Comments (2)
At the moment DevSkim doesn't have a robust story for scanning project dependencies for known security issues - it currently is just doing vulnerable pattern analysis of source code. We are designing/prototyping different approaches to analyzing manifest and project files for known vulnerable (or abandoned/deprecated) dependencies. Since we are still designing that we are a fair ways out for being able to talk about what our response time would eventually be when a new bulletin is released (though ideally we would be feeding off of NVD or other vuln feed, and able to automatically update as soon as details are available from whatever feed we use). As a stop gap, I'll talk with @scovetta about a much more immediate (and fairly hard coded) solution for the advisory above.
I would encourage you to also open an issue under the Roslyn Analyzers (or respond to Barry's advisory post asking for an analyzer). It would really behoove the .Net community to have a built in analyzer that at the very least alerted when using a built in component that has a bulletin issued for it (if you are unfamiliar with Roslyn, its the .Net compiler. It supports analyzers that expand its analytic capabilities beyond just syntax errors, and as it is the compiler, its incredibly easy to integrate into CI builds since it is already part of the build. Here are more details and links to some security relevant analyzer, ). The .Net Security Guard project might also be interested in adding a dependency checker to their Roslyn analyzer package
from devskim.
Closing stale issues.
from devskim.
Related Issues (20)
- Confusing help text for `-g`/`--ignore-globs` option HOT 7
- Need to suppress multiple pinned TLS version issues in one line HOT 3
- Dotnet process is spawned multiple times HOT 3
- Specifying globs to be ignored in the JSON config file has no effect HOT 2
- Visual Studio Extension Not Flagging csharp Issues HOT 1
- DevSkim entering infinite loop in wild causing Visual Studio responsiveness issues HOT 2
- Suggestions are not reliably ordered in VS 2022
- Outdated Actions and runners HOT 2
- deprecate broken advisory-parser.py HOT 3
- CLI Suppress Command Does not properly comment XML suppressions
- DevSkim pipelines are not publishing extension artifacts
- Guidance for 172411 is missing HOT 1
- Support Suppressions for file types without comments HOT 1
- Add Export Report option to IDE HOT 3
- Console output provides guidance link with . at the end of it. HOT 1
- Document rule ID HOT 3
- No "Scanned Files" Displayed HOT 2
- Devskim is only reporting errors with no severity HOT 6
- Populate Security-Severity Value
- [False Positive] DS126858 flagging --nomd5 HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from devskim.