I have this .bat file which scans one of mine applications at work.
I'm comparing two ways I've generated the .fpr file:
Using Scan Wizard
Using the HP Fortify Plugin for Visual Studio.
What is happening is that when the .fpr file is generated by Scan Wizard's .bat file it seems to ignore completely all my .aspx, aspx.cs and .cs files inside the application .
My app is an old Web Forms, which in order to publish it, we need to select that precompiled option in Visual Studio.
I've already tried Eric's solution in the post.
HP Fortify scans get ASP Pre-Compilation error
But still nothing.
I've already tryed to generate the bat file before and after the publish, but both returned the same number of vulnerabilities. Something around 15.
After the publish it generates dll's to all pages though, which means that theorically it should detect all the application code.
In the other hand, when I've generated the .fpr file through the Visual Studio plugin, it returns me about 600 vulnerabilities.
My real problem is that we need to run over the .bat file, not the Visual Studio, because we have a continuous integration process, in which we build the app, run code analyze and then the HP Fortify to complete the process, so I need that the number of vulnerabilities returned running the plugin to be the same one when I run with the .bat file.
Any help would be very appreciated.
Thank you for your time !
There are several different options you can do.
1) Have Visual Studio installed on the CI machine with the Fortify Plugin installed. Here is a sample batch file that I used to scan WebGoat.Net using Visual Studio
sourceanalyzer -b test -clean
sourceanalyzer -b test -Xmx6G -verbose -debug -logfile vs_translate.txt "C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\devenv.exe" NewWebForms.sln /REBUILD Debug
sourceanalyzer -b test -show-files > vs_files.txt
sourceanalyzer -b test -show-build-warnings > vs_warnings.txt
sourceanalyzer -b test -verbose -debug -logfile vs_scanlog.txt -scan -f vs_scan.fpr
fprutility -information -categoryIssueCounts -project vs_scan.fpr
2) With the latest version of Fortify (16.20) you can scan .Net code directly. Here is the batch file I created to scan WebGoat.Net
sourceanalyzer -b test -clean
sourceanalyzer -b test -dotnet-version 4.5.2 -cs-extern-alias "global=C:\Samples\NewWebForms\packages\Microsoft.AspNet.Identity.EntityFramework.2.2.1\lib\net45\Microsoft.AspNet.Identity.EntityFramework.dll;global=C:\Samples\NewWebForms\packages\Microsoft.AspNet.Identity.Core.2.2.1\lib\net45\Microsoft.AspNet.Identity.Core.dll;global=C:\Samples\NewWebForms\packages\Microsoft.AspNet.Identity.Owin.2.2.1\lib\net45\Microsoft.AspNet.Identity.Owin.dll;global=C:\Samples\NewWebForms\packages\Microsoft.Owin.3.0.1\lib\net45\Microsoft.Owin.dll" -dotnetwebroot NewWebForms\ -libdirs packages\**/*.dll;NewWebForms\bin\*.dll NewWebForms\**/*
sourceanalyzer -b test -show-files > cmd_files.txt
sourceanalyzer -b test -show-build-warnings > cmd_warnings.txt
sourceanalyzer -b test -Xmx6G -verbose -debug -logfile cmd_scanlog.txt -scan -f cmd_scan.fpr
fprutility -information -categoryIssueCounts -project cmd_scan.fpr
3) If you want, you can also scan the compile .dll's of your project. Here is what I did to scan WebGoat.Net
sourceanalyzer -b test -Xmx8G -vsversion 14.0
#excludelist.txt
-Dcom.fortify.sca.SourceFiles=WebGoat.NET\WebGoat
-libdirs WebGoat.NET\WebGoat\bin WebGoat.NET\**/*.dll
WebGoat.NET/**/*
For a more detailed look at this, take a look at my answer over at Fortify to scan 3rd party dll's
Related
is it possible to create a single exe file with only third party libraries included?
I have a small console app with a third party library.
If i use the following code it is still 26 MB.
dotnet publish -c Release -r win10-x64 /p:PublishSingleFile=true /p:PublishTrimmed=true
I have found a solution.
Run the following code in the folder which contains the project file.
dotnet publish -r <rid> --self-contained=false /p:PublishSingleFile=true
You can get the rid (runtime id) from:
https://learn.microsoft.com/en-us/dotnet/core/rid-catalog
In visual studio solution I have single .net core 2.0 library project. And to the publish the library i am using dotnet publish -c release command
however its not zipping the publish folder. I have read the issue 6598 and use the suggested approach using dotnet build command as below
dotnet build ApiRouting.sln /nologo /p:PublishProfile=Release /p:PackageLocation="C:\temp\Routing\package" /p:OutDir="C:\temp\Routing\out" /p:DeployOnBuild=true /p:WebPublishMethod=Package /p:PackageAsSingleFile=true /maxcpucount:1 /p:platform="Any CPU" /p:configuration="Release" /p:DesktopBuildPackageLocation="C:\temp\Routing\package\package.zip"
`
but that did not work either.
My project is aws lambda project which is C# library project not asp.net web project so i tried removing /p:WebPublishMethod=Package option but that did not work either.
Questions
1>What parameters i need to pass to publish command so that it would create zip file of publish folder.
2>In linked issue 6598 why its suggested to use build command instead of publish when build command only builds the project?
(on side note i can use aws tools for visual studio and use Publish to AWS Lambda and it creates zip file and deploys it to AWS directly from visual studio. However, we are using Jenkins for CI so i want use dotnet cli to create zip file so jenkins can execute that command and create zip file.)
i found it. These 2 links helped me
https://docs.aws.amazon.com/lambda/latest/dg/lambda-dotnet-how-to-create-deployment-package.html
https://docs.aws.amazon.com/lambda/latest/dg/lambda-dotnet-coreclr-deployment-package.html
first installed Amazon.Lambda.Tools
dotnet tool install -g Amazon.Lambda.Tools
and then to package and deploy
dotnet lambda deploy-function apirouting –-function-role myrole --profile lambdadep --profile-location C:\test\testawsprofile
I'm attempting to create a script to simplify the process of publishing a .NET Core website. I'm running into an issue when I run dotnet publish against an already running server. The server is IIS with the dotnet bundle installed, so IIS uses its app pool to start dotnet.
Here's my batch file. I'm happy to use another script type:
cd src/app
dotnet build --no-incremental
dotnet publish --framework netcoreapp1.0 --configuration Release --output ../../dist
When I run the script I get this error:
"The process cannot access the file 'C:\inetpub\wwwroot\app\dist\app.dll' because it is being used by another process."
This makes sense, it appears I need to stop, deploy, and restart dotnet. Can I do this from the script? Or is my approach to this problem wrong?
The best way is to drop an app_offline.htm file to your application folder. This will make IIS stop your application and serve the contents of the app_offline.htm file to the user while you are copying the new version. Once you complete copying the new version of your application remove the app_offline.htm file and IIS will start your application.
You can find more details on running ASP.NET Core applications with IIS in my post.
Based on Pawel's answer, I have a deploy folder containing my app_offline.html file and multiple deploy scripts to IIS. Here's a sample script I use to deploy:
copy .\app_offline.htm C:\hosting\my-project\app_offline.htm
dotnet publish ../MyProject.csproj -r win-x64 -f netcoreapp2.1 --self-contained -c Release -o C:\hosting\my-project
del C:\hosting\my-project\app_offline.htm
I think this is a valid solution, but doesn't help when I want to script the build process.
Stop-Website "xxx"
Stop-WebAppPool "xxx"
Start-Sleep -Seconds 5
dotnet publish --output d:\publocation
Stop-WebAppPool "xxx"
Start-Website "xxx"
if you've created a published profile in Visual Studio and you're using IIS, then you can use that profile instead of writing directly to the destination directory:
dotnet publish /p:PublishProfile=Properties\PublishProfiles\IISProfile.pubxml
I want to publish my dotnet core app to IIS from mac. I use VS code for code writing and Dotnet Core 1.1 for publishing to local directory. (for example: bin/release/publish). There are compiled my files, ready to copy to IIS. On my IIS I currently have installed web deploy 3.6 and this is my VPS machine. Is there elegant way, how to copy files? The another way is using docker, but in this case I have the same problem. Generated docker file with docker publisher tool and I need to copy from mac os.
Thank you for your time.
From a terminal window navigate to the folder where your .csproj file is. From there run 'dotnet publish -c release'. A folder called publish will be created in bin/Release/netcoreappX.X. You can copy those files to the appropriate directory on your server. If you need help setting up IIS, follow the link below.
https://learn.microsoft.com/en-us/aspnet/core/publishing/iis
You can also run 'dotnet publish -h' to see all of the different arguments you can pass to the publish command.
Web Deploy (msdeploy.exe) seems to work in Mono, at least in WSL (Ubuntu 18.04). The tricky part is to extract the msi package somehow, which you can do easily on a Windows machine (you'll find the files in C:\Program Files\IIS\Microsoft Web Deploy V3).
Once you install Mono and obtain msdeploy.exe, just call the command, e.g.
mono msdeploy.exe -verb:sync -source:contentPath=/mnt/c/Data -dest:contentPath=test,ComputerName=https://example.com:8172/msdeploy.axd,UserName=WDeployAdmin,Password=PASSWORD,IncludeAcls=False,AuthType=Basic -enableRule:AppOffline -enableRule:DoNotDeleteRule -verbose -allowUntrusted:true
This lets you sync/copy the contents of /mnt/c/Data with the test web site in IIS on example.com with Web Deploy enabled.
I have a VS 2012 solution(ASP.NET) that contains three projects. I'm trying to deploy/publish the site via MsBuild command line without installing Visual Studio on our build machine.
I am using:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild Myproject.csproj /p:DeployOnBuild=true /p:PublishProfile= pubfile.pubxml /p:Password=user1 /p:AllowUntrustedCertificate=true
MY Command line output show only "build successfully" of the solution but nothing about the publish profile.
The same solution and batch file run successfully on my local machine.
Please suggest If any option for publishing without install VS on build Machine
I had to add the following to my command line
/p:VisualStudioVersion=11.0
or you might have to install Web Deploy on your build machine.
The other thing I had to do was publish from VS and save a publish profile and then used that on the command line. I see you have pubfile.xml, but all I had to do was reference the profile name, not the file name. QA being my profile name from the project. Try removing the .xml on the end of yours.
/p:PublishProfile=QA
Add C:\Windows\Microsoft.NET\Framework\v4.0.30319\ to your %PATH% system environment variable and invoke your command:
msbuild Myproject.csproj /p:DeployOnBuild=true /p:PublishProfile= pubfile.pubxml /p:Password=user1 /p:AllowUntrustedCertificate=true