCache"))
{
this.DataSourceOptions.Add("DeleteCache", true);
}
if (this.AuditOptions.ContainsKey("HttpsProxy"))
{
DataSourceOptions.Add("HttpsProxy", (Uri)this.AuditOptions["HttpsProxy"]);
}
if (this.AuditOptions.ContainsKey("IgnoreHttpsCertErrors"))
{
this.DataSourceOptions.Add("IgnoreHttpsCertErrors", true);
}
if (this.AuditOptions.ContainsKey("ApiUser"))
{
this.DataSourceOptions.Add("ApiUser", this.AuditOptions["ApiUser"]);
}
else if (!string.IsNullOrEmpty(Environment.GetEnvironmentVariable("API_USER")))
{
this.DataSourceOptions.Add("ApiUser", Environment.GetEnvironmentVariable("API_USER"));
}
if (this.AuditOptions.ContainsKey("ApiToken"))
{
this.DataSourceOptions.Add("ApiToken", this.AuditOptions["ApiToken"]);
}
else if (!string.IsNullOrEmpty(Environment.GetEnvironmentVariable("API_TOKEN")))
{
this.DataSourceOptions.Add("ApiToken", Environment.GetEnvironmentVariable("API_TOKEN"));
}
if (this.AuditOptions.ContainsKey("WithOSSI"))
{
this.DataSources.Add(new OSSIndexApiv3DataSource(this, DataSourceOptions));
}
if (this.AuditOptions.ContainsKey("WithVulners"))
{
this.DataSources.Add(new VulnersDataSource(this, DataSourceOptions));
}
#endregion
#region Setup audit profile
if (this.AuditEnvironment.FileExists("devaudit.yml"))
{
this.AuditProfile = new AuditProfile(this.AuditEnvironment, this.AuditEnvironment.ConstructFile("devaudit.yml"));
}
#endregion
}
public void GetPackageManagerLockFilePackages(List <Package> packages)
{
int origCount = packages.Count;
AuditFileInfo f = this.AuditEnvironment.ConstructFile(this.PackageSourceLockFile);
string text = f.ReadAsText();
string[] lines = text.Split(new[] { "\n" }, StringSplitOptions.None);
bool insideDeps = false;
List <string> deps = new List <string>();
for (int i = 0; i < lines.Length; i++)
{
string line = lines[i];
if (!insideDeps && line.Trim().StartsWith("dependencies:"))
{
insideDeps = true;
continue;
}
else if (insideDeps && string.IsNullOrEmpty(line.Trim()) || line.Trim() == "optionalDependencies:")
{
insideDeps = false;
continue;
}
else if (insideDeps)
{
deps.Add(line);
}
else
{
continue;
}
}
foreach (var d in deps)
{
var m = dRegEx.Match(d);
if (m.Success)
{
string n = m.Groups[1].Value.Replace("@", "").Trim();
string v = m.Groups[2].Value.Trim();
var depPackages = GetDeveloperPackages(n, v);
foreach (var package in depPackages)
{
if (!packages.Any(p => p.Name == package.Name && p.Version == package.Version))
{
packages.Add(package);
}
}
}
else
{
this.AuditEnvironment.Error("Could not parse lock file dependency line {0}. Skipping.", d.Trim());
}
}
//var m = l.Matches(text);
if (packages.Count > origCount)
{
this.AuditEnvironment.Info("Added {0} package dependencies from Yarn lock file {1}.",
packages.Count - origCount, this.PackageSourceLockFile);
}
}
public NetFxCodeProject(Dictionary <string, object> project_options, Dictionary <string, string[]> default_file_location_paths, string analyzer_type, EventHandler <EnvironmentEventArgs> message_handler)
: base(project_options, message_handler, default_file_location_paths, analyzer_type)
{
this.message_handler = message_handler;
if (this.CodeProjectOptions.ContainsKey("ProjectFile"))
{
string pf = (string)CodeProjectOptions["ProjectFile"];
if (!pf.StartsWith("@"))
{
throw new ArgumentException("ProjectFile option must be relative to root directory and start with the @ char.", "project_options");
}
AuditFileInfo wf = this.AuditEnvironment.ConstructFile(this.CombinePath(pf));
if (wf.Exists)
{
this.WorkspaceFilePath = pf;
this.CodeProjectFileSystemMap["RootDirectory"] = this.AuditEnvironment.ConstructDirectory(wf.Directory.FullName);
}
else
{
throw new ArgumentException(string.Format("Could not find the MSBuild project file at {0}.", wf.FullName), "project_options");
}
}
else if (this.CodeProjectOptions.ContainsKey("ProjectName"))
{
string fn_1 = this.CombinePath("@", (string)this.CodeProjectOptions["ProjectName"]); //CodeProjectName/CodeProjectName.xxx
//string fn_2 = this.CombinePath("src", (string)this.CodeProjectOptions["CodeProjectName"], (string)this.CodeProjectOptions["CodeProjectName"]); //CodeProjectName/src/CodeProjectName.xxx
AuditFileInfo wf_11 = this.AuditEnvironment.ConstructFile(fn_1 + ".csproj");
AuditFileInfo wf_12 = this.AuditEnvironment.ConstructFile(fn_1 + ".xproj");
//AuditFileInfo wf_21 = this.AuditEnvironment.ConstructFile(fn_2 + ".csproj");
//AuditFileInfo wf_22 = this.AuditEnvironment.ConstructFile(fn_2 + ".xproj");
if (wf_11.Exists)
{
this.WorkspaceFilePath = "@" + (string)this.CodeProjectOptions["ProjectName"] + ".csproj";
this.CodeProjectFileSystemMap["RootDirectory"] = this.AuditEnvironment.ConstructDirectory(wf_11.Directory.FullName);
}
else if (wf_12.Exists)
{
this.WorkspaceFilePath = "@" + (string)this.CodeProjectOptions["ProjectName"] + ".xproj";
this.CodeProjectFileSystemMap["RootDirectory"] = this.AuditEnvironment.ConstructDirectory(wf_12.Directory.FullName);
}
/*
* else if (wf_22.Exists)
* {
* this.WorkspaceFilePath = this.CombinePath("src", (string)this.CodeProjectOptions["CodeProjectName"], (string)this.CodeProjectOptions["CodeProjectName"]) + ".xproj";
* this.ProjectDirectory = wf_22.Directory as AuditDirectoryInfo;
* this.CodeProjectFileSystemMap["RootDirectory"] = wf_22.Directory as AuditDirectoryInfo;
* }
*/
else
{
throw new ArgumentException(string.Format("No ProjectFile option was specified and could not find the default project file at {0} or {1}.", wf_11.FullName, wf_12.FullName), "project_options");
}
}
else
{
throw new ArgumentException("Either the ProjectFile or ProjectName option must be specified.", "project_options");
}
this.ProjectDirectory = this.RootDirectory;
this.AuditEnvironment.Info("Using MSBuild project file {0}.", this.WorkspaceFilePath);
//Ensure CSharp assembly gets pulled into build.
var _ = typeof(Microsoft.CodeAnalysis.CSharp.Formatting.CSharpFormattingOptions);
if (this.CodeProjectOptions.ContainsKey("PackageSource"))
{
AuditFileInfo packages_config = this.AuditEnvironment.ConstructFile(this.CombinePath((string)CodeProjectOptions["PackageSource"]));
if (packages_config.Exists)
{
this.AuditEnvironment.Debug("Using NuGet v2 package manager configuration file {0}", packages_config.FullName);
this.PackageSource = new NuGetPackageSource(new Dictionary <string, object>(1)
{
{ "File", packages_config.FullName }
}, message_handler);
this.PackageSourceFile = packages_config;
PackageSourceInitialized = true;
}
else
{
throw new ArgumentException(string.Format("Could not find the NuGet v2 package source file at {0}.", packages_config.FullName), "project_options");
}
}
else
{
AuditFileInfo packages_config = this.AuditEnvironment.ConstructFile(this.CombinePath("@packages.config"));
if (packages_config.Exists)
{
this.AuditEnvironment.Debug("Using NuGet v2 package manager configuration file {0}", packages_config.FullName);
this.PackageSource = new NuGetPackageSource(new Dictionary <string, object>(1)
{
{ "File", packages_config.FullName }
}, message_handler);
this.PackageSourceFile = packages_config;
PackageSourceInitialized = true;
}
else
{
this.AuditEnvironment.Warning("No PackageSource option was specified and the default NuGet v2 package manager configuration file {0} does not exist.", packages_config.FullName);
PackageSourceInitialized = false;
}
}
this.ConfigurationFiles = this.RootDirectory.GetFiles("*.config", SearchOption.TopDirectoryOnly).Select(f => f as AuditFileInfo).ToList();
if (this.CodeProjectOptions.ContainsKey("AppConfig"))
{
AuditFileInfo cf = this.AuditEnvironment.ConstructFile(this.CombinePath((string)this.CodeProjectOptions["AppConfig"]));
if (!cf.Exists)
{
throw new ArgumentException(string.Format("The .NET application configuration file {0} does not exist.", cf.FullName));
}
else
{
this.AppConfigurationFile = cf;
this.AuditEnvironment.Info("Using .NET application configuration file {0}.", cf.FullName);
}
}
else
{
AuditFileInfo cf = this.AuditEnvironment.ConstructFile(this.CombinePath(this.DefaultFileLocationPaths["AppConfig"]));
if (!cf.Exists)
{
this.AuditEnvironment.Warning("The .NET application configuration file was not specified and the default file was not found.");
}
else
{
this.AppConfigurationFile = cf;
this.AuditEnvironment.Info("Using default .NET application configuration file {0}.", cf.FullName);
}
}
if (this.AppConfigurationFile != null)
{
this.GetApplication();
}
}
public PackageSource(Dictionary <string, object> package_source_options, EventHandler <EnvironmentEventArgs> message_handler) : base(package_source_options, message_handler)
{
this.PackageSourceOptions = this.AuditOptions;
if (this.PackageSourceOptions.ContainsKey("File"))
{
this.PackageManagerConfigurationFile = (string)this.PackageSourceOptions["File"];
if (!this.AuditEnvironment.FileExists(this.PackageManagerConfigurationFile))
{
throw new ArgumentException("Could not find the file " + this.PackageManagerConfigurationFile + ".", "package_source_options");
}
}
else if (!this.PackageSourceOptions.ContainsKey("File") && this.DefaultPackageManagerConfigurationFile != string.Empty)
{
if (this.AuditEnvironment.FileExists(this.DefaultPackageManagerConfigurationFile))
{
this.AuditEnvironment.Info("Using default {0} package manager configuration file {1}", this.PackageManagerLabel, this.DefaultPackageManagerConfigurationFile);
this.PackageManagerConfigurationFile = this.DefaultPackageManagerConfigurationFile;
}
else
{
throw new ArgumentException(string.Format("No file option was specified and the default {0} package manager configuration file {1} was not found.", this.PackageManagerLabel, this.DefaultPackageManagerConfigurationFile));
}
}
if (!string.IsNullOrEmpty(this.PackageManagerConfigurationFile))
{
AuditFileInfo cf = this.AuditEnvironment.ConstructFile(this.PackageManagerConfigurationFile);
AuditDirectoryInfo d = this.AuditEnvironment.ConstructDirectory(cf.DirectoryName);
IFileInfo[] pf;
if ((pf = d.GetFiles("devaudit.yml")) != null)
{
this.AuditProfile = new AuditProfile(this.AuditEnvironment, this.AuditEnvironment.ConstructFile(pf.First().FullName));
}
}
if (this.PackageSourceOptions.ContainsKey("ListPackages"))
{
this.ListPackages = true;
}
if (this.PackageSourceOptions.ContainsKey("ListArtifacts"))
{
this.ListArtifacts = true;
}
if (this.PackageSourceOptions.ContainsKey("SkipPackagesAudit"))
{
this.SkipPackagesAudit = true;
}
if (this.PackageSourceOptions.ContainsKey("WithPackageInfo"))
{
this.WithPackageInfo = true;
}
if (this.PackageSourceOptions.ContainsKey("HttpsProxy"))
{
if (this.AuditOptions.ContainsKey("HttpsProxy"))
{
DataSourceOptions.Add("HttpsProxy", (Uri)this.PackageSourceOptions["HttpsProxy"]);
}
}
string[] ossi_pms = { "bower", "composer", "choco", "msi", "nuget", "oneget", "yarn" };
if (this.DataSources.Count == 0 && ossi_pms.Contains(this.PackageManagerId))
{
this.HostEnvironment.Info("Using OSS Index as default package vulnerabilities data source for {0} package source.", this.PackageManagerLabel);
this.DataSources.Add(new OSSIndexDataSource(this, this.DataSourceOptions));
}
}
public NetFx4Application(Dictionary <string, object> application_options, Dictionary <string, string[]> required_files,
Dictionary <string, string[]> required_directories, string analyzer_type, EventHandler <EnvironmentEventArgs> message_handler) : base(application_options,
required_files, required_directories, analyzer_type, message_handler)
{
if (!this.SkipPackagesAudit)
{
if (application_options.ContainsKey("PackageSource"))
{
application_options.Add("File", this.CombinePath((string)application_options["PackageSource"]));
this.NugetPackageSource = new NuGetPackageSource(application_options, message_handler);
this.PackageSourceInitialized = true;
this.AuditEnvironment.Info("Using NuGet v2 package manager configuration file {0}", (string)application_options["PackageSource"]);
}
else if (application_options.ContainsKey("File"))
{
application_options.Add("File", this.CombinePath((string)application_options["File"]));
this.NugetPackageSource = new NuGetPackageSource(application_options, message_handler);
this.PackageSourceInitialized = true;
this.AuditEnvironment.Info("Using NuGet v2 package manager configuration file {0}", (string)application_options["File"]);
}
else
{
AuditFileInfo packages_config = this.AuditEnvironment.ConstructFile(this.CombinePath("@packages.config"));
if (packages_config.Exists)
{
application_options.Add("File", packages_config.FullName);
this.NugetPackageSource = new NuGetPackageSource(application_options, message_handler);
this.PackageSourceInitialized = true;
this.AuditEnvironment.Info("Using NuGet v2 package manager configuration file {0}", packages_config.FullName);
}
else
{
this.AuditEnvironment.Warning("The default NuGet v2 package manager configuration file {0} does not exist and no PackageSource parameter was specified.", packages_config.FullName);
PackageSourceInitialized = false;
}
}
}
AuditFileInfo cf;
if (this.ApplicationFileSystemMap.ContainsKey("AppConfig"))
{
this.AppConfig = this.ApplicationFileSystemMap["AppConfig"] as AuditFileInfo;
this.AuditEnvironment.Info("Using {0} configuration file {1}.", this.ApplicationLabel, this.AppConfig.FullName);
}
else if (application_options.ContainsKey("AppConfig"))
{
cf = this.AuditEnvironment.ConstructFile(this.CombinePath((string)application_options["AppConfig"]));
if (cf.Exists)
{
this.AppConfig = cf;
this.AuditEnvironment.Info("Using {0} configuration file {1}.", this.ApplicationLabel, this.AppConfig.FullName);
}
else
{
throw new ArgumentException(string.Format("The configuration file {0} does not exist.", cf.FullName), "application_options");
}
}
else if (application_options.ContainsKey("ConfigurationFile"))
{
cf = this.AuditEnvironment.ConstructFile(this.CombinePath((string)application_options["ConfigurationFile"]));
if (cf.Exists)
{
this.AppConfig = cf;
this.AuditEnvironment.Info("Using {0} configuration file {1}.", this.ApplicationLabel, this.AppConfig.FullName);
}
else
{
throw new ArgumentException(string.Format("The configuration file {0} does not exist.", cf.FullName), "application_options");
}
}
else if (this.AuditEnvironment.FileExists(this.CombinePath("@App.config")))
{
cf = this.AuditEnvironment.ConstructFile(this.CombinePath(("@App.config")));
this.AppConfig = cf;
this.AuditEnvironment.Info("Using {0} configuration file {1}.", this.ApplicationLabel, this.AppConfig.FullName);
}
else if (this.ApplicationBinary != null)
{
cf = this.AuditEnvironment.ConstructFile(this.ApplicationBinary.FullName + ".config");
if (!cf.Exists)
{
this.AuditEnvironment.Warning("The default .NET application configuration file {0} does not exist and no AppConfig parameter was specified.", cf.FullName);
}
else
{
this.AppConfig = cf;
this.AuditEnvironment.Info("Using {0} configuration file {1}.", this.ApplicationLabel, this.AppConfig.FullName);
}
}
else
{
this.AuditEnvironment.Warning("The default .NET application configuration file could not be determined and no AppConfig parameter was specified.");
}
if (this.PackageSourceInitialized && this.DataSources.Count == 0)
{
// this.DataSources.Add(new OSSIndexDataSource(this, this.DataSourceOptions));
this.DataSources.Add(new OSSIndexApiv3DataSource(this, DataSourceOptions));
}
}
public AuditTarget(Dictionary <string, object> audit_options, EventHandler <EnvironmentEventArgs> controller_message_handler = null)
{
if (ReferenceEquals(audit_options, null))
{
throw new ArgumentNullException("audit_options");
}
this.AuditOptions = audit_options;
this.ControllerMessage = controller_message_handler;
this.HostEnvironmentMessage = AuditTarget_HostEnvironmentMessageHandler;
this.HostEnvironment = new LocalEnvironment(this.HostEnvironmentMessage);
this.HostEnvironment.ScriptEnvironment.MessageHandler += this.AuditTarget_ScriptEnvironmentMessageHandler;
if (this.AuditOptions.ContainsKey("Dockerized"))
{
this.HostEnvironment.IsDockerContainer = true;
}
this.HostEnvironmentInitialised = true;
if (this.AuditOptions.Keys.Contains("DockerContainer"))
{
DockerAuditEnvironment docker_environment = new DockerAuditEnvironment(this.HostEnvironmentMessage, (string)this.AuditOptions["DockerContainer"], new OperatingSystem(PlatformID.Unix, new Version(0, 0)), this.HostEnvironment);
if (string.IsNullOrEmpty(docker_environment.Container))
{
this.AuditEnvironmentIntialised = false;
throw new Exception("Failed to initialise audit environment.");
}
else if (!docker_environment.ContainerRunning)
{
this.AuditEnvironmentIntialised = false;
throw new Exception("The Docker container is not currently running and DevAudit does not know how to run your container. Ensure your container is running before attempting to" +
"audit it.");
}
else
{
this.AuditEnvironment = docker_environment;
this.AuditEnvironmentIntialised = true;
this.AuditEnvironmentMessage = AuditTarget_AuditEnvironmentMessageHandler;
this.AuditEnvironment.MessageHandler -= HostEnvironmentMessage;
this.AuditEnvironment.MessageHandler += this.AuditEnvironmentMessage;
}
}
else if (this.AuditOptions.Keys.Contains("RemoteHost"))
{
string client;
SshAuditEnvironment ssh_environment = null;
if (this.HostEnvironment.OS.Platform == PlatformID.Win32NT)
{
client = this.AuditOptions.Keys.Contains("WindowsUsePlink") ? "plink" : this.AuditOptions.Keys.Contains("WindowsUsePlink") ? "openssh" : "ssh";
}
else
{
client = "ssh";
}
if (this.AuditOptions.Keys.Contains("RemoteUser") && this.AuditOptions.Keys.Contains("RemoteKeyFile"))
{
if (this.AuditOptions.Keys.Contains("RemoteKeyPassPhrase"))
{
ssh_environment = new SshAuditEnvironment(this.HostEnvironmentMessage, client, (string)this.AuditOptions["RemoteHost"], (int)this.AuditOptions["RemoteSshPort"],
(string)this.AuditOptions["RemoteUser"], this.AuditOptions["RemoteKeyPassPhrase"], (string)this.AuditOptions["RemoteKeyFile"], new OperatingSystem(PlatformID.Unix, new Version(0, 0)), this.HostEnvironment);
}
else
{
ssh_environment = new SshAuditEnvironment(this.HostEnvironmentMessage, client, (string)this.AuditOptions["RemoteHost"], (int)this.AuditOptions["RemoteSshPort"],
(string)this.AuditOptions["RemoteUser"], null, (string)this.AuditOptions["RemoteKeyFile"], new OperatingSystem(PlatformID.Unix, new Version(0, 0)), this.HostEnvironment);
}
}
else if (this.AuditOptions.Keys.Contains("RemoteUser") && this.AuditOptions.Keys.Contains("RemotePass"))
{
ssh_environment = new SshAuditEnvironment(this.HostEnvironmentMessage, client, (string)this.AuditOptions["RemoteHost"], (int)this.AuditOptions["RemoteSshPort"],
(string)this.AuditOptions["RemoteUser"], this.AuditOptions["RemotePass"], null, new OperatingSystem(PlatformID.Unix, new Version(0, 0)), this.HostEnvironment);
}
else
{
throw new Exception("Unknown remote host authentication options.");
}
if (ssh_environment.IsConnected)
{
this.AuditEnvironment = ssh_environment;
this.AuditEnvironmentIntialised = true;
this.AuditEnvironmentMessage = AuditTarget_AuditEnvironmentMessageHandler;
this.AuditEnvironment.MessageHandler -= HostEnvironmentMessage;
this.AuditEnvironment.MessageHandler += this.AuditEnvironmentMessage;
}
else
{
ssh_environment = null;
this.AuditEnvironmentIntialised = false;
throw new Exception("Failed to initialise SSH audit environment.");
}
}
else if (this.AuditOptions.Keys.Contains("WinRmRemoteIp") || this.AuditOptions.Keys.Contains("WinRmRemoteHost"))
{
if (!this.AuditOptions.Keys.Contains("RemoteUser") || !this.AuditOptions.Keys.Contains("RemotePass"))
{
throw new Exception("A remote user and password must be specified.");
}
WinRmAuditEnvironment winrm;
if (this.AuditOptions.Keys.Contains("WinRmRemoteIp"))
{
winrm = new WinRmAuditEnvironment(this.HostEnvironmentMessage, this.AuditOptions["WinRmRemoteIp"] as IPAddress,
(string)this.AuditOptions["RemoteUser"], (SecureString)this.AuditOptions["RemotePass"], this.HostEnvironment);
if (winrm.IsConnected)
{
this.AuditEnvironment = winrm;
this.AuditEnvironmentIntialised = true;
this.AuditEnvironmentMessage = AuditTarget_AuditEnvironmentMessageHandler;
this.AuditEnvironment.MessageHandler -= HostEnvironmentMessage;
this.AuditEnvironment.MessageHandler += this.AuditEnvironmentMessage;
}
else
{
winrm = null;
this.AuditEnvironmentIntialised = false;
throw new Exception("Failed to initialise WinRM audit environment.");
}
}
else
{
winrm = new WinRmAuditEnvironment(this.HostEnvironmentMessage, (string)this.AuditOptions["WinRmRemoteHost"],
(string)this.AuditOptions["RemoteUser"], (SecureString)this.AuditOptions["RemotePass"], this.HostEnvironment);
}
}
else if (this.AuditOptions.Keys.Contains("RemoteUser") || this.AuditOptions.Keys.Contains("RemotePass"))
{
throw new Exception("A remote host name must be specified.");
}
else if (this.AuditOptions.ContainsKey("Dockerized"))
{
this.AuditEnvironmentMessage = AuditTarget_AuditEnvironmentMessageHandler;
this.AuditEnvironment = new DockerizedLocalEnvironment(this.AuditEnvironmentMessage);
this.AuditEnvironmentIntialised = true;
}
else if (this.AuditOptions.ContainsKey("GitHubRepoName"))
{
if (!this.AuditOptions.ContainsKey("GitHubRepoOwner") || !this.AuditOptions.ContainsKey("GitHubRepoBranch"))
{
throw new ArgumentException("A required audit option for the GitHub environment is missing.");
}
string user_api_token = string.Empty;
if (this.AuditOptions.ContainsKey("GitHubToken"))
{
user_api_token = (string)this.AuditOptions["GitHubToken"];
}
GitHubAuditEnvironment github_environment = new GitHubAuditEnvironment(this.HostEnvironmentMessage, user_api_token, (string)this.AuditOptions["GitHubRepoOwner"],
(string)this.AuditOptions["GitHubRepoName"], (string)this.AuditOptions["GitHubRepoBranch"], this.HostEnvironment);
if (github_environment.RepositoryInitialised)
{
this.AuditEnvironment = github_environment;
this.AuditEnvironmentIntialised = true;
this.AuditEnvironmentMessage = AuditTarget_AuditEnvironmentMessageHandler;
this.AuditEnvironment.MessageHandler -= HostEnvironmentMessage;
this.AuditEnvironment.MessageHandler += this.AuditEnvironmentMessage;
}
else
{
github_environment = null;
this.AuditEnvironmentIntialised = false;
throw new Exception("Failed to initialise GitHub audit environment.");
}
}
else if (this.AuditOptions.ContainsKey("GitLabRepoName"))
{
string api_token = string.Empty;
if (!this.AuditOptions.ContainsKey("GitLabRepoUrl") || !this.AuditOptions.ContainsKey("GitLabRepoName") || !this.AuditOptions.ContainsKey("GitLabRepoBranch"))
{
throw new ArgumentException("A required audit option for the GitLab environment is missing.");
}
GitLabAuditEnvironment GitLab_environment = new GitLabAuditEnvironment(this.HostEnvironmentMessage, api_token, (string)this.AuditOptions["GitLabRepoUrl"],
(string)this.AuditOptions["GitLabRepoName"], (string)this.AuditOptions["GitLabRepoBranch"], this.HostEnvironment);
if (GitLab_environment.RepositoryInitialised)
{
this.AuditEnvironment = GitLab_environment;
this.AuditEnvironmentIntialised = true;
this.AuditEnvironmentMessage = AuditTarget_AuditEnvironmentMessageHandler;
this.AuditEnvironment.MessageHandler -= HostEnvironmentMessage;
this.AuditEnvironment.MessageHandler += this.AuditEnvironmentMessage;
}
else
{
GitLab_environment = null;
this.AuditEnvironmentIntialised = false;
throw new Exception("Failed to initialise audit environment.");
}
}
else
{
this.AuditEnvironmentMessage = AuditTarget_AuditEnvironmentMessageHandler;
this.AuditEnvironment = new LocalEnvironment(this.AuditEnvironmentMessage);
this.AuditEnvironmentIntialised = true;
}
if (this.AuditOptions.ContainsKey("Profile"))
{
AuditFileInfo pf = this.AuditEnvironment.ConstructFile((string)this.AuditOptions["Profile"]);
if (pf.Exists)
{
this.AuditProfile = new AuditProfile(this.AuditEnvironment, pf);
}
else
{
this.AuditEnvironment.Warning("The profile file {0} does not exist. No audit profile will be used.", pf.FullName);
}
}
}
public Application(Dictionary <string, object> application_options, Dictionary <string, string[]> RequiredFileLocationPaths, Dictionary <string, string[]> RequiredDirectoryLocationPaths, EventHandler <EnvironmentEventArgs> message_handler) : base(application_options, message_handler)
{
this.ApplicationOptions = application_options;
if (this.ApplicationOptions.ContainsKey("RootDirectory"))
{
if (!this.AuditEnvironment.DirectoryExists((string)this.ApplicationOptions["RootDirectory"]))
{
throw new ArgumentException(string.Format("The root directory {0} was not found.", this.ApplicationOptions["RootDirectory"]), "package_source_options");
}
else
{
this.ApplicationFileSystemMap.Add("RootDirectory", this.AuditEnvironment.ConstructDirectory((string)this.ApplicationOptions["RootDirectory"]));
}
}
else
{
this.ApplicationFileSystemMap.Add("RootDirectory", this.AuditEnvironment.ConstructDirectory(this.AuditEnvironment.PathSeparator));
}
this.RequiredFileLocations = RequiredFileLocationPaths.Select(kv => new KeyValuePair <string, string>(kv.Key, this.CombinePath(kv.Value))).ToDictionary(x => x.Key, x => x.Value);
this.RequiredDirectoryLocations = RequiredDirectoryLocationPaths.Select(kv => new KeyValuePair <string, string>(kv.Key, this.CombinePath(kv.Value))).ToDictionary(x => x.Key, x => x.Value);
foreach (KeyValuePair <string, string> f in RequiredFileLocations)
{
if (!this.ApplicationOptions.ContainsKey(f.Key))
{
if (string.IsNullOrEmpty(f.Value))
{
throw new ArgumentException(string.Format("The required application file {0} was not specified and no default path exists.", f), "application_options");
}
else
{
string fn = CombinePath(f.Value);
if (!this.AuditEnvironment.FileExists(fn))
{
throw new ArgumentException(string.Format("The default path {0} for required application file {1} does not exist.",
fn, f.Key), "application_options");
}
else
{
this.ApplicationFileSystemMap.Add(f.Key, this.AuditEnvironment.ConstructFile(fn));
}
}
}
else
{
string fn = CombinePath((string)ApplicationOptions[f.Key]);
if (!this.AuditEnvironment.FileExists(fn))
{
throw new ArgumentException(string.Format("The required application file {0} was not found.", f), "application_options");
}
else
{
this.ApplicationFileSystemMap.Add(f.Key, this.AuditEnvironment.ConstructFile(fn));
}
}
}
foreach (KeyValuePair <string, string> d in RequiredDirectoryLocations)
{
string dn = CombinePath(d.Value);
if (!this.ApplicationOptions.ContainsKey(d.Key))
{
if (string.IsNullOrEmpty(d.Value))
{
throw new ArgumentException(string.Format("The required application directory {0} was not specified and no default path exists.", d.Key), "application_options");
}
else
{
if (!this.AuditEnvironment.DirectoryExists(dn))
{
throw new ArgumentException(string.Format("The default path {0} for required application directory {1} does not exist.",
dn, d.Key), "application_options");
}
else
{
this.ApplicationFileSystemMap.Add(d.Key, this.AuditEnvironment.ConstructDirectory(dn));
}
}
}
else
{
dn = CombinePath((string)ApplicationOptions[d.Key]);
if (!this.AuditEnvironment.DirectoryExists(dn))
{
throw new ArgumentException(string.Format("The required application directory {0} was not found.", dn), "application_options");
}
else
{
this.ApplicationFileSystemMap.Add(d.Key, this.AuditEnvironment.ConstructDirectory(dn));
}
}
}
if (this.ApplicationOptions.ContainsKey("ApplicationBinary"))
{
string fn = CombinePath((string)this.ApplicationOptions["ApplicationBinary"]);
if (!this.AuditEnvironment.FileExists(fn))
{
throw new ArgumentException(string.Format("The specified application binary {0} does not exist.", fn), "application_options");
}
else
{
this.ApplicationBinary = this.AuditEnvironment.ConstructFile(fn);
}
}
if (this.AuditProfile == null)
{
AuditFileInfo pf = this.AuditEnvironment.ConstructFile(this.CombinePath("@devaudit.yml"));
if (pf.Exists)
{
this.AuditProfile = new AuditProfile(this.AuditEnvironment, pf);
}
}
if (this.ApplicationOptions.ContainsKey("PrintConfiguration"))
{
this.PrintConfiguration = true;
}
if (this.ApplicationOptions.ContainsKey("ListConfigurationRules"))
{
this.ListConfigurationRules = true;
}
if (this.ApplicationOptions.ContainsKey("OnlyLocalRules"))
{
this.OnlyLocalRules = true;
}
if ((this.ApplicationOptions.ContainsKey("AppDevMode")))
{
this.AppDevMode = true;
}
if ((this.ApplicationOptions.ContainsKey("OSUser")))
{
this.OSUser = (string)this.ApplicationOptions["OSUser"];
}
if ((this.ApplicationOptions.ContainsKey("OSPass")))
{
this.OSPass = this.AuditEnvironment.ToSecureString((string)this.ApplicationOptions["OSPass"]);
}
if ((this.ApplicationOptions.ContainsKey("AppUser")))
{
this.AppUser = (string)this.ApplicationOptions["AppUser"];
}
if ((this.ApplicationOptions.ContainsKey("AppPass")))
{
this.AppPass = this.AuditEnvironment.ToSecureString((string)this.ApplicationOptions["AppPass"]);
}
string[] ossi_apps = { "drupal", "ossi" };
if (this.DataSources.Count == 0 && ossi_apps.Contains(this.PackageManagerId))
{
this.HostEnvironment.Info("Using OSS Index as default package vulnerabilities data source for {0} application.", this.PackageManagerLabel);
this.DataSources.Add(new OSSIndexDataSource(this, this.DataSourceOptions));
}
}
public Application(Dictionary <string, object> application_options, Dictionary <string, string[]> RequiredFileLocationPaths, Dictionary <string, string[]> RequiredDirectoryLocationPaths, EventHandler <EnvironmentEventArgs> message_handler) : base(application_options, message_handler)
{
this.ApplicationOptions = application_options;
if (this.ApplicationOptions.ContainsKey("RootDirectory"))
{
if (!this.AuditEnvironment.DirectoryExists((string)this.ApplicationOptions["RootDirectory"]))
{
throw new ArgumentException(string.Format("The root directory {0} was not found.", this.ApplicationOptions["RootDirectory"]), "package_source_options");
}
else
{
this.ApplicationFileSystemMap.Add("RootDirectory", this.AuditEnvironment.ConstructDirectory((string)this.ApplicationOptions["RootDirectory"]));
}
}
else
{
//throw new ArgumentException(string.Format("The root application directory was not specified."), "application_options");
this.ApplicationFileSystemMap.Add("RootDirectory", this.AuditEnvironment.ConstructDirectory(this.AuditEnvironment.PathSeparator));
}
this.RequiredFileLocations = RequiredFileLocationPaths.Select(kv => new KeyValuePair <string, string>(kv.Key, this.CombinePath(kv.Value))).ToDictionary(x => x.Key, x => x.Value);
this.RequiredDirectoryLocations = RequiredDirectoryLocationPaths.Select(kv => new KeyValuePair <string, string>(kv.Key, this.CombinePath(kv.Value))).ToDictionary(x => x.Key, x => x.Value);
foreach (KeyValuePair <string, string> f in RequiredFileLocations)
{
if (!this.ApplicationOptions.ContainsKey(f.Key))
{
if (string.IsNullOrEmpty(f.Value))
{
throw new ArgumentException(string.Format("The required application file {0} was not specified and no default path exists.", f), "application_options");
}
else
{
string fn = CombinePath(f.Value);
if (!this.AuditEnvironment.FileExists(fn))
{
throw new ArgumentException(string.Format("The default path {0} for required application file {1} does not exist.",
fn, f.Key), "application_options");
}
else
{
this.ApplicationFileSystemMap.Add(f.Key, this.AuditEnvironment.ConstructFile(fn));
}
}
}
else
{
string fn = CombinePath((string)ApplicationOptions[f.Key]);
if (!this.AuditEnvironment.FileExists(fn))
{
throw new ArgumentException(string.Format("The required application file {0} was not found.", f), "application_options");
}
else
{
this.ApplicationFileSystemMap.Add(f.Key, this.AuditEnvironment.ConstructFile(fn));
}
}
}
foreach (KeyValuePair <string, string> d in RequiredDirectoryLocations)
{
string dn = CombinePath(d.Value);
if (!this.ApplicationOptions.ContainsKey(d.Key))
{
if (string.IsNullOrEmpty(d.Value))
{
throw new ArgumentException(string.Format("The required application directory {0} was not specified and no default path exists.", d.Key), "application_options");
}
else
{
if (!this.AuditEnvironment.DirectoryExists(dn))
{
throw new ArgumentException(string.Format("The default path {0} for required application directory {1} does not exist.",
dn, d.Key), "application_options");
}
else
{
this.ApplicationFileSystemMap.Add(d.Key, this.AuditEnvironment.ConstructDirectory(dn));
}
}
}
else
{
dn = CombinePath((string)ApplicationOptions[d.Key]);
if (!this.AuditEnvironment.DirectoryExists(dn))
{
throw new ArgumentException(string.Format("The required application directory {0} was not found.", dn), "application_options");
}
else
{
this.ApplicationFileSystemMap.Add(d.Key, this.AuditEnvironment.ConstructDirectory(dn));
}
}
}
if (this.ApplicationOptions.ContainsKey("ApplicationBinary"))
{
string fn = CombinePath((string)this.ApplicationOptions["ApplicationBinary"]);
if (!this.AuditEnvironment.FileExists(fn))
{
throw new ArgumentException(string.Format("The specified application binary {0} does not exist.", fn), "application_options");
}
else
{
this.ApplicationBinary = this.AuditEnvironment.ConstructFile(fn);
}
}
if (this.AuditProfile == null)
{
AuditFileInfo pf = this.AuditEnvironment.ConstructFile(".devaudit");
if (pf.Exists)
{
this.AuditProfile = new AuditProfile(this.AuditEnvironment, pf);
}
}
if (this.ApplicationOptions.ContainsKey("PrintConfiguration"))
{
this.PrintConfiguration = true;
}
if (this.ApplicationOptions.ContainsKey("ListConfigurationRules"))
{
this.ListConfigurationRules = true;
}
if (this.ApplicationOptions.ContainsKey("OnlyLocalRules"))
{
this.OnlyLocalRules = true;
}
if ((this.ApplicationOptions.ContainsKey("AppDevMode")))
{
this.AppDevMode = true;
}
}
public override IEnumerable <Package> GetPackages(params string[] o)
{
AuditFileInfo config_file = this.AuditEnvironment.ConstructFile(this.PackageManagerConfigurationFile);
List <Package> packages = new List <Package>();
if (config_file.Name.EndsWith(".csproj"))
{
this.AuditEnvironment.Info("Reading packages from .NET Core C# .csproj file.");
string _byteOrderMarkUtf8 = Encoding.UTF8.GetString(Encoding.UTF8.GetPreamble());
string xml = config_file.ReadAsText();
if (xml.StartsWith(_byteOrderMarkUtf8, StringComparison.Ordinal))
{
var lastIndexOfUtf8 = _byteOrderMarkUtf8.Length;
xml = xml.Remove(0, lastIndexOfUtf8);
}
XElement root = XElement.Parse(xml);
if (root.Name.LocalName == "Project")
{
packages =
root
.Descendants()
.Where(x => x.Name.LocalName == "PackageReference" && x.Attribute("Include") != null && x.Attribute("Version") != null)
.SelectMany(r => GetDeveloperPackages(r.Attribute("Include").Value, r.Attribute("Version").Value))
.ToList();
IEnumerable <string> skipped_packages =
root
.Descendants()
.Where(x => x.Name.LocalName == "PackageReference" && x.Attribute("Include") != null && x.Attribute("Version") == null)
.Select(r => r.Attribute("Include").Value);
if (skipped_packages.Count() > 0)
{
this.AuditEnvironment.Warning("{0} package(s) do not have a version specified and will not be audited: {1}.", skipped_packages.Count(),
skipped_packages.Aggregate((s1, s2) => s1 + "," + s2));
}
return(packages);
}
else
{
this.AuditEnvironment.Error("{0} is not a .NET Core format .csproj file.", config_file.FullName);
return(packages);
}
}
else if (config_file.Name.EndsWith(".deps.json"))
{
try
{
this.AuditEnvironment.Info("Reading packages from .NET Core depedencies manifest..");
JObject json = (JObject)JToken.Parse(config_file.ReadAsText());
JObject libraries = (JObject)json["libraries"];
if (libraries != null)
{
foreach (JProperty p in libraries.Properties())
{
string[] name = p.Name.Split('/');
packages.Add(new Package("nuget", name[0], name[1]));
}
}
return(packages);
}
catch (Exception e)
{
this.AuditEnvironment.Error(e, "Error reading .NET Core dependencies manifest {0}.", config_file.FullName);
return(packages);
}
}
else
{
this.AuditEnvironment.Error("Unknown .NET Core project file type: {0}.", config_file.FullName);
return(packages);
}
}
protected override void DetectConfigurationFile(Dictionary <PlatformID, string[]> default_configuration_file_path)
{
bool set_config_from_process_cmdline = false;
bool set_config_from_env = false;
bool set_config_from_my_cnf = false;
if (this.AuditEnvironment.IsUnix)
{
List <ProcessInfo> processes = this.AuditEnvironment.GetAllRunningProcesses();
if (processes != null && processes.Any(p => p.CommandLine.Contains("mysqld") && (p.CommandLine.Contains("--user") || p.CommandLine.Contains("--datadir") || p.CommandLine.Contains("--basedir"))))
{
ProcessInfo process = processes.Where(p => p.CommandLine.Contains("mysqld") && (p.CommandLine.Contains("--user") || p.CommandLine.Contains("--datadir") || p.CommandLine.Contains("--basedir"))).First();
Match m = Regex.Match(process.CommandLine, @"--defaults-file=(\S+)");
if (m.Success)
{
string f = m.Groups[1].Value;
AuditFileInfo cf = this.AuditEnvironment.ConstructFile(f);
if (cf.Exists)
{
this.AuditEnvironment.Success("Auto-detected {0} server configuration file at {1}.", this.ApplicationLabel, cf.FullName);
this.ApplicationFileSystemMap.Add("ConfigurationFile", cf);
set_config_from_process_cmdline = true;
}
}
}
if (!set_config_from_process_cmdline)
{
Dictionary <string, string> env = this.AuditEnvironment.GetEnvironmentVars();
if (env != null)
{
if (env.ContainsKey("MY_CNF"))
{
if (!set_config_from_process_cmdline)
{
AuditFileInfo cf = this.AuditEnvironment.ConstructFile(env["MY_CNF"]);
if (cf.Exists)
{
this.AuditEnvironment.Success("Auto-detected {0} server configuration file at {1}.", this.ApplicationLabel, cf.FullName);
this.ApplicationFileSystemMap.Add("ConfigurationFile", cf);
set_config_from_env = true;
}
}
}
}
}
if (!set_config_from_env)
{
if (this.AuditEnvironment.FileExists(this.CombinePath("@", "etc", "my.cnf")))
{
AuditFileInfo cf = this.AuditEnvironment.ConstructFile(this.CombinePath("@", "etc", "my.cnf"));
this.AuditEnvironment.Success("Auto-detected {0} server configuration file at {1}.", this.ApplicationLabel, cf.FullName);
this.ApplicationFileSystemMap.Add("ConfigurationFile", cf);
set_config_from_my_cnf = true;
}
else if (this.AuditEnvironment.FileExists(this.CombinePath("@", "etc", "my", "my.cnf")))
{
AuditFileInfo cf = this.AuditEnvironment.ConstructFile(this.CombinePath("@", "etc", "my", "my.cnf"));
this.AuditEnvironment.Success("Auto-detected {0} server configuration file at {1}.", this.ApplicationLabel, cf.FullName);
this.ApplicationFileSystemMap.Add("ConfigurationFile", cf);
set_config_from_my_cnf = true;
}
}
if (!(set_config_from_process_cmdline || set_config_from_env || set_config_from_my_cnf))
{
base.DetectConfigurationFile(default_configuration_file_path);
}
}
}
