Add security audit concept doc #3060
Conversation
|
Learn Build status updates of commit 7f29a0c:
|
| File | Status | Preview URL | Details |
|---|---|---|---|
| docs/concepts/Auditing-Packages.md | View | Details |
docs/concepts/Auditing-Packages.md
- Line 0, Column 0: [Warning: h1-missing - See documentation]
H1 is required. Use a single hash (#) followed by a space to create your top-level heading. - Line 65, Column 2: [Suggestion: disallowed-html-tag - See documentation]
HTML tag 'Restore' isn't allowed. Replace it with approved Markdown or escape the brackets if the content is a placeholder.
For more details, please refer to the build report.
Note: Your PR may contain errors or warnings or suggestions unrelated to the files you changed. This happens when external dependencies like GitHub alias, Microsoft alias, cross repo links are updated. Please use these instructions to resolve them.
For any questions, please:
- Try searching the learn.microsoft.com contributor guides
- Post your question in the Learn support channel
|
|
||
| ## About security audits | ||
|
|
||
| A security audit for package managers like NuGet is a process that involves analyzing the security of the packages that are included in a software project. This involves identifying vulnerabilities, evaluating risks, and making recommendations for improving security. The audit can include a review of the packages themselves, as well as any dependencies and their associated risks. The goal of the audit is to identify and mitigate any security vulnerabilities that could be exploited by attackers, such as code injection or cross-site scripting attacks. |
There was a problem hiding this comment.
HTML ignores whitespace, and markdown converts any empty line into a new div or paragraph. So, I suggest starting every new sentence on a new line (without a line of whitespace, obviously), so that after the PR is merged, if someone edits a sentence in the paragraph, only 1 line in the diff will show changes, rather than the entire paragraph. This is particularly useful when git/github gets a bit confused and doesn't highlight what exactly changed in the line, which is more likely on very long lines.
Same for other multi-sentence paragraphs in this doc, please 😃
docs/concepts/Auditing-Packages.md
Outdated
|
|
||
| If security vulnerabilities are found and updates are available for the package, you can either: | ||
|
|
||
| - Edit the `.csproj`, `packages.config`, or other package version location with a newer version containing a security fix. |
There was a problem hiding this comment.
No, you can't edit a packages.config file, because that will leave all the references in the project file pointing to an invalid directory (the old package version directory). For packages.config projects, customers must upgrade the package in Visual Studio.
Co-authored-by: Andy Zivkovic <zivkan@users.noreply.github.com>
|
Learn Build status updates of commit ae4b9e5:
|
| File | Status | Preview URL | Details |
|---|---|---|---|
| docs/concepts/Auditing-Packages.md | View | Details |
docs/concepts/Auditing-Packages.md
- Line 0, Column 0: [Warning: h1-missing - See documentation]
H1 is required. Use a single hash (#) followed by a space to create your top-level heading. - Line 73, Column 2: [Suggestion: disallowed-html-tag - See documentation]
HTML tag 'Restore' isn't allowed. Replace it with approved Markdown or escape the brackets if the content is a placeholder.
For more details, please refer to the build report.
Note: Your PR may contain errors or warnings or suggestions unrelated to the files you changed. This happens when external dependencies like GitHub alias, Microsoft alias, cross repo links are updated. Please use these instructions to resolve them.
For any questions, please:
- Try searching the learn.microsoft.com contributor guides
- Post your question in the Learn support channel
|
Learn Build status updates of commit 136eda6:
|
| File | Status | Preview URL | Details |
|---|---|---|---|
| docs/concepts/Auditing-Packages.md | View | Details |
docs/concepts/Auditing-Packages.md
- Line 0, Column 0: [Warning: h1-missing - See documentation]
H1 is required. Use a single hash (#) followed by a space to create your top-level heading. - Line 73, Column 2: [Suggestion: disallowed-html-tag - See documentation]
HTML tag 'Restore' isn't allowed. Replace it with approved Markdown or escape the brackets if the content is a placeholder.
For more details, please refer to the build report.
Note: Your PR may contain errors or warnings or suggestions unrelated to the files you changed. This happens when external dependencies like GitHub alias, Microsoft alias, cross repo links are updated. Please use these instructions to resolve them.
For any questions, please:
- Try searching the learn.microsoft.com contributor guides
- Post your question in the Learn support channel
|
Learn Build status updates of commit ab2b3f8:
|
| File | Status | Preview URL | Details |
|---|---|---|---|
| docs/concepts/Auditing-Packages.md | View | Details |
docs/concepts/Auditing-Packages.md
- Line 0, Column 0: [Warning: h1-missing - See documentation]
H1 is required. Use a single hash (#) followed by a space to create your top-level heading.
For more details, please refer to the build report.
Note: Your PR may contain errors or warnings or suggestions unrelated to the files you changed. This happens when external dependencies like GitHub alias, Microsoft alias, cross repo links are updated. Please use these instructions to resolve them.
For any questions, please:
- Try searching the learn.microsoft.com contributor guides
- Post your question in the Learn support channel
|
Learn Build status updates of commit 499b2d5: ✅ Validation status: passed
For more details, please refer to the build report. For any questions, please:
|
|
Should be good to review and ship |
Co-authored-by: Andy Zivkovic <zivkan@users.noreply.github.com>
|
Learn Build status updates of commit cda04e1: ✅ Validation status: passed
For more details, please refer to the build report. For any questions, please:
|
|
Learn Build status updates of commit 9269104: ✅ Validation status: passed
For more details, please refer to the build report. For any questions, please:
|
|
Learn Build status updates of commit 3abb595: ✅ Validation status: passed
For more details, please refer to the build report. For any questions, please:
|
* Updated Finding-and-Choosing-Packages.md (#3042) * Add security audit concept doc (#3060) * Add security audit concept doc * Update docs/concepts/Auditing-Packages.md Co-authored-by: Andy Zivkovic <zivkan@users.noreply.github.com> * Fix editing section * Update Auditing-Packages.md * Add h1 * Update Auditing-Packages.md * Update docs/concepts/Auditing-Packages.md Co-authored-by: Andy Zivkovic <zivkan@users.noreply.github.com> * Update Auditing-Packages.md --------- Co-authored-by: Andy Zivkovic <zivkan@users.noreply.github.com> * Update NuGet-FAQ.yml (#3066) Add Q# as supported language * Add the Native Target Framework (#3067) In the Blog Post (https://devblogs.microsoft.com/nuget/native-support/#native-target-framework) it is precisely stated that you should specify the "native" target framework, when developing win32 applications * Document MSBuildSdk package type (#3036) * Update readme page doc (#3025) * update allowlist + additional markdown feature support * reword --------- Co-authored-by: Lynn Dai <lind@microsoft.com> * NuGet June 2023 servicing release udpates (#3072) --------- Co-authored-by: Rishi Joshi <110519406+tangorishi@users.noreply.github.com> Co-authored-by: Andy Zivkovic <zivkan@users.noreply.github.com> Co-authored-by: Bradben <bradben@comcast.net> Co-authored-by: bub1ick <51718131+bub1ick@users.noreply.github.com> Co-authored-by: Rob Mensching <rob@firegiant.com> Co-authored-by: lyndaidaii <64443925+lyndaidaii@users.noreply.github.com> Co-authored-by: Lynn Dai <lind@microsoft.com> Co-authored-by: Heng Liu <45407901+heng-liu@users.noreply.github.com>
Initial drop of security auditing concept doc. Will require screenshots and we can elaborate more on other methods as well such as
dotnet list package --vulnerableand NuGet.org features if desired.