karlospn / check-nuget-packages-for-security-vulnerabilities

How to validate in your CI/CD pipeline if any NuGet package on your application contains a security vulnerability

Problems with `grep -q -i` query missing `w` filtering by whole words #1

Open jonasbg opened 1 year ago

jonasbg commented 1 year ago

Hi

Found your post over at https://www.mytechramblings.com/posts/check-if-your-dotnet-app-dependencies-has-a-security-vulnerability-on-you-cicd-pipelines/

I had some problems with your query

dotnet list package --vulnerable --include-transitive 2>&1 | tee build.log
grep -q -i "critical\|high\|moderate\|low" build.log; [ $? -eq 0 ] && echo "Security Vulnerabilities found on the log output" && exit 1

as the build.log now contains

#cat build.log
Analyze dotnet list package command log output...

The following sources were used:
  https://api.nuget.org/v3/index.json

The given project `...` has no vulnerable packages given the current sources.

The problem is that the following is picked up by the grep command, and I had to change it to `grep -qiw`, adding the `w` parameter to match by whole word

echo "Analyze dotnet list package command log output..." && \
    dotnet list package --vulnerable --include-transitive 2>&1 | tee /tmp/build.log && \
    grep -qiw "critical\|high\|moderate\|low" /tmp/build.log; [ $? -eq 0 ] && exit 1 || echo "Nothing found"

I've also included my change after the `if` because I'm running this inside an Alpine Docker container, and I could not make it work with an echo before exiting with an error exit 1.

karlospn commented 1 year ago


Hello!

Thanks a lot for the heads up, I'll take a look at it and update the post accordingly.

It might interest you that yesterday the .NET SDK 7.0.200 was released; this version contains a new feature for the .NET CLI that allows you to specify the output format for the dotnet list package command.
Now you can choose JSON as the output format, which makes it easier to query the output.

Here's an example:

dotnet list package --vulnerable --format json
{
  "version": 1,
  "parameters": "--vulnerable",
  "sources": [
    "https://api.nuget.org/v3/index.json"
  ],
  "projects": [
    {
      "path": "E:/Coding/dotnet/modernize-wcf-app-using-corewcf/after/BookingMgmt.Contracts/BookingMgmt.Contracts.csproj",
      "frameworks": [
        {
          "framework": "netstandard2.1",
          "topLevelPackages": [
            {
              "id": "Newtonsoft.Json",
              "requestedVersion": "12.0.2",
              "resolvedVersion": "12.0.2",
              "vulnerabilities": [
                {
                  "severity": "High",
                  "advisoryurl": "https://github.com/advisories/GHSA-5crp-9r3c-p9vr"
                }
              ]
            }
          ]
        }
      ]
    },
    {
      "path": "E:/Coding/dotnet/modernize-wcf-app-using-corewcf/after/BookingMgmt.Application/BookingMgmt.Application.csproj",
      "frameworks": [
        {
          "framework": "netstandard2.1",
          "topLevelPackages": [
            {
              "id": "Newtonsoft.Json",
              "requestedVersion": "12.0.2",
              "resolvedVersion": "12.0.2",
              "vulnerabilities": [
                {
                  "severity": "High",
                  "advisoryurl": "https://github.com/advisories/GHSA-5crp-9r3c-p9vr"
                }
              ]
            }
          ]
        }
      ]
    },
    {
      "path": "E:/Coding/dotnet/modernize-wcf-app-using-corewcf/after/BookingMgmt.Domain/BookingMgmt.Domain.csproj",
      "frameworks": [
        {
          "framework": "netstandard2.1",
          "topLevelPackages": [
            {
              "id": "Newtonsoft.Json",
              "requestedVersion": "12.0.2",
              "resolvedVersion": "12.0.2",
              "vulnerabilities": [
                {
                  "severity": "High",
                  "advisoryurl": "https://github.com/advisories/GHSA-5crp-9r3c-p9vr"
                }
              ]
            }
          ]
        }
      ]
    },
    {
      "path": "E:/Coding/dotnet/modernize-wcf-app-using-corewcf/after/BookingMgmt.Infrastructure/BookingMgmt.Infrastructure.csproj",
      "frameworks": [
        {
          "framework": "netstandard2.1",
          "topLevelPackages": [
            {
              "id": "Newtonsoft.Json",
              "requestedVersion": "12.0.2",
              "resolvedVersion": "12.0.2",
              "vulnerabilities": [
                {
                  "severity": "High",
                  "advisoryurl": "https://github.com/advisories/GHSA-5crp-9r3c-p9vr"
                }
              ]
            }
          ]
        }
      ]
    },
    {
      "path": "E:/Coding/dotnet/modernize-wcf-app-using-corewcf/after/BookingMgmt.SharedKernel/BookingMgmt.SharedKernel.csproj"
    },
    {
      "path": "E:/Coding/dotnet/modernize-wcf-app-using-corewcf/after/BookingMgmt.CoreWCF.WebService/BookingMgmt.CoreWCF.WebService.csproj"
    },
    {
      "path": "E:/Coding/dotnet/modernize-wcf-app-using-corewcf/after/BookingMgmt.Application.UnitTest/BookingMgmt.Application.UnitTest.csproj"
    },
    {
      "path": "E:/Coding/dotnet/modernize-wcf-app-using-corewcf/after/BookingMgmt.Domain.UnitTest/BookingMgmt.Domain.UnitTest.csproj"
    },
    {
      "path": "E:/Coding/dotnet/modernize-wcf-app-using-corewcf/after/BookingMgmt.CoreWCF.WebService.IntegrationTest/BookingMgmt.CoreWCF.WebService.IntegrationTest.csproj"
    }
  ]
}
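An added example (not code from the repository or from either commenter) showing how a pipeline step can consume the JSON output above instead of grepping the text log, which sidesteps the whole-word problem from the first comment entirely. It walks every project, framework and package, applies a severity threshold, and returns the exit code the pipeline should use. Assumptions: the sample report is constructed here and mirrors the JSON shape above; the key `transitivePackages`, which the page does not show, is assumed to be what the CLI emits alongside `topLevelPackages` when `--include-transitive` is passed; `Example.Transitive` and the `example.invalid` advisory URL are placeholders.

```python
import json
import sys

# Severity names as the CLI emits them in the "severity" field, ranked for thresholding.
SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample report: same shape as the CLI JSON shown above, plus one
# transitive finding (assumed key "transitivePackages") and one project that,
# like the tail of the real output, carries only "path" because it has nothing to report.
SAMPLE_OUTPUT = json.dumps({
    "version": 1,
    "parameters": "--vulnerable --include-transitive",
    "sources": ["https://api.nuget.org/v3/index.json"],
    "projects": [
        {"path": "App/App.csproj", "frameworks": [{
            "framework": "net7.0",
            "topLevelPackages": [{
                "id": "Newtonsoft.Json", "requestedVersion": "12.0.2", "resolvedVersion": "12.0.2",
                "vulnerabilities": [{"severity": "High",
                    "advisoryurl": "https://github.com/advisories/GHSA-5crp-9r3c-p9vr"}]}],
            "transitivePackages": [{
                "id": "Example.Transitive", "resolvedVersion": "1.0.0",  # placeholder package
                "vulnerabilities": [{"severity": "Low", "advisoryurl": "https://example.invalid/adv"}]}]}]},
        {"path": "Shared/Shared.csproj"},
    ],
})

def find_vulnerabilities(report_json):
    """Return (project, framework, package id, version, severity, advisory) tuples for every finding."""
    report = json.loads(report_json)
    findings = []
    for project in report.get("projects", []):
        for fw in project.get("frameworks", []):          # absent when the project has no findings
            for kind in ("topLevelPackages", "transitivePackages"):
                for pkg in fw.get(kind, []):
                    for vuln in pkg.get("vulnerabilities", []):
                        findings.append((project["path"], fw["framework"], pkg["id"],
                                         pkg["resolvedVersion"], vuln["severity"].lower(),
                                         vuln.get("advisoryurl", "")))
    return findings

def exit_code_for(report_json, fail_on="moderate"):
    """1 when any finding is at or above the fail_on severity (so the pipeline fails), else 0."""
    threshold = SEVERITY_RANK[fail_on.lower()]
    worst = max((SEVERITY_RANK.get(f[4], 0) for f in find_vulnerabilities(report_json)), default=0)
    return 1 if worst >= threshold else 0

if __name__ == "__main__":  # usage: dotnet list package --vulnerable --include-transitive --format json | python check.py
    sys.exit(exit_code_for(sys.stdin.read()))
```

Unlike the text-log grep, an unknown or misspelled severity name never matches a stray word in a sentence; it simply ranks as 0 and is visible in the returned tuples.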