March 2nd, 2021

How to Scan NuGet Packages for Security Vulnerabilities

Drew Gillies

Senior Software Engineer

Open Source is everywhere. It is in many proprietary codebases and community projects. For organizations and individuals, the question today is not whether you are or are not using open-source code, but what open-source code you are using, and how much.

If you are not aware of what is in your software supply chain, an upstream vulnerability in one of your dependencies can be fatal, making you, and your customers, vulnerable to a potential compromise.

Today, we are announcing the public availability of NuGet’s vulnerability features that you can use to ensure your projects are vulnerability free and if not, to take action to securing your software supply chain.

Where do CVE/GHSA come from?

NuGet gets its CVE/GHSA information directly from the centralized GitHub Advisory Database. The database provides two main listings of vulnerabilities:

A CVE is Common Vulnerabilities and Exposures. This is a list of publicly disclosed computer security flaws.
A GHSA is a GitHub Security Advisory. GitHub is a CVE Numbering Authority (CNA) and is authorized to assign CVE identification numbers.

See the following documentation on GitHub Security Advisories.

NuGet.org Package Details

You can now view any known CVE/GHSA directly on NuGet.org. NuGet.org will show you a banner telling you that a vulnerability with a specific severity has been detected and how you might go about resolving it.

For package authors, you will see a banner telling you that a specific package version had a vulnerability detected. You will be able to view the advisory, severity of the advisory, and any actions you should take to protect the NuGet ecosystem.

Additionally, you will see a warning icon of your listed packages to let you know that a vulnerability has been detected.

dotnet CLI

You can now list any known vulnerabilities in your dependencies within your projects & solutions with the dotnet list package --vulnerable command.

You will see any vulnerabilities within your top-level packages. You will be able to understand the version resolved, the severity of the advisory, and a link to the advisory for you to view.

If you are interested in seeing vulnerabilities within your transitive packages, you can use the --include-transitive parameter to see those.

To scan for vulnerabilities within your projects, download the .NET SDK 5.0.200, Visual Studio 2019 16.9, or Visual Studio 2019 for Mac 8.8 which includes the .NET SDK.

Note: Packages listed in examples above have since been patched or have been marked deprecated & unlisted appropriately.

Summary

You have learned about the new tools that NuGet provides to help you scan your NuGet packages for security vulnerabilities. These tools should help you secure your software supply chain and take action today.

Although this is the beginning of bringing a more secure package ecosystem to .NET developers everywhere, we have many exciting plans to help you audit & fix your dependencies in the near future.

If you’re interested in the best practices that you can follow today to secure your software supply chain, check out our documentation on best practices for a secure software supply chain.

Author

Drew Gillies

Senior Software Engineer

Hi! I'm a software engineer (and sometimes lead) at Microsoft. I cut my teeth on Borland languages, Win32 API apps and Java apps/applets, and was very happy when .NET entered the world. I spend some of my time in web apps, some in databases, and some in general cloud architecture.

27 comments

Discussion is closed. Login to edit/delete existing comments.

Sort by :

Newest

Newest Popular Oldest

Lyman Epp March 22, 2021 · Edited

This is definitely very cool!

I've found that it aborts when it encounters a vcxproj in the solution file.

<code>

Edit: I've also found that it aborts with project type guid {349C5851-65DF-11DA-9384-00065B846F21} (old-style web hosting project)

This is definitely very cool!

I’ve found that it aborts when it encounters a vcxproj in the solution file.

error: The imported project "d:\Microsoft.Cpp.Default.props" was not found. Confirm that the expression in the Import declaration "\Microsoft.Cpp.Default.props" is correct, and that the file exists on disk.  d:\dev\trunk\infra\Framework_clean\src\Library\Framework.Resource\Framework.Resource.vcxproj

Usage: NuGet.CommandLine.XPlat.dll package list [arguments] [options]

Arguments:
  <PROJECT | SOLUTION>  A path to a project, solution file or directory.

Options:
  -h|--help               Show help information
  --force-english-output  Forces the application to run using an invariant, English-based culture.
  --framework             Specifies the target framework for which the packages will be listed.
  --deprecated            Displays only the packages marked deprecated by the authors.
  --outdated              Displays only the packages that need updates with the latest version from the sources.
  --vulnerable            Displays only the packages flagged as vulnerable.
  --include-transitive    Includes transitive packages too in the result.
  --include-prerelease    Considers prerelease versions when looking for latest. Works only with `--outdated`.
  --highest-patch         Considers only the versions with matching minor and major. Works only with `--outdated`.
  --highest-minor         Considers only the versions with matching major. Works only with `--outdated`.
  --source                Sources to lookup for latest versions. Works only with `--outdated`.
  --config                A path to a config file to specify sources. Works only with `--outdated`.
  --interactive           Allow the command to block and require manual action for operations like authentication.
  -v|--verbosity          Set the verbosity level of the command. Allowed values are q[uiet], m[inimal], n[ormal], d[etailed], and diag[nostic].

Edit: I’ve also found that it aborts with project type guid {349C5851-65DF-11DA-9384-00065B846F21} (old-style web hosting project)

Wayne ~~ March 18, 2021 1

Is only for .Net Core ?
Peter Row March 17, 2021 0

Can this be used for projects that run on .NET 4.x or is it only for those using .NET Core?
- Colac, Teodora May 12, 2021 0
  
  Good morning! I have the same question, can this command be used for projects on .Net 4.7 ?
  I have the following error:
  "The imported project "C:\Program Files\dotnet\sdk\5.0.201\Microsoft\VisualStudio\v16.0\WebApplications\Microsoft.WebApplication.targets" was not found. Confirm that the expression in the Import declaration "C:\Program Files\dotnet\sdk\5.0.201\Microsoft\VisualStudio\v16.0\WebApplications\Microsoft.WebApplication.targets" is correct, and that the file exists on disk."
  I have the sdk installed with VS 2019 16.9.2.
  
  Read more
  Good morning! I have the same question, can this command be used for projects on .Net 4.7 ?
  I have the following error:
  “The imported project “C:\Program Files\dotnet\sdk\5.0.201\Microsoft\VisualStudio\v16.0\WebApplications\Microsoft.WebApplication.targets” was not found. Confirm that the expression in the Import declaration “C:\Program Files\dotnet\sdk\5.0.201\Microsoft\VisualStudio\v16.0\WebApplications\Microsoft.WebApplication.targets” is correct, and that the file exists on disk.”
  I have the sdk installed with VS 2019 16.9.2.
  
  Read less
Peter Tollnes Flem March 9, 2021 0

Thanks for this! It's great to have such a tool.

When I run the command, it seems to use all NuGet sources that it knows of on my machine, even if they are not used in the current project I'm trying to scan. Is there any way to make it only use sources that are relevant to a project, other than manually specifying them with the option? It causes a problem when it can't...
Read more
Thanks for this! It’s great to have such a tool.

When I run the dotnet list package --vulnerable command, it seems to use all NuGet sources that it knows of on my machine, even if they are not used in the current project I’m trying to scan. Is there any way to make it only use sources that are relevant to a project, other than manually specifying them with the --source option? It causes a problem when it can’t authenticate with a NuGet feed, even though the feed isn’t used in the project.

Read less
Christo March 4, 2021 0

This is great, thanks.
- Drew Gillies Author March 8, 2021 0
  
  You’re welcome, and thanks for the comment!
Paco Calvo March 4, 2021 0

It looks great.
Besides the support asked before by Pascal Berger to integrate it in CI pipelines, there’s any plan to integrate this functionality into NuGet Package Manager in Visual Studio?
- Drew Gillies Author March 8, 2021 0
  
  Thank you! And Visual Studio Package Manager integration is something we’re currently working on. Stay tuned!
Matthias Koch March 3, 2021 0

Important work! I just run this on my solution and I got the feeling that it isn’t working very “smart”. It processed the first project which basically references all other projects from the solution, yet all the other projects were inspected again (and again if referenced from another once more).
- Drew Gillies Author March 8, 2021 0
  
  This may be the way the CLI has functioned historically, and could be a good issue for us to look at–would you please file it here (https://github.com/NuGet/Home/issues)? Once you do, please comment back here with a link to it, so I can keep an eye on it.
- Matthias Koch March 3, 2021 0
  
  And a side-note, your blog shows times in PDT although I’m in CET.
Tjeerd Menno Douma March 3, 2021 0

This is very usefull functionality.

But unfortunately it does not work when using NuGet.org packages through an Azure DevOps Artifact feed (NuGet.org configured as upstream source).
Any plans on supporting this?
- Drew Gillies Author March 8, 2021 0
  
  These are both very valuable insights, and I want to replicate this case and see what can be achieved. Thank you so much for bringing it up.
  - Richard Deeming March 12, 2021 0
    
    Another +1 for this.
    
    Running the tool with the “–interactive” flag prompts to open a web page and enter a code. But after completing the device flow and closing the page, the tool just displays the same message with a different code.
    
    I now have multiple personal access tokens added to my account, but the tool doesn’t seem to be able to use them.
  - Peter Tollnes Flem March 9, 2021 0
    
    +1
    
    We have a Azure DevOps NuGet feed as well that’s behind auth.
    But great that this is out 🙂
- Roger Noden March 4, 2021 0
  
  +1
  
  We have an Azure DevOps Artifacts Feed, the dotnet list package –vulnerable command requires the user to run with “–interactive”; this then ends up creating a new Personal Access Token request for EVERY package in our feed. It doesn’t seem to cache or use the cache of tokens. This makes this unusable for our developers.
Drew Freyling March 3, 2021 0

This is great news! Out of curiousity would say the npm lodash vulnerabilities that exist, shouldn’t they also apply to the nuget version as well?
- Drew Gillies Author March 8, 2021 0
  
  This is a good topic for us to explore. Currently we mine our vulnerabilities from GitHub, so what is not reported there is not reported here. But one topic of discussion is going more broadly with sources, and one area I'm interested in is how big a delta we are talking. Lodash would be a good topic of research, given that it shows us some of this delta. I intend to look into where npm...
  Read more
  This is a good topic for us to explore. Currently we mine our vulnerabilities from GitHub, so what is not reported there is not reported here. But one topic of discussion is going more broadly with sources, and one area I’m interested in is how big a delta we are talking. Lodash would be a good topic of research, given that it shows us some of this delta. I intend to look into where npm has sourced this vulnerability and then look at researching further as planning proceeds. Thank you for raising this.
  
  Read less
Pascal Berger March 2, 2021 1

Any plans to support writing the report into a machine readable format which can be further processed in CI pipelines?
- Drew Gillies Author March 8, 2021 0
  
  This has been an ongoing discussion for some time regarding dotnet list in general. Here’s the issue: https://github.com/NuGet/Home/issues/7752. Feel free to comment on it to give it more visibility. There are some thoughts here on output formatting for –outdated and –deprecated reports–it would also be good to get a sense of how the NuGet community would like to consume json (presumably) for –vulnerable reports.
- Drew Gillies Author March 8, 2021 0
  
  It’s definitely something we’ve been talking about. It would be a good discussion to reintroduce in a public forum. We would definitely want to get this right, ensuring we have the most useful information presented to users of the CLI. Thanks for upvoting it, all.
- Francesco March 4, 2021 0
  
  +1 would also be nice to support adding it to a build pipeline and let it fail if vulnerabilities are found
  - Curtis Carter March 6, 2021 0
    
    NuGetDefense is adding this as a vulnerability source. If you have nothing but this scanner enabled, it will run this command after the build and warn/error if there are any vulnerable packages.
- Rehan Saeed March 3, 2021 0
  
  +1 This would be awesome.