
Enable NuGet auditing #30

Merged
merged 5 commits into from
Jul 15, 2024

Conversation

meziantou
Contributor

NuGet provides a way to report vulnerable packages when restoring packages. This PR enables it by default to ensure developers are aware of vulnerabilities in their projects and fix them.

Why?

Make sure developers are aware of .NET vulnerabilities, and so, increase the chances that they fix them:

  • Vulnerabilities are reported in the IDE
  • Vulnerabilities are reported in the CI


Considerations

  • Only supported by .NET SDK 8.0.100+. Projects still targeting .NET SDK 6 won't benefit from this change. However, .NET 6 is EOL by the end of the year, so all projects will soon benefit from this change.
  • ADO feeds: If you only use ADO NuGet feeds, the .NET SDK is currently not able to fetch known vulnerabilities. This will be fixed in a future version of .NET (already implemented, will be available in the next version). Currently it only seems to be possible to define audit sources in the NuGet.config file. I've opened an issue to ask for an MSBuild configuration. This would allow us to define the audit source in the coding standard too.

What if I cannot fix the warning yet?

You can disable the warning for specific packages using NoWarn on the PackageReference:

<PackageReference Include="System.Formats.Asn1" Version="8.0.0" NoWarn="NU1903" />

More resources

@meziantou meziantou requested a review from a team as a code owner July 15, 2024 15:30
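The PR's own diff is not shown on this page; the following is an added example of how a repository-wide switch like the one described above can be expressed in a Directory.Build.props, using the standard NuGet MSBuild properties (NuGetAudit, NuGetAuditMode, NuGetAuditLevel) and the NU1901-NU1904 warning codes. The ContinuousIntegrationBuild condition assumes the CI pipeline sets that property; it is not part of this PR.

```xml
<!-- Directory.Build.props (constructed example, not the PR's diff): applies to every project below this folder -->
<Project>
  <PropertyGroup>
    <!-- Run the vulnerability audit during restore (needs .NET SDK 8.0.100+; SDK 6 ignores these). -->
    <NuGetAudit>true</NuGetAudit>
    <!-- "all" also checks transitive packages; "direct" checks only packages referenced by the project. -->
    <NuGetAuditMode>all</NuGetAuditMode>
    <!-- Lowest severity that is reported: low, moderate, high or critical.
         low -> NU1901, moderate -> NU1902, high -> NU1903, critical -> NU1904 -->
    <NuGetAuditLevel>low</NuGetAuditLevel>
  </PropertyGroup>

  <!-- On CI (assumes the pipeline sets ContinuousIntegrationBuild=true), high and critical findings
       fail the build instead of only warning. A per-package NoWarn="NU1903" on the PackageReference,
       as shown in the PR description, still suppresses an individual, accepted finding. -->
  <PropertyGroup Condition="'$(ContinuousIntegrationBuild)' == 'true'">
    <WarningsAsErrors>$(WarningsAsErrors);NU1903;NU1904</WarningsAsErrors>
  </PropertyGroup>
</Project>
```

When packages come only from an ADO feed, the vulnerability database is fetched from whatever audit source NuGet.config declares, as the considerations above describe, so these properties alone do not produce findings in that setup.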
@asimmon
Member

asimmon commented Jul 15, 2024

Can we update the README as well regarding how to disable audit warnings/errors for specific packages?

@meziantou meziantou merged commit d5fecb9 into main Jul 15, 2024
4 checks passed
@meziantou meziantou deleted the feature/idp-1882 branch July 15, 2024 17:27