sonatype-nexus-community / DevAudit

Open-source, cross-platform, multi-purpose security auditing tool
BSD 3-Clause "New" or "Revised" License

Crash when detecting a nuget vulnerability in non-interactive mode #125

Closed infocynic closed 3 years ago

infocynic commented 4 years ago

System: Windows 10 64-bit (1809) Net Framework 4.8 installed

When I run DevAudit with nuget -n -d -f path.to\packages.config it detects some vulnerabilities and eventually crashes (see screenshot and attached packages.config (renamed to .txt); I've removed 4 private packages but otherwise it's identical).

If I remove the -n flag, it will complete, but I need to be able to run this in a CI context, so either I need the -n flag not to crash, or I need to pipe the output through something like grep/findstr, which I can't do without it crashing due to the known issue.

[Attachment: packages.config.txt]

[Screenshot: devaudit-crash]

allisterb commented 4 years ago

Hi sorry for responding late. What version of DevAudit are you using? (the version is at the top of devaudit --help). On my Win10 64bit it completes the audit of that file without errors.

infocynic commented 4 years ago

3.3.0.0 (confirmed with --help). I can run interactive fine, but the -n switch causes a crash. Since I want this for a CI context, I would either need the -n switch to work or the ability to pipe from interactive output without a crash there.

C:...\DevAudit_3.3.0.0 λ devaudit nuget -n
18:14:30<01> [AUDIT] [INFO] Using default NuGet package source configuration file packages.config
18:14:30<01> [HOST] [INFO] Using OSS Index as default package vulnerabilities data source for NuGet package source.
18:14:30<01> [AUDIT] [STATUS] Scanning NuGet packages.
18:14:30<01> [AUDIT] [SUCCESS] Scanned 96 NuGet packages.
18:14:30<04> [HOST] [STATUS] Searching OSS Index for vulnerabilities for 96 packages.
18:14:30<04> [HOST] [STATUS] Waiting...
18:14:30<04> [HOST] [SUCCESS] Got 13 total vulnerabilities for 96 packages from data source OSS Index.
18:14:31<04> [AUDIT] [INFO] Evaluated 13 vulnerabilities with 13 matches to package version in 980 ms.

Package Source Audit Results

13 total vulnerabilities found in NuGet package source audit. Total time for audit: 1158 ms.

[1/96] Twitter.Bootstrap [VULNERABLE] 6 known vulnerabilities, 6 affecting installed package version(s): [2.3.2]
--[1/6] CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
--Description:
--The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
2.3.2
--Id: 6dd9e321-93cd-4d79-b33a-ff7e01b15ad9
--Reference: https://ossindex.sonatype.org/vuln/6dd9e321-93cd-4d79-b33a-ff7e01b15ad9
--Provided by: OSS Index
--[2/6] [CVE-2018-14042] Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
--Description:
--In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
2.3.2
--Id: e98acd45-5fe5-45d1-8bf2-01631d6b1260
--Reference: https://ossindex.sonatype.org/vuln/e98acd45-5fe5-45d1-8bf2-01631d6b1260
--Provided by: OSS Index
--[3/6] [CVE-2019-8331] Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
--Description:
--In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
2.3.2
--Id: b919d516-c1db-4060-bb17-ef25a07f9fb3
--Reference: https://ossindex.sonatype.org/vuln/b919d516-c1db-4060-bb17-ef25a07f9fb3
--Provided by: OSS Index
--[4/6] [CVE-2018-20677] Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
--Description:
--In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.
2.3.2
--Id: b50e5a59-fc61-4f4c-9872-5900d205a7d2
--Reference: https://ossindex.sonatype.org/vuln/b50e5a59-fc61-4f4c-9872-5900d205a7d2
--Provided by: OSS Index
--[5/6] [CVE-2018-20676] Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
--Description:
--In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
2.3.2
--Id: 88d9ae04-16c2-4eee-9d6b-960afe3682ab
--Reference: https://ossindex.sonatype.org/vuln/88d9ae04-16c2-4eee-9d6b-960afe3682ab
--Provided by: OSS Index
--[6/6] [CVE-2018-14040] Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
--Description:
--In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
2.3.2
--Id: d8419399-889a-4681-ac38-de52c83e9cc7
--Reference: https://ossindex.sonatype.org/vuln/d8419399-889a-4681-ac38-de52c83e9cc7
--Provided by: OSS Index

[2/96] jQuery [VULNERABLE] 5 known vulnerabilities, 5 affecting installed package version(s): [1.12.4]
--[1/5] CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
--Description:
--The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
1.12.4
--Id: 52f593c8-7729-435c-b9df-a7bb9ded8589
--Reference: https://ossindex.sonatype.org/vuln/52f593c8-7729-435c-b9df-a7bb9ded8589
--Provided by: OSS Index
--[2/5] [CVE-2015-9251] Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
--Description:
--jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
1.12.4
--Id: 3b3ba2f8-9c2c-4afe-b593-75c6b3fd4bb7
--Reference: https://ossindex.sonatype.org/vuln/3b3ba2f8-9c2c-4afe-b593-75c6b3fd4bb7
--Provided by: OSS Index
--[3/5] CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
--Description:
--The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
1.12.4
--Id: bb07990f-5984-4107-a7ee-27d0c09a1698
--Reference: https://ossindex.sonatype.org/vuln/bb07990f-5984-4107-a7ee-27d0c09a1698
--Provided by: OSS Index
--[4/5] [CVE-2019-11358] Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
Runtime error! DevAudit will now terminate.

Unhandled Exception: System.FormatException: Input string was not in a correct format.
   at System.Text.StringBuilder.AppendFormatHelper(IFormatProvider provider, String format, ParamsArray args)
   at System.String.FormatHelper(IFormatProvider provider, String format, ParamsArray args)
   at System.String.Format(IFormatProvider provider, String format, Object[] args)
   at System.IO.TextWriter.Write(String format, Object[] arg)
   at System.IO.TextWriter.SyncTextWriter.Write(String format, Object[] arg)
   at System.Console.Write(String format, Object[] arg)
   at DevAudit.CommandLine.Program.PrintMessage(ConsoleColor color, String format, Object[] args) in D:\a\1\s\DevAudit.CommandLine\Program.cs:line 992
   at DevAudit.CommandLine.Program.PrintAuditResultMultiLineField(ConsoleColor color, Int32 indent, String field, String value) in D:\a\1\s\DevAudit.CommandLine\Program.cs:line 1078
   at DevAudit.CommandLine.Program.<>c__DisplayClass40_0.b__11(IVulnerability v) in D:\a\1\s\DevAudit.CommandLine\Program.cs:line 821
   at System.Collections.Generic.List`1.ForEach(Action`1 action)
   at DevAudit.CommandLine.Program.PrintPackageSourceAuditResults(AuditResult ar, AuditResult& exit) in D:\a\1\s\DevAudit.CommandLine\Program.cs:line 817
   at DevAudit.CommandLine.Program.Main(String[] args) in D:\a\1\s\DevAudit.CommandLine\Program.cs:line 733

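
The stack trace above shows the field text reaching Console.Write(String format, Object[] args) through PrintMessage, i.e. data being used as a composite format string, which throws FormatException as soon as the data contains a brace. The following is an added illustration, not DevAudit's code: AuditPrinter, PrintFieldUnsafe and PrintFieldSafe are hypothetical reconstructions of that call chain, and the description text is a constructed sample.

```csharp
using System;

// Hypothetical reconstruction of the call chain in the stack trace; not DevAudit's code.
static class AuditPrinter
{
    // The sink: Console.Write(string, object[]) runs String.Format, which parses
    // 'format' for {n} placeholders. Whatever reaches this parameter is a format string.
    static void PrintMessage(ConsoleColor color, string format, params object[] args)
    {
        Console.ForegroundColor = color;
        try { Console.Write(format, args); }
        finally { Console.ResetColor(); }
    }

    // Buggy pattern: the vulnerability text is forwarded as the format string, so a
    // '{' or '}' in it (e.g. a code fragment quoted in a CVE description) throws
    // System.FormatException: Input string was not in a correct format.
    static void PrintFieldUnsafe(string field, string value)
    {
        PrintMessage(ConsoleColor.White, "--" + field + ":");
        Console.WriteLine();
        PrintMessage(ConsoleColor.Gray, "--" + value);
        Console.WriteLine();
    }

    // Fixed pattern: the format string is a literal and the data travels as an
    // argument, so braces in the data are printed verbatim.
    static void PrintFieldSafe(string field, string value)
    {
        PrintMessage(ConsoleColor.White, "--{0}:", field);
        Console.WriteLine();
        PrintMessage(ConsoleColor.Gray, "--{0}", value);
        Console.WriteLine();
    }

    static void Main()
    {
        // Constructed sample: a description containing braces, like code quoted in CVE text.
        const string description = "jQuery.extend(true, {}, ...) mishandles __proto__ (prototype pollution)";
        try
        {
            PrintFieldUnsafe("Description", description);
        }
        catch (FormatException e)
        {
            Console.WriteLine("crash: " + e.Message);
        }
        PrintFieldSafe("Description", description);
    }
}
```

The same pattern applies to any logging or console helper that accepts a format string: external data (package metadata, advisory text, file names) belongs in the argument list, never in the format parameter.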

allisterb commented 4 years ago

Hi really sorry for taking so long to get back to you again. You can download the latest DevAudit builds for Windows from https://allisterb-devaudit.s3.us-east-2.amazonaws.com/DevAudit_Latest.zip Could you try this version and see if the problem persists.

infocynic commented 4 years ago

OK so I got back around to this; the new version doesn't crash.... but it also always returns an exit code of 0, even if I use the ci parameter. I tried various combinations of ci and -n and can't get a non-zero error code even with the above package file, which is known to have errors.

As a workaround, I can pipe to findstr VULNERABLE and look for a zero exit code (zero indicates FINDSTR worked, so something IS vulnerable), but it's a little hacky.

allisterb commented 4 years ago

This is probably a bug handling the ci parameter...I'll check it out.

allisterb commented 4 years ago

Can't seem to reproduce this with the version from https://allisterb-devaudit.s3.us-east-2.amazonaws.com/DevAudit_Latest.zip

devaudit nuget -f "C:\Users\Allister\Downloads\packages.config (1).txt" --ci -n -d
echo %errorlevel%
13

Are you running devaudit via PowerShell or another kind of command shell?

infocynic commented 4 years ago

Ah it looks like I had missed the -- on ci and it runs fine without it (not sure what it's doing with the parameter, just ignoring it?). With the -- it works as expected now.


allisterb commented 4 years ago

The parameters using (-) are single character only so the CLI should throw an error if a multi-char string is used. I'll fix this too. Thanks for reporting these issues. We'll make an official build with the latest changes soon.

ken-duck commented 3 years ago

I am cleaning up older issues. A new build was pushed out a while ago. Things are running a bit slow at the moment, but I am finally getting older issues cleared out.