Finding Vulnerabilities in .NET repositories
Finding vulnerabilities in your .NET repositories using SourceClear is simple. This page includes steps for running a SourceClear scan using the SourceClear Command Line Interface, but you can scan with any of the SourceClear CI Integrations as well.
Scanning a repository that uses .NET and one of its build or package managers requires that the project's dependencies can be resolved in the environment where the scan runs. Depending on the package manager in use, that means:
- Requirements for the SourceClear agent
- .NET, the NuGet CLI, or MSBuild installed
- CSPROJ, FSPROJ, or VBPROJ files present in the repository
Running a Scan
Clone the example repository:
git clone https://github.com/srcclr/example-dotnet
Once the code has been cloned to your workstation, point the SourceClear CLI agent at the repository directory and scan it:
# Replace "example-dotnet" with your project folder name
srcclr scan path/to/example-dotnet
To view more verbose output during the scan process, you can add the --loud argument:
srcclr scan path/to/example-dotnet --loud
The SourceClear agent uses the native package manager to identify the dependencies and their versions in your project; the exact command it runs depends on which build or package manager the project uses. Once the agent has evaluated the open source libraries in use, it prints a summary of the scan results that includes counts for total libraries used, vulnerable libraries, the percentage of third-party code, and a list of the vulnerabilities found.
Viewing Scan Results
After a scan completes, the bottom of the terminal output includes a link to the SourceClear platform where you can view the results in more detail:
Licenses
Unique Library Licenses    3
Libraries Using GPL        0
Libraries With No License  1
Full Report Details
https://acmedemo.sourceclear.io/teams/X33hObV/scans/2188500
Navigating to this link allows you to view the results of your scan in its entirety.
The scan results are broken down into the following categories:
- Issues - This category includes out-of-date libraries, license violations, and vulnerabilities associated with a specific version of a library within a specific repository.
- Vulnerabilities - This list represents the set of unique vulnerabilities across a specific project. If multiple libraries in a given project are associated with the same vulnerability, the vulnerability only appears once in this list.
- Libraries - Libraries consist of each open source library that SourceClear has identified within a code project.
- Licenses - Licenses allow users to view the software license information associated with each open-source library in use.
You can find more details on these categories in the Issues, Vulnerabilities, Libraries, and Licenses overview.
Fixing Vulnerability Issues
After viewing the scan results, use the fix instructions SourceClear provides for each vulnerability issue in the web interface.
Fixing a Direct Vulnerability
When a library is referenced explicitly in your project file (a PackageReference in a CSPROJ, FSPROJ, or VBPROJ file, or an entry in packages.config), SourceClear calls it a direct dependency. Fixing a vulnerability in a direct dependency is usually a one-line change: update the referenced version to the fixed version the issue details recommend, then restore and rebuild. Using the example project from Running a Scan, open the project's scan results in the SourceClear UI and filter the Issues view to Vulnerability issues in Direct Libraries to see exactly which references need to change. A vulnerability in a transitive library (one pulled in by a direct dependency rather than referenced in your project file) cannot be fixed this way: update the direct dependency that brings it in, or add an explicit reference to a fixed version so that NuGet's dependency resolution prefers it.
Validating a Fixed Vulnerability
Validate a fix before committing it by running another SourceClear scan with the --allow-dirty option, which tells the agent to scan the working tree even though it contains uncommitted changes:
srcclr scan /path/to/example-dotnet --allow-dirty
When the vulnerability no longer appears in the scan output, the fix is confirmed and you can commit your changes. If it still appears, check that the restore actually picked up the new version: another project in the solution, a packages.lock.json file, or a central Directory.Packages.props file may still pin the old one.
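The two steps above (fixing a direct dependency, then validating with --allow-dirty) as one runnable script. This is an added example, not code from the SourceClear documentation or from the example-dotnet repository. The package names Acme.Example and Acme.Other, their version numbers, and the sample project file are constructed for illustration and do not refer to any real package or advisory; the only real commands are the sed edit of the project file and the srcclr scan --allow-dirty invocation, which runs only if the agent is installed.

```shell
#!/usr/bin/env sh
# Added example, not code from the SourceClear documentation or example-dotnet.
# Fix a vulnerable direct NuGet dependency by bumping its PackageReference in
# the project file, then re-scan the uncommitted working tree with
# "srcclr scan --allow-dirty" as described above.
# "Acme.Example", "Acme.Other" and every version number below are constructed
# for illustration and do not refer to any real package or advisory.
set -eu

# Print the Version attribute of the direct PackageReference for package $2 in
# project file $1; print nothing when the package is not referenced directly
# (that is, when it is only a transitive dependency).
direct_version() {
  csproj=$1; pkg=$2
  sed -n "s/.*<PackageReference[^>]*Include=\"$pkg\"[^>]*Version=\"\([^\"]*\)\".*/\1/p" "$csproj"
}

# Rewrite the Version attribute of the direct PackageReference for $2 in $1
# to $3. Fails when the package is transitive: there is no line to edit, so
# the fix has to go through the direct dependency that pulls it in, or by
# adding an explicit reference to the fixed version, which NuGet then prefers.
bump_direct_version() {
  csproj=$1; pkg=$2; new=$3
  old=$(direct_version "$csproj" "$pkg")
  if [ -z "$old" ]; then
    echo "$pkg is not a direct dependency in $csproj; update the package that pulls it in" >&2
    return 1
  fi
  sed -i.bak "s/\(<PackageReference[^>]*Include=\"$pkg\"[^>]*Version=\)\"$old\"/\1\"$new\"/" "$csproj"
  rm -f "$csproj.bak"
  echo "$pkg: $old -> $new"
}

# Write a constructed example project into $1: two direct references, the
# first of which stands in for the library a scan flagged.
write_sample_project() {
  dir=$1
  mkdir -p "$dir"
  cat > "$dir/example.csproj" <<'EOF'
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Acme.Example" Version="1.0.0" />
    <PackageReference Include="Acme.Other" Version="2.3.1" />
  </ItemGroup>
</Project>
EOF
}

# Apply the fix to the project in $1, then validate it the way the page
# describes: scan the directory with uncommitted changes allowed. The scan is
# skipped when the srcclr agent is not installed so the script still runs
# offline. Prints the version now referenced.
fix_and_rescan() {
  dir=$1; pkg=$2; new=$3
  bump_direct_version "$dir/example.csproj" "$pkg" "$new"
  if command -v srcclr >/dev/null 2>&1; then
    srcclr scan "$dir" --allow-dirty
  else
    echo "srcclr not installed; skipping: srcclr scan $dir --allow-dirty" >&2
  fi
  direct_version "$dir/example.csproj" "$pkg"
}

work=$(mktemp -d)
write_sample_project "$work"
fix_and_rescan "$work" "Acme.Example" "1.0.2"
```

The sed edit handles the attribute form of Version shown in the sample project; projects that put the version in a child Version element, or pin versions centrally in Directory.Packages.props or packages.lock.json, need that file edited instead. Because the agent resolves dependencies with the native package manager, the new version has to restore cleanly for the validation scan to reflect it.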