
Auditing is becoming increasingly important in the everyday life of a developer; however, until now there was no particularly good way to do it in .NET - even the lock file still has its deficiencies. You had to rely on third-party packages to carry out real auditing of your packages and references, or use security software such as WhiteSource or Snyk.
Since NuGet 6.8, which ships with .NET 8 (SDK 8.0.100), there is an option integrated into the SDK.
Enable NuGet Audit
Open your Directory.Build.props file and add the following:
<!-- NuGet -->
<PropertyGroup>
  <NuGetAudit>true</NuGetAudit>
  <NuGetAuditLevel>low</NuGetAuditLevel>
  <NuGetAuditMode>all</NuGetAuditMode>
</PropertyGroup>
NuGetAudit enables the audit during package restore, and therefore during the build. NuGetAuditLevel specifies the minimum severity of vulnerabilities to report (low, moderate, high or critical). NuGetAuditMode specifies which packages are audited: all includes transitive dependencies, while direct checks only the packages your projects reference directly.
If you don't have a Directory.Build.props file, you can create one in the root of your repository (which is recommended) or add the properties to each of your projects.
Now you will see output like:
------ Build started: Project: EntityFrameworkDemo.Database.SqlServer.Migrations, Configuration: Debug Any CPU ------
------ Build started: Project: EntityFrameworkDemo.Apps.Console, Configuration: Debug Any CPU ------

C:\source\benabt\ba-efcore-best-practises\src\EntityFrameworkDemo.Apps.Console\EntityFrameworkDemo.Apps.Console.csproj : warning NU1903: Package 'Azure.Identity' 1.7.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-5mfx-4wcx-rv27
C:\source\benabt\ba-efcore-best-practises\src\EntityFrameworkDemo.Apps.Console\EntityFrameworkDemo.Apps.Console.csproj : warning NU1903: Package 'Microsoft.Data.SqlClient' 5.1.1 has a known high severity vulnerability, https://github.com/advisories/GHSA-98g6-xh36-x2p7
C:\source\benabt\ba-efcore-best-practises\src\EntityFrameworkDemo.Apps.Console\EntityFrameworkDemo.Apps.Console.csproj : warning NU1902: Package 'Microsoft.IdentityModel.JsonWebTokens' 6.24.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-59j7-ghrg-fj52
C:\source\benabt\ba-efcore-best-practises\src\EntityFrameworkDemo.Apps.Console\EntityFrameworkDemo.Apps.Console.csproj : warning NU1902: Package 'Microsoft.IdentityModel.JsonWebTokens' 6.24.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-8g9c-28fc-mcx2
C:\source\benabt\ba-efcore-best-practises\src\EntityFrameworkDemo.Apps.Console\EntityFrameworkDemo.Apps.Console.csproj : warning NU1902: Package 'System.IdentityModel.Tokens.Jwt' 6.24.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-59j7-ghrg-fj52
C:\source\benabt\ba-efcore-best-practises\src\EntityFrameworkDemo.Apps.Console\EntityFrameworkDemo.Apps.Console.csproj : warning NU1902: Package 'System.IdentityModel.Tokens.Jwt' 6.24.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-8g9c-28fc-mcx2
...
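Warnings alone are easy to overlook in a CI log. The following Directory.Build.props is an added example (not from the original post): it keeps the three audit properties shown above and additionally promotes the high and critical audit warnings to errors through MSBuild's WarningsAsErrors property, so a restore or build that finds such a package fails with a non-zero exit code instead of merely warning. The code-to-severity mapping is NuGet's own: NU1901 low, NU1902 moderate, NU1903 high, NU1904 critical.

```xml
<!-- Directory.Build.props: added example, not from the original post.
     Extends the audit settings shown above so that high and critical
     findings fail the build, while low and moderate ones remain warnings. -->
<Project>
  <PropertyGroup>
    <NuGetAudit>true</NuGetAudit>
    <!-- Report everything down to low severity (low | moderate | high | critical). -->
    <NuGetAuditLevel>low</NuGetAuditLevel>
    <!-- "all" also checks transitive packages; "direct" checks only top-level references. -->
    <NuGetAuditMode>all</NuGetAuditMode>
    <!-- NuGet audit warning codes: NU1901 low, NU1902 moderate, NU1903 high, NU1904 critical.
         Promote high and critical to errors so the build stops on them.
         $(WarningsAsErrors) is kept so that entries set elsewhere are not overwritten. -->
    <WarningsAsErrors>$(WarningsAsErrors);NU1903;NU1904</WarningsAsErrors>
  </PropertyGroup>
</Project>
```

With this in place, `dotnet restore` or `dotnet build` turns a finding like the Azure.Identity one above (NU1903) into an error and fails the pipeline, while the moderate NU1902 findings stay visible as warnings for triage. Broaden the list to NU1901 and NU1902 once the existing moderate and low findings have been worked off.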
NuGet Audit in Visual Studio
If you are using Visual Studio, you can see the audit results in the Error List / Output window. No additional settings are needed. The only requirement is Visual Studio 2022 v17.8 or newer.