Fix #179

digitalcoyote · digitalcoyote · commit 0257ba2bc4ff · 2024-03-16T12:35:46.000-05:00
Possible Index Outside bounds of array when more than 128 packages are scanned
diff --git a/Src/NuGetDefense.Lib/NuGetDefense.Lib.csproj b/Src/NuGetDefense.Lib/NuGetDefense.Lib.csproj
@@ -23,7 +23,7 @@
         <Description>NuGetDefense ~ Check for Known Vulnerabilities at Build</Description>
         <PackageDescription>NuGetDefense was inspired by [OWASP SafeNuGet](https://nuget.org/packages/SafeNuGet/) but aims to check with multiple sources for known vulnerabilities.</PackageDescription>
         <Copyright>Curtis Carter 2023</Copyright>
-        <Version>4.0.2.0</Version>
+        <Version>4.0.4.0</Version>
         <RepositoryType>git</RepositoryType>
         <PackageReadmeFile>README.md</PackageReadmeFile>
     </PropertyGroup>
diff --git a/Src/NuGetDefense.Lib/Scanner.cs b/Src/NuGetDefense.Lib/Scanner.cs
@@ -22,7 +22,7 @@ namespace NuGetDefense;
 
 public class Scanner
 {
-    public const string Version = "4.0.2.0";
+    public const string Version = "4.0.4.0";
     public const string UserAgentString = @$"NuGetDefense/{Version}";
     public const string DefaultSettingsFileName = "NuGetDefense.json";
     public const string DefaultVulnerabilityDataFileName = "VulnerabilityData.bin";
@@ -196,12 +196,13 @@ private void ScanVulnerabilities(ScanOptions options)
                 var modUncached = uncachedPkgs.Count % 128;
                 if (modUncached > 0 && cachedPackages.Length > 0)
                 {
-                    for (var i = cachedPackages.Length - 1; i >= cachedPackages.Length - modUncached; i--)
+                    var rescanCount = Math.Min(128 - modUncached, cachedPackages.Length);
+                    for (var i = cachedPackages.Length - 1; i >= 0; i--)
                     {
                         uncachedPkgs.Add(cachedPackages[i]);
                     }
-                    
-                    cachedPackages = cachedPackages[..^modUncached];
+
+                    cachedPackages = cachedPackages[..^rescanCount];
                 }
                 // Round out the calls to have a full set of packages each to refresh oldest cached packages
                 if (uncachedPkgs.Count > 0) uncachedPkgs.AddRange(cachedPackages.Take(uncachedPkgs.Count % 128));
@@ -236,12 +237,13 @@ private void ScanVulnerabilities(ScanOptions options)
                     var modUncached = uncachedPkgs.Count % 128;
                     if (modUncached > 0 && cachedPackages.Length > 0)
                     {
-                        for (var i = cachedPackages.Length - 1; i >= cachedPackages.Length - modUncached; i--)
+                        var rescanCount = Math.Min(128 - modUncached, cachedPackages.Length);
+                        for (var i = cachedPackages.Length - 1; i >= 0; i--)
                         {
                             uncachedPkgs.Add(cachedPackages[i]);
                         }
-                    
-                        cachedPackages = cachedPackages[..^modUncached];
+
+                        cachedPackages = cachedPackages[..^rescanCount];
                     }
                     Log.Logger.Verbose("Checking the GitHub Security Advisory Database for Vulnerabilities");
                     var ghsaVulnDict =
diff --git a/Src/NuGetDefense/NuGetDefense.csproj b/Src/NuGetDefense/NuGetDefense.csproj
@@ -21,8 +21,8 @@
         <IncludeSymbols>true</IncludeSymbols>
         <SymbolPackageFormat>snupkg</SymbolPackageFormat>
         <Nullable>enable</Nullable>
-        <AssemblyVersion>4.0.2.0</AssemblyVersion>
-        <FileVersion>4.0.2.0</FileVersion>
+        <AssemblyVersion>4.0.4.0</AssemblyVersion>
+        <FileVersion>4.0.4.0</FileVersion>
         <PackageIcon>icon.png</PackageIcon>
     </PropertyGroup>
     <PropertyGroup Condition="'$(Configuration)'=='Release'">
@@ -37,7 +37,7 @@
         <PackageId>NuGetDefense.Tool</PackageId>
         <PackAsTool>true</PackAsTool>
         <ToolCommandName>nugetdefense</ToolCommandName>
-        <Version>4.0.2.0</Version>
+        <Version>4.0.4.0</Version>
         <PackageReadmeFile>README.md</PackageReadmeFile>
     </PropertyGroup>
     <ItemGroup>
diff --git a/Src/NuGetDefense/NuGetDefense.nuspec b/Src/NuGetDefense/NuGetDefense.nuspec
@@ -3,7 +3,7 @@
     <metadata>
         <id>NuGetDefense</id>
         <title>NuGetDefense</title>
-        <version>4.0.2.0</version>
+        <version>4.0.4.0</version>
         <authors>Curtis Carter</authors>
         <owners>Curtis Carter</owners>
         <projectUrl>https://digitalcoyote.github.io/NuGetDefense/</projectUrl>
@@ -12,7 +12,7 @@
         <description>
             vulnerabilities.
         </description>
-        <releaseNotes>https://github.com/digitalcoyote/NuGetDefense/releases/tag/v4.0.2.0</releaseNotes>
+        <releaseNotes>https://github.com/digitalcoyote/NuGetDefense/releases/tag/v4.0.4.0</releaseNotes>
         <repository type="git" url="https://github.com/digitalcoyote/NuGetDefense.git"/>
         <license type="expression">MIT</license>
         <icon>images\icon.png</icon>

Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@ namespace NuGetDefense;`
`22`	`22`
`23`	`23`	`public class Scanner`
`24`	`24`	`{`
`25`		`- public const string Version = "4.0.2.0";`
	`25`	`+ public const string Version = "4.0.4.0";`
`26`	`26`	`public const string UserAgentString = @$"NuGetDefense/{Version}";`
`27`	`27`	`public const string DefaultSettingsFileName = "NuGetDefense.json";`
`28`	`28`	`public const string DefaultVulnerabilityDataFileName = "VulnerabilityData.bin";`
`@@ -196,12 +196,13 @@ private void ScanVulnerabilities(ScanOptions options)`
`196`	`196`	`var modUncached = uncachedPkgs.Count % 128;`
`197`	`197`	`if (modUncached > 0 && cachedPackages.Length > 0)`
`198`	`198`	`{`
`199`		`- for (var i = cachedPackages.Length - 1; i >= cachedPackages.Length - modUncached; i--)`
	`199`	`+ var rescanCount = Math.Min(128 - modUncached, cachedPackages.Length);`
	`200`	`+ for (var i = cachedPackages.Length - 1; i >= 0; i--)`
`200`	`201`	`{`
`201`	`202`	`uncachedPkgs.Add(cachedPackages[i]);`
`202`	`203`	`}`
`203`		`-`
`204`		`- cachedPackages = cachedPackages[..^modUncached];`
	`204`	`+`
	`205`	`+ cachedPackages = cachedPackages[..^rescanCount];`
`205`	`206`	`}`
`206`	`207`	`// Round out the calls to have a full set of packages each to refresh oldest cached packages`
`207`	`208`	`if (uncachedPkgs.Count > 0) uncachedPkgs.AddRange(cachedPackages.Take(uncachedPkgs.Count % 128));`
`@@ -236,12 +237,13 @@ private void ScanVulnerabilities(ScanOptions options)`
`236`	`237`	`var modUncached = uncachedPkgs.Count % 128;`
`237`	`238`	`if (modUncached > 0 && cachedPackages.Length > 0)`
`238`	`239`	`{`
`239`		`- for (var i = cachedPackages.Length - 1; i >= cachedPackages.Length - modUncached; i--)`
	`240`	`+ var rescanCount = Math.Min(128 - modUncached, cachedPackages.Length);`
	`241`	`+ for (var i = cachedPackages.Length - 1; i >= 0; i--)`
`240`	`242`	`{`
`241`	`243`	`uncachedPkgs.Add(cachedPackages[i]);`
`242`	`244`	`}`
`243`		`-`
`244`		`- cachedPackages = cachedPackages[..^modUncached];`
	`245`	`+`
	`246`	`+ cachedPackages = cachedPackages[..^rescanCount];`
`245`	`247`	`}`
`246`	`248`	`Log.Logger.Verbose("Checking the GitHub Security Advisory Database for Vulnerabilities");`
`247`	`249`	`var ghsaVulnDict =`