RetireNet.Runtimes.BackgroundServices 6.0.0

.NET 5.0

Components

  • RetireNet.Runtimes.Middleware

  • RetireNet.Runtimes.BackgroundServices

dotnet-retire

❗️DEPRECATED❗️

See this issue for other solutions.

RetireNet.Runtimes.Middleware

We cannot detect the runtime of the app at build time, so to report use of vulnerable runtimes, the app (the host) itself has to provide the reports.

Install

$ dotnet add package RetireNet.Runtimes.Middleware

Usage

Add it to your ASP.NET Core pipeline on your preferred path:

app.Map("/report", a => a.UseRuntimeVulnerabilityReport());

What does it do?

It will fetch the releases listed in the official metadata API provided by Microsoft, and check if your app is running on a runtime with known CVEs.

Metadata endpoint used: https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/releases-index.json

Sample output

An app running on the vulnerable 2.1.11 runtime on macOS:

{
    "isVulnerable": true,
    "appRuntimeDetails": {
        "os": "OSX",
        "osPlatform": "Darwin 18.6.0 Darwin Kernel Version 18.6.0: Thu Apr 25 23:16:27 PDT 2019; root:xnu-4903.261.4~2/RELEASE_X86_64",
        "osArchitecture": "X64",
        "osBits": "64",
        "appTargetFramework": ".NETCoreApp,Version=v2.1",
        "appRuntimeVersion": "2.1.11",
        "appBits": "64"
    },
    "securityRelease": {
        "runtimeVersion": "2.1.13",
        "cvEs": [
            {
                "cve-id": " CVE-2018-8269",
                "cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8269"
            },
            {
                "cve-id": " CVE-2019-1301",
                "cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1301"
            },
            {
                "cve-id": " CVE-2019-1302",
                "cve-url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1302"
            }
        ]
    }
}
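A monitoring job or CI gate can consume the report shown above. The following is an added example, not part of RetireNet: it parses a report body, normalises the CVE ids and derives an exit code. The function names, the exit-code convention and the assumption that `securityRelease` may be null on a healthy app are illustrative; the embedded sample is a trimmed copy of the report above.

```python
import json

# Constructed sample: a trimmed copy of the report shown above.
SAMPLE_REPORT = """
{
  "isVulnerable": true,
  "appRuntimeDetails": {"os": "OSX", "appRuntimeVersion": "2.1.11"},
  "securityRelease": {
    "runtimeVersion": "2.1.13",
    "cvEs": [{"cve-id": " CVE-2018-8269"}, {"cve-id": " CVE-2019-1301"}, {"cve-id": " CVE-2019-1302"}]
  }
}
"""


def version_key(version):
    """Numeric sort key, so 2.1.11 ranks above 2.1.9 (string comparison gets this wrong)."""
    core = version.split("-", 1)[0]  # drop a pre-release suffix if present
    return tuple(int(part) for part in core.split("."))


def evaluate_report(raw):
    """Turn one report body into a finding dict for alerting or a CI gate."""
    report = json.loads(raw)
    running = report["appRuntimeDetails"]["appRuntimeVersion"]
    finding = {"vulnerable": bool(report.get("isVulnerable")), "running": running,
               "upgrade_to": None, "cves": [], "consistent": True}
    # Assumption: securityRelease may be absent or null when nothing is wrong.
    release = report.get("securityRelease") or {}
    if finding["vulnerable"]:
        finding["upgrade_to"] = release.get("runtimeVersion")
        # The sample ids carry a leading space; normalise before matching elsewhere.
        finding["cves"] = sorted({c["cve-id"].strip().upper() for c in release.get("cvEs") or []})
        # A vulnerable report should name a fix newer than the running runtime.
        finding["consistent"] = (finding["upgrade_to"] is not None and
                                 version_key(finding["upgrade_to"]) > version_key(running))
    return finding


def exit_code(finding):
    """0 = clean, 1 = vulnerable runtime, 2 = report is inconsistent."""
    if not finding["consistent"]:
        return 2
    return 1 if finding["vulnerable"] else 0


if __name__ == "__main__":
    result = evaluate_report(SAMPLE_REPORT)
    print(result, "exit code:", exit_code(result))
```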

RetireNet.Runtimes.BackgroundServices

This is the same report as for the middleware, only logged through the configured ILogger as a WARN log statement.

Install

$ dotnet add package RetireNet.Runtimes.BackgroundServices

Usage

Register it in the container and provide an interval, in milliseconds, for how often you would like the check to run.

services.AddRetireRuntimeHostedService(c => c.CheckInterval = 60000);

What does it do?

The same as for the middleware endpoint.

Sample output

An app running on the vulnerable 2.1.11 runtime on macOS, using the ConsoleLogger:

warn: RetireNet.Runtimes.BackgroundServices.RetireRuntimeBackgroundService[0]
      Running on vulnerable runtime 2.1.11. Security release 2.1.13
Product Versions
.NET net5.0 net5.0-windows net6.0 net6.0-android net6.0-ios net6.0-maccatalyst net6.0-macos net6.0-tvos net6.0-windows

Version Downloads Last updated
6.0.0 2,048 11/26/2021
6.0.0-ci0010-363f59e 117 11/2/2021
5.0.0 5,131 11/27/2020
2.0.0 2,830 12/10/2019
0.8.0 303 12/10/2019
0.7.1 720 10/21/2019