Set proper exit code on dotnet list package --vulnerable to enable usage in CI pipelines
#16852
Comments
|
I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label. |
|
We're currently using @rajbos this feature was added in #13318. It looks like this is just being forwarded to NuGet. |
|
Comparing this with npm, |
|
This was quite unexpected. We will now check the output for the absence of |
|
This is really disappointing, I can't really recall but there was another dotnet call that really doesn't work well with DevOps scripts. In today's world the automation capability must be a first class citizen. @PSanetra , about covering multiple projects, we can check |
baronfel
added
the
cli-ux
|
@omeryesil The problem with checking for |
|
@PSanetra totally agree with you, but i think it is the only way at the moment unless we use another tool like sonarqube, synk, etc.. |
|
Hi, As a workaround, I use these lines to make my (linux-based) CI work: So yes, it may break with future dotnet versions but since I'm very optimistic, I hope dotnet will implement a correct return code so my added line will never be executed 😉. |
|
@JonDouglas - This sounds related to the "nuget audit" command that you are thinking of. |
|
Hi all, I wrote a proposal for this sometime last year I published a couple months ago. If this would fill the gap, please upvote or comment appropriately Thanks! |
|
Thanks for creating this issue! We believe this issue is related to NuGet tooling, which is maintained by the NuGet team. Thus, we closed this one and encourage you to raise this issue in the NuGet repository instead. Don’t forget to check out NuGet’s contributing guide before submitting an issue! If you believe this issue was closed out of error, please comment to let us know. Happy Coding! |
ghost
closed this as 
|
Similar issue opened with NuGet.Client: NuGet/Home#11781 |
|
To add to this discussion, I found this issue and adopted @mrjoops answer a bit. The echo parts are specific for Azure pipelines, but it might be helpful to others: dotnet restore
dotnet list package --vulnerable --include-transitive | tee vulnerable.out
vulnCritical=`grep -o -i 'Critical' vulnerable.out | wc -l`
vulnHigh=`grep -o -i 'High' vulnerable.out | wc -l`
vulnModerate=`grep -o -i 'Moderate' vulnerable.out | wc -l`
vulnLow=`grep -o -i 'Low' vulnerable.out | wc -l`
vulnTotal=`grep -o -i 'Critical\|High\|Moderate\|Low' vulnerable.out | wc -l`
if [[ $vulnTotal != 0 ]]; then
echo "##vso[task.logissue type=error;]There are vulnarabilities found: Critical($vulnCritical) - High($vulnHigh) - Moderate($vulnModerate) - Low($vulnLow)"
echo "##vso[task.complete result=Failed;]Text"
fi |
Running
dotnet list package --vulnerabledoes not use the exit code to indicate issues. I'd think vulnerable packages with medium / high severity would at least be returned with an exitcode <> 0.Usage example:
I want to include this command in our CI pipeline to enable a shift left mentality and warn us earlier about possible vulnerabilities. Currently the only option I see is parsing the result for something like
has the following vulnerable packages.Alternatively I can image adding a parameter to return either a number of vulnerable packages (that we can then test to larger then 0) or a json object we can parse the right way to look for the numbers per severity.
I've been searching the source code but could not find where to look for the exit code setup 😁 .
The text was updated successfully, but these errors were encountered: