Enable NuGet auditing for your .NET projects

Gérald Barré

Security auditing is a critical step for protecting your software supply chain. NuGet supports this natively: during dotnet restore it checks the resolved packages against the vulnerability data published by your package source (nuget.org serves the GitHub Advisory Database) and emits a warning for each known vulnerability.

When vulnerabilities are found, update the affected packages to a version that includes a security fix. If no update is available, check for mitigating factors or consider a suggested alternative package.

NuGet auditing ships with .NET SDK 8.0.100 (NuGet 6.8) or later and is on by default. The following properties make the configuration explicit and tighten it:

MyProject.csproj (csproj (MSBuild project file))
<Project>
    <PropertyGroup>
        <!-- Enable NuGet package auditing (already the default since .NET SDK 8.0.100) -->
        <NuGetAudit>true</NuGetAudit>

        <!-- Audit direct and transitive packages (the 8.0.x SDK defaults to "direct") -->
        <NuGetAuditMode>all</NuGetAuditMode>

        <!-- Report low, moderate, high and critical advisories -->
        <NuGetAuditLevel>low</NuGetAuditLevel>

        <!-- Fail the build on CI or in Release when a vulnerability is detected.
             NU1901..NU1904 are low/moderate/high/critical advisories;
             NU1900 means the vulnerability data could not be retrieved, so
             treating it as an error also fails the build when the audit cannot run. -->
        <WarningsAsErrors Condition="'$(ContinuousIntegrationBuild)' == 'true' OR '$(Configuration)' == 'Release'">
            $(WarningsAsErrors);NU1900;NU1901;NU1902;NU1903;NU1904
        </WarningsAsErrors>
    </PropertyGroup>
</Project>

You can also check for vulnerabilities on demand with the dotnet list package --vulnerable command (add --include-transitive to cover transitive packages, and --format json for machine-readable output you can consume in CI).

If you cannot fix a vulnerability immediately, suppress its warning for that package with NoWarn on the PackageReference element. NoWarn only applies to packages you reference directly, so for a transitive package you first have to add a direct PackageReference to it (which also lets you pin a fixed version once one is published).

MyProject.csproj (csproj (MSBuild project file))
<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="System.Formats.Asn1" Version="8.0.0"
                      NoWarn="NU1903" />
    <PackageReference Include="System.Text.Json" Version="8.0.1" />
  </ItemGroup>
</Project>

You can also suppress a specific advisory by its URL, whichever package brings it in, with NuGetAuditSuppress:

MyProject.csproj (csproj (MSBuild project file))
<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="System.Formats.Asn1" Version="8.0.0" />
  </ItemGroup>
  <ItemGroup>
    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-447r-wph3-92pm" />
  </ItemGroup>
</Project>
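The dotnet list package check and the suppression rules above can be combined into a CI gate. The following script is an added example, not code from the post or from NuGet: it reads the JSON report of dotnet list package --vulnerable --include-transitive --format json and applies the same filters as NuGetAuditLevel, NuGetAuditMode and NuGetAuditSuppress, mapping each severity to the NU code restore would emit. The report field names (topLevelPackages, transitivePackages, vulnerabilities, severity, advisoryurl) follow the SDK's JSON format as assumed here; the embedded sample report is constructed, and its transitive package and advisory URL are placeholders rather than a real package or advisory.

```python
"""Hypothetical CI gate over the JSON report of `dotnet list package --vulnerable`.

Usage (not part of the .NET SDK):
    dotnet list package --vulnerable --include-transitive --format json | python nuget_audit_gate.py -
Without the "-" argument the constructed SAMPLE_REPORT below is used instead.
"""
import json
import sys

# Severity ranks mirror NuGetAuditLevel (low < moderate < high < critical);
# each severity maps to the NU code that restore emits for it.
SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4}
WARNING_CODE = {"low": "NU1901", "moderate": "NU1902", "high": "NU1903", "critical": "NU1904"}

# Constructed sample report. Field names are assumed from the SDK's JSON format.
# The direct finding uses the advisory quoted in the post; the transitive package
# "Contoso.Placeholder" and its GHSA-0000-0000-0000 URL are placeholders.
SAMPLE_REPORT = {
    "version": 1,
    "projects": [{
        "path": "MyProject.csproj",
        "frameworks": [{
            "framework": "net8.0",
            "topLevelPackages": [{
                "id": "System.Formats.Asn1",
                "requestedVersion": "8.0.0",
                "resolvedVersion": "8.0.0",
                "vulnerabilities": [{
                    "severity": "High",
                    "advisoryurl": "https://github.com/advisories/GHSA-447r-wph3-92pm",
                }],
            }],
            "transitivePackages": [{
                "id": "Contoso.Placeholder",
                "resolvedVersion": "1.0.0",
                "vulnerabilities": [{
                    "severity": "Moderate",
                    "advisoryurl": "https://github.com/advisories/GHSA-0000-0000-0000",
                }],
            }],
        }],
    }],
}


def audit_findings(report, audit_level="low", audit_mode="all", suppressed=()):
    """Return the findings restore would report under the given settings.

    audit_level mirrors NuGetAuditLevel, audit_mode mirrors NuGetAuditMode
    ("direct" or "all"), suppressed mirrors NuGetAuditSuppress (advisory URLs).
    """
    threshold = SEVERITY_RANK[audit_level]
    suppressed = set(suppressed)
    findings = []
    for project in report.get("projects", []):
        for fw in project.get("frameworks", []):
            # Direct packages are always audited; transitive ones only in "all" mode.
            groups = [("direct", fw.get("topLevelPackages", []))]
            if audit_mode == "all":
                groups.append(("transitive", fw.get("transitivePackages", [])))
            for kind, packages in groups:
                for pkg in packages:
                    for vuln in pkg.get("vulnerabilities", []):
                        severity = vuln["severity"].lower()
                        url = vuln["advisoryurl"]
                        # Drop suppressed advisories and anything below the audit level.
                        if url in suppressed or SEVERITY_RANK[severity] < threshold:
                            continue
                        findings.append({
                            "code": WARNING_CODE[severity],
                            "project": project.get("path", ""),
                            "framework": fw.get("framework", ""),
                            "kind": kind,
                            "package": f"{pkg['id']} {pkg.get('resolvedVersion', '')}".strip(),
                            "severity": severity,
                            "advisory": url,
                        })
    return findings


def exit_code(findings):
    """Non-zero when anything survived the level, mode and suppression filters."""
    return 1 if findings else 0


def main():
    report = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE_REPORT
    findings = audit_findings(report, audit_level="low", audit_mode="all")
    for f in findings:
        print(f"{f['code']} {f['project']} [{f['framework']}] {f['kind']} "
              f"{f['package']} ({f['severity']}): {f['advisory']}")
    sys.exit(exit_code(findings))


if __name__ == "__main__":
    main()
```

Run with the sample report, the gate reports the high-severity direct finding as NU1903 and the moderate transitive one as NU1902 and exits non-zero; passing the GHSA-447r-wph3-92pm URL in suppressed reproduces the effect of the NuGetAuditSuppress item above, and audit_mode="direct" reproduces the 8.0.x SDK default that ignores transitive packages.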

If TreatWarningsAsErrors is enabled globally in your project but you do not want audit warnings to fail the build, exclude them with WarningsNotAsErrors:

MyProject.csproj (csproj (MSBuild project file))
<Project>
  <PropertyGroup>
    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
    <!-- Keep the build green on audit warnings; add NU1900 to tolerate unavailable audit data too -->
    <WarningsNotAsErrors>NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors>
  </PropertyGroup>
</Project>

If your package sources (for example a private feed) don't provide vulnerability data, use the <auditSources> element in nuget.config (NuGet 6.12 / .NET SDK 9.0.100 or later) to name sources that are used only for the audit, while packages are still restored from your regular sources:

nuget.config (XML)
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- sources to restore packages -->
  <packageSources>
    <add key="example" value="https://example.com/nuget/v3/index.json" />
  </packageSources>

  <!-- sources for auditing -->
  <auditSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
  </auditSources>
</configuration>
