Dependency Scanning NuGet [4.9+] support using packages.lock.json behind feature flag or not announced until vulnerability DB has content
NOTE if you are a user who also would like to see this feature, please UPVOTE
Problem to solve
.NET Core / C# are both in the top 10 languages used at GitLab and GitHub, and support has been requested by our potential and current users. We need to expand support for ~"Category:Dependency Scanning" in order to support these languages.
This must also work offline.
Please see: Engineering research - Decide next language to add to Dependency Scanning
Intended users
User experience goal
no change, identical to other supported managers
Proposal
- Add NuGet as a supported package manager, and scan packages.lock.json. This file is generated by NuGet when lock files are enabled.
- Add metrics if needed (if #229617 (closed) is finished you may need to; if it is not yet finished, make sure #229617 (closed) includes NuGet)
- In parallel, request that NuGet vulnerabilities be ingested
- Update user documentation when both the scanner is available and security advisories are ingested
Further details
NuGet lock files (packages.lock.json) can be supported in Gemnasium. Users need to configure their .NET project to enable lock files, and add packages.lock.json to their repo. This feature is available with NuGet 4.9 or above and with Visual Studio 2017 15.9 or above.
NuGet uses Semantic Versioning 2.0.0 and a Maven-like syntax for version ranges. All of that could be supported in the Gemnasium vrange library, since we already have SemVer support and Maven support. We might have to implement a new vrange plugin that combines SemVer versions with Maven version ranges, though. We might be able to implement that in Go, in gemnasium/semver.
Dependency file support (as opposed to lock file support) could later be implemented by running nuget to generate the lock file before parsing it. The lock file parser would be reused.
Implementation plan
Add advisories to the vulnerability database:
- provide information about the new package type gitlab-org/security-products/gemnasium-db#137 (closed)
- start ingesting advisories #201781 (closed)
Prepare test project and CI template:
- open an MR that updates the CI templates so that the rules:exists of the scanning job matches the supported dependency file !37553 (merged)
- set up a test project that features the dependency file gitlab-org/security-products/tests/csharp-nuget-dotnetcore!19 (merged)
Update analyzer gitlab-org/security-products/analyzers/gemnasium!87 (merged):
- declare the package type as a Go const
- implement the lock file parser; it is registered with the new package type and the dependency files it supports
- implement the vrange resolver, to match the affected range with the dependency version
- register the version range resolver with the package type
- add a downstream pipeline to the CI config, to use the test project for QA
- release a new version https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/-/releases/v2.13.0
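As an added example of the lock file parser step above (not the gemnasium analyzer's own code), here is a Go parser for the packages.lock.json layout described under Further details: it walks every target framework, skips project references, and merges one record per package and resolved version so a package listed as Direct under one framework stays Direct. The sample lock file is constructed, and rejecting any lock file version other than 1 is an assumption of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// lockFile mirrors packages.lock.json: version -> target framework -> package -> entry.
// "Project" entries are local project references and carry no resolved version.
type lockFile struct {
	Version      int `json:"version"`
	Dependencies map[string]map[string]struct {
		Type     string `json:"type"`     // "Direct", "Transitive" or "Project"
		Resolved string `json:"resolved"` // exact version NuGet restored
	} `json:"dependencies"`
}

// Dependency is the record a scanner hands to the version-range resolver.
type Dependency struct {
	Name, Version string
	Direct        bool
}

// ParseLockFile returns one record per (name, resolved version), merged across
// all target frameworks and sorted so reports are deterministic.
func ParseLockFile(data []byte) ([]Dependency, error) {
	var lf lockFile
	if err := json.Unmarshal(data, &lf); err != nil {
		return nil, err
	}
	if lf.Version != 1 { // assumption: 1 is the only lock file version this example knows
		return nil, fmt.Errorf("unsupported packages.lock.json version %d", lf.Version)
	}
	seen := map[string]Dependency{}
	for _, pkgs := range lf.Dependencies {
		for name, e := range pkgs {
			if e.Type == "Project" || e.Resolved == "" { continue } // not a NuGet package
			key := name + "@" + e.Resolved                           // same package may recur per framework
			seen[key] = Dependency{name, e.Resolved, seen[key].Direct || e.Type == "Direct"}
		}
	}
	out := make([]Dependency, 0, len(seen))
	for _, d := range seen { out = append(out, d) }
	sort.Slice(out, func(i, j int) bool { return out[i].Name+out[i].Version < out[j].Name+out[j].Version })
	return out, nil
}

// sampleLock is a constructed lock file, not one taken from a real project.
const sampleLock = `{"version":1,"dependencies":{
 "netcoreapp3.1":{"Newtonsoft.Json":{"type":"Direct","requested":"[12.0.3, )","resolved":"12.0.3"},
  "Microsoft.NETCore.Platforms":{"type":"Transitive","resolved":"3.1.0"},"MyLib":{"type":"Project"}},
 "net5.0":{"Newtonsoft.Json":{"type":"Transitive","resolved":"12.0.3"}}}}`

func main() { fmt.Println(ParseLockFile([]byte(sampleLock))) }
```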
Also update the Rails frontend:
- present the nuget package type as C# (NuGet) in the dependency list !38892 (closed)
Merge CI template, update doc, clean up test project:
- submit the changes to the CI template !37553 (merged)
- make the test project use the master of the CI template gitlab-org/security-products/tests/csharp-nuget-dotnetcore!20 (merged)
- add the package manager to the supported languages and package managers !37609 (merged)
As a side task, it would be useful to improve developer docs:
- document the steps involved in supporting a new package manager in gemnasium gitlab-org/security-products/analyzers/gemnasium!94 (merged)
- [ ] turn this issue into an issue template, to be added to the Secure section of the handbook
Permissions and Security
There should be no changes to ~"Category:Dependency Scanning" permissions.
Documentation
This should work as documented for the other ~"Category:Dependency Scanning" supported languages and frameworks.
Please add this to the supported languages and frameworks table, and be explicit about versions and lock files.
Please add any variables, notes or warnings needed for this to the user documentation, for example what type of lock files are expected or looked at, and links to the external docs where users can see how to turn on lock files.
Please link to the feedback issue #227875 to allow people to request other versions.
Availability & Testing
You must have a test project, and basic tests specific to making sure NuGet is supported, that run on each release to ensure nothing breaks (for example, if a parameter is changed and is not backwards compatible).
This must be incorporated into both the online and offline test suites. Work with Quality to accomplish this: they will set up what to mimic, and you will implement based on that pattern.
The test project should also be documented in the list of test projects that Quality is maintaining.
What does success look like, and how can we measure that?
Users with NuGet projects get Dependency Scanning reports. They can see the dependencies of their NuGet projects in the Dependency List, and are notified about vulnerabilities affecting these dependencies.
Links / references