This looks like something that would be nice to have integrated in nuget.org, showing the report output for every package/version (and maybe highlighting deltas across versions).
If you're running this across your own project output, especially for a big code base, it's definitely not going to be as useful as across each dependency. For example your app having "analytics services" and "outbound http connections" might be totally normal, but if a library you're using for encryption adds those, that would be a concern.
This is a great idea - would love to have this info integrated into nuget.
Most likely people aren't going bother to run this on dependencies themselves (not to mention every version update), so having the info surfaced at the point of decision would be very useful and reach a ton more folks.
Hey folks, I'm on the NuGet team and I noticed this thread this morning. This is the first I've heard of Application Inspector (Microsoft is a big place!) but the tool looks awesome and the output is easy to understand for a variety of experience levels. The idea of integrating with NuGet sounds very promising! Caveats need to be investigated, i.e. my guess is the report is not exhaustive since code could perhaps call scary APIs in esoteric ways but perhaps there is value even if it covers just MOST of the cases.
I've tracked a feature request on GitHub here attempting to represent what was suggested here:
Add additional comments if you have thoughts on how it should work or anything else. Our backlog is pretty full right now but we'll update this GitHub issue if there is movement.
In addition to, or instead of, showing the results in the web UI, it would be valuable to make NuGet enforce user-selected criteria. When referencing a package, I would like to annotate that reference with some criteria that are currently met (e.g. the referenced package makes no network calls), and then later, for a package upgrade, NuGet would automatically check whether these criteria are still met, or fail the upgrade.
This sounds like a request for the NuGet client experience and less for browsing nuget.org. My expertise is more on the nuget.org side and less on the client side (like .NET CLI or Visual Studio). Could you file an issue for the NuGet client suggestion here?
Just wanted to introduce myself as the lead developer on the tool. Valid comments and questions have been dropped here and I've responded to a couple of them already by posting clarifications below and on the project wiki. Yes we are thinking of using the tool for repos like NuGet and maybe Github as a service that automatically identifies detected features for each component. Stay tuned and keep the ideas coming. Happy to answer any further questions.
I ran this against a file sharing application I am working on and the results were strange. Security features were supremely emphasized, even security concepts I didn’t realize I was focusing energy on. I am not saying the tool is wrong, but just that it picked security better than I had intentionally considered. No other features were highlighted though, so you still have no idea what the application is doing.
My team has been desperately searching for something like this. We actually started the effort to build our own, and were well into the prototyping phase. You may see some contributions from us in the future.
Over 93% of new software applications today use open source from public repositories of source code or other third-party code and average over 100 components of code that they didn't directly write. Often they have only a partial understanding of what is in them due to time constraints to release their products. That's a big attack surface, and knowing what is in the code that developers choose to build their products with is becoming urgent. This tool scans code and reports the types of features found in it to help developers decide whether it does more than they expected from a features standpoint. See the project site and wiki for more: https://github.com/Microsoft/ApplicationInspector
Yeah this happens pretty often, though I'm surprised it continues with Font Awesome's organizational changes: The "fab" prefix is specifically supposed to communicate that it's an icon from the "Brands" style. (Non-brand icons use "fas".) If you find yourself using a "fab" icon generically, you might want to double-check what it's supposed to represent...
Honestly, a lot of times when I'm doing quick designs, I just open the font page with all the images and just visually pick any that looks best. Definitely needed some sort of legal pass before release.
I spy logos for GitHub, Wordpress, Adobe, Linux, and Facebook as well. Not sure what they represent though. I would imagine that most of them make sense (Linux is an OS, Facebook is a cloud service, GitHub is a development tool, etc). The only one I'm curious about is Adobe. "Active Content" meaning Flash?
EDIT: Thanks to xroot's comment above, it is indeed Adobe Flash.
I pointed it at my Clojure project [1]. It correctly inferred [2] that the project is doing multithreaded network connections, which is nice, especially given that Clojure's a rather niche language.
It quite confidently pointed out an "App container" category, on grounds of the repo containing a circleci/config.yml, which is... technically correct, I guess, but less than useful.
I think an important warning should be that it can maybe, to some extent, tell "what's [for sure] in it", but I suspect it definitely shouldn't be used to verify "what's NOT in it", as in any kind of "security verification". Meaning, if you want to hide some code/malware snippet from it on purpose, I assume you'll definitely find a way to do that. And even if not on purpose, it may still happen accidentally.
> The tool supports scanning various programming languages including C, C++, C#, Java, JavaScript, HTML, Python, Objective-C, Go, Ruby, PowerShell and more and includes html, json and text output formats with the default being an html report similar to the one shown here.
I don't see any mention of the languages that it recognizes, but a perusal of some of the JSON files leads me to believe that this handles many different languages. It seems that it's by way of regular expressions, though, not language-specific parsing.
The tool supports scanning various programming languages including C, C++, C#, Java, JavaScript, HTML, Python, Objective-C, Go, Ruby, PowerShell and more and includes html, json and text output formats with the default being an html report.
The README has been updated since your comment to include:
> The tool supports scanning various programming languages including C, C++, C#, Java, JavaScript, HTML, Python, Objective-C, Go, Ruby, PowerShell and more
You can't parse it properly with a Regular Expression, but you can parse it with regex-like systems. However I doubt it is parsing outright - it only has to look for certain keywords and patterns that indicate certain behaviors.
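The keyword-and-pattern approach described above, combined with the upgrade-gating idea from the earlier comment about making NuGet enforce user-selected criteria, as an added example (not Application Inspector's own code or rules). The tags, patterns and the two C# sample sources are constructed for illustration.

```python
import re
from typing import Dict, Set, Tuple

# Constructed, hypothetical rules in the spirit of a regex-based feature scanner:
# each tag maps to a pattern that hints at a capability. Illustrative only,
# not Application Inspector's own rule set.
RULES: Dict[str, re.Pattern] = {
    "Outbound HTTP connection": re.compile(r"\b(HttpClient|WebRequest|WebClient)\b"),
    "Environment variable access": re.compile(r"\bGetEnvironmentVariable\b"),
    "Windows registry access": re.compile(r"\bRegistry\.\w+\.(OpenSubKey|GetValue)\b"),
    "Cryptography": re.compile(r"\b(Aes|RSA|SHA256|HMAC\w*)\.Create\b"),
}


def tag_features(source: str) -> Set[str]:
    """Return every feature tag whose pattern appears literally in the source.

    Only literal text is inspected, there is no parsing: a call assembled at
    runtime or reached via reflection leaves no match, which is why a clean
    report cannot prove that a feature is absent.
    """
    return {tag for tag, pattern in RULES.items() if pattern.search(source)}


def check_upgrade(old_src: str, new_src: str, forbidden: Set[str]) -> Tuple[bool, Set[str]]:
    """Compare the tags of two package versions; fail if a forbidden tag newly appears.

    Returns (ok, newly_added_tags). Tags the old version already carried are
    accepted, because the criteria were pinned against that version.
    """
    added = tag_features(new_src) - tag_features(old_src)
    return (not (added & forbidden), added)


# Constructed sample sources for two versions of a small encryption helper.
CRYPTO_V1 = """
using System.Security.Cryptography;
public static class Sealer {
    public static byte[] Seal(byte[] data) { using var aes = Aes.Create(); return data; }
}
"""
CRYPTO_V2 = CRYPTO_V1 + """
using System.Net.Http;
public static class Telemetry {
    static readonly HttpClient Http = new HttpClient();
    public static void Report() { Http.GetAsync(System.Environment.GetEnvironmentVariable("STATS_URL")); }
}
"""

if __name__ == "__main__":
    ok, added = check_upgrade(CRYPTO_V1, CRYPTO_V2, {"Outbound HTTP connection"})
    print("upgrade allowed:", ok, "new tags:", sorted(added))
```

Running it reports the upgrade as blocked because the second version newly introduces an outbound HTTP tag that the first version never carried.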
I wonder if they could marry this with ILSpy [1]. Basically point it at a compiled program, de-compile it, then analyze the decompiled code to see what it's doing. Might be useful in malware analysis and other areas.
It's a big company! Even people are not that consistent! For one, I'm seeing that the "mono" culture (not sure if pun intended, or not) is going away from there!
I could see this as handy when I'm trying to troubleshoot an opaque/proprietary/legacy application. Things like knowing it's talking to environment variables or the registry would be a lot of help drilling down into what it's touching so I know where to look for what's breaking it.
Mac Catalina restrictions appear to be the issue, where app launch checks were relaxed for a bit and then made more aggressive very recently. We added an issue on the app project site to look into whether the app, or just .NET Core, or both need a macOS notice fix, but there's a workaround discussed here: https://www.cultofmac.com/672576/cant-launch-your-apps-on-ma...
One thing I'm not a fan of in C# is how often libraries lack bundled source code, while in other similar languages (e.g. Java) you can use "Go to Definition" on pretty much any third-party library without hassle.
.NET decompilers are really good these days. It's usually easier than finding the source code, and definitely easier than finding documentation that explains how things are supposed to, let alone actually, work.
> The application is a client .NET Core based tool so it will run on Windows, Linux or macOS and does not require elevated privileges and there is no local database or network communications or telemetry.