Enable NuGet Audit for better DevSecOps in .NET

Auditing your dependencies for known vulnerabilities is becoming part of a developer's everyday work; until now, however, .NET had no particularly good built-in way to do it (even the lock file still has its deficiencies). You had to rely on third-party packages to really audit your packages and references, or use security software such as WhiteSource or Snyk.

Since NuGet 6.8, which ships with .NET 8 (SDK 8.0.100), there is an integrated SDK option.

Enable NuGet Audit

Open your Directory.Build.props file and add the following:

    <!-- NuGet -->
    <PropertyGroup>
        <NuGetAudit>true</NuGetAudit>
        <NuGetAuditLevel>low</NuGetAuditLevel>
        <NuGetAuditMode>all</NuGetAuditMode>
    </PropertyGroup>

  • NuGetAudit enables the audit during the build process.
  • NuGetAuditLevel specifies the minimum severity level of vulnerabilities to report.
  • NuGetAuditMode specifies the mode of the audit.

If you don't have a Directory.Build.props file, you can create one in the root of your repository (which is recommended) or add the property group to each of your project files.
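The snippet above only reports findings; in a CI pipeline you usually want the build to stop once a vulnerability at or above the chosen level turns up. The following Directory.Build.props is an added example (not from the original post) that extends the author's three properties with the standard MSBuild WarningsAsErrors property for the audit warning codes NU1901 (low), NU1902 (moderate), NU1903 (high) and NU1904 (critical), and with NU1900, which NuGet raises when it could not fetch vulnerability data at all. It also shows a NuGetAuditSuppress item for an advisory that has been reviewed and accepted; the advisory URL is a placeholder, and NuGetAuditSuppress needs a newer NuGet (6.11, .NET SDK 8.0.400) than the 6.8 this post requires.

```xml
<Project>
  <!-- Added example (not from the original post): audit configuration that fails the build -->
  <PropertyGroup>
    <NuGetAudit>true</NuGetAudit>
    <!-- Report everything from "low" upwards; the other values are moderate, high and critical -->
    <NuGetAuditLevel>low</NuGetAuditLevel>
    <!-- "all" also audits transitive packages; "direct" checks only packages you reference yourself -->
    <NuGetAuditMode>all</NuGetAuditMode>
    <!-- Promote the audit warnings to errors so CI cannot go green with a known-vulnerable package.
         NU1900 means the vulnerability data could not be fetched; treating it as an error stops a
         blocked or flaky feed from turning into a silently skipped check. -->
    <WarningsAsErrors>$(WarningsAsErrors);NU1900;NU1901;NU1902;NU1903;NU1904</WarningsAsErrors>
  </PropertyGroup>

  <!-- Suppress one advisory that has been reviewed and accepted (NuGet 6.11 / SDK 8.0.400 or newer).
       The URL is a placeholder; use the advisory link printed in the NU19xx warning you want to accept. -->
  <ItemGroup>
    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-xxxx-xxxx-xxxx" />
  </ItemGroup>
</Project>
```

With this file in place, warning lines such as the NU1903 and NU1902 entries shown later in this post terminate the build instead of scrolling past. Note the division of labour: NuGetAuditLevel decides which advisories are reported at all (set to high, the NU1902 lines would not appear), while WarningsAsErrors decides whether a reported advisory blocks the build. Suppressions should be kept per advisory, never by disabling the audit, so an accepted risk stays visible in source control.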

Now you will see output like:

------ Build started: Project: EntityFrameworkDemo.Database.SqlServer.Migrations, Configuration: Debug Any CPU ------
------ Build started: Project: EntityFrameworkDemo.Apps.Console, Configuration: Debug Any CPU ------

C:\source\benabt\ba-efcore-best-practises\src\EntityFrameworkDemo.Apps.Console\EntityFrameworkDemo.Apps.Console.csproj : warning NU1903: Package 'Azure.Identity' 1.7.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-5mfx-4wcx-rv27
C:\source\benabt\ba-efcore-best-practises\src\EntityFrameworkDemo.Apps.Console\EntityFrameworkDemo.Apps.Console.csproj : warning NU1903: Package 'Microsoft.Data.SqlClient' 5.1.1 has a known high severity vulnerability, https://github.com/advisories/GHSA-98g6-xh36-x2p7
C:\source\benabt\ba-efcore-best-practises\src\EntityFrameworkDemo.Apps.Console\EntityFrameworkDemo.Apps.Console.csproj : warning NU1902: Package 'Microsoft.IdentityModel.JsonWebTokens' 6.24.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-59j7-ghrg-fj52
C:\source\benabt\ba-efcore-best-practises\src\EntityFrameworkDemo.Apps.Console\EntityFrameworkDemo.Apps.Console.csproj : warning NU1902: Package 'Microsoft.IdentityModel.JsonWebTokens' 6.24.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-8g9c-28fc-mcx2
C:\source\benabt\ba-efcore-best-practises\src\EntityFrameworkDemo.Apps.Console\EntityFrameworkDemo.Apps.Console.csproj : warning NU1902: Package 'System.IdentityModel.Tokens.Jwt' 6.24.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-59j7-ghrg-fj52
C:\source\benabt\ba-efcore-best-practises\src\EntityFrameworkDemo.Apps.Console\EntityFrameworkDemo.Apps.Console.csproj : warning NU1902: Package 'System.IdentityModel.Tokens.Jwt' 6.24.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-8g9c-28fc-mcx2
....

NuGet Audit in Visual Studio

If you are using Visual Studio, you can see the audit results in the Error List / Output window. No additional settings are needed. The only requirement is Visual Studio 2022 v17.8 or newer.

Screenshot: NuGet Audit results in Visual Studio 2022 (2024-03-vs2022-nuget-audit)