From 4f01373b1bddb84688d5d239ca1436fdf03cffb8 Mon Sep 17 00:00:00 2001 From: Curtis Carter Date: Fri, 26 Feb 2021 21:46:24 -0600 Subject: [PATCH] Correcting Exit Codes First Pass at correcting Exit code for CI Usage --- Src/NuGetDefense.sln.DotSettings | 2 ++ Src/NuGetDefense/NuGetDefense.csproj | 4 ++-- Src/NuGetDefense/NuGetDefense.nuspec | 2 +- Src/NuGetDefense/Program.cs | 10 ++++++---- Src/NuGetDefense/UtilityMethods.cs | 2 +- Src/NuGetDefense/VulnerabilityReporter.cs | 11 +++++++---- Src/NuGetDefenseTests/NuGetDefenseTests.csproj | 4 ++-- Src/NuGetDefenseTests/VulnerabilityReportsTest.cs | 3 ++- 8 files changed, 23 insertions(+), 15 deletions(-) create mode 100644 Src/NuGetDefense.sln.DotSettings diff --git a/Src/NuGetDefense.sln.DotSettings b/Src/NuGetDefense.sln.DotSettings new file mode 100644 index 00000000..05363485 --- /dev/null +++ b/Src/NuGetDefense.sln.DotSettings @@ -0,0 +1,2 @@ + + True \ No newline at end of file diff --git a/Src/NuGetDefense/NuGetDefense.csproj b/Src/NuGetDefense/NuGetDefense.csproj index 3761f1dc..83dea834 100644 --- a/Src/NuGetDefense/NuGetDefense.csproj +++ b/Src/NuGetDefense/NuGetDefense.csproj @@ -29,7 +29,7 @@ NuGetDefense.Tool true nugetdefense - 2.1.0-pre0011 + 2.1.0 @@ -39,7 +39,7 @@ - + diff --git a/Src/NuGetDefense/NuGetDefense.nuspec b/Src/NuGetDefense/NuGetDefense.nuspec index 615d5e12..0cc45981 100644 --- a/Src/NuGetDefense/NuGetDefense.nuspec +++ b/Src/NuGetDefense/NuGetDefense.nuspec @@ -3,7 +3,7 @@ NuGetDefense NuGetDefense - 2.1.0-pre0011 + 2.1.0 Curtis Carter Curtis Carter https://digitalcoyote.github.io/NuGetDefense/ diff --git a/Src/NuGetDefense/Program.cs b/Src/NuGetDefense/Program.cs index 9ce9d710..6d5d70a8 100644 --- a/Src/NuGetDefense/Program.cs +++ b/Src/NuGetDefense/Program.cs 
@@ -13,9 +13,10 @@ using NuGet.Versioning; using NuGetDefense.Configuration; using NuGetDefense.Core; -using NuGetDefense.OSSIndex; +using NuGetDefense.NVD; using Serilog; using static NuGetDefense.UtilityMethods; +using Scanner = NuGetDefense.OSSIndex.Scanner; namespace NuGetDefense { @@ -23,12 +24,13 @@ internal static class Program { private static readonly string UserAgentString = @$"NuGetDefense/{Version}"; - private const string Version = "2.1.0-pre0001"; + private const string Version = "2.1.0-pre0012"; private static string _nuGetFile; private static string _projectFileName; private static Dictionary _projects; private static Settings _settings; + public static int NumberOfVulnerabilities; /// /// args[0] is expected to be the path to the project file. @@ -152,7 +154,7 @@ private static int Main(string[] args) VulnerabilityData.IgnoreCVEs(vulnDict, _settings.ErrorSettings.IgnoredCvEs); ReportVulnerabilities(vulnDict); - return vulnDict?.Count ?? 0; + return _settings.WarnOnly ? 0 : NumberOfVulnerabilities; } catch (Exception e) { @@ -283,7 +285,7 @@ private static void ReportVulnerabilities(Dictionary> vulnerabilityDictionary, - IEnumerable pkgs, string nuGetFile, bool warnOnly, double cvss3Threshold) + public void BuildVulnerabilityTextReport(Dictionary> vulnerabilityDictionary, + IEnumerable pkgs, string nuGetFile, bool warnOnly, double cvss3Threshold, out int numberOfVulns) { + numberOfVulns = 0; if (_separateMsBuildMessages) MsBuildMessages = new List(); var logBuilder = new StringBuilder(VulnerabilityTextReport); @@ -72,7 +72,8 @@ public void BuildVulnerabilityTextReport( logBuilder.AppendLine("*************************************"); warnOnly = warnOnly || !vulnerabilities.Any(v => v.Value.CvssScore >= cvss3Threshold); - + + if (!warnOnly) numberOfVulns++; // TODO: Dependencies will need to be listed by package url when this is used. var dependantVulnerabilities = pkg.Dependencies.Where(dep => vulnerabilityDictionary.ContainsKey(dep)); 
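Review bot: In the Program.cs hunk at `@@ -23,12 +24,13 @@`, `Version` becomes `"2.1.0-pre0012"` while the csproj and nuspec hunks of this same commit move the package version to `2.1.0`. `UserAgentString` is built from this constant, so the tool would presumably identify itself as a pre-release that does not match the shipped package. If this commit is what ships as 2.1.0, the line should read `private const string Version = "2.1.0";`. Deriving the value from the assembly version instead would keep the three places from drifting again.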
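Review bot: In the `Main` hunk at `@@ -152,7 +154,7 @@`, `return _settings.WarnOnly ? 0 : NumberOfVulnerabilities;` still uses a raw count as the process exit status. On Linux and macOS the caller sees only the low 8 bits, so a count that is a multiple of 256 reads as 0 and the CI gate passes despite findings. A fixed non-zero status is safer: `return _settings.WarnOnly || NumberOfVulnerabilities == 0 ? 0 : 1;`, with the count left in the log output. The `catch` block that follows continues outside the hunk, so what status it returns on a scan failure is not visible here; it should also be non-zero.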
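Review bot: In the VulnerabilityReporter.cs hunk at `@@ -72,7 +72,8 @@`, `if (!warnOnly) numberOfVulns++;` counts once per package, and the hunks at `@@ -98,6 +99,7 @@` and `@@ -126,6 +128,7 @@` count again per CVE, so the total is neither a package count nor a CVE count. The package-level check uses `>= cvss3Threshold` while the per-CVE lines use `<= cvss3Threshold`, so a score exactly at the threshold is counted here and then logged as a warning there. Since Program.cs returns this number as the exit code, I would pick one unit, drop this increment, and document it on the method, for example `/// <param name="numberOfVulns">Number of CVEs reported as errors.</param>`. The enclosing package loop and the start of the method lie outside the hunk.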
@@ -98,6 +99,7 @@ public void BuildVulnerabilityTextReport( foreach (var cve in vulnerabilities.Keys) { warnOnly = warnOnly || vulnerabilities[cve].CvssScore <= cvss3Threshold && vulnerabilities[cve].CvssScore > -1; + if (!warnOnly) numberOfVulns++; var vulnMsBuildMessage = MsBuild.Log(nuGetFile, warnOnly ? MsBuild.Category.Warning : MsBuild.Category.Error, cve, pkg.LineNumber, pkg.LinePosition, $"{vulnerabilities[cve].Description}"); @@ -126,6 +128,7 @@ public void BuildVulnerabilityTextReport( { warnOnly = warnOnly || vulnerabilities[cve].CvssScore <= cvss3Threshold; + if (!warnOnly) numberOfVulns++; var vulnMsBuildMessage = MsBuild.Log(nuGetFile, warnOnly ? MsBuild.Category.Warning : MsBuild.Category.Error, cve, pkg.LineNumber, pkg.LinePosition, $"{dependancy}: {vulnerabilities[cve].Description}"); diff --git a/Src/NuGetDefenseTests/NuGetDefenseTests.csproj b/Src/NuGetDefenseTests/NuGetDefenseTests.csproj index 8a5a8d5f..3f6f2b9f 100644 --- a/Src/NuGetDefenseTests/NuGetDefenseTests.csproj +++ b/Src/NuGetDefenseTests/NuGetDefenseTests.csproj @@ -11,13 +11,13 @@ - + all runtime; build; native; contentfiles; analyzers; buildtransitive - + all runtime; build; native; contentfiles; analyzers; buildtransitive diff --git a/Src/NuGetDefenseTests/VulnerabilityReportsTest.cs b/Src/NuGetDefenseTests/VulnerabilityReportsTest.cs index bb7d40d2..bfff335d 100644 --- a/Src/NuGetDefenseTests/VulnerabilityReportsTest.cs +++ b/Src/NuGetDefenseTests/VulnerabilityReportsTest.cs @@ -35,7 +35,8 @@ public void ReportVulnerabilityWithNullReferences() var pkgs = new[] {new NuGetPackage {LineNumber = 1, Id = "TestPkg", Version = "1.0.1"}}; var reporter = new VulnerabilityReporter(); - reporter.BuildVulnerabilityTextReport(vulnDict, pkgs, "NuGetDefense.dll", false, 0D); + reporter.BuildVulnerabilityTextReport(vulnDict, pkgs, "NuGetDefense.dll", false, 0D, out var vulnNumber); + Assert.Equal(0, vulnNumber); //TODO: Assert MSBuildMessages and VulnerabilityReport }
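Review bot: In the hunk at `@@ -98,6 +99,7 @@`, the new `if (!warnOnly) numberOfVulns++;` reads `warnOnly` right after the loop body reassigns the method parameter with `warnOnly = warnOnly || …`. As far as these hunks show, once one CVE falls at or below the threshold the flag stays true for every later CVE, so later findings above the threshold are neither counted nor logged as errors, and the result depends on iteration order. For a gate that fails CI on this count, that under-reports. A per-iteration local avoids it: `var cveWarnOnly = warnOnly || vulnerabilities[cve].CvssScore <= cvss3Threshold && vulnerabilities[cve].CvssScore > -1;`, then `if (!cveWarnOnly) numberOfVulns++;`, with `cveWarnOnly` passed to `MsBuild.Log`. The hunk at `@@ -126,6 +128,7 @@` has the same pattern, and the loops start outside both hunks.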
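Review bot: In VulnerabilityReportsTest.cs, `Assert.Equal(0, vulnNumber);` in `ReportVulnerabilityWithNullReferences` only pins the case where nothing is counted, so the new `out` value that feeds the exit code has no test for a non-zero result. A companion test with a CVE whose `CvssScore` is above `cvss3Threshold` should assert the expected count, and one with `warnOnly` set to `true` should assert 0. The setup of `vulnDict` is outside the hunk, so it is not visible which branch produces the 0 here. A short comment above the assertion, such as `// No CVE is reported as an error for this input, so the count stays 0.`, would help once that is confirmed.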