- During an internal development discussion we identified how much trust we put into external NuGet and NPM packages, which led to implementing NuGet scanning using DevAudit and AuditJS.
Regarding automated scanning, we're currently using Visual Studio Team Services (VSTS) hosted build agents, which do not allow custom applications to be installed. If you're using a self-hosted VSTS build agent you will be able to automate this at build time.
Previously I tried out OWASP SafeNuGet and found that the results were not as comprehensive as DevAudit.
1. DevAudit (NuGet)
DevAudit offers a lot of functionality; my use-case is only NuGet scanning (for now). I used Chocolatey to install it, then ran the scan from the project directory (replace the angle-bracket placeholder with your own path):
choco install devaudit
refreshenv
cd <project-directory>
devaudit nuget -n > devaudit-nuget-projectname.txt
The -n switch runs DevAudit in non-interactive mode, which you need when redirecting the output to a file.
A sample of the result from NuGet scan:
...
[35/49] Microsoft.AspNet.WebPages (3.2.3) no known vulnerabilities.
[36/49] jQuery (1.10.2) Error determining vulnerability version range (>=1.4.0 <1.12.4 or = or ~ or digit (Line 1, Column 1); recently consumed: . [VULNERABLE] 7 known vulnerabilities, 2 affecting installed version.
...
2. AuditJS (NPM)
cd <project-directory>
npm install auditjs -g
auditjs-win > auditjs-npm-projectname.txt
A sample of the result from AuditJS:
...
[2/702] @types/draft-js 0.10.12 No known vulnerabilities...
[3/702] immutable 3.8.1 No known vulnerabilities...
...
Hopefully if you’re reading this you’re taking a proactive approach and for that I congratulate you.
Happy scanning 🙂
- During an internal development discussion we identified how much trust we put into external NuGet packages, which led to implementing automated NuGet scanning using the OWASP SafeNuGet package [1].
This option lets developers be warned of issues early, or at build time on the build server (in our case VSTS).
Here’s how to set it up:
1. Add SafeNuGet package
From Visual Studio click the Tools > NuGet Package Manager > Package Manager Console menu item and run:
Install-Package SafeNuGet
Or, if you have multiple projects:
Get-Project -All | Install-Package SafeNuGet
2. Analysis of Packages
By default the build will fail if an issue is found; otherwise you will find the following in the Build Output pane of Visual Studio:
Using cached list of unsafe packages
No vulnerable packages found
If you'd prefer not to break the build you can configure the tool by editing the ./packages/SafeNuGet./build/SafeNuGet.targets file and set the
[1] Update 14/Sep/2017: After testing this process further I'm not 100% happy with it, as it is not triggering on known vulnerable NuGet packages (such as older jQuery packages). In my next post I investigate DevAudit and AuditJS.
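To make concrete what DevAudit, AuditJS and SafeNuGet are all doing under the hood, here is a small added example written for this page (it is not code from any of those projects). It enumerates packages from a NuGet packages.config and an npm package-lock.json, matches each against an advisory list whose affected ranges are written as space-separated clauses such as ">=1.4.0 <1.12.4", and turns the result into a build exit code. Both manifests and all advisories are constructed for illustration; the jQuery range is the one quoted in the DevAudit output above, and a deliberately malformed advisory shows the "Error determining vulnerability version range" case being reported as an error rather than silently skipped, which is the kind of silent miss the SafeNuGet update note complains about.

```python
"""Minimal NuGet/npm dependency audit against a local advisory list.

Added example: enumerate installed packages, match them against advisories
with ">=min <max" style ranges, and fail the build on a hit. All data below
is constructed for illustration, not taken from a real vulnerability feed.
"""
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample NuGet packages.config for one project.
PACKAGES_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="Microsoft.AspNet.WebPages" version="3.2.3" targetFramework="net45" />
  <package id="jQuery" version="1.10.2" targetFramework="net45" />
</packages>
"""

# Constructed sample npm package-lock.json (lockfileVersion 1, flat "dependencies").
PACKAGE_LOCK = json.dumps({
    "name": "sample", "lockfileVersion": 1,
    "dependencies": {
        "@types/draft-js": {"version": "0.10.12"},
        "immutable": {"version": "3.8.1"},
    },
})

# Constructed advisories: (ecosystem, package, affected range, title).
# A range is a list of clauses; every clause must hold for a version to be affected.
ADVISORIES = [
    ("nuget", "jQuery", ">=1.4.0 <1.12.4", "constructed: XSS via untrusted selector"),
    ("nuget", "jQuery", ">=1.0.0 <1.9.0", "constructed: older jQuery issue"),
    ("npm", "immutable", "<3.0.0", "constructed: placeholder advisory"),
    ("npm", "immutable", "not-a-range", "constructed: malformed range"),
]

_CLAUSE = re.compile(r"^(>=|<=|>|<|=)?(\d+(?:\.\d+)*)$")


def parse_version(text):
    """'1.10.2' -> (1, 10, 2); pads to three parts and drops '-beta1' style suffixes."""
    core = re.split(r"[-+]", text, maxsplit=1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def in_range(version, range_text):
    """True when every clause of range_text holds for version.
    Raises ValueError for a clause it cannot parse (the jQuery case in the DevAudit log)."""
    v = parse_version(version)
    for clause in range_text.split():
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"cannot parse range clause {clause!r} in {range_text!r}")
        op, bound = m.group(1) or "=", parse_version(m.group(2))
        holds = {">=": v >= bound, "<=": v <= bound, ">": v > bound,
                 "<": v < bound, "=": v == bound}[op]
        if not holds:
            return False
    return True


def nuget_packages(xml_text):
    """Yield (id, version) pairs from a packages.config document."""
    for pkg in ET.fromstring(xml_text).iter("package"):
        yield pkg.get("id"), pkg.get("version")


def npm_packages(lock_text):
    """Yield (name, version) pairs from a lockfileVersion 1 package-lock.json."""
    for name, info in json.loads(lock_text).get("dependencies", {}).items():
        yield name, info["version"]


def audit(ecosystem, packages, advisories=ADVISORIES):
    """Return (findings, errors): findings are (pkg, version, title) hits; errors are
    (pkg, version, message) for advisories whose range could not be parsed, surfaced
    so that a broken advisory cannot silently hide a vulnerable package."""
    findings, errors = [], []
    for name, version in packages:
        for eco, pkg, rng, title in advisories:
            if eco != ecosystem or pkg.lower() != name.lower():
                continue
            try:
                if in_range(version, rng):
                    findings.append((name, version, title))
            except ValueError as exc:
                errors.append((name, version, str(exc)))
    return findings, errors


def build_exit_code(findings, errors, fail_on_error=True):
    """1 breaks the build: any confirmed finding, or an unparseable range when
    fail_on_error is set (mirrors the break-the-build default described for SafeNuGet)."""
    if findings:
        return 1
    return 1 if (errors and fail_on_error) else 0


if __name__ == "__main__":
    for eco, pkgs in (("nuget", list(nuget_packages(PACKAGES_CONFIG))),
                      ("npm", list(npm_packages(PACKAGE_LOCK)))):
        found, errs = audit(eco, pkgs)
        for i, (name, ver) in enumerate(pkgs, 1):
            hits = [t for n, _, t in found if n == name]
            status = f"[VULNERABLE] {len(hits)} advisories" if hits else "no known vulnerabilities"
            print(f"[{i}/{len(pkgs)}] {name} ({ver}) {status}")
        for name, ver, msg in errs:
            print(f"[{name} {ver}] error determining vulnerability range: {msg}")
        print(f"{eco}: build exit code {build_exit_code(found, errs)}")
```

On the constructed data the NuGet scan flags jQuery 1.10.2 against the first advisory only (1.10.2 is above the 1.9.0 ceiling of the second), and the npm scan produces no finding but one range error, which still fails the build unless fail_on_error is switched off; that switch is the "don't break the build" decision the SafeNuGet post describes, and it should be a conscious one.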
- The git-tfs project has some excellent documentation and step-by-step guides for migrating from TFS to git; I recommend reading it for more detail: https://github.com/git-tfs/git-tfs
In summary, here are the steps I used from the Windows 10 command line (replace the angle-bracket placeholders with your own server, collection and project):
Peek into the branches available:
git tfs list-remote-branches https://<server>/tfs/<collection>
If your TFS repo doesn’t use branches you can use:
git tfs clone https://<server>/tfs/<collection> $/<project> .
Otherwise if you want all the branches:
git tfs clone https://<server>/tfs/<collection> $/<project> . --branches=all
This creates a local git repo from TFS.
From VSTS create a project or a new repo. Do not set a .gitignore file via the UI.
Push to the server:
git remote add origin <vsts-repository-url>
git push -u origin master
or, to push every branch:
git push --all origin
Batch file template
@echo off
@setlocal
set serverpath=https://site/tfs/project
set tfsproject="$/projectname"
set repo="projectname"

git tfs list-remote-branches %serverpath%

REM Stop before cloning if either variable is empty (jumps to the EXITEMPTY message).
if [%tfsproject%] == [] GOTO EXITEMPTY
if [%repo%] == [] GOTO EXITEMPTY

echo *** Cloning ***
if not exist %repo% mkdir %repo%
echo git tfs clone %serverpath% %tfsproject% %repo% --branches=all
git tfs clone %serverpath% %tfsproject% %repo% --branches=all
GOTO EXIT

:EXITEMPTY
echo tfsproject or repo variables are empty. Stopping here.

:EXIT
Removing NuGet packages from history
git filter-branch --tree-filter 'rm -rf packages' --prune-empty HEAD
git for-each-ref --format="%(refname)" refs/original/ | xargs -n 1 git update-ref -d
echo packages/ >> .gitignore
git add .gitignore
git commit -m 'Removing packages from git history'
git gc
git push origin master --force
The second command deletes the refs/original/ backups that filter-branch leaves behind, so that git gc can actually drop the old objects. Note that the forced push rewrites history for everyone who has already cloned the repo, so do this before the team starts working from the new remote.
- We're currently slowly adopting Slack in our R&D department, and developers quickly raised a request to have TeamCity pump build failures into a Slack channel. Like this…
- This blog was recently running on a self-hosted WordPress site, and I found myself dispirited by the user experience of WordPress. For all its flexibility and functionality I would find myself shying away from blogging for the following reasons:
- The tools for writing and editing posts – although always improving – compare poorly to my favourite text editor(s),
- Maintaining security updates and plugins is such a constant frustration,
- All those posts aren't in any form of source control but instead in a MySQL database that needs a backup strategy,
- WordPress was missing the fun factor.