[Epic] NuGet Package Vulnerability Auditing #8087
Comments
anangaur
changed the title
|
Are there plans to support writing the output of |
Why are only .NET Core customers the target audience for this? Are there any technical restrictions why it does not work for .NET Framework projects? Will it be only |
|
Great questions @pascalberger. We should be making this info available to nuget.exe or msbuild.exe or both. We did discuss this but looks like we failed to mention it in the spec. /cc: @xavierdecoster |
|
My main concern with this spec as-is is that it focuses so much on the informational aspect. When designing |
|
@zkat This is definitely on the cards as part of Stage 2 where we plan to implement an |
|
@skofman1 This should be the epic issue that should link any intermediate issues tracking the feature. Can you help me in linking the in-progress and planed items here from https://github.com/NuGet/nugetgallery/ or anywhere else? |
|
@anangaur , converted this to an epic and linked the Gallery epic to it. |
|
Tagging folks from community who have similar tools in the space to get their comments, feedback on the proposed experience:
It will be great to get your perspective on this feature. As you will notice, the feature is divided into 2 parts/phases:
|
|
Thanks for pinging. Here's a summary of what has arised in the Exit codesUse a meaningful exit code for this to run as part of a build in CI, so one has the option to fail the build easily. Console/terminal formatHuman readable format in the console, with a full dependency chain shown in case of transient vulnerabilities so they are
As a developer, it should be clear: "ok, I need to update this top-level dep, or install this transient as a direct dep from this version to this version". Report formatsFor the output format, there are many standards, including SWID, SPDX, CycloneDX, Package URL, and others. Look into those. See this article. Choosing a standard format, would make it easier for monitoring tools to import, examples: .NET specific handling:
Other features:
Another aspect: In case of larger API sets of a vulnerable library, it might be that the consumer is only using the unaffected parts. |
|
Building on @johnkors response: OutputOutput should give all the information a developer needs to take action on the vulnerability and if at all possible, be configurable. If developers start ignoring output the battle is lost.
Custom Vulnerability FeedsNuGet supports custom feeds that may include packages for which there are only internal sources that cover their vulnerabilities. Having a standard for obtaining these that could be implemented by third-parties to provide that data. This can also help when bandwidth is an issue. Offline Support/CachingA number of issues could be resolved with an offline cache of vulnerability data. NuGetDefense provides a cache like this containing data from NVD (ends up being < 30MB). Dependencies and FrameworksA multi-target package may have dependencies for .Net 4.8 that are not present in .Net Core 1.0 or .Net Standard 2.1. NuGet should be able to resolve the correct vulnerabilies and vulnerabilities of dependencies for the target framework. Ability to Ignore VulnerabilitiesThis leans on the idea from earlier. If they feel they need to ignore part of the output, they may start ignoring all of it.
|
|
Thanks @johnkors, @digitalcoyote for detailed comments and suggestions. Super helpful. /cc: @drewgillies |
|
Yes--thank you! |
This would be very helpful, but it seems like it wasn't implemented. Why not? |
|
dotnet list package --vulnerable does not warn about netcoreapp2.2 projects not supported? |
|
@anangaur make sure you consider false positives in packages which might be part of the NuGet package graph, but will be removed by the SDK conflict resolution cc @dsplaisted. This is the way we handled packages which were "absorbed" by frameworks since there is no way to express to NuGet to not download them if they are dependencies of packages. Since these packages are dead-ended it's very likely they will be old and potentially be marked vulnerable. Those vulnerabilities would never impact the application since the SDK would remove the package assets. Alternatively you can add functionality to NuGet to tell it which packages are "provided by" the framework and avoid that download / conflict-resolution step entirely. |
|
Adding @JonDouglas who owns this feature. |
|
@ericstj We'll revisit this shortly. I believe the latter option is what we're hoping to improve on in terms of in-the-box vs. out-the-box dependencies. We don't detect packages provided by framework today and will need to work with SDK team on that scenario. |
JonDouglas
changed the title
|
Since the planned package audit features are going in the right direction 👏👍, are there any plans to actively help putting vulnerability information into the system? (server side) One pretty famous example in my opinion is the recent event with a very outdated curl package: |
|
@kapsiR This is a very complex topic. I hope to write a blog shortly talking about some of the challenges here. NuGet is an intermediate. We use a centralized supplier known as the CVE (list of publicly disclosed vulnerabilities) through GitHub Advisories. For libraries like Curl, they maintain a thorough list of CVEs. As you may imagine, the challenge here happens when a package derives another and whether it is actually maintained or not. NuGet being an intermediate, we do not issue CVEs. We rely on a CNA(CVE Numbering Authority) to do so on behalf of the reporter and the maintainer of a package who becomes aware of a vulnerability. When we become aware of any vulnerability, we tend to bridge the connection of the reporter and the maintainer to take action and our due diligence on behalf of the community. If you have ideas for how we can bridge this gap further, please do file another issue with more details. We rely on the effort of our maintainer ecosystem to stay current with known vulnerabilities and ensuring each CVE has high-quality data. If you suspect any other notable libraries and their NuGet derivatives may contain known vulnerabilities, please reach out to the maintainer and send us a support request so we can be aware of it if they are unresponsive. |
JonDouglas
changed the title
|
Hi folks, Much of this work was released with NuGet 6.8: https://devblogs.microsoft.com/nuget/announcing-nuget-6-8-maintaining-security-with-ease/ We may need to re-organize this issue with our plans going into next year. You can also view our documentation for auditing experiences here: https://learn.microsoft.com/en-us/nuget/concepts/auditing-packages I will likely work with the team to create individual epics based on the new work areas we have started such as auditing at restore time, auditing affordances in tooling, and security enhancements made to NuGet gallery. Thus we may close this to better track work long term on an area basis. This epic might be too large right now to know what's actually happening. |
The NuGet team is following a know, prevent, fix framework to be proactive and take preventive measures to avoid security problems such as known vulnerabilities. This can be described as the following:
The following work below represents each of these categories.
Know your vulnerabilities 👀
Prevent new vulnerabilities⚠️
Fix or remove vulnerabilities 🔧
Please 👍 or 👎 this comment to help us with the direction of this epic & leave as much feedback/questions/concerns as you'd like on this issue itself and we will get back to you shortly.
Further tracking issues will be created shortly as requirements are gathered and planned.
The text was updated successfully, but these errors were encountered: