Blog by Ben Clark-Robinson

15 Sep 2017

Scanning NuGet packages and NPM for vulnerabilities

During an internal development discussion we identified the trust we put into external NuGet and NPM packages, this lead to implementing NuGet scanning using DevAudit and AuditJs.

Regarding automated scanning we’re currently we’re using Visual Studio Team Services (VSTS) hosted build agents which do not allow for custom applications to be installed. If you’re using a self-hosted VSTS build agent you will be able to automate this at build time.

Previously I tried out OWASP SafeNuGet and found that the results were not as comprehensive as DevAudit.

1. DevAudit (NuGet)

DevAudit offers a lot of fuctionality, my use-case is only for NuGet scanning (for now). I used Chocolatey to install:

choco install devaudit
refreshenv
cd <path-with-package.config>
devaudit nuget -note-non-interact > devaudit-nuget-projectname.txt

A sample of the result from NuGet scan:

...
[35/49] Microsoft.AspNet.WebPages (3.2.3) no known vulnerabilities. 
[36/49] jQuery (1.10.2) Error determining vulnerability version range (>=1.4.0 <=1.11.3) | (>=1.12.4 <3.0.0-beta1) in package version range 1.10.2: Parsing failure: unexpected '('; expected <= or >= or < or > or = or ~ or digit (Line 1, Column 1); recently consumed: .
[VULNERABLE]
7 known vulnerabilities, 2 affecting installed version. 
...

2. AuditJS (NPM)

cd <path-with-package.json>
npm install auditjs -g
auditjs-win > auditjs-npm-projectname.txt

A sample of the result from AuditJs

...
[2/702] @types/draft-js 0.10.12   No known vulnerabilities...
[3/702] immutable 3.8.1   No known vulnerabilities...
...

Hopefully if you’re reading this you’re taking a proactive approach and for that I congratulate you.

Happy scanning :)

14 Sep 2017

Scanning NuGet packages for vulnerabilities

During an internal development discussion we identified the trust we put into external NuGet packages this lead to implementing automated NuGet scanning using the OWASP SafeNuGet package¹.

This option allows developers to be advised early of issues or at build time in the build server (in our case VSTS).

Here’s how to set it up:

1. Add SafeNuGet package

From Visual Studio click the Tools > NuGet Package Manager > Package Manager Console menu item.

Install-Package SafeNuGet

Or if you have multiple projects:

Get-Project -All | Install-Package SafeNuGet

2. Analysis of Packages

By default the build will fail if an issue was found otherwise you can can find the following in the Build Output pane of Visual Studio:

Using cached list of unsafe packages
No vulnerable packages found

3. Options

If you’d prefer to not break the build you can configure the tool by editing the ./packages/SafeNuGet.<version>/build/SafeNuGet.targets file and set the DontBreakBuild option to true.

¹ Update 14/Sep/2017 After testing this process further I’m not 100% happy with it as it is not triggering on known vulnerable NuGet packages (such as older JQuery packages). In my next post I investigate DevAudit and AuditJs.

21 Aug 2017

Migrating from TFS to git (VSTS)

The git-tfs project has some excellent documentation and step-by-step guides to migrate from TFS to git, I recommend you read here for more detail https://github.com/git-tfs/git-tfs

In summary here’s the steps I used via the Windows 10 command line:

Peek into the branches available:

git tfs list-remote-branches https://<site:port>/tfs/<projectCollection>

If your TFS repo doesn’t use branches you can use:

git tfs clone https://<site:port>/tfs/<projectCollection> $/<project> .

Otherwise if you want all the branches:

git tfs clone https://<site:port>/tfs/<projectCollection> $/<project> . --branches=all

This creates a local git repo from TFS.

From VSTS create a project or a new repo. Do not set a .gitignore file via the UI.

Push to the server

git remote add origin <url>
git push -u origin master
or
git push --all origin

Batch file template

@echo off
@setlocal

set serverpath=https://site/tfs/project
set tfsproject="$/projectname"
set repo="projectname"

git tfs list-remote-branches %serverpath%

if [%tfsproject%] == [] GOTO EXIT
if [%repo%] == [] GOTO EXIT

echo *** Cloning ***
if not exist %repo% mkdir %repo%
echo git tfs clone %serverpath% %tfsproject% %repo% --branches=all
git tfs clone %serverpath% %tfsproject% %repo% --branches=all
GOTO EXIT

:EXITEMPTY
echo tfsproject or repo variables are empty. Stopping here.

:EXIT

Removing NuGet packages from history

git filter-branch --tree-filter 'rm -rf packages' --prune-empty HEAD
git for-each-ref --format="%(refname)" refs/original/ | xargs -n 1 git update-ref -d
echo packages/ >> .gitignore
git add .gitignore
git commit -m 'Removing packages from git history'
git gc
git push origin master --force

03 Jun 2015

TeamCity Slack Notifier

We’re currently playing with slowly adopting Slack in our R&D department developers quickly raised a request to have TeamCity pump build failures into a Slack channel. Like this…

24 May 2015

Migrating from Wordpress to Github Pages

This blog was recently running on a self-hosted Wordpress site and found myself dispirited by the user experience of Wordpress. For all its flexibilty and functionality I would find myself shying away from blogging for the following reasons:

• The tools for writing and editing posts - although always improving - compare poorly to my favourite text editor(s),
• Maintaining security updates and plugins is such a constant frustration,
• All those posts aren’t in any form of source control but instead a MySQL database that needs a backup strategy,
• Wordpress was missing the fun factor.