Multiple Fixes in dependencies

digitalcoyote · Sep 15, 2020 · 2e4b0b2 · 2e4b0b2
1 parent 5820f66
commit 2e4b0b2
Show file tree

Hide file tree

Showing 10 changed files with 263 additions and 154 deletions.
diff --git a/.github/workflows/dotnet-core.yml b/.github/workflows/dotnet-core.yml
diff --git a/Src/NuGetDefense.sln b/Src/NuGetDefense.sln
@@ -14,7 +14,6 @@ Global
 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
 		{FD8D19BA-3ADE-4CD0-AF7C-BD9A79F1A394}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
 		{FD8D19BA-3ADE-4CD0-AF7C-BD9A79F1A394}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{FD8D19BA-3ADE-4CD0-AF7C-BD9A79F1A394}.Release|Any CPU.Build.0 = Release|Any CPU
 		{13F67705-3383-4BAD-B2C5-30D643E3747E}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
 		{13F67705-3383-4BAD-B2C5-30D643E3747E}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{13F67705-3383-4BAD-B2C5-30D643E3747E}.Release|Any CPU.ActiveCfg = Release|Any CPU

diff --git a/Src/NuGetDefense/Configuration/Settings.cs b/Src/NuGetDefense/Configuration/Settings.cs
@@ -2,6 +2,7 @@
 using System.IO;
 using System.Linq;
 using System.Text.Json;
+using System.Threading;
 using NuGetDefense.Core;
 
 namespace NuGetDefense.Configuration
@@ -32,28 +33,36 @@ public static Settings LoadSettings(string directory)
         {
             Settings settings;
 
+            var settingsFilePath = Path.Combine(directory, "NuGetDefense.json");
             try
             {
-                if (File.Exists(Path.Combine(directory, "NuGetDefense.json")))
+                //Edit to allow it to repeatedly check if hte file exists prior to multiple instances trying to save over it.
+                if (File.Exists(settingsFilePath))
                 {
-                    var ops = new JsonSerializerOptions
-                    {
-                        IgnoreReadOnlyProperties = true,
-                        PropertyNameCaseInsensitive = true,
-                        ReadCommentHandling = JsonCommentHandling.Skip
-                    };
-                    settings = JsonSerializer.Deserialize<Settings>(
-                        File.ReadAllText(Path.Combine(directory, "NuGetDefense.json")), ops);
+                    settings = LoadSettingsFile(settingsFilePath);
                 }
                 else
                 {
                     settings = new Settings();
-                    SaveSettings(settings, directory);
+                    SpinWait.SpinUntil(() =>
+                    {
+                        try
+                        {
+                            if (SaveSettings(settings, settingsFilePath)) return true;
+                            settings = LoadSettingsFile(settingsFilePath);
+
+                            return true;
+                        }
+                        catch
+                        {
+                            return false;
+                        }
+                    }, TimeSpan.FromMinutes(5));
                 }
             }
             catch (Exception e)
             {
-                Console.WriteLine(MsBuild.Log(Path.Combine(directory, "NuGetDefense.json"), MsBuild.Category.Error,
+                Console.WriteLine(MsBuild.Log(settingsFilePath, MsBuild.Category.Error,
                     $"NuGetDefense Settings failed to load. Default Settings were used instead. Exception: {e}"));
                 settings = new Settings();
             }
@@ -70,7 +79,43 @@ public static Settings LoadSettings(string directory)
             return settings;
         }
 
-        public static void SaveSettings(Settings settings, string directory)
+        private static Settings LoadSettingsFile(string settingsFilePath)
+        {
+            Settings settings;
+            var settingsFileContents = ReadSettingsFileWhenAble(settingsFilePath, TimeSpan.FromMinutes(5));
+
+            var ops = new JsonSerializerOptions
+            {
+                IgnoreReadOnlyProperties = true,
+                PropertyNameCaseInsensitive = true,
+                ReadCommentHandling = JsonCommentHandling.Skip
+            };
+            settings = JsonSerializer.Deserialize<Settings>(settingsFileContents, ops);
+            return settings;
+        }
+
+        private static string ReadSettingsFileWhenAble(string settingsFile, TimeSpan timeout)
+        {
+            var settingsFileContents = string.Empty;
+            SpinWait.SpinUntil(() =>
+            {
+                try
+                {
+                    using Stream settingsStream = File.Open(settingsFile, FileMode.Open, FileAccess.Read, FileShare.Read);
+                    using var settingsReader = new StreamReader(settingsStream);
+                    settingsFileContents = settingsReader.ReadToEnd();
+                    return true;
+                }
+                catch
+                {
+                    return false;
+                }
+            }, timeout);
+
+            return settingsFileContents;
+        }
+
+        private static bool SaveSettings(Settings settings, string settingsFilePath)
         {
             var ops = new JsonSerializerOptions
             {
@@ -80,8 +125,16 @@ public static void SaveSettings(Settings settings, string directory)
                 WriteIndented = true
             };
 
-            File.WriteAllText(Path.Combine(directory, "NuGetDefense.json"),
-                JsonSerializer.Serialize(settings, ops));
+            try
+            {
+                File.WriteAllText(settingsFilePath,
+                    JsonSerializer.Serialize(settings, ops));
+                return true;
+            }
+            catch
+            {
+                return false;
+            }
         }
     }
 }
diff --git a/Src/NuGetDefense/Configuration/VulnerabilityReportsSettings.cs b/Src/NuGetDefense/Configuration/VulnerabilityReportsSettings.cs
@@ -1,23 +1,23 @@
 namespace NuGetDefense.Configuration
 {
     /// <summary>
-    /// Toggles the output of various reports on vulnerabilities
+    ///     Toggles the output of various reports on vulnerabilities
     /// </summary>
     public class VulnerabilityReportsSettings
     {
         /// <summary>
-        /// Toggles the output of the original text report to the console/logs
+        ///     Toggles an json report of the Vulnerabilities by providing a path to the destination.
         /// </summary>
-        public bool OutputTextReport = true;
-        
+        public string JsonReportPath = null;
+
         /// <summary>
-        /// Toggles an xml report of the Vulnerabilities by providing a path to the destination.
+        ///     Toggles the output of the original text report to the console/logs
         /// </summary>
-        public string XmlReportPath = null;
-        
+        public bool OutputTextReport = true;
+
         /// <summary>
-        /// Toggles an json report of the Vulnerabilities by providing a path to the destination.
+        ///     Toggles an xml report of the Vulnerabilities by providing a path to the destination.
         /// </summary>
-        public string JsonReportPath = null;
+        public string XmlReportPath = null;
     }
 }
diff --git a/Src/NuGetDefense/NuGetDefense.csproj b/Src/NuGetDefense/NuGetDefense.csproj
@@ -20,14 +20,14 @@
     </PropertyGroup>
 
     <ItemGroup>
-      <PackageReference Include="MessagePack" Version="2.1.165" />
-      <PackageReference Include="NuGet.Versioning" Version="5.7.0" />
-      <PackageReference Include="NuGetDefense.Core" Version="1.0.6-beta9" />
-      <PackageReference Include="NuGetDefense.NVD" Version="1.0.2.2-beta" />
-      <PackageReference Include="NuGetDefense.OSSIndex" Version="1.0.1.7-beta" />
-      <PackageReference Include="Serilog.Sinks.Console" Version="3.1.1" />
-      <PackageReference Include="Serilog.Sinks.File" Version="4.1.0" />
-      <PackageReference Include="System.Text.Json" Version="4.7.2" />
+      <PackageReference Include="MessagePack" Version="2.1.194" />
+      <PackageReference Include="NuGet.Versioning" Version="[5.7.0]" />
+      <PackageReference Include="NuGetDefense.Core" Version="[1.0.6]" />
+      <PackageReference Include="NuGetDefense.NVD" Version="1.0.2.2" />
+      <PackageReference Include="NuGetDefense.OSSIndex" Version="1.0.2" />
+      <PackageReference Include="Serilog.Sinks.Console" Version="[3.1.1]" />
+      <PackageReference Include="Serilog.Sinks.File" Version="[4.1.0]" />
+      <PackageReference Include="System.Text.Json" Version="[4.7.2]" />
     </ItemGroup>
 
     <ItemGroup>

diff --git a/Src/NuGetDefense/NuGetDefense.nuspec b/Src/NuGetDefense/NuGetDefense.nuspec
@@ -3,10 +3,10 @@
   <metadata>
     <id>NuGetDefense</id>
     <title>NuGetDefense</title>
-    <version>1.0.8.0-beta7</version>
+    <version>1.0.8</version>
     <authors>Curtis Carter</authors>
     <owners>Curtis Carter</owners>
-    <projectUrl>https://github.com/DigitalCoyote/NuGetDefense</projectUrl>
+    <projectUrl>https://digitalcoyote.github.io/NuGetDefense/</projectUrl>
     <requireLicenseAcceptance>false</requireLicenseAcceptance>
     <summary>NuGetDefense ~ Check for Known Vulnerabilities at Build</summary>
     <description>NuGetDefense was inspired by OWASP SafeNuGet but checks with multiple sources for known vulnerabilities.</description>
@@ -30,9 +30,9 @@
     <file src="bin/Release/netcoreapp3.1/Microsoft.Bcl.AsyncInterfaces.dll" target="tools/netcoreapp3.1/Microsoft.Bcl.AsyncInterfaces.dll" />
     <file src="bin/Release/netcoreapp3.1/NuGet.Versioning.dll" target="tools/netcoreapp3.1/NuGet.Versioning.dll" />
     <file src="bin/Release/netcoreapp3.1/Serilog.dll" target="tools/netcoreapp3.1/Serilog.dll" />
+    <file src="bin/Release/netcoreapp3.1/Serilog.Sinks.Console.dll" target="tools/netcoreapp3.1/Serilog.Sinks.Console.dll" />
     <file src="bin/Release/netcoreapp3.1/Serilog.Sinks.File.dll" target="tools/netcoreapp3.1/Serilog.Sinks.File.dll" />
     <file src="bin/Release/netcoreapp3.1/System.Text.Json.dll" target="tools/netcoreapp3.1/System.Text.Json.dll" />
     <file src="bin/Release/netcoreapp3.1/VulnerabilityData.bin" target="tools/netcoreapp3.1/VulnerabilityData.bin" />
-
   </files>
 </package>
diff --git a/Src/NuGetDefense/Program.cs b/Src/NuGetDefense/Program.cs
@@ -27,7 +27,7 @@ internal class Program
         ///     args[0] is expected to be the path to the project file.
         /// </summary>
         /// <param name="args"></param>
-        private static void Main(string[] args)
+        private static int Main(string[] args)
         {
             _settings = Settings.LoadSettings(Path.GetDirectoryName(args[0]));
             ConfigureLogging(Path.GetFileName(args[0]));
@@ -75,14 +75,18 @@ private static void Main(string[] args)
                     VulnerabilityData.IgnoreCVEs(vulnDict, _settings.ErrorSettings.IgnoredCvEs);
 
                 ReportVulnerabilities(vulnDict);
+                if (vulnDict?.Count == 0) return 0;
             }
             catch (Exception e)
             {
                 var msBuildMessage = MsBuild.Log(_nuGetFile, MsBuild.Category.Error,
                     $"Encountered a fatal exception while checking for Dependencies in {_nuGetFile}. Exception: {e}");
                 Console.WriteLine(msBuildMessage);
                 Log.Logger.Fatal(msBuildMessage);
+                return -1;
             }
+
+            return 0;
         }
 
         private static void CheckAllowedPackages()
@@ -120,9 +124,11 @@ private static void ReportVulnerabilities(Dictionary<string, Dictionary<string,
                     Log.Logger.Debug(msBuildMessage);
                 }
 
-                var fileTimestamp = DateTime.Now.ToString("u");
 
                 if (string.IsNullOrWhiteSpace(_settings.VulnerabilityReports.JsonReportPath) && string.IsNullOrWhiteSpace(_settings.VulnerabilityReports.XmlReportPath)) return;
+
+                var fileTimestamp = DateTime.Now.ToString("u");
+
                 vulnReporter.BuildVulnerabilityReport(vulnDict, _pkgs, _nuGetFile, _settings.WarnOnly,
                     _settings.ErrorSettings.Cvss3Threshold);
                 if (!string.IsNullOrWhiteSpace(_settings.VulnerabilityReports.JsonReportPath))
@@ -141,7 +147,7 @@ private static void ReportVulnerabilities(Dictionary<string, Dictionary<string,
                 }
 
                 if (string.IsNullOrWhiteSpace(_settings.VulnerabilityReports.XmlReportPath)) return;
-
+                
                 var xmlser = new XmlTextWriter(Path.Combine(_settings.VulnerabilityReports.JsonReportPath, $"VulnerabilityReport-{fileTimestamp}.xml"), Encoding.Default);
                 var xser = new XmlSerializer(typeof(VulnerabilityReport));
                 xser.Serialize(xmlser, vulnReporter.Report);

diff --git a/Src/NuGetDefense/VulnerabilityReporter.cs b/Src/NuGetDefense/VulnerabilityReporter.cs
@@ -18,6 +18,14 @@ public VulnerabilityReporter(bool separateMsBuildMessages = true)
             if (separateMsBuildMessages) MsBuildMessages = new List<string>();
         }
 
+        /// <summary>
+        ///     Builds an object used for the various reporting methods
+        /// </summary>
+        /// <param name="vulnerabilityDictionary"></param>
+        /// <param name="pkgs">Parsed Packages</param>
+        /// <param name="nuGetFile">Either the project or packages file</param>
+        /// <param name="warnOnly">If True, suppresses all errors</param>
+        /// <param name="cvss3Threshold">Threshold CVSS score for error suppresion</param>
         public void BuildVulnerabilityReport(
             Dictionary<string, Dictionary<string, Vulnerability>> vulnerabilityDictionary,
             IEnumerable<NuGetPackage> pkgs, string nuGetFile, bool warnOnly, double cvss3Threshold)

diff --git a/Src/NuGetDefenseTests/NuGetDefenseTests.csproj b/Src/NuGetDefenseTests/NuGetDefenseTests.csproj
@@ -7,10 +7,16 @@
     </PropertyGroup>
 
     <ItemGroup>
-        <PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.2.0" />
-        <PackageReference Include="xunit" Version="2.4.0" />
-        <PackageReference Include="xunit.runner.visualstudio" Version="2.4.0" />
-        <PackageReference Include="coverlet.collector" Version="1.0.1" />
+        <PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.7.1" />
+        <PackageReference Include="xunit" Version="2.4.1" />
+        <PackageReference Include="xunit.runner.visualstudio" Version="2.4.3">
+          <PrivateAssets>all</PrivateAssets>
+          <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+        </PackageReference>
+        <PackageReference Include="coverlet.collector" Version="1.3.0">
+          <PrivateAssets>all</PrivateAssets>
+          <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+        </PackageReference>
     </ItemGroup>
 
     <ItemGroup>

diff --git a/build/Build.cs b/build/Build.cs
@@ -13,7 +13,7 @@
 class Build : NukeBuild
 {
     [Parameter("Configuration to build - Default is 'Debug' (local) or 'Release' (server)")]
-    readonly Configuration Configuration = Configuration.Release;//IsLocalBuild ? Configuration.Debug : Configuration.Release;
+    readonly Configuration Configuration = Configuration.Release; //IsLocalBuild ? Configuration.Debug : Configuration.Release;
 
     [GitRepository] readonly GitRepository GitRepository;
     [GitVersion] readonly GitVersion GitVersion;