From 23cec0eff4fb370c9341e5a0634e66f876a330ea Mon Sep 17 00:00:00 2001
From: Francisco Gamino
Date: Fri, 8 Dec 2023 22:50:26 -0800
Subject: [PATCH] Updating build to check for vulnerabilities (#1026)
* Add Check-CsprojVulnerabilities.ps1 script
* Do not print report by default
* Add check for security vulnerabilities stage in the pipeline
* Update test projects dependencies
---
Check-CsprojVulnerabilities.ps1 | 62 +++++++++++++++++++
azure-pipelines.yml | 3 +
...zure.Functions.PowerShellWorker.E2E.csproj | 2 +
...ure.Functions.PowerShellWorker.Test.csproj | 2 +
4 files changed, 69 insertions(+)
create mode 100644 Check-CsprojVulnerabilities.ps1
diff --git a/Check-CsprojVulnerabilities.ps1 b/Check-CsprojVulnerabilities.ps1
new file mode 100644
index 00000000..92f62cfd
--- /dev/null
+++ b/Check-CsprojVulnerabilities.ps1
@@ -0,0 +1,62 @@
+param
+(
+ [String[]]
+ $CsprojFilePath,
+
+ [switch]
+ $PrintReport
+)
+
+if (-not $CsprojFilePath)
+{
+ $CsprojFilePath = @(
+ "$PSScriptRoot/src/Microsoft.Azure.Functions.PowerShellWorker.csproj"
+ "$PSScriptRoot/test/Unit/Microsoft.Azure.Functions.PowerShellWorker.Test.csproj"
+ "$PSScriptRoot/test/E2E/Azure.Functions.PowerShellWorker.E2E/Azure.Functions.PowerShellWorker.E2E/Azure.Functions.PowerShellWorker.E2E.csproj"
+ )
+}
+
+$logFilePath = "$PSScriptRoot/build.log"
+
+try
+{
+ foreach ($projectFilePath in $CsprojFilePath)
+ {
+ Write-Host "Analyzing '$projectFilePath' for vulnerabilities..."
+
+ $projectFolder = Split-Path $projectFilePath
+
+ Push-Location $projectFolder
+ & { dotnet restore $projectFilePath }
+ & { dotnet list $projectFilePath package --include-transitive --vulnerable } 3>&1 2>&1 > $logFilePath
+ Pop-Location
+
+ # Check and report if vulnerabilities are found
+ $report = Get-Content $logFilePath -Raw
+ $result = $report | Select-String "has no vulnerable packages given the current sources"
+
+ if ($result)
+ {
+ Write-Host "No vulnerabilities found"
+ }
+ else
+ {
+ $output = [System.Environment]::NewLine + "Vulnerabilities found!"
+ if ($PrintReport.IsPresent)
+ {
+ $output += $report
+ }
+
+ Write-Host $output -ForegroundColor Red
+ Exit 1
+ }
+ Write-Host ""
+ }
+}
+finally
+{
+ if (Test-Path $logFilePath)
+ {
+ Remove-Item $logFilePath -Force
+ }
+}
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
index b99e357d..23de901c 100644
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@@ -49,6 +49,9 @@ steps:
 - pwsh: ./build.ps1 -NoBuild -Bootstrap
 displayName: 'Running ./build.ps1 -NoBuild -Bootstrap'
+- pwsh: ./Check-CsprojVulnerabilities.ps1
+ displayName: 'Check for security vulnerabilities'
+
 - pwsh: |
 $ErrorActionPreference = "Stop"
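Review bot: The exit status of `dotnet restore` and `dotnet list package --vulnerable` is never checked, so a tooling failure (restore error, vulnerability data source unreachable, changed output wording) also lacks the "has no vulnerable packages given the current sources" line and is reported as "Vulnerabilities found!", while the log is removed in `finally` and the report is not printed by default, so the CI failure carries nothing to tell a real finding from a broken check. Failing closed is the right default, but the two cases should be distinguishable: after `$report = Get-Content $logFilePath -Raw`, add `if ($LASTEXITCODE -ne 0) { Write-Host "dotnet list package failed (exit code $LASTEXITCODE)" -ForegroundColor Red; Write-Host $report; Exit 1 }`, and guard the `dotnet restore` call the same way. The match on a fixed English sentence is also fragile across SDK versions and locales; a comment above the `Select-String` line stating that a non-match is treated as a finding on purpose would make the intent explicit. Separately, `Pop-Location` is skipped if anything between it and `Push-Location` throws, so the caller's location is not restored in that path; moving it into the `finally` would close that gap.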
diff --git a/test/E2E/Azure.Functions.PowerShellWorker.E2E/Azure.Functions.PowerShellWorker.E2E/Azure.Functions.PowerShellWorker.E2E.csproj b/test/E2E/Azure.Functions.PowerShellWorker.E2E/Azure.Functions.PowerShellWorker.E2E/Azure.Functions.PowerShellWorker.E2E.csproj index 1d53e976..8c12b05e 100644 --- a/test/E2E/Azure.Functions.PowerShellWorker.E2E/Azure.Functions.PowerShellWorker.E2E/Azure.Functions.PowerShellWorker.E2E.csproj +++ b/test/E2E/Azure.Functions.PowerShellWorker.E2E/Azure.Functions.PowerShellWorker.E2E/Azure.Functions.PowerShellWorker.E2E.csproj @@ -13,6 +13,8 @@ + + diff --git a/test/Unit/Microsoft.Azure.Functions.PowerShellWorker.Test.csproj b/test/Unit/Microsoft.Azure.Functions.PowerShellWorker.Test.csproj index 91f02e63..26f5e9d0 100644 --- a/test/Unit/Microsoft.Azure.Functions.PowerShellWorker.Test.csproj +++ b/test/Unit/Microsoft.Azure.Functions.PowerShellWorker.Test.csproj @@ -11,6 +11,8 @@ + +