
Enable NuGet Audit #57698

Closed
wants to merge 1 commit into from

Conversation

@halter73 (Member) commented Sep 4, 2024

Working on #57560 led me to NuGet/docs.microsoft.com-nuget#3336 which in turn pointed me to https://learn.microsoft.com/en-us/nuget/concepts/auditing-packages#audit-sources which talks about NuGet `<auditSources>`. This seems like it might be a better alternative to manually calling `dotnet list package --vulnerable --include-transitive --source https://api.nuget.org/v3/index.json` in projects created by our templates in an XUnit test like I'm doing in #57560.

@ViktorHofer I see that this is currently on your plate as part of dotnet/arcade#15019. Feel free to take this over if you want. I plan to add something like `<WarningsNotAsErrors Condition="'$(OfficialBuildId)' != ''">$(WarningsNotAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors>` to the Directory.Build.props before undrafting this, but first I want to see what fails in the normal PR builds.

@dotnet-issue-labeler dotnet-issue-labeler bot added the area-infrastructure Includes: MSBuild projects/targets, build scripts, CI, Installers and shared framework label Sep 4, 2024
@halter73 halter73 requested a review from ViktorHofer September 4, 2024 20:40
@ViktorHofer (Member) commented

@halter73 I'm currently out for an extended period of time. While I'm tracking this effort (when I'm back) I try to not do the work in the repos but provide guidance.

> I plan to add something like `<WarningsNotAsErrors Condition="'$(OfficialBuildId)' != ''">$(WarningsNotAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors>` to the Directory.Build.props

I would recommend using the following setting so that NuGet Audit warnings get promoted to errors only for official builds. This is essential to make sure that we don't ship assets (to consuming repos or customers) with vulnerability reports.

```xml
<WarningsNotAsErrors Condition="'$(OfficialBuild)' != 'true'">$(WarningsNotAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors>
```
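To show how the pieces discussed in this thread fit together (the `<auditSources>` approach from the PR description and the `WarningsNotAsErrors` condition from the review comment), here is an added illustration of a complete `Directory.Build.props`. It is not the PR's own diff or code from the dotnet repositories. It assumes an Arcade-style repo where `$(OfficialBuild)` is `'true'` only in official builds (as in the comment above), and it uses the NuGet SDK properties `NuGetAudit`, `NuGetAuditMode` and `NuGetAuditLevel` documented on the auditing-packages page linked in the PR description.

```xml
<!-- Directory.Build.props: added example, not part of this PR.
     Assumption: $(OfficialBuild) == 'true' only for official builds (Arcade convention
     referenced in the review comment above); in PR/dev builds it is empty or 'false'. -->
<Project>

  <PropertyGroup>
    <!-- Run NuGet Audit during restore and check transitive packages too,
         which replaces the manual
         "dotnet list package --vulnerable --include-transitive" call from the PR description. -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>

    <!-- Report every severity. The audit codes map to advisory severity:
         NU1901 = low, NU1902 = moderate, NU1903 = high, NU1904 = critical. -->
    <NuGetAuditLevel>low</NuGetAuditLevel>

    <!-- Repo-wide warnings-as-errors stays on. Combined with the demotion below,
         an advisory fails restore in an official build but only warns elsewhere. -->
    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
  </PropertyGroup>

  <!-- Recommended form from the review comment: the condition is true in every
       build that is NOT official, so only official builds keep NU190x as errors. -->
  <PropertyGroup>
    <WarningsNotAsErrors Condition="'$(OfficialBuild)' != 'true'">$(WarningsNotAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors>
  </PropertyGroup>

  <!-- For comparison, the form from the PR description. Its condition is true when
       OfficialBuildId is set, i.e. in official builds, so it would relax exactly the
       builds that should stay strict. Kept commented out; do not enable both. -->
  <!--
  <PropertyGroup>
    <WarningsNotAsErrors Condition="'$(OfficialBuildId)' != ''">$(WarningsNotAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors>
  </PropertyGroup>
  -->

</Project>
```

The audit source itself lives in `nuget.config`, not in MSBuild properties: an `<auditSources>` section listing the nuget.org V3 feed from the PR description (`https://api.nuget.org/v3/index.json`) lets restore fetch vulnerability data from that feed even when package restore goes through a mirror. To check the effect locally, run `dotnet restore` once with `OfficialBuild` unset (advisories appear as NU190x warnings) and once with `-p:OfficialBuild=true` (the same advisories fail the restore).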

@halter73 halter73 closed this Sep 26, 2024
@dotnet-policy-service dotnet-policy-service bot added this to the 9.0.0 milestone Sep 26, 2024
@halter73 halter73 deleted the halter73/arcade-15019 branch November 19, 2024 04:50
Labels
area-infrastructure Includes: MSBuild projects/targets, build scripts, CI, Installers and shared framework
2 participants