diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index afdc9c68c..cd1c9ead0 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,6 +14,17 @@ jobs:
- uses: actions/checkout@v3
- name: Check dotnet Style
run: dotnet-format --check --exclude /
+ security:
+ runs-on: windows-2022
+ steps:
+ - name: Install security-code-scan
+ run: dotnet tool install -g security-scan
+ - uses: actions/checkout@v3
+ - name: Run security analysis
+ run: security-scan EasyPost.sln --ignore-msbuild-errors --verbose
+ # "--ignore-msbuild-errors" needed since MSBuild does not like F#: https://github.com/security-code-scan/security-code-scan/issues/235
+ # In the future, we can collect the output logs by enabling Code Scanning and using the pre-built GitHub Action: https://github.com/marketplace/actions/securitycodescan
+ # https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github#uploading-a-code-scanning-analysis-with-github-actions
NET_Tests:
# derived from https://dev.to/felipetofoli/github-actions-for-net-full-framework-build-and-test-299h
runs-on: windows-2022
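Review bot: The scanner install on L13 (`dotnet tool install -g security-scan`) is unpinned, so every run pulls whatever the newest NuGet release is; that makes the security job non-reproducible and lets a broken or compromised upstream release straight into the pipeline, so pin it with `dotnet tool install -g security-scan --version <tested version>` and bump deliberately. `--ignore-msbuild-errors` on L16 also means a project that fails to build is silently dropped from analysis, so the job can stay green while coverage shrinks; check the verbose log for the expected set of projects, or drop the flag once the linked F# issue is resolved. It is worth confirming whether `security-scan` exits non-zero when it reports findings — if it does not, this job passes regardless of results until the SARIF upload mentioned on L18-L19 is wired up. Pinning `actions/checkout` to a commit SHA would match the same supply-chain intent, though the existing job on L6 uses the `v3` tag as well.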
diff --git a/EasyPost.Tests.FSharp/EasyPost.Tests.FSharp.fsproj b/EasyPost.Tests.FSharp/EasyPost.Tests.FSharp.fsproj
index 9bd8a0462..603c44f05 100644
--- a/EasyPost.Tests.FSharp/EasyPost.Tests.FSharp.fsproj
+++ b/EasyPost.Tests.FSharp/EasyPost.Tests.FSharp.fsproj
@@ -14,9 +14,13 @@
-
-
-
+
+
+
+
+ all
+ runtime; build; native; contentfiles; analyzers; buildtransitive
+
diff --git a/EasyPost.Tests.VB/EasyPost.Tests.VB.vbproj b/EasyPost.Tests.VB/EasyPost.Tests.VB.vbproj
index b9758c26b..15961dcef 100644
--- a/EasyPost.Tests.VB/EasyPost.Tests.VB.vbproj
+++ b/EasyPost.Tests.VB/EasyPost.Tests.VB.vbproj
@@ -10,9 +10,13 @@
-
-
-
+
+
+
+
+ all
+ runtime; build; native; contentfiles; analyzers; buildtransitive
+
diff --git a/EasyPost.Tests/EasyPost.Tests.csproj b/EasyPost.Tests/EasyPost.Tests.csproj
index d54a6ae94..dd34f5df3 100644
--- a/EasyPost.Tests/EasyPost.Tests.csproj
+++ b/EasyPost.Tests/EasyPost.Tests.csproj
@@ -12,13 +12,17 @@
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+ all
+ runtime; build; native; contentfiles; analyzers; buildtransitive
+
diff --git a/EasyPost/Base/Address.cs b/EasyPost/Base/Address.cs
index 57839af97..d2d12d0b5 100644
--- a/EasyPost/Base/Address.cs
+++ b/EasyPost/Base/Address.cs
@@ -1,5 +1,4 @@
using System;
-using System.Collections.Generic;
using Newtonsoft.Json;
namespace EasyPost.Base
diff --git a/EasyPost/EasyPost.csproj b/EasyPost/EasyPost.csproj
index eb1e1b388..fc41e3ffa 100644
--- a/EasyPost/EasyPost.csproj
+++ b/EasyPost/EasyPost.csproj
@@ -61,6 +61,10 @@
+
+ all
+ runtime; build; native; contentfiles; analyzers; buildtransitive
+
diff --git a/EasyPost/Exception.cs b/EasyPost/Exception.cs
index cedf9c88b..3c56bc0e9 100644
--- a/EasyPost/Exception.cs
+++ b/EasyPost/Exception.cs
@@ -1,7 +1,6 @@
using System;
using System.Collections.Generic;
using System.Runtime.Serialization;
-using System.Security.Permissions;
namespace EasyPost
{
@@ -52,14 +51,14 @@ public class PropertyMissing : Exception
{
private readonly string _property;
- public PropertyMissing(string property)
+ public override string Message
{
- _property = property;
+ get { return $"Missing {_property}"; }
}
- public override string Message
+ public PropertyMissing(string property)
{
- get { return $"Missing {_property}"; }
+ _property = property;
}
}
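Review bot: The constructor on L115-L119 stores `property` without validation, so a null argument produces the message `Missing ` with nothing after it; guard it with `_property = property ?? throw new ArgumentNullException(nameof(property));` (throw expressions need C# 7 or later). The getter on L109-L113 could be the one-liner `public override string Message => $"Missing {_property}";`, which keeps the class as compact as the reorder intends. Renaming the type to `PropertyMissingException` would follow the framework naming convention, but that is a public API change and out of scope for this commit. The class declaration itself is outside the hunk; only its body is shown.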
diff --git a/EasyPost/Pickup.cs b/EasyPost/Pickup.cs
index 019a61abd..5e74cf008 100644
--- a/EasyPost/Pickup.cs
+++ b/EasyPost/Pickup.cs
@@ -1,7 +1,6 @@
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
-using EasyPost.Utilities;
using Newtonsoft.Json;
using RestSharp;
diff --git a/EasyPost/Shipment.cs b/EasyPost/Shipment.cs
index 531585664..38112a7e6 100644
--- a/EasyPost/Shipment.cs
+++ b/EasyPost/Shipment.cs
@@ -1,6 +1,5 @@
using System;
using System.Collections.Generic;
-using System.Linq;
using System.Threading.Tasks;
using EasyPost.Utilities;
using Newtonsoft.Json;
diff --git a/Makefile b/Makefile
index 5ce70cfbf..ad54137ed 100644
--- a/Makefile
+++ b/Makefile
@@ -24,6 +24,10 @@ build:
install-cert:
scripts\install_cert.bat ${cert} ${pass}
+## install-scanner - Install SecurityCodeScan to your system
+install-scanner:
+ dotnet tool install -g security-scan
+
## sign - Sign all generated DLLs and NuGet packages with the provided certificate (Windows only)
# @parameters:
# cert= - The certificate to use for signing the built assets.
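Review bot: `dotnet tool install -g security-scan` on L152 floats to the newest release, so a developer and CI can end up running different scanner versions and a bad upstream release lands silently; pin it with `--version`, ideally through a single variable shared with ci.yml. A repo-local tool manifest (`dotnet new tool-manifest` followed by `dotnet tool install security-scan`) would record the pinned version in `.config/dotnet-tools.json` and sidestep the global-tool PATH problem the `scan` target notes further down. The `##` help line on L150 could also mention that the install is global and affects the whole machine, not just this repository.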
@@ -56,4 +60,10 @@ test:
lint-scripts:
scripts\lint_scripts.bat
-.PHONY: help release build-dev build install-cert sign clean restore lint lint-check test lint-scripts
+## scan - Scan the project for security issues (must run install-scanner first)
+# Makefile cannot access global dotnet tools, so you need to run the below command manually.
+scan:
+ security-scan --verbose --no-banner --ignore-msbuild-errors EasyPost.sln
+ # "--ignore-msbuild-errors" needed since MSBuild does not like F#: https://github.com/security-code-scan/security-code-scan/issues/235
+
+.PHONY: help release build-dev build install-cert sign clean restore lint lint-check test lint-scripts install-scanner scan
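Review bot: If the comment on L165 is tab-indented like the command on L164, it is a recipe line rather than a Makefile comment and gets handed to the shell; under a Windows cmd.exe shell (this Makefile already calls `.bat` scripts) `#` is not a comment character, so `make scan` would error after the scan runs — move the explanation above the target alongside the `#` line on L162. That L162 note, which says the target cannot actually be run from make, undercuts having a `scan` target at all; with a local tool manifest the recipe could become `dotnet security-scan --verbose --no-banner --ignore-msbuild-errors EasyPost.sln` and run from make and CI alike, with the version pinned in the manifest. `--ignore-msbuild-errors` also silently drops any project that fails to build, so the verbose output should be checked for the expected project set rather than treated as a full scan.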