Enable NuGet Audit for better DevSecOps in .NET
Auditing is becoming increasingly important in a developer's everyday work; however, until now there was no particularly good way to do it in .NET, and even the lock file still has its deficiencies. To really audit your packages and references you had to rely on third-party packages, or use security software such as WhiteSource or Snyk.
Since NuGet 6.8, i.e. .NET 8 (SDK 8.0.100), there is an integrated SDK option.
Enable NuGet Audit
Open your Directory.Build.props file and add the following:
<!-- NuGet -->
<PropertyGroup>
  <NuGetAudit>true</NuGetAudit>
  <NuGetAuditLevel>low</NuGetAuditLevel>
  <NuGetAuditMode>all</NuGetAuditMode>
</PropertyGroup>
NuGetAudit enables the audit during the build process. NuGetAuditLevel specifies the minimum severity level of vulnerabilities to report (low, moderate, high or critical). NuGetAuditMode specifies the mode of the audit: direct checks only the packages you reference directly, while all also checks transitive dependencies.
If you don't have a Directory.Build.props file, you can create one in the root of your project (which is recommended) or add the property group to each of your projects.
Now you will see output like:
------ Build started: Project: EntityFrameworkDemo.Database.SqlServer.Migrations, Configuration: Debug Any CPU ------
------ Build started: Project: EntityFrameworkDemo.Apps.Console, Configuration: Debug Any CPU ------
C:\source\benabt\ba-efcore-best-practises\src\EntityFrameworkDemo.Apps.Console\EntityFrameworkDemo.Apps.Console.csproj : warning NU1903: Package 'Azure.Identity' 1.7.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-5mfx-4wcx-rv27
C:\source\benabt\ba-efcore-best-practises\src\EntityFrameworkDemo.Apps.Console\EntityFrameworkDemo.Apps.Console.csproj : warning NU1903: Package 'Microsoft.Data.SqlClient' 5.1.1 has a known high severity vulnerability, https://github.com/advisories/GHSA-98g6-xh36-x2p7
C:\source\benabt\ba-efcore-best-practises\src\EntityFrameworkDemo.Apps.Console\EntityFrameworkDemo.Apps.Console.csproj : warning NU1902: Package 'Microsoft.IdentityModel.JsonWebTokens' 6.24.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-59j7-ghrg-fj52
C:\source\benabt\ba-efcore-best-practises\src\EntityFrameworkDemo.Apps.Console\EntityFrameworkDemo.Apps.Console.csproj : warning NU1902: Package 'Microsoft.IdentityModel.JsonWebTokens' 6.24.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-8g9c-28fc-mcx2
C:\source\benabt\ba-efcore-best-practises\src\EntityFrameworkDemo.Apps.Console\EntityFrameworkDemo.Apps.Console.csproj : warning NU1902: Package 'System.IdentityModel.Tokens.Jwt' 6.24.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-59j7-ghrg-fj52
C:\source\benabt\ba-efcore-best-practises\src\EntityFrameworkDemo.Apps.Console\EntityFrameworkDemo.Apps.Console.csproj : warning NU1902: Package 'System.IdentityModel.Tokens.Jwt' 6.24.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-8g9c-28fc-mcx2
....
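Warnings like these do not fail a build by default, so a CI job will still pass. As an added example (not part of the original post), here is a small Python gate that parses the NU190x warning lines shown above, deduplicates advisories that are repeated across projects, and reports which packages meet a threshold equivalent to NuGetAuditLevel; the sample output is constructed from the page's warnings with a shortened path.

```python
import re

# Constructed sample build output modelled on the NU190x warnings shown above
# (paths shortened; advisory ids are the ones from the page). NuGet uses
# NU1901 = low, NU1902 = moderate, NU1903 = high, NU1904 = critical.
SAMPLE_BUILD_OUTPUT = "\n".join([
    "------ Build started: Project: EntityFrameworkDemo.Apps.Console, Configuration: Debug Any CPU ------",
    r"C:\src\App\App.csproj : warning NU1903: Package 'Azure.Identity' 1.7.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-5mfx-4wcx-rv27",
    r"C:\src\App\App.csproj : warning NU1902: Package 'Microsoft.IdentityModel.JsonWebTokens' 6.24.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-59j7-ghrg-fj52",
    # Constructed repeat from a second project referencing the same package: a gate must deduplicate.
    r"C:\src\Lib\Lib.csproj : warning NU1902: Package 'Microsoft.IdentityModel.JsonWebTokens' 6.24.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-59j7-ghrg-fj52",
])

SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4}

AUDIT_WARNING = re.compile(
    r"warning (?P<code>NU190[1-4]): Package '(?P<package>[^']+)' (?P<version>\S+) "
    r"has a known (?P<severity>low|moderate|high|critical) severity vulnerability, "
    r"(?P<advisory>\S+)"
)

def parse_audit_warnings(build_output):
    """Map (package, version) -> {"severity": worst seen, "advisories": set of URLs}."""
    findings = {}
    for line in build_output.splitlines():
        m = AUDIT_WARNING.search(line)
        if not m:
            continue  # ordinary build chatter, not an audit warning
        key = (m["package"], m["version"])
        entry = findings.setdefault(key, {"severity": m["severity"], "advisories": set()})
        entry["advisories"].add(m["advisory"])
        if SEVERITY_RANK[m["severity"]] > SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = m["severity"]  # keep the worst severity per package
    return findings

def findings_at_or_above(findings, threshold):
    """Like NuGetAuditLevel: return the packages whose severity is at least `threshold`."""
    limit = SEVERITY_RANK[threshold]
    return [key for key, v in findings.items() if SEVERITY_RANK[v["severity"]] >= limit]

if __name__ == "__main__":
    found = parse_audit_warnings(SAMPLE_BUILD_OUTPUT)
    blocking = findings_at_or_above(found, "high")
    for pkg, ver in blocking:
        print(f"{pkg} {ver}: {found[(pkg, ver)]['severity']} -> {sorted(found[(pkg, ver)]['advisories'])}")
    raise SystemExit(1 if blocking else 0)  # non-zero exit fails the CI job
```

Pipe the real `dotnet build` output into `parse_audit_warnings` instead of the constructed sample to use it as a pipeline step.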
NuGet Audit in Visual Studio
If you are using Visual Studio, you can see the audit results in the Error List / Output window. No additional settings are needed; the only requirement is Visual Studio 2022 v17.8 or newer.