From 8db195eb8c00fe3f27a273484204fb0487fd8555 Mon Sep 17 00:00:00 2001
From: Francisco-Gamino
Date: Sat, 2 Dec 2023 22:52:00 -0800
Subject: [PATCH 1/7] Add Check-CsprojVulnerabilities.ps1 script
---
 Check-CsprojVulnerabilities.ps1 | 54 +++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 Check-CsprojVulnerabilities.ps1
diff --git a/Check-CsprojVulnerabilities.ps1 b/Check-CsprojVulnerabilities.ps1
new file mode 100644
index 00000000..ef529751
--- /dev/null
+++ b/Check-CsprojVulnerabilities.ps1
@@ -0,0 +1,54 @@
+param
+(
+ [String[]]
+ $CsprojFilePath
+)
+
+if (-not $CsprojFilePath)
+{
+ $CsprojFilePath = @(
+ "$PSScriptRoot/src/Microsoft.Azure.Functions.PowerShellWorker.csproj"
+ "$PSScriptRoot/test/Unit/Microsoft.Azure.Functions.PowerShellWorker.Test.csproj"
+ "$PSScriptRoot/test/E2E/Azure.Functions.PowerShellWorker.E2E/Azure.Functions.PowerShellWorker.E2E/Azure.Functions.PowerShellWorker.E2E.csproj"
+ )
+}
+
+$logFilePath = "$PSScriptRoot/build.log"
+
+try
+{
+ foreach ($projectFilePath in $CsprojFilePath)
+ {
+ Write-Host "Analyzing '$projectFilePath' for vulnerabilities..."
+
+ $projectFolder = Split-Path $projectFilePath
+
+ Push-Location $projectFolder
+ & { dotnet restore $projectFileName }
+ & { dotnet list $projectFilePath package --include-transitive --vulnerable } 3>&1 2>&1 > $logFilePath
+ Pop-Location
+
+ # Check and report if vulnerabilities are found
+ $report = Get-Content $logFilePath -Raw
+ $result = $report | Select-String "has no vulnerable packages given the current sources"
+
+ if ($result)
+ {
+ Write-Host "No vulnerabilities found"
+ }
+ else
+ {
+ $output = [System.Environment]::NewLine + "Vulnerabilities found!" + $report
+ Write-Host $output -ForegroundColor Red
+ Exit 1
+ }
+ Write-Host ""
+ }
+}
+finally
+{
+ if (Test-Path $logFilePath)
+ {
+ Remove-Item $logFilePath -Force
+ }
+}
From 65657e17cb19949b7c5740cf1ca2dbec99e3c32e Mon Sep 17 00:00:00 2001
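Review bot: The verdict in the `if ($result)` check depends only on whether the success string appears in the captured output, and neither `dotnet restore` nor `dotnet list package` has its exit code examined, so a failed restore, a missing SDK, an unreachable vulnerability source or a reworded CLI message all surface as "Vulnerabilities found!" instead of as a tooling error; the same two call sites are touched again by the `@@ -24,7 +24,7 @@` hunk in patch 5. Failing closed is the right default for a security gate, but the failure should be attributed correctly so that a transient feed outage is not triaged as a vulnerable dependency, and the restore output, which is not redirected into `$logFilePath` like the list step's, should be visible when restore is the thing that broke. Checking `$LASTEXITCODE` after the restore call and throwing keeps the gate closed while making the cause explicit; whether the list step also warrants an exit-code check depends on the SDK in use, since `dotnet list package --vulnerable` exit-code semantics have varied across versions, so the string match may still have to carry that step.
```powershell
        Push-Location $projectFolder
        # … unchanged: dotnet restore invocation (consider redirecting its output into $logFilePath the same way as the list step) …
        if ($LASTEXITCODE -ne 0)
        {
            throw "dotnet restore failed for '$projectFilePath' (exit code $LASTEXITCODE)"
        }
        # … unchanged: dotnet list package invocation and Pop-Location …
```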
From: Francisco-Gamino
Date: Sat, 2 Dec 2023 22:55:36 -0800
Subject: [PATCH 2/7] Add check for security vulnerabilities stage
---
 azure-pipelines.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
index 6965edc5..cb3088be 100644
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@@ -49,6 +49,9 @@ steps:
 - pwsh: ./build.ps1 -NoBuild -Bootstrap
 displayName: 'Running ./build.ps1 -NoBuild -Bootstrap'
 
+- pwsh: ./Check-CsprojVulnerabilities.ps1
+ displayName: 'Check for security vulnerabilities'
+
 - pwsh: |
 $ErrorActionPreference = "Stop"
 
From 1c1da9a4ae92f1e58232f0366a94f0bef5bff8d3 Mon Sep 17 00:00:00 2001
From: Francisco-Gamino
Date: Sat, 2 Dec 2023 22:56:21 -0800
Subject: [PATCH 3/7] Update project dependencies
---
 .../Unit/Microsoft.Azure.Functions.PowerShellWorker.Test.csproj | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/test/Unit/Microsoft.Azure.Functions.PowerShellWorker.Test.csproj b/test/Unit/Microsoft.Azure.Functions.PowerShellWorker.Test.csproj
index e5181e1d..f81bcdd8 100644
--- a/test/Unit/Microsoft.Azure.Functions.PowerShellWorker.Test.csproj
+++ b/test/Unit/Microsoft.Azure.Functions.PowerShellWorker.Test.csproj
@@ -12,6 +12,8 @@
+
+
From 0fc2e3a3268792482c3acf3f623cd0011708aad4 Mon Sep 17 00:00:00 2001
From: Francisco-Gamino
Date: Sat, 2 Dec 2023 22:58:18 -0800
Subject: [PATCH 4/7] Update project dependencies
---
 .../Azure.Functions.PowerShellWorker.E2E.csproj | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/test/E2E/Azure.Functions.PowerShellWorker.E2E/Azure.Functions.PowerShellWorker.E2E/Azure.Functions.PowerShellWorker.E2E.csproj b/test/E2E/Azure.Functions.PowerShellWorker.E2E/Azure.Functions.PowerShellWorker.E2E/Azure.Functions.PowerShellWorker.E2E.csproj
index 8b950f51..06746292 100644
--- a/test/E2E/Azure.Functions.PowerShellWorker.E2E/Azure.Functions.PowerShellWorker.E2E/Azure.Functions.PowerShellWorker.E2E.csproj
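Review bot: The new step invokes `./Check-CsprojVulnerabilities.ps1` with no `-CsprojFilePath`, so the projects that are actually scanned are only the three paths hard-coded in the script's default list in patch 1; a csproj added to the repository later sits outside the gate until someone remembers to extend that list, and nothing in the pipeline would flag the gap. Enumerating projects at run time would keep coverage in step with the tree, for example in the script's default branch `$CsprojFilePath = Get-ChildItem -Path $PSScriptRoot -Recurse -Filter *.csproj | Select-Object -ExpandProperty FullName`, or the pipeline could pass an explicit list so the gate's scope is visible next to the step. The `steps:` list this step belongs to continues outside the hunk.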
+++ b/test/E2E/Azure.Functions.PowerShellWorker.E2E/Azure.Functions.PowerShellWorker.E2E/Azure.Functions.PowerShellWorker.E2E.csproj
@@ -13,6 +13,8 @@
+
+
From f30a57c8476477ff1c792c57b8f1982ccb14ba87 Mon Sep 17 00:00:00 2001
From: Francisco-Gamino
Date: Sat, 2 Dec 2023 23:32:09 -0800
Subject: [PATCH 5/7] Update path
---
 Check-CsprojVulnerabilities.ps1 | 2 +-
 src/Properties/launchSettings.json | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 src/Properties/launchSettings.json
diff --git a/Check-CsprojVulnerabilities.ps1 b/Check-CsprojVulnerabilities.ps1
index ef529751..f1a1c2c7 100644
--- a/Check-CsprojVulnerabilities.ps1
+++ b/Check-CsprojVulnerabilities.ps1
@@ -24,7 +24,7 @@ try
 $projectFolder = Split-Path $projectFilePath
 
 Push-Location $projectFolder
- & { dotnet restore $projectFileName }
+ & { dotnet restore $projectFilePath }
 & { dotnet list $projectFilePath package --include-transitive --vulnerable } 3>&1 2>&1 > $logFilePath
 Pop-Location
 
diff --git a/src/Properties/launchSettings.json b/src/Properties/launchSettings.json
new file mode 100644
index 00000000..d4df9c23
--- /dev/null
+++ b/src/Properties/launchSettings.json
@@ -0,0 +1,8 @@
+{
+ "profiles": {
+ "Microsoft.Azure.Functions.PowerShellWorker": {
+ "commandName": "Project",
+ "commandLineArgs": "--host 127.0.0.1 --port 50821 --workerId e9efd817-47a1-45dc-9e20-e6f975d7a025 --requestId cbef5957-cdb3-4462-9ee7-ac9f91be0a51 --grpcMaxMessageLength 2147483647 --functions-uri http://127.0.0.1:50821 --functions-worker-id e9efd817-47a1-45dc-9e20-e6f975d7a025 --functions-request-id cbef5957-cdb3-4462-9ee7-ac9f91be0a51 --functions-grpc-max-message-length 2147483647"
+ }
+ }
+}
\ No newline at end of file
From 0c791e0125338323f3ce63bdd69fb4eca95022dc Mon Sep 17 00:00:00 2001
From: Francisco-Gamino
Date: Sat, 2 Dec 2023 23:37:59 -0800
Subject: [PATCH 6/7] Remove unused file
---
 src/Properties/launchSettings.json | 8 --------
 1 file changed, 8 deletions(-)
 delete mode 100644 src/Properties/launchSettings.json
diff --git a/src/Properties/launchSettings.json b/src/Properties/launchSettings.json
deleted file mode 100644
index d4df9c23..00000000
--- a/src/Properties/launchSettings.json
+++ /dev/null
@@ -1,8 +0,0 @@
-{
- "profiles": {
- "Microsoft.Azure.Functions.PowerShellWorker": {
- "commandName": "Project",
- "commandLineArgs": "--host 127.0.0.1 --port 50821 --workerId e9efd817-47a1-45dc-9e20-e6f975d7a025 --requestId cbef5957-cdb3-4462-9ee7-ac9f91be0a51 --grpcMaxMessageLength 2147483647 --functions-uri http://127.0.0.1:50821 --functions-worker-id e9efd817-47a1-45dc-9e20-e6f975d7a025 --functions-request-id cbef5957-cdb3-4462-9ee7-ac9f91be0a51 --functions-grpc-max-message-length 2147483647"
- }
- }
-}
\ No newline at end of file
From 55cd2721e0128bb3b17550a1035c38e09deecbee Mon Sep 17 00:00:00 2001
From: Francisco-Gamino
Date: Sat, 2 Dec 2023 23:54:51 -0800
Subject: [PATCH 7/7] Do not print report by default
---
 Check-CsprojVulnerabilities.ps1 | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/Check-CsprojVulnerabilities.ps1 b/Check-CsprojVulnerabilities.ps1
index f1a1c2c7..92f62cfd 100644
--- a/Check-CsprojVulnerabilities.ps1
+++ b/Check-CsprojVulnerabilities.ps1
@@ -1,7 +1,10 @@
 param
 (
 [String[]]
- $CsprojFilePath
+ $CsprojFilePath,
+
+ [switch]
+ $PrintReport
 )
 
 if (-not $CsprojFilePath)
@@ -38,7 +41,12 @@ try
 }
 else
 {
- $output = [System.Environment]::NewLine + "Vulnerabilities found!" + $report
+ $output = [System.Environment]::NewLine + "Vulnerabilities found!"
+ if ($PrintReport.IsPresent)
+ {
+ $output += $report
+ }
+
 Write-Host $output -ForegroundColor Red
 Exit 1
 }
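Review bot: With `$PrintReport` off by default and the log file deleted in the script's `finally` block, a failing run now prints only "Vulnerabilities found!" and discards the one artifact that names the affected package, the advisory and its severity; the pipeline step added in patch 2 passes no switch, so this is exactly what CI will show on a red build. Whoever triages that build then has to reproduce the scan locally to learn what failed, and because the `Select-String` check treats a tooling failure and a real finding identically, the missing report also removes the only way to tell the two apart from the pipeline log. Either pass the switch in the pipeline, `- pwsh: ./Check-CsprojVulnerabilities.ps1 -PrintReport`, or keep the quiet default but always emit the report on the failure path, since the suppression only has an effect when the check fails anyway. The `try` block this hunk edits starts and ends outside the hunk.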