Has anyone got Snyk(.io) scanning to work on the ExplorerPatcher source? I've got the build working, but my company's security team is likely to want the code scanned by Snyk before they'll be happy with it being installed. Whenever I try to scan using either the Snyk command line or the Visual Studio add-in, I get "ERROR: No valid Dotnet target framework found" for ExplorerPatcher\ExplorerPatcher\packages.config, \ExplorerPatcher\ep_gui\packages.config, and ExplorerPatcher\ep_weather_host\packages.config. I'm assuming (not a strong dev here) that the framework isn't dotnet, so I mean duh, it's not wrong, but I'm not sure why it's identifying the projects as such. Also, apologies, I know this isn't an ExplorerPatcher issue, but wondering if anyone has come across this.
Replies: 2 comments
It has a .sln file, but it is a Visual Studio C project according to the .vcxproj. And packages.config is for NuGet packages, which do not work yet with Visual Studio C projects according to this: https://stackoverflow.com/questions/50599104/packagereference-for-nuget-packages-in-c-projects So my guess is that Snyk assumes it is a dotnet project because of the .sln file and therefore expects packages.config to exist.
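One way to see which packages.config files sit beside a C/C++ (.vcxproj) project rather than a .NET one, and so are the ones the Snyk CLI will misread as .NET manifests; this is an added example, not code from the discussion, from ExplorerPatcher or from Snyk. The directory tree it builds is constructed to mirror the three paths named in the question, and the `tools/Helper` .csproj entry is hypothetical.

```python
"""Classify every packages.config under a source tree by the project type that owns it.

Snyk's CLI treats each packages.config as a .NET/NuGet manifest and reports
"No valid Dotnet target framework found" when the owning project is a .vcxproj,
so the 'cpp' entries below are the files a scan of a C project has to leave out.
"""
import os
import tempfile
from pathlib import Path

DOTNET_PROJECT_SUFFIXES = {".csproj", ".vbproj", ".fsproj"}


def classify_packages_config(root):
    """Return {packages.config path relative to root: 'cpp' | 'dotnet' | 'unknown'}."""
    result = {}
    for pc in sorted(Path(root).rglob("packages.config")):
        # Project type is decided by the project file in the same directory.
        suffixes = {p.suffix.lower() for p in pc.parent.iterdir() if p.is_file()}
        if ".vcxproj" in suffixes:
            kind = "cpp"
        elif suffixes & DOTNET_PROJECT_SUFFIXES:
            kind = "dotnet"
        else:
            kind = "unknown"
        result[str(pc.relative_to(root)).replace(os.sep, "/")] = kind
    return result


def cpp_packages_configs(root):
    """Only the packages.config files owned by C/C++ projects (the problematic ones)."""
    return sorted(p for p, k in classify_packages_config(root).items() if k == "cpp")


def build_sample_tree(root):
    """Constructed layout: three C projects as in the question, plus a hypothetical .NET one."""
    files = {
        "ExplorerPatcher/ExplorerPatcher.vcxproj": "<Project/>",
        "ExplorerPatcher/packages.config": "<packages/>",
        "ep_gui/ep_gui.vcxproj": "<Project/>",
        "ep_gui/packages.config": "<packages/>",
        "ep_weather_host/ep_weather_host.vcxproj": "<Project/>",
        "ep_weather_host/packages.config": "<packages/>",
        "tools/Helper/Helper.csproj": "<Project/>",  # hypothetical .NET project
        "tools/Helper/packages.config": "<packages/>",
    }
    for rel, content in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)


def classify_sample():
    """Build the constructed tree in a temp dir and classify it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return classify_packages_config(tmp), cpp_packages_configs(tmp)


if __name__ == "__main__":
    for path, kind in classify_sample()[0].items():
        print(f"{kind:8} {path}")
```

Run against a real checkout, `cpp_packages_configs(root)` gives the list to exclude from the CLI scan, while the `dotnet` entries are the ones Snyk can legitimately parse.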
Interestingly, when I told Snyk to scan the project using their SCM integration (pointing directly to the GitHub repo, from their web interface) it happily scans all the files. It's only when using the CLI or Visual Studio integration that it fails.

Anyway, it all came back clean with no bugs, which isn't terribly surprising given Snyk is usually about finding bugs with external libraries and data flow issues, and this is a Microsoft library based tool with very little network communication.

Next step: running the Joe Security malware analysis virtual machine, then hopefully I can get approval to run it on my work computer.