You can find vulnerabilities in your .NET repositories using Veracode Software Composition Analysis agent-based scanning. You can run a scan on .NET repositories using the agent-based scanning command-line interface or the CI integrations.
For packaging instructions for Veracode Static Analysis and Veracode SCA upload scans, see Packaging .NET Applications.
Scanning a repository that uses .NET and one of its build or package managers requires the ability to assemble the project dependencies within the environment in which you scan the project. This includes the following requirements based on the various package managers:
- Meet the requirements for the Veracode SCA agent.
- Have .NET, NuGet CLI, or MSBuild installed.
- Have CSPROJ, FSPROJ, or VBPROJ files present in the repository.
- Use the PackageReference format to declare NuGet dependencies in PROJ files.
- If project.assets.json files do not exist in the project directory tree, you must be able to run the nuget restore <path>, dotnet restore <path>, or msbuild /restore:true <path> command, where <path> is an absolute or relative path to an SLN or a PROJ file, from the project root.
Running a Scan
git clone https://github.com/srcclr/example-dotnet
Once the code has been cloned to your desktop, point the Veracode SCA CLI agent at the directory of the repository and scan:
# Replace "example-dotnet" with your project folder name
srcclr scan path/to/example-dotnet
To view more verbose output during the scan process, you can add the --loud argument:
srcclr scan path/to/example-dotnet --loud
The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. The command used varies depending on the build or package manager. When the agent evaluates the open-source libraries in use, a summary of the scan results is produced that includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.
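The requirements listed above and the scan command can be folded into one pre-flight script that fails fast before the agent is invoked. The following is an added example written for this page; it is not part of the Veracode documentation or of the srcclr agent. It assumes the srcclr and dotnet executables are on PATH, uses the dotnet restore form from the requirements list, and does not handle project paths that contain whitespace.

```shell
#!/bin/sh
# Pre-flight check for an agent-based scan of a .NET repository.
# Added example; not part of the Veracode documentation or the srcclr agent.
# It verifies the requirements from the list above before calling srcclr:
#   1. at least one .csproj, .fsproj or .vbproj file exists;
#   2. NuGet dependencies are declared with PackageReference
#      (a packages.config file indicates the unsupported legacy format);
#   3. a project.assets.json exists somewhere in the tree, or
#      `dotnet restore` can produce one for every project file.
# Paths containing whitespace are not handled (kept simple for illustration).

# project_files <repo>: print every CSPROJ, FSPROJ and VBPROJ path, one per line.
project_files() {
  find "$1" -type f \( -name '*.csproj' -o -name '*.fsproj' -o -name '*.vbproj' \)
}

# sca_preflight <repo>: returns 0 when the repository is scannable, 1 otherwise,
# printing the first requirement that is not met.
sca_preflight() {
  repo="$1"
  [ -d "$repo" ] || { echo "preflight: $repo is not a directory"; return 1; }

  projs=$(project_files "$repo")
  if [ -z "$projs" ]; then
    echo "preflight: no CSPROJ, FSPROJ or VBPROJ files under $repo"
    return 1
  fi

  # Legacy packages.config projects are not scanned; PackageReference is required.
  if [ -n "$(find "$repo" -type f -name packages.config)" ]; then
    echo "preflight: packages.config found; migrate to PackageReference first"
    return 1
  fi
  if ! grep -l '<PackageReference' $projs 2>/dev/null | grep -q .; then
    echo "preflight: no PackageReference elements in any project file"
    return 1
  fi

  # Without a restored dependency graph the agent has to run a restore itself,
  # so make sure that restore works here and now.
  if [ -z "$(find "$repo" -type f -name project.assets.json)" ]; then
    echo "preflight: no project.assets.json found; restoring"
    command -v dotnet >/dev/null 2>&1 || { echo "preflight: dotnet not installed"; return 1; }
    for p in $projs; do
      dotnet restore "$p" || { echo "preflight: restore failed for $p"; return 1; }
    done
  fi
  return 0
}

# sca_scan <repo>: run the pre-flight check, then the scan with verbose output.
sca_scan() {
  sca_preflight "$1" && srcclr scan "$1" --loud
}
```

Usage: sca_scan path/to/example-dotnet. The check stops at the first unmet requirement so the reason is visible in CI logs instead of a restore error buried in the agent's output.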
By adding a srcclr.yml file to the directory where you point the Veracode SCA agent, you can specify scan directives for scanning your .NET code. The following scan directives are specific to .NET projects:
- Boolean value that skips the restore step for NuGet packages in MSBuild during the scan.
- String value that specifies the .NET toolchain for the Veracode SCA agent to use.
- String value that specifies the full path to a custom .NET CLI executable.
- String value that specifies the full path to a custom MSBuild CLI executable.
- String value that specifies the full path to a custom NuGet CLI executable.
Viewing Scan Results
After completing a scan, the bottom of the output in your terminal includes a link to the Veracode Platform to view the scan results in more detail:
Licenses
  Unique Library Licenses      3
  Libraries Using GPL          0
  Libraries With No License    1

Full Report Details            https://sca.analysiscenter.veracode.com/teams/abzs0qx/scans/22679557
Navigating to this link allows you to view the results of your scan in its entirety.
The scan results are broken down into the following categories:
- Issues - This category includes out-of-date libraries, license violations, and vulnerabilities associated with a specific version of a library within a specific repository.
- Vulnerabilities - This list represents the set of unique vulnerabilities across a specific project. If multiple libraries in a given project are associated with the same vulnerability, the vulnerability appears only once in this list.
- Libraries - This list contains each open-source library that Veracode SCA has identified within a code project.
- Licenses - This view shows the software license information associated with each open-source library in use.
You can find more details on these categories in the Issues, Vulnerabilities, Libraries, and Licenses overview.
Fixing Vulnerability Issues
After viewing the scan results, use the fix instructions that Veracode SCA provides for each vulnerability issue in the web interface.
Fixing a Direct Vulnerability
When a library is referenced directly in your project file (for .NET, a PackageReference in a PROJ file), Veracode SCA refers to the library as a direct dependency. Fixing a vulnerability in a direct dependency using agent-based scanning is simple. Using the example project cloned in Running a Scan, and after having navigated to the project scan results within the Veracode Platform, you can filter the Issues list down to vulnerability issues in direct libraries only.
Validating a Fixed Vulnerability
To validate a fix before committing it, run an agent-based scan on the working tree with the --allow-dirty option, which tells the agent to scan uncommitted changes instead of rejecting them:
srcclr scan /path/to/example-dotnet --allow-dirty
When the vulnerability no longer appears in the scan output, the fix is validated and you can commit your code.
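The two steps above, updating the PackageReference of a direct dependency and re-scanning the uncommitted working tree, can be scripted so the validation is repeatable. The following is an added example written for this page, not code from the Veracode documentation or the srcclr agent. It assumes the PackageReference is written on one line with the Include attribute before the Version attribute, that srcclr is on PATH, and that the scan output names each reported library together with its version (an assumption about the output format, used only for the grep). The package name Example.Library and its versions are placeholders, not a known vulnerable library.

```shell
#!/bin/sh
# Added example (not from the Veracode documentation): bump a direct NuGet
# dependency declared with PackageReference in a project file, then re-scan
# the uncommitted working tree with --allow-dirty and check that the old
# version is no longer reported. Example.Library and the versions used in
# the usage line are placeholders, not a real vulnerability.
# Assumes the PackageReference element is on one line with Include before Version.

# bump_package_reference <proj> <package> <new-version>
# Rewrites <PackageReference Include="<package>" Version="..."/> in place.
# Returns 0 if the element was found and rewritten, 1 otherwise.
bump_package_reference() {
  pf="$1"; pkg="$2"; ver="$3"
  grep -q "<PackageReference Include=\"$pkg\"" "$pf" || {
    echo "bump: $pkg is not a direct dependency in $pf"; return 1; }
  # sed -i is not POSIX; write to a temp file and move it into place.
  out="$pf.tmp.$$"
  sed "s|\(<PackageReference Include=\"$pkg\" Version=\"\)[^\"]*\"|\1$ver\"|" "$pf" > "$out" \
    && mv "$out" "$pf"
}

# current_version <proj> <package>: prints the declared version, empty if absent.
current_version() {
  sed -n "s|.*<PackageReference Include=\"$2\" Version=\"\([^\"]*\)\".*|\1|p" "$1"
}

# scan_reports <repo> <package> <version>: returns 0 when a scan of the
# uncommitted tree still mentions <package> at <version>, 1 when it is gone.
# Relies on the assumption that srcclr prints library name and version together.
scan_reports() {
  srcclr scan "$1" --allow-dirty --loud | grep -q "$2.*$3"
}

# validate_fix <repo> <proj> <package> <bad-version> <fixed-version>
# Applies the bump and re-scans; fails if the old version is still reported,
# which usually means another library pulls it in transitively.
validate_fix() {
  repo="$1"; pf="$2"; pkg="$3"; bad="$4"; fixed="$5"
  bump_package_reference "$pf" "$pkg" "$fixed" || return 1
  if scan_reports "$repo" "$pkg" "$bad"; then
    echo "validate: $pkg $bad still reported; check transitive references"
    return 1
  fi
  echo "validate: $pkg $bad no longer reported; safe to commit"
}

# Usage (placeholder names):
#   validate_fix path/to/example-dotnet path/to/example-dotnet/App.csproj Example.Library 1.0.0 1.0.1
```

Because the scan runs against the working tree, nothing is committed until the old version has disappeared from the output. If it is still reported after a direct bump, the filter for direct libraries in the Veracode Platform will show whether the remaining reference is transitive.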