Prisma Cloud Application Security: Checkov returns empty results when scanning Azure Repos whose csproj files target .NET 8.0
Created On 08/16/24 16:00 PM - Last Modified 04/22/26 19:39 PM
Symptom
Suppose you are scanning an Azure repository that contains several csproj files describing the repository's package references.
If the target framework in these files is net6.0, Checkov scans the repository and reports the package information. If the target framework is net8.0, Checkov produces empty results.
Target framework specification in the .csproj files:
Environment
- Prisma Cloud
- Microsoft Azure
- Checkov
Cause
In one of the .csproj files the target framework is net8.0; in the other it is net6.0.
Running the same Checkov scan against both, the net6.0 project is scanned normally, while the net8.0 project yields empty scan results: 0 resources, 0 parsing errors, and therefore a passing run with nothing in the SBOM.
With .NET 8.0
checkov -d ./src --support --hard-fail-on HIGH --framework sca_package --bc-api-key **************::************** --prisma-api-url https://api.prismacloud.io --output spdx --output json --output-file-path "SCA/" --repo-id "****/****" --branch "****"
{
"passed": 0,
"failed": 0,
"skipped": 0,
"parsing_errors": 0,
"resource_count": 0,
"checkov_version": "3.2.219"
}
--- OUTPUT DELIMITER ---
## Document Information
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: checkov-sbom
DocumentNamespace: https://spdx.org/spdxdocs/checkov-sbom-3.2.219-454a024b-d83b-4152-bf58-8e26789deb93
## Creation Information
Creator: Tool: checkov
Creator: Organization: bridgecrew (meet@bridgecrew.io)
Created: 2024-08-09T16:47:05Z
With .NET 6.0
checkov -d ./src --support --hard-fail-on HIGH --framework sca_package --bc-api-key **************::************** --prisma-api-url https://api.prismacloud.io --output spdx --output json --output-file-path "SCA/" --repo-id "****/****" --branch "****"
## Package Information
PackageName: ag.framework.validators
SPDXID: SPDXRef-ag.framework.validators
PackageVersion: 1.2.0
PackageFileName: /Ag.Pmkt.Api.Test/Ag.Pmkt.Test.csproj
PackageDownloadLocation: NONE
FilesAnalyzed: true
## Package Information
PackageName: coverlet.collector
SPDXID: SPDXRef-coverlet.collector
PackageVersion: 3.1.2
PackageFileName: /Ag.Pmkt.Api.Test/Ag.Pmkt.Test.csproj
PackageDownloadLocation: NONE
FilesAnalyzed: true
## Package Information
PackageName: fluentvalidation.validators.unittestextension
SPDXID: SPDXRef-fluentvalidation.validators.unittestextension
PackageVersion: 1.11.0.2
PackageFileName: /Ag.Pmkt.Api.Test/Ag.Pmkt.Test.csproj
PackageDownloadLocation: NONE
FilesAnalyzed: true
...
With net6.0 the SPDX output lists the package references read from the csproj files; with net8.0 it does not.
Resolution
Currently only .NET 7.0 or lower is supported. Once the target framework meets this requirement, Checkov is able to scan the files.
We are working on compatibility with newer versions of .NET.
Note that an affected scan reports resource_count 0 and parsing_errors 0 and therefore exits as a pass even with --hard-fail-on HIGH, so an empty SCA result for a project targeting net8.0 should be treated as a scan that did not happen, not as a clean result.
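The following is an added pre-flight check, not Checkov or Prisma Cloud code. It walks a source tree, reads the TargetFramework / TargetFrameworks values from every .csproj (SDK-style or legacy namespaced MSBuild XML), flags any moniker newer than the net7.0 ceiling stated in the Resolution above, and lists the PackageReference entries that an empty scan would silently omit. The ceiling, the sample project files and the directory layout are assumptions constructed for the example; run it with a repository path as its only argument, or with no argument to exercise the embedded samples.

```python
"""Find .csproj files whose target framework is newer than the Checkov SCA
package scanner accepts (net7.0 per the article) before running the scan.
Added example, not Checkov or Prisma Cloud code; the ceiling is an assumption
taken from the Resolution section."""
import re
import sys
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Highest .NET (Core / 5+) version assumed to be supported, per the article.
MAX_SUPPORTED = (7, 0)

# Modern TFMs: net6.0, net8.0, net8.0-windows10.0.19041.0, netcoreapp3.1.
# netstandard2.0 and net48 (.NET Framework) deliberately do not match.
_TFM_RE = re.compile(r"^(?:net|netcoreapp)(\d+)\.(\d+)(?:-[\w.]+)?$")


def _local(tag):
    """Strip an XML namespace ('{uri}Name' -> 'Name'); legacy csproj files carry one."""
    return tag.rsplit("}", 1)[-1]


def tfm_version(tfm):
    """(major, minor) for a .NET Core / .NET 5+ moniker, else None."""
    m = _TFM_RE.match(tfm.strip().lower())
    return (int(m.group(1)), int(m.group(2))) if m else None


def check_csproj(xml_data, path="<inline>"):
    """Return the TFMs, the unsupported ones, and the PackageReferences of one project."""
    root = ET.fromstring(xml_data)
    tfms, packages = [], []
    for el in root.iter():
        name = _local(el.tag)
        if name == "TargetFramework":
            tfms.append((el.text or "").strip())
        elif name == "TargetFrameworks":  # multi-targeting: ';'-separated list
            tfms.extend(t.strip() for t in (el.text or "").split(";") if t.strip())
        elif name == "PackageReference" and el.get("Include"):
            # Version is normally an attribute; older files use a child element.
            version = el.get("Version") or next(
                ((c.text or "").strip() for c in el if _local(c.tag) == "Version"), "")
            packages.append((el.get("Include"), version))
    unsupported = [t for t in tfms
                   if (v := tfm_version(t)) is not None and v > MAX_SUPPORTED]
    return {"path": path, "tfms": tfms, "unsupported": unsupported, "packages": packages}


def scan_dir(root_dir):
    """Check every *.csproj below root_dir (bytes in, so a UTF-8 BOM is handled by the parser)."""
    return [check_csproj(p.read_bytes(), str(p))
            for p in sorted(Path(root_dir).rglob("*.csproj"))]


# Constructed sample projects modelled on the article's output (not real repository files).
SAMPLE_NET8 = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><TargetFramework>net8.0</TargetFramework></PropertyGroup>
  <ItemGroup>
    <PackageReference Include="ag.framework.validators" Version="1.2.0" />
    <PackageReference Include="coverlet.collector" Version="3.1.2" />
  </ItemGroup>
</Project>"""
SAMPLE_NET6 = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><TargetFramework>net6.0</TargetFramework></PropertyGroup>
  <ItemGroup><PackageReference Include="coverlet.collector" Version="3.1.2" /></ItemGroup>
</Project>"""
SAMPLE_MULTI = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><TargetFrameworks>net6.0;net8.0</TargetFrameworks></PropertyGroup>
</Project>"""

if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    if root is None:  # no path given: write the samples to a temp dir and scan that
        tmp = tempfile.TemporaryDirectory()
        root = Path(tmp.name)
        for n, x in (("Api", SAMPLE_NET8), ("Api.Test", SAMPLE_NET6), ("Shared", SAMPLE_MULTI)):
            (root / n).mkdir()
            (root / n / f"{n}.csproj").write_text(x)
    bad = 0
    for r in scan_dir(root):
        flag = "UNSUPPORTED" if r["unsupported"] else "ok"
        print(f"{flag:<11} {r['path']}  tfm={';'.join(r['tfms'])}  packages={len(r['packages'])}")
        bad += bool(r["unsupported"])
    sys.exit(1 if bad else 0)  # non-zero so a CI job stops before an empty Checkov run
```

A multi-targeted project is flagged as soon as any of its monikers exceeds the ceiling, because the page only documents the single-target case and a partially scanned project is not a safe assumption. Wiring this in front of the checkov invocation turns the silent "0 resources, passed" outcome into a visible pipeline failure.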