{"id":2385,"date":"2022-05-04T10:22:21","date_gmt":"2022-05-04T17:22:21","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/dotnet\/?p=2385"},"modified":"2022-05-04T10:22:21","modified_gmt":"2022-05-04T17:22:21","slug":"quickly-map-your-nuget-packages-to-sources","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/dotnet\/quickly-map-your-nuget-packages-to-sources\/","title":{"rendered":"Quickly Map Your NuGet Packages to Sources"},"content":{"rendered":"

Package Source Mapper<\/h2>\n

When we introduced Package Source Mapping late last year, we noticed a certain challenge to make onboarding to using the feature easier. Could there be a way for us to automatically generate a NuGet.config for you based on your project\u2019s known packages and sources?<\/p>\n

We started to develop a tool that does just that for you. Learn more about how you can use it below.<\/p>\n

Getting the Tool<\/h2>\n

You can download the tool directly from NuGet.org as a dotnet tool<\/a>:<\/p>\n

dotnet tool install --global NuGet.PackageSourceMapper --version 0.1.3-preview.22218.1\n<\/code><\/pre>\n
Alternatively, you can download and compile the code locally<\/a> if you prefer to.<\/p>\n
Using Package Source Mapper<\/h2>\n
The package source mapper tool requires you to have completed a successful package restore in which it will read each respective .nupkg.metadata<\/code> file generated as part of your build to best understand how you map your respective packages and sources.<\/p>\n
Here\u2019s what one of those files looks like. Take a package like NuGet.Protocol<\/code> that was restored successfully:<\/p>\n
{\n  \"version\": 2,\n  \"contentHash\": \"W8SShKZ3bMvO2OzwPQj9BfdXnwgQTivs8lKtRIBcrgqKhY\/ylNG0JLmGz6BTYDqe89+USnAot6H0\/s1ZGC0eTw==\",\n  \"source\": \"https:\/\/api.nuget.org\/v3\/index.json\"\n}\n<\/code><\/pre>\n
This specific version was restored by only the NuGet.org endpoint as indicated by its contentHash<\/code> and source<\/code> properties. We can easily verify that it came directly from NuGet.org at any time with this information.<\/p>\n
Get Started<\/h2>\n
Let\u2019s take the NuGetPackageExplorer<\/a> repository for example. Once we restore the packages via an IDE or dotnet restore<\/code> command, we will be ready to use the tool in full.<\/p>\n
With the tool already installed, we can run the following command to generate a new NuGet.config<\/code> file with the appropriate source mappings to get us started with our onboarding to the feature:<\/p>\n
packagesourcemapper generate nuget.config\n<\/code><\/pre>\n
When we open the newly generated nugetPackageSourceMapping.config<\/code> file, we will now see a complete mapping of our packages and their respective sources.<\/p>\n
<packageSourceMapping>\n  <packageSource key=\"NuGet CI packages\">\n    <package pattern=\"microsoft.*\" \/>\n    <package pattern=\"nuget.jobs.common\" \/>\n    \u2026\n    <package pattern=\"nugetgallery.core\" \/>\n    <package pattern=\"strathweb.cacheoutput.webapi2.strongname\" \/>\n  <\/packageSource>\n  <packageSource key=\"dotnet-tools\">\n    <package pattern=\"microsoft.*\" \/>\n  <\/packageSource>\n  <packageSource key=\"BuildPackages\">\n    <package pattern=\"nuget.common\" \/>\n    <package pattern=\"nuget.configuration\" \/>\n    \u2026\n    <package pattern=\"nuget.protocol\" \/>\n    <package pattern=\"nuget.versioning\" \/>\n  <\/packageSource>\n  <packageSource key=\"nuget.org\">\n    <package pattern=\"antlr\" \/>\n    <package pattern=\"appinsights.windowsdesktop\" \/>\n    \u2026\n    <package pattern=\"xunit\" \/>\n    <package pattern=\"xunit.*\" \/>\n  <\/packageSource>\n<\/packageSourceMapping>\n<\/code><\/pre>\n
This gives you the foundation of mapping each of your sources more appropriately to the ideal source you\u2019d like it to come from. One best practice for this feature is to map a single package to a single source in a 1:1 relationship.<\/strong> This tool will do its best to provide you the best security practices such as complete package ID patterns and using wildcard (*) globs where appropriate.<\/p>\n
For further instructions on using this tool or getting started with it, please visit the NuGet.PackageSourceMapper<\/a> package on NuGet.org.<\/p>\n
Closing<\/h2>\n
You\u2019ve learned how to quickly map your NuGet packages to sources to secure your software supply chain.<\/p>\n
For more information on using this feature, please see our documentation on package source mapping<\/a>.<\/p>\n
For more tips and tricks on how to further secure your software with NuGet, check out our documentation on best practices for a secure software supply chain<\/a>.<\/p>\n
Feedback<\/h2>\n
Your feedback is important to us. If there are any problems with this tool, check our GitHub Issues<\/a>. For new issues within this experience, please report a GitHub Issue<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"
Package Source Mapper When we introduced Package Source Mapping late last year, we noticed a certain challenge to make onboarding to using the feature easier. Could there be a way for us to automatically generate a NuGet.config for you based on your project\u2019s known packages and sources? We started to develop a tool that does […]<\/p>\n","protected":false},"author":90553,"featured_media":2389,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[7933,7874],"tags":[7974,7975,7976,7977],"class_list":["post-2385","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-feature-announcement","category-nuget","tag-package-source","tag-package-source-mapper","tag-package-source-mapping","tag-source-mapping"],"acf":[],"blog_post_summary":"
Package Source Mapper When we introduced Package Source Mapping late last year, we noticed a certain challenge to make onboarding to using the feature easier. Could there be a way for us to automatically generate a NuGet.config for you based on your project\u2019s known packages and sources? We started to develop a tool that does […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts\/2385","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/users\/90553"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/comments?post=2385"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts\/2385\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/media\/2389"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/media?parent=2385"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/categories?post=2385"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/tags?post=2385"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}