Create fix pull request - NuGet & .NET

README.md

@@ -254,6 +254,8 @@ Supported package management tools:
 
 - Go
 - Maven
+- NuGet
+- .NET
 - npm
 - Pip
 - Pipenv

go.mod

@@ -115,4 +115,6 @@ require (
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 )
 
-// replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 v2.31.1-0.20230824124821-a7f84a425af1
+replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 v2.31.1-0.20230830163227-4abdfd45829f
+
+replace github.com/jfrog/jfrog-client-go => github.com/jfrog/jfrog-client-go v1.28.1-0.20230830130057-df2d2a80b555

go.sum

@@ -881,10 +881,10 @@ github.com/jfrog/froggit-go v1.13.4 h1:+pHq3iNkKFvojXCJ74sDV+UsV4Thsi03dsu36jkS7
 github.com/jfrog/froggit-go v1.13.4/go.mod h1:0jRAaZZusaFFnITosmx6CA60SKryuoaCasJyUrP/c1s=
 github.com/jfrog/gofrog v1.3.0 h1:o4zgsBZE4QyDbz2M7D4K6fXPTBJht+8lE87mS9bw7Gk=
 github.com/jfrog/gofrog v1.3.0/go.mod h1:IFMc+V/yf7rA5WZ74CSbXe+Lgf0iApEQLxRZVzKRUR0=
-github.com/jfrog/jfrog-cli-core/v2 v2.41.4 h1:+V35NN+UaKl6ZFSjAyZFZ4VijCgsORnGsHug02DROdE=
-github.com/jfrog/jfrog-cli-core/v2 v2.41.4/go.mod h1:Mi3WFUzG2CU6tlLpGsMNRaKkhH/tIMuci4tjnPZ9S3M=
-github.com/jfrog/jfrog-client-go v1.31.6 h1:uWuyT4BDm9s5ES6oDTBny9Gl6yf8iKFjcbmHSHQZrDc=
-github.com/jfrog/jfrog-client-go v1.31.6/go.mod h1:icb00ZJN/mMMNkQduHDkzpqsXH9Flwi3f3COYexq3Nc=
+github.com/jfrog/jfrog-cli-core/v2 v2.31.1-0.20230830163227-4abdfd45829f h1:21oeyFquM/dHQwIr6g/sUk4I66t94/2Os7plYNoLEME=
+github.com/jfrog/jfrog-cli-core/v2 v2.31.1-0.20230830163227-4abdfd45829f/go.mod h1:kaFzB3X83/jdzMcuGOYOaqnlz5MVTnDYt/asrOsCv18=
+github.com/jfrog/jfrog-client-go v1.28.1-0.20230830130057-df2d2a80b555 h1:yaF5J4LNk+ws5+j+BFMJ43NMqpKuCtF7dUfCeGLttl8=
+github.com/jfrog/jfrog-client-go v1.28.1-0.20230830130057-df2d2a80b555/go.mod h1:icb00ZJN/mMMNkQduHDkzpqsXH9Flwi3f3COYexq3Nc=
 github.com/jordan-wright/email v4.0.1-0.20210109023952-943e75fe5223+incompatible h1:jdpOPRN1zP63Td1hDQbZW73xKmzDvZHzVdNYxhnTMDA=
 github.com/jordan-wright/email v4.0.1-0.20210109023952-943e75fe5223+incompatible/go.mod h1:1c7szIrayyPPB/987hsnvNzLushdWf4o/79s3P08L8A=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=

packagehandlers/commonpackagehandler.go

@@ -30,6 +30,8 @@ func GetCompatiblePackageHandler(vulnDetails *utils.VulnerabilityDetails, detail
 		handler = &PythonPackageHandler{pipRequirementsFile: details.PipRequirementsFile}
 	case coreutils.Maven:
 		handler = &MavenPackageHandler{depsRepo: details.DepsRepo, ServerDetails: details.ServerDetails}
+	case coreutils.Nuget:
+		handler = &NugetPackageHandler{}
 	default:
 		handler = &UnsupportedPackageHandler{}
 	}
@@ -44,18 +46,27 @@ func (cph *CommonPackageHandler) UpdateDependency(vulnDetails *utils.Vulnerabili
 	impactedPackage := strings.ToLower(vulnDetails.ImpactedDependencyName)
 	commandArgs := []string{installationCommand}
 	commandArgs = append(commandArgs, extraArgs...)
-	operator := vulnDetails.Technology.GetPackageOperator()
-	fixedPackage := impactedPackage + operator + vulnDetails.SuggestedFixedVersion
-	commandArgs = append(commandArgs, fixedPackage)
-	return runPackageMangerCommand(vulnDetails.Technology.GetExecCommandName(), commandArgs)
+	versionOperator := vulnDetails.Technology.GetPackageVersionOperator()
+	fixedPackageArgs := getFixedPackage(impactedPackage, versionOperator, vulnDetails.SuggestedFixedVersion)
+	commandArgs = append(commandArgs, fixedPackageArgs...)
+	return runPackageMangerCommand(vulnDetails.Technology.GetExecCommandName(), vulnDetails.Technology.ToString(), commandArgs)
 }
 
-func runPackageMangerCommand(commandName string, commandArgs []string) error {
+func runPackageMangerCommand(commandName string, techName string, commandArgs []string) error {
 	fullCommand := commandName + " " + strings.Join(commandArgs, " ")
 	log.Debug(fmt.Sprintf("Running '%s'", fullCommand))
 	output, err := exec.Command(commandName, commandArgs...).CombinedOutput() // #nosec G204
 	if err != nil {
-		return fmt.Errorf("%s command failed: %s\n%s", fullCommand, err.Error(), output)
+		return fmt.Errorf("failed to update %s dependency: '%s' command failed: %s\n%s", techName, fullCommand, err.Error(), output)
 	}
 	return nil
 }
+
+// Returns the updated package and version as it should be run in the update command:
+// If the package manager expects a single string (example: <packName>@<version>) it returns []string{<packName>@<version>}
+// If the command args suppose to be seperated by spaces (example: <packName> -v <version>) it returns []string{<packName>, "-v", <version>}
+func getFixedPackage(impactedPackage string, versionOperator string, suggestedFixedVersion string) (fixedPackageArgs []string) {
+	fixedPackageString := strings.TrimSpace(impactedPackage) + versionOperator + strings.TrimSpace(suggestedFixedVersion)
+	fixedPackageArgs = strings.Split(fixedPackageString, " ")
+	return
+}

packagehandlers/nugetpackagehandler.go

@@ -0,0 +1,27 @@
+package packagehandlers
+
+import (
+	"github.com/jfrog/frogbot/utils"
+)
+
+const dotnetPackageUpgradeExtraArg = "package"
+
+type NugetPackageHandler struct {
+	CommonPackageHandler
+}
+
+func (nph *NugetPackageHandler) UpdateDependency(vulnDetails *utils.VulnerabilityDetails) error {
+	if vulnDetails.IsDirectDependency {
+		return nph.updateDirectDependency(vulnDetails)
+	}
+
+	return &utils.ErrUnsupportedFix{
+		PackageName:  vulnDetails.ImpactedDependencyName,
+		FixedVersion: vulnDetails.SuggestedFixedVersion,
+		ErrorType:    utils.IndirectDependencyFixNotSupported,
+	}
+}
+
+func (nph *NugetPackageHandler) updateDirectDependency(vulnDetails *utils.VulnerabilityDetails) (err error) {
+	return nph.CommonPackageHandler.UpdateDependency(vulnDetails, vulnDetails.Technology.GetPackageInstallationCommand(), dotnetPackageUpgradeExtraArg)
+}

packagehandlers/packagehandlers_test.go

@@ -197,6 +197,27 @@ func TestUpdateDependency(t *testing.T) {
 				fixSupported: false,
 			},
 		},
+
+		// NuGet test cases
+		{
+			{
+				// This test case directs to non-existing directory. It only checks if the dependency update is blocked if the vulnerable dependency is not a direct dependency
+				vulnDetails: &utils.VulnerabilityDetails{
+					SuggestedFixedVersion:       "1.1.1",
+					IsDirectDependency:          false,
+					VulnerabilityOrViolationRow: formats.VulnerabilityOrViolationRow{Technology: coreutils.Nuget, ImpactedDependencyName: "snappier"},
+				},
+				fixSupported: false,
+			},
+			{
+				vulnDetails: &utils.VulnerabilityDetails{
+					SuggestedFixedVersion:       "1.1.1",
+					IsDirectDependency:          true,
+					VulnerabilityOrViolationRow: formats.VulnerabilityOrViolationRow{Technology: coreutils.Nuget, ImpactedDependencyName: "snappier"},
+				},
+				fixSupported: true,
+			},
+		},
 	}
 
 	for _, testBatch := range testCases {
@@ -550,3 +571,30 @@ func uniquePackageManagerChecks(t *testing.T, test dependencyFixTest) {
 	default:
 	}
 }
+
+func TestGetFixedPackage(t *testing.T) {
+	var testcases = []struct {
+		impactedPackage       string
+		versionOperator       string
+		suggestedFixedVersion string
+		expectedOutput        []string
+	}{
+		{
+			impactedPackage:       "snappier",
+			versionOperator:       " -v ",
+			suggestedFixedVersion: "1.1.1",
+			expectedOutput:        []string{"snappier", "-v", "1.1.1"},
+		},
+		{
+			impactedPackage:       "json",
+			versionOperator:       "@",
+			suggestedFixedVersion: "10.0.0",
+			expectedOutput:        []string{"[email protected]"},
+		},
+	}
+
+	for _, test := range testcases {
+		fixedPackageArgs := getFixedPackage(test.impactedPackage, test.versionOperator, test.suggestedFixedVersion)
+		assert.Equal(t, test.expectedOutput, fixedPackageArgs)
+	}
+}

packagehandlers/pythonpackagehandler.go

@@ -56,7 +56,7 @@ func (py *PythonPackageHandler) handlePoetry(vulnDetails *utils.VulnerabilityDet
 		return
 	}
 	// Update Poetry lock file as well
-	return runPackageMangerCommand(coreutils.Poetry.GetExecCommandName(), []string{"update"})
+	return runPackageMangerCommand(coreutils.Poetry.GetExecCommandName(), coreutils.Poetry.ToString(), []string{"update"})
 }
 
 func (py *PythonPackageHandler) handlePip(vulnDetails *utils.VulnerabilityDetails) (err error) {

scanrepository/scanrepository_test.go

@@ -56,8 +56,8 @@ var testPackagesData = []struct {
 		commandArgs: []string{"install"},
 	},
 	{
-		packageType: coreutils.Dotnet.ToString(),
-		commandName: "dotnet",
+		packageType: coreutils.Nuget.ToString(),
+		commandName: "nuget",
 		commandArgs: []string{"restore"},
 	},
 	{

testdata/projects/nuget/Program.cs

@@ -0,0 +1,2 @@
+// See https://aka.ms/new-console-template for more information
+Console.WriteLine("Hello, World!");

testdata/projects/nuget/nuget.csproj

@@ -0,0 +1,14 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <OutputType>Exe</OutputType>
+    <TargetFramework>net6.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="snappier" Version="1.1.0" />
+  </ItemGroup>
+
+</Project>

testdata/projects/nuget/obj/nuget.csproj.nuget.dgspec.json

@@ -0,0 +1,67 @@
+{
+  "format": 1,
+  "restore": {
+    "/Users/erant/Desktop/jfrog/frogbot/testdata/projects/nuget/nuget.csproj": {}
+  },
+  "projects": {
+    "/Users/erant/Desktop/jfrog/frogbot/testdata/projects/nuget/nuget.csproj": {
+      "version": "1.0.0",
+      "restore": {
+        "projectUniqueName": "/Users/erant/Desktop/jfrog/frogbot/testdata/projects/nuget/nuget.csproj",
+        "projectName": "nuget",
+        "projectPath": "/Users/erant/Desktop/jfrog/frogbot/testdata/projects/nuget/nuget.csproj",
+        "packagesPath": "/Users/erant/.nuget/packages/",
+        "outputPath": "/Users/erant/Desktop/jfrog/frogbot/testdata/projects/nuget/obj/",
+        "projectStyle": "PackageReference",
+        "configFilePaths": [
+          "/Users/erant/.nuget/NuGet/NuGet.Config"
+        ],
+        "originalTargetFrameworks": [
+          "net6.0"
+        ],
+        "sources": {
+          "https://api.nuget.org/v3/index.json": {}
+        },
+        "frameworks": {
+          "net6.0": {
+            "targetAlias": "net6.0",
+            "projectReferences": {}
+          }
+        },
+        "warningProperties": {
+          "warnAsError": [
+            "NU1605"
+          ]
+        }
+      },
+      "frameworks": {
+        "net6.0": {
+          "targetAlias": "net6.0",
+          "dependencies": {
+            "snappier": {
+              "target": "Package",
+              "version": "[1.1.0, )"
+            }
+          },
+          "imports": [
+            "net461",
+            "net462",
+            "net47",
+            "net471",
+            "net472",
+            "net48",
+            "net481"
+          ],
+          "assetTargetFallback": true,
+          "warn": true,
+          "frameworkReferences": {
+            "Microsoft.NETCore.App": {
+              "privateAssets": "all"
+            }
+          },
+          "runtimeIdentifierGraphPath": "/usr/local/share/dotnet/sdk/6.0.413/RuntimeIdentifierGraph.json"
+        }
+      }
+    }
+  }
+}

testdata/projects/nuget/obj/nuget.csproj.nuget.g.props

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="utf-8" standalone="no"?>
+<Project ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup Condition=" '$(ExcludeRestorePackageImports)' != 'true' ">
+    <RestoreSuccess Condition=" '$(RestoreSuccess)' == '' ">True</RestoreSuccess>
+    <RestoreTool Condition=" '$(RestoreTool)' == '' ">NuGet</RestoreTool>
+    <ProjectAssetsFile Condition=" '$(ProjectAssetsFile)' == '' ">$(MSBuildThisFileDirectory)project.assets.json</ProjectAssetsFile>
+    <NuGetPackageRoot Condition=" '$(NuGetPackageRoot)' == '' ">/Users/erant/.nuget/packages/</NuGetPackageRoot>
+    <NuGetPackageFolders Condition=" '$(NuGetPackageFolders)' == '' ">/Users/erant/.nuget/packages/</NuGetPackageFolders>
+    <NuGetProjectStyle Condition=" '$(NuGetProjectStyle)' == '' ">PackageReference</NuGetProjectStyle>
+    <NuGetToolVersion Condition=" '$(NuGetToolVersion)' == '' ">6.3.3</NuGetToolVersion>
+  </PropertyGroup>
+  <ItemGroup Condition=" '$(ExcludeRestorePackageImports)' != 'true' ">
+    <SourceRoot Include="/Users/erant/.nuget/packages/" />
+  </ItemGroup>
+</Project>

testdata/projects/nuget/obj/nuget.csproj.nuget.g.targets

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="utf-8" standalone="no"?>
+<Project ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" />

testdata/projects/nuget/obj/project.assets.json

@@ -0,0 +1,107 @@
+{
+  "version": 3,
+  "targets": {
+    "net6.0": {
+      "Snappier/1.1.0": {
+        "type": "package",
+        "compile": {
+          "lib/net6.0/Snappier.dll": {
+            "related": ".xml"
+          }
+        },
+        "runtime": {
+          "lib/net6.0/Snappier.dll": {
+            "related": ".xml"
+          }
+        }
+      }
+    }
+  },
+  "libraries": {
+    "Snappier/1.1.0": {
+      "sha512": "ws78FoXdwY5rTwoSqpdl9HFpgSU4ih0byThG2+s+Bm1VSfyhkQxOdrV0aWQ1R1MptA8EwAcrnn3Mh0GkFSssxA==",
+      "type": "package",
+      "path": "snappier/1.1.0",
+      "files": [
+        ".nupkg.metadata",
+        ".signature.p7s",
+        "COPYING.txt",
+        "lib/net6.0/Snappier.dll",
+        "lib/net6.0/Snappier.xml",
+        "lib/net7.0/Snappier.dll",
+        "lib/net7.0/Snappier.xml",
+        "lib/netstandard2.0/Snappier.dll",
+        "lib/netstandard2.0/Snappier.xml",
+        "snappier.1.1.0.nupkg.sha512",
+        "snappier.nuspec"
+      ]
+    }
+  },
+  "projectFileDependencyGroups": {
+    "net6.0": [
+      "snappier >= 1.1.0"
+    ]
+  },
+  "packageFolders": {
+    "/Users/erant/.nuget/packages/": {}
+  },
+  "project": {
+    "version": "1.0.0",
+    "restore": {
+      "projectUniqueName": "/Users/erant/Desktop/jfrog/frogbot/testdata/projects/nuget/nuget.csproj",
+      "projectName": "nuget",
+      "projectPath": "/Users/erant/Desktop/jfrog/frogbot/testdata/projects/nuget/nuget.csproj",
+      "packagesPath": "/Users/erant/.nuget/packages/",
+      "outputPath": "/Users/erant/Desktop/jfrog/frogbot/testdata/projects/nuget/obj/",
+      "projectStyle": "PackageReference",
+      "configFilePaths": [
+        "/Users/erant/.nuget/NuGet/NuGet.Config"
+      ],
+      "originalTargetFrameworks": [
+        "net6.0"
+      ],
+      "sources": {
+        "https://api.nuget.org/v3/index.json": {}
+      },
+      "frameworks": {
+        "net6.0": {
+          "targetAlias": "net6.0",
+          "projectReferences": {}
+        }
+      },
+      "warningProperties": {
+        "warnAsError": [
+          "NU1605"
+        ]
+      }
+    },
+    "frameworks": {
+      "net6.0": {
+        "targetAlias": "net6.0",
+        "dependencies": {
+          "snappier": {
+            "target": "Package",
+            "version": "[1.1.0, )"
+          }
+        },
+        "imports": [
+          "net461",
+          "net462",
+          "net47",
+          "net471",
+          "net472",
+          "net48",
+          "net481"
+        ],
+        "assetTargetFallback": true,
+        "warn": true,
+        "frameworkReferences": {
+          "Microsoft.NETCore.App": {
+            "privateAssets": "all"
+          }
+        },
+        "runtimeIdentifierGraphPath": "/usr/local/share/dotnet/sdk/6.0.413/RuntimeIdentifierGraph.json"
+      }
+    }
+  }
+}