Feat: NuGet Scanner#686
Conversation
Codecov Report
@@ Coverage Diff @@
## main #686 +/- ##
==========================================
- Coverage 68.66% 68.50% -0.16%
==========================================
Files 57 57
Lines 2202 2210 +8
==========================================
+ Hits 1512 1514 +2
- Misses 558 564 +6
Partials 132 132
Continue to review full report at Codecov.
|
|
@Johannestegner I've read the NuGet documentation. https://docs.microsoft.com/en-us/nuget/concepts/package-versioning#normalized-version-numbers |
|
Hi @masahiro331! I'm thinking that there are multiple ways that this case could be resolved, but I'm not really sure what the best way would be. What do you think would be the best way to handle the case? |
|
@Johannestegner FirstI've created a vulnerability detection feature in my environment. You can implement it by adding the following code. https://github.com/aquasecurity/trivy/blob/master/pkg/detector/library/driver.go#L32 https://github.com/aquasecurity/trivy/blob/master/pkg/detector/library/driver.go#L81 Add const. SecondVersion comparison problem. |
|
Been trying to decipher the nuget docs for version specification... When looking at the up-to-date docs, it seems like NuGet packages are intended to use a SEMVER-2.0 convention, which is good, cause that is what the scanner is currently built to support. BUT, I know that there are packages out there with a The old versioning standard uses: I'm feeling a bit clueless with the versioning issue, I mean... easiest way would just be to ignore the revision number, but that would potentially create issues if someone uses the revision number as something else than just to indicate "same version, we just rebuilt the binaries". Neither could it be seen as a pre-release version as it's the other way around basically. The ways I see it, either the utils code would have to be rewritten in some way (or a new version parsing extension added or something), or the revision number is obliterated and we all pretend it never existed... :P But... I'm only a contributor, so this should be a decision of the maintainers! :) |
Thanks for sharing this @masahiro331 but the way I read this is that going 3.4+ it will conform to semver versioning. Is it not the case? If so is the case we can make a disclaimer that we will only support NuGet 3.4+ or above. |
If the revision generally refers to build metadata, one could convert |
| @@ -11,6 +11,7 @@ import ( | |||
| "github.com/aquasecurity/trivy/pkg/detector/library/composer" | |||
| "github.com/aquasecurity/trivy/pkg/detector/library/ghsa" | |||
| "github.com/aquasecurity/trivy/pkg/detector/library/node" | |||
| "github.com/aquasecurity/trivy/pkg/detector/library/nuget" | |||
There was a problem hiding this comment.
This import probably not necessary.
There was a problem hiding this comment.
Actually, I think that the advisory code might be required again if we are to manipulate the versions of the legacy dependencies, right? Or am I overthinking this? :)
Yes, that is a way it could be handled! Will take a look at that :) |
|
Alright, after throughout code viewing, I have came to the conclusion that if we want to handle this in a neat way (which it should be imho) some extra rewrite is required. The I'm not fully sure how the semver package handles If the constraint is accepted with the metadata version, that should be enough, else an extra check on the metadata version will have to be done. trivy/pkg/scanner/utils/utils.go Line 66 in 0b5d936 Should return a x.x.x+x instead of x.x.x-x version in case there are 4 parts. (guessing version = strings.Join(part[:3], ".") + "-" + strings.Join(part[3:], ".") should use + "+" + instead of -).
|
|
Alright, after a lot of messy work, I did succeed in this. I have added the code to this PR, but I'm about to branch it out and add it as a separate PR instead due to the fact that it is a change that is not nuget specific, but to all "revision" packages (such as ruby and other similar packages). Edit: Removed the code from this pull request in favor of #705 |
e3e0ae8 to
80434c0
Compare
|
Also, it supports more than 3 numbers such as I hope it works with NuGet as well. I'm going to make it possible to use different version libraries for each language. Could you merge/rebase the following branch into this branch? I may update a little bit more according to a review, but I don't believe it will change so much. |
80434c0 to
575c1b5
Compare
|
Rebased and will take a closer look later today! :) |
|
Not urgent at all. Take your time! |
575c1b5 to
f872458
Compare
Signed-off-by: Johannes Tegnér <johannes@jitesoft.com>
Signed-off-by: Johannes Tegnér <johannes@jitesoft.com>
…r in driver.go. Signed-off-by: Johannes Tegnér <johannes@jitesoft.com>
…nerability.go Signed-off-by: Johannes Tegnér <johannes@jitesoft.com>
…ew generic scanner. Signed-off-by: Johannes Tegnér <johannes@jitesoft.com>
f872458 to
12806e7
Compare
|
@Johannestegner Thank you for the great contribution! |
|
Awesome that it got in! Tyvm for the reviews and help :) |
Work in progress for NuGet scanning (#681).
Currently, it uses the GitHub SA vulnsrc only.
Analyzer: aquasecurity/fanal#139
Parser: aquasecurity/go-dep-parser#14 (merged)
Further, due to nugets legacy package versions (x.x.x.x), an update to the package version-check logic is required, which I started to work on in #705 something that also might be possible to help with the following issue: #702