RetireNet.Runtimes.Middleware
6.0.0
dotnet add package RetireNet.Runtimes.Middleware --version 6.0.0
NuGet\Install-Package RetireNet.Runtimes.Middleware -Version 6.0.0
<PackageReference Include="RetireNet.Runtimes.Middleware" Version="6.0.0" />
paket add RetireNet.Runtimes.Middleware --version 6.0.0
#r "nuget: RetireNet.Runtimes.Middleware, 6.0.0"
// Install RetireNet.Runtimes.Middleware as a Cake Addin #addin nuget:?package=RetireNet.Runtimes.Middleware&version=6.0.0 // Install RetireNet.Runtimes.Middleware as a Cake Tool #tool nuget:?package=RetireNet.Runtimes.Middleware&version=6.0.0
Build status
Components
dotnet-retire
❗️DEPRECATED❗️
See this issue for other solutions.
RetireNet.Runtimes.Middleware
We cannot detect the runtime of the app at build time, so to report use of vulnerable runtimes the app itself, the host itself can provide us reports
Install
$ dotnet add package RetireNet.Runtimes.Middleware
Usage
Add it to your ASP.NET Core pipeline on your preferred path:
app.Map("/report", a => a.UseRuntimeVulnerabilityReport());
What does it do?
It will fetch the releases listed in the official metadata API provided by Microsoft, and check if your app is running on a runtime with known CVEs.
Metadata endpoint used: https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/releases-index.json
Sample output
An app running on the vulnerable 2.1.11 runtime on macOS:
{
"isVulnerable": true,
"appRuntimeDetails": {
"os": "OSX",
"osPlatform": "Darwin 18.6.0 Darwin Kernel Version 18.6.0: Thu Apr 25 23:16:27 PDT 2019; root:xnu-4903.261.4~2/RELEASE_X86_64",
"osArchitecture": "X64",
"osBits": "64",
"appTargetFramework": ".NETCoreApp,Version=v2.1",
"appRuntimeVersion": "2.1.11",
"appBits": "64"
},
"securityRelease": {
"runtimeVersion": "2.1.13",
"cvEs": [
{
"cve-id": " CVE-2018-8269",
"cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8269"
},
{
"cve-id": " CVE-2019-1301",
"cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1301"
},
{
"cve-id": " CVE-2019-1302",
"cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1302"
}
]
}
}
RetireNet.Runtimes.BackgroundServices
This is the same report as for the middleware, only logging it using the configured ILogger
as a WARN log statment.
Install
$ dotnet add package RetireNet.Runtimes.BackgroundServices
Usage
Register it into the container, and provide it a interval in milliseconds how often you would like the check to execute.
services.AddRetireRuntimeHostedService(c => c.CheckInterval = 60000)
What does it do?
The same as for the middleware endpoint.
Sample output
An app running on the vulnerable 2.1.11 runtime on macOS, using the ConsoleLogger
:
warn: RetireNet.Runtimes.BackgroundServices.RetireRuntimeBackgroundService[0]
Running on vulnerable runtime 2.1.11. Security release 2.1.13
Product | Versions Compatible and additional computed target framework versions. |
---|---|
.NET | net5.0 is compatible. net5.0-windows was computed. net6.0 is compatible. net6.0-android was computed. net6.0-ios was computed. net6.0-maccatalyst was computed. net6.0-macos was computed. net6.0-tvos was computed. net6.0-windows was computed. net7.0 was computed. net7.0-android was computed. net7.0-ios was computed. net7.0-maccatalyst was computed. net7.0-macos was computed. net7.0-tvos was computed. net7.0-windows was computed. net8.0 was computed. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. |
-
net5.0
- No dependencies.
-
net6.0
- No dependencies.
NuGet packages
This package is not used by any NuGet packages.
GitHub repositories
This package is not used by any popular GitHub repositories.
Version | Downloads | Last updated |
---|---|---|
6.0.0 | 58,755 | 11/26/2021 |
6.0.0-ci0010-363f59e | 256 | 11/2/2021 |
6.0.0-ci0007-1428fc9 | 248 | 11/2/2021 |
5.0.0 | 5,072 | 11/27/2020 |
2.0.0 | 45,033 | 12/10/2019 |
0.8.0 | 541 | 12/10/2019 |
0.7.1 | 886 | 10/21/2019 |