VulnerabilityMonitoring is a web application developed to proactively identify and manage vulnerabilities in NuGet packages, enhancing the security of .NET applications through early detection and action.

NordinAlex/VulnerabilityMonitoring

VulnerabilityMonitoring

Important Notice

Note: VulnerabilityMonitoring is currently in development and not fully ready for production use. The application is being actively developed, and certain features may be incomplete or subject to change. Use in production environments is not recommended yet.

Description

VulnerabilityMonitoring is an open-source web application designed to enhance the security of .NET applications by continuously scanning for and reporting vulnerabilities in NuGet packages. The project aims to equip developers and organizations with the tools needed to proactively manage security risks and maintain high security standards.

Features

  • Automated Scanning: Continuous scanning of NuGet packages for vulnerabilities, using up-to-date security data.
  • Dynamic Updates: Automatic updates to NuGet packages triggered by new builds in Azure DevOps Pipelines, facilitated through Azure DevOps Service Hooks.
  • Interactive Reporting: User-friendly interface for viewing detailed vulnerability reports.
  • Alert System: Configurable email notifications to alert users about critical vulnerabilities, ensuring immediate attention and action.

How It Works

VulnerabilityMonitoring streamlines the process of identifying vulnerabilities in NuGet packages used within .NET applications. Below is a step-by-step overview of the system's operations:

1. Initialization

  • Configuration: Upon startup, the application configures itself based on settings defined in the appsettings.json file.
  • Project Selection: Users can select Azure DevOps projects to monitor via the application's user interface.

2. Package Retrieval

  • API Communication: Utilizes Azure DevOps APIs to fetch the latest NuGet package versions from specified repositories.
  • Dependency Management: Automatically downloads necessary project files (e.g., .sln and .csproj) to determine package dependencies.

3. Vulnerability Scanning

  • Database Queries: Consults the GitHub Advisory Database for any vulnerabilities associated with the packages.
  • Scanning Mechanism: Uses a combination of PowerShell scripts and .NET Core CLI commands (dotnet list package --vulnerable --include-transitive) to scan the project's direct and transitive dependencies.

4. Reporting and Alerts

  • Vulnerability Reports: Generates detailed reports categorizing vulnerabilities by severity (Critical, High, Moderate, and Low).
  • Notification System: Provides dashboard notifications and email alerts for immediate response to critical issues.

5. Continuous Monitoring

  • Ongoing Scans: Periodically repeats the scanning process to ensure continuous security monitoring.
  • Schedule Configuration: Allows for scheduled scans to be set at specific intervals, enhancing long-term security surveillance.
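The scanning and reporting steps above hinge on consuming the output of dotnet list package --vulnerable --include-transitive and bucketing findings by severity. The following is an added example, not code from the VulnerabilityMonitoring project: it parses the CLI's JSON output format (--format json, shape assumed from the SDK's machine-readable report, version 1), flattens top-level and transitive findings, groups them into the four severity buckets, and applies a configurable alert threshold. The sample document, package names and advisory URLs are constructed placeholders.

```python
import json

SEVERITIES = ("Critical", "High", "Moderate", "Low")  # report order, highest first

# Constructed sample of `dotnet list package --vulnerable --include-transitive --format json`
# (assumed shape; package names and advisory URLs are placeholders, not real advisories).
SAMPLE_JSON = json.dumps({
    "version": 1,
    "parameters": "--vulnerable --include-transitive",
    "projects": [{
        "path": "src/App/App.csproj",
        "frameworks": [{
            "framework": "net8.0",
            "topLevelPackages": [{
                "id": "PackageA", "requestedVersion": "1.0.0", "resolvedVersion": "1.0.0",
                "vulnerabilities": [{"severity": "High",
                                     "advisoryurl": "https://example.invalid/GHSA-PLACEHOLDER-1"}]}],
            "transitivePackages": [{
                "id": "PackageB", "resolvedVersion": "2.3.4",
                "vulnerabilities": [
                    {"severity": "Critical", "advisoryurl": "https://example.invalid/GHSA-PLACEHOLDER-2"},
                    {"severity": "Low", "advisoryurl": "https://example.invalid/GHSA-PLACEHOLDER-3"}]}]}]}]})

def parse_findings(raw):
    """Flatten the CLI JSON into one record per (project, package, advisory)."""
    findings = []
    for project in json.loads(raw).get("projects", []):
        for fw in project.get("frameworks", []):
            for kind in ("topLevelPackages", "transitivePackages"):
                for pkg in fw.get(kind, []):
                    for vuln in pkg.get("vulnerabilities", []):
                        findings.append({
                            "project": project["path"], "framework": fw["framework"],
                            "package": pkg["id"], "version": pkg["resolvedVersion"],
                            "transitive": kind == "transitivePackages",
                            "severity": vuln["severity"], "advisory": vuln["advisoryurl"]})
    return findings

def by_severity(findings):
    """Group findings into the report's four severity buckets."""
    buckets = {s: [] for s in SEVERITIES}
    for f in findings:
        buckets.setdefault(f["severity"], []).append(f)  # keep unknown labels visible
    return buckets

def needs_alert(findings, threshold="Critical"):
    """True when any finding is at or above the configured alert threshold."""
    rank = {s: i for i, s in enumerate(SEVERITIES)}  # lower index = more severe
    return any(rank.get(f["severity"], len(SEVERITIES)) <= rank[threshold] for f in findings)
```

Transitive findings are kept separate from direct ones because fixing them usually means bumping the parent package rather than the vulnerable one.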

System Architecture

  • Framework: Built on .NET Core MVC 8, suitable for hosting on either on-premise servers or cloud platforms.
  • Data Storage: Utilizes a SQL database for storing project data and scan results, ensuring data integrity and fast access.

Installation

  1. Clone the repository:

    git clone https://github.com/AlexNordin-dev/VulnerabilityMonitoring.git

  2. Configure your database and SMTP settings in appsettings.json.

  3. Apply migrations to set up the database schema (replace [commit] with a name for the migration):

    Identity Context:

    Add-Migration [commit] -context IdentityContext
    Update-Database -context IdentityContext

    Data Context:

    Add-Migration [commit] -context DataContext
    Update-Database -context DataContext

  4. Start the application.
