Closed infocynic closed 3 years ago
Hi, sorry for responding late. What version of DevAudit are you using? (The version is at the top of devaudit --help.) On my Win10 64bit it completes the audit of that file without errors.
3.3.0.0 (confirmed with --help). I can run interactive fine, but the -n switch causes a crash. Since I want this for a CI context, I would either need the -n switch to work or the ability to pipe from interactive output without a crash there.
C:...\DevAudit_3.3.0.0 λ devaudit nuget -n
18:14:30<01> [AUDIT] [INFO] Using default NuGet package source configuration file packages.config
18:14:30<01> [HOST] [INFO] Using OSS Index as default package vulnerabilities data source for NuGet package source.
18:14:30<01> [AUDIT] [STATUS] Scanning NuGet packages.
18:14:30<01> [AUDIT] [SUCCESS] Scanned 96 NuGet packages.
18:14:30<04> [HOST] [STATUS] Searching OSS Index for vulnerabilities for 96 packages.
18:14:30<04> [HOST] [STATUS] Waiting...
18:14:30<04> [HOST] [SUCCESS] Got 13 total vulnerabilities for 96 packages from data source OSS Index.
18:14:31<04> [AUDIT] [INFO] Evaluated 13 vulnerabilities with 13 matches to package version in 980 ms.
13 total vulnerabilities found in NuGet package source audit. Total time for audit: 1158 ms.
[1/96] Twitter.Bootstrap [VULNERABLE] 6 known vulnerabilities, 6 affecting installed package version(s): [2.3.2]
--[1/6] CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
--Description:
--The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. 2.3.2
--Id: 6dd9e321-93cd-4d79-b33a-ff7e01b15ad9
--Reference: https://ossindex.sonatype.org/vuln/6dd9e321-93cd-4d79-b33a-ff7e01b15ad9
--Provided by: OSS Index
--[2/6] [CVE-2018-14042] Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
--Description:
--In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip. 2.3.2
--Id: e98acd45-5fe5-45d1-8bf2-01631d6b1260
--Reference: https://ossindex.sonatype.org/vuln/e98acd45-5fe5-45d1-8bf2-01631d6b1260
--Provided by: OSS Index
--[3/6] [CVE-2019-8331] Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
--Description:
--In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute. 2.3.2
--Id: b919d516-c1db-4060-bb17-ef25a07f9fb3
--Reference: https://ossindex.sonatype.org/vuln/b919d516-c1db-4060-bb17-ef25a07f9fb3
--Provided by: OSS Index
--[4/6] [CVE-2018-20677] Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
--Description:
--In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property. 2.3.2
--Id: b50e5a59-fc61-4f4c-9872-5900d205a7d2
--Reference: https://ossindex.sonatype.org/vuln/b50e5a59-fc61-4f4c-9872-5900d205a7d2
--Provided by: OSS Index
--[5/6] [CVE-2018-20676] Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
--Description:
--In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute. 2.3.2
--Id: 88d9ae04-16c2-4eee-9d6b-960afe3682ab
--Reference: https://ossindex.sonatype.org/vuln/88d9ae04-16c2-4eee-9d6b-960afe3682ab
--Provided by: OSS Index
--[6/6] [CVE-2018-14040] Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
--Description:
--In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute. 2.3.2
--Id: d8419399-889a-4681-ac38-de52c83e9cc7
--Reference: https://ossindex.sonatype.org/vuln/d8419399-889a-4681-ac38-de52c83e9cc7
--Provided by: OSS Index
[2/96] jQuery [VULNERABLE] 5 known vulnerabilities, 5 affecting installed package version(s): [1.12.4]
--[1/5] CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
--Description:
--The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. 1.12.4
--Id: 52f593c8-7729-435c-b9df-a7bb9ded8589
--Reference: https://ossindex.sonatype.org/vuln/52f593c8-7729-435c-b9df-a7bb9ded8589
--Provided by: OSS Index
--[2/5] [CVE-2015-9251] Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
--Description:
--jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed. 1.12.4
--Id: 3b3ba2f8-9c2c-4afe-b593-75c6b3fd4bb7
--Reference: https://ossindex.sonatype.org/vuln/3b3ba2f8-9c2c-4afe-b593-75c6b3fd4bb7
--Provided by: OSS Index
--[3/5] CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
--Description:
--The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. 1.12.4
--Id: bb07990f-5984-4107-a7ee-27d0c09a1698
--Reference: https://ossindex.sonatype.org/vuln/bb07990f-5984-4107-a7ee-27d0c09a1698
--Provided by: OSS Index
--[4/5] [CVE-2019-11358] Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Runtime error! DevAudit will now terminate.
Unhandled Exception: System.FormatException: Input string was not in a correct format.
   at System.Text.StringBuilder.AppendFormatHelper(IFormatProvider provider, String format, ParamsArray args)
   at System.String.FormatHelper(IFormatProvider provider, String format, ParamsArray args)
   at System.String.Format(IFormatProvider provider, String format, Object[] args)
   at System.IO.TextWriter.Write(String format, Object[] arg)
   at System.IO.TextWriter.SyncTextWriter.Write(String format, Object[] arg)
   at System.Console.Write(String format, Object[] arg)
   at DevAudit.CommandLine.Program.PrintMessage(ConsoleColor color, String format, Object[] args) in D:\a\1\s\DevAudit.CommandLine\Program.cs:line 992
   at DevAudit.CommandLine.Program.PrintAuditResultMultiLineField(ConsoleColor color, Int32 indent, String field, String value) in D:\a\1\s\DevAudit.CommandLine\Program.cs:line 1078
   at DevAudit.CommandLine.Program.<>c__DisplayClass40_0.1.ForEach(Action 1 action)
   at DevAudit.CommandLine.Program.PrintPackageSourceAuditResults(AuditResult ar, AuditResult& exit) in D:\a\1\s\DevAudit.CommandLine\Program.cs:line 817
   at DevAudit.CommandLine.Program.Main(String[] args) in D:\a\1\s\DevAudit.CommandLine\Program.cs:line 733
On Sun, Jan 26, 2020 at 9:41 PM Allister Beharry notifications@github.com wrote:
Hi sorry for responding late. What version of DevAudit are you using? (the version is at the top of devaudit --help). On my Win10 64bit it completes the audit of that file without errors.
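The trace above ends in String.Format being handed the vulnerability text as its format string, which is where a description containing braces (the published text of CVE-2019-11358 quotes `jQuery.extend(true, {}, ...)`) fails. This added C# example is not DevAudit's code: the PrintMessage signature is assumed from the trace, the description is constructed, and it shows the crash beside the safe form that passes the text as an argument rather than as the format.

```csharp
using System;

// Added example (not DevAudit's code). Reproduces the FormatException from the
// issue and shows the hardened call. Assumption: PrintMessage takes (color,
// format, params args) as the stack trace suggests; the description is constructed.
static class FormatStringDemo
{
    // Vulnerable pattern: caller-built text (including third-party advisory
    // content) is passed as the *format* argument. Any '{' or '}' in that
    // text is parsed as a format item, and "{}" is not a valid one.
    public static void PrintMessageUnsafe(ConsoleColor color, string format, params object[] args)
    {
        Console.ForegroundColor = color;
        Console.Write(format, args);   // throws System.FormatException on "{}"
        Console.ResetColor();
    }

    // Hardened pattern: the format string is a constant; untrusted text is
    // always a positional argument, so braces in it are printed literally.
    public static void PrintMessageSafe(ConsoleColor color, string text)
    {
        Console.ForegroundColor = color;
        Console.Write("{0}", text);
        Console.ResetColor();
    }

    // Equivalent of PrintAuditResultMultiLineField's formatting: indent, a
    // "--" prefix, the field name and the value on one line.
    public static string BuildLine(int indent, string field, string value)
    {
        return new string(' ', indent) + "--" + field + ": " + value;
    }

    static void Main()
    {
        // Constructed sample description containing braces, as a prototype
        // pollution advisory for jQuery.extend(true, {}, ...) would.
        string description = "mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution";
        string line = BuildLine(2, "Description", description);

        try
        {
            PrintMessageUnsafe(ConsoleColor.White, line);
        }
        catch (FormatException ex)
        {
            Console.WriteLine("\nUnsafe path failed: " + ex.Message);
        }

        PrintMessageSafe(ConsoleColor.White, line);   // prints the line intact
        Console.WriteLine();
    }
}
```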
Hi, really sorry for taking so long to get back to you again. You can download the latest DevAudit builds for Windows from https://allisterb-devaudit.s3.us-east-2.amazonaws.com/DevAudit_Latest.zip. Could you try this version and see if the problem persists?
OK so I got back around to this; the new version doesn't crash.... but it also always returns an exit code of 0, even if I use the ci parameter. I tried various combinations of ci and -n and can't get a non-zero error code even with the above package file, which is known to have errors.

As a workaround, I can pipe to findstr VULNERABLE and look for a zero exit code (zero indicates FINDSTR worked, so something IS vulnerable), but it's a little hacky.
This is probably a bug handling the ci parameter...I'll check it out.
Can't seem to reproduce this with the version from https://allisterb-devaudit.s3.us-east-2.amazonaws.com/DevAudit_Latest.zip
devaudit nuget -f "C:\Users\Allister\Downloads\packages.config (1).txt" --ci -n -d
echo %errorlevel%
13
Are you running devaudit via PowerShell or another kind of command shell?
Ah it looks like I had missed the -- on ci and it runs fine without it (not sure what it's doing with the parameter, just ignoring it?). With the -- it works as expected now.
On Wed, Feb 19, 2020 at 11:54 PM Allister Beharry notifications@github.com wrote:
Can't seem to reproduce this with the version from https://allisterb-devaudit.s3.us-east-2.amazonaws.com/DevAudit_Latest.zip
devaudit nuget -f "C:\Users\Allister\Downloads\packages.config (1).txt" --ci -n -d
echo %errorlevel%
13
Are you running devaudit via PowerShell or another kind of command shell?
The parameters using (-) are single character only so the CLI should throw an error if a multi-char string is used. I'll fix this too. Thanks for reporting these issues. We'll make an official build with the latest changes soon.
I am cleaning up older issues. A new build was pushed out a while ago. Things are running a bit slow at the moment, but I am finally getting older issues cleared out.
System: Windows 10 64-bit (1809), .NET Framework 4.8 installed

When I run DevAudit with nuget -n -d -f path.to\packages.config it detects some vulnerabilities and eventually crashes (see screenshot and attached packages.config (renamed to .txt); I've removed 4 private packages but otherwise it's identical). If I remove the -n flag, it will complete, but I need to be able to run this in a CI context, so either I need the -n flag not to crash, or I need to pipe the output through something like grep/findstr, which I can't do without it crashing due to the known issue.