jonsth131 / NuGetVulnerabilityScan

Azure DevOps task to check NuGet vulnerabilities
MIT License

Setting up build pipelines for NuGet Vulnerability Scan Extension #5

Closed Meghana3193 closed 1 month ago

Meghana3193 commented 1 month ago
jonsth131 commented 1 month ago

Hi.

So you don't get any output from the task at all?

The only dependency is the dotnet command, and the task should fail if it isn't found.

What does your pipeline configuration look like?

When no vulnerabilities are found the output should look something like this:

Starting: NuGetVulnerabilityScan
==============================================================================
Task         : NuGet Vulnerability Scan
Description  : NuGet Vulnerability Scanner
Version      : 1.1.0
Author       : Jonas S
Help         : 
==============================================================================
/usr/bin/dotnet list package --vulnerable

The following sources were used:
   https://api.nuget.org/v3/index.json

The given project `Test` has no vulnerable packages given the current sources.
Finishing: NuGetVulnerabilityScan
Meghana3193 commented 1 month ago

Hi Jonas,

Thank you for your immediate response!

There are some vulnerabilities within the application, but it is still showing in the output that no vulnerabilities were found. Just wondering if there are any additional steps needed to detect those vulnerable packages in that task.

FYI - We validated outside the pipelines; there are some vulnerable packages in that particular application.

Thank you!

jonsth131 commented 1 month ago

What is the output when running the command dotnet list package --vulnerable in the project folder?

Task tested with dotnet 8.0.302 and a vulnerable version of Moment.js as a package reference.

Starting: NuGetVulnerabilityScan
==============================================================================
Task         : NuGet Vulnerability Scan
Description  : NuGet Vulnerability Scanner
Version      : 1.1.0
Author       : Jonas S
Help         : 
==============================================================================
/usr/bin/dotnet list package --vulnerable

The following sources were used:
   https://api.nuget.org/v3/index.json

Project `Test-Vuln` has the following vulnerable packages
   [net8.0]: 
   Top-level Package      Requested   Resolved   Severity   Advisory URL                                     
   > Moment.js            2.29.1      2.29.1     High       https://github.com/advisories/GHSA-8hfj-j24r-96c4
                                                 High       https://github.com/advisories/GHSA-wc69-rhjr-hc9g

Vulnerabilities found
##[error]Vulnerabilities found
Finishing: NuGetVulnerabilityScan
Meghana3193 commented 1 month ago

We are pointing to the working directory in the build definition and for NuGet restore pointing to path to solution.

I believe the task is not tested with the dotnet 8.0.302 version in the output; is that where we are not seeing the vulnerable packages list?

Thank you!

jonsth131 commented 1 month ago

What is the vulnerable package name and version you are expecting to get listed in the output?

What is the output when running the command dotnet list package --vulnerable in the project folder?

What does the pipeline configuration look like?

The task should work for all .NET versions that have the vulnerable package feature, so all .NET versions from .NET 5.

Meghana3193 commented 1 month ago

Hi Jon,

In the project folder, I am seeing these vulnerable packages.

Azure.Identity 1.11.3 1.11.3 Moderate https://github.com/advisories/GHSA-m5vv-6r4h-3vj9
Microsoft.Identity.Client 4.60.3 4.60.3 Moderate https://github.com/advisories/GHSA-m5vv-6r4h-3vj9
System.Text.Json 8.0.1 8.0.1 High https://github.com/advisories/GHSA-hh2w-p6rv-4g7w

We are getting these results using this command dotnet list package --vulnerable in the project folder in command prompt but not on the build pipelines output.

Also, we are using from .NET 6 and later for all the applications.

Thank you!

jonsth131 commented 1 month ago

Tested with a project using the dependencies listed.

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
    <RootNamespace>Test_Vuln</RootNamespace>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="Azure.Identity" Version="1.11.3" />
    <PackageReference Include="Microsoft.Identity.Client" Version="4.60.3" />
    <PackageReference Include="System.Text.Json" Version="8.0.1" />
  </ItemGroup>

</Project>

Got the output

Starting: NuGetVulnerabilityScan
==============================================================================
Task         : NuGet Vulnerability Scan
Description  : NuGet Vulnerability Scanner
Version      : 1.1.0
Author       : Jonas S
Help         : 
==============================================================================
/usr/bin/dotnet list package --vulnerable

The following sources were used:
   https://api.nuget.org/v3/index.json

Project `Test-Vuln` has the following vulnerable packages
   [net6.0]: 
   Top-level Package                Requested   Resolved   Severity   Advisory URL                                     
   > Azure.Identity                 1.11.3      1.11.3     Moderate   https://github.com/advisories/GHSA-m5vv-6r4h-3vj9
   > Microsoft.Identity.Client      4.60.3      4.60.3     Moderate   https://github.com/advisories/GHSA-m5vv-6r4h-3vj9
   > System.Text.Json               8.0.1       8.0.1      High       https://github.com/advisories/GHSA-hh2w-p6rv-4g7w

Vulnerabilities found
##[error]Vulnerabilities found
Finishing: NuGetVulnerabilityScan

The pipeline configuration used

trigger:
- main

pool:
  vmImage: ubuntu-latest

steps:
- task: DotNetCoreCLI@2
  inputs:
    command: 'restore'
    feedsToUse: 'select'

- task: NuGetVulnerabilityScan@1
  inputs:
    path: '$(Build.SourcesDirectory)'
    level: 'high'

Can't see any issue with the task, so I'll close this issue.
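An added example (not the extension's own code) of what a task like this has to do with the `dotnet list package --vulnerable` output shown above: parse the per-framework package table, including a second-advisory continuation line as in the Moment.js run, and decide from a severity threshold like the task's `level` input whether the build should fail. The severity ordering and the at-or-above meaning of `level` are assumptions, and the sample output is constructed from the thread's examples.

```python
import re
from dataclasses import dataclass

# Assumed severity order for the task's `level` input (not taken from the extension's code).
SEVERITY_RANK = {"low": 0, "moderate": 1, "high": 2, "critical": 3}

@dataclass
class Finding:
    framework: str
    package: str
    resolved: str
    severity: str
    advisory: str

FRAMEWORK_RE = re.compile(r"^\s*\[([^\]]+)\]:")
# "> Package   Requested   Resolved   Severity   Advisory URL" rows
PACKAGE_RE = re.compile(r"^\s*>\s*(\S+)\s+(\S+)\s+(\S+)\s+(\w+)\s+(https?://\S+)")
# Extra advisory for the previous package: only severity and URL on the line
CONT_RE = re.compile(r"^\s+(Low|Moderate|High|Critical)\s+(https?://\S+)\s*$")

def parse_vulnerable_output(text: str) -> list[Finding]:
    """Parse `dotnet list package --vulnerable` output into one Finding per advisory."""
    findings, framework, last = [], "", None
    for line in text.splitlines():
        if m := FRAMEWORK_RE.match(line):
            framework = m.group(1)
        elif m := PACKAGE_RE.match(line):
            pkg, _requested, resolved, sev, url = m.groups()
            last = Finding(framework, pkg, resolved, sev, url)
            findings.append(last)
        elif (m := CONT_RE.match(line)) and last is not None:
            findings.append(Finding(last.framework, last.package, last.resolved, *m.groups()))
    return findings

def should_fail(findings: list[Finding], level: str = "high") -> bool:
    # Assumed semantics: fail when any advisory is at or above `level`.
    threshold = SEVERITY_RANK[level.lower()]
    return any(SEVERITY_RANK.get(f.severity.lower(), -1) >= threshold for f in findings)

# Constructed sample shaped like the Test-Vuln output, plus a two-advisory package as in the Moment.js run.
SAMPLE = """\
Project `Test-Vuln` has the following vulnerable packages
   [net6.0]: 
   Top-level Package                Requested   Resolved   Severity   Advisory URL
   > Azure.Identity                 1.11.3      1.11.3     Moderate   https://github.com/advisories/GHSA-m5vv-6r4h-3vj9
   > System.Text.Json               8.0.1       8.0.1      High       https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
   > Moment.js                      2.29.1      2.29.1     High       https://github.com/advisories/GHSA-8hfj-j24r-96c4
                                                           High       https://github.com/advisories/GHSA-wc69-rhjr-hc9g
"""
NO_VULN = "The given project `Test` has no vulnerable packages given the current sources.\n"
```

Running `parse_vulnerable_output(NO_VULN)` returns an empty list, which is why a pipeline that restores into a different directory than the one the task scans reports a clean result.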

Meghana3193 commented 1 month ago

Hi Jon,

What are the build definitions that you are pointing on NuGet restore and NuGet Vulnerability Scan Tasks?

I am wondering if we are missing any steps to get those vulnerabilities showing in the output. The issue is not resolved: the build is succeeding, but we are not seeing the end results with vulnerabilities listed.

On which task are you giving these steps for dotnet CLI command?

steps:

Would you please share the screenshots of the build definition to those tasks?

Thank you!
