AutoTrust is a Command Line Interface (CLI) tool for C# that fetches metadata about a NuGet package to help developers assess the package before installing it. It was made as part of a master's thesis that can be found here.
These instructions will get you a copy of the project up and running on your local machine.
- .NET 7.0 or higher
git clone https://github.com/HallvardMM/AutoTrust.git
cd AutoTrust/AutoTrust
dotnet pack
dotnet tool install --global --add-source ./nupkg AutoTrust
dotnet tool install --tool-path ~/bin --add-source ./nupkg AutoTrust
dotnet tool uninstall --global AutoTrust
dotnet tool uninstall --tool-path ~/bin AutoTrust
The GitHub API has a rate limit that can lead to unsuccessful API calls. You can increase the limit by creating and adding a GitHub token. We recommend using a fine-grained personal access token with the "Public Repositories (read-only)" permission.
The application looks for GITHUB_API_TOKEN in the environment variables. The examples below show how to add the environment variable (insert your token instead of "github_pat_tokenString").
Temporary in the current Command Prompt (cmd.exe) session:
set GITHUB_API_TOKEN=github_pat_tokenString
Permanent user environment variable:
setx GITHUB_API_TOKEN github_pat_tokenString
On macOS or Linux, AutoTrust reads the token from the environment variables defined in the shell. Example of adding it temporarily (insert your token instead of "github_pat_tokenString"):
export GITHUB_API_TOKEN=github_pat_tokenString
How to permanently store the GITHUB_API_TOKEN depends on which shell you use. If you use zsh (the macOS default), store it in `.zshenv`; for bash (the default on most Linux distributions), store it in `.bashrc`. To open `.zshenv` in the terminal run `vim ~/.zshenv`, or to open it in a text editor run `touch ~/.zshenv; open ~/.zshenv`.
For both `.zshenv` and `.bashrc`, add the following line to the file:
export GITHUB_API_TOKEN=github_pat_tokenString
Note that you have to restart the terminal after adding the token for it to be available.
autotrust add [<PROJECT>] package <PACKAGE_NAME> [options]
Information about AutoTrust:
autotrust add package -?, -h, --help
autotrust add package [PackageName] -?, -h, --help
More detailed output for AutoTrust:
autotrust add package [PackageName] -ve, --verbosity <d|detailed|diag|diagnostic|n|normal|>
autotrust is used prior to installing a dotnet package. It can be embedded in your daily dotnet usage so you do not need to remember to run autotrust explicitly.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
Find profile file:
echo $profile
If the file does not exist in the folder, create it using:
New-Item -path $profile -type File -force
Open the file and add the command:
New-Alias -Name dotnet -Value autotrust
You might need to unblock the file using:
Unblock-File -Path .\PathToProfileFile
Restart PowerShell.
alias dotnet='autotrust'
AutoTrust checks dependencies two steps down (direct and first-level transitive) for the trust criteria that refer to dependencies in the table below.
Trust Criteria Name | Description of Threshold | Notes | Importance (1-10)
---|---|---|---
Age | Fails if the package version is less than 3 weeks old or over 1 year old | | 6
Analyzers | Fails if the package or its dependencies contain analyzers | | 3
Contributors | Fails if the number of total contributors is less than 2 or there are 0 active maintainers. Warns if there is 1 active maintainer | An active maintainer is defined as a maintainer that has 3 or more commits either during the last year or among the 100 last commits | 3
Deprecated Package | Fails if the package is marked as deprecated by NuGet | | 10
Deprecated Dependencies | Fails if any of the dependencies are marked as deprecated by NuGet | | 10
Direct and Transitive Dependencies | Warns if there are more than 20 direct dependencies or more than 50 transitive dependencies | Direct dependencies are the dependencies that are directly used by the package, while transitive dependencies are the dependencies of the direct dependencies and all dependencies further below | 5
Documentation | Checks for a README on NuGet and GitHub. If neither is present it checks for a project URL on NuGet, or a wiki or homepage on GitHub. Fails if none of the above is found | It also checks that the README is larger than 300 bytes (more than just a title) | 5
Initialization Script | Fails if the package or its dependencies contain initialization scripts | | 8
Known Vulnerabilities | Fails if any reported vulnerabilities are found on NuGet or in the OSV database | If a vulnerability is found, but not for the version being used in the project, the criterion passes but reports the vulnerability | 10
License | Fails if no license is found or the license is considered high risk. Warns if the license is considered medium risk, or AutoTrust cannot evaluate whether it is a standard license | Licenses are checked automatically if an SPDX identifier is used. The risk ranking is based on Synopsys | 7
Open Issues | Fails if there are no open issues, or the number of open issues is more than 60% of the total number, or if less than 30% of the open issues have been updated over the last year. Warns if the total number of issues is less than 30 | | 3
Open Pull Requests | Fails if there are no open pull requests, or the number of open pull requests is more than 60% of the total number, or if less than 30% of the open pull requests have been updated over the last year. Warns if the total number of pull requests is less than 10 | | 3
Popularity | Fails if the number of downloads is less than 10000, or GitHub stars are less than 2, or forks or watchers are less than 1. Warns if less than 10 NuGet packages or GitHub repositories use the package | | 7
Verified Prefix | Checks if the prefix is reserved on NuGet | | 7
Widespread Use | Fails if the oldest version of the package is less than 1 year old. Fails if the 10 previous versions (or fewer, if fewer than 10 exist) have a combined download count of less than 100000. Warns if there are less than 10 prior versions | | 6
The total security score (stars) is calculated from the importance of each trust criterion and its status (Pass/Warning/Fail). The score for each criterion is its importance multiplied by 1 for Pass, 0.5 for Warning, or 0 for Fail. The total score is the sum of the individual scores divided by the total possible score (the sum of all importances).
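The following is an added example, not code from the AutoTrust project, that reimplements in Python two of the threshold checks from the table (Age and Contributors) and the weighted score described above. It assumes the number of total contributors equals the number of distinct commit authors, and uses constructed commit data.

```python
from datetime import date, timedelta

# Importance of each trust criterion, taken from the table above.
IMPORTANCE = {
    "Age": 6, "Analyzers": 3, "Contributors": 3, "Deprecated Package": 10,
    "Deprecated Dependencies": 10, "Direct and Transitive Dependencies": 5,
    "Documentation": 5, "Initialization Script": 8, "Known Vulnerabilities": 10,
    "License": 7, "Open Issues": 3, "Open Pull Requests": 3, "Popularity": 7,
    "Verified Prefix": 7, "Widespread Use": 6,
}
# Pass=1, Warning=0.5, Fail=0, as described for the score.
MULTIPLIER = {"Pass": 1.0, "Warning": 0.5, "Fail": 0.0}


def check_age(published: date, today: date) -> str:
    """Age criterion: fails if the version is under 3 weeks or over 1 year old."""
    age = today - published
    if age < timedelta(weeks=3) or age > timedelta(days=365):
        return "Fail"
    return "Pass"


def check_contributors(commits: list, today: date) -> str:
    """Contributors criterion. commits is a list of (author, date), newest first.
    Assumption: total contributors = distinct authors in the commit list.
    An active maintainer has 3+ commits in the last year or among the last 100 commits."""
    since = today - timedelta(days=365)
    per_year, per_100 = {}, {}
    for i, (author, when) in enumerate(commits):
        if when >= since:
            per_year[author] = per_year.get(author, 0) + 1
        if i < 100:
            per_100[author] = per_100.get(author, 0) + 1
    active = {a for a, n in per_year.items() if n >= 3}
    active |= {a for a, n in per_100.items() if n >= 3}
    contributors = {author for author, _ in commits}
    if len(contributors) < 2 or not active:
        return "Fail"
    return "Warning" if len(active) == 1 else "Pass"


def total_score(results: dict) -> float:
    """Weighted score in [0, 1]: sum(importance * multiplier) / sum(importance)."""
    earned = sum(IMPORTANCE[n] * MULTIPLIER[s] for n, s in results.items())
    return earned / sum(IMPORTANCE[n] for n in results)
```

With every criterion passing except a failed Known Vulnerabilities check and a Contributors warning, the score is 81.5 / 93, which shows how much more a high-importance failure costs than a low-importance one.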
Please see the CONTRIBUTING for guidelines on contributing to this project.
This project is licensed under the Apache License - see the LICENSE file for details.