dotnet-retire

by RetireNet

Open source vulnerability scanner for .NET Core projects

MIT License

Components

  • dotnet-retire (NuGet)
  • RetireNet.Runtimes.Middleware (NuGet)
  • RetireNet.Runtimes.BackgroundServices (NuGet)

dotnet-retire

A dotnet CLI extension to check your project for known vulnerabilities.

Install

$ dotnet tool install -g dotnet-retire

Usage

$ dotnet retire

Additional options:

Sample:

$ dotnet retire --loglevel debug

Sample output:

image

How does it work?

It fetches the packages listed in the corresponding packages repo in this GitHub organization, and checks your project's obj\project.assets.json or project.lock.json file for any match (direct or transitive).

The list of packages is kept up to date by updating that repo: when Microsoft makes an announcement, additional JSON files are added with links to the announcements from Microsoft's security team.
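The matching step described above, as an added C# example (not dotnet-retire's own code). It assumes .NET 7 or later, a hypothetical advisory set keyed "Id/Version" with exact-version matching, and constructed package names; the real format of the packages repo is not shown on this page.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;

// Constructed sample: Example.Web is referenced directly and pulls in Example.Parser.
var assets = """
{
  "targets": { "net6.0": {
    "Example.Web/1.0.0": { "type": "package", "dependencies": { "Example.Parser": "2.0.1" } },
    "Example.Parser/2.0.1": { "type": "package" } } },
  "libraries": {
    "Example.Web/1.0.0": { "type": "package" },
    "Example.Parser/2.0.1": { "type": "package" } },
  "projectFileDependencyGroups": { "net6.0": [ "Example.Web >= 1.0.0" ] }
}
""";

// Hypothetical advisory list (assumption): one "Id/Version" key per vulnerable package.
var advisories = new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "example.parser/2.0.1" };

foreach (var f in AssetsAudit.Scan(assets, advisories))
    Console.WriteLine($"{f.Library} is listed as vulnerable ({(f.Direct ? "direct" : "transitive")})");

public record Finding(string Library, bool Direct);

public static class AssetsAudit
{
    public static List<Finding> Scan(string assetsJson, ISet<string> advisories)
    {
        using var doc = JsonDocument.Parse(assetsJson);
        var root = doc.RootElement;

        // Direct references are recorded as "Package.Id >= 1.2.3"; keep only the id.
        var direct = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        if (root.TryGetProperty("projectFileDependencyGroups", out var groups))
            foreach (var group in groups.EnumerateObject())
                foreach (var entry in group.Value.EnumerateArray())
                    direct.Add(entry.GetString()!.Split(' ')[0]);

        // "libraries" is the fully resolved graph, keyed "Package.Id/1.2.3", so it
        // also lists transitive packages that never appear in the project file.
        var findings = new List<Finding>();
        foreach (var lib in root.GetProperty("libraries").EnumerateObject())
            if (advisories.Contains(lib.Name))
                findings.Add(new Finding(lib.Name, direct.Contains(lib.Name.Split('/')[0])));
        return findings;
    }
}
```

Because the lookup runs over the resolved "libraries" section rather than the project file, Example.Parser is reported even though the project only references Example.Web.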

Other projects with similar functionality:

SafeNuGet

Runs as part of the build (MSBuild target). Analyzes packages.config, does not handle transitive dependencies.

DevAudit

Standalone .NET console app that analyzes packages.config; does not handle transitive dependencies.

NuGetDefense

Works on both MSBuild and SDK style projects. Executes as an MSBuild task.

RetireNet.Runtimes.Middleware

We cannot detect the runtime of the app at build time, so to report use of vulnerable runtimes, the app itself (the host) has to provide the report.

Install

$ dotnet add package RetireNet.Runtimes.Middleware

Usage

Add it to your ASP.NET Core pipeline on your preferred path:

app.Map("/report", a => a.UseRuntimeVulnerabilityReport());

What does it do?

It will fetch the releases listed in the official metadata API provided by Microsoft, and check if your app is running on a runtime with known CVEs.

Metadata endpoint used: https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/releases-index.json

Sample output

An app running on the vulnerable 2.1.11 runtime on macOS:

{
    "isVulnerable": true,
    "appRuntimeDetails": {
        "os": "OSX",
        "osPlatform": "Darwin 18.6.0 Darwin Kernel Version 18.6.0: Thu Apr 25 23:16:27 PDT 2019; root:xnu-4903.261.4~2/RELEASE_X86_64",
        "osArchitecture": "X64",
        "osBits": "64",
        "appTargetFramework": ".NETCoreApp,Version=v2.1",
        "appRuntimeVersion": "2.1.11",
        "appBits": "64"
    },
    "securityRelease": {
        "runtimeVersion": "2.1.13",
        "cvEs": [
            {
                "cve-id": " CVE-2018-8269",
                "cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8269"
            },
            {
                "cve-id": " CVE-2019-1301",
                "cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1301"
            },
            {
                "cve-id": " CVE-2019-1302",
                "cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1302"
            }
        ]
    }
}

RetireNet.Runtimes.BackgroundServices

This is the same report as for the middleware, only logged using the configured ILogger as a WARN log statement.

Install

$ dotnet add package RetireNet.Runtimes.BackgroundServices

Usage

Register it in the container, and provide an interval in milliseconds for how often the check should run.

services.AddRetireRuntimeHostedService(c => c.CheckInterval = 60000);

What does it do?

The same as for the middleware endpoint.

Sample output

An app running on the vulnerable 2.1.11 runtime on macOS, using the ConsoleLogger:

warn: RetireNet.Runtimes.BackgroundServices.RetireRuntimeBackgroundService[0]
      Running on vulnerable runtime 2.1.11. Security release 2.1.13
