Comments (9)
I can see the issue. I just don't know how to correct it. It appears to be a problem in the Versatile library which is pulled in and used to parse the versions.
- in the case of 5.0.0.rc4.0, it is interpreting the last period as part of the version
- in the case of 1.0.0-rc-00260, it can't interpret the multiple hyphens.
I am adding these findings to issues in the https://github.com/allisterb/Versatile repo.
from devaudit.
Sorry for the delay, and thanks for the help! We have been dealing with a bit of a backlog, and will try to resolve this issue shortly. Thanks for helping with the root cause, that will surely help speed things up!
from devaudit.
Hi, I created a pull request on the allisterb/Versatile repo to fix the 2nd case with multiple dashes.
I saw that the public version of Versatile is much older (0.1.14) than the version available in NuGet (0.2.6), but I expect that the fixes will also be applicable to the latest version of Versatile for someone who has that code.
from devaudit.
Thanks for this. I have finally managed to get back into working on the project. I will figure out where this newer version resides and get it patched and merged in. Sorry again for all the delays. We are currently without a full-time maintainer, but are working hard on getting that resolved. The chaos caused by Covid has made things a bit more complicated than before :|
from devaudit.
I suspect that the code in GitHub just has not had the version incremented, as it was last updated in March 2019 and the 0.2.6 NuGet release was on April 1st, 2019.
I made a fork and will merge your code in there and draft a release using that code. We can see how that works.
from devaudit.
I have linked an unreleased build of DevAudit here. It has an embedded Versatile library with your changes to it. The code is directly from Versatile master with your changes merged on top, as I think the version numbering is handled by an Azure DevOps build and the code just doesn't update accordingly.
If you could give this a check and see if it resolves your problem that would be swell. If it doesn't work then I will finish getting a working reproduction of your bug and try and go further.
from devaudit.
Thanks for the update. I can confirm that your version 3.4.1.0 no longer crashed on a project containing at least one package with a complex version number (multiple dashes and dots at the end, for example 1.0.0-rc-00260.23).
Unfortunately my/our patch does not fix the issue reported by aidansteele for netcore parsing of csproj.
Update:
My patch consisted of a fix for an issue in a dependent library (Versatile) that parses NuGet library versions. I did not realize that for netcore the versions are parsed in a different way.
from devaudit.
Please update the Chocolatey build to version 3.4.1.0, so that we can use this fix in our projects.
from devaudit.
I (still) have the same issue with the linked version v3.4.1.0 on a scan for netcore:
One or more errors occurred. Inner Exception: '1.0.0.beta2.0' is not a valid version string.
from devaudit.
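Added example, not part of the thread and not DevAudit's or Versatile's code: a lenient version parser in Python that accepts the version strings quoted above and returns `None` for anything else, so an auditor can report an unparsed package instead of aborting the scan. The grammar and the names `parse_version`, `sort_key` and `triage` are assumptions made for this sketch.

```python
import re

# Constructed grammar (an assumption, not NuGet's or Versatile's own):
# 1-4 numeric parts, then a pre-release label after '-' or, leniently,
# after '.' when it starts with a letter; optional '+build' is ignored.
_VERSION = re.compile(
    r"^(\d+(?:\.\d+){0,3})"
    r"(?:-([0-9A-Za-z][0-9A-Za-z.-]*)|\.([A-Za-z][0-9A-Za-z.-]*))?"
    r"(?:\+[0-9A-Za-z.-]+)?$",
    re.ASCII,
)

def parse_version(text):
    """Return (core, prerelease) or None; never raises on bad input."""
    m = _VERSION.match(text.strip())
    if m is None:
        return None
    core = tuple(int(p) for p in m.group(1).split("."))
    core += (0,) * (4 - len(core))          # pad 1.0.0 to (1, 0, 0, 0)
    return core, m.group(2) or m.group(3)

def sort_key(parsed):
    """Order a parsed version; a pre-release sorts before its release."""
    core, pre = parsed
    if pre is None:
        return (core, 1, ())
    ids = tuple((0, int(i), "") if i.isdigit() else (1, 0, i.lower())
                for i in re.split(r"[.-]", pre))
    return (core, 0, ids)

def triage(version_strings):
    """Split input into parsed versions and strings to report as unparsed,
    so one odd version cannot abort the whole scan."""
    parsed, unparsed = {}, []
    for s in version_strings:
        v = parse_version(s)
        if v is None:
            unparsed.append(s)
        else:
            parsed[s] = v
    return parsed, unparsed

# Version strings quoted in the thread, plus one constructed bad value.
SAMPLES = ["5.0.0.rc4.0", "1.0.0-rc-00260", "1.0.0-rc-00260.23",
           "1.0.0.beta2.0", "3.4.1.0", "not a version"]

if __name__ == "__main__":
    ok, bad = triage(SAMPLES)
    for s in sorted(ok, key=lambda k: sort_key(ok[k])):
        print(s, ok[s])
    print("unparsed:", bad)
```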