97 results for “codingcoyote”
-
If anyone wants to celebrate #Hacktoberfest with #NuGetDefense, it's got some low hanging fruit you can look into and I'll make time to review and label any PRs that are quality code.
Issues:
1. NuGetDefense needs to be evaluated for #dotnet 10 in each project. I expect it to be mostly just changing the target, but it may have a couple fixes needed.
2. Failing Unit Tests
3. Missing Unit Tests
4. Documentation Updates
I'll also make time to help with anyone who finds an issue difficult.
-
If anyone has been using #NuGetDefense after my unexpected pause in development, know that a new release was pushed recently that fixes what is IMHO one of the most annoying bugs. The file access retry on the vulnerability data was failing before it entered the try/catch used to trigger the retry logic.
-
I feel like a hypocrite: I preach the joys of CI/CD at work, but I manually package and deploy my open source releases even though it's painful.
Gonna have to invest some time to automate releases for #NuGetDefense soon. Half the reason I don't have time to do small fixes is that a small fix still takes 30 minutes to an hour to fully release if the bug is in NuGetDefense.Core.
-
Found time to maintain my #foss project #NuGetDefense for the first time in a while. Proprietary work has been bleeding me dry, but we just had a sudden change in management so hopefully I'll have more time for maintaining and even contributing to other projects.
-
#NuGetDefense v4.1.3 has been released: https://github.com/digitalcoyote/NuGetDefense/releases/tag/v4.1.3
This includes a fix for vulnerable packages failing to report when severity thresholds are used (due to CVSS scores being stored as a double), and a fix for vulnerable packages not being listed in reports generated from NuGetDefense.
This required updates to all NuGetDefense packages including NuGetDefense.Lib and NuGetDefense.NVD.API (NVD API 2.0 client library used in NuGetDefense).
-
#NuGetDefense (the #foss #security tool) has a new prerelease (v4.1.0-pre0001). It's deprecating the dotnet list parsing and will now parse the project.assets.json file for resolved dependencies.
I'm expecting this to weed out the intermittent dotnet list errors. But I need brave souls to give it a test drive before it releases.
-
#NVD is lowering their maximum results per page in April. This will likely affect older #NuGetDefense versions that are used to create the global vulnerability data for offline NVD scanning as well as potentially scans made using the NuGetDefense NVD API client. I'm going to try to get a preview version up this weekend to get ahead of the change and expect 500 or less results per page.
This probably won't affect many people unless you're using the global tool (NuGetDefense.Tool).
-
Absolutely amazing Super Bowl tonight. I read some wonderful pages of the #InfiniteDendrogram #LightNovel before doing some much needed crafting for my base in #Enshrouded and got a big fix in for #NuGetDefense.
Also, my wife is very excited that the Chiefs won. (I heard the screams of joy from the living room)
-
Trying to start my daughter on actual bug fixes for #OpenSource projects next. Anyone willing to accept a PR from a 10yo (she's only worked in C#)? I'm going to try to start her with #NuGetDefense since I'm familiar with it, but I need to teach her how to dig into a new codebase as well. It's like working with an intern, but I also get to yell at her across the house for not cleaning her room lol.
-
The first #dotnet 8.0 version of #NuGetDefense has been released as v4.0.0.0-prerelease1. https://github.com/digitalcoyote/NuGetDefense/releases/tag/v4.0.0.0-prerelease1 Give it a spin, and if there are no .Net 8-specific issues in the next week it will be fully released.
-
#dotnet global tools aren't working on an install of EndeavorOS. I think it's an issue with the AUR script, but I haven't had time to investigate yet and probably won't until Monday. Once I figure that out, I'll be able to test/publish #NuGetDefense 4.0.0.0, the first version to run on .Net 8.
Remember .Net 6 is still being supported through Nov 2024, so I'll continue to support the 3.x versions for that duration as well.
-
#NuGetDefense v3.2.0.0 has been released. This includes a few fixes for the SQLite vulnerability cache. That includes a PR from xtbmedia that fixes a crash that can occur when initially creating the cache.
This release still relies on the #dotnet 6.0 runtime being installed.
-
#NuGetDefense development should be resuming soon. A long series of unfortunate events including a death march, keyboard failure and then surgery have hopefully come to an end. That said, anyone willing to contribute would be much appreciated.
Looking to upgrade to #dotnet 8, handle some extra details through NuGet 6.8's internal vulnerable package checking and move to an ORM (likely EF) to allow using any DB for caching (and potentially supporting a shared cache) instead of just SQLite.
-
#NuGetDefense, the #opensource #dotnet #security tool has a new release (3.2.0.0-prerelease2). This is not production ready, but it utilizes the NVD API to generate and update the offline vuln data. Any help testing it would be appreciated.
The current releases should still work for those using the GitHub Security Advisories Database or the OSSIndex remote sources. This push is going to address the deprecation of the NVD JSON feeds.
Hoping to run it through my tests Monday night.
-
Last night I stumbled across System.Threading.RateLimiting, a #nuget package with basic rate limiting functionality. I'm reworking the API clients in #NuGetDefense and this package allows me to set up explicit policies to take some of the burden off the APIs I consume. Basically you can add a handler that returns 429 responses (TooManyRequests) from an HTTP client without actually sending the request.
https://devblogs.microsoft.com/dotnet/announcing-rate-limiting-for-dotnet/
It's a #dotnet 7 package, but it's built for netstandard 2.0 as well.
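An added example (not from the post or from NuGetDefense) of the handler described above: a DelegatingHandler that asks a client-side limiter for a permit and, when none is available, answers with a synthetic 429 locally so the upstream API never sees the request. The class and method names are assumptions, and the policy (5 requests per 30 seconds, no queueing) is constructed for illustration.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.RateLimiting;
using System.Threading.Tasks;

// Hypothetical handler (not NuGetDefense code): fails fast with a local 429 when the
// client-side limiter has no permit left. Requires the System.Threading.RateLimiting package.
public sealed class ClientRateLimitHandler : DelegatingHandler
{
    private readonly RateLimiter _limiter;

    public ClientRateLimitHandler(RateLimiter limiter, HttpMessageHandler inner) : base(inner)
    {
        _limiter = limiter;
    }

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        // QueueLimit = 0 below means this returns immediately rather than waiting for a permit.
        using RateLimitLease lease = await _limiter.AcquireAsync(1, ct);
        if (lease.IsAcquired)
            return await base.SendAsync(request, ct);

        // No permit: synthesize the response the server would have sent, without sending anything.
        var response = new HttpResponseMessage(HttpStatusCode.TooManyRequests) { RequestMessage = request };
        if (lease.TryGetMetadata(MetadataName.RetryAfter, out TimeSpan retryAfter))
            response.Headers.RetryAfter = new RetryConditionHeaderValue(retryAfter);
        return response;
    }
}

public static class RateLimitedClientFactory
{
    // Constructed policy: at most 5 requests per 30-second window, callers beyond that get 429.
    public static HttpClient Create() =>
        new HttpClient(new ClientRateLimitHandler(
            new FixedWindowRateLimiter(new FixedWindowRateLimiterOptions
            {
                PermitLimit = 5,
                Window = TimeSpan.FromSeconds(30),
                QueueLimit = 0,
                AutoReplenishment = true
            }),
            new HttpClientHandler()));
}
```

Callers can treat the local 429 exactly like a remote one and honor the Retry-After header, which keeps retry logic in one place.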
-
Well, the National Vulnerability Database is apparently doing away with their legacy feeds, so I'm throwing together a #NVD 2.0 API client for #NuGetDefense that will be published as a #nuget package for #dotnet 6+. This explains the issues I was having getting it to update the NVD feed recently.
-
Found another bug in #NuGetDefense. Doesn't seem to affect the common use cases so far, but it's problematic for a new CI setup I'm using at work. As much as I work with Unit Tests, one would think I'd have more tests for my own projects.
-
I've been thinking about ways to whitelist #nuget packages before allowing them to be installed (explicitly to prevent unauthorized build targets or PowerShell scripts). I'm considering building this sort of protection into #NuGetDefense (#foss nuget security tool) but I need more insight into how the PowerShell scripts are triggered (ex. old docs, blog posts, etc). Any insight, ideas, or opinions would be appreciated.
-
Found an article about malicious #nuget packages in the wild. It seems to mainly concern malicious PowerShell init scripts that #visualstudio runs. Although #NuGetDefense has a blocklist for packages, when installed in a project, it checks them after the init script would have already run. I'm going to start running scans prior to letting it restore packages.
NOTE: I don't know if the #dotnet cli or #jetbrainsrider run those scripts. Hopefully I'll have an update tonight.
-
Was looking for a way to get a standard folder for some #NuGetDefense features that's cross-platform. Environment.GetFolderPath() is one I wasn't aware of. It provides an enum of special folders such as ApplicationData which maps to the functionally similar directories on Linux and Windows.
https://learn.microsoft.com/en-us/dotnet/api/system.environment.getfolderpath?view=net-8.0
-
#NuGetDefense v3.0.10 has released! This is a minor bugfix release of the known vulnerability scanner for .Net packages. https://github.com/digitalcoyote/NuGetDefense
-
I like #GitLab, and I like their CI/CD but compared to #JetBrains #TeamCity it feels incredibly underpowered when it comes to cross project pipelines.
I've built multi-project chains of configs in TeamCity that know to wait on various builds, automatically pull the latest artifacts, and deploy to a spread of endpoints. Doing a Y-shaped pipeline in GitLab has been exhausting.
-
Today I learned some of my team has been using deploy scripts in #TeamCity to rewrite code for test sites and special builds.
I cannot stress enough how bad of a habit this is. If you are redirecting code, it should be done via configuration file changes not find/replace powershell scripts run on the codebase. This should be treated as dangerous since it could be used to circumvent security reviews if it happened on the production configuration.
-
Why is it that no college or code camp properly teaches debugging? It's not always an option, but it's a powerful option when it is.
Even more so if you have the ability to do live editing/hot reloading or #TimeTravelDebugging (really wish I could use this one at work).
-
Someone updated #easyspeak to put on #GrapheneOS and saved me a ton of time. A custom #AOSP based OS I've been working with needed a TTS service for our proprietary app and the devices we have didn't have one. I need to make a few modifications so we don't have to configure it for every device we have, but #FOSS has saved me a significant amount of headache.
#SherpaTTS also worked well, but required too many resources and I didn't have enough vespene gas to justify building more pylons...
-
Multi-language projects aren't terrible. Multi-framework projects are bearable, but multi-paradigm projects are not fun.
Working in what appeared to be a purely #functionalprogramming project and I find one feature where it's all suddenly #objectorientedprogramming. This too is only an issue while swapping between the two though (or trying to write reusable code).
-
Friendly reminder that #httpstatuscodes like 405 have specific meanings to make it easier to troubleshoot simple errors.
Please do not return a "Method Not Allowed" for business logic restrictions/errors.
-
When making changes in a function do you believe it's ok to bring the function in line with the project's coding style? I'd love to know your thoughts in detail as well, it's not something I ever considered controversial.
#softwareDevelopment #coding #codeFormatting
-
For the sake of my sanity, please do not use a Rube Goldberg cartoon as your SRS. If I see one more button that writes to a database, so a timer can write to a different database, so another timer can trigger an update in a cache, so a service watching the cache can send a message to Event Grid, so #eventgrid can send a message to a #signalR hub, so a SignalR client can receive the event and call up to an API to get the data set by the button, I may lose my cool.
-
#frontend and #fullstack devs: Be optimistic about API calls. Research has shown that as little as 100ms of delay is the time it takes for a user to go from perceiving they did something to perceiving they are waiting on something. And 250ms is enough for them to be upset about it.
I've seen too many instances where the UI doesn't update until the API call returns or a #signalr event comes back. If you can anticipate a response, let the UI assume it will succeed for the best UX that feels "magic".