
Puma Scan Hunting

Eric Johnson edited this page Jun 12, 2020 · 10 revisions


Usage, tips, and tricks for Puma Scan Community.

.NET Core

Scan a .NET Core application from the command line by running the following commands against its .csproj file:

Install the Puma.Security.Rules package into each project that requires analysis:

The following command installs the latest version:

dotnet add path/to/project.csproj package Puma.Security.Rules

The following command pins to a specific version:

dotnet add path/to/project.csproj package Puma.Security.Rules -v 2.1.0

Clean and Build The Project

Build the project using the MSBuild file logger so that warnings are written to a file for post-processing. The example below writes the build output, errors, and warnings to build.log, errors.log, and warnings.log in the current directory.

dotnet clean
dotnet build "/flp:logfile=./build.log;verbosity=normal" "/flp1:logfile=./errors.log;errorsonly" "/flp2:logfile=./warnings.log;warningsonly" API.csproj 

Parse Puma Warnings

Run the Puma Parser shipped with the NuGet package to filter the results down to only Puma Scan warnings (SEC###):

dotnet ~/.nuget/packages/puma.security.rules/2.3.0/tools/parser/Puma.Security.Parser.dll -w . -f warnings.log -o puma.log

Threshold Criteria

The Puma Parser ships with an --errors switch that accepts a comma-delimited list of rule identifiers. If the scan results contain any of the listed rule identifiers, the process returns an exit code of one, which can be used to stop a build pipeline.

dotnet ~/.nuget/packages/puma.security.rules/2.3.0/tools/parser/Puma.Security.Parser.dll -w . -f warnings.log -o puma.log --errors SEC0029,SEC0108

Post Processing

Use the MSBuild parser in your favorite Continuous Integration tool to parse the puma.log file and store the security results with the build.
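As an added illustration of what the parse and threshold steps above do (example code, not the Puma Parser's own implementation), the following Python filters a constructed MSBuild warnings.log down to SEC### findings and derives the --errors exit code; the warning-line format and the sample messages are assumptions, not output from a real scan.

```python
import re
import sys

# One MSBuild file-logger warning line looks like (constructed sample):
#   /src/Controllers/HomeController.cs(42,13): warning SEC0108: <message> [/src/API.csproj]
WARNING_RE = re.compile(
    r"^(?P<file>.+?)\((?P<line>\d+),(?P<col>\d+)\): warning "
    r"(?P<rule>[A-Z]+\d+): (?P<msg>.*?)(?: \[(?P<project>[^\]]+)\])?\s*$"
)

def parse_puma_warnings(log_lines):
    """Keep only Puma Scan (SEC###) warnings, de-duplicated.

    Multi-target builds emit the same finding once per target framework, so the
    (file, line, rule) triple is used as the de-duplication key.
    """
    seen, findings = set(), []
    for raw in log_lines:
        m = WARNING_RE.match(raw.strip())
        if not m or not m.group("rule").startswith("SEC"):
            continue  # compiler (CS####) and other analyzer warnings are not Puma results
        key = (m.group("file"), int(m.group("line")), m.group("rule"))
        if key in seen:
            continue
        seen.add(key)
        findings.append({"file": key[0], "line": key[1], "rule": key[2],
                         "message": m.group("msg"), "project": m.group("project")})
    return findings

def threshold_exit_code(findings, error_rules):
    """Mirror the --errors switch: 1 if any finding matches a listed rule id, else 0."""
    blocking = {r.strip() for r in error_rules.split(",") if r.strip()}
    return 1 if any(f["rule"] in blocking for f in findings) else 0

# Constructed warnings.log content (not real scan output); the SEC0108 line is
# repeated the way a second target framework would repeat it.
SAMPLE_WARNINGS_LOG = [
    "/src/Controllers/HomeController.cs(42,13): warning SEC0108: constructed finding text [/src/API.csproj]",
    "/src/Program.cs(10,9): warning CS0168: The variable 'ex' is declared but never used [/src/API.csproj]",
    "/src/Controllers/HomeController.cs(42,13): warning SEC0108: constructed finding text [/src/API.csproj]",
]

if __name__ == "__main__":
    results = parse_puma_warnings(SAMPLE_WARNINGS_LOG)
    for f in results:
        print(f"{f['rule']} {f['file']}:{f['line']} {f['message']}")
    # Exit code 1 stops the pipeline when a blocking rule was reported.
    sys.exit(threshold_exit_code(results, "SEC0029,SEC0108"))
```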

Docker Scanning

The following commands start a dotnet build container, install the Puma Scan package in a given project (you may have many additional projects to add), build the projects, and parse the puma results into a puma.log file. In Jenkins, the puma.log file can be processed with the MSBuild plugin to report vulnerabilities.

# Start the build container (the host path for the bind mount is given as an absolute path, which every Docker release accepts)
docker run --name app_build -v "$(pwd)/src:/src" --rm -i -t -d microsoft/dotnet:2.2-sdk bash

# Install Puma Scan package
docker exec app_build dotnet add ./src/api.csproj package Puma.Security.Rules

# Build the App (including puma scan results)
docker exec app_build dotnet build "/flp:logfile=./src/results/build.log;verbosity=normal" "/flp1:logfile=./src/results/errors.log;errorsonly" "/flp2:logfile=./src/results/warnings.log;warningsonly" ./src/api.csproj

# Parse Puma Results
docker exec app_build sh -c "dotnet ~/.nuget/packages/puma.security.rules/2.1.0/tools/parser/Puma.Security.Parser.dll -w ./src/results -f ./src/results/warnings.log -o puma.log"

# Kill the build container
docker kill app_build