sonatype-nexus-community / DevAudit

Open-source, cross-platform, multi-purpose security auditing tool
BSD 3-Clause "New" or "Revised" License
360 stars 74 forks

new csproj nuget reference support #89

Closed danpowell88 closed 5 years ago

danpowell88 commented 6 years ago

Modifying the following code in NugetPackageSource.cs will allow scanning of any dotnet projects that use the new project structure where the nuget references are directly in the project itself and the packages.config no longer exists.

Specifically, the if (root.Name == "Project") branch.

```csharp
// Requires: using System; using System.Collections.Generic; using System.Linq;
//           using System.Text; using System.Xml; using System.Xml.Linq;
public override IEnumerable<Package> GetPackages(params string[] o) // Get NuGet packages from packages.config or a .csproj
{
    try
    {
        AuditFileInfo config_file = this.AuditEnvironment.ConstructFile(this.PackageManagerConfigurationFile);
        // Strip a UTF-8 byte order mark, which XElement.Parse rejects
        string _byteOrderMarkUtf8 = Encoding.UTF8.GetString(Encoding.UTF8.GetPreamble());
        string xml = config_file.ReadAsText();
        if (xml.StartsWith(_byteOrderMarkUtf8, StringComparison.Ordinal))
        {
            xml = xml.Remove(0, _byteOrderMarkUtf8.Length);
        }
        XElement root = XElement.Parse(xml);
        IEnumerable<Package> packages;

        // Compare local names so that old-style .csproj files, which declare the
        // MSBuild XML namespace on <Project>, are recognised as well
        if (root.Name.LocalName == "Project")
        {
            // .csproj with inline <PackageReference> elements (no packages.config)
            packages = root.Descendants()
                .Where(x => x.Name.LocalName == "PackageReference" && x.Attribute("Include") != null)
                .Select(r => new Package("nuget", r.Attribute("Include").Value,
                    // Version is normally an attribute, but may be a <Version> child
                    // element (old-style projects) or absent (implicitly versioned)
                    r.Attribute("Version")?.Value
                        ?? r.Elements().FirstOrDefault(e => e.Name.LocalName == "Version")?.Value
                        ?? string.Empty))
                .ToList();
        }
        else
        {
            // legacy packages.config
            packages =
                from el in root.Elements("package")
                select new Package("nuget", el.Attribute("id").Value, el.Attribute("version").Value, "");
        }

        return packages;
    }
    catch (XmlException e)
    {
        throw new Exception("XML exception thrown parsing file: " + this.PackageManagerConfigurationFile, e);
    }
    catch (Exception e)
    {
        throw new Exception("Unknown exception thrown attempting to get packages from file: "
            + this.PackageManagerConfigurationFile, e);
    }
}
```
ken-duck commented 6 years ago

Wicked. Thanks for the information. I will look into adding it shortly.

OSSIndex-Admin commented 6 years ago

Many apologies for lateness. SO many things on the go at the moment. I have finally been able to turn my attention to DevAudit, which includes upgrades that will enable it to work with the new OSS Index v3 REST API. This will provide access to many additional vulnerabilities (and is now the actively maintained database).

I am getting to all of these issues now. Please bear with me and I will (finally) get things back on track.

Sorry for the delay and thanks for your patience.

ken-duck commented 6 years ago

I am away for a week, but expect to complete the port not too long thereafter. It is almost code complete, but requires some more testing and bug fixing. Since it is a pretty big upgrade already, I expect I will be able to add these changes in at the same time.

You don't happen to have a simple example project you could point at that I could use for testing? It would definitely shortcut the required testing work for this feature.

twoducks commented 6 years ago

I added the code you posted above. Sorry again for the delay. I will be fixing another bug or two then posting a release.

The v3 stuff is coming along as well. I am hoping to complete that update in the not too far future as well. The upgrade to v3 has been consuming my time for the past several months; first in completing the server changes, then in upgrading a whole whack of other client tools that I work on as well. Sorry for the delay in turning my attention here.

danpowell88 commented 6 years ago

All good!

On Sun, 30 Sep. 2018, 11:24 am twoducks, notifications@github.com wrote:

I added the code you posted above. Sorry again for the delay. I will be fixing another bug or two then posting a release.

The v3 stuff is coming along as well. I am hoping to complete that update in the not too far future as well. The upgrade to v3 has been consuming my time for the past several months; first in completing the server changes, then in upgrading a whole whack of other client tools that I work on as well. Sorry for the delay in turning my attention here.


OSSIndex-Admin commented 6 years ago

The Chocolatey v2.3.0.2 release is finally out, and it has this option. There were some publish issues, but they have finally been resolved. If you get a chance to try this feature out I would love to hear whether it works. If it does not, I would appreciate a pointer to a test project I could run against; I am a C# and .NET neophyte.

danpowell88 commented 6 years ago

Where's the PR that enables this functionality? I can't seem to find any changes to the NuGet package source or any new one that would include it.

The linked issue seems to mention yarn which has a different structure.

The csproj references look as follows:

```xml
<Project Sdk="Microsoft.NET.Sdk.Web">

  <PropertyGroup>
    <TargetFramework>netcoreapp2.1</TargetFramework>
  </PropertyGroup>

  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|AnyCPU'">
    <DebugType>full</DebugType>
    <DebugSymbols>true</DebugSymbols>
    <NoWarn>1701;1702;1705;1591</NoWarn>
    <LangVersion>latest</LangVersion>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="autofac" Version="4.8.1" />
    <PackageReference Include="autofac.extensions.dependencyinjection" Version="4.3.0" />
    <PackageReference Include="FluentValidation.AspNetCore" Version="8.0.0" />
    <PackageReference Include="JetBrains.ReSharper.CommandLineTools" Version="2018.2.1" />
    <PackageReference Include="Microsoft.AspNetCore.App" Version="2.1.3" />
    <PackageReference Include="Microsoft.AspNetCore" Version="2.1.3" />
    <PackageReference Include="Microsoft.AspNetCore.HealthChecks" Version="1.0.0" />
    <PackageReference Include="Microsoft.AspNetCore.Http.Abstractions" Version="2.1.1" />
    <PackageReference Include="microsoft.aspnetcore.httpoverrides" Version="2.1.1" />
    <PackageReference Include="Microsoft.AspNetCore.Mvc" Version="2.1.2" />
    <PackageReference Include="Microsoft.AspNetCore.Mvc.Versioning" Version="2.3.0" />
    <PackageReference Include="Microsoft.AspNetCore.Mvc.Versioning.ApiExplorer" Version="2.2.0" />
    <PackageReference Include="Microsoft.AspNetCore.StaticFiles" Version="2.1.1" />
    <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="2.1.2" />
    <PackageReference Include="Microsoft.Extensions.PlatformAbstractions" Version="1.1.0" />
    <PackageReference Include="Microsoft.VisualStudio.Web.BrowserLink" Version="2.1.1" />
    <PackageReference Include="runtime.linux-x64.CoreCompat.System.Drawing" Version="1.0.0-beta009" />
    <PackageReference Include="Serilog" Version="2.7.1" />
    <PackageReference Include="Serilog.AspNetCore" Version="2.1.1" />
    <PackageReference Include="Serilog.Enrichers.Environment" Version="2.1.2" />
    <PackageReference Include="Serilog.Enrichers.Process" Version="2.0.1" />
    <PackageReference Include="Serilog.Enrichers.Thread" Version="3.0.0" />
    <PackageReference Include="Serilog.Extensions.Logging" Version="2.0.2" />
    <PackageReference Include="Serilog.Settings.Configuration" Version="2.6.1" />
    <PackageReference Include="Serilog.Sinks.Console" Version="3.1.1" />
    <PackageReference Include="Serilog.Sinks.RollingFile" Version="3.3.0" />
    <PackageReference Include="Serilog.Sinks.Seq" Version="4.0.0" />
    <PackageReference Include="SerilogAnalyzer" Version="0.14.0" />
    <PackageReference Include="Swashbuckle.AspNetCore" Version="3.0.0" />
    <PackageReference Include="Swashbuckle.AspNetCore.Annotations" Version="3.0.0" />
    <PackageReference Include="system.net.http" Version="4.3.3" />
  </ItemGroup>

  <ItemGroup>
    <DotNetCliToolReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Tools" Version="2.0.0" />
  </ItemGroup>
</Project>
```
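The two project formats under discussion, the SDK-style csproj with inline PackageReference elements shown above and the legacy packages.config that the original branch of GetPackages handles, can be read by one small parser. The following is an added example in Python, not DevAudit's own code, and it goes a little beyond the posted C# in that it also accepts an old-style csproj that declares the MSBuild XML namespace and carries the version in a Version child element, and it reports packages whose version is not stated inline (an auditor cannot look those up without resolving them elsewhere). All sample files are constructed for this example.

```python
"""Pull NuGet dependencies out of .NET project files (added example, not DevAudit code)."""
import xml.etree.ElementTree as ET
from typing import List, NamedTuple


class Package(NamedTuple):
    id: str
    version: str  # "" when the project file does not state a version inline


def _local(tag: str) -> str:
    """Strip a namespace prefix: '{http://...}Project' -> 'Project'."""
    return tag.rsplit('}', 1)[-1]


def parse_nuget_packages(xml_text: str) -> List[Package]:
    """Dispatch on the root element, which tells .csproj and packages.config apart."""
    root = ET.fromstring(xml_text.lstrip('\ufeff'))  # drop a UTF-8 BOM if present
    kind = _local(root.tag)
    if kind == 'Project':
        return _parse_csproj(root)
    if kind == 'packages':
        return _parse_packages_config(root)
    raise ValueError(f'unrecognised root element: {root.tag}')


def _parse_csproj(root: ET.Element) -> List[Package]:
    packages = []
    for el in root.iter():
        if _local(el.tag) != 'PackageReference':
            continue
        pkg_id = el.get('Include')
        if not pkg_id:
            continue  # <PackageReference Update="..."> only adjusts an existing reference
        version = el.get('Version')
        if version is None:
            # old-style .csproj files put the version in a child element
            child = next((c for c in el if _local(c.tag) == 'Version'), None)
            version = (child.text or '').strip() if child is not None else ''
        packages.append(Package(pkg_id, version))
    return packages


def _parse_packages_config(root: ET.Element) -> List[Package]:
    return [Package(el.get('id'), el.get('version') or '')
            for el in root if _local(el.tag) == 'package' and el.get('id')]


def unversioned(packages: List[Package]) -> List[str]:
    """Package ids with no inline version; these need resolving before a lookup."""
    return [p.id for p in packages if not p.version]


# Constructed sample inputs (not real project files)
SDK_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup><TargetFramework>netcoreapp2.1</TargetFramework></PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Serilog" Version="2.7.1" />
    <PackageReference Include="Swashbuckle.AspNetCore" Version="3.0.0" />
    <PackageReference Include="Microsoft.AspNetCore.App" />
  </ItemGroup>
  <ItemGroup>
    <DotNetCliToolReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Tools" Version="2.0.0" />
  </ItemGroup>
</Project>"""

OLD_CSPROJ = """\ufeff<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json">
      <Version>12.0.1</Version>
    </PackageReference>
  </ItemGroup>
</Project>"""

PACKAGES_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="Newtonsoft.Json" version="9.0.1" targetFramework="net452" />
  <package id="Serilog" version="2.5.0" targetFramework="net452" />
</packages>"""


if __name__ == '__main__':
    for name, text in [('sdk csproj', SDK_CSPROJ), ('old csproj', OLD_CSPROJ),
                       ('packages.config', PACKAGES_CONFIG)]:
        pkgs = parse_nuget_packages(text)
        print(name, pkgs, 'unversioned:', unversioned(pkgs))
```

The local-name comparison is the piece that matters most for coverage: an old-style csproj compares unequal to the bare string "Project" once the MSBuild namespace is in play, so a parser that tests the qualified name silently falls through to the packages.config branch and reports an empty dependency list, which reads as a clean audit.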
OSSIndex-Admin commented 6 years ago

Odd. I'll find it and get back to you.

danpowell88 commented 6 years ago

Seems like it was put in the Drupal stuff, which is odd.

https://github.com/OSSIndex/DevAudit/blob/master/DevAudit.AuditLibrary/Applications/Drupal7Application.cs

https://github.com/OSSIndex/DevAudit/commit/6f0e29be1237c2edcb12e9854d69c3de1acd78a4

OSSIndex-Admin commented 6 years ago

That is very odd. Sorry about this. I will double check and fix that. Ya, I see that now. Must have been late night code :(

OSSIndex-Admin commented 6 years ago

Do you use the chocolatey install, or the binary generated and uploaded to GitHub?

danpowell88 commented 6 years ago

GitHub

OSSIndex-Admin commented 6 years ago

In theory I have done the correct change and created a new release here: https://github.com/OSSIndex/DevAudit/releases/tag/v2.3.0.3-beta

I reverted the dumbass edit and added this one: https://github.com/OSSIndex/DevAudit/commit/e5377429d6406427911e9449ddbebcfe00fdb941

danpowell88 commented 6 years ago

Appears to be working correctly on one of my private projects

```
~\Desktop\DevAudit> .\devaudit.exe nuget -f MyProject.csproj

[DevAudit ASCII-art banner]

v2.3.0.3
04:05:48<01> [HOST] [INFO] Using OSS Index as default package vulnerabilities data source for NuGet package source.
04:05:48<01> [AUDIT] [STATUS] Scanning NuGet packages.
04:05:48<01> [AUDIT] [SUCCESS] Scanned 12 NuGet packages.
Searching OSS Index for vulnerabilities for 12 packages...
04:05:50<05> [HOST] [WARNING] Got 0 total vulnerabilities for none of 12 packages from data source OSS Index.
04:05:50<01> [AUDIT] [INFO] Not reporting package source audit with zero vulnerabilities.

Package Source Audit Results

0 total vulnerabilities found in NuGet package source audit. Total time for audit: 1708 ms.
```

OSSIndex-Admin commented 6 years ago

That is terrific news.

I will keep the issue open for a little longer in case you find anything.

Thanks for the help!