Merging #111

DevAudit.AuditLibrary/DevAudit.AuditLibrary.csproj

@@ -41,6 +41,9 @@
     <CodeAnalysisRuleSet>MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
   </PropertyGroup>
   <ItemGroup>
+    <Reference Include="Newtonsoft.Json, Version=12.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed, processorArchitecture=MSIL">
+      <HintPath>..\packages\Newtonsoft.Json.12.0.2\lib\net45\Newtonsoft.Json.dll</HintPath>
+    </Reference>
     <Reference Include="Sprache, Version=2.0.0.51, Culture=neutral, processorArchitecture=MSIL">
       <HintPath>..\packages\Sprache.2.0.0.51\lib\portable-net4+netcore45+win8+wp8+sl5+MonoAndroid+Xamarin.iOS10+MonoTouch\Sprache.dll</HintPath>
       <Private>True</Private>
@@ -64,10 +67,6 @@
       <HintPath>..\packages\Naos.WinRM.1.0.45\lib\net45\Naos.WinRM.dll</HintPath>
       <Private>True</Private>
     </Reference>
-    <Reference Include="Newtonsoft.Json, Version=10.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed, processorArchitecture=MSIL">
-      <HintPath>..\packages\Newtonsoft.Json.10.0.3\lib\net45\Newtonsoft.Json.dll</HintPath>
-      <Private>True</Private>
-    </Reference>
     <Reference Include="NGitLab, Version=2.0.0.0, Culture=neutral, processorArchitecture=MSIL">
       <HintPath>..\packages\NGitLab.2.0.0-beta-0065\lib\net45\NGitLab.dll</HintPath>
       <Private>True</Private>
@@ -225,6 +224,7 @@
     <Compile Include="DataSources\OSSIndex3\OSSIndexApiv3Query.cs" />
     <Compile Include="DataSources\OSSIndex3\PackageURL\MalformedPackageUrlException.cs" />
     <Compile Include="DataSources\OSSIndex3\PackageURL\PackageURL.cs" />
+    <Compile Include="Serializers\PackageSourceSerializer.cs" />
     <Compile Include="DataSources\Vulnersdotcom\Models\VulnersAuditQuery.cs" />
     <Compile Include="DataSources\Vulnersdotcom\Models\VulnersAuditResult.cs" />
     <Compile Include="DataSources\Vulnersdotcom\Models\VulnersIdSearchResult.cs" />

DevAudit.AuditLibrary/Serializers/PackageSourceSerializer.cs

@@ -0,0 +1,46 @@
+using Newtonsoft.Json;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace DevAudit.AuditLibrary
+{
+    public class PackageSourceSerializer : JsonConverter
+    {
+        public override void WriteJson(JsonWriter writer, object value, JsonSerializer serializer)
+        {
+            PackageSource val = (PackageSource)value;
+
+            writer.WriteStartObject();
+            writer.WritePropertyName("Packages Audited");
+            serializer.Serialize(writer, val.Vulnerabilities.Values.Count());
+            writer.WritePropertyName("Vulnerabilities Found");
+            int total_vulnerabilities = val.Vulnerabilities.Sum(v => v.Value != null ? v.Value.Count(pv => pv.PackageVersionIsInRange) : 0);
+            serializer.Serialize(writer, total_vulnerabilities);
+            writer.WritePropertyName("Packages");
+            writer.WriteStartArray();
+            foreach (var vul in val.Vulnerabilities)
+            {
+                writer.WriteStartObject();
+                writer.WritePropertyName("Package");
+                serializer.Serialize(writer, vul.Key);
+                writer.WritePropertyName("Vulnerabilities");
+                serializer.Serialize(writer, vul.Value);
+                writer.WriteEndObject();
+            }
+            writer.WriteEndObject();
+        }
+
+        public override object ReadJson(JsonReader reader, Type objectType, object existingValue, JsonSerializer serializer)
+        {
+            throw new NotImplementedException();
+        }
+
+        public override bool CanConvert(Type objectType)
+        {
+            return typeof(PackageSource).IsAssignableFrom(objectType);
+        }
+    }
+}

DevAudit.AuditLibrary/Targets/PackageSource.cs

@@ -13,9 +13,12 @@
 using Sprache;
 using Versatile;
 using Alpheus.IO;
+using Newtonsoft.Json;
 
 namespace DevAudit.AuditLibrary
 {
+
+    [JsonConverter(typeof(PackageSourceSerializer))]
     public abstract class PackageSource : AuditTarget
     {
         #region Constructors

DevAudit.AuditLibrary/app.config

@@ -20,7 +20,7 @@
       </dependentAssembly>
       <dependentAssembly>
         <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-10.0.0.0" newVersion="10.0.0.0" />
+        <bindingRedirect oldVersion="0.0.0.0-12.0.0.0" newVersion="12.0.0.0" />
       </dependentAssembly>
     </assemblyBinding>
   </runtime>

DevAudit.AuditLibrary/packages.config

@@ -7,7 +7,7 @@
   <package id="Microsoft.Composition" version="1.0.27" targetFramework="net461" />
   <package id="Naos.External.MS-WinRM" version="1.0.0.1" targetFramework="net461" />
   <package id="Naos.WinRM" version="1.0.45" targetFramework="net461" />
-  <package id="Newtonsoft.Json" version="10.0.3" targetFramework="net461" />
+  <package id="Newtonsoft.Json" version="12.0.2" targetFramework="net461" />
   <package id="NGitLab" version="2.0.0-beta-0065" targetFramework="net461" />
   <package id="Octokit" version="0.24.0" targetFramework="net461" />
   <package id="RestSharp" version="105.2.3" targetFramework="net461" />

DevAudit.CommandLine/DevAudit.CommandLine.csproj

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="14.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
-    <PropertyGroup>
+  <PropertyGroup>
     <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
     <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
     <ProjectGuid>{86EE75FC-D05D-42BC-B2C2-B80CF3734332}</ProjectGuid>
@@ -52,6 +52,9 @@
       <HintPath>..\packages\CommandLineParser.1.9.71\lib\net45\CommandLine.dll</HintPath>
       <Private>True</Private>
     </Reference>
+    <Reference Include="Newtonsoft.Json, Version=12.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed, processorArchitecture=MSIL">
+      <HintPath>..\packages\Newtonsoft.Json.12.0.2\lib\net45\Newtonsoft.Json.dll</HintPath>
+    </Reference>
     <Reference Include="System" />
     <Reference Include="System.Core" />
     <Reference Include="System.Drawing" />

DevAudit.CommandLine/Options.cs

@@ -123,6 +123,9 @@ class Options
         [Option("https-proxy", Required = false, HelpText = "Use the specified Url as the proxy for HTTPS calls made to the OSS Index API.")]
         public string HttpsProxy { get; set; }
 
+        [Option("output-file", Required = false, HelpText = "Path to the output file.")]
+        public string OutputFile { get; set; }
+
         [Option("ignore-https-cert-errors", Required = false, HelpText = "Ignore certain certificate errors for HTTPS requests. This is useful for testing but is extremely insecure and should never be used in production.")]
         public bool IgnoreHttpsCertErrors { get; set; }
 

DevAudit.CommandLine/Program.cs

@@ -2,14 +2,13 @@
 using System.Reflection;
 using System.Collections.Generic;
 using System.Diagnostics;
-using System.Drawing;
 using System.IO;
 using System.Linq;
 using System.Net;
 using System.Security;
 using System.Text;
 using System.Threading;
-using System.Threading.Tasks;
+using Newtonsoft.Json;
 
 using CL = CommandLine; //Avoid type name conflict with external CommandLine library
 using CC = Colorful; //Avoid type name conflict with System Console class
@@ -812,6 +811,13 @@ static int PrintPackageSourceAuditResults(AuditTarget.AuditResult ar, out AuditT
                     return 0;
                 }
             }
+
+            if (!string.IsNullOrEmpty(ProgramOptions.OutputFile))
+            {
+                Console.WriteLine("In Here");
+                File.WriteAllText(ProgramOptions.OutputFile, JsonConvert.SerializeObject(Source));
+            }
+
             int total_vulnerabilities = Source.Vulnerabilities.Sum(v => v.Value != null ? v.Value.Count(pv => pv.PackageVersionIsInRange) : 0);
             PrintMessageLine(ConsoleColor.White, "\nPackage Source Audit Results\n============================");
             PrintMessageLine(ConsoleColor.White, "{0} total vulnerabilit{3} found in {1} package source audit. Total time for audit: {2} ms.\n", total_vulnerabilities, Source.PackageManagerLabel, Stopwatch.ElapsedMilliseconds, total_vulnerabilities == 0 || total_vulnerabilities > 1 ? "ies" : "y");

DevAudit.CommandLine/app.config

@@ -20,7 +20,7 @@
       </dependentAssembly>
       <dependentAssembly>
         <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-10.0.0.0" newVersion="10.0.0.0" />
+        <bindingRedirect oldVersion="0.0.0.0-12.0.0.0" newVersion="12.0.0.0" />
       </dependentAssembly>
     </assemblyBinding>
   </runtime>

DevAudit.CommandLine/packages.config

@@ -2,4 +2,5 @@
 <packages>
   <package id="Colorful.Console" version="2.0.0.1" targetFramework="net461" />
   <package id="CommandLineParser" version="1.9.71" targetFramework="net46" />
+  <package id="Newtonsoft.Json" version="12.0.2" targetFramework="net461" />
 </packages>

DevAudit.Tests.VMRequired/app.config

@@ -4,7 +4,7 @@
     <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
       <dependentAssembly>
         <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-10.0.0.0" newVersion="10.0.0.0" />
+        <bindingRedirect oldVersion="0.0.0.0-12.0.0.0" newVersion="12.0.0.0" />
       </dependentAssembly>
     </assemblyBinding>
   </runtime>

DevAudit.Tests/app.config

@@ -4,7 +4,7 @@
     <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
       <dependentAssembly>
         <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />
-        <bindingRedirect oldVersion="0.0.0.0-10.0.0.0" newVersion="10.0.0.0" />
+        <bindingRedirect oldVersion="0.0.0.0-12.0.0.0" newVersion="12.0.0.0" />
       </dependentAssembly>
     </assemblyBinding>
   </runtime>

README.md

@@ -1,3 +1,7 @@
+
+**Note**: The 3.x release uses the new 3.x OSS Index database, which has some rate limiting. If you notice you are hitting the limit please raise an issue. Authenticated users get a higher limit, and we am implementing authentication into DevAudit soon. Most non-authenticated users probably won't notice the limit for many use cases. It usually kicks in only in much larger projects or higher project volumes.
+
+
 # DevAudit: Development Auditing
 Get the latest release from the [releases](https://github.com/OSSIndex/DevAudit/releases) page.
 
@@ -190,13 +194,13 @@ Package sources tagged [Experimental] are only available in the master branch of
 - `aspnet` Do an application audit on a ASP.NET application. The relevant options are:
 	- `-r --root-directory` Specify the root directory of the application. This is just the top-level application directory that contains files like Global.asax and Web.config.
 	- `-b --application-binary` Specify the application binary. The is the .NET assembly that contains the application's .NET bytecode. This file is usually a .DLL and located in the bin sub-folder of the ASP.NET application root directory.
-	- `-c --configuration-file` or `-o AppConfig=configuration-file` Specifies the ASP.NET application configuration file. This file is usually named Web.config and located in the application root directory. You can override the default @Web.config value with this option.
+	- `--config-file` or `-o AppConfig=configuration-file` Specifies the ASP.NET application configuration file. This file is usually named Web.config and located in the application root directory. You can override the default @Web.config value with this option.
 	- `-o AppDevMode=enabled` Specifies that application development mode should be enabled for the audit. This mode can be used when auditing an application that is under development. Certain configuration rules that are tagged as disabled for AppDevMode (e.g running the application in ASP.NET debug mode) will not be enabled during the audit.
 
 - `netfx` Do an application audit on a .NET application. The relevant options are:
 	- `-r --root-directory` Specify the root directory of the application. This is just the top-level application directory that contains files like App.config.
 	- `-b --application-binary` Specify the application binary. The is the .NET assembly that contains the application's .NET bytecode. This file is usually a .DLL and located in the bin sub-folder of the ASP.NET application root directory.
-	- `-c --configuration-file` or `-o AppConfig=configuration-file` Specifies the .NET application configuration file. This file is usually named App.config and located in the application root directory. You can override the default @App.config value with this option.
+	- `--config-file` or `-o AppConfig=configuration-file` Specifies the .NET application configuration file. This file is usually named App.config and located in the application root directory. You can override the default @App.config value with this option.
 	- `-o GendarmeRules=RuleLibrary` Specifies that the [Gendarme](http://www.mono-project.com/docs/tools+libraries/tools/gendarme/) static analyzer should enabled for the audit with rules from the specified rules library used. For example: 
 	`devaudit netfx -r /home/allisterb/vbot-debian/vbot.core -b @bin/Debug/vbot.core.dll --skip-packages-audit -o GendarmeRules=Gendarme.Rules.Naming`
 	will run the Gendarme static analyzer on the vbot.core.dll assembly using rules from Gendarme.Rules.Naming library. 	The complete list of rules libraries is (taken from the Gendarme wiki):
@@ -247,12 +251,12 @@ All applications also support the following common options for auditing the appl
 - `pgsql` Do an application server audit on a PostgreSQL server.
 
 This is an example command line for an application server audit:
-`./devaudit httpd -i httpd-2.2 -r /usr/local/apache2/ -c @conf/httpd.conf -b @bin/httpd`
+`./devaudit httpd -i httpd-2.2 -r /usr/local/apache2/ --config-file @conf/httpd.conf -b @bin/httpd`
 which audits an Apache Httpd server running on a Docker container named httpd-2.2.
 
 The following are audit options common to all application servers:
 - `-r --root-directory` Specifies the root directory of the server. This is just the top-level of your server filesystem and defaults to `/` unless you want a different server root. 
-- `-c --configuration-file` Specifies the server configuration file. e.g in the above audit the Apache configuration file is located at `/usr/local/apache2/conf/httpd.conf`. If you don't specify the configuration file DevAudit will attempt to auto-detect the configuration file for the server selected.
+- `--config-file` Specifies the server configuration file. e.g in the above audit the Apache configuration file is located at `/usr/local/apache2/conf/httpd.conf`. If you don't specify the configuration file DevAudit will attempt to auto-detect the configuration file for the server selected.
 - `-b --application-binary` Specifies the server binary. e.g in the above audit the Apache binary is located at `/usr/local/apache2/bin/httpd`. If you don't specify the binary path DevAudit will attempt to auto-detect the server binary for the server selected.
 
 Application servers also support the following common options for auditing the server modules or plugins:
@@ -310,8 +314,8 @@ The GitHub audit environment allows audits to be performed directly on a GitHub
 
 `PATH` Specifies the branch of the project to connect to
 
-You can use the `-r`, `-c`, and `-f` options as usual to specify the path to file-system files and directories required for the audit. e.g the following commad:
-`devaudit aspnet -g "Owner=Dnnsoftware,Name=Dnn.Platforn,Branch=Release/9.0.2" -r /Website -c@web.config`
+You can use the `-r`, `--config-file`, and `-f` options as usual to specify the path to file-system files and directories required for the audit. e.g the following commad:
+`devaudit aspnet -g "Owner=Dnnsoftware,Name=Dnn.Platforn,Branch=Release/9.0.2" -r /Website --config-file @web.config`
 will do an ASP.NET audit on this repository https://github.com/dnnsoftware/Dnn.Platform/ using the `/Website` source folder as the root directory and the `web.config` file as the ASP.NET configuration file. Note that filenames are case-sensitive in most environments.  
 
 ![Screenshot of a GitHub project audit](https://cdn-images-1.medium.com/max/800/1*Uj0WBK9RlS8YvN0qW-IFZQ.png)
@@ -340,7 +344,7 @@ You must mount any directories on the Docker host machine that DevAudit needs to
 
 will allow the DevAudit Docker container to audit the local directory /home/allisterb/vbot-debian/vbot.core. You _must_ mount your local root in this way to audit _other_ Docker containers from the DevAudit container e.g. 
 
-`docker run -i -t -v /:/hostroot:ro ossindex/devaudit mysql -i myapp1 -r / -c /etc/my.cnf --skip-packages-audit`
+`docker run -i -t -v /:/hostroot:ro ossindex/devaudit mysql -i myapp1 -r / --config-file /etc/my.cnf --skip-packages-audit`
 
 will run a MySQL audit on a Docker container named `myapp1` from the `ossindex/devaudit` container.
 

azure-pipelines.yml

@@ -1,38 +1,38 @@
-# .NET Desktop
-# https://docs.microsoft.com/azure/devops/pipelines/apps/windows/dot-net
-
-name: Dev.$(Date:yyyyMMdd).$(Rev:.r)
-
-variables:
-  solution: 'DevAudit.sln'
-  buildPlatform: 'Any CPU'
-  buildConfiguration: 'RuntimeDebug'
-
-jobs:
-- job: Windows
-  pool:
-    vmImage: 'VS2017-Win2016'
-  steps:
-  - task: NuGetToolInstaller@0
-  - task: NuGetCommand@2
-    inputs:
-      restoreSolution: '$(solution)'
-      feedsToUse: 'config'
-      nugetConfigPath: 'NuGet.Config'
-
-  - task: VSBuild@1
-    inputs:
-      solution: '$(solution)'
-      platform: '$(buildPlatform)'
-      configuration: '$(buildConfiguration)'
-
-  - task: VSTest@2
-    inputs:
-      testAssemblyVer2: '$(Build.SourcesDirectory)/DevAudit.Tests/bin/Debug/DevAudit.Tests.dll'
-
-- job: Linux
-  pool:
-    vmImage: 'ubuntu-16.04'
-  steps:
-  - script: $(Build.SourcesDirectory)/build.sh
+# .NET Desktop
+# https://docs.microsoft.com/azure/devops/pipelines/apps/windows/dot-net
+
+name: Dev.$(Date:yyyyMMdd).$(Rev:.r)
+
+variables:
+  solution: 'DevAudit.sln'
+  buildPlatform: 'Any CPU'
+  buildConfiguration: 'RuntimeDebug'
+
+jobs:
+- job: Windows
+  pool:
+    vmImage: 'VS2017-Win2016'
+  steps:
+  - task: NuGetToolInstaller@0
+  - task: NuGetCommand@2
+    inputs:
+      restoreSolution: '$(solution)'
+      feedsToUse: 'config'
+      nugetConfigPath: 'NuGet.Config'
+
+  - task: VSBuild@1
+    inputs:
+      solution: '$(solution)'
+      platform: '$(buildPlatform)'
+      configuration: '$(buildConfiguration)'
+
+  - task: VSTest@2
+    inputs:
+      testAssemblyVer2: '$(Build.SourcesDirectory)/DevAudit.Tests/bin/Debug/DevAudit.Tests.dll'
+
+- job: Linux
+  pool:
+    vmImage: 'ubuntu-16.04'
+  steps:
+  - script: $(Build.SourcesDirectory)/build.sh