Enable NuGet auditing for your .NET projects

 
 
Gérald Barré

Auditing the packages a project depends on is a critical part of keeping software projects secure, and NuGet has a built-in feature to help with it. The dotnet restore command can run a security audit that checks the packages your project depends on against the known vulnerabilities published in the GitHub Advisory Database, and reports any match as a build warning.

If vulnerabilities are found, you can update the affected packages to a newer version containing a security fix, or if no updates are available, check for mitigating factors or use a suggested alternative package.

NuGet auditing requires .NET SDK 8.0.100 or later. To enable NuGet auditing for your .NET projects, add the following properties to your project file:

MyProject.csproj (csproj (MSBuild project file))
<Project>
    <PropertyGroup>
        <!-- Enable NuGet package auditing -->
        <NuGetAudit>true</NuGetAudit>

        <!-- Audit direct and transitive packages (older SDKs default to direct only) -->
        <NuGetAuditMode>all</NuGetAuditMode>

        <!-- Report low, moderate, high and critical advisories -->
        <NuGetAuditLevel>low</NuGetAuditLevel>

        <!-- Fail the build on CI or in Release when a vulnerability is detected.
             NU1901-NU1904 are the low/moderate/high/critical advisory warnings.
             NU1900 is raised when the audit source cannot be queried; including it
             makes the build fail closed instead of silently skipping the audit. -->
        <WarningsAsErrors Condition="'$(ContinuousIntegrationBuild)' == 'true' OR '$(Configuration)' == 'Release'">
            $(WarningsAsErrors);NU1900;NU1901;NU1902;NU1903;NU1904
        </WarningsAsErrors>
    </PropertyGroup>
</Project>

Note that you can also check for vulnerabilities in your projects with the dotnet list package --vulnerable command; add --include-transitive to cover transitive dependencies as well, since by default it only reports the packages you reference directly.

If you cannot fix a vulnerability yet, you can silence the warning per package using NoWarn on the PackageReference element. If the vulnerable package is only a transitive dependency, add a direct reference to it (at the version restore already resolves) so that there is a PackageReference to attach NoWarn to.

MyProject.csproj (csproj (MSBuild project file))
<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="System.Formats.Asn1" Version="8.0.0"
                      NoWarn="NU1903" />
    <PackageReference Include="System.Text.Json" Version="8.0.1" />
  </ItemGroup>
</Project>

You can also suppress specific advisories by URL with NuGetAuditSuppress (NuGet 6.11 / .NET SDK 8.0.400 or later). This is more precise than NoWarn, because any other advisory published for the same package is still reported:

MyProject.csproj (csproj (MSBuild project file))
<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="System.Formats.Asn1" Version="8.0.0" />
  </ItemGroup>
  <ItemGroup>
    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-447r-wph3-92pm" />
  </ItemGroup>
</Project>
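The NoWarn and NuGetAuditSuppress knobs above only affect restore. If your pipeline also runs dotnet list package --vulnerable --include-transitive --format json (mentioned earlier), the following Python script, added here as an example and not code from the original post, turns that JSON report into a CI gate that applies the same three decisions as the project properties: a minimum severity (NuGetAuditLevel), direct-only or all packages (NuGetAuditMode) and a set of accepted advisory URLs (NuGetAuditSuppress). The embedded report is constructed, the transitive package and its advisory URL are placeholders, and the JSON key names (projects, frameworks, topLevelPackages, transitivePackages, vulnerabilities, advisoryurl) are assumed to match the .NET 8 SDK's output; verify them against your SDK version before relying on the script.

```python
"""CI gate over the JSON report of `dotnet list package --vulnerable`.

Added example, not from the original post. The key names are assumed to
match the .NET 8 SDK's `--format json` output; verify against your SDK.
"""
import json
import subprocess
import sys

# Same ordering as NuGetAuditLevel: a finding counts when its severity is at or above the threshold.
SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample report. The System.Formats.Asn1 advisory is the one cited in the post;
# the transitive package and its advisory URL are placeholders, not a real advisory.
SAMPLE_REPORT = {
    "version": 1,
    "parameters": "--vulnerable --include-transitive",
    "sources": ["https://api.nuget.org/v3/index.json"],
    "projects": [{
        "path": "MyProject.csproj",
        "frameworks": [{
            "framework": "net8.0",
            "topLevelPackages": [{
                "id": "System.Formats.Asn1", "requestedVersion": "8.0.0", "resolvedVersion": "8.0.0",
                "vulnerabilities": [{"severity": "High",
                                     "advisoryurl": "https://github.com/advisories/GHSA-447r-wph3-92pm"}],
            }],
            "transitivePackages": [{
                "id": "Example.Transitive", "resolvedVersion": "1.0.0",
                "vulnerabilities": [{"severity": "Moderate",
                                     "advisoryurl": "https://example.invalid/advisories/PLACEHOLDER-1"}],
            }],
        }],
    }],
}


def run_dotnet_list(project_path: str) -> dict:
    """Run the SDK command and parse its report (needs the .NET SDK and a reachable audit source)."""
    completed = subprocess.run(
        ["dotnet", "list", project_path, "package", "--vulnerable",
         "--include-transitive", "--format", "json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(completed.stdout)


def find_vulnerable(report: dict, min_level: str = "low", mode: str = "all",
                    suppress: frozenset = frozenset()) -> list:
    """Return the findings that should fail the build.

    min_level mirrors NuGetAuditLevel, mode ("direct" or "all") mirrors NuGetAuditMode,
    and suppress holds advisory URLs exactly as NuGetAuditSuppress would list them.
    """
    threshold = SEVERITY_RANK[min_level.lower()]
    groups = [("topLevelPackages", False)]
    if mode == "all":
        groups.append(("transitivePackages", True))
    findings = []
    for project in report.get("projects", []):
        for framework in project.get("frameworks", []):
            for key, transitive in groups:
                for pkg in framework.get(key, []):
                    for vuln in pkg.get("vulnerabilities", []):
                        advisory = vuln.get("advisoryurl", "")
                        if advisory in suppress:
                            continue  # explicitly accepted, like NuGetAuditSuppress
                        if SEVERITY_RANK.get(vuln.get("severity", "").lower(), 0) < threshold:
                            continue  # below the NuGetAuditLevel threshold
                        findings.append({"id": pkg["id"], "version": pkg["resolvedVersion"],
                                         "severity": vuln["severity"], "advisory": advisory,
                                         "transitive": transitive})
    return findings


def main(argv: list) -> int:
    # Usage: audit_gate.py <path.csproj | -> [min_level] [direct|all] [suppressed advisory URL ...]
    # Pass "-" as the path to read a saved report from stdin instead of invoking dotnet.
    if len(argv) < 2:
        print(__doc__)
        return 2
    report = json.load(sys.stdin) if argv[1] == "-" else run_dotnet_list(argv[1])
    min_level = argv[2] if len(argv) > 2 else "low"
    mode = argv[3] if len(argv) > 3 else "all"
    findings = find_vulnerable(report, min_level, mode, frozenset(argv[4:]))
    for f in findings:
        kind = "transitive" if f["transitive"] else "direct"
        print(f"{f['severity']:<8} {f['id']} {f['version']} ({kind}) {f['advisory']}")
    return 1 if findings else 0  # non-zero exit fails the CI step


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `dotnet list package --vulnerable --include-transitive --format json > report.json && python audit_gate.py - high all < report.json` to fail the step only on high and critical advisories, or pass advisory URLs after the mode to accept specific findings the same way NuGetAuditSuppress does. Keeping the gate's severity threshold and suppression list in one place, next to the csproj settings, avoids the common drift where restore fails on an advisory that the reporting step has quietly accepted or vice versa.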

If you enable <WarningsAsErrors> globally in your project file but don't want vulnerability warnings to break the build, you can exclude them with WarningsNotAsErrors:

MyProject.csproj (csproj (MSBuild project file))
<Project>
  <PropertyGroup>
    <WarningsNotAsErrors>NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors>
  </PropertyGroup>
</Project>

If you restore packages from sources that don't support the audit feature (for example a private feed that does not expose vulnerability data, which restore reports as NU1905), you can use the <auditSources> element in nuget.config (NuGet 6.12 / .NET SDK 9.0.100 or later) to specify alternative sources that are queried only for vulnerability data, while packages still come from your regular package sources:

nuget.config (XML)
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- sources to restore packages -->
  <packageSources>
    <add key="example" value="https://example.com/nuget/v3/index.json" />
  </packageSources>

  <!-- sources for auditing -->
  <auditSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
  </auditSources>
</configuration>

