✨ add support for Nuget ad-hoc commands (add/install) in Pinned Dependency checks

checker/raw_result.go

@@ -97,8 +97,10 @@ const (
 	DependencyUseTypeChocoCommand DependencyUseType = "chocoCommand"
 	// DependencyUseTypeNpmCommand is an npm command.
 	DependencyUseTypeNpmCommand DependencyUseType = "npmCommand"
-	// DependencyUseTypePipCommand is a pipp command.
+	// DependencyUseTypePipCommand is a pip command.
 	DependencyUseTypePipCommand DependencyUseType = "pipCommand"
+	// DependencyUseTypeNugetCommand is a nuget command.
+	DependencyUseTypeNugetCommand DependencyUseType = "nugetCommand"
 )
 
 // PinningDependenciesData represents pinned dependency data.

checks/raw/pinned_dependencies_test.go

@@ -261,7 +261,7 @@ func TestGithubWorkflowPkgManagerPinning(t *testing.T) {
 		{
 			name:     "npm packages without verification",
 			filename: "./testdata/.github/workflows/github-workflow-pkg-managers.yaml",
-			warns:    46,
+			warns:    49,
 		},
 	}
 	for _, tt := range tests {
@@ -819,6 +819,24 @@ func TestShellscriptInsecureDownloadsLineNumber(t *testing.T) {
 					endLine:   56,
 					t:         checker.DependencyUseTypePipCommand,
 				},
+				{
+					snippet:   "nuget install some-package",
+					startLine: 59,
+					endLine:   59,
+					t:         checker.DependencyUseTypeNugetCommand,
+				},
+				{
+					snippet:   "dotnet add package some-package",
+					startLine: 63,
+					endLine:   63,
+					t:         checker.DependencyUseTypeNugetCommand,
+				},
+				{
+					snippet:   "dotnet add SomeProject package some-package",
+					startLine: 64,
+					endLine:   64,
+					t:         checker.DependencyUseTypeNugetCommand,
+				},
 			},
 		},
 	}
@@ -971,7 +989,7 @@ func TestDockerfileScriptDownload(t *testing.T) {
 		{
 			name:     "pkg managers",
 			filename: "./testdata/Dockerfile-pkg-managers",
-			warns:    57,
+			warns:    60,
 		},
 		{
 			name:     "download with some python",
@@ -1089,7 +1107,7 @@ func TestShellScriptDownload(t *testing.T) {
 		{
 			name:     "pkg managers",
 			filename: "./testdata/script-pkg-managers",
-			warns:    53,
+			warns:    56,
 		},
 		{
 			name:     "invalid shell script",

checks/raw/shell_download_validate.go

@@ -45,8 +45,9 @@ var (
 	pythonInterpreters = []string{"python", "python3", "python2.7"}
 	shellInterpreters  = append([]string{"exec", "su"}, shellNames...)
 	otherInterpreters  = []string{"perl", "ruby", "php", "node", "nodejs", "java"}
-	interpreters       = append(otherInterpreters,
-		append(shellInterpreters, append(shellNames, pythonInterpreters...)...)...)
+	dotnetInterpreters = []string{"dotnet", "nuget"}
+	interpreters       = append(dotnetInterpreters, append(otherInterpreters,
+		append(shellInterpreters, append(shellNames, pythonInterpreters...)...)...)...)
 )
 
 // Note: aws is handled separately because it uses different
@@ -696,6 +697,93 @@ func isChocoUnpinnedDownload(cmd []string) bool {
 	return true
 }
 
+func isUnpinnedNugetCliInstall(cmd []string) bool {
+	// looking for command of type nuget install ...
+	if len(cmd) < 2 {
+		return false
+	}
+
+	// Search for nuget commands.
+	if !isBinaryName("nuget", cmd[0]) && !isBinaryName("nuget.exe", cmd[0]) {
+		return false
+	}
+
+	// Search for install commands.
+	if !strings.EqualFold(cmd[1], "install") {
+		return false
+	}
+
+	// Assume installing a project with PackageReference (with versions)
+	// or packages.config at the root of command
+	if len(cmd) == 2 {
+		return false
+	}
+
+	// Assume that the script is installing from a packages.config file (with versions)
+	// package.config schema has required version field
+	// https://learn.microsoft.com/en-us/nuget/reference/packages-config#schema
+	// and Nuget follows Semantic Versioning 2.0.0 (versions are immutable)
+	// https://learn.microsoft.com/en-us/nuget/concepts/package-versioning#semantic-versioning-200
+	if strings.HasSuffix(cmd[2], "packages.config") {
+		return false
+	}
+
+	unpinnedDependency := true
+	for i := 2; i < len(cmd); i++ {
+		// look for version flag
+		if strings.EqualFold(cmd[i], "-Version") {
+			unpinnedDependency = false
+			break
+		}
+	}
+
+	return unpinnedDependency
+}
+
+func isUnpinnedDotNetCliInstall(cmd []string) bool {
+	// Search for command of type dotnet add <PROJECT> package <PACKAGE_NAME>
+	if len(cmd) < 4 {
+		return false
+	}
+	// Search for dotnet commands.
+	if !isBinaryName("dotnet", cmd[0]) && !isBinaryName("dotnet.exe", cmd[0]) {
+		return false
+	}
+
+	// Search for add commands.
+	if !strings.EqualFold(cmd[1], "add") {
+		return false
+	}
+
+	// Search for package commands (can be either the second or the third word)
+	if !(strings.EqualFold(cmd[2], "package") || strings.EqualFold(cmd[3], "package")) {
+		return false
+	}
+
+	unpinnedDependency := true
+	for i := 3; i < len(cmd); i++ {
+		// look for version flag
+		// https://learn.microsoft.com/en-us/dotnet/core/tools/dotnet-add-package
+		if strings.EqualFold(cmd[i], "-v") || strings.EqualFold(cmd[i], "--version") {
+			unpinnedDependency = false
+			break
+		}
+	}
+	return unpinnedDependency
+}
+
+func isNugetUnpinnedDownload(cmd []string) bool {
+	if isUnpinnedDotNetCliInstall(cmd) {
+		return true
+	}
+
+	if isUnpinnedNugetCliInstall(cmd) {
+		return true
+	}
+
+	return false
+}
+
 func collectUnpinnedPakageManagerDownload(startLine, endLine uint, node syntax.Node,
 	cmd, pathfn string, r *checker.PinningDependenciesData,
 ) {
@@ -782,6 +870,24 @@ func collectUnpinnedPakageManagerDownload(startLine, endLine uint, node syntax.N
 
 		return
 	}
+
+	// Nuget install.
+	if isNugetUnpinnedDownload(c) {
+		r.Dependencies = append(r.Dependencies,
+			checker.Dependency{
+				Location: &checker.File{
+					Path:      pathfn,
+					Type:      finding.FileTypeSource,
+					Offset:    startLine,
+					EndOffset: endLine,
+					Snippet:   cmd,
+				},
+				Type: checker.DependencyUseTypeNugetCommand,
+			},
+		)
+
+		return
+	}
 	// TODO(laurent): add other package managers.
 }
 

checks/raw/shell_download_validate_test.go

@@ -107,6 +107,109 @@ func TestValidateShellFile(t *testing.T) {
 	}
 }
 
+func Test_isDotNetUnpinnedDownload(t *testing.T) {
+	type args struct {
+		cmd []string
+	}
+	tests := []struct {
+		name string
+		args args
+		want bool
+	}{
+		{
+			name: "nuget install",
+			args: args{
+				cmd: []string{"nuget", "install", "Newtonsoft.Json"},
+			},
+			want: true,
+		},
+		{
+			name: "nuget restore",
+			args: args{
+				cmd: []string{"nuget", "restore"},
+			},
+			want: false,
+		},
+		{
+			name: "nuget install with -Version",
+			args: args{
+				cmd: []string{"nuget", "install", "Newtonsoft.Json", "-Version", "2"},
+			},
+			want: false,
+		},
+		{
+			name: "nuget install with packages.config",
+			args: args{
+				cmd: []string{"nuget", "install", "config\\packages.config"},
+			},
+			want: false,
+		},
+		{
+			name: "dotnet add",
+			args: args{
+				cmd: []string{"dotnet", "add", "package", "Newtonsoft.Json"},
+			},
+			want: true,
+		},
+		{
+			name: "dotnet add to project",
+			args: args{
+				cmd: []string{"dotnet", "add", "project1", "package", "Newtonsoft.Json"},
+			},
+			want: true,
+		},
+		{
+			name: "dotnet add reference to project",
+			args: args{
+				cmd: []string{"dotnet", "add", "project1", "reference", "OtherProject"},
+			},
+			want: false,
+		},
+		{
+			name: "dotnet build",
+			args: args{
+				cmd: []string{"dotnet", "build"},
+			},
+			want: false,
+		},
+		{
+			name: "dotnet add with -v",
+			args: args{
+				cmd: []string{"dotnet", "add", "package", "Newtonsoft.Json", "-v", "2.0"},
+			},
+			want: false,
+		},
+		{
+			name: "dotnet add to project with -v",
+			args: args{
+				cmd: []string{"dotnet", "add", "project1", "package", "Newtonsoft.Json", "-v", "2.0"},
+			},
+			want: false,
+		},
+		{
+			name: "dotnet add reference to project with -v",
+			args: args{
+				cmd: []string{"dotnet", "add", "project1", "reference", "Newtonsoft.Json", "-v", "2.0"},
+			},
+			want: false,
+		},
+		{
+			name: "dotnet add with --version",
+			args: args{
+				cmd: []string{"dotnet", "add", "package", "Newtonsoft.Json", "--version", "2.0"},
+			},
+			want: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := isNugetUnpinnedDownload(tt.args.cmd); got != tt.want {
+				t.Errorf("isNugetUnpinnedDownload() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
 func Test_isGoUnpinnedDownload(t *testing.T) {
 	type args struct {
 		cmd []string

checks/raw/testdata/.github/workflows/github-workflow-pkg-managers.yaml

@@ -161,4 +161,26 @@ jobs:
       - name:
         run: choco install --requirechecksums 'some-package'
       - name:
-        run: choco install --require-checksums 'some-package'
+        run: choco install --require-checksums 'some-package'
+      - name:
+        run: nuget install 'some-package'
+      - name:
+        run: nuget restore
+      - name:
+        run: dotnet add package 'some-package'
+      - name:
+        run: dotnet add SomeProject package 'some-package'
+      - name:
+        run: nuget install 'some-package' -Version 1.2.3
+      - name:
+        run: nuget install packages.config
+      - name:
+        run: nuget install packages/packages.config
+      - name:
+        run: dotnet add package 'some-package' -v 1.2.3
+      - name:
+        run: dotnet build
+      - name:
+        run: dotnet add package 'some-package' --version 1.2.3
+      - name:
+        run: dotnet add SomeProject package 'some-package' --version 1.2.3

checks/raw/testdata/Dockerfile-pkg-managers

@@ -122,4 +122,16 @@ RUN choco install 'some-package'
 RUN choco install 'some-other-package'
 RUN choco install --requirechecksum 'some-package'
 RUN choco install --requirechecksums 'some-package'
-RUN choco install --require-checksums 'some-package'
+RUN choco install --require-checksums 'some-package'
+
+
+RUN nuget install some-package
+RUN nuget restore
+RUN nuget install some-package -Version 1.2.3
+RUN nuget install packages.config
+RUN dotnet add package some-package
+RUN dotnet add SomeProject package some-package
+RUN dotnet build
+RUN dotnet add package some-package -v 1.2.3
+RUN dotnet add package some-package --version 1.2.3
+RUN dotnet add SomeProject package some-package --version 1.2.3

checks/raw/testdata/script-pkg-managers

@@ -123,3 +123,13 @@ choco install 'some-other-package'
 choco install --requirechecksum 'some-package'
 choco install --requirechecksums 'some-package'
 choco install --require-checksums 'some-package'
+
+nuget install some-package
+nuget restore
+nuget install some-package -Version 1.2.3
+nuget install packages.config
+dotnet add package some-package
+dotnet add SomeProject package some-package
+dotnet build
+dotnet add package some-package -v 1.2.3
+dotnet add package some-package --version 1.2.3

checks/raw/testdata/shell-download-lines.sh

@@ -54,4 +54,14 @@ pip install --no-deps -e . git+https://github.com/username/repo.git
 pip install --no-deps -e . git+https://github.com/username/repo.git@0123456789abcdef0123456789abcdef01234567#egg=package
 
 python -m pip install --no-deps -e git+https://github.com/username/repo.git
-python -m pip install --no-deps -e git+https://github.com/username/repo.git@0123456789abcdef0123456789abcdef01234567#egg=package
+python -m pip install --no-deps -e git+https://github.com/username/repo.git@0123456789abcdef0123456789abcdef01234567#egg=package
+
+nuget install some-package
+nuget restore
+nuget install some-package -Version 1.2.3
+nuget install packages.config
+dotnet add package some-package
+dotnet add SomeProject package some-package
+dotnet build
+dotnet add package some-package -v 1.2.3
+dotnet add package some-package --version 1.2.3