From c78ecc7bdf9a08d37b79370930fcf58ba172673b Mon Sep 17 00:00:00 2001 From: Nate Harris Date: Wed, 6 Jul 2022 15:26:48 -0600 Subject: [PATCH] Add static analysis tool (#290) - Add SecurityCodeScan as NuGet dependency (during build, not install) - Add SecurityCodeScan as CI step - Makefile command for security scan (must run manually) - Fix some linting --- .github/workflows/ci.yml | 11 +++++++++++ .../EasyPost.Tests.FSharp.fsproj | 10 +++++++--- EasyPost.Tests.VB/EasyPost.Tests.VB.vbproj | 10 +++++++--- EasyPost.Tests/EasyPost.Tests.csproj | 18 +++++++++++------- EasyPost/Base/Address.cs | 1 - EasyPost/EasyPost.csproj | 4 ++++ EasyPost/Exception.cs | 9 ++++----- EasyPost/Pickup.cs | 1 - EasyPost/Shipment.cs | 1 - Makefile | 12 +++++++++++- 10 files changed, 55 insertions(+), 22 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index afdc9c68c..cd1c9ead0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -14,6 +14,17 @@ jobs: - uses: actions/checkout@v3 - name: Check dotnet Style run: dotnet-format --check --exclude / + security: + runs-on: windows-2022 + steps: + - name: Install security-code-scan + run: dotnet tool install -g security-scan + - uses: actions/checkout@v3 + - name: Run security analysis + run: security-scan EasyPost.sln --ignore-msbuild-errors --verbose + # "--ignore-msbuild-errors" needed since MSBuild does not like F#: https://github.com/security-code-scan/security-code-scan/issues/235 + # In the future, we can collect the output logs by enabling Code Scanning and using the pre-built GitHub Action: https://github.com/marketplace/actions/securitycodescan + # https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github#uploading-a-code-scanning-analysis-with-github-actions NET_Tests: # derived from https://dev.to/felipetofoli/github-actions-for-net-full-framework-build-and-test-299h runs-on: windows-2022 
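Review bot: The new `security` job installs the analyzer with `dotnet tool install -g security-scan` and no version, so each CI run pulls whatever NuGet currently publishes; a new release can change findings or behaviour between otherwise identical runs, and an unpinned tool fetched at build time is also a supply-chain exposure for a step that is meant to be a security gate. Pin it, e.g. `run: dotnet tool install -g security-scan --version <PINNED_VERSION>`, and do the same in the Makefile's `install-scanner` target, which runs the identical command. Separately, `--ignore-msbuild-errors` means a project that fails to build is skipped rather than scanned, so the job can go green while covering fewer projects than the solution contains; a short comment stating that coverage caveat next to the existing F# note would help. Since results are not uploaded yet (the comment defers SARIF upload), it is also worth confirming that the tool's exit code actually fails the job on findings; if it does not, this step is informational only until the upload is wired in.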
diff --git a/EasyPost.Tests.FSharp/EasyPost.Tests.FSharp.fsproj b/EasyPost.Tests.FSharp/EasyPost.Tests.FSharp.fsproj index 9bd8a0462..603c44f05 100644 --- a/EasyPost.Tests.FSharp/EasyPost.Tests.FSharp.fsproj +++ b/EasyPost.Tests.FSharp/EasyPost.Tests.FSharp.fsproj @@ -14,9 +14,13 @@ - - - + + + + + all + runtime; build; native; contentfiles; analyzers; buildtransitive + diff --git a/EasyPost.Tests.VB/EasyPost.Tests.VB.vbproj b/EasyPost.Tests.VB/EasyPost.Tests.VB.vbproj index b9758c26b..15961dcef 100644 --- a/EasyPost.Tests.VB/EasyPost.Tests.VB.vbproj +++ b/EasyPost.Tests.VB/EasyPost.Tests.VB.vbproj @@ -10,9 +10,13 @@ - - - + + + + + all + runtime; build; native; contentfiles; analyzers; buildtransitive + diff --git a/EasyPost.Tests/EasyPost.Tests.csproj b/EasyPost.Tests/EasyPost.Tests.csproj index d54a6ae94..dd34f5df3 100644 --- a/EasyPost.Tests/EasyPost.Tests.csproj +++ b/EasyPost.Tests/EasyPost.Tests.csproj @@ -12,13 +12,17 @@ - - - - - - - + + + + + + + + + all + runtime; build; native; contentfiles; analyzers; buildtransitive + diff --git a/EasyPost/Base/Address.cs b/EasyPost/Base/Address.cs index 57839af97..d2d12d0b5 100644 --- a/EasyPost/Base/Address.cs +++ b/EasyPost/Base/Address.cs @@ -1,5 +1,4 @@ using System; -using System.Collections.Generic; using Newtonsoft.Json; namespace EasyPost.Base diff --git a/EasyPost/EasyPost.csproj b/EasyPost/EasyPost.csproj index eb1e1b388..fc41e3ffa 100644 --- a/EasyPost/EasyPost.csproj +++ b/EasyPost/EasyPost.csproj @@ -61,6 +61,10 @@ + + all + runtime; build; native; contentfiles; analyzers; buildtransitive + diff --git a/EasyPost/Exception.cs b/EasyPost/Exception.cs index cedf9c88b..3c56bc0e9 100644 --- a/EasyPost/Exception.cs +++ b/EasyPost/Exception.cs @@ -1,7 +1,6 @@ using System; using System.Collections.Generic; using System.Runtime.Serialization; -using System.Security.Permissions; namespace EasyPost { 
@@ -52,14 +51,14 @@ public class PropertyMissing : Exception { private readonly string _property; - public PropertyMissing(string property) + public override string Message { - _property = property; + get { return $"Missing {_property}"; } } - public override string Message + public PropertyMissing(string property) { - get { return $"Missing {_property}"; } + _property = property; } } diff --git a/EasyPost/Pickup.cs b/EasyPost/Pickup.cs index 019a61abd..5e74cf008 100644 --- a/EasyPost/Pickup.cs +++ b/EasyPost/Pickup.cs @@ -1,7 +1,6 @@ using System; using System.Collections.Generic; using System.Threading.Tasks; -using EasyPost.Utilities; using Newtonsoft.Json; using RestSharp; diff --git a/EasyPost/Shipment.cs b/EasyPost/Shipment.cs index 531585664..38112a7e6 100644 --- a/EasyPost/Shipment.cs +++ b/EasyPost/Shipment.cs @@ -1,6 +1,5 @@ using System; using System.Collections.Generic; -using System.Linq; using System.Threading.Tasks; using EasyPost.Utilities; using Newtonsoft.Json; diff --git a/Makefile b/Makefile index 5ce70cfbf..ad54137ed 100644 --- a/Makefile +++ b/Makefile @@ -24,6 +24,10 @@ build: install-cert: scripts\install_cert.bat ${cert} ${pass} +## install-scanner - Install SecurityCodeScan to your system +install-scanner: + dotnet tool install -g security-scan + ## sign - Sign all generated DLLs and NuGet packages with the provided certificate (Windows only) # @parameters: # cert= - The certificate to use for signing the built assets. 
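Review bot: `PropertyMissing` still builds its message from `_property` with no guard on the constructor argument, so a null `property` produces the message `Missing ` with nothing after it rather than failing at the call site; the constructor could reject it with `if (property == null) throw new ArgumentNullException(nameof(property));` (the file already has `using System;` and uses `nameof`-era syntax via string interpolation). While the members are being reordered, the getter would read more idiomatically as an expression-bodied property, `public override string Message => $"Missing {_property}";`. The class declaration line sits just outside the hunk in the header context.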
@@ -56,4 +60,10 @@ test: lint-scripts: scripts\lint_scripts.bat -.PHONY: help release build-dev build install-cert sign clean restore lint lint-check test lint-scripts +## scan - Scan the project for security issues (must run install-scanner first) +# Makefile cannot access global dotnet tools, so you need to run the below command manually. +scan: + security-scan --verbose --no-banner --ignore-msbuild-errors EasyPost.sln + # "--ignore-msbuild-errors" needed since MSBuild does not like F#: https://github.com/security-code-scan/security-code-scan/issues/235 + +.PHONY: help release build-dev build install-cert sign clean restore lint lint-check test lint-scripts install-scanner scan
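Review bot: The comment above `scan` says make cannot reach global dotnet tools and that the command must be run by hand, yet `scan` is added to `.PHONY` as if `make scan` were supported, so a reader cannot tell whether the target works; either the comment is stale or the target should not be there in its current form. If the problem is that the tool's directory is not on make's PATH, invoking it by its installed path instead of the bare `security-scan` name would make the target usable, otherwise keep only the documented command and drop the target. The recipe also passes `--no-banner` and a different flag order from the CI job's `security-scan EasyPost.sln --ignore-msbuild-errors --verbose`; the two invocations will drift, so pick one canonical flag set, ideally with the scanner version pinned as noted on the CI hunk.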