Provide a Marketplace task for use by Azure DevOps #52

Open
phatcher opened this issue Jan 3, 2021 · 6 comments
Labels
enhancement New feature or request Hacktoberfest

Comments

@phatcher

phatcher commented Jan 3, 2021

What is the Feature? Please describe.
Provide a wrapper for the dotnet tool so it can be installed into an Azure DevOps organisation.

Use Case
Most people would not want to modify their projects, but adding a task to a build pipeline is much less intrusive.

Describe alternatives you've considered
Dependabot, nukeeper etc.

@phatcher phatcher added the enhancement New feature or request label Jan 3, 2021
@digitalcoyote
Owner

I'm willing to look into this, but it will be after the other issues are taken care of. I'd like to consider features for various other ecosystems as well.

@digitalcoyote digitalcoyote added the Hold This item may be revisited, but is not going to be worked/merged at this time label Jan 7, 2021
@hacker1db

Hi all, any update on this work?

@digitalcoyote
Owner

@hacker1db not from my end. I'm working on refactoring and adding more vulnerability sources at the moment. Contributions are welcome :)

@digitalcoyote digitalcoyote added Hacktoberfest and removed Hold This item may be revisited, but is not going to be worked/merged at this time labels Sep 29, 2021
@a-teece
Contributor

a-teece commented Jun 15, 2022

@hacker1db This is my intended use of the tool too for efficiency. My plan was to use the ".NET Core Global Tool Installer" task to ensure it is installed on the build server and then just use a ".NET Core" with a custom command or a "Command line" task to run it.

@nitewulf

I'd be happy to work on the marketplace extension - after I figure out how to get it to at least work in my pipeline. I'm installing the tool globally and then running it against my test project using a config file in my template folder after my restore and build tasks. I just see:

dotnet list Errors:

grc_process_control: -v8100 is not parsable as a NuGetVersion String and is not being listed as a version for CVE-2023-0019
grc_process_control: -v1100_700 is not parsable as a NuGetVersion String and is not being listed as a version for CVE-2023-0019
grc_process_control: -v1100_731 is not parsable as a NuGetVersion String and is not being listed as a version for CVE-2023-0019

Similar lines get repeated about 57,000 times

@digitalcoyote
Owner

Those lines indicate it failed to parse a version returned from a vulnerability source. They are generally a non-issue but represent that the source gave a version range that doesn't seem to be a valid NuGet version.

When it caches the version ranges for a vulnerability it tries to read all ranges reported and cache them to avoid repeating API calls for those packages unnecessarily.

I probably need to have those hidden behind a verbosity switch instead of outputting the errors by default.
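
Until such a verbosity switch exists, a pipeline step can collapse the repeated warnings so the rest of the output stays readable. The following is an added example, not code from this thread or from the project; the function name `triage` and the sample list are assumptions, and the message pattern is copied from the warnings quoted above.

```python
import re
from collections import defaultdict

# Message shape copied from the warnings quoted in this thread.
NOISE = re.compile(
    r"^(?P<pkg>\S+): (?P<ver>\S+) is not parsable as a NuGetVersion String "
    r"and is not being listed as a version for (?P<cve>CVE-\d{4}-\d+)$"
)

# Constructed sample: the header and three warnings quoted above, plus one repeat.
SAMPLE = [
    "dotnet list Errors:",
    "",
    "grc_process_control: -v8100 is not parsable as a NuGetVersion String and is not being listed as a version for CVE-2023-0019",
    "grc_process_control: -v1100_700 is not parsable as a NuGetVersion String and is not being listed as a version for CVE-2023-0019",
    "grc_process_control: -v1100_731 is not parsable as a NuGetVersion String and is not being listed as a version for CVE-2023-0019",
    "grc_process_control: -v8100 is not parsable as a NuGetVersion String and is not being listed as a version for CVE-2023-0019",
]


def triage(lines):
    """Split tool output into (other_lines, summary).

    summary maps (package, cve) -> {"count": int, "versions": sorted list}.
    Lines that do not match the warning pattern are passed through untouched,
    so nothing other than the known-noisy message is ever hidden.
    """
    groups = defaultdict(lambda: {"count": 0, "versions": set()})
    other = []
    for raw in lines:
        line = raw.strip()
        match = NOISE.match(line)
        if match:
            group = groups[(match["pkg"], match["cve"])]
            group["count"] += 1
            group["versions"].add(match["ver"])
        elif line:
            other.append(line)
    summary = {
        key: {"count": g["count"], "versions": sorted(g["versions"])}
        for key, g in groups.items()
    }
    return other, summary


if __name__ == "__main__":
    other, summary = triage(SAMPLE)
    for (pkg, cve), info in summary.items():
        print(f"{pkg} / {cve}: {info['count']} warnings, "
              f"{len(info['versions'])} distinct unparsable versions")
    print("\n".join(other))
```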

5 participants