Blog by Ben Clark-Robinson

  • During an internal development discussion we identified how much trust we put into external NuGet and NPM packages. This led to implementing NuGet and NPM scanning using DevAudit and AuditJs.

    Regarding automated scanning: we are currently using Visual Studio Team Services (VSTS) hosted build agents, which do not allow custom applications to be installed. If you are using a self-hosted VSTS build agent you will be able to run these scans at build time.

    Previously I tried out OWASP SafeNuGet and found that its results were not as comprehensive as DevAudit's.

    1. DevAudit (NuGet)

    DevAudit offers a lot of functionality; my use case is only NuGet scanning (for now). I used Chocolatey to install it:

    choco install devaudit
    refreshenv
    cd 
    devaudit nuget -note-non-interact > devaudit-nuget-projectname.txt
    

    A sample of the results from the NuGet scan (the jQuery entry shows the tool failing to parse one advisory's version range and still flagging the package):

    ...
    [35/49] Microsoft.AspNet.WebPages (3.2.3) no known vulnerabilities. 
    [36/49] jQuery (1.10.2) Error determining vulnerability version range (>=1.4.0 =1.12.4  or = or ~ or digit (Line 1, Column 1); recently consumed: .
    [VULNERABLE]
    7 known vulnerabilities, 2 affecting installed version. 
    ...
    

    2. AuditJS (NPM)

    cd 
    npm install auditjs -g
    auditjs-win > auditjs-npm-projectname.txt
    

    A sample of the results from AuditJs:

    ...
    [2/702] @types/draft-js 0.10.12   No known vulnerabilities...
    [3/702] immutable 3.8.1   No known vulnerabilities...
    ...
    
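    The redirects above only save the reports; on a self-hosted agent you would also want the build to fail when a report lists a vulnerable package. The script below is an added example, not part of the original post or of either tool: it parses the report formats shown in the two samples (a "[i/n] name version ..." header per package, and for DevAudit a "[VULNERABLE]" line plus a "N known vulnerabilities, M affecting installed version." summary) and returns a non-zero status when anything is flagged. The function names and the embedded sample reports are this example's own constructions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): fail a build step when a
# DevAudit or AuditJs report, saved as shown above, lists a flagged package.

# Constructed sample, modelled on the DevAudit NuGet output quoted above.
devaudit_sample() {
  cat <<'EOF'
[35/49] Microsoft.AspNet.WebPages (3.2.3) no known vulnerabilities.
[36/49] jQuery (1.10.2) Error determining vulnerability version range (>=1.4.0 =1.12.4  or = or ~ or digit (Line 1, Column 1); recently consumed: .
[VULNERABLE]
7 known vulnerabilities, 2 affecting installed version.
[37/49] Newtonsoft.Json (10.0.3) no known vulnerabilities.
EOF
}

# Constructed sample, modelled on the AuditJs output quoted above.
auditjs_sample() {
  cat <<'EOF'
[2/702] @types/draft-js 0.10.12   No known vulnerabilities...
[3/702] immutable 3.8.1   No known vulnerabilities...
EOF
}

# Print "name version affecting-count" for every flagged package in the
# report file(s) given as arguments (or on stdin). A package is flagged when a
# "[VULNERABLE]" line follows its header or the summary reports a non-zero
# "affecting installed version" count.
vulnerable_packages() {
  awk '
    function flush() {
      if (name != "" && (flagged || affecting + 0 > 0)) print name, ver, affecting + 0
      name = ""; flagged = 0; affecting = 0
    }
    /^\[[0-9]+\/[0-9]+\] / {        # package header, e.g. "[36/49] jQuery (1.10.2) ..."
      flush()
      name = $2; ver = $3
      gsub(/[()]/, "", ver)         # DevAudit wraps the version in parentheses, AuditJs does not
      next
    }
    /^\[VULNERABLE\]/ { flagged = 1; next }
    /affecting installed version/ {  # "7 known vulnerabilities, 2 affecting installed version."
      for (i = 1; i <= NF; i++) if ($i == "affecting") affecting = $(i - 1)
      next
    }
    END { flush() }
  ' "$@"
}

# Exit 1 (fail the build) when any package is flagged, 0 when the report is clean.
gate_report() {
  local hits
  hits=$(vulnerable_packages "$@")
  if [ -n "$hits" ]; then
    printf 'Vulnerable packages found (name version affecting):\n%s\n' "$hits" >&2
    return 1
  fi
  echo "No vulnerable packages found" >&2
  return 0
}

# Demo on the constructed DevAudit sample.
devaudit_sample | vulnerable_packages    # prints: jQuery 1.10.2 2
```

    In a build step this becomes `gate_report devaudit-nuget-projectname.txt auditjs-npm-projectname.txt || exit 1` after the two scans have run. Note the "Error determining vulnerability version range" text on the jQuery line: a range the tool could not parse cannot be matched against the installed version, so a package carrying that error deserves a manual look even when its "affecting" count is low.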

    Hopefully, if you're reading this, you're taking a proactive approach, and for that I congratulate you.

    Happy scanning 🙂

  • During an internal development discussion we identified how much trust we put into external NuGet packages. This led to implementing automated NuGet scanning using the OWASP SafeNuGet package [1].

    This approach warns developers early, either on their own machine or at build time on the build server (in our case VSTS).

    Here’s how to set it up:

    1. Add SafeNuGet package

    From Visual Studio click the Tools > NuGet Package Manager > Package Manager Console menu item.

    Install-Package SafeNuGet
    

    Or if you have multiple projects:

    Get-Project -All | Install-Package SafeNuGet
    

    2. Analysis of Packages

    By default the build will fail if an issue is found; otherwise you will find the following in the Build Output pane of Visual Studio:

    Using cached list of unsafe packages
    No vulnerable packages found
    

    3. Options

    If you'd prefer not to break the build, you can configure the tool by editing the ./packages/SafeNuGet./build/SafeNuGet.targets file and setting the DontBreakBuild option to true. The check then only reports findings, so someone still has to read the build output.

    [1] Update 14/Sep/2017: After testing this process further I'm not 100% happy with it as it is not triggering on known vulnerable NuGet packages (such as older JQuery packages). In my next post I investigate DevAudit and AuditJs.

  • The git-tfs project has some excellent documentation and step-by-step guides for migrating from TFS to git; I recommend you read them for more detail: https://github.com/git-tfs/git-tfs

    In summary, here are the steps I used via the Windows 10 command line:

    Peek into the branches available:

    git tfs list-remote-branches https:///tfs/
    

    If your TFS repo doesn’t use branches you can use:

    git tfs clone https:///tfs/ $/ .
    

    Otherwise if you want all the branches:

    git tfs clone https:///tfs/ $/ . --branches=all
    

    This creates a local git repo from TFS.

    From VSTS create a project or a new repo. Do not set a .gitignore file via the UI: that creates an initial commit on the server, and the push of the converted history would then conflict with it.

    Push to the server:

    git remote add origin 
    git push -u origin master
    

    Or, to push every branch:

    git push --all origin
    

    Batch file template

    @echo off
    @setlocal
    
    REM Fill in the TFS collection URL, the TFS project path and the local folder name.
    set serverpath=https://site/tfs/project
    set tfsproject="$/projectname"
    set repo="projectname"
    
    git tfs list-remote-branches %serverpath%
    
    REM Stop with a message if either variable was left empty.
    if [%tfsproject%] == [] GOTO EXITEMPTY
    if [%repo%] == [] GOTO EXITEMPTY
    
    echo *** Cloning ***
    if not exist %repo% mkdir %repo%
    echo git tfs clone %serverpath% %tfsproject% %repo% --branches=all
    git tfs clone %serverpath% %tfsproject% %repo% --branches=all
    GOTO EXIT
    
    :EXITEMPTY
    echo tfsproject or repo variables are empty. Stopping here.
    
    :EXIT
    @endlocal
    

    Removing NuGet packages from history (run these in Git Bash; the single quotes and xargs are Unix shell syntax)

    # Rewrite every commit on the current branch without the packages folder.
    # Replace HEAD with "-- --all" to rewrite every branch after a --branches=all clone.
    git filter-branch --tree-filter 'rm -rf packages' --prune-empty HEAD
    # Delete the refs/original/* backups filter-branch leaves, otherwise the old commits stay reachable.
    git for-each-ref --format="%(refname)" refs/original/ | xargs -n 1 git update-ref -d
    echo packages/ >> .gitignore
    git add .gitignore
    git commit -m 'Removing packages from git history'
    # Expire the reflog first; without this gc cannot prune the objects the old commits used.
    git reflog expire --expire=now --all
    git gc --prune=now
    # History has been rewritten, so the push must be forced (existing clones must be re-cloned).
    git push origin master --force
    
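    Before the force push it is worth confirming that the folder really is gone from every commit. The script below is an added example, not part of the original post or of git-tfs: it wraps the rewrite in a function that rewrites all branches (the command above only rewrites HEAD), adds a `path_in_history` check built on `git log --all -- <path>`, and exercises both on a throwaway repository with constructed contents. The function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): verify a path is gone from
# history before force-pushing a rewritten repository.

# True (exit 0) when some commit reachable from any ref still touches <path>.
path_in_history() {
  [ -n "$(git log --all --format=%H -- "$1")" ]
}

# Rewrite all branches without <path>, discard the refs/original/* backups and
# the reflog entries that still point at the old commits, then prune the objects.
purge_path_from_history() {
  local path="$1"
  FILTER_BRANCH_SQUELCH_WARNING=1 git filter-branch -f --prune-empty \
    --tree-filter "rm -rf '$path'" -- --all
  git for-each-ref --format='%(refname)' refs/original/ |
    while read -r ref; do git update-ref -d "$ref"; done
  git reflog expire --expire=now --all
  git gc --prune=now --quiet
}

# Self-contained demo: build a throwaway repo with a committed packages/ folder
# (constructed content), purge it, and verify. Returns 0 when every check passes.
demo_purge() {
  local work rc
  work=$(mktemp -d)
  (
    cd "$work" || exit 1
    git init -q
    git config user.name "example"
    git config user.email "example@example.invalid"
    mkdir -p packages/jQuery.1.10.2 src
    echo 'binary' > packages/jQuery.1.10.2/jquery.dll
    echo 'class App {}' > src/App.cs
    git add -A && git commit -q -m "Initial import from TFS"
    echo '// change' >> src/App.cs
    git commit -q -am "Second change"
    path_in_history packages || exit 1                  # present before the purge
    purge_path_from_history packages >/dev/null 2>&1 || exit 1
    echo 'packages/' >> .gitignore
    git add .gitignore && git commit -q -m 'Removing packages from git history'
    ! path_in_history packages || exit 1                # gone afterwards
    [ "$(git rev-list --count HEAD)" = "3" ] || exit 1  # both original commits survive, plus the .gitignore one
    [ -z "$(git for-each-ref refs/original/)" ] || exit 1
  )
  rc=$?
  rm -rf "$work"
  return $rc
}
```

    In a real migration run `path_in_history packages` (or simply `git log --all -- packages`) in the converted repository after the rewrite; any output means some branch still carries the folder and the force push would publish it.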

  • We're currently slowly adopting Slack in our R&D department; developers quickly raised a request to have TeamCity pump build failures into a Slack channel. Like this…

  • This blog was recently running on a self-hosted WordPress site and I found myself dispirited by the user experience of WordPress. For all its flexibility and functionality, I would find myself shying away from blogging for the following reasons:
    • The tools for writing and editing posts – although always improving – compare poorly to my favourite text editor(s),
    • Maintaining security updates and plugins is such a constant frustration,
    • All those posts aren’t in any form of source control but instead a MySQL database that needs a backup strategy,
    • WordPress was missing the fun factor.