RetireRuntimeMiddleware

Release 0.5.0

An ASP.NET Core middleware to report vulnerable runtimes

Homepage NuGet C# Download

Keywords
dotnet, retire, vulnerable, scanning, security, aspnetcore, audit, dotnet-core, dotnetcore, runtime
License
MIT
Install
Install-Package RetireRuntimeMiddleware -Version 0.5.0

Documentation

Build status

Build

Components

  • NuGet NuGet RetireNet.Runtimes.Middleware

  • NuGet NuGet RetireNet.Runtimes.BackgroundServices

dotnet-retire

❗️DEPRECATED❗️

See this issue for other solutions.

RetireNet.Runtimes.Middleware

We cannot detect the runtime of the app at build time, so to report use of vulnerable runtimes the app itself, the host itself can provide us reports

Install

$ dotnet add package RetireNet.Runtimes.Middleware

Usage

Add it to your ASP.NET Core pipeline on your preferred path:

app.Map("/report", a => a.UseRuntimeVulnerabilityReport());

What does it do?

It will fetch the releases listed in the official metadata API provided by Microsoft, and check if your app is running on a runtime with known CVEs.

Metadata endpoint used: https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/releases-index.json

Sample output

An app running on the vulnerable 2.1.11 runtime on macOS:

{
    "isVulnerable": true,
    "appRuntimeDetails": {
        "os": "OSX",
        "osPlatform": "Darwin 18.6.0 Darwin Kernel Version 18.6.0: Thu Apr 25 23:16:27 PDT 2019; root:xnu-4903.261.4~2/RELEASE_X86_64",
        "osArchitecture": "X64",
        "osBits": "64",
        "appTargetFramework": ".NETCoreApp,Version=v2.1",
        "appRuntimeVersion": "2.1.11",
        "appBits": "64"
    },
    "securityRelease": {
        "runtimeVersion": "2.1.13",
        "cvEs": [
            {
                "cve-id": " CVE-2018-8269",
                "cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8269"
            },
            {
                "cve-id": " CVE-2019-1301",
                "cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1301"
            },
            {
                "cve-id": " CVE-2019-1302",
                "cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1302"
            }
        ]
    }
}

RetireNet.Runtimes.BackgroundServices

This is the same report as for the middleware, only logging it using the configured ILogger as a WARN log statment.

Install

$ dotnet add package RetireNet.Runtimes.BackgroundServices

Usage

Register it into the container, and provide it a interval in milliseconds how often you would like the check to execute.

services.AddRetireRuntimeHostedService(c => c.CheckInterval = 60000)

What does it do?

The same as for the middleware endpoint.

Sample output

An app running on the vulnerable 2.1.11 runtime on macOS, using the ConsoleLogger:

warn: RetireNet.Runtimes.BackgroundServices.RetireRuntimeBackgroundService[0]
      Running on vulnerable runtime 2.1.11. Security release 2.1.13

Stats

Dependencies
2
Dependent packages
0
Dependent repositories
0
Total releases
6
Latest release
First release
Stars
173
Forks
20
Watchers
10
Contributors
5
Repository size
379 KB
SourceRank
5

Development practices

Source repo 2FA enabled
TEXT!
Package manager 2FA enabled
TEXT!
Is security responsive
TEXT!
Dependencies are managed
TEXT!
Issue-free release available
TEXT!
Succession plan available
TEXT!
Package manager 2FA enabled
TEXT!

The Tidelift Subscription provides access to a continuously curated stream of human-researched and maintainer-verified data on open source packages and their licenses, releases, vulnerabilities, and development practices.

Learn more

Releases

0.1.0
0.2.0
0.2.1
0.3.0
0.4.0
0.5.0

Contributors

John Korsnes Tobias Sibera Julian Verdurmen Mads Nyborg twsl


See all contributors

Something wrong with this page? Make a suggestion

Export .ABOUT file for this package

Last synced: 2021-03-05 12:45:59 UTC

Login to resync this project