A CakeBuild plugin to scan a dotnet project/solution's dependencies for vulnerabilities using Sonatype OssIndex | https://ossindex.sonatype.org/
The plugin can be used as a Cake build script plugin or as a Cake Frosting task.
- Add the plugin to your Cake script:
#addin nuget:?package=Cake.VulnerabilityScanner&version=[specify the version here]
- Add a task:
// Scans the solution's NuGet dependencies against Sonatype OSS Index.
Task("ScanPackages")
    .Does(async () =>
    {
        // The OSS Index credential is read from the environment rather than written into the script.
        var apiToken = Environment.GetEnvironmentVariable("OSS_INDEX_TOKEN");

        var scanSettings = new ScanPackagesSettings
        {
            Ecosystem = "nuget",
            // false: presumably findings are reported without failing the build — confirm against the plugin
            FailOnVulnerability = false,
            OssIndexBaseUrl = "https://ossindex.sonatype.org/",
            OssIndexToken = apiToken,
            SolutionFile = "../../Cake.VulnerabilityScanner.sln",
            Verbosity = Microsoft.Extensions.Logging.LogLevel.Debug
        };

        await ScanPackagesAsync(scanSettings, System.Threading.CancellationToken.None);
    });
- Install the package:
dotnet add package Cake.VulnerabilityScanner --version 0.3.0
- Add the task as follows:
/// <summary>
/// Cake Frosting task that scans the solution's NuGet dependencies against Sonatype OSS Index.
/// </summary>
[TaskName("scan pacakges")]
public sealed class ScanPackagesTask : AsyncFrostingTask<FrostingContext>
{
    /// <summary>
    /// Runs the dependency scan. With <c>FailOnVulnerability</c> set to <c>true</c> the task is
    /// presumably meant to fail the build when a vulnerable package is reported — confirm against the plugin.
    /// </summary>
    /// <param name="context">The Frosting build context supplying the environment and the scan extension method.</param>
    public override async Task RunAsync(FrostingContext context)
    {
        // OSS Index credential (base64 username:password), supplied through the environment so it is never committed.
        var apiToken = context.Environment.GetEnvironmentVariable("OSS_INDEX_TOKEN");

        var scanSettings = new ScanPackagesSettings
        {
            Ecosystem = "nuget",
            FailOnVulnerability = true,
            OssIndexBaseUrl = "https://ossindex.sonatype.org/",
            OssIndexToken = apiToken,
            SolutionFile = "../../../../../Cake.VulnerabilityScanner.sln",
            Verbosity = Microsoft.Extensions.Logging.LogLevel.Debug
        };

        await context.ScanPackagesAsync(scanSettings, CancellationToken.None);
    }
}
This project is licensed under the MIT License - see the LICENSE file for details.