March 2nd, 2021

How to Scan NuGet Packages for Security Vulnerabilities

Open Source is everywhere. It is in many proprietary codebases and community projects. For organizations and individuals, the question today is not whether you are or are not using open-source code, but what open-source code you are using, and how much.

If you are not aware of what is in your software supply chain, an upstream vulnerability in one of your dependencies can be fatal, making you, and your customers, vulnerable to a potential compromise.

Today, we are announcing the public availability of NuGet’s vulnerability features, which you can use to ensure your projects are vulnerability free and, if they are not, to take action to secure your software supply chain.

Where do CVE/GHSA come from?

NuGet gets its CVE/GHSA information directly from the centralized GitHub Advisory Database. The database provides two main listings of vulnerabilities:

  • CVE stands for Common Vulnerabilities and Exposures, a list of publicly disclosed computer security flaws.
  • A GHSA is a GitHub Security Advisory. GitHub is a CVE Numbering Authority (CNA) and is authorized to assign CVE identification numbers.

See the following documentation on GitHub Security Advisories.

NuGet.org Package Details

You can now view any known CVE/GHSA directly on NuGet.org. NuGet.org will show you a banner telling you that a vulnerability with a specific severity has been detected and how you might go about resolving it.

For package authors, you will see a banner telling you that a specific package version had a vulnerability detected. You will be able to view the advisory, severity of the advisory, and any actions you should take to protect the NuGet ecosystem.

Additionally, you will see a warning icon on your listed packages to let you know that a vulnerability has been detected.

dotnet CLI

You can now list any known vulnerabilities in your dependencies within your projects & solutions with the dotnet list package --vulnerable command.

You will see any vulnerabilities within your top-level packages. You will be able to understand the version resolved, the severity of the advisory, and a link to the advisory for you to view.

If you are interested in seeing vulnerabilities within your transitive packages, you can use the --include-transitive parameter to see those.

To scan for vulnerabilities within your projects, download the .NET SDK 5.0.200, Visual Studio 2019 16.9, or Visual Studio 2019 for Mac 8.8 which includes the .NET SDK.
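
To act on the scan in a build pipeline, the report can be filtered by severity and turned into a pass/fail result. The script below is an added example, not code from the original post or from the NuGet team. It assumes each finding row starts with ">" and ends with the resolved version, the severity, and the advisory URL; the sample report, package names, and advisory IDs are constructed placeholders, so check the layout against your SDK's actual output.

```shell
#!/bin/sh
# Added example: turn the command's console table into a CI gate.
# Assumption: each finding row starts with ">" and ends with
# "<resolved version> <severity> <advisory URL>".

# Rank a severity name; an unknown name ranks 0, so a mistyped
# threshold reports every finding instead of hiding them.
severity_rank() {
    case "$1" in
        Low) echo 1 ;;
        Moderate) echo 2 ;;
        High) echo 3 ;;
        Critical) echo 4 ;;
        *) echo 0 ;;
    esac
}

# stdin: report text. stdout: "package resolved severity url" for each
# finding at or above the threshold in $1. A row whose severity is not
# recognized is always reported rather than silently dropped.
findings_at_or_above() {
    awk -v min="$(severity_rank "$1")" '
        BEGIN { r["Low"]=1; r["Moderate"]=2; r["High"]=3; r["Critical"]=4 }
        $1 == ">" && NF >= 5 {
            sev = $(NF-1)
            if (!(sev in r) || r[sev] >= min) print $2, $(NF-2), sev, $NF
        }'
}

# Returns 1 (and lists the findings on stderr) when the gate trips.
gate() {
    hits=$(findings_at_or_above "$1")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits" >&2
    return 1
}

# Constructed sample report (hypothetical packages, placeholder advisory IDs).
sample_report() {
    cat <<'EOF'
Project `Contoso.Web` has the following vulnerable packages
   [net5.0]:
   Top-level Package      Requested   Resolved   Severity   Advisory URL
   > Contoso.Json         1.2.0       1.2.0      High       https://github.com/advisories/GHSA-xxxx-xxxx-xxxx

   Transitive Package     Resolved   Severity   Advisory URL
   > Contoso.Http         4.3.0      Moderate   https://github.com/advisories/GHSA-yyyy-yyyy-yyyy
EOF
}

# Real use: dotnet list package --vulnerable --include-transitive | gate High
```
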

Note: Packages listed in examples above have since been patched or have been marked deprecated & unlisted appropriately.

Summary

You have learned about the new tools that NuGet provides to help you scan your NuGet packages for security vulnerabilities. These tools should help you secure your software supply chain and take action today.

Although this is the beginning of bringing a more secure package ecosystem to .NET developers everywhere, we have many exciting plans to help you audit & fix your dependencies in the near future.

If you’re interested in the best practices that you can follow today to secure your software supply chain, check out our documentation on best practices for a secure software supply chain.

Author

Drew Gillies
Senior Software Engineer

Hi! I'm a software engineer (and sometimes lead) at Microsoft. I cut my teeth on Borland languages, Win32 API apps and Java apps/applets, and was very happy when .NET entered the world. I spend some of my time in web apps, some in databases, and some in general cloud architecture.

27 comments

  • Lyman Epp · Edited

    This is definitely very cool!

    I've found that it aborts when it encounters a vcxproj in the solution file.

    Edit: I've also found that it aborts with project type guid {349C5851-65DF-11DA-9384-00065B846F21} (old-style web hosting project)

  • Wayne ~~

    Is it only for .NET Core?

  • Peter Row

    Can this be used for projects that run on .NET 4.x or is it only for those using .NET Core?

    • Colac, Teodora

      Good morning! I have the same question: can this command be used for projects on .NET 4.7?
      I have the following error:
      “The imported project “C:\Program Files\dotnet\sdk\5.0.201\Microsoft\VisualStudio\v16.0\WebApplications\Microsoft.WebApplication.targets” was not found. Confirm that the expression in the Import declaration “C:\Program Files\dotnet\sdk\5.0.201\Microsoft\VisualStudio\v16.0\WebApplications\Microsoft.WebApplication.targets” is correct, and that the file exists on disk.”
      I have the sdk installed with VS 2019 16.9.2.

  • Peter Tollnes Flem

    Thanks for this! It's great to have such a tool.

    When I run the command, it seems to use all NuGet sources that it knows of on my machine, even if they are not used in the current project I'm trying to scan. Is there any way to make it only use sources that are relevant to a project, other than manually specifying them with the option? It causes a problem when it can't authenticate with a NuGet feed, even though the feed isn't used in the project.
