jfrog / frogbot

🐸 Scans your Git repository with JFrog Xray for security vulnerabilities. 🤖
https://docs.jfrog-applications.jfrog.io/
Apache License 2.0
290 stars 61 forks

Code Scan is not working for C# project #705

Open svommina opened 1 month ago

svommina commented 1 month ago

I have followed the instructions given to set up a repository scan of a C# project, but it scans for NuGet dependencies only, not the actual code. I have written a small piece of vulnerable code, and it has not spotted this code.

Instructions followed from this page https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/setup-frogbot-using-azure-pipelines

eranturgeman commented 1 month ago

Hello @svommina and thank you for using Frogbot! Can you explain which scanner you expect to see running but is not working? Did you see them running on other projects? Do you have our advanced security package?

svommina commented 1 month ago

Hello @eranturgeman ,

Thanks for responding to my question. I am running the Windows scanner, downloaded from the following URL, and running the exe with the cfpr parameter as per the Frogbot doc: https://releases.jfrog.io/artifactory/frogbot/v2/2.20.2/forgot-windows-amd64/frogbot.exe

.\frogbot.exe cfpr

The output is as follows:

[ { "Techology": "nuget", "workingDirectory": "c:\users\ ... " "Descriptors": [ c:\users\ ... c:\users\ ... c:\users\ ... ] } ]
Running SCA scan for nuget vulnerable depencies in c:\Users\xxx\AppData\Locat\Temp\jfrog.cli.temp
calculating Nuget dependecies...
Dependencies sources wer not detected not 'install' command provide. Running 'restrore' command
Scanning 142 nuget dependencies....
Wait for scan to complete on JFrog Xray....
Xray scan completed
Frogbot "scan-repository" command finished successfuly

Is it scanning only NuGet packages, not the actual C# source code?

I am trying to set this up for the first time.

We have JFrog version 7.84 with Xray installed on it.
Could you suggest how to check whether the advanced security package exists or not?

Am I missing anything in running the scan?

Can you give some C# code so that the scan fails and identifies vulnerabilities?

eranturgeman commented 1 month ago

@svommina Ok, so a couple of things:

1) Frogbot is not intended to be executed from within the CLI, but rather from within a CI. Let us check the command that is more suited to the CLI: 'jf audit'. You can run this command and see if the issues you are expecting to see are there (Frogbot itself is executing the exact same command and uses its output).

2) As for the JFrog advanced security package: this is our paid security package. In order to check if this package is available to you, please contact your JFrog representative and he/she can help you with that; I cannot see your entitlement status without your customer details. If you are not entitled to this package, the results you are seeing make sense, since our basic scan scans only packages.

3) As for the C# code you asked for: let's first check if you are entitled to the advanced security package, so we will know what kinds of vulnerabilities you can insert that will be found by our scanners. If you are not entitled to JAS (JFrog Advanced Security), you can try to insert any vulnerable C# package into your project and check the results. You can find a variety of known vulnerable dependencies here: https://nvd.nist.gov/vuln/search
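As an added illustration of the distinction the maintainer draws between package-level (SCA) and source-level scanning, the snippet below is not from the Frogbot project or from anyone in this thread. It shows the classic source-level defect that source scanners are built to flag (a SQL query assembled by string concatenation from an untrusted value) next to its parameterized fix. The class and method names, the `Users` table and the use of `Microsoft.Data.SqlClient` are assumptions made for the example; whether Frogbot reports the vulnerable form depends on the JAS entitlement discussed above, and without JAS only the NuGet dependency results shown earlier in the thread are expected.

```csharp
using System;
using System.Data;
using Microsoft.Data.SqlClient;

// Added example, not Frogbot project code. Table and column names are constructed.
public static class UserLookup
{
    // Vulnerable form: the caller-supplied value becomes part of the SQL text,
    // so the query's structure is controlled by whoever supplies userName.
    public static SqlCommand BuildQueryVulnerable(SqlConnection conn, string userName)
    {
        var sql = "SELECT Id, Email FROM Users WHERE UserName = '" + userName + "'";
        return new SqlCommand(sql, conn);
    }

    // Fixed form: the SQL text is a constant and the value travels as a typed
    // parameter, so it can only ever be compared against UserName, never parsed as SQL.
    public static SqlCommand BuildQueryFixed(SqlConnection conn, string userName)
    {
        var cmd = new SqlCommand("SELECT Id, Email FROM Users WHERE UserName = @userName", conn);
        cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 256).Value = userName;
        return cmd;
    }

    // Small demonstration with a constructed input; no database connection is opened.
    public static void Main()
    {
        using var conn = new SqlConnection("Server=(local);Database=Example;Integrated Security=true");
        Console.WriteLine(BuildQueryVulnerable(conn, "alice").CommandText); // input appears inside the SQL text
        Console.WriteLine(BuildQueryFixed(conn, "alice").CommandText);      // SQL text stays constant
    }
}
```

For the SCA-only path the maintainer describes (no JAS), the equivalent test is not source code at all but a `PackageReference` in the project's .csproj pinned to a version that carries a published advisory; the Xray output already shown in this thread ("Scanning 142 nuget dependencies") is the scan that would report it.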

svommina commented 2 weeks ago

@eranturgeman

Thanks for the explanation, and for confirming that to work with Frogbot we need the Advanced Security Package. In our installation we don't have this package. I guess without this package jf audit will also not work, right?