sonatype-nexus-community / devaudit
Open-source, cross-platform, multi-purpose security auditing tool
License: BSD 3-Clause "New" or "Revised" License
I am running DevAudit from Jenkins on windows and am receiving the following error:
C:\Jenkins\workspace\DevAudit.Windows.MSI>cd C:\Jenkins\workspace\DevAudit.Windows
C:\Jenkins\workspace\DevAudit.Windows>devaudit msi -n
Runtime error! DevAudit will now terminate.
Unhandled Exception: System.IO.IOException: The handle is invalid.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.__Error.WinIOError()
at System.Console.set_CursorVisible(Boolean value)
at DevAudit.CommandLine.Program.Main(String[] args) in C:\Jenkins\workspace\DevAudit.Windows\DevAudit.CommandLine\Program.cs:line 292
When attempting to use a key to log in, I am asked for a password, and then an exception is thrown. Things work fine if I don't specify the key and provide a password, or if I use --password-text.
./devaudit mysql --root / --host my.ip.address --user myuser --key /path/to/my/key
Password:
_____ _______ __ __ __
| \ .-----..--.--.| _ |.--.--..--| ||__|| |_
| -- || -__|| | || || | || _ || || _|
|_____/ |_____| \___/ |___|___||_____||_____||__||____|
v0.1.12.5
Exception: Object reference not set to an instance of an object
Stack trace: at DevAudit.AuditLibrary.Application..ctor (System.Collections.Generic.Dictionary`2[TKey,TValue] application_options, System.Collections.Generic.Dictionary`2[TKey,TValue] RequiredFileLocationPaths, System.Collections.Generic.Dictionary`2[TKey,TValue] RequiredDirectoryLocationPaths, System.EventHandler`1[TEventArgs] message_handler) [0x00102] in <b0e9c34b34e746f9bb1e6fc394f249b9>:0
at DevAudit.AuditLibrary.ApplicationServer..ctor (System.Collections.Generic.Dictionary`2[TKey,TValue] server_options, System.Collections.Generic.Dictionary`2[TKey,TValue] default_configuration_file_path, System.Collections.Generic.Dictionary`2[TKey,TValue] RequiredFilePaths, System.Collections.Generic.Dictionary`2[TKey,TValue] RequiredDirectoryPaths, System.EventHandler`1[TEventArgs] message_handler) [0x00021] in <b0e9c34b34e746f9bb1e6fc394f249b9>:0
at DevAudit.AuditLibrary.MySQLServer..ctor (System.Collections.Generic.Dictionary`2[TKey,TValue] server_options, System.EventHandler`1[TEventArgs] message_handler) [0x0008a] in <b0e9c34b34e746f9bb1e6fc394f249b9>:0
at DevAudit.CommandLine.Program+<Main>c__AnonStorey0.<>m__0 (System.String verb, System.Object options) [0x0028b] in <4bed8c378dcf4e8da87ea46f6010d80d>:0
Though there is no exception, DevAudit msi hangs and then throws an error. This might be a back end problem, but could be resolved by using the new API, which should support MSI packages now.
Please convert DevAudit msi to use the new API, then we will see what happens.
Make a packages.config file containing this text:
<?xml version="1.0" encoding="utf-8"?>
<packages>
<package id="bootstrap" version="2.0.0" targetFramework="net45" />
</packages>
Run win-audit against the packages.config file and the following exception occurs:
Unhandled Exception: System.ArgumentException: Could not parse comparing semantic version: <2.1.0.
at WinAudit.AuditLibrary.NuGetPackageSource.<>c.<.ctor>b__14_1(String range, String compare_to_range) in D:\git.vor\winaudit\WinAudit.AuditLibrary\PackageSource\NuGetPackageSource.cs:line 77
at WinAudit.CommandLine.Program.<>c__DisplayClass6_1.<Main>b__10(String v) in D:\git.vor\winaudit\WinAudit.CommandLine\Program.cs:line 226
at System.Linq.Enumerable.Any[TSource](IEnumerable`1 source, Func`2 predicate)
at WinAudit.CommandLine.Program.Main(String[] args) in D:\git.vor\winaudit\WinAudit.CommandLine\Program.cs:line 226
The issue is that in some situations instead of a specific version, the "versions" list may contain a range instead.
[
{
"uri": "https://github.com/twbs/bootstrap/pull/3421",
"id": 8397095682,
"title": "Default tooltip option allows users to have XSS vulnerability in some situations",
"summary": "There is an html option for popover/tooltip again. The option is defaulted to true. Having this option allows us to force the popover to use the .text() method to set the title and content of the popover no matter if bootstrap thinks it detects html or not. The problem is that jQuery seems to unescape values grabbed with the .attr() method, so even if you escape <script>alert('data');</script> to &lt;script&gt;alert(&quot;data&quot;)&lt;/script&gt; and set it as your data-content, bootstrap will get the unescaped value from .attr(), detect that this is html and use the .html() method to set the content of the popover causing an XSS issue. Forcing the use of the .text() method by setting the html option to false lets us make sure that doesn't happen. ",
"details": "http://localhost:8080/v1.1/vulnerability/8397095682",
"versions": [
"<2.1.0"
]
}
]
In this case you have a version comparison opposite to what the code is checking for. The user is requesting a specific version, while the vulnerability has a range. This can be solved by flipping the range comparison over. It will have to be done for each *PackageSource file. Note that the vulnerability will only use very simple ranges for now (<#, <=#, >#, >=#).
A more complicated case is when the user requests a range for their package, and the vulnerability is a range as well. Essentially you want to determine if the ranges overlap.
Running on Jenkins we get the following report:
[1/1] Project: mysql. 2 rule(s). 2 rule(s) succeded. [VULNERABLE]
--[1/2] Rule: mysqld runs as the root user. Result: True.
--Summary:
--mysqld can (and should) be run as an ordinary, unprivileged user instead.
--You can create a separate Unix account named mysql to make everything even more secure. Use this account only for administering MySQL.
ps reveals otherwise
ps -ef | grep mysql
mysql 22555 1 0 Dec11 ? 00:06:47 /usr/sbin/mysqld
This is on Ubuntu, where the my.cnf file contains this:
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mysql.conf.d/
And the /etc/mysql/mysql.conf.d/mysqld.cnf file contains this:
[mysqld]
#
# * Basic Settings
#
user = mysql
Running devaudit with no arguments tells you this for httpd:
Audit an Apache Httpd server instance. Use the --root option to specify the root directory of the Httpd server instance, and the --config-file option to specify the configuration file otherwise conf/httpd.conf will be used.
But for apache, I needed these arguments:
./devaudit httpd --application-binary /usr/sbin/apache2 --config-file /etc/apache2/apache2.conf --root /
The help text was non-obvious. We should mention the application binary argument, and perhaps provide an example.
Application configuration auditing should be done for .NET Framework projects that have a Web.config or app.config. These configuration files often contain vulnerabilities due to insecure configurations by developers and information leakage like storing connection strings and passwords in plaintext. For an ASP.NET MVC project, for instance, some things we can check for are the authentication schemes being used (or if, for instance, no authentication is present) and the presence of SQL Server or Azure or other connection strings stored in plaintext.
This means for a .NET Framework project audit we will do:
I ran a nuget audit against jquery. The packages.config file:
<?xml version="1.0" encoding="utf-8"?>
<packages>
<package id="jQuery" version="1.6.1" targetFramework="net45" />
</packages>
The following exception occurs:
[1/1] jQuery 1.6.1
Unhandled Exception: System.ArgumentException: Could not parse comparing semantic version: .
at WinAudit.AuditLibrary.NuGetPackageSource.<>c.<.ctor>b__14_1(String range,String compare_to_range) in D:\git.vor\winaudit\WinAudit.AuditLibrary\PackageSource\NuGetPackageSource.cs:line 77
at WinAudit.CommandLine.Program.<>c__DisplayClass6_1.<Main>b__10(String v) in D:\git.vor\winaudit\WinAudit.CommandLine\Program.cs:line 226
at System.Linq.Enumerable.Any[TSource](IEnumerable`1 source, Func`2 predicate)
at WinAudit.CommandLine.Program.Main(String[] args) in D:\git.vor\winaudit\WinAudit.CommandLine\Program.cs:line 226
Signal 67
The problem appears to be that there is a vulnerability in the database with no applicable version. This is the way the vulnerability is and cannot be easily changed in the database.
{
"uri": "cve:/CVE-2007-2379",
"id": 323345,
"title": "[CVE-2007-2379]The jQuery framework exchanges data using JavaScript Object Notation (JSON) with...",
"summary": "The jQuery framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."",
"cve-id": "CVE-2007-2379",
"details": "http://localhost:8080/v1.1/cve/323345",
"versions": [
""
]
}
Adding this code in NuGetPackageSource.cs seems to resolve the issue, but I cannot be sure that this is the correct fix at this time:
...
public override Func<string, string, bool> PackageVersionInRange { get; } = (range, compare_to_range) =>
{
// Some vulnerabilities do not have ranges. We will ignore them.
if (compare_to_range.Trim().Equals(""))
{
return false;
}
...
Run DevAudit against the test composer.json file. You will see the following output (or something similar).
D:\git.vor\DevAudit\DevAudit.CommandLine\bin\Release>devaudit.exe composer --file Examples\Drupal\core\composer.json
Scanning Composer packages...
Found 34 distinct packages.
Searching OSS Index for 34 Composer packages...
Found 3 artifacts, 1 with an OSS Index project id.
Searching OSS Index for vulnerabilities for 1 projects...
Audit Results
=============
[1/1] bootstrap [VULNERABLE]
1 known vulnerabilities, 1 affecting installed version. [bootstrap 2.0.0]
Default tooltip option allows users to have XSS vulnerability in some situations
There is an html option for popover/tooltip again. The option is defaulted to true.
Having this option allows us to force the popover to use the .text() method to set the title and content of the popover n
o matter if bootstrap thinks it...
Affected versions: <2.1.0
The problem is, manual checking indicates that there are database packages/artifacts for almost all of the packages. How is it that only three are identified by DevAudit?
I understand why projects are not found for most of them, just not why they cannot find artifacts/packages. Here are a few simple requests to show the data is in the database. Note the version number I am using is bogus.
https://ossindex.net/v1.1/search/artifact/composer/symfony/event-dispatcher/2.0.0
https://ossindex.net/v1.1/search/artifact/composer/symfony/dependency-injection/2.0.0
https://ossindex.net/v1.1/search/artifact/composer/symfony/console/2.0.0
https://ossindex.net/v1.1/search/artifact/composer/easyrdf/easyrdf/2.0.0
https://ossindex.net/v1.1/search/artifact/composer/zendframework/zend-feed/2.0.0
https://ossindex.net/v1.1/search/artifact/composer/twbs/bootstrap/2.0.0
The last one is definitely being found, as it is the one with the known vulnerability.
On the http://192.168.1.13/drupal8/admin/modules page I can see that there are security updates for my installed version.
On http://192.168.1.13/drupal8/admin/reports/updates/update I can see my installed version is 8.0.3 and there is a new 8.1.2 version available.
But when I run DevAudit I see that the detected version is "8.x" and it is telling me that there are no vulnerabilities. I don't believe it :)
I presume the detected 8.x version is why it is not finding applicable vulnerabilities. We need to find the real installed version.
AuditLibrary audit targets should use the new back-end API for searching vulnerabilities where supported.
28a55e5
Key-based authentication is supported by the SSH.NET library so it shouldn't be too much effort to add this to the audit library.
New Chocolatey package for public release should be created based on the latest code.
I ran DevAudit on my windows box with the "msi" option. I was informed of vulnerabilities in Silverlight, which I promptly upgraded. Rerunning DevAudit still complains, however.
My installed Silverlight version is 5.1.41212.0
Sample output. Note that my version is not covered by this vulnerability.
Affected versions: 5.1.20125.0, 5.1.20513.0, 5.0.60401.0, 5.0.61118.0, 5.0.60818.0, 5.1.10411.0, 5.0.60818.0
[CVE-2014-0319]Microsoft Silverlight 5 before 5.1.30214.0 and Silverlight 5 Developer Runtime b...
Microsoft Silverlight 5 before 5.1.30214.0 and Silverlight 5 Developer Runtime before 5.1.30214.0 allow attackers to bypa
ss the DEP and ASLR protection mechanisms via unspecified vectors, aka "Silverlight DEP/ASLR Bypass Vulnerability."
Affected versions: 5.0.60818.0, 5.1.20125.0, 5.1.20513.0, 5.1.20913.0, 5.0.60401.0, 5.0.61118.0, 5.0.60818.0, 5.1.10411.0
Use version that uses new API
Run devaudit msi
D:\git.vor\DevAudit>devaudit msi
Runtime error! DevAudit will now terminate.
Unhandled Exception: System.NullReferenceException: Object reference not set to an instance of an object.
at DevAudit.AuditLibrary.AuditTarget.AuditTarget_AuditEnvironmentMessageHandler(Object sender, EnvironmentEventArgs e)
in D:\git.vor\DevAudit\DevAudit.AuditLibrary\AuditTarget.cs:line 114
at DevAudit.AuditLibrary.AuditEnvironment.OnMessage(EnvironmentEventArgs e) in D:\git.vor\DevAudit\DevAudit.AuditLibrary\AuditEnvironment.cs:line 78
at DevAudit.AuditLibrary.AuditEnvironment.Status(String message_format, Object[] message) in D:\git.vor\DevAudit\DevAudit.AuditLibrary\AuditEnvironment.cs:line 294
at DevAudit.AuditLibrary.PackageSource.GetPackagesTask(CancellationToken ct) in D:\git.vor\DevAudit\DevAudit.AuditLibrary\PackageSource.cs:line 306
at DevAudit.AuditLibrary.PackageSource.Audit(CancellationToken ct) in D:\git.vor\DevAudit\DevAudit.AuditLibrary\PackageSource.cs:line 316
at DevAudit.CommandLine.Program.Main(String[] args) in D:\git.vor\DevAudit\DevAudit.CommandLine\Program.cs:line 357
Docker is an increasingly important way to deploy Linux apps. Having a docker image allows users and orgs to quickly deploy and try out DevAudit in a stable runtime environment without needing to install any dependencies. A DevAudit Docker image based on the latest stable Mono image from Xamarin should be created.
Those classes that use resources like files and network connections must be disposable and disposed by the CLI or any calling interface after auditing is complete. These classes should also implement a finalizer to clean up unmanaged resources like the work directory in the event of an app crash.
Jenkins test failure: DevAudit.Linux.netfx
SA-NETFX-0001-GendarmeRules analyzing...SA-NETFX-0001-GendarmeRules analyzing.../ 06:36:01<04> [SCRIPT] [ERROR] Exception: Could not load file or assembly '/home/vor/.jenkins/jobs/DevAudit.Linux/workspace/DevAudit.CommandLine/bin/Debug/Gendarme.Rules.Security.dll' or one of its dependencies at at (wrapper managed-to-native) System.Reflection.Assembly:InternalGetAssemblyName (string,System.Reflection.AssemblyName)
at System.Reflection.AssemblyName.GetAssemblyName (System.String assemblyFile) [0x0001d] in <8f2c484307284b51944a1a13a14c0266>:0
at DevAudit.AuditLibrary.DevAuditGendarmeRunner.LoadRulesFromAssembly (System.String assemblyName) [0x00001] in <f07acba1d0914a8f81f3553175c6537d>:0
at DevAudit.AuditLibrary.DevAuditGendarmeRunner..ctor (Mono.Cecil.AssemblyDefinition assembly, System.String rules_library_name, DevAudit.AuditLibrary.ScriptEnvironment environment) [0x00052] in <f07acba1d0914a8f81f3553175c6537d>:0
at DevAudit.AuditLibrary.Analyzers.GendarmeRulesAnalyzer.Analyze () [0x00047] in <3deae16756f949ec924ae196483af742>:0 .
In the last release, the -f argument could be used with a relative path to the configuration file. This is not working in the current development stream.
I think it is reasonably important to allow relative paths, because otherwise tool use gets cumbersome.
There's an issue with the .NET HttpClient class where multiple instances can cause performance problems in high load scenarios. http://aspnetmonsters.com/2016/08/2016-08-27-httpclientwrong/ The DevAudit AuditLibrary uses this class in all its connections to remote servers and may run into these problems if many instances of devaudit are run concurrently like in shell scripts.
However there are some potential pitfalls to be aware of when using it as a singleton: http://byterot.blogspot.co.uk/2016/07/singleton-httpclient-dns.html
This issue with HttpClient should be investigated more and any necessary changes made to the OSSIndexHttpClient class.
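As an added illustration of the two linked articles (this is example code, not the OSSIndexHttpClient class from the DevAudit repository): one HttpClient instance shared for the life of the process, with ServicePoint.ConnectionLeaseTimeout set so the long-lived client still notices DNS changes. The base address and the helper names are assumptions.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

// Added example, not DevAudit's own code. A single HttpClient is shared by every
// OSS Index request; repeated new HttpClient()/Dispose() cycles would otherwise leave
// sockets in TIME_WAIT under load (the first linked article).
public static class OssIndexHttp
{
    // Hypothetical base address; DevAudit's real endpoints are not reproduced here.
    private static readonly Uri BaseAddress = new Uri("https://ossindex.example/");

    // One instance for the whole process so the connection pool is reused.
    public static readonly HttpClient Client = Create();

    private static HttpClient Create()
    {
        // The singleton pitfall from the second linked article: pooled connections
        // never re-resolve the host name. Closing them after one minute lets a DNS
        // change take effect (ServicePoint.ConnectionLeaseTimeout, .NET Framework).
        ServicePointManager.FindServicePoint(BaseAddress).ConnectionLeaseTimeout = 60 * 1000;

        var client = new HttpClient
        {
            BaseAddress = BaseAddress,
            Timeout = TimeSpan.FromSeconds(30)
        };
        // Headers that are the same for every request belong on the shared client.
        client.DefaultRequestHeaders.Accept.ParseAdd("application/json");
        client.DefaultRequestHeaders.UserAgent.ParseAdd("DevAudit");
        return client;
    }

    // Per-request state lives in the request/response objects, not on the shared
    // client, so concurrent audits cannot interfere with each other's headers.
    public static async Task<string> GetJsonAsync(string relativePath)
    {
        using (var response = await Client.GetAsync(relativePath).ConfigureAwait(false))
        {
            response.EnsureSuccessStatusCode();
            return await response.Content.ReadAsStringAsync().ConfigureAwait(false);
        }
    }
}
```

Callers simply `await OssIndexHttp.GetJsonAsync("v1.1/project/<id>")` from any thread; nothing disposes the shared client until the process exits.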
After the newest linux commit, Jenkins tests complain about:
In each case, no vulnerabilities are found. In the case of ssh, no vulnerabilities are found, but the expected configuration errors are found.
Here is some sample output.
+ ./devaudit drupal7 --root /var/www/html/drupal7
+ tee /tmp/devaudit.drupal7.out
_____ _______ __ __ __
| \ .-----..--.--.| _ |.--.--..--| ||__|| |_
| -- || -__|| | || || | || _ || || _|
|_____/ |_____| \___/ |___|___||_____||_____||__||____|
v0.1.15.0
04:10:29<05> [AUDIT] [INFO] Loading default configuration rules for Drupal 7 application.
04:10:29<05> [AUDIT] [INFO] Got 0 default configuration rule(s) for 0 project(s) from drupal7.yml in 40 ms.
Application Configuration Audit Results
=======================================
0 total vulnerabilities found in Drupal 7 application configuration audit. Total time for audit: 67 ms.
I actually expect that this option is no longer required
n, non-interact Disable any interctive console output (for
redirecting console output to other devices.)
api-v2 Disable any interctive console output (for
redirecting console output to other devices.)
When running against drupal7 I am getting some vulnerability range warnings. I expect it is likely Versatile is receiving some unexpected version numbers.
[AUDIT] [WARNING] Error determining vulnerability version range (5,5.0,5.1,5.2,5.3,5.4,5.5,5.5.,5.6,5.7,5.8,6,6.0,6.1,6.2) in package version range (): Failed parsing version
string 5.5.: unexpected '.'. .
[AUDIT] [WARNING] Error determining vulnerability version range (5.0,5.1,5.10,5.11,5.12,5.13,5.14,5.15,5.16,5.1_rev1.1,5.2,5.3,5.4,5.5,5.5.,5.6,5.7,5.8,5
.9,6,6.0,6.1,6.10,6.2,6.3,6.4,6.5,6.6,6.7,6.8,6.9) in package version range (): Failed parsing version string 5.5.: unexpected '.'. .
[AUDIT] [WARNING] Error determining vulnerability version range (5.0,5.1,5.10,5.11,5.12,5.13,5.14,5.15,5.16,5.1_rev1.1,5.2,5.3,5.4,5.5,5.5.,5.6,5.7,5.8,5.9,6.0,6.1,6.10,6.11,6.12,
6.2,6.3,6.4,6.5,6.6,6.7,6.8,6.9) in package version range (): Failed parsing version string 5.5.: unexpected '.'. .
[AUDIT] [WARNING] Error determining vulnerability version range (5.0,5.1,5.10,5.11,5.12,5.13,5.14,5.15,5.16,5.17,5.18,5.1_rev1.1,5.2,5.3,5.4,5.5,5.5.,5.6,5.7,5.8,5.9,6.0,6.1,6.10,6.
11,6.12,6.2,6.4,6.5,6.6,6.7,6.8,6.9) in package version range (): Failed parsing version string 5.5.: unexpected '.'. .
[AUDIT] [WARNING] Error determining vulnerability version range (4.0,4.0.0,4.1.0,4.2.0_rc,4.4,4.4.0,4.4.1,4.4.2,4.4.3,4.5,4.5.0,4.5.1,4.5.2,4.5.3,4.5.4,4.5.5,4.5.6,4.5.7,4.5.8,4.6,4.6.0,4.6.1,4.6.10,4.6.11,4.6.2,4.6.3,4.6.4,4.6.5,4.6.6,4.6.7,4.6.8,4.6.9,4.7,4.7.0,4.7.1,4.7.10,4.7.2,4.7.3,4.7.4,4.7.5,4.7.6,4.7.7,4.7.8,4.7.9,4.7_rev1.15,4.7_revision_1.2,4.7_rev_1.15,4.7_rev_1.2,5.0,5.1,5.10,5.11,5.12,5.13,5.14,5.15,5.16,5.17,5.18,5.19,5.1_rev1.1,5.2,5.20,5.21,5.22,5.23,5.3,5.4,5.5,5.5.,5.6,5.7,5.8,5.9,5.x,6.0,6.1,6.10,6.11,6.12,6.13,6.14,6.15,6.16,6.17,6.18,6.19,6.2,6.20,6.21,6.22,6.23,6.24,6.3,6.4,6.5,6.6,6.7,6.8,6.9,6.x-dev,7.0,7.1,7.10,7.11,7.12,7.2,7.3,7.4,7.5,7.6,7.7,7.8,7.9,7.x-dev) in package version range (): Failed parsing version string 4.7_revision_1.2: unexpected 'i'. .
[AUDIT] [WARNING] Error determining vulnerability version range (4.0.0,4.1.0,4.2.0_rc,4.4,4.4.1,4.4.2,4.4.3,4.5,4.5.1,4.5.2,4.5.3,4.5.4,4.5.5,4.5.6,4.5.7,4.5.8,4.6,4.6.1,4.6.10,4.6.11,4.6.2,4.6.3,4.6.4,4.6.5,4.6.6,4.6.7,4.6.8,4.6.9,4.7,4.7.1,4.7.10,4.7.2,4.7.3,4.7.4,4.7.5,4.7.6,4.7.7,4.7.8,4.7.9,4.7_rev_1.15,4.7_rev_1.2,5.0,5.1,5.1_rev1.1,5.2,5.3,5.4,5.5.) in package version range (): Failed parsing version string 4.7_rev_1.15: unexpected '_'. .
[AUDIT] [WARNING] Error determining vulnerability version range (4.0.0,4.1.0,4.2.0_rc,4.4,4.4.1,4.4.2,4.4.3,4.5,4.5.1,4.5.2,4.5.3,4.5.4,4.5.5,4.5.6,4.5.7,4.5.8,4.6,4.6.1,4.6.10,4.6.11,4.6.2,4.6.3,4.6.4,4.6.5,4.6.6,4.6.7,4.6.8,4.6.9,4.7,4.7.1,4.7.10,4.7.2,4.7.3,4.7.4,4.7.5,4.7.6,4.7.7,4.7.8,4.7.9,4.7_rev_1.15,4.7_rev_1.2,5.0,5.1,5.1_rev1.1,5.2,5.3,5.4,5.5.) in package version range (): Failed parsing version string 4.7_rev_1.15: unexpected '_'. .
[AUDIT] [WARNING] Error determining vulnerability version range ((>=0) || (>=0)) in package version range (): Failed parsing version string (>=0) || (>=0): unexpected ')'. .
[AUDIT] [WARNING] Error determining vulnerability version range (4.0.0,4.1.0,4.2.0_rc,4.4,4.4.1,4.4.2,4.4.3,4.5,4.5.1,4.5.2,4.5.3,4.5.4,4.5.5,4.5.6,4.5.7,4.5.8,4.6,4.6.1,4.6.10,4.6.11,4.6.2,4.6.3,4.6.4,4.6.5,4.6.6,4.6.7,4.6.8,4.6.9,4.7,4.7.1,4.7.10,4.7.2,4.7.3,4.7.4,4.7.5,4.7.6,4.7.7,4.7.8,4.7.9,4.7_rev_1.15,4.7_rev_1.2,5.0,5.1,5.1_rev1.1,5.2,5.3,5.4,5.5.) in package version range (): Failed parsing version string 4.7_rev_1.15: unexpected '_'. .
[AUDIT] [WARNING] Error determining vulnerability version range (5.0,5.1,5.1_rev1.1,5.2,5.3,5.4,5.5.,5.7) in package version range (): Failed parsing version string 5.5.: unexpected '.'. .
Hi
I get this error whenever running devaudit.
[2/27] AjaxControlToolkit 4.1.60919 HTTP Error searching OSS Index... HTTP status: 500 InternalServerError Reason: Internal Server Error Request: Method: GET, RequestUri: 'https://ossindex.net/v1.1/project/284089289', Version: 1.1, Content: <null>, Headers: { Accept: application/json user-agent: DevAudit }
Thanks,
Daniel
Consider this dependency in composer.json:
"guzzlehttp/guzzle": "~6.1",
When used with the artifact search we receive any artifacts that can match this range:
GET http://localhost:8080/v1.1/search/artifact/composer/guzzlehttp/guzzle/~6.1
[
{
"id": 8397352359,
"groupid": "guzzlehttp",
"name": "guzzle",
"version": "6.1.0.0",
},
{
"id": 8397352374,
"groupid": "guzzlehttp",
"name": "guzzle",
"version": "6.1.1.0",
}
]
Unfortunately, it seems that DevAudit is looking through these artifacts and deciding that none of them match the requested version, so it reports that no artifact is found, when in reality there are two known matches. Try changing the dependency in the composer.json file:
"guzzlehttp/guzzle": "6.1.0.0",
This will now return a result in DevAudit.
I think that one of the following is a reasonable way of handling the situation:
I THINK THE THIRD OPTION IS THE BEST as it will keep working even if the server returns a nonsense version number.
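The following is an added example (not DevAudit's or SemverSharp's code) of the version-range handling discussed in two of the issues above: checking a requested version against a vulnerability range such as <2.1.0 and deciding whether two ranges overlap, and matching artifact versions such as 6.1.1.0 against a Composer-style ~6.1 constraint. Versions are compared component-wise, so 6.1 == 6.1.0 == 6.1.0.0, and anything that does not parse (an empty range, "5.5.", "4.7_rev1.15") is reported as "no match" rather than thrown as an exception, so one odd value from the server cannot abort the whole audit. The class and method names are assumptions.

```csharp
using System;
using System.Linq;

// Added example, not DevAudit's own code. Supported range forms: exact "6.1.0.0",
// comparators "<x" "<=x" ">x" ">=x", and Composer tilde "~x.y" (>= x.y, < x+1).
public static class VersionRanges
{
    // Parse "a.b.c.d" into numeric components; returns false for anything else.
    public static bool TryParse(string s, out int[] parts)
    {
        parts = null;
        if (string.IsNullOrWhiteSpace(s)) return false;
        var fields = s.Trim().Split('.');
        var result = new int[fields.Length];
        for (int i = 0; i < fields.Length; i++)
        {
            // Rejects "5.5." (empty component), "4.7_rev1.15" and "5.x".
            if (!int.TryParse(fields[i], out result[i]) || result[i] < 0) return false;
        }
        parts = result;
        return true;
    }

    // Component-wise comparison; missing trailing components count as zero.
    public static int Compare(int[] a, int[] b)
    {
        int n = Math.Max(a.Length, b.Length);
        for (int i = 0; i < n; i++)
        {
            int x = i < a.Length ? a[i] : 0, y = i < b.Length ? b[i] : 0;
            if (x != y) return x.CompareTo(y);
        }
        return 0;
    }

    // A range is a lower and an upper bound; null means unbounded on that side.
    public sealed class Range
    {
        public int[] Low; public bool LowInclusive = true;
        public int[] High; public bool HighInclusive = true;
    }

    public static bool TryParseRange(string text, out Range range)
    {
        range = null;
        if (string.IsNullOrWhiteSpace(text)) return false;   // empty vulnerability range: skip it
        text = text.Trim();
        string[] ops = { "<=", ">=", "<", ">", "~" };          // two-character operators first
        string op = ops.FirstOrDefault(o => text.StartsWith(o));
        int[] v;
        if (!TryParse(op == null ? text : text.Substring(op.Length), out v)) return false;
        var r = new Range();
        switch (op)
        {
            case null: r.Low = v; r.High = v; break;                     // exact version
            case "<":  r.High = v; r.HighInclusive = false; break;
            case "<=": r.High = v; break;
            case ">":  r.Low = v; r.LowInclusive = false; break;
            case ">=": r.Low = v; break;
            case "~":
                // Composer semantics: ~6.1 => >=6.1 <7.0 ; ~6.1.2 => >=6.1.2 <6.2.0
                r.Low = v;
                int[] next = v.Take(Math.Max(1, v.Length - 1)).ToArray();
                next[next.Length - 1]++;
                r.High = next; r.HighInclusive = false; break;
        }
        range = r;
        return true;
    }

    public static bool Contains(Range r, int[] v)
    {
        if (r.Low != null) { int c = Compare(v, r.Low); if (c < 0 || (c == 0 && !r.LowInclusive)) return false; }
        if (r.High != null) { int c = Compare(v, r.High); if (c > 0 || (c == 0 && !r.HighInclusive)) return false; }
        return true;
    }

    // Does a specific (installed or returned) version fall inside a range?
    public static bool VersionInRange(string version, string rangeText)
    {
        int[] v; Range r;
        return TryParse(version, out v) && TryParseRange(rangeText, out r) && Contains(r, v);
    }

    // Do two ranges overlap? True exactly when each lower bound sits below the other's upper bound.
    public static bool Overlaps(string a, string b)
    {
        Range ra, rb;
        if (!TryParseRange(a, out ra) || !TryParseRange(b, out rb)) return false;
        return LowBelowHigh(ra, rb) && LowBelowHigh(rb, ra);
    }

    private static bool LowBelowHigh(Range x, Range y)
    {
        if (x.Low == null || y.High == null) return true;
        int c = Compare(x.Low, y.High);
        return c < 0 || (c == 0 && x.LowInclusive && y.HighInclusive);
    }

    public static void Main()
    {
        Console.WriteLine(VersionInRange("2.0.0", "<2.1.0"));    // bootstrap 2.0.0 against the vulnerability range
        Console.WriteLine(VersionInRange("1.6.1", ""));          // jQuery against an empty vulnerability range
        Console.WriteLine(VersionInRange("6.1.1.0", "~6.1"));    // returned guzzle artifact against the requested range
        Console.WriteLine(VersionInRange("5.5.", "<6"));         // unparsable version: no match, no exception
        Console.WriteLine(Overlaps("~6.1", "<6.1.1"));           // requested range against a vulnerability range
        Console.WriteLine(Overlaps(">=2.1.0", "<2.1.0"));        // adjacent but disjoint ranges
    }
}
```

The artifact-matching case is then `artifacts.Where(a => VersionInRange(a.Version, requestedRange))`, and the vulnerability case is `Overlaps(requestedRange, vulnerabilityRange)`; both keep running when a version string is unparsable because the parsers return false instead of throwing.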
For consistency and market reasons, I would like all version numbers to be updated to 2.0.0
Our latest version numbers were:
But the code says "0.1.19.10"
As this is a fairly significant release, I would like to synchronize things a bit, so the next GitHub release (and assorted binary packages) should be 2.0.0 (and the code can be 2.0.0.x, where x depends on whether it is a source code number, or Jenkins build, or what have you). The source should report itself as 2.0.0.x, and all Jenkins builds (etc.) should be updated to 2.0.0.x.
I am not particularly concerned about the fourth number being synchronized, but I would like the first three to be consistent for all DevAudit product artifacts for every release forthwith.
All classes that implement IDisposable should set their root references to null (all properties and fields) and/or implement a finalizer if GC.SuppressFinalize() is called, otherwise these objects will not be cleaned up by the GC. This isn't an issue now because program runs are short, but it can become an issue as program runs become longer and more complex. GC.SuppressFinalize() shouldn't be called by classes that want the GC to finalize their references; this is the simplest option, as GC performance hits aren't really an issue for this kind of app.
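As an added example for this issue and the earlier one on disposing audit classes (example code, not a class from the DevAudit repository): the standard dispose pattern for an audit target that owns a managed resource (a log writer) and an unmanaged one (a scratch work directory on disk). Dispose() releases both, drops its root references and suppresses finalization; the finalizer runs only if Dispose() was never called (for example after a crash or abort) and then removes the work directory. The class name and directory layout are assumptions.

```csharp
using System;
using System.IO;

// Added example, not DevAudit's own code.
public sealed class AuditWorkspace : IDisposable
{
    private string workDirectory;   // hypothetical per-audit scratch directory (the "unmanaged" part)
    private StreamWriter log;       // managed resource: touched only on the Dispose() path
    private bool disposed;

    public AuditWorkspace(string root)
    {
        workDirectory = Path.Combine(root, "devaudit-" + Guid.NewGuid().ToString("N"));
        Directory.CreateDirectory(workDirectory);
        log = new StreamWriter(Path.Combine(workDirectory, "audit.log"));
    }

    public string WorkDirectory { get { ThrowIfDisposed(); return workDirectory; } }

    public void Write(string message) { ThrowIfDisposed(); log.WriteLine(message); }

    // Called by the CLI (or any host) when the audit is complete, e.g. via a using block.
    public void Dispose()
    {
        Dispose(true);
        GC.SuppressFinalize(this);   // everything is released already; no finalizer run needed
    }

    // Safety net for the on-disk resource only: if Dispose() never ran, the GC calls this.
    ~AuditWorkspace()
    {
        Dispose(false);
    }

    private void Dispose(bool disposing)
    {
        if (disposed) return;
        if (disposing)
        {
            // Managed objects may already be finalized when disposing == false, so only
            // the explicit Dispose() path touches them.
            if (log != null) log.Dispose();
            log = null;   // drop the root reference so the GC can reclaim it
        }
        // The work directory is cleaned up on both paths.
        try
        {
            if (workDirectory != null && Directory.Exists(workDirectory))
                Directory.Delete(workDirectory, true);
        }
        catch (IOException) { /* best effort; a finalizer must never throw */ }
        catch (UnauthorizedAccessException) { /* same */ }
        workDirectory = null;
        disposed = true;
    }

    private void ThrowIfDisposed()
    {
        if (disposed) throw new ObjectDisposedException(nameof(AuditWorkspace));
    }
}
```

Typical use from a CLI is `using (var ws = new AuditWorkspace(Path.GetTempPath())) { ws.Write("scan started"); }`; the using block guarantees Dispose() on the normal path, and the finalizer covers the case where the process is torn down before that happens.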
There's a subtle difference between concurrency and parallelism: parallelism is a type of concurrency achieved using multiple threads running in parallel on data that is segmented and where data access is synchronized using primitives like locks etc. In .NET concurrency can be achieved using the async/await patterns for asynchronous operations, but this is not parallelism and may not be ideal in cases where operations truly need to run in parallel for maximum performance.
E.g. when fetching artifacts the call to the remote web server is asynchronous and control is returned to the main thread immediately, so multiple HTTP requests happen concurrently. However, only one thread is available to service the completion of each I/O request, and this lone thread must then do the computations for matching vulnerabilities with package versions for every artifact. In contrast, a true parallel operation would start multiple threads that would handle each request and block until the request and computation completes. This should make the CLI app more responsive as results will be returned to the user much more quickly.
Async operations might be better for DevAudit web applications where thousands of requests per second must be handled by threads and it can improve scalability by re-using threads as they become available and async operations complete so probably the best option is to make this async/parallel mode a switchable option in the library.
Build FAILED.
Errors:
/home/vor/.jenkins/jobs/DevAudit.Linux/workspace/DevAudit.Mono.sln (default targets) ->
(Build target) ->
/home/vor/.jenkins/jobs/DevAudit.Linux/workspace/DevAudit.AuditLibrary/DevAudit.AuditLibrary.Mono.csproj (default targets) ->
/usr/lib/mono/xbuild/14.0/bin/Microsoft.CSharp.targets (CoreCompile target) ->
Projects/NetFxCodeProject.cs(179,40): error CS0246: The type or namespace name `NetFx4Application' could not be found. Are you missing an assembly reference?
0 Warning(s)
1 Error(s)
p, password Specifies that a password will be typed for the user
name to login to the remote host.
password-text Specifies that a password will be typed for the user
name to login to the remote host.
Consider the Nancy Project: https://ossindex.net/resource/project/8398863527
There are multiple packages. The vulnerabilities are actually related to the main "Nancy" package only, but get reported for all of the dependencies.
Though in this case every package can be upgraded past the "vulnerable" version, the results of DevAudit are misleading.
The resolution for the rule "mysqld accepts TCP/IP connections on all IPv6 and IPv4 interfaces" is actually the resolution for the root user problem.
Receiving the following error when trying to process my packages.config file.
Please let me know if you need me to attach the entire packages.config file.
Audit Results
=============
[1/40] Newtonsoft.Json 7.0.1 No known vulnerabilities.
[2/40] Modernizr 2.8.3 No known vulnerabilities.
[3/40] AutoMapper 4.1.1 No known vulnerabilities.
[4/40] Newtonsoft.Json 7.0.1 No known vulnerabilities.
[5/40] Microsoft.Owin.Security 3.0.1 No known vulnerabilities.
[6/40] RestSharp 105.2.3 No known vulnerabilities.
[7/40] Microsoft.Owin 3.0.1 No known vulnerabilities.
[8/40] Newtonsoft.Json 7.0.1 No known vulnerabilities.
[9/40] Owin 1.0.0 No known vulnerabilities.
[10/40] NLog.Extended 4.0.0.1
Unhandled Exception: Sprache.ParseException: Parsing failure: unexpected 'c'; expected <= or >= or < or > or = or ~ or digit (Line 1, Column 1); recently consumed:
at Sprache.ParserExtensions.Parse[T](Parser`1 parser, String input)
at SemverSharp.SemanticVersion.RangeIntersect(String left, String right)
at DevAudit.AuditLibrary.NuGetPackageSource.IsVulnerabilityVersionInPackageVersionRange(String vulnerability_version, String package_version)
at DevAudit.CommandLine.Program.<>c__DisplayClass6_3.<Main>b__13(String v)
at System.Linq.Enumerable.Any[TSource](IEnumerable`1 source, Func`2 predicate)
at DevAudit.CommandLine.Program.Main(String[] args)
./devaudit mysql --root / --config-file /etc/mysql/my.cnf
_____ _______ __ __ __
| \ .-----..--.--.| _ |.--.--..--| ||__|| |_
| -- || -__|| | || || | || _ || || _|
|_____/ |_____| \___/ |___|___||_____||_____||__||____|
v0.1.12.6
01:03:57<01> [AUDIT] [STATUS] Scanning MySQL packages.
Scanning MySQL packages...
01:03:57<01> [AUDIT] [SUCCESS] Scanned 1 MySQL packages.
Searching OSS Index for artifacts for 1 packages...
01:03:57<04> [AUDIT] [SUCCESS] Found 1 artifacts on OSS Index in 483 ms.
Searching OSS Index for vulnerabilities for 1 packages...
01:03:57<06> [AUDIT] [INFO] Searching OSS Index for configuration rules for 1 artifact(s).
Searching OSS Index for vulnerabilities for 1 packages...
01:03:57<04> [AUDIT] [INFO] Loading default configuration rules for MySQL application.
Searching OSS Index for vulnerabilities for 1 packages...
01:03:58<06> [AUDIT] [INFO] Found 0 configuration rule(s) on OSS Index in 210 ms.
Searching OSS Index for vulnerabilities for 1 packages...
01:04:02<07> [AUDIT] [SUCCESS] Found 481 vulnerabilities for 1 package(s) on OSS Index in 4230 ms.
01:04:02<01> [AUDIT] [ERROR] Exception thrown in GetDefaultConfigurationRules task.
01:04:02<01> [AUDIT] [ERROR] Exception: (Line: 9, Col: 21, Idx: 432) - (Line: 11, Col: 1, Idx: 534): While scanning a block scalar, find a tab character where an intendation space is expected. at at YamlDotNet.Core.Scanner.ScanBlockScalarBreaks (System.Int32 currentIndent, System.Text.StringBuilder breaks, YamlDotNet.Core.Mark start, YamlDotNet.Core.Mark& end) [0x00086] in <cfa0690886f74135a5b00896cc288be8>:0
at YamlDotNet.Core.Scanner.ScanBlockScalar (System.Boolean isLiteral) [0x00260] in <cfa0690886f74135a5b00896cc288be8>:0
at YamlDotNet.Core.Scanner.FetchBlockScalar (System.Boolean isLiteral) [0x0000d] in <cfa0690886f74135a5b00896cc288be8>:0
at YamlDotNet.Core.Scanner.FetchNextToken () [0x0027d] in <cfa0690886f74135a5b00896cc288be8>:0
at YamlDotNet.Core.Scanner.FetchMoreTokens () [0x00065] in <cfa0690886f74135a5b00896cc288be8>:0
at YamlDotNet.Core.Scanner.MoveNextWithoutConsuming () [0x00010] in <cfa0690886f74135a5b00896cc288be8>:0
at YamlDotNet.Core.Parser.GetCurrentToken () [0x00052] in <cfa0690886f74135a5b00896cc288be8>:0
at YamlDotNet.Core.Parser.ParseBlockMappingValue () [0x0001f] in <cfa0690886f74135a5b00896cc288be8>:0
at YamlDotNet.Core.Parser.StateMachine () [0x000d9] in <cfa0690886f74135a5b00896cc288be8>:0
at YamlDotNet.Core.Parser.MoveNext () [0x0001f] in <cfa0690886f74135a5b00896cc288be8>:0
at YamlDotNet.Core.EventReader.MoveNext () [0x00000] in <cfa0690886f74135a5b00896cc288be8>:0
at YamlDotNet.Core.EventReader.Allow[T] () [0x0001d] in <cfa0690886f74135a5b00896cc288be8>:0
at YamlDotNet.Core.EventReader.Expect[T] () [0x00000] in <cfa0690886f74135a5b00896cc288be8>:0
at YamlDotNet.Serialization.NodeDeserializers.ObjectNodeDeserializer.YamlDotNet.Serialization.INodeDeserializer.Deserialize (YamlDotNet.Core.EventReader reader, System.Type expectedType, System.Func`3[T1,T2,TResult] nestedObjectDeserializer, System.Object& value) [0x00028] in <cfa0690886f74135a5b00896cc288be8>:0
at YamlDotNet.Serialization.ValueDeserializers.NodeValueDeserializer.DeserializeValue (YamlDotNet.Core.EventReader reader, System.Type expectedType, YamlDotNet.Serialization.Utilities.SerializerState state, YamlDotNet.Serialization.IValueDeserializer nestedObjectDeserializer) [0x00039] in <cfa0690886f74135a5b00896cc288be8>:0 .
Go to: https://ossindex.net/v2.0/package/nuget/marked
Note the following:
{
"id": 8398941962,
"title": "Content & Code Injection (XSS)",
"description": "Using the HTML Coded Character Set, attackers can inject `javascript:` code snippets into the output.",
"versions": [
"<=0.3.5"
],
"references": [
"https://cwe.mitre.org/data/definitions/94.html",
"https://github.com/chjj/marked/pull/592",
"https://github.com/chjj/marked/pull/592/commits/2cff85979be8e7a026a9aca35542c470cf5da523",
"https://snyk.io/vuln/npm:marked:20150520"
],
"published": 1463550221248,
"updated": 1463550221248
},
{
"id": 8399946985,
"title": "XSS (Cross Site Scripting)",
"description": "With the sanitize option on it is possible to create a link with a javascript: protocol with the following: [URL](javascript:document;alert(1)).",
"versions": [
"<0.3.6"
],
"references": [
"https://github.com/chjj/marked/pull/592",
"https://github.com/chjj/marked/pull/592/commits/2cff85979be8e7a026a9aca35542c470cf5da523",
"https://nodesecurity.io/advisories/101"
],
"published": 1469222593783,
"updated": 1485187367344
}
Neither of these vulnerabilities is approved.
I have checked the contents of Examples\Drupal\core\composer.json and there are packages therein that are definitely in the database. It seems that either they are being queried for incorrectly, or the database is not responding correctly.
Running DevAudit on Linux is often causing exceptions.
+ ./devaudit bower --file Examples/bower.json.example
+ tee /tmp/devaudit.bower.out
_____ _______ __ __ __
| \ .-----..--.--.| _ |.--.--..--| ||__|| |_
| -- || -__|| | || || | || _ || || _|
|_____/ |_____| \___/ |___|___||_____||_____||__||____|
v0.1.19.5
05:05:30<01> [AUDIT] [STATUS] Scanning Bower packages.
Scanning Bower packages... 05:05:30<01> [AUDIT] [SUCCESS] Scanned 4 Bower packages.
Searching OSS Index for vulnerabilities for 4 packages... 05:05:48<06> [AUDIT] [ERROR] Exception thrown waiting for http task to complete in Throw.
Searching OSS Index for vulnerabilities for 4 packages... 05:05:48<06> [AUDIT] [ERROR] Exception: Exception of type 'DevAudit.AuditLibrary.OSSIndexHttpException' was thrown. at at DevAudit.AuditLibrary.OSSIndexHttpClient+<SearchVulnerabilitiesAsync>c__async6.MoveNext () [0x0026b] in <30d07cea01624328847df9cab12ef65d>:0
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000c] in <8f2c484307284b51944a1a13a14c0266>:0
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Threading.Tasks.Task task) [0x0004e] in <8f2c484307284b51944a1a13a14c0266>:0
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Threading.Tasks.Task task) [0x0002e] in <8f2c484307284b51944a1a13a14c0266>:0
at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd (System.Threading.Tasks.Task task) [0x0000b] in <8f2c484307284b51944a1a13a14c0266>:0
at System.Runtime.CompilerServices.TaskAwaiter`1[TResult].GetResult () [0x00000] in <8f2c484307284b51944a1a13a14c0266>:0
at DevAudit.AuditLibrary.PackageSource+<GetVulnerabiltiesApiv2>c__AnonStorey15+<GetVulnerabiltiesApiv2>c__async14.MoveNext () [0x0008b] in <30d07cea01624328847df9cab12ef65d>:0 .
Searching OSS Index for vulnerabilities for 4 packages... 05:05:48<06> [AUDIT] [WARNING] Found 0 vulnerabilities for 4 package(s) on OSS Index in 18822 ms.
Searching OSS Index for vulnerabilities for 4 packages...
My packages.config file:
<?xml version="1.0" encoding="utf-8"?>
<packages>
<package id="FluentBootstrap" version="3.3.5.2" targetFramework="net45" />
</packages>
FluentBootstrap has a vulnerability against version 3.3.5.3.
DevAudit output:
> devaudit.exe nuget -f Examples\packages.config.example
Scanning NuGet packages...
Found 1 distinct packages.
Searching OSS Index for 1 NuGet packages...
Found 1 artifacts, 1 with an OSS Index project id.
Searching OSS Index for vulnerabilities for 1 projects...
Audit Results
=============
[1/1] FluentBootstrap (3.3.5.2) 1 known vulnerabilities, 0 affecting installed version. [FluentBootstrap 3.3.5.2]
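The two reports above, the OSS Index records for `marked` with their `versions` ranges (`<=0.3.5`, `<0.3.6`) and the FluentBootstrap report in which an advisory "against version 3.3.5.3" yields "0 affecting installed version" for 3.3.5.2, both come down to how a version-range expression is matched against the installed version. The following Python is an added example written for this page; it is not DevAudit's or OSS Index's own matching code. It assumes the range syntax seen on the page (one comparison operator followed by a dotted numeric version, a bare version meaning an exact match), treats a comma inside one entry as a conjunction, and zero-pads shorter versions the way four-part NuGet versions compare. The FluentBootstrap advisory's actual range is not shown on the page, so the usage block tries both an exact-match reading and a `<=` reading to show why the outcome depends on it.

```python
"""Match an installed package version against OSS Index style 'versions' ranges.

Added example for this page; not DevAudit's or OSS Index's matching code.
Assumptions (not stated on the page):
  * each range entry is ONE comparison operator (<, <=, >, >=, ==/=) followed
    by a dotted numeric version, or a bare version meaning an exact match;
  * a comma inside one entry is a conjunction, e.g. ">=1.0,<2.0";
  * the entries of a 'versions' list are alternatives (any match => affected);
  * versions are purely numeric; the shorter one is zero-padded (3.3.5 == 3.3.5.0).
"""
import re
from typing import List, Tuple

_NUMERIC = re.compile(r"\d+(\.\d+)*")
# Two-character operators first so "<=" is not read as "<" followed by "=...".
_OPS = ("<=", ">=", "==", "<", ">", "=")


def parse_version(text: str) -> List[int]:
    """'3.3.5.2' -> [3, 3, 5, 2]; rejects pre-release tags and other non-numeric input."""
    text = text.strip()
    if not _NUMERIC.fullmatch(text):
        raise ValueError(f"unsupported version string: {text!r}")
    return [int(p) for p in text.split(".")]


def cmp_versions(a: str, b: str) -> int:
    """Classic comparator: -1, 0 or 1, after zero-padding the shorter version."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += [0] * (n - len(pa))
    pb += [0] * (n - len(pb))
    return (pa > pb) - (pa < pb)


def parse_constraint(expr: str) -> Tuple[str, str]:
    """'<=0.3.5' -> ('<=', '0.3.5'); a bare '0.3.5' -> ('==', '0.3.5')."""
    expr = expr.strip()
    for op in _OPS:
        if expr.startswith(op):
            return ("==" if op == "=" else op), expr[len(op):].strip()
    return "==", expr


def satisfies(installed: str, expr: str) -> bool:
    op, ver = parse_constraint(expr)
    c = cmp_versions(installed, ver)
    return {"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0, "==": c == 0}[op]


def affected(installed: str, versions: List[str]) -> bool:
    """True if the installed version falls inside any entry of an advisory's 'versions' list."""
    return any(
        all(satisfies(installed, part) for part in entry.split(","))
        for entry in versions
    )


# The two marked advisories as listed on the page (ids, titles and ranges copied from it).
MARKED_ADVISORIES = [
    {"id": 8398941962, "title": "Content & Code Injection (XSS)", "versions": ["<=0.3.5"]},
    {"id": 8399946985, "title": "XSS (Cross Site Scripting)", "versions": ["<0.3.6"]},
]


def audit(installed: str, advisories) -> Tuple[int, int]:
    """Return (known, affecting), the two counts in DevAudit's
    'N known vulnerabilities, M affecting installed version' result line."""
    known = len(advisories)
    affecting = sum(1 for a in advisories if affected(installed, a["versions"]))
    return known, affecting


if __name__ == "__main__":
    for v in ("0.3.5", "0.3.6"):
        print(f"marked {v}: known/affecting = {audit(v, MARKED_ADVISORIES)}")
    # FluentBootstrap: the page only says 'a vulnerability against version 3.3.5.3'.
    # Both readings of that range are assumptions, and they give different answers.
    for rng in ("3.3.5.3", "<=3.3.5.3"):
        print(f"FluentBootstrap 3.3.5.2 vs {rng!r}: affected={affected('3.3.5.2', [rng])}")
```

Run against the page's data, `marked` 0.3.5 is hit by both records and 0.3.6 by neither, while FluentBootstrap 3.3.5.2 is "not affected" by an exact-match range of 3.3.5.3 but is affected by `<=3.3.5.3`; whether the report's "0 affecting installed version" is right therefore depends on the range OSS Index holds for that advisory, which is the thing to check before filing it as a false negative.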
I have a fresh build of DevAudit and drupal7. On startup, DevAudit immediately throws an exception:
vor@uror:~/.jenkins/jobs/DevAudit.Linux/workspace$ ./devaudit drupal7 --root /var/www/html/drupal7
_____ _______ __ __ __
| \ .-----..--.--.| _ |.--.--..--| ||__|| |_
| -- || -__|| | || || | || _ || || _|
|_____/ |_____| \___/ |___|___||_____||_____||__||____|
v0.1.12.5
Runtime error! DevAudit will now terminate.
[ERROR] FATAL UNHANDLED EXCEPTION: System.NotImplementedException: The method or operation is not implemented.
at DevAudit.AuditLibrary.Drupal7Application.GetVersion () [0x00001] in <b0e9c34b34e746f9bb1e6fc394f249b9>:0
at DevAudit.AuditLibrary.Application.Audit (System.Threading.CancellationToken ct) [0x0001c] in <b0e9c34b34e746f9bb1e6fc394f249b9>:0
at DevAudit.CommandLine.Program.Main (System.String[] args) [0x00820] in <4bed8c378dcf4e8da87ea46f6010d80d>:0
Jenkins has complained about a build problem on windows:
"C:\Jenkins\workspace\DevAudit.Windows\DevAudit.sln" (default target) (1) ->
"C:\Jenkins\workspace\DevAudit.Windows\DevAudit.AuditLibrary\DevAudit.AuditLibrary.csproj" (default target) (2) ->
(CoreCompile target) ->
SshAuditEnvironment.cs(16,7): error CS0246: The type or namespace name 'SharpCompress' could not be found (are you missing a using directive or an assembly reference?) [C:\Jenkins\workspace\DevAudit.Windows\DevAudit.AuditLibrary\DevAudit.AuditLibrary.csproj]
SshAuditEnvironment.cs(17,7): error CS0246: The type or namespace name 'SharpCompress' could not be found (are you missing a using directive or an assembly reference?) [C:\Jenkins\workspace\DevAudit.Windows\DevAudit.AuditLibrary\DevAudit.AuditLibrary.csproj]
12 Warning(s)
2 Error(s)
What is curious is that a build from the VisualStudio UI works fine.
Any thoughts?
There are now a number of program features and capabilities and many command-line options. User documentation for all features and options should be added to the wiki.
In version 1.x, the package name and version were in bold
[19/22] WebGrease (1.6.0) no known vulnerabilities.
In version 2.x this is not the case, and it makes it harder to distinguish between different packages.
I ran the Beta "composer" check against my drupal8 composer.json file and received the following output:
$ ./devaudit.exe composer --file ../../Examples/composer.json.drupal8 -n
Scanning Composer packages...
Error(s) encountered scanning for Composer packages: Object reference not set to an instance of an object.
Run devaudit msi on a system with vulnerabilities. Look at the missing space between the CVE name and the title:
[CVE-2012-0159]Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Wi...
On Ubuntu I manually installed modules in the following locations:
Drupal8 was identifying the modules, but DevAudit was not.
I installed DevAudit using the windows alpha DevAudit.zip file
vor@njord:~/wut/DevAudit$ mono devaudit.exe drupal --root /var/www/html/drupal8/
Scanning Drupal packages...
Found 1 distinct packages.
Searching OSS Index for 1 Drupal packages...
Found 1 artifacts, 1 with an OSS Index project id.
Searching OSS Index for vulnerabilities for 1 projects...
Audit Results
=============
[1/1] drupal_core 195 known vulnerabilities, 0 affecting installed version. [drupal_core 8.x]
I forced a clean build for Linux on Jenkins, and started getting some dependency errors:
ByteCodeAnalyzer.cs(7,7): error CS0246: The type or namespace name `Alpheus' could not be found. Are you missing an assembly reference?
Analyzers/NetFxAnalyzer.cs(8,7): error CS0246: The type or namespace name `Alpheus' could not be found. Are you missing an assembly reference?
Applications/NetFxApplication.cs(7,7): error CS0246: The type or namespace name `Alpheus' could not be found. Are you missing an assembly reference?
Projects/Drupal8ModuleCodeProject.cs(7,7): error CS0246: The type or namespace name `Alpheus' could not be found. Are you missing an assembly reference?
Projects/PHPCodeProject.cs(10,7): error CS0246: The type or namespace name `Alpheus' could not be found. Are you missing an assembly reference?
Application.cs(15,7): error CS0246: The type or namespace name `Alpheus' could not be found. Are you missing an assembly reference?
Applications/Drupal7Application.cs(14,7): error CS0246: The type or namespace name `Alpheus' could not be found. Are you missing an assembly reference?
Applications/Drupal7Application.cs(15,7): error CS0246: The type or namespace name `Alpheus' could not be found. Are you missing an assembly reference?
Applications/Drupal8Application.cs(12,7): error CS0246: The type or namespace name `Alpheus' could not be found. Are you missing an assembly reference?
Applications/Drupal8Application.cs(13,7): error CS0246: The type or namespace name `Alpheus' could not be found. Are you missing an assembly reference?
AuditFileSystemInfo.cs(8,7): error CS0246: The type or namespace name `Alpheus' could not be found. Are you missing an assembly reference?
LocalAuditDirectoryInfo.cs(8,7): error CS0246: The type or namespace name `Alpheus' could not be found. Are you missing an assembly reference?
LocalAuditFileInfo.cs(8,7): error CS0246: The type or namespace name `Alpheus' could not be found. Are you missing an assembly reference?
CodeProject.cs(16,7): error CS0246: The type or namespace name `Alpheus' could not be found. Are you missing an assembly reference?
Projects/NetFxCodeProject.cs(9,7): error CS0246: The type or namespace name `Alpheus' could not be found. Are you missing an assembly reference?
SshAuditFileInfo.cs(9,7): error CS0246: The type or namespace name `Alpheus' could not be found. Are you missing an assembly reference?
SshAuditDirectoryInfo.cs(8,7): error CS0246: The type or namespace name `Alpheus' could not be found. Are you missing an assembly reference?
AuditEnvironment.cs(11,7): error CS0246: The type or namespace name `Alpheus' could not be found. Are you missing an assembly reference?
AuditDirectoryInfo.cs(8,7): error CS0246: The type or namespace name `Alpheus' could not be found. Are you missing an assembly reference?
AuditFileInfo.cs(9,7): error CS0246: The type or namespace name `Alpheus' could not be found. Are you missing an assembly reference?
Servers/NginxServer.cs(10,7): error CS0246: The type or namespace name `Alpheus' could not be found. Are you missing an assembly reference?
Servers/HttpdServer.cs(10,7): error CS0246: The type or namespace name `Alpheus' could not be found. Are you missing an assembly reference?
Servers/SSHDServer.cs(12,7): error CS0246: The type or namespace name `Alpheus' could not be found. Are you missing an assembly reference?
Servers/SSHDServer.cs(13,7): error CS0246: The type or namespace name `Alpheus' could not be found. Are you missing an assembly reference?
Servers/MySQLServer.cs(8,7): error CS0246: The type or namespace name `Alpheus' could not be found. Are you missing an assembly reference?
SshAuditEnvironment.cs(16,7): error CS0246: The type or namespace name `SharpCompress' could not be found. Are you missing an assembly reference?
SshAuditEnvironment.cs(17,7): error CS0246: The type or namespace name `SharpCompress' could not be found. Are you missing an assembly reference?
DockerAuditFileInfo.cs(9,7): error CS0246: The type or namespace name `Alpheus' could not be found. Are you missing an assembly reference?
DockerAuditDirectoryInfo.cs(8,7): error CS0246: The type or namespace name `Alpheus' could not be found. Are you missing an assembly reference?
AuditFileSystemInfo.cs(11,49): error CS0246: The type or namespace name `IFileSystemInfo' could not be found. Are you missing an assembly reference?
AuditDirectoryInfo.cs(12,69): error CS0246: The type or namespace name `IDirectoryInfo' could not be found. Are you missing an assembly reference?
AuditFileInfo.cs(13,64): error CS0246: The type or namespace name `IFileInfo' could not be found. Are you missing an assembly reference?
ByteCodeAnalyzer.cs(32,92): error CS0246: The type or namespace name `IConfiguration' could not be found. Are you missing an assembly reference?
ByteCodeAnalyzer.cs(51,19): error CS0246: The type or namespace name `IConfiguration' could not be found. Are you missing an assembly reference?
Analyzers/NetFxAnalyzer.cs(13,89): error CS0246: The type or namespace name `IConfiguration' could not be found. Are you missing an assembly reference?
Application.cs(172,28): error CS0246: The type or namespace name `IConfiguration' could not be found. Are you missing an assembly reference?
Application.cs(213,16): error CS0246: The type or namespace name `IConfiguration' could not be found. Are you missing an assembly reference?
Applications/NetFxApplication.cs(224,28): error CS0246: The type or namespace name `IConfiguration' could not be found. Are you missing an assembly reference?
CodeProject.cs(172,16): error CS0246: The type or namespace name `IConfiguration' could not be found. Are you missing an assembly reference?
Applications/Drupal7Application.cs(186,28): error CS0246: The type or namespace name `IConfiguration' could not be found. Are you missing an assembly reference?
Applications/Drupal8Application.cs(169,28): error CS0246: The type or namespace name `IConfiguration' could not be found. Are you missing an assembly reference?
AuditDirectoryInfo.cs(15,25): error CS0246: The type or namespace name `IDirectoryInfo' could not be found. Are you missing an assembly reference?
AuditDirectoryInfo.cs(16,25): error CS0246: The type or namespace name `IDirectoryInfo' could not be found. Are you missing an assembly reference?
AuditDirectoryInfo.cs(20,25): error CS0246: The type or namespace name `IDirectoryInfo' could not be found. Are you missing an assembly reference?
AuditDirectoryInfo.cs(21,25): error CS0246: The type or namespace name `IDirectoryInfo' could not be found. Are you missing an assembly reference?
AuditDirectoryInfo.cs(22,25): error CS0246: The type or namespace name `IDirectoryInfo' could not be found. Are you missing an assembly reference?
AuditDirectoryInfo.cs(23,25): error CS0246: The type or namespace name `IFileInfo' could not be found. Are you missing an assembly reference?
AuditDirectoryInfo.cs(24,25): error CS0246: The type or namespace name `IFileInfo' could not be found. Are you missing an assembly reference?
AuditDirectoryInfo.cs(32,25): error CS0246: The type or namespace name `IFileInfo' could not be found. Are you missing an assembly reference?
LocalAuditDirectoryInfo.cs(16,25): error CS0246: The type or namespace name `IDirectoryInfo' could not be found. Are you missing an assembly reference?
LocalAuditDirectoryInfo.cs(24,25): error CS0246: The type or namespace name `IDirectoryInfo' could not be found. Are you missing an assembly reference?
LocalAuditDirectoryInfo.cs(42,25): error CS0246: The type or namespace name `IDirectoryInfo' could not be found. Are you missing an assembly reference?
LocalAuditDirectoryInfo.cs(48,25): error CS0246: The type or namespace name `IDirectoryInfo' could not be found. Are you missing an assembly reference?
LocalAuditDirectoryInfo.cs(60,25): error CS0246: The type or namespace name `IDirectoryInfo' could not be found. Are you missing an assembly reference?
LocalAuditDirectoryInfo.cs(66,25): error CS0246: The type or namespace name `IFileInfo' could not be found. Are you missing an assembly reference?
LocalAuditDirectoryInfo.cs(72,25): error CS0246: The type or namespace name `IFileInfo' could not be found. Are you missing an assembly reference?
LocalAuditDirectoryInfo.cs(78,25): error CS0246: The type or namespace name `IFileInfo' could not be found. Are you missing an assembly reference?
AuditFileInfo.cs(17,25): error CS0246: The type or namespace name `IDirectoryInfo' could not be found. Are you missing an assembly reference?
AuditFileInfo.cs(27,25): error CS0246: The type or namespace name `IFileInfo' could not be found. Are you missing an assembly reference?
LocalAuditFileInfo.cs(33,25): error CS0246: The type or namespace name `IDirectoryInfo' could not be found. Are you missing an assembly reference?
LocalAuditFileInfo.cs(112,25): error CS0246: The type or namespace name `IFileInfo' could not be found. Are you missing an assembly reference?
SshAuditFileInfo.cs(75,25): error CS0246: The type or namespace name `IDirectoryInfo' could not be found. Are you missing an assembly reference?
SshAuditFileInfo.cs(113,25): error CS0246: The type or namespace name `IFileInfo' could not be found. Are you missing an assembly reference?
SshAuditFileInfo.cs(210,17): error CS0246: The type or namespace name `IDirectoryInfo' could not be found. Are you missing an assembly reference?
SshAuditDirectoryInfo.cs(28,25): error CS0246: The type or namespace name `IDirectoryInfo' could not be found. Are you missing an assembly reference?
SshAuditDirectoryInfo.cs(37,25): error CS0246: The type or namespace name `IDirectoryInfo' could not be found. Are you missing an assembly reference?
SshAuditDirectoryInfo.cs(74,25): error CS0246: The type or namespace name `IDirectoryInfo' could not be found. Are you missing an assembly reference?
SshAuditDirectoryInfo.cs(89,25): error CS0246: The type or namespace name `IDirectoryInfo' could not be found. Are you missing an assembly reference?
SshAuditDirectoryInfo.cs(104,25): error CS0246: The type or namespace name `IDirectoryInfo' could not be found. Are you missing an assembly reference?
SshAuditDirectoryInfo.cs(109,25): error CS0246: The type or namespace name `IFileInfo' could not be found. Are you missing an assembly reference?
SshAuditDirectoryInfo.cs(125,25): error CS0246: The type or namespace name `IFileInfo' could not be found. Are you missing an assembly reference?
SshAuditDirectoryInfo.cs(153,25): error CS0246: The type or namespace name `IFileInfo' could not be found. Are you missing an assembly reference?
Servers/NginxServer.cs(97,28): error CS0246: The type or namespace name `IConfiguration' could not be found. Are you missing an assembly reference?
Servers/HttpdServer.cs(65,28): error CS0246: The type or namespace name `IConfiguration' could not be found. Are you missing an assembly reference?
Servers/SSHDServer.cs(104,28): error CS0246: The type or namespace name `IConfiguration' could not be found. Are you missing an assembly reference?
Servers/MySQLServer.cs(81,28): error CS0246: The type or namespace name `IConfiguration' could not be found. Are you missing an assembly reference?
DockerAuditFileInfo.cs(82,25): error CS0246: The type or namespace name `IDirectoryInfo' could not be found. Are you missing an assembly reference?
DockerAuditFileInfo.cs(120,25): error CS0246: The type or namespace name `IFileInfo' could not be found. Are you missing an assembly reference?
DockerAuditFileInfo.cs(210,17): error CS0246: The type or namespace name `IDirectoryInfo' could not be found. Are you missing an assembly reference?
DockerAuditDirectoryInfo.cs(19,19): error CS0246: The type or namespace name `IDirectoryInfo' could not be found. Are you missing an assembly reference?
DockerAuditDirectoryInfo.cs(28,19): error CS0246: The type or namespace name `IDirectoryInfo' could not be found. Are you missing an assembly reference?
DockerAuditDirectoryInfo.cs(65,19): error CS0246: The type or namespace name `IDirectoryInfo' could not be found. Are you missing an assembly reference?
DockerAuditDirectoryInfo.cs(80,19): error CS0246: The type or namespace name `IDirectoryInfo' could not be found. Are you missing an assembly reference?
DockerAuditDirectoryInfo.cs(95,19): error CS0246: The type or namespace name `IDirectoryInfo' could not be found. Are you missing an assembly reference?
DockerAuditDirectoryInfo.cs(100,19): error CS0246: The type or namespace name `IFileInfo' could not be found. Are you missing an assembly reference?
DockerAuditDirectoryInfo.cs(116,19): error CS0246: The type or namespace name `IFileInfo' could not be found. Are you missing an assembly reference?
DockerAuditDirectoryInfo.cs(144,19): error CS0246: The type or namespace name `IFileInfo' could not be found. Are you missing an assembly reference?
Currently I have hidden 3 features for release 2.0 -- dpkg, rpm, and yum -- since the server support is insufficient at this time. They have been hidden on the 2.0.x stream, which is sufficient; they can remain enabled in master.
The question is, which of the remaining features and command line arguments should remain enabled for the release? Here is the current help text to help with the selection. Note that I am only removing things from the help text, I don't particularly care if the code is still accessible, just that they are not officially supported.
ANYTHING that is in dubious shape (that was not previously released) can be disabled. I would rather things be nice and stable for the release.
DevAudit 0.1.19.10
Copyright © 2016 Vör Security
nuget Audit NuGet packages. Use the --file option to
specify a particular packages.config file otherwise
the one in the current directory will be used.
msi Audit MSI packages on Windows. Packages are scanned
from the registry.
choco Audit Chocolatey packages on Windows. Packages are
scanned from C:\ProgramData\chocolatey.
bower Audit Bower packages. Use the --file option to
specify a particular bower.json file otherwise the
one in the current directory will be used.
oneget Audit OneGet packages on Windows. Packages are
scanned from the system OneGet repository.
composer Audit PHP Composer packages. Use the --file option
to specify a particular composer.json file otherwise
the one in the current directory will be used.
drupal8 Audit a Drupal 8 application instance. Use the -r
option to specify the root directory of the Drupal 8
instance, otherwise the current directory will be
used.
drupal7 Audit a Drupal 7 application instance. Use the -r
option to specify the root directory of the Drupal 7
instance, otherwise the current directory will be
used.
mysql Audit a MySQL application server instance. Use the
-r option to specify the root directory of the
mysqld server. Use the -b option to specify the path
to the mysqld server binary and the -c option to
specify the configuration file otherwise default
values will be used for these 2 parameters.
sshd Audit an OpenSSH sshd-compatible application server
instance. Use the -r option to specify the root
directory of the sshd server. Use the -b option to
specify the path to the sshd server binary, and the
-c option to specify the configuration file
otherwise default values will be used for these 2
parameters.
httpd Audit an Apache httpd server instance. Use the -r
option to specify the root directory of the httpd
server. Use the -b option to specify the path to the
httpd server binary and the -c option to specify the
configuration file otherwise default values will be
used for these 2 parameters.
nginx Audit an Nginx server instance. Use the -r option to
specify the root directory of the httpd server. Use
the -b option to specify the path to the httpd
server binary and the -c option to specify the
configuration file otherwise default values will be
used for these 2 parameters.
netfx Audit a .NET Framework application. Use the --root
option to specify the root directory of the
application and the -b option to specify the
application .NET assembly.
netfx-code Audit a .NET Framework 4 code project. Use the
--root option to specify the root directory of the
solution, and the --project-name option to specify
the name of the project.
aspnet-code Audit an ASP.NET code project. Use the --root option
to specify the root directory of the solution, and
the --project-name option to specify the name of the
project.
aspnet Audit an ASP.NET application or code project
deployed to a web server. Use the --root option to
specify the root directory of the application and
the -b option to specify the application .NET
assembly.
php Audit a PHP code project. Use the --root option to
specify the root directory of the code project.
drupal8-module Audit a Drupal 8 module project. Use the --root
option to specify the root directory of the code
project and the --code-project option to specify the
Drupal 8 module name.
d, enable-debug Enable printing debug messages and other behavior
useful for debugging the program.
n, non-interactive Disable any interactive console output (for
redirecting console output to other devices.)
o, options Specify a set of comma delimited, key=value options
for an audit target. E.g. for a mvc5-app audit target
you can specify -o
package_source=mypackages.config,config_file=myapp.config
f, file For a package source, specifies the file containing
packages to be audited. For a code project,
specifies the code project file.
s, host Specifies the remote host that will be audited.
u, user Specifies the user name to login to the remote host.
p, password Specifies that a password will be entered
interactively for the user name or as a pass-phrase
for the user's private-key authentication file to
login to the remote host.
password-text Specifies the password text for the user name or
pass-phrase for the user's private-key
authentication file to login to the remote host.
k, key Specifies the private-key file for the user to login
to the remote host. Use the -p or --password-text
option to specify the pass-phrase for the file if
needed.
c, config-file Specifies the configuration file for the application
server to be audited.
r, root The root directory of the application instance to
audit.
b, application-binary The path to the application or server binary.
i, docker Run the audit on a Docker container with this name
or id.
m, project-name The name of the code project to audit.
list-packages Only list the local packages that will be audited.
list-artifacts Only list the artifacts corresponding to local
packages found on OSS Index.
list-rules Only list the configuration rules found for the
application or application server.
list-analyzers Only list the analyzers found for the code project.
skip-packages-audit Skip the package audit for applications or
application servers.
only-local-rules Only use the configuration rules for the application
or application server listed in YAML rules files.
help Display this help screen.
No audit target specified.
D:\git.vor\DevAudit>
We should have at least 10 rules each in the YAML default rules file for each application server currently supported. The security best practices should be compiled from online sources and converted to our YAML rule format.
./devaudit php --root /var/www/html/drupal8/
_____ _______ __ __ __
| \ .-----..--.--.| _ |.--.--..--| ||__|| |_
| -- || -__|| | || || | || _ || || _|
|_____/ |_____| \___/ |___|___||_____||_____||__||____|
v0.1.12.5
21:26:09<06> [HOST] [INFO] Using local directory /var/www/html/drupal8/ for code analysis.
21:26:09<06> [HOST] [STATUS] Parsing PHP source files.
Parsing PHP source files...
21:26:10<09> [HOST] [ERROR] Exception thrown attempting to read PHP file /var/www/html/drupal8/core/lib/Drupal/Component/DependencyInjection/Container.php.
Parsing PHP source files...
21:26:10<09> [HOST] [ERROR] Exception: Object reference not set to an instance of an object at at DevAudit.AuditLibrary.PHPAuditSourceUnit..ctor (DevAudit.AuditLibrary.AuditEnvironment audit_env, System.String code, System.IO.FileInfo file) [0x00085] in <b0e9c34b34e746f9bb1e6fc394f249b9>:0
at DevAudit.AuditLibrary.PHPCodeProject+<GetWorkspaceAsync>c__async0+<GetWorkspaceAsync>c__AnonStorey1.<>m__0 (System.IO.FileInfo f) [0x00022] in <b0e9c34b34e746f9bb1e6fc394f249b9>:0 .
Parsing PHP source files...
21:26:10<06> [HOST] [ERROR] Exception thrown attempting to read PHP file /var/www/html/drupal8/core/lib/Drupal/Component/Assertion/Inspector.php.
Parsing PHP source files...
21:26:10<06> [HOST] [ERROR] Exception: Object reference not set to an instance of an object at at DevAudit.AuditLibrary.PHPAuditSourceUnit..ctor (DevAudit.AuditLibrary.AuditEnvironment audit_env, System.String code, System.IO.FileInfo file) [0x00085] in <b0e9c34b34e746f9bb1e6fc394f249b9>:0
at DevAudit.AuditLibrary.PHPCodeProject+<GetWorkspaceAsync>c__async0+<GetWorkspaceAsync>c__AnonStorey1.<>m__0 (System.IO.FileInfo f) [0x00022] in <b0e9c34b34e746f9bb1e6fc394f249b9>:0 .
Parsing PHP source files...
21:26:10<01> [HOST] [ERROR] Exception throw during GetWorkspace task.
Parsing PHP source files...
21:26:10<01> [HOST] [ERROR] Exception: One or more errors occurred. at at System.Threading.Tasks.Task.ThrowIfExceptional (System.Boolean includeTaskCanceledExceptions) [0x00014] in <8f2c484307284b51944a1a13a14c0266>:0
at System.Threading.Tasks.Task.Wait (System.Int32 millisecondsTimeout, System.Threading.CancellationToken cancellationToken) [0x00052] in <8f2c484307284b51944a1a13a14c0266>:0
at System.Threading.Tasks.Task.Wait () [0x00000] in <8f2c484307284b51944a1a13a14c0266>:0
at System.Threading.Tasks.Parallel.ForWorker[TLocal] (System.Int32 fromInclusive, System.Int32 toExclusive, System.Threading.Tasks.ParallelOptions parallelOptions, System.Action`1[T] body, System.Action`2[T1,T2] bodyWithState, System.Func`4[T1,T2,T3,TResult] bodyWithLocal, System.Func`1[TResult] localInit, System.Action`1[T] localFinally) [0x00152] in <8f2c484307284b51944a1a13a14c0266>:0 .
Parsing PHP source files...Runtime error! DevAudit will now terminate.
[ERROR] FATAL UNHANDLED EXCEPTION: System.NullReferenceException: Object reference not set to an instance of an object
at DevAudit.AuditLibrary.CodeProject.Audit (System.Threading.CancellationToken ct) [0x0008c] in <b0e9c34b34e746f9bb1e6fc394f249b9>:0
at DevAudit.CommandLine.Program.Main (System.String[] args) [0x0092a] in <4bed8c378dcf4e8da87ea46f6010d80d>:0