NuGet auditing package dependencies for security vulnerabilities#23860

Merged
rmarinho merged 1 commit into
mainfrom
mu-20240520-security-wave-1-nuget-audit
Jul 30, 2024

Conversation

@moljac
Contributor

@moljac moljac commented Jul 26, 2024

Description of Change

Added NuGet auditing of package dependencies for security vulnerabilities.

https://learn.microsoft.com/en-us/nuget/concepts/auditing-packages

https://learn.microsoft.com/en-us/nuget/concepts/security-best-practices

@moljac moljac requested a review from a team as a code owner July 26, 2024 18:40
@moljac moljac requested review from jfversluis and jsuarezruiz July 26, 2024 18:40
Comment thread Directory.Build.props
Comment on lines +39 to +43
<PropertyGroup>
<NuGetAuditMode>all</NuGetAuditMode>
<NuGetAuditLevel>moderate</NuGetAuditLevel>
</PropertyGroup>
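Review bot: this PropertyGroup sets NuGetAuditMode and NuGetAuditLevel but never sets NuGetAudit itself, so whether auditing runs at all still depends on the SDK default (it is enabled by default from the .NET 8.0.100 SDK onward, which is also what the review question about newer SDKs is getting at); adding `<NuGetAudit>true</NuGetAudit>` alongside these two lines makes the intent explicit and independent of that default. Two related points worth confirming: NuGetAuditLevel defaults to `low`, so `moderate` here raises the reporting threshold and hides low-severity advisories rather than tightening the check; and audit findings are emitted only as warnings NU1901 through NU1904, so unless those codes are promoted (for example `<WarningsAsErrors>$(WarningsAsErrors);NU1902;NU1903;NU1904</WarningsAsErrors>`) a known-vulnerable dependency will still restore and build successfully, which defeats much of the purpose of a security-wave change.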

Member

Are they enabling these by default in newer .NET SDKs anyway?

https://github.com/NuGet/NuGet.Client/blob/5485ea697de98eee58746e0b0054cd478e33a1a5/src/NuGet.Core/NuGet.Build.Tasks/NuGet.targets#L71-L86

I remember seeing NuGetAudit set up by default in .NET 9 at one point.


@rmarinho rmarinho requested review from mattleibow and removed request for jfversluis and jsuarezruiz July 30, 2024 10:58
@rmarinho rmarinho merged commit a8b7afa into main Jul 30, 2024
@rmarinho rmarinho deleted the mu-20240520-security-wave-1-nuget-audit branch July 30, 2024 16:20
@samhouts samhouts added fixed-in-net9.0-nightly This may be available in a nightly release! fixed-in-8.0.80 and removed fixed-in-net9.0-nightly This may be available in a nightly release! labels Aug 2, 2024
@github-actions github-actions Bot locked and limited conversation to collaborators Sep 8, 2024
Labels

fixed-in-8.0.80 fixed-in-net9.0-nightly This may be available in a nightly release!
