Fix CVSS Score stored as double

digitalcoyote · Jun 1, 2024 · ddbf27a · ddbf27a
1 parent 140204b
commit ddbf27a
Show file tree

Hide file tree

Showing 14 changed files with 92 additions and 44 deletions.
diff --git a/Src/NuGetDefense.Lib/Configuration/BuildErrorSettings.cs b/Src/NuGetDefense.Lib/Configuration/BuildErrorSettings.cs
@@ -8,9 +8,9 @@ public Severity ErrorSeverityThreshold
     {
         get
         {
-            if (Cvss3Threshold > 8.9) return Severity.Critical;
-            if (Cvss3Threshold > 6.9) return Severity.High;
-            if (Cvss3Threshold > 3.9) return Severity.Medium;
+            if (Cvss3Threshold > 8.9M) return Severity.Critical;
+            if (Cvss3Threshold > 6.9M) return Severity.High;
+            if (Cvss3Threshold > 3.9M) return Severity.Medium;
             if (Cvss3Threshold > 0) return Severity.Low;
             return Cvss3Threshold < 0 ? Severity.Any : Severity.None;
         }
@@ -20,59 +20,59 @@ public Severity ErrorSeverityThreshold
             {
                 Severity.Any => -1,
                 Severity.None => 0,
-                Severity.Low => 0.1,
-                Severity.Medium => 4.0,
-                Severity.High => 7.0,
-                Severity.Critical => 9.0,
+                Severity.Low => 0.1M,
+                Severity.Medium => 4.0M,
+                Severity.High => 7.0M,
+                Severity.Critical => 9.0M,
                 _ => Cvss3Threshold
             };
         }
     }
 
-    public double Cvss3Threshold { get; set; } = -1;
+    public decimal Cvss3Threshold { get; set; } = -1;
 
     /// <summary>
     ///     List Package Id and Version/Range to be ignored
     ///     (https://docs.microsoft.com/en-us/nuget/concepts/package-versioning#version-ranges-and-wildcards)
     ///     Version is "any" if omitted
     /// </summary>
     public NuGetPackage[]? IgnoredPackages { get; set; } =
-    {
+    [
         new() { Id = "NugetDefense" }
-    };
+    ];
 
     /// <summary>
     ///     List CVE to be ignored
     ///     (https://docs.microsoft.com/en-us/nuget/concepts/package-versioning#version-ranges-and-wildcards)
     /// </summary>
     public string[]? IgnoredCvEs { get; set; } =
-    {
-    };
+    [
+    ];
 
     /// <summary>
     ///     List Package Id and Version/Range to be Allowed
     ///     (https://docs.microsoft.com/en-us/nuget/concepts/package-versioning#version-ranges-and-wildcards)
     ///     Version is "any" if omitted
     /// </summary>
-    public NuGetPackage[]? AllowedPackages { get; set; } = Array.Empty<NuGetPackage>();
+    public NuGetPackage[]? AllowedPackages { get; set; } = [];
 
     /// <summary>
     /// Old name for <see cref="AllowedPackages"/>.
     /// </summary>
     [Obsolete("Here for support of old config files")]
-    public NuGetPackage[]? WhiteListedPackages { get; set; } = Array.Empty<NuGetPackage>();
+    public NuGetPackage[]? WhiteListedPackages { get; set; } = [];
 
 
     /// <summary>
     ///     List Package Id and Version/Range to be Blocked
     ///     (https://docs.microsoft.com/en-us/nuget/concepts/package-versioning#version-ranges-and-wildcards)
     ///     Version is "any" if omitted
     /// </summary>
-    public BlockedPackage[]? BlockedPackages { get; set; } = Array.Empty<BlockedPackage>();
+    public BlockedPackage[]? BlockedPackages { get; set; } = [];
 
     /// <summary>
     /// Old name for <see cref="BlockedPackages"/>.
     /// </summary>
     [Obsolete("Here for support of old config files")]
-    public BlockedPackage[]? BlacklistedPackages { get; set; } = Array.Empty<BlockedPackage>();
+    public BlockedPackage[]? BlacklistedPackages { get; set; } = [];
 }
diff --git a/Src/NuGetDefense.Lib/Configuration/Settings.cs b/Src/NuGetDefense.Lib/Configuration/Settings.cs
@@ -15,7 +15,7 @@ public class Settings
     public FileLogSettings? Log
     {
         get => Logs?.Length > 0 ? Logs[0] : null;
-        set { Logs = new[] { value }; }
+        set { Logs = [value]; }
     }
 
     public VulnerabilityReportsSettings VulnerabilityReports { get; set; } = new();
@@ -35,7 +35,7 @@ public FileLogSettings? Log
 
     public RemoteVulnerabilitySourceConfiguration NvdApi { get; set; } = new();
 
-    public string[] SensitivePackages { get; set; } = Array.Empty<string>();
+    public string[] SensitivePackages { get; set; } = [];
 
     public static Settings LoadSettings(string? settingsFilePath = "")
     {

diff --git a/Src/NuGetDefense.Lib/NuGetDefense.Lib.csproj b/Src/NuGetDefense.Lib/NuGetDefense.Lib.csproj
@@ -23,7 +23,7 @@
         <Description>NuGetDefense ~ Check for Known Vulnerabilities at Build</Description>
         <PackageDescription>NuGetDefense was inspired by [OWASP SafeNuGet](https://nuget.org/packages/SafeNuGet/) but aims to check with multiple sources for known vulnerabilities.</PackageDescription>
         <Copyright>Curtis Carter 2024</Copyright>
-        <Version>4.1.2</Version>
+        <Version>4.1.3</Version>
         <RepositoryType>git</RepositoryType>
         <PackageReadmeFile>README.md</PackageReadmeFile>
     </PropertyGroup>
@@ -37,10 +37,10 @@
             <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
         </PackageReference>
         <PackageReference Include="NuGet.Versioning" Version="6.10.0" />
-        <PackageReference Include="NuGetDefense.Core" Version="2.0.12" />
+        <PackageReference Include="NuGetDefense.Core" Version="2.0.13.1" />
         <PackageReference Include="NuGetDefense.GitHubAdvisoryDatabase" Version="2.0.6" />
-        <PackageReference Include="NuGetDefense.NVD" Version="2.1.5" />
-        <PackageReference Include="NuGetDefense.OSSIndex" Version="2.1.3" />
+        <PackageReference Include="NuGetDefense.NVD" Version="2.1.6" />
+        <PackageReference Include="NuGetDefense.OSSIndex" Version="2.1.4" />
         <PackageReference Include="Serilog.Sinks.Console" Version="5.0.1" />
         <PackageReference Include="Serilog.Sinks.File" Version="5.0.0" />
         <PackageReference Include="System.Text.Json" Version="8.0.3" />

diff --git a/Src/NuGetDefense.Lib/Scanner.cs b/Src/NuGetDefense.Lib/Scanner.cs
@@ -22,7 +22,7 @@ namespace NuGetDefense;
 
 public class Scanner
 {
-    public const string Version = "4.1.2";
+    public const string Version = "4.1.3";
     public const string UserAgentString = @$"NuGetDefense/{Version}";
     public const string DefaultSettingsFileName = "NuGetDefense.json";
     public const string DefaultVulnerabilityDataFileName = "VulnerabilityData.bin";

diff --git a/Src/NuGetDefense.Lib/SqlLiteVulnerabilityCache.cs b/Src/NuGetDefense.Lib/SqlLiteVulnerabilityCache.cs
@@ -81,12 +81,12 @@ public List<NuGetPackage> GetUncachedPackages(IEnumerable<NuGetPackage> pkgs, Ti
     {
         if (!Enabled)
         {
-            cachedPackages = Array.Empty<NuGetPackage>();
+            cachedPackages = [];
             return pkgs.ToList();
         }
 
-        List<NuGetPackage> uncachedPackages = new();
-        List<(NuGetPackage Package, DateTime DateChecked)> datePackageTuples = new();
+        List<NuGetPackage> uncachedPackages = [];
+        List<(NuGetPackage Package, DateTime DateChecked)> datePackageTuples = [];
         foreach (var pkg in pkgs)
         {
             var connectionString = new SqliteConnectionStringBuilder
@@ -232,7 +232,7 @@ public void GetPackageCachedVulnerabilitiesForSource(NuGetPackage package, strin
             vulnerabilities.Add(
                 new(
                     (string)reader["cve"],
-                    (double)reader["score"],
+                    (decimal)reader["score"],
                     (string)reader["cwe"],
                     (string)reader["description"],
                     ((string)reader["refs"]).Split(' '),

diff --git a/Src/NuGetDefense.Lib/VulnerabilityReport.cs b/Src/NuGetDefense.Lib/VulnerabilityReport.cs
@@ -7,7 +7,7 @@ public class VulnerabilityReport
 {
     [XmlAttribute] public int VulnerabilitiesCount { get; set; }
 
-    public VulnerableNuGetPackage[] Packages { get; set; } = Array.Empty<VulnerableNuGetPackage>();
+    public VulnerableNuGetPackage[] Packages { get; set; } = [];
 }
 
 public class VulnerableNuGetPackage
@@ -17,7 +17,7 @@ public class VulnerableNuGetPackage
     public string PackageUrl => $"pkg:nuget/{Id}@{Version}";
     [XmlAttribute] public string? Version { get; set; }
 
-    public ReportedVulnerability[] Vulnerabilities { get; set; } = Array.Empty<ReportedVulnerability>();
+    public ReportedVulnerability[] Vulnerabilities { get; set; } = [];
 }
 
 public class ReportedVulnerability
@@ -28,7 +28,7 @@ public class ReportedVulnerability
 
     [XmlAttribute] public string? Cwe { get; set; }
 
-    [XmlAttribute] public double CvssScore { get; set; }
+    [XmlAttribute] public decimal CvssScore { get; set; }
 
     [XmlAttribute] public string? CvssVector { get; set; }
 }
diff --git a/Src/NuGetDefense.Lib/VulnerabilityReporter.cs b/Src/NuGetDefense.Lib/VulnerabilityReporter.cs
@@ -56,10 +56,10 @@ public void BuildVulnerabilityReport(
     }
 
     public void BuildVulnerabilityTextReport(Dictionary<string, Dictionary<string, Vulnerability>> vulnerabilityDictionary,
-        IEnumerable<NuGetPackage> pkgs, string nuGetFile, bool warnOnly, double cvss3Threshold, out int numberOfVulns)
+        IEnumerable<NuGetPackage> pkgs, string nuGetFile, bool warnOnly, decimal cvss3Threshold, out int numberOfVulns)
     {
         numberOfVulns = 0;
-        if (_separateMsBuildMessages) MsBuildMessages = new();
+        if (_separateMsBuildMessages) MsBuildMessages = [];
 
         var logBuilder = new StringBuilder(VulnerabilityTextReport);
         var nuGetPackages = pkgs as NuGetPackage[] ?? pkgs.ToArray();

diff --git a/Src/NuGetDefense/NuGetDefense.csproj b/Src/NuGetDefense/NuGetDefense.csproj
@@ -21,8 +21,8 @@
         <IncludeSymbols>true</IncludeSymbols>
         <SymbolPackageFormat>snupkg</SymbolPackageFormat>
         <Nullable>enable</Nullable>
-        <AssemblyVersion>4.1.2</AssemblyVersion>
-        <FileVersion>4.1.2</FileVersion>
+        <AssemblyVersion>4.1.3</AssemblyVersion>
+        <FileVersion>4.1.3</FileVersion>
         <PackageIcon>icon.png</PackageIcon>
     </PropertyGroup>
     <PropertyGroup Condition="'$(Configuration)'=='Release'">
@@ -37,7 +37,7 @@
         <PackageId>NuGetDefense.Tool</PackageId>
         <PackAsTool>true</PackAsTool>
         <ToolCommandName>nugetdefense</ToolCommandName>
-        <Version>4.1.2</Version>
+        <Version>4.1.3</Version>
         <PackageReadmeFile>README.md</PackageReadmeFile>
     </PropertyGroup>
     <ItemGroup>

diff --git a/Src/NuGetDefense/NuGetDefense.nuspec b/Src/NuGetDefense/NuGetDefense.nuspec
@@ -3,7 +3,7 @@
     <metadata>
         <id>NuGetDefense</id>
         <title>NuGetDefense</title>
-        <version>4.1.2</version>
+        <version>4.1.3</version>
         <authors>Curtis Carter</authors>
         <owners>Curtis Carter</owners>
         <projectUrl>https://digitalcoyote.github.io/NuGetDefense/</projectUrl>

diff --git a/Src/NuGetDefenseTests/NuGetDefenseTests.csproj b/Src/NuGetDefenseTests/NuGetDefenseTests.csproj
@@ -16,9 +16,9 @@
     </PropertyGroup>
 
     <ItemGroup>
-        <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.9.0" />
-        <PackageReference Include="xunit" Version="2.8.0" />
-        <PackageReference Include="xunit.runner.visualstudio" Version="2.8.0">
+        <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.10.0" />
+        <PackageReference Include="xunit" Version="2.8.1" />
+        <PackageReference Include="xunit.runner.visualstudio" Version="2.8.1">
             <PrivateAssets>all</PrivateAssets>
             <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
         </PackageReference>

diff --git a/Src/NuGetDefenseTests/SqliteCacheTests.cs b/Src/NuGetDefenseTests/SqliteCacheTests.cs
@@ -64,7 +64,7 @@ public void UpdateCacheWithVulnsCached()
                 {
                     {
                         "TestCVE",
-                        new("TestCVE", 1.0, "test", "TestDescription", new[] { "ref1", "ref2" }, Vulnerability.AccessVectorType.NETWORK, "TestVendor")
+                        new("TestCVE", 1.0M, "test", "TestDescription", ["ref1", "ref2"], Vulnerability.AccessVectorType.NETWORK, "TestVendor")
                     }
                 }
             }
@@ -108,7 +108,7 @@ public void VulnerabilityUpsertSucceedsWhenVulnerabilityExists()
                 {
                     {
                         "TestCVE",
-                        new("TestCVE", 1.0, "test", "TestDescription", new[] { "ref1", "ref2" }, Vulnerability.AccessVectorType.NETWORK, "TestVendor")
+                        new("TestCVE", 1.0M, "test", "TestDescription", ["ref1", "ref2"], Vulnerability.AccessVectorType.NETWORK, "TestVendor")
                     }
                 }
             }
@@ -145,7 +145,7 @@ public void VulnerabilityUpsertSucceedsWhenVulnerabilityDoesNotExsist()
                 {
                     {
                         "TestCVE",
-                        new("TestCVE", 1.0, "test", "TestDescription", new[] { "ref1", "ref2" }, Vulnerability.AccessVectorType.NETWORK, "TestVendor")
+                        new("TestCVE", 1.0M, "test", "TestDescription", ["ref1", "ref2"], Vulnerability.AccessVectorType.NETWORK, "TestVendor")
                     }
                 }
             }

diff --git a/Src/NuGetDefenseTests/TestFiles/NuGetDefense.json b/Src/NuGetDefenseTests/TestFiles/NuGetDefense.json
@@ -17,6 +17,9 @@
     "Output": "~/nugetdefenseresult.json",
     "LogLevel": "Information"
   },
+  "VulnerabilityReports": {
+    "JsonReportPath": "/home/codingcoyote/RiderProjects/NuGetDefense/Src/NuGetDefenseTests/TestFiles/report.json"
+  },
   "OssIndex": {
     "Enabled": true,
     "BreakIfCannotRun": false

diff --git a/Src/NuGetDefenseTests/TestFiles/report.json b/Src/NuGetDefenseTests/TestFiles/report.json
@@ -0,0 +1,45 @@
+{
+  "VulnerabilitiesCount": 4,
+  "Packages": [
+    {
+      "Id": "jQuery",
+      "Version": "3.3.1",
+      "Vulnerabilities": [
+        {
+          "Description": "jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.\n\nSonatype\u0027s research suggests that this CVE\u0027s details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2019-11358 for details",
+          "Cve": "CVE-2019-11358",
+          "Cwe": "CWE-1321",
+          "CvssScore": 6.1,
+          "CvssVector": "NETWORK"
+        },
+        {
+          "Description": "In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing \u003Coption\u003E elements from untrusted sources - even after sanitizing it - to one of jQuery\u0027s DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.",
+          "Cve": "CVE-2020-11023",
+          "Cwe": "CWE-79",
+          "CvssScore": 6.1,
+          "CvssVector": "NETWORK"
+        },
+        {
+          "Description": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-11023. Reason: This candidate is a duplicate of CVE-2020-11023. Notes: All CVE users should reference CVE-2020-11023 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.\n\nSonatype\u0027s research suggests that this CVE\u0027s details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2020-23064 for details",
+          "Cve": "CVE-2020-23064",
+          "Cwe": "CWE-79",
+          "CvssScore": 6.1,
+          "CvssVector": "NETWORK"
+        }
+      ]
+    },
+    {
+      "Id": "jQuery.Validation",
+      "Version": "1.17.0",
+      "Vulnerabilities": [
+        {
+          "Description": "jquery-validation - Regular expression Denial of Service (ReDoS)\n\njquery-validation - Regular expression Denial of Service (ReDoS)",
+          "Cve": "CVE-2021-43306",
+          "Cwe": "CWE-1333",
+          "CvssScore": 5.9,
+          "CvssVector": "NETWORK"
+        }
+      ]
+    }
+  ]
+}
diff --git a/Src/NuGetDefenseTests/VulnerabilityReportsTest.cs b/Src/NuGetDefenseTests/VulnerabilityReportsTest.cs
@@ -23,7 +23,7 @@ public void ReportVulnerabilityWithNullReferences()
                     {
                         "CVE-Test", new Vulnerability(
                             "CVE-Test",
-                            6.6,
+                            6.6M,
                             "CWE-Test",
                             "Test Description",
                             null,
@@ -38,7 +38,7 @@ public void ReportVulnerabilityWithNullReferences()
         var pkgs = new[] { new NuGetPackage { LineNumber = 1, Id = "TestPkg", Version = "1.0.1" } };
 
         var reporter = new VulnerabilityReporter();
-        reporter.BuildVulnerabilityTextReport(vulnDict, pkgs, "NuGetDefense.dll", false, 0D, out var vulnNumber);
+        reporter.BuildVulnerabilityTextReport(vulnDict, pkgs, "NuGetDefense.dll", false, 0M, out var vulnNumber);
         Assert.Equal(0, vulnNumber);
         //TODO: Assert MSBuildMessages and VulnerabilityReport
     }