We heard from you that direct dependencies are easy to track, but that you struggle with tracking transitive dependencies. We want to make that easier for the day-to-day management of your NuGet packages in Visual Studio.
To help you track transitive dependencies and remediate vulnerabilities quickly in SDK-style projects, we are introducing an experimental feature in Visual Studio 17.3 that lets you view and take action on your transitive dependencies. If you’re a part of our experiment group, you’ll see your transitive dependencies whenever you manage your NuGet packages in Visual Studio.
Know your dependencies
There is now a new dependency section labeled “transitive packages” that you can optionally collapse or expand depending on your daily use.
You can click on a transitive dependency just as you would a top-level one, and you can promote any transitive dependency to a top-level dependency at any time. One reason to do so is to override the resolved version of a library that has a known vulnerability with an unaffected version until a patched release of the package that depends on it is available. Because NuGet gives a direct reference precedence over any transitive reference to the same package, the pin takes effect as soon as you restore; remember to remove it once the intermediate package has updated, so it does not hold back future upgrades.
Lastly, you can hover over any transitive dependency to understand the top-level dependencies that brought it into your project.
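The "which top-level dependency brought this in" view described above can be reproduced outside the IDE from the graph NuGet writes to obj/project.assets.json, which is also the information you need to judge whether a newly disclosed vulnerability has a path into your project. The following is an added example, not code from the NuGet or Visual Studio teams. It relies on two parts of the assets file that NuGet writes for SDK-style projects (the `targets` map keyed by `Id/Version` with a `dependencies` map per package, and `projectFileDependencyGroups` listing direct references as `Id >= Version`); the package names, versions and the list of vulnerable versions are constructed for the example.

```python
"""Attribute transitive NuGet packages to the top-level references that pull
them in, using the graph in obj/project.assets.json, and list the top-level
culprits for every package that appears on a vulnerable-version list.

Added example, not code from the NuGet or Visual Studio teams. The package
names, versions and VULNERABLE set below are constructed.
"""
import json
from collections import defaultdict

# Constructed assets file for a project with two direct references.
# Acme.Client asks for Foo.Serializer 1.0.0 but Acme.Web asks for 1.2.0,
# so the graph resolved 1.2.0 and Foo.Core 1.2.0 came along with it.
ASSETS_JSON = """
{
  "version": 3,
  "targets": {
    "net6.0": {
      "Acme.Client/2.0.0": {
        "type": "package",
        "dependencies": { "Foo.Serializer": "1.0.0", "Foo.Logging": "3.1.0" }
      },
      "Acme.Web/4.5.0": {
        "type": "package",
        "dependencies": { "Foo.Serializer": "1.2.0" }
      },
      "Foo.Serializer/1.2.0": {
        "type": "package",
        "dependencies": { "Foo.Core": "1.2.0" }
      },
      "Foo.Logging/3.1.0": { "type": "package" },
      "Foo.Core/1.2.0": { "type": "package" }
    }
  },
  "projectFileDependencyGroups": {
    "net6.0": [ "Acme.Client >= 2.0.0", "Acme.Web >= 4.5.0" ]
  }
}
"""

# Constructed stand-in for an advisory feed: (package id, affected version).
VULNERABLE = {("Foo.Core", "1.2.0")}


def load_graph(assets_text, framework):
    """Return (top_level ids, {id: resolved version}, {id: [dependency ids]})."""
    assets = json.loads(assets_text)
    target = assets["targets"][framework]
    resolved, edges = {}, {}
    for key, entry in target.items():
        if entry.get("type") != "package":
            continue  # project-to-project references are not packages
        pkg_id, version = key.split("/", 1)
        resolved[pkg_id] = version
        edges[pkg_id] = sorted(entry.get("dependencies", {}))
    groups = assets["projectFileDependencyGroups"][framework]
    top_level = {line.split()[0] for line in groups}  # "Id >= Version" -> Id
    return top_level, resolved, edges


def attribute(top_level, edges):
    """Map each transitive package to the sorted list of top-level packages
    that reach it, walking the graph depth-first from every direct reference."""
    brought_in_by = defaultdict(set)
    for root in sorted(top_level):
        stack, seen = list(edges.get(root, [])), set()
        while stack:
            pkg = stack.pop()
            if pkg in seen:
                continue
            seen.add(pkg)
            if pkg not in top_level:
                brought_in_by[pkg].add(root)
            stack.extend(edges.get(pkg, []))
    return {pkg: sorted(roots) for pkg, roots in brought_in_by.items()}


def vulnerable_paths(assets_text, framework, vulnerable):
    """List (package, resolved version, top-level culprits) for every resolved
    package whose version is on the vulnerable list. A direct reference is
    reported as its own culprit, since you fix it by bumping that reference."""
    top_level, resolved, edges = load_graph(assets_text, framework)
    culprits = attribute(top_level, edges)
    report = []
    for pkg_id, version in sorted(resolved.items()):
        if (pkg_id, version) in vulnerable:
            via = ["(direct)"] if pkg_id in top_level else culprits.get(pkg_id, [])
            report.append((pkg_id, version, via))
    return report


if __name__ == "__main__":
    for pkg, ver, via in vulnerable_paths(ASSETS_JSON, "net6.0", VULNERABLE):
        print(f"{pkg} {ver} is vulnerable; pulled in by: {', '.join(via)}")
```

Run it against a real project by replacing ASSETS_JSON with the contents of obj/project.assets.json after a restore. When the report names a transitive package, the remediation is the promotion described above: add a direct PackageReference for that package at an unaffected version, which takes precedence over the transitive version, and drop it again once every culprit listed has moved to a fixed release.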
Why should I care?
Managing a project’s dependencies is an important task, and it requires more due diligence than ever to keep track of the many libraries you depend on.
You need clear insight into your dependency tree to understand whether a newly disclosed vulnerability opens a vulnerable path into your codebase, and through which packages it arrives.
In ecosystems such as NuGet, npm, RubyGems, and Maven Central, there is a significant split between direct (top-level) and indirect (transitive) dependencies. According to GitHub’s State of the Octoverse 2020 report, the median number of direct dependencies in many of these ecosystems is between 6 and 10, and those direct dependencies pull in anywhere from 20 to 70 additional transitive dependencies. For an ecosystem like .NET, the average number of dependencies per project (including transitive ones) approaches 50.
To make matters more complex, the majority of vulnerabilities are commonly found in indirect dependencies, which makes remediation harder: the vulnerable package is one you never chose, and the fixed version usually has to flow through an intermediate package before your project picks it up.
Take action
Not only will these features help you understand your dependency graph better, they should also help you perform routine security audits and so improve the security of your software supply chain. Knowing your dependencies is half the battle: once you can see which direct references bring in which transitive packages, you can assess your organization’s risk across both with more confidence. The other half is creating proper security policies that address the major concerns of using open source software and reduce the time it takes to fix a known vulnerability.
For more details on best security practices, see using open source and practices for reducing risk.
Closing
We’re excited to see you use this feature in Visual Studio and include it in your toolset for building the most secure and amazing things with .NET. If you don’t have access to it yet, don’t fret. We are working to release it to everyone in an upcoming Visual Studio release. While we run this experiment, we will also be assessing the feasibility of bringing deprecation and vulnerability affordances to your transitive dependencies, so that you can remain secure.
For more details on this feature, read up on how NuGet resolves package dependencies and some of the best practices for a secure software supply chain.
Feedback
Your feedback is important to us. If there are any problems with this release, check our GitHub Issues and Visual Studio Developer Community for existing issues. For new issues within NuGet, please report a GitHub Issue. For general NuGet experience issues, let us know via the Report a Problem option found in your favorite IDE under Help > Report a Problem.
When will this be a feature? Checked with 17.3.5, does not appear to be working. I can confirm that open source vuln scanners grype and trivy both find transitive vulnerabilities with my .NET 6.0 projects that you can’t automatically resolve with Visual Studio 17.3.5 and the NuGet package manager.
You can find these transitive vulnerabilities (in your software supply chain) with `dotnet list package --vulnerable --include-transitive`.
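The command in the comment above is also the natural thing to gate a build on. The following is an added example, not part of the NuGet tooling or of the comment. It assumes the JSON report that newer .NET SDKs produce when `--format json` is appended to that command (a `projects` list, each with `frameworks`, each with `topLevelPackages` and `transitivePackages` whose entries carry `id`, `resolvedVersion` and a `vulnerabilities` list of `{severity, advisoryurl}` objects); the sample report, package names and advisory URLs are constructed.

```python
"""Fail a build when `dotnet list package --vulnerable --include-transitive
--format json` reports a vulnerability at or above a severity threshold,
and say for each finding whether it is direct (bump the PackageReference)
or transitive (promote it to a direct PackageReference at a fixed version).

Added example, not part of the NuGet tooling. The report shape is assumed
to match the SDK's JSON output; SAMPLE_REPORT is constructed.
"""
import json
import sys

SEVERITY_RANK = {"Low": 1, "Moderate": 2, "High": 3, "Critical": 4}

# Constructed report: one direct and one transitive finding.
SAMPLE_REPORT = """
{
  "version": 1,
  "parameters": "--vulnerable --include-transitive",
  "projects": [
    {
      "path": "src/Example.Api/Example.Api.csproj",
      "frameworks": [
        {
          "framework": "net6.0",
          "topLevelPackages": [
            {
              "id": "Acme.Web",
              "requestedVersion": "4.5.0",
              "resolvedVersion": "4.5.0",
              "vulnerabilities": [
                { "severity": "Moderate", "advisoryurl": "https://example.invalid/advisory/1" }
              ]
            }
          ],
          "transitivePackages": [
            {
              "id": "Foo.Core",
              "resolvedVersion": "1.2.0",
              "vulnerabilities": [
                { "severity": "High", "advisoryurl": "https://example.invalid/advisory/2" }
              ]
            }
          ]
        }
      ]
    }
  ]
}
"""


def findings(report_text):
    """Flatten the report into tuples of
    (project path, framework, scope, package id, version, severity, advisory url)."""
    report = json.loads(report_text)
    rows = []
    for project in report.get("projects", []):
        for fw in project.get("frameworks", []):
            for scope, key in (("direct", "topLevelPackages"),
                               ("transitive", "transitivePackages")):
                for pkg in fw.get(key) or []:
                    for vuln in pkg.get("vulnerabilities") or []:
                        rows.append((project["path"], fw["framework"], scope,
                                     pkg["id"], pkg["resolvedVersion"],
                                     vuln["severity"], vuln["advisoryurl"]))
    return rows


def gate(report_text, fail_at="High"):
    """Return (exit code, human-readable lines). The exit code is 1 when any
    finding is at or above fail_at; lower findings are still listed so that
    they are not silently dropped from the audit trail."""
    threshold = SEVERITY_RANK[fail_at]
    messages, blocking = [], 0
    for path, fw, scope, pkg, ver, sev, url in findings(report_text):
        action = ("update the PackageReference" if scope == "direct"
                  else "promote to a direct PackageReference at an unaffected version")
        messages.append(f"[{sev}] {pkg} {ver} ({scope}; {path}; {fw}): {url}; {action}")
        if SEVERITY_RANK.get(sev, 0) >= threshold:
            blocking += 1
    return (1 if blocking else 0), messages


if __name__ == "__main__":
    # In CI: dotnet list package --vulnerable --include-transitive --format json > report.json
    #        python gate.py report.json
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    code, lines = gate(text)
    print("\n".join(lines))
    sys.exit(code)
```

The threshold is deliberately separate from the listing: a policy that only blocks on High and above still needs the Moderate findings in the log, because a transitive Moderate is exactly the kind of issue that gets forgotten until it is re-rated.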
How to join the experimental group?
People will be randomly selected in Visual Studio 17.3. In the future we will release the experience for all.
Kind of related, is there a way to find and “promote” transitive dependencies if they are directly referenced in the project? IMO each project would have a reference to all top-level dependencies, as in dependencies that are directly used in code. So along with ‘remove unused dependencies’ we can have ‘promote used transitive dependencies’ or something like that. That way we can better manage libraries.