jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Usage of dependency-check in .Net #4043

Closed sspizzirri closed 1 year ago

sspizzirri commented 2 years ago

Hi, hope you're doing great. I've been using the dependency-check plugin on Java without any worries. Got to scan my code and get the report of the different vulnerabilities. But that's not the case when I'm trying to use it on .NET; the error I keep stumbling on is:

[WARN] An error occurred with the .NET AssemblyAnalyzer; this can be ignored unless you are scanning .NET DLLs. Please see the log for more details.
[ERROR] Exception occurred initializing Assembly Analyzer.

Regarding that, I have two questions:

Thanks in advance!

jeremylong commented 2 years ago

You need to have dotnet core 3.1 installed to use dependency-check to analyze dotnet projects. Our documentation and error message are pretty bad regarding this. Note that with the pending release of ODC 7.0.0 the engine will require dotnet 6.0 - see https://github.com/jeremylong/DependencyCheck/pull/4045.

sspizzirri commented 2 years ago

Jeremy, thanks for the quick response. We already have dotnet version 3.1 installed. As I commented, we searched for some posts regarding GrokAssembly.dll, such as this one: https://github.com/jeremylong/DependencyCheck/issues/3951, but really don't know where to put it (the DLL file). Could you tell us specifically where it should be located? Previously we added GrokAssembly.dll on the base path (/usr/lib64/dotnet/sdk/3.1.416/). Also, adding some info about our side:

```
.NET Core SDK (reflecting any global.json):
 Version:   3.1.416
 Commit:    8d3765c609

Runtime Environment:
 OS Name:     rhel
 OS Version:  8
 OS Platform: Linux
 RID:         rhel.8-x64
 Base Path:   /usr/lib64/dotnet/sdk/3.1.416/

Host (useful for support):
  Version: 3.1.22
  Commit:  35fa579a30

.NET Core SDKs installed:
  3.1.416 [/usr/lib64/dotnet/sdk]

.NET Core runtimes installed:
  Microsoft.AspNetCore.App 3.1.22 [/usr/lib64/dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 3.1.22 [/usr/lib64/dotnet/shared/Microsoft.NETCore.App]
```

jeremylong commented 2 years ago

GrokAssembly is embedded in dependency-check - you do not need to put it anywhere. If you have multiple versions of dotnet on the system you would need to provide the path to the version 3.1 (or dotnet 6.x in the soon to be released ODC version 7). For instance on my system:

```
$ which dotnet
/usr/local/share/dotnet/dotnet
~/Projects/odc-falsepositives[master*] 
$ /usr/local/share/dotnet/dotnet --version
6.0.101
$ dependency-check.sh --dotnet /usr/local/share/dotnet/dotnet  -s . -o .
```

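
As an added example (not part of dependency-check and not posted by anyone in this thread), a POSIX sh pre-flight that covers both points above: it verifies that a dotnet host actually carries a Microsoft.NETCore.App runtime of the major version the ODC release needs (3 for 6.x, 6 for 7.0.0, as stated in the thread) and, when several hosts are installed, pins the matching one via --dotnet. It assumes dependency-check.sh is on PATH and uses a hypothetical ODC_DOTNET_MAJOR variable (default 6) to select the required major.

```shell
#!/bin/sh
# Pre-flight for scanning .NET assemblies with dependency-check.
# Added example; dependency-check does not ship this script.

# has_runtime MAJOR: reads `dotnet --list-runtimes` output on stdin and
# succeeds if a Microsoft.NETCore.App runtime with that major version exists.
has_runtime() {
    grep -Eq "^Microsoft\.NETCore\.App $1\."
}

# find_dotnet MAJOR CANDIDATE...: prints the first executable candidate whose
# runtime list satisfies has_runtime; returns 1 if none qualifies.
find_dotnet() {
    major="$1"; shift
    for candidate in "$@"; do
        [ -n "$candidate" ] && [ -x "$candidate" ] || continue
        if "$candidate" --list-runtimes 2>/dev/null | has_runtime "$major"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# odc_command DOTNET SCAN_DIR OUT_DIR: the invocation that pins the .NET host,
# mirroring the maintainer's `--dotnet` usage above.
odc_command() {
    printf 'dependency-check.sh --dotnet %s -s %s -o %s\n' "$1" "$2" "$3"
}

# Constructed sample of `dotnet --list-runtimes` from a host with only 3.1
# (the situation that triggers the Assembly Analyzer error under ODC 7.x).
SAMPLE_31='Microsoft.AspNetCore.App 3.1.22 [/usr/lib64/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 3.1.22 [/usr/lib64/dotnet/shared/Microsoft.NETCore.App]'

# Candidates are tried in order: $DOTNET_ROOT, whatever is on PATH, then
# the two install prefixes that appear in this thread.
required="${ODC_DOTNET_MAJOR:-6}"
if dotnet_bin=$(find_dotnet "$required" \
        "${DOTNET_ROOT:-/opt/dotnet}/dotnet" "$(command -v dotnet || true)" \
        /usr/local/share/dotnet/dotnet /usr/lib64/dotnet/dotnet); then
    odc_command "$dotnet_bin" . .
else
    echo "no dotnet host with a Microsoft.NETCore.App $required.x runtime found; install it or pass --dotnet <path>" >&2
fi
```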
mushu999 commented 2 years ago

So I just upgraded and ran a scan and got the same error. We don't use dotNet "Core" we are using the final dotNet Framework 4.8 under Windows for our code builds.

Are you saying that we must install dotNet Core 6.0 separately just in order to be able to scan any dotNet Assemblies? Or are you saying instead that you are only going to scan dotNet Core Assemblies from now on (thus leaving Framework 4.x customers in the dark...)?

jeremylong commented 1 year ago

Yes