sonatype-nexus-community / DevAudit

Open-source, cross-platform, multi-purpose security auditing tool
BSD 3-Clause "New" or "Revised" License
360 stars 74 forks

Jenkins AspNet tests are failing -- no longer finding application configuration audit results #68

Closed OSSIndex-Admin closed 7 years ago

OSSIndex-Admin commented 7 years ago

We used to get rule failures on the AspNet tests:

> /devaudit aspnet -r /tmp/BlogEngine.NET/
...
v2.1.0.0
...

Application Configuration Audit Results
=======================================
3 total vulnerabilities found in ASP.NET application configuration audit. Total time for audit: 2653 ms.

[1/1] Module: aspnet. 10 rule(s).  3 rule(s) succeeded. [VULNERABLE]
--[1/10] Rule: ASP.NET cookieless forms authentication is enabled. Result: False.

...

--[10/10] Rule: ASP.NET cookieless sessions are enabled. Result: False.

Now it appears that there are no rules checked:

> ./devaudit aspnet -r /tmp/BlogEngine.NET/
...
v2.1.0.0
...
Application Configuration Audit Results
=======================================
0 total vulnerabilities found in ASP.NET application configuration audit. Total time for audit: 2165 ms.

allisterb commented 7 years ago

The issue is that it is not finding the ASP.NET configuration file:

19:33:54<01> [AUDIT] [WARNING] The default .NET application configuration file could not be determined and no AppConfig parameter was specified.

The default file checked is "Web.config", but that particular project has the file named "Web.Config", and under Linux filename checks are case-sensitive. You should add a -c @Web.Config to the DevAudit command line for it to pick up the config file.
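
An added example, not part of the original thread and not DevAudit code: a CI guard for the failure described above, which resolves the config file name case-insensitively and rejects a run whose output shows that no rules were evaluated. The function names `find_web_config` and `audit_checked_rules` are hypothetical, and the sample output is constructed from the lines quoted in the thread.

```shell
#!/bin/sh
# Added example (not DevAudit code); function names are hypothetical.

# Print the on-disk name of the ASP.NET config file in app root $1, matching
# "web.config" case-insensitively. Returns 1 if absent, 2 if ambiguous.
find_web_config() {
    count=0
    found=
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        lower=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
        if [ "$lower" = "web.config" ]; then
            count=$((count + 1))
            found=$name
        fi
    done
    case $count in
        0) echo "no web.config (any case) in $1" >&2; return 1 ;;
        1) printf '%s\n' "$found" ;;
        *) echo "$count files match web.config in $1" >&2; return 2 ;;
    esac
}

# Return 0 only if captured audit output ($1) shows that rules were evaluated,
# so a run that skipped the config file cannot pass as "0 vulnerabilities".
audit_checked_rules() {
    if printf '%s\n' "$1" | grep -q 'configuration file could not be determined'; then
        return 1
    fi
    printf '%s\n' "$1" | grep -q -e '--\[[0-9]*/[0-9]*\] Rule:'
}

# Intended use in the job (flags as shown in the thread):
#   cfg=$(find_web_config /tmp/BlogEngine.NET) || exit 1
#   out=$(./devaudit aspnet -r /tmp/BlogEngine.NET/ -c "@$cfg")
#   audit_checked_rules "$out" || exit 1

# Constructed sample, assembled from the output lines quoted in the thread.
sample='[AUDIT] [WARNING] The default .NET application configuration file could not be determined and no AppConfig parameter was specified.
0 total vulnerabilities found in ASP.NET application configuration audit.'
audit_checked_rules "$sample" || echo "audit did not evaluate config rules"
```

The second check matters more than the first: a test that only asserts on the vulnerability count accepts "0 total vulnerabilities" from a run that never opened the configuration file.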

OSSIndex-Admin commented 7 years ago

Test fixed and passing