Enable NuGet auditing for your .NET projects

 
 
  • Gérald Barré

A security audit for package managers like NuGet is indeed a critical process for ensuring the security of software projects. NuGet has a feature to assist with this process. It can run a security audit with the dotnet restore command, which checks your dependencies against a list of known vulnerabilities from the GitHub Advisory Database.

If vulnerabilities are found, you can update the affected packages to a newer version containing a security fix, or if no updates are available, check for mitigating factors or use a suggested alternative package.

NuGet auditing requires .NET SDK 8.0.100 or later. To enable NuGet auditing for your .NET projects, add the following properties to your project file:

MyProject.csproj (csproj (MSBuild project file))
<Project>
    <PropertyGroup>
        <!-- Enable NuGet package auditing -->
        <NuGetAudit>true</NuGetAudit>

        <!-- Audit direct and transitive packages -->
        <NuGetAuditMode>all</NuGetAuditMode>

        <!-- Report low, moderate, high and critical advisories -->
        <NuGetAuditLevel>low</NuGetAuditLevel>

        <!-- Fails the build on CI or on release when a vulnerability is detected -->
        <WarningsAsErrors Condition="$(ContinuousIntegrationBuild) == 'true' OR '$(Configuration)' == 'Release'">
            (WarningsAsErrors);NU1900;NU1901;NU1902;NU1903;NU1904
        </WarningsAsErrors>
    </PropertyGroup>
<Project>

Note that you can also check for vulnerabilities in your projects using the dotnet list package --vulnerable command.

If you cannot fix a vulnerability yet, you can disable the warning per package using NoWarn on the PackageReference element. If the reference is transitive, you can add a direct reference to the vulnerable package.

MyProject.csproj (csproj (MSBuild project file))
<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="System.Formats.Asn1" Version="8.0.0"
                      NoWarn="NU1903" />
    <PackageReference Include="System.Text.Json" Version="8.0.1" />
  </ItemGroup>
</Project>

If you enable <WarningsAsErrors> globally in your project file, but you don't want this behavior for vulnerabilities, you can use WarningsNotAsErrors:

MyProject.csproj (csproj (MSBuild project file))
<Project>
  <PropertyGroup>
    <WarningsNotAsErrors>NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors>
  </PropertyGroup>
<Project>

#Additional resources

Do you have a question or a suggestion about this post? Contact me!

Follow me:
Enjoy this blog?Buy Me A Coffee💖 Sponsor on GitHub